]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
RFC7250 (RPK) support
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
3c95ef22 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
e8a557dc 15#define COOKIE_STATE_FORMAT_VERSION 1
43054d3d
MC		 16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
e8a557dc 20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
d0debc0a
MC		 21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
e8a557dc 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
38b051a1
TM		 41int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
f63a17d6 43 X509 *x, size_t chainidx)
25670f3e
MC		 44{
45 unsigned int ilen;
46 const unsigned char *data;
2b9e2afc 47 int ok;
25670f3e
MC		 48
49 /* Parse the length byte */
50 if (!PACKET_get_1(pkt, &ilen)
51 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 52 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 53 return 0;
54 }
55
56 /* Check that the extension matches */
555cbb32 57 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 58 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 59 return 0;
60 }
61
2b9e2afc
PA		 62 ok = memcmp(data, s->s3.previous_client_finished,
63 s->s3.previous_client_finished_len);
64#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
65 if (ok) {
1dbfd7fe 66 if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
2b9e2afc
PA		 67 ok = 0;
68 }
69 }
70#endif
71 if (ok) {
c48ffbcc 72 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 73 return 0;
74 }
75
555cbb32 76 s->s3.send_connection_binding = 1;
25670f3e
MC		 77
78 return 1;
79}
80
1266eefd
MC		 81/*-
82 * The servername extension is treated as follows:
83 *
84 * - Only the hostname type is supported with a maximum length of 255.
85 * - The servername is rejected if too long or if it contains zeros,
86 * in which case an fatal alert is generated.
87 * - The servername field is maintained together with the session cache.
88 * - When a session is resumed, the servername call back invoked in order
89 * to allow the application to position itself to the right context.
90 * - The servername is acknowledged if it is new for a session or when
91 * it is identical to a previously used for the same session.
92 * Applications can control the behaviour. They can at any time
93 * set a 'desirable' servername for a new SSL object. This can be the
94 * case for example with HTTPS when a Host: header field is received and
95 * a renegotiation is requested. In this case, a possible servername
96 * presented in the new client hello is only acknowledged if it matches
97 * the value of the Host: field.
98 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
99 * if they provide for changing an explicit servername context for the
100 * session, i.e. when the session has been established with a servername
101 * extension.
102 * - On session reconnect, the servername extension may be absent.
103 */
38b051a1
TM		 104int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
105 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 106{
107 unsigned int servname_type;
108 PACKET sni, hostname;
109
25670f3e
MC		 110 if (!PACKET_as_length_prefixed_2(pkt, &sni)
111 /* ServerNameList must be at least 1 byte long. */
112 || PACKET_remaining(&sni) == 0) {
c48ffbcc 113 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 114 return 0;
115 }
116
117 /*
44e69951
F		 118 * Although the intent was for server_name to be extensible, RFC 4366
119 * was not clear about it; and so OpenSSL among other implementations,
120 * always and only allows a 'host_name' name types.
25670f3e
MC		 121 * RFC 6066 corrected the mistake but adding new name types
122 * is nevertheless no longer feasible, so act as if no other
123 * SNI types can exist, to simplify parsing.
124 *
125 * Also note that the RFC permits only one SNI value per type,
126 * i.e., we can only have a single hostname.
127 */
128 if (!PACKET_get_1(&sni, &servname_type)
129 || servname_type != TLSEXT_NAMETYPE_host_name
130 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 131 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 132 return 0;
133 }
134
7955c1f1
MC		 135 /*
136 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
137 * we always use the SNI value from the handshake.
138 */
38b051a1 139 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
25670f3e 140 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 141 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 142 return 0;
143 }
144
145 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 146 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 147 return 0;
148 }
149
1c4aa31d
BK		 150 /*
151 * Store the requested SNI in the SSL as temporary storage.
152 * If we accept it, it will get stored in the SSL_SESSION as well.
153 */
154 OPENSSL_free(s->ext.hostname);
155 s->ext.hostname = NULL;
156 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 158 return 0;
159 }
160
161 s->servername_done = 1;
7955c1f1
MC		 162 } else {
163 /*
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
167 */
1c4aa31d 168 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 169 && PACKET_equal(&hostname, s->session->ext.hostname,
170 strlen(s->session->ext.hostname));
25670f3e
MC		 171 }
172
173 return 1;
174}
175
38b051a1
TM		 176int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
177 unsigned int context,
f63a17d6 178 X509 *x, size_t chainidx)
cf72c757
F		 179{
180 unsigned int value;
181
182 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 184 return 0;
185 }
186
187 /* Received |value| should be a valid max-fragment-length code. */
188 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 191 return 0;
192 }
193
194 /*
195 * RFC 6066: The negotiated length applies for the duration of the session
196 * including session resumptions.
197 * We should receive the same code as in resumed session !
198 */
199 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 200 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 201 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 202 return 0;
203 }
204
205 /*
206 * Store it in session, so it'll become binding for us
207 * and we'll include it in a next Server Hello.
208 */
209 s->session->ext.max_fragment_len_mode = value;
210 return 1;
211}
212
25670f3e 213#ifndef OPENSSL_NO_SRP
38b051a1
TM		 214int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx)
25670f3e
MC		 216{
217 PACKET srp_I;
218
219 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
220 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 222 return 0;
223 }
224
25670f3e 225 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 227 return 0;
228 }
229
230 return 1;
231}
232#endif
233
38b051a1
TM		 234int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
235 unsigned int context,
f63a17d6 236 X509 *x, size_t chainidx)
25670f3e
MC		 237{
238 PACKET ec_point_format_list;
239
240 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
241 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 242 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 243 return 0;
244 }
245
246 if (!s->hit) {
247 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 248 &s->ext.peer_ecpointformats,
249 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 251 return 0;
252 }
253 }
254
255 return 1;
256}
25670f3e 257
38b051a1
TM		 258int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
259 unsigned int context,
f63a17d6 260 X509 *x, size_t chainidx)
25670f3e 261{
aff8c126 262 if (s->ext.session_ticket_cb &&
38b051a1
TM		 263 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
264 PACKET_data(pkt), PACKET_remaining(pkt),
265 s->ext.session_ticket_cb_arg)) {
c48ffbcc 266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 267 return 0;
268 }
269
270 return 1;
271}
272
38b051a1 273int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 274 ossl_unused unsigned int context,
275 ossl_unused X509 *x,
276 ossl_unused size_t chainidx)
c589c34e
BK		 277{
278 PACKET supported_sig_algs;
279
280 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
281 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 282 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 283 return 0;
284 }
285
286 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 287 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 288 return 0;
289 }
290
291 return 1;
292}
293
38b051a1
TM		 294int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
295 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 296{
297 PACKET supported_sig_algs;
298
299 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 300 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 302 return 0;
303 }
304
c589c34e 305 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 306 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 307 return 0;
308 }
309
310 return 1;
311}
312
ab83e314 313#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 314int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
315 unsigned int context,
f63a17d6 316 X509 *x, size_t chainidx)
25670f3e 317{
1266eefd
MC		 318 PACKET responder_id_list, exts;
319
ded4a83d
MC		 320 /* We ignore this in a resumption handshake */
321 if (s->hit)
322 return 1;
323
e96e0f8e
MC		 324 /* Not defined if we get one of these in a client Certificate */
325 if (x != NULL)
326 return 1;
327
aff8c126 328 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 329 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 330 return 0;
331 }
ab83e314 332
aff8c126 333 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 334 /*
1266eefd 335 * We don't know what to do with any other type so ignore it.
25670f3e 336 */
aff8c126 337 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 338 return 1;
339 }
25670f3e 340
1266eefd 341 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 342 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 343 return 0;
344 }
25670f3e 345
1266eefd
MC		 346 /*
347 * We remove any OCSP_RESPIDs from a previous handshake
348 * to prevent unbounded memory growth - CVE-2016-6304
349 */
aff8c126 350 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 351 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 352 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
353 if (s->ext.ocsp.ids == NULL) {
e077455e 354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1266eefd
MC		 355 return 0;
356 }
357 } else {
aff8c126 358 s->ext.ocsp.ids = NULL;
1266eefd 359 }
25670f3e 360
1266eefd
MC		 361 while (PACKET_remaining(&responder_id_list) > 0) {
362 OCSP_RESPID *id;
363 PACKET responder_id;
364 const unsigned char *id_data;
25670f3e 365
1266eefd
MC		 366 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
367 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 369 return 0;
370 }
25670f3e 371
1266eefd 372 id_data = PACKET_data(&responder_id);
1266eefd
MC		 373 id = d2i_OCSP_RESPID(NULL, &id_data,
374 (int)PACKET_remaining(&responder_id));
375 if (id == NULL) {
c48ffbcc 376 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 377 return 0;
25670f3e
MC		 378 }
379
1266eefd
MC		 380 if (id_data != PACKET_end(&responder_id)) {
381 OCSP_RESPID_free(id);
c48ffbcc 382 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 383
25670f3e
MC		 384 return 0;
385 }
386
aff8c126 387 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 388 OCSP_RESPID_free(id);
c48ffbcc 389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 390
1266eefd
MC		 391 return 0;
392 }
393 }
394
395 /* Read in request_extensions */
396 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 397 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 398 return 0;
399 }
400
401 if (PACKET_remaining(&exts) > 0) {
402 const unsigned char *ext_data = PACKET_data(&exts);
403
aff8c126 404 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 405 X509_EXTENSION_free);
aff8c126 406 s->ext.ocsp.exts =
1266eefd 407 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 408 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 409 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 410 return 0;
25670f3e 411 }
25670f3e
MC		 412 }
413
414 return 1;
415}
ab83e314 416#endif
25670f3e
MC		 417
418#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 419int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
420 X509 *x, size_t chainidx)
25670f3e 421{
1266eefd
MC		 422 /*
423 * We shouldn't accept this extension on a
424 * renegotiation.
1266eefd 425 */
c7f47786 426 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 427 s->s3.npn_seen = 1;
25670f3e
MC		 428
429 return 1;
430}
431#endif
432
433/*
1266eefd 434 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 435 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 436 */
38b051a1
TM		 437int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
438 X509 *x, size_t chainidx)
25670f3e
MC		 439{
440 PACKET protocol_list, save_protocol_list, protocol;
441
c7f47786 442 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 443 return 1;
444
445 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
446 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 448 return 0;
449 }
450
451 save_protocol_list = protocol_list;
452 do {
453 /* Protocol names can't be empty. */
454 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
455 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 457 return 0;
458 }
459 } while (PACKET_remaining(&protocol_list) != 0);
460
555cbb32
TS		 461 OPENSSL_free(s->s3.alpn_proposed);
462 s->s3.alpn_proposed = NULL;
463 s->s3.alpn_proposed_len = 0;
25670f3e 464 if (!PACKET_memdup(&save_protocol_list,
555cbb32 465 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 467 return 0;
468 }
469
470 return 1;
471}
472
473#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 474int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
475 unsigned int context, X509 *x, size_t chainidx)
25670f3e 476{
25670f3e
MC		 477 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
478 unsigned int ct, mki_len, id;
479 int i, srtp_pref;
480 PACKET subpkt;
38b051a1 481 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
25670f3e
MC		 482
483 /* Ignore this if we have no SRTP profiles */
38b051a1 484 if (SSL_get_srtp_profiles(ssl) == NULL)
25670f3e
MC		 485 return 1;
486
487 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 488 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
489 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 490 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 491 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 492 return 0;
493 }
494
38b051a1 495 srvr = SSL_get_srtp_profiles(ssl);
25670f3e
MC		 496 s->srtp_profile = NULL;
497 /* Search all profiles for a match initially */
498 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
499
500 while (PACKET_remaining(&subpkt)) {
501 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 502 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 503 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 504 return 0;
505 }
506
507 /*
508 * Only look for match in profiles of higher preference than
509 * current match.
510 * If no profiles have been have been configured then this
511 * does nothing.
512 */
513 for (i = 0; i < srtp_pref; i++) {
d270de32 514 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 515 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
516
25670f3e
MC		 517 if (sprof->id == id) {
518 s->srtp_profile = sprof;
519 srtp_pref = i;
520 break;
521 }
522 }
523 }
524
1266eefd 525 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 526 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 527 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 528 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 529 return 0;
530 }
531
532 if (!PACKET_forward(pkt, mki_len)
533 || PACKET_remaining(pkt)) {
c48ffbcc 534 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 535 return 0;
536 }
537
538 return 1;
539}
540#endif
541
38b051a1
TM		 542int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
543 X509 *x, size_t chainidx)
25670f3e
MC		 544{
545 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 546 s->ext.use_etm = 1;
25670f3e
MC		 547
548 return 1;
549}
550
b2f7e8c0
MC		 551/*
552 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
553 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 554 */
38b051a1
TM		 555int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
556 unsigned int context,
f63a17d6 557 X509 *x, size_t chainidx)
b2f7e8c0
MC		 558{
559#ifndef OPENSSL_NO_TLS1_3
560 PACKET psk_kex_modes;
561 unsigned int mode;
562
563 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
564 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 565 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 566 return 0;
567 }
568
569 while (PACKET_get_1(&psk_kex_modes, &mode)) {
570 if (mode == TLSEXT_KEX_MODE_KE_DHE)
571 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 572 else if (mode == TLSEXT_KEX_MODE_KE
573 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 574 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
575 }
576#endif
577
578 return 1;
579}
580
25670f3e
MC		 581/*
582 * Process a key_share extension received in the ClientHello. |pkt| contains
583 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 584 */
38b051a1
TM		 585int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
586 unsigned int context, X509 *x, size_t chainidx)
25670f3e 587{
3cf96e88 588#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 589 unsigned int group_id;
590 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 591 const uint16_t *clntgroups, *srvrgroups;
592 size_t clnt_num_groups, srvr_num_groups;
43b95d73 593 int found = 0;
25670f3e 594
f4bbb37c 595 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 596 return 1;
597
598 /* Sanity check */
555cbb32 599 if (s->s3.peer_tmp != NULL) {
c48ffbcc 600 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 601 return 0;
602 }
603
604 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 605 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 606 return 0;
607 }
608
f48d826e
DSH		 609 /* Get our list of supported groups */
610 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
611 /* Get the clients list of supported groups. */
612 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
613 if (clnt_num_groups == 0) {
b6fdc12d
MC		 614 /*
615 * This can only happen if the supported_groups extension was not sent,
616 * because we verify that the length is non-zero when we process that
617 * extension.
618 */
c48ffbcc 619 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 620 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 621 return 0;
622 }
25670f3e 623
555cbb32 624 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 625 /*
626 * If we set a group_id already, then we must have sent an HRR
627 * requesting a new key_share. If we haven't got one then that is an
628 * error
629 */
c48ffbcc 630 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 631 return 0;
632 }
633
25670f3e
MC		 634 while (PACKET_remaining(&key_share_list) > 0) {
635 if (!PACKET_get_net_2(&key_share_list, &group_id)
636 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
637 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 638 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 639 return 0;
640 }
641
642 /*
643 * If we already found a suitable key_share we loop through the
644 * rest to verify the structure, but don't process them.
645 */
646 if (found)
647 continue;
648
43054d3d
MC		 649 /*
650 * If we sent an HRR then the key_share sent back MUST be for the group
651 * we requested, and must be the only key_share sent.
652 */
555cbb32 653 if (s->s3.group_id != 0
16f0e91c 654 && (group_id != s->s3.group_id
43054d3d 655 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 656 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 657 return 0;
658 }
659
25670f3e 660 /* Check if this share is in supported_groups sent from client */
f48d826e 661 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 663 return 0;
664 }
665
666 /* Check if this share is for a group we can use */
247b8e52
MC		 667 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
668 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
669 /*
670 * We tolerate but ignore a group id that we don't think is
671 * suitable for TLSv1.3
672 */
673 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
674 0, NULL)) {
25670f3e
MC		 675 /* Share not suitable */
676 continue;
677 }
678
0a10825a
BE		 679 s->s3.group_id = group_id;
680 /* Cache the selected group ID in the SSL_SESSION */
681 s->session->kex_group = group_id;
682
ada66e78 683 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 684 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 685 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
686 return 0;
687 }
688
d5530efa
TM		 689 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
690 PACKET_data(&encoded_pt),
691 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 692 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 693 return 0;
694 }
695
696 found = 1;
697 }
3cf96e88 698#endif
25670f3e
MC		 699
700 return 1;
701}
702
38b051a1
TM		 703int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
704 X509 *x, size_t chainidx)
43054d3d 705{
1aac20f5 706#ifndef OPENSSL_NO_TLS1_3
dd77962e 707 unsigned int format, version, key_share, group_id;
43054d3d
MC		 708 EVP_MD_CTX *hctx;
709 EVP_PKEY *pkey;
710 PACKET cookie, raw, chhash, appcookie;
711 WPACKET hrrpkt;
712 const unsigned char *data, *mdin, *ciphdata;
713 unsigned char hmac[SHA256_DIGEST_LENGTH];
714 unsigned char hrr[MAX_HRR_SIZE];
715 size_t rawlen, hmaclen, hrrlen, ciphlen;
e8a557dc 716 uint64_t tm, now;
38b051a1
TM		 717 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
718 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
43054d3d
MC		 719
720 /* Ignore any cookie if we're not set up to verify it */
38b051a1 721 if (sctx->verify_stateless_cookie_cb == NULL
555cbb32 722 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 723 return 1;
724
725 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 726 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 727 return 0;
728 }
729
730 raw = cookie;
731 data = PACKET_data(&raw);
732 rawlen = PACKET_remaining(&raw);
733 if (rawlen < SHA256_DIGEST_LENGTH
734 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 735 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 736 return 0;
737 }
738 mdin = PACKET_data(&raw);
739
740 /* Verify the HMAC of the cookie */
741 hctx = EVP_MD_CTX_create();
38b051a1
TM		 742 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
743 sctx->propq,
d8652be0
MC		 744 s->session_ctx->ext.cookie_hmac_key,
745 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 746 if (hctx == NULL || pkey == NULL) {
747 EVP_MD_CTX_free(hctx);
748 EVP_PKEY_free(pkey);
e077455e 749 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 750 return 0;
751 }
752
97ea1e7f 753 hmaclen = SHA256_DIGEST_LENGTH;
38b051a1
TM		 754 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
755 sctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 756 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
757 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 758 || hmaclen != SHA256_DIGEST_LENGTH) {
759 EVP_MD_CTX_free(hctx);
760 EVP_PKEY_free(pkey);
c48ffbcc 761 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 762 return 0;
763 }
764
765 EVP_MD_CTX_free(hctx);
766 EVP_PKEY_free(pkey);
767
768 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 769 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 770 return 0;
771 }
772
773 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 774 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 775 return 0;
776 }
777 /* Check the cookie format is something we recognise. Ignore it if not */
778 if (format != COOKIE_STATE_FORMAT_VERSION)
779 return 1;
780
781 /*
782 * The rest of these checks really shouldn't fail since we have verified the
783 * HMAC above.
784 */
785
786 /* Check the version number is sane */
787 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 788 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 789 return 0;
790 }
791 if (version != TLS1_3_VERSION) {
c48ffbcc 792 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 793 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
794 return 0;
795 }
796
dd77962e 797 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 798 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 799 return 0;
800 }
dd77962e 801
43054d3d
MC		 802 ciphdata = PACKET_data(&cookie);
803 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 805 return 0;
806 }
555cbb32
TS		 807 if (group_id != s->s3.group_id
808 || s->s3.tmp.new_cipher
dd77962e
MC		 809 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
810 /*
811 * We chose a different cipher or group id this time around to what is
812 * in the cookie. Something must have changed.
813 */
c48ffbcc 814 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 815 return 0;
816 }
817
818 if (!PACKET_get_1(&cookie, &key_share)
e8a557dc 819 || !PACKET_get_net_8(&cookie, &tm)
43054d3d
MC		 820 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
821 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
822 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 823 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 824 return 0;
825 }
826
d0debc0a 827 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
e8a557dc 828 now = time(NULL);
d0debc0a
MC		 829 if (tm > now || (now - tm) > 600) {
830 /* Cookie is stale. Ignore it */
831 return 1;
832 }
833
43054d3d 834 /* Verify the app cookie */
38b051a1
TM		 835 if (sctx->verify_stateless_cookie_cb(ssl,
836 PACKET_data(&appcookie),
837 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 838 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 839 return 0;
840 }
841
842 /*
843 * Reconstruct the HRR that we would have sent in response to the original
844 * ClientHello so we can add it to the transcript hash.
845 * Note: This won't work with custom HRR extensions
846 */
847 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 849 return 0;
850 }
851 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
852 || !WPACKET_start_sub_packet_u24(&hrrpkt)
853 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
854 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
855 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
856 s->tmp_session_id_len)
38b051a1
TM		 857 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
858 &ciphlen)
43054d3d
MC		 859 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
860 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
861 WPACKET_cleanup(&hrrpkt);
c48ffbcc 862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 863 return 0;
864 }
865 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
866 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 867 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 868 || !WPACKET_close(&hrrpkt)) {
869 WPACKET_cleanup(&hrrpkt);
c48ffbcc 870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 871 return 0;
872 }
873 if (key_share) {
874 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
875 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 876 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 877 || !WPACKET_close(&hrrpkt)) {
878 WPACKET_cleanup(&hrrpkt);
c48ffbcc 879 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 880 return 0;
881 }
882 }
883 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
884 || !WPACKET_start_sub_packet_u16(&hrrpkt)
885 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
886 || !WPACKET_close(&hrrpkt) /* cookie extension */
887 || !WPACKET_close(&hrrpkt) /* extension block */
888 || !WPACKET_close(&hrrpkt) /* message */
889 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
890 || !WPACKET_finish(&hrrpkt)) {
891 WPACKET_cleanup(&hrrpkt);
c48ffbcc 892 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 893 return 0;
894 }
895
896 /* Reconstruct the transcript hash */
897 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
898 PACKET_remaining(&chhash), hrr,
899 hrrlen)) {
900 /* SSLfatal() already called */
901 return 0;
902 }
903
904 /* Act as if this ClientHello came after a HelloRetryRequest */
905 s->hello_retry_request = 1;
906
c36001c3 907 s->ext.cookieok = 1;
1aac20f5 908#endif
c36001c3 909
43054d3d
MC		 910 return 1;
911}
912
38b051a1
TM		 913int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
914 unsigned int context,
f63a17d6 915 X509 *x, size_t chainidx)
25670f3e
MC		 916{
917 PACKET supported_groups_list;
918
919 /* Each group is 2 bytes and we must have at least 1. */
920 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
921 || PACKET_remaining(&supported_groups_list) == 0
922 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 923 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 924 return 0;
925 }
926
38b051a1 927 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
45436e61
MC		 928 OPENSSL_free(s->ext.peer_supportedgroups);
929 s->ext.peer_supportedgroups = NULL;
930 s->ext.peer_supportedgroups_len = 0;
9e84a42d 931 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 932 &s->ext.peer_supportedgroups,
933 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 934 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 935 return 0;
936 }
25670f3e
MC		 937 }
938
939 return 1;
940}
25670f3e 941
38b051a1
TM		 942int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
943 X509 *x, size_t chainidx)
25670f3e
MC		 944{
945 /* The extension must always be empty */
946 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 947 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 948 return 0;
949 }
950
088dfa13
TS		 951 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
952 return 1;
953
555cbb32 954 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 955
956 return 1;
957}
7da160b0 958
38df5a45 959
38b051a1 960int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
f63a17d6 961 X509 *x, size_t chainidx)
38df5a45
MC		 962{
963 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 964 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 965 return 0;
966 }
967
fc7129dc 968 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 969 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 970 return 0;
971 }
972
38df5a45
MC		 973 return 1;
974}
975
38b051a1 976static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
6cc0b3c2
MC		 977 SSL_SESSION **sess)
978{
979 SSL_SESSION *tmpsess = NULL;
980
5f26ddff
MC		 981 s->ext.ticket_expected = 1;
982
6cc0b3c2
MC		 983 switch (PACKET_remaining(tick)) {
984 case 0:
985 return SSL_TICKET_EMPTY;
986
987 case SSL_MAX_SSL_SESSION_ID_LENGTH:
988 break;
989
990 default:
991 return SSL_TICKET_NO_DECRYPT;
992 }
993
994 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
995 SSL_MAX_SSL_SESSION_ID_LENGTH);
996
997 if (tmpsess == NULL)
998 return SSL_TICKET_NO_DECRYPT;
999
6cc0b3c2
MC		 1000 *sess = tmpsess;
1001 return SSL_TICKET_SUCCESS;
1002}
1003
38b051a1
TM		 1004int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1005 X509 *x, size_t chainidx)
1053a6e2
MC		 1006{
1007 PACKET identities, binders, binder;
1008 size_t binderoffset, hashsize;
1009 SSL_SESSION *sess = NULL;
3a7c56b2 1010 unsigned int id, i, ext = 0;
1053a6e2 1011 const EVP_MD *md = NULL;
38b051a1
TM		 1012 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1013 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1053a6e2 1014
1a9f457c
MC		 1015 /*
1016 * If we have no PSK kex mode that we recognise then we can't resume so
1017 * ignore this extension
1018 */
1019 if ((s->ext.psk_kex_mode
1020 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1021 return 1;
1022
1053a6e2 1023 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1024 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1025 return 0;
1026 }
1027
61fb5923 1028 s->ext.ticket_expected = 0;
1053a6e2
MC		 1029 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1030 PACKET identity;
2c604cb9 1031 unsigned long ticket_agel;
f3d40db1 1032 size_t idlen;
1053a6e2
MC		 1033
1034 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1035 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1036 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1037 return 0;
1038 }
1039
f3d40db1 1040 idlen = PACKET_remaining(&identity);
3a7c56b2 1041 if (s->psk_find_session_cb != NULL
38b051a1 1042 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
011d768a 1043 &sess)) {
c48ffbcc 1044 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1045 return 0;
1046 }
1047
c2b290c3 1048#ifndef OPENSSL_NO_PSK
1287dabd 1049 if (sess == NULL
f3d40db1
MC		 1050 && s->psk_server_callback != NULL
1051 && idlen <= PSK_MAX_IDENTITY_LEN) {
1052 char *pskid = NULL;
1053 unsigned char pskdata[PSK_MAX_PSK_LEN];
1054 unsigned int pskdatalen;
1055
1056 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1057 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1058 return 0;
1059 }
38b051a1 1060 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
f3d40db1
MC		 1061 sizeof(pskdata));
1062 OPENSSL_free(pskid);
1063 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1064 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1065 return 0;
1066 } else if (pskdatalen > 0) {
1067 const SSL_CIPHER *cipher;
1068 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1069
1070 /*
1071 * We found a PSK using an old style callback. We don't know
1072 * the digest so we default to SHA256 as per the TLSv1.3 spec
1073 */
38b051a1 1074 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1
MC		 1075 if (cipher == NULL) {
1076 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1077 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1078 return 0;
1079 }
1080
1081 sess = SSL_SESSION_new();
1082 if (sess == NULL
1083 || !SSL_SESSION_set1_master_key(sess, pskdata,
1084 pskdatalen)
1085 || !SSL_SESSION_set_cipher(sess, cipher)
1086 || !SSL_SESSION_set_protocol_version(sess,
1087 TLS1_3_VERSION)) {
1088 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1089 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1090 goto err;
1091 }
1092 OPENSSL_cleanse(pskdata, pskdatalen);
1093 }
1094 }
c2b290c3 1095#endif /* OPENSSL_NO_PSK */
f3d40db1 1096
011d768a
MC		 1097 if (sess != NULL) {
1098 /* We found a PSK */
3a7c56b2 1099 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1100
3a7c56b2 1101 if (sesstmp == NULL) {
c48ffbcc 1102 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1103 return 0;
1104 }
1105 SSL_SESSION_free(sess);
1106 sess = sesstmp;
1107
1108 /*
1109 * We've just been told to use this session for this context so
1110 * make sure the sid_ctx matches up.
1111 */
1112 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1113 sess->sid_ctx_length = s->sid_ctx_length;
1114 ext = 1;
630369d9
MC		 1115 if (id == 0)
1116 s->ext.early_data_ok = 1;
51256b34 1117 s->ext.ticket_expected = 1;
3a7c56b2 1118 } else {
f0131dc0 1119 OSSL_TIME t, age, expire;
61fb5923
MC		 1120 int ret;
1121
e880d4e5
MC		 1122 /*
1123 * If we are using anti-replay protection then we behave as if
1124 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1125 * is no point in using full stateless tickets.
1126 */
1127 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1128 || (s->max_early_data > 0
1129 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1130 ret = tls_get_stateful_ticket(s, &identity, &sess);
1131 else
1132 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1133 PACKET_remaining(&identity), NULL, 0,
1134 &sess);
61fb5923
MC		 1135
1136 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1137 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1138 return 0;
1139 }
3a7c56b2 1140
df0fed9a
TS		 1141 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1142 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1144 return 0;
1145 }
61fb5923 1146 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1147 continue;
1148
66d7de16
MC		 1149 /* Check for replay */
1150 if (s->max_early_data > 0
5d263fb7 1151 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1152 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1153 SSL_SESSION_free(sess);
1154 sess = NULL;
1155 continue;
1156 }
1157
0513a383
MC		 1158 age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1159 ossl_ms2time(sess->ext.tick_age_add));
f0131dc0 1160 t = ossl_time_subtract(ossl_time_now(), sess->time);
3a7c56b2
MC		 1161
1162 /*
0513a383
MC		 1163 * Although internally we use OSS_TIME which has ns granularity,
1164 * when SSL_SESSION structures are serialised/deserialised we use
1165 * second granularity for the sess->time field. Therefore it could
1166 * appear that the client's ticket age is longer than ours (our
1167 * ticket age calculation should always be slightly longer than the
1168 * client's due to the network latency). Therefore we add 1000ms to
1169 * our age calculation to adjust for rounding errors.
3a7c56b2 1170 */
f0131dc0
P		 1171 expire = ossl_time_add(t, ossl_ms2time(1000));
1172
630369d9 1173 if (id == 0
f0131dc0
P		 1174 && ossl_time_compare(sess->timeout, t) >= 0
1175 && ossl_time_compare(age, expire) <= 0
1176 && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1177 expire) >= 0) {
3a7c56b2
MC		 1178 /*
1179 * Ticket age is within tolerance and not expired. We allow it
1180 * for early data
1181 */
1182 s->ext.early_data_ok = 1;
1183 }
1053a6e2 1184 }
1053a6e2 1185
38b051a1 1186 md = ssl_md(sctx, sess->cipher->algorithm2);
b740012f 1187 if (md == NULL) {
1188 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1189 goto err;
1190 }
c8f6c28a 1191 if (!EVP_MD_is_a(md,
38b051a1 1192 EVP_MD_get0_name(ssl_md(sctx,
ed576acd 1193 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1194 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1195 SSL_SESSION_free(sess);
1196 sess = NULL;
630369d9 1197 s->ext.early_data_ok = 0;
51256b34 1198 s->ext.ticket_expected = 0;
1053a6e2
MC		 1199 continue;
1200 }
1053a6e2
MC		 1201 break;
1202 }
1203
1204 if (sess == NULL)
1205 return 1;
1206
1207 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1208 hashsize = EVP_MD_get_size(md);
1053a6e2
MC		 1209
1210 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1211 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1212 goto err;
1213 }
1214
1215 for (i = 0; i <= id; i++) {
1216 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1217 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1218 goto err;
1219 }
1220 }
1221
2894e9cb 1222 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1223 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1224 goto err;
1225 }
1226 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1227 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1228 ext) != 1) {
635c8f77 1229 /* SSLfatal() already called */
1053a6e2
MC		 1230 goto err;
1231 }
1232
c96ce52c 1233 s->ext.tick_identity = id;
2c604cb9 1234
1053a6e2
MC		 1235 SSL_SESSION_free(s->session);
1236 s->session = sess;
1053a6e2
MC		 1237 return 1;
1238err:
312e9387 1239 SSL_SESSION_free(sess);
1053a6e2
MC		 1240 return 0;
1241}
1242
38b051a1 1243int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 1244 ossl_unused unsigned int context,
1245 ossl_unused X509 *x,
1246 ossl_unused size_t chainidx)
9d75dce3
TS		 1247{
1248 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1249 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1250 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1251 return 0;
1252 }
1253
1254 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1255
1256 return 1;
1257}
1258
1266eefd
MC		 1259/*
1260 * Add the server's renegotiation binding
1261 */
38b051a1 1262EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1263 unsigned int context, X509 *x,
f63a17d6 1264 size_t chainidx)
7da160b0 1265{
555cbb32 1266 if (!s->s3.send_connection_binding)
b186a592 1267 return EXT_RETURN_NOT_SENT;
7da160b0 1268
db0f35dd 1269 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1270 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1271 || !WPACKET_start_sub_packet_u16(pkt)
1272 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1273 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1274 s->s3.previous_client_finished_len)
1275 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1276 s->s3.previous_server_finished_len)
7da160b0
MC		 1277 || !WPACKET_close(pkt)
1278 || !WPACKET_close(pkt)) {
c48ffbcc 1279 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1280 return EXT_RETURN_FAIL;
7da160b0
MC		 1281 }
1282
b186a592 1283 return EXT_RETURN_SENT;
7da160b0
MC		 1284}
1285
38b051a1 1286EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1287 unsigned int context, X509 *x,
f63a17d6 1288 size_t chainidx)
7da160b0 1289{
7955c1f1
MC		 1290 if (s->servername_done != 1)
1291 return EXT_RETURN_NOT_SENT;
1292
1293 /*
1294 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1295 * We just use the servername from the initial handshake.
1296 */
38b051a1 1297 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
b186a592 1298 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1299
1300 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1301 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1303 return EXT_RETURN_FAIL;
7da160b0
MC		 1304 }
1305
b186a592 1306 return EXT_RETURN_SENT;
7da160b0
MC		 1307}
1308
cf72c757 1309/* Add/include the server's max fragment len extension into ServerHello */
38b051a1 1310EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 1311 unsigned int context, X509 *x,
f63a17d6 1312 size_t chainidx)
cf72c757
F		 1313{
1314 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1315 return EXT_RETURN_NOT_SENT;
1316
1317 /*-
1318 * 4 bytes for this extension type and extension length
1319 * 1 byte for the Max Fragment Length code value.
1320 */
1321 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1322 || !WPACKET_start_sub_packet_u16(pkt)
1323 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1324 || !WPACKET_close(pkt)) {
c48ffbcc 1325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1326 return EXT_RETURN_FAIL;
1327 }
1328
1329 return EXT_RETURN_SENT;
1330}
1331
38b051a1 1332EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1333 unsigned int context, X509 *x,
f63a17d6 1334 size_t chainidx)
7da160b0 1335{
555cbb32
TS		 1336 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1337 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1338 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1339 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1340 const unsigned char *plist;
1341 size_t plistlen;
1342
1343 if (!using_ecc)
b186a592 1344 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1345
1346 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1347 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1348 || !WPACKET_start_sub_packet_u16(pkt)
1349 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1350 || !WPACKET_close(pkt)) {
c48ffbcc 1351 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1352 return EXT_RETURN_FAIL;
7da160b0
MC		 1353 }
1354
b186a592 1355 return EXT_RETURN_SENT;
7da160b0 1356}
7da160b0 1357
38b051a1 1358EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1359 unsigned int context, X509 *x,
f63a17d6 1360 size_t chainidx)
6af87546 1361{
9e84a42d 1362 const uint16_t *groups;
6af87546 1363 size_t numgroups, i, first = 1;
9d2d857f 1364 int version;
6af87546 1365
555cbb32
TS		 1366 /* s->s3.group_id is non zero if we accepted a key_share */
1367 if (s->s3.group_id == 0)
b186a592 1368 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1369
1370 /* Get our list of supported groups */
ff6d20a6 1371 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1372 if (numgroups == 0) {
c48ffbcc 1373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1374 return EXT_RETURN_FAIL;
6af87546
MC		 1375 }
1376
1377 /* Copy group ID if supported */
38b051a1 1378 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
9e84a42d
DSH		 1379 for (i = 0; i < numgroups; i++) {
1380 uint16_t group = groups[i];
1381
8b1db5d3 1382 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1383 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1384 if (first) {
1385 /*
1386 * Check if the client is already using our preferred group. If
1387 * so we don't need to add this extension
1388 */
555cbb32 1389 if (s->s3.group_id == group)
b186a592 1390 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1391
1392 /* Add extension header */
1393 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1394 /* Sub-packet for supported_groups extension */
1395 || !WPACKET_start_sub_packet_u16(pkt)
1396 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1398 return EXT_RETURN_FAIL;
6af87546
MC		 1399 }
1400
1401 first = 0;
1402 }
9e84a42d 1403 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1404 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1405 return EXT_RETURN_FAIL;
6af87546
MC		 1406 }
1407 }
1408 }
1409
1410 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1412 return EXT_RETURN_FAIL;
6af87546
MC		 1413 }
1414
b186a592 1415 return EXT_RETURN_SENT;
6af87546
MC		 1416}
1417
38b051a1 1418EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1419 unsigned int context, X509 *x,
f63a17d6 1420 size_t chainidx)
7da160b0 1421{
aff8c126
RS		 1422 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1423 s->ext.ticket_expected = 0;
b186a592 1424 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1425 }
1426
1427 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1428 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1429 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1430 return EXT_RETURN_FAIL;
7da160b0
MC		 1431 }
1432
b186a592 1433 return EXT_RETURN_SENT;
7da160b0
MC		 1434}
1435
ab83e314 1436#ifndef OPENSSL_NO_OCSP
38b051a1 1437EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1438 unsigned int context, X509 *x,
f63a17d6 1439 size_t chainidx)
7da160b0 1440{
debb64a0
MC		 1441 /* We don't currently support this extension inside a CertificateRequest */
1442 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1443 return EXT_RETURN_NOT_SENT;
1444
aff8c126 1445 if (!s->ext.status_expected)
b186a592 1446 return EXT_RETURN_NOT_SENT;
7da160b0 1447
38b051a1 1448 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
b186a592 1449 return EXT_RETURN_NOT_SENT;
e96e0f8e 1450
7da160b0 1451 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1452 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1454 return EXT_RETURN_FAIL;
f63e4288
MC		 1455 }
1456
1457 /*
1458 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1459 * send back an empty extension, with the certificate status appearing as a
1460 * separate message
1461 */
38b051a1 1462 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
3ec8d113 1463 /* SSLfatal() already called */
56d36288 1464 return EXT_RETURN_FAIL;
3ec8d113
MC		 1465 }
1466 if (!WPACKET_close(pkt)) {
c48ffbcc 1467 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1468 return EXT_RETURN_FAIL;
7da160b0
MC		 1469 }
1470
b186a592 1471 return EXT_RETURN_SENT;
7da160b0 1472}
ab83e314 1473#endif
7da160b0 1474
7da160b0 1475#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1 1476EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1477 unsigned int context, X509 *x,
f63a17d6 1478 size_t chainidx)
7da160b0
MC		 1479{
1480 const unsigned char *npa;
1481 unsigned int npalen;
1482 int ret;
555cbb32 1483 int npn_seen = s->s3.npn_seen;
38b051a1 1484 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
7da160b0 1485
555cbb32 1486 s->s3.npn_seen = 0;
38b051a1 1487 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
b186a592 1488 return EXT_RETURN_NOT_SENT;
7da160b0 1489
38b051a1
TM		 1490 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1491 sctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1492 if (ret == SSL_TLSEXT_ERR_OK) {
1493 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1494 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1496 return EXT_RETURN_FAIL;
7da160b0 1497 }
555cbb32 1498 s->s3.npn_seen = 1;
7da160b0
MC		 1499 }
1500
b186a592 1501 return EXT_RETURN_SENT;
7da160b0
MC		 1502}
1503#endif
1504
38b051a1 1505EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
f63a17d6 1506 X509 *x, size_t chainidx)
7da160b0 1507{
555cbb32 1508 if (s->s3.alpn_selected == NULL)
b186a592 1509 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1510
1511 if (!WPACKET_put_bytes_u16(pkt,
1512 TLSEXT_TYPE_application_layer_protocol_negotiation)
1513 || !WPACKET_start_sub_packet_u16(pkt)
1514 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1515 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1516 s->s3.alpn_selected_len)
7da160b0
MC		 1517 || !WPACKET_close(pkt)
1518 || !WPACKET_close(pkt)) {
c48ffbcc 1519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1520 return EXT_RETURN_FAIL;
7da160b0
MC		 1521 }
1522
b186a592 1523 return EXT_RETURN_SENT;
7da160b0
MC		 1524}
1525
1526#ifndef OPENSSL_NO_SRTP
38b051a1 1527EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1528 unsigned int context, X509 *x,
f63a17d6 1529 size_t chainidx)
7da160b0
MC		 1530{
1531 if (s->srtp_profile == NULL)
b186a592 1532 return EXT_RETURN_NOT_SENT;
a1448c26 1533
7da160b0
MC		 1534 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1535 || !WPACKET_start_sub_packet_u16(pkt)
1536 || !WPACKET_put_bytes_u16(pkt, 2)
1537 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1538 || !WPACKET_put_bytes_u8(pkt, 0)
1539 || !WPACKET_close(pkt)) {
c48ffbcc 1540 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1541 return EXT_RETURN_FAIL;
7da160b0
MC		 1542 }
1543
b186a592 1544 return EXT_RETURN_SENT;
7da160b0
MC		 1545}
1546#endif
1547
38b051a1
TM		 1548EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1549 unsigned int context,
f63a17d6 1550 X509 *x, size_t chainidx)
7da160b0 1551{
28a31a0a 1552 if (!s->ext.use_etm)
b186a592 1553 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1554
1555 /*
1556 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1557 * for other cases too.
1558 */
555cbb32
TS		 1559 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1560 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1561 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1562 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1563 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1564 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1565 s->ext.use_etm = 0;
b186a592 1566 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1567 }
1568
1569 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1570 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1571 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1572 return EXT_RETURN_FAIL;
7da160b0
MC		 1573 }
1574
b186a592 1575 return EXT_RETURN_SENT;
7da160b0
MC		 1576}
1577
38b051a1
TM		 1578EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1579 unsigned int context,
f63a17d6 1580 X509 *x, size_t chainidx)
7da160b0 1581{
555cbb32 1582 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1583 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1584
1585 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1586 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1588 return EXT_RETURN_FAIL;
7da160b0
MC		 1589 }
1590
b186a592 1591 return EXT_RETURN_SENT;
7da160b0
MC		 1592}
1593
38b051a1 1594EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
88050dd1
MC		 1595 unsigned int context, X509 *x,
1596 size_t chainidx)
1597{
38b051a1 1598 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
c48ffbcc 1599 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1600 return EXT_RETURN_FAIL;
1601 }
88050dd1
MC		 1602
1603 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1604 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1605 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1606 || !WPACKET_close(pkt)) {
c48ffbcc 1607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1608 return EXT_RETURN_FAIL;
1609 }
1610
1611 return EXT_RETURN_SENT;
1612}
1613
38b051a1 1614EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1615 unsigned int context, X509 *x,
f63a17d6 1616 size_t chainidx)
7da160b0 1617{
3cf96e88 1618#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1619 unsigned char *encodedPoint;
1620 size_t encoded_pt_len = 0;
555cbb32 1621 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1622 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1623
dd77962e
MC		 1624 if (s->hello_retry_request == SSL_HRR_PENDING) {
1625 if (ckey != NULL) {
1626 /* Original key_share was acceptable so don't ask for another one */
1627 return EXT_RETURN_NOT_SENT;
1628 }
1629 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1630 || !WPACKET_start_sub_packet_u16(pkt)
16f0e91c 1631 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
dd77962e 1632 || !WPACKET_close(pkt)) {
c48ffbcc 1633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1634 return EXT_RETURN_FAIL;
7d061fce
MC		 1635 }
1636
dd77962e
MC		 1637 return EXT_RETURN_SENT;
1638 }
1639
1640 if (ckey == NULL) {
1641 /* No key_share received from client - must be resuming */
0247086d 1642 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1644 return EXT_RETURN_FAIL;
0247086d 1645 }
b186a592 1646 return EXT_RETURN_NOT_SENT;
7da160b0 1647 }
e776858b
BK		 1648 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1649 /*
1650 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1651 * DHE option we always take it); don't send key share.
1652 */
1653 return EXT_RETURN_NOT_SENT;
1654 }
7da160b0
MC		 1655
1656 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1657 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1658 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1659 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1660 return EXT_RETURN_FAIL;
7da160b0
MC		 1661 }
1662
38b051a1
TM		 1663 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1664 s->s3.group_id)) == NULL) {
c48ffbcc 1665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1666 return EXT_RETURN_FAIL;
7da160b0
MC		 1667 }
1668
8b17fbaf
NT		 1669 if (!ginf->is_kem) {
1670 /* Regular KEX */
1671 skey = ssl_generate_pkey(s, ckey);
1672 if (skey == NULL) {
e077455e 1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
8b17fbaf
NT		 1674 return EXT_RETURN_FAIL;
1675 }
7da160b0 1676
8b17fbaf 1677 /* Generate encoding of server key */
5ac8fb58 1678 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1679 if (encoded_pt_len == 0) {
c48ffbcc 1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1681 EVP_PKEY_free(skey);
1682 return EXT_RETURN_FAIL;
1683 }
1684
1685 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1686 || !WPACKET_close(pkt)) {
c48ffbcc 1687 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1688 EVP_PKEY_free(skey);
1689 OPENSSL_free(encodedPoint);
1690 return EXT_RETURN_FAIL;
1691 }
7da160b0 1692 OPENSSL_free(encodedPoint);
7da160b0 1693
8b17fbaf
NT		 1694 /*
1695 * This causes the crypto state to be updated based on the derived keys
1696 */
1697 s->s3.tmp.pkey = skey;
1698 if (ssl_derive(s, skey, ckey, 1) == 0) {
1699 /* SSLfatal() already called */
1700 return EXT_RETURN_FAIL;
1701 }
1702 } else {
1703 /* KEM mode */
1704 unsigned char *ct = NULL;
1705 size_t ctlen = 0;
1706
1707 /*
1708 * This does not update the crypto state.
1709 *
1710 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1711 * ssl_gensecret().
1712 */
1713 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1714 /* SSLfatal() already called */
1715 return EXT_RETURN_FAIL;
1716 }
1717
1718 if (ctlen == 0) {
c48ffbcc 1719 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1720 OPENSSL_free(ct);
1721 return EXT_RETURN_FAIL;
1722 }
1723
1724 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1725 || !WPACKET_close(pkt)) {
c48ffbcc 1726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1727 OPENSSL_free(ct);
1728 return EXT_RETURN_FAIL;
1729 }
1730 OPENSSL_free(ct);
1731
1732 /*
1733 * This causes the crypto state to be updated based on the generated pms
1734 */
1735 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1736 /* SSLfatal() already called */
1737 return EXT_RETURN_FAIL;
1738 }
7da160b0 1739 }
aa6bd216 1740 s->s3.did_kex = 1;
b186a592 1741 return EXT_RETURN_SENT;
1aac20f5
MC		 1742#else
1743 return EXT_RETURN_FAIL;
1744#endif
7da160b0
MC		 1745}
1746
38b051a1
TM		 1747EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1748 unsigned int context,
43054d3d
MC		 1749 X509 *x, size_t chainidx)
1750{
1aac20f5 1751#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1752 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1753 unsigned char *hmac, *hmac2;
3fa2812f 1754 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1755 EVP_MD_CTX *hctx;
1756 EVP_PKEY *pkey;
1757 int ret = EXT_RETURN_FAIL;
38b051a1
TM		 1758 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1759 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
43054d3d 1760
555cbb32 1761 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1762 return EXT_RETURN_NOT_SENT;
1763
38b051a1 1764 if (sctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1765 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1766 return EXT_RETURN_FAIL;
1767 }
1768
43054d3d
MC		 1769 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1770 || !WPACKET_start_sub_packet_u16(pkt)
1771 || !WPACKET_start_sub_packet_u16(pkt)
1772 || !WPACKET_get_total_written(pkt, &startlen)
1773 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1774 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1775 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32 1776 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
38b051a1
TM		 1777 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1778 &ciphlen)
43054d3d 1779 /* Is there a key_share extension present in this HRR? */
555cbb32 1780 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
e8a557dc 1781 || !WPACKET_put_bytes_u64(pkt, time(NULL))
43054d3d
MC		 1782 || !WPACKET_start_sub_packet_u16(pkt)
1783 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1784 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1785 return EXT_RETURN_FAIL;
1786 }
1787
1788 /*
1789 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1790 * on raw buffers, so we first reserve sufficient bytes (above) and then
1791 * subsequently allocate them (below)
1792 */
1793 if (!ssl3_digest_cached_records(s, 0)
1794 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1795 /* SSLfatal() already called */
1796 return EXT_RETURN_FAIL;
1797 }
1798
1799 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1800 || !ossl_assert(hashval1 == hashval2)
1801 || !WPACKET_close(pkt)
1802 || !WPACKET_start_sub_packet_u8(pkt)
1803 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1804 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1805 return EXT_RETURN_FAIL;
1806 }
1807
1808 /* Generate the application cookie */
38b051a1
TM		 1809 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1810 &appcookielen) == 0) {
c48ffbcc 1811 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1812 return EXT_RETURN_FAIL;
1813 }
1814
1815 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1816 || !ossl_assert(appcookie1 == appcookie2)
1817 || !WPACKET_close(pkt)
1818 || !WPACKET_get_total_written(pkt, &totcookielen)
1819 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1821 return EXT_RETURN_FAIL;
1822 }
1823 hmaclen = SHA256_DIGEST_LENGTH;
1824
1825 totcookielen -= startlen;
1826 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1827 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1828 return EXT_RETURN_FAIL;
1829 }
1830
1831 /* HMAC the cookie */
1832 hctx = EVP_MD_CTX_create();
38b051a1
TM		 1833 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1834 sctx->propq,
d8652be0
MC		 1835 s->session_ctx->ext.cookie_hmac_key,
1836 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1837 if (hctx == NULL || pkey == NULL) {
e077455e 1838 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 1839 goto err;
1840 }
1841
38b051a1
TM		 1842 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1843 sctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1844 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1845 totcookielen) <= 0) {
c48ffbcc 1846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1847 goto err;
1848 }
1849
1850 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1851 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1852 goto err;
1853 }
1854
1855 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1856 || !ossl_assert(hmac == hmac2)
1857 || !ossl_assert(cookie == hmac - totcookielen)
1858 || !WPACKET_close(pkt)
1859 || !WPACKET_close(pkt)) {
c48ffbcc 1860 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1861 goto err;
1862 }
1863
1864 ret = EXT_RETURN_SENT;
1865
1866 err:
1867 EVP_MD_CTX_free(hctx);
1868 EVP_PKEY_free(pkey);
1869 return ret;
1aac20f5
MC		 1870#else
1871 return EXT_RETURN_FAIL;
1872#endif
43054d3d
MC		 1873}
1874
38b051a1 1875EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1876 unsigned int context, X509 *x,
f63a17d6 1877 size_t chainidx)
7da160b0
MC		 1878{
1879 const unsigned char cryptopro_ext[36] = {
1880 0xfd, 0xe8, /* 65000 */
1881 0x00, 0x20, /* 32 bytes length */
1882 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1883 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1884 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1885 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1886 };
1887
555cbb32
TS		 1888 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1889 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
38b051a1
TM		 1890 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1891 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1892 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1893
1894 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1896 return EXT_RETURN_FAIL;
7da160b0
MC		 1897 }
1898
b186a592 1899 return EXT_RETURN_SENT;
7da160b0 1900}
0247086d 1901
38b051a1 1902EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1903 unsigned int context, X509 *x,
f63a17d6 1904 size_t chainidx)
38df5a45 1905{
fe874d27 1906 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1907 if (s->max_early_data == 0)
b186a592 1908 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1909
1910 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1911 || !WPACKET_start_sub_packet_u16(pkt)
1912 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1913 || !WPACKET_close(pkt)) {
c48ffbcc 1914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1915 return EXT_RETURN_FAIL;
6594189f
MC		 1916 }
1917
b186a592 1918 return EXT_RETURN_SENT;
6594189f
MC		 1919 }
1920
38df5a45 1921 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1922 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1923
1924 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1925 || !WPACKET_start_sub_packet_u16(pkt)
1926 || !WPACKET_close(pkt)) {
c48ffbcc 1927 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1928 return EXT_RETURN_FAIL;
38df5a45
MC		 1929 }
1930
b186a592 1931 return EXT_RETURN_SENT;
38df5a45
MC		 1932}
1933
38b051a1
TM		 1934EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1935 unsigned int context,
f63a17d6 1936 X509 *x, size_t chainidx)
0247086d
MC		 1937{
1938 if (!s->hit)
b186a592 1939 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1940
1941 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1942 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1943 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1944 || !WPACKET_close(pkt)) {
c48ffbcc 1945 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1946 return EXT_RETURN_FAIL;
0247086d
MC		 1947 }
1948
b186a592 1949 return EXT_RETURN_SENT;
0247086d 1950}
3c95ef22
TS		 1951
1952EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
1953 unsigned int context,
1954 X509 *x, size_t chainidx)
1955{
1956 if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
1957 && (send_certificate_request(sc)
1958 || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
1959 /* Did not receive an acceptable cert type - and doing client auth */
1960 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
1961 return EXT_RETURN_FAIL;
1962 }
1963
1964 if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
1965 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1966 return EXT_RETURN_NOT_SENT;
1967 }
1968
1969 /*
1970 * Note: only supposed to send this if we are going to do a cert request,
1971 * but TLSv1.3 could do a PHA request if the client supports it
1972 */
1973 if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
1974 || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
1975 || sc->client_cert_type == NULL) {
1976 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
1977 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1978 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
1979 return EXT_RETURN_NOT_SENT;
1980 }
1981
1982 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
1983 || !WPACKET_start_sub_packet_u16(pkt)
1984 || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
1985 || !WPACKET_close(pkt)) {
1986 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1987 return EXT_RETURN_FAIL;
1988 }
1989 return EXT_RETURN_SENT;
1990}
1991
1992/* One of |pref|, |other| is configured and the values are sanitized */
1993static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
1994 const unsigned char *other, size_t other_len,
1995 uint8_t *chosen_cert_type)
1996{
1997 size_t i;
1998
1999 for (i = 0; i < pref_len; i++) {
2000 if (memchr(other, pref[i], other_len) != NULL) {
2001 *chosen_cert_type = pref[i];
2002 return OSSL_CERT_TYPE_CTOS_GOOD;
2003 }
2004 }
2005 return OSSL_CERT_TYPE_CTOS_ERROR;
2006}
2007
2008int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2009 unsigned int context,
2010 X509 *x, size_t chainidx)
2011{
2012 PACKET supported_cert_types;
2013 const unsigned char *data;
2014 size_t len;
2015
2016 /* Ignore the extension */
2017 if (sc->client_cert_type == NULL) {
2018 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2019 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2020 return 1;
2021 }
2022
2023 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2024 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2025 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2026 return 0;
2027 }
2028 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2029 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2030 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2031 return 0;
2032 }
2033 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2034 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2035 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2036 return 0;
2037 }
2038 /* client_cert_type: client (peer) has priority */
2039 sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2040 sc->client_cert_type, sc->client_cert_type_len,
2041 &sc->ext.client_cert_type);
2042
2043 /* Ignore the error until sending - so we can check cert auth*/
2044 return 1;
2045}
2046
2047EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2048 unsigned int context,
2049 X509 *x, size_t chainidx)
2050{
2051 if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2052 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2053 return EXT_RETURN_NOT_SENT;
2054 }
2055 if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2056 || sc->server_cert_type == NULL) {
2057 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2058 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2059 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2060 return EXT_RETURN_NOT_SENT;
2061 }
2062
2063 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2064 || !WPACKET_start_sub_packet_u16(pkt)
2065 || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2066 || !WPACKET_close(pkt)) {
2067 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2068 return EXT_RETURN_FAIL;
2069 }
2070 return EXT_RETURN_SENT;
2071}
2072
2073int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2074 unsigned int context,
2075 X509 *x, size_t chainidx)
2076{
2077 PACKET supported_cert_types;
2078 const unsigned char *data;
2079 size_t len;
2080
2081 /* Ignore the extension */
2082 if (sc->server_cert_type == NULL) {
2083 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2084 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2085 return 1;
2086 }
2087
2088 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2089 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2090 return 0;
2091 }
2092
2093 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2094 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2095 return 0;
2096 }
2097 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2098 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2099 return 0;
2100 }
2101 /* server_cert_type: server (this) has priority */
2102 sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2103 data, len,
2104 &sc->ext.server_cert_type);
2105 if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2106 return 1;
2107
2108 /* Did not receive an acceptable cert type */
2109 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2110 return 0;
2111}
A mirror of the official openssl repository