/*

 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

 * in the file LICENSE in the source distribution or at

 * https://www.openssl.org/source/license.html

 */

#include <openssl/ocsp.h>

#include "../ssl_local.h"

#include "statem_local.h"

#include "internal/cryptlib.h"

#define COOKIE_STATE_FORMAT_VERSION     0

/*

 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for

 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for

 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,

 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie

 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.

 */

#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \

                         + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)

/*

 * Message header + 2 bytes for protocol version + number of random bytes +

 * + 1 byte for legacy session id length + number of bytes in legacy session id

 * + 2 bytes for ciphersuite + 1 byte for legacy compression

 * + 2 bytes for extension block length + 6 bytes for key_share extension

 * + 4 bytes for cookie extension header + the number of bytes in the cookie

 */

#define MAX_HRR_SIZE    (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \

                         + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \

                         + MAX_COOKIE_SIZE)

/*

 * Parse the client's renegotiation binding and abort if it's not right

 */

int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,

                               X509 *x, size_t chainidx)

{

    unsigned int ilen;

    const unsigned char *data;

    /* Parse the length byte */

    if (!PACKET_get_1(pkt, &ilen)

        || !PACKET_get_bytes(pkt, &data, ilen)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,

                 SSL_R_RENEGOTIATION_ENCODING_ERR);

        return 0;

    }

    /* Check that the extension matches */

    if (ilen != s->s3->previous_client_finished_len) {

        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,

                 SSL_R_RENEGOTIATION_MISMATCH);

        return 0;

    }

    if (memcmp(data, s->s3->previous_client_finished,

               s->s3->previous_client_finished_len)) {

        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,

                 SSL_R_RENEGOTIATION_MISMATCH);

        return 0;

    }

    s->s3->send_connection_binding = 1;

    return 1;

}

/*-

 * The servername extension is treated as follows:

 *

 * - Only the hostname type is supported with a maximum length of 255.

 * - The servername is rejected if too long or if it contains zeros,

 *   in which case an fatal alert is generated.

 * - The servername field is maintained together with the session cache.

 * - When a session is resumed, the servername call back invoked in order

 *   to allow the application to position itself to the right context.

 * - The servername is acknowledged if it is new for a session or when

 *   it is identical to a previously used for the same session.

 *   Applications can control the behaviour.  They can at any time

 *   set a 'desirable' servername for a new SSL object. This can be the

 *   case for example with HTTPS when a Host: header field is received and

 *   a renegotiation is requested. In this case, a possible servername

 *   presented in the new client hello is only acknowledged if it matches

 *   the value of the Host: field.

 * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

 *   if they provide for changing an explicit servername context for the

 *   session, i.e. when the session has been established with a servername

 *   extension.

 * - On session reconnect, the servername extension may be absent.

 */

int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,

                               X509 *x, size_t chainidx)

{

    unsigned int servname_type;

    PACKET sni, hostname;

    if (!PACKET_as_length_prefixed_2(pkt, &sni)

        /* ServerNameList must be at least 1 byte long. */

        || PACKET_remaining(&sni) == 0) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    /*

     * Although the intent was for server_name to be extensible, RFC 4366

     * was not clear about it; and so OpenSSL among other implementations,

     * always and only allows a 'host_name' name types.

     * RFC 6066 corrected the mistake but adding new name types

     * is nevertheless no longer feasible, so act as if no other

     * SNI types can exist, to simplify parsing.

     *

     * Also note that the RFC permits only one SNI value per type,

     * i.e., we can only have a single hostname.

     */

    if (!PACKET_get_1(&sni, &servname_type)

        || servname_type != TLSEXT_NAMETYPE_host_name

        || !PACKET_as_length_prefixed_2(&sni, &hostname)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    /*

     * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3

     * we always use the SNI value from the handshake.

     */

    if (!s->hit || SSL_IS_TLS13(s)) {

        if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {

            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,

                     SSL_F_TLS_PARSE_CTOS_SERVER_NAME,

                     SSL_R_BAD_EXTENSION);

            return 0;

        }

        if (PACKET_contains_zero_byte(&hostname)) {

            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,

                     SSL_F_TLS_PARSE_CTOS_SERVER_NAME,

                     SSL_R_BAD_EXTENSION);

            return 0;

        }

        /*

         * Store the requested SNI in the SSL as temporary storage.

         * If we accept it, it will get stored in the SSL_SESSION as well.

         */

        OPENSSL_free(s->ext.hostname);

        s->ext.hostname = NULL;

        if (!PACKET_strndup(&hostname, &s->ext.hostname)) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,

                     ERR_R_INTERNAL_ERROR);

            return 0;

        }

        s->servername_done = 1;

    } else {

        /*

         * In TLSv1.2 and below we should check if the SNI is consistent between

         * the initial handshake and the resumption. In TLSv1.3 SNI is not

         * associated with the session.

         */

        /*

         * TODO(openssl-team): if the SNI doesn't match, we MUST

         * fall back to a full handshake.

         */

        s->servername_done = (s->session->ext.hostname != NULL)

            && PACKET_equal(&hostname, s->session->ext.hostname,

                            strlen(s->session->ext.hostname));

    }

    return 1;

}

int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,

                                  X509 *x, size_t chainidx)

{

    unsigned int value;

    if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    /* Received |value| should be a valid max-fragment-length code. */

    if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,

                 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);

        return 0;

    }

    /*

     * RFC 6066:  The negotiated length applies for the duration of the session

     * including session resumptions.

     * We should receive the same code as in resumed session !

     */

    if (s->hit && s->session->ext.max_fragment_len_mode != value) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,

                 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);

        return 0;

    }

    /*

     * Store it in session, so it'll become binding for us

     * and we'll include it in a next Server Hello.

     */

    s->session->ext.max_fragment_len_mode = value;

    return 1;

}

#ifndef OPENSSL_NO_SRP

int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                       size_t chainidx)

{

    PACKET srp_I;

    if (!PACKET_as_length_prefixed_1(pkt, &srp_I)

            || PACKET_contains_zero_byte(&srp_I)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SRP,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    /*

     * TODO(openssl-team): currently, we re-authenticate the user

     * upon resumption. Instead, we MUST ignore the login.

     */

    if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,

                 ERR_R_INTERNAL_ERROR);

        return 0;

    }

    return 1;

}

#endif

#ifndef OPENSSL_NO_EC

int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,

                                 X509 *x, size_t chainidx)

{

    PACKET ec_point_format_list;

    if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)

        || PACKET_remaining(&ec_point_format_list) == 0) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    if (!s->hit) {

        if (!PACKET_memdup(&ec_point_format_list,

                           &s->ext.peer_ecpointformats,

                           &s->ext.peer_ecpointformats_len)) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR,

                     SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);

            return 0;

        }

    }

    return 1;

}

#endif                          /* OPENSSL_NO_EC */

int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,

                                  X509 *x, size_t chainidx)

{

    if (s->ext.session_ticket_cb &&

            !s->ext.session_ticket_cb(s, PACKET_data(pkt),

                                  PACKET_remaining(pkt),

                                  s->ext.session_ticket_cb_arg)) {

        SSLfatal(s, SSL_AD_INTERNAL_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);

        return 0;

    }

    return 1;

}

int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,

                                 X509 *x, size_t chainidx)

{

    PACKET supported_sig_algs;

    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)

            || PACKET_remaining(&supported_sig_algs) == 0) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);

        return 0;

    }

    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);

        return 0;

    }

    return 1;

}

int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                            size_t chainidx)

{

    PACKET supported_sig_algs;

    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)

            || PACKET_remaining(&supported_sig_algs) == 0) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);

        return 0;

    }

    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);

        return 0;

    }

    return 1;

}

#ifndef OPENSSL_NO_OCSP

int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,

                                  X509 *x, size_t chainidx)

{

    PACKET responder_id_list, exts;

    /* We ignore this in a resumption handshake */

    if (s->hit)

        return 1;

    /* Not defined if we get one of these in a client Certificate */

    if (x != NULL)

        return 1;

    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

        return 0;

    }

    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {

        /*

         * We don't know what to do with any other type so ignore it.

         */

        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;

        return 1;

    }

    if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

        return 0;

    }

    /*

     * We remove any OCSP_RESPIDs from a previous handshake

     * to prevent unbounded memory growth - CVE-2016-6304

     */

    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);

    if (PACKET_remaining(&responder_id_list) > 0) {

        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();

        if (s->ext.ocsp.ids == NULL) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);

            return 0;

        }

    } else {

        s->ext.ocsp.ids = NULL;

    }

    while (PACKET_remaining(&responder_id_list) > 0) {

        OCSP_RESPID *id;

        PACKET responder_id;

        const unsigned char *id_data;

        if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)

                || PACKET_remaining(&responder_id) == 0) {

            SSLfatal(s, SSL_AD_DECODE_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

            return 0;

        }

        id_data = PACKET_data(&responder_id);

        /* TODO(size_t): Convert d2i_* to size_t */

        id = d2i_OCSP_RESPID(NULL, &id_data,

                             (int)PACKET_remaining(&responder_id));

        if (id == NULL) {

            SSLfatal(s, SSL_AD_DECODE_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

            return 0;

        }

        if (id_data != PACKET_end(&responder_id)) {

            OCSP_RESPID_free(id);

            SSLfatal(s, SSL_AD_DECODE_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

            return 0;

        }

        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {

            OCSP_RESPID_free(id);

            SSLfatal(s, SSL_AD_INTERNAL_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);

            return 0;

        }

    }

    /* Read in request_extensions */

    if (!PACKET_as_length_prefixed_2(pkt, &exts)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR,

                 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

        return 0;

    }

    if (PACKET_remaining(&exts) > 0) {

        const unsigned char *ext_data = PACKET_data(&exts);

        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,

                                   X509_EXTENSION_free);

        s->ext.ocsp.exts =

            d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));

        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {

            SSLfatal(s, SSL_AD_DECODE_ERROR,

                     SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);

            return 0;

        }

    }

    return 1;

}

#endif

#ifndef OPENSSL_NO_NEXTPROTONEG

int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                       size_t chainidx)

{

    /*

     * We shouldn't accept this extension on a

     * renegotiation.

     */

    if (SSL_IS_FIRST_HANDSHAKE(s))

        s->s3->npn_seen = 1;

    return 1;

}

#endif

/*

 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN

 * extension, not including type and length. Returns: 1 on success, 0 on error.

 */

int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                        size_t chainidx)

{

    PACKET protocol_list, save_protocol_list, protocol;

    if (!SSL_IS_FIRST_HANDSHAKE(s))

        return 1;

    if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)

        || PACKET_remaining(&protocol_list) < 2) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    save_protocol_list = protocol_list;

    do {

        /* Protocol names can't be empty. */

        if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)

                || PACKET_remaining(&protocol) == 0) {

            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,

                     SSL_R_BAD_EXTENSION);

            return 0;

        }

    } while (PACKET_remaining(&protocol_list) != 0);

    OPENSSL_free(s->s3->alpn_proposed);

    s->s3->alpn_proposed = NULL;

    s->s3->alpn_proposed_len = 0;

    if (!PACKET_memdup(&save_protocol_list,

                       &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,

                 ERR_R_INTERNAL_ERROR);

        return 0;

    }

    return 1;

}

#ifndef OPENSSL_NO_SRTP

int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                            size_t chainidx)

{

    STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;

    unsigned int ct, mki_len, id;

    int i, srtp_pref;

    PACKET subpkt;

    /* Ignore this if we have no SRTP profiles */

    if (SSL_get_srtp_profiles(s) == NULL)

        return 1;

    /* Pull off the length of the cipher suite list  and check it is even */

    if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0

            || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,

               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

        return 0;

    }

    srvr = SSL_get_srtp_profiles(s);

    s->srtp_profile = NULL;

    /* Search all profiles for a match initially */

    srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);

    while (PACKET_remaining(&subpkt)) {

        if (!PACKET_get_net_2(&subpkt, &id)) {

            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,

                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

            return 0;

        }

        /*

         * Only look for match in profiles of higher preference than

         * current match.

         * If no profiles have been have been configured then this

         * does nothing.

         */

        for (i = 0; i < srtp_pref; i++) {

            SRTP_PROTECTION_PROFILE *sprof =

                sk_SRTP_PROTECTION_PROFILE_value(srvr, i);

            if (sprof->id == id) {

                s->srtp_profile = sprof;

                srtp_pref = i;

                break;

            }

        }

    }

    /* Now extract the MKI value as a sanity check, but discard it for now */

    if (!PACKET_get_1(pkt, &mki_len)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,

                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

        return 0;

    }

    if (!PACKET_forward(pkt, mki_len)

        || PACKET_remaining(pkt)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,

                 SSL_R_BAD_SRTP_MKI_VALUE);

        return 0;

    }

    return 1;

}

#endif

int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                       size_t chainidx)

{

    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))

        s->ext.use_etm = 1;

    return 1;

}

/*

 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains

 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.

 */

int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,

                                 X509 *x, size_t chainidx)

{

#ifndef OPENSSL_NO_TLS1_3

    PACKET psk_kex_modes;

    unsigned int mode;

    if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)

            || PACKET_remaining(&psk_kex_modes) == 0) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,

                 SSL_R_BAD_EXTENSION);

        return 0;

    }

    while (PACKET_get_1(&psk_kex_modes, &mode)) {

        if (mode == TLSEXT_KEX_MODE_KE_DHE)

            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;

        else if (mode == TLSEXT_KEX_MODE_KE

                && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)

            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;

    }

#endif

    return 1;

}

/*

 * Process a key_share extension received in the ClientHello. |pkt| contains

 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.

 */

int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                             size_t chainidx)

{

#ifndef OPENSSL_NO_TLS1_3

    unsigned int group_id;

    PACKET key_share_list, encoded_pt;

    const uint16_t *clntgroups, *srvrgroups;

    size_t clnt_num_groups, srvr_num_groups;

    int found = 0;

    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)

        return 1;

    /* Sanity check */

    if (s->s3->peer_tmp != NULL) {

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                 ERR_R_INTERNAL_ERROR);

        return 0;

    }

    if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    /* Get our list of supported groups */

    tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);

    /* Get the clients list of supported groups. */

    tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);

    if (clnt_num_groups == 0) {

        /*

         * This can only happen if the supported_groups extension was not sent,

         * because we verify that the length is non-zero when we process that

         * extension.

         */

        SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);

        return 0;

    }

    if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {

        /*

         * If we set a group_id already, then we must have sent an HRR

         * requesting a new key_share. If we haven't got one then that is an

         * error

         */

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                 SSL_R_BAD_KEY_SHARE);

        return 0;

    }

    while (PACKET_remaining(&key_share_list) > 0) {

        if (!PACKET_get_net_2(&key_share_list, &group_id)

                || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)

                || PACKET_remaining(&encoded_pt) == 0) {

            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                     SSL_R_LENGTH_MISMATCH);

            return 0;

        }

        /*

         * If we already found a suitable key_share we loop through the

         * rest to verify the structure, but don't process them.

         */

        if (found)

            continue;

        /*

         * If we sent an HRR then the key_share sent back MUST be for the group

         * we requested, and must be the only key_share sent.

         */

        if (s->s3->group_id != 0

                && (group_id != s->s3->group_id

                    || PACKET_remaining(&key_share_list) != 0)) {

            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                     SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);

            return 0;

        }

        /* Check if this share is in supported_groups sent from client */

        if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {

            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                     SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);

            return 0;

        }

        /* Check if this share is for a group we can use */

        if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {

            /* Share not suitable */

            continue;

        }

        if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,

                   SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);

            return 0;

        }

        s->s3->group_id = group_id;

        if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,

                PACKET_data(&encoded_pt),

                PACKET_remaining(&encoded_pt))) {

            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,

                     SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);

            return 0;

        }

        found = 1;

    }

#endif

    return 1;

}

int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,

                          size_t chainidx)

{

#ifndef OPENSSL_NO_TLS1_3

    unsigned int format, version, key_share, group_id;

    EVP_MD_CTX *hctx;

    EVP_PKEY *pkey;

    PACKET cookie, raw, chhash, appcookie;

    WPACKET hrrpkt;

    const unsigned char *data, *mdin, *ciphdata;

    unsigned char hmac[SHA256_DIGEST_LENGTH];

    unsigned char hrr[MAX_HRR_SIZE];

    size_t rawlen, hmaclen, hrrlen, ciphlen;

    unsigned long tm, now;

    /* Ignore any cookie if we're not set up to verify it */

    if (s->ctx->verify_stateless_cookie_cb == NULL

            || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)

        return 1;

    if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    raw = cookie;

    data = PACKET_data(&raw;;

    rawlen = PACKET_remaining(&raw;;

    if (rawlen < SHA256_DIGEST_LENGTH

            || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    mdin = PACKET_data(&raw;;

    /* Verify the HMAC of the cookie */

    hctx = EVP_MD_CTX_create();

    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,

                                        s->session_ctx->ext.cookie_hmac_key,

                                        sizeof(s->session_ctx->ext

                                               .cookie_hmac_key));

    if (hctx == NULL || pkey == NULL) {

        EVP_MD_CTX_free(hctx);

        EVP_PKEY_free(pkey);

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 ERR_R_MALLOC_FAILURE);

        return 0;

    }

    hmaclen = SHA256_DIGEST_LENGTH;

    if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0

            || EVP_DigestSign(hctx, hmac, &hmaclen, data,

                              rawlen - SHA256_DIGEST_LENGTH) <= 0

            || hmaclen != SHA256_DIGEST_LENGTH) {

        EVP_MD_CTX_free(hctx);

        EVP_PKEY_free(pkey);

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 ERR_R_INTERNAL_ERROR);

        return 0;

    }

    EVP_MD_CTX_free(hctx);

    EVP_PKEY_free(pkey);

    if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_COOKIE_MISMATCH);

        return 0;

    }

    if (!PACKET_get_net_2(&cookie, &format)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    /* Check the cookie format is something we recognise. Ignore it if not */

    if (format != COOKIE_STATE_FORMAT_VERSION)

        return 1;

    /*

     * The rest of these checks really shouldn't fail since we have verified the

     * HMAC above.

     */

    /* Check the version number is sane */

    if (!PACKET_get_net_2(&cookie, &version)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    if (version != TLS1_3_VERSION) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);

        return 0;

    }

    if (!PACKET_get_net_2(&cookie, &group_id)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    ciphdata = PACKET_data(&cookie);

    if (!PACKET_forward(&cookie, 2)) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    if (group_id != s->s3->group_id

            || s->s3->tmp.new_cipher

               != ssl_get_cipher_by_char(s, ciphdata, 0)) {

        /*

         * We chose a different cipher or group id this time around to what is

         * in the cookie. Something must have changed.

         */

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_BAD_CIPHER);

        return 0;

    }

    if (!PACKET_get_1(&cookie, &key_share)

            || !PACKET_get_net_4(&cookie, &tm)

            || !PACKET_get_length_prefixed_2(&cookie, &chhash)

            || !PACKET_get_length_prefixed_1(&cookie, &appcookie)

            || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {

        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_LENGTH_MISMATCH);

        return 0;

    }

    /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */

    now = (unsigned long)time(NULL);

    if (tm > now || (now - tm) > 600) {

        /* Cookie is stale. Ignore it */

        return 1;

    }

    /* Verify the app cookie */

    if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),

                                     PACKET_remaining(&appcookie)) == 0) {

        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,

                 SSL_R_COOKIE_MISMATCH);

        return 0;

    }

    /*

     * Reconstruct the HRR that we would have sent in response to the original

     * ClientHello so we can add it to the transcript hash.