extensions_srvr.c@ 108453

最後變更在這個檔案從108453是 108206,由 vboxsync 提交於 4 週前
openssl-3.3.2: Exported all files to OSE and removed .scm-settings bugref:10757
屬性 svn:eol-style 設為 `native` 屬性 svn:keywords 設為 `Author Date Id Revision`
檔案大小: 73.8 KB

行
1	/*
2	* Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <openssl/ocsp.h>
11	#include "../ssl_local.h"
12	#include "statem_local.h"
13	#include "internal/cryptlib.h"
14
15	#define COOKIE_STATE_FORMAT_VERSION 1
16
17	/*
18	* 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19	* protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20	* key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21	* EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22	* length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23	*/
24	#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25	+ SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27	/*
28	* Message header + 2 bytes for protocol version + number of random bytes +
29	* + 1 byte for legacy session id length + number of bytes in legacy session id
30	* + 2 bytes for ciphersuite + 1 byte for legacy compression
31	* + 2 bytes for extension block length + 6 bytes for key_share extension
32	* + 4 bytes for cookie extension header + the number of bytes in the cookie
33	*/
34	#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35	+ SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36	+ MAX_COOKIE_SIZE)
37
38	/*
39	* Parse the client's renegotiation binding and abort if it's not right
40	*/
41	int tls_parse_ctos_renegotiate(SSL_CONNECTION s, PACKET pkt,
42	unsigned int context,
43	X509 *x, size_t chainidx)
44	{
45	unsigned int ilen;
46	const unsigned char *data;
47	int ok;
48
49	/* Parse the length byte */
50	if (!PACKET_get_1(pkt, &ilen)
51	\|\| !PACKET_get_bytes(pkt, &data, ilen)) {
52	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
53	return 0;
54	}
55
56	/* Check that the extension matches */
57	if (ilen != s->s3.previous_client_finished_len) {
58	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
59	return 0;
60	}
61
62	ok = memcmp(data, s->s3.previous_client_finished,
63	s->s3.previous_client_finished_len);
64	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
65	if (ok) {
66	if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
67	ok = 0;
68	}
69	}
70	#endif
71	if (ok) {
72	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
73	return 0;
74	}
75
76	s->s3.send_connection_binding = 1;
77
78	return 1;
79	}
80
81	/*-
82	* The servername extension is treated as follows:
83	*
84	* - Only the hostname type is supported with a maximum length of 255.
85	* - The servername is rejected if too long or if it contains zeros,
86	* in which case an fatal alert is generated.
87	* - The servername field is maintained together with the session cache.
88	* - When a session is resumed, the servername call back invoked in order
89	* to allow the application to position itself to the right context.
90	* - The servername is acknowledged if it is new for a session or when
91	* it is identical to a previously used for the same session.
92	* Applications can control the behaviour. They can at any time
93	* set a 'desirable' servername for a new SSL object. This can be the
94	* case for example with HTTPS when a Host: header field is received and
95	* a renegotiation is requested. In this case, a possible servername
96	* presented in the new client hello is only acknowledged if it matches
97	* the value of the Host: field.
98	* - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
99	* if they provide for changing an explicit servername context for the
100	* session, i.e. when the session has been established with a servername
101	* extension.
102	* - On session reconnect, the servername extension may be absent.
103	*/
104	int tls_parse_ctos_server_name(SSL_CONNECTION s, PACKET pkt,
105	unsigned int context, X509 *x, size_t chainidx)
106	{
107	unsigned int servname_type;
108	PACKET sni, hostname;
109
110	if (!PACKET_as_length_prefixed_2(pkt, &sni)
111	/* ServerNameList must be at least 1 byte long. */
112	\|\| PACKET_remaining(&sni) == 0) {
113	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
114	return 0;
115	}
116
117	/*
118	* Although the intent was for server_name to be extensible, RFC 4366
119	* was not clear about it; and so OpenSSL among other implementations,
120	* always and only allows a 'host_name' name types.
121	* RFC 6066 corrected the mistake but adding new name types
122	* is nevertheless no longer feasible, so act as if no other
123	* SNI types can exist, to simplify parsing.
124	*
125	* Also note that the RFC permits only one SNI value per type,
126	* i.e., we can only have a single hostname.
127	*/
128	if (!PACKET_get_1(&sni, &servname_type)
129	\|\| servname_type != TLSEXT_NAMETYPE_host_name
130	\|\| !PACKET_as_length_prefixed_2(&sni, &hostname)) {
131	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
132	return 0;
133	}
134
135	/*
136	* In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
137	* we always use the SNI value from the handshake.
138	*/
139	if (!s->hit \|\| SSL_CONNECTION_IS_TLS13(s)) {
140	if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
141	SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
142	return 0;
143	}
144
145	if (PACKET_contains_zero_byte(&hostname)) {
146	SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
147	return 0;
148	}
149
150	/*
151	* Store the requested SNI in the SSL as temporary storage.
152	* If we accept it, it will get stored in the SSL_SESSION as well.
153	*/
154	OPENSSL_free(s->ext.hostname);
155	s->ext.hostname = NULL;
156	if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
157	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
158	return 0;
159	}
160
161	s->servername_done = 1;
162	} else {
163	/*
164	* In TLSv1.2 and below we should check if the SNI is consistent between
165	* the initial handshake and the resumption. In TLSv1.3 SNI is not
166	* associated with the session.
167	*/
168	s->servername_done = (s->session->ext.hostname != NULL)
169	&& PACKET_equal(&hostname, s->session->ext.hostname,
170	strlen(s->session->ext.hostname));
171	}
172
173	return 1;
174	}
175
176	int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION s, PACKET pkt,
177	unsigned int context,
178	X509 *x, size_t chainidx)
179	{
180	unsigned int value;
181
182	if (PACKET_remaining(pkt) != 1 \|\| !PACKET_get_1(pkt, &value)) {
183	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
184	return 0;
185	}
186
187	/* Received \|value\| should be a valid max-fragment-length code. */
188	if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
189	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190	SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191	return 0;
192	}
193
194	/*
195	* When doing a full handshake or a renegotiation max_fragment_len_mode will
196	* be TLSEXT_max_fragment_length_UNSPECIFIED
197	*
198	* In case of a resumption max_fragment_len_mode will be one of
199	* TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
200	* TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
201	* TLSEXT_max_fragment_length_4096
202	*
203	* RFC 6066: The negotiated length applies for the duration of the session
204	* including session resumptions.
205	*
206	* So we only set the value in case it is unspecified.
207	*/
208	if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
209	/*
210	* Store it in session, so it'll become binding for us
211	* and we'll include it in a next Server Hello.
212	*/
213	s->session->ext.max_fragment_len_mode = value;
214
215	return 1;
216	}
217
218	#ifndef OPENSSL_NO_SRP
219	int tls_parse_ctos_srp(SSL_CONNECTION s, PACKET pkt, unsigned int context,
220	X509 *x, size_t chainidx)
221	{
222	PACKET srp_I;
223
224	if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
225	\|\| PACKET_contains_zero_byte(&srp_I)) {
226	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
227	return 0;
228	}
229
230	if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
231	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
232	return 0;
233	}
234
235	return 1;
236	}
237	#endif
238
239	int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION s, PACKET pkt,
240	unsigned int context,
241	X509 *x, size_t chainidx)
242	{
243	PACKET ec_point_format_list;
244
245	if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
246	\|\| PACKET_remaining(&ec_point_format_list) == 0) {
247	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
248	return 0;
249	}
250
251	if (!s->hit) {
252	if (!PACKET_memdup(&ec_point_format_list,
253	&s->ext.peer_ecpointformats,
254	&s->ext.peer_ecpointformats_len)) {
255	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
256	return 0;
257	}
258	}
259
260	return 1;
261	}
262
263	int tls_parse_ctos_session_ticket(SSL_CONNECTION s, PACKET pkt,
264	unsigned int context,
265	X509 *x, size_t chainidx)
266	{
267	if (s->ext.session_ticket_cb &&
268	!s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
269	PACKET_data(pkt), PACKET_remaining(pkt),
270	s->ext.session_ticket_cb_arg)) {
271	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
272	return 0;
273	}
274
275	return 1;
276	}
277
278	int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION s, PACKET pkt,
279	ossl_unused unsigned int context,
280	ossl_unused X509 *x,
281	ossl_unused size_t chainidx)
282	{
283	PACKET supported_sig_algs;
284
285	if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
286	\|\| PACKET_remaining(&supported_sig_algs) == 0) {
287	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
288	return 0;
289	}
290
291	if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
293	return 0;
294	}
295
296	return 1;
297	}
298
299	int tls_parse_ctos_sig_algs(SSL_CONNECTION s, PACKET pkt,
300	unsigned int context, X509 *x, size_t chainidx)
301	{
302	PACKET supported_sig_algs;
303
304	if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
305	\|\| PACKET_remaining(&supported_sig_algs) == 0) {
306	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
307	return 0;
308	}
309
310	if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
311	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
312	return 0;
313	}
314
315	return 1;
316	}
317
318	#ifndef OPENSSL_NO_OCSP
319	int tls_parse_ctos_status_request(SSL_CONNECTION s, PACKET pkt,
320	unsigned int context,
321	X509 *x, size_t chainidx)
322	{
323	PACKET responder_id_list, exts;
324
325	/* We ignore this in a resumption handshake */
326	if (s->hit)
327	return 1;
328
329	/* Not defined if we get one of these in a client Certificate */
330	if (x != NULL)
331	return 1;
332
333	if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
334	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
335	return 0;
336	}
337
338	if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
339	/*
340	* We don't know what to do with any other type so ignore it.
341	*/
342	s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
343	return 1;
344	}
345
346	if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
347	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
348	return 0;
349	}
350
351	/*
352	* We remove any OCSP_RESPIDs from a previous handshake
353	* to prevent unbounded memory growth - CVE-2016-6304
354	*/
355	sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
356	if (PACKET_remaining(&responder_id_list) > 0) {
357	s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358	if (s->ext.ocsp.ids == NULL) {
359	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
360	return 0;
361	}
362	} else {
363	s->ext.ocsp.ids = NULL;
364	}
365
366	while (PACKET_remaining(&responder_id_list) > 0) {
367	OCSP_RESPID *id;
368	PACKET responder_id;
369	const unsigned char *id_data;
370
371	if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
372	\|\| PACKET_remaining(&responder_id) == 0) {
373	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374	return 0;
375	}
376
377	id_data = PACKET_data(&responder_id);
378	id = d2i_OCSP_RESPID(NULL, &id_data,
379	(int)PACKET_remaining(&responder_id));
380	if (id == NULL) {
381	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
382	return 0;
383	}
384
385	if (id_data != PACKET_end(&responder_id)) {
386	OCSP_RESPID_free(id);
387	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
388
389	return 0;
390	}
391
392	if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
393	OCSP_RESPID_free(id);
394	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
395
396	return 0;
397	}
398	}
399
400	/* Read in request_extensions */
401	if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
402	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
403	return 0;
404	}
405
406	if (PACKET_remaining(&exts) > 0) {
407	const unsigned char *ext_data = PACKET_data(&exts);
408
409	sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
410	X509_EXTENSION_free);
411	s->ext.ocsp.exts =
412	d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
413	if (s->ext.ocsp.exts == NULL \|\| ext_data != PACKET_end(&exts)) {
414	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
415	return 0;
416	}
417	}
418
419	return 1;
420	}
421	#endif
422
423	#ifndef OPENSSL_NO_NEXTPROTONEG
424	int tls_parse_ctos_npn(SSL_CONNECTION s, PACKET pkt, unsigned int context,
425	X509 *x, size_t chainidx)
426	{
427	/*
428	* We shouldn't accept this extension on a
429	* renegotiation.
430	*/
431	if (SSL_IS_FIRST_HANDSHAKE(s))
432	s->s3.npn_seen = 1;
433
434	return 1;
435	}
436	#endif
437
438	/*
439	* Save the ALPN extension in a ClientHello.\|pkt\| holds the contents of the ALPN
440	* extension, not including type and length. Returns: 1 on success, 0 on error.
441	*/
442	int tls_parse_ctos_alpn(SSL_CONNECTION s, PACKET pkt, unsigned int context,
443	X509 *x, size_t chainidx)
444	{
445	PACKET protocol_list, save_protocol_list, protocol;
446
447	if (!SSL_IS_FIRST_HANDSHAKE(s))
448	return 1;
449
450	if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
451	\|\| PACKET_remaining(&protocol_list) < 2) {
452	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
453	return 0;
454	}
455
456	save_protocol_list = protocol_list;
457	do {
458	/* Protocol names can't be empty. */
459	if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
460	\|\| PACKET_remaining(&protocol) == 0) {
461	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
462	return 0;
463	}
464	} while (PACKET_remaining(&protocol_list) != 0);
465
466	OPENSSL_free(s->s3.alpn_proposed);
467	s->s3.alpn_proposed = NULL;
468	s->s3.alpn_proposed_len = 0;
469	if (!PACKET_memdup(&save_protocol_list,
470	&s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
471	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
472	return 0;
473	}
474
475	return 1;
476	}
477
478	#ifndef OPENSSL_NO_SRTP
479	int tls_parse_ctos_use_srtp(SSL_CONNECTION s, PACKET pkt,
480	unsigned int context, X509 *x, size_t chainidx)
481	{
482	STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
483	unsigned int ct, mki_len, id;
484	int i, srtp_pref;
485	PACKET subpkt;
486	SSL *ssl = SSL_CONNECTION_GET_SSL(s);
487
488	/* Ignore this if we have no SRTP profiles */
489	if (SSL_get_srtp_profiles(ssl) == NULL)
490	return 1;
491
492	/* Pull off the length of the cipher suite list and check it is even */
493	if (!PACKET_get_net_2(pkt, &ct) \|\| (ct & 1) != 0
494	\|\| !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
495	SSLfatal(s, SSL_AD_DECODE_ERROR,
496	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
497	return 0;
498	}
499
500	srvr = SSL_get_srtp_profiles(ssl);
501	s->srtp_profile = NULL;
502	/* Search all profiles for a match initially */
503	srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
504
505	while (PACKET_remaining(&subpkt)) {
506	if (!PACKET_get_net_2(&subpkt, &id)) {
507	SSLfatal(s, SSL_AD_DECODE_ERROR,
508	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
509	return 0;
510	}
511
512	/*
513	* Only look for match in profiles of higher preference than
514	* current match.
515	* If no profiles have been have been configured then this
516	* does nothing.
517	*/
518	for (i = 0; i < srtp_pref; i++) {
519	SRTP_PROTECTION_PROFILE *sprof =
520	sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
521
522	if (sprof->id == id) {
523	s->srtp_profile = sprof;
524	srtp_pref = i;
525	break;
526	}
527	}
528	}
529
530	/* Now extract the MKI value as a sanity check, but discard it for now */
531	if (!PACKET_get_1(pkt, &mki_len)) {
532	SSLfatal(s, SSL_AD_DECODE_ERROR,
533	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
534	return 0;
535	}
536
537	if (!PACKET_forward(pkt, mki_len)
538	\|\| PACKET_remaining(pkt)) {
539	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
540	return 0;
541	}
542
543	return 1;
544	}
545	#endif
546
547	int tls_parse_ctos_etm(SSL_CONNECTION s, PACKET pkt, unsigned int context,
548	X509 *x, size_t chainidx)
549	{
550	if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
551	s->ext.use_etm = 1;
552
553	return 1;
554	}
555
556	/*
557	* Process a psk_kex_modes extension received in the ClientHello. \|pkt\| contains
558	* the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
559	*/
560	int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION s, PACKET pkt,
561	unsigned int context,
562	X509 *x, size_t chainidx)
563	{
564	#ifndef OPENSSL_NO_TLS1_3
565	PACKET psk_kex_modes;
566	unsigned int mode;
567
568	if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
569	\|\| PACKET_remaining(&psk_kex_modes) == 0) {
570	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
571	return 0;
572	}
573
574	while (PACKET_get_1(&psk_kex_modes, &mode)) {
575	if (mode == TLSEXT_KEX_MODE_KE_DHE)
576	s->ext.psk_kex_mode \|= TLSEXT_KEX_MODE_FLAG_KE_DHE;
577	else if (mode == TLSEXT_KEX_MODE_KE
578	&& (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
579	s->ext.psk_kex_mode \|= TLSEXT_KEX_MODE_FLAG_KE;
580	}
581
582	if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
583	&& (s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0) {
584
585	/*
586	* If NO_DHE is supported and preferred, then we only remember this
587	* mode. DHE PSK will not be used for sure, because in any case where
588	* it would be supported (i.e. if a key share is present), NO_DHE would
589	* be supported as well. As the latter is preferred it would be
590	* chosen. By removing DHE PSK here, we don't have to deal with the
591	* SSL_OP_PREFER_NO_DHE_KEX option in any other place.
592	*/
593	s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE;
594	}
595
596	#endif
597
598	return 1;
599	}
600
601	/*
602	* Process a key_share extension received in the ClientHello. \|pkt\| contains
603	* the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
604	*/
605	int tls_parse_ctos_key_share(SSL_CONNECTION s, PACKET pkt,
606	unsigned int context, X509 *x, size_t chainidx)
607	{
608	#ifndef OPENSSL_NO_TLS1_3
609	unsigned int group_id;
610	PACKET key_share_list, encoded_pt;
611	const uint16_t clntgroups, srvrgroups;
612	size_t clnt_num_groups, srvr_num_groups;
613	int found = 0;
614
615	if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
616	return 1;
617
618	/* Sanity check */
619	if (s->s3.peer_tmp != NULL) {
620	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
621	return 0;
622	}
623
624	if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
625	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
626	return 0;
627	}
628
629	/* Get our list of supported groups */
630	tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
631	/* Get the clients list of supported groups. */
632	tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
633	if (clnt_num_groups == 0) {
634	/*
635	* This can only happen if the supported_groups extension was not sent,
636	* because we verify that the length is non-zero when we process that
637	* extension.
638	*/
639	SSLfatal(s, SSL_AD_MISSING_EXTENSION,
640	SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
641	return 0;
642	}
643
644	if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
645	/*
646	* If we set a group_id already, then we must have sent an HRR
647	* requesting a new key_share. If we haven't got one then that is an
648	* error
649	*/
650	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
651	return 0;
652	}
653
654	while (PACKET_remaining(&key_share_list) > 0) {
655	if (!PACKET_get_net_2(&key_share_list, &group_id)
656	\|\| !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
657	\|\| PACKET_remaining(&encoded_pt) == 0) {
658	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
659	return 0;
660	}
661
662	/*
663	* If we already found a suitable key_share we loop through the
664	* rest to verify the structure, but don't process them.
665	*/
666	if (found)
667	continue;
668
669	/*
670	* If we sent an HRR then the key_share sent back MUST be for the group
671	* we requested, and must be the only key_share sent.
672	*/
673	if (s->s3.group_id != 0
674	&& (group_id != s->s3.group_id
675	\|\| PACKET_remaining(&key_share_list) != 0)) {
676	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
677	return 0;
678	}
679
680	/* Check if this share is in supported_groups sent from client */
681	if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
682	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
683	return 0;
684	}
685
686	/* Check if this share is for a group we can use */
687	if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
688	\|\| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
689	/*
690	* We tolerate but ignore a group id that we don't think is
691	* suitable for TLSv1.3
692	*/
693	\|\| !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
694	0, NULL)) {
695	/* Share not suitable */
696	continue;
697	}
698
699	s->s3.group_id = group_id;
700	/* Cache the selected group ID in the SSL_SESSION */
701	s->session->kex_group = group_id;
702
703	if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
704	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
705	SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
706	return 0;
707	}
708
709	if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
710	PACKET_data(&encoded_pt),
711	PACKET_remaining(&encoded_pt)) <= 0) {
712	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
713	return 0;
714	}
715
716	found = 1;
717	}
718	#endif
719
720	return 1;
721	}
722
723	int tls_parse_ctos_cookie(SSL_CONNECTION s, PACKET pkt, unsigned int context,
724	X509 *x, size_t chainidx)
725	{
726	#ifndef OPENSSL_NO_TLS1_3
727	unsigned int format, version, key_share, group_id;
728	EVP_MD_CTX *hctx;
729	EVP_PKEY *pkey;
730	PACKET cookie, raw, chhash, appcookie;
731	WPACKET hrrpkt;
732	const unsigned char data, mdin, *ciphdata;
733	unsigned char hmac[SHA256_DIGEST_LENGTH];
734	unsigned char hrr[MAX_HRR_SIZE];
735	size_t rawlen, hmaclen, hrrlen, ciphlen;
736	uint64_t tm, now;
737	SSL *ssl = SSL_CONNECTION_GET_SSL(s);
738	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
739
740	/* Ignore any cookie if we're not set up to verify it */
741	if (sctx->verify_stateless_cookie_cb == NULL
742	\|\| (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
743	return 1;
744
745	if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
746	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
747	return 0;
748	}
749
750	raw = cookie;
751	data = PACKET_data(&raw);
752	rawlen = PACKET_remaining(&raw);
753	if (rawlen < SHA256_DIGEST_LENGTH
754	\|\| !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
755	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
756	return 0;
757	}
758	mdin = PACKET_data(&raw);
759
760	/* Verify the HMAC of the cookie */
761	hctx = EVP_MD_CTX_create();
762	pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
763	sctx->propq,
764	s->session_ctx->ext.cookie_hmac_key,
765	sizeof(s->session_ctx->ext.cookie_hmac_key));
766	if (hctx == NULL \|\| pkey == NULL) {
767	EVP_MD_CTX_free(hctx);
768	EVP_PKEY_free(pkey);
769	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
770	return 0;
771	}
772
773	hmaclen = SHA256_DIGEST_LENGTH;
774	if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
775	sctx->propq, pkey, NULL) <= 0
776	\|\| EVP_DigestSign(hctx, hmac, &hmaclen, data,
777	rawlen - SHA256_DIGEST_LENGTH) <= 0
778	\|\| hmaclen != SHA256_DIGEST_LENGTH) {
779	EVP_MD_CTX_free(hctx);
780	EVP_PKEY_free(pkey);
781	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
782	return 0;
783	}
784
785	EVP_MD_CTX_free(hctx);
786	EVP_PKEY_free(pkey);
787
788	if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
789	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
790	return 0;
791	}
792
793	if (!PACKET_get_net_2(&cookie, &format)) {
794	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
795	return 0;
796	}
797	/* Check the cookie format is something we recognise. Ignore it if not */
798	if (format != COOKIE_STATE_FORMAT_VERSION)
799	return 1;
800
801	/*
802	* The rest of these checks really shouldn't fail since we have verified the
803	* HMAC above.
804	*/
805
806	/* Check the version number is sane */
807	if (!PACKET_get_net_2(&cookie, &version)) {
808	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
809	return 0;
810	}
811	if (version != TLS1_3_VERSION) {
812	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
813	SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
814	return 0;
815	}
816
817	if (!PACKET_get_net_2(&cookie, &group_id)) {
818	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
819	return 0;
820	}
821
822	ciphdata = PACKET_data(&cookie);
823	if (!PACKET_forward(&cookie, 2)) {
824	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
825	return 0;
826	}
827	if (group_id != s->s3.group_id
828	\|\| s->s3.tmp.new_cipher
829	!= ssl_get_cipher_by_char(s, ciphdata, 0)) {
830	/*
831	* We chose a different cipher or group id this time around to what is
832	* in the cookie. Something must have changed.
833	*/
834	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
835	return 0;
836	}
837
838	if (!PACKET_get_1(&cookie, &key_share)
839	\|\| !PACKET_get_net_8(&cookie, &tm)
840	\|\| !PACKET_get_length_prefixed_2(&cookie, &chhash)
841	\|\| !PACKET_get_length_prefixed_1(&cookie, &appcookie)
842	\|\| PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
843	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
844	return 0;
845	}
846
847	/* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
848	now = time(NULL);
849	if (tm > now \|\| (now - tm) > 600) {
850	/* Cookie is stale. Ignore it */
851	return 1;
852	}
853
854	/* Verify the app cookie */
855	if (sctx->verify_stateless_cookie_cb(ssl,
856	PACKET_data(&appcookie),
857	PACKET_remaining(&appcookie)) == 0) {
858	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
859	return 0;
860	}
861
862	/*
863	* Reconstruct the HRR that we would have sent in response to the original
864	* ClientHello so we can add it to the transcript hash.
865	* Note: This won't work with custom HRR extensions
866	*/
867	if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
868	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
869	return 0;
870	}
871	if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
872	\|\| !WPACKET_start_sub_packet_u24(&hrrpkt)
873	\|\| !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
874	\|\| !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
875	\|\| !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
876	s->tmp_session_id_len)
877	\|\| !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
878	&ciphlen)
879	\|\| !WPACKET_put_bytes_u8(&hrrpkt, 0)
880	\|\| !WPACKET_start_sub_packet_u16(&hrrpkt)) {
881	WPACKET_cleanup(&hrrpkt);
882	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
883	return 0;
884	}
885	if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
886	\|\| !WPACKET_start_sub_packet_u16(&hrrpkt)
887	\|\| !WPACKET_put_bytes_u16(&hrrpkt, s->version)
888	\|\| !WPACKET_close(&hrrpkt)) {
889	WPACKET_cleanup(&hrrpkt);
890	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
891	return 0;
892	}
893	if (key_share) {
894	if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
895	\|\| !WPACKET_start_sub_packet_u16(&hrrpkt)
896	\|\| !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
897	\|\| !WPACKET_close(&hrrpkt)) {
898	WPACKET_cleanup(&hrrpkt);
899	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
900	return 0;
901	}
902	}
903	if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
904	\|\| !WPACKET_start_sub_packet_u16(&hrrpkt)
905	\|\| !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
906	\|\| !WPACKET_close(&hrrpkt) /* cookie extension */
907	\|\| !WPACKET_close(&hrrpkt) /* extension block */
908	\|\| !WPACKET_close(&hrrpkt) /* message */
909	\|\| !WPACKET_get_total_written(&hrrpkt, &hrrlen)
910	\|\| !WPACKET_finish(&hrrpkt)) {
911	WPACKET_cleanup(&hrrpkt);
912	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
913	return 0;
914	}
915
916	/* Reconstruct the transcript hash */
917	if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
918	PACKET_remaining(&chhash), hrr,
919	hrrlen)) {
920	/* SSLfatal() already called */
921	return 0;
922	}
923
924	/* Act as if this ClientHello came after a HelloRetryRequest */
925	s->hello_retry_request = SSL_HRR_PENDING;
926
927	s->ext.cookieok = 1;
928	#endif
929
930	return 1;
931	}
932
933	int tls_parse_ctos_supported_groups(SSL_CONNECTION s, PACKET pkt,
934	unsigned int context,
935	X509 *x, size_t chainidx)
936	{
937	PACKET supported_groups_list;
938
939	/* Each group is 2 bytes and we must have at least 1. */
940	if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
941	\|\| PACKET_remaining(&supported_groups_list) == 0
942	\|\| (PACKET_remaining(&supported_groups_list) % 2) != 0) {
943	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
944	return 0;
945	}
946
947	if (!s->hit \|\| SSL_CONNECTION_IS_TLS13(s)) {
948	OPENSSL_free(s->ext.peer_supportedgroups);
949	s->ext.peer_supportedgroups = NULL;
950	s->ext.peer_supportedgroups_len = 0;
951	if (!tls1_save_u16(&supported_groups_list,
952	&s->ext.peer_supportedgroups,
953	&s->ext.peer_supportedgroups_len)) {
954	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
955	return 0;
956	}
957	}
958
959	return 1;
960	}
961
962	int tls_parse_ctos_ems(SSL_CONNECTION s, PACKET pkt, unsigned int context,
963	X509 *x, size_t chainidx)
964	{
965	/* The extension must always be empty */
966	if (PACKET_remaining(pkt) != 0) {
967	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
968	return 0;
969	}
970
971	if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
972	return 1;
973
974	s->s3.flags \|= TLS1_FLAGS_RECEIVED_EXTMS;
975
976	return 1;
977	}
978
979
980	int tls_parse_ctos_early_data(SSL_CONNECTION s, PACKET pkt, unsigned int context,
981	X509 *x, size_t chainidx)
982	{
983	if (PACKET_remaining(pkt) != 0) {
984	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
985	return 0;
986	}
987
988	if (s->hello_retry_request != SSL_HRR_NONE) {
989	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
990	return 0;
991	}
992
993	return 1;
994	}
995
996	static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION s, PACKET tick,
997	SSL_SESSION **sess)
998	{
999	SSL_SESSION *tmpsess = NULL;
1000
1001	s->ext.ticket_expected = 1;
1002
1003	switch (PACKET_remaining(tick)) {
1004	case 0:
1005	return SSL_TICKET_EMPTY;
1006
1007	case SSL_MAX_SSL_SESSION_ID_LENGTH:
1008	break;
1009
1010	default:
1011	return SSL_TICKET_NO_DECRYPT;
1012	}
1013
1014	tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1015	SSL_MAX_SSL_SESSION_ID_LENGTH);
1016
1017	if (tmpsess == NULL)
1018	return SSL_TICKET_NO_DECRYPT;
1019
1020	*sess = tmpsess;
1021	return SSL_TICKET_SUCCESS;
1022	}
1023
1024	int tls_parse_ctos_psk(SSL_CONNECTION s, PACKET pkt, unsigned int context,
1025	X509 *x, size_t chainidx)
1026	{
1027	PACKET identities, binders, binder;
1028	size_t binderoffset, hashsize;
1029	SSL_SESSION *sess = NULL;
1030	unsigned int id, i, ext = 0;
1031	const EVP_MD *md = NULL;
1032	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1033	SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1034
1035	/*
1036	* If we have no PSK kex mode that we recognise then we can't resume so
1037	* ignore this extension
1038	*/
1039	if ((s->ext.psk_kex_mode
1040	& (TLSEXT_KEX_MODE_FLAG_KE \| TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1041	return 1;
1042
1043	if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1044	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1045	return 0;
1046	}
1047
1048	s->ext.ticket_expected = 0;
1049	for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1050	PACKET identity;
1051	unsigned long ticket_agel;
1052	size_t idlen;
1053
1054	if (!PACKET_get_length_prefixed_2(&identities, &identity)
1055	\|\| !PACKET_get_net_4(&identities, &ticket_agel)) {
1056	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1057	return 0;
1058	}
1059
1060	idlen = PACKET_remaining(&identity);
1061	if (s->psk_find_session_cb != NULL
1062	&& !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
1063	&sess)) {
1064	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1065	return 0;
1066	}
1067
1068	#ifndef OPENSSL_NO_PSK
1069	if (sess == NULL
1070	&& s->psk_server_callback != NULL
1071	&& idlen <= PSK_MAX_IDENTITY_LEN) {
1072	char *pskid = NULL;
1073	unsigned char pskdata[PSK_MAX_PSK_LEN];
1074	unsigned int pskdatalen;
1075
1076	if (!PACKET_strndup(&identity, &pskid)) {
1077	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1078	return 0;
1079	}
1080	pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
1081	sizeof(pskdata));
1082	OPENSSL_free(pskid);
1083	if (pskdatalen > PSK_MAX_PSK_LEN) {
1084	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1085	return 0;
1086	} else if (pskdatalen > 0) {
1087	const SSL_CIPHER *cipher;
1088	const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1089
1090	/*
1091	* We found a PSK using an old style callback. We don't know
1092	* the digest so we default to SHA256 as per the TLSv1.3 spec
1093	*/
1094	cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
1095	if (cipher == NULL) {
1096	OPENSSL_cleanse(pskdata, pskdatalen);
1097	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1098	return 0;
1099	}
1100
1101	sess = SSL_SESSION_new();
1102	if (sess == NULL
1103	\|\| !SSL_SESSION_set1_master_key(sess, pskdata,
1104	pskdatalen)
1105	\|\| !SSL_SESSION_set_cipher(sess, cipher)
1106	\|\| !SSL_SESSION_set_protocol_version(sess,
1107	TLS1_3_VERSION)) {
1108	OPENSSL_cleanse(pskdata, pskdatalen);
1109	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1110	goto err;
1111	}
1112	OPENSSL_cleanse(pskdata, pskdatalen);
1113	}
1114	}
1115	#endif /* OPENSSL_NO_PSK */
1116
1117	if (sess != NULL) {
1118	/* We found a PSK */
1119	SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1120
1121	if (sesstmp == NULL) {
1122	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1123	return 0;
1124	}
1125	SSL_SESSION_free(sess);
1126	sess = sesstmp;
1127
1128	/*
1129	* We've just been told to use this session for this context so
1130	* make sure the sid_ctx matches up.
1131	*/
1132	memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1133	sess->sid_ctx_length = s->sid_ctx_length;
1134	ext = 1;
1135	if (id == 0)
1136	s->ext.early_data_ok = 1;
1137	s->ext.ticket_expected = 1;
1138	} else {
1139	OSSL_TIME t, age, expire;
1140	int ret;
1141
1142	/*
1143	* If we are using anti-replay protection then we behave as if
1144	* SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1145	* is no point in using full stateless tickets.
1146	*/
1147	if ((s->options & SSL_OP_NO_TICKET) != 0
1148	\|\| (s->max_early_data > 0
1149	&& (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1150	ret = tls_get_stateful_ticket(s, &identity, &sess);
1151	else
1152	ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1153	PACKET_remaining(&identity), NULL, 0,
1154	&sess);
1155
1156	if (ret == SSL_TICKET_EMPTY) {
1157	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1158	return 0;
1159	}
1160
1161	if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1162	\|\| ret == SSL_TICKET_FATAL_ERR_OTHER) {
1163	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1164	return 0;
1165	}
1166	if (ret == SSL_TICKET_NONE \|\| ret == SSL_TICKET_NO_DECRYPT)
1167	continue;
1168
1169	/* Check for replay */
1170	if (s->max_early_data > 0
1171	&& (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1172	&& !SSL_CTX_remove_session(s->session_ctx, sess)) {
1173	SSL_SESSION_free(sess);
1174	sess = NULL;
1175	continue;
1176	}
1177
1178	age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1179	ossl_ms2time(sess->ext.tick_age_add));
1180	t = ossl_time_subtract(ossl_time_now(), sess->time);
1181
1182	/*
1183	* Although internally we use OSS_TIME which has ns granularity,
1184	* when SSL_SESSION structures are serialised/deserialised we use
1185	* second granularity for the sess->time field. Therefore it could
1186	* appear that the client's ticket age is longer than ours (our
1187	* ticket age calculation should always be slightly longer than the
1188	* client's due to the network latency). Therefore we add 1000ms to
1189	* our age calculation to adjust for rounding errors.
1190	*/
1191	expire = ossl_time_add(t, ossl_ms2time(1000));
1192
1193	if (id == 0
1194	&& ossl_time_compare(sess->timeout, t) >= 0
1195	&& ossl_time_compare(age, expire) <= 0
1196	&& ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1197	expire) >= 0) {
1198	/*
1199	* Ticket age is within tolerance and not expired. We allow it
1200	* for early data
1201	*/
1202	s->ext.early_data_ok = 1;
1203	}
1204	}
1205
1206	md = ssl_md(sctx, sess->cipher->algorithm2);
1207	if (md == NULL) {
1208	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1209	goto err;
1210	}
1211	if (!EVP_MD_is_a(md,
1212	EVP_MD_get0_name(ssl_md(sctx,
1213	s->s3.tmp.new_cipher->algorithm2)))) {
1214	/* The ciphersuite is not compatible with this session. */
1215	SSL_SESSION_free(sess);
1216	sess = NULL;
1217	s->ext.early_data_ok = 0;
1218	s->ext.ticket_expected = 0;
1219	continue;
1220	}
1221	break;
1222	}
1223
1224	if (sess == NULL)
1225	return 1;
1226
1227	binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1228	hashsize = EVP_MD_get_size(md);
1229
1230	if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1231	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1232	goto err;
1233	}
1234
1235	for (i = 0; i <= id; i++) {
1236	if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1237	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1238	goto err;
1239	}
1240	}
1241
1242	if (PACKET_remaining(&binder) != hashsize) {
1243	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1244	goto err;
1245	}
1246	if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1247	binderoffset, PACKET_data(&binder), NULL, sess, 0,
1248	ext) != 1) {
1249	/* SSLfatal() already called */
1250	goto err;
1251	}
1252
1253	s->ext.tick_identity = id;
1254
1255	SSL_SESSION_free(s->session);
1256	s->session = sess;
1257	return 1;
1258	err:
1259	SSL_SESSION_free(sess);
1260	return 0;
1261	}
1262
1263	int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION s, PACKET pkt,
1264	ossl_unused unsigned int context,
1265	ossl_unused X509 *x,
1266	ossl_unused size_t chainidx)
1267	{
1268	if (PACKET_remaining(pkt) != 0) {
1269	SSLfatal(s, SSL_AD_DECODE_ERROR,
1270	SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1271	return 0;
1272	}
1273
1274	s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1275
1276	return 1;
1277	}
1278
1279	/*
1280	* Add the server's renegotiation binding
1281	*/
1282	EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION s, WPACKET pkt,
1283	unsigned int context, X509 *x,
1284	size_t chainidx)
1285	{
1286	if (!s->s3.send_connection_binding)
1287	return EXT_RETURN_NOT_SENT;
1288
1289	/* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1290	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1291	\|\| !WPACKET_start_sub_packet_u16(pkt)
1292	\|\| !WPACKET_start_sub_packet_u8(pkt)
1293	\|\| !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1294	s->s3.previous_client_finished_len)
1295	\|\| !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1296	s->s3.previous_server_finished_len)
1297	\|\| !WPACKET_close(pkt)
1298	\|\| !WPACKET_close(pkt)) {
1299	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1300	return EXT_RETURN_FAIL;
1301	}
1302
1303	return EXT_RETURN_SENT;
1304	}
1305
1306	EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION s, WPACKET pkt,
1307	unsigned int context, X509 *x,
1308	size_t chainidx)
1309	{
1310	if (s->servername_done != 1)
1311	return EXT_RETURN_NOT_SENT;
1312
1313	/*
1314	* Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1315	* We just use the servername from the initial handshake.
1316	*/
1317	if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
1318	return EXT_RETURN_NOT_SENT;
1319
1320	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1321	\|\| !WPACKET_put_bytes_u16(pkt, 0)) {
1322	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1323	return EXT_RETURN_FAIL;
1324	}
1325
1326	return EXT_RETURN_SENT;
1327	}
1328
1329	/* Add/include the server's max fragment len extension into ServerHello */
1330	EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION s, WPACKET pkt,
1331	unsigned int context, X509 *x,
1332	size_t chainidx)
1333	{
1334	if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1335	return EXT_RETURN_NOT_SENT;
1336
1337	/*-
1338	* 4 bytes for this extension type and extension length
1339	* 1 byte for the Max Fragment Length code value.
1340	*/
1341	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1342	\|\| !WPACKET_start_sub_packet_u16(pkt)
1343	\|\| !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1344	\|\| !WPACKET_close(pkt)) {
1345	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1346	return EXT_RETURN_FAIL;
1347	}
1348
1349	return EXT_RETURN_SENT;
1350	}
1351
1352	EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION s, WPACKET pkt,
1353	unsigned int context, X509 *x,
1354	size_t chainidx)
1355	{
1356	unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1357	unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1358	int using_ecc = ((alg_k & SSL_kECDHE) \|\| (alg_a & SSL_aECDSA))
1359	&& (s->ext.peer_ecpointformats != NULL);
1360	const unsigned char *plist;
1361	size_t plistlen;
1362
1363	if (!using_ecc)
1364	return EXT_RETURN_NOT_SENT;
1365
1366	tls1_get_formatlist(s, &plist, &plistlen);
1367	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1368	\|\| !WPACKET_start_sub_packet_u16(pkt)
1369	\|\| !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1370	\|\| !WPACKET_close(pkt)) {
1371	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1372	return EXT_RETURN_FAIL;
1373	}
1374
1375	return EXT_RETURN_SENT;
1376	}
1377
1378	EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION s, WPACKET pkt,
1379	unsigned int context, X509 *x,
1380	size_t chainidx)
1381	{
1382	const uint16_t *groups;
1383	size_t numgroups, i, first = 1;
1384	int version;
1385
1386	/* s->s3.group_id is non zero if we accepted a key_share */
1387	if (s->s3.group_id == 0)
1388	return EXT_RETURN_NOT_SENT;
1389
1390	/* Get our list of supported groups */
1391	tls1_get_supported_groups(s, &groups, &numgroups);
1392	if (numgroups == 0) {
1393	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1394	return EXT_RETURN_FAIL;
1395	}
1396
1397	/* Copy group ID if supported */
1398	version = SSL_version(SSL_CONNECTION_GET_SSL(s));
1399	for (i = 0; i < numgroups; i++) {
1400	uint16_t group = groups[i];
1401
1402	if (tls_valid_group(s, group, version, version, 0, NULL)
1403	&& tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1404	if (first) {
1405	/*
1406	* Check if the client is already using our preferred group. If
1407	* so we don't need to add this extension
1408	*/
1409	if (s->s3.group_id == group)
1410	return EXT_RETURN_NOT_SENT;
1411
1412	/* Add extension header */
1413	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1414	/* Sub-packet for supported_groups extension */
1415	\|\| !WPACKET_start_sub_packet_u16(pkt)
1416	\|\| !WPACKET_start_sub_packet_u16(pkt)) {
1417	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1418	return EXT_RETURN_FAIL;
1419	}
1420
1421	first = 0;
1422	}
1423	if (!WPACKET_put_bytes_u16(pkt, group)) {
1424	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1425	return EXT_RETURN_FAIL;
1426	}
1427	}
1428	}
1429
1430	if (!WPACKET_close(pkt) \|\| !WPACKET_close(pkt)) {
1431	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1432	return EXT_RETURN_FAIL;
1433	}
1434
1435	return EXT_RETURN_SENT;
1436	}
1437
1438	EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION s, WPACKET pkt,
1439	unsigned int context, X509 *x,
1440	size_t chainidx)
1441	{
1442	if (!s->ext.ticket_expected \|\| !tls_use_ticket(s)) {
1443	s->ext.ticket_expected = 0;
1444	return EXT_RETURN_NOT_SENT;
1445	}
1446
1447	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1448	\|\| !WPACKET_put_bytes_u16(pkt, 0)) {
1449	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1450	return EXT_RETURN_FAIL;
1451	}
1452
1453	return EXT_RETURN_SENT;
1454	}
1455
1456	#ifndef OPENSSL_NO_OCSP
1457	EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION s, WPACKET pkt,
1458	unsigned int context, X509 *x,
1459	size_t chainidx)
1460	{
1461	/* We don't currently support this extension inside a CertificateRequest */
1462	if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1463	return EXT_RETURN_NOT_SENT;
1464
1465	if (!s->ext.status_expected)
1466	return EXT_RETURN_NOT_SENT;
1467
1468	if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
1469	return EXT_RETURN_NOT_SENT;
1470
1471	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1472	\|\| !WPACKET_start_sub_packet_u16(pkt)) {
1473	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1474	return EXT_RETURN_FAIL;
1475	}
1476
1477	/*
1478	* In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1479	* send back an empty extension, with the certificate status appearing as a
1480	* separate message
1481	*/
1482	if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1483	/* SSLfatal() already called */
1484	return EXT_RETURN_FAIL;
1485	}
1486	if (!WPACKET_close(pkt)) {
1487	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1488	return EXT_RETURN_FAIL;
1489	}
1490
1491	return EXT_RETURN_SENT;
1492	}
1493	#endif
1494
1495	#ifndef OPENSSL_NO_NEXTPROTONEG
1496	EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION s, WPACKET pkt,
1497	unsigned int context, X509 *x,
1498	size_t chainidx)
1499	{
1500	const unsigned char *npa;
1501	unsigned int npalen;
1502	int ret;
1503	int npn_seen = s->s3.npn_seen;
1504	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1505
1506	s->s3.npn_seen = 0;
1507	if (!npn_seen \|\| sctx->ext.npn_advertised_cb == NULL)
1508	return EXT_RETURN_NOT_SENT;
1509
1510	ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1511	sctx->ext.npn_advertised_cb_arg);
1512	if (ret == SSL_TLSEXT_ERR_OK) {
1513	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1514	\|\| !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1515	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1516	return EXT_RETURN_FAIL;
1517	}
1518	s->s3.npn_seen = 1;
1519	return EXT_RETURN_SENT;
1520	}
1521
1522	return EXT_RETURN_NOT_SENT;
1523	}
1524	#endif
1525
1526	EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION s, WPACKET pkt, unsigned int context,
1527	X509 *x, size_t chainidx)
1528	{
1529	if (s->s3.alpn_selected == NULL)
1530	return EXT_RETURN_NOT_SENT;
1531
1532	if (!WPACKET_put_bytes_u16(pkt,
1533	TLSEXT_TYPE_application_layer_protocol_negotiation)
1534	\|\| !WPACKET_start_sub_packet_u16(pkt)
1535	\|\| !WPACKET_start_sub_packet_u16(pkt)
1536	\|\| !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1537	s->s3.alpn_selected_len)
1538	\|\| !WPACKET_close(pkt)
1539	\|\| !WPACKET_close(pkt)) {
1540	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1541	return EXT_RETURN_FAIL;
1542	}
1543
1544	return EXT_RETURN_SENT;
1545	}
1546
1547	#ifndef OPENSSL_NO_SRTP
1548	EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION s, WPACKET pkt,
1549	unsigned int context, X509 *x,
1550	size_t chainidx)
1551	{
1552	if (s->srtp_profile == NULL)
1553	return EXT_RETURN_NOT_SENT;
1554
1555	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1556	\|\| !WPACKET_start_sub_packet_u16(pkt)
1557	\|\| !WPACKET_put_bytes_u16(pkt, 2)
1558	\|\| !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1559	\|\| !WPACKET_put_bytes_u8(pkt, 0)
1560	\|\| !WPACKET_close(pkt)) {
1561	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1562	return EXT_RETURN_FAIL;
1563	}
1564
1565	return EXT_RETURN_SENT;
1566	}
1567	#endif
1568
1569	EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION s, WPACKET pkt,
1570	unsigned int context,
1571	X509 *x, size_t chainidx)
1572	{
1573	if (!s->ext.use_etm)
1574	return EXT_RETURN_NOT_SENT;
1575
1576	/*
1577	* Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1578	* for other cases too.
1579	*/
1580	if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1581	\|\| s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1582	\|\| s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1583	\|\| s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1584	\|\| s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1585	\|\| s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1586	s->ext.use_etm = 0;
1587	return EXT_RETURN_NOT_SENT;
1588	}
1589
1590	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1591	\|\| !WPACKET_put_bytes_u16(pkt, 0)) {
1592	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1593	return EXT_RETURN_FAIL;
1594	}
1595
1596	return EXT_RETURN_SENT;
1597	}
1598
1599	EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION s, WPACKET pkt,
1600	unsigned int context,
1601	X509 *x, size_t chainidx)
1602	{
1603	if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1604	return EXT_RETURN_NOT_SENT;
1605
1606	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1607	\|\| !WPACKET_put_bytes_u16(pkt, 0)) {
1608	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1609	return EXT_RETURN_FAIL;
1610	}
1611
1612	return EXT_RETURN_SENT;
1613	}
1614
1615	EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION s, WPACKET pkt,
1616	unsigned int context, X509 *x,
1617	size_t chainidx)
1618	{
1619	if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
1620	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1621	return EXT_RETURN_FAIL;
1622	}
1623
1624	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1625	\|\| !WPACKET_start_sub_packet_u16(pkt)
1626	\|\| !WPACKET_put_bytes_u16(pkt, s->version)
1627	\|\| !WPACKET_close(pkt)) {
1628	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1629	return EXT_RETURN_FAIL;
1630	}
1631
1632	return EXT_RETURN_SENT;
1633	}
1634
1635	EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION s, WPACKET pkt,
1636	unsigned int context, X509 *x,
1637	size_t chainidx)
1638	{
1639	#ifndef OPENSSL_NO_TLS1_3
1640	unsigned char *encodedPoint;
1641	size_t encoded_pt_len = 0;
1642	EVP_PKEY ckey = s->s3.peer_tmp, skey = NULL;
1643	const TLS_GROUP_INFO *ginf = NULL;
1644
1645	if (s->hello_retry_request == SSL_HRR_PENDING) {
1646	if (ckey != NULL) {
1647	/* Original key_share was acceptable so don't ask for another one */
1648	return EXT_RETURN_NOT_SENT;
1649	}
1650	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1651	\|\| !WPACKET_start_sub_packet_u16(pkt)
1652	\|\| !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1653	\|\| !WPACKET_close(pkt)) {
1654	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1655	return EXT_RETURN_FAIL;
1656	}
1657
1658	return EXT_RETURN_SENT;
1659	}
1660
1661	if (ckey == NULL) {
1662	/* No key_share received from client - must be resuming */
1663	if (!s->hit \|\| !tls13_generate_handshake_secret(s, NULL, 0)) {
1664	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1665	return EXT_RETURN_FAIL;
1666	}
1667	return EXT_RETURN_NOT_SENT;
1668	}
1669
1670	if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1671	/*
1672	* PSK ('hit') and explicitly not doing DHE. If the client sent the
1673	* DHE option, we take it by default, except if non-DHE would be
1674	* preferred by config, but this case would have been handled in
1675	* tls_parse_ctos_psk_kex_modes().
1676	*/
1677	return EXT_RETURN_NOT_SENT;
1678	}
1679
1680	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1681	\|\| !WPACKET_start_sub_packet_u16(pkt)
1682	\|\| !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1683	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1684	return EXT_RETURN_FAIL;
1685	}
1686
1687	if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1688	s->s3.group_id)) == NULL) {
1689	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1690	return EXT_RETURN_FAIL;
1691	}
1692
1693	if (!ginf->is_kem) {
1694	/* Regular KEX */
1695	skey = ssl_generate_pkey(s, ckey);
1696	if (skey == NULL) {
1697	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1698	return EXT_RETURN_FAIL;
1699	}
1700
1701	/* Generate encoding of server key */
1702	encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1703	if (encoded_pt_len == 0) {
1704	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1705	EVP_PKEY_free(skey);
1706	return EXT_RETURN_FAIL;
1707	}
1708
1709	if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1710	\|\| !WPACKET_close(pkt)) {
1711	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1712	EVP_PKEY_free(skey);
1713	OPENSSL_free(encodedPoint);
1714	return EXT_RETURN_FAIL;
1715	}
1716	OPENSSL_free(encodedPoint);
1717
1718	/*
1719	* This causes the crypto state to be updated based on the derived keys
1720	*/
1721	s->s3.tmp.pkey = skey;
1722	if (ssl_derive(s, skey, ckey, 1) == 0) {
1723	/* SSLfatal() already called */
1724	return EXT_RETURN_FAIL;
1725	}
1726	} else {
1727	/* KEM mode */
1728	unsigned char *ct = NULL;
1729	size_t ctlen = 0;
1730
1731	/*
1732	* This does not update the crypto state.
1733	*
1734	* The generated pms is stored in `s->s3.tmp.pms` to be later used via
1735	* ssl_gensecret().
1736	*/
1737	if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1738	/* SSLfatal() already called */
1739	return EXT_RETURN_FAIL;
1740	}
1741
1742	if (ctlen == 0) {
1743	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1744	OPENSSL_free(ct);
1745	return EXT_RETURN_FAIL;
1746	}
1747
1748	if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1749	\|\| !WPACKET_close(pkt)) {
1750	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1751	OPENSSL_free(ct);
1752	return EXT_RETURN_FAIL;
1753	}
1754	OPENSSL_free(ct);
1755
1756	/*
1757	* This causes the crypto state to be updated based on the generated pms
1758	*/
1759	if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1760	/* SSLfatal() already called */
1761	return EXT_RETURN_FAIL;
1762	}
1763	}
1764	s->s3.did_kex = 1;
1765	return EXT_RETURN_SENT;
1766	#else
1767	return EXT_RETURN_FAIL;
1768	#endif
1769	}
1770
1771	EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION s, WPACKET pkt,
1772	unsigned int context,
1773	X509 *x, size_t chainidx)
1774	{
1775	#ifndef OPENSSL_NO_TLS1_3
1776	unsigned char hashval1, hashval2, appcookie1, appcookie2, *cookie;
1777	unsigned char hmac, hmac2;
1778	size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1779	EVP_MD_CTX *hctx;
1780	EVP_PKEY *pkey;
1781	int ret = EXT_RETURN_FAIL;
1782	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1783	SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1784
1785	if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1786	return EXT_RETURN_NOT_SENT;
1787
1788	if (sctx->gen_stateless_cookie_cb == NULL) {
1789	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1790	return EXT_RETURN_FAIL;
1791	}
1792
1793	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1794	\|\| !WPACKET_start_sub_packet_u16(pkt)
1795	\|\| !WPACKET_start_sub_packet_u16(pkt)
1796	\|\| !WPACKET_get_total_written(pkt, &startlen)
1797	\|\| !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1798	\|\| !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1799	\|\| !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1800	\|\| !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1801	\|\| !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1802	&ciphlen)
1803	/* Is there a key_share extension present in this HRR? */
1804	\|\| !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1805	\|\| !WPACKET_put_bytes_u64(pkt, time(NULL))
1806	\|\| !WPACKET_start_sub_packet_u16(pkt)
1807	\|\| !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1808	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1809	return EXT_RETURN_FAIL;
1810	}
1811
1812	/*
1813	* Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1814	* on raw buffers, so we first reserve sufficient bytes (above) and then
1815	* subsequently allocate them (below)
1816	*/
1817	if (!ssl3_digest_cached_records(s, 0)
1818	\|\| !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1819	/* SSLfatal() already called */
1820	return EXT_RETURN_FAIL;
1821	}
1822
1823	if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1824	\|\| !ossl_assert(hashval1 == hashval2)
1825	\|\| !WPACKET_close(pkt)
1826	\|\| !WPACKET_start_sub_packet_u8(pkt)
1827	\|\| !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1828	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1829	return EXT_RETURN_FAIL;
1830	}
1831
1832	/* Generate the application cookie */
1833	if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1834	&appcookielen) == 0) {
1835	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1836	return EXT_RETURN_FAIL;
1837	}
1838
1839	if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1840	\|\| !ossl_assert(appcookie1 == appcookie2)
1841	\|\| !WPACKET_close(pkt)
1842	\|\| !WPACKET_get_total_written(pkt, &totcookielen)
1843	\|\| !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1844	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1845	return EXT_RETURN_FAIL;
1846	}
1847	hmaclen = SHA256_DIGEST_LENGTH;
1848
1849	totcookielen -= startlen;
1850	if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1851	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1852	return EXT_RETURN_FAIL;
1853	}
1854
1855	/* HMAC the cookie */
1856	hctx = EVP_MD_CTX_create();
1857	pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1858	sctx->propq,
1859	s->session_ctx->ext.cookie_hmac_key,
1860	sizeof(s->session_ctx->ext.cookie_hmac_key));
1861	if (hctx == NULL \|\| pkey == NULL) {
1862	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1863	goto err;
1864	}
1865
1866	if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1867	sctx->propq, pkey, NULL) <= 0
1868	\|\| EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1869	totcookielen) <= 0) {
1870	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1871	goto err;
1872	}
1873
1874	if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1875	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1876	goto err;
1877	}
1878
1879	if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1880	\|\| !ossl_assert(hmac == hmac2)
1881	\|\| !ossl_assert(cookie == hmac - totcookielen)
1882	\|\| !WPACKET_close(pkt)
1883	\|\| !WPACKET_close(pkt)) {
1884	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1885	goto err;
1886	}
1887
1888	ret = EXT_RETURN_SENT;
1889
1890	err:
1891	EVP_MD_CTX_free(hctx);
1892	EVP_PKEY_free(pkey);
1893	return ret;
1894	#else
1895	return EXT_RETURN_FAIL;
1896	#endif
1897	}
1898
1899	EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION s, WPACKET pkt,
1900	unsigned int context, X509 *x,
1901	size_t chainidx)
1902	{
1903	const unsigned char cryptopro_ext[36] = {
1904	0xfd, 0xe8, /* 65000 */
1905	0x00, 0x20, /* 32 bytes length */
1906	0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1907	0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1908	0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1909	0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1910	};
1911
1912	if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1913	&& (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1914	\|\| (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1915	& SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1916	return EXT_RETURN_NOT_SENT;
1917
1918	if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1919	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1920	return EXT_RETURN_FAIL;
1921	}
1922
1923	return EXT_RETURN_SENT;
1924	}
1925
1926	EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION s, WPACKET pkt,
1927	unsigned int context, X509 *x,
1928	size_t chainidx)
1929	{
1930	if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1931	if (s->max_early_data == 0)
1932	return EXT_RETURN_NOT_SENT;
1933
1934	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1935	\|\| !WPACKET_start_sub_packet_u16(pkt)
1936	\|\| !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1937	\|\| !WPACKET_close(pkt)) {
1938	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1939	return EXT_RETURN_FAIL;
1940	}
1941
1942	return EXT_RETURN_SENT;
1943	}
1944
1945	if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1946	return EXT_RETURN_NOT_SENT;
1947
1948	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1949	\|\| !WPACKET_start_sub_packet_u16(pkt)
1950	\|\| !WPACKET_close(pkt)) {
1951	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1952	return EXT_RETURN_FAIL;
1953	}
1954
1955	return EXT_RETURN_SENT;
1956	}
1957
1958	EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION s, WPACKET pkt,
1959	unsigned int context,
1960	X509 *x, size_t chainidx)
1961	{
1962	if (!s->hit)
1963	return EXT_RETURN_NOT_SENT;
1964
1965	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1966	\|\| !WPACKET_start_sub_packet_u16(pkt)
1967	\|\| !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1968	\|\| !WPACKET_close(pkt)) {
1969	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1970	return EXT_RETURN_FAIL;
1971	}
1972
1973	return EXT_RETURN_SENT;
1974	}
1975
1976	EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION sc, WPACKET pkt,
1977	unsigned int context,
1978	X509 *x, size_t chainidx)
1979	{
1980	if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
1981	&& (send_certificate_request(sc)
1982	\|\| sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
1983	/* Did not receive an acceptable cert type - and doing client auth */
1984	SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
1985	return EXT_RETURN_FAIL;
1986	}
1987
1988	if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
1989	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1990	return EXT_RETURN_NOT_SENT;
1991	}
1992
1993	/*
1994	* Note: only supposed to send this if we are going to do a cert request,
1995	* but TLSv1.3 could do a PHA request if the client supports it
1996	*/
1997	if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
1998	\|\| sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
1999	\|\| sc->client_cert_type == NULL) {
2000	/* if we don't send it, reset to TLSEXT_cert_type_x509 */
2001	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2002	sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2003	return EXT_RETURN_NOT_SENT;
2004	}
2005
2006	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2007	\|\| !WPACKET_start_sub_packet_u16(pkt)
2008	\|\| !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
2009	\|\| !WPACKET_close(pkt)) {
2010	SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2011	return EXT_RETURN_FAIL;
2012	}
2013	return EXT_RETURN_SENT;
2014	}
2015
2016	/* One of \|pref\|, \|other\| is configured and the values are sanitized */
2017	static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
2018	const unsigned char *other, size_t other_len,
2019	uint8_t *chosen_cert_type)
2020	{
2021	size_t i;
2022
2023	for (i = 0; i < pref_len; i++) {
2024	if (memchr(other, pref[i], other_len) != NULL) {
2025	*chosen_cert_type = pref[i];
2026	return OSSL_CERT_TYPE_CTOS_GOOD;
2027	}
2028	}
2029	return OSSL_CERT_TYPE_CTOS_ERROR;
2030	}
2031
2032	int tls_parse_ctos_client_cert_type(SSL_CONNECTION sc, PACKET pkt,
2033	unsigned int context,
2034	X509 *x, size_t chainidx)
2035	{
2036	PACKET supported_cert_types;
2037	const unsigned char *data;
2038	size_t len;
2039
2040	/* Ignore the extension */
2041	if (sc->client_cert_type == NULL) {
2042	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2043	sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2044	return 1;
2045	}
2046
2047	if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2048	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2049	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2050	return 0;
2051	}
2052	if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2053	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2054	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2055	return 0;
2056	}
2057	if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2058	sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2059	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2060	return 0;
2061	}
2062	/* client_cert_type: client (peer) has priority */
2063	sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2064	sc->client_cert_type, sc->client_cert_type_len,
2065	&sc->ext.client_cert_type);
2066
2067	/* Ignore the error until sending - so we can check cert auth*/
2068	return 1;
2069	}
2070
2071	EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION sc, WPACKET pkt,
2072	unsigned int context,
2073	X509 *x, size_t chainidx)
2074	{
2075	if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2076	sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2077	return EXT_RETURN_NOT_SENT;
2078	}
2079	if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2080	\|\| sc->server_cert_type == NULL) {
2081	/* if we don't send it, reset to TLSEXT_cert_type_x509 */
2082	sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2083	sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2084	return EXT_RETURN_NOT_SENT;
2085	}
2086
2087	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2088	\|\| !WPACKET_start_sub_packet_u16(pkt)
2089	\|\| !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2090	\|\| !WPACKET_close(pkt)) {
2091	SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2092	return EXT_RETURN_FAIL;
2093	}
2094	return EXT_RETURN_SENT;
2095	}
2096
2097	int tls_parse_ctos_server_cert_type(SSL_CONNECTION sc, PACKET pkt,
2098	unsigned int context,
2099	X509 *x, size_t chainidx)
2100	{
2101	PACKET supported_cert_types;
2102	const unsigned char *data;
2103	size_t len;
2104
2105	/* Ignore the extension */
2106	if (sc->server_cert_type == NULL) {
2107	sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2108	sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2109	return 1;
2110	}
2111
2112	if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2113	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2114	return 0;
2115	}
2116
2117	if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2118	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2119	return 0;
2120	}
2121	if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2122	SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2123	return 0;
2124	}
2125	/* server_cert_type: server (this) has priority */
2126	sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2127	data, len,
2128	&sc->ext.server_cert_type);
2129	if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2130	return 1;
2131
2132	/* Did not receive an acceptable cert type */
2133	SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2134	return 0;
2135	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-3.3.2/ssl/statem/extensions_srvr.c@ 108453

以其他格式下載: