]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
RFC7250 (RPK) support
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
CommitLineData
6dd083fd 1/*
3c95ef22 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
6dd083fd 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
6dd083fd
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ab83e314 10#include <openssl/ocsp.h>
706457b7 11#include "../ssl_local.h"
67dc995e 12#include "internal/cryptlib.h"
706457b7 13#include "statem_local.h"
6dd083fd 14
38b051a1 15EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 16 unsigned int context, X509 *x,
f63a17d6 17 size_t chainidx)
ab83e314
MC		 18{
19 /* Add RI if renegotiating */
20 if (!s->renegotiate)
b186a592 21 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 22
23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
24 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 25 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
26 s->s3.previous_client_finished_len)
ab83e314 27 || !WPACKET_close(pkt)) {
c48ffbcc 28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 29 return EXT_RETURN_FAIL;
ab83e314
MC		 30 }
31
b186a592 32 return EXT_RETURN_SENT;
ab83e314
MC		 33}
34
38b051a1 35EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 36 unsigned int context, X509 *x,
f63a17d6 37 size_t chainidx)
ab83e314 38{
aff8c126 39 if (s->ext.hostname == NULL)
b186a592 40 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 41
42 /* Add TLS extension servername to the Client Hello message */
43 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
44 /* Sub-packet for server_name extension */
45 || !WPACKET_start_sub_packet_u16(pkt)
46 /* Sub-packet for servername list (always 1 hostname)*/
47 || !WPACKET_start_sub_packet_u16(pkt)
48 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
aff8c126
RS		 49 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
50 strlen(s->ext.hostname))
ab83e314
MC		 51 || !WPACKET_close(pkt)
52 || !WPACKET_close(pkt)) {
c48ffbcc 53 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 54 return EXT_RETURN_FAIL;
ab83e314
MC		 55 }
56
b186a592 57 return EXT_RETURN_SENT;
ab83e314
MC		 58}
59
cf72c757 60/* Push a Max Fragment Len extension into ClientHello */
38b051a1 61EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 62 unsigned int context, X509 *x,
f63a17d6 63 size_t chainidx)
cf72c757
F		 64{
65 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
66 return EXT_RETURN_NOT_SENT;
67
68 /* Add Max Fragment Length extension if client enabled it. */
69 /*-
70 * 4 bytes for this extension type and extension length
71 * 1 byte for the Max Fragment Length code value.
72 */
73 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
74 /* Sub-packet for Max Fragment Length extension (1 byte) */
75 || !WPACKET_start_sub_packet_u16(pkt)
76 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
77 || !WPACKET_close(pkt)) {
c48ffbcc 78 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 79 return EXT_RETURN_FAIL;
80 }
81
82 return EXT_RETURN_SENT;
83}
84
ab83e314 85#ifndef OPENSSL_NO_SRP
38b051a1
TM		 86EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
87 unsigned int context,
f63a17d6 88 X509 *x, size_t chainidx)
ab83e314
MC		 89{
90 /* Add SRP username if there is one */
91 if (s->srp_ctx.login == NULL)
b186a592 92 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 93
94 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
95 /* Sub-packet for SRP extension */
96 || !WPACKET_start_sub_packet_u16(pkt)
97 || !WPACKET_start_sub_packet_u8(pkt)
98 /* login must not be zero...internal error if so */
99 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
100 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
101 strlen(s->srp_ctx.login))
102 || !WPACKET_close(pkt)
103 || !WPACKET_close(pkt)) {
c48ffbcc 104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 105 return EXT_RETURN_FAIL;
ab83e314
MC		 106 }
107
b186a592 108 return EXT_RETURN_SENT;
ab83e314
MC		 109}
110#endif
111
38b051a1 112static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
ab83e314 113{
589b6227 114 int i, end, ret = 0;
ab83e314
MC		 115 unsigned long alg_k, alg_a;
116 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
dbc6268f
MC		 117 const uint16_t *pgroups = NULL;
118 size_t num_groups, j;
38b051a1 119 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
ab83e314
MC		 120
121 /* See if we support any ECC ciphersuites */
122 if (s->version == SSL3_VERSION)
123 return 0;
124
38b051a1 125 cipher_stack = SSL_get1_supported_ciphers(ssl);
1266eefd
MC		 126 end = sk_SSL_CIPHER_num(cipher_stack);
127 for (i = 0; i < end; i++) {
ab83e314
MC		 128 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
129
130 alg_k = c->algorithm_mkey;
131 alg_a = c->algorithm_auth;
132 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1266eefd 133 || (alg_a & SSL_aECDSA)
589b6227
MC		 134 || c->min_tls >= TLS1_3_VERSION) {
135 ret = 1;
136 break;
137 }
ab83e314 138 }
589b6227 139 sk_SSL_CIPHER_free(cipher_stack);
dbc6268f
MC		 140 if (!ret)
141 return 0;
142
143 /* Check we have at least one EC supported group */
144 tls1_get_supported_groups(s, &pgroups, &num_groups);
145 for (j = 0; j < num_groups; j++) {
146 uint16_t ctmp = pgroups[j];
147
8b1db5d3 148 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
dbc6268f
MC		 149 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
150 return 1;
151 }
152
153 return 0;
ab83e314
MC		 154}
155
38b051a1 156EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 157 unsigned int context, X509 *x,
f63a17d6 158 size_t chainidx)
ab83e314
MC		 159{
160 const unsigned char *pformats;
161 size_t num_formats;
dbc6268f 162 int reason, min_version, max_version;
ab83e314 163
dbc6268f
MC		 164 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
165 if (reason != 0) {
c48ffbcc 166 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
dbc6268f
MC		 167 return EXT_RETURN_FAIL;
168 }
9d2d857f 169 if (!use_ecc(s, min_version, max_version))
b186a592 170 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 171
172 /* Add TLS extension ECPointFormats to the ClientHello message */
ab83e314
MC		 173 tls1_get_formatlist(s, &pformats, &num_formats);
174
175 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
176 /* Sub-packet for formats extension */
177 || !WPACKET_start_sub_packet_u16(pkt)
178 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
179 || !WPACKET_close(pkt)) {
c48ffbcc 180 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 181 return EXT_RETURN_FAIL;
ab83e314
MC		 182 }
183
b186a592 184 return EXT_RETURN_SENT;
ab83e314
MC		 185}
186
38b051a1 187EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 188 unsigned int context, X509 *x,
f63a17d6 189 size_t chainidx)
ab83e314 190{
f48d826e 191 const uint16_t *pgroups = NULL;
8b1db5d3 192 size_t num_groups = 0, i, tls13added = 0, added = 0;
9aaecbfc 193 int min_version, max_version, reason;
ab83e314 194
9aaecbfc 195 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
196 if (reason != 0) {
c48ffbcc 197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
9aaecbfc 198 return EXT_RETURN_FAIL;
199 }
200
8b1db5d3
MC		 201 /*
202 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
203 * if we don't have EC support then we don't send this extension.
204 */
205 if (!use_ecc(s, min_version, max_version)
38b051a1 206 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
dbc6268f 207 return EXT_RETURN_NOT_SENT;
dbc6268f 208
ab83e314
MC		 209 /*
210 * Add TLS extension supported_groups to the ClientHello message
211 */
f48d826e 212 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 213
214 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
215 /* Sub-packet for supported_groups extension */
216 || !WPACKET_start_sub_packet_u16(pkt)
9aaecbfc 217 || !WPACKET_start_sub_packet_u16(pkt)
218 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
c48ffbcc 219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 220 return EXT_RETURN_FAIL;
ab83e314 221 }
9aaecbfc 222 /* Copy group ID if supported */
f48d826e
DSH		 223 for (i = 0; i < num_groups; i++) {
224 uint16_t ctmp = pgroups[i];
8b1db5d3 225 int okfortls13;
9e84a42d 226
8b1db5d3 227 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
dbc6268f 228 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
9e84a42d 229 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
c48ffbcc 230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9aaecbfc 231 return EXT_RETURN_FAIL;
232 }
8b1db5d3
MC		 233 if (okfortls13 && max_version == TLS1_3_VERSION)
234 tls13added++;
235 added++;
ab83e314
MC		 236 }
237 }
238 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
9afc6c54 239 if (added == 0)
8b1db5d3
MC		 240 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
241 "No groups enabled for max supported SSL/TLS version");
242 else
243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 244 return EXT_RETURN_FAIL;
9afc6c54
MC		 245 }
246
247 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
248 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
249 "No groups enabled for max supported SSL/TLS version");
250 return EXT_RETURN_FAIL;
ab83e314
MC		 251 }
252
b186a592 253 return EXT_RETURN_SENT;
ab83e314 254}
ab83e314 255
38b051a1 256EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 257 unsigned int context, X509 *x,
f63a17d6 258 size_t chainidx)
ab83e314
MC		 259{
260 size_t ticklen;
261
262 if (!tls_use_ticket(s))
b186a592 263 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 264
265 if (!s->new_session && s->session != NULL
08191294
MC		 266 && s->session->ext.tick != NULL
267 && s->session->ssl_version != TLS1_3_VERSION) {
aff8c126
RS		 268 ticklen = s->session->ext.ticklen;
269 } else if (s->session && s->ext.session_ticket != NULL
270 && s->ext.session_ticket->data != NULL) {
271 ticklen = s->ext.session_ticket->length;
272 s->session->ext.tick = OPENSSL_malloc(ticklen);
273 if (s->session->ext.tick == NULL) {
c48ffbcc 274 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 275 return EXT_RETURN_FAIL;
ab83e314 276 }
aff8c126
RS		 277 memcpy(s->session->ext.tick,
278 s->ext.session_ticket->data, ticklen);
279 s->session->ext.ticklen = ticklen;
ab83e314
MC		 280 } else {
281 ticklen = 0;
282 }
283
aff8c126
RS		 284 if (ticklen == 0 && s->ext.session_ticket != NULL &&
285 s->ext.session_ticket->data == NULL)
b186a592 286 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 287
288 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
aff8c126 289 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
c48ffbcc 290 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 291 return EXT_RETURN_FAIL;
ab83e314
MC		 292 }
293
b186a592 294 return EXT_RETURN_SENT;
ab83e314
MC		 295}
296
38b051a1 297EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 298 unsigned int context, X509 *x,
f63a17d6 299 size_t chainidx)
ab83e314
MC		 300{
301 size_t salglen;
98c792d1 302 const uint16_t *salg;
ab83e314
MC		 303
304 if (!SSL_CLIENT_USE_SIGALGS(s))
b186a592 305 return EXT_RETURN_NOT_SENT;
ab83e314 306
a9669ddc 307 salglen = tls12_get_psigalgs(s, 1, &salg);
ab83e314
MC		 308 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
309 /* Sub-packet for sig-algs extension */
310 || !WPACKET_start_sub_packet_u16(pkt)
311 /* Sub-packet for the actual list */
312 || !WPACKET_start_sub_packet_u16(pkt)
313 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
314 || !WPACKET_close(pkt)
315 || !WPACKET_close(pkt)) {
c48ffbcc 316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 317 return EXT_RETURN_FAIL;
ab83e314
MC		 318 }
319
b186a592 320 return EXT_RETURN_SENT;
ab83e314
MC		 321}
322
323#ifndef OPENSSL_NO_OCSP
38b051a1 324EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 325 unsigned int context, X509 *x,
f63a17d6 326 size_t chainidx)
ab83e314
MC		 327{
328 int i;
329
e96e0f8e
MC		 330 /* This extension isn't defined for client Certificates */
331 if (x != NULL)
b186a592 332 return EXT_RETURN_NOT_SENT;
e96e0f8e 333
aff8c126 334 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
b186a592 335 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 336
337 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
338 /* Sub-packet for status request extension */
339 || !WPACKET_start_sub_packet_u16(pkt)
340 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
341 /* Sub-packet for the ids */
342 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 344 return EXT_RETURN_FAIL;
ab83e314 345 }
aff8c126 346 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
ab83e314 347 unsigned char *idbytes;
aff8c126 348 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
1266eefd 349 int idlen = i2d_OCSP_RESPID(id, NULL);
ab83e314 350
ab83e314
MC		 351 if (idlen <= 0
352 /* Sub-packet for an individual id */
353 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
354 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
c48ffbcc 355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 356 return EXT_RETURN_FAIL;
ab83e314
MC		 357 }
358 }
359 if (!WPACKET_close(pkt)
360 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 362 return EXT_RETURN_FAIL;
ab83e314 363 }
aff8c126 364 if (s->ext.ocsp.exts) {
ab83e314 365 unsigned char *extbytes;
aff8c126 366 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
ab83e314
MC		 367
368 if (extlen < 0) {
c48ffbcc 369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 370 return EXT_RETURN_FAIL;
ab83e314
MC		 371 }
372 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
aff8c126 373 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
ab83e314 374 != extlen) {
c48ffbcc 375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 376 return EXT_RETURN_FAIL;
ab83e314
MC		 377 }
378 }
379 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 381 return EXT_RETURN_FAIL;
ab83e314
MC		 382 }
383
b186a592 384 return EXT_RETURN_SENT;
ab83e314
MC		 385}
386#endif
387
388#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 389EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
390 unsigned int context,
f63a17d6 391 X509 *x, size_t chainidx)
ab83e314 392{
38b051a1
TM		 393 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
394 || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 395 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 396
397 /*
398 * The client advertises an empty extension to indicate its support
399 * for Next Protocol Negotiation
400 */
401 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
402 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 404 return EXT_RETURN_FAIL;
ab83e314
MC		 405 }
406
b186a592 407 return EXT_RETURN_SENT;
ab83e314
MC		 408}
409#endif
410
38b051a1
TM		 411EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
412 unsigned int context,
f63a17d6 413 X509 *x, size_t chainidx)
ab83e314 414{
555cbb32 415 s->s3.alpn_sent = 0;
ab83e314 416
c7f47786 417 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 418 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 419
420 if (!WPACKET_put_bytes_u16(pkt,
421 TLSEXT_TYPE_application_layer_protocol_negotiation)
422 /* Sub-packet ALPN extension */
423 || !WPACKET_start_sub_packet_u16(pkt)
aff8c126 424 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
ab83e314 425 || !WPACKET_close(pkt)) {
c48ffbcc 426 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 427 return EXT_RETURN_FAIL;
ab83e314 428 }
555cbb32 429 s->s3.alpn_sent = 1;
ab83e314 430
b186a592 431 return EXT_RETURN_SENT;
ab83e314
MC		 432}
433
434
435#ifndef OPENSSL_NO_SRTP
38b051a1 436EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 437 unsigned int context, X509 *x,
f63a17d6 438 size_t chainidx)
ab83e314 439{
38b051a1
TM		 440 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
441 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
1266eefd 442 int i, end;
ab83e314
MC		 443
444 if (clnt == NULL)
b186a592 445 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 446
447 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
448 /* Sub-packet for SRTP extension */
449 || !WPACKET_start_sub_packet_u16(pkt)
450 /* Sub-packet for the protection profile list */
451 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 453 return EXT_RETURN_FAIL;
ab83e314 454 }
1266eefd
MC		 455
456 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
457 for (i = 0; i < end; i++) {
458 const SRTP_PROTECTION_PROFILE *prof =
459 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
460
ab83e314 461 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
c48ffbcc 462 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 463 return EXT_RETURN_FAIL;
ab83e314
MC		 464 }
465 }
466 if (!WPACKET_close(pkt)
467 /* Add an empty use_mki value */
468 || !WPACKET_put_bytes_u8(pkt, 0)
469 || !WPACKET_close(pkt)) {
c48ffbcc 470 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 471 return EXT_RETURN_FAIL;
ab83e314
MC		 472 }
473
b186a592 474 return EXT_RETURN_SENT;
ab83e314
MC		 475}
476#endif
477
38b051a1
TM		 478EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
479 unsigned int context,
f63a17d6 480 X509 *x, size_t chainidx)
ab83e314
MC		 481{
482 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
b186a592 483 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 484
485 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
486 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 488 return EXT_RETURN_FAIL;
ab83e314
MC		 489 }
490
b186a592 491 return EXT_RETURN_SENT;
ab83e314
MC		 492}
493
494#ifndef OPENSSL_NO_CT
38b051a1
TM		 495EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
496 unsigned int context,
f63a17d6 497 X509 *x, size_t chainidx)
ab83e314
MC		 498{
499 if (s->ct_validation_callback == NULL)
b186a592 500 return EXT_RETURN_NOT_SENT;
ab83e314 501
e96e0f8e
MC		 502 /* Not defined for client Certificates */
503 if (x != NULL)
b186a592 504 return EXT_RETURN_NOT_SENT;
e96e0f8e 505
ab83e314
MC		 506 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
507 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 509 return EXT_RETURN_FAIL;
ab83e314
MC		 510 }
511
b186a592 512 return EXT_RETURN_SENT;
ab83e314
MC		 513}
514#endif
515
38b051a1
TM		 516EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
517 unsigned int context,
f63a17d6 518 X509 *x, size_t chainidx)
ab83e314 519{
088dfa13
TS		 520 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
521 return EXT_RETURN_NOT_SENT;
522
ab83e314
MC		 523 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
524 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 526 return EXT_RETURN_FAIL;
ab83e314
MC		 527 }
528
b186a592 529 return EXT_RETURN_SENT;
ab83e314
MC		 530}
531
38b051a1 532EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 533 unsigned int context, X509 *x,
f63a17d6 534 size_t chainidx)
ab83e314
MC		 535{
536 int currv, min_version, max_version, reason;
537
b5b993b2 538 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
88050dd1 539 if (reason != 0) {
c48ffbcc 540 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
88050dd1
MC		 541 return EXT_RETURN_FAIL;
542 }
543
544 /*
545 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
546 * comparison here because we will never be called in DTLS.
547 */
548 if (max_version < TLS1_3_VERSION)
549 return EXT_RETURN_NOT_SENT;
550
ab83e314
MC		 551 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
552 || !WPACKET_start_sub_packet_u16(pkt)
553 || !WPACKET_start_sub_packet_u8(pkt)) {
c48ffbcc 554 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 555 return EXT_RETURN_FAIL;
ab83e314
MC		 556 }
557
ab83e314 558 for (currv = max_version; currv >= min_version; currv--) {
35e742ec 559 if (!WPACKET_put_bytes_u16(pkt, currv)) {
c48ffbcc 560 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 561 return EXT_RETURN_FAIL;
ab83e314
MC		 562 }
563 }
564 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 565 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 566 return EXT_RETURN_FAIL;
ab83e314
MC		 567 }
568
b186a592 569 return EXT_RETURN_SENT;
ab83e314
MC		 570}
571
b2f7e8c0 572/*
e3c0d76b 573 * Construct a psk_kex_modes extension.
b2f7e8c0 574 */
38b051a1 575EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 576 unsigned int context, X509 *x,
f63a17d6 577 size_t chainidx)
b2f7e8c0
MC		 578{
579#ifndef OPENSSL_NO_TLS1_3
e3c0d76b
MC		 580 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
581
b2f7e8c0
MC		 582 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
583 || !WPACKET_start_sub_packet_u16(pkt)
584 || !WPACKET_start_sub_packet_u8(pkt)
585 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
e3c0d76b 586 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
b2f7e8c0
MC		 587 || !WPACKET_close(pkt)
588 || !WPACKET_close(pkt)) {
c48ffbcc 589 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 590 return EXT_RETURN_FAIL;
b2f7e8c0 591 }
b3ad72ce 592
e3c0d76b
MC		 593 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
594 if (nodhe)
595 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
b2f7e8c0
MC		 596#endif
597
b186a592 598 return EXT_RETURN_SENT;
b2f7e8c0
MC		 599}
600
3847d426 601#ifndef OPENSSL_NO_TLS1_3
38b051a1 602static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
3847d426 603{
7b1ec1cf
MC		 604 unsigned char *encoded_point = NULL;
605 EVP_PKEY *key_share_key = NULL;
3847d426
MC		 606 size_t encodedlen;
607
555cbb32 608 if (s->s3.tmp.pkey != NULL) {
fc7129dc 609 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
c48ffbcc 610 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8028b20 611 return 0;
7b1ec1cf
MC		 612 }
613 /*
614 * Could happen if we got an HRR that wasn't requesting a new key_share
615 */
555cbb32 616 key_share_key = s->s3.tmp.pkey;
7b1ec1cf 617 } else {
f63a17d6 618 key_share_key = ssl_generate_pkey_group(s, curve_id);
7b1ec1cf 619 if (key_share_key == NULL) {
f63a17d6 620 /* SSLfatal() already called */
d8028b20 621 return 0;
7b1ec1cf 622 }
3847d426
MC		 623 }
624
625 /* Encode the public key. */
5ac8fb58
MC		 626 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
627 &encoded_point);
3847d426 628 if (encodedlen == 0) {
c48ffbcc 629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
7b1ec1cf 630 goto err;
3847d426
MC		 631 }
632
633 /* Create KeyShareEntry */
16f0e91c 634 if (!WPACKET_put_bytes_u16(pkt, curve_id)
2248dbeb 635 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
c48ffbcc 636 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7b1ec1cf 637 goto err;
3847d426
MC		 638 }
639
640 /*
407820c0 641 * When changing to send more than one key_share we're
3847d426
MC		 642 * going to need to be able to save more than one EVP_PKEY. For now
643 * we reuse the existing tmp.pkey
644 */
555cbb32
TS		 645 s->s3.tmp.pkey = key_share_key;
646 s->s3.group_id = curve_id;
2248dbeb 647 OPENSSL_free(encoded_point);
3847d426 648
d8028b20 649 return 1;
7b1ec1cf 650 err:
555cbb32 651 if (s->s3.tmp.pkey == NULL)
7b1ec1cf
MC		 652 EVP_PKEY_free(key_share_key);
653 OPENSSL_free(encoded_point);
d8028b20 654 return 0;
3847d426
MC		 655}
656#endif
657
38b051a1 658EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 659 unsigned int context, X509 *x,
f63a17d6 660 size_t chainidx)
ab83e314 661{
3cf96e88 662#ifndef OPENSSL_NO_TLS1_3
f48d826e
DSH		 663 size_t i, num_groups = 0;
664 const uint16_t *pgroups = NULL;
9e84a42d 665 uint16_t curve_id = 0;
ab83e314
MC		 666
667 /* key_share extension */
668 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
669 /* Extension data sub-packet */
670 || !WPACKET_start_sub_packet_u16(pkt)
671 /* KeyShare list sub-packet */
672 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 674 return EXT_RETURN_FAIL;
ab83e314
MC		 675 }
676
f48d826e 677 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 678
679 /*
407820c0
P		 680 * Make the number of key_shares sent configurable. For
681 * now, we just send one
ab83e314 682 */
555cbb32
TS		 683 if (s->s3.group_id != 0) {
684 curve_id = s->s3.group_id;
3847d426 685 } else {
f48d826e 686 for (i = 0; i < num_groups; i++) {
dbc6268f 687 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
3847d426 688 continue;
ab83e314 689
247b8e52
MC		 690 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
691 0, NULL))
692 continue;
693
f48d826e 694 curve_id = pgroups[i];
3847d426 695 break;
ab83e314 696 }
3847d426 697 }
ab83e314 698
3847d426 699 if (curve_id == 0) {
c48ffbcc 700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
b186a592 701 return EXT_RETURN_FAIL;
ab83e314
MC		 702 }
703
f63a17d6
MC		 704 if (!add_key_share(s, pkt, curve_id)) {
705 /* SSLfatal() already called */
b186a592 706 return EXT_RETURN_FAIL;
f63a17d6 707 }
3847d426 708
ab83e314 709 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 710 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 711 return EXT_RETURN_FAIL;
ab83e314 712 }
b186a592 713 return EXT_RETURN_SENT;
aa2ed504
TS		 714#else
715 return EXT_RETURN_NOT_SENT;
716#endif
ab83e314
MC		 717}
718
38b051a1
TM		 719EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
720 unsigned int context,
f63a17d6 721 X509 *x, size_t chainidx)
cfef5027 722{
b186a592 723 EXT_RETURN ret = EXT_RETURN_FAIL;
cfef5027
MC		 724
725 /* Should only be set if we've had an HRR */
726 if (s->ext.tls13_cookie_len == 0)
b186a592 727 return EXT_RETURN_NOT_SENT;
cfef5027
MC		 728
729 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
730 /* Extension data sub-packet */
731 || !WPACKET_start_sub_packet_u16(pkt)
732 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
733 s->ext.tls13_cookie_len)
734 || !WPACKET_close(pkt)) {
c48ffbcc 735 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cfef5027
MC		 736 goto end;
737 }
738
b186a592 739 ret = EXT_RETURN_SENT;
cfef5027
MC		 740 end:
741 OPENSSL_free(s->ext.tls13_cookie);
febb0afa 742 s->ext.tls13_cookie = NULL;
cfef5027
MC		 743 s->ext.tls13_cookie_len = 0;
744
745 return ret;
746}
747
38b051a1 748EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 749 unsigned int context, X509 *x,
f63a17d6 750 size_t chainidx)
38df5a45 751{
696de86f
PW		 752#ifndef OPENSSL_NO_PSK
753 char identity[PSK_MAX_IDENTITY_LEN + 1];
754#endif /* OPENSSL_NO_PSK */
ccb76685 755 const unsigned char *id = NULL;
fff202e5 756 size_t idlen = 0;
add8d0e9 757 SSL_SESSION *psksess = NULL;
ffc5bbaa 758 SSL_SESSION *edsess = NULL;
add8d0e9 759 const EVP_MD *handmd = NULL;
38b051a1 760 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
add8d0e9 761
fc7129dc 762 if (s->hello_retry_request == SSL_HRR_PENDING)
add8d0e9
MC		 763 handmd = ssl_handshake_md(s);
764
765 if (s->psk_use_session_cb != NULL
38b051a1 766 && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
ffc5bbaa
MC		 767 || (psksess != NULL
768 && psksess->ssl_version != TLS1_3_VERSION))) {
769 SSL_SESSION_free(psksess);
c48ffbcc 770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
add8d0e9
MC		 771 return EXT_RETURN_FAIL;
772 }
773
c2b290c3 774#ifndef OPENSSL_NO_PSK
f3d40db1
MC		 775 if (psksess == NULL && s->psk_client_callback != NULL) {
776 unsigned char psk[PSK_MAX_PSK_LEN];
777 size_t psklen = 0;
778
779 memset(identity, 0, sizeof(identity));
38b051a1
TM		 780 psklen = s->psk_client_callback(ssl, NULL,
781 identity, sizeof(identity) - 1,
f3d40db1
MC		 782 psk, sizeof(psk));
783
784 if (psklen > PSK_MAX_PSK_LEN) {
c48ffbcc 785 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 786 return EXT_RETURN_FAIL;
787 } else if (psklen > 0) {
788 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
789 const SSL_CIPHER *cipher;
790
791 idlen = strlen(identity);
792 if (idlen > PSK_MAX_IDENTITY_LEN) {
c48ffbcc 793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 794 return EXT_RETURN_FAIL;
795 }
796 id = (unsigned char *)identity;
797
798 /*
799 * We found a PSK using an old style callback. We don't know
800 * the digest so we default to SHA256 as per the TLSv1.3 spec
801 */
38b051a1 802 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1 803 if (cipher == NULL) {
c48ffbcc 804 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 805 return EXT_RETURN_FAIL;
806 }
807
808 psksess = SSL_SESSION_new();
809 if (psksess == NULL
810 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
811 || !SSL_SESSION_set_cipher(psksess, cipher)
812 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
c48ffbcc 813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 814 OPENSSL_cleanse(psk, psklen);
815 return EXT_RETURN_FAIL;
816 }
817 OPENSSL_cleanse(psk, psklen);
818 }
819 }
c2b290c3 820#endif /* OPENSSL_NO_PSK */
f3d40db1 821
add8d0e9
MC		 822 SSL_SESSION_free(s->psksession);
823 s->psksession = psksess;
824 if (psksess != NULL) {
825 OPENSSL_free(s->psksession_id);
826 s->psksession_id = OPENSSL_memdup(id, idlen);
827 if (s->psksession_id == NULL) {
39a14059 828 s->psksession_id_len = 0;
c48ffbcc 829 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
add8d0e9
MC		 830 return EXT_RETURN_FAIL;
831 }
832 s->psksession_id_len = idlen;
833 }
834
38df5a45 835 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
add8d0e9
MC		 836 || (s->session->ext.max_early_data == 0
837 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
38df5a45 838 s->max_early_data = 0;
b186a592 839 return EXT_RETURN_NOT_SENT;
38df5a45 840 }
ffc5bbaa
MC		 841 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
842 s->max_early_data = edsess->ext.max_early_data;
843
bfab12bb
MC		 844 if (edsess->ext.hostname != NULL) {
845 if (s->ext.hostname == NULL
846 || (s->ext.hostname != NULL
847 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
f63a17d6 848 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
f63a17d6 849 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
bfab12bb
MC		 850 return EXT_RETURN_FAIL;
851 }
ffc5bbaa
MC		 852 }
853
854 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
c48ffbcc 855 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 856 return EXT_RETURN_FAIL;
857 }
858
859 /*
860 * Verify that we are offering an ALPN protocol consistent with the early
861 * data.
862 */
863 if (edsess->ext.alpn_selected != NULL) {
864 PACKET prots, alpnpkt;
865 int found = 0;
866
867 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
c48ffbcc 868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ffc5bbaa
MC		 869 return EXT_RETURN_FAIL;
870 }
871 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
872 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
873 edsess->ext.alpn_selected_len)) {
874 found = 1;
875 break;
876 }
877 }
878 if (!found) {
f63a17d6 879 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
f63a17d6 880 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 881 return EXT_RETURN_FAIL;
882 }
883 }
38df5a45
MC		 884
885 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
886 || !WPACKET_start_sub_packet_u16(pkt)
887 || !WPACKET_close(pkt)) {
c48ffbcc 888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 889 return EXT_RETURN_FAIL;
38df5a45
MC		 890 }
891
892 /*
893 * We set this to rejected here. Later, if the server acknowledges the
894 * extension, we set it to accepted.
895 */
896 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
4be3a7c7 897 s->ext.early_data_ok = 1;
38df5a45 898
b186a592 899 return EXT_RETURN_SENT;
38df5a45
MC		 900}
901
1266eefd
MC		 902#define F5_WORKAROUND_MIN_MSG_LEN 0xff
903#define F5_WORKAROUND_MAX_MSG_LEN 0x200
904
d702ad12
MC		 905/*
906 * PSK pre binder overhead =
907 * 2 bytes for TLSEXT_TYPE_psk
908 * 2 bytes for extension length
909 * 2 bytes for identities list length
910 * 2 bytes for identity length
911 * 4 bytes for obfuscated_ticket_age
912 * 2 bytes for binder list length
913 * 1 byte for binder length
914 * The above excludes the number of bytes for the identity itself and the
915 * subsequent binder bytes
916 */
917#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
918
38b051a1 919EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 920 unsigned int context, X509 *x,
f63a17d6 921 size_t chainidx)
ab83e314
MC		 922{
923 unsigned char *padbytes;
924 size_t hlen;
925
926 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
b186a592 927 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 928
929 /*
d702ad12
MC		 930 * Add padding to workaround bugs in F5 terminators. See RFC7685.
931 * This code calculates the length of all extensions added so far but
932 * excludes the PSK extension (because that MUST be written last). Therefore
933 * this extension MUST always appear second to last.
ab83e314
MC		 934 */
935 if (!WPACKET_get_total_written(pkt, &hlen)) {
c48ffbcc 936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 937 return EXT_RETURN_FAIL;
ab83e314
MC		 938 }
939
d702ad12
MC		 940 /*
941 * If we're going to send a PSK then that will be written out after this
942 * extension, so we need to calculate how long it is going to be.
943 */
944 if (s->session->ssl_version == TLS1_3_VERSION
945 && s->session->ext.ticklen != 0
946 && s->session->cipher != NULL) {
38b051a1
TM		 947 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
948 s->session->cipher->algorithm2);
d702ad12
MC		 949
950 if (md != NULL) {
951 /*
952 * Add the fixed PSK overhead, the identity length and the binder
953 * length.
954 */
955 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
ed576acd 956 + EVP_MD_get_size(md);
d702ad12
MC		 957 }
958 }
959
1266eefd 960 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
1ee4b98e 961 /* Calculate the amount of padding we need to add */
1266eefd
MC		 962 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
963
964 /*
965 * Take off the size of extension header itself (2 bytes for type and
10ed1b72
TS		 966 * 2 bytes for length bytes), but ensure that the extension is at least
967 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
968 * 8.x are intolerant of that condition)
1266eefd 969 */
3d85c7f4 970 if (hlen > 4)
ab83e314
MC		 971 hlen -= 4;
972 else
10ed1b72 973 hlen = 1;
ab83e314
MC		 974
975 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
976 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
c48ffbcc 977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
eb5fd03b 978 return EXT_RETURN_FAIL;
ab83e314
MC		 979 }
980 memset(padbytes, 0, hlen);
981 }
982
b186a592 983 return EXT_RETURN_SENT;
ab83e314
MC		 984}
985
ec15acb6
MC		 986/*
987 * Construct the pre_shared_key extension
988 */
38b051a1
TM		 989EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
990 unsigned int context,
f63a17d6 991 X509 *x, size_t chainidx)
ec15acb6
MC		 992{
993#ifndef OPENSSL_NO_TLS1_3
e8a557dc 994 uint32_t agesec, agems = 0;
add8d0e9 995 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
9368f865 996 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
15b1688a 997 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
9368f865 998 int dores = 0;
38b051a1 999 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
f0131dc0 1000 OSSL_TIME t;
ec15acb6 1001
c96ce52c 1002 s->ext.tick_identity = 0;
ec15acb6 1003
d702ad12
MC		 1004 /*
1005 * Note: At this stage of the code we only support adding a single
1006 * resumption PSK. If we add support for multiple PSKs then the length
1007 * calculations in the padding extension will need to be adjusted.
1008 */
1009
ec15acb6 1010 /*
08191294
MC		 1011 * If this is an incompatible or new session then we have nothing to resume
1012 * so don't add this extension.
ec15acb6 1013 */
08191294 1014 if (s->session->ssl_version != TLS1_3_VERSION
add8d0e9 1015 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
b186a592 1016 return EXT_RETURN_NOT_SENT;
ec15acb6 1017
fc7129dc 1018 if (s->hello_retry_request == SSL_HRR_PENDING)
9368f865
MC		 1019 handmd = ssl_handshake_md(s);
1020
9368f865 1021 if (s->session->ext.ticklen != 0) {
72257204 1022 /* Get the digest associated with the ciphersuite in the session */
9368f865 1023 if (s->session->cipher == NULL) {
c48ffbcc 1024 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1025 return EXT_RETURN_FAIL;
9368f865 1026 }
38b051a1 1027 mdres = ssl_md(sctx, s->session->cipher->algorithm2);
9368f865 1028 if (mdres == NULL) {
72257204
MC		 1029 /*
1030 * Don't recognize this cipher so we can't use the session.
1031 * Ignore it
1032 */
9368f865
MC		 1033 goto dopsksess;
1034 }
1035
fc7129dc 1036 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
9368f865 1037 /*
72257204
MC		 1038 * Selected ciphersuite hash does not match the hash for the session
1039 * so we can't use it.
9368f865
MC		 1040 */
1041 goto dopsksess;
1042 }
1f5b44e9 1043
cf3e221b 1044 /*
9368f865 1045 * Technically the C standard just says time() returns a time_t and says
72257204
MC		 1046 * nothing about the encoding of that type. In practice most
1047 * implementations follow POSIX which holds it as an integral type in
1048 * seconds since epoch. We've already made the assumption that we can do
1049 * this in multiple places in the code, so portability shouldn't be an
1050 * issue.
cf3e221b 1051 */
f0131dc0
P		 1052 t = ossl_time_subtract(ossl_time_now(), s->session->time);
1053 agesec = (uint32_t)ossl_time2seconds(t);
7e70213f
MC		 1054 /*
1055 * We calculate the age in seconds but the server may work in ms. Due to
1056 * rounding errors we could overestimate the age by up to 1s. It is
1057 * better to underestimate it. Otherwise, if the RTT is very short, when
1058 * the server calculates the age reported by the client it could be
1059 * bigger than the age calculated on the server - which should never
1060 * happen.
1061 */
1062 if (agesec > 0)
1063 agesec--;
cf3e221b 1064
9368f865
MC		 1065 if (s->session->ext.tick_lifetime_hint < agesec) {
1066 /* Ticket is too old. Ignore it. */
1067 goto dopsksess;
1068 }
ec15acb6 1069
9368f865
MC		 1070 /*
1071 * Calculate age in ms. We're just doing it to nearest second. Should be
1072 * good enough.
1073 */
1074 agems = agesec * (uint32_t)1000;
fc24f0bf 1075
9368f865
MC		 1076 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1077 /*
72257204
MC		 1078 * Overflow. Shouldn't happen unless this is a *really* old session.
1079 * If so we just ignore it.
9368f865
MC		 1080 */
1081 goto dopsksess;
1082 }
ec15acb6 1083
ec15acb6 1084 /*
72257204
MC		 1085 * Obfuscate the age. Overflow here is fine, this addition is supposed
1086 * to be mod 2^32.
ec15acb6 1087 */
9368f865
MC		 1088 agems += s->session->ext.tick_age_add;
1089
ed576acd 1090 reshashsize = EVP_MD_get_size(mdres);
c96ce52c 1091 s->ext.tick_identity++;
9368f865 1092 dores = 1;
ec15acb6
MC		 1093 }
1094
9368f865 1095 dopsksess:
add8d0e9 1096 if (!dores && s->psksession == NULL)
9368f865 1097 return EXT_RETURN_NOT_SENT;
ec15acb6 1098
add8d0e9 1099 if (s->psksession != NULL) {
38b051a1 1100 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
9368f865
MC		 1101 if (mdpsk == NULL) {
1102 /*
1103 * Don't recognize this cipher so we can't use the session.
1104 * If this happens it's an application bug.
1105 */
c48ffbcc 1106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
635c8f77 1107 return EXT_RETURN_FAIL;
9368f865
MC		 1108 }
1109
fc7129dc 1110 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
9368f865
MC		 1111 /*
1112 * Selected ciphersuite hash does not match the hash for the PSK
1113 * session. This is an application bug.
1114 */
c48ffbcc 1115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
635c8f77 1116 return EXT_RETURN_FAIL;
9368f865
MC		 1117 }
1118
ed576acd 1119 pskhashsize = EVP_MD_get_size(mdpsk);
9368f865 1120 }
ec15acb6
MC		 1121
1122 /* Create the extension, but skip over the binder for now */
1123 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1124 || !WPACKET_start_sub_packet_u16(pkt)
9368f865 1125 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1127 return EXT_RETURN_FAIL;
9368f865
MC		 1128 }
1129
1130 if (dores) {
1131 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1132 s->session->ext.ticklen)
1133 || !WPACKET_put_bytes_u32(pkt, agems)) {
c48ffbcc 1134 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1135 return EXT_RETURN_FAIL;
9368f865
MC		 1136 }
1137 }
1138
add8d0e9
MC		 1139 if (s->psksession != NULL) {
1140 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1141 s->psksession_id_len)
9368f865 1142 || !WPACKET_put_bytes_u32(pkt, 0)) {
c48ffbcc 1143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1144 return EXT_RETURN_FAIL;
9368f865 1145 }
c96ce52c 1146 s->ext.tick_identity++;
9368f865
MC		 1147 }
1148
1149 if (!WPACKET_close(pkt)
ec15acb6
MC		 1150 || !WPACKET_get_total_written(pkt, &binderoffset)
1151 || !WPACKET_start_sub_packet_u16(pkt)
9368f865
MC		 1152 || (dores
1153 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
add8d0e9 1154 || (s->psksession != NULL
9368f865 1155 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
ec15acb6
MC		 1156 || !WPACKET_close(pkt)
1157 || !WPACKET_close(pkt)
1158 || !WPACKET_get_total_written(pkt, &msglen)
1159 /*
1160 * We need to fill in all the sub-packet lengths now so we can
1161 * calculate the HMAC of the message up to the binders
1162 */
1163 || !WPACKET_fill_lengths(pkt)) {
c48ffbcc 1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1165 return EXT_RETURN_FAIL;
ec15acb6
MC		 1166 }
1167
1168 msgstart = WPACKET_get_curr(pkt) - msglen;
1169
72257204
MC		 1170 if (dores
1171 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1172 resbinder, s->session, 1, 0) != 1) {
635c8f77
MC		 1173 /* SSLfatal() already called */
1174 return EXT_RETURN_FAIL;
ec15acb6
MC		 1175 }
1176
add8d0e9 1177 if (s->psksession != NULL
72257204 1178 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
add8d0e9 1179 pskbinder, s->psksession, 1, 1) != 1) {
635c8f77
MC		 1180 /* SSLfatal() already called */
1181 return EXT_RETURN_FAIL;
9368f865
MC		 1182 }
1183
635c8f77 1184 return EXT_RETURN_SENT;
ec15acb6 1185#else
89bc9cf6 1186 return EXT_RETURN_NOT_SENT;
ec15acb6
MC		 1187#endif
1188}
1189
38b051a1 1190EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
a7e6a3d8
P		 1191 ossl_unused unsigned int context,
1192 ossl_unused X509 *x,
1193 ossl_unused size_t chainidx)
9d75dce3
TS		 1194{
1195#ifndef OPENSSL_NO_TLS1_3
32097b33
MC		 1196 if (!s->pha_enabled)
1197 return EXT_RETURN_NOT_SENT;
9d75dce3
TS		 1198
1199 /* construct extension - 0 length, no contents */
1200 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1201 || !WPACKET_start_sub_packet_u16(pkt)
1202 || !WPACKET_close(pkt)) {
c48ffbcc 1203 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 1204 return EXT_RETURN_FAIL;
1205 }
1206
1207 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1208
1209 return EXT_RETURN_SENT;
1210#else
1211 return EXT_RETURN_NOT_SENT;
1212#endif
1213}
1214
1215
6dd083fd
MC		 1216/*
1217 * Parse the server's renegotiation binding and abort if it's not right
1218 */
38b051a1
TM		 1219int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
1220 unsigned int context,
f63a17d6 1221 X509 *x, size_t chainidx)
6dd083fd 1222{
555cbb32
TS		 1223 size_t expected_len = s->s3.previous_client_finished_len
1224 + s->s3.previous_server_finished_len;
6dd083fd
MC		 1225 size_t ilen;
1226 const unsigned char *data;
1227
1228 /* Check for logic errors */
b77f3ed1 1229 if (!ossl_assert(expected_len == 0
555cbb32 1230 || s->s3.previous_client_finished_len != 0)
b77f3ed1 1231 || !ossl_assert(expected_len == 0
555cbb32 1232 || s->s3.previous_server_finished_len != 0)) {
c48ffbcc 1233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1
MC		 1234 return 0;
1235 }
6dd083fd
MC		 1236
1237 /* Parse the length byte */
1238 if (!PACKET_get_1_len(pkt, &ilen)) {
c48ffbcc 1239 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1240 return 0;
1241 }
1242
1243 /* Consistency check */
1244 if (PACKET_remaining(pkt) != ilen) {
c48ffbcc 1245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1246 return 0;
1247 }
1248
1249 /* Check that the extension matches */
1250 if (ilen != expected_len) {
c48ffbcc 1251 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1252 return 0;
1253 }
1254
555cbb32
TS		 1255 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1256 || memcmp(data, s->s3.previous_client_finished,
1257 s->s3.previous_client_finished_len) != 0) {
c48ffbcc 1258 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1259 return 0;
1260 }
1261
555cbb32
TS		 1262 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1263 || memcmp(data, s->s3.previous_server_finished,
1264 s->s3.previous_server_finished_len) != 0) {
c48ffbcc 1265 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1266 return 0;
1267 }
555cbb32 1268 s->s3.send_connection_binding = 1;
6dd083fd
MC		 1269
1270 return 1;
1271}
1272
cf72c757 1273/* Parse the server's max fragment len extension packet */
38b051a1
TM		 1274int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
1275 unsigned int context,
f63a17d6 1276 X509 *x, size_t chainidx)
cf72c757
F		 1277{
1278 unsigned int value;
1279
1280 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 1281 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 1282 return 0;
1283 }
1284
1285 /* |value| should contains a valid max-fragment-length code. */
1286 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 1287 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 1288 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1289 return 0;
1290 }
1291
1292 /* Must be the same value as client-configured one who was sent to server */
1293 /*-
1294 * RFC 6066: if a client receives a maximum fragment length negotiation
1295 * response that differs from the length it requested, ...
1296 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1297 */
1298 if (value != s->ext.max_fragment_len_mode) {
f63a17d6 1299 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 1300 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1301 return 0;
1302 }
1303
1304 /*
1305 * Maximum Fragment Length Negotiation succeeded.
1306 * The negotiated Maximum Fragment Length is binding now.
1307 */
1308 s->session->ext.max_fragment_len_mode = value;
1309
1310 return 1;
1311}
1312
38b051a1
TM		 1313int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
1314 unsigned int context,
f63a17d6 1315 X509 *x, size_t chainidx)
6dd083fd 1316{
fb34a0f4 1317 if (s->ext.hostname == NULL) {
c48ffbcc 1318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
fb34a0f4
MC		 1319 return 0;
1320 }
1321
1322 if (PACKET_remaining(pkt) > 0) {
c48ffbcc 1323 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1324 return 0;
1325 }
1326
1327 if (!s->hit) {
aff8c126 1328 if (s->session->ext.hostname != NULL) {
c48ffbcc 1329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1330 return 0;
1331 }
aff8c126
RS		 1332 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1333 if (s->session->ext.hostname == NULL) {
c48ffbcc 1334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1335 return 0;
1336 }
1337 }
1338
1339 return 1;
1340}
1341
38b051a1
TM		 1342int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
1343 unsigned int context,
f63a17d6 1344 X509 *x, size_t chainidx)
6dd083fd 1345{
848a950b 1346 size_t ecpointformats_len;
6dd083fd
MC		 1347 PACKET ecptformatlist;
1348
1349 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
c48ffbcc 1350 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1351 return 0;
1352 }
1353 if (!s->hit) {
aff8c126 1354 ecpointformats_len = PACKET_remaining(&ecptformatlist);
848a950b 1355 if (ecpointformats_len == 0) {
c48ffbcc 1356 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
848a950b
MC		 1357 return 0;
1358 }
6dd083fd 1359
cd0fb43c
MC		 1360 s->ext.peer_ecpointformats_len = 0;
1361 OPENSSL_free(s->ext.peer_ecpointformats);
1362 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1363 if (s->ext.peer_ecpointformats == NULL) {
39a14059 1364 s->ext.peer_ecpointformats_len = 0;
c48ffbcc 1365 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1366 return 0;
1367 }
1368
cd0fb43c 1369 s->ext.peer_ecpointformats_len = ecpointformats_len;
6dd083fd
MC		 1370
1371 if (!PACKET_copy_bytes(&ecptformatlist,
cd0fb43c 1372 s->ext.peer_ecpointformats,
aff8c126 1373 ecpointformats_len)) {
c48ffbcc 1374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1375 return 0;
1376 }
1377 }
1378
1379 return 1;
1380}
6dd083fd 1381
38b051a1
TM		 1382int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
1383 unsigned int context,
f63a17d6 1384 X509 *x, size_t chainidx)
6dd083fd 1385{
38b051a1
TM		 1386 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1387
aff8c126 1388 if (s->ext.session_ticket_cb != NULL &&
38b051a1
TM		 1389 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
1390 PACKET_remaining(pkt),
1391 s->ext.session_ticket_cb_arg)) {
c48ffbcc 1392 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1393 return 0;
1394 }
1266eefd 1395
fb34a0f4 1396 if (!tls_use_ticket(s)) {
c48ffbcc 1397 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1398 return 0;
1399 }
fb34a0f4 1400 if (PACKET_remaining(pkt) > 0) {
c48ffbcc 1401 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1402 return 0;
1403 }
1266eefd 1404
aff8c126 1405 s->ext.ticket_expected = 1;
6dd083fd
MC		 1406
1407 return 1;
1408}
1409
ab83e314 1410#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 1411int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
1412 unsigned int context,
f63a17d6 1413 X509 *x, size_t chainidx)
6dd083fd 1414{
5de683d2
MC		 1415 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1416 /* We ignore this if the server sends a CertificateRequest */
5de683d2
MC		 1417 return 1;
1418 }
1419
6dd083fd 1420 /*
f63e4288
MC		 1421 * MUST only be sent if we've requested a status
1422 * request message. In TLS <= 1.2 it must also be empty.
6dd083fd 1423 */
fb34a0f4 1424 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
c48ffbcc 1425 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1426 return 0;
1427 }
38b051a1 1428 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
c48ffbcc 1429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1430 return 0;
1431 }
f63e4288 1432
38b051a1 1433 if (SSL_CONNECTION_IS_TLS13(s)) {
f63e4288 1434 /* We only know how to handle this if it's for the first Certificate in
1ee4b98e 1435 * the chain. We ignore any other responses.
f63e4288 1436 */
8521ced6 1437 if (chainidx != 0)
f63e4288 1438 return 1;
f63a17d6
MC		 1439
1440 /* SSLfatal() already called */
1441 return tls_process_cert_status_body(s, pkt);
f63e4288
MC		 1442 }
1443
6dd083fd 1444 /* Set flag to expect CertificateStatus message */
aff8c126 1445 s->ext.status_expected = 1;
6dd083fd
MC		 1446
1447 return 1;
1448}
ab83e314 1449#endif
6dd083fd
MC		 1450
1451
1452#ifndef OPENSSL_NO_CT
38b051a1
TM		 1453int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1454 X509 *x, size_t chainidx)
6dd083fd 1455{
5de683d2
MC		 1456 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1457 /* We ignore this if the server sends it in a CertificateRequest */
5de683d2
MC		 1458 return 1;
1459 }
1460
6dd083fd
MC		 1461 /*
1462 * Only take it if we asked for it - i.e if there is no CT validation
1463 * callback set, then a custom extension MAY be processing it, so we
1464 * need to let control continue to flow to that.
1465 */
1466 if (s->ct_validation_callback != NULL) {
1467 size_t size = PACKET_remaining(pkt);
1468
1469 /* Simply copy it off for later processing */
aff8c126
RS		 1470 OPENSSL_free(s->ext.scts);
1471 s->ext.scts = NULL;
1266eefd 1472
3a63c0ed 1473 s->ext.scts_len = (uint16_t)size;
6dd083fd 1474 if (size > 0) {
aff8c126 1475 s->ext.scts = OPENSSL_malloc(size);
39a14059
MC		 1476 if (s->ext.scts == NULL) {
1477 s->ext.scts_len = 0;
e077455e 1478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
39a14059
MC		 1479 return 0;
1480 }
1481 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
c48ffbcc 1482 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1483 return 0;
1484 }
1485 }
1486 } else {
b186a592
MC		 1487 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1488 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1489
1490 /*
1491 * If we didn't ask for it then there must be a custom extension,
1492 * otherwise this is unsolicited.
1493 */
1494 if (custom_ext_find(&s->cert->custext, role,
1495 TLSEXT_TYPE_signed_certificate_timestamp,
1496 NULL) == NULL) {
c48ffbcc 1497 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
b186a592
MC		 1498 return 0;
1499 }
1500
f63a17d6 1501 if (!custom_ext_parse(s, context,
43ae5eed
MC		 1502 TLSEXT_TYPE_signed_certificate_timestamp,
1503 PACKET_data(pkt), PACKET_remaining(pkt),
f63a17d6
MC		 1504 x, chainidx)) {
1505 /* SSLfatal already called */
6dd083fd 1506 return 0;
f63a17d6 1507 }
6dd083fd
MC		 1508 }
1509
1510 return 1;
1511}
1512#endif
1513
1514
1515#ifndef OPENSSL_NO_NEXTPROTONEG
1516/*
1517 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1518 * elements of zero length are allowed and the set of elements must exactly
1519 * fill the length of the block. Returns 1 on success or 0 on failure.
1520 */
38b051a1 1521static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
6dd083fd
MC		 1522{
1523 PACKET tmp_protocol;
1524
1525 while (PACKET_remaining(pkt)) {
1526 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
f63a17d6 1527 || PACKET_remaining(&tmp_protocol) == 0) {
c48ffbcc 1528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd 1529 return 0;
f63a17d6 1530 }
6dd083fd
MC		 1531 }
1532
1533 return 1;
1534}
1535
38b051a1
TM		 1536int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1537 X509 *x, size_t chainidx)
6dd083fd
MC		 1538{
1539 unsigned char *selected;
1540 unsigned char selected_len;
1541 PACKET tmppkt;
38b051a1 1542 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
6dd083fd 1543
1266eefd 1544 /* Check if we are in a renegotiation. If so ignore this extension */
c7f47786 1545 if (!SSL_IS_FIRST_HANDSHAKE(s))
6dd083fd
MC		 1546 return 1;
1547
1548 /* We must have requested it. */
38b051a1 1549 if (sctx->ext.npn_select_cb == NULL) {
c48ffbcc 1550 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1551 return 0;
1552 }
1266eefd 1553
6dd083fd
MC		 1554 /* The data must be valid */
1555 tmppkt = *pkt;
f63a17d6
MC		 1556 if (!ssl_next_proto_validate(s, &tmppkt)) {
1557 /* SSLfatal() already called */
6dd083fd
MC		 1558 return 0;
1559 }
38b051a1
TM		 1560 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
1561 &selected, &selected_len,
1562 PACKET_data(pkt), PACKET_remaining(pkt),
1563 sctx->ext.npn_select_cb_arg) !=
6dd083fd 1564 SSL_TLSEXT_ERR_OK) {
c48ffbcc 1565 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1566 return 0;
1567 }
1266eefd 1568
6dd083fd
MC		 1569 /*
1570 * Could be non-NULL if server has sent multiple NPN extensions in
1571 * a single Serverhello
1572 */
aff8c126
RS		 1573 OPENSSL_free(s->ext.npn);
1574 s->ext.npn = OPENSSL_malloc(selected_len);
1575 if (s->ext.npn == NULL) {
39a14059 1576 s->ext.npn_len = 0;
c48ffbcc 1577 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1578 return 0;
1579 }
1580
aff8c126
RS		 1581 memcpy(s->ext.npn, selected, selected_len);
1582 s->ext.npn_len = selected_len;
555cbb32 1583 s->s3.npn_seen = 1;
6dd083fd
MC		 1584
1585 return 1;
1586}
1587#endif
1588
38b051a1
TM		 1589int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1590 X509 *x, size_t chainidx)
6dd083fd
MC		 1591{
1592 size_t len;
1593
1594 /* We must have requested it. */
555cbb32 1595 if (!s->s3.alpn_sent) {
c48ffbcc 1596 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1597 return 0;
1598 }
1599 /*-
1600 * The extension data consists of:
1601 * uint16 list_length
1602 * uint8 proto_length;
1603 * uint8 proto[proto_length];
1604 */
1605 if (!PACKET_get_net_2_len(pkt, &len)
1606 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1607 || PACKET_remaining(pkt) != len) {
c48ffbcc 1608 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1609 return 0;
1610 }
555cbb32
TS		 1611 OPENSSL_free(s->s3.alpn_selected);
1612 s->s3.alpn_selected = OPENSSL_malloc(len);
1613 if (s->s3.alpn_selected == NULL) {
39a14059 1614 s->s3.alpn_selected_len = 0;
c48ffbcc 1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1616 return 0;
1617 }
555cbb32 1618 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
c48ffbcc 1619 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1620 return 0;
1621 }
555cbb32 1622 s->s3.alpn_selected_len = len;
6dd083fd 1623
0ef28021
MC		 1624 if (s->session->ext.alpn_selected == NULL
1625 || s->session->ext.alpn_selected_len != len
555cbb32 1626 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
0ef28021 1627 != 0) {
4be3a7c7
MC		 1628 /* ALPN not consistent with the old session so cannot use early_data */
1629 s->ext.early_data_ok = 0;
1630 }
1631 if (!s->hit) {
9d5db9c9
MC		 1632 /*
1633 * This is a new session and so alpn_selected should have been
1634 * initialised to NULL. We should update it with the selected ALPN.
1635 */
1636 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
c48ffbcc 1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d5db9c9
MC		 1638 return 0;
1639 }
4be3a7c7 1640 s->session->ext.alpn_selected =
555cbb32 1641 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
4be3a7c7 1642 if (s->session->ext.alpn_selected == NULL) {
39a14059 1643 s->session->ext.alpn_selected_len = 0;
c48ffbcc 1644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4be3a7c7
MC		 1645 return 0;
1646 }
555cbb32 1647 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
ae8d7d99
MC		 1648 }
1649
6dd083fd
MC		 1650 return 1;
1651}
1652
1653#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 1654int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
1655 unsigned int context, X509 *x, size_t chainidx)
6dd083fd
MC		 1656{
1657 unsigned int id, ct, mki;
1658 int i;
1659 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1660 SRTP_PROTECTION_PROFILE *prof;
1661
1266eefd
MC		 1662 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1663 || !PACKET_get_net_2(pkt, &id)
1664 || !PACKET_get_1(pkt, &mki)
1665 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1666 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 1667 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1668 return 0;
1669 }
1670
1671 if (mki != 0) {
1672 /* Must be no MKI, since we never offer one */
c48ffbcc 1673 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
6dd083fd
MC		 1674 return 0;
1675 }
1676
6dd083fd 1677 /* Throw an error if the server gave us an unsolicited extension */
38b051a1 1678 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
6dd083fd 1679 if (clnt == NULL) {
c48ffbcc 1680 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
6dd083fd
MC		 1681 return 0;
1682 }
1683
1684 /*
1685 * Check to see if the server gave us something we support (and
1686 * presumably offered)
1687 */
1688 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1689 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1690
1691 if (prof->id == id) {
1692 s->srtp_profile = prof;
6dd083fd
MC		 1693 return 1;
1694 }
1695 }
1696
c48ffbcc 1697 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 1698 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1699 return 0;
1700}
1701#endif
1702
38b051a1
TM		 1703int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1704 X509 *x, size_t chainidx)
6dd083fd
MC		 1705{
1706 /* Ignore if inappropriate ciphersuite */
1707 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
555cbb32 1708 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
d724da69
DB		 1709 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1710 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1711 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1712 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1713 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
28a31a0a 1714 s->ext.use_etm = 1;
6dd083fd
MC		 1715
1716 return 1;
1717}
1718
38b051a1
TM		 1719int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1720 X509 *x, size_t chainidx)
6dd083fd 1721{
088dfa13
TS		 1722 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1723 return 1;
555cbb32 1724 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
6dd083fd
MC		 1725 if (!s->hit)
1726 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1727
1728 return 1;
1729}
1730
38b051a1
TM		 1731int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
1732 unsigned int context,
88050dd1
MC		 1733 X509 *x, size_t chainidx)
1734{
1735 unsigned int version;
1736
1737 if (!PACKET_get_net_2(pkt, &version)
1738 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1739 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
88050dd1
MC		 1740 return 0;
1741 }
1742
27e462f1
MC		 1743 /*
1744 * The only protocol version we support which is valid in this extension in
1745 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1746 */
1747 if (version != TLS1_3_VERSION) {
1748 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
27e462f1
MC		 1749 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1750 return 0;
1751 }
1752
426dfc9f 1753 /* We ignore this extension for HRRs except to sanity check it */
27e462f1 1754 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
426dfc9f 1755 return 1;
426dfc9f 1756
88050dd1
MC		 1757 /* We just set it here. We validate it in ssl_choose_client_version */
1758 s->version = version;
1d367677
MC		 1759 if (!ssl_set_record_protocol_version(s, version)) {
1760 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1761 return 0;
1762 }
88050dd1
MC		 1763
1764 return 1;
1765}
1766
38b051a1
TM		 1767int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
1768 unsigned int context, X509 *x,
f63a17d6 1769 size_t chainidx)
6dd083fd 1770{
3cf96e88 1771#ifndef OPENSSL_NO_TLS1_3
6dd083fd
MC		 1772 unsigned int group_id;
1773 PACKET encoded_pt;
555cbb32 1774 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
a011b586 1775 const TLS_GROUP_INFO *ginf = NULL;
6dd083fd
MC		 1776
1777 /* Sanity check */
555cbb32 1778 if (ckey == NULL || s->s3.peer_tmp != NULL) {
c48ffbcc 1779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1780 return 0;
1781 }
1782
1783 if (!PACKET_get_net_2(pkt, &group_id)) {
c48ffbcc 1784 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1785 return 0;
1786 }
1787
fe874d27 1788 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
f48d826e
DSH		 1789 const uint16_t *pgroups = NULL;
1790 size_t i, num_groups;
3847d426
MC		 1791
1792 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1793 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
3847d426
MC		 1794 return 0;
1795 }
1796
1797 /*
1798 * It is an error if the HelloRetryRequest wants a key_share that we
1799 * already sent in the first ClientHello
1800 */
555cbb32 1801 if (group_id == s->s3.group_id) {
c48ffbcc 1802 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1803 return 0;
1804 }
1805
1806 /* Validate the selected group is one we support */
f48d826e
DSH		 1807 tls1_get_supported_groups(s, &pgroups, &num_groups);
1808 for (i = 0; i < num_groups; i++) {
1809 if (group_id == pgroups[i])
3847d426
MC		 1810 break;
1811 }
f48d826e 1812 if (i >= num_groups
247b8e52
MC		 1813 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1814 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1815 0, NULL)) {
c48ffbcc 1816 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1817 return 0;
1818 }
1819
555cbb32
TS		 1820 s->s3.group_id = group_id;
1821 EVP_PKEY_free(s->s3.tmp.pkey);
1822 s->s3.tmp.pkey = NULL;
3847d426
MC		 1823 return 1;
1824 }
1825
555cbb32 1826 if (group_id != s->s3.group_id) {
6dd083fd
MC		 1827 /*
1828 * This isn't for the group that we sent in the original
1829 * key_share!
1830 */
c48ffbcc 1831 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
6dd083fd
MC		 1832 return 0;
1833 }
aa6bd216
BK		 1834 /* Retain this group in the SSL_SESSION */
1835 if (!s->hit) {
1836 s->session->kex_group = group_id;
1837 } else if (group_id != s->session->kex_group) {
1838 /*
1839 * If this is a resumption but changed what group was used, we need
1840 * to record the new group in the session, but the session is not
1841 * a new session and could be in use by other threads. So, make
1842 * a copy of the session to record the new information so that it's
1843 * useful for any sessions resumed from tickets issued on this
1844 * connection.
1845 */
1846 SSL_SESSION *new_sess;
1847
1848 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
e077455e 1849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
aa6bd216
BK		 1850 return 0;
1851 }
1852 SSL_SESSION_free(s->session);
1853 s->session = new_sess;
1854 s->session->kex_group = group_id;
1855 }
6dd083fd 1856
38b051a1
TM		 1857 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1858 group_id)) == NULL) {
c48ffbcc 1859 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
a011b586
NT		 1860 return 0;
1861 }
1862
6dd083fd
MC		 1863 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1864 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 1865 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1866 return 0;
1867 }
1868
a011b586
NT		 1869 if (!ginf->is_kem) {
1870 /* Regular KEX */
1871 skey = EVP_PKEY_new();
1872 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
c48ffbcc 1873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
b3c34401 1874 EVP_PKEY_free(skey);
a011b586
NT		 1875 return 0;
1876 }
afce590b 1877
d5530efa
TM		 1878 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1879 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 1880 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
a011b586
NT		 1881 EVP_PKEY_free(skey);
1882 return 0;
1883 }
6dd083fd 1884
a011b586
NT		 1885 if (ssl_derive(s, ckey, skey, 1) == 0) {
1886 /* SSLfatal() already called */
1887 EVP_PKEY_free(skey);
1888 return 0;
1889 }
1890 s->s3.peer_tmp = skey;
1891 } else {
1892 /* KEM Mode */
1893 const unsigned char *ct = PACKET_data(&encoded_pt);
1894 size_t ctlen = PACKET_remaining(&encoded_pt);
1895
1896 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1897 /* SSLfatal() already called */
1898 return 0;
1899 }
6dd083fd 1900 }
aa6bd216 1901 s->s3.did_kex = 1;
3cf96e88 1902#endif
6dd083fd
MC		 1903
1904 return 1;
1905}
4ff65f77 1906
38b051a1
TM		 1907int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1908 X509 *x, size_t chainidx)
cfef5027
MC		 1909{
1910 PACKET cookie;
1911
1912 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1913 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1914 &s->ext.tls13_cookie_len)) {
c48ffbcc 1915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
cfef5027
MC		 1916 return 0;
1917 }
1918
1919 return 1;
1920}
1921
38b051a1
TM		 1922int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
1923 unsigned int context,
f63a17d6 1924 X509 *x, size_t chainidx)
38df5a45 1925{
fe874d27 1926 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f
MC		 1927 unsigned long max_early_data;
1928
1929 if (!PACKET_get_net_4(pkt, &max_early_data)
1930 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1931 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
6594189f
MC		 1932 return 0;
1933 }
1934
1935 s->session->ext.max_early_data = max_early_data;
1936
1937 return 1;
1938 }
1939
38df5a45 1940 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1941 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 1942 return 0;
1943 }
1944
4be3a7c7 1945 if (!s->ext.early_data_ok
c96ce52c 1946 || !s->hit) {
38df5a45
MC		 1947 /*
1948 * If we get here then we didn't send early data, or we didn't resume
4be3a7c7
MC		 1949 * using the first identity, or the SNI/ALPN is not consistent so the
1950 * server should not be accepting it.
38df5a45 1951 */
c48ffbcc 1952 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
38df5a45
MC		 1953 return 0;
1954 }
1955
1956 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1957
1958 return 1;
1959}
1960
38b051a1
TM		 1961int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
1962 unsigned int context, X509 *x,
f63a17d6 1963 size_t chainidx)
4ff65f77
MC		 1964{
1965#ifndef OPENSSL_NO_TLS1_3
1966 unsigned int identity;
1967
1968 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
c48ffbcc 1969 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
4ff65f77
MC		 1970 return 0;
1971 }
1972
c96ce52c 1973 if (identity >= (unsigned int)s->ext.tick_identity) {
c48ffbcc 1974 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
c96ce52c
MC		 1975 return 0;
1976 }
1977
1978 /*
1979 * Session resumption tickets are always sent before PSK tickets. If the
1980 * ticket index is 0 then it must be for a session resumption ticket if we
1981 * sent two tickets, or if we didn't send a PSK ticket.
1982 */
1983 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
9368f865
MC		 1984 s->hit = 1;
1985 SSL_SESSION_free(s->psksession);
1986 s->psksession = NULL;
1987 return 1;
1988 }
1989
c96ce52c
MC		 1990 if (s->psksession == NULL) {
1991 /* Should never happen */
c48ffbcc 1992 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4ff65f77
MC		 1993 return 0;
1994 }
1995
add8d0e9
MC		 1996 /*
1997 * If we used the external PSK for sending early_data then s->early_secret
1998 * is already set up, so don't overwrite it. Otherwise we copy the
1999 * early_secret across that we generated earlier.
2000 */
2001 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2002 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2003 || s->session->ext.max_early_data > 0
2004 || s->psksession->ext.max_early_data == 0)
2005 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2006
9368f865
MC		 2007 SSL_SESSION_free(s->session);
2008 s->session = s->psksession;
2009 s->psksession = NULL;
4ff65f77 2010 s->hit = 1;
c96ce52c
MC		 2011 /* Early data is only allowed if we used the first ticket */
2012 if (identity != 0)
2013 s->ext.early_data_ok = 0;
4ff65f77
MC		 2014#endif
2015
2016 return 1;
2017}
3c95ef22
TS		 2018
2019EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2020 unsigned int context,
2021 X509 *x, size_t chainidx)
2022{
2023 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2024 if (sc->client_cert_type == NULL)
2025 return EXT_RETURN_NOT_SENT;
2026
2027 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2028 || !WPACKET_start_sub_packet_u16(pkt)
2029 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
2030 || !WPACKET_close(pkt)) {
2031 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2032 return EXT_RETURN_FAIL;
2033 }
2034 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2035 return EXT_RETURN_SENT;
2036}
2037
2038int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2039 unsigned int context,
2040 X509 *x, size_t chainidx)
2041{
2042 unsigned int type;
2043
2044 if (PACKET_remaining(pkt) != 1) {
2045 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2046 return 0;
2047 }
2048 if (!PACKET_get_1(pkt, &type)) {
2049 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2050 return 0;
2051 }
2052 /* We did not send/ask for this */
2053 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2054 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2055 return 0;
2056 }
2057 /* We don't have this enabled */
2058 if (sc->client_cert_type == NULL) {
2059 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2060 return 0;
2061 }
2062 /* Given back a value we didn't configure */
2063 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
2064 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2065 return 0;
2066 }
2067 sc->ext.client_cert_type = type;
2068 return 1;
2069}
2070
2071EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2072 unsigned int context,
2073 X509 *x, size_t chainidx)
2074{
2075 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2076 if (sc->server_cert_type == NULL)
2077 return EXT_RETURN_NOT_SENT;
2078
2079 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2080 || !WPACKET_start_sub_packet_u16(pkt)
2081 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
2082 || !WPACKET_close(pkt)) {
2083 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2084 return EXT_RETURN_FAIL;
2085 }
2086 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2087 return EXT_RETURN_SENT;
2088}
2089
2090int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2091 unsigned int context,
2092 X509 *x, size_t chainidx)
2093{
2094 unsigned int type;
2095
2096 if (PACKET_remaining(pkt) != 1) {
2097 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2098 return 0;
2099 }
2100 if (!PACKET_get_1(pkt, &type)) {
2101 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2102 return 0;
2103 }
2104 /* We did not send/ask for this */
2105 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2106 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2107 return 0;
2108 }
2109 /* We don't have this enabled */
2110 if (sc->server_cert_type == NULL) {
2111 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2112 return 0;
2113 }
2114 /* Given back a value we didn't configure */
2115 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
2116 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2117 return 0;
2118 }
2119 sc->ext.server_cert_type = type;
2120 return 1;
2121}
A mirror of the official openssl repository