]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Collapse ssl3_state_st (s3) into ssl_st
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
CommitLineData
6dd083fd 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
6dd083fd 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
6dd083fd
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ab83e314 10#include <openssl/ocsp.h>
6dd083fd 11#include "../ssl_locl.h"
67dc995e 12#include "internal/cryptlib.h"
6dd083fd
MC		 13#include "statem_locl.h"
14
b186a592
MC		 15EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
f63a17d6 17 size_t chainidx)
ab83e314
MC		 18{
19 /* Add RI if renegotiating */
20 if (!s->renegotiate)
b186a592 21 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 22
23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
24 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 25 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
26 s->s3.previous_client_finished_len)
ab83e314 27 || !WPACKET_close(pkt)) {
f63a17d6
MC		 28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
29 ERR_R_INTERNAL_ERROR);
b186a592 30 return EXT_RETURN_FAIL;
ab83e314
MC		 31 }
32
b186a592 33 return EXT_RETURN_SENT;
ab83e314
MC		 34}
35
b186a592
MC		 36EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
37 unsigned int context, X509 *x,
f63a17d6 38 size_t chainidx)
ab83e314 39{
aff8c126 40 if (s->ext.hostname == NULL)
b186a592 41 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 42
43 /* Add TLS extension servername to the Client Hello message */
44 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
45 /* Sub-packet for server_name extension */
46 || !WPACKET_start_sub_packet_u16(pkt)
47 /* Sub-packet for servername list (always 1 hostname)*/
48 || !WPACKET_start_sub_packet_u16(pkt)
49 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
aff8c126
RS		 50 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
51 strlen(s->ext.hostname))
ab83e314
MC		 52 || !WPACKET_close(pkt)
53 || !WPACKET_close(pkt)) {
f63a17d6
MC		 54 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
55 ERR_R_INTERNAL_ERROR);
b186a592 56 return EXT_RETURN_FAIL;
ab83e314
MC		 57 }
58
b186a592 59 return EXT_RETURN_SENT;
ab83e314
MC		 60}
61
cf72c757
F		 62/* Push a Max Fragment Len extension into ClientHello */
63EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
64 unsigned int context, X509 *x,
f63a17d6 65 size_t chainidx)
cf72c757
F		 66{
67 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
68 return EXT_RETURN_NOT_SENT;
69
70 /* Add Max Fragment Length extension if client enabled it. */
71 /*-
72 * 4 bytes for this extension type and extension length
73 * 1 byte for the Max Fragment Length code value.
74 */
75 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
76 /* Sub-packet for Max Fragment Length extension (1 byte) */
77 || !WPACKET_start_sub_packet_u16(pkt)
78 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
79 || !WPACKET_close(pkt)) {
f63a17d6
MC		 80 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
81 SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
cf72c757
F		 82 return EXT_RETURN_FAIL;
83 }
84
85 return EXT_RETURN_SENT;
86}
87
ab83e314 88#ifndef OPENSSL_NO_SRP
b186a592 89EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 90 X509 *x, size_t chainidx)
ab83e314
MC		 91{
92 /* Add SRP username if there is one */
93 if (s->srp_ctx.login == NULL)
b186a592 94 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 95
96 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
97 /* Sub-packet for SRP extension */
98 || !WPACKET_start_sub_packet_u16(pkt)
99 || !WPACKET_start_sub_packet_u8(pkt)
100 /* login must not be zero...internal error if so */
101 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
102 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
103 strlen(s->srp_ctx.login))
104 || !WPACKET_close(pkt)
105 || !WPACKET_close(pkt)) {
f63a17d6
MC		 106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
107 ERR_R_INTERNAL_ERROR);
b186a592 108 return EXT_RETURN_FAIL;
ab83e314
MC		 109 }
110
b186a592 111 return EXT_RETURN_SENT;
ab83e314
MC		 112}
113#endif
114
115#ifndef OPENSSL_NO_EC
116static int use_ecc(SSL *s)
117{
589b6227 118 int i, end, ret = 0;
ab83e314
MC		 119 unsigned long alg_k, alg_a;
120 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
121
122 /* See if we support any ECC ciphersuites */
123 if (s->version == SSL3_VERSION)
124 return 0;
125
589b6227 126 cipher_stack = SSL_get1_supported_ciphers(s);
1266eefd
MC		 127 end = sk_SSL_CIPHER_num(cipher_stack);
128 for (i = 0; i < end; i++) {
ab83e314
MC		 129 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
130
131 alg_k = c->algorithm_mkey;
132 alg_a = c->algorithm_auth;
133 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1266eefd 134 || (alg_a & SSL_aECDSA)
589b6227
MC		 135 || c->min_tls >= TLS1_3_VERSION) {
136 ret = 1;
137 break;
138 }
ab83e314
MC		 139 }
140
589b6227
MC		 141 sk_SSL_CIPHER_free(cipher_stack);
142 return ret;
ab83e314
MC		 143}
144
b186a592
MC		 145EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
146 unsigned int context, X509 *x,
f63a17d6 147 size_t chainidx)
ab83e314
MC		 148{
149 const unsigned char *pformats;
150 size_t num_formats;
151
152 if (!use_ecc(s))
b186a592 153 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 154
155 /* Add TLS extension ECPointFormats to the ClientHello message */
ab83e314
MC		 156 tls1_get_formatlist(s, &pformats, &num_formats);
157
158 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
159 /* Sub-packet for formats extension */
160 || !WPACKET_start_sub_packet_u16(pkt)
161 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
162 || !WPACKET_close(pkt)) {
f63a17d6
MC		 163 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
164 SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 165 return EXT_RETURN_FAIL;
ab83e314
MC		 166 }
167
b186a592 168 return EXT_RETURN_SENT;
ab83e314
MC		 169}
170
b186a592
MC		 171EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
172 unsigned int context, X509 *x,
f63a17d6 173 size_t chainidx)
ab83e314 174{
f48d826e
DSH		 175 const uint16_t *pgroups = NULL;
176 size_t num_groups = 0, i;
ab83e314
MC		 177
178 if (!use_ecc(s))
b186a592 179 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 180
181 /*
182 * Add TLS extension supported_groups to the ClientHello message
183 */
184 /* TODO(TLS1.3): Add support for DHE groups */
f48d826e 185 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 186
187 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
188 /* Sub-packet for supported_groups extension */
189 || !WPACKET_start_sub_packet_u16(pkt)
190 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 191 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
192 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
193 ERR_R_INTERNAL_ERROR);
b186a592 194 return EXT_RETURN_FAIL;
ab83e314
MC		 195 }
196 /* Copy curve ID if supported */
f48d826e
DSH		 197 for (i = 0; i < num_groups; i++) {
198 uint16_t ctmp = pgroups[i];
9e84a42d
DSH		 199
200 if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
201 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
635c8f77
MC		 202 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
203 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
204 ERR_R_INTERNAL_ERROR);
b186a592 205 return EXT_RETURN_FAIL;
ab83e314
MC		 206 }
207 }
208 }
209 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
635c8f77
MC		 210 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
211 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
212 ERR_R_INTERNAL_ERROR);
b186a592 213 return EXT_RETURN_FAIL;
ab83e314
MC		 214 }
215
b186a592 216 return EXT_RETURN_SENT;
ab83e314
MC		 217}
218#endif
219
b186a592
MC		 220EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
221 unsigned int context, X509 *x,
f63a17d6 222 size_t chainidx)
ab83e314
MC		 223{
224 size_t ticklen;
225
226 if (!tls_use_ticket(s))
b186a592 227 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 228
229 if (!s->new_session && s->session != NULL
08191294
MC		 230 && s->session->ext.tick != NULL
231 && s->session->ssl_version != TLS1_3_VERSION) {
aff8c126
RS		 232 ticklen = s->session->ext.ticklen;
233 } else if (s->session && s->ext.session_ticket != NULL
234 && s->ext.session_ticket->data != NULL) {
235 ticklen = s->ext.session_ticket->length;
236 s->session->ext.tick = OPENSSL_malloc(ticklen);
237 if (s->session->ext.tick == NULL) {
f63a17d6
MC		 238 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
239 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
240 ERR_R_INTERNAL_ERROR);
b186a592 241 return EXT_RETURN_FAIL;
ab83e314 242 }
aff8c126
RS		 243 memcpy(s->session->ext.tick,
244 s->ext.session_ticket->data, ticklen);
245 s->session->ext.ticklen = ticklen;
ab83e314
MC		 246 } else {
247 ticklen = 0;
248 }
249
aff8c126
RS		 250 if (ticklen == 0 && s->ext.session_ticket != NULL &&
251 s->ext.session_ticket->data == NULL)
b186a592 252 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 253
254 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
aff8c126 255 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
f63a17d6
MC		 256 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
257 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 258 return EXT_RETURN_FAIL;
ab83e314
MC		 259 }
260
b186a592 261 return EXT_RETURN_SENT;
ab83e314
MC		 262}
263
b186a592
MC		 264EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
265 unsigned int context, X509 *x,
f63a17d6 266 size_t chainidx)
ab83e314
MC		 267{
268 size_t salglen;
98c792d1 269 const uint16_t *salg;
ab83e314
MC		 270
271 if (!SSL_CLIENT_USE_SIGALGS(s))
b186a592 272 return EXT_RETURN_NOT_SENT;
ab83e314 273
a9669ddc 274 salglen = tls12_get_psigalgs(s, 1, &salg);
ab83e314
MC		 275 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
276 /* Sub-packet for sig-algs extension */
277 || !WPACKET_start_sub_packet_u16(pkt)
278 /* Sub-packet for the actual list */
279 || !WPACKET_start_sub_packet_u16(pkt)
280 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
281 || !WPACKET_close(pkt)
282 || !WPACKET_close(pkt)) {
f63a17d6
MC		 283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
284 ERR_R_INTERNAL_ERROR);
b186a592 285 return EXT_RETURN_FAIL;
ab83e314
MC		 286 }
287
b186a592 288 return EXT_RETURN_SENT;
ab83e314
MC		 289}
290
291#ifndef OPENSSL_NO_OCSP
b186a592
MC		 292EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
293 unsigned int context, X509 *x,
f63a17d6 294 size_t chainidx)
ab83e314
MC		 295{
296 int i;
297
e96e0f8e
MC		 298 /* This extension isn't defined for client Certificates */
299 if (x != NULL)
b186a592 300 return EXT_RETURN_NOT_SENT;
e96e0f8e 301
aff8c126 302 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
b186a592 303 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 304
305 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
306 /* Sub-packet for status request extension */
307 || !WPACKET_start_sub_packet_u16(pkt)
308 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
309 /* Sub-packet for the ids */
310 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 311 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
312 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 313 return EXT_RETURN_FAIL;
ab83e314 314 }
aff8c126 315 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
ab83e314 316 unsigned char *idbytes;
aff8c126 317 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
1266eefd 318 int idlen = i2d_OCSP_RESPID(id, NULL);
ab83e314 319
ab83e314
MC		 320 if (idlen <= 0
321 /* Sub-packet for an individual id */
322 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
323 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
f63a17d6
MC		 324 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
325 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
326 ERR_R_INTERNAL_ERROR);
b186a592 327 return EXT_RETURN_FAIL;
ab83e314
MC		 328 }
329 }
330 if (!WPACKET_close(pkt)
331 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 332 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
333 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 334 return EXT_RETURN_FAIL;
ab83e314 335 }
aff8c126 336 if (s->ext.ocsp.exts) {
ab83e314 337 unsigned char *extbytes;
aff8c126 338 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
ab83e314
MC		 339
340 if (extlen < 0) {
f63a17d6
MC		 341 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
342 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
343 ERR_R_INTERNAL_ERROR);
b186a592 344 return EXT_RETURN_FAIL;
ab83e314
MC		 345 }
346 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
aff8c126 347 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
ab83e314 348 != extlen) {
f63a17d6
MC		 349 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
350 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
351 ERR_R_INTERNAL_ERROR);
b186a592 352 return EXT_RETURN_FAIL;
ab83e314
MC		 353 }
354 }
355 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 356 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
357 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 358 return EXT_RETURN_FAIL;
ab83e314
MC		 359 }
360
b186a592 361 return EXT_RETURN_SENT;
ab83e314
MC		 362}
363#endif
364
365#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592 366EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 367 X509 *x, size_t chainidx)
ab83e314 368{
c7f47786 369 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 370 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 371
372 /*
373 * The client advertises an empty extension to indicate its support
374 * for Next Protocol Negotiation
375 */
376 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
377 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
379 ERR_R_INTERNAL_ERROR);
b186a592 380 return EXT_RETURN_FAIL;
ab83e314
MC		 381 }
382
b186a592 383 return EXT_RETURN_SENT;
ab83e314
MC		 384}
385#endif
386
b186a592 387EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 388 X509 *x, size_t chainidx)
ab83e314 389{
555cbb32 390 s->s3.alpn_sent = 0;
ab83e314 391
c7f47786 392 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 393 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 394
395 if (!WPACKET_put_bytes_u16(pkt,
396 TLSEXT_TYPE_application_layer_protocol_negotiation)
397 /* Sub-packet ALPN extension */
398 || !WPACKET_start_sub_packet_u16(pkt)
aff8c126 399 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
ab83e314 400 || !WPACKET_close(pkt)) {
f63a17d6
MC		 401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
402 ERR_R_INTERNAL_ERROR);
b186a592 403 return EXT_RETURN_FAIL;
ab83e314 404 }
555cbb32 405 s->s3.alpn_sent = 1;
ab83e314 406
b186a592 407 return EXT_RETURN_SENT;
ab83e314
MC		 408}
409
410
411#ifndef OPENSSL_NO_SRTP
b186a592
MC		 412EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
413 unsigned int context, X509 *x,
f63a17d6 414 size_t chainidx)
ab83e314
MC		 415{
416 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
1266eefd 417 int i, end;
ab83e314
MC		 418
419 if (clnt == NULL)
b186a592 420 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 421
422 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
423 /* Sub-packet for SRTP extension */
424 || !WPACKET_start_sub_packet_u16(pkt)
425 /* Sub-packet for the protection profile list */
426 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 427 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
428 ERR_R_INTERNAL_ERROR);
b186a592 429 return EXT_RETURN_FAIL;
ab83e314 430 }
1266eefd
MC		 431
432 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
433 for (i = 0; i < end; i++) {
434 const SRTP_PROTECTION_PROFILE *prof =
435 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
436
ab83e314 437 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
f63a17d6
MC		 438 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
439 SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
b186a592 440 return EXT_RETURN_FAIL;
ab83e314
MC		 441 }
442 }
443 if (!WPACKET_close(pkt)
444 /* Add an empty use_mki value */
445 || !WPACKET_put_bytes_u8(pkt, 0)
446 || !WPACKET_close(pkt)) {
f63a17d6
MC		 447 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
448 ERR_R_INTERNAL_ERROR);
b186a592 449 return EXT_RETURN_FAIL;
ab83e314
MC		 450 }
451
b186a592 452 return EXT_RETURN_SENT;
ab83e314
MC		 453}
454#endif
455
b186a592 456EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 457 X509 *x, size_t chainidx)
ab83e314
MC		 458{
459 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
b186a592 460 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 461
462 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
463 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 464 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
465 ERR_R_INTERNAL_ERROR);
b186a592 466 return EXT_RETURN_FAIL;
ab83e314
MC		 467 }
468
b186a592 469 return EXT_RETURN_SENT;
ab83e314
MC		 470}
471
472#ifndef OPENSSL_NO_CT
b186a592 473EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 474 X509 *x, size_t chainidx)
ab83e314
MC		 475{
476 if (s->ct_validation_callback == NULL)
b186a592 477 return EXT_RETURN_NOT_SENT;
ab83e314 478
e96e0f8e
MC		 479 /* Not defined for client Certificates */
480 if (x != NULL)
b186a592 481 return EXT_RETURN_NOT_SENT;
e96e0f8e 482
ab83e314
MC		 483 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
484 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 485 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
486 ERR_R_INTERNAL_ERROR);
b186a592 487 return EXT_RETURN_FAIL;
ab83e314
MC		 488 }
489
b186a592 490 return EXT_RETURN_SENT;
ab83e314
MC		 491}
492#endif
493
b186a592 494EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 495 X509 *x, size_t chainidx)
ab83e314 496{
088dfa13
TS		 497 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
498 return EXT_RETURN_NOT_SENT;
499
ab83e314
MC		 500 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
501 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
503 ERR_R_INTERNAL_ERROR);
b186a592 504 return EXT_RETURN_FAIL;
ab83e314
MC		 505 }
506
b186a592 507 return EXT_RETURN_SENT;
ab83e314
MC		 508}
509
b186a592
MC		 510EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
511 unsigned int context, X509 *x,
f63a17d6 512 size_t chainidx)
ab83e314
MC		 513{
514 int currv, min_version, max_version, reason;
515
b5b993b2 516 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
88050dd1
MC		 517 if (reason != 0) {
518 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
519 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
520 return EXT_RETURN_FAIL;
521 }
522
523 /*
524 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
525 * comparison here because we will never be called in DTLS.
526 */
527 if (max_version < TLS1_3_VERSION)
528 return EXT_RETURN_NOT_SENT;
529
ab83e314
MC		 530 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
531 || !WPACKET_start_sub_packet_u16(pkt)
532 || !WPACKET_start_sub_packet_u8(pkt)) {
f63a17d6
MC		 533 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
534 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
535 ERR_R_INTERNAL_ERROR);
b186a592 536 return EXT_RETURN_FAIL;
ab83e314
MC		 537 }
538
ab83e314 539 for (currv = max_version; currv >= min_version; currv--) {
35e742ec 540 if (!WPACKET_put_bytes_u16(pkt, currv)) {
f63a17d6
MC		 541 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
542 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
543 ERR_R_INTERNAL_ERROR);
b186a592 544 return EXT_RETURN_FAIL;
ab83e314
MC		 545 }
546 }
547 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 548 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
549 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
550 ERR_R_INTERNAL_ERROR);
b186a592 551 return EXT_RETURN_FAIL;
ab83e314
MC		 552 }
553
b186a592 554 return EXT_RETURN_SENT;
ab83e314
MC		 555}
556
b2f7e8c0 557/*
e3c0d76b 558 * Construct a psk_kex_modes extension.
b2f7e8c0 559 */
b186a592
MC		 560EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
561 unsigned int context, X509 *x,
f63a17d6 562 size_t chainidx)
b2f7e8c0
MC		 563{
564#ifndef OPENSSL_NO_TLS1_3
e3c0d76b
MC		 565 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
566
b2f7e8c0
MC		 567 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
568 || !WPACKET_start_sub_packet_u16(pkt)
569 || !WPACKET_start_sub_packet_u8(pkt)
570 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
e3c0d76b 571 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
b2f7e8c0
MC		 572 || !WPACKET_close(pkt)
573 || !WPACKET_close(pkt)) {
f63a17d6
MC		 574 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
575 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
b186a592 576 return EXT_RETURN_FAIL;
b2f7e8c0 577 }
b3ad72ce 578
e3c0d76b
MC		 579 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
580 if (nodhe)
581 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
b2f7e8c0
MC		 582#endif
583
b186a592 584 return EXT_RETURN_SENT;
b2f7e8c0
MC		 585}
586
3847d426
MC		 587#ifndef OPENSSL_NO_TLS1_3
588static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
589{
7b1ec1cf
MC		 590 unsigned char *encoded_point = NULL;
591 EVP_PKEY *key_share_key = NULL;
3847d426
MC		 592 size_t encodedlen;
593
555cbb32 594 if (s->s3.tmp.pkey != NULL) {
fc7129dc 595 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
f63a17d6
MC		 596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
597 ERR_R_INTERNAL_ERROR);
d8028b20 598 return 0;
7b1ec1cf
MC		 599 }
600 /*
601 * Could happen if we got an HRR that wasn't requesting a new key_share
602 */
555cbb32 603 key_share_key = s->s3.tmp.pkey;
7b1ec1cf 604 } else {
f63a17d6 605 key_share_key = ssl_generate_pkey_group(s, curve_id);
7b1ec1cf 606 if (key_share_key == NULL) {
f63a17d6 607 /* SSLfatal() already called */
d8028b20 608 return 0;
7b1ec1cf 609 }
3847d426
MC		 610 }
611
612 /* Encode the public key. */
613 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
2248dbeb 614 &encoded_point);
3847d426 615 if (encodedlen == 0) {
f63a17d6 616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
7b1ec1cf 617 goto err;
3847d426
MC		 618 }
619
620 /* Create KeyShareEntry */
621 if (!WPACKET_put_bytes_u16(pkt, curve_id)
2248dbeb 622 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
f63a17d6
MC		 623 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
624 ERR_R_INTERNAL_ERROR);
7b1ec1cf 625 goto err;
3847d426
MC		 626 }
627
628 /*
629 * TODO(TLS1.3): When changing to send more than one key_share we're
630 * going to need to be able to save more than one EVP_PKEY. For now
631 * we reuse the existing tmp.pkey
632 */
555cbb32
TS		 633 s->s3.tmp.pkey = key_share_key;
634 s->s3.group_id = curve_id;
2248dbeb 635 OPENSSL_free(encoded_point);
3847d426 636
d8028b20 637 return 1;
7b1ec1cf 638 err:
555cbb32 639 if (s->s3.tmp.pkey == NULL)
7b1ec1cf
MC		 640 EVP_PKEY_free(key_share_key);
641 OPENSSL_free(encoded_point);
d8028b20 642 return 0;
3847d426
MC		 643}
644#endif
645
b186a592
MC		 646EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
647 unsigned int context, X509 *x,
f63a17d6 648 size_t chainidx)
ab83e314 649{
3cf96e88 650#ifndef OPENSSL_NO_TLS1_3
f48d826e
DSH		 651 size_t i, num_groups = 0;
652 const uint16_t *pgroups = NULL;
9e84a42d 653 uint16_t curve_id = 0;
ab83e314
MC		 654
655 /* key_share extension */
656 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
657 /* Extension data sub-packet */
658 || !WPACKET_start_sub_packet_u16(pkt)
659 /* KeyShare list sub-packet */
660 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 661 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
662 ERR_R_INTERNAL_ERROR);
b186a592 663 return EXT_RETURN_FAIL;
ab83e314
MC		 664 }
665
f48d826e 666 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 667
668 /*
669 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
670 * now, just send one
671 */
555cbb32
TS		 672 if (s->s3.group_id != 0) {
673 curve_id = s->s3.group_id;
3847d426 674 } else {
f48d826e 675 for (i = 0; i < num_groups; i++) {
ab83e314 676
f48d826e 677 if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
3847d426 678 continue;
ab83e314 679
f48d826e 680 curve_id = pgroups[i];
3847d426 681 break;
ab83e314 682 }
3847d426 683 }
ab83e314 684
3847d426 685 if (curve_id == 0) {
f63a17d6
MC		 686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
687 SSL_R_NO_SUITABLE_KEY_SHARE);
b186a592 688 return EXT_RETURN_FAIL;
ab83e314
MC		 689 }
690
f63a17d6
MC		 691 if (!add_key_share(s, pkt, curve_id)) {
692 /* SSLfatal() already called */
b186a592 693 return EXT_RETURN_FAIL;
f63a17d6 694 }
3847d426 695
ab83e314 696 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 697 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
698 ERR_R_INTERNAL_ERROR);
b186a592 699 return EXT_RETURN_FAIL;
ab83e314 700 }
b186a592 701 return EXT_RETURN_SENT;
aa2ed504
TS		 702#else
703 return EXT_RETURN_NOT_SENT;
704#endif
ab83e314
MC		 705}
706
b186a592 707EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 708 X509 *x, size_t chainidx)
cfef5027 709{
b186a592 710 EXT_RETURN ret = EXT_RETURN_FAIL;
cfef5027
MC		 711
712 /* Should only be set if we've had an HRR */
713 if (s->ext.tls13_cookie_len == 0)
b186a592 714 return EXT_RETURN_NOT_SENT;
cfef5027
MC		 715
716 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
717 /* Extension data sub-packet */
718 || !WPACKET_start_sub_packet_u16(pkt)
719 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
720 s->ext.tls13_cookie_len)
721 || !WPACKET_close(pkt)) {
f63a17d6
MC		 722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
723 ERR_R_INTERNAL_ERROR);
cfef5027
MC		 724 goto end;
725 }
726
b186a592 727 ret = EXT_RETURN_SENT;
cfef5027
MC		 728 end:
729 OPENSSL_free(s->ext.tls13_cookie);
febb0afa 730 s->ext.tls13_cookie = NULL;
cfef5027
MC		 731 s->ext.tls13_cookie_len = 0;
732
733 return ret;
734}
735
b186a592
MC		 736EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
737 unsigned int context, X509 *x,
f63a17d6 738 size_t chainidx)
38df5a45 739{
696de86f
PW		 740#ifndef OPENSSL_NO_PSK
741 char identity[PSK_MAX_IDENTITY_LEN + 1];
742#endif /* OPENSSL_NO_PSK */
ccb76685 743 const unsigned char *id = NULL;
fff202e5 744 size_t idlen = 0;
add8d0e9 745 SSL_SESSION *psksess = NULL;
ffc5bbaa 746 SSL_SESSION *edsess = NULL;
add8d0e9
MC		 747 const EVP_MD *handmd = NULL;
748
fc7129dc 749 if (s->hello_retry_request == SSL_HRR_PENDING)
add8d0e9
MC		 750 handmd = ssl_handshake_md(s);
751
752 if (s->psk_use_session_cb != NULL
ffc5bbaa
MC		 753 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
754 || (psksess != NULL
755 && psksess->ssl_version != TLS1_3_VERSION))) {
756 SSL_SESSION_free(psksess);
f63a17d6
MC		 757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
758 SSL_R_BAD_PSK);
add8d0e9
MC		 759 return EXT_RETURN_FAIL;
760 }
761
c2b290c3 762#ifndef OPENSSL_NO_PSK
f3d40db1
MC		 763 if (psksess == NULL && s->psk_client_callback != NULL) {
764 unsigned char psk[PSK_MAX_PSK_LEN];
765 size_t psklen = 0;
766
767 memset(identity, 0, sizeof(identity));
768 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
769 psk, sizeof(psk));
770
771 if (psklen > PSK_MAX_PSK_LEN) {
772 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
773 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
774 return EXT_RETURN_FAIL;
775 } else if (psklen > 0) {
776 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
777 const SSL_CIPHER *cipher;
778
779 idlen = strlen(identity);
780 if (idlen > PSK_MAX_IDENTITY_LEN) {
781 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
782 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
783 ERR_R_INTERNAL_ERROR);
784 return EXT_RETURN_FAIL;
785 }
786 id = (unsigned char *)identity;
787
788 /*
789 * We found a PSK using an old style callback. We don't know
790 * the digest so we default to SHA256 as per the TLSv1.3 spec
791 */
792 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
793 if (cipher == NULL) {
794 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
795 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
796 ERR_R_INTERNAL_ERROR);
797 return EXT_RETURN_FAIL;
798 }
799
800 psksess = SSL_SESSION_new();
801 if (psksess == NULL
802 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
803 || !SSL_SESSION_set_cipher(psksess, cipher)
804 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
805 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
806 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
807 ERR_R_INTERNAL_ERROR);
808 OPENSSL_cleanse(psk, psklen);
809 return EXT_RETURN_FAIL;
810 }
811 OPENSSL_cleanse(psk, psklen);
812 }
813 }
c2b290c3 814#endif /* OPENSSL_NO_PSK */
f3d40db1 815
add8d0e9
MC		 816 SSL_SESSION_free(s->psksession);
817 s->psksession = psksess;
818 if (psksess != NULL) {
819 OPENSSL_free(s->psksession_id);
820 s->psksession_id = OPENSSL_memdup(id, idlen);
821 if (s->psksession_id == NULL) {
f63a17d6
MC		 822 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
823 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
add8d0e9
MC		 824 return EXT_RETURN_FAIL;
825 }
826 s->psksession_id_len = idlen;
827 }
828
38df5a45 829 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
add8d0e9
MC		 830 || (s->session->ext.max_early_data == 0
831 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
38df5a45 832 s->max_early_data = 0;
b186a592 833 return EXT_RETURN_NOT_SENT;
38df5a45 834 }
ffc5bbaa
MC		 835 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
836 s->max_early_data = edsess->ext.max_early_data;
837
bfab12bb
MC		 838 if (edsess->ext.hostname != NULL) {
839 if (s->ext.hostname == NULL
840 || (s->ext.hostname != NULL
841 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
f63a17d6
MC		 842 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
843 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
844 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
bfab12bb
MC		 845 return EXT_RETURN_FAIL;
846 }
ffc5bbaa
MC		 847 }
848
849 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
f63a17d6
MC		 850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
851 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 852 return EXT_RETURN_FAIL;
853 }
854
855 /*
856 * Verify that we are offering an ALPN protocol consistent with the early
857 * data.
858 */
859 if (edsess->ext.alpn_selected != NULL) {
860 PACKET prots, alpnpkt;
861 int found = 0;
862
863 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
f63a17d6
MC		 864 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
865 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
ffc5bbaa
MC		 866 return EXT_RETURN_FAIL;
867 }
868 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
869 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
870 edsess->ext.alpn_selected_len)) {
871 found = 1;
872 break;
873 }
874 }
875 if (!found) {
f63a17d6
MC		 876 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
877 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
878 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 879 return EXT_RETURN_FAIL;
880 }
881 }
38df5a45
MC		 882
883 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
884 || !WPACKET_start_sub_packet_u16(pkt)
885 || !WPACKET_close(pkt)) {
f63a17d6
MC		 886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
887 ERR_R_INTERNAL_ERROR);
b186a592 888 return EXT_RETURN_FAIL;
38df5a45
MC		 889 }
890
891 /*
892 * We set this to rejected here. Later, if the server acknowledges the
893 * extension, we set it to accepted.
894 */
895 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
4be3a7c7 896 s->ext.early_data_ok = 1;
38df5a45 897
b186a592 898 return EXT_RETURN_SENT;
38df5a45
MC		 899}
900
1266eefd
MC		 901#define F5_WORKAROUND_MIN_MSG_LEN 0xff
902#define F5_WORKAROUND_MAX_MSG_LEN 0x200
903
d702ad12
MC		 904/*
905 * PSK pre binder overhead =
906 * 2 bytes for TLSEXT_TYPE_psk
907 * 2 bytes for extension length
908 * 2 bytes for identities list length
909 * 2 bytes for identity length
910 * 4 bytes for obfuscated_ticket_age
911 * 2 bytes for binder list length
912 * 1 byte for binder length
913 * The above excludes the number of bytes for the identity itself and the
914 * subsequent binder bytes
915 */
916#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
917
b186a592
MC		 918EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
919 unsigned int context, X509 *x,
f63a17d6 920 size_t chainidx)
ab83e314
MC		 921{
922 unsigned char *padbytes;
923 size_t hlen;
924
925 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
b186a592 926 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 927
928 /*
d702ad12
MC		 929 * Add padding to workaround bugs in F5 terminators. See RFC7685.
930 * This code calculates the length of all extensions added so far but
931 * excludes the PSK extension (because that MUST be written last). Therefore
932 * this extension MUST always appear second to last.
ab83e314
MC		 933 */
934 if (!WPACKET_get_total_written(pkt, &hlen)) {
f63a17d6
MC		 935 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
936 ERR_R_INTERNAL_ERROR);
b186a592 937 return EXT_RETURN_FAIL;
ab83e314
MC		 938 }
939
d702ad12
MC		 940 /*
941 * If we're going to send a PSK then that will be written out after this
942 * extension, so we need to calculate how long it is going to be.
943 */
944 if (s->session->ssl_version == TLS1_3_VERSION
945 && s->session->ext.ticklen != 0
946 && s->session->cipher != NULL) {
947 const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
948
949 if (md != NULL) {
950 /*
951 * Add the fixed PSK overhead, the identity length and the binder
952 * length.
953 */
954 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
955 + EVP_MD_size(md);
956 }
957 }
958
1266eefd 959 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
1ee4b98e 960 /* Calculate the amount of padding we need to add */
1266eefd
MC		 961 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
962
963 /*
964 * Take off the size of extension header itself (2 bytes for type and
10ed1b72
TS		 965 * 2 bytes for length bytes), but ensure that the extension is at least
966 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
967 * 8.x are intolerant of that condition)
1266eefd 968 */
3d85c7f4 969 if (hlen > 4)
ab83e314
MC		 970 hlen -= 4;
971 else
10ed1b72 972 hlen = 1;
ab83e314
MC		 973
974 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
975 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
f63a17d6
MC		 976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
977 ERR_R_INTERNAL_ERROR);
eb5fd03b 978 return EXT_RETURN_FAIL;
ab83e314
MC		 979 }
980 memset(padbytes, 0, hlen);
981 }
982
b186a592 983 return EXT_RETURN_SENT;
ab83e314
MC		 984}
985
ec15acb6
MC		 986/*
987 * Construct the pre_shared_key extension
988 */
b186a592 989EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 990 X509 *x, size_t chainidx)
ec15acb6
MC		 991{
992#ifndef OPENSSL_NO_TLS1_3
15b1688a 993 uint32_t now, agesec, agems = 0;
add8d0e9 994 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
9368f865 995 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
15b1688a 996 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
9368f865 997 int dores = 0;
ec15acb6 998
c96ce52c 999 s->ext.tick_identity = 0;
ec15acb6 1000
d702ad12
MC		 1001 /*
1002 * Note: At this stage of the code we only support adding a single
1003 * resumption PSK. If we add support for multiple PSKs then the length
1004 * calculations in the padding extension will need to be adjusted.
1005 */
1006
ec15acb6 1007 /*
08191294
MC		 1008 * If this is an incompatible or new session then we have nothing to resume
1009 * so don't add this extension.
ec15acb6 1010 */
08191294 1011 if (s->session->ssl_version != TLS1_3_VERSION
add8d0e9 1012 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
b186a592 1013 return EXT_RETURN_NOT_SENT;
ec15acb6 1014
fc7129dc 1015 if (s->hello_retry_request == SSL_HRR_PENDING)
9368f865
MC		 1016 handmd = ssl_handshake_md(s);
1017
9368f865 1018 if (s->session->ext.ticklen != 0) {
72257204 1019 /* Get the digest associated with the ciphersuite in the session */
9368f865 1020 if (s->session->cipher == NULL) {
f63a17d6
MC		 1021 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1022 ERR_R_INTERNAL_ERROR);
635c8f77 1023 return EXT_RETURN_FAIL;
9368f865 1024 }
9368f865
MC		 1025 mdres = ssl_md(s->session->cipher->algorithm2);
1026 if (mdres == NULL) {
72257204
MC		 1027 /*
1028 * Don't recognize this cipher so we can't use the session.
1029 * Ignore it
1030 */
9368f865
MC		 1031 goto dopsksess;
1032 }
1033
fc7129dc 1034 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
9368f865 1035 /*
72257204
MC		 1036 * Selected ciphersuite hash does not match the hash for the session
1037 * so we can't use it.
9368f865
MC		 1038 */
1039 goto dopsksess;
1040 }
1f5b44e9 1041
cf3e221b 1042 /*
9368f865 1043 * Technically the C standard just says time() returns a time_t and says
72257204
MC		 1044 * nothing about the encoding of that type. In practice most
1045 * implementations follow POSIX which holds it as an integral type in
1046 * seconds since epoch. We've already made the assumption that we can do
1047 * this in multiple places in the code, so portability shouldn't be an
1048 * issue.
cf3e221b 1049 */
9368f865
MC		 1050 now = (uint32_t)time(NULL);
1051 agesec = now - (uint32_t)s->session->time;
7e70213f
MC		 1052 /*
1053 * We calculate the age in seconds but the server may work in ms. Due to
1054 * rounding errors we could overestimate the age by up to 1s. It is
1055 * better to underestimate it. Otherwise, if the RTT is very short, when
1056 * the server calculates the age reported by the client it could be
1057 * bigger than the age calculated on the server - which should never
1058 * happen.
1059 */
1060 if (agesec > 0)
1061 agesec--;
cf3e221b 1062
9368f865
MC		 1063 if (s->session->ext.tick_lifetime_hint < agesec) {
1064 /* Ticket is too old. Ignore it. */
1065 goto dopsksess;
1066 }
ec15acb6 1067
9368f865
MC		 1068 /*
1069 * Calculate age in ms. We're just doing it to nearest second. Should be
1070 * good enough.
1071 */
1072 agems = agesec * (uint32_t)1000;
fc24f0bf 1073
9368f865
MC		 1074 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1075 /*
72257204
MC		 1076 * Overflow. Shouldn't happen unless this is a *really* old session.
1077 * If so we just ignore it.
9368f865
MC		 1078 */
1079 goto dopsksess;
1080 }
ec15acb6 1081
ec15acb6 1082 /*
72257204
MC		 1083 * Obfuscate the age. Overflow here is fine, this addition is supposed
1084 * to be mod 2^32.
ec15acb6 1085 */
9368f865
MC		 1086 agems += s->session->ext.tick_age_add;
1087
1088 reshashsize = EVP_MD_size(mdres);
c96ce52c 1089 s->ext.tick_identity++;
9368f865 1090 dores = 1;
ec15acb6
MC		 1091 }
1092
9368f865 1093 dopsksess:
add8d0e9 1094 if (!dores && s->psksession == NULL)
9368f865 1095 return EXT_RETURN_NOT_SENT;
ec15acb6 1096
add8d0e9
MC		 1097 if (s->psksession != NULL) {
1098 mdpsk = ssl_md(s->psksession->cipher->algorithm2);
9368f865
MC		 1099 if (mdpsk == NULL) {
1100 /*
1101 * Don't recognize this cipher so we can't use the session.
1102 * If this happens it's an application bug.
1103 */
f63a17d6
MC		 1104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1105 SSL_R_BAD_PSK);
635c8f77 1106 return EXT_RETURN_FAIL;
9368f865
MC		 1107 }
1108
fc7129dc 1109 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
9368f865
MC		 1110 /*
1111 * Selected ciphersuite hash does not match the hash for the PSK
1112 * session. This is an application bug.
1113 */
f63a17d6
MC		 1114 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1115 SSL_R_BAD_PSK);
635c8f77 1116 return EXT_RETURN_FAIL;
9368f865
MC		 1117 }
1118
1119 pskhashsize = EVP_MD_size(mdpsk);
1120 }
ec15acb6
MC		 1121
1122 /* Create the extension, but skip over the binder for now */
1123 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1124 || !WPACKET_start_sub_packet_u16(pkt)
9368f865 1125 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1127 ERR_R_INTERNAL_ERROR);
635c8f77 1128 return EXT_RETURN_FAIL;
9368f865
MC		 1129 }
1130
1131 if (dores) {
1132 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1133 s->session->ext.ticklen)
1134 || !WPACKET_put_bytes_u32(pkt, agems)) {
f63a17d6
MC		 1135 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1136 ERR_R_INTERNAL_ERROR);
635c8f77 1137 return EXT_RETURN_FAIL;
9368f865
MC		 1138 }
1139 }
1140
add8d0e9
MC		 1141 if (s->psksession != NULL) {
1142 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1143 s->psksession_id_len)
9368f865 1144 || !WPACKET_put_bytes_u32(pkt, 0)) {
f63a17d6
MC		 1145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1146 ERR_R_INTERNAL_ERROR);
635c8f77 1147 return EXT_RETURN_FAIL;
9368f865 1148 }
c96ce52c 1149 s->ext.tick_identity++;
9368f865
MC		 1150 }
1151
1152 if (!WPACKET_close(pkt)
ec15acb6
MC		 1153 || !WPACKET_get_total_written(pkt, &binderoffset)
1154 || !WPACKET_start_sub_packet_u16(pkt)
9368f865
MC		 1155 || (dores
1156 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
add8d0e9 1157 || (s->psksession != NULL
9368f865 1158 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
ec15acb6
MC		 1159 || !WPACKET_close(pkt)
1160 || !WPACKET_close(pkt)
1161 || !WPACKET_get_total_written(pkt, &msglen)
1162 /*
1163 * We need to fill in all the sub-packet lengths now so we can
1164 * calculate the HMAC of the message up to the binders
1165 */
1166 || !WPACKET_fill_lengths(pkt)) {
f63a17d6
MC		 1167 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1168 ERR_R_INTERNAL_ERROR);
635c8f77 1169 return EXT_RETURN_FAIL;
ec15acb6
MC		 1170 }
1171
1172 msgstart = WPACKET_get_curr(pkt) - msglen;
1173
72257204
MC		 1174 if (dores
1175 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1176 resbinder, s->session, 1, 0) != 1) {
635c8f77
MC		 1177 /* SSLfatal() already called */
1178 return EXT_RETURN_FAIL;
ec15acb6
MC		 1179 }
1180
add8d0e9 1181 if (s->psksession != NULL
72257204 1182 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
add8d0e9 1183 pskbinder, s->psksession, 1, 1) != 1) {
635c8f77
MC		 1184 /* SSLfatal() already called */
1185 return EXT_RETURN_FAIL;
9368f865
MC		 1186 }
1187
635c8f77 1188 return EXT_RETURN_SENT;
ec15acb6 1189#else
89bc9cf6 1190 return EXT_RETURN_NOT_SENT;
ec15acb6
MC		 1191#endif
1192}
1193
9d75dce3
TS		 1194EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
1195 unsigned int context,
1196 X509 *x, size_t chainidx)
1197{
1198#ifndef OPENSSL_NO_TLS1_3
32097b33
MC		 1199 if (!s->pha_enabled)
1200 return EXT_RETURN_NOT_SENT;
9d75dce3
TS		 1201
1202 /* construct extension - 0 length, no contents */
1203 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1204 || !WPACKET_start_sub_packet_u16(pkt)
1205 || !WPACKET_close(pkt)) {
1206 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1207 SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH,
1208 ERR_R_INTERNAL_ERROR);
1209 return EXT_RETURN_FAIL;
1210 }
1211
1212 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1213
1214 return EXT_RETURN_SENT;
1215#else
1216 return EXT_RETURN_NOT_SENT;
1217#endif
1218}
1219
1220
6dd083fd
MC		 1221/*
1222 * Parse the server's renegotiation binding and abort if it's not right
1223 */
61138358 1224int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1225 X509 *x, size_t chainidx)
6dd083fd 1226{
555cbb32
TS		 1227 size_t expected_len = s->s3.previous_client_finished_len
1228 + s->s3.previous_server_finished_len;
6dd083fd
MC		 1229 size_t ilen;
1230 const unsigned char *data;
1231
1232 /* Check for logic errors */
b77f3ed1 1233 if (!ossl_assert(expected_len == 0
555cbb32 1234 || s->s3.previous_client_finished_len != 0)
b77f3ed1 1235 || !ossl_assert(expected_len == 0
555cbb32 1236 || s->s3.previous_server_finished_len != 0)) {
f63a17d6
MC		 1237 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1238 ERR_R_INTERNAL_ERROR);
b77f3ed1
MC		 1239 return 0;
1240 }
6dd083fd
MC		 1241
1242 /* Parse the length byte */
1243 if (!PACKET_get_1_len(pkt, &ilen)) {
f63a17d6
MC		 1244 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1245 SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1246 return 0;
1247 }
1248
1249 /* Consistency check */
1250 if (PACKET_remaining(pkt) != ilen) {
f63a17d6
MC		 1251 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1252 SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1253 return 0;
1254 }
1255
1256 /* Check that the extension matches */
1257 if (ilen != expected_len) {
f63a17d6
MC		 1258 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1259 SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1260 return 0;
1261 }
1262
555cbb32
TS		 1263 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1264 || memcmp(data, s->s3.previous_client_finished,
1265 s->s3.previous_client_finished_len) != 0) {
f63a17d6
MC		 1266 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1267 SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1268 return 0;
1269 }
1270
555cbb32
TS		 1271 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1272 || memcmp(data, s->s3.previous_server_finished,
1273 s->s3.previous_server_finished_len) != 0) {
f63a17d6
MC		 1274 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1275 SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1276 return 0;
1277 }
555cbb32 1278 s->s3.send_connection_binding = 1;
6dd083fd
MC		 1279
1280 return 1;
1281}
1282
cf72c757
F		 1283/* Parse the server's max fragment len extension packet */
1284int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1285 X509 *x, size_t chainidx)
cf72c757
F		 1286{
1287 unsigned int value;
1288
1289 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
56d36288 1290 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
f63a17d6 1291 SSL_R_BAD_EXTENSION);
cf72c757
F		 1292 return 0;
1293 }
1294
1295 /* |value| should contains a valid max-fragment-length code. */
1296 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6
MC		 1297 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1298 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
1299 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1300 return 0;
1301 }
1302
1303 /* Must be the same value as client-configured one who was sent to server */
1304 /*-
1305 * RFC 6066: if a client receives a maximum fragment length negotiation
1306 * response that differs from the length it requested, ...
1307 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1308 */
1309 if (value != s->ext.max_fragment_len_mode) {
f63a17d6
MC		 1310 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1311 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
1312 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1313 return 0;
1314 }
1315
1316 /*
1317 * Maximum Fragment Length Negotiation succeeded.
1318 * The negotiated Maximum Fragment Length is binding now.
1319 */
1320 s->session->ext.max_fragment_len_mode = value;
1321
1322 return 1;
1323}
1324
61138358 1325int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1326 X509 *x, size_t chainidx)
6dd083fd 1327{
fb34a0f4 1328 if (s->ext.hostname == NULL) {
f63a17d6
MC		 1329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1330 ERR_R_INTERNAL_ERROR);
fb34a0f4
MC		 1331 return 0;
1332 }
1333
1334 if (PACKET_remaining(pkt) > 0) {
f63a17d6
MC		 1335 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1336 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1337 return 0;
1338 }
1339
1340 if (!s->hit) {
aff8c126 1341 if (s->session->ext.hostname != NULL) {
f63a17d6
MC		 1342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1343 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1344 return 0;
1345 }
aff8c126
RS		 1346 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1347 if (s->session->ext.hostname == NULL) {
f63a17d6
MC		 1348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1349 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1350 return 0;
1351 }
1352 }
1353
1354 return 1;
1355}
1356
1357#ifndef OPENSSL_NO_EC
61138358 1358int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1359 X509 *x, size_t chainidx)
6dd083fd 1360{
848a950b 1361 size_t ecpointformats_len;
6dd083fd
MC		 1362 PACKET ecptformatlist;
1363
1364 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
f63a17d6
MC		 1365 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS,
1366 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1367 return 0;
1368 }
1369 if (!s->hit) {
aff8c126 1370 ecpointformats_len = PACKET_remaining(&ecptformatlist);
848a950b
MC		 1371 if (ecpointformats_len == 0) {
1372 SSLfatal(s, SSL_AD_DECODE_ERROR,
1373 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH);
1374 return 0;
1375 }
6dd083fd 1376
848a950b 1377 s->session->ext.ecpointformats_len = 0;
aff8c126
RS		 1378 OPENSSL_free(s->session->ext.ecpointformats);
1379 s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
1380 if (s->session->ext.ecpointformats == NULL) {
f63a17d6
MC		 1381 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1382 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1383 return 0;
1384 }
1385
aff8c126 1386 s->session->ext.ecpointformats_len = ecpointformats_len;
6dd083fd
MC		 1387
1388 if (!PACKET_copy_bytes(&ecptformatlist,
aff8c126
RS		 1389 s->session->ext.ecpointformats,
1390 ecpointformats_len)) {
f63a17d6
MC		 1391 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1392 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1393 return 0;
1394 }
1395 }
1396
1397 return 1;
1398}
1399#endif
1400
61138358 1401int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1402 X509 *x, size_t chainidx)
6dd083fd 1403{
aff8c126
RS		 1404 if (s->ext.session_ticket_cb != NULL &&
1405 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
1406 PACKET_remaining(pkt),
1407 s->ext.session_ticket_cb_arg)) {
f63a17d6
MC		 1408 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1409 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1410 return 0;
1411 }
1266eefd 1412
fb34a0f4 1413 if (!tls_use_ticket(s)) {
f63a17d6
MC		 1414 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
1415 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1416 return 0;
1417 }
fb34a0f4 1418 if (PACKET_remaining(pkt) > 0) {
f63a17d6
MC		 1419 SSLfatal(s, SSL_AD_DECODE_ERROR,
1420 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1421 return 0;
1422 }
1266eefd 1423
aff8c126 1424 s->ext.ticket_expected = 1;
6dd083fd
MC		 1425
1426 return 1;
1427}
1428
ab83e314 1429#ifndef OPENSSL_NO_OCSP
61138358 1430int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1431 X509 *x, size_t chainidx)
6dd083fd 1432{
5de683d2
MC		 1433 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1434 /* We ignore this if the server sends a CertificateRequest */
1435 /* TODO(TLS1.3): Add support for this */
1436 return 1;
1437 }
1438
6dd083fd 1439 /*
f63e4288
MC		 1440 * MUST only be sent if we've requested a status
1441 * request message. In TLS <= 1.2 it must also be empty.
6dd083fd 1442 */
fb34a0f4 1443 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
f63a17d6
MC		 1444 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
1445 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1446 return 0;
1447 }
fb34a0f4 1448 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
f63a17d6
MC		 1449 SSLfatal(s, SSL_AD_DECODE_ERROR,
1450 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1451 return 0;
1452 }
f63e4288
MC		 1453
1454 if (SSL_IS_TLS13(s)) {
1455 /* We only know how to handle this if it's for the first Certificate in
1ee4b98e 1456 * the chain. We ignore any other responses.
f63e4288 1457 */
8521ced6 1458 if (chainidx != 0)
f63e4288 1459 return 1;
f63a17d6
MC		 1460
1461 /* SSLfatal() already called */
1462 return tls_process_cert_status_body(s, pkt);
f63e4288
MC		 1463 }
1464
6dd083fd 1465 /* Set flag to expect CertificateStatus message */
aff8c126 1466 s->ext.status_expected = 1;
6dd083fd
MC		 1467
1468 return 1;
1469}
ab83e314 1470#endif
6dd083fd
MC		 1471
1472
1473#ifndef OPENSSL_NO_CT
61138358 1474int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1475 size_t chainidx)
6dd083fd 1476{
5de683d2
MC		 1477 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1478 /* We ignore this if the server sends it in a CertificateRequest */
1479 /* TODO(TLS1.3): Add support for this */
1480 return 1;
1481 }
1482
6dd083fd
MC		 1483 /*
1484 * Only take it if we asked for it - i.e if there is no CT validation
1485 * callback set, then a custom extension MAY be processing it, so we
1486 * need to let control continue to flow to that.
1487 */
1488 if (s->ct_validation_callback != NULL) {
1489 size_t size = PACKET_remaining(pkt);
1490
1491 /* Simply copy it off for later processing */
aff8c126
RS		 1492 OPENSSL_free(s->ext.scts);
1493 s->ext.scts = NULL;
1266eefd 1494
3a63c0ed 1495 s->ext.scts_len = (uint16_t)size;
6dd083fd 1496 if (size > 0) {
aff8c126
RS		 1497 s->ext.scts = OPENSSL_malloc(size);
1498 if (s->ext.scts == NULL
1499 || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
f63a17d6
MC		 1500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
1501 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1502 return 0;
1503 }
1504 }
1505 } else {
b186a592
MC		 1506 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1507 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1508
1509 /*
1510 * If we didn't ask for it then there must be a custom extension,
1511 * otherwise this is unsolicited.
1512 */
1513 if (custom_ext_find(&s->cert->custext, role,
1514 TLSEXT_TYPE_signed_certificate_timestamp,
1515 NULL) == NULL) {
f63a17d6
MC		 1516 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
1517 SSL_R_BAD_EXTENSION);
b186a592
MC		 1518 return 0;
1519 }
1520
f63a17d6 1521 if (!custom_ext_parse(s, context,
43ae5eed
MC		 1522 TLSEXT_TYPE_signed_certificate_timestamp,
1523 PACKET_data(pkt), PACKET_remaining(pkt),
f63a17d6
MC		 1524 x, chainidx)) {
1525 /* SSLfatal already called */
6dd083fd 1526 return 0;
f63a17d6 1527 }
6dd083fd
MC		 1528 }
1529
1530 return 1;
1531}
1532#endif
1533
1534
1535#ifndef OPENSSL_NO_NEXTPROTONEG
1536/*
1537 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1538 * elements of zero length are allowed and the set of elements must exactly
1539 * fill the length of the block. Returns 1 on success or 0 on failure.
1540 */
f63a17d6 1541static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
6dd083fd
MC		 1542{
1543 PACKET tmp_protocol;
1544
1545 while (PACKET_remaining(pkt)) {
1546 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
f63a17d6
MC		 1547 || PACKET_remaining(&tmp_protocol) == 0) {
1548 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
1549 SSL_R_BAD_EXTENSION);
6dd083fd 1550 return 0;
f63a17d6 1551 }
6dd083fd
MC		 1552 }
1553
1554 return 1;
1555}
1556
61138358 1557int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1558 size_t chainidx)
6dd083fd
MC		 1559{
1560 unsigned char *selected;
1561 unsigned char selected_len;
1562 PACKET tmppkt;
1563
1266eefd 1564 /* Check if we are in a renegotiation. If so ignore this extension */
c7f47786 1565 if (!SSL_IS_FIRST_HANDSHAKE(s))
6dd083fd
MC		 1566 return 1;
1567
1568 /* We must have requested it. */
aff8c126 1569 if (s->ctx->ext.npn_select_cb == NULL) {
f63a17d6
MC		 1570 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
1571 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1572 return 0;
1573 }
1266eefd 1574
6dd083fd
MC		 1575 /* The data must be valid */
1576 tmppkt = *pkt;
f63a17d6
MC		 1577 if (!ssl_next_proto_validate(s, &tmppkt)) {
1578 /* SSLfatal() already called */
6dd083fd
MC		 1579 return 0;
1580 }
aff8c126
RS		 1581 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1582 PACKET_data(pkt),
1583 PACKET_remaining(pkt),
1584 s->ctx->ext.npn_select_cb_arg) !=
6dd083fd 1585 SSL_TLSEXT_ERR_OK) {
f63a17d6
MC		 1586 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
1587 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1588 return 0;
1589 }
1266eefd 1590
6dd083fd
MC		 1591 /*
1592 * Could be non-NULL if server has sent multiple NPN extensions in
1593 * a single Serverhello
1594 */
aff8c126
RS		 1595 OPENSSL_free(s->ext.npn);
1596 s->ext.npn = OPENSSL_malloc(selected_len);
1597 if (s->ext.npn == NULL) {
f63a17d6
MC		 1598 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
1599 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1600 return 0;
1601 }
1602
aff8c126
RS		 1603 memcpy(s->ext.npn, selected, selected_len);
1604 s->ext.npn_len = selected_len;
555cbb32 1605 s->s3.npn_seen = 1;
6dd083fd
MC		 1606
1607 return 1;
1608}
1609#endif
1610
61138358 1611int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1612 size_t chainidx)
6dd083fd
MC		 1613{
1614 size_t len;
1615
1616 /* We must have requested it. */
555cbb32 1617 if (!s->s3.alpn_sent) {
f63a17d6
MC		 1618 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
1619 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1620 return 0;
1621 }
1622 /*-
1623 * The extension data consists of:
1624 * uint16 list_length
1625 * uint8 proto_length;
1626 * uint8 proto[proto_length];
1627 */
1628 if (!PACKET_get_net_2_len(pkt, &len)
1629 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1630 || PACKET_remaining(pkt) != len) {
f63a17d6
MC		 1631 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1632 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1633 return 0;
1634 }
555cbb32
TS		 1635 OPENSSL_free(s->s3.alpn_selected);
1636 s->s3.alpn_selected = OPENSSL_malloc(len);
1637 if (s->s3.alpn_selected == NULL) {
f63a17d6
MC		 1638 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1639 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1640 return 0;
1641 }
555cbb32 1642 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
f63a17d6
MC		 1643 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1644 SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1645 return 0;
1646 }
555cbb32 1647 s->s3.alpn_selected_len = len;
6dd083fd 1648
0ef28021
MC		 1649 if (s->session->ext.alpn_selected == NULL
1650 || s->session->ext.alpn_selected_len != len
555cbb32 1651 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
0ef28021 1652 != 0) {
4be3a7c7
MC		 1653 /* ALPN not consistent with the old session so cannot use early_data */
1654 s->ext.early_data_ok = 0;
1655 }
1656 if (!s->hit) {
9d5db9c9
MC		 1657 /*
1658 * This is a new session and so alpn_selected should have been
1659 * initialised to NULL. We should update it with the selected ALPN.
1660 */
1661 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1663 ERR_R_INTERNAL_ERROR);
1664 return 0;
1665 }
4be3a7c7 1666 s->session->ext.alpn_selected =
555cbb32 1667 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
4be3a7c7 1668 if (s->session->ext.alpn_selected == NULL) {
f63a17d6
MC		 1669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1670 ERR_R_INTERNAL_ERROR);
4be3a7c7
MC		 1671 return 0;
1672 }
555cbb32 1673 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
ae8d7d99
MC		 1674 }
1675
6dd083fd
MC		 1676 return 1;
1677}
1678
1679#ifndef OPENSSL_NO_SRTP
61138358 1680int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1681 size_t chainidx)
6dd083fd
MC		 1682{
1683 unsigned int id, ct, mki;
1684 int i;
1685 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1686 SRTP_PROTECTION_PROFILE *prof;
1687
1266eefd
MC		 1688 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1689 || !PACKET_get_net_2(pkt, &id)
1690 || !PACKET_get_1(pkt, &mki)
1691 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1692 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1693 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1694 return 0;
1695 }
1696
1697 if (mki != 0) {
1698 /* Must be no MKI, since we never offer one */
f63a17d6
MC		 1699 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1700 SSL_R_BAD_SRTP_MKI_VALUE);
6dd083fd
MC		 1701 return 0;
1702 }
1703
6dd083fd 1704 /* Throw an error if the server gave us an unsolicited extension */
1266eefd 1705 clnt = SSL_get_srtp_profiles(s);
6dd083fd 1706 if (clnt == NULL) {
f63a17d6
MC		 1707 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1708 SSL_R_NO_SRTP_PROFILES);
6dd083fd
MC		 1709 return 0;
1710 }
1711
1712 /*
1713 * Check to see if the server gave us something we support (and
1714 * presumably offered)
1715 */
1716 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1717 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1718
1719 if (prof->id == id) {
1720 s->srtp_profile = prof;
6dd083fd
MC		 1721 return 1;
1722 }
1723 }
1724
f63a17d6
MC		 1725 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1726 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1727 return 0;
1728}
1729#endif
1730
61138358 1731int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1732 size_t chainidx)
6dd083fd
MC		 1733{
1734 /* Ignore if inappropriate ciphersuite */
1735 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
555cbb32
TS		 1736 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1737 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4)
28a31a0a 1738 s->ext.use_etm = 1;
6dd083fd
MC		 1739
1740 return 1;
1741}
1742
61138358 1743int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1744 size_t chainidx)
6dd083fd 1745{
088dfa13
TS		 1746 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1747 return 1;
555cbb32 1748 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
6dd083fd
MC		 1749 if (!s->hit)
1750 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1751
1752 return 1;
1753}
1754
88050dd1
MC		 1755int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1756 X509 *x, size_t chainidx)
1757{
1758 unsigned int version;
1759
1760 if (!PACKET_get_net_2(pkt, &version)
1761 || PACKET_remaining(pkt) != 0) {
1762 SSLfatal(s, SSL_AD_DECODE_ERROR,
1763 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
1764 SSL_R_LENGTH_MISMATCH);
1765 return 0;
1766 }
1767
27e462f1
MC		 1768 /*
1769 * The only protocol version we support which is valid in this extension in
1770 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1771 */
1772 if (version != TLS1_3_VERSION) {
1773 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1774 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
1775 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1776 return 0;
1777 }
1778
426dfc9f 1779 /* We ignore this extension for HRRs except to sanity check it */
27e462f1 1780 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
426dfc9f 1781 return 1;
426dfc9f 1782
88050dd1
MC		 1783 /* We just set it here. We validate it in ssl_choose_client_version */
1784 s->version = version;
1785
1786 return 1;
1787}
1788
61138358 1789int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1790 size_t chainidx)
6dd083fd 1791{
3cf96e88 1792#ifndef OPENSSL_NO_TLS1_3
6dd083fd
MC		 1793 unsigned int group_id;
1794 PACKET encoded_pt;
555cbb32 1795 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
6dd083fd
MC		 1796
1797 /* Sanity check */
555cbb32 1798 if (ckey == NULL || s->s3.peer_tmp != NULL) {
f63a17d6
MC		 1799 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1800 ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1801 return 0;
1802 }
1803
1804 if (!PACKET_get_net_2(pkt, &group_id)) {
f63a17d6
MC		 1805 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1806 SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1807 return 0;
1808 }
1809
fe874d27 1810 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
f48d826e
DSH		 1811 const uint16_t *pgroups = NULL;
1812 size_t i, num_groups;
3847d426
MC		 1813
1814 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1815 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1816 SSL_R_LENGTH_MISMATCH);
3847d426
MC		 1817 return 0;
1818 }
1819
1820 /*
1821 * It is an error if the HelloRetryRequest wants a key_share that we
1822 * already sent in the first ClientHello
1823 */
555cbb32 1824 if (group_id == s->s3.group_id) {
f63a17d6
MC		 1825 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1826 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1827 return 0;
1828 }
1829
1830 /* Validate the selected group is one we support */
f48d826e
DSH		 1831 tls1_get_supported_groups(s, &pgroups, &num_groups);
1832 for (i = 0; i < num_groups; i++) {
1833 if (group_id == pgroups[i])
3847d426
MC		 1834 break;
1835 }
f48d826e 1836 if (i >= num_groups
9e84a42d 1837 || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
f63a17d6
MC		 1838 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1839 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1840 return 0;
1841 }
1842
555cbb32
TS		 1843 s->s3.group_id = group_id;
1844 EVP_PKEY_free(s->s3.tmp.pkey);
1845 s->s3.tmp.pkey = NULL;
3847d426
MC		 1846 return 1;
1847 }
1848
555cbb32 1849 if (group_id != s->s3.group_id) {
6dd083fd
MC		 1850 /*
1851 * This isn't for the group that we sent in the original
1852 * key_share!
1853 */
f63a17d6
MC		 1854 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1855 SSL_R_BAD_KEY_SHARE);
6dd083fd
MC		 1856 return 0;
1857 }
1858
1859 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1860 || PACKET_remaining(&encoded_pt) == 0) {
f63a17d6
MC		 1861 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1862 SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1863 return 0;
1864 }
1865
1866 skey = ssl_generate_pkey(ckey);
1867 if (skey == NULL) {
f63a17d6
MC		 1868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1869 ERR_R_MALLOC_FAILURE);
6dd083fd
MC		 1870 return 0;
1871 }
1872 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
1873 PACKET_remaining(&encoded_pt))) {
f63a17d6
MC		 1874 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1875 SSL_R_BAD_ECPOINT);
a1d6a0b6 1876 EVP_PKEY_free(skey);
6dd083fd
MC		 1877 return 0;
1878 }
1879
1880 if (ssl_derive(s, ckey, skey, 1) == 0) {
f63a17d6 1881 /* SSLfatal() already called */
6dd083fd
MC		 1882 EVP_PKEY_free(skey);
1883 return 0;
1884 }
555cbb32 1885 s->s3.peer_tmp = skey;
3cf96e88 1886#endif
6dd083fd
MC		 1887
1888 return 1;
1889}
4ff65f77 1890
cfef5027 1891int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1892 size_t chainidx)
cfef5027
MC		 1893{
1894 PACKET cookie;
1895
1896 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1897 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1898 &s->ext.tls13_cookie_len)) {
f63a17d6
MC		 1899 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
1900 SSL_R_LENGTH_MISMATCH);
cfef5027
MC		 1901 return 0;
1902 }
1903
1904 return 1;
1905}
1906
38df5a45 1907int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1908 X509 *x, size_t chainidx)
38df5a45 1909{
fe874d27 1910 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f
MC		 1911 unsigned long max_early_data;
1912
1913 if (!PACKET_get_net_4(pkt, &max_early_data)
1914 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1916 SSL_R_INVALID_MAX_EARLY_DATA);
6594189f
MC		 1917 return 0;
1918 }
1919
1920 s->session->ext.max_early_data = max_early_data;
1921
1922 return 1;
1923 }
1924
38df5a45 1925 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1926 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1927 SSL_R_BAD_EXTENSION);
38df5a45
MC		 1928 return 0;
1929 }
1930
4be3a7c7 1931 if (!s->ext.early_data_ok
c96ce52c 1932 || !s->hit) {
38df5a45
MC		 1933 /*
1934 * If we get here then we didn't send early data, or we didn't resume
4be3a7c7
MC		 1935 * using the first identity, or the SNI/ALPN is not consistent so the
1936 * server should not be accepting it.
38df5a45 1937 */
f63a17d6
MC		 1938 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1939 SSL_R_BAD_EXTENSION);
38df5a45
MC		 1940 return 0;
1941 }
1942
1943 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1944
1945 return 1;
1946}
1947
61138358 1948int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1949 size_t chainidx)
4ff65f77
MC		 1950{
1951#ifndef OPENSSL_NO_TLS1_3
1952 unsigned int identity;
1953
1954 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1955 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
1956 SSL_R_LENGTH_MISMATCH);
4ff65f77
MC		 1957 return 0;
1958 }
1959
c96ce52c
MC		 1960 if (identity >= (unsigned int)s->ext.tick_identity) {
1961 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
1962 SSL_R_BAD_PSK_IDENTITY);
1963 return 0;
1964 }
1965
1966 /*
1967 * Session resumption tickets are always sent before PSK tickets. If the
1968 * ticket index is 0 then it must be for a session resumption ticket if we
1969 * sent two tickets, or if we didn't send a PSK ticket.
1970 */
1971 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
9368f865
MC		 1972 s->hit = 1;
1973 SSL_SESSION_free(s->psksession);
1974 s->psksession = NULL;
1975 return 1;
1976 }
1977
c96ce52c
MC		 1978 if (s->psksession == NULL) {
1979 /* Should never happen */
1980 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
1981 ERR_R_INTERNAL_ERROR);
4ff65f77
MC		 1982 return 0;
1983 }
1984
add8d0e9
MC		 1985 /*
1986 * If we used the external PSK for sending early_data then s->early_secret
1987 * is already set up, so don't overwrite it. Otherwise we copy the
1988 * early_secret across that we generated earlier.
1989 */
1990 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
1991 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
1992 || s->session->ext.max_early_data > 0
1993 || s->psksession->ext.max_early_data == 0)
1994 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
1995
9368f865
MC		 1996 SSL_SESSION_free(s->session);
1997 s->session = s->psksession;
1998 s->psksession = NULL;
4ff65f77 1999 s->hit = 1;
c96ce52c
MC		 2000 /* Early data is only allowed if we used the first ticket */
2001 if (identity != 0)
2002 s->ext.early_data_ok = 0;
4ff65f77
MC		 2003#endif
2004
2005 return 1;
2006}
A mirror of the official openssl repository