]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
make EVP_PKEY opaque
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
6434abbf 124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
2daceb03 127static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 128int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 129
0f113f3e
MC		 130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_alert_code,
141 tls1_export_keying_material,
142 0,
143 SSL3_HM_HEADER_LENGTH,
144 ssl3_set_handshake_header,
145 ssl3_handshake_write
146};
147
148SSL3_ENC_METHOD const TLSv1_1_enc_data = {
149 tls1_enc,
150 tls1_mac,
151 tls1_setup_key_block,
152 tls1_generate_master_secret,
153 tls1_change_cipher_state,
154 tls1_final_finish_mac,
155 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 156 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
157 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
158 tls1_alert_code,
159 tls1_export_keying_material,
160 SSL_ENC_FLAG_EXPLICIT_IV,
161 SSL3_HM_HEADER_LENGTH,
162 ssl3_set_handshake_header,
163 ssl3_handshake_write
164};
165
166SSL3_ENC_METHOD const TLSv1_2_enc_data = {
167 tls1_enc,
168 tls1_mac,
169 tls1_setup_key_block,
170 tls1_generate_master_secret,
171 tls1_change_cipher_state,
172 tls1_final_finish_mac,
173 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 174 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
179 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183};
58964a49 184
f3b656b2 185long tls1_default_timeout(void)
0f113f3e
MC		 186{
187 /*
188 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
189 * http, the cache would over fill
190 */
191 return (60 * 60 * 2);
192}
58964a49 193
6b691a5c 194int tls1_new(SSL *s)
0f113f3e
MC		 195{
196 if (!ssl3_new(s))
197 return (0);
198 s->method->ssl_clear(s);
199 return (1);
200}
58964a49 201
6b691a5c 202void tls1_free(SSL *s)
0f113f3e 203{
b548a1f1 204 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 205 ssl3_free(s);
206}
58964a49 207
6b691a5c 208void tls1_clear(SSL *s)
0f113f3e
MC		 209{
210 ssl3_clear(s);
4fa52141
VD		 211 if (s->method->version == TLS_ANY_VERSION)
212 s->version = TLS_MAX_VERSION;
213 else
214 s->version = s->method->version;
0f113f3e 215}
58964a49 216
525de5d3 217#ifndef OPENSSL_NO_EC
eda3766b 218
0f113f3e
MC		 219typedef struct {
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
223} tls_curve_info;
224
225# define TLS_CURVE_CHAR2 0x1
226# define TLS_CURVE_PRIME 0x0
227
228static const tls_curve_info nid_list[] = {
229 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
230 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
231 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
232 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
233 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
234 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
235 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
236 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
237 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
238 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
239 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
240 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
241 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
242 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
243 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
244 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
245 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
246 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
247 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
248 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
249 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
250 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
251 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
252 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
253 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
254 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
255 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
256 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
257};
258
259static const unsigned char ecformats_default[] = {
260 TLSEXT_ECPOINTFORMAT_uncompressed,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263};
264
fe6ef247
KR		 265/* The default curves */
266static const unsigned char eccurves_default[] = {
de57d237
EK		 267 /* Prefer P-256 which has the fastest and most secure implementations. */
268 0, 23, /* secp256r1 (23) */
269 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 270 0, 25, /* secp521r1 (25) */
271 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 272 0, 27, /* brainpoolP384r1 (27) */
273 0, 24, /* secp384r1 (24) */
de57d237
EK		 274 0, 26, /* brainpoolP256r1 (26) */
275 0, 22, /* secp256k1 (22) */
276 /* >= 256-bit binary curves. */
277 0, 14, /* sect571r1 (14) */
278 0, 13, /* sect571k1 (13) */
279 0, 11, /* sect409k1 (11) */
280 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 281 0, 9, /* sect283k1 (9) */
282 0, 10, /* sect283r1 (10) */
de57d237
EK		 283};
284
285static const unsigned char eccurves_all[] = {
286 /* Prefer P-256 which has the fastest and most secure implementations. */
287 0, 23, /* secp256r1 (23) */
288 /* Other >= 256-bit prime curves. */
289 0, 25, /* secp521r1 (25) */
290 0, 28, /* brainpool512r1 (28) */
291 0, 27, /* brainpoolP384r1 (27) */
292 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 293 0, 26, /* brainpoolP256r1 (26) */
294 0, 22, /* secp256k1 (22) */
de57d237
EK		 295 /* >= 256-bit binary curves. */
296 0, 14, /* sect571r1 (14) */
297 0, 13, /* sect571k1 (13) */
298 0, 11, /* sect409k1 (11) */
299 0, 12, /* sect409r1 (12) */
300 0, 9, /* sect283k1 (9) */
301 0, 10, /* sect283r1 (10) */
302 /*
303 * Remaining curves disabled by default but still permitted if set
304 * via an explicit callback or parameters.
305 */
306 0, 20, /* secp224k1 (20) */
307 0, 21, /* secp224r1 (21) */
308 0, 18, /* secp192k1 (18) */
309 0, 19, /* secp192r1 (19) */
310 0, 15, /* secp160k1 (15) */
311 0, 16, /* secp160r1 (16) */
312 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 313 0, 8, /* sect239k1 (8) */
314 0, 6, /* sect233k1 (6) */
315 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 316 0, 4, /* sect193r1 (4) */
317 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 318 0, 1, /* sect163k1 (1) */
319 0, 2, /* sect163r1 (2) */
320 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 321};
322
de57d237 323
0f113f3e
MC		 324static const unsigned char suiteb_curves[] = {
325 0, TLSEXT_curve_P_256,
326 0, TLSEXT_curve_P_384
327};
2ea80354 328
525de5d3 329int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 330{
331 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 332 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 333 return 0;
334 return nid_list[curve_id - 1].nid;
335}
525de5d3
DSH		 336
337int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 338{
339 /* ECC curves from RFC 4492 and RFC 7027 */
340 switch (nid) {
341 case NID_sect163k1: /* sect163k1 (1) */
342 return 1;
343 case NID_sect163r1: /* sect163r1 (2) */
344 return 2;
345 case NID_sect163r2: /* sect163r2 (3) */
346 return 3;
347 case NID_sect193r1: /* sect193r1 (4) */
348 return 4;
349 case NID_sect193r2: /* sect193r2 (5) */
350 return 5;
351 case NID_sect233k1: /* sect233k1 (6) */
352 return 6;
353 case NID_sect233r1: /* sect233r1 (7) */
354 return 7;
355 case NID_sect239k1: /* sect239k1 (8) */
356 return 8;
357 case NID_sect283k1: /* sect283k1 (9) */
358 return 9;
359 case NID_sect283r1: /* sect283r1 (10) */
360 return 10;
361 case NID_sect409k1: /* sect409k1 (11) */
362 return 11;
363 case NID_sect409r1: /* sect409r1 (12) */
364 return 12;
365 case NID_sect571k1: /* sect571k1 (13) */
366 return 13;
367 case NID_sect571r1: /* sect571r1 (14) */
368 return 14;
369 case NID_secp160k1: /* secp160k1 (15) */
370 return 15;
371 case NID_secp160r1: /* secp160r1 (16) */
372 return 16;
373 case NID_secp160r2: /* secp160r2 (17) */
374 return 17;
375 case NID_secp192k1: /* secp192k1 (18) */
376 return 18;
377 case NID_X9_62_prime192v1: /* secp192r1 (19) */
378 return 19;
379 case NID_secp224k1: /* secp224k1 (20) */
380 return 20;
381 case NID_secp224r1: /* secp224r1 (21) */
382 return 21;
383 case NID_secp256k1: /* secp256k1 (22) */
384 return 22;
385 case NID_X9_62_prime256v1: /* secp256r1 (23) */
386 return 23;
387 case NID_secp384r1: /* secp384r1 (24) */
388 return 24;
389 case NID_secp521r1: /* secp521r1 (25) */
390 return 25;
391 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
392 return 26;
393 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
394 return 27;
395 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
396 return 28;
397 default:
398 return 0;
399 }
400}
401
740580c2
EK		 402/*
403 * Get curves list, if "sess" is set return client curves otherwise
404 * preferred list.
405 * Sets |num_curves| to the number of curves in the list, i.e.,
406 * the length of |pcurves| is 2 * num_curves.
407 * Returns 1 on success and 0 if the client curves list has invalid format.
408 * The latter indicates an internal error: we should not be accepting such
409 * lists in the first place.
410 * TODO(emilia): we should really be storing the curves list in explicitly
411 * parsed form instead. (However, this would affect binary compatibility
412 * so cannot happen in the 1.0.x series.)
fd2b65ce 413 */
740580c2 414static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 415 const unsigned char **pcurves,
416 size_t *num_curves)
417{
418 size_t pcurveslen = 0;
419 if (sess) {
420 *pcurves = s->session->tlsext_ellipticcurvelist;
421 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
422 } else {
423 /* For Suite B mode only include P-256, P-384 */
424 switch (tls1_suiteb(s)) {
425 case SSL_CERT_FLAG_SUITEB_128_LOS:
426 *pcurves = suiteb_curves;
427 pcurveslen = sizeof(suiteb_curves);
428 break;
429
430 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
431 *pcurves = suiteb_curves;
432 pcurveslen = 2;
433 break;
434
435 case SSL_CERT_FLAG_SUITEB_192_LOS:
436 *pcurves = suiteb_curves + 2;
437 pcurveslen = 2;
438 break;
439 default:
440 *pcurves = s->tlsext_ellipticcurvelist;
441 pcurveslen = s->tlsext_ellipticcurvelist_length;
442 }
443 if (!*pcurves) {
fe6ef247
KR		 444 *pcurves = eccurves_default;
445 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 446 }
447 }
448
449 /* We do not allow odd length arrays to enter the system. */
450 if (pcurveslen & 1) {
451 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
452 *num_curves = 0;
453 return 0;
454 } else {
455 *num_curves = pcurveslen / 2;
456 return 1;
457 }
458}
b362ccab
DSH		 459
460/* See if curve is allowed by security callback */
461static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 462{
463 const tls_curve_info *cinfo;
464 if (curve[0])
465 return 1;
b6eb9827 466 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 467 return 0;
468 cinfo = &nid_list[curve[1] - 1];
469# ifdef OPENSSL_NO_EC2M
470 if (cinfo->flags & TLS_CURVE_CHAR2)
471 return 0;
472# endif
473 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
474}
b362ccab 475
d18b716d
DSH		 476/* Check a curve is one of our preferences */
477int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 478{
479 const unsigned char *curves;
480 size_t num_curves, i;
481 unsigned int suiteb_flags = tls1_suiteb(s);
482 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
483 return 0;
484 /* Check curve matches Suite B preferences */
485 if (suiteb_flags) {
486 unsigned long cid = s->s3->tmp.new_cipher->id;
487 if (p[1])
488 return 0;
489 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
490 if (p[2] != TLSEXT_curve_P_256)
491 return 0;
492 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
493 if (p[2] != TLSEXT_curve_P_384)
494 return 0;
495 } else /* Should never happen */
496 return 0;
497 }
498 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
499 return 0;
500 for (i = 0; i < num_curves; i++, curves += 2) {
501 if (p[1] == curves[0] && p[2] == curves[1])
502 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
503 }
504 return 0;
505}
d0595f17 506
1d97c843 507/*-
6977e8ee
KR		 508 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
509 * if there is no match.
510 * For nmatch == -1, return number of matches
376e2ca3
EK		 511 * For nmatch == -2, return the NID of the curve to use for
512 * an EC tmp key, or NID_undef if there is no match.
d0595f17 513 */
a4352630 514int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 515{
516 const unsigned char *pref, *supp;
517 size_t num_pref, num_supp, i, j;
518 int k;
519 /* Can't do anything on client side */
520 if (s->server == 0)
521 return -1;
522 if (nmatch == -2) {
523 if (tls1_suiteb(s)) {
524 /*
525 * For Suite B ciphersuite determines curve: we already know
526 * these are acceptable due to previous checks.
527 */
528 unsigned long cid = s->s3->tmp.new_cipher->id;
529 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
530 return NID_X9_62_prime256v1; /* P-256 */
531 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
532 return NID_secp384r1; /* P-384 */
533 /* Should never happen */
534 return NID_undef;
535 }
536 /* If not Suite B just return first preference shared curve */
537 nmatch = 0;
538 }
539 /*
540 * Avoid truncation. tls1_get_curvelist takes an int
541 * but s->options is a long...
542 */
543 if (!tls1_get_curvelist
544 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
545 &num_supp))
546 /* In practice, NID_undef == 0 but let's be precise. */
547 return nmatch == -1 ? 0 : NID_undef;
548 if (!tls1_get_curvelist
549 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
550 &num_pref))
551 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 552
553 /*
554 * If the client didn't send the elliptic_curves extension all of them
555 * are allowed.
556 */
557 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
558 supp = eccurves_all;
559 num_supp = sizeof(eccurves_all) / 2;
560 } else if (num_pref == 0 &&
561 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
562 pref = eccurves_all;
563 num_pref = sizeof(eccurves_all) / 2;
564 }
565
0f113f3e
MC		 566 k = 0;
567 for (i = 0; i < num_pref; i++, pref += 2) {
568 const unsigned char *tsupp = supp;
569 for (j = 0; j < num_supp; j++, tsupp += 2) {
570 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
571 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
572 continue;
573 if (nmatch == k) {
574 int id = (pref[0] << 8) | pref[1];
575 return tls1_ec_curve_id2nid(id);
576 }
577 k++;
578 }
579 }
580 }
581 if (nmatch == -1)
582 return k;
583 /* Out of range (nmatch > k). */
584 return NID_undef;
585}
d0595f17
DSH		 586
587int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 588 int *curves, size_t ncurves)
589{
590 unsigned char *clist, *p;
591 size_t i;
592 /*
593 * Bitmap of curves included to detect duplicates: only works while curve
594 * ids < 32
595 */
596 unsigned long dup_list = 0;
597 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 598 if (clist == NULL)
0f113f3e
MC		 599 return 0;
600 for (i = 0, p = clist; i < ncurves; i++) {
601 unsigned long idmask;
602 int id;
603 id = tls1_ec_nid2curve_id(curves[i]);
604 idmask = 1L << id;
605 if (!id || (dup_list & idmask)) {
606 OPENSSL_free(clist);
607 return 0;
608 }
609 dup_list |= idmask;
610 s2n(id, p);
611 }
b548a1f1 612 OPENSSL_free(*pext);
0f113f3e
MC		 613 *pext = clist;
614 *pextlen = ncurves * 2;
615 return 1;
616}
617
618# define MAX_CURVELIST 28
619
620typedef struct {
621 size_t nidcnt;
622 int nid_arr[MAX_CURVELIST];
623} nid_cb_st;
d0595f17
DSH		 624
625static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 626{
627 nid_cb_st *narg = arg;
628 size_t i;
629 int nid;
630 char etmp[20];
2747d73c
KR		 631 if (elem == NULL)
632 return 0;
0f113f3e
MC		 633 if (narg->nidcnt == MAX_CURVELIST)
634 return 0;
635 if (len > (int)(sizeof(etmp) - 1))
636 return 0;
637 memcpy(etmp, elem, len);
638 etmp[len] = 0;
639 nid = EC_curve_nist2nid(etmp);
640 if (nid == NID_undef)
641 nid = OBJ_sn2nid(etmp);
642 if (nid == NID_undef)
643 nid = OBJ_ln2nid(etmp);
644 if (nid == NID_undef)
645 return 0;
646 for (i = 0; i < narg->nidcnt; i++)
647 if (narg->nid_arr[i] == nid)
648 return 0;
649 narg->nid_arr[narg->nidcnt++] = nid;
650 return 1;
651}
652
d0595f17 653/* Set curves based on a colon separate list */
0f113f3e
MC		 654int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
655 const char *str)
656{
657 nid_cb_st ncb;
658 ncb.nidcnt = 0;
659 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
660 return 0;
661 if (pext == NULL)
662 return 1;
663 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
664}
665
fd2b65ce
DSH		 666/* For an EC key set TLS id and required compression based on parameters */
667static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 668 EC_KEY *ec)
669{
670 int is_prime, id;
671 const EC_GROUP *grp;
672 const EC_METHOD *meth;
673 if (!ec)
674 return 0;
675 /* Determine if it is a prime field */
676 grp = EC_KEY_get0_group(ec);
677 if (!grp)
678 return 0;
679 meth = EC_GROUP_method_of(grp);
680 if (!meth)
681 return 0;
682 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
683 is_prime = 1;
684 else
685 is_prime = 0;
686 /* Determine curve ID */
687 id = EC_GROUP_get_curve_name(grp);
688 id = tls1_ec_nid2curve_id(id);
689 /* If we have an ID set it, otherwise set arbitrary explicit curve */
690 if (id) {
691 curve_id[0] = 0;
692 curve_id[1] = (unsigned char)id;
693 } else {
694 curve_id[0] = 0xff;
695 if (is_prime)
696 curve_id[1] = 0x01;
697 else
698 curve_id[1] = 0x02;
699 }
700 if (comp_id) {
701 if (EC_KEY_get0_public_key(ec) == NULL)
702 return 0;
703 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
704 if (is_prime)
705 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
706 else
707 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
708 } else
709 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
710 }
711 return 1;
712}
713
fd2b65ce
DSH		 714/* Check an EC key is compatible with extensions */
715static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 716 unsigned char *curve_id, unsigned char *comp_id)
717{
718 const unsigned char *pformats, *pcurves;
719 size_t num_formats, num_curves, i;
720 int j;
721 /*
722 * If point formats extension present check it, otherwise everything is
723 * supported (see RFC4492).
724 */
725 if (comp_id && s->session->tlsext_ecpointformatlist) {
726 pformats = s->session->tlsext_ecpointformatlist;
727 num_formats = s->session->tlsext_ecpointformatlist_length;
728 for (i = 0; i < num_formats; i++, pformats++) {
729 if (*comp_id == *pformats)
730 break;
731 }
732 if (i == num_formats)
733 return 0;
734 }
735 if (!curve_id)
736 return 1;
737 /* Check curve is consistent with client and server preferences */
738 for (j = 0; j <= 1; j++) {
739 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
740 return 0;
b79d2410
MC		 741 if (j == 1 && num_curves == 0) {
742 /*
743 * If we've not received any curves then skip this check.
744 * RFC 4492 does not require the supported elliptic curves extension
745 * so if it is not sent we can just choose any curve.
746 * It is invalid to send an empty list in the elliptic curves
747 * extension, so num_curves == 0 always means no extension.
748 */
749 break;
750 }
0f113f3e
MC		 751 for (i = 0; i < num_curves; i++, pcurves += 2) {
752 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
753 break;
754 }
755 if (i == num_curves)
756 return 0;
757 /* For clients can only check sent curve list */
758 if (!s->server)
759 break;
760 }
761 return 1;
762}
d61ff83b 763
5087afa1 764static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 765 size_t *num_formats)
766{
767 /*
768 * If we have a custom point format list use it otherwise use default
769 */
770 if (s->tlsext_ecpointformatlist) {
771 *pformats = s->tlsext_ecpointformatlist;
772 *num_formats = s->tlsext_ecpointformatlist_length;
773 } else {
774 *pformats = ecformats_default;
775 /* For Suite B we don't support char2 fields */
776 if (tls1_suiteb(s))
777 *num_formats = sizeof(ecformats_default) - 1;
778 else
779 *num_formats = sizeof(ecformats_default);
780 }
781}
782
783/*
784 * Check cert parameters compatible with extensions: currently just checks EC
785 * certificates have compatible curves and compression.
d61ff83b 786 */
2ea80354 787static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 788{
789 unsigned char comp_id, curve_id[2];
790 EVP_PKEY *pkey;
791 int rv;
8382fd3a 792 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 793 if (!pkey)
794 return 0;
795 /* If not EC nothing to do */
3aeb9348 796 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 797 return 1;
3aeb9348 798 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 799 if (!rv)
800 return 0;
801 /*
802 * Can't check curve_id for client certs as we don't have a supported
803 * curves extension.
804 */
805 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
806 if (!rv)
807 return 0;
808 /*
809 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
810 * SHA384+P-384, adjust digest if necessary.
811 */
812 if (set_ee_md && tls1_suiteb(s)) {
813 int check_md;
814 size_t i;
815 CERT *c = s->cert;
816 if (curve_id[0])
817 return 0;
818 /* Check to see we have necessary signing algorithm */
819 if (curve_id[1] == TLSEXT_curve_P_256)
820 check_md = NID_ecdsa_with_SHA256;
821 else if (curve_id[1] == TLSEXT_curve_P_384)
822 check_md = NID_ecdsa_with_SHA384;
823 else
824 return 0; /* Should never happen */
825 for (i = 0; i < c->shared_sigalgslen; i++)
826 if (check_md == c->shared_sigalgs[i].signandhash_nid)
827 break;
828 if (i == c->shared_sigalgslen)
829 return 0;
830 if (set_ee_md == 2) {
831 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 832 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 833 else
d376e57d 834 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 835 }
836 }
837 return rv;
838}
839
10bf4fc2 840# ifndef OPENSSL_NO_EC
6977e8ee
KR		 841/*
842 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
843 * @s: SSL connection
844 * @cid: Cipher ID we're considering using
845 *
846 * Checks that the kECDHE cipher suite we're considering using
847 * is compatible with the client extensions.
848 *
849 * Returns 0 when the cipher can't be used or 1 when it can.
850 */
2ea80354 851int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 852{
0f113f3e
MC		 853# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
854 /* Allow any curve: not just those peer supports */
855 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
856 return 1;
857# endif
858 /*
859 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
860 * curves permitted.
861 */
862 if (tls1_suiteb(s)) {
6977e8ee 863 unsigned char curve_id[2];
0f113f3e
MC		 864 /* Curve to check determined by ciphersuite */
865 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
866 curve_id[1] = TLSEXT_curve_P_256;
867 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
868 curve_id[1] = TLSEXT_curve_P_384;
869 else
870 return 0;
871 curve_id[0] = 0;
872 /* Check this curve is acceptable */
873 if (!tls1_check_ec_key(s, curve_id, NULL))
874 return 0;
fe6ef247 875 return 1;
0f113f3e 876 }
fe6ef247
KR		 877 /* Need a shared curve */
878 if (tls1_shared_curve(s, 0))
879 return 1;
6977e8ee 880 return 0;
0f113f3e 881}
10bf4fc2 882# endif /* OPENSSL_NO_EC */
d0595f17 883
14536c8c
DSH		 884#else
885
886static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 887{
888 return 1;
889}
14536c8c 890
0f113f3e 891#endif /* OPENSSL_NO_EC */
f1fd4544 892
0f113f3e
MC		 893/*
894 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 895 * customisable at some point, for now include everything we support.
896 */
897
e481f9b9
MC		 898#ifdef OPENSSL_NO_RSA
899# define tlsext_sigalg_rsa(md) /* */
900#else
901# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
902#endif
0f113f3e 903
e481f9b9
MC		 904#ifdef OPENSSL_NO_DSA
905# define tlsext_sigalg_dsa(md) /* */
906#else
907# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
908#endif
0f113f3e 909
e481f9b9
MC		 910#ifdef OPENSSL_NO_EC
911# define tlsext_sigalg_ecdsa(md) /* */
912#else
913# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
914#endif
0f113f3e 915
e481f9b9 916#define tlsext_sigalg(md) \
0f113f3e
MC		 917 tlsext_sigalg_rsa(md) \
918 tlsext_sigalg_dsa(md) \
919 tlsext_sigalg_ecdsa(md)
fc101f88 920
d97ed219 921static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 922 tlsext_sigalg(TLSEXT_hash_sha512)
923 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 924 tlsext_sigalg(TLSEXT_hash_sha256)
925 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 926 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 927#ifndef OPENSSL_NO_GOST
928 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
929 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
930 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
931#endif
fc101f88 932};
0f113f3e 933
e481f9b9 934#ifndef OPENSSL_NO_EC
d97ed219 935static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 936 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
937 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 938};
e481f9b9 939#endif
b7bfe69b 940size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 941{
942 /*
943 * If Suite B mode use Suite B sigalgs only, ignore any other
944 * preferences.
945 */
e481f9b9 946#ifndef OPENSSL_NO_EC
0f113f3e
MC		 947 switch (tls1_suiteb(s)) {
948 case SSL_CERT_FLAG_SUITEB_128_LOS:
949 *psigs = suiteb_sigalgs;
950 return sizeof(suiteb_sigalgs);
951
952 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
953 *psigs = suiteb_sigalgs;
954 return 2;
955
956 case SSL_CERT_FLAG_SUITEB_192_LOS:
957 *psigs = suiteb_sigalgs + 2;
958 return 2;
959 }
e481f9b9 960#endif
0f113f3e
MC		 961 /* If server use client authentication sigalgs if not NULL */
962 if (s->server && s->cert->client_sigalgs) {
963 *psigs = s->cert->client_sigalgs;
964 return s->cert->client_sigalgslen;
965 } else if (s->cert->conf_sigalgs) {
966 *psigs = s->cert->conf_sigalgs;
967 return s->cert->conf_sigalgslen;
968 } else {
969 *psigs = tls12_sigalgs;
970 return sizeof(tls12_sigalgs);
971 }
972}
973
974/*
975 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 976 * algorithms and if so return relevant digest.
977 */
978int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 979 const unsigned char *sig, EVP_PKEY *pkey)
980{
981 const unsigned char *sent_sigs;
982 size_t sent_sigslen, i;
983 int sigalg = tls12_get_sigid(pkey);
984 /* Should never happen */
985 if (sigalg == -1)
986 return -1;
987 /* Check key type is consistent with signature */
988 if (sigalg != (int)sig[1]) {
989 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
990 return 0;
991 }
e481f9b9 992#ifndef OPENSSL_NO_EC
3aeb9348 993 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 994 unsigned char curve_id[2], comp_id;
995 /* Check compression and curve matches extensions */
3aeb9348 996 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 997 return 0;
998 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
999 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1000 return 0;
1001 }
1002 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1003 if (tls1_suiteb(s)) {
1004 if (curve_id[0])
1005 return 0;
1006 if (curve_id[1] == TLSEXT_curve_P_256) {
1007 if (sig[0] != TLSEXT_hash_sha256) {
1008 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1009 SSL_R_ILLEGAL_SUITEB_DIGEST);
1010 return 0;
1011 }
1012 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1013 if (sig[0] != TLSEXT_hash_sha384) {
1014 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1015 SSL_R_ILLEGAL_SUITEB_DIGEST);
1016 return 0;
1017 }
1018 } else
1019 return 0;
1020 }
1021 } else if (tls1_suiteb(s))
1022 return 0;
e481f9b9 1023#endif
0f113f3e
MC		 1024
1025 /* Check signature matches a type we sent */
1026 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1027 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1028 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1029 break;
1030 }
1031 /* Allow fallback to SHA1 if not strict mode */
1032 if (i == sent_sigslen
1033 && (sig[0] != TLSEXT_hash_sha1
1034 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1035 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1036 return 0;
1037 }
1038 *pmd = tls12_get_hash(sig[0]);
1039 if (*pmd == NULL) {
1040 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1041 return 0;
1042 }
1043 /* Make sure security callback allows algorithm */
1044 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1045 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1046 (void *)sig)) {
1047 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1048 return 0;
1049 }
1050 /*
1051 * Store the digest used so applications can retrieve it if they wish.
1052 */
d376e57d 1053 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1054 return 1;
1055}
2ea80354 1056
0f113f3e
MC		 1057/*
1058 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1059 * supported or doesn't appear in supported signature algorithms. Unlike
1060 * ssl_cipher_get_disabled this applies to a specific session and not global
1061 * settings.
b7bfe69b
DSH		 1062 */
1063void ssl_set_client_disabled(SSL *s)
0f113f3e 1064{
4d69f9e6
DSH		 1065 s->s3->tmp.mask_a = 0;
1066 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1067 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1068 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1069 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1070 else
4d69f9e6 1071 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1072 /* Disable TLS 1.0 ciphers if using SSL v3 */
1073 if (s->client_version == SSL3_VERSION)
1074 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1075 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1076 /*
1077 * Disable static DH if we don't include any appropriate signature
1078 * algorithms.
1079 */
4d69f9e6 1080 if (s->s3->tmp.mask_a & SSL_aRSA)
bc71f910 1081 s->s3->tmp.mask_k |= SSL_kECDHr;
4d69f9e6
DSH		 1082 if (s->s3->tmp.mask_a & SSL_aECDSA)
1083 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1084# ifndef OPENSSL_NO_PSK
1085 /* with PSK there must be client callback set */
1086 if (!s->psk_client_callback) {
4d69f9e6 1087 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1088 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1089 }
e481f9b9
MC		 1090#endif /* OPENSSL_NO_PSK */
1091#ifndef OPENSSL_NO_SRP
0f113f3e 1092 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1093 s->s3->tmp.mask_a |= SSL_aSRP;
1094 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1095 }
e481f9b9 1096#endif
0f113f3e 1097}
fc101f88 1098
b362ccab 1099int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1100{
4d69f9e6
DSH		 1101 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1102 || c->algorithm_mkey & s->s3->tmp.mask_k
1103 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1104 return 1;
1105 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1106}
b362ccab
DSH		 1107
1108static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1109{
1110 if (s->options & SSL_OP_NO_TICKET)
1111 return 0;
1112 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1113}
ed3883d2 1114
0f113f3e
MC		 1115unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1116 unsigned char *limit, int *al)
1117{
1118 int extdatalen = 0;
1119 unsigned char *orig = buf;
1120 unsigned char *ret = buf;
e481f9b9 1121#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1122 /* See if we support any ECC ciphersuites */
1123 int using_ecc = 0;
1124 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1125 int i;
1126 unsigned long alg_k, alg_a;
1127 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1128
1129 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1130 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1131
1132 alg_k = c->algorithm_mkey;
1133 alg_a = c->algorithm_auth;
13be69f3 1134 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
0f113f3e
MC		 1135 || (alg_a & SSL_aECDSA))) {
1136 using_ecc = 1;
1137 break;
1138 }
1139 }
1140 }
e481f9b9 1141#endif
ed3883d2 1142
0f113f3e 1143 ret += 2;
6434abbf 1144
0f113f3e
MC		 1145 if (ret >= limit)
1146 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1147
0f113f3e
MC		 1148 /* Add RI if renegotiating */
1149 if (s->renegotiate) {
1150 int el;
5a3d8eeb 1151
0f113f3e
MC		 1152 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1153 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1154 return NULL;
1155 }
5a3d8eeb 1156
0f113f3e
MC		 1157 if ((limit - ret - 4 - el) < 0)
1158 return NULL;
5a3d8eeb 1159
0f113f3e
MC		 1160 s2n(TLSEXT_TYPE_renegotiate, ret);
1161 s2n(el, ret);
5a3d8eeb 1162
0f113f3e
MC		 1163 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1164 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1165 return NULL;
5a3d8eeb 1166 }
edc032b5 1167
0f113f3e
MC		 1168 ret += el;
1169 }
1170 /* Only add RI for SSLv3 */
1171 if (s->client_version == SSL3_VERSION)
1172 goto done;
1173
1174 if (s->tlsext_hostname != NULL) {
1175 /* Add TLS extension servername to the Client Hello message */
1176 unsigned long size_str;
1177 long lenmax;
1178
50e735f9
MC		 1179 /*-
1180 * check for enough space.
1181 * 4 for the servername type and entension length
1182 * 2 for servernamelist length
1183 * 1 for the hostname type
1184 * 2 for hostname length
1185 * + hostname length
1186 */
0f113f3e
MC		 1187
1188 if ((lenmax = limit - ret - 9) < 0
1189 || (size_str =
1190 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1191 return NULL;
1192
1193 /* extension type and length */
1194 s2n(TLSEXT_TYPE_server_name, ret);
1195 s2n(size_str + 5, ret);
1196
1197 /* length of servername list */
1198 s2n(size_str + 3, ret);
1199
1200 /* hostname type, length and hostname */
1201 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1202 s2n(size_str, ret);
1203 memcpy(ret, s->tlsext_hostname, size_str);
1204 ret += size_str;
1205 }
e481f9b9 1206#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1207 /* Add SRP username if there is one */
1208 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1209 * Client Hello message */
1210
1211 int login_len = strlen(s->srp_ctx.login);
1212 if (login_len > 255 || login_len == 0) {
1213 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1214 return NULL;
1215 }
761772d7 1216
50e735f9
MC		 1217 /*-
1218 * check for enough space.
1219 * 4 for the srp type type and entension length
1220 * 1 for the srp user identity
1221 * + srp user identity length
1222 */
0f113f3e
MC		 1223 if ((limit - ret - 5 - login_len) < 0)
1224 return NULL;
1225
1226 /* fill in the extension */
1227 s2n(TLSEXT_TYPE_srp, ret);
1228 s2n(login_len + 1, ret);
1229 (*ret++) = (unsigned char)login_len;
1230 memcpy(ret, s->srp_ctx.login, login_len);
1231 ret += login_len;
1232 }
e481f9b9 1233#endif
0f113f3e 1234
e481f9b9 1235#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1236 if (using_ecc) {
1237 /*
1238 * Add TLS extension ECPointFormats to the ClientHello message
1239 */
1240 long lenmax;
1241 const unsigned char *pcurves, *pformats;
1242 size_t num_curves, num_formats, curves_list_len;
1243 size_t i;
1244 unsigned char *etmp;
1245
1246 tls1_get_formatlist(s, &pformats, &num_formats);
1247
1248 if ((lenmax = limit - ret - 5) < 0)
1249 return NULL;
1250 if (num_formats > (size_t)lenmax)
1251 return NULL;
1252 if (num_formats > 255) {
1253 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1254 return NULL;
1255 }
4817504d 1256
0f113f3e
MC		 1257 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1258 /* The point format list has 1-byte length. */
1259 s2n(num_formats + 1, ret);
1260 *(ret++) = (unsigned char)num_formats;
1261 memcpy(ret, pformats, num_formats);
1262 ret += num_formats;
1263
1264 /*
1265 * Add TLS extension EllipticCurves to the ClientHello message
1266 */
1267 pcurves = s->tlsext_ellipticcurvelist;
1268 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1269 return NULL;
1270
1271 if ((lenmax = limit - ret - 6) < 0)
1272 return NULL;
1273 if (num_curves > (size_t)lenmax / 2)
1274 return NULL;
1275 if (num_curves > 65532 / 2) {
1276 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1277 return NULL;
1278 }
ee2ffc27 1279
0f113f3e
MC		 1280 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1281 etmp = ret + 4;
1282 /* Copy curve ID if supported */
1283 for (i = 0; i < num_curves; i++, pcurves += 2) {
1284 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1285 *etmp++ = pcurves[0];
1286 *etmp++ = pcurves[1];
1287 }
1288 }
01f2f18f 1289
0f113f3e
MC		 1290 curves_list_len = etmp - ret - 4;
1291
1292 s2n(curves_list_len + 2, ret);
1293 s2n(curves_list_len, ret);
1294 ret += curves_list_len;
1295 }
e481f9b9 1296#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1297
1298 if (tls_use_ticket(s)) {
1299 int ticklen;
1300 if (!s->new_session && s->session && s->session->tlsext_tick)
1301 ticklen = s->session->tlsext_ticklen;
1302 else if (s->session && s->tlsext_session_ticket &&
1303 s->tlsext_session_ticket->data) {
1304 ticklen = s->tlsext_session_ticket->length;
1305 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1306 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1307 return NULL;
1308 memcpy(s->session->tlsext_tick,
1309 s->tlsext_session_ticket->data, ticklen);
1310 s->session->tlsext_ticklen = ticklen;
1311 } else
1312 ticklen = 0;
1313 if (ticklen == 0 && s->tlsext_session_ticket &&
1314 s->tlsext_session_ticket->data == NULL)
1315 goto skip_ext;
1316 /*
1317 * Check for enough room 2 for extension type, 2 for len rest for
1318 * ticket
1319 */
1320 if ((long)(limit - ret - 4 - ticklen) < 0)
1321 return NULL;
1322 s2n(TLSEXT_TYPE_session_ticket, ret);
1323 s2n(ticklen, ret);
1324 if (ticklen) {
1325 memcpy(ret, s->session->tlsext_tick, ticklen);
1326 ret += ticklen;
1327 }
1328 }
1329 skip_ext:
1330
1331 if (SSL_USE_SIGALGS(s)) {
1332 size_t salglen;
1333 const unsigned char *salg;
1334 unsigned char *etmp;
1335 salglen = tls12_get_psigalgs(s, &salg);
1336 if ((size_t)(limit - ret) < salglen + 6)
1337 return NULL;
1338 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1339 etmp = ret;
1340 /* Skip over lengths for now */
1341 ret += 4;
1342 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1343 /* Fill in lengths */
1344 s2n(salglen + 2, etmp);
1345 s2n(salglen, etmp);
1346 ret += salglen;
1347 }
0f113f3e
MC		 1348
1349 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1350 int i;
1351 long extlen, idlen, itmp;
1352 OCSP_RESPID *id;
1353
1354 idlen = 0;
1355 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1356 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1357 itmp = i2d_OCSP_RESPID(id, NULL);
1358 if (itmp <= 0)
1359 return NULL;
1360 idlen += itmp + 2;
860c3dd1
DSH		 1361 }
1362
0f113f3e
MC		 1363 if (s->tlsext_ocsp_exts) {
1364 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1365 if (extlen < 0)
1366 return NULL;
1367 } else
1368 extlen = 0;
1369
1370 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1371 return NULL;
1372 s2n(TLSEXT_TYPE_status_request, ret);
1373 if (extlen + idlen > 0xFFF0)
1374 return NULL;
1375 s2n(extlen + idlen + 5, ret);
1376 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1377 s2n(idlen, ret);
1378 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1379 /* save position of id len */
1380 unsigned char *q = ret;
1381 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1382 /* skip over id len */
1383 ret += 2;
1384 itmp = i2d_OCSP_RESPID(id, &ret);
1385 /* write id len */
1386 s2n(itmp, q);
1387 }
1388 s2n(extlen, ret);
1389 if (extlen > 0)
1390 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1391 }
e481f9b9 1392#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1393 /* Add Heartbeat extension */
1394 if ((limit - ret - 4 - 1) < 0)
1395 return NULL;
1396 s2n(TLSEXT_TYPE_heartbeat, ret);
1397 s2n(1, ret);
50e735f9
MC		 1398 /*-
1399 * Set mode:
1400 * 1: peer may send requests
1401 * 2: peer not allowed to send requests
1402 */
0f113f3e
MC		 1403 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1404 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1405 else
1406 *(ret++) = SSL_TLSEXT_HB_ENABLED;
e481f9b9 1407#endif
0f113f3e 1408
e481f9b9 1409#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1410 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1411 /*
1412 * The client advertises an emtpy extension to indicate its support
1413 * for Next Protocol Negotiation
1414 */
1415 if (limit - ret - 4 < 0)
1416 return NULL;
1417 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1418 s2n(0, ret);
1419 }
e481f9b9 1420#endif
0f113f3e
MC		 1421
1422 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1423 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1424 return NULL;
1425 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1426 s2n(2 + s->alpn_client_proto_list_len, ret);
1427 s2n(s->alpn_client_proto_list_len, ret);
1428 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1429 ret += s->alpn_client_proto_list_len;
1430 }
e481f9b9 1431#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1432 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1433 int el;
1434
69f68237
MC		 1435 /* Returns 0 on success!! */
1436 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1437 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1438 return NULL;
1439 }
0f113f3e
MC		 1440
1441 if ((limit - ret - 4 - el) < 0)
1442 return NULL;
1443
1444 s2n(TLSEXT_TYPE_use_srtp, ret);
1445 s2n(el, ret);
1446
1447 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1448 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1449 return NULL;
1450 }
1451 ret += el;
1452 }
e481f9b9 1453#endif
0f113f3e
MC		 1454 custom_ext_init(&s->cert->cli_ext);
1455 /* Add custom TLS Extensions to ClientHello */
1456 if (!custom_ext_add(s, 0, &ret, limit, al))
1457 return NULL;
e481f9b9 1458#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1459 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1460 s2n(0, ret);
e481f9b9 1461#endif
ddc06b35
DSH		 1462 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1463 s2n(0, ret);
0f113f3e
MC		 1464
1465 /*
1466 * Add padding to workaround bugs in F5 terminators. See
1467 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1468 * code works out the length of all existing extensions it MUST always
1469 * appear last.
1470 */
1471 if (s->options & SSL_OP_TLSEXT_PADDING) {
1472 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1473
0f113f3e
MC		 1474 if (hlen > 0xff && hlen < 0x200) {
1475 hlen = 0x200 - hlen;
1476 if (hlen >= 4)
1477 hlen -= 4;
1478 else
1479 hlen = 0;
1480
1481 s2n(TLSEXT_TYPE_padding, ret);
1482 s2n(hlen, ret);
1483 memset(ret, 0, hlen);
1484 ret += hlen;
1485 }
1486 }
5a3d8eeb 1487
0f113f3e 1488 done:
5a3d8eeb 1489
0f113f3e
MC		 1490 if ((extdatalen = ret - orig - 2) == 0)
1491 return orig;
5a3d8eeb 1492
0f113f3e
MC		 1493 s2n(extdatalen, orig);
1494 return ret;
1495}
333f926d 1496
0f113f3e
MC		 1497unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1498 unsigned char *limit, int *al)
1499{
1500 int extdatalen = 0;
1501 unsigned char *orig = buf;
1502 unsigned char *ret = buf;
e481f9b9 1503#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1504 int next_proto_neg_seen;
e481f9b9
MC		 1505#endif
1506#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1507 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1508 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1509 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1510 || (alg_a & SSL_aECDSA);
1511 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1512#endif
0f113f3e
MC		 1513
1514 ret += 2;
1515 if (ret >= limit)
1516 return NULL; /* this really never occurs, but ... */
1517
1518 if (s->s3->send_connection_binding) {
1519 int el;
1520
1521 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1522 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1523 return NULL;
1524 }
333f926d 1525
0f113f3e
MC		 1526 if ((limit - ret - 4 - el) < 0)
1527 return NULL;
333f926d 1528
0f113f3e
MC		 1529 s2n(TLSEXT_TYPE_renegotiate, ret);
1530 s2n(el, ret);
333f926d 1531
0f113f3e
MC		 1532 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1533 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1534 return NULL;
1535 }
333f926d 1536
0f113f3e
MC		 1537 ret += el;
1538 }
1539
1540 /* Only add RI for SSLv3 */
1541 if (s->version == SSL3_VERSION)
1542 goto done;
1543
1544 if (!s->hit && s->servername_done == 1
1545 && s->session->tlsext_hostname != NULL) {
1546 if ((long)(limit - ret - 4) < 0)
1547 return NULL;
1548
1549 s2n(TLSEXT_TYPE_server_name, ret);
1550 s2n(0, ret);
1551 }
e481f9b9 1552#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1553 if (using_ecc) {
1554 const unsigned char *plist;
1555 size_t plistlen;
1556 /*
1557 * Add TLS extension ECPointFormats to the ServerHello message
1558 */
1559 long lenmax;
1560
1561 tls1_get_formatlist(s, &plist, &plistlen);
1562
1563 if ((lenmax = limit - ret - 5) < 0)
1564 return NULL;
1565 if (plistlen > (size_t)lenmax)
1566 return NULL;
1567 if (plistlen > 255) {
1568 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1569 return NULL;
1570 }
4817504d 1571
0f113f3e
MC		 1572 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1573 s2n(plistlen + 1, ret);
1574 *(ret++) = (unsigned char)plistlen;
1575 memcpy(ret, plist, plistlen);
1576 ret += plistlen;
1577
1578 }
1579 /*
1580 * Currently the server should not respond with a SupportedCurves
1581 * extension
1582 */
e481f9b9 1583#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1584
1585 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1586 if ((long)(limit - ret - 4) < 0)
1587 return NULL;
1588 s2n(TLSEXT_TYPE_session_ticket, ret);
1589 s2n(0, ret);
1590 }
1591
1592 if (s->tlsext_status_expected) {
1593 if ((long)(limit - ret - 4) < 0)
1594 return NULL;
1595 s2n(TLSEXT_TYPE_status_request, ret);
1596 s2n(0, ret);
1597 }
0f113f3e 1598
e481f9b9 1599#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1600 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1601 int el;
1602
69f68237 1603 /* Returns 0 on success!! */
61986d32 1604 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1605 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1606 return NULL;
1607 }
0f113f3e
MC		 1608 if ((limit - ret - 4 - el) < 0)
1609 return NULL;
1610
1611 s2n(TLSEXT_TYPE_use_srtp, ret);
1612 s2n(el, ret);
1613
1614 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1615 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1616 return NULL;
1617 }
1618 ret += el;
1619 }
e481f9b9 1620#endif
0f113f3e
MC		 1621
1622 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1623 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1624 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1625 const unsigned char cryptopro_ext[36] = {
1626 0xfd, 0xe8, /* 65000 */
1627 0x00, 0x20, /* 32 bytes length */
1628 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1629 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1630 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1631 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1632 };
1633 if (limit - ret < 36)
1634 return NULL;
1635 memcpy(ret, cryptopro_ext, 36);
1636 ret += 36;
1637
1638 }
e481f9b9 1639#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1640 /* Add Heartbeat extension if we've received one */
1641 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1642 if ((limit - ret - 4 - 1) < 0)
1643 return NULL;
1644 s2n(TLSEXT_TYPE_heartbeat, ret);
1645 s2n(1, ret);
50e735f9
MC		 1646 /*-
1647 * Set mode:
1648 * 1: peer may send requests
1649 * 2: peer not allowed to send requests
1650 */
0f113f3e
MC		 1651 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1652 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1653 else
1654 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1655
1656 }
e481f9b9 1657#endif
0f113f3e 1658
e481f9b9 1659#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1660 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1661 s->s3->next_proto_neg_seen = 0;
1662 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1663 const unsigned char *npa;
1664 unsigned int npalen;
1665 int r;
1666
1667 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1668 s->
1669 ctx->next_protos_advertised_cb_arg);
1670 if (r == SSL_TLSEXT_ERR_OK) {
1671 if ((long)(limit - ret - 4 - npalen) < 0)
1672 return NULL;
1673 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1674 s2n(npalen, ret);
1675 memcpy(ret, npa, npalen);
1676 ret += npalen;
1677 s->s3->next_proto_neg_seen = 1;
1678 }
1679 }
e481f9b9 1680#endif
0f113f3e
MC		 1681 if (!custom_ext_add(s, 1, &ret, limit, al))
1682 return NULL;
e481f9b9 1683#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1684 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1685 /*
1686 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1687 * for other cases too.
1688 */
1689 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1690 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1691 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1692 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1693 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1694 else {
1695 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1696 s2n(0, ret);
1697 }
1698 }
e481f9b9 1699#endif
e7f0d921 1700 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1701 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1702 s2n(0, ret);
1703 }
0f113f3e
MC		 1704
1705 if (s->s3->alpn_selected) {
1706 const unsigned char *selected = s->s3->alpn_selected;
1707 unsigned len = s->s3->alpn_selected_len;
1708
1709 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1710 return NULL;
1711 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1712 s2n(3 + len, ret);
1713 s2n(1 + len, ret);
1714 *ret++ = len;
1715 memcpy(ret, selected, len);
1716 ret += len;
1717 }
1718
1719 done:
1720
1721 if ((extdatalen = ret - orig - 2) == 0)
1722 return orig;
1723
1724 s2n(extdatalen, orig);
1725 return ret;
1726}
a398f821 1727
0f113f3e
MC		 1728/*
1729 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1730 * ClientHello. data: the contents of the extension, not including the type
1731 * and length. data_len: the number of bytes in |data| al: a pointer to the
1732 * alert value to send in the event of a non-zero return. returns: 0 on
1733 * success.
1734 */
9ceb2426 1735static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1736{
9ceb2426
MC		 1737 unsigned int data_len;
1738 unsigned int proto_len;
0f113f3e 1739 const unsigned char *selected;
9ceb2426 1740 unsigned char *data;
0f113f3e
MC		 1741 unsigned char selected_len;
1742 int r;
1743
1744 if (s->ctx->alpn_select_cb == NULL)
1745 return 0;
1746
0f113f3e
MC		 1747 /*
1748 * data should contain a uint16 length followed by a series of 8-bit,
1749 * length-prefixed strings.
1750 */
9ceb2426
MC		 1751 if (!PACKET_get_net_2(pkt, &data_len)
1752 || PACKET_remaining(pkt) != data_len
1753 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1754 goto parse_error;
1755
9ceb2426
MC		 1756 do {
1757 if (!PACKET_get_1(pkt, &proto_len)
1758 || proto_len == 0
1759 || !PACKET_forward(pkt, proto_len))
0f113f3e 1760 goto parse_error;
9ceb2426 1761 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1762
1763 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1764 s->ctx->alpn_select_cb_arg);
1765 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1766 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1767 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1768 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1769 *al = SSL_AD_INTERNAL_ERROR;
1770 return -1;
1771 }
1772 memcpy(s->s3->alpn_selected, selected, selected_len);
1773 s->s3->alpn_selected_len = selected_len;
1774 }
1775 return 0;
1776
1777 parse_error:
1778 *al = SSL_AD_DECODE_ERROR;
1779 return -1;
1780}
6f017a8f 1781
e481f9b9 1782#ifndef OPENSSL_NO_EC
1d97c843
TH		 1783/*-
1784 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1785 * SecureTransport using the TLS extension block in |d|, of length |n|.
1786 * Safari, since 10.6, sends exactly these extensions, in this order:
1787 * SNI,
1788 * elliptic_curves
1789 * ec_point_formats
1790 *
1791 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1792 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1793 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1794 * 10.8..10.8.3 (which don't work).
1795 */
68a16628 1796static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1797{
9ceb2426
MC		 1798 unsigned int type, size;
1799 unsigned char *eblock1, *eblock2;
68a16628 1800 PACKET tmppkt;
9ceb2426 1801
0f113f3e
MC		 1802 static const unsigned char kSafariExtensionsBlock[] = {
1803 0x00, 0x0a, /* elliptic_curves extension */
1804 0x00, 0x08, /* 8 bytes */
1805 0x00, 0x06, /* 6 bytes of curve ids */
1806 0x00, 0x17, /* P-256 */
1807 0x00, 0x18, /* P-384 */
1808 0x00, 0x19, /* P-521 */
1809
1810 0x00, 0x0b, /* ec_point_formats */
1811 0x00, 0x02, /* 2 bytes */
1812 0x01, /* 1 point format */
1813 0x00, /* uncompressed */
1814 };
1815
1816 /* The following is only present in TLS 1.2 */
1817 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1818 0x00, 0x0d, /* signature_algorithms */
1819 0x00, 0x0c, /* 12 bytes */
1820 0x00, 0x0a, /* 10 bytes */
1821 0x05, 0x01, /* SHA-384/RSA */
1822 0x04, 0x01, /* SHA-256/RSA */
1823 0x02, 0x01, /* SHA-1/RSA */
1824 0x04, 0x03, /* SHA-256/ECDSA */
1825 0x02, 0x03, /* SHA-1/ECDSA */
1826 };
1827
68a16628
MC		 1828 tmppkt = *pkt;
1829
1830 if (!PACKET_forward(&tmppkt, 2)
1831 || !PACKET_get_net_2(&tmppkt, &type)
1832 || !PACKET_get_net_2(&tmppkt, &size)
1833 || !PACKET_forward(&tmppkt, size))
0f113f3e 1834 return;
0f113f3e
MC		 1835
1836 if (type != TLSEXT_TYPE_server_name)
1837 return;
1838
0f113f3e
MC		 1839 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1840 const size_t len1 = sizeof(kSafariExtensionsBlock);
1841 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1842
68a16628
MC		 1843 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1844 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1845 || PACKET_remaining(&tmppkt))
0f113f3e 1846 return;
9ceb2426 1847 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1848 return;
9ceb2426 1849 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1850 return;
1851 } else {
1852 const size_t len = sizeof(kSafariExtensionsBlock);
1853
68a16628
MC		 1854 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1855 || PACKET_remaining(&tmppkt))
0f113f3e 1856 return;
9ceb2426 1857 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1858 return;
1859 }
1860
1861 s->s3->is_probably_safari = 1;
dece3209 1862}
e481f9b9 1863#endif /* !OPENSSL_NO_EC */
0f113f3e 1864
9ceb2426 1865static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1866{
9ceb2426
MC		 1867 unsigned int type;
1868 unsigned int size;
1869 unsigned int len;
1870 unsigned char *data;
0f113f3e
MC		 1871 int renegotiate_seen = 0;
1872
1873 s->servername_done = 0;
1874 s->tlsext_status_type = -1;
e481f9b9 1875#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1876 s->s3->next_proto_neg_seen = 0;
e481f9b9 1877#endif
0f113f3e 1878
b548a1f1
RS		 1879 OPENSSL_free(s->s3->alpn_selected);
1880 s->s3->alpn_selected = NULL;
e481f9b9 1881#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1882 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1883 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1884#endif
0f113f3e 1885
e481f9b9 1886#ifndef OPENSSL_NO_EC
0f113f3e 1887 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1888 ssl_check_for_safari(s, pkt);
1889# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1890
1891 /* Clear any signature algorithms extension received */
76106e60
DSH		 1892 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1893 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1894#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1895 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1896#endif
0f113f3e 1897
e481f9b9 1898#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1899 OPENSSL_free(s->srp_ctx.login);
1900 s->srp_ctx.login = NULL;
e481f9b9 1901#endif
0f113f3e
MC		 1902
1903 s->srtp_profile = NULL;
1904
9ceb2426 1905 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1906 goto ri_check;
1907
9ceb2426 1908 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1909 goto err;
1910
52a48f9e
AG		 1911 if (PACKET_remaining(pkt) != len)
1912 goto err;
1913
9ceb2426
MC		 1914 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1915 PACKET subpkt;
0f113f3e 1916
9ceb2426 1917 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1918 goto err;
9ceb2426 1919
0f113f3e
MC		 1920 if (s->tlsext_debug_cb)
1921 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1922
1923 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1924 goto err;
1925
0f113f3e 1926 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1927 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1928 return 0;
1929 renegotiate_seen = 1;
1930 } else if (s->version == SSL3_VERSION) {
1931 }
1d97c843
TH		 1932/*-
1933 * The servername extension is treated as follows:
1934 *
1935 * - Only the hostname type is supported with a maximum length of 255.
1936 * - The servername is rejected if too long or if it contains zeros,
1937 * in which case an fatal alert is generated.
1938 * - The servername field is maintained together with the session cache.
1939 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1940 * to allow the application to position itself to the right context.
1941 * - The servername is acknowledged if it is new for a session or when
1942 * it is identical to a previously used for the same session.
1d97c843
TH		 1943 * Applications can control the behaviour. They can at any time
1944 * set a 'desirable' servername for a new SSL object. This can be the
1945 * case for example with HTTPS when a Host: header field is received and
1946 * a renegotiation is requested. In this case, a possible servername
1947 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1948 * the value of the Host: field.
1d97c843 1949 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1950 * if they provide for changing an explicit servername context for the
1951 * session, i.e. when the session has been established with a servername
1952 * extension.
1953 * - On session reconnect, the servername extension may be absent.
1d97c843 1954 *
0f113f3e 1955 */
ed3883d2 1956
0f113f3e
MC		 1957 else if (type == TLSEXT_TYPE_server_name) {
1958 unsigned char *sdata;
9ceb2426
MC		 1959 unsigned int servname_type;
1960 unsigned int dsize;
1961 PACKET ssubpkt;
0f113f3e 1962
9ceb2426
MC		 1963 if (!PACKET_get_net_2(&subpkt, &dsize)
1964 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 1965 goto err;
0f113f3e 1966
9ceb2426
MC		 1967 while (PACKET_remaining(&ssubpkt) > 3) {
1968 if (!PACKET_get_1(&ssubpkt, &servname_type)
1969 || !PACKET_get_net_2(&ssubpkt, &len)
1970 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 1971 goto err;
1972
0f113f3e
MC		 1973 if (s->servername_done == 0)
1974 switch (servname_type) {
1975 case TLSEXT_NAMETYPE_host_name:
1976 if (!s->hit) {
54e3ad00
MC		 1977 if (s->session->tlsext_hostname)
1978 goto err;
1979
0f113f3e
MC		 1980 if (len > TLSEXT_MAXLEN_host_name) {
1981 *al = TLS1_AD_UNRECOGNIZED_NAME;
1982 return 0;
1983 }
1984 if ((s->session->tlsext_hostname =
1985 OPENSSL_malloc(len + 1)) == NULL) {
1986 *al = TLS1_AD_INTERNAL_ERROR;
1987 return 0;
1988 }
9ceb2426
MC		 1989 if (!PACKET_copy_bytes(&ssubpkt,
1990 (unsigned char *)s->session
1991 ->tlsext_hostname,
1992 len)) {
1993 *al = SSL_AD_DECODE_ERROR;
1994 return 0;
1995 }
0f113f3e
MC		 1996 s->session->tlsext_hostname[len] = '\0';
1997 if (strlen(s->session->tlsext_hostname) != len) {
1998 OPENSSL_free(s->session->tlsext_hostname);
1999 s->session->tlsext_hostname = NULL;
2000 *al = TLS1_AD_UNRECOGNIZED_NAME;
2001 return 0;
2002 }
2003 s->servername_done = 1;
761772d7 2004
9ceb2426
MC		 2005 } else {
2006 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2007 *al = SSL_AD_DECODE_ERROR;
2008 return 0;
2009 }
0f113f3e
MC		 2010 s->servername_done = s->session->tlsext_hostname
2011 && strlen(s->session->tlsext_hostname) == len
2012 && strncmp(s->session->tlsext_hostname,
2013 (char *)sdata, len) == 0;
9ceb2426 2014 }
b2284ed3 2015
0f113f3e 2016 break;
ee2ffc27 2017
0f113f3e
MC		 2018 default:
2019 break;
2020 }
0f113f3e 2021 }
9ceb2426 2022 /* We shouldn't have any bytes left */
bc6616a4 2023 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2024 goto err;
6f017a8f 2025
0f113f3e 2026 }
e481f9b9 2027#ifndef OPENSSL_NO_SRP
0f113f3e 2028 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2029 if (!PACKET_get_1(&subpkt, &len)
2030 || s->srp_ctx.login != NULL)
54e3ad00 2031 goto err;
9ceb2426 2032
0f113f3e
MC		 2033 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2034 return -1;
9ceb2426
MC		 2035 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2036 len))
2037 goto err;
0f113f3e
MC		 2038 s->srp_ctx.login[len] = '\0';
2039
9ceb2426
MC		 2040 if (strlen(s->srp_ctx.login) != len
2041 || PACKET_remaining(&subpkt))
54e3ad00 2042 goto err;
0f113f3e 2043 }
e481f9b9 2044#endif
0f113f3e 2045
e481f9b9 2046#ifndef OPENSSL_NO_EC
0f113f3e 2047 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2048 unsigned int ecpointformatlist_length;
0f113f3e 2049
9ceb2426
MC		 2050 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2051 || ecpointformatlist_length == 0)
54e3ad00 2052 goto err;
9ceb2426 2053
0f113f3e 2054 if (!s->hit) {
b548a1f1
RS		 2055 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2056 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2057 s->session->tlsext_ecpointformatlist_length = 0;
2058 if ((s->session->tlsext_ecpointformatlist =
2059 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2060 *al = TLS1_AD_INTERNAL_ERROR;
2061 return 0;
2062 }
2063 s->session->tlsext_ecpointformatlist_length =
2064 ecpointformatlist_length;
9ceb2426
MC		 2065 if (!PACKET_copy_bytes(&subpkt,
2066 s->session->tlsext_ecpointformatlist,
2067 ecpointformatlist_length))
2068 goto err;
2069 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2070 goto err;
2071 }
2072 /* We should have consumed all the bytes by now */
2073 if (PACKET_remaining(&subpkt)) {
2074 *al = TLS1_AD_DECODE_ERROR;
2075 return 0;
0f113f3e 2076 }
0f113f3e 2077 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2078 unsigned int ellipticcurvelist_length;
0f113f3e 2079
9ceb2426
MC		 2080 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2081 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2082 || ellipticcurvelist_length == 0
2083 || (ellipticcurvelist_length & 1) != 0)
2084 goto err;
54e3ad00 2085
0f113f3e 2086 if (!s->hit) {
54e3ad00
MC		 2087 if (s->session->tlsext_ellipticcurvelist)
2088 goto err;
2089
0f113f3e
MC		 2090 s->session->tlsext_ellipticcurvelist_length = 0;
2091 if ((s->session->tlsext_ellipticcurvelist =
2092 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2093 *al = TLS1_AD_INTERNAL_ERROR;
2094 return 0;
2095 }
2096 s->session->tlsext_ellipticcurvelist_length =
2097 ellipticcurvelist_length;
9ceb2426
MC		 2098 if (!PACKET_copy_bytes(&subpkt,
2099 s->session->tlsext_ellipticcurvelist,
2100 ellipticcurvelist_length))
2101 goto err;
2102 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2103 goto err;
2104 }
2105 /* We should have consumed all the bytes by now */
2106 if (PACKET_remaining(&subpkt)) {
2107 goto err;
0f113f3e 2108 }
0f113f3e 2109 }
e481f9b9 2110#endif /* OPENSSL_NO_EC */
0f113f3e 2111 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2112 if (!PACKET_forward(&subpkt, size)
2113 || (s->tls_session_ticket_ext_cb &&
2114 !s->tls_session_ticket_ext_cb(s, data, size,
2115 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2116 *al = TLS1_AD_INTERNAL_ERROR;
2117 return 0;
2118 }
2119 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2120 unsigned int dsize;
2121
2122 if (s->s3->tmp.peer_sigalgs
2123 || !PACKET_get_net_2(&subpkt, &dsize)
2124 || (dsize & 1) != 0
2125 || (dsize == 0)
2126 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2127 || PACKET_remaining(&subpkt) != 0
9ceb2426 2128 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2129 goto err;
9ceb2426 2130 }
0f113f3e 2131 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2132 PACKET ssubpkt;
0f113f3e 2133
9ceb2426
MC		 2134 if (!PACKET_get_1(&subpkt,
2135 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2136 goto err;
0f113f3e 2137
0f113f3e
MC		 2138 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2139 const unsigned char *sdata;
9ceb2426 2140 unsigned int dsize;
0f113f3e 2141 /* Read in responder_id_list */
9ceb2426
MC		 2142 if (!PACKET_get_net_2(&subpkt, &dsize)
2143 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2144 goto err;
9ceb2426
MC		 2145
2146 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2147 OCSP_RESPID *id;
9ceb2426
MC		 2148 unsigned int idsize;
2149
2150 if (PACKET_remaining(&ssubpkt) < 4
2151 || !PACKET_get_net_2(&ssubpkt, &idsize)
2152 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2153 goto err;
9ceb2426 2154 }
0f113f3e
MC		 2155 sdata = data;
2156 data += idsize;
2157 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2158 if (!id)
2159 goto err;
0f113f3e
MC		 2160 if (data != sdata) {
2161 OCSP_RESPID_free(id);
54e3ad00 2162 goto err;
0f113f3e
MC		 2163 }
2164 if (!s->tlsext_ocsp_ids
2165 && !(s->tlsext_ocsp_ids =
2166 sk_OCSP_RESPID_new_null())) {
2167 OCSP_RESPID_free(id);
2168 *al = SSL_AD_INTERNAL_ERROR;
2169 return 0;
2170 }
2171 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2172 OCSP_RESPID_free(id);
2173 *al = SSL_AD_INTERNAL_ERROR;
2174 return 0;
2175 }
2176 }
4817504d 2177
0f113f3e 2178 /* Read in request_extensions */
9ceb2426
MC		 2179 if (!PACKET_get_net_2(&subpkt, &dsize)
2180 || !PACKET_get_bytes(&subpkt, &data, dsize)
2181 || PACKET_remaining(&subpkt)) {
54e3ad00 2182 goto err;
9ceb2426 2183 }
0f113f3e
MC		 2184 sdata = data;
2185 if (dsize > 0) {
222561fe
RS		 2186 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2187 X509_EXTENSION_free);
0f113f3e
MC		 2188 s->tlsext_ocsp_exts =
2189 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2190 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2191 goto err;
0f113f3e
MC		 2192 }
2193 }
2194 /*
2195 * We don't know what to do with any other type * so ignore it.
2196 */
2197 else
2198 s->tlsext_status_type = -1;
2199 }
e481f9b9 2200#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2201 else if (type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2202 unsigned int hbtype;
2203
2204 if (!PACKET_get_1(&subpkt, &hbtype)
2205 || PACKET_remaining(&subpkt)) {
2206 *al = SSL_AD_DECODE_ERROR;
2207 return 0;
2208 }
2209 switch (hbtype) {
0f113f3e
MC		 2210 case 0x01: /* Client allows us to send HB requests */
2211 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2212 break;
2213 case 0x02: /* Client doesn't accept HB requests */
2214 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2215 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2216 break;
2217 default:
2218 *al = SSL_AD_ILLEGAL_PARAMETER;
2219 return 0;
2220 }
2221 }
e481f9b9
MC		 2222#endif
2223#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2224 else if (type == TLSEXT_TYPE_next_proto_neg &&
2225 s->s3->tmp.finish_md_len == 0 &&
2226 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2227 /*-
2228 * We shouldn't accept this extension on a
2229 * renegotiation.
2230 *
2231 * s->new_session will be set on renegotiation, but we
2232 * probably shouldn't rely that it couldn't be set on
2233 * the initial renegotation too in certain cases (when
2234 * there's some other reason to disallow resuming an
2235 * earlier session -- the current code won't be doing
2236 * anything like that, but this might change).
2237 *
2238 * A valid sign that there's been a previous handshake
2239 * in this connection is if s->s3->tmp.finish_md_len >
2240 * 0. (We are talking about a check that will happen
2241 * in the Hello protocol round, well before a new
2242 * Finished message could have been computed.)
2243 */
0f113f3e
MC		 2244 s->s3->next_proto_neg_seen = 1;
2245 }
e481f9b9 2246#endif
0f113f3e
MC		 2247
2248 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2249 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2250 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2251 return 0;
e481f9b9 2252#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2253 /* ALPN takes precedence over NPN. */
2254 s->s3->next_proto_neg_seen = 0;
e481f9b9 2255#endif
0f113f3e 2256 }
5e3ff62c 2257
0f113f3e 2258 /* session ticket processed earlier */
e481f9b9 2259#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2260 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2261 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2262 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2263 return 0;
2264 }
e481f9b9
MC		 2265#endif
2266#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2267 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2268 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2269#endif
e7f0d921
DSH		 2270 /*
2271 * Note: extended master secret extension handled in
2272 * tls_check_serverhello_tlsext_early()
2273 */
2274
0f113f3e
MC		 2275 /*
2276 * If this ClientHello extension was unhandled and this is a
2277 * nonresumed connection, check whether the extension is a custom
2278 * TLS Extension (has a custom_srv_ext_record), and if so call the
2279 * callback and record the extension number so that an appropriate
2280 * ServerHello may be later returned.
2281 */
2282 else if (!s->hit) {
2283 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2284 return 0;
2285 }
0f113f3e 2286 }
6f017a8f 2287
54e3ad00 2288 /* Spurious data on the end */
9ceb2426 2289 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2290 goto err;
2291
0f113f3e 2292 ri_check:
ed3883d2 2293
0f113f3e
MC		 2294 /* Need RI if renegotiating */
2295
2296 if (!renegotiate_seen && s->renegotiate &&
2297 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2298 *al = SSL_AD_HANDSHAKE_FAILURE;
2299 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2300 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2301 return 0;
2302 }
2303
2304 return 1;
54e3ad00
MC		 2305err:
2306 *al = SSL_AD_DECODE_ERROR;
2307 return 0;
0f113f3e
MC		 2308}
2309
9ceb2426 2310int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2311{
2312 int al = -1;
2313 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2314 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2315 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2316 return 0;
2317 }
2318
2319 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2320 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2321 return 0;
2322 }
2323 return 1;
2324}
2325
e481f9b9 2326#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2327/*
2328 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2329 * elements of zero length are allowed and the set of elements must exactly
2330 * fill the length of the block.
2331 */
50932c4a 2332static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2333{
50932c4a 2334 unsigned int len;
0f113f3e 2335
50932c4a
MC		 2336 while (PACKET_remaining(pkt)) {
2337 if (!PACKET_get_1(pkt, &len)
2338 || !PACKET_forward(pkt, len))
0f113f3e 2339 return 0;
0f113f3e
MC		 2340 }
2341
50932c4a 2342 return 1;
0f113f3e 2343}
e481f9b9 2344#endif
0f113f3e 2345
50932c4a 2346static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2347{
50932c4a 2348 unsigned int length, type, size;
0f113f3e
MC		 2349 int tlsext_servername = 0;
2350 int renegotiate_seen = 0;
2351
e481f9b9 2352#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2353 s->s3->next_proto_neg_seen = 0;
e481f9b9 2354#endif
0f113f3e
MC		 2355 s->tlsext_ticket_expected = 0;
2356
b548a1f1
RS		 2357 OPENSSL_free(s->s3->alpn_selected);
2358 s->s3->alpn_selected = NULL;
e481f9b9 2359#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 2360 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2361 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2362#endif
0f113f3e 2363
e481f9b9 2364#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2365 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2366#endif
0f113f3e 2367
e7f0d921
DSH		 2368 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2369
50932c4a 2370 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2371 goto ri_check;
2372
50932c4a 2373 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2374 *al = SSL_AD_DECODE_ERROR;
2375 return 0;
2376 }
2377
50932c4a
MC		 2378 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2379 unsigned char *data;
2380 PACKET spkt;
0f113f3e 2381
50932c4a
MC		 2382 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2383 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2384 goto ri_check;
2385
2386 if (s->tlsext_debug_cb)
2387 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2388
2389 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2390 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2391 return 0;
2392 renegotiate_seen = 1;
2393 } else if (s->version == SSL3_VERSION) {
2394 } else if (type == TLSEXT_TYPE_server_name) {
2395 if (s->tlsext_hostname == NULL || size > 0) {
2396 *al = TLS1_AD_UNRECOGNIZED_NAME;
2397 return 0;
2398 }
2399 tlsext_servername = 1;
2400 }
e481f9b9 2401#ifndef OPENSSL_NO_EC
0f113f3e 2402 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2403 unsigned int ecpointformatlist_length;
2404 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2405 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2406 *al = TLS1_AD_DECODE_ERROR;
2407 return 0;
2408 }
2409 if (!s->hit) {
2410 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2411 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2412 if ((s->session->tlsext_ecpointformatlist =
2413 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2414 *al = TLS1_AD_INTERNAL_ERROR;
2415 return 0;
2416 }
2417 s->session->tlsext_ecpointformatlist_length =
2418 ecpointformatlist_length;
50932c4a
MC		 2419 if (!PACKET_copy_bytes(&spkt,
2420 s->session->tlsext_ecpointformatlist,
2421 ecpointformatlist_length)) {
2422 *al = TLS1_AD_DECODE_ERROR;
2423 return 0;
2424 }
2425
0f113f3e 2426 }
0f113f3e 2427 }
e481f9b9 2428#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2429
2430 else if (type == TLSEXT_TYPE_session_ticket) {
2431 if (s->tls_session_ticket_ext_cb &&
2432 !s->tls_session_ticket_ext_cb(s, data, size,
2433 s->tls_session_ticket_ext_cb_arg))
2434 {
2435 *al = TLS1_AD_INTERNAL_ERROR;
2436 return 0;
2437 }
2438 if (!tls_use_ticket(s) || (size > 0)) {
2439 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2440 return 0;
2441 }
2442 s->tlsext_ticket_expected = 1;
2443 }
0f113f3e
MC		 2444 else if (type == TLSEXT_TYPE_status_request) {
2445 /*
2446 * MUST be empty and only sent if we've requested a status
2447 * request message.
2448 */
2449 if ((s->tlsext_status_type == -1) || (size > 0)) {
2450 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2451 return 0;
2452 }
2453 /* Set flag to expect CertificateStatus message */
2454 s->tlsext_status_expected = 1;
2455 }
e481f9b9 2456#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2457 else if (type == TLSEXT_TYPE_next_proto_neg &&
2458 s->s3->tmp.finish_md_len == 0) {
2459 unsigned char *selected;
2460 unsigned char selected_len;
0f113f3e
MC		 2461 /* We must have requested it. */
2462 if (s->ctx->next_proto_select_cb == NULL) {
2463 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2464 return 0;
2465 }
2466 /* The data must be valid */
50932c4a 2467 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2468 *al = TLS1_AD_DECODE_ERROR;
2469 return 0;
2470 }
2471 if (s->
2472 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2473 size,
2474 s->ctx->next_proto_select_cb_arg) !=
2475 SSL_TLSEXT_ERR_OK) {
2476 *al = TLS1_AD_INTERNAL_ERROR;
2477 return 0;
2478 }
2479 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2480 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2481 *al = TLS1_AD_INTERNAL_ERROR;
2482 return 0;
2483 }
2484 memcpy(s->next_proto_negotiated, selected, selected_len);
2485 s->next_proto_negotiated_len = selected_len;
2486 s->s3->next_proto_neg_seen = 1;
2487 }
e481f9b9 2488#endif
0f113f3e
MC		 2489
2490 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2491 unsigned len;
0f113f3e
MC		 2492 /* We must have requested it. */
2493 if (s->alpn_client_proto_list == NULL) {
2494 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2495 return 0;
2496 }
50e735f9
MC		 2497 /*-
2498 * The extension data consists of:
2499 * uint16 list_length
2500 * uint8 proto_length;
2501 * uint8 proto[proto_length];
2502 */
50932c4a
MC		 2503 if (!PACKET_get_net_2(&spkt, &len)
2504 || PACKET_remaining(&spkt) != len
2505 || !PACKET_get_1(&spkt, &len)
2506 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2507 *al = TLS1_AD_DECODE_ERROR;
2508 return 0;
2509 }
b548a1f1 2510 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2511 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2512 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2513 *al = TLS1_AD_INTERNAL_ERROR;
2514 return 0;
2515 }
50932c4a
MC		 2516 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2517 *al = TLS1_AD_DECODE_ERROR;
2518 return 0;
2519 }
0f113f3e
MC		 2520 s->s3->alpn_selected_len = len;
2521 }
e481f9b9 2522#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2523 else if (type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2524 unsigned int hbtype;
2525 if (!PACKET_get_1(&spkt, &hbtype)) {
2526 *al = SSL_AD_DECODE_ERROR;
2527 return 0;
2528 }
2529 switch (hbtype) {
0f113f3e
MC		 2530 case 0x01: /* Server allows us to send HB requests */
2531 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2532 break;
2533 case 0x02: /* Server doesn't accept HB requests */
2534 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2535 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2536 break;
2537 default:
2538 *al = SSL_AD_ILLEGAL_PARAMETER;
2539 return 0;
2540 }
2541 }
e481f9b9
MC		 2542#endif
2543#ifndef OPENSSL_NO_SRTP
0f113f3e 2544 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2545 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2546 return 0;
2547 }
e481f9b9
MC		 2548#endif
2549#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2550 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2551 /* Ignore if inappropriate ciphersuite */
2552 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2553 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2554 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2555 }
e481f9b9 2556#endif
ddc06b35 2557 else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2558 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2559 if (!s->hit)
2560 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2561 }
0f113f3e
MC		 2562 /*
2563 * If this extension type was not otherwise handled, but matches a
2564 * custom_cli_ext_record, then send it to the c callback
2565 */
2566 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2567 return 0;
0f113f3e
MC		 2568 }
2569
50932c4a 2570 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2571 *al = SSL_AD_DECODE_ERROR;
2572 return 0;
2573 }
2574
2575 if (!s->hit && tlsext_servername == 1) {
2576 if (s->tlsext_hostname) {
2577 if (s->session->tlsext_hostname == NULL) {
7644a9ae 2578 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2579 if (!s->session->tlsext_hostname) {
2580 *al = SSL_AD_UNRECOGNIZED_NAME;
2581 return 0;
2582 }
2583 } else {
2584 *al = SSL_AD_DECODE_ERROR;
2585 return 0;
2586 }
2587 }
2588 }
2589
0f113f3e
MC		 2590 ri_check:
2591
2592 /*
2593 * Determine if we need to see RI. Strictly speaking if we want to avoid
2594 * an attack we should *always* see RI even on initial server hello
2595 * because the client doesn't see any renegotiation during an attack.
2596 * However this would mean we could not connect to any server which
2597 * doesn't support RI so for the immediate future tolerate RI absence on
2598 * initial connect only.
2599 */
2600 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2601 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2602 *al = SSL_AD_HANDSHAKE_FAILURE;
2603 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2604 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2605 return 0;
2606 }
2607
e7f0d921
DSH		 2608 if (s->hit) {
2609 /*
2610 * Check extended master secret extension is consistent with
2611 * original session.
2612 */
2613 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2614 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2615 *al = SSL_AD_HANDSHAKE_FAILURE;
2616 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2617 return 0;
2618 }
2619 }
2620
0f113f3e
MC		 2621 return 1;
2622}
b2172f4f 2623
36ca4ba6 2624int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2625{
2626
0f113f3e
MC		 2627 return 1;
2628}
36ca4ba6
BM		 2629
2630int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2631{
2632 return 1;
2633}
36ca4ba6 2634
2daceb03 2635static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2636{
2637 int ret = SSL_TLSEXT_ERR_NOACK;
2638 int al = SSL_AD_UNRECOGNIZED_NAME;
2639
e481f9b9 2640#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2641 /*
2642 * The handling of the ECPointFormats extension is done elsewhere, namely
2643 * in ssl3_choose_cipher in s3_lib.c.
2644 */
2645 /*
2646 * The handling of the EllipticCurves extension is done elsewhere, namely
2647 * in ssl3_choose_cipher in s3_lib.c.
2648 */
e481f9b9 2649#endif
0f113f3e
MC		 2650
2651 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2652 ret =
2653 s->ctx->tlsext_servername_callback(s, &al,
2654 s->ctx->tlsext_servername_arg);
2655 else if (s->initial_ctx != NULL
2656 && s->initial_ctx->tlsext_servername_callback != 0)
2657 ret =
2658 s->initial_ctx->tlsext_servername_callback(s, &al,
2659 s->
2660 initial_ctx->tlsext_servername_arg);
2661
0f113f3e
MC		 2662 switch (ret) {
2663 case SSL_TLSEXT_ERR_ALERT_FATAL:
2664 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2665 return -1;
2666
2667 case SSL_TLSEXT_ERR_ALERT_WARNING:
2668 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2669 return 1;
2670
2671 case SSL_TLSEXT_ERR_NOACK:
2672 s->servername_done = 0;
2673 default:
2674 return 1;
2675 }
2676}
d376e57d 2677/* Initialise digests to default values */
a0f63828 2678void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2679{
2680 const EVP_MD **pmd = s->s3->tmp.md;
2681#ifndef OPENSSL_NO_DSA
152fbc28 2682 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2683#endif
2684#ifndef OPENSSL_NO_RSA
d18d31a1 2685 if (SSL_USE_SIGALGS(s))
152fbc28 2686 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2687 else
152fbc28 2688 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2689 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2690#endif
2691#ifndef OPENSSL_NO_EC
152fbc28 2692 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2693#endif
e44380a9 2694#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2695 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2696 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2697 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2698#endif
d376e57d 2699}
f1fd4544 2700
e469af8d 2701int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2702{
2703 int al;
2704 size_t i;
2705 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2706 OPENSSL_free(s->cert->shared_sigalgs);
2707 s->cert->shared_sigalgs = NULL;
2708 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2709 /* Clear certificate digests and validity flags */
2710 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2711 s->s3->tmp.md[i] = NULL;
6383d316 2712 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2713 }
2714
2715 /* If sigalgs received process it. */
76106e60 2716 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2717 if (!tls1_process_sigalgs(s)) {
2718 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2719 al = SSL_AD_INTERNAL_ERROR;
2720 goto err;
2721 }
2722 /* Fatal error is no shared signature algorithms */
2723 if (!s->cert->shared_sigalgs) {
2724 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2725 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2726 al = SSL_AD_ILLEGAL_PARAMETER;
2727 goto err;
2728 }
d376e57d
DSH		 2729 } else {
2730 ssl_set_default_md(s);
2731 }
0f113f3e
MC		 2732 return 1;
2733 err:
2734 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2735 return 0;
2736}
e469af8d 2737
2daceb03 2738int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2739{
2740 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2741 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2742
2743 /*
2744 * If status request then ask callback what to do. Note: this must be
2745 * called after servername callbacks in case the certificate has changed,
2746 * and must be called after the cipher has been chosen because this may
2747 * influence which certificate is sent
2748 */
2749 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2750 int r;
2751 CERT_PKEY *certpkey;
2752 certpkey = ssl_get_server_send_pkey(s);
2753 /* If no certificate can't return certificate status */
2754 if (certpkey == NULL) {
2755 s->tlsext_status_expected = 0;
2756 return 1;
2757 }
2758 /*
2759 * Set current certificate to one we will use so SSL_get_certificate
2760 * et al can pick it up.
2761 */
2762 s->cert->key = certpkey;
2763 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2764 switch (r) {
2765 /* We don't want to send a status request response */
2766 case SSL_TLSEXT_ERR_NOACK:
2767 s->tlsext_status_expected = 0;
2768 break;
2769 /* status request response should be sent */
2770 case SSL_TLSEXT_ERR_OK:
2771 if (s->tlsext_ocsp_resp)
2772 s->tlsext_status_expected = 1;
2773 else
2774 s->tlsext_status_expected = 0;
2775 break;
2776 /* something bad happened */
2777 case SSL_TLSEXT_ERR_ALERT_FATAL:
2778 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2779 al = SSL_AD_INTERNAL_ERROR;
2780 goto err;
2781 }
2782 } else
2783 s->tlsext_status_expected = 0;
2daceb03
BL		 2784
2785 err:
0f113f3e
MC		 2786 switch (ret) {
2787 case SSL_TLSEXT_ERR_ALERT_FATAL:
2788 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2789 return -1;
2790
2791 case SSL_TLSEXT_ERR_ALERT_WARNING:
2792 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2793 return 1;
2794
2795 default:
2796 return 1;
2797 }
2798}
2daceb03 2799
36ca4ba6 2800int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2801{
2802 int ret = SSL_TLSEXT_ERR_NOACK;
2803 int al = SSL_AD_UNRECOGNIZED_NAME;
2804
e481f9b9 2805#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2806 /*
2807 * If we are client and using an elliptic curve cryptography cipher
2808 * suite, then if server returns an EC point formats lists extension it
2809 * must contain uncompressed.
2810 */
2811 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2812 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2813 if ((s->tlsext_ecpointformatlist != NULL)
2814 && (s->tlsext_ecpointformatlist_length > 0)
2815 && (s->session->tlsext_ecpointformatlist != NULL)
2816 && (s->session->tlsext_ecpointformatlist_length > 0)
2817 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2818 || (alg_a & SSL_aECDSA))) {
2819 /* we are using an ECC cipher */
2820 size_t i;
2821 unsigned char *list;
2822 int found_uncompressed = 0;
2823 list = s->session->tlsext_ecpointformatlist;
2824 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2825 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2826 found_uncompressed = 1;
2827 break;
2828 }
2829 }
2830 if (!found_uncompressed) {
2831 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2832 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2833 return -1;
2834 }
2835 }
2836 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2837#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2838
2839 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2840 ret =
2841 s->ctx->tlsext_servername_callback(s, &al,
2842 s->ctx->tlsext_servername_arg);
2843 else if (s->initial_ctx != NULL
2844 && s->initial_ctx->tlsext_servername_callback != 0)
2845 ret =
2846 s->initial_ctx->tlsext_servername_callback(s, &al,
2847 s->
2848 initial_ctx->tlsext_servername_arg);
2849
b1931d43
MC		 2850 /*
2851 * Ensure we get sensible values passed to tlsext_status_cb in the event
2852 * that we don't receive a status message
2853 */
bb1aaab4
MC		 2854 OPENSSL_free(s->tlsext_ocsp_resp);
2855 s->tlsext_ocsp_resp = NULL;
2856 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2857
2858 switch (ret) {
2859 case SSL_TLSEXT_ERR_ALERT_FATAL:
2860 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2861 return -1;
2862
2863 case SSL_TLSEXT_ERR_ALERT_WARNING:
2864 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2865 return 1;
2866
2867 case SSL_TLSEXT_ERR_NOACK:
2868 s->servername_done = 0;
2869 default:
2870 return 1;
2871 }
2872}
761772d7 2873
50932c4a 2874int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2875{
2876 int al = -1;
2877 if (s->version < SSL3_VERSION)
2878 return 1;
50932c4a 2879 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2880 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2881 return 0;
2882 }
2883
2884 if (ssl_check_serverhello_tlsext(s) <= 0) {
2885 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2886 return 0;
2887 }
2888 return 1;
09e4e4b9
DSH		 2889}
2890
1d97c843
TH		 2891/*-
2892 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2893 * ClientHello and other operations depend on the result some extensions
2894 * need to be handled at the same time.
2895 *
2896 * Two extensions are currently handled, session ticket and extended master
2897 * secret.
c519e89f 2898 *
b3e2272c
EK		 2899 * session_id: ClientHello session ID.
2900 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2901 * ret: (output) on return, if a ticket was decrypted, then this is set to
2902 * point to the resulting session.
2903 *
2904 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2905 * ciphersuite, in which case we have no use for session tickets and one will
2906 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2907 *
2908 * Returns:
2909 * -1: fatal error, either from parsing or decrypting the ticket.
2910 * 0: no ticket was found (or was ignored, based on settings).
2911 * 1: a zero length extension was found, indicating that the client supports
2912 * session tickets but doesn't currently have one to offer.
2913 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2914 * couldn't be decrypted because of a non-fatal error.
2915 * 3: a ticket was successfully decrypted and *ret was set.
2916 *
2917 * Side effects:
2918 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2919 * a new session ticket to the client because the client indicated support
2920 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2921 * a session ticket or we couldn't use the one it gave us, or if
2922 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2923 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2924 *
2925 * For extended master secret flag is set if the extension is present.
2926 *
6434abbf 2927 */
e7f0d921
DSH		 2928int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2929 const PACKET *session_id,
2930 SSL_SESSION **ret)
0f113f3e 2931{
9ceb2426 2932 unsigned int i;
b3e2272c 2933 PACKET local_ext = *ext;
9ceb2426 2934 int retv = -1;
0f113f3e 2935
e7f0d921
DSH		 2936 int have_ticket = 0;
2937 int use_ticket = tls_use_ticket(s);
2938
0f113f3e
MC		 2939 *ret = NULL;
2940 s->tlsext_ticket_expected = 0;
e7f0d921 2941 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2942
2943 /*
2944 * If tickets disabled behave as if no ticket present to permit stateful
2945 * resumption.
2946 */
9ceb2426 2947 if ((s->version <= SSL3_VERSION))
0f113f3e 2948 return 0;
9ceb2426 2949
b3e2272c 2950 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2951 retv = 0;
2952 goto end;
2953 }
b3e2272c 2954 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2955 unsigned int type, size;
2956
b3e2272c
EK		 2957 if (!PACKET_get_net_2(&local_ext, &type)
2958 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2959 /* Shouldn't ever happen */
2960 retv = -1;
2961 goto end;
2962 }
b3e2272c 2963 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2964 retv = 0;
2965 goto end;
2966 }
e7f0d921 2967 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2968 int r;
9ceb2426
MC		 2969 unsigned char *etick;
2970
e7f0d921
DSH		 2971 /* Duplicate extension */
2972 if (have_ticket != 0) {
2973 retv = -1;
2974 goto end;
2975 }
2976 have_ticket = 1;
2977
0f113f3e
MC		 2978 if (size == 0) {
2979 /*
2980 * The client will accept a ticket but doesn't currently have
2981 * one.
2982 */
2983 s->tlsext_ticket_expected = 1;
9ceb2426 2984 retv = 1;
e7f0d921 2985 continue;
0f113f3e
MC		 2986 }
2987 if (s->tls_session_secret_cb) {
2988 /*
2989 * Indicate that the ticket couldn't be decrypted rather than
2990 * generating the session from ticket now, trigger
2991 * abbreviated handshake based on external mechanism to
2992 * calculate the master secret later.
2993 */
9ceb2426 2994 retv = 2;
e7f0d921 2995 continue;
9ceb2426 2996 }
b3e2272c 2997 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2998 /* Shouldn't ever happen */
2999 retv = -1;
3000 goto end;
0f113f3e 3001 }
b3e2272c
EK		 3002 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3003 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3004 switch (r) {
3005 case 2: /* ticket couldn't be decrypted */
3006 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3007 retv = 2;
3008 break;
0f113f3e 3009 case 3: /* ticket was decrypted */
9ceb2426
MC		 3010 retv = r;
3011 break;
0f113f3e
MC		 3012 case 4: /* ticket decrypted but need to renew */
3013 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3014 retv = 3;
3015 break;
0f113f3e 3016 default: /* fatal error */
9ceb2426
MC		 3017 retv = -1;
3018 break;
0f113f3e 3019 }
e7f0d921 3020 continue;
c83eda8c 3021 } else {
e7f0d921
DSH		 3022 if (type == TLSEXT_TYPE_extended_master_secret)
3023 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 3024 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3025 retv = -1;
3026 goto end;
3027 }
0f113f3e 3028 }
0f113f3e 3029 }
e7f0d921
DSH		 3030 if (have_ticket == 0)
3031 retv = 0;
9ceb2426 3032end:
9ceb2426 3033 return retv;
0f113f3e 3034}
6434abbf 3035
1d97c843
TH		 3036/*-
3037 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3038 *
3039 * etick: points to the body of the session ticket extension.
3040 * eticklen: the length of the session tickets extenion.
3041 * sess_id: points at the session ID.
3042 * sesslen: the length of the session ID.
3043 * psess: (output) on return, if a ticket was decrypted, then this is set to
3044 * point to the resulting session.
3045 *
3046 * Returns:
bf7c6817 3047 * -2: fatal error, malloc failure.
c519e89f
BM		 3048 * -1: fatal error, either from parsing or decrypting the ticket.
3049 * 2: the ticket couldn't be decrypted.
3050 * 3: a ticket was successfully decrypted and *psess was set.
3051 * 4: same as 3, but the ticket needs to be renewed.
3052 */
0f113f3e
MC		 3053static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3054 int eticklen, const unsigned char *sess_id,
3055 int sesslen, SSL_SESSION **psess)
3056{
3057 SSL_SESSION *sess;
3058 unsigned char *sdec;
3059 const unsigned char *p;
3060 int slen, mlen, renew_ticket = 0;
3061 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3062 HMAC_CTX *hctx = NULL;
846ec07d 3063 EVP_CIPHER_CTX *ctx;
0f113f3e
MC		 3064 SSL_CTX *tctx = s->initial_ctx;
3065 /* Need at least keyname + iv + some encrypted data */
3066 if (eticklen < 48)
3067 return 2;
3068 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3069 hctx = HMAC_CTX_new();
3070 if (hctx == NULL)
3071 return -2;
846ec07d 3072 ctx = EVP_CIPHER_CTX_new();
0f113f3e
MC		 3073 if (tctx->tlsext_ticket_key_cb) {
3074 unsigned char *nctick = (unsigned char *)etick;
3075 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 3076 ctx, hctx, 0);
0f113f3e
MC		 3077 if (rv < 0)
3078 return -1;
3079 if (rv == 0)
3080 return 2;
3081 if (rv == 2)
3082 renew_ticket = 1;
3083 } else {
3084 /* Check key name matches */
3085 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3086 return 2;
bf7c6817 3087 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
5f3d93e4 3088 EVP_sha256(), NULL) <= 0
846ec07d 3089 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
5f3d93e4
MC		 3090 tctx->tlsext_tick_aes_key,
3091 etick + 16) <= 0) {
3092 goto err;
3093 }
0f113f3e
MC		 3094 }
3095 /*
3096 * Attempt to process session ticket, first conduct sanity and integrity
3097 * checks on ticket.
3098 */
bf7c6817 3099 mlen = HMAC_size(hctx);
0f113f3e 3100 if (mlen < 0) {
5f3d93e4 3101 goto err;
0f113f3e
MC		 3102 }
3103 eticklen -= mlen;
3104 /* Check HMAC of encrypted ticket */
bf7c6817
RL		 3105 if (HMAC_Update(hctx, etick, eticklen) <= 0
3106 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3107 goto err;
3108 }
bf7c6817 3109 HMAC_CTX_free(hctx);
0f113f3e 3110 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3111 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3112 return 2;
3113 }
3114 /* Attempt to decrypt session data */
3115 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3116 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3117 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3118 sdec = OPENSSL_malloc(eticklen);
5f3d93e4 3119 if (sdec == NULL
846ec07d
RL		 3120 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3121 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3122 return -1;
3123 }
846ec07d
RL		 3124 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3125 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3126 OPENSSL_free(sdec);
3127 return 2;
3128 }
3129 slen += mlen;
846ec07d
RL		 3130 EVP_CIPHER_CTX_free(ctx);
3131 ctx = NULL;
0f113f3e
MC		 3132 p = sdec;
3133
3134 sess = d2i_SSL_SESSION(NULL, &p, slen);
3135 OPENSSL_free(sdec);
3136 if (sess) {
3137 /*
3138 * The session ID, if non-empty, is used by some clients to detect
3139 * that the ticket has been accepted. So we copy it to the session
3140 * structure. If it is empty set length to zero as required by
3141 * standard.
3142 */
3143 if (sesslen)
3144 memcpy(sess->session_id, sess_id, sesslen);
3145 sess->session_id_length = sesslen;
3146 *psess = sess;
3147 if (renew_ticket)
3148 return 4;
3149 else
3150 return 3;
3151 }
3152 ERR_clear_error();
3153 /*
3154 * For session parse failure, indicate that we need to send a new ticket.
3155 */
3156 return 2;
5f3d93e4 3157err:
846ec07d 3158 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3159 HMAC_CTX_free(hctx);
5f3d93e4 3160 return -1;
0f113f3e 3161}
6434abbf 3162
6b7be581
DSH		 3163/* Tables to translate from NIDs to TLS v1.2 ids */
3164
0f113f3e
MC		 3165typedef struct {
3166 int nid;
3167 int id;
3168} tls12_lookup;
6b7be581 3169
d97ed219 3170static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3171 {NID_md5, TLSEXT_hash_md5},
3172 {NID_sha1, TLSEXT_hash_sha1},
3173 {NID_sha224, TLSEXT_hash_sha224},
3174 {NID_sha256, TLSEXT_hash_sha256},
3175 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3176 {NID_sha512, TLSEXT_hash_sha512},
3177 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3178 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3179 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3180};
3181
d97ed219 3182static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3183 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3184 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3185 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3186 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3187 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3188 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3189};
3190
d97ed219 3191static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3192{
3193 size_t i;
3194 for (i = 0; i < tlen; i++) {
3195 if (table[i].nid == nid)
3196 return table[i].id;
3197 }
3198 return -1;
3199}
e7f8ff43 3200
d97ed219 3201static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3202{
3203 size_t i;
3204 for (i = 0; i < tlen; i++) {
3205 if ((table[i].id) == id)
3206 return table[i].nid;
3207 }
3208 return NID_undef;
3209}
3210
3211int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3212 const EVP_MD *md)
3213{
3214 int sig_id, md_id;
3215 if (!md)
3216 return 0;
b6eb9827 3217 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3218 if (md_id == -1)
3219 return 0;
3220 sig_id = tls12_get_sigid(pk);
3221 if (sig_id == -1)
3222 return 0;
3223 p[0] = (unsigned char)md_id;
3224 p[1] = (unsigned char)sig_id;
3225 return 1;
3226}
6b7be581 3227
a2f9200f 3228int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3229{
3aeb9348 3230 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3231}
3232
3233typedef struct {
3234 int nid;
3235 int secbits;
7afd2312 3236 int md_idx;
e44380a9 3237 unsigned char tlsext_hash;
0f113f3e 3238} tls12_hash_info;
b362ccab
DSH		 3239
3240static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3241 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3242 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3243 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3244 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3245 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3246 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3247 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3248 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3249 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
b362ccab 3250};
a2f9200f 3251
b362ccab 3252static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3253{
e44380a9 3254 unsigned int i;
0f113f3e
MC		 3255 if (hash_alg == 0)
3256 return NULL;
e44380a9
DB		 3257
3258 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3259 {
3260 if (tls12_md_info[i].tlsext_hash == hash_alg)
3261 return tls12_md_info + i;
3262 }
3263
3264 return NULL;
0f113f3e 3265}
a2f9200f 3266
b362ccab 3267const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3268{
3269 const tls12_hash_info *inf;
3270 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3271 return NULL;
3272 inf = tls12_get_hash_info(hash_alg);
7afd2312 3273 if (!inf)
0f113f3e 3274 return NULL;
7afd2312 3275 return ssl_md(inf->md_idx);
0f113f3e 3276}
a2f9200f 3277
4453cd8c 3278static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3279{
3280 switch (sig_alg) {
e481f9b9 3281#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3282 case TLSEXT_signature_rsa:
3283 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3284#endif
3285#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3286 case TLSEXT_signature_dsa:
3287 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3288#endif
3289#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3290 case TLSEXT_signature_ecdsa:
3291 return SSL_PKEY_ECC;
e481f9b9 3292#endif
e44380a9
DB		 3293# ifndef OPENSSL_NO_GOST
3294 case TLSEXT_signature_gostr34102001:
3295 return SSL_PKEY_GOST01;
3296
3297 case TLSEXT_signature_gostr34102012_256:
3298 return SSL_PKEY_GOST12_256;
3299
3300 case TLSEXT_signature_gostr34102012_512:
3301 return SSL_PKEY_GOST12_512;
3302# endif
0f113f3e
MC		 3303 }
3304 return -1;
3305}
4453cd8c
DSH		 3306
3307/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3308static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3309 int *psignhash_nid, const unsigned char *data)
3310{
330dcb09 3311 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3312 if (!phash_nid && !psign_nid && !psignhash_nid)
3313 return;
3314 if (phash_nid || psignhash_nid) {
b6eb9827 3315 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3316 if (phash_nid)
3317 *phash_nid = hash_nid;
3318 }
3319 if (psign_nid || psignhash_nid) {
b6eb9827 3320 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3321 if (psign_nid)
3322 *psign_nid = sign_nid;
3323 }
3324 if (psignhash_nid) {
330dcb09
MC		 3325 if (sign_nid == NID_undef || hash_nid == NID_undef
3326 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3327 sign_nid) <= 0)
0f113f3e
MC		 3328 *psignhash_nid = NID_undef;
3329 }
3330}
3331
b362ccab
DSH		 3332/* Check to see if a signature algorithm is allowed */
3333static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3334{
3335 /* See if we have an entry in the hash table and it is enabled */
3336 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3337 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3338 return 0;
3339 /* See if public key algorithm allowed */
3340 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3341 return 0;
3342 /* Finally see if security callback allows it */
3343 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3344}
3345
3346/*
3347 * Get a mask of disabled public key algorithms based on supported signature
3348 * algorithms. For example if no signature algorithm supports RSA then RSA is
3349 * disabled.
b362ccab
DSH		 3350 */
3351
90d9e49a 3352void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3353{
3354 const unsigned char *sigalgs;
3355 size_t i, sigalgslen;
3356 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3357 /*
3358 * Now go through all signature algorithms seeing if we support any for
3359 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3360 * down calls to security callback only check if we have to.
3361 */
3362 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3363 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3364 switch (sigalgs[1]) {
e481f9b9 3365#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3366 case TLSEXT_signature_rsa:
3367 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3368 have_rsa = 1;
3369 break;
e481f9b9
MC		 3370#endif
3371#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3372 case TLSEXT_signature_dsa:
3373 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3374 have_dsa = 1;
3375 break;
e481f9b9
MC		 3376#endif
3377#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3378 case TLSEXT_signature_ecdsa:
3379 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3380 have_ecdsa = 1;
3381 break;
e481f9b9 3382#endif
0f113f3e
MC		 3383 }
3384 }
3385 if (!have_rsa)
3386 *pmask_a |= SSL_aRSA;
3387 if (!have_dsa)
3388 *pmask_a |= SSL_aDSS;
3389 if (!have_ecdsa)
3390 *pmask_a |= SSL_aECDSA;
3391}
b362ccab
DSH		 3392
3393size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3394 const unsigned char *psig, size_t psiglen)
3395{
3396 unsigned char *tmpout = out;
3397 size_t i;
3398 for (i = 0; i < psiglen; i += 2, psig += 2) {
3399 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3400 *tmpout++ = psig[0];
3401 *tmpout++ = psig[1];
3402 }
3403 }
3404 return tmpout - out;
3405}
b362ccab 3406
4453cd8c 3407/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3408static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3409 const unsigned char *pref, size_t preflen,
3410 const unsigned char *allow, size_t allowlen)
3411{
3412 const unsigned char *ptmp, *atmp;
3413 size_t i, j, nmatch = 0;
3414 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3415 /* Skip disabled hashes or signature algorithms */
3416 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3417 continue;
3418 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3419 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3420 nmatch++;
3421 if (shsig) {
3422 shsig->rhash = ptmp[0];
3423 shsig->rsign = ptmp[1];
3424 tls1_lookup_sigalg(&shsig->hash_nid,
3425 &shsig->sign_nid,
3426 &shsig->signandhash_nid, ptmp);
3427 shsig++;
3428 }
3429 break;
3430 }
3431 }
3432 }
3433 return nmatch;
3434}
4453cd8c
DSH		 3435
3436/* Set shared signature algorithms for SSL structures */
3437static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3438{
3439 const unsigned char *pref, *allow, *conf;
3440 size_t preflen, allowlen, conflen;
3441 size_t nmatch;
3442 TLS_SIGALGS *salgs = NULL;
3443 CERT *c = s->cert;
3444 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3445
3446 OPENSSL_free(c->shared_sigalgs);
3447 c->shared_sigalgs = NULL;
3448 c->shared_sigalgslen = 0;
0f113f3e
MC		 3449 /* If client use client signature algorithms if not NULL */
3450 if (!s->server && c->client_sigalgs && !is_suiteb) {
3451 conf = c->client_sigalgs;
3452 conflen = c->client_sigalgslen;
3453 } else if (c->conf_sigalgs && !is_suiteb) {
3454 conf = c->conf_sigalgs;
3455 conflen = c->conf_sigalgslen;
3456 } else
3457 conflen = tls12_get_psigalgs(s, &conf);
3458 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3459 pref = conf;
3460 preflen = conflen;
76106e60
DSH		 3461 allow = s->s3->tmp.peer_sigalgs;
3462 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3463 } else {
3464 allow = conf;
3465 allowlen = conflen;
76106e60
DSH		 3466 pref = s->s3->tmp.peer_sigalgs;
3467 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3468 }
3469 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3470 if (nmatch) {
3471 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3472 if (salgs == NULL)
34e3edbf
DSH		 3473 return 0;
3474 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3475 } else {
3476 salgs = NULL;
3477 }
0f113f3e
MC		 3478 c->shared_sigalgs = salgs;
3479 c->shared_sigalgslen = nmatch;
3480 return 1;
3481}
4453cd8c 3482
6b7be581
DSH		 3483/* Set preferred digest for each key type */
3484
c800c27a 3485int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3486{
3487 CERT *c = s->cert;
3488 /* Extension ignored for inappropriate versions */
3489 if (!SSL_USE_SIGALGS(s))
3490 return 1;
3491 /* Should never happen */
3492 if (!c)
3493 return 0;
3494
76106e60
DSH		 3495 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3496 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3497 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3498 return 0;
76106e60
DSH		 3499 s->s3->tmp.peer_sigalgslen = dsize;
3500 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3501 return 1;
3502}
6b7be581 3503
c800c27a 3504int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3505{
3506 int idx;
3507 size_t i;
3508 const EVP_MD *md;
d376e57d 3509 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3510 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3511 CERT *c = s->cert;
3512 TLS_SIGALGS *sigptr;
3513 if (!tls1_set_shared_sigalgs(s))
3514 return 0;
3515
e481f9b9 3516#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3517 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3518 /*
3519 * Use first set signature preference to force message digest,
3520 * ignoring any peer preferences.
3521 */
3522 const unsigned char *sigs = NULL;
3523 if (s->server)
3524 sigs = c->conf_sigalgs;
3525 else
3526 sigs = c->client_sigalgs;
3527 if (sigs) {
3528 idx = tls12_get_pkey_idx(sigs[1]);
3529 md = tls12_get_hash(sigs[0]);
d376e57d 3530 pmd[idx] = md;
6383d316 3531 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3532 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3533 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3534 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3535 }
3536 }
3537 }
e481f9b9 3538#endif
0f113f3e
MC		 3539
3540 for (i = 0, sigptr = c->shared_sigalgs;
3541 i < c->shared_sigalgslen; i++, sigptr++) {
3542 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3543 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3544 md = tls12_get_hash(sigptr->rhash);
d376e57d 3545 pmd[idx] = md;
6383d316 3546 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3547 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3548 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3549 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3550 }
3551 }
6b7be581 3552
0f113f3e
MC		 3553 }
3554 /*
3555 * In strict mode leave unset digests as NULL to indicate we can't use
3556 * the certificate for signing.
3557 */
3558 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3559 /*
3560 * Set any remaining keys to default values. NOTE: if alg is not
3561 * supported it stays as NULL.
3562 */
e481f9b9 3563#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3564 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3565 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3566#endif
3567#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3568 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3569 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3570 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3571 }
e481f9b9
MC		 3572#endif
3573#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3574 if (pmd[SSL_PKEY_ECC] == NULL)
3575 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3576#endif
e44380a9
DB		 3577# ifndef OPENSSL_NO_GOST
3578 if (pmd[SSL_PKEY_GOST01] == NULL)
3579 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3580 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3581 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3582 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3583 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3584# endif
0f113f3e
MC		 3585 }
3586 return 1;
3587}
4817504d 3588
e7f8ff43 3589int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3590 int *psign, int *phash, int *psignhash,
3591 unsigned char *rsig, unsigned char *rhash)
3592{
76106e60 3593 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3594 if (psig == NULL)
3595 return 0;
3596 if (idx >= 0) {
3597 idx <<= 1;
76106e60 3598 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3599 return 0;
3600 psig += idx;
3601 if (rhash)
3602 *rhash = psig[0];
3603 if (rsig)
3604 *rsig = psig[1];
3605 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3606 }
76106e60 3607 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3608}
4453cd8c
DSH		 3609
3610int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3611 int *psign, int *phash, int *psignhash,
3612 unsigned char *rsig, unsigned char *rhash)
3613{
3614 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3615 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3616 return 0;
3617 shsigalgs += idx;
3618 if (phash)
3619 *phash = shsigalgs->hash_nid;
3620 if (psign)
3621 *psign = shsigalgs->sign_nid;
3622 if (psignhash)
3623 *psignhash = shsigalgs->signandhash_nid;
3624 if (rsig)
3625 *rsig = shsigalgs->rsign;
3626 if (rhash)
3627 *rhash = shsigalgs->rhash;
3628 return s->cert->shared_sigalgslen;
3629}
3630
e481f9b9 3631#ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3632int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3633{
2c60ed04 3634 unsigned char *pl;
0f113f3e
MC		 3635 unsigned short hbtype;
3636 unsigned int payload;
3637 unsigned int padding = 16; /* Use minimum padding */
3638
3639 if (s->msg_callback)
3640 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3641 p, length,
0f113f3e
MC		 3642 s, s->msg_callback_arg);
3643
3644 /* Read type and payload length first */
258f8721 3645 if (1 + 2 + 16 > length)
0f113f3e
MC		 3646 return 0; /* silently discard */
3647 hbtype = *p++;
3648 n2s(p, payload);
258f8721 3649 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3650 return 0; /* silently discard per RFC 6520 sec. 4 */
3651 pl = p;
3652
3653 if (hbtype == TLS1_HB_REQUEST) {
3654 unsigned char *buffer, *bp;
3655 int r;
3656
3657 /*
3658 * Allocate memory for the response, size is 1 bytes message type,
3659 * plus 2 bytes payload length, plus payload, plus padding
3660 */
3661 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3662 if (buffer == NULL) {
3663 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3664 return -1;
3665 }
3666 bp = buffer;
3667
3668 /* Enter response type, length and copy payload */
3669 *bp++ = TLS1_HB_RESPONSE;
3670 s2n(payload, bp);
3671 memcpy(bp, pl, payload);
3672 bp += payload;
3673 /* Random padding */
266483d2
MC		 3674 if (RAND_bytes(bp, padding) <= 0) {
3675 OPENSSL_free(buffer);
3676 return -1;
3677 }
0f113f3e
MC		 3678
3679 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3680 3 + payload + padding);
3681
3682 if (r >= 0 && s->msg_callback)
3683 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3684 buffer, 3 + payload + padding,
3685 s, s->msg_callback_arg);
3686
3687 OPENSSL_free(buffer);
3688
3689 if (r < 0)
3690 return r;
3691 } else if (hbtype == TLS1_HB_RESPONSE) {
3692 unsigned int seq;
3693
3694 /*
3695 * We only send sequence numbers (2 bytes unsigned int), and 16
3696 * random bytes, so we just try to read the sequence number
3697 */
3698 n2s(pl, seq);
3699
3700 if (payload == 18 && seq == s->tlsext_hb_seq) {
3701 s->tlsext_hb_seq++;
3702 s->tlsext_hb_pending = 0;
3703 }
3704 }
3705
3706 return 0;
3707}
0f229cce 3708
0f113f3e
MC		 3709int tls1_heartbeat(SSL *s)
3710{
3711 unsigned char *buf, *p;
266483d2 3712 int ret = -1;
0f113f3e
MC		 3713 unsigned int payload = 18; /* Sequence number + random bytes */
3714 unsigned int padding = 16; /* Use minimum padding */
3715
3716 /* Only send if peer supports and accepts HB requests... */
3717 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3718 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3719 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3720 return -1;
3721 }
3722
3723 /* ...and there is none in flight yet... */
3724 if (s->tlsext_hb_pending) {
3725 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3726 return -1;
3727 }
3728
3729 /* ...and no handshake in progress. */
024f543c 3730 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
0f113f3e
MC		 3731 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3732 return -1;
3733 }
3734
50e735f9
MC		 3735 /*-
3736 * Create HeartBeat message, we just use a sequence number
3737 * as payload to distuingish different messages and add
3738 * some random stuff.
3739 * - Message Type, 1 byte
3740 * - Payload Length, 2 bytes (unsigned int)
3741 * - Payload, the sequence number (2 bytes uint)
3742 * - Payload, random bytes (16 bytes uint)
3743 * - Padding
3744 */
0f113f3e
MC		 3745 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3746 if (buf == NULL) {
3747 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3748 return -1;
3749 }
3750 p = buf;
3751 /* Message Type */
3752 *p++ = TLS1_HB_REQUEST;
3753 /* Payload length (18 bytes here) */
3754 s2n(payload, p);
3755 /* Sequence number */
3756 s2n(s->tlsext_hb_seq, p);
3757 /* 16 random bytes */
266483d2
MC		 3758 if (RAND_bytes(p, 16) <= 0) {
3759 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3760 goto err;
3761 }
0f113f3e
MC		 3762 p += 16;
3763 /* Random padding */
266483d2
MC		 3764 if (RAND_bytes(p, padding) <= 0) {
3765 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3766 goto err;
3767 }
0f113f3e
MC		 3768
3769 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3770 if (ret >= 0) {
3771 if (s->msg_callback)
3772 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3773 buf, 3 + payload + padding,
3774 s, s->msg_callback_arg);
3775
3776 s->tlsext_hb_pending = 1;
3777 }
3778
266483d2 3779 err:
0f113f3e 3780 OPENSSL_free(buf);
0f113f3e
MC		 3781 return ret;
3782}
e481f9b9 3783#endif
0f113f3e 3784
e481f9b9 3785#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3786
0f113f3e
MC		 3787typedef struct {
3788 size_t sigalgcnt;
3789 int sigalgs[MAX_SIGALGLEN];
3790} sig_cb_st;
0f229cce 3791
431f458d
DSH		 3792static void get_sigorhash(int *psig, int *phash, const char *str)
3793{
3794 if (strcmp(str, "RSA") == 0) {
3795 *psig = EVP_PKEY_RSA;
3796 } else if (strcmp(str, "DSA") == 0) {
3797 *psig = EVP_PKEY_DSA;
3798 } else if (strcmp(str, "ECDSA") == 0) {
3799 *psig = EVP_PKEY_EC;
3800 } else {
3801 *phash = OBJ_sn2nid(str);
3802 if (*phash == NID_undef)
3803 *phash = OBJ_ln2nid(str);
3804 }
3805}
3806
0f229cce 3807static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3808{
3809 sig_cb_st *sarg = arg;
3810 size_t i;
3811 char etmp[20], *p;
431f458d 3812 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3813 if (elem == NULL)
3814 return 0;
0f113f3e
MC		 3815 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3816 return 0;
3817 if (len > (int)(sizeof(etmp) - 1))
3818 return 0;
3819 memcpy(etmp, elem, len);
3820 etmp[len] = 0;
3821 p = strchr(etmp, '+');
3822 if (!p)
3823 return 0;
3824 *p = 0;
3825 p++;
3826 if (!*p)
3827 return 0;
3828
431f458d
DSH		 3829 get_sigorhash(&sig_alg, &hash_alg, etmp);
3830 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3831
431f458d 3832 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3833 return 0;
3834
3835 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3836 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3837 return 0;
3838 }
3839 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3840 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3841 return 1;
3842}
3843
3844/*
3845 * Set suppored signature algorithms based on a colon separated list of the
3846 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3847 */
3dbc46df 3848int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3849{
3850 sig_cb_st sig;
3851 sig.sigalgcnt = 0;
3852 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3853 return 0;
3854 if (c == NULL)
3855 return 1;
3856 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3857}
3858
3859int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3860 int client)
3861{
3862 unsigned char *sigalgs, *sptr;
3863 int rhash, rsign;
3864 size_t i;
3865 if (salglen & 1)
3866 return 0;
3867 sigalgs = OPENSSL_malloc(salglen);
3868 if (sigalgs == NULL)
3869 return 0;
3870 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3871 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3872 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3873
3874 if (rhash == -1 || rsign == -1)
3875 goto err;
3876 *sptr++ = rhash;
3877 *sptr++ = rsign;
3878 }
3879
3880 if (client) {
b548a1f1 3881 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3882 c->client_sigalgs = sigalgs;
3883 c->client_sigalgslen = salglen;
3884 } else {
b548a1f1 3885 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3886 c->conf_sigalgs = sigalgs;
3887 c->conf_sigalgslen = salglen;
3888 }
3889
3890 return 1;
3891
3892 err:
3893 OPENSSL_free(sigalgs);
3894 return 0;
3895}
4453cd8c 3896
d61ff83b 3897static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3898{
3899 int sig_nid;
3900 size_t i;
3901 if (default_nid == -1)
3902 return 1;
3903 sig_nid = X509_get_signature_nid(x);
3904 if (default_nid)
3905 return sig_nid == default_nid ? 1 : 0;
3906 for (i = 0; i < c->shared_sigalgslen; i++)
3907 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3908 return 1;
3909 return 0;
3910}
3911
6dbb6219
DSH		 3912/* Check to see if a certificate issuer name matches list of CA names */
3913static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3914{
3915 X509_NAME *nm;
3916 int i;
3917 nm = X509_get_issuer_name(x);
3918 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3919 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3920 return 1;
3921 }
3922 return 0;
3923}
3924
3925/*
3926 * Check certificate chain is consistent with TLS extensions and is usable by
3927 * server. This servers two purposes: it allows users to check chains before
3928 * passing them to the server and it allows the server to check chains before
3929 * attempting to use them.
d61ff83b 3930 */
6dbb6219
DSH		 3931
3932/* Flags which need to be set for a certificate when stict mode not set */
3933
e481f9b9 3934#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3935 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3936/* Strict mode flags */
e481f9b9 3937#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3938 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3939 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3940
d61ff83b 3941int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3942 int idx)
3943{
3944 int i;
3945 int rv = 0;
3946 int check_flags = 0, strict_mode;
3947 CERT_PKEY *cpk = NULL;
3948 CERT *c = s->cert;
f7d53487 3949 uint32_t *pvalid;
0f113f3e
MC		 3950 unsigned int suiteb_flags = tls1_suiteb(s);
3951 /* idx == -1 means checking server chains */
3952 if (idx != -1) {
3953 /* idx == -2 means checking client certificate chains */
3954 if (idx == -2) {
3955 cpk = c->key;
3956 idx = cpk - c->pkeys;
3957 } else
3958 cpk = c->pkeys + idx;
6383d316 3959 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3960 x = cpk->x509;
3961 pk = cpk->privatekey;
3962 chain = cpk->chain;
3963 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3964 /* If no cert or key, forget it */
3965 if (!x || !pk)
3966 goto end;
e481f9b9 3967#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3968 /* Allow any certificate to pass test */
3969 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3970 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3971 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3972 *pvalid = rv;
0f113f3e
MC		 3973 return rv;
3974 }
e481f9b9 3975#endif
0f113f3e
MC		 3976 } else {
3977 if (!x || !pk)
d813f9eb 3978 return 0;
0f113f3e
MC		 3979 idx = ssl_cert_type(x, pk);
3980 if (idx == -1)
d813f9eb 3981 return 0;
6383d316
DSH		 3982 pvalid = s->s3->tmp.valid_flags + idx;
3983
0f113f3e
MC		 3984 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3985 check_flags = CERT_PKEY_STRICT_FLAGS;
3986 else
3987 check_flags = CERT_PKEY_VALID_FLAGS;
3988 strict_mode = 1;
3989 }
3990
3991 if (suiteb_flags) {
3992 int ok;
3993 if (check_flags)
3994 check_flags |= CERT_PKEY_SUITEB;
3995 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3996 if (ok == X509_V_OK)
3997 rv |= CERT_PKEY_SUITEB;
3998 else if (!check_flags)
3999 goto end;
4000 }
4001
4002 /*
4003 * Check all signature algorithms are consistent with signature
4004 * algorithms extension if TLS 1.2 or later and strict mode.
4005 */
4006 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4007 int default_nid;
4008 unsigned char rsign = 0;
76106e60 4009 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 4010 default_nid = 0;
4011 /* If no sigalgs extension use defaults from RFC5246 */
4012 else {
4013 switch (idx) {
4014 case SSL_PKEY_RSA_ENC:
4015 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 4016 rsign = TLSEXT_signature_rsa;
4017 default_nid = NID_sha1WithRSAEncryption;
4018 break;
4019
4020 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 4021 rsign = TLSEXT_signature_dsa;
4022 default_nid = NID_dsaWithSHA1;
4023 break;
4024
4025 case SSL_PKEY_ECC:
4026 rsign = TLSEXT_signature_ecdsa;
4027 default_nid = NID_ecdsa_with_SHA1;
4028 break;
4029
e44380a9
DB		 4030 case SSL_PKEY_GOST01:
4031 rsign = TLSEXT_signature_gostr34102001;
4032 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4033 break;
4034
4035 case SSL_PKEY_GOST12_256:
4036 rsign = TLSEXT_signature_gostr34102012_256;
4037 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4038 break;
4039
4040 case SSL_PKEY_GOST12_512:
4041 rsign = TLSEXT_signature_gostr34102012_512;
4042 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4043 break;
4044
0f113f3e
MC		 4045 default:
4046 default_nid = -1;
4047 break;
4048 }
4049 }
4050 /*
4051 * If peer sent no signature algorithms extension and we have set
4052 * preferred signature algorithms check we support sha1.
4053 */
4054 if (default_nid > 0 && c->conf_sigalgs) {
4055 size_t j;
4056 const unsigned char *p = c->conf_sigalgs;
4057 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4058 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4059 break;
4060 }
4061 if (j == c->conf_sigalgslen) {
4062 if (check_flags)
4063 goto skip_sigs;
4064 else
4065 goto end;
4066 }
4067 }
4068 /* Check signature algorithm of each cert in chain */
4069 if (!tls1_check_sig_alg(c, x, default_nid)) {
4070 if (!check_flags)
4071 goto end;
4072 } else
4073 rv |= CERT_PKEY_EE_SIGNATURE;
4074 rv |= CERT_PKEY_CA_SIGNATURE;
4075 for (i = 0; i < sk_X509_num(chain); i++) {
4076 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4077 if (check_flags) {
4078 rv &= ~CERT_PKEY_CA_SIGNATURE;
4079 break;
4080 } else
4081 goto end;
4082 }
4083 }
4084 }
4085 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4086 else if (check_flags)
4087 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4088 skip_sigs:
4089 /* Check cert parameters are consistent */
4090 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4091 rv |= CERT_PKEY_EE_PARAM;
4092 else if (!check_flags)
4093 goto end;
4094 if (!s->server)
4095 rv |= CERT_PKEY_CA_PARAM;
4096 /* In strict mode check rest of chain too */
4097 else if (strict_mode) {
4098 rv |= CERT_PKEY_CA_PARAM;
4099 for (i = 0; i < sk_X509_num(chain); i++) {
4100 X509 *ca = sk_X509_value(chain, i);
4101 if (!tls1_check_cert_param(s, ca, 0)) {
4102 if (check_flags) {
4103 rv &= ~CERT_PKEY_CA_PARAM;
4104 break;
4105 } else
4106 goto end;
4107 }
4108 }
4109 }
4110 if (!s->server && strict_mode) {
4111 STACK_OF(X509_NAME) *ca_dn;
4112 int check_type = 0;
3aeb9348 4113 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 4114 case EVP_PKEY_RSA:
4115 check_type = TLS_CT_RSA_SIGN;
4116 break;
4117 case EVP_PKEY_DSA:
4118 check_type = TLS_CT_DSS_SIGN;
4119 break;
4120 case EVP_PKEY_EC:
4121 check_type = TLS_CT_ECDSA_SIGN;
4122 break;
0f113f3e
MC		 4123 }
4124 if (check_type) {
4125 const unsigned char *ctypes;
4126 int ctypelen;
4127 if (c->ctypes) {
4128 ctypes = c->ctypes;
4129 ctypelen = (int)c->ctype_num;
4130 } else {
4131 ctypes = (unsigned char *)s->s3->tmp.ctype;
4132 ctypelen = s->s3->tmp.ctype_num;
4133 }
4134 for (i = 0; i < ctypelen; i++) {
4135 if (ctypes[i] == check_type) {
4136 rv |= CERT_PKEY_CERT_TYPE;
4137 break;
4138 }
4139 }
4140 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4141 goto end;
4142 } else
4143 rv |= CERT_PKEY_CERT_TYPE;
4144
4145 ca_dn = s->s3->tmp.ca_names;
4146
4147 if (!sk_X509_NAME_num(ca_dn))
4148 rv |= CERT_PKEY_ISSUER_NAME;
4149
4150 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4151 if (ssl_check_ca_name(ca_dn, x))
4152 rv |= CERT_PKEY_ISSUER_NAME;
4153 }
4154 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4155 for (i = 0; i < sk_X509_num(chain); i++) {
4156 X509 *xtmp = sk_X509_value(chain, i);
4157 if (ssl_check_ca_name(ca_dn, xtmp)) {
4158 rv |= CERT_PKEY_ISSUER_NAME;
4159 break;
4160 }
4161 }
4162 }
4163 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4164 goto end;
4165 } else
4166 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4167
4168 if (!check_flags || (rv & check_flags) == check_flags)
4169 rv |= CERT_PKEY_VALID;
4170
4171 end:
4172
4173 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4174 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4175 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4176 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4177 rv |= CERT_PKEY_SIGN;
4178 } else
4179 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4180
4181 /*
4182 * When checking a CERT_PKEY structure all flags are irrelevant if the
4183 * chain is invalid.
4184 */
4185 if (!check_flags) {
4186 if (rv & CERT_PKEY_VALID)
6383d316 4187 *pvalid = rv;
0f113f3e
MC		 4188 else {
4189 /* Preserve explicit sign flag, clear rest */
6383d316 4190 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4191 return 0;
4192 }
4193 }
4194 return rv;
4195}
d61ff83b
DSH		 4196
4197/* Set validity of certificates in an SSL structure */
4198void tls1_set_cert_validity(SSL *s)
0f113f3e 4199{
17dd65e6
MC		 4200 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4201 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4202 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 4203 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4204 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4205 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4206 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4207}
4208
18d71588
DSH		 4209/* User level utiity function to check a chain is suitable */
4210int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4211{
4212 return tls1_check_chain(s, x, pk, chain, -1);
4213}
d61ff83b 4214
09599b52
DSH		 4215
4216#ifndef OPENSSL_NO_DH
4217DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4218{
4219 int dh_secbits = 80;
4220 if (s->cert->dh_tmp_auto == 2)
4221 return DH_get_1024_160();
adc5506a 4222 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4223 if (s->s3->tmp.new_cipher->strength_bits == 256)
4224 dh_secbits = 128;
4225 else
4226 dh_secbits = 80;
4227 } else {
4228 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4229 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4230 }
4231
4232 if (dh_secbits >= 128) {
4233 DH *dhp = DH_new();
a71edf3b 4234 if (dhp == NULL)
0f113f3e
MC		 4235 return NULL;
4236 dhp->g = BN_new();
a71edf3b 4237 if (dhp->g != NULL)
0f113f3e
MC		 4238 BN_set_word(dhp->g, 2);
4239 if (dh_secbits >= 192)
4240 dhp->p = get_rfc3526_prime_8192(NULL);
4241 else
4242 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4243 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4244 DH_free(dhp);
4245 return NULL;
4246 }
4247 return dhp;
4248 }
4249 if (dh_secbits >= 112)
4250 return DH_get_2048_224();
4251 return DH_get_1024_160();
4252}
09599b52 4253#endif
b362ccab
DSH		 4254
4255static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4256{
72245f34 4257 int secbits = -1;
8382fd3a 4258 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4259 if (pkey) {
72245f34
DSH		 4260 /*
4261 * If no parameters this will return -1 and fail using the default
4262 * security callback for any non-zero security level. This will
4263 * reject keys which omit parameters but this only affects DSA and
4264 * omission of parameters is never (?) done in practice.
4265 */
0f113f3e 4266 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4267 }
0f113f3e
MC		 4268 if (s)
4269 return ssl_security(s, op, secbits, 0, x);
4270 else
4271 return ssl_ctx_security(ctx, op, secbits, 0, x);
4272}
b362ccab
DSH		 4273
4274static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4275{
4276 /* Lookup signature algorithm digest */
4277 int secbits = -1, md_nid = NID_undef, sig_nid;
4278 sig_nid = X509_get_signature_nid(x);
4279 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4280 const EVP_MD *md;
4281 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4282 secbits = EVP_MD_size(md) * 4;
4283 }
4284 if (s)
4285 return ssl_security(s, op, secbits, md_nid, x);
4286 else
4287 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4288}
b362ccab
DSH		 4289
4290int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4291{
4292 if (vfy)
4293 vfy = SSL_SECOP_PEER;
4294 if (is_ee) {
4295 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4296 return SSL_R_EE_KEY_TOO_SMALL;
4297 } else {
4298 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4299 return SSL_R_CA_KEY_TOO_SMALL;
4300 }
4301 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4302 return SSL_R_CA_MD_TOO_WEAK;
4303 return 1;
4304}
4305
4306/*
4307 * Check security of a chain, if sk includes the end entity certificate then
4308 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4309 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4310 */
4311
4312int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4313{
4314 int rv, start_idx, i;
4315 if (x == NULL) {
4316 x = sk_X509_value(sk, 0);
4317 start_idx = 1;
4318 } else
4319 start_idx = 0;
4320
4321 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4322 if (rv != 1)
4323 return rv;
4324
4325 for (i = start_idx; i < sk_X509_num(sk); i++) {
4326 x = sk_X509_value(sk, i);
4327 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4328 if (rv != 1)
4329 return rv;
4330 }
4331 return 1;
4332}
A mirror of the official openssl repository