]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove OPENSSL_NO_EC guards from libssl
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
15#define COOKIE_STATE_FORMAT_VERSION 0
16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
d0debc0a
MC		 20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
d0debc0a 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
61138358 41int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 42 X509 *x, size_t chainidx)
25670f3e
MC		 43{
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 51 return 0;
52 }
53
54 /* Check that the extension matches */
555cbb32 55 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 57 return 0;
58 }
59
555cbb32
TS		 60 if (memcmp(data, s->s3.previous_client_finished,
61 s->s3.previous_client_finished_len)) {
c48ffbcc 62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 63 return 0;
64 }
65
555cbb32 66 s->s3.send_connection_binding = 1;
25670f3e
MC		 67
68 return 1;
69}
70
1266eefd
MC		 71/*-
72 * The servername extension is treated as follows:
73 *
74 * - Only the hostname type is supported with a maximum length of 255.
75 * - The servername is rejected if too long or if it contains zeros,
76 * in which case an fatal alert is generated.
77 * - The servername field is maintained together with the session cache.
78 * - When a session is resumed, the servername call back invoked in order
79 * to allow the application to position itself to the right context.
80 * - The servername is acknowledged if it is new for a session or when
81 * it is identical to a previously used for the same session.
82 * Applications can control the behaviour. They can at any time
83 * set a 'desirable' servername for a new SSL object. This can be the
84 * case for example with HTTPS when a Host: header field is received and
85 * a renegotiation is requested. In this case, a possible servername
86 * presented in the new client hello is only acknowledged if it matches
87 * the value of the Host: field.
88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89 * if they provide for changing an explicit servername context for the
90 * session, i.e. when the session has been established with a servername
91 * extension.
92 * - On session reconnect, the servername extension may be absent.
93 */
61138358 94int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 95 X509 *x, size_t chainidx)
25670f3e
MC		 96{
97 unsigned int servname_type;
98 PACKET sni, hostname;
99
25670f3e
MC		 100 if (!PACKET_as_length_prefixed_2(pkt, &sni)
101 /* ServerNameList must be at least 1 byte long. */
102 || PACKET_remaining(&sni) == 0) {
c48ffbcc 103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 104 return 0;
105 }
106
107 /*
44e69951
F		 108 * Although the intent was for server_name to be extensible, RFC 4366
109 * was not clear about it; and so OpenSSL among other implementations,
110 * always and only allows a 'host_name' name types.
25670f3e
MC		 111 * RFC 6066 corrected the mistake but adding new name types
112 * is nevertheless no longer feasible, so act as if no other
113 * SNI types can exist, to simplify parsing.
114 *
115 * Also note that the RFC permits only one SNI value per type,
116 * i.e., we can only have a single hostname.
117 */
118 if (!PACKET_get_1(&sni, &servname_type)
119 || servname_type != TLSEXT_NAMETYPE_host_name
120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 122 return 0;
123 }
124
7955c1f1
MC		 125 /*
126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127 * we always use the SNI value from the handshake.
128 */
1c4aa31d 129 if (!s->hit || SSL_IS_TLS13(s)) {
25670f3e 130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 132 return 0;
133 }
134
135 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 137 return 0;
138 }
139
1c4aa31d
BK		 140 /*
141 * Store the requested SNI in the SSL as temporary storage.
142 * If we accept it, it will get stored in the SSL_SESSION as well.
143 */
144 OPENSSL_free(s->ext.hostname);
145 s->ext.hostname = NULL;
146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 148 return 0;
149 }
150
151 s->servername_done = 1;
7955c1f1
MC		 152 } else {
153 /*
154 * In TLSv1.2 and below we should check if the SNI is consistent between
155 * the initial handshake and the resumption. In TLSv1.3 SNI is not
156 * associated with the session.
157 */
25670f3e
MC		 158 /*
159 * TODO(openssl-team): if the SNI doesn't match, we MUST
160 * fall back to a full handshake.
161 */
1c4aa31d 162 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 163 && PACKET_equal(&hostname, s->session->ext.hostname,
164 strlen(s->session->ext.hostname));
25670f3e
MC		 165 }
166
167 return 1;
168}
169
cf72c757 170int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 171 X509 *x, size_t chainidx)
cf72c757
F		 172{
173 unsigned int value;
174
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 177 return 0;
178 }
179
180 /* Received |value| should be a valid max-fragment-length code. */
181 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 182 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 183 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 184 return 0;
185 }
186
187 /*
188 * RFC 6066: The negotiated length applies for the duration of the session
189 * including session resumptions.
190 * We should receive the same code as in resumed session !
191 */
192 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 193 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 194 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 195 return 0;
196 }
197
198 /*
199 * Store it in session, so it'll become binding for us
200 * and we'll include it in a next Server Hello.
201 */
202 s->session->ext.max_fragment_len_mode = value;
203 return 1;
204}
205
25670f3e 206#ifndef OPENSSL_NO_SRP
61138358 207int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 208 size_t chainidx)
25670f3e
MC		 209{
210 PACKET srp_I;
211
212 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
213 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 214 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 215 return 0;
216 }
217
218 /*
219 * TODO(openssl-team): currently, we re-authenticate the user
220 * upon resumption. Instead, we MUST ignore the login.
221 */
222 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 223 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 224 return 0;
225 }
226
227 return 1;
228}
229#endif
230
61138358 231int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 232 X509 *x, size_t chainidx)
25670f3e
MC		 233{
234 PACKET ec_point_format_list;
235
236 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
237 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 238 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 239 return 0;
240 }
241
242 if (!s->hit) {
243 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 244 &s->ext.peer_ecpointformats,
245 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 247 return 0;
248 }
249 }
250
251 return 1;
252}
25670f3e 253
61138358 254int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 255 X509 *x, size_t chainidx)
25670f3e 256{
aff8c126
RS		 257 if (s->ext.session_ticket_cb &&
258 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
259 PACKET_remaining(pkt),
260 s->ext.session_ticket_cb_arg)) {
c48ffbcc 261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 262 return 0;
263 }
264
265 return 1;
266}
267
a7e6a3d8
P		 268int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
269 ossl_unused unsigned int context,
270 ossl_unused X509 *x,
271 ossl_unused size_t chainidx)
c589c34e
BK		 272{
273 PACKET supported_sig_algs;
274
275 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
276 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 278 return 0;
279 }
280
281 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 282 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 283 return 0;
284 }
285
286 return 1;
287}
288
61138358 289int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 290 size_t chainidx)
25670f3e
MC		 291{
292 PACKET supported_sig_algs;
293
294 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 295 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 296 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 297 return 0;
298 }
299
c589c34e 300 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 302 return 0;
303 }
304
305 return 1;
306}
307
ab83e314 308#ifndef OPENSSL_NO_OCSP
61138358 309int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 310 X509 *x, size_t chainidx)
25670f3e 311{
1266eefd
MC		 312 PACKET responder_id_list, exts;
313
ded4a83d
MC		 314 /* We ignore this in a resumption handshake */
315 if (s->hit)
316 return 1;
317
e96e0f8e
MC		 318 /* Not defined if we get one of these in a client Certificate */
319 if (x != NULL)
320 return 1;
321
aff8c126 322 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 323 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 324 return 0;
325 }
ab83e314 326
aff8c126 327 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 328 /*
1266eefd 329 * We don't know what to do with any other type so ignore it.
25670f3e 330 */
aff8c126 331 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 332 return 1;
333 }
25670f3e 334
1266eefd 335 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 336 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 337 return 0;
338 }
25670f3e 339
1266eefd
MC		 340 /*
341 * We remove any OCSP_RESPIDs from a previous handshake
342 * to prevent unbounded memory growth - CVE-2016-6304
343 */
aff8c126 344 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 345 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 346 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
347 if (s->ext.ocsp.ids == NULL) {
c48ffbcc 348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 349 return 0;
350 }
351 } else {
aff8c126 352 s->ext.ocsp.ids = NULL;
1266eefd 353 }
25670f3e 354
1266eefd
MC		 355 while (PACKET_remaining(&responder_id_list) > 0) {
356 OCSP_RESPID *id;
357 PACKET responder_id;
358 const unsigned char *id_data;
25670f3e 359
1266eefd
MC		 360 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
361 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 362 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 363 return 0;
364 }
25670f3e 365
1266eefd
MC		 366 id_data = PACKET_data(&responder_id);
367 /* TODO(size_t): Convert d2i_* to size_t */
368 id = d2i_OCSP_RESPID(NULL, &id_data,
369 (int)PACKET_remaining(&responder_id));
370 if (id == NULL) {
c48ffbcc 371 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 372 return 0;
25670f3e
MC		 373 }
374
1266eefd
MC		 375 if (id_data != PACKET_end(&responder_id)) {
376 OCSP_RESPID_free(id);
c48ffbcc 377 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 378
25670f3e
MC		 379 return 0;
380 }
381
aff8c126 382 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 383 OCSP_RESPID_free(id);
c48ffbcc 384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 385
1266eefd
MC		 386 return 0;
387 }
388 }
389
390 /* Read in request_extensions */
391 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 393 return 0;
394 }
395
396 if (PACKET_remaining(&exts) > 0) {
397 const unsigned char *ext_data = PACKET_data(&exts);
398
aff8c126 399 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 400 X509_EXTENSION_free);
aff8c126 401 s->ext.ocsp.exts =
1266eefd 402 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 403 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 404 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 405 return 0;
25670f3e 406 }
25670f3e
MC		 407 }
408
409 return 1;
410}
ab83e314 411#endif
25670f3e
MC		 412
413#ifndef OPENSSL_NO_NEXTPROTONEG
61138358 414int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 415 size_t chainidx)
25670f3e 416{
1266eefd
MC		 417 /*
418 * We shouldn't accept this extension on a
419 * renegotiation.
1266eefd 420 */
c7f47786 421 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 422 s->s3.npn_seen = 1;
25670f3e
MC		 423
424 return 1;
425}
426#endif
427
428/*
1266eefd 429 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 430 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 431 */
61138358 432int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 433 size_t chainidx)
25670f3e
MC		 434{
435 PACKET protocol_list, save_protocol_list, protocol;
436
c7f47786 437 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 438 return 1;
439
440 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
441 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 443 return 0;
444 }
445
446 save_protocol_list = protocol_list;
447 do {
448 /* Protocol names can't be empty. */
449 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
450 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 451 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 452 return 0;
453 }
454 } while (PACKET_remaining(&protocol_list) != 0);
455
555cbb32
TS		 456 OPENSSL_free(s->s3.alpn_proposed);
457 s->s3.alpn_proposed = NULL;
458 s->s3.alpn_proposed_len = 0;
25670f3e 459 if (!PACKET_memdup(&save_protocol_list,
555cbb32 460 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 462 return 0;
463 }
464
465 return 1;
466}
467
468#ifndef OPENSSL_NO_SRTP
61138358 469int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 470 size_t chainidx)
25670f3e 471{
25670f3e
MC		 472 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
473 unsigned int ct, mki_len, id;
474 int i, srtp_pref;
475 PACKET subpkt;
476
477 /* Ignore this if we have no SRTP profiles */
478 if (SSL_get_srtp_profiles(s) == NULL)
479 return 1;
480
481 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 482 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
483 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 484 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 485 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 486 return 0;
487 }
488
489 srvr = SSL_get_srtp_profiles(s);
490 s->srtp_profile = NULL;
491 /* Search all profiles for a match initially */
492 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
493
494 while (PACKET_remaining(&subpkt)) {
495 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 496 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 497 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 498 return 0;
499 }
500
501 /*
502 * Only look for match in profiles of higher preference than
503 * current match.
504 * If no profiles have been have been configured then this
505 * does nothing.
506 */
507 for (i = 0; i < srtp_pref; i++) {
d270de32 508 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 509 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
510
25670f3e
MC		 511 if (sprof->id == id) {
512 s->srtp_profile = sprof;
513 srtp_pref = i;
514 break;
515 }
516 }
517 }
518
1266eefd 519 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 520 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 521 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 523 return 0;
524 }
525
526 if (!PACKET_forward(pkt, mki_len)
527 || PACKET_remaining(pkt)) {
c48ffbcc 528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 529 return 0;
530 }
531
532 return 1;
533}
534#endif
535
61138358 536int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 537 size_t chainidx)
25670f3e
MC		 538{
539 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 540 s->ext.use_etm = 1;
25670f3e
MC		 541
542 return 1;
543}
544
b2f7e8c0
MC		 545/*
546 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
547 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 548 */
61138358 549int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 550 X509 *x, size_t chainidx)
b2f7e8c0
MC		 551{
552#ifndef OPENSSL_NO_TLS1_3
553 PACKET psk_kex_modes;
554 unsigned int mode;
555
556 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
557 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 558 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 559 return 0;
560 }
561
562 while (PACKET_get_1(&psk_kex_modes, &mode)) {
563 if (mode == TLSEXT_KEX_MODE_KE_DHE)
564 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 565 else if (mode == TLSEXT_KEX_MODE_KE
566 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 567 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
568 }
569#endif
570
571 return 1;
572}
573
25670f3e
MC		 574/*
575 * Process a key_share extension received in the ClientHello. |pkt| contains
576 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 577 */
61138358 578int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 579 size_t chainidx)
25670f3e 580{
3cf96e88 581#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 582 unsigned int group_id;
583 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 584 const uint16_t *clntgroups, *srvrgroups;
585 size_t clnt_num_groups, srvr_num_groups;
43b95d73 586 int found = 0;
25670f3e 587
f4bbb37c 588 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 589 return 1;
590
591 /* Sanity check */
555cbb32 592 if (s->s3.peer_tmp != NULL) {
c48ffbcc 593 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 594 return 0;
595 }
596
597 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 598 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 599 return 0;
600 }
601
f48d826e
DSH		 602 /* Get our list of supported groups */
603 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
604 /* Get the clients list of supported groups. */
605 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
606 if (clnt_num_groups == 0) {
b6fdc12d
MC		 607 /*
608 * This can only happen if the supported_groups extension was not sent,
609 * because we verify that the length is non-zero when we process that
610 * extension.
611 */
c48ffbcc 612 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 613 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 614 return 0;
615 }
25670f3e 616
555cbb32 617 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 618 /*
619 * If we set a group_id already, then we must have sent an HRR
620 * requesting a new key_share. If we haven't got one then that is an
621 * error
622 */
c48ffbcc 623 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 624 return 0;
625 }
626
25670f3e
MC		 627 while (PACKET_remaining(&key_share_list) > 0) {
628 if (!PACKET_get_net_2(&key_share_list, &group_id)
629 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
630 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 631 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 632 return 0;
633 }
634
635 /*
636 * If we already found a suitable key_share we loop through the
637 * rest to verify the structure, but don't process them.
638 */
639 if (found)
640 continue;
641
43054d3d
MC		 642 /*
643 * If we sent an HRR then the key_share sent back MUST be for the group
644 * we requested, and must be the only key_share sent.
645 */
555cbb32
TS		 646 if (s->s3.group_id != 0
647 && (group_id != s->s3.group_id
43054d3d 648 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 649 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 650 return 0;
651 }
652
25670f3e 653 /* Check if this share is in supported_groups sent from client */
f48d826e 654 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 656 return 0;
657 }
658
659 /* Check if this share is for a group we can use */
f48d826e 660 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 661 /* Share not suitable */
662 continue;
663 }
664
ada66e78 665 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 666 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 667 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
668 return 0;
669 }
670
555cbb32 671 s->s3.group_id = group_id;
25670f3e 672
5ac8fb58 673 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
25670f3e 674 PACKET_data(&encoded_pt),
5ac8fb58 675 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 677 return 0;
678 }
679
680 found = 1;
681 }
3cf96e88 682#endif
25670f3e
MC		 683
684 return 1;
685}
686
43054d3d
MC		 687int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
688 size_t chainidx)
689{
1aac20f5 690#ifndef OPENSSL_NO_TLS1_3
dd77962e 691 unsigned int format, version, key_share, group_id;
43054d3d
MC		 692 EVP_MD_CTX *hctx;
693 EVP_PKEY *pkey;
694 PACKET cookie, raw, chhash, appcookie;
695 WPACKET hrrpkt;
696 const unsigned char *data, *mdin, *ciphdata;
697 unsigned char hmac[SHA256_DIGEST_LENGTH];
698 unsigned char hrr[MAX_HRR_SIZE];
699 size_t rawlen, hmaclen, hrrlen, ciphlen;
d0debc0a 700 unsigned long tm, now;
43054d3d
MC		 701
702 /* Ignore any cookie if we're not set up to verify it */
3fa2812f 703 if (s->ctx->verify_stateless_cookie_cb == NULL
555cbb32 704 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 705 return 1;
706
707 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 708 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 709 return 0;
710 }
711
712 raw = cookie;
713 data = PACKET_data(&raw);
714 rawlen = PACKET_remaining(&raw);
715 if (rawlen < SHA256_DIGEST_LENGTH
716 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 717 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 718 return 0;
719 }
720 mdin = PACKET_data(&raw);
721
722 /* Verify the HMAC of the cookie */
723 hctx = EVP_MD_CTX_create();
d8652be0
MC		 724 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
725 s->ctx->propq,
726 s->session_ctx->ext.cookie_hmac_key,
727 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 728 if (hctx == NULL || pkey == NULL) {
729 EVP_MD_CTX_free(hctx);
730 EVP_PKEY_free(pkey);
c48ffbcc 731 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 732 return 0;
733 }
734
97ea1e7f 735 hmaclen = SHA256_DIGEST_LENGTH;
d8652be0
MC		 736 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
737 s->ctx->propq, pkey) <= 0
97ea1e7f
MC		 738 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
739 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 740 || hmaclen != SHA256_DIGEST_LENGTH) {
741 EVP_MD_CTX_free(hctx);
742 EVP_PKEY_free(pkey);
c48ffbcc 743 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 744 return 0;
745 }
746
747 EVP_MD_CTX_free(hctx);
748 EVP_PKEY_free(pkey);
749
750 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 751 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 752 return 0;
753 }
754
755 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 757 return 0;
758 }
759 /* Check the cookie format is something we recognise. Ignore it if not */
760 if (format != COOKIE_STATE_FORMAT_VERSION)
761 return 1;
762
763 /*
764 * The rest of these checks really shouldn't fail since we have verified the
765 * HMAC above.
766 */
767
768 /* Check the version number is sane */
769 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 770 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 771 return 0;
772 }
773 if (version != TLS1_3_VERSION) {
c48ffbcc 774 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 775 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
776 return 0;
777 }
778
dd77962e 779 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 780 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 781 return 0;
782 }
dd77962e 783
43054d3d
MC		 784 ciphdata = PACKET_data(&cookie);
785 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 786 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 787 return 0;
788 }
555cbb32
TS		 789 if (group_id != s->s3.group_id
790 || s->s3.tmp.new_cipher
dd77962e
MC		 791 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
792 /*
793 * We chose a different cipher or group id this time around to what is
794 * in the cookie. Something must have changed.
795 */
c48ffbcc 796 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 797 return 0;
798 }
799
800 if (!PACKET_get_1(&cookie, &key_share)
d0debc0a 801 || !PACKET_get_net_4(&cookie, &tm)
43054d3d
MC		 802 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
803 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
804 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 805 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 806 return 0;
807 }
808
d0debc0a
MC		 809 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
810 now = (unsigned long)time(NULL);
811 if (tm > now || (now - tm) > 600) {
812 /* Cookie is stale. Ignore it */
813 return 1;
814 }
815
43054d3d 816 /* Verify the app cookie */
3fa2812f 817 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
43054d3d 818 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 819 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 820 return 0;
821 }
822
823 /*
824 * Reconstruct the HRR that we would have sent in response to the original
825 * ClientHello so we can add it to the transcript hash.
826 * Note: This won't work with custom HRR extensions
827 */
828 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 829 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 830 return 0;
831 }
832 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
833 || !WPACKET_start_sub_packet_u24(&hrrpkt)
834 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
835 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
836 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
837 s->tmp_session_id_len)
555cbb32 838 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
43054d3d
MC		 839 &ciphlen)
840 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
841 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
842 WPACKET_cleanup(&hrrpkt);
c48ffbcc 843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 844 return 0;
845 }
846 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
847 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 848 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 849 || !WPACKET_close(&hrrpkt)) {
850 WPACKET_cleanup(&hrrpkt);
c48ffbcc 851 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 852 return 0;
853 }
854 if (key_share) {
855 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
856 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 857 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 858 || !WPACKET_close(&hrrpkt)) {
859 WPACKET_cleanup(&hrrpkt);
c48ffbcc 860 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 861 return 0;
862 }
863 }
864 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
865 || !WPACKET_start_sub_packet_u16(&hrrpkt)
866 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
867 || !WPACKET_close(&hrrpkt) /* cookie extension */
868 || !WPACKET_close(&hrrpkt) /* extension block */
869 || !WPACKET_close(&hrrpkt) /* message */
870 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
871 || !WPACKET_finish(&hrrpkt)) {
872 WPACKET_cleanup(&hrrpkt);
c48ffbcc 873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 874 return 0;
875 }
876
877 /* Reconstruct the transcript hash */
878 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
879 PACKET_remaining(&chhash), hrr,
880 hrrlen)) {
881 /* SSLfatal() already called */
882 return 0;
883 }
884
885 /* Act as if this ClientHello came after a HelloRetryRequest */
886 s->hello_retry_request = 1;
887
c36001c3 888 s->ext.cookieok = 1;
1aac20f5 889#endif
c36001c3 890
43054d3d
MC		 891 return 1;
892}
893
61138358 894int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 895 X509 *x, size_t chainidx)
25670f3e
MC		 896{
897 PACKET supported_groups_list;
898
899 /* Each group is 2 bytes and we must have at least 1. */
900 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
901 || PACKET_remaining(&supported_groups_list) == 0
902 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 903 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 904 return 0;
905 }
906
e3743355 907 if (!s->hit || SSL_IS_TLS13(s)) {
45436e61
MC		 908 OPENSSL_free(s->ext.peer_supportedgroups);
909 s->ext.peer_supportedgroups = NULL;
910 s->ext.peer_supportedgroups_len = 0;
9e84a42d 911 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 912 &s->ext.peer_supportedgroups,
913 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 915 return 0;
916 }
25670f3e
MC		 917 }
918
919 return 1;
920}
25670f3e 921
61138358 922int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 923 size_t chainidx)
25670f3e
MC		 924{
925 /* The extension must always be empty */
926 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 927 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 928 return 0;
929 }
930
088dfa13
TS		 931 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
932 return 1;
933
555cbb32 934 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 935
936 return 1;
937}
7da160b0 938
38df5a45
MC		 939
940int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 941 X509 *x, size_t chainidx)
38df5a45
MC		 942{
943 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 944 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 945 return 0;
946 }
947
fc7129dc 948 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 949 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 950 return 0;
951 }
952
38df5a45
MC		 953 return 1;
954}
955
6cc0b3c2
MC		 956static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
957 SSL_SESSION **sess)
958{
959 SSL_SESSION *tmpsess = NULL;
960
5f26ddff
MC		 961 s->ext.ticket_expected = 1;
962
6cc0b3c2
MC		 963 switch (PACKET_remaining(tick)) {
964 case 0:
965 return SSL_TICKET_EMPTY;
966
967 case SSL_MAX_SSL_SESSION_ID_LENGTH:
968 break;
969
970 default:
971 return SSL_TICKET_NO_DECRYPT;
972 }
973
974 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
975 SSL_MAX_SSL_SESSION_ID_LENGTH);
976
977 if (tmpsess == NULL)
978 return SSL_TICKET_NO_DECRYPT;
979
6cc0b3c2
MC		 980 *sess = tmpsess;
981 return SSL_TICKET_SUCCESS;
982}
983
61138358 984int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 985 size_t chainidx)
1053a6e2
MC		 986{
987 PACKET identities, binders, binder;
988 size_t binderoffset, hashsize;
989 SSL_SESSION *sess = NULL;
3a7c56b2 990 unsigned int id, i, ext = 0;
1053a6e2
MC		 991 const EVP_MD *md = NULL;
992
1a9f457c
MC		 993 /*
994 * If we have no PSK kex mode that we recognise then we can't resume so
995 * ignore this extension
996 */
997 if ((s->ext.psk_kex_mode
998 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
999 return 1;
1000
1053a6e2 1001 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1002 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1003 return 0;
1004 }
1005
61fb5923 1006 s->ext.ticket_expected = 0;
1053a6e2
MC		 1007 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1008 PACKET identity;
2c604cb9 1009 unsigned long ticket_agel;
f3d40db1 1010 size_t idlen;
1053a6e2
MC		 1011
1012 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1013 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1014 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1015 return 0;
1016 }
1017
f3d40db1 1018 idlen = PACKET_remaining(&identity);
3a7c56b2 1019 if (s->psk_find_session_cb != NULL
f3d40db1 1020 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
011d768a 1021 &sess)) {
c48ffbcc 1022 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1023 return 0;
1024 }
1025
c2b290c3 1026#ifndef OPENSSL_NO_PSK
f3d40db1
MC		 1027 if(sess == NULL
1028 && s->psk_server_callback != NULL
1029 && idlen <= PSK_MAX_IDENTITY_LEN) {
1030 char *pskid = NULL;
1031 unsigned char pskdata[PSK_MAX_PSK_LEN];
1032 unsigned int pskdatalen;
1033
1034 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1036 return 0;
1037 }
1038 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1039 sizeof(pskdata));
1040 OPENSSL_free(pskid);
1041 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1042 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1043 return 0;
1044 } else if (pskdatalen > 0) {
1045 const SSL_CIPHER *cipher;
1046 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1047
1048 /*
1049 * We found a PSK using an old style callback. We don't know
1050 * the digest so we default to SHA256 as per the TLSv1.3 spec
1051 */
1052 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1053 if (cipher == NULL) {
1054 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1055 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1056 return 0;
1057 }
1058
1059 sess = SSL_SESSION_new();
1060 if (sess == NULL
1061 || !SSL_SESSION_set1_master_key(sess, pskdata,
1062 pskdatalen)
1063 || !SSL_SESSION_set_cipher(sess, cipher)
1064 || !SSL_SESSION_set_protocol_version(sess,
1065 TLS1_3_VERSION)) {
1066 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1068 goto err;
1069 }
1070 OPENSSL_cleanse(pskdata, pskdatalen);
1071 }
1072 }
c2b290c3 1073#endif /* OPENSSL_NO_PSK */
f3d40db1 1074
011d768a
MC		 1075 if (sess != NULL) {
1076 /* We found a PSK */
3a7c56b2 1077 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1078
3a7c56b2 1079 if (sesstmp == NULL) {
c48ffbcc 1080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1081 return 0;
1082 }
1083 SSL_SESSION_free(sess);
1084 sess = sesstmp;
1085
1086 /*
1087 * We've just been told to use this session for this context so
1088 * make sure the sid_ctx matches up.
1089 */
1090 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1091 sess->sid_ctx_length = s->sid_ctx_length;
1092 ext = 1;
630369d9
MC		 1093 if (id == 0)
1094 s->ext.early_data_ok = 1;
51256b34 1095 s->ext.ticket_expected = 1;
3a7c56b2
MC		 1096 } else {
1097 uint32_t ticket_age = 0, now, agesec, agems;
61fb5923
MC		 1098 int ret;
1099
e880d4e5
MC		 1100 /*
1101 * If we are using anti-replay protection then we behave as if
1102 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1103 * is no point in using full stateless tickets.
1104 */
1105 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1106 || (s->max_early_data > 0
1107 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1108 ret = tls_get_stateful_ticket(s, &identity, &sess);
1109 else
1110 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1111 PACKET_remaining(&identity), NULL, 0,
1112 &sess);
61fb5923
MC		 1113
1114 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1115 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1116 return 0;
1117 }
3a7c56b2 1118
df0fed9a
TS		 1119 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1120 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1121 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1122 return 0;
1123 }
61fb5923 1124 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1125 continue;
1126
66d7de16
MC		 1127 /* Check for replay */
1128 if (s->max_early_data > 0
5d263fb7 1129 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1130 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1131 SSL_SESSION_free(sess);
1132 sess = NULL;
1133 continue;
1134 }
1135
3a7c56b2
MC		 1136 ticket_age = (uint32_t)ticket_agel;
1137 now = (uint32_t)time(NULL);
1138 agesec = now - (uint32_t)sess->time;
1139 agems = agesec * (uint32_t)1000;
1140 ticket_age -= sess->ext.tick_age_add;
1141
1142 /*
1143 * For simplicity we do our age calculations in seconds. If the
1144 * client does it in ms then it could appear that their ticket age
1145 * is longer than ours (our ticket age calculation should always be
1146 * slightly longer than the client's due to the network latency).
1147 * Therefore we add 1000ms to our age calculation to adjust for
1148 * rounding errors.
1149 */
630369d9
MC		 1150 if (id == 0
1151 && sess->timeout >= (long)agesec
3a7c56b2
MC		 1152 && agems / (uint32_t)1000 == agesec
1153 && ticket_age <= agems + 1000
1154 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1155 /*
1156 * Ticket age is within tolerance and not expired. We allow it
1157 * for early data
1158 */
1159 s->ext.early_data_ok = 1;
1160 }
1053a6e2 1161 }
1053a6e2 1162
c8f6c28a
MC		 1163 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1164 if (!EVP_MD_is_a(md,
1165 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1166 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1167 SSL_SESSION_free(sess);
1168 sess = NULL;
630369d9 1169 s->ext.early_data_ok = 0;
51256b34 1170 s->ext.ticket_expected = 0;
1053a6e2
MC		 1171 continue;
1172 }
1053a6e2
MC		 1173 break;
1174 }
1175
1176 if (sess == NULL)
1177 return 1;
1178
1179 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 1180 hashsize = EVP_MD_size(md);
1181
1182 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1184 goto err;
1185 }
1186
1187 for (i = 0; i <= id; i++) {
1188 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1189 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1190 goto err;
1191 }
1192 }
1193
2894e9cb 1194 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1195 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1196 goto err;
1197 }
1198 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1199 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1200 ext) != 1) {
635c8f77 1201 /* SSLfatal() already called */
1053a6e2
MC		 1202 goto err;
1203 }
1204
c96ce52c 1205 s->ext.tick_identity = id;
2c604cb9 1206
1053a6e2
MC		 1207 SSL_SESSION_free(s->session);
1208 s->session = sess;
1053a6e2
MC		 1209 return 1;
1210err:
312e9387 1211 SSL_SESSION_free(sess);
1053a6e2
MC		 1212 return 0;
1213}
1214
a7e6a3d8
P		 1215int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1216 ossl_unused unsigned int context,
1217 ossl_unused X509 *x,
1218 ossl_unused size_t chainidx)
9d75dce3
TS		 1219{
1220 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1221 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1222 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1223 return 0;
1224 }
1225
1226 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1227
1228 return 1;
1229}
1230
1266eefd
MC		 1231/*
1232 * Add the server's renegotiation binding
1233 */
b186a592
MC		 1234EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1235 unsigned int context, X509 *x,
f63a17d6 1236 size_t chainidx)
7da160b0 1237{
555cbb32 1238 if (!s->s3.send_connection_binding)
b186a592 1239 return EXT_RETURN_NOT_SENT;
7da160b0 1240
db0f35dd 1241 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1242 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1243 || !WPACKET_start_sub_packet_u16(pkt)
1244 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1245 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1246 s->s3.previous_client_finished_len)
1247 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1248 s->s3.previous_server_finished_len)
7da160b0
MC		 1249 || !WPACKET_close(pkt)
1250 || !WPACKET_close(pkt)) {
c48ffbcc 1251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1252 return EXT_RETURN_FAIL;
7da160b0
MC		 1253 }
1254
b186a592 1255 return EXT_RETURN_SENT;
7da160b0
MC		 1256}
1257
b186a592
MC		 1258EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1259 unsigned int context, X509 *x,
f63a17d6 1260 size_t chainidx)
7da160b0 1261{
7955c1f1
MC		 1262 if (s->servername_done != 1)
1263 return EXT_RETURN_NOT_SENT;
1264
1265 /*
1266 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1267 * We just use the servername from the initial handshake.
1268 */
1269 if (s->hit && !SSL_IS_TLS13(s))
b186a592 1270 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1271
1272 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1273 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1274 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1275 return EXT_RETURN_FAIL;
7da160b0
MC		 1276 }
1277
b186a592 1278 return EXT_RETURN_SENT;
7da160b0
MC		 1279}
1280
cf72c757
F		 1281/* Add/include the server's max fragment len extension into ServerHello */
1282EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1283 unsigned int context, X509 *x,
f63a17d6 1284 size_t chainidx)
cf72c757
F		 1285{
1286 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1287 return EXT_RETURN_NOT_SENT;
1288
1289 /*-
1290 * 4 bytes for this extension type and extension length
1291 * 1 byte for the Max Fragment Length code value.
1292 */
1293 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1294 || !WPACKET_start_sub_packet_u16(pkt)
1295 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1296 || !WPACKET_close(pkt)) {
c48ffbcc 1297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1298 return EXT_RETURN_FAIL;
1299 }
1300
1301 return EXT_RETURN_SENT;
1302}
1303
b186a592
MC		 1304EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1305 unsigned int context, X509 *x,
f63a17d6 1306 size_t chainidx)
7da160b0 1307{
555cbb32
TS		 1308 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1309 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1310 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1311 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1312 const unsigned char *plist;
1313 size_t plistlen;
1314
1315 if (!using_ecc)
b186a592 1316 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1317
1318 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1319 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1320 || !WPACKET_start_sub_packet_u16(pkt)
1321 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1322 || !WPACKET_close(pkt)) {
c48ffbcc 1323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1324 return EXT_RETURN_FAIL;
7da160b0
MC		 1325 }
1326
b186a592 1327 return EXT_RETURN_SENT;
7da160b0 1328}
7da160b0 1329
b186a592
MC		 1330EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1331 unsigned int context, X509 *x,
f63a17d6 1332 size_t chainidx)
6af87546 1333{
9e84a42d 1334 const uint16_t *groups;
6af87546 1335 size_t numgroups, i, first = 1;
9d2d857f 1336 int version;
6af87546 1337
555cbb32
TS		 1338 /* s->s3.group_id is non zero if we accepted a key_share */
1339 if (s->s3.group_id == 0)
b186a592 1340 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1341
1342 /* Get our list of supported groups */
ff6d20a6 1343 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1344 if (numgroups == 0) {
c48ffbcc 1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1346 return EXT_RETURN_FAIL;
6af87546
MC		 1347 }
1348
1349 /* Copy group ID if supported */
9d2d857f 1350 version = SSL_version(s);
9e84a42d
DSH		 1351 for (i = 0; i < numgroups; i++) {
1352 uint16_t group = groups[i];
1353
8b1db5d3 1354 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1355 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1356 if (first) {
1357 /*
1358 * Check if the client is already using our preferred group. If
1359 * so we don't need to add this extension
1360 */
555cbb32 1361 if (s->s3.group_id == group)
b186a592 1362 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1363
1364 /* Add extension header */
1365 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1366 /* Sub-packet for supported_groups extension */
1367 || !WPACKET_start_sub_packet_u16(pkt)
1368 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1370 return EXT_RETURN_FAIL;
6af87546
MC		 1371 }
1372
1373 first = 0;
1374 }
9e84a42d 1375 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1376 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1377 return EXT_RETURN_FAIL;
6af87546
MC		 1378 }
1379 }
1380 }
1381
1382 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1384 return EXT_RETURN_FAIL;
6af87546
MC		 1385 }
1386
b186a592 1387 return EXT_RETURN_SENT;
6af87546
MC		 1388}
1389
b186a592
MC		 1390EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1391 unsigned int context, X509 *x,
f63a17d6 1392 size_t chainidx)
7da160b0 1393{
aff8c126
RS		 1394 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1395 s->ext.ticket_expected = 0;
b186a592 1396 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1397 }
1398
1399 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1400 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1402 return EXT_RETURN_FAIL;
7da160b0
MC		 1403 }
1404
b186a592 1405 return EXT_RETURN_SENT;
7da160b0
MC		 1406}
1407
ab83e314 1408#ifndef OPENSSL_NO_OCSP
b186a592
MC		 1409EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1410 unsigned int context, X509 *x,
f63a17d6 1411 size_t chainidx)
7da160b0 1412{
debb64a0
MC		 1413 /* We don't currently support this extension inside a CertificateRequest */
1414 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1415 return EXT_RETURN_NOT_SENT;
1416
aff8c126 1417 if (!s->ext.status_expected)
b186a592 1418 return EXT_RETURN_NOT_SENT;
7da160b0 1419
8521ced6 1420 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1421 return EXT_RETURN_NOT_SENT;
e96e0f8e 1422
7da160b0 1423 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1424 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1426 return EXT_RETURN_FAIL;
f63e4288
MC		 1427 }
1428
1429 /*
1430 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1431 * send back an empty extension, with the certificate status appearing as a
1432 * separate message
1433 */
3ec8d113
MC		 1434 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1435 /* SSLfatal() already called */
56d36288 1436 return EXT_RETURN_FAIL;
3ec8d113
MC		 1437 }
1438 if (!WPACKET_close(pkt)) {
c48ffbcc 1439 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1440 return EXT_RETURN_FAIL;
7da160b0
MC		 1441 }
1442
b186a592 1443 return EXT_RETURN_SENT;
7da160b0 1444}
ab83e314 1445#endif
7da160b0 1446
7da160b0 1447#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1448EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1449 unsigned int context, X509 *x,
f63a17d6 1450 size_t chainidx)
7da160b0
MC		 1451{
1452 const unsigned char *npa;
1453 unsigned int npalen;
1454 int ret;
555cbb32 1455 int npn_seen = s->s3.npn_seen;
7da160b0 1456
555cbb32 1457 s->s3.npn_seen = 0;
aff8c126 1458 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1459 return EXT_RETURN_NOT_SENT;
7da160b0 1460
aff8c126
RS		 1461 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1462 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1463 if (ret == SSL_TLSEXT_ERR_OK) {
1464 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1465 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1467 return EXT_RETURN_FAIL;
7da160b0 1468 }
555cbb32 1469 s->s3.npn_seen = 1;
7da160b0
MC		 1470 }
1471
b186a592 1472 return EXT_RETURN_SENT;
7da160b0
MC		 1473}
1474#endif
1475
b186a592 1476EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1477 X509 *x, size_t chainidx)
7da160b0 1478{
555cbb32 1479 if (s->s3.alpn_selected == NULL)
b186a592 1480 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1481
1482 if (!WPACKET_put_bytes_u16(pkt,
1483 TLSEXT_TYPE_application_layer_protocol_negotiation)
1484 || !WPACKET_start_sub_packet_u16(pkt)
1485 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1486 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1487 s->s3.alpn_selected_len)
7da160b0
MC		 1488 || !WPACKET_close(pkt)
1489 || !WPACKET_close(pkt)) {
c48ffbcc 1490 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1491 return EXT_RETURN_FAIL;
7da160b0
MC		 1492 }
1493
b186a592 1494 return EXT_RETURN_SENT;
7da160b0
MC		 1495}
1496
1497#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1498EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1499 unsigned int context, X509 *x,
f63a17d6 1500 size_t chainidx)
7da160b0
MC		 1501{
1502 if (s->srtp_profile == NULL)
b186a592 1503 return EXT_RETURN_NOT_SENT;
a1448c26 1504
7da160b0
MC		 1505 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1506 || !WPACKET_start_sub_packet_u16(pkt)
1507 || !WPACKET_put_bytes_u16(pkt, 2)
1508 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1509 || !WPACKET_put_bytes_u8(pkt, 0)
1510 || !WPACKET_close(pkt)) {
c48ffbcc 1511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1512 return EXT_RETURN_FAIL;
7da160b0
MC		 1513 }
1514
b186a592 1515 return EXT_RETURN_SENT;
7da160b0
MC		 1516}
1517#endif
1518
b186a592 1519EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1520 X509 *x, size_t chainidx)
7da160b0 1521{
28a31a0a 1522 if (!s->ext.use_etm)
b186a592 1523 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1524
1525 /*
1526 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1527 * for other cases too.
1528 */
555cbb32
TS		 1529 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1530 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1531 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1532 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1533 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1534 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1535 s->ext.use_etm = 0;
b186a592 1536 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1537 }
1538
1539 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1540 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1542 return EXT_RETURN_FAIL;
7da160b0
MC		 1543 }
1544
b186a592 1545 return EXT_RETURN_SENT;
7da160b0
MC		 1546}
1547
b186a592 1548EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1549 X509 *x, size_t chainidx)
7da160b0 1550{
555cbb32 1551 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1552 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1553
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1555 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1557 return EXT_RETURN_FAIL;
7da160b0
MC		 1558 }
1559
b186a592 1560 return EXT_RETURN_SENT;
7da160b0
MC		 1561}
1562
88050dd1
MC		 1563EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1564 unsigned int context, X509 *x,
1565 size_t chainidx)
1566{
27e462f1 1567 if (!ossl_assert(SSL_IS_TLS13(s))) {
c48ffbcc 1568 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1569 return EXT_RETURN_FAIL;
1570 }
88050dd1
MC		 1571
1572 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1573 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1574 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1575 || !WPACKET_close(pkt)) {
c48ffbcc 1576 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1577 return EXT_RETURN_FAIL;
1578 }
1579
1580 return EXT_RETURN_SENT;
1581}
1582
b186a592
MC		 1583EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1584 unsigned int context, X509 *x,
f63a17d6 1585 size_t chainidx)
7da160b0 1586{
3cf96e88 1587#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1588 unsigned char *encodedPoint;
1589 size_t encoded_pt_len = 0;
555cbb32 1590 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1591 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1592
dd77962e
MC		 1593 if (s->hello_retry_request == SSL_HRR_PENDING) {
1594 if (ckey != NULL) {
1595 /* Original key_share was acceptable so don't ask for another one */
1596 return EXT_RETURN_NOT_SENT;
1597 }
1598 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1599 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1600 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
dd77962e 1601 || !WPACKET_close(pkt)) {
c48ffbcc 1602 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1603 return EXT_RETURN_FAIL;
7d061fce
MC		 1604 }
1605
dd77962e
MC		 1606 return EXT_RETURN_SENT;
1607 }
1608
1609 if (ckey == NULL) {
1610 /* No key_share received from client - must be resuming */
0247086d 1611 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1613 return EXT_RETURN_FAIL;
0247086d 1614 }
b186a592 1615 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1616 }
1617
1618 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1619 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1620 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1621 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1622 return EXT_RETURN_FAIL;
7da160b0
MC		 1623 }
1624
8b17fbaf 1625 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
c48ffbcc 1626 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1627 return EXT_RETURN_FAIL;
7da160b0
MC		 1628 }
1629
8b17fbaf
NT		 1630 if (!ginf->is_kem) {
1631 /* Regular KEX */
1632 skey = ssl_generate_pkey(s, ckey);
1633 if (skey == NULL) {
c48ffbcc 1634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
8b17fbaf
NT		 1635 return EXT_RETURN_FAIL;
1636 }
7da160b0 1637
8b17fbaf 1638 /* Generate encoding of server key */
5ac8fb58 1639 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1640 if (encoded_pt_len == 0) {
c48ffbcc 1641 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1642 EVP_PKEY_free(skey);
1643 return EXT_RETURN_FAIL;
1644 }
1645
1646 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1647 || !WPACKET_close(pkt)) {
c48ffbcc 1648 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1649 EVP_PKEY_free(skey);
1650 OPENSSL_free(encodedPoint);
1651 return EXT_RETURN_FAIL;
1652 }
7da160b0 1653 OPENSSL_free(encodedPoint);
7da160b0 1654
8b17fbaf
NT		 1655 /*
1656 * This causes the crypto state to be updated based on the derived keys
1657 */
1658 s->s3.tmp.pkey = skey;
1659 if (ssl_derive(s, skey, ckey, 1) == 0) {
1660 /* SSLfatal() already called */
1661 return EXT_RETURN_FAIL;
1662 }
1663 } else {
1664 /* KEM mode */
1665 unsigned char *ct = NULL;
1666 size_t ctlen = 0;
1667
1668 /*
1669 * This does not update the crypto state.
1670 *
1671 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1672 * ssl_gensecret().
1673 */
1674 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1675 /* SSLfatal() already called */
1676 return EXT_RETURN_FAIL;
1677 }
1678
1679 if (ctlen == 0) {
c48ffbcc 1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1681 OPENSSL_free(ct);
1682 return EXT_RETURN_FAIL;
1683 }
1684
1685 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1686 || !WPACKET_close(pkt)) {
c48ffbcc 1687 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1688 OPENSSL_free(ct);
1689 return EXT_RETURN_FAIL;
1690 }
1691 OPENSSL_free(ct);
1692
1693 /*
1694 * This causes the crypto state to be updated based on the generated pms
1695 */
1696 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1697 /* SSLfatal() already called */
1698 return EXT_RETURN_FAIL;
1699 }
7da160b0 1700 }
b186a592 1701 return EXT_RETURN_SENT;
1aac20f5
MC		 1702#else
1703 return EXT_RETURN_FAIL;
1704#endif
7da160b0
MC		 1705}
1706
43054d3d
MC		 1707EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1708 X509 *x, size_t chainidx)
1709{
1aac20f5 1710#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1711 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1712 unsigned char *hmac, *hmac2;
3fa2812f 1713 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1714 EVP_MD_CTX *hctx;
1715 EVP_PKEY *pkey;
1716 int ret = EXT_RETURN_FAIL;
1717
555cbb32 1718 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1719 return EXT_RETURN_NOT_SENT;
1720
3fa2812f 1721 if (s->ctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1723 return EXT_RETURN_FAIL;
1724 }
1725
43054d3d
MC		 1726 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1727 || !WPACKET_start_sub_packet_u16(pkt)
1728 || !WPACKET_start_sub_packet_u16(pkt)
1729 || !WPACKET_get_total_written(pkt, &startlen)
1730 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1731 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1732 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32
TS		 1733 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1734 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
43054d3d
MC		 1735 &ciphlen)
1736 /* Is there a key_share extension present in this HRR? */
555cbb32 1737 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
d0debc0a 1738 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
43054d3d
MC		 1739 || !WPACKET_start_sub_packet_u16(pkt)
1740 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1741 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1742 return EXT_RETURN_FAIL;
1743 }
1744
1745 /*
1746 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1747 * on raw buffers, so we first reserve sufficient bytes (above) and then
1748 * subsequently allocate them (below)
1749 */
1750 if (!ssl3_digest_cached_records(s, 0)
1751 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1752 /* SSLfatal() already called */
1753 return EXT_RETURN_FAIL;
1754 }
1755
1756 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1757 || !ossl_assert(hashval1 == hashval2)
1758 || !WPACKET_close(pkt)
1759 || !WPACKET_start_sub_packet_u8(pkt)
1760 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1761 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1762 return EXT_RETURN_FAIL;
1763 }
1764
1765 /* Generate the application cookie */
3fa2812f 1766 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
c48ffbcc 1767 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1768 return EXT_RETURN_FAIL;
1769 }
1770
1771 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1772 || !ossl_assert(appcookie1 == appcookie2)
1773 || !WPACKET_close(pkt)
1774 || !WPACKET_get_total_written(pkt, &totcookielen)
1775 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1776 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1777 return EXT_RETURN_FAIL;
1778 }
1779 hmaclen = SHA256_DIGEST_LENGTH;
1780
1781 totcookielen -= startlen;
1782 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1783 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1784 return EXT_RETURN_FAIL;
1785 }
1786
1787 /* HMAC the cookie */
1788 hctx = EVP_MD_CTX_create();
d8652be0
MC		 1789 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1790 s->ctx->propq,
1791 s->session_ctx->ext.cookie_hmac_key,
1792 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1793 if (hctx == NULL || pkey == NULL) {
c48ffbcc 1794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 1795 goto err;
1796 }
1797
d8652be0
MC		 1798 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1799 s->ctx->propq, pkey) <= 0
43054d3d
MC		 1800 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1801 totcookielen) <= 0) {
c48ffbcc 1802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1803 goto err;
1804 }
1805
1806 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1807 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1808 goto err;
1809 }
1810
1811 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1812 || !ossl_assert(hmac == hmac2)
1813 || !ossl_assert(cookie == hmac - totcookielen)
1814 || !WPACKET_close(pkt)
1815 || !WPACKET_close(pkt)) {
c48ffbcc 1816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1817 goto err;
1818 }
1819
1820 ret = EXT_RETURN_SENT;
1821
1822 err:
1823 EVP_MD_CTX_free(hctx);
1824 EVP_PKEY_free(pkey);
1825 return ret;
1aac20f5
MC		 1826#else
1827 return EXT_RETURN_FAIL;
1828#endif
43054d3d
MC		 1829}
1830
b186a592
MC		 1831EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1832 unsigned int context, X509 *x,
f63a17d6 1833 size_t chainidx)
7da160b0
MC		 1834{
1835 const unsigned char cryptopro_ext[36] = {
1836 0xfd, 0xe8, /* 65000 */
1837 0x00, 0x20, /* 32 bytes length */
1838 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1839 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1840 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1841 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1842 };
1843
555cbb32
TS		 1844 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1845 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
7da160b0 1846 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1847 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1848
1849 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1851 return EXT_RETURN_FAIL;
7da160b0
MC		 1852 }
1853
b186a592 1854 return EXT_RETURN_SENT;
7da160b0 1855}
0247086d 1856
b186a592
MC		 1857EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1858 unsigned int context, X509 *x,
f63a17d6 1859 size_t chainidx)
38df5a45 1860{
fe874d27 1861 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1862 if (s->max_early_data == 0)
b186a592 1863 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1864
1865 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1866 || !WPACKET_start_sub_packet_u16(pkt)
1867 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1868 || !WPACKET_close(pkt)) {
c48ffbcc 1869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1870 return EXT_RETURN_FAIL;
6594189f
MC		 1871 }
1872
b186a592 1873 return EXT_RETURN_SENT;
6594189f
MC		 1874 }
1875
38df5a45 1876 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1877 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1878
1879 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1880 || !WPACKET_start_sub_packet_u16(pkt)
1881 || !WPACKET_close(pkt)) {
c48ffbcc 1882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1883 return EXT_RETURN_FAIL;
38df5a45
MC		 1884 }
1885
b186a592 1886 return EXT_RETURN_SENT;
38df5a45
MC		 1887}
1888
b186a592 1889EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1890 X509 *x, size_t chainidx)
0247086d
MC		 1891{
1892 if (!s->hit)
b186a592 1893 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1894
1895 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1896 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1897 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1898 || !WPACKET_close(pkt)) {
c48ffbcc 1899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1900 return EXT_RETURN_FAIL;
0247086d
MC		 1901 }
1902
b186a592 1903 return EXT_RETURN_SENT;
0247086d 1904}
A mirror of the official openssl repository