xref: /freebsd/crypto/openssl/ssl/statem/extensions_srvr.c (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1 /*
2  * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14 
15 #define COOKIE_STATE_FORMAT_VERSION     1
16 
17 /*
18  * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19  * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20  * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21  * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22  * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23  */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25                          + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26 
27 /*
28  * Message header + 2 bytes for protocol version + number of random bytes +
29  * + 1 byte for legacy session id length + number of bytes in legacy session id
30  * + 2 bytes for ciphersuite + 1 byte for legacy compression
31  * + 2 bytes for extension block length + 6 bytes for key_share extension
32  * + 4 bytes for cookie extension header + the number of bytes in the cookie
33  */
34 #define MAX_HRR_SIZE    (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35                          + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36                          + MAX_COOKIE_SIZE)
37 
38 /*
39  * Parse the client's renegotiation binding and abort if it's not right
40  */
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42                                X509 *x, size_t chainidx)
43 {
44     unsigned int ilen;
45     const unsigned char *data;
46 
47     /* Parse the length byte */
48     if (!PACKET_get_1(pkt, &ilen)
49         || !PACKET_get_bytes(pkt, &data, ilen)) {
50         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
51         return 0;
52     }
53 
54     /* Check that the extension matches */
55     if (ilen != s->s3.previous_client_finished_len) {
56         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
57         return 0;
58     }
59 
60     if (memcmp(data, s->s3.previous_client_finished,
61                s->s3.previous_client_finished_len)) {
62         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
63         return 0;
64     }
65 
66     s->s3.send_connection_binding = 1;
67 
68     return 1;
69 }
70 
71 /*-
72  * The servername extension is treated as follows:
73  *
74  * - Only the hostname type is supported with a maximum length of 255.
75  * - The servername is rejected if too long or if it contains zeros,
76  *   in which case an fatal alert is generated.
77  * - The servername field is maintained together with the session cache.
78  * - When a session is resumed, the servername call back invoked in order
79  *   to allow the application to position itself to the right context.
80  * - The servername is acknowledged if it is new for a session or when
81  *   it is identical to a previously used for the same session.
82  *   Applications can control the behaviour.  They can at any time
83  *   set a 'desirable' servername for a new SSL object. This can be the
84  *   case for example with HTTPS when a Host: header field is received and
85  *   a renegotiation is requested. In this case, a possible servername
86  *   presented in the new client hello is only acknowledged if it matches
87  *   the value of the Host: field.
88  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89  *   if they provide for changing an explicit servername context for the
90  *   session, i.e. when the session has been established with a servername
91  *   extension.
92  * - On session reconnect, the servername extension may be absent.
93  */
94 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
95                                X509 *x, size_t chainidx)
96 {
97     unsigned int servname_type;
98     PACKET sni, hostname;
99 
100     if (!PACKET_as_length_prefixed_2(pkt, &sni)
101         /* ServerNameList must be at least 1 byte long. */
102         || PACKET_remaining(&sni) == 0) {
103         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
104         return 0;
105     }
106 
107     /*
108      * Although the intent was for server_name to be extensible, RFC 4366
109      * was not clear about it; and so OpenSSL among other implementations,
110      * always and only allows a 'host_name' name types.
111      * RFC 6066 corrected the mistake but adding new name types
112      * is nevertheless no longer feasible, so act as if no other
113      * SNI types can exist, to simplify parsing.
114      *
115      * Also note that the RFC permits only one SNI value per type,
116      * i.e., we can only have a single hostname.
117      */
118     if (!PACKET_get_1(&sni, &servname_type)
119         || servname_type != TLSEXT_NAMETYPE_host_name
120         || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
121         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
122         return 0;
123     }
124 
125     /*
126      * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127      * we always use the SNI value from the handshake.
128      */
129     if (!s->hit || SSL_IS_TLS13(s)) {
130         if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
131             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
132             return 0;
133         }
134 
135         if (PACKET_contains_zero_byte(&hostname)) {
136             SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
137             return 0;
138         }
139 
140         /*
141          * Store the requested SNI in the SSL as temporary storage.
142          * If we accept it, it will get stored in the SSL_SESSION as well.
143          */
144         OPENSSL_free(s->ext.hostname);
145         s->ext.hostname = NULL;
146         if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
147             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
148             return 0;
149         }
150 
151         s->servername_done = 1;
152     } else {
153         /*
154          * In TLSv1.2 and below we should check if the SNI is consistent between
155          * the initial handshake and the resumption. In TLSv1.3 SNI is not
156          * associated with the session.
157          */
158         s->servername_done = (s->session->ext.hostname != NULL)
159             && PACKET_equal(&hostname, s->session->ext.hostname,
160                             strlen(s->session->ext.hostname));
161     }
162 
163     return 1;
164 }
165 
166 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
167                                   X509 *x, size_t chainidx)
168 {
169     unsigned int value;
170 
171     if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
172         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
173         return 0;
174     }
175 
176     /* Received |value| should be a valid max-fragment-length code. */
177     if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
178         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
179                  SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
180         return 0;
181     }
182 
183     /*
184      * When doing a full handshake or a renegotiation max_fragment_len_mode will
185      * be TLSEXT_max_fragment_length_UNSPECIFIED
186      *
187      * In case of a resumption max_fragment_len_mode will be one of
188      *      TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
189      *      TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
190      *      TLSEXT_max_fragment_length_4096
191      *
192      * RFC 6066: The negotiated length applies for the duration of the session
193      * including session resumptions.
194      *
195      * So we only set the value in case it is unspecified.
196      */
197     if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
198         /*
199          * Store it in session, so it'll become binding for us
200          * and we'll include it in a next Server Hello.
201          */
202         s->session->ext.max_fragment_len_mode = value;
203 
204     return 1;
205 }
206 
207 #ifndef OPENSSL_NO_SRP
208 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
209                        size_t chainidx)
210 {
211     PACKET srp_I;
212 
213     if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
214             || PACKET_contains_zero_byte(&srp_I)) {
215         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
216         return 0;
217     }
218 
219     if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
220         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
221         return 0;
222     }
223 
224     return 1;
225 }
226 #endif
227 
228 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
229                                  X509 *x, size_t chainidx)
230 {
231     PACKET ec_point_format_list;
232 
233     if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
234         || PACKET_remaining(&ec_point_format_list) == 0) {
235         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
236         return 0;
237     }
238 
239     if (!s->hit) {
240         if (!PACKET_memdup(&ec_point_format_list,
241                            &s->ext.peer_ecpointformats,
242                            &s->ext.peer_ecpointformats_len)) {
243             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
244             return 0;
245         }
246     }
247 
248     return 1;
249 }
250 
251 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
252                                   X509 *x, size_t chainidx)
253 {
254     if (s->ext.session_ticket_cb &&
255             !s->ext.session_ticket_cb(s, PACKET_data(pkt),
256                                   PACKET_remaining(pkt),
257                                   s->ext.session_ticket_cb_arg)) {
258         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
259         return 0;
260     }
261 
262     return 1;
263 }
264 
265 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
266                                  ossl_unused unsigned int context,
267                                  ossl_unused X509 *x,
268                                  ossl_unused size_t chainidx)
269 {
270     PACKET supported_sig_algs;
271 
272     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
273             || PACKET_remaining(&supported_sig_algs) == 0) {
274         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
275         return 0;
276     }
277 
278     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
279         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
280         return 0;
281     }
282 
283     return 1;
284 }
285 
286 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
287                             size_t chainidx)
288 {
289     PACKET supported_sig_algs;
290 
291     if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
292             || PACKET_remaining(&supported_sig_algs) == 0) {
293         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
294         return 0;
295     }
296 
297     if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
298         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
299         return 0;
300     }
301 
302     return 1;
303 }
304 
305 #ifndef OPENSSL_NO_OCSP
306 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
307                                   X509 *x, size_t chainidx)
308 {
309     PACKET responder_id_list, exts;
310 
311     /* We ignore this in a resumption handshake */
312     if (s->hit)
313         return 1;
314 
315     /* Not defined if we get one of these in a client Certificate */
316     if (x != NULL)
317         return 1;
318 
319     if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
320         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
321         return 0;
322     }
323 
324     if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
325         /*
326          * We don't know what to do with any other type so ignore it.
327          */
328         s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
329         return 1;
330     }
331 
332     if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
333         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
334         return 0;
335     }
336 
337     /*
338      * We remove any OCSP_RESPIDs from a previous handshake
339      * to prevent unbounded memory growth - CVE-2016-6304
340      */
341     sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
342     if (PACKET_remaining(&responder_id_list) > 0) {
343         s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344         if (s->ext.ocsp.ids == NULL) {
345             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
346             return 0;
347         }
348     } else {
349         s->ext.ocsp.ids = NULL;
350     }
351 
352     while (PACKET_remaining(&responder_id_list) > 0) {
353         OCSP_RESPID *id;
354         PACKET responder_id;
355         const unsigned char *id_data;
356 
357         if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358                 || PACKET_remaining(&responder_id) == 0) {
359             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
360             return 0;
361         }
362 
363         id_data = PACKET_data(&responder_id);
364         id = d2i_OCSP_RESPID(NULL, &id_data,
365                              (int)PACKET_remaining(&responder_id));
366         if (id == NULL) {
367             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
368             return 0;
369         }
370 
371         if (id_data != PACKET_end(&responder_id)) {
372             OCSP_RESPID_free(id);
373             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374 
375             return 0;
376         }
377 
378         if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
379             OCSP_RESPID_free(id);
380             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
381 
382             return 0;
383         }
384     }
385 
386     /* Read in request_extensions */
387     if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
388         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
389         return 0;
390     }
391 
392     if (PACKET_remaining(&exts) > 0) {
393         const unsigned char *ext_data = PACKET_data(&exts);
394 
395         sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396                                    X509_EXTENSION_free);
397         s->ext.ocsp.exts =
398             d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399         if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
401             return 0;
402         }
403     }
404 
405     return 1;
406 }
407 #endif
408 
409 #ifndef OPENSSL_NO_NEXTPROTONEG
410 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
411                        size_t chainidx)
412 {
413     /*
414      * We shouldn't accept this extension on a
415      * renegotiation.
416      */
417     if (SSL_IS_FIRST_HANDSHAKE(s))
418         s->s3.npn_seen = 1;
419 
420     return 1;
421 }
422 #endif
423 
424 /*
425  * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
426  * extension, not including type and length. Returns: 1 on success, 0 on error.
427  */
428 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
429                         size_t chainidx)
430 {
431     PACKET protocol_list, save_protocol_list, protocol;
432 
433     if (!SSL_IS_FIRST_HANDSHAKE(s))
434         return 1;
435 
436     if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437         || PACKET_remaining(&protocol_list) < 2) {
438         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
439         return 0;
440     }
441 
442     save_protocol_list = protocol_list;
443     do {
444         /* Protocol names can't be empty. */
445         if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446                 || PACKET_remaining(&protocol) == 0) {
447             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
448             return 0;
449         }
450     } while (PACKET_remaining(&protocol_list) != 0);
451 
452     OPENSSL_free(s->s3.alpn_proposed);
453     s->s3.alpn_proposed = NULL;
454     s->s3.alpn_proposed_len = 0;
455     if (!PACKET_memdup(&save_protocol_list,
456                        &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
457         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
458         return 0;
459     }
460 
461     return 1;
462 }
463 
464 #ifndef OPENSSL_NO_SRTP
465 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
466                             size_t chainidx)
467 {
468     STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469     unsigned int ct, mki_len, id;
470     int i, srtp_pref;
471     PACKET subpkt;
472 
473     /* Ignore this if we have no SRTP profiles */
474     if (SSL_get_srtp_profiles(s) == NULL)
475         return 1;
476 
477     /* Pull off the length of the cipher suite list  and check it is even */
478     if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
479             || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
480         SSLfatal(s, SSL_AD_DECODE_ERROR,
481                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
482         return 0;
483     }
484 
485     srvr = SSL_get_srtp_profiles(s);
486     s->srtp_profile = NULL;
487     /* Search all profiles for a match initially */
488     srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
489 
490     while (PACKET_remaining(&subpkt)) {
491         if (!PACKET_get_net_2(&subpkt, &id)) {
492             SSLfatal(s, SSL_AD_DECODE_ERROR,
493                      SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
494             return 0;
495         }
496 
497         /*
498          * Only look for match in profiles of higher preference than
499          * current match.
500          * If no profiles have been have been configured then this
501          * does nothing.
502          */
503         for (i = 0; i < srtp_pref; i++) {
504             SRTP_PROTECTION_PROFILE *sprof =
505                 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
506 
507             if (sprof->id == id) {
508                 s->srtp_profile = sprof;
509                 srtp_pref = i;
510                 break;
511             }
512         }
513     }
514 
515     /* Now extract the MKI value as a sanity check, but discard it for now */
516     if (!PACKET_get_1(pkt, &mki_len)) {
517         SSLfatal(s, SSL_AD_DECODE_ERROR,
518                  SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
519         return 0;
520     }
521 
522     if (!PACKET_forward(pkt, mki_len)
523         || PACKET_remaining(pkt)) {
524         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
525         return 0;
526     }
527 
528     return 1;
529 }
530 #endif
531 
532 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
533                        size_t chainidx)
534 {
535     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
536         s->ext.use_etm = 1;
537 
538     return 1;
539 }
540 
541 /*
542  * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
543  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
544  */
545 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
546                                  X509 *x, size_t chainidx)
547 {
548 #ifndef OPENSSL_NO_TLS1_3
549     PACKET psk_kex_modes;
550     unsigned int mode;
551 
552     if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
553             || PACKET_remaining(&psk_kex_modes) == 0) {
554         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
555         return 0;
556     }
557 
558     while (PACKET_get_1(&psk_kex_modes, &mode)) {
559         if (mode == TLSEXT_KEX_MODE_KE_DHE)
560             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
561         else if (mode == TLSEXT_KEX_MODE_KE
562                 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
563             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
564     }
565 #endif
566 
567     return 1;
568 }
569 
570 /*
571  * Process a key_share extension received in the ClientHello. |pkt| contains
572  * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
573  */
574 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
575                              size_t chainidx)
576 {
577 #ifndef OPENSSL_NO_TLS1_3
578     unsigned int group_id;
579     PACKET key_share_list, encoded_pt;
580     const uint16_t *clntgroups, *srvrgroups;
581     size_t clnt_num_groups, srvr_num_groups;
582     int found = 0;
583 
584     if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
585         return 1;
586 
587     /* Sanity check */
588     if (s->s3.peer_tmp != NULL) {
589         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
590         return 0;
591     }
592 
593     if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
594         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
595         return 0;
596     }
597 
598     /* Get our list of supported groups */
599     tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
600     /* Get the clients list of supported groups. */
601     tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
602     if (clnt_num_groups == 0) {
603         /*
604          * This can only happen if the supported_groups extension was not sent,
605          * because we verify that the length is non-zero when we process that
606          * extension.
607          */
608         SSLfatal(s, SSL_AD_MISSING_EXTENSION,
609                  SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
610         return 0;
611     }
612 
613     if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
614         /*
615          * If we set a group_id already, then we must have sent an HRR
616          * requesting a new key_share. If we haven't got one then that is an
617          * error
618          */
619         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
620         return 0;
621     }
622 
623     while (PACKET_remaining(&key_share_list) > 0) {
624         if (!PACKET_get_net_2(&key_share_list, &group_id)
625                 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
626                 || PACKET_remaining(&encoded_pt) == 0) {
627             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
628             return 0;
629         }
630 
631         /*
632          * If we already found a suitable key_share we loop through the
633          * rest to verify the structure, but don't process them.
634          */
635         if (found)
636             continue;
637 
638         /*
639          * If we sent an HRR then the key_share sent back MUST be for the group
640          * we requested, and must be the only key_share sent.
641          */
642         if (s->s3.group_id != 0
643                 && (group_id != s->s3.group_id
644                     || PACKET_remaining(&key_share_list) != 0)) {
645             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
646             return 0;
647         }
648 
649         /* Check if this share is in supported_groups sent from client */
650         if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
651             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
652             return 0;
653         }
654 
655         /* Check if this share is for a group we can use */
656         if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
657                 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
658                    /*
659                     * We tolerate but ignore a group id that we don't think is
660                     * suitable for TLSv1.3
661                     */
662                 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
663                                     0, NULL)) {
664             /* Share not suitable */
665             continue;
666         }
667 
668         if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
669             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
670                    SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
671             return 0;
672         }
673 
674         s->s3.group_id = group_id;
675         /* Cache the selected group ID in the SSL_SESSION */
676         s->session->kex_group = group_id;
677 
678         if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
679                                       PACKET_data(&encoded_pt),
680                                       PACKET_remaining(&encoded_pt)) <= 0) {
681             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
682             return 0;
683         }
684 
685         found = 1;
686     }
687 #endif
688 
689     return 1;
690 }
691 
692 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
693                           size_t chainidx)
694 {
695 #ifndef OPENSSL_NO_TLS1_3
696     unsigned int format, version, key_share, group_id;
697     EVP_MD_CTX *hctx;
698     EVP_PKEY *pkey;
699     PACKET cookie, raw, chhash, appcookie;
700     WPACKET hrrpkt;
701     const unsigned char *data, *mdin, *ciphdata;
702     unsigned char hmac[SHA256_DIGEST_LENGTH];
703     unsigned char hrr[MAX_HRR_SIZE];
704     size_t rawlen, hmaclen, hrrlen, ciphlen;
705     uint64_t tm, now;
706 
707     /* Ignore any cookie if we're not set up to verify it */
708     if (s->ctx->verify_stateless_cookie_cb == NULL
709             || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
710         return 1;
711 
712     if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
713         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
714         return 0;
715     }
716 
717     raw = cookie;
718     data = PACKET_data(&raw);
719     rawlen = PACKET_remaining(&raw);
720     if (rawlen < SHA256_DIGEST_LENGTH
721             || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
722         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
723         return 0;
724     }
725     mdin = PACKET_data(&raw);
726 
727     /* Verify the HMAC of the cookie */
728     hctx = EVP_MD_CTX_create();
729     pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
730                                            s->ctx->propq,
731                                            s->session_ctx->ext.cookie_hmac_key,
732                                            sizeof(s->session_ctx->ext.cookie_hmac_key));
733     if (hctx == NULL || pkey == NULL) {
734         EVP_MD_CTX_free(hctx);
735         EVP_PKEY_free(pkey);
736         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
737         return 0;
738     }
739 
740     hmaclen = SHA256_DIGEST_LENGTH;
741     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
742                               s->ctx->propq, pkey, NULL) <= 0
743             || EVP_DigestSign(hctx, hmac, &hmaclen, data,
744                               rawlen - SHA256_DIGEST_LENGTH) <= 0
745             || hmaclen != SHA256_DIGEST_LENGTH) {
746         EVP_MD_CTX_free(hctx);
747         EVP_PKEY_free(pkey);
748         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
749         return 0;
750     }
751 
752     EVP_MD_CTX_free(hctx);
753     EVP_PKEY_free(pkey);
754 
755     if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
756         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
757         return 0;
758     }
759 
760     if (!PACKET_get_net_2(&cookie, &format)) {
761         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
762         return 0;
763     }
764     /* Check the cookie format is something we recognise. Ignore it if not */
765     if (format != COOKIE_STATE_FORMAT_VERSION)
766         return 1;
767 
768     /*
769      * The rest of these checks really shouldn't fail since we have verified the
770      * HMAC above.
771      */
772 
773     /* Check the version number is sane */
774     if (!PACKET_get_net_2(&cookie, &version)) {
775         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
776         return 0;
777     }
778     if (version != TLS1_3_VERSION) {
779         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
780                  SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
781         return 0;
782     }
783 
784     if (!PACKET_get_net_2(&cookie, &group_id)) {
785         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
786         return 0;
787     }
788 
789     ciphdata = PACKET_data(&cookie);
790     if (!PACKET_forward(&cookie, 2)) {
791         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
792         return 0;
793     }
794     if (group_id != s->s3.group_id
795             || s->s3.tmp.new_cipher
796                != ssl_get_cipher_by_char(s, ciphdata, 0)) {
797         /*
798          * We chose a different cipher or group id this time around to what is
799          * in the cookie. Something must have changed.
800          */
801         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
802         return 0;
803     }
804 
805     if (!PACKET_get_1(&cookie, &key_share)
806             || !PACKET_get_net_8(&cookie, &tm)
807             || !PACKET_get_length_prefixed_2(&cookie, &chhash)
808             || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
809             || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
810         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
811         return 0;
812     }
813 
814     /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
815     now = time(NULL);
816     if (tm > now || (now - tm) > 600) {
817         /* Cookie is stale. Ignore it */
818         return 1;
819     }
820 
821     /* Verify the app cookie */
822     if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
823                                      PACKET_remaining(&appcookie)) == 0) {
824         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
825         return 0;
826     }
827 
828     /*
829      * Reconstruct the HRR that we would have sent in response to the original
830      * ClientHello so we can add it to the transcript hash.
831      * Note: This won't work with custom HRR extensions
832      */
833     if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
834         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
835         return 0;
836     }
837     if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838             || !WPACKET_start_sub_packet_u24(&hrrpkt)
839             || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840             || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841             || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842                                       s->tmp_session_id_len)
843             || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
844                                               &ciphlen)
845             || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846             || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847         WPACKET_cleanup(&hrrpkt);
848         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
849         return 0;
850     }
851     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
852             || !WPACKET_start_sub_packet_u16(&hrrpkt)
853             || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
854             || !WPACKET_close(&hrrpkt)) {
855         WPACKET_cleanup(&hrrpkt);
856         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
857         return 0;
858     }
859     if (key_share) {
860         if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
861                 || !WPACKET_start_sub_packet_u16(&hrrpkt)
862                 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
863                 || !WPACKET_close(&hrrpkt)) {
864             WPACKET_cleanup(&hrrpkt);
865             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
866             return 0;
867         }
868     }
869     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
870             || !WPACKET_start_sub_packet_u16(&hrrpkt)
871             || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
872             || !WPACKET_close(&hrrpkt) /* cookie extension */
873             || !WPACKET_close(&hrrpkt) /* extension block */
874             || !WPACKET_close(&hrrpkt) /* message */
875             || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
876             || !WPACKET_finish(&hrrpkt)) {
877         WPACKET_cleanup(&hrrpkt);
878         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
879         return 0;
880     }
881 
882     /* Reconstruct the transcript hash */
883     if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
884                                        PACKET_remaining(&chhash), hrr,
885                                        hrrlen)) {
886         /* SSLfatal() already called */
887         return 0;
888     }
889 
890     /* Act as if this ClientHello came after a HelloRetryRequest */
891     s->hello_retry_request = SSL_HRR_PENDING;
892 
893     s->ext.cookieok = 1;
894 #endif
895 
896     return 1;
897 }
898 
899 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
900                                     X509 *x, size_t chainidx)
901 {
902     PACKET supported_groups_list;
903 
904     /* Each group is 2 bytes and we must have at least 1. */
905     if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
906             || PACKET_remaining(&supported_groups_list) == 0
907             || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
908         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
909         return 0;
910     }
911 
912     if (!s->hit || SSL_IS_TLS13(s)) {
913         OPENSSL_free(s->ext.peer_supportedgroups);
914         s->ext.peer_supportedgroups = NULL;
915         s->ext.peer_supportedgroups_len = 0;
916         if (!tls1_save_u16(&supported_groups_list,
917                            &s->ext.peer_supportedgroups,
918                            &s->ext.peer_supportedgroups_len)) {
919             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
920             return 0;
921         }
922     }
923 
924     return 1;
925 }
926 
927 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
928                        size_t chainidx)
929 {
930     /* The extension must always be empty */
931     if (PACKET_remaining(pkt) != 0) {
932         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
933         return 0;
934     }
935 
936     if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
937         return 1;
938 
939     s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
940 
941     return 1;
942 }
943 
944 
945 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
946                               X509 *x, size_t chainidx)
947 {
948     if (PACKET_remaining(pkt) != 0) {
949         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
950         return 0;
951     }
952 
953     if (s->hello_retry_request != SSL_HRR_NONE) {
954         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
955         return 0;
956     }
957 
958     return 1;
959 }
960 
961 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
962                                                  SSL_SESSION **sess)
963 {
964     SSL_SESSION *tmpsess = NULL;
965 
966     s->ext.ticket_expected = 1;
967 
968     switch (PACKET_remaining(tick)) {
969         case 0:
970             return SSL_TICKET_EMPTY;
971 
972         case SSL_MAX_SSL_SESSION_ID_LENGTH:
973             break;
974 
975         default:
976             return SSL_TICKET_NO_DECRYPT;
977     }
978 
979     tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
980                                    SSL_MAX_SSL_SESSION_ID_LENGTH);
981 
982     if (tmpsess == NULL)
983         return SSL_TICKET_NO_DECRYPT;
984 
985     *sess = tmpsess;
986     return SSL_TICKET_SUCCESS;
987 }
988 
989 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
990                        size_t chainidx)
991 {
992     PACKET identities, binders, binder;
993     size_t binderoffset, hashsize;
994     SSL_SESSION *sess = NULL;
995     unsigned int id, i, ext = 0;
996     const EVP_MD *md = NULL;
997 
998     /*
999      * If we have no PSK kex mode that we recognise then we can't resume so
1000      * ignore this extension
1001      */
1002     if ((s->ext.psk_kex_mode
1003             & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1004         return 1;
1005 
1006     if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1007         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1008         return 0;
1009     }
1010 
1011     s->ext.ticket_expected = 0;
1012     for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1013         PACKET identity;
1014         unsigned long ticket_agel;
1015         size_t idlen;
1016 
1017         if (!PACKET_get_length_prefixed_2(&identities, &identity)
1018                 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1019             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1020             return 0;
1021         }
1022 
1023         idlen = PACKET_remaining(&identity);
1024         if (s->psk_find_session_cb != NULL
1025                 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1026                                            &sess)) {
1027             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1028             return 0;
1029         }
1030 
1031 #ifndef OPENSSL_NO_PSK
1032         if(sess == NULL
1033                 && s->psk_server_callback != NULL
1034                 && idlen <= PSK_MAX_IDENTITY_LEN) {
1035             char *pskid = NULL;
1036             unsigned char pskdata[PSK_MAX_PSK_LEN];
1037             unsigned int pskdatalen;
1038 
1039             if (!PACKET_strndup(&identity, &pskid)) {
1040                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1041                 return 0;
1042             }
1043             pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1044                                                 sizeof(pskdata));
1045             OPENSSL_free(pskid);
1046             if (pskdatalen > PSK_MAX_PSK_LEN) {
1047                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1048                 return 0;
1049             } else if (pskdatalen > 0) {
1050                 const SSL_CIPHER *cipher;
1051                 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1052 
1053                 /*
1054                  * We found a PSK using an old style callback. We don't know
1055                  * the digest so we default to SHA256 as per the TLSv1.3 spec
1056                  */
1057                 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1058                 if (cipher == NULL) {
1059                     OPENSSL_cleanse(pskdata, pskdatalen);
1060                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1061                     return 0;
1062                 }
1063 
1064                 sess = SSL_SESSION_new();
1065                 if (sess == NULL
1066                         || !SSL_SESSION_set1_master_key(sess, pskdata,
1067                                                         pskdatalen)
1068                         || !SSL_SESSION_set_cipher(sess, cipher)
1069                         || !SSL_SESSION_set_protocol_version(sess,
1070                                                              TLS1_3_VERSION)) {
1071                     OPENSSL_cleanse(pskdata, pskdatalen);
1072                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1073                     goto err;
1074                 }
1075                 OPENSSL_cleanse(pskdata, pskdatalen);
1076             }
1077         }
1078 #endif /* OPENSSL_NO_PSK */
1079 
1080         if (sess != NULL) {
1081             /* We found a PSK */
1082             SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1083 
1084             if (sesstmp == NULL) {
1085                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1086                 return 0;
1087             }
1088             SSL_SESSION_free(sess);
1089             sess = sesstmp;
1090 
1091             /*
1092              * We've just been told to use this session for this context so
1093              * make sure the sid_ctx matches up.
1094              */
1095             memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1096             sess->sid_ctx_length = s->sid_ctx_length;
1097             ext = 1;
1098             if (id == 0)
1099                 s->ext.early_data_ok = 1;
1100             s->ext.ticket_expected = 1;
1101         } else {
1102             uint32_t ticket_age = 0, agesec, agems;
1103             int ret;
1104 
1105             /*
1106              * If we are using anti-replay protection then we behave as if
1107              * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1108              * is no point in using full stateless tickets.
1109              */
1110             if ((s->options & SSL_OP_NO_TICKET) != 0
1111                     || (s->max_early_data > 0
1112                         && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1113                 ret = tls_get_stateful_ticket(s, &identity, &sess);
1114             else
1115                 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1116                                          PACKET_remaining(&identity), NULL, 0,
1117                                          &sess);
1118 
1119             if (ret == SSL_TICKET_EMPTY) {
1120                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1121                 return 0;
1122             }
1123 
1124             if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1125                     || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1126                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1127                 return 0;
1128             }
1129             if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1130                 continue;
1131 
1132             /* Check for replay */
1133             if (s->max_early_data > 0
1134                     && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1135                     && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1136                 SSL_SESSION_free(sess);
1137                 sess = NULL;
1138                 continue;
1139             }
1140 
1141             ticket_age = (uint32_t)ticket_agel;
1142             agesec = (uint32_t)(time(NULL) - sess->time);
1143             agems = agesec * (uint32_t)1000;
1144             ticket_age -= sess->ext.tick_age_add;
1145 
1146             /*
1147              * For simplicity we do our age calculations in seconds. If the
1148              * client does it in ms then it could appear that their ticket age
1149              * is longer than ours (our ticket age calculation should always be
1150              * slightly longer than the client's due to the network latency).
1151              * Therefore we add 1000ms to our age calculation to adjust for
1152              * rounding errors.
1153              */
1154             if (id == 0
1155                     && sess->timeout >= (long)agesec
1156                     && agems / (uint32_t)1000 == agesec
1157                     && ticket_age <= agems + 1000
1158                     && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1159                 /*
1160                  * Ticket age is within tolerance and not expired. We allow it
1161                  * for early data
1162                  */
1163                 s->ext.early_data_ok = 1;
1164             }
1165         }
1166 
1167         md = ssl_md(s->ctx, sess->cipher->algorithm2);
1168         if (md == NULL) {
1169             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1170             goto err;
1171         }
1172         if (!EVP_MD_is_a(md,
1173                 EVP_MD_get0_name(ssl_md(s->ctx,
1174                                         s->s3.tmp.new_cipher->algorithm2)))) {
1175             /* The ciphersuite is not compatible with this session. */
1176             SSL_SESSION_free(sess);
1177             sess = NULL;
1178             s->ext.early_data_ok = 0;
1179             s->ext.ticket_expected = 0;
1180             continue;
1181         }
1182         break;
1183     }
1184 
1185     if (sess == NULL)
1186         return 1;
1187 
1188     binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1189     hashsize = EVP_MD_get_size(md);
1190 
1191     if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1192         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1193         goto err;
1194     }
1195 
1196     for (i = 0; i <= id; i++) {
1197         if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1198             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1199             goto err;
1200         }
1201     }
1202 
1203     if (PACKET_remaining(&binder) != hashsize) {
1204         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1205         goto err;
1206     }
1207     if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1208                           binderoffset, PACKET_data(&binder), NULL, sess, 0,
1209                           ext) != 1) {
1210         /* SSLfatal() already called */
1211         goto err;
1212     }
1213 
1214     s->ext.tick_identity = id;
1215 
1216     SSL_SESSION_free(s->session);
1217     s->session = sess;
1218     return 1;
1219 err:
1220     SSL_SESSION_free(sess);
1221     return 0;
1222 }
1223 
1224 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1225                                        ossl_unused unsigned int context,
1226                                        ossl_unused X509 *x,
1227                                        ossl_unused size_t chainidx)
1228 {
1229     if (PACKET_remaining(pkt) != 0) {
1230         SSLfatal(s, SSL_AD_DECODE_ERROR,
1231                  SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1232         return 0;
1233     }
1234 
1235     s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1236 
1237     return 1;
1238 }
1239 
1240 /*
1241  * Add the server's renegotiation binding
1242  */
1243 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1244                                           unsigned int context, X509 *x,
1245                                           size_t chainidx)
1246 {
1247     if (!s->s3.send_connection_binding)
1248         return EXT_RETURN_NOT_SENT;
1249 
1250     /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1251     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1252             || !WPACKET_start_sub_packet_u16(pkt)
1253             || !WPACKET_start_sub_packet_u8(pkt)
1254             || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1255                                s->s3.previous_client_finished_len)
1256             || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1257                                s->s3.previous_server_finished_len)
1258             || !WPACKET_close(pkt)
1259             || !WPACKET_close(pkt)) {
1260         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1261         return EXT_RETURN_FAIL;
1262     }
1263 
1264     return EXT_RETURN_SENT;
1265 }
1266 
1267 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1268                                           unsigned int context, X509 *x,
1269                                           size_t chainidx)
1270 {
1271     if (s->servername_done != 1)
1272         return EXT_RETURN_NOT_SENT;
1273 
1274     /*
1275      * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1276      * We just use the servername from the initial handshake.
1277      */
1278     if (s->hit && !SSL_IS_TLS13(s))
1279         return EXT_RETURN_NOT_SENT;
1280 
1281     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1282             || !WPACKET_put_bytes_u16(pkt, 0)) {
1283         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1284         return EXT_RETURN_FAIL;
1285     }
1286 
1287     return EXT_RETURN_SENT;
1288 }
1289 
1290 /* Add/include the server's max fragment len extension into ServerHello */
1291 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1292                                              unsigned int context, X509 *x,
1293                                              size_t chainidx)
1294 {
1295     if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1296         return EXT_RETURN_NOT_SENT;
1297 
1298     /*-
1299      * 4 bytes for this extension type and extension length
1300      * 1 byte for the Max Fragment Length code value.
1301      */
1302     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1303         || !WPACKET_start_sub_packet_u16(pkt)
1304         || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1305         || !WPACKET_close(pkt)) {
1306         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1307         return EXT_RETURN_FAIL;
1308     }
1309 
1310     return EXT_RETURN_SENT;
1311 }
1312 
1313 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1314                                             unsigned int context, X509 *x,
1315                                             size_t chainidx)
1316 {
1317     unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1318     unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1319     int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1320                     && (s->ext.peer_ecpointformats != NULL);
1321     const unsigned char *plist;
1322     size_t plistlen;
1323 
1324     if (!using_ecc)
1325         return EXT_RETURN_NOT_SENT;
1326 
1327     tls1_get_formatlist(s, &plist, &plistlen);
1328     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1329             || !WPACKET_start_sub_packet_u16(pkt)
1330             || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1331             || !WPACKET_close(pkt)) {
1332         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1333         return EXT_RETURN_FAIL;
1334     }
1335 
1336     return EXT_RETURN_SENT;
1337 }
1338 
1339 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1340                                                unsigned int context, X509 *x,
1341                                                size_t chainidx)
1342 {
1343     const uint16_t *groups;
1344     size_t numgroups, i, first = 1;
1345     int version;
1346 
1347     /* s->s3.group_id is non zero if we accepted a key_share */
1348     if (s->s3.group_id == 0)
1349         return EXT_RETURN_NOT_SENT;
1350 
1351     /* Get our list of supported groups */
1352     tls1_get_supported_groups(s, &groups, &numgroups);
1353     if (numgroups == 0) {
1354         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1355         return EXT_RETURN_FAIL;
1356     }
1357 
1358     /* Copy group ID if supported */
1359     version = SSL_version(s);
1360     for (i = 0; i < numgroups; i++) {
1361         uint16_t group = groups[i];
1362 
1363         if (tls_valid_group(s, group, version, version, 0, NULL)
1364                 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1365             if (first) {
1366                 /*
1367                  * Check if the client is already using our preferred group. If
1368                  * so we don't need to add this extension
1369                  */
1370                 if (s->s3.group_id == group)
1371                     return EXT_RETURN_NOT_SENT;
1372 
1373                 /* Add extension header */
1374                 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1375                            /* Sub-packet for supported_groups extension */
1376                         || !WPACKET_start_sub_packet_u16(pkt)
1377                         || !WPACKET_start_sub_packet_u16(pkt)) {
1378                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1379                     return EXT_RETURN_FAIL;
1380                 }
1381 
1382                 first = 0;
1383             }
1384             if (!WPACKET_put_bytes_u16(pkt, group)) {
1385                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1386                     return EXT_RETURN_FAIL;
1387                 }
1388         }
1389     }
1390 
1391     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1392         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1393         return EXT_RETURN_FAIL;
1394     }
1395 
1396     return EXT_RETURN_SENT;
1397 }
1398 
1399 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1400                                              unsigned int context, X509 *x,
1401                                              size_t chainidx)
1402 {
1403     if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1404         s->ext.ticket_expected = 0;
1405         return EXT_RETURN_NOT_SENT;
1406     }
1407 
1408     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1409             || !WPACKET_put_bytes_u16(pkt, 0)) {
1410         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1411         return EXT_RETURN_FAIL;
1412     }
1413 
1414     return EXT_RETURN_SENT;
1415 }
1416 
1417 #ifndef OPENSSL_NO_OCSP
1418 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1419                                              unsigned int context, X509 *x,
1420                                              size_t chainidx)
1421 {
1422     /* We don't currently support this extension inside a CertificateRequest */
1423     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1424         return EXT_RETURN_NOT_SENT;
1425 
1426     if (!s->ext.status_expected)
1427         return EXT_RETURN_NOT_SENT;
1428 
1429     if (SSL_IS_TLS13(s) && chainidx != 0)
1430         return EXT_RETURN_NOT_SENT;
1431 
1432     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1433             || !WPACKET_start_sub_packet_u16(pkt)) {
1434         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1435         return EXT_RETURN_FAIL;
1436     }
1437 
1438     /*
1439      * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1440      * send back an empty extension, with the certificate status appearing as a
1441      * separate message
1442      */
1443     if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1444        /* SSLfatal() already called */
1445        return EXT_RETURN_FAIL;
1446     }
1447     if (!WPACKET_close(pkt)) {
1448         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1449         return EXT_RETURN_FAIL;
1450     }
1451 
1452     return EXT_RETURN_SENT;
1453 }
1454 #endif
1455 
1456 #ifndef OPENSSL_NO_NEXTPROTONEG
1457 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1458                                              unsigned int context, X509 *x,
1459                                              size_t chainidx)
1460 {
1461     const unsigned char *npa;
1462     unsigned int npalen;
1463     int ret;
1464     int npn_seen = s->s3.npn_seen;
1465 
1466     s->s3.npn_seen = 0;
1467     if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1468         return EXT_RETURN_NOT_SENT;
1469 
1470     ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1471                                         s->ctx->ext.npn_advertised_cb_arg);
1472     if (ret == SSL_TLSEXT_ERR_OK) {
1473         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1474                 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1475             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1476             return EXT_RETURN_FAIL;
1477         }
1478         s->s3.npn_seen = 1;
1479         return EXT_RETURN_SENT;
1480     }
1481 
1482     return EXT_RETURN_NOT_SENT;
1483 }
1484 #endif
1485 
1486 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1487                                    X509 *x, size_t chainidx)
1488 {
1489     if (s->s3.alpn_selected == NULL)
1490         return EXT_RETURN_NOT_SENT;
1491 
1492     if (!WPACKET_put_bytes_u16(pkt,
1493                 TLSEXT_TYPE_application_layer_protocol_negotiation)
1494             || !WPACKET_start_sub_packet_u16(pkt)
1495             || !WPACKET_start_sub_packet_u16(pkt)
1496             || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1497                                       s->s3.alpn_selected_len)
1498             || !WPACKET_close(pkt)
1499             || !WPACKET_close(pkt)) {
1500         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1501         return EXT_RETURN_FAIL;
1502     }
1503 
1504     return EXT_RETURN_SENT;
1505 }
1506 
1507 #ifndef OPENSSL_NO_SRTP
1508 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1509                                        unsigned int context, X509 *x,
1510                                        size_t chainidx)
1511 {
1512     if (s->srtp_profile == NULL)
1513         return EXT_RETURN_NOT_SENT;
1514 
1515     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1516             || !WPACKET_start_sub_packet_u16(pkt)
1517             || !WPACKET_put_bytes_u16(pkt, 2)
1518             || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1519             || !WPACKET_put_bytes_u8(pkt, 0)
1520             || !WPACKET_close(pkt)) {
1521         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1522         return EXT_RETURN_FAIL;
1523     }
1524 
1525     return EXT_RETURN_SENT;
1526 }
1527 #endif
1528 
1529 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1530                                   X509 *x, size_t chainidx)
1531 {
1532     if (!s->ext.use_etm)
1533         return EXT_RETURN_NOT_SENT;
1534 
1535     /*
1536      * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1537      * for other cases too.
1538      */
1539     if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1540         || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1541         || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1542         || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1543         || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1544         || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1545         s->ext.use_etm = 0;
1546         return EXT_RETURN_NOT_SENT;
1547     }
1548 
1549     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1550             || !WPACKET_put_bytes_u16(pkt, 0)) {
1551         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1552         return EXT_RETURN_FAIL;
1553     }
1554 
1555     return EXT_RETURN_SENT;
1556 }
1557 
1558 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1559                                   X509 *x, size_t chainidx)
1560 {
1561     if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1562         return EXT_RETURN_NOT_SENT;
1563 
1564     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1565             || !WPACKET_put_bytes_u16(pkt, 0)) {
1566         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1567         return EXT_RETURN_FAIL;
1568     }
1569 
1570     return EXT_RETURN_SENT;
1571 }
1572 
1573 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1574                                                  unsigned int context, X509 *x,
1575                                                  size_t chainidx)
1576 {
1577     if (!ossl_assert(SSL_IS_TLS13(s))) {
1578         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1579         return EXT_RETURN_FAIL;
1580     }
1581 
1582     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1583             || !WPACKET_start_sub_packet_u16(pkt)
1584             || !WPACKET_put_bytes_u16(pkt, s->version)
1585             || !WPACKET_close(pkt)) {
1586         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1587         return EXT_RETURN_FAIL;
1588     }
1589 
1590     return EXT_RETURN_SENT;
1591 }
1592 
1593 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1594                                         unsigned int context, X509 *x,
1595                                         size_t chainidx)
1596 {
1597 #ifndef OPENSSL_NO_TLS1_3
1598     unsigned char *encodedPoint;
1599     size_t encoded_pt_len = 0;
1600     EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1601     const TLS_GROUP_INFO *ginf = NULL;
1602 
1603     if (s->hello_retry_request == SSL_HRR_PENDING) {
1604         if (ckey != NULL) {
1605             /* Original key_share was acceptable so don't ask for another one */
1606             return EXT_RETURN_NOT_SENT;
1607         }
1608         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1609                 || !WPACKET_start_sub_packet_u16(pkt)
1610                 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1611                 || !WPACKET_close(pkt)) {
1612             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1613             return EXT_RETURN_FAIL;
1614         }
1615 
1616         return EXT_RETURN_SENT;
1617     }
1618 
1619     if (ckey == NULL) {
1620         /* No key_share received from client - must be resuming */
1621         if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1622             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1623             return EXT_RETURN_FAIL;
1624         }
1625         return EXT_RETURN_NOT_SENT;
1626     }
1627     if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1628         /*
1629          * PSK ('hit') and explicitly not doing DHE (if the client sent the
1630          * DHE option we always take it); don't send key share.
1631          */
1632         return EXT_RETURN_NOT_SENT;
1633     }
1634 
1635     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1636             || !WPACKET_start_sub_packet_u16(pkt)
1637             || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1638         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1639         return EXT_RETURN_FAIL;
1640     }
1641 
1642     if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
1643         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1644         return EXT_RETURN_FAIL;
1645     }
1646 
1647     if (!ginf->is_kem) {
1648         /* Regular KEX */
1649         skey = ssl_generate_pkey(s, ckey);
1650         if (skey == NULL) {
1651             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1652             return EXT_RETURN_FAIL;
1653         }
1654 
1655         /* Generate encoding of server key */
1656         encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1657         if (encoded_pt_len == 0) {
1658             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1659             EVP_PKEY_free(skey);
1660             return EXT_RETURN_FAIL;
1661         }
1662 
1663         if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1664                 || !WPACKET_close(pkt)) {
1665             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1666             EVP_PKEY_free(skey);
1667             OPENSSL_free(encodedPoint);
1668             return EXT_RETURN_FAIL;
1669         }
1670         OPENSSL_free(encodedPoint);
1671 
1672         /*
1673          * This causes the crypto state to be updated based on the derived keys
1674          */
1675         s->s3.tmp.pkey = skey;
1676         if (ssl_derive(s, skey, ckey, 1) == 0) {
1677             /* SSLfatal() already called */
1678             return EXT_RETURN_FAIL;
1679         }
1680     } else {
1681         /* KEM mode */
1682         unsigned char *ct = NULL;
1683         size_t ctlen = 0;
1684 
1685         /*
1686          * This does not update the crypto state.
1687          *
1688          * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1689          * ssl_gensecret().
1690          */
1691         if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1692             /* SSLfatal() already called */
1693             return EXT_RETURN_FAIL;
1694         }
1695 
1696         if (ctlen == 0) {
1697             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1698             OPENSSL_free(ct);
1699             return EXT_RETURN_FAIL;
1700         }
1701 
1702         if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1703                 || !WPACKET_close(pkt)) {
1704             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1705             OPENSSL_free(ct);
1706             return EXT_RETURN_FAIL;
1707         }
1708         OPENSSL_free(ct);
1709 
1710         /*
1711          * This causes the crypto state to be updated based on the generated pms
1712          */
1713         if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1714             /* SSLfatal() already called */
1715             return EXT_RETURN_FAIL;
1716         }
1717     }
1718     s->s3.did_kex = 1;
1719     return EXT_RETURN_SENT;
1720 #else
1721     return EXT_RETURN_FAIL;
1722 #endif
1723 }
1724 
1725 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1726                                      X509 *x, size_t chainidx)
1727 {
1728 #ifndef OPENSSL_NO_TLS1_3
1729     unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1730     unsigned char *hmac, *hmac2;
1731     size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1732     EVP_MD_CTX *hctx;
1733     EVP_PKEY *pkey;
1734     int ret = EXT_RETURN_FAIL;
1735 
1736     if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1737         return EXT_RETURN_NOT_SENT;
1738 
1739     if (s->ctx->gen_stateless_cookie_cb == NULL) {
1740         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1741         return EXT_RETURN_FAIL;
1742     }
1743 
1744     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1745             || !WPACKET_start_sub_packet_u16(pkt)
1746             || !WPACKET_start_sub_packet_u16(pkt)
1747             || !WPACKET_get_total_written(pkt, &startlen)
1748             || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1749             || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1750             || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1751             || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1752             || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1753                                               &ciphlen)
1754                /* Is there a key_share extension present in this HRR? */
1755             || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1756             || !WPACKET_put_bytes_u64(pkt, time(NULL))
1757             || !WPACKET_start_sub_packet_u16(pkt)
1758             || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1759         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1760         return EXT_RETURN_FAIL;
1761     }
1762 
1763     /*
1764      * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1765      * on raw buffers, so we first reserve sufficient bytes (above) and then
1766      * subsequently allocate them (below)
1767      */
1768     if (!ssl3_digest_cached_records(s, 0)
1769             || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1770         /* SSLfatal() already called */
1771         return EXT_RETURN_FAIL;
1772     }
1773 
1774     if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1775             || !ossl_assert(hashval1 == hashval2)
1776             || !WPACKET_close(pkt)
1777             || !WPACKET_start_sub_packet_u8(pkt)
1778             || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1779         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1780         return EXT_RETURN_FAIL;
1781     }
1782 
1783     /* Generate the application cookie */
1784     if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1785         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1786         return EXT_RETURN_FAIL;
1787     }
1788 
1789     if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1790             || !ossl_assert(appcookie1 == appcookie2)
1791             || !WPACKET_close(pkt)
1792             || !WPACKET_get_total_written(pkt, &totcookielen)
1793             || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1794         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1795         return EXT_RETURN_FAIL;
1796     }
1797     hmaclen = SHA256_DIGEST_LENGTH;
1798 
1799     totcookielen -= startlen;
1800     if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1801         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1802         return EXT_RETURN_FAIL;
1803     }
1804 
1805     /* HMAC the cookie */
1806     hctx = EVP_MD_CTX_create();
1807     pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1808                                            s->ctx->propq,
1809                                            s->session_ctx->ext.cookie_hmac_key,
1810                                            sizeof(s->session_ctx->ext.cookie_hmac_key));
1811     if (hctx == NULL || pkey == NULL) {
1812         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1813         goto err;
1814     }
1815 
1816     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1817                               s->ctx->propq, pkey, NULL) <= 0
1818             || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1819                               totcookielen) <= 0) {
1820         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1821         goto err;
1822     }
1823 
1824     if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1825         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1826         goto err;
1827     }
1828 
1829     if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1830             || !ossl_assert(hmac == hmac2)
1831             || !ossl_assert(cookie == hmac - totcookielen)
1832             || !WPACKET_close(pkt)
1833             || !WPACKET_close(pkt)) {
1834         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1835         goto err;
1836     }
1837 
1838     ret = EXT_RETURN_SENT;
1839 
1840  err:
1841     EVP_MD_CTX_free(hctx);
1842     EVP_PKEY_free(pkey);
1843     return ret;
1844 #else
1845     return EXT_RETURN_FAIL;
1846 #endif
1847 }
1848 
1849 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1850                                             unsigned int context, X509 *x,
1851                                             size_t chainidx)
1852 {
1853     const unsigned char cryptopro_ext[36] = {
1854         0xfd, 0xe8,         /* 65000 */
1855         0x00, 0x20,         /* 32 bytes length */
1856         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1857         0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1858         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1859         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1860     };
1861 
1862     if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1863          && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1864             || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1865         return EXT_RETURN_NOT_SENT;
1866 
1867     if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1868         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1869         return EXT_RETURN_FAIL;
1870     }
1871 
1872     return EXT_RETURN_SENT;
1873 }
1874 
1875 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1876                                          unsigned int context, X509 *x,
1877                                          size_t chainidx)
1878 {
1879     if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1880         if (s->max_early_data == 0)
1881             return EXT_RETURN_NOT_SENT;
1882 
1883         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1884                 || !WPACKET_start_sub_packet_u16(pkt)
1885                 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1886                 || !WPACKET_close(pkt)) {
1887             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1888             return EXT_RETURN_FAIL;
1889         }
1890 
1891         return EXT_RETURN_SENT;
1892     }
1893 
1894     if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1895         return EXT_RETURN_NOT_SENT;
1896 
1897     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1898             || !WPACKET_start_sub_packet_u16(pkt)
1899             || !WPACKET_close(pkt)) {
1900         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1901         return EXT_RETURN_FAIL;
1902     }
1903 
1904     return EXT_RETURN_SENT;
1905 }
1906 
1907 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1908                                   X509 *x, size_t chainidx)
1909 {
1910     if (!s->hit)
1911         return EXT_RETURN_NOT_SENT;
1912 
1913     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1914             || !WPACKET_start_sub_packet_u16(pkt)
1915             || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1916             || !WPACKET_close(pkt)) {
1917         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1918         return EXT_RETURN_FAIL;
1919     }
1920 
1921     return EXT_RETURN_SENT;
1922 }
1923