1
/*
2
 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
#include <openssl/ocsp.h>
11
#include "../ssl_local.h"
12
#include "statem_local.h"
13
#include "internal/cryptlib.h"
14
#include "internal/ssl_unwrap.h"
15

16
#define COOKIE_STATE_FORMAT_VERSION 1
17

18
/*
19
 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
20
 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
21
 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
22
 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
23
 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24
 */
25
#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
26
    + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
27

28
/*
29
 * Message header + 2 bytes for protocol version + number of random bytes +
30
 * + 1 byte for legacy session id length + number of bytes in legacy session id
31
 * + 2 bytes for ciphersuite + 1 byte for legacy compression
32
 * + 2 bytes for extension block length + 6 bytes for key_share extension
33
 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34
 */
35
#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
36
    + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4                \
37
    + MAX_COOKIE_SIZE)
38

39
/*
40
 * Parse the client's renegotiation binding and abort if it's not right
41
 */
42
int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
43
    unsigned int context,
44
    X509 *x, size_t chainidx)
45
{
46
    unsigned int ilen;
47
    const unsigned char *data;
48
    int ok;
49

50
    /* Parse the length byte */
51
    if (!PACKET_get_1(pkt, &ilen)
52
        || !PACKET_get_bytes(pkt, &data, ilen)) {
53
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
54
        return 0;
55
    }
56

57
    /* Check that the extension matches */
58
    if (ilen != s->s3.previous_client_finished_len) {
59
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
60
        return 0;
61
    }
62

63
    ok = memcmp(data, s->s3.previous_client_finished,
64
        s->s3.previous_client_finished_len);
65
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
66
    if (ok) {
67
        if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
68
            ok = 0;
69
        }
70
    }
71
#endif
72
    if (ok) {
73
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
74
        return 0;
75
    }
76

77
    s->s3.send_connection_binding = 1;
78

79
    return 1;
80
}
81

82
/*-
83
 * The servername extension is treated as follows:
84
 *
85
 * - Only the hostname type is supported with a maximum length of 255.
86
 * - The servername is rejected if too long or if it contains zeros,
87
 *   in which case an fatal alert is generated.
88
 * - The servername field is maintained together with the session cache.
89
 * - When a session is resumed, the servername call back invoked in order
90
 *   to allow the application to position itself to the right context.
91
 * - The servername is acknowledged if it is new for a session or when
92
 *   it is identical to a previously used for the same session.
93
 *   Applications can control the behaviour.  They can at any time
94
 *   set a 'desirable' servername for a new SSL object. This can be the
95
 *   case for example with HTTPS when a Host: header field is received and
96
 *   a renegotiation is requested. In this case, a possible servername
97
 *   presented in the new client hello is only acknowledged if it matches
98
 *   the value of the Host: field.
99
 * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
100
 *   if they provide for changing an explicit servername context for the
101
 *   session, i.e. when the session has been established with a servername
102
 *   extension.
103
 * - On session reconnect, the servername extension may be absent.
104
 */
105
int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
106
    unsigned int context, X509 *x, size_t chainidx)
107
{
108
    unsigned int servname_type;
109
    PACKET sni, hostname;
110

111
    if (!PACKET_as_length_prefixed_2(pkt, &sni)
112
        /* ServerNameList must be at least 1 byte long. */
113
        || PACKET_remaining(&sni) == 0) {
114
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
115
        return 0;
116
    }
117

118
    /*
119
     * Although the intent was for server_name to be extensible, RFC 4366
120
     * was not clear about it; and so OpenSSL among other implementations,
121
     * always and only allows a 'host_name' name types.
122
     * RFC 6066 corrected the mistake but adding new name types
123
     * is nevertheless no longer feasible, so act as if no other
124
     * SNI types can exist, to simplify parsing.
125
     *
126
     * Also note that the RFC permits only one SNI value per type,
127
     * i.e., we can only have a single hostname.
128
     */
129
    if (!PACKET_get_1(&sni, &servname_type)
130
        || servname_type != TLSEXT_NAMETYPE_host_name
131
        || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
132
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
133
        return 0;
134
    }
135

136
    /*
137
     * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
138
     * we always use the SNI value from the handshake.
139
     */
140
    if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
141
        if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
142
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
143
            return 0;
144
        }
145

146
        if (PACKET_contains_zero_byte(&hostname)) {
147
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
148
            return 0;
149
        }
150

151
        /*
152
         * Store the requested SNI in the SSL as temporary storage.
153
         * If we accept it, it will get stored in the SSL_SESSION as well.
154
         */
155
        OPENSSL_free(s->ext.hostname);
156
        s->ext.hostname = NULL;
157
        if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
158
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
159
            return 0;
160
        }
161

162
        s->servername_done = 1;
163
    } else {
164
        /*
165
         * In TLSv1.2 and below we should check if the SNI is consistent between
166
         * the initial handshake and the resumption. In TLSv1.3 SNI is not
167
         * associated with the session.
168
         */
169
        s->servername_done = (s->session->ext.hostname != NULL)
170
            && PACKET_equal(&hostname, s->session->ext.hostname,
171
                strlen(s->session->ext.hostname));
172
    }
173

174
    return 1;
175
}
176

177
int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
178
    unsigned int context,
179
    X509 *x, size_t chainidx)
180
{
181
    unsigned int value;
182

183
    if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
184
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
185
        return 0;
186
    }
187

188
    /* Received |value| should be a valid max-fragment-length code. */
189
    if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
190
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
191
            SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
192
        return 0;
193
    }
194

195
    /*
196
     * When doing a full handshake or a renegotiation max_fragment_len_mode will
197
     * be TLSEXT_max_fragment_length_UNSPECIFIED
198
     *
199
     * In case of a resumption max_fragment_len_mode will be one of
200
     *      TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
201
     *      TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
202
     *      TLSEXT_max_fragment_length_4096
203
     *
204
     * RFC 6066: The negotiated length applies for the duration of the session
205
     * including session resumptions.
206
     *
207
     * So we only set the value in case it is unspecified.
208
     */
209
    if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
210
        /*
211
         * Store it in session, so it'll become binding for us
212
         * and we'll include it in a next Server Hello.
213
         */
214
        s->session->ext.max_fragment_len_mode = value;
215

216
    return 1;
217
}
218

219
#ifndef OPENSSL_NO_SRP
220
int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
221
    X509 *x, size_t chainidx)
222
{
223
    PACKET srp_I;
224

225
    if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
226
        || PACKET_contains_zero_byte(&srp_I)) {
227
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
228
        return 0;
229
    }
230

231
    if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
232
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
233
        return 0;
234
    }
235

236
    return 1;
237
}
238
#endif
239

240
int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
241
    unsigned int context,
242
    X509 *x, size_t chainidx)
243
{
244
    PACKET ec_point_format_list;
245

246
    if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
247
        || PACKET_remaining(&ec_point_format_list) == 0) {
248
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
249
        return 0;
250
    }
251

252
    if (!s->hit) {
253
        if (!PACKET_memdup(&ec_point_format_list,
254
                &s->ext.peer_ecpointformats,
255
                &s->ext.peer_ecpointformats_len)) {
256
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
257
            return 0;
258
        }
259
    }
260

261
    return 1;
262
}
263

264
int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
265
    unsigned int context,
266
    X509 *x, size_t chainidx)
267
{
268
    if (s->ext.session_ticket_cb && !s->ext.session_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s), PACKET_data(pkt), PACKET_remaining(pkt), s->ext.session_ticket_cb_arg)) {
269
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
270
        return 0;
271
    }
272

273
    return 1;
274
}
275

276
int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
277
    ossl_unused unsigned int context,
278
    ossl_unused X509 *x,
279
    ossl_unused size_t chainidx)
280
{
281
    PACKET supported_sig_algs;
282

283
    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
284
        || PACKET_remaining(&supported_sig_algs) == 0) {
285
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
286
        return 0;
287
    }
288

289
    /*
290
     * We use this routine on both clients and servers, and when clients
291
     * get asked for PHA we need to always save the sigalgs regardless
292
     * of whether it was a resumption or not.
293
     */
294
    if ((!s->server || (s->server && !s->hit))
295
        && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
296
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
297
        return 0;
298
    }
299

300
    return 1;
301
}
302

303
int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
304
    unsigned int context, X509 *x, size_t chainidx)
305
{
306
    PACKET supported_sig_algs;
307

308
    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
309
        || PACKET_remaining(&supported_sig_algs) == 0) {
310
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
311
        return 0;
312
    }
313

314
    /*
315
     * We use this routine on both clients and servers, and when clients
316
     * get asked for PHA we need to always save the sigalgs regardless
317
     * of whether it was a resumption or not.
318
     */
319
    if ((!s->server || (s->server && !s->hit))
320
        && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
321
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
322
        return 0;
323
    }
324

325
    return 1;
326
}
327

328
#ifndef OPENSSL_NO_OCSP
329
int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
330
    unsigned int context,
331
    X509 *x, size_t chainidx)
332
{
333
    PACKET responder_id_list, exts;
334

335
    /* We ignore this in a resumption handshake */
336
    if (s->hit)
337
        return 1;
338

339
    /* Not defined if we get one of these in a client Certificate */
340
    if (x != NULL)
341
        return 1;
342

343
    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
344
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
345
        return 0;
346
    }
347

348
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
349
        /*
350
         * We don't know what to do with any other type so ignore it.
351
         */
352
        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
353
        return 1;
354
    }
355

356
    if (!PACKET_get_length_prefixed_2(pkt, &responder_id_list)) {
357
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
358
        return 0;
359
    }
360

361
    /*
362
     * We remove any OCSP_RESPIDs from a previous handshake
363
     * to prevent unbounded memory growth - CVE-2016-6304
364
     */
365
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
366
    if (PACKET_remaining(&responder_id_list) > 0) {
367
        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
368
        if (s->ext.ocsp.ids == NULL) {
369
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
370
            return 0;
371
        }
372
    } else {
373
        s->ext.ocsp.ids = NULL;
374
    }
375

376
    while (PACKET_remaining(&responder_id_list) > 0) {
377
        OCSP_RESPID *id;
378
        PACKET responder_id;
379
        const unsigned char *id_data;
380

381
        if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
382
            || PACKET_remaining(&responder_id) == 0) {
383
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
384
            return 0;
385
        }
386

387
        id_data = PACKET_data(&responder_id);
388
        id = d2i_OCSP_RESPID(NULL, &id_data,
389
            (int)PACKET_remaining(&responder_id));
390
        if (id == NULL) {
391
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
392
            return 0;
393
        }
394

395
        if (id_data != PACKET_end(&responder_id)) {
396
            OCSP_RESPID_free(id);
397
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
398

399
            return 0;
400
        }
401

402
        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
403
            OCSP_RESPID_free(id);
404
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
405

406
            return 0;
407
        }
408
    }
409

410
    /* Read in request_extensions */
411
    if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
412
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
413
        return 0;
414
    }
415

416
    if (PACKET_remaining(&exts) > 0) {
417
        const unsigned char *ext_data = PACKET_data(&exts);
418

419
        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
420
            X509_EXTENSION_free);
421
        s->ext.ocsp.exts = d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
422
        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
423
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
424
            return 0;
425
        }
426
    }
427

428
    return 1;
429
}
430
#endif
431

432
#ifndef OPENSSL_NO_NEXTPROTONEG
433
int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
434
    X509 *x, size_t chainidx)
435
{
436
    /*
437
     * We shouldn't accept this extension on a
438
     * renegotiation.
439
     */
440
    if (SSL_IS_FIRST_HANDSHAKE(s))
441
        s->s3.npn_seen = 1;
442

443
    return 1;
444
}
445
#endif
446

447
/*
448
 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
449
 * extension, not including type and length. Returns: 1 on success, 0 on error.
450
 */
451
int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
452
    X509 *x, size_t chainidx)
453
{
454
    PACKET protocol_list, save_protocol_list, protocol;
455

456
    if (!SSL_IS_FIRST_HANDSHAKE(s))
457
        return 1;
458

459
    if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
460
        || PACKET_remaining(&protocol_list) < 2) {
461
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
462
        return 0;
463
    }
464

465
    save_protocol_list = protocol_list;
466
    do {
467
        /* Protocol names can't be empty. */
468
        if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
469
            || PACKET_remaining(&protocol) == 0) {
470
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
471
            return 0;
472
        }
473
    } while (PACKET_remaining(&protocol_list) != 0);
474

475
    OPENSSL_free(s->s3.alpn_proposed);
476
    s->s3.alpn_proposed = NULL;
477
    s->s3.alpn_proposed_len = 0;
478
    if (!PACKET_memdup(&save_protocol_list,
479
            &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
480
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
481
        return 0;
482
    }
483

484
    return 1;
485
}
486

487
#ifndef OPENSSL_NO_SRTP
488
int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
489
    unsigned int context, X509 *x, size_t chainidx)
490
{
491
    STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
492
    unsigned int ct, mki_len, id;
493
    int i, srtp_pref;
494
    PACKET subpkt;
495
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
496

497
    /* Ignore this if we have no SRTP profiles */
498
    if (SSL_get_srtp_profiles(ssl) == NULL)
499
        return 1;
500

501
    /* Pull off the length of the cipher suite list  and check it is even */
502
    if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
503
        || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
504
        SSLfatal(s, SSL_AD_DECODE_ERROR,
505
            SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
506
        return 0;
507
    }
508

509
    srvr = SSL_get_srtp_profiles(ssl);
510
    s->srtp_profile = NULL;
511
    /* Search all profiles for a match initially */
512
    srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
513

514
    while (PACKET_remaining(&subpkt)) {
515
        if (!PACKET_get_net_2(&subpkt, &id)) {
516
            SSLfatal(s, SSL_AD_DECODE_ERROR,
517
                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
518
            return 0;
519
        }
520

521
        /*
522
         * Only look for match in profiles of higher preference than
523
         * current match.
524
         * If no profiles have been have been configured then this
525
         * does nothing.
526
         */
527
        for (i = 0; i < srtp_pref; i++) {
528
            SRTP_PROTECTION_PROFILE *sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
529

530
            if (sprof->id == id) {
531
                s->srtp_profile = sprof;
532
                srtp_pref = i;
533
                break;
534
            }
535
        }
536
    }
537

538
    /* Now extract the MKI value as a sanity check, but discard it for now */
539
    if (!PACKET_get_1(pkt, &mki_len)) {
540
        SSLfatal(s, SSL_AD_DECODE_ERROR,
541
            SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
542
        return 0;
543
    }
544

545
    if (!PACKET_forward(pkt, mki_len)
546
        || PACKET_remaining(pkt)) {
547
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
548
        return 0;
549
    }
550

551
    return 1;
552
}
553
#endif
554

555
int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
556
    X509 *x, size_t chainidx)
557
{
558
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
559
        s->ext.use_etm = 1;
560

561
    return 1;
562
}
563

564
/*
565
 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
566
 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
567
 */
568
int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
569
    unsigned int context,
570
    X509 *x, size_t chainidx)
571
{
572
#ifndef OPENSSL_NO_TLS1_3
573
    PACKET psk_kex_modes;
574
    unsigned int mode;
575

576
    if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
577
        || PACKET_remaining(&psk_kex_modes) == 0) {
578
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
579
        return 0;
580
    }
581

582
    while (PACKET_get_1(&psk_kex_modes, &mode)) {
583
        if (mode == TLSEXT_KEX_MODE_KE_DHE)
584
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
585
        else if (mode == TLSEXT_KEX_MODE_KE
586
            && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
587
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
588
    }
589

590
    if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
591
        && (s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0) {
592

593
        /*
594
         * If NO_DHE is supported and preferred, then we only remember this
595
         * mode. DHE PSK will not be used for sure, because in any case where
596
         * it would be supported (i.e. if a key share is present), NO_DHE would
597
         * be supported as well. As the latter is preferred it would be
598
         * chosen. By removing DHE PSK here, we don't have to deal with the
599
         * SSL_OP_PREFER_NO_DHE_KEX option in any other place.
600
         */
601
        s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE;
602
    }
603

604
#endif
605

606
    return 1;
607
}
608

609
/*
610
 * Use function tls_parse_ctos_key_share with helper functions extract_keyshares,
611
 * check_overlap and tls_accept_ksgroup to parse the key_share extension(s)
612
 * received in the ClientHello and to select the group used of the key exchange
613
 */
614

615
#ifndef OPENSSL_NO_TLS1_3
616
/*
617
 * Accept a key share group by setting the related variables in s->s3 and
618
 * by generating a pubkey for this group
619
 */
620
static int tls_accept_ksgroup(SSL_CONNECTION *s, uint16_t ksgroup, PACKET *encoded_pubkey)
621
{
622
    /* Accept the key share group */
623
    s->s3.group_id = ksgroup;
624
    s->s3.group_id_candidate = ksgroup;
625
    /* Cache the selected group ID in the SSL_SESSION */
626
    s->session->kex_group = ksgroup;
627
    if ((s->s3.peer_tmp = ssl_generate_param_group(s, ksgroup)) == NULL) {
628
        SSLfatal(s,
629
            SSL_AD_INTERNAL_ERROR,
630
            SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
631
        return 0;
632
    }
633
    if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
634
            PACKET_data(encoded_pubkey),
635
            PACKET_remaining(encoded_pubkey))
636
        <= 0) {
637
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
638
        return 0;
639
    }
640
    return 1;
641
}
642

643
#define GROUPLIST_INCREMENT 32 /* Memory allocation chunk size (nominally 64 Bytes chunks) */
644

645
typedef enum KS_EXTRACTION_RESULT {
646
    EXTRACTION_FAILURE,
647
    EXTRACTION_SUCCESS,
648
    EXTRACTION_SUCCESS_HRR
649
} KS_EXTRACTION_RESULT;
650

651
static KS_EXTRACTION_RESULT extract_keyshares(SSL_CONNECTION *s, PACKET *key_share_list,
652
    const uint16_t *clntgroups, size_t clnt_num_groups,
653
    const uint16_t *srvrgroups, size_t srvr_num_groups,
654
    uint16_t **keyshares_arr, PACKET **encoded_pubkey_arr,
655
    size_t *keyshares_cnt, size_t *keyshares_max)
656
{
657
    PACKET encoded_pubkey;
658
    size_t key_share_pos = 0;
659
    size_t previous_key_share_pos = 0;
660
    unsigned int group_id = 0;
661

662
    /* Prepare memory to hold the extracted key share groups and related pubkeys */
663
    *keyshares_arr = OPENSSL_malloc(*keyshares_max * sizeof(**keyshares_arr));
664
    if (*keyshares_arr == NULL) {
665
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
666
        goto failure;
667
    }
668
    *encoded_pubkey_arr = OPENSSL_malloc(*keyshares_max * sizeof(**encoded_pubkey_arr));
669
    if (*encoded_pubkey_arr == NULL) {
670
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
671
        goto failure;
672
    }
673

674
    while (PACKET_remaining(key_share_list) > 0) {
675
        /* Get the group_id for the current share and its encoded_pubkey */
676
        if (!PACKET_get_net_2(key_share_list, &group_id)
677
            || !PACKET_get_length_prefixed_2(key_share_list, &encoded_pubkey)
678
            || PACKET_remaining(&encoded_pubkey) == 0) {
679
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
680
            goto failure;
681
        }
682

683
        /*
684
         * If we sent an HRR then the key_share sent back MUST be for the group
685
         * we requested, and must be the only key_share sent.
686
         */
687
        if (s->s3.group_id != 0
688
            && (group_id != s->s3.group_id
689
                || PACKET_remaining(key_share_list) != 0)) {
690
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
691
            goto failure;
692
        }
693

694
        /*
695
         * Check if this share is in supported_groups sent from client
696
         * RFC 8446 also mandates that clients send keyshares in the same
697
         * order as listed in the supported groups extension, but its not
698
         * required that the server check that, and some clients violate this
699
         * so instead of failing the connection when that occurs, log a trace
700
         * message indicating the client discrepancy.
701
         */
702
        if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0, &key_share_pos)) {
703
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
704
            goto failure;
705
        }
706

707
        if (key_share_pos < previous_key_share_pos)
708
            OSSL_TRACE1(TLS, "key share group id %d is out of RFC 8446 order\n", group_id);
709

710
        previous_key_share_pos = key_share_pos;
711

712
        if (s->s3.group_id != 0) {
713
            /*
714
             * We have sent a HRR, and the key share we got back is
715
             * the one we expected and is the only key share and is
716
             * in the list of supported_groups (checked
717
             * above already), hence we accept this key share group
718
             */
719
            if (!tls_accept_ksgroup(s, s->s3.group_id, &encoded_pubkey))
720
                goto failure; /* SSLfatal already called */
721
            /* We have selected a key share group via HRR, hence we're done here */
722
            return EXTRACTION_SUCCESS_HRR;
723
        }
724

725
        /*
726
         * We tolerate but ignore a group id that we don't think is
727
         * suitable for TLSv1.3 or which is not supported by the server
728
         */
729
        if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1, NULL)
730
            || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
731
            || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
732
                0, NULL)) {
733
            /* Share not suitable or not supported, check next share */
734
            continue;
735
        }
736

737
        /* Memorize this key share group ID and its encoded point */
738
        (*keyshares_arr)[*keyshares_cnt] = group_id;
739
        (*encoded_pubkey_arr)[(*keyshares_cnt)++] = encoded_pubkey;
740

741
        /*
742
         * Memory management (remark: While limiting the client to only allow
743
         * a maximum of OPENSSL_CLIENT_MAX_KEY_SHARES to be sent, the server can
744
         * handle any number of key shares)
745
         */
746
        if (*keyshares_cnt == *keyshares_max) {
747
            PACKET *tmp_pkt;
748
            uint16_t *tmp = OPENSSL_realloc(*keyshares_arr,
749
                (*keyshares_max + GROUPLIST_INCREMENT) * sizeof(**keyshares_arr));
750

751
            if (tmp == NULL) {
752
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
753
                goto failure;
754
            }
755

756
            *keyshares_arr = tmp;
757
            tmp_pkt = OPENSSL_realloc(*encoded_pubkey_arr,
758
                (*keyshares_max + GROUPLIST_INCREMENT) * sizeof(**encoded_pubkey_arr));
759
            if (tmp_pkt == NULL) {
760
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
761
                goto failure;
762
            }
763

764
            *encoded_pubkey_arr = tmp_pkt;
765
            *keyshares_max += GROUPLIST_INCREMENT;
766
        }
767
    }
768

769
    return EXTRACTION_SUCCESS;
770

771
failure:
772
    /* Fatal error -> free any allocated memory and return 0 */
773
    OPENSSL_free(*keyshares_arr);
774
    OPENSSL_free(*encoded_pubkey_arr);
775
    return EXTRACTION_FAILURE;
776
}
777
#endif
778

779
/*
780
 * For each group in the priority list of groups, check if that group is
781
 * also present in the secondary list; if so, select the first overlap and
782
 * assign to selected_group and also set the related index in the candidate group list,
783
 * or set selected_group to 0 if no overlap
784
 */
785
#ifndef OPENSSL_NO_TLS1_3
786
static void check_overlap(SSL_CONNECTION *s,
787
    const uint16_t *prio_groups, size_t prio_num_groups,
788
    const uint16_t *candidate_groups, size_t candidate_num_groups,
789
    int *prio_group_idx, int *candidate_group_idx,
790
    uint16_t *selected_group)
791
{
792
    uint16_t current_group;
793
    size_t group_idx = prio_num_groups;
794
    size_t new_group_idx = 0;
795

796
    *candidate_group_idx = 0;
797
    *prio_group_idx = 0;
798
    *selected_group = 0;
799

800
    for (current_group = 0; current_group < candidate_num_groups; current_group++) {
801
        if (!check_in_list(s, candidate_groups[current_group], prio_groups,
802
                prio_num_groups, 1, &new_group_idx)
803
            || !tls_group_allowed(s, candidate_groups[current_group],
804
                SSL_SECOP_CURVE_SUPPORTED)
805
            || !tls_valid_group(s, candidate_groups[current_group], TLS1_3_VERSION,
806
                TLS1_3_VERSION, 0, NULL))
807
            /* No overlap or group not suitable, check next group */
808
            continue;
809

810
        /*
811
         * is the found new_group_idx earlier in the priority list than
812
         * initial or last group_idx?
813
         */
814
        if (new_group_idx < group_idx) {
815
            group_idx = new_group_idx;
816
            *candidate_group_idx = current_group;
817
            *prio_group_idx = group_idx;
818
            *selected_group = prio_groups[group_idx];
819
        }
820
    }
821
}
822
#endif
823

824
int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
825
    unsigned int context, X509 *x, size_t chainidx)
826
{
827
#ifndef OPENSSL_NO_TLS1_3
828
    PACKET key_share_list;
829
    const uint16_t *clntgroups, *srvrgroups;
830
    const size_t *srvrtuples;
831
    uint16_t *first_group_in_tuple;
832
    size_t clnt_num_groups, srvr_num_groups, srvr_num_tuples;
833
    PACKET *encoded_pubkey_arr = NULL;
834
    uint16_t *keyshares_arr = NULL;
835
    size_t keyshares_cnt = 0;
836
    size_t keyshares_max = GROUPLIST_INCREMENT;
837
    /* We conservatively assume that we did not find a suitable group */
838
    uint16_t group_id_candidate = 0;
839
    KS_EXTRACTION_RESULT ks_extraction_result;
840
    size_t current_tuple;
841
    int ret = 0;
842

843
    s->s3.group_id_candidate = 0;
844
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
845
        return 1;
846

847
    /* Sanity check */
848
    if (s->s3.peer_tmp != NULL) {
849
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
850
        return 0;
851
    }
852

853
    if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
854
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
855
        return 0;
856
    }
857

858
    /* Get list of server supported groups and the group tuples */
859
    tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
860
    tls1_get_group_tuples(s, &srvrtuples, &srvr_num_tuples);
861
    /* Get the clients list of supported groups. */
862
    tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
863

864
    if (clnt_num_groups == 0) {
865
        /*
866
         * This can only happen if the supported_groups extension was not sent,
867
         * because we verify that the length is non-zero when we process that
868
         * extension.
869
         */
870
        SSLfatal(s, SSL_AD_MISSING_EXTENSION,
871
            SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
872
        return 0;
873
    }
874

875
    if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
876
        /*
877
         * If we set a group_id already, then we must have sent an HRR
878
         * requesting a new key_share. If we haven't got one then that is an
879
         * error
880
         */
881
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
882
        return 0;
883
    }
884

885
    /* We parse the key share extension and memorize the entries (after some checks) */
886
    ks_extraction_result = extract_keyshares(s,
887
        &key_share_list,
888
        clntgroups, clnt_num_groups,
889
        srvrgroups, srvr_num_groups,
890
        &keyshares_arr, &encoded_pubkey_arr,
891
        &keyshares_cnt, &keyshares_max);
892

893
    if (ks_extraction_result == EXTRACTION_FAILURE) /* Fatal error during tests */
894
        return 0; /* Memory already freed and SSLfatal already called */
895
    if (ks_extraction_result == EXTRACTION_SUCCESS_HRR) /* Successful HRR */
896
        goto end;
897

898
    /*
899
     * We now have the following lists available to make a decision for
900
     * which group the server should use for key exchange :
901
     * From client: clntgroups[clnt_num_groups],
902
     *              keyshares_arr[keyshares_cnt], encoded_pubkey_arr[keyshares_cnt]
903
     * From server: srvrgroups[srvr_num_groups], srvrtuples[srvr_num_tuples]
904
     *
905
     * Group selection algorithm:
906
     *    For all tuples do:
907
     *      key share group(s) overlapping with current tuple?
908
     *         --> Yes: accept group_id for SH
909
     *        --> No: is any of the client supported_groups overlapping with current tuple?
910
     *            --> Yes: memorize group_id for HRR, break
911
     *             --> No: continue to check next tuple
912
     *
913
     * Remark: Selection priority different for client- or server-preference
914
     */
915
    first_group_in_tuple = (uint16_t *)srvrgroups;
916
    for (current_tuple = 0; current_tuple < srvr_num_tuples; current_tuple++) {
917
        size_t number_of_groups_in_tuple = srvrtuples[current_tuple];
918
        int prio_group_idx = 0, candidate_group_idx = 0;
919

920
        /* Server or client preference ? */
921
        if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
922
            /* Server preference */
923
            /* Is there overlap with a key share group?  */
924
            check_overlap(s,
925
                first_group_in_tuple, number_of_groups_in_tuple,
926
                keyshares_arr, keyshares_cnt,
927
                &prio_group_idx, &candidate_group_idx,
928
                &group_id_candidate);
929
            if (group_id_candidate > 0) { /* Overlap found -> accept the key share group */
930
                if (!tls_accept_ksgroup(s, group_id_candidate,
931
                        &encoded_pubkey_arr[candidate_group_idx]))
932
                    goto err; /* SSLfatal already called */
933
                /* We have all info for a SH, hence we're done here */
934
                goto end;
935
            } else {
936
                /*
937
                 * There's no overlap with a key share, but is there at least a client
938
                 * supported_group overlapping with the current tuple?
939
                 */
940
                check_overlap(s,
941
                    first_group_in_tuple, number_of_groups_in_tuple,
942
                    clntgroups, clnt_num_groups,
943
                    &prio_group_idx, &candidate_group_idx,
944
                    &group_id_candidate);
945
                if (group_id_candidate > 0) {
946
                    /*
947
                     * We did not have a key share overlap, but at least the supported
948
                     * groups overlap hence we can stop searching
949
                     * (and report group_id_candidate 'upward' for HRR)
950
                     */
951
                    s->s3.group_id_candidate = group_id_candidate;
952
                    goto end;
953
                } else {
954
                    /*
955
                     * Neither key share nor supported_groups overlap current
956
                     * tuple, hence we try the next tuple
957
                     */
958
                    first_group_in_tuple = &first_group_in_tuple[number_of_groups_in_tuple];
959
                    continue;
960
                }
961
            }
962

963
        } else { /* We have client preference */
964
            check_overlap(s,
965
                keyshares_arr, keyshares_cnt,
966
                first_group_in_tuple, number_of_groups_in_tuple,
967
                &prio_group_idx, &candidate_group_idx,
968
                &group_id_candidate);
969
            if (group_id_candidate > 0) {
970
                if (!tls_accept_ksgroup(s, group_id_candidate, &encoded_pubkey_arr[prio_group_idx]))
971
                    goto err;
972
                goto end;
973
            } else {
974
                check_overlap(s,
975
                    clntgroups, clnt_num_groups,
976
                    first_group_in_tuple, number_of_groups_in_tuple,
977
                    &prio_group_idx, &candidate_group_idx,
978
                    &group_id_candidate);
979
                if (group_id_candidate > 0) {
980
                    s->s3.group_id_candidate = group_id_candidate;
981
                    goto end;
982
                } else {
983
                    first_group_in_tuple = &first_group_in_tuple[number_of_groups_in_tuple];
984
                    continue;
985
                }
986
            }
987
        }
988
    }
989

990
end:
991
    ret = 1;
992

993
err:
994
    OPENSSL_free(keyshares_arr);
995
    OPENSSL_free(encoded_pubkey_arr);
996
    return ret;
997

998
#endif
999

1000
    return 1;
1001
}
1002

1003
int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1004
    X509 *x, size_t chainidx)
1005
{
1006
#ifndef OPENSSL_NO_TLS1_3
1007
    unsigned int format, version, key_share, group_id;
1008
    EVP_MD_CTX *hctx;
1009
    EVP_PKEY *pkey;
1010
    PACKET cookie, raw, chhash, appcookie;
1011
    WPACKET hrrpkt;
1012
    const unsigned char *data, *mdin, *ciphdata;
1013
    unsigned char hmac[SHA256_DIGEST_LENGTH];
1014
    unsigned char hrr[MAX_HRR_SIZE];
1015
    size_t rawlen, hmaclen, hrrlen, ciphlen;
1016
    uint64_t tm, now;
1017
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1018
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1019

1020
    /* Ignore any cookie if we're not set up to verify it */
1021
    if (sctx->verify_stateless_cookie_cb == NULL
1022
        || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1023
        return 1;
1024

1025
    if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
1026
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1027
        return 0;
1028
    }
1029

1030
    raw = cookie;
1031
    data = PACKET_data(&raw);
1032
    rawlen = PACKET_remaining(&raw);
1033
    if (rawlen < SHA256_DIGEST_LENGTH
1034
        || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
1035
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1036
        return 0;
1037
    }
1038
    mdin = PACKET_data(&raw);
1039

1040
    /* Verify the HMAC of the cookie */
1041
    hctx = EVP_MD_CTX_create();
1042
    pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1043
        sctx->propq,
1044
        s->session_ctx->ext.cookie_hmac_key,
1045
        sizeof(s->session_ctx->ext.cookie_hmac_key));
1046
    if (hctx == NULL || pkey == NULL) {
1047
        EVP_MD_CTX_free(hctx);
1048
        EVP_PKEY_free(pkey);
1049
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1050
        return 0;
1051
    }
1052

1053
    hmaclen = SHA256_DIGEST_LENGTH;
1054
    if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1055
            sctx->propq, pkey, NULL)
1056
            <= 0
1057
        || EVP_DigestSign(hctx, hmac, &hmaclen, data,
1058
               rawlen - SHA256_DIGEST_LENGTH)
1059
            <= 0
1060
        || hmaclen != SHA256_DIGEST_LENGTH) {
1061
        EVP_MD_CTX_free(hctx);
1062
        EVP_PKEY_free(pkey);
1063
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1064
        return 0;
1065
    }
1066

1067
    EVP_MD_CTX_free(hctx);
1068
    EVP_PKEY_free(pkey);
1069

1070
    if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
1071
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
1072
        return 0;
1073
    }
1074

1075
    if (!PACKET_get_net_2(&cookie, &format)) {
1076
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1077
        return 0;
1078
    }
1079
    /* Check the cookie format is something we recognise. Ignore it if not */
1080
    if (format != COOKIE_STATE_FORMAT_VERSION)
1081
        return 1;
1082

1083
    /*
1084
     * The rest of these checks really shouldn't fail since we have verified the
1085
     * HMAC above.
1086
     */
1087

1088
    /* Check the version number is sane */
1089
    if (!PACKET_get_net_2(&cookie, &version)) {
1090
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1091
        return 0;
1092
    }
1093
    if (version != TLS1_3_VERSION) {
1094
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1095
            SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1096
        return 0;
1097
    }
1098

1099
    if (!PACKET_get_net_2(&cookie, &group_id)) {
1100
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1101
        return 0;
1102
    }
1103

1104
    ciphdata = PACKET_data(&cookie);
1105
    if (!PACKET_forward(&cookie, 2)) {
1106
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1107
        return 0;
1108
    }
1109
    if (group_id != s->s3.group_id
1110
        || s->s3.tmp.new_cipher
1111
            != ssl_get_cipher_by_char(s, ciphdata, 0)) {
1112
        /*
1113
         * We chose a different cipher or group id this time around to what is
1114
         * in the cookie. Something must have changed.
1115
         */
1116
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
1117
        return 0;
1118
    }
1119

1120
    if (!PACKET_get_1(&cookie, &key_share)
1121
        || !PACKET_get_net_8(&cookie, &tm)
1122
        || !PACKET_get_length_prefixed_2(&cookie, &chhash)
1123
        || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
1124
        || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
1125
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1126
        return 0;
1127
    }
1128

1129
    /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
1130
    now = time(NULL);
1131
    if (tm > now || (now - tm) > 600) {
1132
        /* Cookie is stale. Ignore it */
1133
        return 1;
1134
    }
1135

1136
    /* Verify the app cookie */
1137
    if (sctx->verify_stateless_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s),
1138
            PACKET_data(&appcookie),
1139
            PACKET_remaining(&appcookie))
1140
        == 0) {
1141
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
1142
        return 0;
1143
    }
1144

1145
    /*
1146
     * Reconstruct the HRR that we would have sent in response to the original
1147
     * ClientHello so we can add it to the transcript hash.
1148
     * Note: This won't work with custom HRR extensions
1149
     */
1150
    if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
1151
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1152
        return 0;
1153
    }
1154
    if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
1155
        || !WPACKET_start_sub_packet_u24(&hrrpkt)
1156
        || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
1157
        || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
1158
        || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
1159
            s->tmp_session_id_len)
1160
        || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
1161
            &ciphlen)
1162
        || !WPACKET_put_bytes_u8(&hrrpkt, 0)
1163
        || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
1164
        WPACKET_cleanup(&hrrpkt);
1165
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1166
        return 0;
1167
    }
1168
    if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
1169
        || !WPACKET_start_sub_packet_u16(&hrrpkt)
1170
        || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
1171
        || !WPACKET_close(&hrrpkt)) {
1172
        WPACKET_cleanup(&hrrpkt);
1173
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1174
        return 0;
1175
    }
1176
    if (key_share) {
1177
        if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
1178
            || !WPACKET_start_sub_packet_u16(&hrrpkt)
1179
            || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
1180
            || !WPACKET_close(&hrrpkt)) {
1181
            WPACKET_cleanup(&hrrpkt);
1182
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1183
            return 0;
1184
        }
1185
    }
1186
    if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
1187
        || !WPACKET_start_sub_packet_u16(&hrrpkt)
1188
        || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
1189
        || !WPACKET_close(&hrrpkt) /* cookie extension */
1190
        || !WPACKET_close(&hrrpkt) /* extension block */
1191
        || !WPACKET_close(&hrrpkt) /* message */
1192
        || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
1193
        || !WPACKET_finish(&hrrpkt)) {
1194
        WPACKET_cleanup(&hrrpkt);
1195
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1196
        return 0;
1197
    }
1198

1199
    /* Reconstruct the transcript hash */
1200
    if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
1201
            PACKET_remaining(&chhash), hrr,
1202
            hrrlen)) {
1203
        /* SSLfatal() already called */
1204
        return 0;
1205
    }
1206

1207
    /* Act as if this ClientHello came after a HelloRetryRequest */
1208
    s->hello_retry_request = SSL_HRR_PENDING;
1209

1210
    s->ext.cookieok = 1;
1211
#endif
1212

1213
    return 1;
1214
}
1215

1216
int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
1217
    unsigned int context,
1218
    X509 *x, size_t chainidx)
1219
{
1220
    PACKET supported_groups_list;
1221

1222
    /* Each group is 2 bytes and we must have at least 1. */
1223
    if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
1224
        || PACKET_remaining(&supported_groups_list) == 0
1225
        || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
1226
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1227
        return 0;
1228
    }
1229

1230
    if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
1231
        OPENSSL_free(s->ext.peer_supportedgroups);
1232
        s->ext.peer_supportedgroups = NULL;
1233
        s->ext.peer_supportedgroups_len = 0;
1234
        if (!tls1_save_u16(&supported_groups_list,
1235
                &s->ext.peer_supportedgroups,
1236
                &s->ext.peer_supportedgroups_len)) {
1237
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1238
            return 0;
1239
        }
1240
    }
1241

1242
    return 1;
1243
}
1244

1245
int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1246
    X509 *x, size_t chainidx)
1247
{
1248
    /* The extension must always be empty */
1249
    if (PACKET_remaining(pkt) != 0) {
1250
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1251
        return 0;
1252
    }
1253

1254
    if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1255
        return 1;
1256

1257
    s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1258

1259
    return 1;
1260
}
1261

1262
int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1263
    X509 *x, size_t chainidx)
1264
{
1265
    if (PACKET_remaining(pkt) != 0) {
1266
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1267
        return 0;
1268
    }
1269

1270
    if (s->hello_retry_request != SSL_HRR_NONE) {
1271
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1272
        return 0;
1273
    }
1274

1275
    return 1;
1276
}
1277

1278
static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
1279
    SSL_SESSION **sess)
1280
{
1281
    SSL_SESSION *tmpsess = NULL;
1282

1283
    s->ext.ticket_expected = 1;
1284

1285
    switch (PACKET_remaining(tick)) {
1286
    case 0:
1287
        return SSL_TICKET_EMPTY;
1288

1289
    case SSL_MAX_SSL_SESSION_ID_LENGTH:
1290
        break;
1291

1292
    default:
1293
        return SSL_TICKET_NO_DECRYPT;
1294
    }
1295

1296
    tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1297
        SSL_MAX_SSL_SESSION_ID_LENGTH);
1298

1299
    if (tmpsess == NULL)
1300
        return SSL_TICKET_NO_DECRYPT;
1301

1302
    *sess = tmpsess;
1303
    return SSL_TICKET_SUCCESS;
1304
}
1305

1306
int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1307
    X509 *x, size_t chainidx)
1308
{
1309
    PACKET identities, binders, binder;
1310
    size_t binderoffset;
1311
    int hashsize;
1312
    SSL_SESSION *sess = NULL;
1313
    unsigned int id, i, ext = 0;
1314
    const EVP_MD *md = NULL;
1315
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1316
    SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
1317

1318
    /*
1319
     * If we have no PSK kex mode that we recognise then we can't resume so
1320
     * ignore this extension
1321
     */
1322
    if ((s->ext.psk_kex_mode
1323
            & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE))
1324
        == 0)
1325
        return 1;
1326

1327
    if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1328
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1329
        return 0;
1330
    }
1331

1332
    s->ext.ticket_expected = 0;
1333
    for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1334
        PACKET identity;
1335
        unsigned long ticket_agel;
1336
        size_t idlen;
1337

1338
        if (!PACKET_get_length_prefixed_2(&identities, &identity)
1339
            || !PACKET_get_net_4(&identities, &ticket_agel)) {
1340
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1341
            return 0;
1342
        }
1343

1344
        idlen = PACKET_remaining(&identity);
1345
        if (s->psk_find_session_cb != NULL
1346
            && !s->psk_find_session_cb(ussl, PACKET_data(&identity), idlen,
1347
                &sess)) {
1348
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1349
            return 0;
1350
        }
1351

1352
#ifndef OPENSSL_NO_PSK
1353
        if (sess == NULL
1354
            && s->psk_server_callback != NULL
1355
            && idlen <= PSK_MAX_IDENTITY_LEN) {
1356
            char *pskid = NULL;
1357
            unsigned char pskdata[PSK_MAX_PSK_LEN];
1358
            unsigned int pskdatalen;
1359

1360
            if (!PACKET_strndup(&identity, &pskid)) {
1361
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1362
                return 0;
1363
            }
1364
            pskdatalen = s->psk_server_callback(ussl, pskid, pskdata,
1365
                sizeof(pskdata));
1366
            OPENSSL_free(pskid);
1367
            if (pskdatalen > PSK_MAX_PSK_LEN) {
1368
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1369
                return 0;
1370
            } else if (pskdatalen > 0) {
1371
                const SSL_CIPHER *cipher;
1372
                const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1373

1374
                /*
1375
                 * We found a PSK using an old style callback. We don't know
1376
                 * the digest so we default to SHA256 as per the TLSv1.3 spec
1377
                 */
1378
                cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),
1379
                    tls13_aes128gcmsha256_id);
1380
                if (cipher == NULL) {
1381
                    OPENSSL_cleanse(pskdata, pskdatalen);
1382
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1383
                    return 0;
1384
                }
1385

1386
                sess = SSL_SESSION_new();
1387
                if (sess == NULL
1388
                    || !SSL_SESSION_set1_master_key(sess, pskdata,
1389
                        pskdatalen)
1390
                    || !SSL_SESSION_set_cipher(sess, cipher)
1391
                    || !SSL_SESSION_set_protocol_version(sess,
1392
                        TLS1_3_VERSION)) {
1393
                    OPENSSL_cleanse(pskdata, pskdatalen);
1394
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1395
                    goto err;
1396
                }
1397
                OPENSSL_cleanse(pskdata, pskdatalen);
1398
            }
1399
        }
1400
#endif /* OPENSSL_NO_PSK */
1401

1402
        if (sess != NULL) {
1403
            /* We found a PSK */
1404
            SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1405

1406
            if (sesstmp == NULL) {
1407
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1408
                goto err;
1409
            }
1410
            SSL_SESSION_free(sess);
1411
            sess = sesstmp;
1412

1413
            /*
1414
             * We've just been told to use this session for this context so
1415
             * make sure the sid_ctx matches up.
1416
             */
1417
            memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1418
            sess->sid_ctx_length = s->sid_ctx_length;
1419
            ext = 1;
1420
            if (id == 0)
1421
                s->ext.early_data_ok = 1;
1422
            s->ext.ticket_expected = 1;
1423
        } else {
1424
            OSSL_TIME t, age, expire;
1425
            int ret;
1426

1427
            /*
1428
             * If we are using anti-replay protection then we behave as if
1429
             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1430
             * is no point in using full stateless tickets.
1431
             */
1432
            if ((s->options & SSL_OP_NO_TICKET) != 0
1433
                || (s->max_early_data > 0
1434
                    && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1435
                ret = tls_get_stateful_ticket(s, &identity, &sess);
1436
            else
1437
                ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1438
                    PACKET_remaining(&identity), NULL, 0,
1439
                    &sess);
1440

1441
            if (ret == SSL_TICKET_EMPTY) {
1442
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1443
                return 0;
1444
            }
1445

1446
            if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1447
                || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1448
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1449
                return 0;
1450
            }
1451
            if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1452
                continue;
1453

1454
            /* Check for replay */
1455
            if (s->max_early_data > 0
1456
                && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1457
                && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1458
                SSL_SESSION_free(sess);
1459
                sess = NULL;
1460
                continue;
1461
            }
1462

1463
            age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1464
                ossl_ms2time(sess->ext.tick_age_add));
1465
            t = ossl_time_subtract(ossl_time_now(), sess->time);
1466

1467
            /*
1468
             * Although internally we use OSS_TIME which has ns granularity,
1469
             * when SSL_SESSION structures are serialised/deserialised we use
1470
             * second granularity for the sess->time field. Therefore it could
1471
             * appear that the client's ticket age is longer than ours (our
1472
             * ticket age calculation should always be slightly longer than the
1473
             * client's due to the network latency). Therefore we add 1000ms to
1474
             * our age calculation to adjust for rounding errors.
1475
             */
1476
            expire = ossl_time_add(t, ossl_ms2time(1000));
1477

1478
            if (id == 0
1479
                && ossl_time_compare(sess->timeout, t) >= 0
1480
                && ossl_time_compare(age, expire) <= 0
1481
                && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1482
                       expire)
1483
                    >= 0) {
1484
                /*
1485
                 * Ticket age is within tolerance and not expired. We allow it
1486
                 * for early data
1487
                 */
1488
                s->ext.early_data_ok = 1;
1489
            }
1490
        }
1491

1492
        md = ssl_md(sctx, sess->cipher->algorithm2);
1493
        if (md == NULL) {
1494
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1495
            goto err;
1496
        }
1497
        if (!EVP_MD_is_a(md,
1498
                EVP_MD_get0_name(ssl_md(sctx,
1499
                    s->s3.tmp.new_cipher->algorithm2)))) {
1500
            /* The ciphersuite is not compatible with this session. */
1501
            SSL_SESSION_free(sess);
1502
            sess = NULL;
1503
            s->ext.early_data_ok = 0;
1504
            s->ext.ticket_expected = 0;
1505
            continue;
1506
        }
1507
        break;
1508
    }
1509

1510
    if (sess == NULL)
1511
        return 1;
1512

1513
    binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1514
    hashsize = EVP_MD_get_size(md);
1515
    if (hashsize <= 0)
1516
        goto err;
1517

1518
    if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1519
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1520
        goto err;
1521
    }
1522

1523
    for (i = 0; i <= id; i++) {
1524
        if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1525
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1526
            goto err;
1527
        }
1528
    }
1529

1530
    if (PACKET_remaining(&binder) != (size_t)hashsize) {
1531
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1532
        goto err;
1533
    }
1534
    if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1535
            binderoffset, PACKET_data(&binder), NULL, sess, 0,
1536
            ext)
1537
        != 1) {
1538
        /* SSLfatal() already called */
1539
        goto err;
1540
    }
1541

1542
    s->ext.tick_identity = id;
1543

1544
    SSL_SESSION_free(s->session);
1545
    s->session = sess;
1546
    return 1;
1547
err:
1548
    SSL_SESSION_free(sess);
1549
    return 0;
1550
}
1551

1552
int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
1553
    ossl_unused unsigned int context,
1554
    ossl_unused X509 *x,
1555
    ossl_unused size_t chainidx)
1556
{
1557
    if (PACKET_remaining(pkt) != 0) {
1558
        SSLfatal(s, SSL_AD_DECODE_ERROR,
1559
            SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1560
        return 0;
1561
    }
1562

1563
    s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1564

1565
    return 1;
1566
}
1567

1568
/*
1569
 * Add the server's renegotiation binding
1570
 */
1571
EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
1572
    unsigned int context, X509 *x,
1573
    size_t chainidx)
1574
{
1575
    if (!s->s3.send_connection_binding)
1576
        return EXT_RETURN_NOT_SENT;
1577

1578
    /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1579
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1580
        || !WPACKET_start_sub_packet_u16(pkt)
1581
        || !WPACKET_start_sub_packet_u8(pkt)
1582
        || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1583
            s->s3.previous_client_finished_len)
1584
        || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1585
            s->s3.previous_server_finished_len)
1586
        || !WPACKET_close(pkt)
1587
        || !WPACKET_close(pkt)) {
1588
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1589
        return EXT_RETURN_FAIL;
1590
    }
1591

1592
    return EXT_RETURN_SENT;
1593
}
1594

1595
EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
1596
    unsigned int context, X509 *x,
1597
    size_t chainidx)
1598
{
1599
    if (s->servername_done != 1)
1600
        return EXT_RETURN_NOT_SENT;
1601

1602
    /*
1603
     * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1604
     * We just use the servername from the initial handshake.
1605
     */
1606
    if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
1607
        return EXT_RETURN_NOT_SENT;
1608

1609
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1610
        || !WPACKET_put_bytes_u16(pkt, 0)) {
1611
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1612
        return EXT_RETURN_FAIL;
1613
    }
1614

1615
    return EXT_RETURN_SENT;
1616
}
1617

1618
/* Add/include the server's max fragment len extension into ServerHello */
1619
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
1620
    unsigned int context, X509 *x,
1621
    size_t chainidx)
1622
{
1623
    if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1624
        return EXT_RETURN_NOT_SENT;
1625

1626
    /*-
1627
     * 4 bytes for this extension type and extension length
1628
     * 1 byte for the Max Fragment Length code value.
1629
     */
1630
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1631
        || !WPACKET_start_sub_packet_u16(pkt)
1632
        || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1633
        || !WPACKET_close(pkt)) {
1634
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1635
        return EXT_RETURN_FAIL;
1636
    }
1637

1638
    return EXT_RETURN_SENT;
1639
}
1640

1641
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
1642
    unsigned int context, X509 *x,
1643
    size_t chainidx)
1644
{
1645
    unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1646
    unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1647
    int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1648
        && (s->ext.peer_ecpointformats != NULL);
1649
    const unsigned char *plist;
1650
    size_t plistlen;
1651

1652
    if (!using_ecc)
1653
        return EXT_RETURN_NOT_SENT;
1654

1655
    tls1_get_formatlist(s, &plist, &plistlen);
1656
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1657
        || !WPACKET_start_sub_packet_u16(pkt)
1658
        || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1659
        || !WPACKET_close(pkt)) {
1660
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1661
        return EXT_RETURN_FAIL;
1662
    }
1663

1664
    return EXT_RETURN_SENT;
1665
}
1666

1667
EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
1668
    unsigned int context, X509 *x,
1669
    size_t chainidx)
1670
{
1671
    const uint16_t *groups;
1672
    size_t numgroups, i, first = 1;
1673
    int version;
1674

1675
    /* s->s3.group_id is non zero if we accepted a key_share */
1676
    if (s->s3.group_id == 0)
1677
        return EXT_RETURN_NOT_SENT;
1678

1679
    /* Get our list of supported groups */
1680
    tls1_get_supported_groups(s, &groups, &numgroups);
1681
    if (numgroups == 0) {
1682
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1683
        return EXT_RETURN_FAIL;
1684
    }
1685

1686
    /* Copy group ID if supported */
1687
    version = SSL_version(SSL_CONNECTION_GET_SSL(s));
1688
    for (i = 0; i < numgroups; i++) {
1689
        uint16_t group = groups[i];
1690

1691
        if (tls_valid_group(s, group, version, version, 0, NULL)
1692
            && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1693
            if (first) {
1694
                /*
1695
                 * Check if the client is already using our preferred group. If
1696
                 * so we don't need to add this extension
1697
                 */
1698
                if (s->s3.group_id == group)
1699
                    return EXT_RETURN_NOT_SENT;
1700

1701
                /* Add extension header */
1702
                if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1703
                    /* Sub-packet for supported_groups extension */
1704
                    || !WPACKET_start_sub_packet_u16(pkt)
1705
                    || !WPACKET_start_sub_packet_u16(pkt)) {
1706
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1707
                    return EXT_RETURN_FAIL;
1708
                }
1709

1710
                first = 0;
1711
            }
1712
            if (!WPACKET_put_bytes_u16(pkt, group)) {
1713
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1714
                return EXT_RETURN_FAIL;
1715
            }
1716
        }
1717
    }
1718

1719
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1720
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1721
        return EXT_RETURN_FAIL;
1722
    }
1723

1724
    return EXT_RETURN_SENT;
1725
}
1726

1727
EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
1728
    unsigned int context, X509 *x,
1729
    size_t chainidx)
1730
{
1731
    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1732
        s->ext.ticket_expected = 0;
1733
        return EXT_RETURN_NOT_SENT;
1734
    }
1735

1736
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1737
        || !WPACKET_put_bytes_u16(pkt, 0)) {
1738
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1739
        return EXT_RETURN_FAIL;
1740
    }
1741

1742
    return EXT_RETURN_SENT;
1743
}
1744

1745
#ifndef OPENSSL_NO_OCSP
1746
EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
1747
    unsigned int context, X509 *x,
1748
    size_t chainidx)
1749
{
1750
    /* We don't currently support this extension inside a CertificateRequest */
1751
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1752
        return EXT_RETURN_NOT_SENT;
1753

1754
    if (!s->ext.status_expected)
1755
        return EXT_RETURN_NOT_SENT;
1756

1757
    if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
1758
        return EXT_RETURN_NOT_SENT;
1759

1760
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1761
        || !WPACKET_start_sub_packet_u16(pkt)) {
1762
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1763
        return EXT_RETURN_FAIL;
1764
    }
1765

1766
    /*
1767
     * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1768
     * send back an empty extension, with the certificate status appearing as a
1769
     * separate message
1770
     */
1771
    if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1772
        /* SSLfatal() already called */
1773
        return EXT_RETURN_FAIL;
1774
    }
1775
    if (!WPACKET_close(pkt)) {
1776
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1777
        return EXT_RETURN_FAIL;
1778
    }
1779

1780
    return EXT_RETURN_SENT;
1781
}
1782
#endif
1783

1784
#ifndef OPENSSL_NO_NEXTPROTONEG
1785
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
1786
    unsigned int context, X509 *x,
1787
    size_t chainidx)
1788
{
1789
    const unsigned char *npa;
1790
    unsigned int npalen;
1791
    int ret;
1792
    int npn_seen = s->s3.npn_seen;
1793
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1794

1795
    s->s3.npn_seen = 0;
1796
    if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
1797
        return EXT_RETURN_NOT_SENT;
1798

1799
    ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_USER_SSL(s), &npa,
1800
        &npalen, sctx->ext.npn_advertised_cb_arg);
1801
    if (ret == SSL_TLSEXT_ERR_OK) {
1802
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1803
            || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1804
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1805
            return EXT_RETURN_FAIL;
1806
        }
1807
        s->s3.npn_seen = 1;
1808
        return EXT_RETURN_SENT;
1809
    }
1810

1811
    return EXT_RETURN_NOT_SENT;
1812
}
1813
#endif
1814

1815
EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
1816
    X509 *x, size_t chainidx)
1817
{
1818
    if (s->s3.alpn_selected == NULL)
1819
        return EXT_RETURN_NOT_SENT;
1820

1821
    if (!WPACKET_put_bytes_u16(pkt,
1822
            TLSEXT_TYPE_application_layer_protocol_negotiation)
1823
        || !WPACKET_start_sub_packet_u16(pkt)
1824
        || !WPACKET_start_sub_packet_u16(pkt)
1825
        || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1826
            s->s3.alpn_selected_len)
1827
        || !WPACKET_close(pkt)
1828
        || !WPACKET_close(pkt)) {
1829
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1830
        return EXT_RETURN_FAIL;
1831
    }
1832

1833
    return EXT_RETURN_SENT;
1834
}
1835

1836
#ifndef OPENSSL_NO_SRTP
1837
EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
1838
    unsigned int context, X509 *x,
1839
    size_t chainidx)
1840
{
1841
    if (s->srtp_profile == NULL)
1842
        return EXT_RETURN_NOT_SENT;
1843

1844
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1845
        || !WPACKET_start_sub_packet_u16(pkt)
1846
        || !WPACKET_put_bytes_u16(pkt, 2)
1847
        || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1848
        || !WPACKET_put_bytes_u8(pkt, 0)
1849
        || !WPACKET_close(pkt)) {
1850
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1851
        return EXT_RETURN_FAIL;
1852
    }
1853

1854
    return EXT_RETURN_SENT;
1855
}
1856
#endif
1857

1858
EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1859
    unsigned int context,
1860
    X509 *x, size_t chainidx)
1861
{
1862
    if (!s->ext.use_etm)
1863
        return EXT_RETURN_NOT_SENT;
1864

1865
    /*
1866
     * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1867
     * for other cases too.
1868
     */
1869
    if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1870
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1871
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1872
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1873
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1874
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1875
        s->ext.use_etm = 0;
1876
        return EXT_RETURN_NOT_SENT;
1877
    }
1878

1879
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1880
        || !WPACKET_put_bytes_u16(pkt, 0)) {
1881
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1882
        return EXT_RETURN_FAIL;
1883
    }
1884

1885
    return EXT_RETURN_SENT;
1886
}
1887

1888
EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1889
    unsigned int context,
1890
    X509 *x, size_t chainidx)
1891
{
1892
    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1893
        return EXT_RETURN_NOT_SENT;
1894

1895
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1896
        || !WPACKET_put_bytes_u16(pkt, 0)) {
1897
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1898
        return EXT_RETURN_FAIL;
1899
    }
1900

1901
    return EXT_RETURN_SENT;
1902
}
1903

1904
EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
1905
    unsigned int context, X509 *x,
1906
    size_t chainidx)
1907
{
1908
    if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
1909
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1910
        return EXT_RETURN_FAIL;
1911
    }
1912

1913
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1914
        || !WPACKET_start_sub_packet_u16(pkt)
1915
        || !WPACKET_put_bytes_u16(pkt, s->version)
1916
        || !WPACKET_close(pkt)) {
1917
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1918
        return EXT_RETURN_FAIL;
1919
    }
1920

1921
    return EXT_RETURN_SENT;
1922
}
1923

1924
EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
1925
    unsigned int context, X509 *x,
1926
    size_t chainidx)
1927
{
1928
#ifndef OPENSSL_NO_TLS1_3
1929
    unsigned char *encoded_pubkey;
1930
    size_t encoded_pubkey_len = 0;
1931
    EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1932
    const TLS_GROUP_INFO *ginf = NULL;
1933

1934
    if (s->hello_retry_request == SSL_HRR_PENDING) {
1935
        if (ckey != NULL) {
1936
            /* Original key_share was acceptable so don't ask for another one */
1937
            return EXT_RETURN_NOT_SENT;
1938
        }
1939
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1940
            || !WPACKET_start_sub_packet_u16(pkt)
1941
            || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1942
            || !WPACKET_close(pkt)) {
1943
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1944
            return EXT_RETURN_FAIL;
1945
        }
1946

1947
        return EXT_RETURN_SENT;
1948
    }
1949

1950
    if (ckey == NULL) {
1951
        /* No key_share received from client - must be resuming */
1952
        if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1953
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1954
            return EXT_RETURN_FAIL;
1955
        }
1956
        return EXT_RETURN_NOT_SENT;
1957
    }
1958

1959
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1960
        /*
1961
         * PSK ('hit') and explicitly not doing DHE. If the client sent the
1962
         * DHE option, we take it by default, except if non-DHE would be
1963
         * preferred by config, but this case would have been handled in
1964
         * tls_parse_ctos_psk_kex_modes().
1965
         */
1966
        return EXT_RETURN_NOT_SENT;
1967
    }
1968

1969
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1970
        || !WPACKET_start_sub_packet_u16(pkt)
1971
        || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1972
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1973
        return EXT_RETURN_FAIL;
1974
    }
1975

1976
    if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1977
             s->s3.group_id))
1978
        == NULL) {
1979
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1980
        return EXT_RETURN_FAIL;
1981
    }
1982

1983
    if (!ginf->is_kem) {
1984
        /* Regular KEX */
1985
        skey = ssl_generate_pkey(s, ckey);
1986
        if (skey == NULL) {
1987
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1988
            return EXT_RETURN_FAIL;
1989
        }
1990

1991
        /* Generate encoding of server key */
1992
        encoded_pubkey_len = EVP_PKEY_get1_encoded_public_key(skey, &encoded_pubkey);
1993
        if (encoded_pubkey_len == 0) {
1994
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1995
            EVP_PKEY_free(skey);
1996
            return EXT_RETURN_FAIL;
1997
        }
1998

1999
        if (!WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encoded_pubkey_len)
2000
            || !WPACKET_close(pkt)) {
2001
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2002
            EVP_PKEY_free(skey);
2003
            OPENSSL_free(encoded_pubkey);
2004
            return EXT_RETURN_FAIL;
2005
        }
2006
        OPENSSL_free(encoded_pubkey);
2007

2008
        /*
2009
         * This causes the crypto state to be updated based on the derived keys
2010
         */
2011
        s->s3.tmp.pkey = skey;
2012
        if (ssl_derive(s, skey, ckey, 1) == 0) {
2013
            /* SSLfatal() already called */
2014
            return EXT_RETURN_FAIL;
2015
        }
2016
    } else {
2017
        /* KEM mode */
2018
        unsigned char *ct = NULL;
2019
        size_t ctlen = 0;
2020

2021
        /*
2022
         * This does not update the crypto state.
2023
         *
2024
         * The generated pms is stored in `s->s3.tmp.pms` to be later used via
2025
         * ssl_gensecret().
2026
         */
2027
        if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
2028
            /* SSLfatal() already called */
2029
            return EXT_RETURN_FAIL;
2030
        }
2031

2032
        if (ctlen == 0) {
2033
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2034
            OPENSSL_free(ct);
2035
            return EXT_RETURN_FAIL;
2036
        }
2037

2038
        if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
2039
            || !WPACKET_close(pkt)) {
2040
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2041
            OPENSSL_free(ct);
2042
            return EXT_RETURN_FAIL;
2043
        }
2044
        OPENSSL_free(ct);
2045

2046
        /*
2047
         * This causes the crypto state to be updated based on the generated pms
2048
         */
2049
        if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
2050
            /* SSLfatal() already called */
2051
            return EXT_RETURN_FAIL;
2052
        }
2053
    }
2054
    s->s3.did_kex = 1;
2055
    return EXT_RETURN_SENT;
2056
#else
2057
    return EXT_RETURN_FAIL;
2058
#endif
2059
}
2060

2061
EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
2062
    unsigned int context,
2063
    X509 *x, size_t chainidx)
2064
{
2065
#ifndef OPENSSL_NO_TLS1_3
2066
    unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
2067
    unsigned char *hmac, *hmac2;
2068
    size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
2069
    EVP_MD_CTX *hctx;
2070
    EVP_PKEY *pkey;
2071
    int ret = EXT_RETURN_FAIL;
2072
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2073
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2074
    SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
2075

2076
    if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
2077
        return EXT_RETURN_NOT_SENT;
2078

2079
    if (sctx->gen_stateless_cookie_cb == NULL) {
2080
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
2081
        return EXT_RETURN_FAIL;
2082
    }
2083

2084
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
2085
        || !WPACKET_start_sub_packet_u16(pkt)
2086
        || !WPACKET_start_sub_packet_u16(pkt)
2087
        || !WPACKET_get_total_written(pkt, &startlen)
2088
        || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
2089
        || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
2090
        || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
2091
        || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
2092
        || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
2093
            &ciphlen)
2094
        /* Is there a key_share extension present in this HRR? */
2095
        || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
2096
        || !WPACKET_put_bytes_u64(pkt, time(NULL))
2097
        || !WPACKET_start_sub_packet_u16(pkt)
2098
        || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
2099
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2100
        return EXT_RETURN_FAIL;
2101
    }
2102

2103
    /*
2104
     * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
2105
     * on raw buffers, so we first reserve sufficient bytes (above) and then
2106
     * subsequently allocate them (below)
2107
     */
2108
    if (!ssl3_digest_cached_records(s, 0)
2109
        || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
2110
        /* SSLfatal() already called */
2111
        return EXT_RETURN_FAIL;
2112
    }
2113

2114
    if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
2115
        || !ossl_assert(hashval1 == hashval2)
2116
        || !WPACKET_close(pkt)
2117
        || !WPACKET_start_sub_packet_u8(pkt)
2118
        || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
2119
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2120
        return EXT_RETURN_FAIL;
2121
    }
2122

2123
    /* Generate the application cookie */
2124
    if (sctx->gen_stateless_cookie_cb(ussl, appcookie1,
2125
            &appcookielen)
2126
        == 0) {
2127
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
2128
        return EXT_RETURN_FAIL;
2129
    }
2130

2131
    if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
2132
        || !ossl_assert(appcookie1 == appcookie2)
2133
        || !WPACKET_close(pkt)
2134
        || !WPACKET_get_total_written(pkt, &totcookielen)
2135
        || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
2136
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2137
        return EXT_RETURN_FAIL;
2138
    }
2139
    hmaclen = SHA256_DIGEST_LENGTH;
2140

2141
    totcookielen -= startlen;
2142
    if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
2143
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2144
        return EXT_RETURN_FAIL;
2145
    }
2146

2147
    /* HMAC the cookie */
2148
    hctx = EVP_MD_CTX_create();
2149
    pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
2150
        sctx->propq,
2151
        s->session_ctx->ext.cookie_hmac_key,
2152
        sizeof(s->session_ctx->ext.cookie_hmac_key));
2153
    if (hctx == NULL || pkey == NULL) {
2154
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2155
        goto err;
2156
    }
2157

2158
    if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
2159
            sctx->propq, pkey, NULL)
2160
            <= 0
2161
        || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
2162
               totcookielen)
2163
            <= 0) {
2164
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2165
        goto err;
2166
    }
2167

2168
    if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
2169
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2170
        goto err;
2171
    }
2172

2173
    if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
2174
        || !ossl_assert(hmac == hmac2)
2175
        || !ossl_assert(cookie == hmac - totcookielen)
2176
        || !WPACKET_close(pkt)
2177
        || !WPACKET_close(pkt)) {
2178
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2179
        goto err;
2180
    }
2181

2182
    ret = EXT_RETURN_SENT;
2183

2184
err:
2185
    EVP_MD_CTX_free(hctx);
2186
    EVP_PKEY_free(pkey);
2187
    return ret;
2188
#else
2189
    return EXT_RETURN_FAIL;
2190
#endif
2191
}
2192

2193
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
2194
    unsigned int context, X509 *x,
2195
    size_t chainidx)
2196
{
2197
    const unsigned char cryptopro_ext[36] = {
2198
        0xfd, 0xe8, /* 65000 */
2199
        0x00, 0x20, /* 32 bytes length */
2200
        0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
2201
        0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
2202
        0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
2203
        0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
2204
    };
2205

2206
    if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
2207
            && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
2208
        || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
2209
               & SSL_OP_CRYPTOPRO_TLSEXT_BUG)
2210
            == 0)
2211
        return EXT_RETURN_NOT_SENT;
2212

2213
    if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
2214
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2215
        return EXT_RETURN_FAIL;
2216
    }
2217

2218
    return EXT_RETURN_SENT;
2219
}
2220

2221
EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
2222
    unsigned int context, X509 *x,
2223
    size_t chainidx)
2224
{
2225
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
2226
        if (s->max_early_data == 0)
2227
            return EXT_RETURN_NOT_SENT;
2228

2229
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
2230
            || !WPACKET_start_sub_packet_u16(pkt)
2231
            || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
2232
            || !WPACKET_close(pkt)) {
2233
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2234
            return EXT_RETURN_FAIL;
2235
        }
2236

2237
        return EXT_RETURN_SENT;
2238
    }
2239

2240
    if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
2241
        return EXT_RETURN_NOT_SENT;
2242

2243
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
2244
        || !WPACKET_start_sub_packet_u16(pkt)
2245
        || !WPACKET_close(pkt)) {
2246
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2247
        return EXT_RETURN_FAIL;
2248
    }
2249

2250
    return EXT_RETURN_SENT;
2251
}
2252

2253
EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
2254
    unsigned int context,
2255
    X509 *x, size_t chainidx)
2256
{
2257
    if (!s->hit)
2258
        return EXT_RETURN_NOT_SENT;
2259

2260
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
2261
        || !WPACKET_start_sub_packet_u16(pkt)
2262
        || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
2263
        || !WPACKET_close(pkt)) {
2264
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2265
        return EXT_RETURN_FAIL;
2266
    }
2267

2268
    return EXT_RETURN_SENT;
2269
}
2270

2271
EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2272
    unsigned int context,
2273
    X509 *x, size_t chainidx)
2274
{
2275
    if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
2276
        && (send_certificate_request(sc)
2277
            || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
2278
        /* Did not receive an acceptable cert type - and doing client auth */
2279
        SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2280
        return EXT_RETURN_FAIL;
2281
    }
2282

2283
    if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
2284
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2285
        return EXT_RETURN_NOT_SENT;
2286
    }
2287

2288
    /*
2289
     * Note: only supposed to send this if we are going to do a cert request,
2290
     * but TLSv1.3 could do a PHA request if the client supports it
2291
     */
2292
    if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
2293
        || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2294
        || sc->client_cert_type == NULL) {
2295
        /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2296
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2297
        sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2298
        return EXT_RETURN_NOT_SENT;
2299
    }
2300

2301
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2302
        || !WPACKET_start_sub_packet_u16(pkt)
2303
        || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
2304
        || !WPACKET_close(pkt)) {
2305
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2306
        return EXT_RETURN_FAIL;
2307
    }
2308
    return EXT_RETURN_SENT;
2309
}
2310

2311
/* One of |pref|, |other| is configured and the values are sanitized */
2312
static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
2313
    const unsigned char *other, size_t other_len,
2314
    uint8_t *chosen_cert_type)
2315
{
2316
    size_t i;
2317

2318
    for (i = 0; i < pref_len; i++) {
2319
        if (memchr(other, pref[i], other_len) != NULL) {
2320
            *chosen_cert_type = pref[i];
2321
            return OSSL_CERT_TYPE_CTOS_GOOD;
2322
        }
2323
    }
2324
    return OSSL_CERT_TYPE_CTOS_ERROR;
2325
}
2326

2327
int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2328
    unsigned int context,
2329
    X509 *x, size_t chainidx)
2330
{
2331
    PACKET supported_cert_types;
2332
    const unsigned char *data;
2333
    size_t len;
2334

2335
    /* Ignore the extension */
2336
    if (sc->client_cert_type == NULL) {
2337
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2338
        sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2339
        return 1;
2340
    }
2341

2342
    if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2343
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2344
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2345
        return 0;
2346
    }
2347
    if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2348
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2349
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2350
        return 0;
2351
    }
2352
    if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2353
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2354
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2355
        return 0;
2356
    }
2357
    /* client_cert_type: client (peer) has priority */
2358
    sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2359
        sc->client_cert_type, sc->client_cert_type_len,
2360
        &sc->ext.client_cert_type);
2361

2362
    /* Ignore the error until sending - so we can check cert auth*/
2363
    return 1;
2364
}
2365

2366
EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2367
    unsigned int context,
2368
    X509 *x, size_t chainidx)
2369
{
2370
    if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2371
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2372
        return EXT_RETURN_NOT_SENT;
2373
    }
2374
    if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2375
        || sc->server_cert_type == NULL) {
2376
        /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2377
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2378
        sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2379
        return EXT_RETURN_NOT_SENT;
2380
    }
2381

2382
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2383
        || !WPACKET_start_sub_packet_u16(pkt)
2384
        || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2385
        || !WPACKET_close(pkt)) {
2386
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2387
        return EXT_RETURN_FAIL;
2388
    }
2389
    return EXT_RETURN_SENT;
2390
}
2391

2392
int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2393
    unsigned int context,
2394
    X509 *x, size_t chainidx)
2395
{
2396
    PACKET supported_cert_types;
2397
    const unsigned char *data;
2398
    size_t len;
2399

2400
    /* Ignore the extension */
2401
    if (sc->server_cert_type == NULL) {
2402
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2403
        sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2404
        return 1;
2405
    }
2406

2407
    if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2408
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2409
        return 0;
2410
    }
2411

2412
    if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2413
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2414
        return 0;
2415
    }
2416
    if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2417
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2418
        return 0;
2419
    }
2420
    /* server_cert_type: server (this) has priority */
2421
    sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2422
        data, len,
2423
        &sc->ext.server_cert_type);
2424
    if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2425
        return 1;
2426

2427
    /* Did not receive an acceptable cert type */
2428
    SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2429
    return 0;
2430
}
2431

2432