xref: /freebsd/crypto/openssl/ssl/statem/extensions_srvr.c (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1 /*
2  * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14 
15 #define COOKIE_STATE_FORMAT_VERSION     1
16 
17 /*
18  * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19  * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20  * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21  * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22  * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23  */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25                          + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26 
27 /*
28  * Message header + 2 bytes for protocol version + number of random bytes +
29  * + 1 byte for legacy session id length + number of bytes in legacy session id
30  * + 2 bytes for ciphersuite + 1 byte for legacy compression
31  * + 2 bytes for extension block length + 6 bytes for key_share extension
32  * + 4 bytes for cookie extension header + the number of bytes in the cookie
33  */
34 #define MAX_HRR_SIZE    (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35                          + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36                          + MAX_COOKIE_SIZE)
37 
38 /*
39  * Parse the client's renegotiation binding and abort if it's not right
40  */
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42                                X509 *x, size_t chainidx)
43 {
44     unsigned int ilen;
45     const unsigned char *data;
46 
47     /* Parse the length byte */
48     if (!PACKET_get_1(pkt, &ilen)
49         || !PACKET_get_bytes(pkt, &data, ilen)) {
50         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
51         return 0;
52     }
53 
54     /* Check that the extension matches */
55     if (ilen != s->s3.previous_client_finished_len) {
56         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
57         return 0;
58     }
59 
60     if (memcmp(data, s->s3.previous_client_finished,
61                s->s3.previous_client_finished_len)) {
62         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
63         return 0;
64     }
65 
66     s->s3.send_connection_binding = 1;
67 
68     return 1;
69 }
70 
71 /*-
72  * The servername extension is treated as follows:
73  *
74  * - Only the hostname type is supported with a maximum length of 255.
75  * - The servername is rejected if too long or if it contains zeros,
76  *   in which case an fatal alert is generated.
77  * - The servername field is maintained together with the session cache.
78  * - When a session is resumed, the servername call back invoked in order
79  *   to allow the application to position itself to the right context.
80  * - The servername is acknowledged if it is new for a session or when
81  *   it is identical to a previously used for the same session.
82  *   Applications can control the behaviour.  They can at any time
83  *   set a 'desirable' servername for a new SSL object. This can be the
84  *   case for example with HTTPS when a Host: header field is received and
85  *   a renegotiation is requested. In this case, a possible servername
86  *   presented in the new client hello is only acknowledged if it matches
87  *   the value of the Host: field.
88  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89  *   if they provide for changing an explicit servername context for the
90  *   session, i.e. when the session has been established with a servername
91  *   extension.
92  * - On session reconnect, the servername extension may be absent.
93  */
94 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
95                                X509 *x, size_t chainidx)
96 {
97     unsigned int servname_type;
98     PACKET sni, hostname;
99 
100     if (!PACKET_as_length_prefixed_2(pkt, &sni)
101         /* ServerNameList must be at least 1 byte long. */
102         || PACKET_remaining(&sni) == 0) {
103         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
104         return 0;
105     }
106 
107     /*
108      * Although the intent was for server_name to be extensible, RFC 4366
109      * was not clear about it; and so OpenSSL among other implementations,
110      * always and only allows a 'host_name' name types.
111      * RFC 6066 corrected the mistake but adding new name types
112      * is nevertheless no longer feasible, so act as if no other
113      * SNI types can exist, to simplify parsing.
114      *
115      * Also note that the RFC permits only one SNI value per type,
116      * i.e., we can only have a single hostname.
117      */
118     if (!PACKET_get_1(&sni, &servname_type)
119         || servname_type != TLSEXT_NAMETYPE_host_name
120         || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
121         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
122         return 0;
123     }
124 
125     /*
126      * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127      * we always use the SNI value from the handshake.
128      */
129     if (!s->hit || SSL_IS_TLS13(s)) {
130         if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
131             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
132             return 0;
133         }
134 
135         if (PACKET_contains_zero_byte(&hostname)) {
136             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
137             return 0;
138         }
139 
140         /*
141          * Store the requested SNI in the SSL as temporary storage.
142          * If we accept it, it will get stored in the SSL_SESSION as well.
143          */
144         OPENSSL_free(s->ext.hostname);
145         s->ext.hostname = NULL;
146         if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
147             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
148             return 0;
149         }
150 
151         s->servername_done = 1;
152     } else {
153         /*
154          * In TLSv1.2 and below we should check if the SNI is consistent between
155          * the initial handshake and the resumption. In TLSv1.3 SNI is not
156          * associated with the session.
157          */
158         s->servername_done = (s->session->ext.hostname != NULL)
159             && PACKET_equal(&hostname, s->session->ext.hostname,
160                             strlen(s->session->ext.hostname));
161     }
162 
163     return 1;
164 }
165 
166 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
167                                   X509 *x, size_t chainidx)
168 {
169     unsigned int value;
170 
171     if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
172         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
173         return 0;
174     }
175 
176     /* Received |value| should be a valid max-fragment-length code. */
177     if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
178         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
179                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
180         return 0;
181     }
182 
183     /*
184      * RFC 6066:  The negotiated length applies for the duration of the session
185      * including session resumptions.
186      * We should receive the same code as in resumed session !
187      */
188     if (s->hit && s->session->ext.max_fragment_len_mode != value) {
189         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191         return 0;
192     }
193 
194     /*
195      * Store it in session, so it'll become binding for us
196      * and we'll include it in a next Server Hello.
197      */
198     s->session->ext.max_fragment_len_mode = value;
199     return 1;
200 }
201 
202 #ifndef OPENSSL_NO_SRP
203 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
204                        size_t chainidx)
205 {
206     PACKET srp_I;
207 
208     if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
209             || PACKET_contains_zero_byte(&srp_I)) {
210         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
211         return 0;
212     }
213 
214     if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
215         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
216         return 0;
217     }
218 
219     return 1;
220 }
221 #endif
222 
223 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
224                                  X509 *x, size_t chainidx)
225 {
226     PACKET ec_point_format_list;
227 
228     if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
229         || PACKET_remaining(&ec_point_format_list) == 0) {
230         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
231         return 0;
232     }
233 
234     if (!s->hit) {
235         if (!PACKET_memdup(&ec_point_format_list,
236                            &s->ext.peer_ecpointformats,
237                            &s->ext.peer_ecpointformats_len)) {
238             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
239             return 0;
240         }
241     }
242 
243     return 1;
244 }
245 
246 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
247                                   X509 *x, size_t chainidx)
248 {
249     if (s->ext.session_ticket_cb &&
250             !s->ext.session_ticket_cb(s, PACKET_data(pkt),
251                                   PACKET_remaining(pkt),
252                                   s->ext.session_ticket_cb_arg)) {
253         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
254         return 0;
255     }
256 
257     return 1;
258 }
259 
260 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
261                                  ossl_unused unsigned int context,
262                                  ossl_unused X509 *x,
263                                  ossl_unused size_t chainidx)
264 {
265     PACKET supported_sig_algs;
266 
267     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
268             || PACKET_remaining(&supported_sig_algs) == 0) {
269         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
270         return 0;
271     }
272 
273     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
274         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
275         return 0;
276     }
277 
278     return 1;
279 }
280 
281 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282                             size_t chainidx)
283 {
284     PACKET supported_sig_algs;
285 
286     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
287             || PACKET_remaining(&supported_sig_algs) == 0) {
288         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
289         return 0;
290     }
291 
292     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
293         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
294         return 0;
295     }
296 
297     return 1;
298 }
299 
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302                                   X509 *x, size_t chainidx)
303 {
304     PACKET responder_id_list, exts;
305 
306     /* We ignore this in a resumption handshake */
307     if (s->hit)
308         return 1;
309 
310     /* Not defined if we get one of these in a client Certificate */
311     if (x != NULL)
312         return 1;
313 
314     if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
315         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
316         return 0;
317     }
318 
319     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
320         /*
321          * We don't know what to do with any other type so ignore it.
322          */
323         s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324         return 1;
325     }
326 
327     if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
328         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
329         return 0;
330     }
331 
332     /*
333      * We remove any OCSP_RESPIDs from a previous handshake
334      * to prevent unbounded memory growth - CVE-2016-6304
335      */
336     sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
337     if (PACKET_remaining(&responder_id_list) > 0) {
338         s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
339         if (s->ext.ocsp.ids == NULL) {
340             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
341             return 0;
342         }
343     } else {
344         s->ext.ocsp.ids = NULL;
345     }
346 
347     while (PACKET_remaining(&responder_id_list) > 0) {
348         OCSP_RESPID *id;
349         PACKET responder_id;
350         const unsigned char *id_data;
351 
352         if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
353                 || PACKET_remaining(&responder_id) == 0) {
354             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
355             return 0;
356         }
357 
358         id_data = PACKET_data(&responder_id);
359         id = d2i_OCSP_RESPID(NULL, &id_data,
360                              (int)PACKET_remaining(&responder_id));
361         if (id == NULL) {
362             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
363             return 0;
364         }
365 
366         if (id_data != PACKET_end(&responder_id)) {
367             OCSP_RESPID_free(id);
368             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
369 
370             return 0;
371         }
372 
373         if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
374             OCSP_RESPID_free(id);
375             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
376 
377             return 0;
378         }
379     }
380 
381     /* Read in request_extensions */
382     if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
383         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
384         return 0;
385     }
386 
387     if (PACKET_remaining(&exts) > 0) {
388         const unsigned char *ext_data = PACKET_data(&exts);
389 
390         sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
391                                    X509_EXTENSION_free);
392         s->ext.ocsp.exts =
393             d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
394         if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
395             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
396             return 0;
397         }
398     }
399 
400     return 1;
401 }
402 #endif
403 
404 #ifndef OPENSSL_NO_NEXTPROTONEG
405 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
406                        size_t chainidx)
407 {
408     /*
409      * We shouldn't accept this extension on a
410      * renegotiation.
411      */
412     if (SSL_IS_FIRST_HANDSHAKE(s))
413         s->s3.npn_seen = 1;
414 
415     return 1;
416 }
417 #endif
418 
419 /*
420  * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
421  * extension, not including type and length. Returns: 1 on success, 0 on error.
422  */
423 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
424                         size_t chainidx)
425 {
426     PACKET protocol_list, save_protocol_list, protocol;
427 
428     if (!SSL_IS_FIRST_HANDSHAKE(s))
429         return 1;
430 
431     if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
432         || PACKET_remaining(&protocol_list) < 2) {
433         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
434         return 0;
435     }
436 
437     save_protocol_list = protocol_list;
438     do {
439         /* Protocol names can't be empty. */
440         if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
441                 || PACKET_remaining(&protocol) == 0) {
442             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
443             return 0;
444         }
445     } while (PACKET_remaining(&protocol_list) != 0);
446 
447     OPENSSL_free(s->s3.alpn_proposed);
448     s->s3.alpn_proposed = NULL;
449     s->s3.alpn_proposed_len = 0;
450     if (!PACKET_memdup(&save_protocol_list,
451                        &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
452         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
453         return 0;
454     }
455 
456     return 1;
457 }
458 
459 #ifndef OPENSSL_NO_SRTP
460 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
461                             size_t chainidx)
462 {
463     STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
464     unsigned int ct, mki_len, id;
465     int i, srtp_pref;
466     PACKET subpkt;
467 
468     /* Ignore this if we have no SRTP profiles */
469     if (SSL_get_srtp_profiles(s) == NULL)
470         return 1;
471 
472     /* Pull off the length of the cipher suite list  and check it is even */
473     if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
474             || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
475         SSLfatal(s, SSL_AD_DECODE_ERROR,
476                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
477         return 0;
478     }
479 
480     srvr = SSL_get_srtp_profiles(s);
481     s->srtp_profile = NULL;
482     /* Search all profiles for a match initially */
483     srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
484 
485     while (PACKET_remaining(&subpkt)) {
486         if (!PACKET_get_net_2(&subpkt, &id)) {
487             SSLfatal(s, SSL_AD_DECODE_ERROR,
488                      SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489             return 0;
490         }
491 
492         /*
493          * Only look for match in profiles of higher preference than
494          * current match.
495          * If no profiles have been have been configured then this
496          * does nothing.
497          */
498         for (i = 0; i < srtp_pref; i++) {
499             SRTP_PROTECTION_PROFILE *sprof =
500                 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
501 
502             if (sprof->id == id) {
503                 s->srtp_profile = sprof;
504                 srtp_pref = i;
505                 break;
506             }
507         }
508     }
509 
510     /* Now extract the MKI value as a sanity check, but discard it for now */
511     if (!PACKET_get_1(pkt, &mki_len)) {
512         SSLfatal(s, SSL_AD_DECODE_ERROR,
513                  SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
514         return 0;
515     }
516 
517     if (!PACKET_forward(pkt, mki_len)
518         || PACKET_remaining(pkt)) {
519         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
520         return 0;
521     }
522 
523     return 1;
524 }
525 #endif
526 
527 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
528                        size_t chainidx)
529 {
530     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
531         s->ext.use_etm = 1;
532 
533     return 1;
534 }
535 
536 /*
537  * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
538  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
539  */
540 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
541                                  X509 *x, size_t chainidx)
542 {
543 #ifndef OPENSSL_NO_TLS1_3
544     PACKET psk_kex_modes;
545     unsigned int mode;
546 
547     if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
548             || PACKET_remaining(&psk_kex_modes) == 0) {
549         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
550         return 0;
551     }
552 
553     while (PACKET_get_1(&psk_kex_modes, &mode)) {
554         if (mode == TLSEXT_KEX_MODE_KE_DHE)
555             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
556         else if (mode == TLSEXT_KEX_MODE_KE
557                 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
558             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
559     }
560 #endif
561 
562     return 1;
563 }
564 
565 /*
566  * Process a key_share extension received in the ClientHello. |pkt| contains
567  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
568  */
569 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
570                              size_t chainidx)
571 {
572 #ifndef OPENSSL_NO_TLS1_3
573     unsigned int group_id;
574     PACKET key_share_list, encoded_pt;
575     const uint16_t *clntgroups, *srvrgroups;
576     size_t clnt_num_groups, srvr_num_groups;
577     int found = 0;
578 
579     if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
580         return 1;
581 
582     /* Sanity check */
583     if (s->s3.peer_tmp != NULL) {
584         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
585         return 0;
586     }
587 
588     if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
589         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
590         return 0;
591     }
592 
593     /* Get our list of supported groups */
594     tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
595     /* Get the clients list of supported groups. */
596     tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
597     if (clnt_num_groups == 0) {
598         /*
599          * This can only happen if the supported_groups extension was not sent,
600          * because we verify that the length is non-zero when we process that
601          * extension.
602          */
603         SSLfatal(s, SSL_AD_MISSING_EXTENSION,
604                  SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
605         return 0;
606     }
607 
608     if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
609         /*
610          * If we set a group_id already, then we must have sent an HRR
611          * requesting a new key_share. If we haven't got one then that is an
612          * error
613          */
614         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
615         return 0;
616     }
617 
618     while (PACKET_remaining(&key_share_list) > 0) {
619         if (!PACKET_get_net_2(&key_share_list, &group_id)
620                 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
621                 || PACKET_remaining(&encoded_pt) == 0) {
622             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
623             return 0;
624         }
625 
626         /*
627          * If we already found a suitable key_share we loop through the
628          * rest to verify the structure, but don't process them.
629          */
630         if (found)
631             continue;
632 
633         /*
634          * If we sent an HRR then the key_share sent back MUST be for the group
635          * we requested, and must be the only key_share sent.
636          */
637         if (s->s3.group_id != 0
638                 && (group_id != s->s3.group_id
639                     || PACKET_remaining(&key_share_list) != 0)) {
640             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
641             return 0;
642         }
643 
644         /* Check if this share is in supported_groups sent from client */
645         if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
646             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
647             return 0;
648         }
649 
650         /* Check if this share is for a group we can use */
651         if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
652                 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
653                    /*
654                     * We tolerate but ignore a group id that we don't think is
655                     * suitable for TLSv1.3
656                     */
657                 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
658                                     0, NULL)) {
659             /* Share not suitable */
660             continue;
661         }
662 
663         if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
664             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
665                    SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
666             return 0;
667         }
668 
669         s->s3.group_id = group_id;
670         /* Cache the selected group ID in the SSL_SESSION */
671         s->session->kex_group = group_id;
672 
673         if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
674                                       PACKET_data(&encoded_pt),
675                                       PACKET_remaining(&encoded_pt)) <= 0) {
676             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
677             return 0;
678         }
679 
680         found = 1;
681     }
682 #endif
683 
684     return 1;
685 }
686 
687 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
688                           size_t chainidx)
689 {
690 #ifndef OPENSSL_NO_TLS1_3
691     unsigned int format, version, key_share, group_id;
692     EVP_MD_CTX *hctx;
693     EVP_PKEY *pkey;
694     PACKET cookie, raw, chhash, appcookie;
695     WPACKET hrrpkt;
696     const unsigned char *data, *mdin, *ciphdata;
697     unsigned char hmac[SHA256_DIGEST_LENGTH];
698     unsigned char hrr[MAX_HRR_SIZE];
699     size_t rawlen, hmaclen, hrrlen, ciphlen;
700     uint64_t tm, now;
701 
702     /* Ignore any cookie if we're not set up to verify it */
703     if (s->ctx->verify_stateless_cookie_cb == NULL
704             || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
705         return 1;
706 
707     if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
708         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
709         return 0;
710     }
711 
712     raw = cookie;
713     data = PACKET_data(&raw);
714     rawlen = PACKET_remaining(&raw);
715     if (rawlen < SHA256_DIGEST_LENGTH
716             || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
717         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
718         return 0;
719     }
720     mdin = PACKET_data(&raw);
721 
722     /* Verify the HMAC of the cookie */
723     hctx = EVP_MD_CTX_create();
724     pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
725                                            s->ctx->propq,
726                                            s->session_ctx->ext.cookie_hmac_key,
727                                            sizeof(s->session_ctx->ext.cookie_hmac_key));
728     if (hctx == NULL || pkey == NULL) {
729         EVP_MD_CTX_free(hctx);
730         EVP_PKEY_free(pkey);
731         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
732         return 0;
733     }
734 
735     hmaclen = SHA256_DIGEST_LENGTH;
736     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
737                               s->ctx->propq, pkey, NULL) <= 0
738             || EVP_DigestSign(hctx, hmac, &hmaclen, data,
739                               rawlen - SHA256_DIGEST_LENGTH) <= 0
740             || hmaclen != SHA256_DIGEST_LENGTH) {
741         EVP_MD_CTX_free(hctx);
742         EVP_PKEY_free(pkey);
743         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
744         return 0;
745     }
746 
747     EVP_MD_CTX_free(hctx);
748     EVP_PKEY_free(pkey);
749 
750     if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
751         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
752         return 0;
753     }
754 
755     if (!PACKET_get_net_2(&cookie, &format)) {
756         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
757         return 0;
758     }
759     /* Check the cookie format is something we recognise. Ignore it if not */
760     if (format != COOKIE_STATE_FORMAT_VERSION)
761         return 1;
762 
763     /*
764      * The rest of these checks really shouldn't fail since we have verified the
765      * HMAC above.
766      */
767 
768     /* Check the version number is sane */
769     if (!PACKET_get_net_2(&cookie, &version)) {
770         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
771         return 0;
772     }
773     if (version != TLS1_3_VERSION) {
774         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
775                  SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
776         return 0;
777     }
778 
779     if (!PACKET_get_net_2(&cookie, &group_id)) {
780         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
781         return 0;
782     }
783 
784     ciphdata = PACKET_data(&cookie);
785     if (!PACKET_forward(&cookie, 2)) {
786         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
787         return 0;
788     }
789     if (group_id != s->s3.group_id
790             || s->s3.tmp.new_cipher
791                != ssl_get_cipher_by_char(s, ciphdata, 0)) {
792         /*
793          * We chose a different cipher or group id this time around to what is
794          * in the cookie. Something must have changed.
795          */
796         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
797         return 0;
798     }
799 
800     if (!PACKET_get_1(&cookie, &key_share)
801             || !PACKET_get_net_8(&cookie, &tm)
802             || !PACKET_get_length_prefixed_2(&cookie, &chhash)
803             || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
804             || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
805         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
806         return 0;
807     }
808 
809     /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
810     now = time(NULL);
811     if (tm > now || (now - tm) > 600) {
812         /* Cookie is stale. Ignore it */
813         return 1;
814     }
815 
816     /* Verify the app cookie */
817     if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
818                                      PACKET_remaining(&appcookie)) == 0) {
819         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
820         return 0;
821     }
822 
823     /*
824      * Reconstruct the HRR that we would have sent in response to the original
825      * ClientHello so we can add it to the transcript hash.
826      * Note: This won't work with custom HRR extensions
827      */
828     if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
829         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
830         return 0;
831     }
832     if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
833             || !WPACKET_start_sub_packet_u24(&hrrpkt)
834             || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
835             || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
836             || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
837                                       s->tmp_session_id_len)
838             || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
839                                               &ciphlen)
840             || !WPACKET_put_bytes_u8(&hrrpkt, 0)
841             || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
842         WPACKET_cleanup(&hrrpkt);
843         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
844         return 0;
845     }
846     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
847             || !WPACKET_start_sub_packet_u16(&hrrpkt)
848             || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
849             || !WPACKET_close(&hrrpkt)) {
850         WPACKET_cleanup(&hrrpkt);
851         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
852         return 0;
853     }
854     if (key_share) {
855         if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
856                 || !WPACKET_start_sub_packet_u16(&hrrpkt)
857                 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
858                 || !WPACKET_close(&hrrpkt)) {
859             WPACKET_cleanup(&hrrpkt);
860             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
861             return 0;
862         }
863     }
864     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
865             || !WPACKET_start_sub_packet_u16(&hrrpkt)
866             || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
867             || !WPACKET_close(&hrrpkt) /* cookie extension */
868             || !WPACKET_close(&hrrpkt) /* extension block */
869             || !WPACKET_close(&hrrpkt) /* message */
870             || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
871             || !WPACKET_finish(&hrrpkt)) {
872         WPACKET_cleanup(&hrrpkt);
873         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
874         return 0;
875     }
876 
877     /* Reconstruct the transcript hash */
878     if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
879                                        PACKET_remaining(&chhash), hrr,
880                                        hrrlen)) {
881         /* SSLfatal() already called */
882         return 0;
883     }
884 
885     /* Act as if this ClientHello came after a HelloRetryRequest */
886     s->hello_retry_request = 1;
887 
888     s->ext.cookieok = 1;
889 #endif
890 
891     return 1;
892 }
893 
894 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
895                                     X509 *x, size_t chainidx)
896 {
897     PACKET supported_groups_list;
898 
899     /* Each group is 2 bytes and we must have at least 1. */
900     if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
901             || PACKET_remaining(&supported_groups_list) == 0
902             || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
903         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
904         return 0;
905     }
906 
907     if (!s->hit || SSL_IS_TLS13(s)) {
908         OPENSSL_free(s->ext.peer_supportedgroups);
909         s->ext.peer_supportedgroups = NULL;
910         s->ext.peer_supportedgroups_len = 0;
911         if (!tls1_save_u16(&supported_groups_list,
912                            &s->ext.peer_supportedgroups,
913                            &s->ext.peer_supportedgroups_len)) {
914             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
915             return 0;
916         }
917     }
918 
919     return 1;
920 }
921 
922 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
923                        size_t chainidx)
924 {
925     /* The extension must always be empty */
926     if (PACKET_remaining(pkt) != 0) {
927         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
928         return 0;
929     }
930 
931     if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
932         return 1;
933 
934     s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
935 
936     return 1;
937 }
938 
939 
940 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
941                               X509 *x, size_t chainidx)
942 {
943     if (PACKET_remaining(pkt) != 0) {
944         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
945         return 0;
946     }
947 
948     if (s->hello_retry_request != SSL_HRR_NONE) {
949         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
950         return 0;
951     }
952 
953     return 1;
954 }
955 
956 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
957                                                  SSL_SESSION **sess)
958 {
959     SSL_SESSION *tmpsess = NULL;
960 
961     s->ext.ticket_expected = 1;
962 
963     switch (PACKET_remaining(tick)) {
964         case 0:
965             return SSL_TICKET_EMPTY;
966 
967         case SSL_MAX_SSL_SESSION_ID_LENGTH:
968             break;
969 
970         default:
971             return SSL_TICKET_NO_DECRYPT;
972     }
973 
974     tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
975                                    SSL_MAX_SSL_SESSION_ID_LENGTH);
976 
977     if (tmpsess == NULL)
978         return SSL_TICKET_NO_DECRYPT;
979 
980     *sess = tmpsess;
981     return SSL_TICKET_SUCCESS;
982 }
983 
984 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
985                        size_t chainidx)
986 {
987     PACKET identities, binders, binder;
988     size_t binderoffset, hashsize;
989     SSL_SESSION *sess = NULL;
990     unsigned int id, i, ext = 0;
991     const EVP_MD *md = NULL;
992 
993     /*
994      * If we have no PSK kex mode that we recognise then we can't resume so
995      * ignore this extension
996      */
997     if ((s->ext.psk_kex_mode
998             & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
999         return 1;
1000 
1001     if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1002         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1003         return 0;
1004     }
1005 
1006     s->ext.ticket_expected = 0;
1007     for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1008         PACKET identity;
1009         unsigned long ticket_agel;
1010         size_t idlen;
1011 
1012         if (!PACKET_get_length_prefixed_2(&identities, &identity)
1013                 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1014             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1015             return 0;
1016         }
1017 
1018         idlen = PACKET_remaining(&identity);
1019         if (s->psk_find_session_cb != NULL
1020                 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1021                                            &sess)) {
1022             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1023             return 0;
1024         }
1025 
1026 #ifndef OPENSSL_NO_PSK
1027         if(sess == NULL
1028                 && s->psk_server_callback != NULL
1029                 && idlen <= PSK_MAX_IDENTITY_LEN) {
1030             char *pskid = NULL;
1031             unsigned char pskdata[PSK_MAX_PSK_LEN];
1032             unsigned int pskdatalen;
1033 
1034             if (!PACKET_strndup(&identity, &pskid)) {
1035                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1036                 return 0;
1037             }
1038             pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1039                                                 sizeof(pskdata));
1040             OPENSSL_free(pskid);
1041             if (pskdatalen > PSK_MAX_PSK_LEN) {
1042                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1043                 return 0;
1044             } else if (pskdatalen > 0) {
1045                 const SSL_CIPHER *cipher;
1046                 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1047 
1048                 /*
1049                  * We found a PSK using an old style callback. We don't know
1050                  * the digest so we default to SHA256 as per the TLSv1.3 spec
1051                  */
1052                 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1053                 if (cipher == NULL) {
1054                     OPENSSL_cleanse(pskdata, pskdatalen);
1055                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1056                     return 0;
1057                 }
1058 
1059                 sess = SSL_SESSION_new();
1060                 if (sess == NULL
1061                         || !SSL_SESSION_set1_master_key(sess, pskdata,
1062                                                         pskdatalen)
1063                         || !SSL_SESSION_set_cipher(sess, cipher)
1064                         || !SSL_SESSION_set_protocol_version(sess,
1065                                                              TLS1_3_VERSION)) {
1066                     OPENSSL_cleanse(pskdata, pskdatalen);
1067                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1068                     goto err;
1069                 }
1070                 OPENSSL_cleanse(pskdata, pskdatalen);
1071             }
1072         }
1073 #endif /* OPENSSL_NO_PSK */
1074 
1075         if (sess != NULL) {
1076             /* We found a PSK */
1077             SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1078 
1079             if (sesstmp == NULL) {
1080                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1081                 return 0;
1082             }
1083             SSL_SESSION_free(sess);
1084             sess = sesstmp;
1085 
1086             /*
1087              * We've just been told to use this session for this context so
1088              * make sure the sid_ctx matches up.
1089              */
1090             memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1091             sess->sid_ctx_length = s->sid_ctx_length;
1092             ext = 1;
1093             if (id == 0)
1094                 s->ext.early_data_ok = 1;
1095             s->ext.ticket_expected = 1;
1096         } else {
1097             uint32_t ticket_age = 0, agesec, agems;
1098             int ret;
1099 
1100             /*
1101              * If we are using anti-replay protection then we behave as if
1102              * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1103              * is no point in using full stateless tickets.
1104              */
1105             if ((s->options & SSL_OP_NO_TICKET) != 0
1106                     || (s->max_early_data > 0
1107                         && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1108                 ret = tls_get_stateful_ticket(s, &identity, &sess);
1109             else
1110                 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1111                                          PACKET_remaining(&identity), NULL, 0,
1112                                          &sess);
1113 
1114             if (ret == SSL_TICKET_EMPTY) {
1115                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1116                 return 0;
1117             }
1118 
1119             if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1120                     || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1121                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1122                 return 0;
1123             }
1124             if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1125                 continue;
1126 
1127             /* Check for replay */
1128             if (s->max_early_data > 0
1129                     && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1130                     && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1131                 SSL_SESSION_free(sess);
1132                 sess = NULL;
1133                 continue;
1134             }
1135 
1136             ticket_age = (uint32_t)ticket_agel;
1137             agesec = (uint32_t)(time(NULL) - sess->time);
1138             agems = agesec * (uint32_t)1000;
1139             ticket_age -= sess->ext.tick_age_add;
1140 
1141             /*
1142              * For simplicity we do our age calculations in seconds. If the
1143              * client does it in ms then it could appear that their ticket age
1144              * is longer than ours (our ticket age calculation should always be
1145              * slightly longer than the client's due to the network latency).
1146              * Therefore we add 1000ms to our age calculation to adjust for
1147              * rounding errors.
1148              */
1149             if (id == 0
1150                     && sess->timeout >= (long)agesec
1151                     && agems / (uint32_t)1000 == agesec
1152                     && ticket_age <= agems + 1000
1153                     && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1154                 /*
1155                  * Ticket age is within tolerance and not expired. We allow it
1156                  * for early data
1157                  */
1158                 s->ext.early_data_ok = 1;
1159             }
1160         }
1161 
1162         md = ssl_md(s->ctx, sess->cipher->algorithm2);
1163         if (md == NULL) {
1164             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1165             goto err;
1166         }
1167         if (!EVP_MD_is_a(md,
1168                 EVP_MD_get0_name(ssl_md(s->ctx,
1169                                         s->s3.tmp.new_cipher->algorithm2)))) {
1170             /* The ciphersuite is not compatible with this session. */
1171             SSL_SESSION_free(sess);
1172             sess = NULL;
1173             s->ext.early_data_ok = 0;
1174             s->ext.ticket_expected = 0;
1175             continue;
1176         }
1177         break;
1178     }
1179 
1180     if (sess == NULL)
1181         return 1;
1182 
1183     binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1184     hashsize = EVP_MD_get_size(md);
1185 
1186     if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1187         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1188         goto err;
1189     }
1190 
1191     for (i = 0; i <= id; i++) {
1192         if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1193             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1194             goto err;
1195         }
1196     }
1197 
1198     if (PACKET_remaining(&binder) != hashsize) {
1199         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1200         goto err;
1201     }
1202     if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1203                           binderoffset, PACKET_data(&binder), NULL, sess, 0,
1204                           ext) != 1) {
1205         /* SSLfatal() already called */
1206         goto err;
1207     }
1208 
1209     s->ext.tick_identity = id;
1210 
1211     SSL_SESSION_free(s->session);
1212     s->session = sess;
1213     return 1;
1214 err:
1215     SSL_SESSION_free(sess);
1216     return 0;
1217 }
1218 
1219 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1220                                        ossl_unused unsigned int context,
1221                                        ossl_unused X509 *x,
1222                                        ossl_unused size_t chainidx)
1223 {
1224     if (PACKET_remaining(pkt) != 0) {
1225         SSLfatal(s, SSL_AD_DECODE_ERROR,
1226                  SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1227         return 0;
1228     }
1229 
1230     s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1231 
1232     return 1;
1233 }
1234 
1235 /*
1236  * Add the server's renegotiation binding
1237  */
1238 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1239                                           unsigned int context, X509 *x,
1240                                           size_t chainidx)
1241 {
1242     if (!s->s3.send_connection_binding)
1243         return EXT_RETURN_NOT_SENT;
1244 
1245     /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1246     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1247             || !WPACKET_start_sub_packet_u16(pkt)
1248             || !WPACKET_start_sub_packet_u8(pkt)
1249             || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1250                                s->s3.previous_client_finished_len)
1251             || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1252                                s->s3.previous_server_finished_len)
1253             || !WPACKET_close(pkt)
1254             || !WPACKET_close(pkt)) {
1255         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1256         return EXT_RETURN_FAIL;
1257     }
1258 
1259     return EXT_RETURN_SENT;
1260 }
1261 
1262 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1263                                           unsigned int context, X509 *x,
1264                                           size_t chainidx)
1265 {
1266     if (s->servername_done != 1)
1267         return EXT_RETURN_NOT_SENT;
1268 
1269     /*
1270      * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1271      * We just use the servername from the initial handshake.
1272      */
1273     if (s->hit && !SSL_IS_TLS13(s))
1274         return EXT_RETURN_NOT_SENT;
1275 
1276     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1277             || !WPACKET_put_bytes_u16(pkt, 0)) {
1278         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1279         return EXT_RETURN_FAIL;
1280     }
1281 
1282     return EXT_RETURN_SENT;
1283 }
1284 
1285 /* Add/include the server's max fragment len extension into ServerHello */
1286 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1287                                              unsigned int context, X509 *x,
1288                                              size_t chainidx)
1289 {
1290     if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1291         return EXT_RETURN_NOT_SENT;
1292 
1293     /*-
1294      * 4 bytes for this extension type and extension length
1295      * 1 byte for the Max Fragment Length code value.
1296      */
1297     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1298         || !WPACKET_start_sub_packet_u16(pkt)
1299         || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1300         || !WPACKET_close(pkt)) {
1301         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1302         return EXT_RETURN_FAIL;
1303     }
1304 
1305     return EXT_RETURN_SENT;
1306 }
1307 
1308 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1309                                             unsigned int context, X509 *x,
1310                                             size_t chainidx)
1311 {
1312     unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1313     unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1314     int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1315                     && (s->ext.peer_ecpointformats != NULL);
1316     const unsigned char *plist;
1317     size_t plistlen;
1318 
1319     if (!using_ecc)
1320         return EXT_RETURN_NOT_SENT;
1321 
1322     tls1_get_formatlist(s, &plist, &plistlen);
1323     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1324             || !WPACKET_start_sub_packet_u16(pkt)
1325             || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1326             || !WPACKET_close(pkt)) {
1327         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1328         return EXT_RETURN_FAIL;
1329     }
1330 
1331     return EXT_RETURN_SENT;
1332 }
1333 
1334 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1335                                                unsigned int context, X509 *x,
1336                                                size_t chainidx)
1337 {
1338     const uint16_t *groups;
1339     size_t numgroups, i, first = 1;
1340     int version;
1341 
1342     /* s->s3.group_id is non zero if we accepted a key_share */
1343     if (s->s3.group_id == 0)
1344         return EXT_RETURN_NOT_SENT;
1345 
1346     /* Get our list of supported groups */
1347     tls1_get_supported_groups(s, &groups, &numgroups);
1348     if (numgroups == 0) {
1349         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1350         return EXT_RETURN_FAIL;
1351     }
1352 
1353     /* Copy group ID if supported */
1354     version = SSL_version(s);
1355     for (i = 0; i < numgroups; i++) {
1356         uint16_t group = groups[i];
1357 
1358         if (tls_valid_group(s, group, version, version, 0, NULL)
1359                 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1360             if (first) {
1361                 /*
1362                  * Check if the client is already using our preferred group. If
1363                  * so we don't need to add this extension
1364                  */
1365                 if (s->s3.group_id == group)
1366                     return EXT_RETURN_NOT_SENT;
1367 
1368                 /* Add extension header */
1369                 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1370                            /* Sub-packet for supported_groups extension */
1371                         || !WPACKET_start_sub_packet_u16(pkt)
1372                         || !WPACKET_start_sub_packet_u16(pkt)) {
1373                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1374                     return EXT_RETURN_FAIL;
1375                 }
1376 
1377                 first = 0;
1378             }
1379             if (!WPACKET_put_bytes_u16(pkt, group)) {
1380                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1381                     return EXT_RETURN_FAIL;
1382                 }
1383         }
1384     }
1385 
1386     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1387         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1388         return EXT_RETURN_FAIL;
1389     }
1390 
1391     return EXT_RETURN_SENT;
1392 }
1393 
1394 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1395                                              unsigned int context, X509 *x,
1396                                              size_t chainidx)
1397 {
1398     if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1399         s->ext.ticket_expected = 0;
1400         return EXT_RETURN_NOT_SENT;
1401     }
1402 
1403     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1404             || !WPACKET_put_bytes_u16(pkt, 0)) {
1405         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1406         return EXT_RETURN_FAIL;
1407     }
1408 
1409     return EXT_RETURN_SENT;
1410 }
1411 
1412 #ifndef OPENSSL_NO_OCSP
1413 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1414                                              unsigned int context, X509 *x,
1415                                              size_t chainidx)
1416 {
1417     /* We don't currently support this extension inside a CertificateRequest */
1418     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1419         return EXT_RETURN_NOT_SENT;
1420 
1421     if (!s->ext.status_expected)
1422         return EXT_RETURN_NOT_SENT;
1423 
1424     if (SSL_IS_TLS13(s) && chainidx != 0)
1425         return EXT_RETURN_NOT_SENT;
1426 
1427     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1428             || !WPACKET_start_sub_packet_u16(pkt)) {
1429         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1430         return EXT_RETURN_FAIL;
1431     }
1432 
1433     /*
1434      * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1435      * send back an empty extension, with the certificate status appearing as a
1436      * separate message
1437      */
1438     if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1439        /* SSLfatal() already called */
1440        return EXT_RETURN_FAIL;
1441     }
1442     if (!WPACKET_close(pkt)) {
1443         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1444         return EXT_RETURN_FAIL;
1445     }
1446 
1447     return EXT_RETURN_SENT;
1448 }
1449 #endif
1450 
1451 #ifndef OPENSSL_NO_NEXTPROTONEG
1452 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1453                                              unsigned int context, X509 *x,
1454                                              size_t chainidx)
1455 {
1456     const unsigned char *npa;
1457     unsigned int npalen;
1458     int ret;
1459     int npn_seen = s->s3.npn_seen;
1460 
1461     s->s3.npn_seen = 0;
1462     if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1463         return EXT_RETURN_NOT_SENT;
1464 
1465     ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1466                                         s->ctx->ext.npn_advertised_cb_arg);
1467     if (ret == SSL_TLSEXT_ERR_OK) {
1468         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1469                 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1470             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1471             return EXT_RETURN_FAIL;
1472         }
1473         s->s3.npn_seen = 1;
1474     }
1475 
1476     return EXT_RETURN_SENT;
1477 }
1478 #endif
1479 
1480 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1481                                    X509 *x, size_t chainidx)
1482 {
1483     if (s->s3.alpn_selected == NULL)
1484         return EXT_RETURN_NOT_SENT;
1485 
1486     if (!WPACKET_put_bytes_u16(pkt,
1487                 TLSEXT_TYPE_application_layer_protocol_negotiation)
1488             || !WPACKET_start_sub_packet_u16(pkt)
1489             || !WPACKET_start_sub_packet_u16(pkt)
1490             || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1491                                       s->s3.alpn_selected_len)
1492             || !WPACKET_close(pkt)
1493             || !WPACKET_close(pkt)) {
1494         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1495         return EXT_RETURN_FAIL;
1496     }
1497 
1498     return EXT_RETURN_SENT;
1499 }
1500 
1501 #ifndef OPENSSL_NO_SRTP
1502 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1503                                        unsigned int context, X509 *x,
1504                                        size_t chainidx)
1505 {
1506     if (s->srtp_profile == NULL)
1507         return EXT_RETURN_NOT_SENT;
1508 
1509     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1510             || !WPACKET_start_sub_packet_u16(pkt)
1511             || !WPACKET_put_bytes_u16(pkt, 2)
1512             || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1513             || !WPACKET_put_bytes_u8(pkt, 0)
1514             || !WPACKET_close(pkt)) {
1515         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1516         return EXT_RETURN_FAIL;
1517     }
1518 
1519     return EXT_RETURN_SENT;
1520 }
1521 #endif
1522 
1523 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1524                                   X509 *x, size_t chainidx)
1525 {
1526     if (!s->ext.use_etm)
1527         return EXT_RETURN_NOT_SENT;
1528 
1529     /*
1530      * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1531      * for other cases too.
1532      */
1533     if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1534         || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1535         || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1536         || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1537         || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1538         || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1539         s->ext.use_etm = 0;
1540         return EXT_RETURN_NOT_SENT;
1541     }
1542 
1543     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1544             || !WPACKET_put_bytes_u16(pkt, 0)) {
1545         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1546         return EXT_RETURN_FAIL;
1547     }
1548 
1549     return EXT_RETURN_SENT;
1550 }
1551 
1552 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1553                                   X509 *x, size_t chainidx)
1554 {
1555     if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1556         return EXT_RETURN_NOT_SENT;
1557 
1558     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1559             || !WPACKET_put_bytes_u16(pkt, 0)) {
1560         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1561         return EXT_RETURN_FAIL;
1562     }
1563 
1564     return EXT_RETURN_SENT;
1565 }
1566 
1567 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1568                                                  unsigned int context, X509 *x,
1569                                                  size_t chainidx)
1570 {
1571     if (!ossl_assert(SSL_IS_TLS13(s))) {
1572         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1573         return EXT_RETURN_FAIL;
1574     }
1575 
1576     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1577             || !WPACKET_start_sub_packet_u16(pkt)
1578             || !WPACKET_put_bytes_u16(pkt, s->version)
1579             || !WPACKET_close(pkt)) {
1580         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1581         return EXT_RETURN_FAIL;
1582     }
1583 
1584     return EXT_RETURN_SENT;
1585 }
1586 
1587 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1588                                         unsigned int context, X509 *x,
1589                                         size_t chainidx)
1590 {
1591 #ifndef OPENSSL_NO_TLS1_3
1592     unsigned char *encodedPoint;
1593     size_t encoded_pt_len = 0;
1594     EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1595     const TLS_GROUP_INFO *ginf = NULL;
1596 
1597     if (s->hello_retry_request == SSL_HRR_PENDING) {
1598         if (ckey != NULL) {
1599             /* Original key_share was acceptable so don't ask for another one */
1600             return EXT_RETURN_NOT_SENT;
1601         }
1602         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1603                 || !WPACKET_start_sub_packet_u16(pkt)
1604                 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1605                 || !WPACKET_close(pkt)) {
1606             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1607             return EXT_RETURN_FAIL;
1608         }
1609 
1610         return EXT_RETURN_SENT;
1611     }
1612 
1613     if (ckey == NULL) {
1614         /* No key_share received from client - must be resuming */
1615         if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1616             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1617             return EXT_RETURN_FAIL;
1618         }
1619         return EXT_RETURN_NOT_SENT;
1620     }
1621     if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1622         /*
1623          * PSK ('hit') and explicitly not doing DHE (if the client sent the
1624          * DHE option we always take it); don't send key share.
1625          */
1626         return EXT_RETURN_NOT_SENT;
1627     }
1628 
1629     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1630             || !WPACKET_start_sub_packet_u16(pkt)
1631             || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1632         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1633         return EXT_RETURN_FAIL;
1634     }
1635 
1636     if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
1637         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1638         return EXT_RETURN_FAIL;
1639     }
1640 
1641     if (!ginf->is_kem) {
1642         /* Regular KEX */
1643         skey = ssl_generate_pkey(s, ckey);
1644         if (skey == NULL) {
1645             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1646             return EXT_RETURN_FAIL;
1647         }
1648 
1649         /* Generate encoding of server key */
1650         encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1651         if (encoded_pt_len == 0) {
1652             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1653             EVP_PKEY_free(skey);
1654             return EXT_RETURN_FAIL;
1655         }
1656 
1657         if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1658                 || !WPACKET_close(pkt)) {
1659             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1660             EVP_PKEY_free(skey);
1661             OPENSSL_free(encodedPoint);
1662             return EXT_RETURN_FAIL;
1663         }
1664         OPENSSL_free(encodedPoint);
1665 
1666         /*
1667          * This causes the crypto state to be updated based on the derived keys
1668          */
1669         s->s3.tmp.pkey = skey;
1670         if (ssl_derive(s, skey, ckey, 1) == 0) {
1671             /* SSLfatal() already called */
1672             return EXT_RETURN_FAIL;
1673         }
1674     } else {
1675         /* KEM mode */
1676         unsigned char *ct = NULL;
1677         size_t ctlen = 0;
1678 
1679         /*
1680          * This does not update the crypto state.
1681          *
1682          * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1683          * ssl_gensecret().
1684          */
1685         if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1686             /* SSLfatal() already called */
1687             return EXT_RETURN_FAIL;
1688         }
1689 
1690         if (ctlen == 0) {
1691             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1692             OPENSSL_free(ct);
1693             return EXT_RETURN_FAIL;
1694         }
1695 
1696         if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1697                 || !WPACKET_close(pkt)) {
1698             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1699             OPENSSL_free(ct);
1700             return EXT_RETURN_FAIL;
1701         }
1702         OPENSSL_free(ct);
1703 
1704         /*
1705          * This causes the crypto state to be updated based on the generated pms
1706          */
1707         if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1708             /* SSLfatal() already called */
1709             return EXT_RETURN_FAIL;
1710         }
1711     }
1712     s->s3.did_kex = 1;
1713     return EXT_RETURN_SENT;
1714 #else
1715     return EXT_RETURN_FAIL;
1716 #endif
1717 }
1718 
1719 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1720                                      X509 *x, size_t chainidx)
1721 {
1722 #ifndef OPENSSL_NO_TLS1_3
1723     unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1724     unsigned char *hmac, *hmac2;
1725     size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1726     EVP_MD_CTX *hctx;
1727     EVP_PKEY *pkey;
1728     int ret = EXT_RETURN_FAIL;
1729 
1730     if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1731         return EXT_RETURN_NOT_SENT;
1732 
1733     if (s->ctx->gen_stateless_cookie_cb == NULL) {
1734         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1735         return EXT_RETURN_FAIL;
1736     }
1737 
1738     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1739             || !WPACKET_start_sub_packet_u16(pkt)
1740             || !WPACKET_start_sub_packet_u16(pkt)
1741             || !WPACKET_get_total_written(pkt, &startlen)
1742             || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1743             || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1744             || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1745             || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1746             || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1747                                               &ciphlen)
1748                /* Is there a key_share extension present in this HRR? */
1749             || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1750             || !WPACKET_put_bytes_u64(pkt, time(NULL))
1751             || !WPACKET_start_sub_packet_u16(pkt)
1752             || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1753         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1754         return EXT_RETURN_FAIL;
1755     }
1756 
1757     /*
1758      * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1759      * on raw buffers, so we first reserve sufficient bytes (above) and then
1760      * subsequently allocate them (below)
1761      */
1762     if (!ssl3_digest_cached_records(s, 0)
1763             || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1764         /* SSLfatal() already called */
1765         return EXT_RETURN_FAIL;
1766     }
1767 
1768     if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1769             || !ossl_assert(hashval1 == hashval2)
1770             || !WPACKET_close(pkt)
1771             || !WPACKET_start_sub_packet_u8(pkt)
1772             || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1773         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1774         return EXT_RETURN_FAIL;
1775     }
1776 
1777     /* Generate the application cookie */
1778     if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1779         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1780         return EXT_RETURN_FAIL;
1781     }
1782 
1783     if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1784             || !ossl_assert(appcookie1 == appcookie2)
1785             || !WPACKET_close(pkt)
1786             || !WPACKET_get_total_written(pkt, &totcookielen)
1787             || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1788         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1789         return EXT_RETURN_FAIL;
1790     }
1791     hmaclen = SHA256_DIGEST_LENGTH;
1792 
1793     totcookielen -= startlen;
1794     if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1795         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1796         return EXT_RETURN_FAIL;
1797     }
1798 
1799     /* HMAC the cookie */
1800     hctx = EVP_MD_CTX_create();
1801     pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1802                                            s->ctx->propq,
1803                                            s->session_ctx->ext.cookie_hmac_key,
1804                                            sizeof(s->session_ctx->ext.cookie_hmac_key));
1805     if (hctx == NULL || pkey == NULL) {
1806         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1807         goto err;
1808     }
1809 
1810     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1811                               s->ctx->propq, pkey, NULL) <= 0
1812             || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1813                               totcookielen) <= 0) {
1814         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1815         goto err;
1816     }
1817 
1818     if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1819         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1820         goto err;
1821     }
1822 
1823     if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1824             || !ossl_assert(hmac == hmac2)
1825             || !ossl_assert(cookie == hmac - totcookielen)
1826             || !WPACKET_close(pkt)
1827             || !WPACKET_close(pkt)) {
1828         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1829         goto err;
1830     }
1831 
1832     ret = EXT_RETURN_SENT;
1833 
1834  err:
1835     EVP_MD_CTX_free(hctx);
1836     EVP_PKEY_free(pkey);
1837     return ret;
1838 #else
1839     return EXT_RETURN_FAIL;
1840 #endif
1841 }
1842 
1843 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1844                                             unsigned int context, X509 *x,
1845                                             size_t chainidx)
1846 {
1847     const unsigned char cryptopro_ext[36] = {
1848         0xfd, 0xe8,         /* 65000 */
1849         0x00, 0x20,         /* 32 bytes length */
1850         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1851         0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1852         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1853         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1854     };
1855 
1856     if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1857          && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1858             || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1859         return EXT_RETURN_NOT_SENT;
1860 
1861     if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1862         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1863         return EXT_RETURN_FAIL;
1864     }
1865 
1866     return EXT_RETURN_SENT;
1867 }
1868 
1869 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1870                                          unsigned int context, X509 *x,
1871                                          size_t chainidx)
1872 {
1873     if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1874         if (s->max_early_data == 0)
1875             return EXT_RETURN_NOT_SENT;
1876 
1877         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1878                 || !WPACKET_start_sub_packet_u16(pkt)
1879                 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1880                 || !WPACKET_close(pkt)) {
1881             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1882             return EXT_RETURN_FAIL;
1883         }
1884 
1885         return EXT_RETURN_SENT;
1886     }
1887 
1888     if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1889         return EXT_RETURN_NOT_SENT;
1890 
1891     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1892             || !WPACKET_start_sub_packet_u16(pkt)
1893             || !WPACKET_close(pkt)) {
1894         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1895         return EXT_RETURN_FAIL;
1896     }
1897 
1898     return EXT_RETURN_SENT;
1899 }
1900 
1901 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1902                                   X509 *x, size_t chainidx)
1903 {
1904     if (!s->hit)
1905         return EXT_RETURN_NOT_SENT;
1906 
1907     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1908             || !WPACKET_start_sub_packet_u16(pkt)
1909             || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1910             || !WPACKET_close(pkt)) {
1911         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1912         return EXT_RETURN_FAIL;
1913     }
1914 
1915     return EXT_RETURN_SENT;
1916 }
1917