Головна сторінка Огляд Довідка
Увійти
OWEALs
/
openssl
дзеркало git://git.openssl.org/openssl.git
2
0
Відгалуження 0
Файли Проблеми 1 Wiki
Дерево: d4d9864411
Гілки Теги
openssl
/
ssl
/
statem
/
extensions_clnt.c

extensions_clnt.c 45 KB
Історія Запис

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475 
  1. /*
    2. 

  2.  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the OpenSSL license (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. #include <assert.h>
    11. 

  11. #include <openssl/ocsp.h>
    12. 

  12. #include "../ssl_locl.h"
    13. 

  13. #include "statem_locl.h"
    14. 

  14. 

  15. int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
    16. 

  16.                                    X509 *x, size_t chainidx, int *al)
    17. 

  17. {
    18. 

  18.     /* Add RI if renegotiating */
    19. 

  19.     if (!s->renegotiate)
    20. 

  20.         return 1;
    21. 

  21. 

  22.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
    23. 

  23.             || !WPACKET_start_sub_packet_u16(pkt)
    24. 

  24.             || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
    25. 

  25.                                s->s3->previous_client_finished_len)
    26. 

  26.             || !WPACKET_close(pkt)) {
    27. 

  27.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
    28. 

  28.         return 0;
    29. 

  29.     }
    30. 

  30. 

  31.     return 1;
    32. 

  32. }
    33. 

  33. 

  34. int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
    35. 

  35.                                    X509 *x, size_t chainidx, int *al)
    36. 

  36. {
    37. 

  37.     if (s->ext.hostname == NULL)
    38. 

  38.         return 1;
    39. 

  39. 

  40.     /* Add TLS extension servername to the Client Hello message */
    41. 

  41.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
    42. 

  42.                /* Sub-packet for server_name extension */
    43. 

  43.             || !WPACKET_start_sub_packet_u16(pkt)
    44. 

  44.                /* Sub-packet for servername list (always 1 hostname)*/
    45. 

  45.             || !WPACKET_start_sub_packet_u16(pkt)
    46. 

  46.             || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
    47. 

  47.             || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
    48. 

  48.                                        strlen(s->ext.hostname))
    49. 

  49.             || !WPACKET_close(pkt)
    50. 

  50.             || !WPACKET_close(pkt)) {
    51. 

  51.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
    52. 

  52.         return 0;
    53. 

  53.     }
    54. 

  54. 

  55.     return 1;
    56. 

  56. }
    57. 

  57. 

  58. #ifndef OPENSSL_NO_SRP
    59. 

  59. int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    60. 

  60.                            size_t chainidx, int *al)
    61. 

  61. {
    62. 

  62.     /* Add SRP username if there is one */
    63. 

  63.     if (s->srp_ctx.login == NULL)
    64. 

  64.         return 1;
    65. 

  65. 

  66.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
    67. 

  67.                /* Sub-packet for SRP extension */
    68. 

  68.             || !WPACKET_start_sub_packet_u16(pkt)
    69. 

  69.             || !WPACKET_start_sub_packet_u8(pkt)
    70. 

  70.                /* login must not be zero...internal error if so */
    71. 

  71.             || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
    72. 

  72.             || !WPACKET_memcpy(pkt, s->srp_ctx.login,
    73. 

  73.                                strlen(s->srp_ctx.login))
    74. 

  74.             || !WPACKET_close(pkt)
    75. 

  75.             || !WPACKET_close(pkt)) {
    76. 

  76.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR);
    77. 

  77.         return 0;
    78. 

  78.     }
    79. 

  79. 

  80.     return 1;
    81. 

  81. }
    82. 

  82. #endif
    83. 

  83. 

  84. #ifndef OPENSSL_NO_EC
    85. 

  85. static int use_ecc(SSL *s)
    86. 

  86. {
    87. 

  87.     int i, end;
    88. 

  88.     unsigned long alg_k, alg_a;
    89. 

  89.     STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
    90. 

  90. 

  91.     /* See if we support any ECC ciphersuites */
    92. 

  92.     if (s->version == SSL3_VERSION)
    93. 

  93.         return 0;
    94. 

  94. 

  95.     cipher_stack = SSL_get_ciphers(s);
    96. 

  96.     end = sk_SSL_CIPHER_num(cipher_stack);
    97. 

  97.     for (i = 0; i < end; i++) {
    98. 

  98.         const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
    99. 

  99. 

  100.         alg_k = c->algorithm_mkey;
    101. 

  101.         alg_a = c->algorithm_auth;
    102. 

  102.         if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
    103. 

  103.                 || (alg_a & SSL_aECDSA)
    104. 

  104.                 || c->min_tls >= TLS1_3_VERSION)
    105. 

  105.             return 1;
    106. 

  106.     }
    107. 

  107. 

  108.     return 0;
    109. 

  109. }
    110. 

  110. 

  111. int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
    112. 

  112.                                      X509 *x, size_t chainidx, int *al)
    113. 

  113. {
    114. 

  114.     const unsigned char *pformats;
    115. 

  115.     size_t num_formats;
    116. 

  116. 

  117.     if (!use_ecc(s))
    118. 

  118.         return 1;
    119. 

  119. 

  120.     /* Add TLS extension ECPointFormats to the ClientHello message */
    121. 

  121.     tls1_get_formatlist(s, &pformats, &num_formats);
    122. 

  122. 

  123.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
    124. 

  124.                /* Sub-packet for formats extension */
    125. 

  125.             || !WPACKET_start_sub_packet_u16(pkt)
    126. 

  126.             || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
    127. 

  127.             || !WPACKET_close(pkt)) {
    128. 

  128.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
    129. 

  129.         return 0;
    130. 

  130.     }
    131. 

  131. 

  132.     return 1;
    133. 

  133. }
    134. 

  134. 

  135. int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
    136. 

  136.                                         unsigned int context, X509 *x,
    137. 

  137.                                         size_t chainidx, int *al)
    138. 

  138. {
    139. 

  139.     const unsigned char *pcurves = NULL, *pcurvestmp;
    140. 

  140.     size_t num_curves = 0, i;
    141. 

  141. 

  142.     if (!use_ecc(s))
    143. 

  143.         return 1;
    144. 

  144. 

  145.     /*
    146. 

  146.      * Add TLS extension supported_groups to the ClientHello message
    147. 

  147.      */
    148. 

  148.     /* TODO(TLS1.3): Add support for DHE groups */
    149. 

  149.     if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
    150. 

  150.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
    151. 

  151.                ERR_R_INTERNAL_ERROR);
    152. 

  152.         return 0;
    153. 

  153.     }
    154. 

  154.     pcurvestmp = pcurves;
    155. 

  155. 

  156.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
    157. 

  157.                /* Sub-packet for supported_groups extension */
    158. 

  158.             || !WPACKET_start_sub_packet_u16(pkt)
    159. 

  159.             || !WPACKET_start_sub_packet_u16(pkt)) {
    160. 

  160.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
    161. 

  161.                ERR_R_INTERNAL_ERROR);
    162. 

  162.         return 0;
    163. 

  163.     }
    164. 

  164.     /* Copy curve ID if supported */
    165. 

  165.     for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
    166. 

  166.         if (tls_curve_allowed(s, pcurvestmp, SSL_SECOP_CURVE_SUPPORTED)) {
    167. 

  167.             if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
    168. 

  168.                 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
    169. 

  169.                     SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
    170. 

  170.                            ERR_R_INTERNAL_ERROR);
    171. 

  171.                     return 0;
    172. 

  172.                 }
    173. 

  173.         }
    174. 

  174.     }
    175. 

  175.     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
    176. 

  176.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
    177. 

  177.                ERR_R_INTERNAL_ERROR);
    178. 

  178.         return 0;
    179. 

  179.     }
    180. 

  180. 

  181.     return 1;
    182. 

  182. }
    183. 

  183. #endif
    184. 

  184. 

  185. int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
    186. 

  186.                                       unsigned int context, X509 *x,
    187. 

  187.                                       size_t chainidx, int *al)
    188. 

  188. {
    189. 

  189.     size_t ticklen;
    190. 

  190. 

  191.     if (!tls_use_ticket(s))
    192. 

  192.         return 1;
    193. 

  193. 

  194.     if (!s->new_session && s->session != NULL
    195. 

  195.             && s->session->ext.tick != NULL
    196. 

  196.             && s->session->ssl_version != TLS1_3_VERSION) {
    197. 

  197.         ticklen = s->session->ext.ticklen;
    198. 

  198.     } else if (s->session && s->ext.session_ticket != NULL
    199. 

  199.                && s->ext.session_ticket->data != NULL) {
    200. 

  200.         ticklen = s->ext.session_ticket->length;
    201. 

  201.         s->session->ext.tick = OPENSSL_malloc(ticklen);
    202. 

  202.         if (s->session->ext.tick == NULL) {
    203. 

  203.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
    204. 

  204.                    ERR_R_INTERNAL_ERROR);
    205. 

  205.             return 0;
    206. 

  206.         }
    207. 

  207.         memcpy(s->session->ext.tick,
    208. 

  208.                s->ext.session_ticket->data, ticklen);
    209. 

  209.         s->session->ext.ticklen = ticklen;
    210. 

  210.     } else {
    211. 

  211.         ticklen = 0;
    212. 

  212.     }
    213. 

  213. 

  214.     if (ticklen == 0 && s->ext.session_ticket != NULL &&
    215. 

  215.             s->ext.session_ticket->data == NULL)
    216. 

  216.         return 1;
    217. 

  217. 

  218.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
    219. 

  219.             || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
    220. 

  220.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
    221. 

  221.         return 0;
    222. 

  222.     }
    223. 

  223. 

  224.     return 1;
    225. 

  225. }
    226. 

  226. 

  227. int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, unsigned int context,
    228. 

  228.                                 X509 *x, size_t chainidx, int *al)
    229. 

  229. {
    230. 

  230.     size_t salglen;
    231. 

  231.     const uint16_t *salg;
    232. 

  232. 

  233.     if (!SSL_CLIENT_USE_SIGALGS(s))
    234. 

  234.         return 1;
    235. 

  235. 

  236.     salglen = tls12_get_psigalgs(s, 1, &salg);
    237. 

  237.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
    238. 

  238.                /* Sub-packet for sig-algs extension */
    239. 

  239.             || !WPACKET_start_sub_packet_u16(pkt)
    240. 

  240.                /* Sub-packet for the actual list */
    241. 

  241.             || !WPACKET_start_sub_packet_u16(pkt)
    242. 

  242.             || !tls12_copy_sigalgs(s, pkt, salg, salglen)
    243. 

  243.             || !WPACKET_close(pkt)
    244. 

  244.             || !WPACKET_close(pkt)) {
    245. 

  245.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR);
    246. 

  246.         return 0;
    247. 

  247.     }
    248. 

  248. 

  249.     return 1;
    250. 

  250. }
    251. 

  251. 

  252. #ifndef OPENSSL_NO_OCSP
    253. 

  253. int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
    254. 

  254.                                       unsigned int context, X509 *x,
    255. 

  255.                                       size_t chainidx, int *al)
    256. 

  256. {
    257. 

  257.     int i;
    258. 

  258. 

  259.     /* This extension isn't defined for client Certificates */
    260. 

  260.     if (x != NULL)
    261. 

  261.         return 1;
    262. 

  262. 

  263.     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
    264. 

  264.         return 1;
    265. 

  265. 

  266.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
    267. 

  267.                /* Sub-packet for status request extension */
    268. 

  268.             || !WPACKET_start_sub_packet_u16(pkt)
    269. 

  269.             || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
    270. 

  270.                /* Sub-packet for the ids */
    271. 

  271.             || !WPACKET_start_sub_packet_u16(pkt)) {
    272. 

  272.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
    273. 

  273.         return 0;
    274. 

  274.     }
    275. 

  275.     for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
    276. 

  276.         unsigned char *idbytes;
    277. 

  277.         OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
    278. 

  278.         int idlen = i2d_OCSP_RESPID(id, NULL);
    279. 

  279. 

  280.         if (idlen <= 0
    281. 

  281.                    /* Sub-packet for an individual id */
    282. 

  282.                 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
    283. 

  283.                 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
    284. 

  284.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
    285. 

  285.                    ERR_R_INTERNAL_ERROR);
    286. 

  286.             return 0;
    287. 

  287.         }
    288. 

  288.     }
    289. 

  289.     if (!WPACKET_close(pkt)
    290. 

  290.             || !WPACKET_start_sub_packet_u16(pkt)) {
    291. 

  291.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
    292. 

  292.         return 0;
    293. 

  293.     }
    294. 

  294.     if (s->ext.ocsp.exts) {
    295. 

  295.         unsigned char *extbytes;
    296. 

  296.         int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
    297. 

  297. 

  298.         if (extlen < 0) {
    299. 

  299.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
    300. 

  300.                    ERR_R_INTERNAL_ERROR);
    301. 

  301.             return 0;
    302. 

  302.         }
    303. 

  303.         if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
    304. 

  304.                 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
    305. 

  305.                    != extlen) {
    306. 

  306.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
    307. 

  307.                    ERR_R_INTERNAL_ERROR);
    308. 

  308.             return 0;
    309. 

  309.        }
    310. 

  310.     }
    311. 

  311.     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
    312. 

  312.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
    313. 

  313.         return 0;
    314. 

  314.     }
    315. 

  315. 

  316.     return 1;
    317. 

  317. }
    318. 

  318. #endif
    319. 

  319. 

  320. #ifndef OPENSSL_NO_NEXTPROTONEG
    321. 

  321. int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    322. 

  322.                            size_t chainidx, int *al)
    323. 

  323. {
    324. 

  324.     if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
    325. 

  325.         return 1;
    326. 

  326. 

  327.     /*
    328. 

  328.      * The client advertises an empty extension to indicate its support
    329. 

  329.      * for Next Protocol Negotiation
    330. 

  330.      */
    331. 

  331.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
    332. 

  332.             || !WPACKET_put_bytes_u16(pkt, 0)) {
    333. 

  333.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR);
    334. 

  334.         return 0;
    335. 

  335.     }
    336. 

  336. 

  337.     return 1;
    338. 

  338. }
    339. 

  339. #endif
    340. 

  340. 

  341. int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    342. 

  342.                             size_t chainidx, int *al)
    343. 

  343. {
    344. 

  344.     s->s3->alpn_sent = 0;
    345. 

  345. 

  346.     if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
    347. 

  347.         return 1;
    348. 

  348. 

  349.     if (!WPACKET_put_bytes_u16(pkt,
    350. 

  350.                 TLSEXT_TYPE_application_layer_protocol_negotiation)
    351. 

  351.                /* Sub-packet ALPN extension */
    352. 

  352.             || !WPACKET_start_sub_packet_u16(pkt)
    353. 

  353.             || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
    354. 

  354.             || !WPACKET_close(pkt)) {
    355. 

  355.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
    356. 

  356.         return 0;
    357. 

  357.     }
    358. 

  358.     s->s3->alpn_sent = 1;
    359. 

  359. 

  360.     return 1;
    361. 

  361. }
    362. 

  362. 

  363. 

  364. #ifndef OPENSSL_NO_SRTP
    365. 

  365. int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
    366. 

  366.                                 X509 *x, size_t chainidx, int *al)
    367. 

  367. {
    368. 

  368.     STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
    369. 

  369.     int i, end;
    370. 

  370. 

  371.     if (clnt == NULL)
    372. 

  372.         return 1;
    373. 

  373. 

  374.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
    375. 

  375.                /* Sub-packet for SRTP extension */
    376. 

  376.             || !WPACKET_start_sub_packet_u16(pkt)
    377. 

  377.                /* Sub-packet for the protection profile list */
    378. 

  378.             || !WPACKET_start_sub_packet_u16(pkt)) {
    379. 

  379.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
    380. 

  380.         return 0;
    381. 

  381.     }
    382. 

  382. 

  383.     end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
    384. 

  384.     for (i = 0; i < end; i++) {
    385. 

  385.         const SRTP_PROTECTION_PROFILE *prof =
    386. 

  386.             sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
    387. 

  387. 

  388.         if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
    389. 

  389.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
    390. 

  390.             return 0;
    391. 

  391.         }
    392. 

  392.     }
    393. 

  393.     if (!WPACKET_close(pkt)
    394. 

  394.                /* Add an empty use_mki value */
    395. 

  395.             || !WPACKET_put_bytes_u8(pkt, 0)
    396. 

  396.             || !WPACKET_close(pkt)) {
    397. 

  397.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
    398. 

  398.         return 0;
    399. 

  399.     }
    400. 

  400. 

  401.     return 1;
    402. 

  402. }
    403. 

  403. #endif
    404. 

  404. 

  405. int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    406. 

  406.                            size_t chainidx, int *al)
    407. 

  407. {
    408. 

  408.     if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
    409. 

  409.         return 1;
    410. 

  410. 

  411.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
    412. 

  412.             || !WPACKET_put_bytes_u16(pkt, 0)) {
    413. 

  413.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR);
    414. 

  414.         return 0;
    415. 

  415.     }
    416. 

  416. 

  417.     return 1;
    418. 

  418. }
    419. 

  419. 

  420. #ifndef OPENSSL_NO_CT
    421. 

  421. int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    422. 

  422.                            size_t chainidx, int *al)
    423. 

  423. {
    424. 

  424.     if (s->ct_validation_callback == NULL)
    425. 

  425.         return 1;
    426. 

  426. 

  427.     /* Not defined for client Certificates */
    428. 

  428.     if (x != NULL)
    429. 

  429.         return 1;
    430. 

  430. 

  431.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
    432. 

  432.             || !WPACKET_put_bytes_u16(pkt, 0)) {
    433. 

  433.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR);
    434. 

  434.         return 0;
    435. 

  435.     }
    436. 

  436. 

  437.     return 1;
    438. 

  438. }
    439. 

  439. #endif
    440. 

  440. 

  441. int tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    442. 

  442.                            size_t chainidx, int *al)
    443. 

  443. {
    444. 

  444.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
    445. 

  445.             || !WPACKET_put_bytes_u16(pkt, 0)) {
    446. 

  446.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR);
    447. 

  447.         return 0;
    448. 

  448.     }
    449. 

  449. 

  450.     return 1;
    451. 

  451. }
    452. 

  452. 

  453. int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
    454. 

  454.                                           unsigned int context, X509 *x,
    455. 

  455.                                           size_t chainidx, int *al)
    456. 

  456. {
    457. 

  457.     int currv, min_version, max_version, reason;
    458. 

  458. 

  459.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
    460. 

  460.             || !WPACKET_start_sub_packet_u16(pkt)
    461. 

  461.             || !WPACKET_start_sub_packet_u8(pkt)) {
    462. 

  462.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
    463. 

  463.                ERR_R_INTERNAL_ERROR);
    464. 

  464.         return 0;
    465. 

  465.     }
    466. 

  466. 

  467.     reason = ssl_get_min_max_version(s, &min_version, &max_version);
    468. 

  468.     if (reason != 0) {
    469. 

  469.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
    470. 

  470.         return 0;
    471. 

  471.     }
    472. 

  472. 

  473.     /*
    474. 

  474.      * TODO(TLS1.3): There is some discussion on the TLS list as to whether
    475. 

  475.      * we should include versions <TLS1.2. For the moment we do. To be
    476. 

  476.      * reviewed later.
    477. 

  477.      */
    478. 

  478.     for (currv = max_version; currv >= min_version; currv--) {
    479. 

  479.         /* TODO(TLS1.3): Remove this first if clause prior to release!! */
    480. 

  480.         if (currv == TLS1_3_VERSION) {
    481. 

  481.             if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
    482. 

  482.                 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
    483. 

  483.                        ERR_R_INTERNAL_ERROR);
    484. 

  484.                 return 0;
    485. 

  485.             }
    486. 

  486.         } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
    487. 

  487.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
    488. 

  488.                    ERR_R_INTERNAL_ERROR);
    489. 

  489.             return 0;
    490. 

  490.         }
    491. 

  491.     }
    492. 

  492.     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
    493. 

  493.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
    494. 

  494.                ERR_R_INTERNAL_ERROR);
    495. 

  495.         return 0;
    496. 

  496.     }
    497. 

  497. 

  498.     return 1;
    499. 

  499. }
    500. 

  500. 

  501. /*
    502. 

  502.  * Construct a psk_kex_modes extension. We only have two modes we know about
    503. 

  503.  * at this stage, so we send both.
    504. 

  504.  */
    505. 

  505. int tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, unsigned int context,
    506. 

  506.                                      X509 *x, size_t chainidx, int *al)
    507. 

  507. {
    508. 

  508. #ifndef OPENSSL_NO_TLS1_3
    509. 

  509.     /*
    510. 

  510.      * TODO(TLS1.3): Do we want this list to be configurable? For now we always
    511. 

  511.      * just send both supported modes
    512. 

  512.      */
    513. 

  513.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
    514. 

  514.             || !WPACKET_start_sub_packet_u16(pkt)
    515. 

  515.             || !WPACKET_start_sub_packet_u8(pkt)
    516. 

  516.             || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
    517. 

  517.             || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)
    518. 

  518.             || !WPACKET_close(pkt)
    519. 

  519.             || !WPACKET_close(pkt)) {
    520. 

  520.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
    521. 

  521.         return 0;
    522. 

  522.     }
    523. 

  523. 

  524.     s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE;
    525. 

  525. #endif
    526. 

  526. 

  527.     return 1;
    528. 

  528. }
    529. 

  529. 

  530. #ifndef OPENSSL_NO_TLS1_3
    531. 

  531. static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
    532. 

  532. {
    533. 

  533.     unsigned char *encoded_point;
    534. 

  534.     EVP_PKEY *key_share_key;
    535. 

  535.     size_t encodedlen;
    536. 

  536. 

  537.     key_share_key = ssl_generate_pkey_curve(curve_id);
    538. 

  538.     if (key_share_key == NULL) {
    539. 

  539.         SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB);
    540. 

  540.         return 0;
    541. 

  541.     }
    542. 

  542. 

  543.     /* Encode the public key. */
    544. 

  544.     encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
    545. 

  545.                                                 &encoded_point);
    546. 

  546.     if (encodedlen == 0) {
    547. 

  547.         SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
    548. 

  548.         EVP_PKEY_free(key_share_key);
    549. 

  549.         return 0;
    550. 

  550.     }
    551. 

  551. 

  552.     /* Create KeyShareEntry */
    553. 

  553.     if (!WPACKET_put_bytes_u16(pkt, curve_id)
    554. 

  554.             || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
    555. 

  555.         SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    556. 

  556.         EVP_PKEY_free(key_share_key);
    557. 

  557.         OPENSSL_free(encoded_point);
    558. 

  558.         return 0;
    559. 

  559.     }
    560. 

  560. 

  561.     /*
    562. 

  562.      * TODO(TLS1.3): When changing to send more than one key_share we're
    563. 

  563.      * going to need to be able to save more than one EVP_PKEY. For now
    564. 

  564.      * we reuse the existing tmp.pkey
    565. 

  565.      */
    566. 

  566.     s->s3->tmp.pkey = key_share_key;
    567. 

  567.     s->s3->group_id = curve_id;
    568. 

  568.     OPENSSL_free(encoded_point);
    569. 

  569. 

  570.     return 1;
    571. 

  571. }
    572. 

  572. #endif
    573. 

  573. 

  574. int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, unsigned int context,
    575. 

  575.                                  X509 *x, size_t chainidx, int *al)
    576. 

  576. {
    577. 

  577. #ifndef OPENSSL_NO_TLS1_3
    578. 

  578.     size_t i, num_curves = 0;
    579. 

  579.     const unsigned char *pcurves = NULL;
    580. 

  580.     unsigned int curve_id = 0;
    581. 

  581. 

  582.     /* key_share extension */
    583. 

  583.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
    584. 

  584.                /* Extension data sub-packet */
    585. 

  585.             || !WPACKET_start_sub_packet_u16(pkt)
    586. 

  586.                /* KeyShare list sub-packet */
    587. 

  587.             || !WPACKET_start_sub_packet_u16(pkt)) {
    588. 

  588.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    589. 

  589.         return 0;
    590. 

  590.     }
    591. 

  591. 

  592.     if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
    593. 

  593.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    594. 

  594.         return 0;
    595. 

  595.     }
    596. 

  596. 

  597.     if (s->s3->tmp.pkey != NULL) {
    598. 

  598.         /* Shouldn't happen! */
    599. 

  599.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    600. 

  600.         return 0;
    601. 

  601.     }
    602. 

  602. 

  603.     /*
    604. 

  604.      * TODO(TLS1.3): Make the number of key_shares sent configurable. For
    605. 

  605.      * now, just send one
    606. 

  606.      */
    607. 

  607.     if (s->s3->group_id != 0) {
    608. 

  608.         curve_id = s->s3->group_id;
    609. 

  609.     } else {
    610. 

  610.         for (i = 0; i < num_curves; i++, pcurves += 2) {
    611. 

  611. 

  612.             if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
    613. 

  613.                 continue;
    614. 

  614. 

  615.             curve_id = bytestogroup(pcurves);
    616. 

  616.             break;
    617. 

  617.         }
    618. 

  618.     }
    619. 

  619. 

  620.     if (curve_id == 0) {
    621. 

  621.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
    622. 

  622.         return 0;
    623. 

  623.     }
    624. 

  624. 

  625.     if (!add_key_share(s, pkt, curve_id))
    626. 

  626.         return 0;
    627. 

  627. 

  628.     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
    629. 

  629.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    630. 

  630.         return 0;
    631. 

  631.     }
    632. 

  632. #endif
    633. 

  633. 

  634.     return 1;
    635. 

  635. }
    636. 

  636. 

  637. int tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
    638. 

  638.                               X509 *x, size_t chainidx, int *al)
    639. 

  639. {
    640. 

  640.     int ret = 0;
    641. 

  641. 

  642.     /* Should only be set if we've had an HRR */
    643. 

  643.     if (s->ext.tls13_cookie_len == 0)
    644. 

  644.         return 1;
    645. 

  645. 

  646.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
    647. 

  647.                /* Extension data sub-packet */
    648. 

  648.             || !WPACKET_start_sub_packet_u16(pkt)
    649. 

  649.             || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
    650. 

  650.                                        s->ext.tls13_cookie_len)
    651. 

  651.             || !WPACKET_close(pkt)) {
    652. 

  652.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, ERR_R_INTERNAL_ERROR);
    653. 

  653.         goto end;
    654. 

  654.     }
    655. 

  655. 

  656.     ret = 1;
    657. 

  657.  end:
    658. 

  658.     OPENSSL_free(s->ext.tls13_cookie);
    659. 

  659.     s->ext.tls13_cookie = NULL;
    660. 

  660.     s->ext.tls13_cookie_len = 0;
    661. 

  661. 

  662.     return ret;
    663. 

  663. }
    664. 

  664. 

  665. int tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context,
    666. 

  666.                                   X509 *x, size_t chainidx, int *al)
    667. 

  667. {
    668. 

  668.     if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
    669. 

  669.             || s->session->ext.max_early_data == 0) {
    670. 

  670.         s->max_early_data = 0;
    671. 

  671.         return 1;
    672. 

  672.     }
    673. 

  673.     s->max_early_data = s->session->ext.max_early_data;
    674. 

  674. 

  675.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
    676. 

  676.             || !WPACKET_start_sub_packet_u16(pkt)
    677. 

  677.             || !WPACKET_close(pkt)) {
    678. 

  678.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
    679. 

  679.         return 0;
    680. 

  680.     }
    681. 

  681. 

  682.     /*
    683. 

  683.      * We set this to rejected here. Later, if the server acknowledges the
    684. 

  684.      * extension, we set it to accepted.
    685. 

  685.      */
    686. 

  686.     s->ext.early_data = SSL_EARLY_DATA_REJECTED;
    687. 

  687. 

  688.     return 1;
    689. 

  689. }
    690. 

  690. 

  691. #define F5_WORKAROUND_MIN_MSG_LEN   0xff
    692. 

  692. #define F5_WORKAROUND_MAX_MSG_LEN   0x200
    693. 

  693. 

  694. /*
    695. 

  695.  * PSK pre binder overhead =
    696. 

  696.  *  2 bytes for TLSEXT_TYPE_psk
    697. 

  697.  *  2 bytes for extension length
    698. 

  698.  *  2 bytes for identities list length
    699. 

  699.  *  2 bytes for identity length
    700. 

  700.  *  4 bytes for obfuscated_ticket_age
    701. 

  701.  *  2 bytes for binder list length
    702. 

  702.  *  1 byte for binder length
    703. 

  703.  * The above excludes the number of bytes for the identity itself and the
    704. 

  704.  * subsequent binder bytes
    705. 

  705.  */
    706. 

  706. #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
    707. 

  707. 

  708. int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, unsigned int context,
    709. 

  709.                                X509 *x, size_t chainidx, int *al)
    710. 

  710. {
    711. 

  711.     unsigned char *padbytes;
    712. 

  712.     size_t hlen;
    713. 

  713. 

  714.     if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
    715. 

  715.         return 1;
    716. 

  716. 

  717.     /*
    718. 

  718.      * Add padding to workaround bugs in F5 terminators. See RFC7685.
    719. 

  719.      * This code calculates the length of all extensions added so far but
    720. 

  720.      * excludes the PSK extension (because that MUST be written last). Therefore
    721. 

  721.      * this extension MUST always appear second to last.
    722. 

  722.      */
    723. 

  723.     if (!WPACKET_get_total_written(pkt, &hlen)) {
    724. 

  724.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
    725. 

  725.         return 0;
    726. 

  726.     }
    727. 

  727. 

  728.     /*
    729. 

  729.      * If we're going to send a PSK then that will be written out after this
    730. 

  730.      * extension, so we need to calculate how long it is going to be.
    731. 

  731.      */
    732. 

  732.     if (s->session->ssl_version == TLS1_3_VERSION
    733. 

  733.             && s->session->ext.ticklen != 0
    734. 

  734.             && s->session->cipher != NULL) {
    735. 

  735.         const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
    736. 

  736. 

  737.         if (md != NULL) {
    738. 

  738.             /*
    739. 

  739.              * Add the fixed PSK overhead, the identity length and the binder
    740. 

  740.              * length.
    741. 

  741.              */
    742. 

  742.             hlen +=  PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
    743. 

  743.                      + EVP_MD_size(md);
    744. 

  744.         }
    745. 

  745.     }
    746. 

  746. 

  747.     if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
    748. 

  748.         /* Calculate the amount of padding we need to add */
    749. 

  749.         hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
    750. 

  750. 

  751.         /*
    752. 

  752.          * Take off the size of extension header itself (2 bytes for type and
    753. 

  753.          * 2 bytes for length bytes)
    754. 

  754.          */
    755. 

  755.         if (hlen >= 4)
    756. 

  756.             hlen -= 4;
    757. 

  757.         else
    758. 

  758.             hlen = 0;
    759. 

  759. 

  760.         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
    761. 

  761.                 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
    762. 

  762.             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
    763. 

  763.             return 0;
    764. 

  764.         }
    765. 

  765.         memset(padbytes, 0, hlen);
    766. 

  766.     }
    767. 

  767. 

  768.     return 1;
    769. 

  769. }
    770. 

  770. 

  771. /*
    772. 

  772.  * Construct the pre_shared_key extension
    773. 

  773.  */
    774. 

  774. int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
    775. 

  775.                            size_t chainidx, int *al)
    776. 

  776. {
    777. 

  777. #ifndef OPENSSL_NO_TLS1_3
    778. 

  778.     uint32_t now, agesec, agems;
    779. 

  779.     size_t hashsize, binderoffset, msglen;
    780. 

  780.     unsigned char *binder = NULL, *msgstart = NULL;
    781. 

  781.     const EVP_MD *md;
    782. 

  782.     int ret = 0;
    783. 

  783. 

  784.     s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
    785. 

  785. 

  786.     /*
    787. 

  787.      * Note: At this stage of the code we only support adding a single
    788. 

  788.      * resumption PSK. If we add support for multiple PSKs then the length
    789. 

  789.      * calculations in the padding extension will need to be adjusted.
    790. 

  790.      */
    791. 

  791. 

  792.     /*
    793. 

  793.      * If this is an incompatible or new session then we have nothing to resume
    794. 

  794.      * so don't add this extension.
    795. 

  795.      */
    796. 

  796.     if (s->session->ssl_version != TLS1_3_VERSION
    797. 

  797.             || s->session->ext.ticklen == 0)
    798. 

  798.         return 1;
    799. 

  799. 

  800.     if (s->session->cipher == NULL) {
    801. 

  801.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
    802. 

  802.         goto err;
    803. 

  803.     }
    804. 

  804. 

  805.     md = ssl_md(s->session->cipher->algorithm2);
    806. 

  806.     if (md == NULL) {
    807. 

  807.         /* Don't recognize this cipher so we can't use the session. Ignore it */
    808. 

  808.         return 1;
    809. 

  809.     }
    810. 

  810. 

  811.     if (s->hello_retry_request && md != ssl_handshake_md(s)) {
    812. 

  812.         /*
    813. 

  813.          * Selected ciphersuite hash does not match the hash for the session so
    814. 

  814.          * we can't use it.
    815. 

  815.          */
    816. 

  816.         return 1;
    817. 

  817.     }
    818. 

  818. 

  819.     /*
    820. 

  820.      * Technically the C standard just says time() returns a time_t and says
    821. 

  821.      * nothing about the encoding of that type. In practice most implementations
    822. 

  822.      * follow POSIX which holds it as an integral type in seconds since epoch.
    823. 

  823.      * We've already made the assumption that we can do this in multiple places
    824. 

  824.      * in the code, so portability shouldn't be an issue.
    825. 

  825.      */
    826. 

  826.     now = (uint32_t)time(NULL);
    827. 

  827.     agesec = now - (uint32_t)s->session->time;
    828. 

  828. 

  829.     if (s->session->ext.tick_lifetime_hint < agesec) {
    830. 

  830.         /* Ticket is too old. Ignore it. */
    831. 

  831.         return 1;
    832. 

  832.     }
    833. 

  833. 

  834.     /*
    835. 

  835.      * Calculate age in ms. We're just doing it to nearest second. Should be
    836. 

  836.      * good enough.
    837. 

  837.      */
    838. 

  838.     agems = agesec * (uint32_t)1000;
    839. 

  839. 

  840.     if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
    841. 

  841.         /*
    842. 

  842.          * Overflow. Shouldn't happen unless this is a *really* old session. If
    843. 

  843.          * so we just ignore it.
    844. 

  844.          */
    845. 

  845.         return 1;
    846. 

  846.     }
    847. 

  847. 

  848.     /*
    849. 

  849.      * Obfuscate the age. Overflow here is fine, this addition is supposed to
    850. 

  850.      * be mod 2^32.
    851. 

  851.      */
    852. 

  852.     agems += s->session->ext.tick_age_add;
    853. 

  853. 

  854.     hashsize = EVP_MD_size(md);
    855. 

  855. 

  856.     /* Create the extension, but skip over the binder for now */
    857. 

  857.     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
    858. 

  858.             || !WPACKET_start_sub_packet_u16(pkt)
    859. 

  859.             || !WPACKET_start_sub_packet_u16(pkt)
    860. 

  860.             || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
    861. 

  861.                                        s->session->ext.ticklen)
    862. 

  862.             || !WPACKET_put_bytes_u32(pkt, agems)
    863. 

  863.             || !WPACKET_close(pkt)
    864. 

  864.             || !WPACKET_get_total_written(pkt, &binderoffset)
    865. 

  865.             || !WPACKET_start_sub_packet_u16(pkt)
    866. 

  866.             || !WPACKET_sub_allocate_bytes_u8(pkt, hashsize, &binder)
    867. 

  867.             || !WPACKET_close(pkt)
    868. 

  868.             || !WPACKET_close(pkt)
    869. 

  869.             || !WPACKET_get_total_written(pkt, &msglen)
    870. 

  870.                /*
    871. 

  871.                 * We need to fill in all the sub-packet lengths now so we can
    872. 

  872.                 * calculate the HMAC of the message up to the binders
    873. 

  873.                 */
    874. 

  874.             || !WPACKET_fill_lengths(pkt)) {
    875. 

  875.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
    876. 

  876.         goto err;
    877. 

  877.     }
    878. 

  878. 

  879.     msgstart = WPACKET_get_curr(pkt) - msglen;
    880. 

  880. 

  881.     if (tls_psk_do_binder(s, md, msgstart, binderoffset, NULL, binder,
    882. 

  882.                           s->session, 1) != 1) {
    883. 

  883.         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
    884. 

  884.         goto err;
    885. 

  885.     }
    886. 

  886. 

  887.     s->session->ext.tick_identity = 0;
    888. 

  888. 

  889.     ret = 1;
    890. 

  890.  err:
    891. 

  891.     return ret;
    892. 

  892. #else
    893. 

  893.     return 1;
    894. 

  894. #endif
    895. 

  895. }
    896. 

  896. 

  897. /*
    898. 

  898.  * Parse the server's renegotiation binding and abort if it's not right
    899. 

  899.  */
    900. 

  900. int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
    901. 

  901.                                X509 *x, size_t chainidx, int *al)
    902. 

  902. {
    903. 

  903.     size_t expected_len = s->s3->previous_client_finished_len
    904. 

  904.         + s->s3->previous_server_finished_len;
    905. 

  905.     size_t ilen;
    906. 

  906.     const unsigned char *data;
    907. 

  907. 

  908.     /* Check for logic errors */
    909. 

  909.     assert(expected_len == 0 || s->s3->previous_client_finished_len != 0);
    910. 

  910.     assert(expected_len == 0 || s->s3->previous_server_finished_len != 0);
    911. 

  911. 

  912.     /* Parse the length byte */
    913. 

  913.     if (!PACKET_get_1_len(pkt, &ilen)) {
    914. 

  914.         SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
    915. 

  915.                SSL_R_RENEGOTIATION_ENCODING_ERR);
    916. 

  916.         *al = SSL_AD_ILLEGAL_PARAMETER;
    917. 

  917.         return 0;
    918. 

  918.     }
    919. 

  919. 

  920.     /* Consistency check */
    921. 

  921.     if (PACKET_remaining(pkt) != ilen) {
    922. 

  922.         SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
    923. 

  923.                SSL_R_RENEGOTIATION_ENCODING_ERR);
    924. 

  924.         *al = SSL_AD_ILLEGAL_PARAMETER;
    925. 

  925.         return 0;
    926. 

  926.     }
    927. 

  927. 

  928.     /* Check that the extension matches */
    929. 

  929.     if (ilen != expected_len) {
    930. 

  930.         SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
    931. 

  931.                SSL_R_RENEGOTIATION_MISMATCH);
    932. 

  932.         *al = SSL_AD_HANDSHAKE_FAILURE;
    933. 

  933.         return 0;
    934. 

  934.     }
    935. 

  935. 

  936.     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
    937. 

  937.         || memcmp(data, s->s3->previous_client_finished,
    938. 

  938.                   s->s3->previous_client_finished_len) != 0) {
    939. 

  939.         SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
    940. 

  940.                SSL_R_RENEGOTIATION_MISMATCH);
    941. 

  941.         *al = SSL_AD_HANDSHAKE_FAILURE;
    942. 

  942.         return 0;
    943. 

  943.     }
    944. 

  944. 

  945.     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
    946. 

  946.         || memcmp(data, s->s3->previous_server_finished,
    947. 

  947.                   s->s3->previous_server_finished_len) != 0) {
    948. 

  948.         SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
    949. 

  949.                SSL_R_RENEGOTIATION_MISMATCH);
    950. 

  950.         *al = SSL_AD_ILLEGAL_PARAMETER;
    951. 

  951.         return 0;
    952. 

  952.     }
    953. 

  953.     s->s3->send_connection_binding = 1;
    954. 

  954. 

  955.     return 1;
    956. 

  956. }
    957. 

  957. 

  958. int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
    959. 

  959.                                X509 *x, size_t chainidx, int *al)
    960. 

  960. {
    961. 

  961.     if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
    962. 

  962.         *al = SSL_AD_UNRECOGNIZED_NAME;
    963. 

  963.         return 0;
    964. 

  964.     }
    965. 

  965. 

  966.     if (!s->hit) {
    967. 

  967.         if (s->session->ext.hostname != NULL) {
    968. 

  968.             *al = SSL_AD_INTERNAL_ERROR;
    969. 

  969.             return 0;
    970. 

  970.         }
    971. 

  971.         s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
    972. 

  972.         if (s->session->ext.hostname == NULL) {
    973. 

  973.             *al = SSL_AD_INTERNAL_ERROR;
    974. 

  974.             return 0;
    975. 

  975.         }
    976. 

  976.     }
    977. 

  977. 

  978.     return 1;
    979. 

  979. }
    980. 

  980. 

  981. #ifndef OPENSSL_NO_EC
    982. 

  982. int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
    983. 

  983.                                  X509 *x, size_t chainidx, int *al)
    984. 

  984. {
    985. 

  985.     unsigned int ecpointformats_len;
    986. 

  986.     PACKET ecptformatlist;
    987. 

  987. 

  988.     if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
    989. 

  989.         *al = SSL_AD_DECODE_ERROR;
    990. 

  990.         return 0;
    991. 

  991.     }
    992. 

  992.     if (!s->hit) {
    993. 

  993.         ecpointformats_len = PACKET_remaining(&ecptformatlist);
    994. 

  994.         s->session->ext.ecpointformats_len = 0;
    995. 

  995. 

  996.         OPENSSL_free(s->session->ext.ecpointformats);
    997. 

  997.         s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
    998. 

  998.         if (s->session->ext.ecpointformats == NULL) {
    999. 

  999.             *al = SSL_AD_INTERNAL_ERROR;
    1000. 

  1000.             return 0;
    1001. 

  1001.         }
    1002. 

  1002. 

  1003.         s->session->ext.ecpointformats_len = ecpointformats_len;
    1004. 

  1004. 

  1005.         if (!PACKET_copy_bytes(&ecptformatlist,
    1006. 

  1006.                                s->session->ext.ecpointformats,
    1007. 

  1007.                                ecpointformats_len)) {
    1008. 

  1008.             *al = SSL_AD_INTERNAL_ERROR;
    1009. 

  1009.             return 0;
    1010. 

  1010.         }
    1011. 

  1011.     }
    1012. 

  1012. 

  1013.     return 1;
    1014. 

  1014. }
    1015. 

  1015. #endif
    1016. 

  1016. 

  1017. int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
    1018. 

  1018.                                   X509 *x, size_t chainidx, int *al)
    1019. 

  1019. {
    1020. 

  1020.     if (s->ext.session_ticket_cb != NULL &&
    1021. 

  1021.         !s->ext.session_ticket_cb(s, PACKET_data(pkt),
    1022. 

  1022.                               PACKET_remaining(pkt),
    1023. 

  1023.                               s->ext.session_ticket_cb_arg)) {
    1024. 

  1024.         *al = SSL_AD_INTERNAL_ERROR;
    1025. 

  1025.         return 0;
    1026. 

  1026.     }
    1027. 

  1027. 

  1028.     if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) {
    1029. 

  1029.         *al = SSL_AD_UNSUPPORTED_EXTENSION;
    1030. 

  1030.         return 0;
    1031. 

  1031.     }
    1032. 

  1032. 

  1033.     s->ext.ticket_expected = 1;
    1034. 

  1034. 

  1035.     return 1;
    1036. 

  1036. }
    1037. 

  1037. 

  1038. #ifndef OPENSSL_NO_OCSP
    1039. 

  1039. int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
    1040. 

  1040.                                   X509 *x, size_t chainidx, int *al)
    1041. 

  1041. {
    1042. 

  1042.     /*
    1043. 

  1043.      * MUST only be sent if we've requested a status
    1044. 

  1044.      * request message. In TLS <= 1.2 it must also be empty.
    1045. 

  1045.      */
    1046. 

  1046.     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
    1047. 

  1047.             || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
    1048. 

  1048.         *al = SSL_AD_UNSUPPORTED_EXTENSION;
    1049. 

  1049.         return 0;
    1050. 

  1050.     }
    1051. 

  1051. 

  1052.     if (SSL_IS_TLS13(s)) {
    1053. 

  1053.         /* We only know how to handle this if it's for the first Certificate in
    1054. 

  1054.          * the chain. We ignore any other responses.
    1055. 

  1055.          */
    1056. 

  1056.         if (chainidx != 0)
    1057. 

  1057.             return 1;
    1058. 

  1058.         return tls_process_cert_status_body(s, pkt, al);
    1059. 

  1059.     }
    1060. 

  1060. 

  1061.     /* Set flag to expect CertificateStatus message */
    1062. 

  1062.     s->ext.status_expected = 1;
    1063. 

  1063. 

  1064.     return 1;
    1065. 

  1065. }
    1066. 

  1066. #endif
    1067. 

  1067. 

  1068. 

  1069. #ifndef OPENSSL_NO_CT
    1070. 

  1070. int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1071. 

  1071.                        size_t chainidx, int *al)
    1072. 

  1072. {
    1073. 

  1073.     /*
    1074. 

  1074.      * Only take it if we asked for it - i.e if there is no CT validation
    1075. 

  1075.      * callback set, then a custom extension MAY be processing it, so we
    1076. 

  1076.      * need to let control continue to flow to that.
    1077. 

  1077.      */
    1078. 

  1078.     if (s->ct_validation_callback != NULL) {
    1079. 

  1079.         size_t size = PACKET_remaining(pkt);
    1080. 

  1080. 

  1081.         /* Simply copy it off for later processing */
    1082. 

  1082.         OPENSSL_free(s->ext.scts);
    1083. 

  1083.         s->ext.scts = NULL;
    1084. 

  1084. 

  1085.         s->ext.scts_len = size;
    1086. 

  1086.         if (size > 0) {
    1087. 

  1087.             s->ext.scts = OPENSSL_malloc(size);
    1088. 

  1088.             if (s->ext.scts == NULL
    1089. 

  1089.                     || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
    1090. 

  1090.                 *al = SSL_AD_INTERNAL_ERROR;
    1091. 

  1091.                 return 0;
    1092. 

  1092.             }
    1093. 

  1093.         }
    1094. 

  1094.     } else {
    1095. 

  1095.         if (custom_ext_parse(s, context,
    1096. 

  1096.                              TLSEXT_TYPE_signed_certificate_timestamp,
    1097. 

  1097.                              PACKET_data(pkt), PACKET_remaining(pkt),
    1098. 

  1098.                              x, chainidx, al) <= 0)
    1099. 

  1099.             return 0;
    1100. 

  1100.     }
    1101. 

  1101. 

  1102.     return 1;
    1103. 

  1103. }
    1104. 

  1104. #endif
    1105. 

  1105. 

  1106. 

  1107. #ifndef OPENSSL_NO_NEXTPROTONEG
    1108. 

  1108. /*
    1109. 

  1109.  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
    1110. 

  1110.  * elements of zero length are allowed and the set of elements must exactly
    1111. 

  1111.  * fill the length of the block. Returns 1 on success or 0 on failure.
    1112. 

  1112.  */
    1113. 

  1113. static int ssl_next_proto_validate(PACKET *pkt)
    1114. 

  1114. {
    1115. 

  1115.     PACKET tmp_protocol;
    1116. 

  1116. 

  1117.     while (PACKET_remaining(pkt)) {
    1118. 

  1118.         if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
    1119. 

  1119.             || PACKET_remaining(&tmp_protocol) == 0)
    1120. 

  1120.             return 0;
    1121. 

  1121.     }
    1122. 

  1122. 

  1123.     return 1;
    1124. 

  1124. }
    1125. 

  1125. 

  1126. int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1127. 

  1127.                        size_t chainidx, int *al)
    1128. 

  1128. {
    1129. 

  1129.     unsigned char *selected;
    1130. 

  1130.     unsigned char selected_len;
    1131. 

  1131.     PACKET tmppkt;
    1132. 

  1132. 

  1133.     /* Check if we are in a renegotiation. If so ignore this extension */
    1134. 

  1134.     if (!SSL_IS_FIRST_HANDSHAKE(s))
    1135. 

  1135.         return 1;
    1136. 

  1136. 

  1137.     /* We must have requested it. */
    1138. 

  1138.     if (s->ctx->ext.npn_select_cb == NULL) {
    1139. 

  1139.         *al = SSL_AD_UNSUPPORTED_EXTENSION;
    1140. 

  1140.         return 0;
    1141. 

  1141.     }
    1142. 

  1142. 

  1143.     /* The data must be valid */
    1144. 

  1144.     tmppkt = *pkt;
    1145. 

  1145.     if (!ssl_next_proto_validate(&tmppkt)) {
    1146. 

  1146.         *al = SSL_AD_DECODE_ERROR;
    1147. 

  1147.         return 0;
    1148. 

  1148.     }
    1149. 

  1149.     if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
    1150. 

  1150.                                   PACKET_data(pkt),
    1151. 

  1151.                                   PACKET_remaining(pkt),
    1152. 

  1152.                                   s->ctx->ext.npn_select_cb_arg) !=
    1153. 

  1153.              SSL_TLSEXT_ERR_OK) {
    1154. 

  1154.         *al = SSL_AD_INTERNAL_ERROR;
    1155. 

  1155.         return 0;
    1156. 

  1156.     }
    1157. 

  1157. 

  1158.     /*
    1159. 

  1159.      * Could be non-NULL if server has sent multiple NPN extensions in
    1160. 

  1160.      * a single Serverhello
    1161. 

  1161.      */
    1162. 

  1162.     OPENSSL_free(s->ext.npn);
    1163. 

  1163.     s->ext.npn = OPENSSL_malloc(selected_len);
    1164. 

  1164.     if (s->ext.npn == NULL) {
    1165. 

  1165.         *al = SSL_AD_INTERNAL_ERROR;
    1166. 

  1166.         return 0;
    1167. 

  1167.     }
    1168. 

  1168. 

  1169.     memcpy(s->ext.npn, selected, selected_len);
    1170. 

  1170.     s->ext.npn_len = selected_len;
    1171. 

  1171.     s->s3->npn_seen = 1;
    1172. 

  1172. 

  1173.     return 1;
    1174. 

  1174. }
    1175. 

  1175. #endif
    1176. 

  1176. 

  1177. int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1178. 

  1178.                         size_t chainidx, int *al)
    1179. 

  1179. {
    1180. 

  1180.     size_t len;
    1181. 

  1181. 

  1182.     /* We must have requested it. */
    1183. 

  1183.     if (!s->s3->alpn_sent) {
    1184. 

  1184.         *al = SSL_AD_UNSUPPORTED_EXTENSION;
    1185. 

  1185.         return 0;
    1186. 

  1186.     }
    1187. 

  1187.     /*-
    1188. 

  1188.      * The extension data consists of:
    1189. 

  1189.      *   uint16 list_length
    1190. 

  1190.      *   uint8 proto_length;
    1191. 

  1191.      *   uint8 proto[proto_length];
    1192. 

  1192.      */
    1193. 

  1193.     if (!PACKET_get_net_2_len(pkt, &len)
    1194. 

  1194.         || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
    1195. 

  1195.         || PACKET_remaining(pkt) != len) {
    1196. 

  1196.         *al = SSL_AD_DECODE_ERROR;
    1197. 

  1197.         return 0;
    1198. 

  1198.     }
    1199. 

  1199.     OPENSSL_free(s->s3->alpn_selected);
    1200. 

  1200.     s->s3->alpn_selected = OPENSSL_malloc(len);
    1201. 

  1201.     if (s->s3->alpn_selected == NULL) {
    1202. 

  1202.         *al = SSL_AD_INTERNAL_ERROR;
    1203. 

  1203.         return 0;
    1204. 

  1204.     }
    1205. 

  1205.     if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
    1206. 

  1206.         *al = SSL_AD_DECODE_ERROR;
    1207. 

  1207.         return 0;
    1208. 

  1208.     }
    1209. 

  1209.     s->s3->alpn_selected_len = len;
    1210. 

  1210. 

  1211.     return 1;
    1212. 

  1212. }
    1213. 

  1213. 

  1214. #ifndef OPENSSL_NO_SRTP
    1215. 

  1215. int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1216. 

  1216.                             size_t chainidx, int *al)
    1217. 

  1217. {
    1218. 

  1218.     unsigned int id, ct, mki;
    1219. 

  1219.     int i;
    1220. 

  1220.     STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
    1221. 

  1221.     SRTP_PROTECTION_PROFILE *prof;
    1222. 

  1222. 

  1223.     if (!PACKET_get_net_2(pkt, &ct) || ct != 2
    1224. 

  1224.             || !PACKET_get_net_2(pkt, &id)
    1225. 

  1225.             || !PACKET_get_1(pkt, &mki)
    1226. 

  1226.             || PACKET_remaining(pkt) != 0) {
    1227. 

  1227.         SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
    1228. 

  1228.                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    1229. 

  1229.         *al = SSL_AD_DECODE_ERROR;
    1230. 

  1230.         return 0;
    1231. 

  1231.     }
    1232. 

  1232. 

  1233.     if (mki != 0) {
    1234. 

  1234.         /* Must be no MKI, since we never offer one */
    1235. 

  1235.         SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
    1236. 

  1236.         *al = SSL_AD_ILLEGAL_PARAMETER;
    1237. 

  1237.         return 0;
    1238. 

  1238.     }
    1239. 

  1239. 

  1240.     /* Throw an error if the server gave us an unsolicited extension */
    1241. 

  1241.     clnt = SSL_get_srtp_profiles(s);
    1242. 

  1242.     if (clnt == NULL) {
    1243. 

  1243.         SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
    1244. 

  1244.         *al = SSL_AD_DECODE_ERROR;
    1245. 

  1245.         return 0;
    1246. 

  1246.     }
    1247. 

  1247. 

  1248.     /*
    1249. 

  1249.      * Check to see if the server gave us something we support (and
    1250. 

  1250.      * presumably offered)
    1251. 

  1251.      */
    1252. 

  1252.     for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
    1253. 

  1253.         prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
    1254. 

  1254. 

  1255.         if (prof->id == id) {
    1256. 

  1256.             s->srtp_profile = prof;
    1257. 

  1257.             *al = 0;
    1258. 

  1258.             return 1;
    1259. 

  1259.         }
    1260. 

  1260.     }
    1261. 

  1261. 

  1262.     SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
    1263. 

  1263.            SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    1264. 

  1264.     *al = SSL_AD_DECODE_ERROR;
    1265. 

  1265.     return 0;
    1266. 

  1266. }
    1267. 

  1267. #endif
    1268. 

  1268. 

  1269. int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1270. 

  1270.                        size_t chainidx, int *al)
    1271. 

  1271. {
    1272. 

  1272.     /* Ignore if inappropriate ciphersuite */
    1273. 

  1273.     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
    1274. 

  1274.             && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
    1275. 

  1275.             && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
    1276. 

  1276.         s->ext.use_etm = 1;
    1277. 

  1277. 

  1278.     return 1;
    1279. 

  1279. }
    1280. 

  1280. 

  1281. int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1282. 

  1282.                        size_t chainidx, int *al)
    1283. 

  1283. {
    1284. 

  1284.     s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
    1285. 

  1285.     if (!s->hit)
    1286. 

  1286.         s->session->flags |= SSL_SESS_FLAG_EXTMS;
    1287. 

  1287. 

  1288.     return 1;
    1289. 

  1289. }
    1290. 

  1290. 

  1291. int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1292. 

  1292.                              size_t chainidx, int *al)
    1293. 

  1293. {
    1294. 

  1294. #ifndef OPENSSL_NO_TLS1_3
    1295. 

  1295.     unsigned int group_id;
    1296. 

  1296.     PACKET encoded_pt;
    1297. 

  1297.     EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
    1298. 

  1298. 

  1299.     /* Sanity check */
    1300. 

  1300.     if (ckey == NULL || s->s3->peer_tmp != NULL) {
    1301. 

  1301.         *al = SSL_AD_INTERNAL_ERROR;
    1302. 

  1302.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    1303. 

  1303.         return 0;
    1304. 

  1304.     }
    1305. 

  1305. 

  1306.     if (!PACKET_get_net_2(pkt, &group_id)) {
    1307. 

  1307.         *al = SSL_AD_HANDSHAKE_FAILURE;
    1308. 

  1308.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
    1309. 

  1309.         return 0;
    1310. 

  1310.     }
    1311. 

  1311. 

  1312.     if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
    1313. 

  1313.         unsigned const char *pcurves = NULL;
    1314. 

  1314.         size_t i, num_curves;
    1315. 

  1315. 

  1316.         if (PACKET_remaining(pkt) != 0) {
    1317. 

  1317.             *al = SSL_AD_HANDSHAKE_FAILURE;
    1318. 

  1318.             SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
    1319. 

  1319.             return 0;
    1320. 

  1320.         }
    1321. 

  1321. 

  1322.         /*
    1323. 

  1323.          * It is an error if the HelloRetryRequest wants a key_share that we
    1324. 

  1324.          * already sent in the first ClientHello
    1325. 

  1325.          */
    1326. 

  1326.         if (group_id == s->s3->group_id) {
    1327. 

  1327.             *al = SSL_AD_ILLEGAL_PARAMETER;
    1328. 

  1328.             SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
    1329. 

  1329.             return 0;
    1330. 

  1330.         }
    1331. 

  1331. 

  1332.         /* Validate the selected group is one we support */
    1333. 

  1333.         if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
    1334. 

  1334.             SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    1335. 

  1335.             return 0;
    1336. 

  1336.         }
    1337. 

  1337.         for (i = 0; i < num_curves; i++, pcurves += 2) {
    1338. 

  1338.             if (group_id == bytestogroup(pcurves))
    1339. 

  1339.                 break;
    1340. 

  1340.         }
    1341. 

  1341.         if (i >= num_curves
    1342. 

  1342.                 || !tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
    1343. 

  1343.             *al = SSL_AD_ILLEGAL_PARAMETER;
    1344. 

  1344.             SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
    1345. 

  1345.             return 0;
    1346. 

  1346.         }
    1347. 

  1347. 

  1348.         s->s3->group_id = group_id;
    1349. 

  1349.         EVP_PKEY_free(s->s3->tmp.pkey);
    1350. 

  1350.         s->s3->tmp.pkey = NULL;
    1351. 

  1351.         return 1;
    1352. 

  1352.     }
    1353. 

  1353. 

  1354.     if (group_id != s->s3->group_id) {
    1355. 

  1355.         /*
    1356. 

  1356.          * This isn't for the group that we sent in the original
    1357. 

  1357.          * key_share!
    1358. 

  1358.          */
    1359. 

  1359.         *al = SSL_AD_HANDSHAKE_FAILURE;
    1360. 

  1360.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
    1361. 

  1361.         return 0;
    1362. 

  1362.     }
    1363. 

  1363. 

  1364.     if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
    1365. 

  1365.             || PACKET_remaining(&encoded_pt) == 0) {
    1366. 

  1366.         *al = SSL_AD_DECODE_ERROR;
    1367. 

  1367.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
    1368. 

  1368.         return 0;
    1369. 

  1369.     }
    1370. 

  1370. 

  1371.     skey = ssl_generate_pkey(ckey);
    1372. 

  1372.     if (skey == NULL) {
    1373. 

  1373.         *al = SSL_AD_INTERNAL_ERROR;
    1374. 

  1374.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
    1375. 

  1375.         return 0;
    1376. 

  1376.     }
    1377. 

  1377.     if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
    1378. 

  1378.                                         PACKET_remaining(&encoded_pt))) {
    1379. 

  1379.         *al = SSL_AD_DECODE_ERROR;
    1380. 

  1380.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT);
    1381. 

  1381.         EVP_PKEY_free(skey);
    1382. 

  1382.         return 0;
    1383. 

  1383.     }
    1384. 

  1384. 

  1385.     if (ssl_derive(s, ckey, skey, 1) == 0) {
    1386. 

  1386.         *al = SSL_AD_INTERNAL_ERROR;
    1387. 

  1387.         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
    1388. 

  1388.         EVP_PKEY_free(skey);
    1389. 

  1389.         return 0;
    1390. 

  1390.     }
    1391. 

  1391.     s->s3->peer_tmp = skey;
    1392. 

  1392. #endif
    1393. 

  1393. 

  1394.     return 1;
    1395. 

  1395. }
    1396. 

  1396. 

  1397. int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1398. 

  1398.                        size_t chainidx, int *al)
    1399. 

  1399. {
    1400. 

  1400.     PACKET cookie;
    1401. 

  1401. 

  1402.     if (!PACKET_as_length_prefixed_2(pkt, &cookie)
    1403. 

  1403.             || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
    1404. 

  1404.                               &s->ext.tls13_cookie_len)) {
    1405. 

  1405.         *al = SSL_AD_DECODE_ERROR;
    1406. 

  1406.         SSLerr(SSL_F_TLS_PARSE_STOC_COOKIE, SSL_R_LENGTH_MISMATCH);
    1407. 

  1407.         return 0;
    1408. 

  1408.     }
    1409. 

  1409. 

  1410.     return 1;
    1411. 

  1411. }
    1412. 

  1412. 

  1413. int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
    1414. 

  1414.                               X509 *x, size_t chainidx, int *al)
    1415. 

  1415. {
    1416. 

  1416.     if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
    1417. 

  1417.         unsigned long max_early_data;
    1418. 

  1418. 

  1419.         if (!PACKET_get_net_4(pkt, &max_early_data)
    1420. 

  1420.                 || PACKET_remaining(pkt) != 0) {
    1421. 

  1421.             SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA,
    1422. 

  1422.                    SSL_R_INVALID_MAX_EARLY_DATA);
    1423. 

  1423.             *al = SSL_AD_DECODE_ERROR;
    1424. 

  1424.             return 0;
    1425. 

  1425.         }
    1426. 

  1426. 

  1427.         s->session->ext.max_early_data = max_early_data;
    1428. 

  1428. 

  1429.         return 1;
    1430. 

  1430.     }
    1431. 

  1431. 

  1432.     if (PACKET_remaining(pkt) != 0) {
    1433. 

  1433.         *al = SSL_AD_DECODE_ERROR;
    1434. 

  1434.         return 0;
    1435. 

  1435.     }
    1436. 

  1436. 

  1437.     if (s->ext.early_data != SSL_EARLY_DATA_REJECTED
    1438. 

  1438.             || !s->hit
    1439. 

  1439.             || s->session->ext.tick_identity != 0) {
    1440. 

  1440.         /*
    1441. 

  1441.          * If we get here then we didn't send early data, or we didn't resume
    1442. 

  1442.          * using the first identity so the server should not be accepting it.
    1443. 

  1443.          */
    1444. 

  1444.         *al = SSL_AD_ILLEGAL_PARAMETER;
    1445. 

  1445.         return 0;
    1446. 

  1446.     }
    1447. 

  1447. 

  1448.     s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
    1449. 

  1449. 

  1450.     return 1;
    1451. 

  1451. }
    1452. 

  1452. 

  1453. int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
    1454. 

  1454.                        size_t chainidx, int *al)
    1455. 

  1455. {
    1456. 

  1456. #ifndef OPENSSL_NO_TLS1_3
    1457. 

  1457.     unsigned int identity;
    1458. 

  1458. 

  1459.     if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
    1460. 

  1460.         *al = SSL_AD_HANDSHAKE_FAILURE;
    1461. 

  1461.         SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH);
    1462. 

  1462.         return 0;
    1463. 

  1463.     }
    1464. 

  1464. 

  1465.     if (s->session->ext.tick_identity != (int)identity) {
    1466. 

  1466.         *al = SSL_AD_HANDSHAKE_FAILURE;
    1467. 

  1467.         SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY);
    1468. 

  1468.         return 0;
    1469. 

  1469.     }
    1470. 

  1470. 

  1471.     s->hit = 1;
    1472. 

  1472. #endif
    1473. 

  1473. 

  1474.     return 1;
    1475. 

  1475. }
    1476.