extensions_clnt.c 54.4 KB
Newer Older
1
/*
2
 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 4 5 6 7 8 9
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

10
#include <openssl/ocsp.h>
11
#include "../ssl_locl.h"
M
Matt Caswell 已提交
12
#include "internal/cryptlib.h"
13 14
#include "statem_locl.h"

15 16 17
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx, int *al)
18 19 20
{
    /* Add RI if renegotiating */
    if (!s->renegotiate)
21
        return EXT_RETURN_NOT_SENT;
22 23 24 25 26 27

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
                               s->s3->previous_client_finished_len)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
28
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
29
        return EXT_RETURN_FAIL;
30 31
    }

32
    return EXT_RETURN_SENT;
33 34
}

35 36 37
EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx, int *al)
38
{
R
Rich Salz 已提交
39
    if (s->ext.hostname == NULL)
40
        return EXT_RETURN_NOT_SENT;
41 42 43 44 45 46 47 48

    /* Add TLS extension servername to the Client Hello message */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
               /* Sub-packet for server_name extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for servername list (always 1 hostname)*/
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
R
Rich Salz 已提交
49 50
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
                                       strlen(s->ext.hostname))
51 52
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
53
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
54
        return EXT_RETURN_FAIL;
55 56
    }

57
    return EXT_RETURN_SENT;
58 59 60
}

#ifndef OPENSSL_NO_SRP
61 62
EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
63 64 65
{
    /* Add SRP username if there is one */
    if (s->srp_ctx.login == NULL)
66
        return EXT_RETURN_NOT_SENT;
67 68 69 70 71 72 73 74 75 76 77

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
               /* Sub-packet for SRP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
               /* login must not be zero...internal error if so */
            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
            || !WPACKET_memcpy(pkt, s->srp_ctx.login,
                               strlen(s->srp_ctx.login))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
78
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR);
79
        return EXT_RETURN_FAIL;
80 81
    }

82
    return EXT_RETURN_SENT;
83 84 85 86 87 88
}
#endif

#ifndef OPENSSL_NO_EC
static int use_ecc(SSL *s)
{
89
    int i, end;
90 91 92 93 94 95 96 97
    unsigned long alg_k, alg_a;
    STACK_OF(SSL_CIPHER) *cipher_stack = NULL;

    /* See if we support any ECC ciphersuites */
    if (s->version == SSL3_VERSION)
        return 0;

    cipher_stack = SSL_get_ciphers(s);
98 99
    end = sk_SSL_CIPHER_num(cipher_stack);
    for (i = 0; i < end; i++) {
100 101 102 103 104
        const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

        alg_k = c->algorithm_mkey;
        alg_a = c->algorithm_auth;
        if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
105 106
                || (alg_a & SSL_aECDSA)
                || c->min_tls >= TLS1_3_VERSION)
B
Benjamin Kaduk 已提交
107
            return 1;
108 109
    }

B
Benjamin Kaduk 已提交
110
    return 0;
111 112
}

113 114 115
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx, int *al)
116 117 118 119 120
{
    const unsigned char *pformats;
    size_t num_formats;

    if (!use_ecc(s))
121
        return EXT_RETURN_NOT_SENT;
122 123 124 125 126 127 128 129 130

    /* Add TLS extension ECPointFormats to the ClientHello message */
    tls1_get_formatlist(s, &pformats, &num_formats);

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
               /* Sub-packet for formats extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
131
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
132
        return EXT_RETURN_FAIL;
133 134
    }

135
    return EXT_RETURN_SENT;
136 137
}

138 139 140
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
                                               unsigned int context, X509 *x,
                                               size_t chainidx, int *al)
141 142 143 144 145
{
    const unsigned char *pcurves = NULL, *pcurvestmp;
    size_t num_curves = 0, i;

    if (!use_ecc(s))
146
        return EXT_RETURN_NOT_SENT;
147 148 149 150 151 152

    /*
     * Add TLS extension supported_groups to the ClientHello message
     */
    /* TODO(TLS1.3): Add support for DHE groups */
    if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
M
Matt Caswell 已提交
153
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
154
               ERR_R_INTERNAL_ERROR);
155
        return EXT_RETURN_FAIL;
156 157 158 159 160 161 162
    }
    pcurvestmp = pcurves;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
               /* Sub-packet for supported_groups extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)) {
M
Matt Caswell 已提交
163
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
164
               ERR_R_INTERNAL_ERROR);
165
        return EXT_RETURN_FAIL;
166 167 168
    }
    /* Copy curve ID if supported */
    for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
169
        if (tls_curve_allowed(s, pcurvestmp, SSL_SECOP_CURVE_SUPPORTED)) {
170 171
            if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
                || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
M
Matt Caswell 已提交
172
                    SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
173
                           ERR_R_INTERNAL_ERROR);
174
                    return EXT_RETURN_FAIL;
175 176 177 178
                }
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
179
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
180
               ERR_R_INTERNAL_ERROR);
181
        return EXT_RETURN_FAIL;
182 183
    }

184
    return EXT_RETURN_SENT;
185 186 187
}
#endif

188 189 190
EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx, int *al)
191 192 193 194
{
    size_t ticklen;

    if (!tls_use_ticket(s))
195
        return EXT_RETURN_NOT_SENT;
196 197

    if (!s->new_session && s->session != NULL
198 199
            && s->session->ext.tick != NULL
            && s->session->ssl_version != TLS1_3_VERSION) {
R
Rich Salz 已提交
200 201 202 203 204 205
        ticklen = s->session->ext.ticklen;
    } else if (s->session && s->ext.session_ticket != NULL
               && s->ext.session_ticket->data != NULL) {
        ticklen = s->ext.session_ticket->length;
        s->session->ext.tick = OPENSSL_malloc(ticklen);
        if (s->session->ext.tick == NULL) {
M
Matt Caswell 已提交
206
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
207
                   ERR_R_INTERNAL_ERROR);
208
            return EXT_RETURN_FAIL;
209
        }
R
Rich Salz 已提交
210 211 212
        memcpy(s->session->ext.tick,
               s->ext.session_ticket->data, ticklen);
        s->session->ext.ticklen = ticklen;
213 214 215 216
    } else {
        ticklen = 0;
    }

R
Rich Salz 已提交
217 218
    if (ticklen == 0 && s->ext.session_ticket != NULL &&
            s->ext.session_ticket->data == NULL)
219
        return EXT_RETURN_NOT_SENT;
220 221

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
R
Rich Salz 已提交
222
            || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
M
Matt Caswell 已提交
223
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
224
        return EXT_RETURN_FAIL;
225 226
    }

227
    return EXT_RETURN_SENT;
228 229
}

230 231 232
EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx, int *al)
233 234
{
    size_t salglen;
235
    const uint16_t *salg;
236 237

    if (!SSL_CLIENT_USE_SIGALGS(s))
238
        return EXT_RETURN_NOT_SENT;
239

240
    salglen = tls12_get_psigalgs(s, 1, &salg);
241 242 243 244 245 246 247 248
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
               /* Sub-packet for sig-algs extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the actual list */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !tls12_copy_sigalgs(s, pkt, salg, salglen)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
249
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR);
250
        return EXT_RETURN_FAIL;
251 252
    }

253
    return EXT_RETURN_SENT;
254 255 256
}

#ifndef OPENSSL_NO_OCSP
257 258 259
EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx, int *al)
260 261 262
{
    int i;

263 264
    /* This extension isn't defined for client Certificates */
    if (x != NULL)
265
        return EXT_RETURN_NOT_SENT;
266

R
Rich Salz 已提交
267
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
268
        return EXT_RETURN_NOT_SENT;
269 270 271 272 273 274 275

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
               /* Sub-packet for status request extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
               /* Sub-packet for the ids */
            || !WPACKET_start_sub_packet_u16(pkt)) {
M
Matt Caswell 已提交
276
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
277
        return EXT_RETURN_FAIL;
278
    }
R
Rich Salz 已提交
279
    for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
280
        unsigned char *idbytes;
R
Rich Salz 已提交
281
        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
282
        int idlen = i2d_OCSP_RESPID(id, NULL);
283 284 285 286 287

        if (idlen <= 0
                   /* Sub-packet for an individual id */
                || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
                || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
M
Matt Caswell 已提交
288
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
289
                   ERR_R_INTERNAL_ERROR);
290
            return EXT_RETURN_FAIL;
291 292 293 294
        }
    }
    if (!WPACKET_close(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)) {
M
Matt Caswell 已提交
295
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
296
        return EXT_RETURN_FAIL;
297
    }
R
Rich Salz 已提交
298
    if (s->ext.ocsp.exts) {
299
        unsigned char *extbytes;
R
Rich Salz 已提交
300
        int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
301 302

        if (extlen < 0) {
M
Matt Caswell 已提交
303
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
304
                   ERR_R_INTERNAL_ERROR);
305
            return EXT_RETURN_FAIL;
306 307
        }
        if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
R
Rich Salz 已提交
308
                || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
309
                   != extlen) {
M
Matt Caswell 已提交
310
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
311
                   ERR_R_INTERNAL_ERROR);
312
            return EXT_RETURN_FAIL;
313 314 315
       }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
316
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
317
        return EXT_RETURN_FAIL;
318 319
    }

320
    return EXT_RETURN_SENT;
321 322 323 324
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
325 326
EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
327
{
328
    if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
329
        return EXT_RETURN_NOT_SENT;
330 331 332 333 334 335 336

    /*
     * The client advertises an empty extension to indicate its support
     * for Next Protocol Negotiation
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
M
Matt Caswell 已提交
337
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR);
338
        return EXT_RETURN_FAIL;
339 340
    }

341
    return EXT_RETURN_SENT;
342 343 344
}
#endif

345 346
EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx, int *al)
347 348 349
{
    s->s3->alpn_sent = 0;

350
    if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
351
        return EXT_RETURN_NOT_SENT;
352 353 354 355 356

    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
               /* Sub-packet ALPN extension */
            || !WPACKET_start_sub_packet_u16(pkt)
R
Rich Salz 已提交
357
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
358
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
359
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
360
        return EXT_RETURN_FAIL;
361 362 363
    }
    s->s3->alpn_sent = 1;

364
    return EXT_RETURN_SENT;
365 366 367 368
}


#ifndef OPENSSL_NO_SRTP
369 370 371
EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx, int *al)
372 373
{
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
374
    int i, end;
375 376

    if (clnt == NULL)
377
        return EXT_RETURN_NOT_SENT;
378 379 380 381 382 383

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
               /* Sub-packet for SRTP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the protection profile list */
            || !WPACKET_start_sub_packet_u16(pkt)) {
M
Matt Caswell 已提交
384
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
385
        return EXT_RETURN_FAIL;
386
    }
387 388 389 390 391 392

    end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
    for (i = 0; i < end; i++) {
        const SRTP_PROTECTION_PROFILE *prof =
            sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

393
        if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
M
Matt Caswell 已提交
394
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
395
            return EXT_RETURN_FAIL;
396 397 398 399 400 401
        }
    }
    if (!WPACKET_close(pkt)
               /* Add an empty use_mki value */
            || !WPACKET_put_bytes_u8(pkt, 0)
            || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
402
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
403
        return EXT_RETURN_FAIL;
404 405
    }

406
    return EXT_RETURN_SENT;
407 408 409
}
#endif

410 411
EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
412 413
{
    if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
414
        return EXT_RETURN_NOT_SENT;
415 416 417

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
M
Matt Caswell 已提交
418
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR);
419
        return EXT_RETURN_FAIL;
420 421
    }

422
    return EXT_RETURN_SENT;
423 424 425
}

#ifndef OPENSSL_NO_CT
426 427
EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
428 429
{
    if (s->ct_validation_callback == NULL)
430
        return EXT_RETURN_NOT_SENT;
431

432 433
    /* Not defined for client Certificates */
    if (x != NULL)
434
        return EXT_RETURN_NOT_SENT;
435

436 437
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
M
Matt Caswell 已提交
438
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR);
439
        return EXT_RETURN_FAIL;
440 441
    }

442
    return EXT_RETURN_SENT;
443 444 445
}
#endif

446 447
EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
448 449 450
{
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
M
Matt Caswell 已提交
451
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR);
452
        return EXT_RETURN_FAIL;
453 454
    }

455
    return EXT_RETURN_SENT;
456 457
}

458 459 460
EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
                                                 unsigned int context, X509 *x,
                                                 size_t chainidx, int *al)
461 462 463 464 465 466
{
    int currv, min_version, max_version, reason;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)) {
M
Matt Caswell 已提交
467
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
468
               ERR_R_INTERNAL_ERROR);
469
        return EXT_RETURN_FAIL;
470 471
    }

472
    reason = ssl_get_min_max_version(s, &min_version, &max_version);
473
    if (reason != 0) {
M
Matt Caswell 已提交
474
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
475
        return EXT_RETURN_FAIL;
476 477 478
    }

    /*
F
FdaSilvaYY 已提交
479
     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
480 481 482 483 484 485 486
     * we should include versions <TLS1.2. For the moment we do. To be
     * reviewed later.
     */
    for (currv = max_version; currv >= min_version; currv--) {
        /* TODO(TLS1.3): Remove this first if clause prior to release!! */
        if (currv == TLS1_3_VERSION) {
            if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
M
Matt Caswell 已提交
487
                SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
488
                       ERR_R_INTERNAL_ERROR);
489
                return EXT_RETURN_FAIL;
490 491
            }
        } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
M
Matt Caswell 已提交
492
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
493
                   ERR_R_INTERNAL_ERROR);
494
            return EXT_RETURN_FAIL;
495 496 497
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
498
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
499
               ERR_R_INTERNAL_ERROR);
500
        return EXT_RETURN_FAIL;
501 502
    }

503
    return EXT_RETURN_SENT;
504 505
}

506
/*
507
 * Construct a psk_kex_modes extension.
508
 */
509 510 511
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx, int *al)
512 513
{
#ifndef OPENSSL_NO_TLS1_3
514 515
    int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;

516 517 518 519
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
520
            || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
521 522 523
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
524
        return EXT_RETURN_FAIL;
525
    }
526

527 528 529
    s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
    if (nodhe)
        s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
530 531
#endif

532
    return EXT_RETURN_SENT;
533 534
}

535 536 537
#ifndef OPENSSL_NO_TLS1_3
static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
{
M
Matt Caswell 已提交
538 539
    unsigned char *encoded_point = NULL;
    EVP_PKEY *key_share_key = NULL;
540 541
    size_t encodedlen;

M
Matt Caswell 已提交
542
    if (s->s3->tmp.pkey != NULL) {
543
        if (!ossl_assert(s->hello_retry_request)) {
M
Matt Caswell 已提交
544
            SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
545
            return 0;
M
Matt Caswell 已提交
546 547 548 549 550 551 552 553 554
        }
        /*
         * Could happen if we got an HRR that wasn't requesting a new key_share
         */
        key_share_key = s->s3->tmp.pkey;
    } else {
        key_share_key = ssl_generate_pkey_curve(curve_id);
        if (key_share_key == NULL) {
            SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB);
555
            return 0;
M
Matt Caswell 已提交
556
        }
557 558 559 560
    }

    /* Encode the public key. */
    encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
561
                                                &encoded_point);
562 563
    if (encodedlen == 0) {
        SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
564
        goto err;
565 566 567 568
    }

    /* Create KeyShareEntry */
    if (!WPACKET_put_bytes_u16(pkt, curve_id)
569
            || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
570
        SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
571
        goto err;
572 573 574 575 576 577 578 579 580
    }

    /*
     * TODO(TLS1.3): When changing to send more than one key_share we're
     * going to need to be able to save more than one EVP_PKEY. For now
     * we reuse the existing tmp.pkey
     */
    s->s3->tmp.pkey = key_share_key;
    s->s3->group_id = curve_id;
581
    OPENSSL_free(encoded_point);
582

583
    return 1;
M
Matt Caswell 已提交
584 585 586 587
 err:
    if (s->s3->tmp.pkey == NULL)
        EVP_PKEY_free(key_share_key);
    OPENSSL_free(encoded_point);
588
    return 0;
589 590 591
}
#endif

592 593 594
EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
                                        unsigned int context, X509 *x,
                                        size_t chainidx, int *al)
595
{
M
Matt Caswell 已提交
596
#ifndef OPENSSL_NO_TLS1_3
597
    size_t i, num_curves = 0;
598
    const unsigned char *pcurves = NULL;
599
    unsigned int curve_id = 0;
600 601 602 603 604 605 606

    /* key_share extension */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
               /* Extension data sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* KeyShare list sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)) {
M
Matt Caswell 已提交
607
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
608
        return EXT_RETURN_FAIL;
609 610 611
    }

    if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
M
Matt Caswell 已提交
612
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
613
        return EXT_RETURN_FAIL;
614 615 616 617 618 619
    }

    /*
     * TODO(TLS1.3): Make the number of key_shares sent configurable. For
     * now, just send one
     */
620 621 622 623
    if (s->s3->group_id != 0) {
        curve_id = s->s3->group_id;
    } else {
        for (i = 0; i < num_curves; i++, pcurves += 2) {
624

625 626
            if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
                continue;
627

M
Matt Caswell 已提交
628
            curve_id = bytestogroup(pcurves);
629
            break;
630
        }
631
    }
632

633 634
    if (curve_id == 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
635
        return EXT_RETURN_FAIL;
636 637
    }

638
    if (!add_key_share(s, pkt, curve_id))
639
        return EXT_RETURN_FAIL;
640

641
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
M
Matt Caswell 已提交
642
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
643
        return EXT_RETURN_FAIL;
644
    }
M
Matt Caswell 已提交
645
#endif
646

647
    return EXT_RETURN_SENT;
648 649
}

650 651
EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                     X509 *x, size_t chainidx, int *al)
M
Matt Caswell 已提交
652
{
653
    EXT_RETURN ret = EXT_RETURN_FAIL;
M
Matt Caswell 已提交
654 655 656

    /* Should only be set if we've had an HRR */
    if (s->ext.tls13_cookie_len == 0)
657
        return EXT_RETURN_NOT_SENT;
M
Matt Caswell 已提交
658 659 660 661 662 663 664 665 666 667 668

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
               /* Extension data sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
                                       s->ext.tls13_cookie_len)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, ERR_R_INTERNAL_ERROR);
        goto end;
    }

669
    ret = EXT_RETURN_SENT;
M
Matt Caswell 已提交
670 671
 end:
    OPENSSL_free(s->ext.tls13_cookie);
672
    s->ext.tls13_cookie = NULL;
M
Matt Caswell 已提交
673 674 675 676 677
    s->ext.tls13_cookie_len = 0;

    return ret;
}

678 679 680
EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
                                         unsigned int context, X509 *x,
                                         size_t chainidx, int *al)
681
{
682
    const unsigned char *id = NULL;
683
    size_t idlen = 0;
684
    SSL_SESSION *psksess = NULL;
685
    SSL_SESSION *edsess = NULL;
686 687 688 689 690 691
    const EVP_MD *handmd = NULL;

    if (s->hello_retry_request)
        handmd = ssl_handshake_md(s);

    if (s->psk_use_session_cb != NULL
692 693 694 695
            && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
                || (psksess != NULL
                    && psksess->ssl_version != TLS1_3_VERSION))) {
        SSL_SESSION_free(psksess);
696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, SSL_R_BAD_PSK);
        return EXT_RETURN_FAIL;
    }

    SSL_SESSION_free(s->psksession);
    s->psksession = psksess;
    if (psksess != NULL) {
        OPENSSL_free(s->psksession_id);
        s->psksession_id = OPENSSL_memdup(id, idlen);
        if (s->psksession_id == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        s->psksession_id_len = idlen;
    }

712
    if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
713 714
            || (s->session->ext.max_early_data == 0
                && (psksess == NULL || psksess->ext.max_early_data == 0))) {
715
        s->max_early_data = 0;
716
        return EXT_RETURN_NOT_SENT;
717
    }
718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760
    edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
    s->max_early_data = edsess->ext.max_early_data;

    if ((s->ext.hostname == NULL && edsess->ext.hostname != NULL)
            || (s->ext.hostname != NULL
                && (edsess->ext.hostname == NULL
                    || strcmp(s->ext.hostname, edsess->ext.hostname) != 0))) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
               SSL_R_INCONSISTENT_EARLY_DATA_SNI);
        return EXT_RETURN_FAIL;
    }

    if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
               SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
        return EXT_RETURN_FAIL;
    }

    /*
     * Verify that we are offering an ALPN protocol consistent with the early
     * data.
     */
    if (edsess->ext.alpn_selected != NULL) {
        PACKET prots, alpnpkt;
        int found = 0;

        if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
            if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
                             edsess->ext.alpn_selected_len)) {
                found = 1;
                break;
            }
        }
        if (!found) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
                   SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
            return EXT_RETURN_FAIL;
        }
    }
761 762 763 764 765

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
766
        return EXT_RETURN_FAIL;
767 768 769 770 771 772 773
    }

    /*
     * We set this to rejected here. Later, if the server acknowledges the
     * extension, we set it to accepted.
     */
    s->ext.early_data = SSL_EARLY_DATA_REJECTED;
774
    s->ext.early_data_ok = 1;
775

776
    return EXT_RETURN_SENT;
777 778
}

779 780 781
#define F5_WORKAROUND_MIN_MSG_LEN   0xff
#define F5_WORKAROUND_MAX_MSG_LEN   0x200

M
Matt Caswell 已提交
782 783 784 785 786 787 788 789 790 791 792 793 794 795
/*
 * PSK pre binder overhead =
 *  2 bytes for TLSEXT_TYPE_psk
 *  2 bytes for extension length
 *  2 bytes for identities list length
 *  2 bytes for identity length
 *  4 bytes for obfuscated_ticket_age
 *  2 bytes for binder list length
 *  1 byte for binder length
 * The above excludes the number of bytes for the identity itself and the
 * subsequent binder bytes
 */
#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)

796 797 798
EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
                                      unsigned int context, X509 *x,
                                      size_t chainidx, int *al)
799 800 801 802 803
{
    unsigned char *padbytes;
    size_t hlen;

    if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
804
        return EXT_RETURN_NOT_SENT;
805 806

    /*
M
Matt Caswell 已提交
807 808 809 810
     * Add padding to workaround bugs in F5 terminators. See RFC7685.
     * This code calculates the length of all extensions added so far but
     * excludes the PSK extension (because that MUST be written last). Therefore
     * this extension MUST always appear second to last.
811 812
     */
    if (!WPACKET_get_total_written(pkt, &hlen)) {
M
Matt Caswell 已提交
813
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
814
        return EXT_RETURN_FAIL;
815 816
    }

M
Matt Caswell 已提交
817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835
    /*
     * If we're going to send a PSK then that will be written out after this
     * extension, so we need to calculate how long it is going to be.
     */
    if (s->session->ssl_version == TLS1_3_VERSION
            && s->session->ext.ticklen != 0
            && s->session->cipher != NULL) {
        const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);

        if (md != NULL) {
            /*
             * Add the fixed PSK overhead, the identity length and the binder
             * length.
             */
            hlen +=  PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
                     + EVP_MD_size(md);
        }
    }

836
    if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
F
FdaSilvaYY 已提交
837
        /* Calculate the amount of padding we need to add */
838 839 840 841
        hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;

        /*
         * Take off the size of extension header itself (2 bytes for type and
842 843 844
         * 2 bytes for length bytes), but ensure that the extension is at least
         * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
         * 8.x are intolerant of that condition)
845
         */
846 847 848
        if (hlen >= 4)
            hlen -= 4;
        else
849
            hlen = 1;
850 851 852

        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
                || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
M
Matt Caswell 已提交
853
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
854 855 856 857 858
            return 0;
        }
        memset(padbytes, 0, hlen);
    }

859
    return EXT_RETURN_SENT;
860 861
}

862 863 864
/*
 * Construct the pre_shared_key extension
 */
865 866
EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
867 868
{
#ifndef OPENSSL_NO_TLS1_3
P
Paul Yang 已提交
869
    uint32_t now, agesec, agems = 0;
870
    size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
871
    unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
P
Paul Yang 已提交
872
    const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
873
    EXT_RETURN ret = EXT_RETURN_FAIL;
874
    int dores = 0;
875 876 877

    s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;

M
Matt Caswell 已提交
878 879 880 881 882 883
    /*
     * Note: At this stage of the code we only support adding a single
     * resumption PSK. If we add support for multiple PSKs then the length
     * calculations in the padding extension will need to be adjusted.
     */

884
    /*
885 886
     * If this is an incompatible or new session then we have nothing to resume
     * so don't add this extension.
887
     */
888
    if (s->session->ssl_version != TLS1_3_VERSION
889
            || (s->session->ext.ticklen == 0 && s->psksession == NULL))
890
        return EXT_RETURN_NOT_SENT;
891

892 893 894 895
    if (s->hello_retry_request)
        handmd = ssl_handshake_md(s);

    if (s->session->ext.ticklen != 0) {
896
        /* Get the digest associated with the ciphersuite in the session */
897 898 899 900 901 902
        if (s->session->cipher == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
            goto err;
        }
        mdres = ssl_md(s->session->cipher->algorithm2);
        if (mdres == NULL) {
903 904 905 906
            /*
             * Don't recognize this cipher so we can't use the session.
             * Ignore it
             */
907 908 909 910 911
            goto dopsksess;
        }

        if (s->hello_retry_request && mdres != handmd) {
            /*
912 913
             * Selected ciphersuite hash does not match the hash for the session
             * so we can't use it.
914 915 916
             */
            goto dopsksess;
        }
917

918
        /*
919
         * Technically the C standard just says time() returns a time_t and says
920 921 922 923 924
         * nothing about the encoding of that type. In practice most
         * implementations follow POSIX which holds it as an integral type in
         * seconds since epoch. We've already made the assumption that we can do
         * this in multiple places in the code, so portability shouldn't be an
         * issue.
925
         */
926 927
        now = (uint32_t)time(NULL);
        agesec = now - (uint32_t)s->session->time;
928

929 930 931 932
        if (s->session->ext.tick_lifetime_hint < agesec) {
            /* Ticket is too old. Ignore it. */
            goto dopsksess;
        }
933

934 935 936 937 938
        /*
         * Calculate age in ms. We're just doing it to nearest second. Should be
         * good enough.
         */
        agems = agesec * (uint32_t)1000;
M
Matt Caswell 已提交
939

940 941
        if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
            /*
942 943
             * Overflow. Shouldn't happen unless this is a *really* old session.
             * If so we just ignore it.
944 945 946
             */
            goto dopsksess;
        }
947 948

        /*
949 950
         * Obfuscate the age. Overflow here is fine, this addition is supposed
         * to be mod 2^32.
951
         */
952 953 954 955
        agems += s->session->ext.tick_age_add;

        reshashsize = EVP_MD_size(mdres);
        dores = 1;
956 957
    }

958
 dopsksess:
959
    if (!dores && s->psksession == NULL)
960
        return EXT_RETURN_NOT_SENT;
961

962 963
    if (s->psksession != NULL) {
        mdpsk = ssl_md(s->psksession->cipher->algorithm2);
964 965 966 967 968 969 970 971 972
        if (mdpsk == NULL) {
            /*
             * Don't recognize this cipher so we can't use the session.
             * If this happens it's an application bug.
             */
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, SSL_R_BAD_PSK);
            goto err;
        }

973
        if (s->hello_retry_request && mdpsk != handmd) {
974 975 976 977 978 979 980 981 982 983
            /*
             * Selected ciphersuite hash does not match the hash for the PSK
             * session. This is an application bug.
             */
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, SSL_R_BAD_PSK);
            goto err;
        }

        pskhashsize = EVP_MD_size(mdpsk);
    }
984 985 986 987

    /* Create the extension, but skip over the binder for now */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
            || !WPACKET_start_sub_packet_u16(pkt)
988 989 990 991 992 993 994 995 996 997 998 999 1000 1001
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (dores) {
        if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
                                           s->session->ext.ticklen)
                || !WPACKET_put_bytes_u32(pkt, agems)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
            goto err;
        }
    }

1002 1003 1004
    if (s->psksession != NULL) {
        if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
                                    s->psksession_id_len)
1005 1006 1007 1008 1009 1010 1011
                || !WPACKET_put_bytes_u32(pkt, 0)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
            goto err;
        }
    }

    if (!WPACKET_close(pkt)
1012 1013
            || !WPACKET_get_total_written(pkt, &binderoffset)
            || !WPACKET_start_sub_packet_u16(pkt)
1014 1015
            || (dores
                && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1016
            || (s->psksession != NULL
1017
                && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)
            || !WPACKET_get_total_written(pkt, &msglen)
               /*
                * We need to fill in all the sub-packet lengths now so we can
                * calculate the HMAC of the message up to the binders
                */
            || !WPACKET_fill_lengths(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    msgstart = WPACKET_get_curr(pkt) - msglen;

1032 1033 1034
    if (dores
            && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
                                 resbinder, s->session, 1, 0) != 1) {
1035 1036 1037 1038
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
        goto err;
    }

1039
    if (s->psksession != NULL
1040
            && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1041
                                 pskbinder, s->psksession, 1, 1) != 1) {
1042 1043 1044 1045 1046 1047
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (dores)
        s->session->ext.tick_identity = 0;
1048
    if (s->psksession != NULL)
1049
        s->psksession->ext.tick_identity = (dores ? 1 : 0);
1050

1051
    ret = EXT_RETURN_SENT;
1052 1053 1054 1055 1056 1057 1058
 err:
    return ret;
#else
    return 1;
#endif
}

1059 1060 1061
/*
 * Parse the server's renegotiation binding and abort if it's not right
 */
1062 1063
int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx, int *al)
1064 1065 1066 1067 1068 1069 1070
{
    size_t expected_len = s->s3->previous_client_finished_len
        + s->s3->previous_server_finished_len;
    size_t ilen;
    const unsigned char *data;

    /* Check for logic errors */
1071 1072 1073 1074 1075 1076 1077
    if (!ossl_assert(expected_len == 0
                     || s->s3->previous_client_finished_len != 0)
        || !ossl_assert(expected_len == 0
                        || s->s3->previous_server_finished_len != 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
1078 1079 1080

    /* Parse the length byte */
    if (!PACKET_get_1_len(pkt, &ilen)) {
M
Matt Caswell 已提交
1081
        SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1082
               SSL_R_RENEGOTIATION_ENCODING_ERR);
1083
        *al = SSL_AD_DECODE_ERROR;
1084 1085 1086 1087 1088
        return 0;
    }

    /* Consistency check */
    if (PACKET_remaining(pkt) != ilen) {
M
Matt Caswell 已提交
1089
        SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1090
               SSL_R_RENEGOTIATION_ENCODING_ERR);
1091
        *al = SSL_AD_DECODE_ERROR;
1092 1093 1094 1095 1096
        return 0;
    }

    /* Check that the extension matches */
    if (ilen != expected_len) {
M
Matt Caswell 已提交
1097
        SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1098
               SSL_R_RENEGOTIATION_MISMATCH);
1099
        *al = SSL_AD_ILLEGAL_PARAMETER;
1100 1101 1102 1103 1104 1105
        return 0;
    }

    if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
        || memcmp(data, s->s3->previous_client_finished,
                  s->s3->previous_client_finished_len) != 0) {
M
Matt Caswell 已提交
1106
        SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1107
               SSL_R_RENEGOTIATION_MISMATCH);
1108
        *al = SSL_AD_ILLEGAL_PARAMETER;
1109 1110 1111 1112 1113 1114
        return 0;
    }

    if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
        || memcmp(data, s->s3->previous_server_finished,
                  s->s3->previous_server_finished_len) != 0) {
M
Matt Caswell 已提交
1115
        SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1116 1117 1118 1119 1120 1121 1122 1123 1124
               SSL_R_RENEGOTIATION_MISMATCH);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return 0;
    }
    s->s3->send_connection_binding = 1;

    return 1;
}

1125 1126
int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx, int *al)
1127
{
1128 1129 1130 1131 1132 1133 1134
    if (s->ext.hostname == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }

    if (PACKET_remaining(pkt) > 0) {
        *al = SSL_AD_DECODE_ERROR;
1135 1136 1137 1138
        return 0;
    }

    if (!s->hit) {
R
Rich Salz 已提交
1139
        if (s->session->ext.hostname != NULL) {
1140 1141 1142
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
R
Rich Salz 已提交
1143 1144
        s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
        if (s->session->ext.hostname == NULL) {
1145 1146 1147 1148 1149 1150 1151 1152 1153
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
    }

    return 1;
}

#ifndef OPENSSL_NO_EC
1154 1155
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx, int *al)
1156
{
R
Rich Salz 已提交
1157
    unsigned int ecpointformats_len;
1158 1159 1160 1161 1162 1163 1164
    PACKET ecptformatlist;

    if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
    if (!s->hit) {
R
Rich Salz 已提交
1165 1166
        ecpointformats_len = PACKET_remaining(&ecptformatlist);
        s->session->ext.ecpointformats_len = 0;
1167

R
Rich Salz 已提交
1168 1169 1170
        OPENSSL_free(s->session->ext.ecpointformats);
        s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
        if (s->session->ext.ecpointformats == NULL) {
1171 1172 1173 1174
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }

R
Rich Salz 已提交
1175
        s->session->ext.ecpointformats_len = ecpointformats_len;
1176 1177

        if (!PACKET_copy_bytes(&ecptformatlist,
R
Rich Salz 已提交
1178 1179
                               s->session->ext.ecpointformats,
                               ecpointformats_len)) {
1180 1181 1182 1183 1184 1185 1186 1187 1188
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
    }

    return 1;
}
#endif

1189 1190
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
1191
{
R
Rich Salz 已提交
1192 1193 1194 1195
    if (s->ext.session_ticket_cb != NULL &&
        !s->ext.session_ticket_cb(s, PACKET_data(pkt),
                              PACKET_remaining(pkt),
                              s->ext.session_ticket_cb_arg)) {
1196 1197 1198
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
1199

1200
    if (!tls_use_ticket(s)) {
1201 1202 1203
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
    }
1204 1205 1206 1207
    if (PACKET_remaining(pkt) > 0) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
1208

R
Rich Salz 已提交
1209
    s->ext.ticket_expected = 1;
1210 1211 1212 1213

    return 1;
}

1214
#ifndef OPENSSL_NO_OCSP
1215 1216
int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx, int *al)
1217 1218
{
    /*
1219 1220
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
1221
     */
1222
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1223 1224 1225
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
    }
1226 1227 1228 1229
    if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
1230 1231 1232

    if (SSL_IS_TLS13(s)) {
        /* We only know how to handle this if it's for the first Certificate in
F
FdaSilvaYY 已提交
1233
         * the chain. We ignore any other responses.
1234
         */
1235
        if (chainidx != 0)
1236 1237 1238 1239
            return 1;
        return tls_process_cert_status_body(s, pkt, al);
    }

1240
    /* Set flag to expect CertificateStatus message */
R
Rich Salz 已提交
1241
    s->ext.status_expected = 1;
1242 1243 1244

    return 1;
}
1245
#endif
1246 1247 1248


#ifndef OPENSSL_NO_CT
1249 1250
int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
1251 1252 1253 1254 1255 1256 1257 1258 1259 1260
{
    /*
     * Only take it if we asked for it - i.e if there is no CT validation
     * callback set, then a custom extension MAY be processing it, so we
     * need to let control continue to flow to that.
     */
    if (s->ct_validation_callback != NULL) {
        size_t size = PACKET_remaining(pkt);

        /* Simply copy it off for later processing */
R
Rich Salz 已提交
1261 1262
        OPENSSL_free(s->ext.scts);
        s->ext.scts = NULL;
1263

R
Rich Salz 已提交
1264
        s->ext.scts_len = size;
1265
        if (size > 0) {
R
Rich Salz 已提交
1266 1267 1268
            s->ext.scts = OPENSSL_malloc(size);
            if (s->ext.scts == NULL
                    || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1269 1270 1271 1272 1273
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
        }
    } else {
1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287
        ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
                        ? ENDPOINT_CLIENT : ENDPOINT_BOTH;

        /*
         * If we didn't ask for it then there must be a custom extension,
         * otherwise this is unsolicited.
         */
        if (custom_ext_find(&s->cert->custext, role,
                            TLSEXT_TYPE_signed_certificate_timestamp,
                            NULL) == NULL) {
            *al = TLS1_AD_UNSUPPORTED_EXTENSION;
            return 0;
        }

1288 1289 1290 1291
        if (custom_ext_parse(s, context,
                             TLSEXT_TYPE_signed_certificate_timestamp,
                             PACKET_data(pkt), PACKET_remaining(pkt),
                             x, chainidx, al) <= 0)
1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318
            return 0;
    }

    return 1;
}
#endif


#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
 * elements of zero length are allowed and the set of elements must exactly
 * fill the length of the block. Returns 1 on success or 0 on failure.
 */
static int ssl_next_proto_validate(PACKET *pkt)
{
    PACKET tmp_protocol;

    while (PACKET_remaining(pkt)) {
        if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
            || PACKET_remaining(&tmp_protocol) == 0)
            return 0;
    }

    return 1;
}

1319 1320
int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
1321 1322 1323 1324 1325
{
    unsigned char *selected;
    unsigned char selected_len;
    PACKET tmppkt;

1326
    /* Check if we are in a renegotiation. If so ignore this extension */
1327
    if (!SSL_IS_FIRST_HANDSHAKE(s))
1328 1329 1330
        return 1;

    /* We must have requested it. */
R
Rich Salz 已提交
1331
    if (s->ctx->ext.npn_select_cb == NULL) {
1332 1333 1334
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
    }
1335

1336 1337 1338 1339 1340 1341
    /* The data must be valid */
    tmppkt = *pkt;
    if (!ssl_next_proto_validate(&tmppkt)) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
R
Rich Salz 已提交
1342 1343 1344 1345
    if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
                                  PACKET_data(pkt),
                                  PACKET_remaining(pkt),
                                  s->ctx->ext.npn_select_cb_arg) !=
1346 1347 1348 1349
             SSL_TLSEXT_ERR_OK) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
1350

1351 1352 1353 1354
    /*
     * Could be non-NULL if server has sent multiple NPN extensions in
     * a single Serverhello
     */
R
Rich Salz 已提交
1355 1356 1357
    OPENSSL_free(s->ext.npn);
    s->ext.npn = OPENSSL_malloc(selected_len);
    if (s->ext.npn == NULL) {
1358 1359 1360 1361
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }

R
Rich Salz 已提交
1362 1363 1364
    memcpy(s->ext.npn, selected, selected_len);
    s->ext.npn_len = selected_len;
    s->s3->npn_seen = 1;
1365 1366 1367 1368 1369

    return 1;
}
#endif

1370 1371
int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx, int *al)
1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403
{
    size_t len;

    /* We must have requested it. */
    if (!s->s3->alpn_sent) {
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
    }
    /*-
     * The extension data consists of:
     *   uint16 list_length
     *   uint8 proto_length;
     *   uint8 proto[proto_length];
     */
    if (!PACKET_get_net_2_len(pkt, &len)
        || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
        || PACKET_remaining(pkt) != len) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
    OPENSSL_free(s->s3->alpn_selected);
    s->s3->alpn_selected = OPENSSL_malloc(len);
    if (s->s3->alpn_selected == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
    if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
    s->s3->alpn_selected_len = len;

1404 1405 1406 1407
    if (s->session->ext.alpn_selected == NULL
            || s->session->ext.alpn_selected_len != len
            || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len)
               != 0) {
1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419
        /* ALPN not consistent with the old session so cannot use early_data */
        s->ext.early_data_ok = 0;
    }
    if (!s->hit) {
        /* If a new session then update it with the selected ALPN */
        s->session->ext.alpn_selected =
            OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
        if (s->session->ext.alpn_selected == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
        s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
1420 1421
    }

1422 1423 1424 1425
    return 1;
}

#ifndef OPENSSL_NO_SRTP
1426 1427
int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx, int *al)
1428 1429 1430 1431 1432 1433
{
    unsigned int id, ct, mki;
    int i;
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
    SRTP_PROTECTION_PROFILE *prof;

1434 1435 1436 1437
    if (!PACKET_get_net_2(pkt, &ct) || ct != 2
            || !PACKET_get_net_2(pkt, &id)
            || !PACKET_get_1(pkt, &mki)
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1438
        SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1439 1440 1441 1442 1443 1444 1445
               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

    if (mki != 0) {
        /* Must be no MKI, since we never offer one */
M
Matt Caswell 已提交
1446
        SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
1447 1448 1449 1450 1451
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    /* Throw an error if the server gave us an unsolicited extension */
1452
    clnt = SSL_get_srtp_profiles(s);
1453
    if (clnt == NULL) {
M
Matt Caswell 已提交
1454
        SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

    /*
     * Check to see if the server gave us something we support (and
     * presumably offered)
     */
    for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
        prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

        if (prof->id == id) {
            s->srtp_profile = prof;
            *al = 0;
            return 1;
        }
    }

M
Matt Caswell 已提交
1473
    SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1474 1475 1476 1477 1478 1479
           SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    *al = SSL_AD_DECODE_ERROR;
    return 0;
}
#endif

1480 1481
int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
1482 1483 1484 1485 1486
{
    /* Ignore if inappropriate ciphersuite */
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
            && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
            && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
1487
        s->ext.use_etm = 1;
1488 1489 1490 1491

    return 1;
}

1492 1493
int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
1494 1495 1496 1497 1498 1499 1500 1501
{
    s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
    if (!s->hit)
        s->session->flags |= SSL_SESS_FLAG_EXTMS;

    return 1;
}

1502 1503
int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                             size_t chainidx, int *al)
1504
{
M
Matt Caswell 已提交
1505
#ifndef OPENSSL_NO_TLS1_3
1506 1507 1508 1509 1510
    unsigned int group_id;
    PACKET encoded_pt;
    EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;

    /* Sanity check */
1511
    if (ckey == NULL || s->s3->peer_tmp != NULL) {
1512
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1513
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1514 1515 1516 1517
        return 0;
    }

    if (!PACKET_get_net_2(pkt, &group_id)) {
M
Matt Caswell 已提交
1518
        *al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1519
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1520 1521 1522
        return 0;
    }

1523
    if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1524 1525 1526 1527
        unsigned const char *pcurves = NULL;
        size_t i, num_curves;

        if (PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1528
            *al = SSL_AD_DECODE_ERROR;
1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548
            SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
            return 0;
        }

        /*
         * It is an error if the HelloRetryRequest wants a key_share that we
         * already sent in the first ClientHello
         */
        if (group_id == s->s3->group_id) {
            *al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* Validate the selected group is one we support */
        if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
            SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        for (i = 0; i < num_curves; i++, pcurves += 2) {
M
Matt Caswell 已提交
1549
            if (group_id == bytestogroup(pcurves))
1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564
                break;
        }
        if (i >= num_curves
                || !tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
            *al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        s->s3->group_id = group_id;
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;
        return 1;
    }

1565 1566 1567 1568 1569
    if (group_id != s->s3->group_id) {
        /*
         * This isn't for the group that we sent in the original
         * key_share!
         */
M
Matt Caswell 已提交
1570
        *al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1571
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1572 1573 1574 1575 1576 1577
        return 0;
    }

    if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
            || PACKET_remaining(&encoded_pt) == 0) {
        *al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1578
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1579 1580 1581 1582 1583 1584
        return 0;
    }

    skey = ssl_generate_pkey(ckey);
    if (skey == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1585
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1586 1587 1588 1589
        return 0;
    }
    if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
                                        PACKET_remaining(&encoded_pt))) {
1590
        *al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1591
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT);
1592
        EVP_PKEY_free(skey);
1593 1594 1595 1596 1597
        return 0;
    }

    if (ssl_derive(s, ckey, skey, 1) == 0) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1598
        SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1599 1600 1601
        EVP_PKEY_free(skey);
        return 0;
    }
1602
    s->s3->peer_tmp = skey;
M
Matt Caswell 已提交
1603
#endif
1604 1605 1606

    return 1;
}
1607

M
Matt Caswell 已提交
1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623
int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
{
    PACKET cookie;

    if (!PACKET_as_length_prefixed_2(pkt, &cookie)
            || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
                              &s->ext.tls13_cookie_len)) {
        *al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PARSE_STOC_COOKIE, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    return 1;
}

1624 1625 1626
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
                              X509 *x, size_t chainidx, int *al)
{
1627
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642
        unsigned long max_early_data;

        if (!PACKET_get_net_4(pkt, &max_early_data)
                || PACKET_remaining(pkt) != 0) {
            SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA,
                   SSL_R_INVALID_MAX_EARLY_DATA);
            *al = SSL_AD_DECODE_ERROR;
            return 0;
        }

        s->session->ext.max_early_data = max_early_data;

        return 1;
    }

1643 1644 1645 1646 1647
    if (PACKET_remaining(pkt) != 0) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

1648
    if (!s->ext.early_data_ok
1649 1650 1651 1652
            || !s->hit
            || s->session->ext.tick_identity != 0) {
        /*
         * If we get here then we didn't send early data, or we didn't resume
1653 1654
         * using the first identity, or the SNI/ALPN is not consistent so the
         * server should not be accepting it.
1655 1656 1657 1658 1659 1660 1661 1662 1663 1664
         */
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;

    return 1;
}

1665 1666
int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al)
1667 1668 1669 1670 1671
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int identity;

    if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1672
        *al = SSL_AD_DECODE_ERROR;
1673 1674 1675 1676
        SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

1677 1678 1679 1680 1681 1682 1683 1684 1685
    if (s->session->ext.tick_identity == (int)identity) {
        s->hit = 1;
        SSL_SESSION_free(s->psksession);
        s->psksession = NULL;
        return 1;
    }

    if (s->psksession == NULL
            || s->psksession->ext.tick_identity != (int)identity) {
M
Matt Caswell 已提交
1686
        *al = SSL_AD_ILLEGAL_PARAMETER;
1687 1688 1689 1690
        SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY);
        return 0;
    }

1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701
    /*
     * If we used the external PSK for sending early_data then s->early_secret
     * is already set up, so don't overwrite it. Otherwise we copy the
     * early_secret across that we generated earlier.
     */
    if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
                && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
            || s->session->ext.max_early_data > 0
            || s->psksession->ext.max_early_data == 0)
        memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);

1702 1703 1704
    SSL_SESSION_free(s->session);
    s->session = s->psksession;
    s->psksession = NULL;
1705 1706 1707 1708 1709
    s->hit = 1;
#endif

    return 1;
}