xref: /freebsd/crypto/openssl/ssl/statem/extensions_clnt.c (revision 3e8eb5c7f4909209c042403ddee340b2ee7003a5)
1 /*
2  * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "internal/cryptlib.h"
13 #include "statem_local.h"
14 
15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
16                                           unsigned int context, X509 *x,
17                                           size_t chainidx)
18 {
19     /* Add RI if renegotiating */
20     if (!s->renegotiate)
21         return EXT_RETURN_NOT_SENT;
22 
23     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
24             || !WPACKET_start_sub_packet_u16(pkt)
25             || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
26                                s->s3->previous_client_finished_len)
27             || !WPACKET_close(pkt)) {
28         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
29                  ERR_R_INTERNAL_ERROR);
30         return EXT_RETURN_FAIL;
31     }
32 
33     return EXT_RETURN_SENT;
34 }
35 
36 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
37                                           unsigned int context, X509 *x,
38                                           size_t chainidx)
39 {
40     if (s->ext.hostname == NULL)
41         return EXT_RETURN_NOT_SENT;
42 
43     /* Add TLS extension servername to the Client Hello message */
44     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
45                /* Sub-packet for server_name extension */
46             || !WPACKET_start_sub_packet_u16(pkt)
47                /* Sub-packet for servername list (always 1 hostname)*/
48             || !WPACKET_start_sub_packet_u16(pkt)
49             || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
50             || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
51                                        strlen(s->ext.hostname))
52             || !WPACKET_close(pkt)
53             || !WPACKET_close(pkt)) {
54         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
55                  ERR_R_INTERNAL_ERROR);
56         return EXT_RETURN_FAIL;
57     }
58 
59     return EXT_RETURN_SENT;
60 }
61 
62 /* Push a Max Fragment Len extension into ClientHello */
63 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
64                                              unsigned int context, X509 *x,
65                                              size_t chainidx)
66 {
67     if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
68         return EXT_RETURN_NOT_SENT;
69 
70     /* Add Max Fragment Length extension if client enabled it. */
71     /*-
72      * 4 bytes for this extension type and extension length
73      * 1 byte for the Max Fragment Length code value.
74      */
75     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
76             /* Sub-packet for Max Fragment Length extension (1 byte) */
77             || !WPACKET_start_sub_packet_u16(pkt)
78             || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
79             || !WPACKET_close(pkt)) {
80         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
81                  SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
82         return EXT_RETURN_FAIL;
83     }
84 
85     return EXT_RETURN_SENT;
86 }
87 
88 #ifndef OPENSSL_NO_SRP
89 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
90                                   X509 *x, size_t chainidx)
91 {
92     /* Add SRP username if there is one */
93     if (s->srp_ctx.login == NULL)
94         return EXT_RETURN_NOT_SENT;
95 
96     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
97                /* Sub-packet for SRP extension */
98             || !WPACKET_start_sub_packet_u16(pkt)
99             || !WPACKET_start_sub_packet_u8(pkt)
100                /* login must not be zero...internal error if so */
101             || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
102             || !WPACKET_memcpy(pkt, s->srp_ctx.login,
103                                strlen(s->srp_ctx.login))
104             || !WPACKET_close(pkt)
105             || !WPACKET_close(pkt)) {
106         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
107                  ERR_R_INTERNAL_ERROR);
108         return EXT_RETURN_FAIL;
109     }
110 
111     return EXT_RETURN_SENT;
112 }
113 #endif
114 
115 #ifndef OPENSSL_NO_EC
116 static int use_ecc(SSL *s)
117 {
118     int i, end, ret = 0;
119     unsigned long alg_k, alg_a;
120     STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
121     const uint16_t *pgroups = NULL;
122     size_t num_groups, j;
123 
124     /* See if we support any ECC ciphersuites */
125     if (s->version == SSL3_VERSION)
126         return 0;
127 
128     cipher_stack = SSL_get1_supported_ciphers(s);
129     end = sk_SSL_CIPHER_num(cipher_stack);
130     for (i = 0; i < end; i++) {
131         const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
132 
133         alg_k = c->algorithm_mkey;
134         alg_a = c->algorithm_auth;
135         if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
136                 || (alg_a & SSL_aECDSA)
137                 || c->min_tls >= TLS1_3_VERSION) {
138             ret = 1;
139             break;
140         }
141     }
142 
143     sk_SSL_CIPHER_free(cipher_stack);
144     if (!ret)
145         return 0;
146 
147     /* Check we have at least one EC supported group */
148     tls1_get_supported_groups(s, &pgroups, &num_groups);
149     for (j = 0; j < num_groups; j++) {
150         uint16_t ctmp = pgroups[j];
151 
152         if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
153             return 1;
154     }
155 
156     return 0;
157 }
158 
159 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
160                                             unsigned int context, X509 *x,
161                                             size_t chainidx)
162 {
163     const unsigned char *pformats;
164     size_t num_formats;
165 
166     if (!use_ecc(s))
167         return EXT_RETURN_NOT_SENT;
168 
169     /* Add TLS extension ECPointFormats to the ClientHello message */
170     tls1_get_formatlist(s, &pformats, &num_formats);
171 
172     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
173                /* Sub-packet for formats extension */
174             || !WPACKET_start_sub_packet_u16(pkt)
175             || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
176             || !WPACKET_close(pkt)) {
177         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
178                  SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
179         return EXT_RETURN_FAIL;
180     }
181 
182     return EXT_RETURN_SENT;
183 }
184 
185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
186                                                unsigned int context, X509 *x,
187                                                size_t chainidx)
188 {
189     const uint16_t *pgroups = NULL;
190     size_t num_groups = 0, i;
191 
192     if (!use_ecc(s))
193         return EXT_RETURN_NOT_SENT;
194 
195     /*
196      * Add TLS extension supported_groups to the ClientHello message
197      */
198     /* TODO(TLS1.3): Add support for DHE groups */
199     tls1_get_supported_groups(s, &pgroups, &num_groups);
200 
201     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
202                /* Sub-packet for supported_groups extension */
203             || !WPACKET_start_sub_packet_u16(pkt)
204             || !WPACKET_start_sub_packet_u16(pkt)) {
205         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
206                  SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
207                  ERR_R_INTERNAL_ERROR);
208         return EXT_RETURN_FAIL;
209     }
210     /* Copy curve ID if supported */
211     for (i = 0; i < num_groups; i++) {
212         uint16_t ctmp = pgroups[i];
213 
214         if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
215             if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
216                     SSLfatal(s, SSL_AD_INTERNAL_ERROR,
217                              SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
218                              ERR_R_INTERNAL_ERROR);
219                     return EXT_RETURN_FAIL;
220                 }
221         }
222     }
223     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
224         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
225                  SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
226                  ERR_R_INTERNAL_ERROR);
227         return EXT_RETURN_FAIL;
228     }
229 
230     return EXT_RETURN_SENT;
231 }
232 #endif
233 
234 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
235                                              unsigned int context, X509 *x,
236                                              size_t chainidx)
237 {
238     size_t ticklen;
239 
240     if (!tls_use_ticket(s))
241         return EXT_RETURN_NOT_SENT;
242 
243     if (!s->new_session && s->session != NULL
244             && s->session->ext.tick != NULL
245             && s->session->ssl_version != TLS1_3_VERSION) {
246         ticklen = s->session->ext.ticklen;
247     } else if (s->session && s->ext.session_ticket != NULL
248                && s->ext.session_ticket->data != NULL) {
249         ticklen = s->ext.session_ticket->length;
250         s->session->ext.tick = OPENSSL_malloc(ticklen);
251         if (s->session->ext.tick == NULL) {
252             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
253                      SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
254                      ERR_R_INTERNAL_ERROR);
255             return EXT_RETURN_FAIL;
256         }
257         memcpy(s->session->ext.tick,
258                s->ext.session_ticket->data, ticklen);
259         s->session->ext.ticklen = ticklen;
260     } else {
261         ticklen = 0;
262     }
263 
264     if (ticklen == 0 && s->ext.session_ticket != NULL &&
265             s->ext.session_ticket->data == NULL)
266         return EXT_RETURN_NOT_SENT;
267 
268     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
269             || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
270         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
271                  SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
272         return EXT_RETURN_FAIL;
273     }
274 
275     return EXT_RETURN_SENT;
276 }
277 
278 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
279                                        unsigned int context, X509 *x,
280                                        size_t chainidx)
281 {
282     size_t salglen;
283     const uint16_t *salg;
284 
285     if (!SSL_CLIENT_USE_SIGALGS(s))
286         return EXT_RETURN_NOT_SENT;
287 
288     salglen = tls12_get_psigalgs(s, 1, &salg);
289     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
290                /* Sub-packet for sig-algs extension */
291             || !WPACKET_start_sub_packet_u16(pkt)
292                /* Sub-packet for the actual list */
293             || !WPACKET_start_sub_packet_u16(pkt)
294             || !tls12_copy_sigalgs(s, pkt, salg, salglen)
295             || !WPACKET_close(pkt)
296             || !WPACKET_close(pkt)) {
297         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
298                  ERR_R_INTERNAL_ERROR);
299         return EXT_RETURN_FAIL;
300     }
301 
302     return EXT_RETURN_SENT;
303 }
304 
305 #ifndef OPENSSL_NO_OCSP
306 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
307                                              unsigned int context, X509 *x,
308                                              size_t chainidx)
309 {
310     int i;
311 
312     /* This extension isn't defined for client Certificates */
313     if (x != NULL)
314         return EXT_RETURN_NOT_SENT;
315 
316     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
317         return EXT_RETURN_NOT_SENT;
318 
319     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
320                /* Sub-packet for status request extension */
321             || !WPACKET_start_sub_packet_u16(pkt)
322             || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
323                /* Sub-packet for the ids */
324             || !WPACKET_start_sub_packet_u16(pkt)) {
325         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
326                  SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
327         return EXT_RETURN_FAIL;
328     }
329     for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
330         unsigned char *idbytes;
331         OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
332         int idlen = i2d_OCSP_RESPID(id, NULL);
333 
334         if (idlen <= 0
335                    /* Sub-packet for an individual id */
336                 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
337                 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
338             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
339                      SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
340                      ERR_R_INTERNAL_ERROR);
341             return EXT_RETURN_FAIL;
342         }
343     }
344     if (!WPACKET_close(pkt)
345             || !WPACKET_start_sub_packet_u16(pkt)) {
346         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
347                  SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
348         return EXT_RETURN_FAIL;
349     }
350     if (s->ext.ocsp.exts) {
351         unsigned char *extbytes;
352         int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
353 
354         if (extlen < 0) {
355             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
356                      SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
357                      ERR_R_INTERNAL_ERROR);
358             return EXT_RETURN_FAIL;
359         }
360         if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
361                 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
362                    != extlen) {
363             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
364                      SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
365                      ERR_R_INTERNAL_ERROR);
366             return EXT_RETURN_FAIL;
367        }
368     }
369     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
370         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
371                  SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
372         return EXT_RETURN_FAIL;
373     }
374 
375     return EXT_RETURN_SENT;
376 }
377 #endif
378 
379 #ifndef OPENSSL_NO_NEXTPROTONEG
380 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
381                                   X509 *x, size_t chainidx)
382 {
383     if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
384         return EXT_RETURN_NOT_SENT;
385 
386     /*
387      * The client advertises an empty extension to indicate its support
388      * for Next Protocol Negotiation
389      */
390     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
391             || !WPACKET_put_bytes_u16(pkt, 0)) {
392         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
393                  ERR_R_INTERNAL_ERROR);
394         return EXT_RETURN_FAIL;
395     }
396 
397     return EXT_RETURN_SENT;
398 }
399 #endif
400 
401 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
402                                    X509 *x, size_t chainidx)
403 {
404     s->s3->alpn_sent = 0;
405 
406     if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
407         return EXT_RETURN_NOT_SENT;
408 
409     if (!WPACKET_put_bytes_u16(pkt,
410                 TLSEXT_TYPE_application_layer_protocol_negotiation)
411                /* Sub-packet ALPN extension */
412             || !WPACKET_start_sub_packet_u16(pkt)
413             || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
414             || !WPACKET_close(pkt)) {
415         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
416                  ERR_R_INTERNAL_ERROR);
417         return EXT_RETURN_FAIL;
418     }
419     s->s3->alpn_sent = 1;
420 
421     return EXT_RETURN_SENT;
422 }
423 
424 
425 #ifndef OPENSSL_NO_SRTP
426 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
427                                        unsigned int context, X509 *x,
428                                        size_t chainidx)
429 {
430     STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
431     int i, end;
432 
433     if (clnt == NULL)
434         return EXT_RETURN_NOT_SENT;
435 
436     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
437                /* Sub-packet for SRTP extension */
438             || !WPACKET_start_sub_packet_u16(pkt)
439                /* Sub-packet for the protection profile list */
440             || !WPACKET_start_sub_packet_u16(pkt)) {
441         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
442                  ERR_R_INTERNAL_ERROR);
443         return EXT_RETURN_FAIL;
444     }
445 
446     end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
447     for (i = 0; i < end; i++) {
448         const SRTP_PROTECTION_PROFILE *prof =
449             sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
450 
451         if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
452             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
453                      SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
454             return EXT_RETURN_FAIL;
455         }
456     }
457     if (!WPACKET_close(pkt)
458                /* Add an empty use_mki value */
459             || !WPACKET_put_bytes_u8(pkt, 0)
460             || !WPACKET_close(pkt)) {
461         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
462                  ERR_R_INTERNAL_ERROR);
463         return EXT_RETURN_FAIL;
464     }
465 
466     return EXT_RETURN_SENT;
467 }
468 #endif
469 
470 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
471                                   X509 *x, size_t chainidx)
472 {
473     if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
474         return EXT_RETURN_NOT_SENT;
475 
476     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
477             || !WPACKET_put_bytes_u16(pkt, 0)) {
478         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
479                  ERR_R_INTERNAL_ERROR);
480         return EXT_RETURN_FAIL;
481     }
482 
483     return EXT_RETURN_SENT;
484 }
485 
486 #ifndef OPENSSL_NO_CT
487 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
488                                   X509 *x, size_t chainidx)
489 {
490     if (s->ct_validation_callback == NULL)
491         return EXT_RETURN_NOT_SENT;
492 
493     /* Not defined for client Certificates */
494     if (x != NULL)
495         return EXT_RETURN_NOT_SENT;
496 
497     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
498             || !WPACKET_put_bytes_u16(pkt, 0)) {
499         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
500                  ERR_R_INTERNAL_ERROR);
501         return EXT_RETURN_FAIL;
502     }
503 
504     return EXT_RETURN_SENT;
505 }
506 #endif
507 
508 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
509                                   X509 *x, size_t chainidx)
510 {
511     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
512             || !WPACKET_put_bytes_u16(pkt, 0)) {
513         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
514                  ERR_R_INTERNAL_ERROR);
515         return EXT_RETURN_FAIL;
516     }
517 
518     return EXT_RETURN_SENT;
519 }
520 
521 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
522                                                  unsigned int context, X509 *x,
523                                                  size_t chainidx)
524 {
525     int currv, min_version, max_version, reason;
526 
527     reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
528     if (reason != 0) {
529         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
530                  SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
531         return EXT_RETURN_FAIL;
532     }
533 
534     /*
535      * Don't include this if we can't negotiate TLSv1.3. We can do a straight
536      * comparison here because we will never be called in DTLS.
537      */
538     if (max_version < TLS1_3_VERSION)
539         return EXT_RETURN_NOT_SENT;
540 
541     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
542             || !WPACKET_start_sub_packet_u16(pkt)
543             || !WPACKET_start_sub_packet_u8(pkt)) {
544         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
545                  SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
546                  ERR_R_INTERNAL_ERROR);
547         return EXT_RETURN_FAIL;
548     }
549 
550     for (currv = max_version; currv >= min_version; currv--) {
551         if (!WPACKET_put_bytes_u16(pkt, currv)) {
552             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
553                      SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
554                      ERR_R_INTERNAL_ERROR);
555             return EXT_RETURN_FAIL;
556         }
557     }
558     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
559         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
560                  SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
561                  ERR_R_INTERNAL_ERROR);
562         return EXT_RETURN_FAIL;
563     }
564 
565     return EXT_RETURN_SENT;
566 }
567 
568 /*
569  * Construct a psk_kex_modes extension.
570  */
571 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
572                                             unsigned int context, X509 *x,
573                                             size_t chainidx)
574 {
575 #ifndef OPENSSL_NO_TLS1_3
576     int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
577 
578     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
579             || !WPACKET_start_sub_packet_u16(pkt)
580             || !WPACKET_start_sub_packet_u8(pkt)
581             || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
582             || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
583             || !WPACKET_close(pkt)
584             || !WPACKET_close(pkt)) {
585         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
586                  SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
587         return EXT_RETURN_FAIL;
588     }
589 
590     s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
591     if (nodhe)
592         s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
593 #endif
594 
595     return EXT_RETURN_SENT;
596 }
597 
598 #ifndef OPENSSL_NO_TLS1_3
599 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
600 {
601     unsigned char *encoded_point = NULL;
602     EVP_PKEY *key_share_key = NULL;
603     size_t encodedlen;
604 
605     if (s->s3->tmp.pkey != NULL) {
606         if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
607             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
608                      ERR_R_INTERNAL_ERROR);
609             return 0;
610         }
611         /*
612          * Could happen if we got an HRR that wasn't requesting a new key_share
613          */
614         key_share_key = s->s3->tmp.pkey;
615     } else {
616         key_share_key = ssl_generate_pkey_group(s, curve_id);
617         if (key_share_key == NULL) {
618             /* SSLfatal() already called */
619             return 0;
620         }
621     }
622 
623     /* Encode the public key. */
624     encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
625                                                 &encoded_point);
626     if (encodedlen == 0) {
627         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
628         goto err;
629     }
630 
631     /* Create KeyShareEntry */
632     if (!WPACKET_put_bytes_u16(pkt, curve_id)
633             || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
634         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
635                  ERR_R_INTERNAL_ERROR);
636         goto err;
637     }
638 
639     /*
640      * TODO(TLS1.3): When changing to send more than one key_share we're
641      * going to need to be able to save more than one EVP_PKEY. For now
642      * we reuse the existing tmp.pkey
643      */
644     s->s3->tmp.pkey = key_share_key;
645     s->s3->group_id = curve_id;
646     OPENSSL_free(encoded_point);
647 
648     return 1;
649  err:
650     if (s->s3->tmp.pkey == NULL)
651         EVP_PKEY_free(key_share_key);
652     OPENSSL_free(encoded_point);
653     return 0;
654 }
655 #endif
656 
657 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
658                                         unsigned int context, X509 *x,
659                                         size_t chainidx)
660 {
661 #ifndef OPENSSL_NO_TLS1_3
662     size_t i, num_groups = 0;
663     const uint16_t *pgroups = NULL;
664     uint16_t curve_id = 0;
665 
666     /* key_share extension */
667     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
668                /* Extension data sub-packet */
669             || !WPACKET_start_sub_packet_u16(pkt)
670                /* KeyShare list sub-packet */
671             || !WPACKET_start_sub_packet_u16(pkt)) {
672         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
673                  ERR_R_INTERNAL_ERROR);
674         return EXT_RETURN_FAIL;
675     }
676 
677     tls1_get_supported_groups(s, &pgroups, &num_groups);
678 
679     /*
680      * TODO(TLS1.3): Make the number of key_shares sent configurable. For
681      * now, just send one
682      */
683     if (s->s3->group_id != 0) {
684         curve_id = s->s3->group_id;
685     } else {
686         for (i = 0; i < num_groups; i++) {
687 
688             if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
689                 continue;
690 
691             curve_id = pgroups[i];
692             break;
693         }
694     }
695 
696     if (curve_id == 0) {
697         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
698                  SSL_R_NO_SUITABLE_KEY_SHARE);
699         return EXT_RETURN_FAIL;
700     }
701 
702     if (!add_key_share(s, pkt, curve_id)) {
703         /* SSLfatal() already called */
704         return EXT_RETURN_FAIL;
705     }
706 
707     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
708         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
709                  ERR_R_INTERNAL_ERROR);
710         return EXT_RETURN_FAIL;
711     }
712     return EXT_RETURN_SENT;
713 #else
714     return EXT_RETURN_NOT_SENT;
715 #endif
716 }
717 
718 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
719                                      X509 *x, size_t chainidx)
720 {
721     EXT_RETURN ret = EXT_RETURN_FAIL;
722 
723     /* Should only be set if we've had an HRR */
724     if (s->ext.tls13_cookie_len == 0)
725         return EXT_RETURN_NOT_SENT;
726 
727     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
728                /* Extension data sub-packet */
729             || !WPACKET_start_sub_packet_u16(pkt)
730             || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
731                                        s->ext.tls13_cookie_len)
732             || !WPACKET_close(pkt)) {
733         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
734                  ERR_R_INTERNAL_ERROR);
735         goto end;
736     }
737 
738     ret = EXT_RETURN_SENT;
739  end:
740     OPENSSL_free(s->ext.tls13_cookie);
741     s->ext.tls13_cookie = NULL;
742     s->ext.tls13_cookie_len = 0;
743 
744     return ret;
745 }
746 
747 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
748                                          unsigned int context, X509 *x,
749                                          size_t chainidx)
750 {
751 #ifndef OPENSSL_NO_PSK
752     char identity[PSK_MAX_IDENTITY_LEN + 1];
753 #endif  /* OPENSSL_NO_PSK */
754     const unsigned char *id = NULL;
755     size_t idlen = 0;
756     SSL_SESSION *psksess = NULL;
757     SSL_SESSION *edsess = NULL;
758     const EVP_MD *handmd = NULL;
759 
760     if (s->hello_retry_request == SSL_HRR_PENDING)
761         handmd = ssl_handshake_md(s);
762 
763     if (s->psk_use_session_cb != NULL
764             && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
765                 || (psksess != NULL
766                     && psksess->ssl_version != TLS1_3_VERSION))) {
767         SSL_SESSION_free(psksess);
768         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
769                  SSL_R_BAD_PSK);
770         return EXT_RETURN_FAIL;
771     }
772 
773 #ifndef OPENSSL_NO_PSK
774     if (psksess == NULL && s->psk_client_callback != NULL) {
775         unsigned char psk[PSK_MAX_PSK_LEN];
776         size_t psklen = 0;
777 
778         memset(identity, 0, sizeof(identity));
779         psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
780                                         psk, sizeof(psk));
781 
782         if (psklen > PSK_MAX_PSK_LEN) {
783             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
784                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
785             return EXT_RETURN_FAIL;
786         } else if (psklen > 0) {
787             const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
788             const SSL_CIPHER *cipher;
789 
790             idlen = strlen(identity);
791             if (idlen > PSK_MAX_IDENTITY_LEN) {
792                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
793                          SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
794                          ERR_R_INTERNAL_ERROR);
795                 return EXT_RETURN_FAIL;
796             }
797             id = (unsigned char *)identity;
798 
799             /*
800              * We found a PSK using an old style callback. We don't know
801              * the digest so we default to SHA256 as per the TLSv1.3 spec
802              */
803             cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
804             if (cipher == NULL) {
805                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
806                          SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
807                          ERR_R_INTERNAL_ERROR);
808                 return EXT_RETURN_FAIL;
809             }
810 
811             psksess = SSL_SESSION_new();
812             if (psksess == NULL
813                     || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
814                     || !SSL_SESSION_set_cipher(psksess, cipher)
815                     || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
816                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
817                          SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
818                          ERR_R_INTERNAL_ERROR);
819                 OPENSSL_cleanse(psk, psklen);
820                 return EXT_RETURN_FAIL;
821             }
822             OPENSSL_cleanse(psk, psklen);
823         }
824     }
825 #endif  /* OPENSSL_NO_PSK */
826 
827     SSL_SESSION_free(s->psksession);
828     s->psksession = psksess;
829     if (psksess != NULL) {
830         OPENSSL_free(s->psksession_id);
831         s->psksession_id = OPENSSL_memdup(id, idlen);
832         if (s->psksession_id == NULL) {
833             s->psksession_id_len = 0;
834             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
835                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
836             return EXT_RETURN_FAIL;
837         }
838         s->psksession_id_len = idlen;
839     }
840 
841     if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
842             || (s->session->ext.max_early_data == 0
843                 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
844         s->max_early_data = 0;
845         return EXT_RETURN_NOT_SENT;
846     }
847     edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
848     s->max_early_data = edsess->ext.max_early_data;
849 
850     if (edsess->ext.hostname != NULL) {
851         if (s->ext.hostname == NULL
852                 || (s->ext.hostname != NULL
853                     && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
854             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
855                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
856                      SSL_R_INCONSISTENT_EARLY_DATA_SNI);
857             return EXT_RETURN_FAIL;
858         }
859     }
860 
861     if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
862         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
863                  SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
864         return EXT_RETURN_FAIL;
865     }
866 
867     /*
868      * Verify that we are offering an ALPN protocol consistent with the early
869      * data.
870      */
871     if (edsess->ext.alpn_selected != NULL) {
872         PACKET prots, alpnpkt;
873         int found = 0;
874 
875         if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
876             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
877                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
878             return EXT_RETURN_FAIL;
879         }
880         while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
881             if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
882                              edsess->ext.alpn_selected_len)) {
883                 found = 1;
884                 break;
885             }
886         }
887         if (!found) {
888             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
889                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
890                      SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
891             return EXT_RETURN_FAIL;
892         }
893     }
894 
895     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
896             || !WPACKET_start_sub_packet_u16(pkt)
897             || !WPACKET_close(pkt)) {
898         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
899                  ERR_R_INTERNAL_ERROR);
900         return EXT_RETURN_FAIL;
901     }
902 
903     /*
904      * We set this to rejected here. Later, if the server acknowledges the
905      * extension, we set it to accepted.
906      */
907     s->ext.early_data = SSL_EARLY_DATA_REJECTED;
908     s->ext.early_data_ok = 1;
909 
910     return EXT_RETURN_SENT;
911 }
912 
913 #define F5_WORKAROUND_MIN_MSG_LEN   0xff
914 #define F5_WORKAROUND_MAX_MSG_LEN   0x200
915 
916 /*
917  * PSK pre binder overhead =
918  *  2 bytes for TLSEXT_TYPE_psk
919  *  2 bytes for extension length
920  *  2 bytes for identities list length
921  *  2 bytes for identity length
922  *  4 bytes for obfuscated_ticket_age
923  *  2 bytes for binder list length
924  *  1 byte for binder length
925  * The above excludes the number of bytes for the identity itself and the
926  * subsequent binder bytes
927  */
928 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
929 
930 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
931                                       unsigned int context, X509 *x,
932                                       size_t chainidx)
933 {
934     unsigned char *padbytes;
935     size_t hlen;
936 
937     if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
938         return EXT_RETURN_NOT_SENT;
939 
940     /*
941      * Add padding to workaround bugs in F5 terminators. See RFC7685.
942      * This code calculates the length of all extensions added so far but
943      * excludes the PSK extension (because that MUST be written last). Therefore
944      * this extension MUST always appear second to last.
945      */
946     if (!WPACKET_get_total_written(pkt, &hlen)) {
947         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
948                  ERR_R_INTERNAL_ERROR);
949         return EXT_RETURN_FAIL;
950     }
951 
952     /*
953      * If we're going to send a PSK then that will be written out after this
954      * extension, so we need to calculate how long it is going to be.
955      */
956     if (s->session->ssl_version == TLS1_3_VERSION
957             && s->session->ext.ticklen != 0
958             && s->session->cipher != NULL) {
959         const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
960 
961         if (md != NULL) {
962             /*
963              * Add the fixed PSK overhead, the identity length and the binder
964              * length.
965              */
966             hlen +=  PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
967                      + EVP_MD_size(md);
968         }
969     }
970 
971     if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
972         /* Calculate the amount of padding we need to add */
973         hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
974 
975         /*
976          * Take off the size of extension header itself (2 bytes for type and
977          * 2 bytes for length bytes), but ensure that the extension is at least
978          * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
979          * 8.x are intolerant of that condition)
980          */
981         if (hlen > 4)
982             hlen -= 4;
983         else
984             hlen = 1;
985 
986         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
987                 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
988             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
989                      ERR_R_INTERNAL_ERROR);
990             return EXT_RETURN_FAIL;
991         }
992         memset(padbytes, 0, hlen);
993     }
994 
995     return EXT_RETURN_SENT;
996 }
997 
998 /*
999  * Construct the pre_shared_key extension
1000  */
1001 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
1002                                   X509 *x, size_t chainidx)
1003 {
1004 #ifndef OPENSSL_NO_TLS1_3
1005     uint32_t now, agesec, agems = 0;
1006     size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
1007     unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
1008     const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
1009     int dores = 0;
1010 
1011     s->ext.tick_identity = 0;
1012 
1013     /*
1014      * Note: At this stage of the code we only support adding a single
1015      * resumption PSK. If we add support for multiple PSKs then the length
1016      * calculations in the padding extension will need to be adjusted.
1017      */
1018 
1019     /*
1020      * If this is an incompatible or new session then we have nothing to resume
1021      * so don't add this extension.
1022      */
1023     if (s->session->ssl_version != TLS1_3_VERSION
1024             || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1025         return EXT_RETURN_NOT_SENT;
1026 
1027     if (s->hello_retry_request == SSL_HRR_PENDING)
1028         handmd = ssl_handshake_md(s);
1029 
1030     if (s->session->ext.ticklen != 0) {
1031         /* Get the digest associated with the ciphersuite in the session */
1032         if (s->session->cipher == NULL) {
1033             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1034                      ERR_R_INTERNAL_ERROR);
1035             return EXT_RETURN_FAIL;
1036         }
1037         mdres = ssl_md(s->session->cipher->algorithm2);
1038         if (mdres == NULL) {
1039             /*
1040              * Don't recognize this cipher so we can't use the session.
1041              * Ignore it
1042              */
1043             goto dopsksess;
1044         }
1045 
1046         if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1047             /*
1048              * Selected ciphersuite hash does not match the hash for the session
1049              * so we can't use it.
1050              */
1051             goto dopsksess;
1052         }
1053 
1054         /*
1055          * Technically the C standard just says time() returns a time_t and says
1056          * nothing about the encoding of that type. In practice most
1057          * implementations follow POSIX which holds it as an integral type in
1058          * seconds since epoch. We've already made the assumption that we can do
1059          * this in multiple places in the code, so portability shouldn't be an
1060          * issue.
1061          */
1062         now = (uint32_t)time(NULL);
1063         agesec = now - (uint32_t)s->session->time;
1064         /*
1065          * We calculate the age in seconds but the server may work in ms. Due to
1066          * rounding errors we could overestimate the age by up to 1s. It is
1067          * better to underestimate it. Otherwise, if the RTT is very short, when
1068          * the server calculates the age reported by the client it could be
1069          * bigger than the age calculated on the server - which should never
1070          * happen.
1071          */
1072         if (agesec > 0)
1073             agesec--;
1074 
1075         if (s->session->ext.tick_lifetime_hint < agesec) {
1076             /* Ticket is too old. Ignore it. */
1077             goto dopsksess;
1078         }
1079 
1080         /*
1081          * Calculate age in ms. We're just doing it to nearest second. Should be
1082          * good enough.
1083          */
1084         agems = agesec * (uint32_t)1000;
1085 
1086         if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1087             /*
1088              * Overflow. Shouldn't happen unless this is a *really* old session.
1089              * If so we just ignore it.
1090              */
1091             goto dopsksess;
1092         }
1093 
1094         /*
1095          * Obfuscate the age. Overflow here is fine, this addition is supposed
1096          * to be mod 2^32.
1097          */
1098         agems += s->session->ext.tick_age_add;
1099 
1100         reshashsize = EVP_MD_size(mdres);
1101         s->ext.tick_identity++;
1102         dores = 1;
1103     }
1104 
1105  dopsksess:
1106     if (!dores && s->psksession == NULL)
1107         return EXT_RETURN_NOT_SENT;
1108 
1109     if (s->psksession != NULL) {
1110         mdpsk = ssl_md(s->psksession->cipher->algorithm2);
1111         if (mdpsk == NULL) {
1112             /*
1113              * Don't recognize this cipher so we can't use the session.
1114              * If this happens it's an application bug.
1115              */
1116             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1117                      SSL_R_BAD_PSK);
1118             return EXT_RETURN_FAIL;
1119         }
1120 
1121         if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1122             /*
1123              * Selected ciphersuite hash does not match the hash for the PSK
1124              * session. This is an application bug.
1125              */
1126             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1127                      SSL_R_BAD_PSK);
1128             return EXT_RETURN_FAIL;
1129         }
1130 
1131         pskhashsize = EVP_MD_size(mdpsk);
1132     }
1133 
1134     /* Create the extension, but skip over the binder for now */
1135     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1136             || !WPACKET_start_sub_packet_u16(pkt)
1137             || !WPACKET_start_sub_packet_u16(pkt)) {
1138         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1139                  ERR_R_INTERNAL_ERROR);
1140         return EXT_RETURN_FAIL;
1141     }
1142 
1143     if (dores) {
1144         if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1145                                            s->session->ext.ticklen)
1146                 || !WPACKET_put_bytes_u32(pkt, agems)) {
1147             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1148                      ERR_R_INTERNAL_ERROR);
1149             return EXT_RETURN_FAIL;
1150         }
1151     }
1152 
1153     if (s->psksession != NULL) {
1154         if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1155                                     s->psksession_id_len)
1156                 || !WPACKET_put_bytes_u32(pkt, 0)) {
1157             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1158                      ERR_R_INTERNAL_ERROR);
1159             return EXT_RETURN_FAIL;
1160         }
1161         s->ext.tick_identity++;
1162     }
1163 
1164     if (!WPACKET_close(pkt)
1165             || !WPACKET_get_total_written(pkt, &binderoffset)
1166             || !WPACKET_start_sub_packet_u16(pkt)
1167             || (dores
1168                 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1169             || (s->psksession != NULL
1170                 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1171             || !WPACKET_close(pkt)
1172             || !WPACKET_close(pkt)
1173             || !WPACKET_get_total_written(pkt, &msglen)
1174                /*
1175                 * We need to fill in all the sub-packet lengths now so we can
1176                 * calculate the HMAC of the message up to the binders
1177                 */
1178             || !WPACKET_fill_lengths(pkt)) {
1179         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
1180                  ERR_R_INTERNAL_ERROR);
1181         return EXT_RETURN_FAIL;
1182     }
1183 
1184     msgstart = WPACKET_get_curr(pkt) - msglen;
1185 
1186     if (dores
1187             && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1188                                  resbinder, s->session, 1, 0) != 1) {
1189         /* SSLfatal() already called */
1190         return EXT_RETURN_FAIL;
1191     }
1192 
1193     if (s->psksession != NULL
1194             && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1195                                  pskbinder, s->psksession, 1, 1) != 1) {
1196         /* SSLfatal() already called */
1197         return EXT_RETURN_FAIL;
1198     }
1199 
1200     return EXT_RETURN_SENT;
1201 #else
1202     return EXT_RETURN_NOT_SENT;
1203 #endif
1204 }
1205 
1206 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
1207                                                   unsigned int context,
1208                                                   X509 *x, size_t chainidx)
1209 {
1210 #ifndef OPENSSL_NO_TLS1_3
1211     if (!s->pha_enabled)
1212         return EXT_RETURN_NOT_SENT;
1213 
1214     /* construct extension - 0 length, no contents */
1215     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1216             || !WPACKET_start_sub_packet_u16(pkt)
1217             || !WPACKET_close(pkt)) {
1218         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1219                  SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH,
1220                  ERR_R_INTERNAL_ERROR);
1221         return EXT_RETURN_FAIL;
1222     }
1223 
1224     s->post_handshake_auth = SSL_PHA_EXT_SENT;
1225 
1226     return EXT_RETURN_SENT;
1227 #else
1228     return EXT_RETURN_NOT_SENT;
1229 #endif
1230 }
1231 
1232 
1233 /*
1234  * Parse the server's renegotiation binding and abort if it's not right
1235  */
1236 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
1237                                X509 *x, size_t chainidx)
1238 {
1239     size_t expected_len = s->s3->previous_client_finished_len
1240         + s->s3->previous_server_finished_len;
1241     size_t ilen;
1242     const unsigned char *data;
1243 
1244     /* Check for logic errors */
1245     if (!ossl_assert(expected_len == 0
1246                      || s->s3->previous_client_finished_len != 0)
1247         || !ossl_assert(expected_len == 0
1248                         || s->s3->previous_server_finished_len != 0)) {
1249         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1250                  ERR_R_INTERNAL_ERROR);
1251         return 0;
1252     }
1253 
1254     /* Parse the length byte */
1255     if (!PACKET_get_1_len(pkt, &ilen)) {
1256         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1257                  SSL_R_RENEGOTIATION_ENCODING_ERR);
1258         return 0;
1259     }
1260 
1261     /* Consistency check */
1262     if (PACKET_remaining(pkt) != ilen) {
1263         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1264                  SSL_R_RENEGOTIATION_ENCODING_ERR);
1265         return 0;
1266     }
1267 
1268     /* Check that the extension matches */
1269     if (ilen != expected_len) {
1270         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1271                  SSL_R_RENEGOTIATION_MISMATCH);
1272         return 0;
1273     }
1274 
1275     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
1276         || memcmp(data, s->s3->previous_client_finished,
1277                   s->s3->previous_client_finished_len) != 0) {
1278         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1279                  SSL_R_RENEGOTIATION_MISMATCH);
1280         return 0;
1281     }
1282 
1283     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
1284         || memcmp(data, s->s3->previous_server_finished,
1285                   s->s3->previous_server_finished_len) != 0) {
1286         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
1287                  SSL_R_RENEGOTIATION_MISMATCH);
1288         return 0;
1289     }
1290     s->s3->send_connection_binding = 1;
1291 
1292     return 1;
1293 }
1294 
1295 /* Parse the server's max fragment len extension packet */
1296 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
1297                                   X509 *x, size_t chainidx)
1298 {
1299     unsigned int value;
1300 
1301     if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
1302         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
1303                  SSL_R_BAD_EXTENSION);
1304         return 0;
1305     }
1306 
1307     /* |value| should contains a valid max-fragment-length code. */
1308     if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
1309         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1310                  SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
1311                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1312         return 0;
1313     }
1314 
1315     /* Must be the same value as client-configured one who was sent to server */
1316     /*-
1317      * RFC 6066: if a client receives a maximum fragment length negotiation
1318      * response that differs from the length it requested, ...
1319      * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1320      */
1321     if (value != s->ext.max_fragment_len_mode) {
1322         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1323                  SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
1324                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1325         return 0;
1326     }
1327 
1328     /*
1329      * Maximum Fragment Length Negotiation succeeded.
1330      * The negotiated Maximum Fragment Length is binding now.
1331      */
1332     s->session->ext.max_fragment_len_mode = value;
1333 
1334     return 1;
1335 }
1336 
1337 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
1338                                X509 *x, size_t chainidx)
1339 {
1340     if (s->ext.hostname == NULL) {
1341         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1342                  ERR_R_INTERNAL_ERROR);
1343         return 0;
1344     }
1345 
1346     if (PACKET_remaining(pkt) > 0) {
1347         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1348                  SSL_R_BAD_EXTENSION);
1349         return 0;
1350     }
1351 
1352     if (!s->hit) {
1353         if (s->session->ext.hostname != NULL) {
1354             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1355                      ERR_R_INTERNAL_ERROR);
1356             return 0;
1357         }
1358         s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1359         if (s->session->ext.hostname == NULL) {
1360             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
1361                      ERR_R_INTERNAL_ERROR);
1362             return 0;
1363         }
1364     }
1365 
1366     return 1;
1367 }
1368 
1369 #ifndef OPENSSL_NO_EC
1370 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
1371                                  X509 *x, size_t chainidx)
1372 {
1373     size_t ecpointformats_len;
1374     PACKET ecptformatlist;
1375 
1376     if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1377         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS,
1378                  SSL_R_BAD_EXTENSION);
1379         return 0;
1380     }
1381     if (!s->hit) {
1382         ecpointformats_len = PACKET_remaining(&ecptformatlist);
1383         if (ecpointformats_len == 0) {
1384             SSLfatal(s, SSL_AD_DECODE_ERROR,
1385                      SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH);
1386             return 0;
1387         }
1388 
1389         s->ext.peer_ecpointformats_len = 0;
1390         OPENSSL_free(s->ext.peer_ecpointformats);
1391         s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1392         if (s->ext.peer_ecpointformats == NULL) {
1393             s->ext.peer_ecpointformats_len = 0;
1394             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1395                      SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1396             return 0;
1397         }
1398 
1399         s->ext.peer_ecpointformats_len = ecpointformats_len;
1400 
1401         if (!PACKET_copy_bytes(&ecptformatlist,
1402                                s->ext.peer_ecpointformats,
1403                                ecpointformats_len)) {
1404             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1405                      SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1406             return 0;
1407         }
1408     }
1409 
1410     return 1;
1411 }
1412 #endif
1413 
1414 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
1415                                   X509 *x, size_t chainidx)
1416 {
1417     if (s->ext.session_ticket_cb != NULL &&
1418         !s->ext.session_ticket_cb(s, PACKET_data(pkt),
1419                               PACKET_remaining(pkt),
1420                               s->ext.session_ticket_cb_arg)) {
1421         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1422                  SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
1423         return 0;
1424     }
1425 
1426     if (!tls_use_ticket(s)) {
1427         SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
1428                  SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
1429         return 0;
1430     }
1431     if (PACKET_remaining(pkt) > 0) {
1432         SSLfatal(s, SSL_AD_DECODE_ERROR,
1433                  SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
1434         return 0;
1435     }
1436 
1437     s->ext.ticket_expected = 1;
1438 
1439     return 1;
1440 }
1441 
1442 #ifndef OPENSSL_NO_OCSP
1443 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
1444                                   X509 *x, size_t chainidx)
1445 {
1446     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1447         /* We ignore this if the server sends a CertificateRequest */
1448         /* TODO(TLS1.3): Add support for this */
1449         return 1;
1450     }
1451 
1452     /*
1453      * MUST only be sent if we've requested a status
1454      * request message. In TLS <= 1.2 it must also be empty.
1455      */
1456     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1457         SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
1458                  SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1459         return 0;
1460     }
1461     if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1462         SSLfatal(s, SSL_AD_DECODE_ERROR,
1463                  SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1464         return 0;
1465     }
1466 
1467     if (SSL_IS_TLS13(s)) {
1468         /* We only know how to handle this if it's for the first Certificate in
1469          * the chain. We ignore any other responses.
1470          */
1471         if (chainidx != 0)
1472             return 1;
1473 
1474         /* SSLfatal() already called */
1475         return tls_process_cert_status_body(s, pkt);
1476     }
1477 
1478     /* Set flag to expect CertificateStatus message */
1479     s->ext.status_expected = 1;
1480 
1481     return 1;
1482 }
1483 #endif
1484 
1485 
1486 #ifndef OPENSSL_NO_CT
1487 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1488                        size_t chainidx)
1489 {
1490     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1491         /* We ignore this if the server sends it in a CertificateRequest */
1492         /* TODO(TLS1.3): Add support for this */
1493         return 1;
1494     }
1495 
1496     /*
1497      * Only take it if we asked for it - i.e if there is no CT validation
1498      * callback set, then a custom extension MAY be processing it, so we
1499      * need to let control continue to flow to that.
1500      */
1501     if (s->ct_validation_callback != NULL) {
1502         size_t size = PACKET_remaining(pkt);
1503 
1504         /* Simply copy it off for later processing */
1505         OPENSSL_free(s->ext.scts);
1506         s->ext.scts = NULL;
1507 
1508         s->ext.scts_len = (uint16_t)size;
1509         if (size > 0) {
1510             s->ext.scts = OPENSSL_malloc(size);
1511             if (s->ext.scts == NULL) {
1512                 s->ext.scts_len = 0;
1513                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
1514                          ERR_R_MALLOC_FAILURE);
1515                 return 0;
1516             }
1517             if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1518                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
1519                          ERR_R_INTERNAL_ERROR);
1520                 return 0;
1521             }
1522         }
1523     } else {
1524         ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1525                         ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1526 
1527         /*
1528          * If we didn't ask for it then there must be a custom extension,
1529          * otherwise this is unsolicited.
1530          */
1531         if (custom_ext_find(&s->cert->custext, role,
1532                             TLSEXT_TYPE_signed_certificate_timestamp,
1533                             NULL) == NULL) {
1534             SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
1535                      SSL_R_BAD_EXTENSION);
1536             return 0;
1537         }
1538 
1539         if (!custom_ext_parse(s, context,
1540                              TLSEXT_TYPE_signed_certificate_timestamp,
1541                              PACKET_data(pkt), PACKET_remaining(pkt),
1542                              x, chainidx)) {
1543             /* SSLfatal already called */
1544             return 0;
1545         }
1546     }
1547 
1548     return 1;
1549 }
1550 #endif
1551 
1552 
1553 #ifndef OPENSSL_NO_NEXTPROTONEG
1554 /*
1555  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1556  * elements of zero length are allowed and the set of elements must exactly
1557  * fill the length of the block. Returns 1 on success or 0 on failure.
1558  */
1559 static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
1560 {
1561     PACKET tmp_protocol;
1562 
1563     while (PACKET_remaining(pkt)) {
1564         if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1565             || PACKET_remaining(&tmp_protocol) == 0) {
1566             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
1567                      SSL_R_BAD_EXTENSION);
1568             return 0;
1569         }
1570     }
1571 
1572     return 1;
1573 }
1574 
1575 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1576                        size_t chainidx)
1577 {
1578     unsigned char *selected;
1579     unsigned char selected_len;
1580     PACKET tmppkt;
1581 
1582     /* Check if we are in a renegotiation. If so ignore this extension */
1583     if (!SSL_IS_FIRST_HANDSHAKE(s))
1584         return 1;
1585 
1586     /* We must have requested it. */
1587     if (s->ctx->ext.npn_select_cb == NULL) {
1588         SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
1589                  SSL_R_BAD_EXTENSION);
1590         return 0;
1591     }
1592 
1593     /* The data must be valid */
1594     tmppkt = *pkt;
1595     if (!ssl_next_proto_validate(s, &tmppkt)) {
1596         /* SSLfatal() already called */
1597         return 0;
1598     }
1599     if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1600                                   PACKET_data(pkt),
1601                                   PACKET_remaining(pkt),
1602                                   s->ctx->ext.npn_select_cb_arg) !=
1603              SSL_TLSEXT_ERR_OK) {
1604         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
1605                  SSL_R_BAD_EXTENSION);
1606         return 0;
1607     }
1608 
1609     /*
1610      * Could be non-NULL if server has sent multiple NPN extensions in
1611      * a single Serverhello
1612      */
1613     OPENSSL_free(s->ext.npn);
1614     s->ext.npn = OPENSSL_malloc(selected_len);
1615     if (s->ext.npn == NULL) {
1616         s->ext.npn_len = 0;
1617         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
1618                  ERR_R_INTERNAL_ERROR);
1619         return 0;
1620     }
1621 
1622     memcpy(s->ext.npn, selected, selected_len);
1623     s->ext.npn_len = selected_len;
1624     s->s3->npn_seen = 1;
1625 
1626     return 1;
1627 }
1628 #endif
1629 
1630 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1631                         size_t chainidx)
1632 {
1633     size_t len;
1634 
1635     /* We must have requested it. */
1636     if (!s->s3->alpn_sent) {
1637         SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
1638                  SSL_R_BAD_EXTENSION);
1639         return 0;
1640     }
1641     /*-
1642      * The extension data consists of:
1643      *   uint16 list_length
1644      *   uint8 proto_length;
1645      *   uint8 proto[proto_length];
1646      */
1647     if (!PACKET_get_net_2_len(pkt, &len)
1648         || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1649         || PACKET_remaining(pkt) != len) {
1650         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1651                  SSL_R_BAD_EXTENSION);
1652         return 0;
1653     }
1654     OPENSSL_free(s->s3->alpn_selected);
1655     s->s3->alpn_selected = OPENSSL_malloc(len);
1656     if (s->s3->alpn_selected == NULL) {
1657         s->s3->alpn_selected_len = 0;
1658         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1659                  ERR_R_INTERNAL_ERROR);
1660         return 0;
1661     }
1662     if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
1663         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1664                  SSL_R_BAD_EXTENSION);
1665         return 0;
1666     }
1667     s->s3->alpn_selected_len = len;
1668 
1669     if (s->session->ext.alpn_selected == NULL
1670             || s->session->ext.alpn_selected_len != len
1671             || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len)
1672                != 0) {
1673         /* ALPN not consistent with the old session so cannot use early_data */
1674         s->ext.early_data_ok = 0;
1675     }
1676     if (!s->hit) {
1677         /*
1678          * This is a new session and so alpn_selected should have been
1679          * initialised to NULL. We should update it with the selected ALPN.
1680          */
1681         if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1682             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1683                      ERR_R_INTERNAL_ERROR);
1684             return 0;
1685         }
1686         s->session->ext.alpn_selected =
1687             OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
1688         if (s->session->ext.alpn_selected == NULL) {
1689             s->session->ext.alpn_selected_len = 0;
1690             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
1691                      ERR_R_INTERNAL_ERROR);
1692             return 0;
1693         }
1694         s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
1695     }
1696 
1697     return 1;
1698 }
1699 
1700 #ifndef OPENSSL_NO_SRTP
1701 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1702                             size_t chainidx)
1703 {
1704     unsigned int id, ct, mki;
1705     int i;
1706     STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1707     SRTP_PROTECTION_PROFILE *prof;
1708 
1709     if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1710             || !PACKET_get_net_2(pkt, &id)
1711             || !PACKET_get_1(pkt, &mki)
1712             || PACKET_remaining(pkt) != 0) {
1713         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1714                  SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1715         return 0;
1716     }
1717 
1718     if (mki != 0) {
1719         /* Must be no MKI, since we never offer one */
1720         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1721                  SSL_R_BAD_SRTP_MKI_VALUE);
1722         return 0;
1723     }
1724 
1725     /* Throw an error if the server gave us an unsolicited extension */
1726     clnt = SSL_get_srtp_profiles(s);
1727     if (clnt == NULL) {
1728         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1729                  SSL_R_NO_SRTP_PROFILES);
1730         return 0;
1731     }
1732 
1733     /*
1734      * Check to see if the server gave us something we support (and
1735      * presumably offered)
1736      */
1737     for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1738         prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1739 
1740         if (prof->id == id) {
1741             s->srtp_profile = prof;
1742             return 1;
1743         }
1744     }
1745 
1746     SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
1747              SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1748     return 0;
1749 }
1750 #endif
1751 
1752 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1753                        size_t chainidx)
1754 {
1755     /* Ignore if inappropriate ciphersuite */
1756     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1757             && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
1758             && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
1759             && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1760             && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12)
1761         s->ext.use_etm = 1;
1762 
1763     return 1;
1764 }
1765 
1766 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1767                        size_t chainidx)
1768 {
1769     s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1770     if (!s->hit)
1771         s->session->flags |= SSL_SESS_FLAG_EXTMS;
1772 
1773     return 1;
1774 }
1775 
1776 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1777                                       X509 *x, size_t chainidx)
1778 {
1779     unsigned int version;
1780 
1781     if (!PACKET_get_net_2(pkt, &version)
1782             || PACKET_remaining(pkt) != 0) {
1783         SSLfatal(s, SSL_AD_DECODE_ERROR,
1784                  SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
1785                  SSL_R_LENGTH_MISMATCH);
1786         return 0;
1787     }
1788 
1789     /*
1790      * The only protocol version we support which is valid in this extension in
1791      * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1792      */
1793     if (version != TLS1_3_VERSION) {
1794         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1795                  SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
1796                  SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1797         return 0;
1798     }
1799 
1800     /* We ignore this extension for HRRs except to sanity check it */
1801     if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
1802         return 1;
1803 
1804     /* We just set it here. We validate it in ssl_choose_client_version */
1805     s->version = version;
1806 
1807     return 1;
1808 }
1809 
1810 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1811                              size_t chainidx)
1812 {
1813 #ifndef OPENSSL_NO_TLS1_3
1814     unsigned int group_id;
1815     PACKET encoded_pt;
1816     EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
1817 
1818     /* Sanity check */
1819     if (ckey == NULL || s->s3->peer_tmp != NULL) {
1820         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1821                  ERR_R_INTERNAL_ERROR);
1822         return 0;
1823     }
1824 
1825     if (!PACKET_get_net_2(pkt, &group_id)) {
1826         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1827                  SSL_R_LENGTH_MISMATCH);
1828         return 0;
1829     }
1830 
1831     if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1832         const uint16_t *pgroups = NULL;
1833         size_t i, num_groups;
1834 
1835         if (PACKET_remaining(pkt) != 0) {
1836             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1837                      SSL_R_LENGTH_MISMATCH);
1838             return 0;
1839         }
1840 
1841         /*
1842          * It is an error if the HelloRetryRequest wants a key_share that we
1843          * already sent in the first ClientHello
1844          */
1845         if (group_id == s->s3->group_id) {
1846             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1847                      SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1848             return 0;
1849         }
1850 
1851         /* Validate the selected group is one we support */
1852         tls1_get_supported_groups(s, &pgroups, &num_groups);
1853         for (i = 0; i < num_groups; i++) {
1854             if (group_id == pgroups[i])
1855                 break;
1856         }
1857         if (i >= num_groups
1858                 || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
1859             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1860                      SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1861             return 0;
1862         }
1863 
1864         s->s3->group_id = group_id;
1865         EVP_PKEY_free(s->s3->tmp.pkey);
1866         s->s3->tmp.pkey = NULL;
1867         return 1;
1868     }
1869 
1870     if (group_id != s->s3->group_id) {
1871         /*
1872          * This isn't for the group that we sent in the original
1873          * key_share!
1874          */
1875         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1876                  SSL_R_BAD_KEY_SHARE);
1877         return 0;
1878     }
1879 
1880     if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1881             || PACKET_remaining(&encoded_pt) == 0) {
1882         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1883                  SSL_R_LENGTH_MISMATCH);
1884         return 0;
1885     }
1886 
1887     skey = EVP_PKEY_new();
1888     if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
1889         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1890                  ERR_R_MALLOC_FAILURE);
1891         EVP_PKEY_free(skey);
1892         return 0;
1893     }
1894     if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
1895                                         PACKET_remaining(&encoded_pt))) {
1896         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
1897                  SSL_R_BAD_ECPOINT);
1898         EVP_PKEY_free(skey);
1899         return 0;
1900     }
1901 
1902     if (ssl_derive(s, ckey, skey, 1) == 0) {
1903         /* SSLfatal() already called */
1904         EVP_PKEY_free(skey);
1905         return 0;
1906     }
1907     s->s3->peer_tmp = skey;
1908 #endif
1909 
1910     return 1;
1911 }
1912 
1913 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1914                        size_t chainidx)
1915 {
1916     PACKET cookie;
1917 
1918     if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1919             || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1920                               &s->ext.tls13_cookie_len)) {
1921         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
1922                  SSL_R_LENGTH_MISMATCH);
1923         return 0;
1924     }
1925 
1926     return 1;
1927 }
1928 
1929 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
1930                               X509 *x, size_t chainidx)
1931 {
1932     if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1933         unsigned long max_early_data;
1934 
1935         if (!PACKET_get_net_4(pkt, &max_early_data)
1936                 || PACKET_remaining(pkt) != 0) {
1937             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1938                      SSL_R_INVALID_MAX_EARLY_DATA);
1939             return 0;
1940         }
1941 
1942         s->session->ext.max_early_data = max_early_data;
1943 
1944         return 1;
1945     }
1946 
1947     if (PACKET_remaining(pkt) != 0) {
1948         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1949                  SSL_R_BAD_EXTENSION);
1950         return 0;
1951     }
1952 
1953     if (!s->ext.early_data_ok
1954             || !s->hit) {
1955         /*
1956          * If we get here then we didn't send early data, or we didn't resume
1957          * using the first identity, or the SNI/ALPN is not consistent so the
1958          * server should not be accepting it.
1959          */
1960         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1961                  SSL_R_BAD_EXTENSION);
1962         return 0;
1963     }
1964 
1965     s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1966 
1967     return 1;
1968 }
1969 
1970 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1971                        size_t chainidx)
1972 {
1973 #ifndef OPENSSL_NO_TLS1_3
1974     unsigned int identity;
1975 
1976     if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
1977         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
1978                  SSL_R_LENGTH_MISMATCH);
1979         return 0;
1980     }
1981 
1982     if (identity >= (unsigned int)s->ext.tick_identity) {
1983         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
1984                  SSL_R_BAD_PSK_IDENTITY);
1985         return 0;
1986     }
1987 
1988     /*
1989      * Session resumption tickets are always sent before PSK tickets. If the
1990      * ticket index is 0 then it must be for a session resumption ticket if we
1991      * sent two tickets, or if we didn't send a PSK ticket.
1992      */
1993     if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
1994         s->hit = 1;
1995         SSL_SESSION_free(s->psksession);
1996         s->psksession = NULL;
1997         return 1;
1998     }
1999 
2000     if (s->psksession == NULL) {
2001         /* Should never happen */
2002         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
2003                  ERR_R_INTERNAL_ERROR);
2004         return 0;
2005     }
2006 
2007     /*
2008      * If we used the external PSK for sending early_data then s->early_secret
2009      * is already set up, so don't overwrite it. Otherwise we copy the
2010      * early_secret across that we generated earlier.
2011      */
2012     if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2013                 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2014             || s->session->ext.max_early_data > 0
2015             || s->psksession->ext.max_early_data == 0)
2016         memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2017 
2018     SSL_SESSION_free(s->session);
2019     s->session = s->psksession;
2020     s->psksession = NULL;
2021     s->hit = 1;
2022     /* Early data is only allowed if we used the first ticket */
2023     if (identity != 0)
2024         s->ext.early_data_ok = 0;
2025 #endif
2026 
2027     return 1;
2028 }
2029