Coverage Report

Created: 2024-07-27 06:39

/src/openssl32/ssl/statem/extensions_srvr.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <openssl/ocsp.h>
11
#include "../ssl_local.h"
12
#include "statem_local.h"
13
#include "internal/cryptlib.h"
14
15
0
#define COOKIE_STATE_FORMAT_VERSION     1
16
17
/*
18
 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19
 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20
 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21
 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22
 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23
 */
24
0
#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25
0
                         + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27
/*
28
 * Message header + 2 bytes for protocol version + number of random bytes +
29
 * + 1 byte for legacy session id length + number of bytes in legacy session id
30
 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31
 * + 2 bytes for extension block length + 6 bytes for key_share extension
32
 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33
 */
34
#define MAX_HRR_SIZE    (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35
                         + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36
                         + MAX_COOKIE_SIZE)
37
38
/*
39
 * Parse the client's renegotiation binding and abort if it's not right
40
 */
41
int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42
                               unsigned int context,
43
                               X509 *x, size_t chainidx)
44
1.57k
{
45
1.57k
    unsigned int ilen;
46
1.57k
    const unsigned char *data;
47
1.57k
    int ok;
48
49
    /* Parse the length byte */
50
1.57k
    if (!PACKET_get_1(pkt, &ilen)
51
1.57k
        || !PACKET_get_bytes(pkt, &data, ilen)) {
52
15
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
53
15
        return 0;
54
15
    }
55
56
    /* Check that the extension matches */
57
1.55k
    if (ilen != s->s3.previous_client_finished_len) {
58
7
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
59
7
        return 0;
60
7
    }
61
62
1.54k
    ok = memcmp(data, s->s3.previous_client_finished,
63
1.54k
                    s->s3.previous_client_finished_len);
64
1.54k
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
65
1.54k
    if (ok) {
66
0
        if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
67
0
            ok = 0;
68
0
        }
69
0
    }
70
1.54k
#endif
71
1.54k
    if (ok) {
72
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
73
0
        return 0;
74
0
    }
75
76
1.54k
    s->s3.send_connection_binding = 1;
77
78
1.54k
    return 1;
79
1.54k
}
80
81
/*-
82
 * The servername extension is treated as follows:
83
 *
84
 * - Only the hostname type is supported with a maximum length of 255.
85
 * - The servername is rejected if too long or if it contains zeros,
86
 *   in which case an fatal alert is generated.
87
 * - The servername field is maintained together with the session cache.
88
 * - When a session is resumed, the servername call back invoked in order
89
 *   to allow the application to position itself to the right context.
90
 * - The servername is acknowledged if it is new for a session or when
91
 *   it is identical to a previously used for the same session.
92
 *   Applications can control the behaviour.  They can at any time
93
 *   set a 'desirable' servername for a new SSL object. This can be the
94
 *   case for example with HTTPS when a Host: header field is received and
95
 *   a renegotiation is requested. In this case, a possible servername
96
 *   presented in the new client hello is only acknowledged if it matches
97
 *   the value of the Host: field.
98
 * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
99
 *   if they provide for changing an explicit servername context for the
100
 *   session, i.e. when the session has been established with a servername
101
 *   extension.
102
 * - On session reconnect, the servername extension may be absent.
103
 */
104
int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
105
                               unsigned int context, X509 *x, size_t chainidx)
106
3.75k
{
107
3.75k
    unsigned int servname_type;
108
3.75k
    PACKET sni, hostname;
109
110
3.75k
    if (!PACKET_as_length_prefixed_2(pkt, &sni)
111
        /* ServerNameList must be at least 1 byte long. */
112
3.75k
        || PACKET_remaining(&sni) == 0) {
113
152
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
114
152
        return 0;
115
152
    }
116
117
    /*
118
     * Although the intent was for server_name to be extensible, RFC 4366
119
     * was not clear about it; and so OpenSSL among other implementations,
120
     * always and only allows a 'host_name' name types.
121
     * RFC 6066 corrected the mistake but adding new name types
122
     * is nevertheless no longer feasible, so act as if no other
123
     * SNI types can exist, to simplify parsing.
124
     *
125
     * Also note that the RFC permits only one SNI value per type,
126
     * i.e., we can only have a single hostname.
127
     */
128
3.60k
    if (!PACKET_get_1(&sni, &servname_type)
129
3.60k
        || servname_type != TLSEXT_NAMETYPE_host_name
130
3.60k
        || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
131
108
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
132
108
        return 0;
133
108
    }
134
135
    /*
136
     * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
137
     * we always use the SNI value from the handshake.
138
     */
139
3.49k
    if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
140
3.48k
        if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
141
4
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
142
4
            return 0;
143
4
        }
144
145
3.48k
        if (PACKET_contains_zero_byte(&hostname)) {
146
8
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
147
8
            return 0;
148
8
        }
149
150
        /*
151
         * Store the requested SNI in the SSL as temporary storage.
152
         * If we accept it, it will get stored in the SSL_SESSION as well.
153
         */
154
3.47k
        OPENSSL_free(s->ext.hostname);
155
3.47k
        s->ext.hostname = NULL;
156
3.47k
        if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
157
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
158
0
            return 0;
159
0
        }
160
161
3.47k
        s->servername_done = 1;
162
3.47k
    } else {
163
        /*
164
         * In TLSv1.2 and below we should check if the SNI is consistent between
165
         * the initial handshake and the resumption. In TLSv1.3 SNI is not
166
         * associated with the session.
167
         */
168
8
        s->servername_done = (s->session->ext.hostname != NULL)
169
8
            && PACKET_equal(&hostname, s->session->ext.hostname,
170
4
                            strlen(s->session->ext.hostname));
171
8
    }
172
173
3.48k
    return 1;
174
3.49k
}
175
176
int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
177
                                  unsigned int context,
178
                                  X509 *x, size_t chainidx)
179
469
{
180
469
    unsigned int value;
181
182
469
    if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
183
58
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
184
58
        return 0;
185
58
    }
186
187
    /* Received |value| should be a valid max-fragment-length code. */
188
411
    if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
189
24
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190
24
                 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191
24
        return 0;
192
24
    }
193
194
    /*
195
     * When doing a full handshake or a renegotiation max_fragment_len_mode will
196
     * be TLSEXT_max_fragment_length_UNSPECIFIED
197
     *
198
     * In case of a resumption max_fragment_len_mode will be one of
199
     *      TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
200
     *      TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
201
     *      TLSEXT_max_fragment_length_4096
202
     *
203
     * RFC 6066: The negotiated length applies for the duration of the session
204
     * including session resumptions.
205
     *
206
     * So we only set the value in case it is unspecified.
207
     */
208
387
    if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
209
        /*
210
         * Store it in session, so it'll become binding for us
211
         * and we'll include it in a next Server Hello.
212
         */
213
383
        s->session->ext.max_fragment_len_mode = value;
214
215
387
    return 1;
216
411
}
217
218
#ifndef OPENSSL_NO_SRP
219
int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
220
                       X509 *x, size_t chainidx)
221
113
{
222
113
    PACKET srp_I;
223
224
113
    if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
225
113
            || PACKET_contains_zero_byte(&srp_I)) {
226
52
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
227
52
        return 0;
228
52
    }
229
230
61
    if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
231
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
232
0
        return 0;
233
0
    }
234
235
61
    return 1;
236
61
}
237
#endif
238
239
int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
240
                                 unsigned int context,
241
                                 X509 *x, size_t chainidx)
242
2.37k
{
243
2.37k
    PACKET ec_point_format_list;
244
245
2.37k
    if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
246
2.37k
        || PACKET_remaining(&ec_point_format_list) == 0) {
247
70
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
248
70
        return 0;
249
70
    }
250
251
2.30k
    if (!s->hit) {
252
2.19k
        if (!PACKET_memdup(&ec_point_format_list,
253
2.19k
                           &s->ext.peer_ecpointformats,
254
2.19k
                           &s->ext.peer_ecpointformats_len)) {
255
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
256
0
            return 0;
257
0
        }
258
2.19k
    }
259
260
2.30k
    return 1;
261
2.30k
}
262
263
int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
264
                                  unsigned int context,
265
                                  X509 *x, size_t chainidx)
266
1.78k
{
267
1.78k
    if (s->ext.session_ticket_cb &&
268
1.78k
            !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
269
0
                                      PACKET_data(pkt), PACKET_remaining(pkt),
270
0
                                      s->ext.session_ticket_cb_arg)) {
271
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
272
0
        return 0;
273
0
    }
274
275
1.78k
    return 1;
276
1.78k
}
277
278
int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
279
                                 ossl_unused unsigned int context,
280
                                 ossl_unused X509 *x,
281
                                 ossl_unused size_t chainidx)
282
901
{
283
901
    PACKET supported_sig_algs;
284
285
901
    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
286
901
            || PACKET_remaining(&supported_sig_algs) == 0) {
287
99
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
288
99
        return 0;
289
99
    }
290
291
802
    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292
7
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
293
7
        return 0;
294
7
    }
295
296
795
    return 1;
297
802
}
298
299
int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
300
                            unsigned int context, X509 *x, size_t chainidx)
301
5.85k
{
302
5.85k
    PACKET supported_sig_algs;
303
304
5.85k
    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
305
5.85k
            || PACKET_remaining(&supported_sig_algs) == 0) {
306
158
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
307
158
        return 0;
308
158
    }
309
310
5.69k
    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
311
8
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
312
8
        return 0;
313
8
    }
314
315
5.68k
    return 1;
316
5.69k
}
317
318
#ifndef OPENSSL_NO_OCSP
319
int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
320
                                  unsigned int context,
321
                                  X509 *x, size_t chainidx)
322
3.86k
{
323
3.86k
    PACKET responder_id_list, exts;
324
325
    /* We ignore this in a resumption handshake */
326
3.86k
    if (s->hit)
327
26
        return 1;
328
329
    /* Not defined if we get one of these in a client Certificate */
330
3.83k
    if (x != NULL)
331
0
        return 1;
332
333
3.83k
    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
334
7
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
335
7
        return 0;
336
7
    }
337
338
3.82k
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
339
        /*
340
         * We don't know what to do with any other type so ignore it.
341
         */
342
166
        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
343
166
        return 1;
344
166
    }
345
346
3.66k
    if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
347
52
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
348
52
        return 0;
349
52
    }
350
351
    /*
352
     * We remove any OCSP_RESPIDs from a previous handshake
353
     * to prevent unbounded memory growth - CVE-2016-6304
354
     */
355
3.60k
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
356
3.60k
    if (PACKET_remaining(&responder_id_list) > 0) {
357
2.28k
        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358
2.28k
        if (s->ext.ocsp.ids == NULL) {
359
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
360
0
            return 0;
361
0
        }
362
2.28k
    } else {
363
1.32k
        s->ext.ocsp.ids = NULL;
364
1.32k
    }
365
366
3.67k
    while (PACKET_remaining(&responder_id_list) > 0) {
367
2.33k
        OCSP_RESPID *id;
368
2.33k
        PACKET responder_id;
369
2.33k
        const unsigned char *id_data;
370
371
2.33k
        if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
372
2.33k
                || PACKET_remaining(&responder_id) == 0) {
373
61
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374
61
            return 0;
375
61
        }
376
377
2.27k
        id_data = PACKET_data(&responder_id);
378
2.27k
        id = d2i_OCSP_RESPID(NULL, &id_data,
379
2.27k
                             (int)PACKET_remaining(&responder_id));
380
2.27k
        if (id == NULL) {
381
2.17k
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
382
2.17k
            return 0;
383
2.17k
        }
384
385
99
        if (id_data != PACKET_end(&responder_id)) {
386
35
            OCSP_RESPID_free(id);
387
35
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
388
389
35
            return 0;
390
35
        }
391
392
64
        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
393
0
            OCSP_RESPID_free(id);
394
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
395
396
0
            return 0;
397
0
        }
398
64
    }
399
400
    /* Read in request_extensions */
401
1.33k
    if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
402
63
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
403
63
        return 0;
404
63
    }
405
406
1.27k
    if (PACKET_remaining(&exts) > 0) {
407
191
        const unsigned char *ext_data = PACKET_data(&exts);
408
409
191
        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
410
191
                                   X509_EXTENSION_free);
411
191
        s->ext.ocsp.exts =
412
191
            d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
413
191
        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
414
187
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
415
187
            return 0;
416
187
        }
417
191
    }
418
419
1.08k
    return 1;
420
1.27k
}
421
#endif
422
423
#ifndef OPENSSL_NO_NEXTPROTONEG
424
int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
425
                       X509 *x, size_t chainidx)
426
12
{
427
    /*
428
     * We shouldn't accept this extension on a
429
     * renegotiation.
430
     */
431
12
    if (SSL_IS_FIRST_HANDSHAKE(s))
432
12
        s->s3.npn_seen = 1;
433
434
12
    return 1;
435
12
}
436
#endif
437
438
/*
439
 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
440
 * extension, not including type and length. Returns: 1 on success, 0 on error.
441
 */
442
int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
443
                        X509 *x, size_t chainidx)
444
318
{
445
318
    PACKET protocol_list, save_protocol_list, protocol;
446
447
318
    if (!SSL_IS_FIRST_HANDSHAKE(s))
448
0
        return 1;
449
450
318
    if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
451
318
        || PACKET_remaining(&protocol_list) < 2) {
452
105
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
453
105
        return 0;
454
105
    }
455
456
213
    save_protocol_list = protocol_list;
457
1.85k
    do {
458
        /* Protocol names can't be empty. */
459
1.85k
        if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
460
1.85k
                || PACKET_remaining(&protocol) == 0) {
461
59
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
462
59
            return 0;
463
59
        }
464
1.85k
    } while (PACKET_remaining(&protocol_list) != 0);
465
466
154
    OPENSSL_free(s->s3.alpn_proposed);
467
154
    s->s3.alpn_proposed = NULL;
468
154
    s->s3.alpn_proposed_len = 0;
469
154
    if (!PACKET_memdup(&save_protocol_list,
470
154
                       &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
471
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
472
0
        return 0;
473
0
    }
474
475
154
    return 1;
476
154
}
477
478
#ifndef OPENSSL_NO_SRTP
479
int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
480
                            unsigned int context, X509 *x, size_t chainidx)
481
54
{
482
54
    STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
483
54
    unsigned int ct, mki_len, id;
484
54
    int i, srtp_pref;
485
54
    PACKET subpkt;
486
54
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
487
488
    /* Ignore this if we have no SRTP profiles */
489
54
    if (SSL_get_srtp_profiles(ssl) == NULL)
490
54
        return 1;
491
492
    /* Pull off the length of the cipher suite list  and check it is even */
493
0
    if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
494
0
            || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
495
0
        SSLfatal(s, SSL_AD_DECODE_ERROR,
496
0
               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
497
0
        return 0;
498
0
    }
499
500
0
    srvr = SSL_get_srtp_profiles(ssl);
501
0
    s->srtp_profile = NULL;
502
    /* Search all profiles for a match initially */
503
0
    srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
504
505
0
    while (PACKET_remaining(&subpkt)) {
506
0
        if (!PACKET_get_net_2(&subpkt, &id)) {
507
0
            SSLfatal(s, SSL_AD_DECODE_ERROR,
508
0
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
509
0
            return 0;
510
0
        }
511
512
        /*
513
         * Only look for match in profiles of higher preference than
514
         * current match.
515
         * If no profiles have been have been configured then this
516
         * does nothing.
517
         */
518
0
        for (i = 0; i < srtp_pref; i++) {
519
0
            SRTP_PROTECTION_PROFILE *sprof =
520
0
                sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
521
522
0
            if (sprof->id == id) {
523
0
                s->srtp_profile = sprof;
524
0
                srtp_pref = i;
525
0
                break;
526
0
            }
527
0
        }
528
0
    }
529
530
    /* Now extract the MKI value as a sanity check, but discard it for now */
531
0
    if (!PACKET_get_1(pkt, &mki_len)) {
532
0
        SSLfatal(s, SSL_AD_DECODE_ERROR,
533
0
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
534
0
        return 0;
535
0
    }
536
537
0
    if (!PACKET_forward(pkt, mki_len)
538
0
        || PACKET_remaining(pkt)) {
539
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
540
0
        return 0;
541
0
    }
542
543
0
    return 1;
544
0
}
545
#endif
546
547
int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
548
                       X509 *x, size_t chainidx)
549
788
{
550
788
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
551
788
        s->ext.use_etm = 1;
552
553
788
    return 1;
554
788
}
555
556
/*
557
 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
558
 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
559
 */
560
int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
561
                                 unsigned int context,
562
                                 X509 *x, size_t chainidx)
563
946
{
564
946
#ifndef OPENSSL_NO_TLS1_3
565
946
    PACKET psk_kex_modes;
566
946
    unsigned int mode;
567
568
946
    if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
569
946
            || PACKET_remaining(&psk_kex_modes) == 0) {
570
35
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
571
35
        return 0;
572
35
    }
573
574
5.88k
    while (PACKET_get_1(&psk_kex_modes, &mode)) {
575
4.97k
        if (mode == TLSEXT_KEX_MODE_KE_DHE)
576
1.54k
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
577
3.42k
        else if (mode == TLSEXT_KEX_MODE_KE
578
3.42k
                && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
579
0
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
580
4.97k
    }
581
911
#endif
582
583
911
    return 1;
584
946
}
585
586
/*
587
 * Process a key_share extension received in the ClientHello. |pkt| contains
588
 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
589
 */
590
int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
591
                             unsigned int context, X509 *x, size_t chainidx)
592
2.70k
{
593
2.70k
#ifndef OPENSSL_NO_TLS1_3
594
2.70k
    unsigned int group_id;
595
2.70k
    PACKET key_share_list, encoded_pt;
596
2.70k
    const uint16_t *clntgroups, *srvrgroups;
597
2.70k
    size_t clnt_num_groups, srvr_num_groups;
598
2.70k
    int found = 0;
599
600
2.70k
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
601
0
        return 1;
602
603
    /* Sanity check */
604
2.70k
    if (s->s3.peer_tmp != NULL) {
605
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
606
0
        return 0;
607
0
    }
608
609
2.70k
    if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
610
68
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
611
68
        return 0;
612
68
    }
613
614
    /* Get our list of supported groups */
615
2.63k
    tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
616
    /* Get the clients list of supported groups. */
617
2.63k
    tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
618
2.63k
    if (clnt_num_groups == 0) {
619
        /*
620
         * This can only happen if the supported_groups extension was not sent,
621
         * because we verify that the length is non-zero when we process that
622
         * extension.
623
         */
624
5
        SSLfatal(s, SSL_AD_MISSING_EXTENSION,
625
5
                 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
626
5
        return 0;
627
5
    }
628
629
2.62k
    if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
630
        /*
631
         * If we set a group_id already, then we must have sent an HRR
632
         * requesting a new key_share. If we haven't got one then that is an
633
         * error
634
         */
635
4
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
636
4
        return 0;
637
4
    }
638
639
5.48k
    while (PACKET_remaining(&key_share_list) > 0) {
640
3.08k
        if (!PACKET_get_net_2(&key_share_list, &group_id)
641
3.08k
                || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
642
3.08k
                || PACKET_remaining(&encoded_pt) == 0) {
643
97
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
644
97
            return 0;
645
97
        }
646
647
        /*
648
         * If we already found a suitable key_share we loop through the
649
         * rest to verify the structure, but don't process them.
650
         */
651
2.99k
        if (found)
652
299
            continue;
653
654
        /*
655
         * If we sent an HRR then the key_share sent back MUST be for the group
656
         * we requested, and must be the only key_share sent.
657
         */
658
2.69k
        if (s->s3.group_id != 0
659
2.69k
                && (group_id != s->s3.group_id
660
158
                    || PACKET_remaining(&key_share_list) != 0)) {
661
38
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
662
38
            return 0;
663
38
        }
664
665
        /* Check if this share is in supported_groups sent from client */
666
2.65k
        if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
667
22
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
668
22
            return 0;
669
22
        }
670
671
        /* Check if this share is for a group we can use */
672
2.63k
        if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
673
2.63k
                || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
674
                   /*
675
                    * We tolerate but ignore a group id that we don't think is
676
                    * suitable for TLSv1.3
677
                    */
678
2.63k
                || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
679
1.93k
                                    0, NULL)) {
680
            /* Share not suitable */
681
698
            continue;
682
698
        }
683
684
1.93k
        s->s3.group_id = group_id;
685
        /* Cache the selected group ID in the SSL_SESSION */
686
1.93k
        s->session->kex_group = group_id;
687
688
1.93k
        if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
689
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
690
0
                   SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
691
0
            return 0;
692
0
        }
693
694
1.93k
        if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
695
1.93k
                                      PACKET_data(&encoded_pt),
696
1.93k
                                      PACKET_remaining(&encoded_pt)) <= 0) {
697
67
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
698
67
            return 0;
699
67
        }
700
701
1.86k
        found = 1;
702
1.86k
    }
703
2.40k
#endif
704
705
2.40k
    return 1;
706
2.62k
}
707
708
int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
709
                          X509 *x, size_t chainidx)
710
77
{
711
77
#ifndef OPENSSL_NO_TLS1_3
712
77
    unsigned int format, version, key_share, group_id;
713
77
    EVP_MD_CTX *hctx;
714
77
    EVP_PKEY *pkey;
715
77
    PACKET cookie, raw, chhash, appcookie;
716
77
    WPACKET hrrpkt;
717
77
    const unsigned char *data, *mdin, *ciphdata;
718
77
    unsigned char hmac[SHA256_DIGEST_LENGTH];
719
77
    unsigned char hrr[MAX_HRR_SIZE];
720
77
    size_t rawlen, hmaclen, hrrlen, ciphlen;
721
77
    uint64_t tm, now;
722
77
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
723
77
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
724
725
    /* Ignore any cookie if we're not set up to verify it */
726
77
    if (sctx->verify_stateless_cookie_cb == NULL
727
77
            || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
728
77
        return 1;
729
730
0
    if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
731
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
732
0
        return 0;
733
0
    }
734
735
0
    raw = cookie;
736
0
    data = PACKET_data(&raw);
737
0
    rawlen = PACKET_remaining(&raw);
738
0
    if (rawlen < SHA256_DIGEST_LENGTH
739
0
            || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
740
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
741
0
        return 0;
742
0
    }
743
0
    mdin = PACKET_data(&raw);
744
745
    /* Verify the HMAC of the cookie */
746
0
    hctx = EVP_MD_CTX_create();
747
0
    pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
748
0
                                           sctx->propq,
749
0
                                           s->session_ctx->ext.cookie_hmac_key,
750
0
                                           sizeof(s->session_ctx->ext.cookie_hmac_key));
751
0
    if (hctx == NULL || pkey == NULL) {
752
0
        EVP_MD_CTX_free(hctx);
753
0
        EVP_PKEY_free(pkey);
754
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
755
0
        return 0;
756
0
    }
757
758
0
    hmaclen = SHA256_DIGEST_LENGTH;
759
0
    if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
760
0
                              sctx->propq, pkey, NULL) <= 0
761
0
            || EVP_DigestSign(hctx, hmac, &hmaclen, data,
762
0
                              rawlen - SHA256_DIGEST_LENGTH) <= 0
763
0
            || hmaclen != SHA256_DIGEST_LENGTH) {
764
0
        EVP_MD_CTX_free(hctx);
765
0
        EVP_PKEY_free(pkey);
766
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
767
0
        return 0;
768
0
    }
769
770
0
    EVP_MD_CTX_free(hctx);
771
0
    EVP_PKEY_free(pkey);
772
773
0
    if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
774
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
775
0
        return 0;
776
0
    }
777
778
0
    if (!PACKET_get_net_2(&cookie, &format)) {
779
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
780
0
        return 0;
781
0
    }
782
    /* Check the cookie format is something we recognise. Ignore it if not */
783
0
    if (format != COOKIE_STATE_FORMAT_VERSION)
784
0
        return 1;
785
786
    /*
787
     * The rest of these checks really shouldn't fail since we have verified the
788
     * HMAC above.
789
     */
790
791
    /* Check the version number is sane */
792
0
    if (!PACKET_get_net_2(&cookie, &version)) {
793
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
794
0
        return 0;
795
0
    }
796
0
    if (version != TLS1_3_VERSION) {
797
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
798
0
                 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
799
0
        return 0;
800
0
    }
801
802
0
    if (!PACKET_get_net_2(&cookie, &group_id)) {
803
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
804
0
        return 0;
805
0
    }
806
807
0
    ciphdata = PACKET_data(&cookie);
808
0
    if (!PACKET_forward(&cookie, 2)) {
809
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
810
0
        return 0;
811
0
    }
812
0
    if (group_id != s->s3.group_id
813
0
            || s->s3.tmp.new_cipher
814
0
               != ssl_get_cipher_by_char(s, ciphdata, 0)) {
815
        /*
816
         * We chose a different cipher or group id this time around to what is
817
         * in the cookie. Something must have changed.
818
         */
819
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
820
0
        return 0;
821
0
    }
822
823
0
    if (!PACKET_get_1(&cookie, &key_share)
824
0
            || !PACKET_get_net_8(&cookie, &tm)
825
0
            || !PACKET_get_length_prefixed_2(&cookie, &chhash)
826
0
            || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
827
0
            || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
828
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
829
0
        return 0;
830
0
    }
831
832
    /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
833
0
    now = time(NULL);
834
0
    if (tm > now || (now - tm) > 600) {
835
        /* Cookie is stale. Ignore it */
836
0
        return 1;
837
0
    }
838
839
    /* Verify the app cookie */
840
0
    if (sctx->verify_stateless_cookie_cb(ssl,
841
0
                                         PACKET_data(&appcookie),
842
0
                                         PACKET_remaining(&appcookie)) == 0) {
843
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
844
0
        return 0;
845
0
    }
846
847
    /*
848
     * Reconstruct the HRR that we would have sent in response to the original
849
     * ClientHello so we can add it to the transcript hash.
850
     * Note: This won't work with custom HRR extensions
851
     */
852
0
    if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
853
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
854
0
        return 0;
855
0
    }
856
0
    if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
857
0
            || !WPACKET_start_sub_packet_u24(&hrrpkt)
858
0
            || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
859
0
            || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
860
0
            || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
861
0
                                      s->tmp_session_id_len)
862
0
            || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
863
0
                                                &ciphlen)
864
0
            || !WPACKET_put_bytes_u8(&hrrpkt, 0)
865
0
            || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
866
0
        WPACKET_cleanup(&hrrpkt);
867
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
868
0
        return 0;
869
0
    }
870
0
    if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
871
0
            || !WPACKET_start_sub_packet_u16(&hrrpkt)
872
0
            || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
873
0
            || !WPACKET_close(&hrrpkt)) {
874
0
        WPACKET_cleanup(&hrrpkt);
875
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
876
0
        return 0;
877
0
    }
878
0
    if (key_share) {
879
0
        if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
880
0
                || !WPACKET_start_sub_packet_u16(&hrrpkt)
881
0
                || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
882
0
                || !WPACKET_close(&hrrpkt)) {
883
0
            WPACKET_cleanup(&hrrpkt);
884
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
885
0
            return 0;
886
0
        }
887
0
    }
888
0
    if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
889
0
            || !WPACKET_start_sub_packet_u16(&hrrpkt)
890
0
            || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
891
0
            || !WPACKET_close(&hrrpkt) /* cookie extension */
892
0
            || !WPACKET_close(&hrrpkt) /* extension block */
893
0
            || !WPACKET_close(&hrrpkt) /* message */
894
0
            || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
895
0
            || !WPACKET_finish(&hrrpkt)) {
896
0
        WPACKET_cleanup(&hrrpkt);
897
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
898
0
        return 0;
899
0
    }
900
901
    /* Reconstruct the transcript hash */
902
0
    if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
903
0
                                       PACKET_remaining(&chhash), hrr,
904
0
                                       hrrlen)) {
905
        /* SSLfatal() already called */
906
0
        return 0;
907
0
    }
908
909
    /* Act as if this ClientHello came after a HelloRetryRequest */
910
0
    s->hello_retry_request = SSL_HRR_PENDING;
911
912
0
    s->ext.cookieok = 1;
913
0
#endif
914
915
0
    return 1;
916
0
}
917
918
int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
919
                                    unsigned int context,
920
                                    X509 *x, size_t chainidx)
921
9.42k
{
922
9.42k
    PACKET supported_groups_list;
923
924
    /* Each group is 2 bytes and we must have at least 1. */
925
9.42k
    if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
926
9.42k
            || PACKET_remaining(&supported_groups_list) == 0
927
9.42k
            || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
928
114
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
929
114
        return 0;
930
114
    }
931
932
9.31k
    if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
933
9.24k
        OPENSSL_free(s->ext.peer_supportedgroups);
934
9.24k
        s->ext.peer_supportedgroups = NULL;
935
9.24k
        s->ext.peer_supportedgroups_len = 0;
936
9.24k
        if (!tls1_save_u16(&supported_groups_list,
937
9.24k
                           &s->ext.peer_supportedgroups,
938
9.24k
                           &s->ext.peer_supportedgroups_len)) {
939
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
940
0
            return 0;
941
0
        }
942
9.24k
    }
943
944
9.31k
    return 1;
945
9.31k
}
946
947
int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
948
                       X509 *x, size_t chainidx)
949
1.85k
{
950
    /* The extension must always be empty */
951
1.85k
    if (PACKET_remaining(pkt) != 0) {
952
5
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
953
5
        return 0;
954
5
    }
955
956
1.85k
    if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
957
0
        return 1;
958
959
1.85k
    s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
960
961
1.85k
    return 1;
962
1.85k
}
963
964
965
int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
966
                              X509 *x, size_t chainidx)
967
1.62k
{
968
1.62k
    if (PACKET_remaining(pkt) != 0) {
969
4
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
970
4
        return 0;
971
4
    }
972
973
1.62k
    if (s->hello_retry_request != SSL_HRR_NONE) {
974
5
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
975
5
        return 0;
976
5
    }
977
978
1.61k
    return 1;
979
1.62k
}
980
981
static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
982
                                                 SSL_SESSION **sess)
983
0
{
984
0
    SSL_SESSION *tmpsess = NULL;
985
986
0
    s->ext.ticket_expected = 1;
987
988
0
    switch (PACKET_remaining(tick)) {
989
0
        case 0:
990
0
            return SSL_TICKET_EMPTY;
991
992
0
        case SSL_MAX_SSL_SESSION_ID_LENGTH:
993
0
            break;
994
995
0
        default:
996
0
            return SSL_TICKET_NO_DECRYPT;
997
0
    }
998
999
0
    tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1000
0
                                   SSL_MAX_SSL_SESSION_ID_LENGTH);
1001
1002
0
    if (tmpsess == NULL)
1003
0
        return SSL_TICKET_NO_DECRYPT;
1004
1005
0
    *sess = tmpsess;
1006
0
    return SSL_TICKET_SUCCESS;
1007
0
}
1008
1009
int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1010
                       X509 *x, size_t chainidx)
1011
161
{
1012
161
    PACKET identities, binders, binder;
1013
161
    size_t binderoffset, hashsize;
1014
161
    SSL_SESSION *sess = NULL;
1015
161
    unsigned int id, i, ext = 0;
1016
161
    const EVP_MD *md = NULL;
1017
161
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1018
161
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1019
1020
    /*
1021
     * If we have no PSK kex mode that we recognise then we can't resume so
1022
     * ignore this extension
1023
     */
1024
161
    if ((s->ext.psk_kex_mode
1025
161
            & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1026
2
        return 1;
1027
1028
159
    if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1029
8
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1030
8
        return 0;
1031
8
    }
1032
1033
151
    s->ext.ticket_expected = 0;
1034
286
    for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1035
261
        PACKET identity;
1036
261
        unsigned long ticket_agel;
1037
261
        size_t idlen;
1038
1039
261
        if (!PACKET_get_length_prefixed_2(&identities, &identity)
1040
261
                || !PACKET_get_net_4(&identities, &ticket_agel)) {
1041
47
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1042
47
            return 0;
1043
47
        }
1044
1045
214
        idlen = PACKET_remaining(&identity);
1046
214
        if (s->psk_find_session_cb != NULL
1047
214
                && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
1048
0
                                           &sess)) {
1049
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1050
0
            return 0;
1051
0
        }
1052
1053
214
#ifndef OPENSSL_NO_PSK
1054
214
        if (sess == NULL
1055
214
                && s->psk_server_callback != NULL
1056
214
                && idlen <= PSK_MAX_IDENTITY_LEN) {
1057
0
            char *pskid = NULL;
1058
0
            unsigned char pskdata[PSK_MAX_PSK_LEN];
1059
0
            unsigned int pskdatalen;
1060
1061
0
            if (!PACKET_strndup(&identity, &pskid)) {
1062
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1063
0
                return 0;
1064
0
            }
1065
0
            pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
1066
0
                                                sizeof(pskdata));
1067
0
            OPENSSL_free(pskid);
1068
0
            if (pskdatalen > PSK_MAX_PSK_LEN) {
1069
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1070
0
                return 0;
1071
0
            } else if (pskdatalen > 0) {
1072
0
                const SSL_CIPHER *cipher;
1073
0
                const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1074
1075
                /*
1076
                 * We found a PSK using an old style callback. We don't know
1077
                 * the digest so we default to SHA256 as per the TLSv1.3 spec
1078
                 */
1079
0
                cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
1080
0
                if (cipher == NULL) {
1081
0
                    OPENSSL_cleanse(pskdata, pskdatalen);
1082
0
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1083
0
                    return 0;
1084
0
                }
1085
1086
0
                sess = SSL_SESSION_new();
1087
0
                if (sess == NULL
1088
0
                        || !SSL_SESSION_set1_master_key(sess, pskdata,
1089
0
                                                        pskdatalen)
1090
0
                        || !SSL_SESSION_set_cipher(sess, cipher)
1091
0
                        || !SSL_SESSION_set_protocol_version(sess,
1092
0
                                                             TLS1_3_VERSION)) {
1093
0
                    OPENSSL_cleanse(pskdata, pskdatalen);
1094
0
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1095
0
                    goto err;
1096
0
                }
1097
0
                OPENSSL_cleanse(pskdata, pskdatalen);
1098
0
            }
1099
0
        }
1100
214
#endif /* OPENSSL_NO_PSK */
1101
1102
214
        if (sess != NULL) {
1103
            /* We found a PSK */
1104
0
            SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1105
1106
0
            if (sesstmp == NULL) {
1107
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1108
0
                return 0;
1109
0
            }
1110
0
            SSL_SESSION_free(sess);
1111
0
            sess = sesstmp;
1112
1113
            /*
1114
             * We've just been told to use this session for this context so
1115
             * make sure the sid_ctx matches up.
1116
             */
1117
0
            memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1118
0
            sess->sid_ctx_length = s->sid_ctx_length;
1119
0
            ext = 1;
1120
0
            if (id == 0)
1121
0
                s->ext.early_data_ok = 1;
1122
0
            s->ext.ticket_expected = 1;
1123
214
        } else {
1124
214
            OSSL_TIME t, age, expire;
1125
214
            int ret;
1126
1127
            /*
1128
             * If we are using anti-replay protection then we behave as if
1129
             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1130
             * is no point in using full stateless tickets.
1131
             */
1132
214
            if ((s->options & SSL_OP_NO_TICKET) != 0
1133
214
                    || (s->max_early_data > 0
1134
214
                        && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1135
0
                ret = tls_get_stateful_ticket(s, &identity, &sess);
1136
214
            else
1137
214
                ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1138
214
                                         PACKET_remaining(&identity), NULL, 0,
1139
214
                                         &sess);
1140
1141
214
            if (ret == SSL_TICKET_EMPTY) {
1142
5
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1143
5
                return 0;
1144
5
            }
1145
1146
209
            if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1147
209
                    || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1148
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1149
0
                return 0;
1150
0
            }
1151
209
            if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1152
94
                continue;
1153
1154
            /* Check for replay */
1155
115
            if (s->max_early_data > 0
1156
115
                    && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1157
115
                    && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1158
0
                SSL_SESSION_free(sess);
1159
0
                sess = NULL;
1160
0
                continue;
1161
0
            }
1162
1163
115
            age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1164
115
                                     ossl_ms2time(sess->ext.tick_age_add));
1165
115
            t = ossl_time_subtract(ossl_time_now(), sess->time);
1166
1167
            /*
1168
             * Although internally we use OSS_TIME which has ns granularity,
1169
             * when SSL_SESSION structures are serialised/deserialised we use
1170
             * second granularity for the sess->time field. Therefore it could
1171
             * appear that the client's ticket age is longer than ours (our
1172
             * ticket age calculation should always be slightly longer than the
1173
             * client's due to the network latency). Therefore we add 1000ms to
1174
             * our age calculation to adjust for rounding errors.
1175
             */
1176
115
            expire = ossl_time_add(t, ossl_ms2time(1000));
1177
1178
115
            if (id == 0
1179
115
                    && ossl_time_compare(sess->timeout, t) >= 0
1180
115
                    && ossl_time_compare(age, expire) <= 0
1181
115
                    && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1182
53
                                         expire) >= 0) {
1183
                /*
1184
                 * Ticket age is within tolerance and not expired. We allow it
1185
                 * for early data
1186
                 */
1187
23
                s->ext.early_data_ok = 1;
1188
23
            }
1189
115
        }
1190
1191
115
        md = ssl_md(sctx, sess->cipher->algorithm2);
1192
115
        if (md == NULL) {
1193
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1194
0
            goto err;
1195
0
        }
1196
115
        if (!EVP_MD_is_a(md,
1197
115
                EVP_MD_get0_name(ssl_md(sctx,
1198
115
                                        s->s3.tmp.new_cipher->algorithm2)))) {
1199
            /* The ciphersuite is not compatible with this session. */
1200
41
            SSL_SESSION_free(sess);
1201
41
            sess = NULL;
1202
41
            s->ext.early_data_ok = 0;
1203
41
            s->ext.ticket_expected = 0;
1204
41
            continue;
1205
41
        }
1206
74
        break;
1207
115
    }
1208
1209
99
    if (sess == NULL)
1210
25
        return 1;
1211
1212
74
    binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1213
74
    hashsize = EVP_MD_get_size(md);
1214
1215
74
    if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1216
33
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1217
33
        goto err;
1218
33
    }
1219
1220
64
    for (i = 0; i <= id; i++) {
1221
41
        if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1222
18
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1223
18
            goto err;
1224
18
        }
1225
41
    }
1226
1227
23
    if (PACKET_remaining(&binder) != hashsize) {
1228
11
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1229
11
        goto err;
1230
11
    }
1231
12
    if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1232
12
                          binderoffset, PACKET_data(&binder), NULL, sess, 0,
1233
12
                          ext) != 1) {
1234
        /* SSLfatal() already called */
1235
11
        goto err;
1236
11
    }
1237
1238
1
    s->ext.tick_identity = id;
1239
1240
1
    SSL_SESSION_free(s->session);
1241
1
    s->session = sess;
1242
1
    return 1;
1243
73
err:
1244
73
    SSL_SESSION_free(sess);
1245
73
    return 0;
1246
12
}
1247
1248
int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
1249
                                       ossl_unused unsigned int context,
1250
                                       ossl_unused X509 *x,
1251
                                       ossl_unused size_t chainidx)
1252
232
{
1253
232
    if (PACKET_remaining(pkt) != 0) {
1254
4
        SSLfatal(s, SSL_AD_DECODE_ERROR,
1255
4
                 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1256
4
        return 0;
1257
4
    }
1258
1259
228
    s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1260
1261
228
    return 1;
1262
232
}
1263
1264
/*
1265
 * Add the server's renegotiation binding
1266
 */
1267
EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
1268
                                          unsigned int context, X509 *x,
1269
                                          size_t chainidx)
1270
12.0k
{
1271
12.0k
    if (!s->s3.send_connection_binding)
1272
9.23k
        return EXT_RETURN_NOT_SENT;
1273
1274
    /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1275
2.81k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1276
2.81k
            || !WPACKET_start_sub_packet_u16(pkt)
1277
2.81k
            || !WPACKET_start_sub_packet_u8(pkt)
1278
2.81k
            || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1279
2.81k
                               s->s3.previous_client_finished_len)
1280
2.81k
            || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1281
2.81k
                               s->s3.previous_server_finished_len)
1282
2.81k
            || !WPACKET_close(pkt)
1283
2.81k
            || !WPACKET_close(pkt)) {
1284
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1285
0
        return EXT_RETURN_FAIL;
1286
0
    }
1287
1288
2.81k
    return EXT_RETURN_SENT;
1289
2.81k
}
1290
1291
EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
1292
                                          unsigned int context, X509 *x,
1293
                                          size_t chainidx)
1294
10.8k
{
1295
10.8k
    if (s->servername_done != 1)
1296
10.8k
        return EXT_RETURN_NOT_SENT;
1297
1298
    /*
1299
     * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1300
     * We just use the servername from the initial handshake.
1301
     */
1302
0
    if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
1303
0
        return EXT_RETURN_NOT_SENT;
1304
1305
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1306
0
            || !WPACKET_put_bytes_u16(pkt, 0)) {
1307
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1308
0
        return EXT_RETURN_FAIL;
1309
0
    }
1310
1311
0
    return EXT_RETURN_SENT;
1312
0
}
1313
1314
/* Add/include the server's max fragment len extension into ServerHello */
1315
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
1316
                                             unsigned int context, X509 *x,
1317
                                             size_t chainidx)
1318
10.8k
{
1319
10.8k
    if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1320
10.5k
        return EXT_RETURN_NOT_SENT;
1321
1322
    /*-
1323
     * 4 bytes for this extension type and extension length
1324
     * 1 byte for the Max Fragment Length code value.
1325
     */
1326
356
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1327
356
        || !WPACKET_start_sub_packet_u16(pkt)
1328
356
        || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1329
356
        || !WPACKET_close(pkt)) {
1330
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1331
0
        return EXT_RETURN_FAIL;
1332
0
    }
1333
1334
356
    return EXT_RETURN_SENT;
1335
356
}
1336
1337
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
1338
                                            unsigned int context, X509 *x,
1339
                                            size_t chainidx)
1340
9.14k
{
1341
9.14k
    unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1342
9.14k
    unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1343
9.14k
    int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1344
9.14k
                    && (s->ext.peer_ecpointformats != NULL);
1345
9.14k
    const unsigned char *plist;
1346
9.14k
    size_t plistlen;
1347
1348
9.14k
    if (!using_ecc)
1349
7.36k
        return EXT_RETURN_NOT_SENT;
1350
1351
1.78k
    tls1_get_formatlist(s, &plist, &plistlen);
1352
1.78k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1353
1.78k
            || !WPACKET_start_sub_packet_u16(pkt)
1354
1.78k
            || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1355
1.78k
            || !WPACKET_close(pkt)) {
1356
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1357
0
        return EXT_RETURN_FAIL;
1358
0
    }
1359
1360
1.78k
    return EXT_RETURN_SENT;
1361
1.78k
}
1362
1363
EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
1364
                                               unsigned int context, X509 *x,
1365
                                               size_t chainidx)
1366
10.8k
{
1367
10.8k
    const uint16_t *groups;
1368
10.8k
    size_t numgroups, i, first = 1;
1369
10.8k
    int version;
1370
1371
    /* s->s3.group_id is non zero if we accepted a key_share */
1372
10.8k
    if (s->s3.group_id == 0)
1373
9.14k
        return EXT_RETURN_NOT_SENT;
1374
1375
    /* Get our list of supported groups */
1376
1.74k
    tls1_get_supported_groups(s, &groups, &numgroups);
1377
1.74k
    if (numgroups == 0) {
1378
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1379
0
        return EXT_RETURN_FAIL;
1380
0
    }
1381
1382
    /* Copy group ID if supported */
1383
1.74k
    version = SSL_version(SSL_CONNECTION_GET_SSL(s));
1384
2.25k
    for (i = 0; i < numgroups; i++) {
1385
2.20k
        uint16_t group = groups[i];
1386
1387
2.20k
        if (tls_valid_group(s, group, version, version, 0, NULL)
1388
2.20k
                && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1389
2.20k
            if (first) {
1390
                /*
1391
                 * Check if the client is already using our preferred group. If
1392
                 * so we don't need to add this extension
1393
                 */
1394
1.74k
                if (s->s3.group_id == group)
1395
1.69k
                    return EXT_RETURN_NOT_SENT;
1396
1397
                /* Add extension header */
1398
51
                if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1399
                           /* Sub-packet for supported_groups extension */
1400
51
                        || !WPACKET_start_sub_packet_u16(pkt)
1401
51
                        || !WPACKET_start_sub_packet_u16(pkt)) {
1402
0
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1403
0
                    return EXT_RETURN_FAIL;
1404
0
                }
1405
1406
51
                first = 0;
1407
51
            }
1408
510
            if (!WPACKET_put_bytes_u16(pkt, group)) {
1409
0
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1410
0
                    return EXT_RETURN_FAIL;
1411
0
                }
1412
510
        }
1413
2.20k
    }
1414
1415
51
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1416
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1417
0
        return EXT_RETURN_FAIL;
1418
0
    }
1419
1420
51
    return EXT_RETURN_SENT;
1421
51
}
1422
1423
EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
1424
                                             unsigned int context, X509 *x,
1425
                                             size_t chainidx)
1426
9.14k
{
1427
9.14k
    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1428
7.76k
        s->ext.ticket_expected = 0;
1429
7.76k
        return EXT_RETURN_NOT_SENT;
1430
7.76k
    }
1431
1432
1.38k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1433
1.38k
            || !WPACKET_put_bytes_u16(pkt, 0)) {
1434
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1435
0
        return EXT_RETURN_FAIL;
1436
0
    }
1437
1438
1.38k
    return EXT_RETURN_SENT;
1439
1.38k
}
1440
1441
#ifndef OPENSSL_NO_OCSP
1442
EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
1443
                                             unsigned int context, X509 *x,
1444
                                             size_t chainidx)
1445
10.8k
{
1446
    /* We don't currently support this extension inside a CertificateRequest */
1447
10.8k
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1448
0
        return EXT_RETURN_NOT_SENT;
1449
1450
10.8k
    if (!s->ext.status_expected)
1451
10.8k
        return EXT_RETURN_NOT_SENT;
1452
1453
0
    if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
1454
0
        return EXT_RETURN_NOT_SENT;
1455
1456
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1457
0
            || !WPACKET_start_sub_packet_u16(pkt)) {
1458
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1459
0
        return EXT_RETURN_FAIL;
1460
0
    }
1461
1462
    /*
1463
     * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1464
     * send back an empty extension, with the certificate status appearing as a
1465
     * separate message
1466
     */
1467
0
    if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1468
       /* SSLfatal() already called */
1469
0
       return EXT_RETURN_FAIL;
1470
0
    }
1471
0
    if (!WPACKET_close(pkt)) {
1472
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1473
0
        return EXT_RETURN_FAIL;
1474
0
    }
1475
1476
0
    return EXT_RETURN_SENT;
1477
0
}
1478
#endif
1479
1480
#ifndef OPENSSL_NO_NEXTPROTONEG
1481
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
1482
                                             unsigned int context, X509 *x,
1483
                                             size_t chainidx)
1484
9.14k
{
1485
9.14k
    const unsigned char *npa;
1486
9.14k
    unsigned int npalen;
1487
9.14k
    int ret;
1488
9.14k
    int npn_seen = s->s3.npn_seen;
1489
9.14k
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1490
1491
9.14k
    s->s3.npn_seen = 0;
1492
9.14k
    if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
1493
9.14k
        return EXT_RETURN_NOT_SENT;
1494
1495
0
    ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1496
0
                                      sctx->ext.npn_advertised_cb_arg);
1497
0
    if (ret == SSL_TLSEXT_ERR_OK) {
1498
0
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1499
0
                || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1500
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1501
0
            return EXT_RETURN_FAIL;
1502
0
        }
1503
0
        s->s3.npn_seen = 1;
1504
0
        return EXT_RETURN_SENT;
1505
0
    }
1506
1507
0
    return EXT_RETURN_NOT_SENT;
1508
0
}
1509
#endif
1510
1511
EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
1512
                                   X509 *x, size_t chainidx)
1513
10.8k
{
1514
10.8k
    if (s->s3.alpn_selected == NULL)
1515
10.8k
        return EXT_RETURN_NOT_SENT;
1516
1517
0
    if (!WPACKET_put_bytes_u16(pkt,
1518
0
                TLSEXT_TYPE_application_layer_protocol_negotiation)
1519
0
            || !WPACKET_start_sub_packet_u16(pkt)
1520
0
            || !WPACKET_start_sub_packet_u16(pkt)
1521
0
            || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1522
0
                                      s->s3.alpn_selected_len)
1523
0
            || !WPACKET_close(pkt)
1524
0
            || !WPACKET_close(pkt)) {
1525
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1526
0
        return EXT_RETURN_FAIL;
1527
0
    }
1528
1529
0
    return EXT_RETURN_SENT;
1530
0
}
1531
1532
#ifndef OPENSSL_NO_SRTP
1533
EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
1534
                                       unsigned int context, X509 *x,
1535
                                       size_t chainidx)
1536
10.8k
{
1537
10.8k
    if (s->srtp_profile == NULL)
1538
10.8k
        return EXT_RETURN_NOT_SENT;
1539
1540
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1541
0
            || !WPACKET_start_sub_packet_u16(pkt)
1542
0
            || !WPACKET_put_bytes_u16(pkt, 2)
1543
0
            || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1544
0
            || !WPACKET_put_bytes_u8(pkt, 0)
1545
0
            || !WPACKET_close(pkt)) {
1546
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1547
0
        return EXT_RETURN_FAIL;
1548
0
    }
1549
1550
0
    return EXT_RETURN_SENT;
1551
0
}
1552
#endif
1553
1554
EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1555
                                  unsigned int context,
1556
                                  X509 *x, size_t chainidx)
1557
9.14k
{
1558
9.14k
    if (!s->ext.use_etm)
1559
8.50k
        return EXT_RETURN_NOT_SENT;
1560
1561
    /*
1562
     * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1563
     * for other cases too.
1564
     */
1565
644
    if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1566
644
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1567
644
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1568
644
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1569
644
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1570
644
        || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1571
86
        s->ext.use_etm = 0;
1572
86
        return EXT_RETURN_NOT_SENT;
1573
86
    }
1574
1575
558
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1576
558
            || !WPACKET_put_bytes_u16(pkt, 0)) {
1577
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1578
0
        return EXT_RETURN_FAIL;
1579
0
    }
1580
1581
558
    return EXT_RETURN_SENT;
1582
558
}
1583
1584
EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1585
                                  unsigned int context,
1586
                                  X509 *x, size_t chainidx)
1587
9.14k
{
1588
9.14k
    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1589
7.48k
        return EXT_RETURN_NOT_SENT;
1590
1591
1.66k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1592
1.66k
            || !WPACKET_put_bytes_u16(pkt, 0)) {
1593
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1594
0
        return EXT_RETURN_FAIL;
1595
0
    }
1596
1597
1.66k
    return EXT_RETURN_SENT;
1598
1.66k
}
1599
1600
EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
1601
                                                 unsigned int context, X509 *x,
1602
                                                 size_t chainidx)
1603
2.24k
{
1604
2.24k
    if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
1605
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1606
0
        return EXT_RETURN_FAIL;
1607
0
    }
1608
1609
2.24k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1610
2.24k
            || !WPACKET_start_sub_packet_u16(pkt)
1611
2.24k
            || !WPACKET_put_bytes_u16(pkt, s->version)
1612
2.24k
            || !WPACKET_close(pkt)) {
1613
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1614
0
        return EXT_RETURN_FAIL;
1615
0
    }
1616
1617
2.24k
    return EXT_RETURN_SENT;
1618
2.24k
}
1619
1620
EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
1621
                                        unsigned int context, X509 *x,
1622
                                        size_t chainidx)
1623
2.24k
{
1624
2.24k
#ifndef OPENSSL_NO_TLS1_3
1625
2.24k
    unsigned char *encodedPoint;
1626
2.24k
    size_t encoded_pt_len = 0;
1627
2.24k
    EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1628
2.24k
    const TLS_GROUP_INFO *ginf = NULL;
1629
1630
2.24k
    if (s->hello_retry_request == SSL_HRR_PENDING) {
1631
486
        if (ckey != NULL) {
1632
            /* Original key_share was acceptable so don't ask for another one */
1633
0
            return EXT_RETURN_NOT_SENT;
1634
0
        }
1635
486
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1636
486
                || !WPACKET_start_sub_packet_u16(pkt)
1637
486
                || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1638
486
                || !WPACKET_close(pkt)) {
1639
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1640
0
            return EXT_RETURN_FAIL;
1641
0
        }
1642
1643
486
        return EXT_RETURN_SENT;
1644
486
    }
1645
1646
1.75k
    if (ckey == NULL) {
1647
        /* No key_share received from client - must be resuming */
1648
0
        if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1649
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1650
0
            return EXT_RETURN_FAIL;
1651
0
        }
1652
0
        return EXT_RETURN_NOT_SENT;
1653
0
    }
1654
1.75k
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1655
        /*
1656
         * PSK ('hit') and explicitly not doing DHE (if the client sent the
1657
         * DHE option we always take it); don't send key share.
1658
         */
1659
0
        return EXT_RETURN_NOT_SENT;
1660
0
    }
1661
1662
1.75k
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1663
1.75k
            || !WPACKET_start_sub_packet_u16(pkt)
1664
1.75k
            || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1665
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1666
0
        return EXT_RETURN_FAIL;
1667
0
    }
1668
1669
1.75k
    if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1670
1.75k
                                     s->s3.group_id)) == NULL) {
1671
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1672
0
        return EXT_RETURN_FAIL;
1673
0
    }
1674
1675
1.75k
    if (!ginf->is_kem) {
1676
        /* Regular KEX */
1677
1.75k
        skey = ssl_generate_pkey(s, ckey);
1678
1.75k
        if (skey == NULL) {
1679
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1680
0
            return EXT_RETURN_FAIL;
1681
0
        }
1682
1683
        /* Generate encoding of server key */
1684
1.75k
        encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1685
1.75k
        if (encoded_pt_len == 0) {
1686
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1687
0
            EVP_PKEY_free(skey);
1688
0
            return EXT_RETURN_FAIL;
1689
0
        }
1690
1691
1.75k
        if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1692
1.75k
                || !WPACKET_close(pkt)) {
1693
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1694
0
            EVP_PKEY_free(skey);
1695
0
            OPENSSL_free(encodedPoint);
1696
0
            return EXT_RETURN_FAIL;
1697
0
        }
1698
1.75k
        OPENSSL_free(encodedPoint);
1699
1700
        /*
1701
         * This causes the crypto state to be updated based on the derived keys
1702
         */
1703
1.75k
        s->s3.tmp.pkey = skey;
1704
1.75k
        if (ssl_derive(s, skey, ckey, 1) == 0) {
1705
            /* SSLfatal() already called */
1706
15
            return EXT_RETURN_FAIL;
1707
15
        }
1708
1.75k
    } else {
1709
        /* KEM mode */
1710
0
        unsigned char *ct = NULL;
1711
0
        size_t ctlen = 0;
1712
1713
        /*
1714
         * This does not update the crypto state.
1715
         *
1716
         * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1717
         * ssl_gensecret().
1718
         */
1719
0
        if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1720
            /* SSLfatal() already called */
1721
0
            return EXT_RETURN_FAIL;
1722
0
        }
1723
1724
0
        if (ctlen == 0) {
1725
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1726
0
            OPENSSL_free(ct);
1727
0
            return EXT_RETURN_FAIL;
1728
0
        }
1729
1730
0
        if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1731
0
                || !WPACKET_close(pkt)) {
1732
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1733
0
            OPENSSL_free(ct);
1734
0
            return EXT_RETURN_FAIL;
1735
0
        }
1736
0
        OPENSSL_free(ct);
1737
1738
        /*
1739
         * This causes the crypto state to be updated based on the generated pms
1740
         */
1741
0
        if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1742
            /* SSLfatal() already called */
1743
0
            return EXT_RETURN_FAIL;
1744
0
        }
1745
0
    }
1746
1.74k
    s->s3.did_kex = 1;
1747
1.74k
    return EXT_RETURN_SENT;
1748
#else
1749
    return EXT_RETURN_FAIL;
1750
#endif
1751
1.75k
}
1752
1753
EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1754
                                     unsigned int context,
1755
                                     X509 *x, size_t chainidx)
1756
486
{
1757
486
#ifndef OPENSSL_NO_TLS1_3
1758
486
    unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1759
486
    unsigned char *hmac, *hmac2;
1760
486
    size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1761
486
    EVP_MD_CTX *hctx;
1762
486
    EVP_PKEY *pkey;
1763
486
    int ret = EXT_RETURN_FAIL;
1764
486
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1765
486
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1766
1767
486
    if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1768
486
        return EXT_RETURN_NOT_SENT;
1769
1770
0
    if (sctx->gen_stateless_cookie_cb == NULL) {
1771
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1772
0
        return EXT_RETURN_FAIL;
1773
0
    }
1774
1775
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1776
0
            || !WPACKET_start_sub_packet_u16(pkt)
1777
0
            || !WPACKET_start_sub_packet_u16(pkt)
1778
0
            || !WPACKET_get_total_written(pkt, &startlen)
1779
0
            || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1780
0
            || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1781
0
            || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1782
0
            || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1783
0
            || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1784
0
                                                &ciphlen)
1785
               /* Is there a key_share extension present in this HRR? */
1786
0
            || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1787
0
            || !WPACKET_put_bytes_u64(pkt, time(NULL))
1788
0
            || !WPACKET_start_sub_packet_u16(pkt)
1789
0
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1790
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1791
0
        return EXT_RETURN_FAIL;
1792
0
    }
1793
1794
    /*
1795
     * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1796
     * on raw buffers, so we first reserve sufficient bytes (above) and then
1797
     * subsequently allocate them (below)
1798
     */
1799
0
    if (!ssl3_digest_cached_records(s, 0)
1800
0
            || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1801
        /* SSLfatal() already called */
1802
0
        return EXT_RETURN_FAIL;
1803
0
    }
1804
1805
0
    if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1806
0
            || !ossl_assert(hashval1 == hashval2)
1807
0
            || !WPACKET_close(pkt)
1808
0
            || !WPACKET_start_sub_packet_u8(pkt)
1809
0
            || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1810
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1811
0
        return EXT_RETURN_FAIL;
1812
0
    }
1813
1814
    /* Generate the application cookie */
1815
0
    if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1816
0
                                      &appcookielen) == 0) {
1817
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1818
0
        return EXT_RETURN_FAIL;
1819
0
    }
1820
1821
0
    if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1822
0
            || !ossl_assert(appcookie1 == appcookie2)
1823
0
            || !WPACKET_close(pkt)
1824
0
            || !WPACKET_get_total_written(pkt, &totcookielen)
1825
0
            || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1826
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1827
0
        return EXT_RETURN_FAIL;
1828
0
    }
1829
0
    hmaclen = SHA256_DIGEST_LENGTH;
1830
1831
0
    totcookielen -= startlen;
1832
0
    if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1833
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1834
0
        return EXT_RETURN_FAIL;
1835
0
    }
1836
1837
    /* HMAC the cookie */
1838
0
    hctx = EVP_MD_CTX_create();
1839
0
    pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1840
0
                                           sctx->propq,
1841
0
                                           s->session_ctx->ext.cookie_hmac_key,
1842
0
                                           sizeof(s->session_ctx->ext.cookie_hmac_key));
1843
0
    if (hctx == NULL || pkey == NULL) {
1844
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1845
0
        goto err;
1846
0
    }
1847
1848
0
    if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1849
0
                              sctx->propq, pkey, NULL) <= 0
1850
0
            || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1851
0
                              totcookielen) <= 0) {
1852
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1853
0
        goto err;
1854
0
    }
1855
1856
0
    if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1857
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1858
0
        goto err;
1859
0
    }
1860
1861
0
    if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1862
0
            || !ossl_assert(hmac == hmac2)
1863
0
            || !ossl_assert(cookie == hmac - totcookielen)
1864
0
            || !WPACKET_close(pkt)
1865
0
            || !WPACKET_close(pkt)) {
1866
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1867
0
        goto err;
1868
0
    }
1869
1870
0
    ret = EXT_RETURN_SENT;
1871
1872
0
 err:
1873
0
    EVP_MD_CTX_free(hctx);
1874
0
    EVP_PKEY_free(pkey);
1875
0
    return ret;
1876
#else
1877
    return EXT_RETURN_FAIL;
1878
#endif
1879
0
}
1880
1881
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
1882
                                            unsigned int context, X509 *x,
1883
                                            size_t chainidx)
1884
9.14k
{
1885
9.14k
    const unsigned char cryptopro_ext[36] = {
1886
9.14k
        0xfd, 0xe8,         /* 65000 */
1887
9.14k
        0x00, 0x20,         /* 32 bytes length */
1888
9.14k
        0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1889
9.14k
        0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1890
9.14k
        0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1891
9.14k
        0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1892
9.14k
    };
1893
1894
9.14k
    if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1895
9.14k
         && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1896
9.14k
            || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1897
0
                & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1898
9.14k
        return EXT_RETURN_NOT_SENT;
1899
1900
0
    if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1901
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1902
0
        return EXT_RETURN_FAIL;
1903
0
    }
1904
1905
0
    return EXT_RETURN_SENT;
1906
0
}
1907
1908
EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
1909
                                         unsigned int context, X509 *x,
1910
                                         size_t chainidx)
1911
1.74k
{
1912
1.74k
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1913
0
        if (s->max_early_data == 0)
1914
0
            return EXT_RETURN_NOT_SENT;
1915
1916
0
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1917
0
                || !WPACKET_start_sub_packet_u16(pkt)
1918
0
                || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1919
0
                || !WPACKET_close(pkt)) {
1920
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1921
0
            return EXT_RETURN_FAIL;
1922
0
        }
1923
1924
0
        return EXT_RETURN_SENT;
1925
0
    }
1926
1927
1.74k
    if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1928
1.74k
        return EXT_RETURN_NOT_SENT;
1929
1930
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1931
0
            || !WPACKET_start_sub_packet_u16(pkt)
1932
0
            || !WPACKET_close(pkt)) {
1933
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1934
0
        return EXT_RETURN_FAIL;
1935
0
    }
1936
1937
0
    return EXT_RETURN_SENT;
1938
0
}
1939
1940
EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1941
                                  unsigned int context,
1942
                                  X509 *x, size_t chainidx)
1943
1.74k
{
1944
1.74k
    if (!s->hit)
1945
1.74k
        return EXT_RETURN_NOT_SENT;
1946
1947
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1948
0
            || !WPACKET_start_sub_packet_u16(pkt)
1949
0
            || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1950
0
            || !WPACKET_close(pkt)) {
1951
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1952
0
        return EXT_RETURN_FAIL;
1953
0
    }
1954
1955
0
    return EXT_RETURN_SENT;
1956
0
}
1957
1958
EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
1959
                                               unsigned int context,
1960
                                               X509 *x, size_t chainidx)
1961
7.24k
{
1962
7.24k
    if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
1963
7.24k
        && (send_certificate_request(sc)
1964
0
            || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
1965
        /* Did not receive an acceptable cert type - and doing client auth */
1966
0
        SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
1967
0
        return EXT_RETURN_FAIL;
1968
0
    }
1969
1970
7.24k
    if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
1971
7.24k
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1972
7.24k
        return EXT_RETURN_NOT_SENT;
1973
7.24k
    }
1974
1975
    /*
1976
     * Note: only supposed to send this if we are going to do a cert request,
1977
     * but TLSv1.3 could do a PHA request if the client supports it
1978
     */
1979
0
    if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
1980
0
            || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
1981
0
            || sc->client_cert_type == NULL) {
1982
        /* if we don't send it, reset to TLSEXT_cert_type_x509 */
1983
0
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1984
0
        sc->ext.client_cert_type = TLSEXT_cert_type_x509;
1985
0
        return EXT_RETURN_NOT_SENT;
1986
0
    }
1987
1988
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
1989
0
            || !WPACKET_start_sub_packet_u16(pkt)
1990
0
            || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
1991
0
            || !WPACKET_close(pkt)) {
1992
0
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1993
0
        return EXT_RETURN_FAIL;
1994
0
    }
1995
0
    return EXT_RETURN_SENT;
1996
0
}
1997
1998
/* One of |pref|, |other| is configured and the values are sanitized */
1999
static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
2000
                               const unsigned char *other, size_t other_len,
2001
                               uint8_t *chosen_cert_type)
2002
0
{
2003
0
    size_t i;
2004
2005
0
    for (i = 0; i < pref_len; i++) {
2006
0
        if (memchr(other, pref[i], other_len) != NULL) {
2007
0
            *chosen_cert_type = pref[i];
2008
0
            return OSSL_CERT_TYPE_CTOS_GOOD;
2009
0
        }
2010
0
    }
2011
0
    return OSSL_CERT_TYPE_CTOS_ERROR;
2012
0
}
2013
2014
int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2015
                                    unsigned int context,
2016
                                    X509 *x, size_t chainidx)
2017
108
{
2018
108
    PACKET supported_cert_types;
2019
108
    const unsigned char *data;
2020
108
    size_t len;
2021
2022
    /* Ignore the extension */
2023
108
    if (sc->client_cert_type == NULL) {
2024
108
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2025
108
        sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2026
108
        return 1;
2027
108
    }
2028
2029
0
    if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2030
0
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2031
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2032
0
        return 0;
2033
0
    }
2034
0
    if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2035
0
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2036
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2037
0
        return 0;
2038
0
    }
2039
0
    if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2040
0
        sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2041
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2042
0
        return 0;
2043
0
    }
2044
    /* client_cert_type: client (peer) has priority */
2045
0
    sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2046
0
                                                        sc->client_cert_type, sc->client_cert_type_len,
2047
0
                                                        &sc->ext.client_cert_type);
2048
2049
    /* Ignore the error until sending - so we can check cert auth*/
2050
0
    return 1;
2051
0
}
2052
2053
EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2054
                                               unsigned int context,
2055
                                               X509 *x, size_t chainidx)
2056
7.24k
{
2057
7.24k
    if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2058
7.24k
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2059
7.24k
        return EXT_RETURN_NOT_SENT;
2060
7.24k
    }
2061
0
    if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2062
0
            || sc->server_cert_type == NULL) {
2063
        /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2064
0
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2065
0
        sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2066
0
        return EXT_RETURN_NOT_SENT;
2067
0
    }
2068
2069
0
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2070
0
            || !WPACKET_start_sub_packet_u16(pkt)
2071
0
            || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2072
0
            || !WPACKET_close(pkt)) {
2073
0
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2074
0
        return EXT_RETURN_FAIL;
2075
0
    }
2076
0
    return EXT_RETURN_SENT;
2077
0
}
2078
2079
int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2080
                                    unsigned int context,
2081
                                    X509 *x, size_t chainidx)
2082
44
{
2083
44
    PACKET supported_cert_types;
2084
44
    const unsigned char *data;
2085
44
    size_t len;
2086
2087
    /* Ignore the extension */
2088
44
    if (sc->server_cert_type == NULL) {
2089
44
        sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2090
44
        sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2091
44
        return 1;
2092
44
    }
2093
2094
0
    if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2095
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2096
0
        return 0;
2097
0
    }
2098
2099
0
    if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2100
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2101
0
        return 0;
2102
0
    }
2103
0
    if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2104
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2105
0
        return 0;
2106
0
    }
2107
    /* server_cert_type: server (this) has priority */
2108
0
    sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2109
0
                                                        data, len,
2110
0
                                                        &sc->ext.server_cert_type);
2111
0
    if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2112
0
        return 1;
2113
2114
    /* Did not receive an acceptable cert type */
2115
0
    SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2116
0
    return 0;
2117
0
}