Update code for the final RFC version of TLSv1.3 (RFC8446)
[openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
14
15 #define COOKIE_STATE_FORMAT_VERSION     0
16
17 /*
18  * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19  * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20  * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21  * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22  * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23  */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25                          + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27 /*
28  * Message header + 2 bytes for protocol version + number of random bytes +
29  * + 1 byte for legacy session id length + number of bytes in legacy session id
30  * + 2 bytes for ciphersuite + 1 byte for legacy compression
31  * + 2 bytes for extension block length + 6 bytes for key_share extension
32  * + 4 bytes for cookie extension header + the number of bytes in the cookie
33  */
34 #define MAX_HRR_SIZE    (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35                          + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36                          + MAX_COOKIE_SIZE)
37
38 /*
39  * Parse the client's renegotiation binding and abort if it's not right
40  */
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42                                X509 *x, size_t chainidx)
43 {
44     unsigned int ilen;
45     const unsigned char *data;
46
47     /* Parse the length byte */
48     if (!PACKET_get_1(pkt, &ilen)
49         || !PACKET_get_bytes(pkt, &data, ilen)) {
50         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51                  SSL_R_RENEGOTIATION_ENCODING_ERR);
52         return 0;
53     }
54
55     /* Check that the extension matches */
56     if (ilen != s->s3->previous_client_finished_len) {
57         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58                  SSL_R_RENEGOTIATION_MISMATCH);
59         return 0;
60     }
61
62     if (memcmp(data, s->s3->previous_client_finished,
63                s->s3->previous_client_finished_len)) {
64         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65                  SSL_R_RENEGOTIATION_MISMATCH);
66         return 0;
67     }
68
69     s->s3->send_connection_binding = 1;
70
71     return 1;
72 }
73
74 /*-
75  * The servername extension is treated as follows:
76  *
77  * - Only the hostname type is supported with a maximum length of 255.
78  * - The servername is rejected if too long or if it contains zeros,
79  *   in which case an fatal alert is generated.
80  * - The servername field is maintained together with the session cache.
81  * - When a session is resumed, the servername call back invoked in order
82  *   to allow the application to position itself to the right context.
83  * - The servername is acknowledged if it is new for a session or when
84  *   it is identical to a previously used for the same session.
85  *   Applications can control the behaviour.  They can at any time
86  *   set a 'desirable' servername for a new SSL object. This can be the
87  *   case for example with HTTPS when a Host: header field is received and
88  *   a renegotiation is requested. In this case, a possible servername
89  *   presented in the new client hello is only acknowledged if it matches
90  *   the value of the Host: field.
91  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92  *   if they provide for changing an explicit servername context for the
93  *   session, i.e. when the session has been established with a servername
94  *   extension.
95  * - On session reconnect, the servername extension may be absent.
96  */
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98                                X509 *x, size_t chainidx)
99 {
100     unsigned int servname_type;
101     PACKET sni, hostname;
102
103     if (!PACKET_as_length_prefixed_2(pkt, &sni)
104         /* ServerNameList must be at least 1 byte long. */
105         || PACKET_remaining(&sni) == 0) {
106         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107                  SSL_R_BAD_EXTENSION);
108         return 0;
109     }
110
111     /*
112      * Although the intent was for server_name to be extensible, RFC 4366
113      * was not clear about it; and so OpenSSL among other implementations,
114      * always and only allows a 'host_name' name types.
115      * RFC 6066 corrected the mistake but adding new name types
116      * is nevertheless no longer feasible, so act as if no other
117      * SNI types can exist, to simplify parsing.
118      *
119      * Also note that the RFC permits only one SNI value per type,
120      * i.e., we can only have a single hostname.
121      */
122     if (!PACKET_get_1(&sni, &servname_type)
123         || servname_type != TLSEXT_NAMETYPE_host_name
124         || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126                  SSL_R_BAD_EXTENSION);
127         return 0;
128     }
129
130     if (!s->hit || SSL_IS_TLS13(s)) {
131         if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133                      SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134                      SSL_R_BAD_EXTENSION);
135             return 0;
136         }
137
138         if (PACKET_contains_zero_byte(&hostname)) {
139             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140                      SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141                      SSL_R_BAD_EXTENSION);
142             return 0;
143         }
144
145         /*
146          * Store the requested SNI in the SSL as temporary storage.
147          * If we accept it, it will get stored in the SSL_SESSION as well.
148          */
149         OPENSSL_free(s->ext.hostname);
150         s->ext.hostname = NULL;
151         if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
152             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
153                      ERR_R_INTERNAL_ERROR);
154             return 0;
155         }
156
157         s->servername_done = 1;
158     }
159     if (s->hit) {
160         /*
161          * TODO(openssl-team): if the SNI doesn't match, we MUST
162          * fall back to a full handshake.
163          */
164         s->servername_done = (s->session->ext.hostname != NULL)
165             && PACKET_equal(&hostname, s->session->ext.hostname,
166                             strlen(s->session->ext.hostname));
167
168         if (!s->servername_done && s->session->ext.hostname != NULL)
169             s->ext.early_data_ok = 0;
170     }
171
172     return 1;
173 }
174
175 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
176                                   X509 *x, size_t chainidx)
177 {
178     unsigned int value;
179
180     if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
181         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
182                  SSL_R_BAD_EXTENSION);
183         return 0;
184     }
185
186     /* Received |value| should be a valid max-fragment-length code. */
187     if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
188         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
189                  SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
190                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191         return 0;
192     }
193
194     /*
195      * RFC 6066:  The negotiated length applies for the duration of the session
196      * including session resumptions.
197      * We should receive the same code as in resumed session !
198      */
199     if (s->hit && s->session->ext.max_fragment_len_mode != value) {
200         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
201                  SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
202                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
203         return 0;
204     }
205
206     /*
207      * Store it in session, so it'll become binding for us
208      * and we'll include it in a next Server Hello.
209      */
210     s->session->ext.max_fragment_len_mode = value;
211     return 1;
212 }
213
214 #ifndef OPENSSL_NO_SRP
215 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
216                        size_t chainidx)
217 {
218     PACKET srp_I;
219
220     if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
221             || PACKET_contains_zero_byte(&srp_I)) {
222         SSLfatal(s, SSL_AD_DECODE_ERROR,
223                  SSL_F_TLS_PARSE_CTOS_SRP,
224                  SSL_R_BAD_EXTENSION);
225         return 0;
226     }
227
228     /*
229      * TODO(openssl-team): currently, we re-authenticate the user
230      * upon resumption. Instead, we MUST ignore the login.
231      */
232     if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
233         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
234                  ERR_R_INTERNAL_ERROR);
235         return 0;
236     }
237
238     return 1;
239 }
240 #endif
241
242 #ifndef OPENSSL_NO_EC
243 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
244                                  X509 *x, size_t chainidx)
245 {
246     PACKET ec_point_format_list;
247
248     if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
249         || PACKET_remaining(&ec_point_format_list) == 0) {
250         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
251                  SSL_R_BAD_EXTENSION);
252         return 0;
253     }
254
255     if (!s->hit) {
256         if (!PACKET_memdup(&ec_point_format_list,
257                            &s->session->ext.ecpointformats,
258                            &s->session->ext.ecpointformats_len)) {
259             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
260                      SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
261             return 0;
262         }
263     }
264
265     return 1;
266 }
267 #endif                          /* OPENSSL_NO_EC */
268
269 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
270                                   X509 *x, size_t chainidx)
271 {
272     if (s->ext.session_ticket_cb &&
273             !s->ext.session_ticket_cb(s, PACKET_data(pkt),
274                                   PACKET_remaining(pkt),
275                                   s->ext.session_ticket_cb_arg)) {
276         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
277                  SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
278         return 0;
279     }
280
281     return 1;
282 }
283
284 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
285                                  X509 *x, size_t chainidx)
286 {
287     PACKET supported_sig_algs;
288
289     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
290             || PACKET_remaining(&supported_sig_algs) == 0) {
291         SSLfatal(s, SSL_AD_DECODE_ERROR,
292                  SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
293         return 0;
294     }
295
296     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
297         SSLfatal(s, SSL_AD_DECODE_ERROR,
298                  SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
299         return 0;
300     }
301
302     return 1;
303 }
304
305 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
306                             size_t chainidx)
307 {
308     PACKET supported_sig_algs;
309
310     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
311             || PACKET_remaining(&supported_sig_algs) == 0) {
312         SSLfatal(s, SSL_AD_DECODE_ERROR,
313                  SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
314         return 0;
315     }
316
317     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
318         SSLfatal(s, SSL_AD_DECODE_ERROR,
319                  SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
320         return 0;
321     }
322
323     return 1;
324 }
325
326 #ifndef OPENSSL_NO_OCSP
327 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
328                                   X509 *x, size_t chainidx)
329 {
330     PACKET responder_id_list, exts;
331
332     /* We ignore this in a resumption handshake */
333     if (s->hit)
334         return 1;
335
336     /* Not defined if we get one of these in a client Certificate */
337     if (x != NULL)
338         return 1;
339
340     if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
341         SSLfatal(s, SSL_AD_DECODE_ERROR,
342                  SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
343         return 0;
344     }
345
346     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
347         /*
348          * We don't know what to do with any other type so ignore it.
349          */
350         s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
351         return 1;
352     }
353
354     if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
355         SSLfatal(s, SSL_AD_DECODE_ERROR,
356                  SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
357         return 0;
358     }
359
360     /*
361      * We remove any OCSP_RESPIDs from a previous handshake
362      * to prevent unbounded memory growth - CVE-2016-6304
363      */
364     sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
365     if (PACKET_remaining(&responder_id_list) > 0) {
366         s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
367         if (s->ext.ocsp.ids == NULL) {
368             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
369                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
370             return 0;
371         }
372     } else {
373         s->ext.ocsp.ids = NULL;
374     }
375
376     while (PACKET_remaining(&responder_id_list) > 0) {
377         OCSP_RESPID *id;
378         PACKET responder_id;
379         const unsigned char *id_data;
380
381         if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
382                 || PACKET_remaining(&responder_id) == 0) {
383             SSLfatal(s, SSL_AD_DECODE_ERROR,
384                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
385             return 0;
386         }
387
388         id_data = PACKET_data(&responder_id);
389         /* TODO(size_t): Convert d2i_* to size_t */
390         id = d2i_OCSP_RESPID(NULL, &id_data,
391                              (int)PACKET_remaining(&responder_id));
392         if (id == NULL) {
393             SSLfatal(s, SSL_AD_DECODE_ERROR,
394                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
395             return 0;
396         }
397
398         if (id_data != PACKET_end(&responder_id)) {
399             OCSP_RESPID_free(id);
400             SSLfatal(s, SSL_AD_DECODE_ERROR,
401                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
402
403             return 0;
404         }
405
406         if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
407             OCSP_RESPID_free(id);
408             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
409                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
410
411             return 0;
412         }
413     }
414
415     /* Read in request_extensions */
416     if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
417         SSLfatal(s, SSL_AD_DECODE_ERROR,
418                  SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
419         return 0;
420     }
421
422     if (PACKET_remaining(&exts) > 0) {
423         const unsigned char *ext_data = PACKET_data(&exts);
424
425         sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
426                                    X509_EXTENSION_free);
427         s->ext.ocsp.exts =
428             d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
429         if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
430             SSLfatal(s, SSL_AD_DECODE_ERROR,
431                      SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
432             return 0;
433         }
434     }
435
436     return 1;
437 }
438 #endif
439
440 #ifndef OPENSSL_NO_NEXTPROTONEG
441 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
442                        size_t chainidx)
443 {
444     /*
445      * We shouldn't accept this extension on a
446      * renegotiation.
447      */
448     if (SSL_IS_FIRST_HANDSHAKE(s))
449         s->s3->npn_seen = 1;
450
451     return 1;
452 }
453 #endif
454
455 /*
456  * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
457  * extension, not including type and length. Returns: 1 on success, 0 on error.
458  */
459 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
460                         size_t chainidx)
461 {
462     PACKET protocol_list, save_protocol_list, protocol;
463
464     if (!SSL_IS_FIRST_HANDSHAKE(s))
465         return 1;
466
467     if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
468         || PACKET_remaining(&protocol_list) < 2) {
469         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
470                  SSL_R_BAD_EXTENSION);
471         return 0;
472     }
473
474     save_protocol_list = protocol_list;
475     do {
476         /* Protocol names can't be empty. */
477         if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
478                 || PACKET_remaining(&protocol) == 0) {
479             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
480                      SSL_R_BAD_EXTENSION);
481             return 0;
482         }
483     } while (PACKET_remaining(&protocol_list) != 0);
484
485     OPENSSL_free(s->s3->alpn_proposed);
486     s->s3->alpn_proposed = NULL;
487     s->s3->alpn_proposed_len = 0;
488     if (!PACKET_memdup(&save_protocol_list,
489                        &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
490         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
491                  ERR_R_INTERNAL_ERROR);
492         return 0;
493     }
494
495     return 1;
496 }
497
498 #ifndef OPENSSL_NO_SRTP
499 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
500                             size_t chainidx)
501 {
502     STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
503     unsigned int ct, mki_len, id;
504     int i, srtp_pref;
505     PACKET subpkt;
506
507     /* Ignore this if we have no SRTP profiles */
508     if (SSL_get_srtp_profiles(s) == NULL)
509         return 1;
510
511     /* Pull off the length of the cipher suite list  and check it is even */
512     if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
513             || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
514         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
515                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
516         return 0;
517     }
518
519     srvr = SSL_get_srtp_profiles(s);
520     s->srtp_profile = NULL;
521     /* Search all profiles for a match initially */
522     srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
523
524     while (PACKET_remaining(&subpkt)) {
525         if (!PACKET_get_net_2(&subpkt, &id)) {
526             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
527                      SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
528             return 0;
529         }
530
531         /*
532          * Only look for match in profiles of higher preference than
533          * current match.
534          * If no profiles have been have been configured then this
535          * does nothing.
536          */
537         for (i = 0; i < srtp_pref; i++) {
538             SRTP_PROTECTION_PROFILE *sprof =
539                 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
540
541             if (sprof->id == id) {
542                 s->srtp_profile = sprof;
543                 srtp_pref = i;
544                 break;
545             }
546         }
547     }
548
549     /* Now extract the MKI value as a sanity check, but discard it for now */
550     if (!PACKET_get_1(pkt, &mki_len)) {
551         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
552                  SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
553         return 0;
554     }
555
556     if (!PACKET_forward(pkt, mki_len)
557         || PACKET_remaining(pkt)) {
558         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
559                  SSL_R_BAD_SRTP_MKI_VALUE);
560         return 0;
561     }
562
563     return 1;
564 }
565 #endif
566
567 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
568                        size_t chainidx)
569 {
570     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
571         s->ext.use_etm = 1;
572
573     return 1;
574 }
575
576 /*
577  * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
578  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
579  */
580 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
581                                  X509 *x, size_t chainidx)
582 {
583 #ifndef OPENSSL_NO_TLS1_3
584     PACKET psk_kex_modes;
585     unsigned int mode;
586
587     if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
588             || PACKET_remaining(&psk_kex_modes) == 0) {
589         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
590                  SSL_R_BAD_EXTENSION);
591         return 0;
592     }
593
594     while (PACKET_get_1(&psk_kex_modes, &mode)) {
595         if (mode == TLSEXT_KEX_MODE_KE_DHE)
596             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
597         else if (mode == TLSEXT_KEX_MODE_KE
598                 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
599             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
600     }
601 #endif
602
603     return 1;
604 }
605
606 /*
607  * Process a key_share extension received in the ClientHello. |pkt| contains
608  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
609  */
610 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
611                              size_t chainidx)
612 {
613 #ifndef OPENSSL_NO_TLS1_3
614     unsigned int group_id;
615     PACKET key_share_list, encoded_pt;
616     const uint16_t *clntgroups, *srvrgroups;
617     size_t clnt_num_groups, srvr_num_groups;
618     int found = 0;
619
620     if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
621         return 1;
622
623     /* Sanity check */
624     if (s->s3->peer_tmp != NULL) {
625         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
626                  ERR_R_INTERNAL_ERROR);
627         return 0;
628     }
629
630     if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
631         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
632                  SSL_R_LENGTH_MISMATCH);
633         return 0;
634     }
635
636     /* Get our list of supported groups */
637     tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
638     /* Get the clients list of supported groups. */
639     tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
640     if (clnt_num_groups == 0) {
641         /*
642          * This can only happen if the supported_groups extension was not sent,
643          * because we verify that the length is non-zero when we process that
644          * extension.
645          */
646         SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
647                  SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
648         return 0;
649     }
650
651     if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
652         /*
653          * If we set a group_id already, then we must have sent an HRR
654          * requesting a new key_share. If we haven't got one then that is an
655          * error
656          */
657         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
658                  SSL_R_BAD_KEY_SHARE);
659         return 0;
660     }
661
662     while (PACKET_remaining(&key_share_list) > 0) {
663         if (!PACKET_get_net_2(&key_share_list, &group_id)
664                 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
665                 || PACKET_remaining(&encoded_pt) == 0) {
666             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
667                      SSL_R_LENGTH_MISMATCH);
668             return 0;
669         }
670
671         /*
672          * If we already found a suitable key_share we loop through the
673          * rest to verify the structure, but don't process them.
674          */
675         if (found)
676             continue;
677
678         /*
679          * If we sent an HRR then the key_share sent back MUST be for the group
680          * we requested, and must be the only key_share sent.
681          */
682         if (s->s3->group_id != 0
683                 && (group_id != s->s3->group_id
684                     || PACKET_remaining(&key_share_list) != 0)) {
685             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
686                      SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
687             return 0;
688         }
689
690         /* Check if this share is in supported_groups sent from client */
691         if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
692             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
693                      SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
694             return 0;
695         }
696
697         /* Check if this share is for a group we can use */
698         if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
699             /* Share not suitable */
700             continue;
701         }
702
703         if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
704             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
705                    SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
706             return 0;
707         }
708
709         s->s3->group_id = group_id;
710
711         if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
712                 PACKET_data(&encoded_pt),
713                 PACKET_remaining(&encoded_pt))) {
714             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
715                      SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
716             return 0;
717         }
718
719         found = 1;
720     }
721 #endif
722
723     return 1;
724 }
725
726 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
727                           size_t chainidx)
728 {
729 #ifndef OPENSSL_NO_TLS1_3
730     unsigned int format, version, key_share, group_id;
731     EVP_MD_CTX *hctx;
732     EVP_PKEY *pkey;
733     PACKET cookie, raw, chhash, appcookie;
734     WPACKET hrrpkt;
735     const unsigned char *data, *mdin, *ciphdata;
736     unsigned char hmac[SHA256_DIGEST_LENGTH];
737     unsigned char hrr[MAX_HRR_SIZE];
738     size_t rawlen, hmaclen, hrrlen, ciphlen;
739     unsigned long tm, now;
740
741     /* Ignore any cookie if we're not set up to verify it */
742     if (s->ctx->verify_stateless_cookie_cb == NULL
743             || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
744         return 1;
745
746     if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
747         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
748                  SSL_R_LENGTH_MISMATCH);
749         return 0;
750     }
751
752     raw = cookie;
753     data = PACKET_data(&raw);
754     rawlen = PACKET_remaining(&raw);
755     if (rawlen < SHA256_DIGEST_LENGTH
756             || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
757         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
758                  SSL_R_LENGTH_MISMATCH);
759         return 0;
760     }
761     mdin = PACKET_data(&raw);
762
763     /* Verify the HMAC of the cookie */
764     hctx = EVP_MD_CTX_create();
765     pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
766                                         s->session_ctx->ext.cookie_hmac_key,
767                                         sizeof(s->session_ctx->ext
768                                                .cookie_hmac_key));
769     if (hctx == NULL || pkey == NULL) {
770         EVP_MD_CTX_free(hctx);
771         EVP_PKEY_free(pkey);
772         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
773                  ERR_R_MALLOC_FAILURE);
774         return 0;
775     }
776
777     hmaclen = SHA256_DIGEST_LENGTH;
778     if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
779             || EVP_DigestSign(hctx, hmac, &hmaclen, data,
780                               rawlen - SHA256_DIGEST_LENGTH) <= 0
781             || hmaclen != SHA256_DIGEST_LENGTH) {
782         EVP_MD_CTX_free(hctx);
783         EVP_PKEY_free(pkey);
784         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
785                  ERR_R_INTERNAL_ERROR);
786         return 0;
787     }
788
789     EVP_MD_CTX_free(hctx);
790     EVP_PKEY_free(pkey);
791
792     if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
793         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
794                  SSL_R_COOKIE_MISMATCH);
795         return 0;
796     }
797
798     if (!PACKET_get_net_2(&cookie, &format)) {
799         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
800                  SSL_R_LENGTH_MISMATCH);
801         return 0;
802     }
803     /* Check the cookie format is something we recognise. Ignore it if not */
804     if (format != COOKIE_STATE_FORMAT_VERSION)
805         return 1;
806
807     /*
808      * The rest of these checks really shouldn't fail since we have verified the
809      * HMAC above.
810      */
811
812     /* Check the version number is sane */
813     if (!PACKET_get_net_2(&cookie, &version)) {
814         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
815                  SSL_R_LENGTH_MISMATCH);
816         return 0;
817     }
818     if (version != TLS1_3_VERSION) {
819         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
820                  SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
821         return 0;
822     }
823
824     if (!PACKET_get_net_2(&cookie, &group_id)) {
825         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
826                  SSL_R_LENGTH_MISMATCH);
827         return 0;
828     }
829
830     ciphdata = PACKET_data(&cookie);
831     if (!PACKET_forward(&cookie, 2)) {
832         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
833                  SSL_R_LENGTH_MISMATCH);
834         return 0;
835     }
836     if (group_id != s->s3->group_id
837             || s->s3->tmp.new_cipher
838                != ssl_get_cipher_by_char(s, ciphdata, 0)) {
839         /*
840          * We chose a different cipher or group id this time around to what is
841          * in the cookie. Something must have changed.
842          */
843         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
844                  SSL_R_BAD_CIPHER);
845         return 0;
846     }
847
848     if (!PACKET_get_1(&cookie, &key_share)
849             || !PACKET_get_net_4(&cookie, &tm)
850             || !PACKET_get_length_prefixed_2(&cookie, &chhash)
851             || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
852             || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
853         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
854                  SSL_R_LENGTH_MISMATCH);
855         return 0;
856     }
857
858     /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
859     now = (unsigned long)time(NULL);
860     if (tm > now || (now - tm) > 600) {
861         /* Cookie is stale. Ignore it */
862         return 1;
863     }
864
865     /* Verify the app cookie */
866     if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
867                                      PACKET_remaining(&appcookie)) == 0) {
868         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
869                  SSL_R_COOKIE_MISMATCH);
870         return 0;
871     }
872
873     /*
874      * Reconstruct the HRR that we would have sent in response to the original
875      * ClientHello so we can add it to the transcript hash.
876      * Note: This won't work with custom HRR extensions
877      */
878     if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
879         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
880                  ERR_R_INTERNAL_ERROR);
881         return 0;
882     }
883     if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
884             || !WPACKET_start_sub_packet_u24(&hrrpkt)
885             || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
886             || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
887             || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
888                                       s->tmp_session_id_len)
889             || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
890                                               &ciphlen)
891             || !WPACKET_put_bytes_u8(&hrrpkt, 0)
892             || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
893         WPACKET_cleanup(&hrrpkt);
894         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
895                  ERR_R_INTERNAL_ERROR);
896         return 0;
897     }
898     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
899             || !WPACKET_start_sub_packet_u16(&hrrpkt)
900             || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
901             || !WPACKET_close(&hrrpkt)) {
902         WPACKET_cleanup(&hrrpkt);
903         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
904                  ERR_R_INTERNAL_ERROR);
905         return 0;
906     }
907     if (key_share) {
908         if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
909                 || !WPACKET_start_sub_packet_u16(&hrrpkt)
910                 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
911                 || !WPACKET_close(&hrrpkt)) {
912             WPACKET_cleanup(&hrrpkt);
913             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
914                      ERR_R_INTERNAL_ERROR);
915             return 0;
916         }
917     }
918     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
919             || !WPACKET_start_sub_packet_u16(&hrrpkt)
920             || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
921             || !WPACKET_close(&hrrpkt) /* cookie extension */
922             || !WPACKET_close(&hrrpkt) /* extension block */
923             || !WPACKET_close(&hrrpkt) /* message */
924             || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
925             || !WPACKET_finish(&hrrpkt)) {
926         WPACKET_cleanup(&hrrpkt);
927         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
928                  ERR_R_INTERNAL_ERROR);
929         return 0;
930     }
931
932     /* Reconstruct the transcript hash */
933     if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
934                                        PACKET_remaining(&chhash), hrr,
935                                        hrrlen)) {
936         /* SSLfatal() already called */
937         return 0;
938     }
939
940     /* Act as if this ClientHello came after a HelloRetryRequest */
941     s->hello_retry_request = 1;
942
943     s->ext.cookieok = 1;
944 #endif
945
946     return 1;
947 }
948
949 #ifndef OPENSSL_NO_EC
950 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
951                                     X509 *x, size_t chainidx)
952 {
953     PACKET supported_groups_list;
954
955     /* Each group is 2 bytes and we must have at least 1. */
956     if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
957             || PACKET_remaining(&supported_groups_list) == 0
958             || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
959         SSLfatal(s, SSL_AD_DECODE_ERROR,
960                  SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
961         return 0;
962     }
963
964     if (!s->hit || SSL_IS_TLS13(s)) {
965         OPENSSL_free(s->session->ext.supportedgroups);
966         s->session->ext.supportedgroups = NULL;
967         s->session->ext.supportedgroups_len = 0;
968         if (!tls1_save_u16(&supported_groups_list,
969                            &s->session->ext.supportedgroups,
970                            &s->session->ext.supportedgroups_len)) {
971             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
972                      SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
973                      ERR_R_INTERNAL_ERROR);
974             return 0;
975         }
976     }
977
978     return 1;
979 }
980 #endif
981
982 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
983                        size_t chainidx)
984 {
985     /* The extension must always be empty */
986     if (PACKET_remaining(pkt) != 0) {
987         SSLfatal(s, SSL_AD_DECODE_ERROR,
988                  SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
989         return 0;
990     }
991
992     s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
993
994     return 1;
995 }
996
997
998 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
999                               X509 *x, size_t chainidx)
1000 {
1001     if (PACKET_remaining(pkt) != 0) {
1002         SSLfatal(s, SSL_AD_DECODE_ERROR,
1003                  SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1004         return 0;
1005     }
1006
1007     if (s->hello_retry_request != SSL_HRR_NONE) {
1008         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1009                  SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1010         return 0;
1011     }
1012
1013     return 1;
1014 }
1015
1016 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1017                                                  SSL_SESSION **sess)
1018 {
1019     SSL_SESSION *tmpsess = NULL;
1020
1021     s->ext.ticket_expected = 1;
1022
1023     switch (PACKET_remaining(tick)) {
1024         case 0:
1025             return SSL_TICKET_EMPTY;
1026
1027         case SSL_MAX_SSL_SESSION_ID_LENGTH:
1028             break;
1029
1030         default:
1031             return SSL_TICKET_NO_DECRYPT;
1032     }
1033
1034     tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1035                                    SSL_MAX_SSL_SESSION_ID_LENGTH);
1036
1037     if (tmpsess == NULL)
1038         return SSL_TICKET_NO_DECRYPT;
1039
1040     *sess = tmpsess;
1041     return SSL_TICKET_SUCCESS;
1042 }
1043
1044 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1045                        size_t chainidx)
1046 {
1047     PACKET identities, binders, binder;
1048     size_t binderoffset, hashsize;
1049     SSL_SESSION *sess = NULL;
1050     unsigned int id, i, ext = 0;
1051     const EVP_MD *md = NULL;
1052
1053     /*
1054      * If we have no PSK kex mode that we recognise then we can't resume so
1055      * ignore this extension
1056      */
1057     if ((s->ext.psk_kex_mode
1058             & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1059         return 1;
1060
1061     if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1062         SSLfatal(s, SSL_AD_DECODE_ERROR,
1063                  SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1064         return 0;
1065     }
1066
1067     s->ext.ticket_expected = 0;
1068     for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1069         PACKET identity;
1070         unsigned long ticket_agel;
1071         size_t idlen;
1072
1073         if (!PACKET_get_length_prefixed_2(&identities, &identity)
1074                 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1075             SSLfatal(s, SSL_AD_DECODE_ERROR,
1076                      SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1077             return 0;
1078         }
1079
1080         idlen = PACKET_remaining(&identity);
1081         if (s->psk_find_session_cb != NULL
1082                 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1083                                            &sess)) {
1084             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1085                      SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1086             return 0;
1087         }
1088
1089 #ifndef OPENSSL_NO_PSK
1090         if(sess == NULL
1091                 && s->psk_server_callback != NULL
1092                 && idlen <= PSK_MAX_IDENTITY_LEN) {
1093             char *pskid = NULL;
1094             unsigned char pskdata[PSK_MAX_PSK_LEN];
1095             unsigned int pskdatalen;
1096
1097             if (!PACKET_strndup(&identity, &pskid)) {
1098                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1099                          ERR_R_INTERNAL_ERROR);
1100                 return 0;
1101             }
1102             pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1103                                                 sizeof(pskdata));
1104             OPENSSL_free(pskid);
1105             if (pskdatalen > PSK_MAX_PSK_LEN) {
1106                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1107                          ERR_R_INTERNAL_ERROR);
1108                 return 0;
1109             } else if (pskdatalen > 0) {
1110                 const SSL_CIPHER *cipher;
1111                 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1112
1113                 /*
1114                  * We found a PSK using an old style callback. We don't know
1115                  * the digest so we default to SHA256 as per the TLSv1.3 spec
1116                  */
1117                 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1118                 if (cipher == NULL) {
1119                     OPENSSL_cleanse(pskdata, pskdatalen);
1120                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1121                              ERR_R_INTERNAL_ERROR);
1122                     return 0;
1123                 }
1124
1125                 sess = SSL_SESSION_new();
1126                 if (sess == NULL
1127                         || !SSL_SESSION_set1_master_key(sess, pskdata,
1128                                                         pskdatalen)
1129                         || !SSL_SESSION_set_cipher(sess, cipher)
1130                         || !SSL_SESSION_set_protocol_version(sess,
1131                                                              TLS1_3_VERSION)) {
1132                     OPENSSL_cleanse(pskdata, pskdatalen);
1133                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1134                              ERR_R_INTERNAL_ERROR);
1135                     goto err;
1136                 }
1137                 OPENSSL_cleanse(pskdata, pskdatalen);
1138             }
1139         }
1140 #endif /* OPENSSL_NO_PSK */
1141
1142         if (sess != NULL) {
1143             /* We found a PSK */
1144             SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1145
1146             if (sesstmp == NULL) {
1147                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1148                          SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1149                 return 0;
1150             }
1151             SSL_SESSION_free(sess);
1152             sess = sesstmp;
1153
1154             /*
1155              * We've just been told to use this session for this context so
1156              * make sure the sid_ctx matches up.
1157              */
1158             memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1159             sess->sid_ctx_length = s->sid_ctx_length;
1160             ext = 1;
1161             if (id == 0)
1162                 s->ext.early_data_ok = 1;
1163         } else {
1164             uint32_t ticket_age = 0, now, agesec, agems;
1165             int ret;
1166
1167             /*
1168              * If we are using anti-replay protection then we behave as if
1169              * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1170              * is no point in using full stateless tickets.
1171              */
1172             if ((s->options & SSL_OP_NO_TICKET) != 0
1173                     || (s->max_early_data > 0
1174                         && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1175                 ret = tls_get_stateful_ticket(s, &identity, &sess);
1176             else
1177                 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1178                                          PACKET_remaining(&identity), NULL, 0,
1179                                          &sess);
1180
1181             if (ret == SSL_TICKET_EMPTY) {
1182                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1183                          SSL_R_BAD_EXTENSION);
1184                 return 0;
1185             }
1186
1187             if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1188                     || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1189                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1190                          SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1191                 return 0;
1192             }
1193             if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1194                 continue;
1195
1196             /* Check for replay */
1197             if (s->max_early_data > 0
1198                     && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1199                     && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1200                 SSL_SESSION_free(sess);
1201                 sess = NULL;
1202                 continue;
1203             }
1204
1205             ticket_age = (uint32_t)ticket_agel;
1206             now = (uint32_t)time(NULL);
1207             agesec = now - (uint32_t)sess->time;
1208             agems = agesec * (uint32_t)1000;
1209             ticket_age -= sess->ext.tick_age_add;
1210
1211             /*
1212              * For simplicity we do our age calculations in seconds. If the
1213              * client does it in ms then it could appear that their ticket age
1214              * is longer than ours (our ticket age calculation should always be
1215              * slightly longer than the client's due to the network latency).
1216              * Therefore we add 1000ms to our age calculation to adjust for
1217              * rounding errors.
1218              */
1219             if (id == 0
1220                     && sess->timeout >= (long)agesec
1221                     && agems / (uint32_t)1000 == agesec
1222                     && ticket_age <= agems + 1000
1223                     && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1224                 /*
1225                  * Ticket age is within tolerance and not expired. We allow it
1226                  * for early data
1227                  */
1228                 s->ext.early_data_ok = 1;
1229             }
1230         }
1231
1232         md = ssl_md(sess->cipher->algorithm2);
1233         if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1234             /* The ciphersuite is not compatible with this session. */
1235             SSL_SESSION_free(sess);
1236             sess = NULL;
1237             s->ext.early_data_ok = 0;
1238             continue;
1239         }
1240         break;
1241     }
1242
1243     if (sess == NULL)
1244         return 1;
1245
1246     binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1247     hashsize = EVP_MD_size(md);
1248
1249     if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1250         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1251                  SSL_R_BAD_EXTENSION);
1252         goto err;
1253     }
1254
1255     for (i = 0; i <= id; i++) {
1256         if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1257             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1258                      SSL_R_BAD_EXTENSION);
1259             goto err;
1260         }
1261     }
1262
1263     if (PACKET_remaining(&binder) != hashsize) {
1264         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1265                  SSL_R_BAD_EXTENSION);
1266         goto err;
1267     }
1268     if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1269                           binderoffset, PACKET_data(&binder), NULL, sess, 0,
1270                           ext) != 1) {
1271         /* SSLfatal() already called */
1272         goto err;
1273     }
1274
1275     sess->ext.tick_identity = id;
1276
1277     SSL_SESSION_free(s->session);
1278     s->session = sess;
1279     return 1;
1280 err:
1281     SSL_SESSION_free(sess);
1282     return 0;
1283 }
1284
1285 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1286                                        X509 *x, size_t chainidx)
1287 {
1288     if (PACKET_remaining(pkt) != 0) {
1289         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1290                  SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1291         return 0;
1292     }
1293
1294     s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1295
1296     return 1;
1297 }
1298
1299 /*
1300  * Add the server's renegotiation binding
1301  */
1302 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1303                                           unsigned int context, X509 *x,
1304                                           size_t chainidx)
1305 {
1306     if (!s->s3->send_connection_binding)
1307         return EXT_RETURN_NOT_SENT;
1308
1309     /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1310     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1311             || !WPACKET_start_sub_packet_u16(pkt)
1312             || !WPACKET_start_sub_packet_u8(pkt)
1313             || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1314                                s->s3->previous_client_finished_len)
1315             || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1316                                s->s3->previous_server_finished_len)
1317             || !WPACKET_close(pkt)
1318             || !WPACKET_close(pkt)) {
1319         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1320                  ERR_R_INTERNAL_ERROR);
1321         return EXT_RETURN_FAIL;
1322     }
1323
1324     return EXT_RETURN_SENT;
1325 }
1326
1327 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1328                                           unsigned int context, X509 *x,
1329                                           size_t chainidx)
1330 {
1331     if (s->hit || s->servername_done != 1
1332             || s->ext.hostname == NULL)
1333         return EXT_RETURN_NOT_SENT;
1334
1335     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1336             || !WPACKET_put_bytes_u16(pkt, 0)) {
1337         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1338                  ERR_R_INTERNAL_ERROR);
1339         return EXT_RETURN_FAIL;
1340     }
1341
1342     return EXT_RETURN_SENT;
1343 }
1344
1345 /* Add/include the server's max fragment len extension into ServerHello */
1346 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1347                                              unsigned int context, X509 *x,
1348                                              size_t chainidx)
1349 {
1350     if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1351         return EXT_RETURN_NOT_SENT;
1352
1353     /*-
1354      * 4 bytes for this extension type and extension length
1355      * 1 byte for the Max Fragment Length code value.
1356      */
1357     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1358         || !WPACKET_start_sub_packet_u16(pkt)
1359         || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1360         || !WPACKET_close(pkt)) {
1361         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1362                  SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1363         return EXT_RETURN_FAIL;
1364     }
1365
1366     return EXT_RETURN_SENT;
1367 }
1368
1369 #ifndef OPENSSL_NO_EC
1370 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1371                                             unsigned int context, X509 *x,
1372                                             size_t chainidx)
1373 {
1374     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1375     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1376     int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1377                     && (s->session->ext.ecpointformats != NULL);
1378     const unsigned char *plist;
1379     size_t plistlen;
1380
1381     if (!using_ecc)
1382         return EXT_RETURN_NOT_SENT;
1383
1384     tls1_get_formatlist(s, &plist, &plistlen);
1385     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1386             || !WPACKET_start_sub_packet_u16(pkt)
1387             || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1388             || !WPACKET_close(pkt)) {
1389         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1390                  SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1391         return EXT_RETURN_FAIL;
1392     }
1393
1394     return EXT_RETURN_SENT;
1395 }
1396 #endif
1397
1398 #ifndef OPENSSL_NO_EC
1399 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1400                                                unsigned int context, X509 *x,
1401                                                size_t chainidx)
1402 {
1403     const uint16_t *groups;
1404     size_t numgroups, i, first = 1;
1405
1406     /* s->s3->group_id is non zero if we accepted a key_share */
1407     if (s->s3->group_id == 0)
1408         return EXT_RETURN_NOT_SENT;
1409
1410     /* Get our list of supported groups */
1411     tls1_get_supported_groups(s, &groups, &numgroups);
1412     if (numgroups == 0) {
1413         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1414                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1415         return EXT_RETURN_FAIL;
1416     }
1417
1418     /* Copy group ID if supported */
1419     for (i = 0; i < numgroups; i++) {
1420         uint16_t group = groups[i];
1421
1422         if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1423             if (first) {
1424                 /*
1425                  * Check if the client is already using our preferred group. If
1426                  * so we don't need to add this extension
1427                  */
1428                 if (s->s3->group_id == group)
1429                     return EXT_RETURN_NOT_SENT;
1430
1431                 /* Add extension header */
1432                 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1433                            /* Sub-packet for supported_groups extension */
1434                         || !WPACKET_start_sub_packet_u16(pkt)
1435                         || !WPACKET_start_sub_packet_u16(pkt)) {
1436                     SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1437                              SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1438                              ERR_R_INTERNAL_ERROR);
1439                     return EXT_RETURN_FAIL;
1440                 }
1441
1442                 first = 0;
1443             }
1444             if (!WPACKET_put_bytes_u16(pkt, group)) {
1445                     SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1446                              SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1447                              ERR_R_INTERNAL_ERROR);
1448                     return EXT_RETURN_FAIL;
1449                 }
1450         }
1451     }
1452
1453     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1454         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1455                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1456                  ERR_R_INTERNAL_ERROR);
1457         return EXT_RETURN_FAIL;
1458     }
1459
1460     return EXT_RETURN_SENT;
1461 }
1462 #endif
1463
1464 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1465                                              unsigned int context, X509 *x,
1466                                              size_t chainidx)
1467 {
1468     if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1469         s->ext.ticket_expected = 0;
1470         return EXT_RETURN_NOT_SENT;
1471     }
1472
1473     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1474             || !WPACKET_put_bytes_u16(pkt, 0)) {
1475         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1476                  SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1477         return EXT_RETURN_FAIL;
1478     }
1479
1480     return EXT_RETURN_SENT;
1481 }
1482
1483 #ifndef OPENSSL_NO_OCSP
1484 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1485                                              unsigned int context, X509 *x,
1486                                              size_t chainidx)
1487 {
1488     if (!s->ext.status_expected)
1489         return EXT_RETURN_NOT_SENT;
1490
1491     if (SSL_IS_TLS13(s) && chainidx != 0)
1492         return EXT_RETURN_NOT_SENT;
1493
1494     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1495             || !WPACKET_start_sub_packet_u16(pkt)) {
1496         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1497                  SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1498         return EXT_RETURN_FAIL;
1499     }
1500
1501     /*
1502      * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1503      * send back an empty extension, with the certificate status appearing as a
1504      * separate message
1505      */
1506     if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1507        /* SSLfatal() already called */
1508        return EXT_RETURN_FAIL;
1509     }
1510     if (!WPACKET_close(pkt)) {
1511         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1512                  SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1513         return EXT_RETURN_FAIL;
1514     }
1515
1516     return EXT_RETURN_SENT;
1517 }
1518 #endif
1519
1520 #ifndef OPENSSL_NO_NEXTPROTONEG
1521 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1522                                              unsigned int context, X509 *x,
1523                                              size_t chainidx)
1524 {
1525     const unsigned char *npa;
1526     unsigned int npalen;
1527     int ret;
1528     int npn_seen = s->s3->npn_seen;
1529
1530     s->s3->npn_seen = 0;
1531     if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1532         return EXT_RETURN_NOT_SENT;
1533
1534     ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1535                                         s->ctx->ext.npn_advertised_cb_arg);
1536     if (ret == SSL_TLSEXT_ERR_OK) {
1537         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1538                 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1539             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1540                      SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1541                      ERR_R_INTERNAL_ERROR);
1542             return EXT_RETURN_FAIL;
1543         }
1544         s->s3->npn_seen = 1;
1545     }
1546
1547     return EXT_RETURN_SENT;
1548 }
1549 #endif
1550
1551 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1552                                    X509 *x, size_t chainidx)
1553 {
1554     if (s->s3->alpn_selected == NULL)
1555         return EXT_RETURN_NOT_SENT;
1556
1557     if (!WPACKET_put_bytes_u16(pkt,
1558                 TLSEXT_TYPE_application_layer_protocol_negotiation)
1559             || !WPACKET_start_sub_packet_u16(pkt)
1560             || !WPACKET_start_sub_packet_u16(pkt)
1561             || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1562                                       s->s3->alpn_selected_len)
1563             || !WPACKET_close(pkt)
1564             || !WPACKET_close(pkt)) {
1565         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1566                  SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1567         return EXT_RETURN_FAIL;
1568     }
1569
1570     return EXT_RETURN_SENT;
1571 }
1572
1573 #ifndef OPENSSL_NO_SRTP
1574 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1575                                        unsigned int context, X509 *x,
1576                                        size_t chainidx)
1577 {
1578     if (s->srtp_profile == NULL)
1579         return EXT_RETURN_NOT_SENT;
1580
1581     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1582             || !WPACKET_start_sub_packet_u16(pkt)
1583             || !WPACKET_put_bytes_u16(pkt, 2)
1584             || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1585             || !WPACKET_put_bytes_u8(pkt, 0)
1586             || !WPACKET_close(pkt)) {
1587         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1588                  ERR_R_INTERNAL_ERROR);
1589         return EXT_RETURN_FAIL;
1590     }
1591
1592     return EXT_RETURN_SENT;
1593 }
1594 #endif
1595
1596 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1597                                   X509 *x, size_t chainidx)
1598 {
1599     if (!s->ext.use_etm)
1600         return EXT_RETURN_NOT_SENT;
1601
1602     /*
1603      * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1604      * for other cases too.
1605      */
1606     if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1607         || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1608         || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1609         || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1610         s->ext.use_etm = 0;
1611         return EXT_RETURN_NOT_SENT;
1612     }
1613
1614     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1615             || !WPACKET_put_bytes_u16(pkt, 0)) {
1616         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1617                  ERR_R_INTERNAL_ERROR);
1618         return EXT_RETURN_FAIL;
1619     }
1620
1621     return EXT_RETURN_SENT;
1622 }
1623
1624 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1625                                   X509 *x, size_t chainidx)
1626 {
1627     if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1628         return EXT_RETURN_NOT_SENT;
1629
1630     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1631             || !WPACKET_put_bytes_u16(pkt, 0)) {
1632         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1633                  ERR_R_INTERNAL_ERROR);
1634         return EXT_RETURN_FAIL;
1635     }
1636
1637     return EXT_RETURN_SENT;
1638 }
1639
1640 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1641                                                  unsigned int context, X509 *x,
1642                                                  size_t chainidx)
1643 {
1644     if (!ossl_assert(SSL_IS_TLS13(s))) {
1645         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1646                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1647                  ERR_R_INTERNAL_ERROR);
1648         return EXT_RETURN_FAIL;
1649     }
1650
1651     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1652             || !WPACKET_start_sub_packet_u16(pkt)
1653             || !WPACKET_put_bytes_u16(pkt, s->version)
1654             || !WPACKET_close(pkt)) {
1655         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1656                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1657                  ERR_R_INTERNAL_ERROR);
1658         return EXT_RETURN_FAIL;
1659     }
1660
1661     return EXT_RETURN_SENT;
1662 }
1663
1664 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1665                                         unsigned int context, X509 *x,
1666                                         size_t chainidx)
1667 {
1668 #ifndef OPENSSL_NO_TLS1_3
1669     unsigned char *encodedPoint;
1670     size_t encoded_pt_len = 0;
1671     EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1672
1673     if (s->hello_retry_request == SSL_HRR_PENDING) {
1674         if (ckey != NULL) {
1675             /* Original key_share was acceptable so don't ask for another one */
1676             return EXT_RETURN_NOT_SENT;
1677         }
1678         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1679                 || !WPACKET_start_sub_packet_u16(pkt)
1680                 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1681                 || !WPACKET_close(pkt)) {
1682             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1683                      SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1684                      ERR_R_INTERNAL_ERROR);
1685             return EXT_RETURN_FAIL;
1686         }
1687
1688         return EXT_RETURN_SENT;
1689     }
1690
1691     if (ckey == NULL) {
1692         /* No key_share received from client - must be resuming */
1693         if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1694             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1695                      SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1696             return EXT_RETURN_FAIL;
1697         }
1698         return EXT_RETURN_NOT_SENT;
1699     }
1700
1701     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1702             || !WPACKET_start_sub_packet_u16(pkt)
1703             || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1704         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1705                  SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1706         return EXT_RETURN_FAIL;
1707     }
1708
1709     skey = ssl_generate_pkey(ckey);
1710     if (skey == NULL) {
1711         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1712                  ERR_R_MALLOC_FAILURE);
1713         return EXT_RETURN_FAIL;
1714     }
1715
1716     /* Generate encoding of server key */
1717     encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1718     if (encoded_pt_len == 0) {
1719         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1720                  ERR_R_EC_LIB);
1721         EVP_PKEY_free(skey);
1722         return EXT_RETURN_FAIL;
1723     }
1724
1725     if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1726             || !WPACKET_close(pkt)) {
1727         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1728                  ERR_R_INTERNAL_ERROR);
1729         EVP_PKEY_free(skey);
1730         OPENSSL_free(encodedPoint);
1731         return EXT_RETURN_FAIL;
1732     }
1733     OPENSSL_free(encodedPoint);
1734
1735     /* This causes the crypto state to be updated based on the derived keys */
1736     s->s3->tmp.pkey = skey;
1737     if (ssl_derive(s, skey, ckey, 1) == 0) {
1738         /* SSLfatal() already called */
1739         return EXT_RETURN_FAIL;
1740     }
1741     return EXT_RETURN_SENT;
1742 #else
1743     return EXT_RETURN_FAIL;
1744 #endif
1745 }
1746
1747 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1748                                      X509 *x, size_t chainidx)
1749 {
1750 #ifndef OPENSSL_NO_TLS1_3
1751     unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1752     unsigned char *hmac, *hmac2;
1753     size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1754     EVP_MD_CTX *hctx;
1755     EVP_PKEY *pkey;
1756     int ret = EXT_RETURN_FAIL;
1757
1758     if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1759         return EXT_RETURN_NOT_SENT;
1760
1761     if (s->ctx->gen_stateless_cookie_cb == NULL) {
1762         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1763                  SSL_R_NO_COOKIE_CALLBACK_SET);
1764         return EXT_RETURN_FAIL;
1765     }
1766
1767     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1768             || !WPACKET_start_sub_packet_u16(pkt)
1769             || !WPACKET_start_sub_packet_u16(pkt)
1770             || !WPACKET_get_total_written(pkt, &startlen)
1771             || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1772             || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1773             || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1774             || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1775             || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1776                                               &ciphlen)
1777                /* Is there a key_share extension present in this HRR? */
1778             || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1779             || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1780             || !WPACKET_start_sub_packet_u16(pkt)
1781             || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1782         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1783                  ERR_R_INTERNAL_ERROR);
1784         return EXT_RETURN_FAIL;
1785     }
1786
1787     /*
1788      * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1789      * on raw buffers, so we first reserve sufficient bytes (above) and then
1790      * subsequently allocate them (below)
1791      */
1792     if (!ssl3_digest_cached_records(s, 0)
1793             || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1794         /* SSLfatal() already called */
1795         return EXT_RETURN_FAIL;
1796     }
1797
1798     if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1799             || !ossl_assert(hashval1 == hashval2)
1800             || !WPACKET_close(pkt)
1801             || !WPACKET_start_sub_packet_u8(pkt)
1802             || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1803         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1804                  ERR_R_INTERNAL_ERROR);
1805         return EXT_RETURN_FAIL;
1806     }
1807
1808     /* Generate the application cookie */
1809     if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1810         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1811                  SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1812         return EXT_RETURN_FAIL;
1813     }
1814
1815     if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1816             || !ossl_assert(appcookie1 == appcookie2)
1817             || !WPACKET_close(pkt)
1818             || !WPACKET_get_total_written(pkt, &totcookielen)
1819             || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1820         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1821                  ERR_R_INTERNAL_ERROR);
1822         return EXT_RETURN_FAIL;
1823     }
1824     hmaclen = SHA256_DIGEST_LENGTH;
1825
1826     totcookielen -= startlen;
1827     if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1828         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1829                  ERR_R_INTERNAL_ERROR);
1830         return EXT_RETURN_FAIL;
1831     }
1832
1833     /* HMAC the cookie */
1834     hctx = EVP_MD_CTX_create();
1835     pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1836                                         s->session_ctx->ext.cookie_hmac_key,
1837                                         sizeof(s->session_ctx->ext
1838                                                .cookie_hmac_key));
1839     if (hctx == NULL || pkey == NULL) {
1840         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1841                  ERR_R_MALLOC_FAILURE);
1842         goto err;
1843     }
1844
1845     if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1846             || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1847                               totcookielen) <= 0) {
1848         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1849                  ERR_R_INTERNAL_ERROR);
1850         goto err;
1851     }
1852
1853     if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1854         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1855                  ERR_R_INTERNAL_ERROR);
1856         goto err;
1857     }
1858
1859     if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1860             || !ossl_assert(hmac == hmac2)
1861             || !ossl_assert(cookie == hmac - totcookielen)
1862             || !WPACKET_close(pkt)
1863             || !WPACKET_close(pkt)) {
1864         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1865                  ERR_R_INTERNAL_ERROR);
1866         goto err;
1867     }
1868
1869     ret = EXT_RETURN_SENT;
1870
1871  err:
1872     EVP_MD_CTX_free(hctx);
1873     EVP_PKEY_free(pkey);
1874     return ret;
1875 #else
1876     return EXT_RETURN_FAIL;
1877 #endif
1878 }
1879
1880 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1881                                             unsigned int context, X509 *x,
1882                                             size_t chainidx)
1883 {
1884     const unsigned char cryptopro_ext[36] = {
1885         0xfd, 0xe8,         /* 65000 */
1886         0x00, 0x20,         /* 32 bytes length */
1887         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1888         0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1889         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1890         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1891     };
1892
1893     if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1894          && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1895             || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1896         return EXT_RETURN_NOT_SENT;
1897
1898     if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1899         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1900                  SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1901         return EXT_RETURN_FAIL;
1902     }
1903
1904     return EXT_RETURN_SENT;
1905 }
1906
1907 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1908                                          unsigned int context, X509 *x,
1909                                          size_t chainidx)
1910 {
1911     if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1912         if (s->max_early_data == 0)
1913             return EXT_RETURN_NOT_SENT;
1914
1915         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1916                 || !WPACKET_start_sub_packet_u16(pkt)
1917                 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1918                 || !WPACKET_close(pkt)) {
1919             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1920                      SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1921             return EXT_RETURN_FAIL;
1922         }
1923
1924         return EXT_RETURN_SENT;
1925     }
1926
1927     if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1928         return EXT_RETURN_NOT_SENT;
1929
1930     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1931             || !WPACKET_start_sub_packet_u16(pkt)
1932             || !WPACKET_close(pkt)) {
1933         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1934                  ERR_R_INTERNAL_ERROR);
1935         return EXT_RETURN_FAIL;
1936     }
1937
1938     return EXT_RETURN_SENT;
1939 }
1940
1941 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1942                                   X509 *x, size_t chainidx)
1943 {
1944     if (!s->hit)
1945         return EXT_RETURN_NOT_SENT;
1946
1947     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1948             || !WPACKET_start_sub_packet_u16(pkt)
1949             || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1950             || !WPACKET_close(pkt)) {
1951         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1952                  SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1953         return EXT_RETURN_FAIL;
1954     }
1955
1956     return EXT_RETURN_SENT;
1957 }