]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
In OpenSSL builds, declare STACK for datatypes ...
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
852c2ed2
RS		 15DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
16DEFINE_STACK_OF(OCSP_RESPID)
17DEFINE_STACK_OF(X509_EXTENSION)
18
43054d3d
MC		 19#define COOKIE_STATE_FORMAT_VERSION 0
20
21/*
22 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
23 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
d0debc0a
MC		 24 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
25 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
26 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 27 */
d0debc0a 28#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 29 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
30
31/*
32 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 33 * + 1 byte for legacy session id length + number of bytes in legacy session id
34 * + 2 bytes for ciphersuite + 1 byte for legacy compression
35 * + 2 bytes for extension block length + 6 bytes for key_share extension
36 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 37 */
97ea1e7f 38#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 39 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
40 + MAX_COOKIE_SIZE)
25670f3e
MC		 41
42/*
43 * Parse the client's renegotiation binding and abort if it's not right
44 */
61138358 45int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 46 X509 *x, size_t chainidx)
25670f3e
MC		 47{
48 unsigned int ilen;
49 const unsigned char *data;
50
51 /* Parse the length byte */
52 if (!PACKET_get_1(pkt, &ilen)
53 || !PACKET_get_bytes(pkt, &data, ilen)) {
f63a17d6
MC		 54 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
55 SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 56 return 0;
57 }
58
59 /* Check that the extension matches */
555cbb32 60 if (ilen != s->s3.previous_client_finished_len) {
f63a17d6
MC		 61 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
62 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 63 return 0;
64 }
65
555cbb32
TS		 66 if (memcmp(data, s->s3.previous_client_finished,
67 s->s3.previous_client_finished_len)) {
f63a17d6
MC		 68 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
69 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 70 return 0;
71 }
72
555cbb32 73 s->s3.send_connection_binding = 1;
25670f3e
MC		 74
75 return 1;
76}
77
1266eefd
MC		 78/*-
79 * The servername extension is treated as follows:
80 *
81 * - Only the hostname type is supported with a maximum length of 255.
82 * - The servername is rejected if too long or if it contains zeros,
83 * in which case an fatal alert is generated.
84 * - The servername field is maintained together with the session cache.
85 * - When a session is resumed, the servername call back invoked in order
86 * to allow the application to position itself to the right context.
87 * - The servername is acknowledged if it is new for a session or when
88 * it is identical to a previously used for the same session.
89 * Applications can control the behaviour. They can at any time
90 * set a 'desirable' servername for a new SSL object. This can be the
91 * case for example with HTTPS when a Host: header field is received and
92 * a renegotiation is requested. In this case, a possible servername
93 * presented in the new client hello is only acknowledged if it matches
94 * the value of the Host: field.
95 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
96 * if they provide for changing an explicit servername context for the
97 * session, i.e. when the session has been established with a servername
98 * extension.
99 * - On session reconnect, the servername extension may be absent.
100 */
61138358 101int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 102 X509 *x, size_t chainidx)
25670f3e
MC		 103{
104 unsigned int servname_type;
105 PACKET sni, hostname;
106
25670f3e
MC		 107 if (!PACKET_as_length_prefixed_2(pkt, &sni)
108 /* ServerNameList must be at least 1 byte long. */
109 || PACKET_remaining(&sni) == 0) {
f63a17d6
MC		 110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
111 SSL_R_BAD_EXTENSION);
25670f3e
MC		 112 return 0;
113 }
114
115 /*
44e69951
F		 116 * Although the intent was for server_name to be extensible, RFC 4366
117 * was not clear about it; and so OpenSSL among other implementations,
118 * always and only allows a 'host_name' name types.
25670f3e
MC		 119 * RFC 6066 corrected the mistake but adding new name types
120 * is nevertheless no longer feasible, so act as if no other
121 * SNI types can exist, to simplify parsing.
122 *
123 * Also note that the RFC permits only one SNI value per type,
124 * i.e., we can only have a single hostname.
125 */
126 if (!PACKET_get_1(&sni, &servname_type)
127 || servname_type != TLSEXT_NAMETYPE_host_name
128 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
f63a17d6
MC		 129 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
130 SSL_R_BAD_EXTENSION);
25670f3e
MC		 131 return 0;
132 }
133
7955c1f1
MC		 134 /*
135 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
136 * we always use the SNI value from the handshake.
137 */
1c4aa31d 138 if (!s->hit || SSL_IS_TLS13(s)) {
25670f3e 139 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
f63a17d6
MC		 140 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
141 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
142 SSL_R_BAD_EXTENSION);
25670f3e
MC		 143 return 0;
144 }
145
146 if (PACKET_contains_zero_byte(&hostname)) {
f63a17d6
MC		 147 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
148 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 SSL_R_BAD_EXTENSION);
25670f3e
MC		 150 return 0;
151 }
152
1c4aa31d
BK		 153 /*
154 * Store the requested SNI in the SSL as temporary storage.
155 * If we accept it, it will get stored in the SSL_SESSION as well.
156 */
157 OPENSSL_free(s->ext.hostname);
158 s->ext.hostname = NULL;
159 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
f63a17d6
MC		 160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
161 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 162 return 0;
163 }
164
165 s->servername_done = 1;
7955c1f1
MC		 166 } else {
167 /*
168 * In TLSv1.2 and below we should check if the SNI is consistent between
169 * the initial handshake and the resumption. In TLSv1.3 SNI is not
170 * associated with the session.
171 */
25670f3e
MC		 172 /*
173 * TODO(openssl-team): if the SNI doesn't match, we MUST
174 * fall back to a full handshake.
175 */
1c4aa31d 176 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 177 && PACKET_equal(&hostname, s->session->ext.hostname,
178 strlen(s->session->ext.hostname));
25670f3e
MC		 179 }
180
181 return 1;
182}
183
cf72c757 184int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 185 X509 *x, size_t chainidx)
cf72c757
F		 186{
187 unsigned int value;
188
189 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
f63a17d6
MC		 190 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
191 SSL_R_BAD_EXTENSION);
cf72c757
F		 192 return 0;
193 }
194
195 /* Received |value| should be a valid max-fragment-length code. */
196 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6
MC		 197 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
198 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
199 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 200 return 0;
201 }
202
203 /*
204 * RFC 6066: The negotiated length applies for the duration of the session
205 * including session resumptions.
206 * We should receive the same code as in resumed session !
207 */
208 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6
MC		 209 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
210 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
211 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 212 return 0;
213 }
214
215 /*
216 * Store it in session, so it'll become binding for us
217 * and we'll include it in a next Server Hello.
218 */
219 s->session->ext.max_fragment_len_mode = value;
220 return 1;
221}
222
25670f3e 223#ifndef OPENSSL_NO_SRP
61138358 224int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 225 size_t chainidx)
25670f3e
MC		 226{
227 PACKET srp_I;
228
229 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
230 || PACKET_contains_zero_byte(&srp_I)) {
f63a17d6
MC		 231 SSLfatal(s, SSL_AD_DECODE_ERROR,
232 SSL_F_TLS_PARSE_CTOS_SRP,
233 SSL_R_BAD_EXTENSION);
25670f3e
MC		 234 return 0;
235 }
236
237 /*
238 * TODO(openssl-team): currently, we re-authenticate the user
239 * upon resumption. Instead, we MUST ignore the login.
240 */
241 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
f63a17d6
MC		 242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
243 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 244 return 0;
245 }
246
247 return 1;
248}
249#endif
250
251#ifndef OPENSSL_NO_EC
61138358 252int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 253 X509 *x, size_t chainidx)
25670f3e
MC		 254{
255 PACKET ec_point_format_list;
256
257 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
258 || PACKET_remaining(&ec_point_format_list) == 0) {
f63a17d6
MC		 259 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
260 SSL_R_BAD_EXTENSION);
25670f3e
MC		 261 return 0;
262 }
263
264 if (!s->hit) {
265 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 266 &s->ext.peer_ecpointformats,
267 &s->ext.peer_ecpointformats_len)) {
f63a17d6
MC		 268 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
269 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 270 return 0;
271 }
272 }
273
274 return 1;
275}
276#endif /* OPENSSL_NO_EC */
277
61138358 278int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 279 X509 *x, size_t chainidx)
25670f3e 280{
aff8c126
RS		 281 if (s->ext.session_ticket_cb &&
282 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
283 PACKET_remaining(pkt),
284 s->ext.session_ticket_cb_arg)) {
f63a17d6
MC		 285 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
286 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 287 return 0;
288 }
289
290 return 1;
291}
292
c589c34e
BK		 293int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
294 X509 *x, size_t chainidx)
295{
296 PACKET supported_sig_algs;
297
298 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
299 || PACKET_remaining(&supported_sig_algs) == 0) {
300 SSLfatal(s, SSL_AD_DECODE_ERROR,
301 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
302 return 0;
303 }
304
305 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
306 SSLfatal(s, SSL_AD_DECODE_ERROR,
307 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
308 return 0;
309 }
310
311 return 1;
312}
313
61138358 314int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 315 size_t chainidx)
25670f3e
MC		 316{
317 PACKET supported_sig_algs;
318
319 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 320 || PACKET_remaining(&supported_sig_algs) == 0) {
f63a17d6
MC		 321 SSLfatal(s, SSL_AD_DECODE_ERROR,
322 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 323 return 0;
324 }
325
c589c34e 326 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
f63a17d6
MC		 327 SSLfatal(s, SSL_AD_DECODE_ERROR,
328 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 329 return 0;
330 }
331
332 return 1;
333}
334
ab83e314 335#ifndef OPENSSL_NO_OCSP
61138358 336int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 337 X509 *x, size_t chainidx)
25670f3e 338{
1266eefd
MC		 339 PACKET responder_id_list, exts;
340
ded4a83d
MC		 341 /* We ignore this in a resumption handshake */
342 if (s->hit)
343 return 1;
344
e96e0f8e
MC		 345 /* Not defined if we get one of these in a client Certificate */
346 if (x != NULL)
347 return 1;
348
aff8c126 349 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
f63a17d6
MC		 350 SSLfatal(s, SSL_AD_DECODE_ERROR,
351 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
25670f3e
MC		 352 return 0;
353 }
ab83e314 354
aff8c126 355 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 356 /*
1266eefd 357 * We don't know what to do with any other type so ignore it.
25670f3e 358 */
aff8c126 359 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 360 return 1;
361 }
25670f3e 362
1266eefd 363 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
f63a17d6
MC		 364 SSLfatal(s, SSL_AD_DECODE_ERROR,
365 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 366 return 0;
367 }
25670f3e 368
1266eefd
MC		 369 /*
370 * We remove any OCSP_RESPIDs from a previous handshake
371 * to prevent unbounded memory growth - CVE-2016-6304
372 */
aff8c126 373 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 374 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 375 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
376 if (s->ext.ocsp.ids == NULL) {
f63a17d6
MC		 377 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
378 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 379 return 0;
380 }
381 } else {
aff8c126 382 s->ext.ocsp.ids = NULL;
1266eefd 383 }
25670f3e 384
1266eefd
MC		 385 while (PACKET_remaining(&responder_id_list) > 0) {
386 OCSP_RESPID *id;
387 PACKET responder_id;
388 const unsigned char *id_data;
25670f3e 389
1266eefd
MC		 390 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
391 || PACKET_remaining(&responder_id) == 0) {
f63a17d6
MC		 392 SSLfatal(s, SSL_AD_DECODE_ERROR,
393 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 394 return 0;
395 }
25670f3e 396
1266eefd
MC		 397 id_data = PACKET_data(&responder_id);
398 /* TODO(size_t): Convert d2i_* to size_t */
399 id = d2i_OCSP_RESPID(NULL, &id_data,
400 (int)PACKET_remaining(&responder_id));
401 if (id == NULL) {
f63a17d6
MC		 402 SSLfatal(s, SSL_AD_DECODE_ERROR,
403 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 404 return 0;
25670f3e
MC		 405 }
406
1266eefd
MC		 407 if (id_data != PACKET_end(&responder_id)) {
408 OCSP_RESPID_free(id);
f63a17d6
MC		 409 SSLfatal(s, SSL_AD_DECODE_ERROR,
410 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
411
25670f3e
MC		 412 return 0;
413 }
414
aff8c126 415 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 416 OCSP_RESPID_free(id);
f63a17d6
MC		 417 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
418 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
419
1266eefd
MC		 420 return 0;
421 }
422 }
423
424 /* Read in request_extensions */
425 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
f63a17d6
MC		 426 SSLfatal(s, SSL_AD_DECODE_ERROR,
427 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 428 return 0;
429 }
430
431 if (PACKET_remaining(&exts) > 0) {
432 const unsigned char *ext_data = PACKET_data(&exts);
433
aff8c126 434 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 435 X509_EXTENSION_free);
aff8c126 436 s->ext.ocsp.exts =
1266eefd 437 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 438 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
f63a17d6
MC		 439 SSLfatal(s, SSL_AD_DECODE_ERROR,
440 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 441 return 0;
25670f3e 442 }
25670f3e
MC		 443 }
444
445 return 1;
446}
ab83e314 447#endif
25670f3e
MC		 448
449#ifndef OPENSSL_NO_NEXTPROTONEG
61138358 450int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 451 size_t chainidx)
25670f3e 452{
1266eefd
MC		 453 /*
454 * We shouldn't accept this extension on a
455 * renegotiation.
1266eefd 456 */
c7f47786 457 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 458 s->s3.npn_seen = 1;
25670f3e
MC		 459
460 return 1;
461}
462#endif
463
464/*
1266eefd 465 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 466 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 467 */
61138358 468int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 469 size_t chainidx)
25670f3e
MC		 470{
471 PACKET protocol_list, save_protocol_list, protocol;
472
c7f47786 473 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 474 return 1;
475
476 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
477 || PACKET_remaining(&protocol_list) < 2) {
f63a17d6
MC		 478 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
479 SSL_R_BAD_EXTENSION);
25670f3e
MC		 480 return 0;
481 }
482
483 save_protocol_list = protocol_list;
484 do {
485 /* Protocol names can't be empty. */
486 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
487 || PACKET_remaining(&protocol) == 0) {
f63a17d6
MC		 488 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
489 SSL_R_BAD_EXTENSION);
25670f3e
MC		 490 return 0;
491 }
492 } while (PACKET_remaining(&protocol_list) != 0);
493
555cbb32
TS		 494 OPENSSL_free(s->s3.alpn_proposed);
495 s->s3.alpn_proposed = NULL;
496 s->s3.alpn_proposed_len = 0;
25670f3e 497 if (!PACKET_memdup(&save_protocol_list,
555cbb32 498 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
f63a17d6
MC		 499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
500 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 501 return 0;
502 }
503
504 return 1;
505}
506
507#ifndef OPENSSL_NO_SRTP
61138358 508int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 509 size_t chainidx)
25670f3e 510{
25670f3e
MC		 511 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
512 unsigned int ct, mki_len, id;
513 int i, srtp_pref;
514 PACKET subpkt;
515
516 /* Ignore this if we have no SRTP profiles */
517 if (SSL_get_srtp_profiles(s) == NULL)
518 return 1;
519
520 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 521 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
522 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
f63a17d6 523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e 524 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 525 return 0;
526 }
527
528 srvr = SSL_get_srtp_profiles(s);
529 s->srtp_profile = NULL;
530 /* Search all profiles for a match initially */
531 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
532
533 while (PACKET_remaining(&subpkt)) {
534 if (!PACKET_get_net_2(&subpkt, &id)) {
f63a17d6
MC		 535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
536 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 537 return 0;
538 }
539
540 /*
541 * Only look for match in profiles of higher preference than
542 * current match.
543 * If no profiles have been have been configured then this
544 * does nothing.
545 */
546 for (i = 0; i < srtp_pref; i++) {
d270de32 547 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 548 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
549
25670f3e
MC		 550 if (sprof->id == id) {
551 s->srtp_profile = sprof;
552 srtp_pref = i;
553 break;
554 }
555 }
556 }
557
1266eefd 558 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 559 if (!PACKET_get_1(pkt, &mki_len)) {
f63a17d6
MC		 560 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
561 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 562 return 0;
563 }
564
565 if (!PACKET_forward(pkt, mki_len)
566 || PACKET_remaining(pkt)) {
f63a17d6
MC		 567 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
568 SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 569 return 0;
570 }
571
572 return 1;
573}
574#endif
575
61138358 576int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 577 size_t chainidx)
25670f3e
MC		 578{
579 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 580 s->ext.use_etm = 1;
25670f3e
MC		 581
582 return 1;
583}
584
b2f7e8c0
MC		 585/*
586 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
587 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 588 */
61138358 589int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 590 X509 *x, size_t chainidx)
b2f7e8c0
MC		 591{
592#ifndef OPENSSL_NO_TLS1_3
593 PACKET psk_kex_modes;
594 unsigned int mode;
595
596 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
597 || PACKET_remaining(&psk_kex_modes) == 0) {
f63a17d6
MC		 598 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
599 SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 600 return 0;
601 }
602
603 while (PACKET_get_1(&psk_kex_modes, &mode)) {
604 if (mode == TLSEXT_KEX_MODE_KE_DHE)
605 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 606 else if (mode == TLSEXT_KEX_MODE_KE
607 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 608 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
609 }
610#endif
611
612 return 1;
613}
614
25670f3e
MC		 615/*
616 * Process a key_share extension received in the ClientHello. |pkt| contains
617 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 618 */
61138358 619int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 620 size_t chainidx)
25670f3e 621{
3cf96e88 622#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 623 unsigned int group_id;
624 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 625 const uint16_t *clntgroups, *srvrgroups;
626 size_t clnt_num_groups, srvr_num_groups;
43b95d73 627 int found = 0;
25670f3e 628
f4bbb37c 629 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 630 return 1;
631
632 /* Sanity check */
555cbb32 633 if (s->s3.peer_tmp != NULL) {
f63a17d6
MC		 634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
635 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 636 return 0;
637 }
638
639 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
f63a17d6
MC		 640 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
641 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 642 return 0;
643 }
644
f48d826e
DSH		 645 /* Get our list of supported groups */
646 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
647 /* Get the clients list of supported groups. */
648 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
649 if (clnt_num_groups == 0) {
b6fdc12d
MC		 650 /*
651 * This can only happen if the supported_groups extension was not sent,
652 * because we verify that the length is non-zero when we process that
653 * extension.
654 */
f63a17d6
MC		 655 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
656 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 657 return 0;
658 }
25670f3e 659
555cbb32 660 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 661 /*
662 * If we set a group_id already, then we must have sent an HRR
663 * requesting a new key_share. If we haven't got one then that is an
664 * error
665 */
666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
667 SSL_R_BAD_KEY_SHARE);
668 return 0;
669 }
670
25670f3e
MC		 671 while (PACKET_remaining(&key_share_list) > 0) {
672 if (!PACKET_get_net_2(&key_share_list, &group_id)
673 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
674 || PACKET_remaining(&encoded_pt) == 0) {
f63a17d6
MC		 675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
676 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 677 return 0;
678 }
679
680 /*
681 * If we already found a suitable key_share we loop through the
682 * rest to verify the structure, but don't process them.
683 */
684 if (found)
685 continue;
686
43054d3d
MC		 687 /*
688 * If we sent an HRR then the key_share sent back MUST be for the group
689 * we requested, and must be the only key_share sent.
690 */
555cbb32
TS		 691 if (s->s3.group_id != 0
692 && (group_id != s->s3.group_id
43054d3d
MC		 693 || PACKET_remaining(&key_share_list) != 0)) {
694 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
695 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
696 return 0;
697 }
698
25670f3e 699 /* Check if this share is in supported_groups sent from client */
f48d826e 700 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
f63a17d6
MC		 701 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
702 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 703 return 0;
704 }
705
706 /* Check if this share is for a group we can use */
f48d826e 707 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 708 /* Share not suitable */
709 continue;
710 }
711
ada66e78 712 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
f63a17d6 713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 714 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
715 return 0;
716 }
717
afce590b
RL		 718 /*
719 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
720 * knows how to get a key from an encoded point with the help of
721 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
722 * downgrades an EVP_PKEY to contain a legacy key.
723 *
724 * THIS IS TEMPORARY
725 */
726 EVP_PKEY_get0(s->s3.peer_tmp);
727 if (EVP_PKEY_id(s->s3.peer_tmp) == EVP_PKEY_NONE) {
728 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
729 ERR_R_INTERNAL_ERROR);
730 return 0;
731 }
732
555cbb32 733 s->s3.group_id = group_id;
25670f3e 734
555cbb32 735 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
25670f3e
MC		 736 PACKET_data(&encoded_pt),
737 PACKET_remaining(&encoded_pt))) {
f63a17d6
MC		 738 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
739 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 740 return 0;
741 }
742
743 found = 1;
744 }
3cf96e88 745#endif
25670f3e
MC		 746
747 return 1;
748}
749
43054d3d
MC		 750int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
751 size_t chainidx)
752{
1aac20f5 753#ifndef OPENSSL_NO_TLS1_3
dd77962e 754 unsigned int format, version, key_share, group_id;
43054d3d
MC		 755 EVP_MD_CTX *hctx;
756 EVP_PKEY *pkey;
757 PACKET cookie, raw, chhash, appcookie;
758 WPACKET hrrpkt;
759 const unsigned char *data, *mdin, *ciphdata;
760 unsigned char hmac[SHA256_DIGEST_LENGTH];
761 unsigned char hrr[MAX_HRR_SIZE];
762 size_t rawlen, hmaclen, hrrlen, ciphlen;
d0debc0a 763 unsigned long tm, now;
43054d3d
MC		 764
765 /* Ignore any cookie if we're not set up to verify it */
3fa2812f 766 if (s->ctx->verify_stateless_cookie_cb == NULL
555cbb32 767 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 768 return 1;
769
770 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
771 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
772 SSL_R_LENGTH_MISMATCH);
773 return 0;
774 }
775
776 raw = cookie;
777 data = PACKET_data(&raw);
778 rawlen = PACKET_remaining(&raw);
779 if (rawlen < SHA256_DIGEST_LENGTH
780 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
781 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
782 SSL_R_LENGTH_MISMATCH);
783 return 0;
784 }
785 mdin = PACKET_data(&raw);
786
787 /* Verify the HMAC of the cookie */
788 hctx = EVP_MD_CTX_create();
f929439f
MC		 789 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
790 s->session_ctx->ext.cookie_hmac_key,
791 sizeof(s->session_ctx->ext
792 .cookie_hmac_key));
43054d3d
MC		 793 if (hctx == NULL || pkey == NULL) {
794 EVP_MD_CTX_free(hctx);
795 EVP_PKEY_free(pkey);
796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
797 ERR_R_MALLOC_FAILURE);
798 return 0;
799 }
800
97ea1e7f 801 hmaclen = SHA256_DIGEST_LENGTH;
fc69f32c
MC		 802 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
803 s->ctx->libctx) <= 0
97ea1e7f
MC		 804 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
805 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 806 || hmaclen != SHA256_DIGEST_LENGTH) {
807 EVP_MD_CTX_free(hctx);
808 EVP_PKEY_free(pkey);
809 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
810 ERR_R_INTERNAL_ERROR);
811 return 0;
812 }
813
814 EVP_MD_CTX_free(hctx);
815 EVP_PKEY_free(pkey);
816
817 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
818 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
819 SSL_R_COOKIE_MISMATCH);
820 return 0;
821 }
822
823 if (!PACKET_get_net_2(&cookie, &format)) {
824 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
825 SSL_R_LENGTH_MISMATCH);
826 return 0;
827 }
828 /* Check the cookie format is something we recognise. Ignore it if not */
829 if (format != COOKIE_STATE_FORMAT_VERSION)
830 return 1;
831
832 /*
833 * The rest of these checks really shouldn't fail since we have verified the
834 * HMAC above.
835 */
836
837 /* Check the version number is sane */
838 if (!PACKET_get_net_2(&cookie, &version)) {
839 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
840 SSL_R_LENGTH_MISMATCH);
841 return 0;
842 }
843 if (version != TLS1_3_VERSION) {
844 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
845 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
846 return 0;
847 }
848
dd77962e 849 if (!PACKET_get_net_2(&cookie, &group_id)) {
43054d3d
MC		 850 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
851 SSL_R_LENGTH_MISMATCH);
852 return 0;
853 }
dd77962e 854
43054d3d
MC		 855 ciphdata = PACKET_data(&cookie);
856 if (!PACKET_forward(&cookie, 2)) {
857 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
858 SSL_R_LENGTH_MISMATCH);
859 return 0;
860 }
555cbb32
TS		 861 if (group_id != s->s3.group_id
862 || s->s3.tmp.new_cipher
dd77962e
MC		 863 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
864 /*
865 * We chose a different cipher or group id this time around to what is
866 * in the cookie. Something must have changed.
867 */
868 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 SSL_R_BAD_CIPHER);
43054d3d
MC		 870 return 0;
871 }
872
873 if (!PACKET_get_1(&cookie, &key_share)
d0debc0a 874 || !PACKET_get_net_4(&cookie, &tm)
43054d3d
MC		 875 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
876 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
877 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
878 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
879 SSL_R_LENGTH_MISMATCH);
880 return 0;
881 }
882
d0debc0a
MC		 883 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
884 now = (unsigned long)time(NULL);
885 if (tm > now || (now - tm) > 600) {
886 /* Cookie is stale. Ignore it */
887 return 1;
888 }
889
43054d3d 890 /* Verify the app cookie */
3fa2812f 891 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
43054d3d
MC		 892 PACKET_remaining(&appcookie)) == 0) {
893 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
894 SSL_R_COOKIE_MISMATCH);
895 return 0;
896 }
897
898 /*
899 * Reconstruct the HRR that we would have sent in response to the original
900 * ClientHello so we can add it to the transcript hash.
901 * Note: This won't work with custom HRR extensions
902 */
903 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
905 ERR_R_INTERNAL_ERROR);
906 return 0;
907 }
908 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
909 || !WPACKET_start_sub_packet_u24(&hrrpkt)
910 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
911 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
912 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
913 s->tmp_session_id_len)
555cbb32 914 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
43054d3d
MC		 915 &ciphlen)
916 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
917 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
918 WPACKET_cleanup(&hrrpkt);
919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
920 ERR_R_INTERNAL_ERROR);
921 return 0;
922 }
923 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
924 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 925 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 926 || !WPACKET_close(&hrrpkt)) {
927 WPACKET_cleanup(&hrrpkt);
928 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
929 ERR_R_INTERNAL_ERROR);
930 return 0;
931 }
932 if (key_share) {
933 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
934 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 935 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 936 || !WPACKET_close(&hrrpkt)) {
937 WPACKET_cleanup(&hrrpkt);
938 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
939 ERR_R_INTERNAL_ERROR);
940 return 0;
941 }
942 }
943 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
944 || !WPACKET_start_sub_packet_u16(&hrrpkt)
945 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
946 || !WPACKET_close(&hrrpkt) /* cookie extension */
947 || !WPACKET_close(&hrrpkt) /* extension block */
948 || !WPACKET_close(&hrrpkt) /* message */
949 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
950 || !WPACKET_finish(&hrrpkt)) {
951 WPACKET_cleanup(&hrrpkt);
952 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
953 ERR_R_INTERNAL_ERROR);
954 return 0;
955 }
956
957 /* Reconstruct the transcript hash */
958 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
959 PACKET_remaining(&chhash), hrr,
960 hrrlen)) {
961 /* SSLfatal() already called */
962 return 0;
963 }
964
965 /* Act as if this ClientHello came after a HelloRetryRequest */
966 s->hello_retry_request = 1;
967
c36001c3 968 s->ext.cookieok = 1;
1aac20f5 969#endif
c36001c3 970
43054d3d
MC		 971 return 1;
972}
973
dbc6268f 974#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
61138358 975int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 976 X509 *x, size_t chainidx)
25670f3e
MC		 977{
978 PACKET supported_groups_list;
979
980 /* Each group is 2 bytes and we must have at least 1. */
981 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
982 || PACKET_remaining(&supported_groups_list) == 0
983 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
f63a17d6
MC		 984 SSLfatal(s, SSL_AD_DECODE_ERROR,
985 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 986 return 0;
987 }
988
e3743355 989 if (!s->hit || SSL_IS_TLS13(s)) {
45436e61
MC		 990 OPENSSL_free(s->ext.peer_supportedgroups);
991 s->ext.peer_supportedgroups = NULL;
992 s->ext.peer_supportedgroups_len = 0;
9e84a42d 993 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 994 &s->ext.peer_supportedgroups,
995 &s->ext.peer_supportedgroups_len)) {
f63a17d6
MC		 996 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
997 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
998 ERR_R_INTERNAL_ERROR);
e3743355
BK		 999 return 0;
1000 }
25670f3e
MC		 1001 }
1002
1003 return 1;
1004}
1005#endif
1006
61138358 1007int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1008 size_t chainidx)
25670f3e
MC		 1009{
1010 /* The extension must always be empty */
1011 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1012 SSLfatal(s, SSL_AD_DECODE_ERROR,
1013 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 1014 return 0;
1015 }
1016
088dfa13
TS		 1017 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1018 return 1;
1019
555cbb32 1020 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 1021
1022 return 1;
1023}
7da160b0 1024
38df5a45
MC		 1025
1026int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 1027 X509 *x, size_t chainidx)
38df5a45
MC		 1028{
1029 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1030 SSLfatal(s, SSL_AD_DECODE_ERROR,
1031 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
38df5a45
MC		 1032 return 0;
1033 }
1034
fc7129dc 1035 if (s->hello_retry_request != SSL_HRR_NONE) {
f63a17d6
MC		 1036 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1037 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 1038 return 0;
1039 }
1040
38df5a45
MC		 1041 return 1;
1042}
1043
6cc0b3c2
MC		 1044static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1045 SSL_SESSION **sess)
1046{
1047 SSL_SESSION *tmpsess = NULL;
1048
5f26ddff
MC		 1049 s->ext.ticket_expected = 1;
1050
6cc0b3c2
MC		 1051 switch (PACKET_remaining(tick)) {
1052 case 0:
1053 return SSL_TICKET_EMPTY;
1054
1055 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1056 break;
1057
1058 default:
1059 return SSL_TICKET_NO_DECRYPT;
1060 }
1061
1062 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1063 SSL_MAX_SSL_SESSION_ID_LENGTH);
1064
1065 if (tmpsess == NULL)
1066 return SSL_TICKET_NO_DECRYPT;
1067
6cc0b3c2
MC		 1068 *sess = tmpsess;
1069 return SSL_TICKET_SUCCESS;
1070}
1071
61138358 1072int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1073 size_t chainidx)
1053a6e2
MC		 1074{
1075 PACKET identities, binders, binder;
1076 size_t binderoffset, hashsize;
1077 SSL_SESSION *sess = NULL;
3a7c56b2 1078 unsigned int id, i, ext = 0;
1053a6e2
MC		 1079 const EVP_MD *md = NULL;
1080
1a9f457c
MC		 1081 /*
1082 * If we have no PSK kex mode that we recognise then we can't resume so
1083 * ignore this extension
1084 */
1085 if ((s->ext.psk_kex_mode
1086 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1087 return 1;
1088
1053a6e2 1089 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
f63a17d6
MC		 1090 SSLfatal(s, SSL_AD_DECODE_ERROR,
1091 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1092 return 0;
1093 }
1094
61fb5923 1095 s->ext.ticket_expected = 0;
1053a6e2
MC		 1096 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1097 PACKET identity;
2c604cb9 1098 unsigned long ticket_agel;
f3d40db1 1099 size_t idlen;
1053a6e2
MC		 1100
1101 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1102 || !PACKET_get_net_4(&identities, &ticket_agel)) {
f63a17d6
MC		 1103 SSLfatal(s, SSL_AD_DECODE_ERROR,
1104 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1105 return 0;
1106 }
1107
f3d40db1 1108 idlen = PACKET_remaining(&identity);
3a7c56b2 1109 if (s->psk_find_session_cb != NULL
f3d40db1 1110 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
011d768a 1111 &sess)) {
f63a17d6
MC		 1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1113 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
011d768a
MC		 1114 return 0;
1115 }
1116
c2b290c3 1117#ifndef OPENSSL_NO_PSK
f3d40db1
MC		 1118 if(sess == NULL
1119 && s->psk_server_callback != NULL
1120 && idlen <= PSK_MAX_IDENTITY_LEN) {
1121 char *pskid = NULL;
1122 unsigned char pskdata[PSK_MAX_PSK_LEN];
1123 unsigned int pskdatalen;
1124
1125 if (!PACKET_strndup(&identity, &pskid)) {
1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1127 ERR_R_INTERNAL_ERROR);
1128 return 0;
1129 }
1130 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1131 sizeof(pskdata));
1132 OPENSSL_free(pskid);
1133 if (pskdatalen > PSK_MAX_PSK_LEN) {
1134 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1135 ERR_R_INTERNAL_ERROR);
1136 return 0;
1137 } else if (pskdatalen > 0) {
1138 const SSL_CIPHER *cipher;
1139 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1140
1141 /*
1142 * We found a PSK using an old style callback. We don't know
1143 * the digest so we default to SHA256 as per the TLSv1.3 spec
1144 */
1145 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1146 if (cipher == NULL) {
1147 OPENSSL_cleanse(pskdata, pskdatalen);
1148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1149 ERR_R_INTERNAL_ERROR);
1150 return 0;
1151 }
1152
1153 sess = SSL_SESSION_new();
1154 if (sess == NULL
1155 || !SSL_SESSION_set1_master_key(sess, pskdata,
1156 pskdatalen)
1157 || !SSL_SESSION_set_cipher(sess, cipher)
1158 || !SSL_SESSION_set_protocol_version(sess,
1159 TLS1_3_VERSION)) {
1160 OPENSSL_cleanse(pskdata, pskdatalen);
1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1162 ERR_R_INTERNAL_ERROR);
1163 goto err;
1164 }
1165 OPENSSL_cleanse(pskdata, pskdatalen);
1166 }
1167 }
c2b290c3 1168#endif /* OPENSSL_NO_PSK */
f3d40db1 1169
011d768a
MC		 1170 if (sess != NULL) {
1171 /* We found a PSK */
3a7c56b2 1172 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1173
3a7c56b2 1174 if (sesstmp == NULL) {
f63a17d6
MC		 1175 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1176 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1177 return 0;
1178 }
1179 SSL_SESSION_free(sess);
1180 sess = sesstmp;
1181
1182 /*
1183 * We've just been told to use this session for this context so
1184 * make sure the sid_ctx matches up.
1185 */
1186 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1187 sess->sid_ctx_length = s->sid_ctx_length;
1188 ext = 1;
630369d9
MC		 1189 if (id == 0)
1190 s->ext.early_data_ok = 1;
51256b34 1191 s->ext.ticket_expected = 1;
3a7c56b2
MC		 1192 } else {
1193 uint32_t ticket_age = 0, now, agesec, agems;
61fb5923
MC		 1194 int ret;
1195
e880d4e5
MC		 1196 /*
1197 * If we are using anti-replay protection then we behave as if
1198 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1199 * is no point in using full stateless tickets.
1200 */
1201 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1202 || (s->max_early_data > 0
1203 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1204 ret = tls_get_stateful_ticket(s, &identity, &sess);
1205 else
1206 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1207 PACKET_remaining(&identity), NULL, 0,
1208 &sess);
61fb5923
MC		 1209
1210 if (ret == SSL_TICKET_EMPTY) {
1211 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1212 SSL_R_BAD_EXTENSION);
1213 return 0;
1214 }
3a7c56b2 1215
df0fed9a
TS		 1216 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1217 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
f63a17d6
MC		 1218 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1219 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1220 return 0;
1221 }
61fb5923 1222 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1223 continue;
1224
66d7de16
MC		 1225 /* Check for replay */
1226 if (s->max_early_data > 0
5d263fb7 1227 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1228 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1229 SSL_SESSION_free(sess);
1230 sess = NULL;
1231 continue;
1232 }
1233
3a7c56b2
MC		 1234 ticket_age = (uint32_t)ticket_agel;
1235 now = (uint32_t)time(NULL);
1236 agesec = now - (uint32_t)sess->time;
1237 agems = agesec * (uint32_t)1000;
1238 ticket_age -= sess->ext.tick_age_add;
1239
1240 /*
1241 * For simplicity we do our age calculations in seconds. If the
1242 * client does it in ms then it could appear that their ticket age
1243 * is longer than ours (our ticket age calculation should always be
1244 * slightly longer than the client's due to the network latency).
1245 * Therefore we add 1000ms to our age calculation to adjust for
1246 * rounding errors.
1247 */
630369d9
MC		 1248 if (id == 0
1249 && sess->timeout >= (long)agesec
3a7c56b2
MC		 1250 && agems / (uint32_t)1000 == agesec
1251 && ticket_age <= agems + 1000
1252 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1253 /*
1254 * Ticket age is within tolerance and not expired. We allow it
1255 * for early data
1256 */
1257 s->ext.early_data_ok = 1;
1258 }
1053a6e2 1259 }
1053a6e2 1260
c8f6c28a
MC		 1261 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1262 if (!EVP_MD_is_a(md,
1263 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1264 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1265 SSL_SESSION_free(sess);
1266 sess = NULL;
630369d9 1267 s->ext.early_data_ok = 0;
51256b34 1268 s->ext.ticket_expected = 0;
1053a6e2
MC		 1269 continue;
1270 }
1053a6e2
MC		 1271 break;
1272 }
1273
1274 if (sess == NULL)
1275 return 1;
1276
1277 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 1278 hashsize = EVP_MD_size(md);
1279
1280 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
f63a17d6
MC		 1281 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1282 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1283 goto err;
1284 }
1285
1286 for (i = 0; i <= id; i++) {
1287 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
f63a17d6
MC		 1288 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1289 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1290 goto err;
1291 }
1292 }
1293
2894e9cb
MC		 1294 if (PACKET_remaining(&binder) != hashsize) {
1295 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1296 SSL_R_BAD_EXTENSION);
1297 goto err;
1298 }
1299 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1300 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1301 ext) != 1) {
635c8f77 1302 /* SSLfatal() already called */
1053a6e2
MC		 1303 goto err;
1304 }
1305
c96ce52c 1306 s->ext.tick_identity = id;
2c604cb9 1307
1053a6e2
MC		 1308 SSL_SESSION_free(s->session);
1309 s->session = sess;
1053a6e2
MC		 1310 return 1;
1311err:
312e9387 1312 SSL_SESSION_free(sess);
1053a6e2
MC		 1313 return 0;
1314}
1315
9d75dce3
TS		 1316int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1317 X509 *x, size_t chainidx)
1318{
1319 if (PACKET_remaining(pkt) != 0) {
1320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1321 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1322 return 0;
1323 }
1324
1325 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1326
1327 return 1;
1328}
1329
1266eefd
MC		 1330/*
1331 * Add the server's renegotiation binding
1332 */
b186a592
MC		 1333EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1334 unsigned int context, X509 *x,
f63a17d6 1335 size_t chainidx)
7da160b0 1336{
555cbb32 1337 if (!s->s3.send_connection_binding)
b186a592 1338 return EXT_RETURN_NOT_SENT;
7da160b0 1339
db0f35dd 1340 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1341 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1342 || !WPACKET_start_sub_packet_u16(pkt)
1343 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1344 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1345 s->s3.previous_client_finished_len)
1346 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1347 s->s3.previous_server_finished_len)
7da160b0
MC		 1348 || !WPACKET_close(pkt)
1349 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1351 ERR_R_INTERNAL_ERROR);
b186a592 1352 return EXT_RETURN_FAIL;
7da160b0
MC		 1353 }
1354
b186a592 1355 return EXT_RETURN_SENT;
7da160b0
MC		 1356}
1357
b186a592
MC		 1358EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1359 unsigned int context, X509 *x,
f63a17d6 1360 size_t chainidx)
7da160b0 1361{
7955c1f1
MC		 1362 if (s->servername_done != 1)
1363 return EXT_RETURN_NOT_SENT;
1364
1365 /*
1366 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1367 * We just use the servername from the initial handshake.
1368 */
1369 if (s->hit && !SSL_IS_TLS13(s))
b186a592 1370 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1371
1372 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1373 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1375 ERR_R_INTERNAL_ERROR);
b186a592 1376 return EXT_RETURN_FAIL;
7da160b0
MC		 1377 }
1378
b186a592 1379 return EXT_RETURN_SENT;
7da160b0
MC		 1380}
1381
cf72c757
F		 1382/* Add/include the server's max fragment len extension into ServerHello */
1383EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1384 unsigned int context, X509 *x,
f63a17d6 1385 size_t chainidx)
cf72c757
F		 1386{
1387 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1388 return EXT_RETURN_NOT_SENT;
1389
1390 /*-
1391 * 4 bytes for this extension type and extension length
1392 * 1 byte for the Max Fragment Length code value.
1393 */
1394 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1395 || !WPACKET_start_sub_packet_u16(pkt)
1396 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1397 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1398 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1399 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1400 return EXT_RETURN_FAIL;
1401 }
1402
1403 return EXT_RETURN_SENT;
1404}
1405
7da160b0 1406#ifndef OPENSSL_NO_EC
b186a592
MC		 1407EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1408 unsigned int context, X509 *x,
f63a17d6 1409 size_t chainidx)
7da160b0 1410{
555cbb32
TS		 1411 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1412 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1413 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1414 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1415 const unsigned char *plist;
1416 size_t plistlen;
1417
1418 if (!using_ecc)
b186a592 1419 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1420
1421 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1422 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1423 || !WPACKET_start_sub_packet_u16(pkt)
1424 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1425 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1426 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1427 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 1428 return EXT_RETURN_FAIL;
7da160b0
MC		 1429 }
1430
b186a592 1431 return EXT_RETURN_SENT;
7da160b0
MC		 1432}
1433#endif
1434
dbc6268f 1435#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
b186a592
MC		 1436EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1437 unsigned int context, X509 *x,
f63a17d6 1438 size_t chainidx)
6af87546 1439{
9e84a42d 1440 const uint16_t *groups;
6af87546
MC		 1441 size_t numgroups, i, first = 1;
1442
555cbb32
TS		 1443 /* s->s3.group_id is non zero if we accepted a key_share */
1444 if (s->s3.group_id == 0)
b186a592 1445 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1446
1447 /* Get our list of supported groups */
ff6d20a6 1448 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1449 if (numgroups == 0) {
f63a17d6
MC		 1450 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1451 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 1452 return EXT_RETURN_FAIL;
6af87546
MC		 1453 }
1454
1455 /* Copy group ID if supported */
9e84a42d
DSH		 1456 for (i = 0; i < numgroups; i++) {
1457 uint16_t group = groups[i];
1458
9aaecbfc 1459 if (tls_valid_group(s, group, SSL_version(s))
dbc6268f 1460 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1461 if (first) {
1462 /*
1463 * Check if the client is already using our preferred group. If
1464 * so we don't need to add this extension
1465 */
555cbb32 1466 if (s->s3.group_id == group)
b186a592 1467 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1468
1469 /* Add extension header */
1470 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1471 /* Sub-packet for supported_groups extension */
1472 || !WPACKET_start_sub_packet_u16(pkt)
1473 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1474 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1475 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1476 ERR_R_INTERNAL_ERROR);
b186a592 1477 return EXT_RETURN_FAIL;
6af87546
MC		 1478 }
1479
1480 first = 0;
1481 }
9e84a42d 1482 if (!WPACKET_put_bytes_u16(pkt, group)) {
f63a17d6
MC		 1483 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1484 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1485 ERR_R_INTERNAL_ERROR);
b186a592 1486 return EXT_RETURN_FAIL;
6af87546
MC		 1487 }
1488 }
1489 }
1490
1491 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 1492 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1493 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1494 ERR_R_INTERNAL_ERROR);
b186a592 1495 return EXT_RETURN_FAIL;
6af87546
MC		 1496 }
1497
b186a592 1498 return EXT_RETURN_SENT;
6af87546 1499}
cf53cbea 1500#endif
6af87546 1501
b186a592
MC		 1502EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1503 unsigned int context, X509 *x,
f63a17d6 1504 size_t chainidx)
7da160b0 1505{
aff8c126
RS		 1506 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1507 s->ext.ticket_expected = 0;
b186a592 1508 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1509 }
1510
1511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1512 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1513 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1514 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 1515 return EXT_RETURN_FAIL;
7da160b0
MC		 1516 }
1517
b186a592 1518 return EXT_RETURN_SENT;
7da160b0
MC		 1519}
1520
ab83e314 1521#ifndef OPENSSL_NO_OCSP
b186a592
MC		 1522EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1523 unsigned int context, X509 *x,
f63a17d6 1524 size_t chainidx)
7da160b0 1525{
debb64a0
MC		 1526 /* We don't currently support this extension inside a CertificateRequest */
1527 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1528 return EXT_RETURN_NOT_SENT;
1529
aff8c126 1530 if (!s->ext.status_expected)
b186a592 1531 return EXT_RETURN_NOT_SENT;
7da160b0 1532
8521ced6 1533 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1534 return EXT_RETURN_NOT_SENT;
e96e0f8e 1535
7da160b0 1536 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1537 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1538 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1539 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1540 return EXT_RETURN_FAIL;
f63e4288
MC		 1541 }
1542
1543 /*
1544 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1545 * send back an empty extension, with the certificate status appearing as a
1546 * separate message
1547 */
3ec8d113
MC		 1548 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1549 /* SSLfatal() already called */
56d36288 1550 return EXT_RETURN_FAIL;
3ec8d113
MC		 1551 }
1552 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 1553 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1554 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1555 return EXT_RETURN_FAIL;
7da160b0
MC		 1556 }
1557
b186a592 1558 return EXT_RETURN_SENT;
7da160b0 1559}
ab83e314 1560#endif
7da160b0 1561
7da160b0 1562#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1563EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1564 unsigned int context, X509 *x,
f63a17d6 1565 size_t chainidx)
7da160b0
MC		 1566{
1567 const unsigned char *npa;
1568 unsigned int npalen;
1569 int ret;
555cbb32 1570 int npn_seen = s->s3.npn_seen;
7da160b0 1571
555cbb32 1572 s->s3.npn_seen = 0;
aff8c126 1573 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1574 return EXT_RETURN_NOT_SENT;
7da160b0 1575
aff8c126
RS		 1576 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1577 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1578 if (ret == SSL_TLSEXT_ERR_OK) {
1579 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1580 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
f63a17d6
MC		 1581 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1582 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1583 ERR_R_INTERNAL_ERROR);
b186a592 1584 return EXT_RETURN_FAIL;
7da160b0 1585 }
555cbb32 1586 s->s3.npn_seen = 1;
7da160b0
MC		 1587 }
1588
b186a592 1589 return EXT_RETURN_SENT;
7da160b0
MC		 1590}
1591#endif
1592
b186a592 1593EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1594 X509 *x, size_t chainidx)
7da160b0 1595{
555cbb32 1596 if (s->s3.alpn_selected == NULL)
b186a592 1597 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1598
1599 if (!WPACKET_put_bytes_u16(pkt,
1600 TLSEXT_TYPE_application_layer_protocol_negotiation)
1601 || !WPACKET_start_sub_packet_u16(pkt)
1602 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1603 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1604 s->s3.alpn_selected_len)
7da160b0
MC		 1605 || !WPACKET_close(pkt)
1606 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1607 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1608 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1609 return EXT_RETURN_FAIL;
7da160b0
MC		 1610 }
1611
b186a592 1612 return EXT_RETURN_SENT;
7da160b0
MC		 1613}
1614
1615#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1616EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1617 unsigned int context, X509 *x,
f63a17d6 1618 size_t chainidx)
7da160b0
MC		 1619{
1620 if (s->srtp_profile == NULL)
b186a592 1621 return EXT_RETURN_NOT_SENT;
a1448c26 1622
7da160b0
MC		 1623 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1624 || !WPACKET_start_sub_packet_u16(pkt)
1625 || !WPACKET_put_bytes_u16(pkt, 2)
1626 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1627 || !WPACKET_put_bytes_u8(pkt, 0)
1628 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1630 ERR_R_INTERNAL_ERROR);
b186a592 1631 return EXT_RETURN_FAIL;
7da160b0
MC		 1632 }
1633
b186a592 1634 return EXT_RETURN_SENT;
7da160b0
MC		 1635}
1636#endif
1637
b186a592 1638EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1639 X509 *x, size_t chainidx)
7da160b0 1640{
28a31a0a 1641 if (!s->ext.use_etm)
b186a592 1642 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1643
1644 /*
1645 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1646 * for other cases too.
1647 */
555cbb32
TS		 1648 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1649 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1650 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1651 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1652 s->ext.use_etm = 0;
b186a592 1653 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1654 }
1655
1656 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1657 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1659 ERR_R_INTERNAL_ERROR);
b186a592 1660 return EXT_RETURN_FAIL;
7da160b0
MC		 1661 }
1662
b186a592 1663 return EXT_RETURN_SENT;
7da160b0
MC		 1664}
1665
b186a592 1666EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1667 X509 *x, size_t chainidx)
7da160b0 1668{
555cbb32 1669 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1670 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1671
1672 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1673 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1674 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1675 ERR_R_INTERNAL_ERROR);
b186a592 1676 return EXT_RETURN_FAIL;
7da160b0
MC		 1677 }
1678
b186a592 1679 return EXT_RETURN_SENT;
7da160b0
MC		 1680}
1681
88050dd1
MC		 1682EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1683 unsigned int context, X509 *x,
1684 size_t chainidx)
1685{
27e462f1
MC		 1686 if (!ossl_assert(SSL_IS_TLS13(s))) {
1687 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1688 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1689 ERR_R_INTERNAL_ERROR);
1690 return EXT_RETURN_FAIL;
1691 }
88050dd1
MC		 1692
1693 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1694 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1695 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1
MC		 1696 || !WPACKET_close(pkt)) {
1697 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1698 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1699 ERR_R_INTERNAL_ERROR);
1700 return EXT_RETURN_FAIL;
1701 }
1702
1703 return EXT_RETURN_SENT;
1704}
1705
b186a592
MC		 1706EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1707 unsigned int context, X509 *x,
f63a17d6 1708 size_t chainidx)
7da160b0 1709{
3cf96e88 1710#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1711 unsigned char *encodedPoint;
1712 size_t encoded_pt_len = 0;
555cbb32 1713 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
7da160b0 1714
dd77962e
MC		 1715 if (s->hello_retry_request == SSL_HRR_PENDING) {
1716 if (ckey != NULL) {
1717 /* Original key_share was acceptable so don't ask for another one */
1718 return EXT_RETURN_NOT_SENT;
1719 }
1720 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1721 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1722 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
dd77962e
MC		 1723 || !WPACKET_close(pkt)) {
1724 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1725 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1726 ERR_R_INTERNAL_ERROR);
1727 return EXT_RETURN_FAIL;
7d061fce
MC		 1728 }
1729
dd77962e
MC		 1730 return EXT_RETURN_SENT;
1731 }
1732
1733 if (ckey == NULL) {
1734 /* No key_share received from client - must be resuming */
0247086d 1735 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
f63a17d6
MC		 1736 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1737 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1738 return EXT_RETURN_FAIL;
0247086d 1739 }
b186a592 1740 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1741 }
1742
1743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1744 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1745 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
f63a17d6
MC		 1746 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1747 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1748 return EXT_RETURN_FAIL;
7da160b0
MC		 1749 }
1750
0f00ed77 1751 skey = ssl_generate_pkey(s, ckey);
7da160b0 1752 if (skey == NULL) {
f63a17d6
MC		 1753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1754 ERR_R_MALLOC_FAILURE);
b186a592 1755 return EXT_RETURN_FAIL;
7da160b0
MC		 1756 }
1757
afce590b
RL		 1758 /*
1759 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
1760 * knows how to get a key from an encoded point with the help of
1761 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
1762 * downgrades an EVP_PKEY to contain a legacy key.
1763 *
1764 * THIS IS TEMPORARY
1765 */
1766 EVP_PKEY_get0(skey);
1767 if (EVP_PKEY_id(skey) == EVP_PKEY_NONE) {
1768 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1769 ERR_R_INTERNAL_ERROR);
1770 return EXT_RETURN_FAIL;
1771 }
1772
7da160b0
MC		 1773 /* Generate encoding of server key */
1774 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1775 if (encoded_pt_len == 0) {
f63a17d6
MC		 1776 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1777 ERR_R_EC_LIB);
7da160b0 1778 EVP_PKEY_free(skey);
b186a592 1779 return EXT_RETURN_FAIL;
7da160b0
MC		 1780 }
1781
1782 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1783 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1784 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1785 ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1786 EVP_PKEY_free(skey);
1787 OPENSSL_free(encodedPoint);
b186a592 1788 return EXT_RETURN_FAIL;
7da160b0
MC		 1789 }
1790 OPENSSL_free(encodedPoint);
1791
1792 /* This causes the crypto state to be updated based on the derived keys */
555cbb32 1793 s->s3.tmp.pkey = skey;
7da160b0 1794 if (ssl_derive(s, skey, ckey, 1) == 0) {
f63a17d6 1795 /* SSLfatal() already called */
b186a592 1796 return EXT_RETURN_FAIL;
7da160b0 1797 }
b186a592 1798 return EXT_RETURN_SENT;
1aac20f5
MC		 1799#else
1800 return EXT_RETURN_FAIL;
1801#endif
7da160b0
MC		 1802}
1803
43054d3d
MC		 1804EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1805 X509 *x, size_t chainidx)
1806{
1aac20f5 1807#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1808 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1809 unsigned char *hmac, *hmac2;
3fa2812f 1810 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1811 EVP_MD_CTX *hctx;
1812 EVP_PKEY *pkey;
1813 int ret = EXT_RETURN_FAIL;
1814
555cbb32 1815 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1816 return EXT_RETURN_NOT_SENT;
1817
3fa2812f 1818 if (s->ctx->gen_stateless_cookie_cb == NULL) {
e440f513
MC		 1819 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1820 SSL_R_NO_COOKIE_CALLBACK_SET);
1821 return EXT_RETURN_FAIL;
1822 }
1823
43054d3d
MC		 1824 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1825 || !WPACKET_start_sub_packet_u16(pkt)
1826 || !WPACKET_start_sub_packet_u16(pkt)
1827 || !WPACKET_get_total_written(pkt, &startlen)
1828 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1829 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1830 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32
TS		 1831 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1832 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
43054d3d
MC		 1833 &ciphlen)
1834 /* Is there a key_share extension present in this HRR? */
555cbb32 1835 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
d0debc0a 1836 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
43054d3d
MC		 1837 || !WPACKET_start_sub_packet_u16(pkt)
1838 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1839 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1840 ERR_R_INTERNAL_ERROR);
1841 return EXT_RETURN_FAIL;
1842 }
1843
1844 /*
1845 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1846 * on raw buffers, so we first reserve sufficient bytes (above) and then
1847 * subsequently allocate them (below)
1848 */
1849 if (!ssl3_digest_cached_records(s, 0)
1850 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1851 /* SSLfatal() already called */
1852 return EXT_RETURN_FAIL;
1853 }
1854
1855 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1856 || !ossl_assert(hashval1 == hashval2)
1857 || !WPACKET_close(pkt)
1858 || !WPACKET_start_sub_packet_u8(pkt)
1859 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1860 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1861 ERR_R_INTERNAL_ERROR);
1862 return EXT_RETURN_FAIL;
1863 }
1864
1865 /* Generate the application cookie */
3fa2812f 1866 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
43054d3d
MC		 1867 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1868 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1869 return EXT_RETURN_FAIL;
1870 }
1871
1872 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1873 || !ossl_assert(appcookie1 == appcookie2)
1874 || !WPACKET_close(pkt)
1875 || !WPACKET_get_total_written(pkt, &totcookielen)
1876 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1878 ERR_R_INTERNAL_ERROR);
1879 return EXT_RETURN_FAIL;
1880 }
1881 hmaclen = SHA256_DIGEST_LENGTH;
1882
1883 totcookielen -= startlen;
1884 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1885 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1886 ERR_R_INTERNAL_ERROR);
1887 return EXT_RETURN_FAIL;
1888 }
1889
1890 /* HMAC the cookie */
1891 hctx = EVP_MD_CTX_create();
f929439f
MC		 1892 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1893 s->session_ctx->ext.cookie_hmac_key,
1894 sizeof(s->session_ctx->ext
1895 .cookie_hmac_key));
43054d3d
MC		 1896 if (hctx == NULL || pkey == NULL) {
1897 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1898 ERR_R_MALLOC_FAILURE);
1899 goto err;
1900 }
1901
fc69f32c
MC		 1902 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
1903 s->ctx->libctx) <= 0
43054d3d
MC		 1904 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1905 totcookielen) <= 0) {
1906 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1907 ERR_R_INTERNAL_ERROR);
1908 goto err;
1909 }
1910
1911 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1913 ERR_R_INTERNAL_ERROR);
1914 goto err;
1915 }
1916
1917 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1918 || !ossl_assert(hmac == hmac2)
1919 || !ossl_assert(cookie == hmac - totcookielen)
1920 || !WPACKET_close(pkt)
1921 || !WPACKET_close(pkt)) {
1922 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1923 ERR_R_INTERNAL_ERROR);
1924 goto err;
1925 }
1926
1927 ret = EXT_RETURN_SENT;
1928
1929 err:
1930 EVP_MD_CTX_free(hctx);
1931 EVP_PKEY_free(pkey);
1932 return ret;
1aac20f5
MC		 1933#else
1934 return EXT_RETURN_FAIL;
1935#endif
43054d3d
MC		 1936}
1937
b186a592
MC		 1938EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1939 unsigned int context, X509 *x,
f63a17d6 1940 size_t chainidx)
7da160b0
MC		 1941{
1942 const unsigned char cryptopro_ext[36] = {
1943 0xfd, 0xe8, /* 65000 */
1944 0x00, 0x20, /* 32 bytes length */
1945 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1946 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1947 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1948 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1949 };
1950
555cbb32
TS		 1951 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1952 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
7da160b0 1953 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1954 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1955
1956 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
f63a17d6
MC		 1957 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1958 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1959 return EXT_RETURN_FAIL;
7da160b0
MC		 1960 }
1961
b186a592 1962 return EXT_RETURN_SENT;
7da160b0 1963}
0247086d 1964
b186a592
MC		 1965EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1966 unsigned int context, X509 *x,
f63a17d6 1967 size_t chainidx)
38df5a45 1968{
fe874d27 1969 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1970 if (s->max_early_data == 0)
b186a592 1971 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1972
1973 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1974 || !WPACKET_start_sub_packet_u16(pkt)
1975 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1976 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1977 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1978 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1979 return EXT_RETURN_FAIL;
6594189f
MC		 1980 }
1981
b186a592 1982 return EXT_RETURN_SENT;
6594189f
MC		 1983 }
1984
38df5a45 1985 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1986 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1987
1988 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1989 || !WPACKET_start_sub_packet_u16(pkt)
1990 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1991 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1992 ERR_R_INTERNAL_ERROR);
b186a592 1993 return EXT_RETURN_FAIL;
38df5a45
MC		 1994 }
1995
b186a592 1996 return EXT_RETURN_SENT;
38df5a45
MC		 1997}
1998
b186a592 1999EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 2000 X509 *x, size_t chainidx)
0247086d
MC		 2001{
2002 if (!s->hit)
b186a592 2003 return EXT_RETURN_NOT_SENT;
0247086d
MC		 2004
2005 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
2006 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 2007 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 2008 || !WPACKET_close(pkt)) {
f63a17d6
MC		 2009 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2010 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 2011 return EXT_RETURN_FAIL;
0247086d
MC		 2012 }
2013
b186a592 2014 return EXT_RETURN_SENT;
0247086d 2015}
A mirror of the official openssl repository