+int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+ size_t chainidx)
+{
+ unsigned int format, version, key_share, group_id;
+ EVP_MD_CTX *hctx;
+ EVP_PKEY *pkey;
+ PACKET cookie, raw, chhash, appcookie;
+ WPACKET hrrpkt;
+ const unsigned char *data, *mdin, *ciphdata;
+ unsigned char hmac[SHA256_DIGEST_LENGTH];
+ unsigned char hrr[MAX_HRR_SIZE];
+ size_t rawlen, hmaclen, hrrlen, ciphlen;
+ unsigned long tm, now;
+
+ /* Ignore any cookie if we're not set up to verify it */
+ if (s->ctx->verify_stateless_cookie_cb == NULL
+ || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
+ return 1;
+
+ if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ raw = cookie;
+ data = PACKET_data(&raw);
+ rawlen = PACKET_remaining(&raw);
+ if (rawlen < SHA256_DIGEST_LENGTH
+ || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+ mdin = PACKET_data(&raw);
+
+ /* Verify the HMAC of the cookie */
+ hctx = EVP_MD_CTX_create();
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ s->session_ctx->ext.cookie_hmac_key,
+ sizeof(s->session_ctx->ext
+ .cookie_hmac_key));
+ if (hctx == NULL || pkey == NULL) {
+ EVP_MD_CTX_free(hctx);
+ EVP_PKEY_free(pkey);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ hmaclen = SHA256_DIGEST_LENGTH;
+ if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
+ || EVP_DigestSign(hctx, hmac, &hmaclen, data,
+ rawlen - SHA256_DIGEST_LENGTH) <= 0
+ || hmaclen != SHA256_DIGEST_LENGTH) {
+ EVP_MD_CTX_free(hctx);
+ EVP_PKEY_free(pkey);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ EVP_MD_CTX_free(hctx);
+ EVP_PKEY_free(pkey);
+
+ if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_COOKIE_MISMATCH);
+ return 0;
+ }
+
+ if (!PACKET_get_net_2(&cookie, &format)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+ /* Check the cookie format is something we recognise. Ignore it if not */
+ if (format != COOKIE_STATE_FORMAT_VERSION)
+ return 1;
+
+ /*
+ * The rest of these checks really shouldn't fail since we have verified the
+ * HMAC above.
+ */
+
+ /* Check the version number is sane */
+ if (!PACKET_get_net_2(&cookie, &version)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+ if (version != TLS1_3_VERSION) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+ return 0;
+ }
+
+ if (!PACKET_get_net_2(&cookie, &group_id)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ ciphdata = PACKET_data(&cookie);
+ if (!PACKET_forward(&cookie, 2)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+ if (group_id != s->s3->group_id
+ || s->s3->tmp.new_cipher
+ != ssl_get_cipher_by_char(s, ciphdata, 0)) {
+ /*
+ * We chose a different cipher or group id this time around to what is
+ * in the cookie. Something must have changed.
+ */
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_BAD_CIPHER);
+ return 0;
+ }
+
+ if (!PACKET_get_1(&cookie, &key_share)
+ || !PACKET_get_net_4(&cookie, &tm)
+ || !PACKET_get_length_prefixed_2(&cookie, &chhash)
+ || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
+ || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
+ now = (unsigned long)time(NULL);
+ if (tm > now || (now - tm) > 600) {
+ /* Cookie is stale. Ignore it */
+ return 1;
+ }
+
+ /* Verify the app cookie */
+ if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
+ PACKET_remaining(&appcookie)) == 0) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_COOKIE_MISMATCH);
+ return 0;
+ }
+
+ /*
+ * Reconstruct the HRR that we would have sent in response to the original
+ * ClientHello so we can add it to the transcript hash.
+ * Note: This won't work with custom HRR extensions
+ */
+ if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
+ || !WPACKET_start_sub_packet_u24(&hrrpkt)
+ || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
+ || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
+ || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
+ s->tmp_session_id_len)
+ || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
+ &ciphlen)
+ || !WPACKET_put_bytes_u8(&hrrpkt, 0)
+ || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
+ WPACKET_cleanup(&hrrpkt);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
+ || !WPACKET_start_sub_packet_u16(&hrrpkt)
+ /* TODO(TLS1.3): Fix this before release */
+ || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
+ || !WPACKET_close(&hrrpkt)) {
+ WPACKET_cleanup(&hrrpkt);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (key_share) {
+ if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
+ || !WPACKET_start_sub_packet_u16(&hrrpkt)
+ || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
+ || !WPACKET_close(&hrrpkt)) {
+ WPACKET_cleanup(&hrrpkt);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
+ || !WPACKET_start_sub_packet_u16(&hrrpkt)
+ || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
+ || !WPACKET_close(&hrrpkt) /* cookie extension */
+ || !WPACKET_close(&hrrpkt) /* extension block */
+ || !WPACKET_close(&hrrpkt) /* message */
+ || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
+ || !WPACKET_finish(&hrrpkt)) {
+ WPACKET_cleanup(&hrrpkt);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /* Reconstruct the transcript hash */
+ if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
+ PACKET_remaining(&chhash), hrr,
+ hrrlen)) {
+ /* SSLfatal() already called */
+ return 0;
+ }
+
+ /* Act as if this ClientHello came after a HelloRetryRequest */
+ s->hello_retry_request = 1;
+
+ s->ext.cookieok = 1;
+
+ return 1;
+}
+