]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Separate client and server permitted signature algorithm support: by default
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
58964a49
RE		 118#include "ssl_locl.h"
119
42182852 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 121
367eb1f1 122#ifndef OPENSSL_NO_TLSEXT
6434abbf
DSH		 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
09e4e4b9
DSH		 126static int ssl_check_clienthello_tlsext(SSL *s);
127int ssl_check_serverhello_tlsext(SSL *s);
367eb1f1 128#endif
6434abbf 129
f3b656b2 130SSL3_ENC_METHOD TLSv1_enc_data={
58964a49
RE		 131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 tls1_cert_verify_mac,
139 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 tls1_alert_code,
e0af0405 142 tls1_export_keying_material,
58964a49
RE		 143 };
144
f3b656b2 145long tls1_default_timeout(void)
58964a49
RE		 146 {
147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148 * is way too long for http, the cache would over fill */
149 return(60*60*2);
150 }
151
6b691a5c 152int tls1_new(SSL *s)
58964a49
RE		 153 {
154 if (!ssl3_new(s)) return(0);
155 s->method->ssl_clear(s);
156 return(1);
157 }
158
6b691a5c 159void tls1_free(SSL *s)
58964a49 160 {
12bf56c0
DSH		 161#ifndef OPENSSL_NO_TLSEXT
162 if (s->tlsext_session_ticket)
163 {
164 OPENSSL_free(s->tlsext_session_ticket);
165 }
166#endif /* OPENSSL_NO_TLSEXT */
58964a49
RE		 167 ssl3_free(s);
168 }
169
6b691a5c 170void tls1_clear(SSL *s)
58964a49
RE		 171 {
172 ssl3_clear(s);
637f374a 173 s->version = s->method->version;
58964a49
RE		 174 }
175
525de5d3 176#ifndef OPENSSL_NO_EC
eda3766b 177
525de5d3
DSH		 178static int nid_list[] =
179 {
180 NID_sect163k1, /* sect163k1 (1) */
181 NID_sect163r1, /* sect163r1 (2) */
182 NID_sect163r2, /* sect163r2 (3) */
183 NID_sect193r1, /* sect193r1 (4) */
184 NID_sect193r2, /* sect193r2 (5) */
185 NID_sect233k1, /* sect233k1 (6) */
186 NID_sect233r1, /* sect233r1 (7) */
187 NID_sect239k1, /* sect239k1 (8) */
188 NID_sect283k1, /* sect283k1 (9) */
189 NID_sect283r1, /* sect283r1 (10) */
190 NID_sect409k1, /* sect409k1 (11) */
191 NID_sect409r1, /* sect409r1 (12) */
192 NID_sect571k1, /* sect571k1 (13) */
193 NID_sect571r1, /* sect571r1 (14) */
194 NID_secp160k1, /* secp160k1 (15) */
195 NID_secp160r1, /* secp160r1 (16) */
196 NID_secp160r2, /* secp160r2 (17) */
197 NID_secp192k1, /* secp192k1 (18) */
198 NID_X9_62_prime192v1, /* secp192r1 (19) */
199 NID_secp224k1, /* secp224k1 (20) */
200 NID_secp224r1, /* secp224r1 (21) */
201 NID_secp256k1, /* secp256k1 (22) */
202 NID_X9_62_prime256v1, /* secp256r1 (23) */
203 NID_secp384r1, /* secp384r1 (24) */
204 NID_secp521r1 /* secp521r1 (25) */
205 };
eda3766b 206
d0595f17
DSH		 207
208static const unsigned char ecformats_default[] =
eda3766b 209 {
d0595f17
DSH		 210 TLSEXT_ECPOINTFORMAT_uncompressed,
211 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213 };
214
215static const unsigned char eccurves_default[] =
216 {
217 0,14, /* sect571r1 (14) */
218 0,13, /* sect571k1 (13) */
219 0,25, /* secp521r1 (25) */
220 0,11, /* sect409k1 (11) */
221 0,12, /* sect409r1 (12) */
222 0,24, /* secp384r1 (24) */
223 0,9, /* sect283k1 (9) */
224 0,10, /* sect283r1 (10) */
225 0,22, /* secp256k1 (22) */
226 0,23, /* secp256r1 (23) */
227 0,8, /* sect239k1 (8) */
228 0,6, /* sect233k1 (6) */
229 0,7, /* sect233r1 (7) */
230 0,20, /* secp224k1 (20) */
231 0,21, /* secp224r1 (21) */
232 0,4, /* sect193r1 (4) */
233 0,5, /* sect193r2 (5) */
234 0,18, /* secp192k1 (18) */
235 0,19, /* secp192r1 (19) */
236 0,1, /* sect163k1 (1) */
237 0,2, /* sect163r1 (2) */
238 0,3, /* sect163r2 (3) */
239 0,15, /* secp160k1 (15) */
240 0,16, /* secp160r1 (16) */
241 0,17, /* secp160r2 (17) */
eda3766b
DSH		 242 };
243
525de5d3
DSH		 244int tls1_ec_curve_id2nid(int curve_id)
245 {
246 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
1e26a8ba
GT		 247 if ((curve_id < 1) || ((unsigned int)curve_id >
248 sizeof(nid_list)/sizeof(nid_list[0])))
249 return 0;
525de5d3
DSH		 250 return nid_list[curve_id-1];
251 }
252
253int tls1_ec_nid2curve_id(int nid)
254 {
255 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256 switch (nid)
257 {
258 case NID_sect163k1: /* sect163k1 (1) */
259 return 1;
260 case NID_sect163r1: /* sect163r1 (2) */
261 return 2;
262 case NID_sect163r2: /* sect163r2 (3) */
263 return 3;
264 case NID_sect193r1: /* sect193r1 (4) */
265 return 4;
266 case NID_sect193r2: /* sect193r2 (5) */
267 return 5;
268 case NID_sect233k1: /* sect233k1 (6) */
269 return 6;
270 case NID_sect233r1: /* sect233r1 (7) */
271 return 7;
272 case NID_sect239k1: /* sect239k1 (8) */
273 return 8;
274 case NID_sect283k1: /* sect283k1 (9) */
275 return 9;
276 case NID_sect283r1: /* sect283r1 (10) */
277 return 10;
278 case NID_sect409k1: /* sect409k1 (11) */
279 return 11;
280 case NID_sect409r1: /* sect409r1 (12) */
281 return 12;
282 case NID_sect571k1: /* sect571k1 (13) */
283 return 13;
284 case NID_sect571r1: /* sect571r1 (14) */
285 return 14;
286 case NID_secp160k1: /* secp160k1 (15) */
287 return 15;
288 case NID_secp160r1: /* secp160r1 (16) */
289 return 16;
290 case NID_secp160r2: /* secp160r2 (17) */
291 return 17;
292 case NID_secp192k1: /* secp192k1 (18) */
293 return 18;
294 case NID_X9_62_prime192v1: /* secp192r1 (19) */
295 return 19;
296 case NID_secp224k1: /* secp224k1 (20) */
297 return 20;
298 case NID_secp224r1: /* secp224r1 (21) */
299 return 21;
300 case NID_secp256k1: /* secp256k1 (22) */
301 return 22;
302 case NID_X9_62_prime256v1: /* secp256r1 (23) */
303 return 23;
304 case NID_secp384r1: /* secp384r1 (24) */
305 return 24;
306 case NID_secp521r1: /* secp521r1 (25) */
307 return 25;
308 default:
309 return 0;
310 }
311 }
fd2b65ce
DSH		 312/* Get curves list, if "sess" is set return client curves otherwise
313 * preferred list
314 */
315static void tls1_get_curvelist(SSL *s, int sess,
316 const unsigned char **pcurves,
317 size_t *pcurveslen)
318 {
319 if (sess)
320 {
321 *pcurves = s->session->tlsext_ellipticcurvelist;
322 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323 }
324 else
325 {
326 *pcurves = s->tlsext_ellipticcurvelist;
327 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328 }
329 /* If not set use default: for now static structure */
330 if (!*pcurves)
331 {
332 *pcurves = eccurves_default;
333 *pcurveslen = sizeof(eccurves_default);
334 }
335 }
d0595f17 336
a4352630
DSH		 337/* Return nth shared curve. If nmatch == -1 return number of
338 * matches.
d0595f17 339 */
a4352630
DSH		 340
341int tls1_shared_curve(SSL *s, int nmatch)
d0595f17
DSH		 342 {
343 const unsigned char *pref, *supp;
344 size_t preflen, supplen, i, j;
345 int k;
a4352630
DSH		 346 /* Can't do anything on client side */
347 if (s->server == 0)
348 return -1;
349 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350 &supp, &supplen);
351 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352 &pref, &preflen);
353 preflen /= 2;
354 supplen /= 2;
d0595f17
DSH		 355 k = 0;
356 for (i = 0; i < preflen; i++, pref+=2)
357 {
358 const unsigned char *tsupp = supp;
359 for (j = 0; j < supplen; j++, tsupp+=2)
360 {
361 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362 {
363 if (nmatch == k)
a4352630
DSH		 364 {
365 int id = (pref[0] << 8) | pref[1];
366 return tls1_ec_curve_id2nid(id);
367 }
d0595f17
DSH		 368 k++;
369 }
370 }
371 }
d0595f17 372 if (nmatch == -1)
a4352630
DSH		 373 return k;
374 return 0;
d0595f17
DSH		 375 }
376
377int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378 int *curves, size_t ncurves)
379 {
380 unsigned char *clist, *p;
381 size_t i;
382 /* Bitmap of curves included to detect duplicates: only works
383 * while curve ids < 32
384 */
385 unsigned long dup_list = 0;
386 clist = OPENSSL_malloc(ncurves * 2);
387 if (!clist)
388 return 0;
389 for (i = 0, p = clist; i < ncurves; i++)
390 {
391 unsigned long idmask;
392 int id;
393 id = tls1_ec_nid2curve_id(curves[i]);
394 idmask = 1L << id;
395 if (!id || (dup_list & idmask))
396 {
397 OPENSSL_free(clist);
398 return 0;
399 }
400 dup_list |= idmask;
401 s2n(id, p);
402 }
403 if (*pext)
404 OPENSSL_free(*pext);
405 *pext = clist;
406 *pextlen = ncurves * 2;
407 return 1;
408 }
409
410#define MAX_CURVELIST 25
411
412typedef struct
413 {
414 size_t nidcnt;
415 int nid_arr[MAX_CURVELIST];
416 } nid_cb_st;
417
418static int nid_cb(const char *elem, int len, void *arg)
419 {
420 nid_cb_st *narg = arg;
421 size_t i;
422 int nid;
423 char etmp[20];
424 if (narg->nidcnt == MAX_CURVELIST)
425 return 0;
426 if (len > (int)(sizeof(etmp) - 1))
427 return 0;
428 memcpy(etmp, elem, len);
429 etmp[len] = 0;
430 nid = EC_curve_nist2nid(etmp);
431 if (nid == NID_undef)
432 nid = OBJ_sn2nid(etmp);
433 if (nid == NID_undef)
434 nid = OBJ_ln2nid(etmp);
435 if (nid == NID_undef)
436 return 0;
437 for (i = 0; i < narg->nidcnt; i++)
438 if (narg->nid_arr[i] == nid)
439 return 0;
440 narg->nid_arr[narg->nidcnt++] = nid;
441 return 1;
442 }
443/* Set curves based on a colon separate list */
444int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
445 const char *str)
446 {
447 nid_cb_st ncb;
448 ncb.nidcnt = 0;
449 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450 return 0;
451 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452 }
fd2b65ce
DSH		 453/* For an EC key set TLS id and required compression based on parameters */
454static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455 EC_KEY *ec)
456 {
457 int is_prime, id;
458 const EC_GROUP *grp;
459 const EC_POINT *pt;
460 const EC_METHOD *meth;
461 if (!ec)
462 return 0;
463 /* Determine if it is a prime field */
464 grp = EC_KEY_get0_group(ec);
465 pt = EC_KEY_get0_public_key(ec);
466 if (!grp || !pt)
467 return 0;
468 meth = EC_GROUP_method_of(grp);
469 if (!meth)
470 return 0;
471 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472 is_prime = 1;
473 else
474 is_prime = 0;
475 /* Determine curve ID */
476 id = EC_GROUP_get_curve_name(grp);
477 id = tls1_ec_nid2curve_id(id);
478 /* If we have an ID set it, otherwise set arbitrary explicit curve */
479 if (id)
480 {
481 curve_id[0] = 0;
482 curve_id[1] = (unsigned char)id;
483 }
484 else
485 {
486 curve_id[0] = 0xff;
487 if (is_prime)
488 curve_id[1] = 0x01;
489 else
490 curve_id[1] = 0x02;
491 }
492 if (comp_id)
493 {
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495 {
496 if (is_prime)
497 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498 else
499 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500 }
501 else
502 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503 }
504 return 1;
505 }
506/* Check an EC key is compatible with extensions */
507static int tls1_check_ec_key(SSL *s,
508 unsigned char *curve_id, unsigned char *comp_id)
509 {
510 const unsigned char *p;
511 size_t plen, i;
a4352630 512 int j;
fd2b65ce
DSH		 513 /* If point formats extension present check it, otherwise everything
514 * is supported (see RFC4492).
515 */
516 if (comp_id && s->session->tlsext_ecpointformatlist)
517 {
518 p = s->session->tlsext_ecpointformatlist;
519 plen = s->session->tlsext_ecpointformatlist_length;
520 for (i = 0; i < plen; i++, p++)
521 {
522 if (*comp_id == *p)
523 break;
524 }
525 if (i == plen)
526 return 0;
527 }
a4352630
DSH		 528 /* Check curve is consistent with client and server preferences */
529 for (j = 0; j <= 1; j++)
fd2b65ce 530 {
a4352630 531 tls1_get_curvelist(s, j, &p, &plen);
fd2b65ce
DSH		 532 for (i = 0; i < plen; i+=2, p+=2)
533 {
534 if (p[0] == curve_id[0] && p[1] == curve_id[1])
a4352630 535 break;
fd2b65ce 536 }
a4352630
DSH		 537 if (i == plen)
538 return 0;
fd2b65ce
DSH		 539 }
540 return 1;
541 }
d61ff83b
DSH		 542
543/* Check cert parameters compatible with extensions: currently just checks
544 * EC certificates have compatible curves and compression.
545 */
546static int tls1_check_cert_param(SSL *s, X509 *x)
fd2b65ce 547 {
fd2b65ce 548 unsigned char comp_id, curve_id[2];
d61ff83b
DSH		 549 EVP_PKEY *pkey;
550 int rv;
551 pkey = X509_get_pubkey(x);
fd2b65ce
DSH		 552 if (!pkey)
553 return 0;
d61ff83b
DSH		 554 /* If not EC nothing to do */
555 if (pkey->type != EVP_PKEY_EC)
556 {
557 EVP_PKEY_free(pkey);
558 return 1;
559 }
fd2b65ce
DSH		 560 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561 EVP_PKEY_free(pkey);
562 if (!rv)
563 return 0;
564 return tls1_check_ec_key(s, curve_id, &comp_id);
565 }
566/* Check EC temporary key is compatible with client extensions */
567int tls1_check_ec_tmp_key(SSL *s)
568 {
569 unsigned char curve_id[2];
570 EC_KEY *ec = s->cert->ecdh_tmp;
a4352630
DSH		 571 if (s->cert->ecdh_tmp_auto)
572 {
573 /* Need a shared curve */
574 if (tls1_shared_curve(s, 0))
575 return 1;
576 else return 0;
577 }
fd2b65ce
DSH		 578 if (!ec)
579 {
580 if (s->cert->ecdh_tmp_cb)
581 return 1;
582 else
583 return 0;
584 }
585 if (!tls1_set_ec_id(curve_id, NULL, ec))
586 return 1;
587 return tls1_check_ec_key(s, curve_id, NULL);
588 }
d0595f17 589
525de5d3 590#endif /* OPENSSL_NO_EC */
f1fd4544 591
ed3883d2 592#ifndef OPENSSL_NO_TLSEXT
fc101f88
DSH		 593
594/* List of supported signature algorithms and hashes. Should make this
595 * customisable at some point, for now include everything we support.
596 */
597
598#ifdef OPENSSL_NO_RSA
599#define tlsext_sigalg_rsa(md) /* */
600#else
601#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
602#endif
603
604#ifdef OPENSSL_NO_DSA
605#define tlsext_sigalg_dsa(md) /* */
606#else
607#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
608#endif
609
610#ifdef OPENSSL_NO_ECDSA
611#define tlsext_sigalg_ecdsa(md) /* */
612#else
654ac273 613#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
fc101f88
DSH		 614#endif
615
616#define tlsext_sigalg(md) \
617 tlsext_sigalg_rsa(md) \
618 tlsext_sigalg_dsa(md) \
619 tlsext_sigalg_ecdsa(md)
620
621static unsigned char tls12_sigalgs[] = {
622#ifndef OPENSSL_NO_SHA512
623 tlsext_sigalg(TLSEXT_hash_sha512)
624 tlsext_sigalg(TLSEXT_hash_sha384)
625#endif
626#ifndef OPENSSL_NO_SHA256
627 tlsext_sigalg(TLSEXT_hash_sha256)
628 tlsext_sigalg(TLSEXT_hash_sha224)
629#endif
630#ifndef OPENSSL_NO_SHA
631 tlsext_sigalg(TLSEXT_hash_sha1)
632#endif
633#ifndef OPENSSL_NO_MD5
634 tlsext_sigalg_rsa(TLSEXT_hash_md5)
635#endif
636};
637
0f229cce 638size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
f37f20ff 639 {
4453cd8c
DSH		 640 const unsigned char *sigs;
641 size_t sigslen;
3dbc46df
DSH		 642 /* If server use client authentication sigalgs if not NULL */
643 if (s->server && s->cert->client_sigalgs)
644 {
645 sigs = s->cert->client_sigalgs;
646 sigslen = s->cert->client_sigalgslen;
647 }
648 else if (s->cert->conf_sigalgs)
649 {
650 sigs = s->cert->conf_sigalgs;
4453cd8c 651 sigslen = s->cert->conf_sigalgslen;
3dbc46df 652 }
4453cd8c 653 else
0f229cce 654 {
4453cd8c
DSH		 655 sigs = tls12_sigalgs;
656 sigslen = sizeof(tls12_sigalgs);
ebc5e72f 657#ifdef OPENSSL_FIPS
4453cd8c
DSH		 658 /* If FIPS mode don't include MD5 which is last */
659 if (FIPS_mode())
660 sigslen -= 2;
ebc5e72f 661#endif
4453cd8c
DSH		 662 }
663
f37f20ff 664 if (p)
4453cd8c
DSH		 665 memcpy(p, sigs, sigslen);
666 return sigslen;
f37f20ff 667 }
fc101f88 668
a9e1c50b
BL		 669/* byte_compare is a compare function for qsort(3) that compares bytes. */
670static int byte_compare(const void *in_a, const void *in_b)
671 {
672 unsigned char a = *((const unsigned char*) in_a);
673 unsigned char b = *((const unsigned char*) in_b);
674
675 if (a > b)
676 return 1;
677 else if (a < b)
678 return -1;
679 return 0;
680}
681
f1fd4544
BM		 682unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
683 {
ed3883d2
BM		 684 int extdatalen=0;
685 unsigned char *ret = p;
d0595f17
DSH		 686#ifndef OPENSSL_NO_EC
687 /* See if we support any ECC ciphersuites */
688 int using_ecc = 0;
689 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
690 {
691 int i;
692 unsigned long alg_k, alg_a;
693 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
694
695 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
696 {
697 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
698
699 alg_k = c->algorithm_mkey;
700 alg_a = c->algorithm_auth;
701 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
702 || (alg_a & SSL_aECDSA)))
703 {
704 using_ecc = 1;
705 break;
706 }
707 }
708 }
709#endif
ed3883d2 710
13f6d57b
DSH		 711 /* don't add extensions for SSLv3 unless doing secure renegotiation */
712 if (s->client_version == SSL3_VERSION
713 && !s->s3->send_connection_binding)
5f8f94a6
DSH		 714 return p;
715
ed3883d2
BM		 716 ret+=2;
717
718 if (ret>=limit) return NULL; /* this really never occurs, but ... */
6434abbf 719
a70183bc 720 if (s->tlsext_hostname != NULL)
f1fd4544 721 {
ed3883d2
BM		 722 /* Add TLS extension servername to the Client Hello message */
723 unsigned long size_str;
724 long lenmax;
725
a70183bc 726 /* check for enough space.
52b8dad8
BM		 727 4 for the servername type and entension length
728 2 for servernamelist length
729 1 for the hostname type
730 2 for hostname length
731 + hostname length
a70183bc 732 */
52b8dad8 733
761772d7
BM		 734 if ((lenmax = limit - ret - 9) < 0
735 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
a70183bc
BM		 736 return NULL;
737
738 /* extension type and length */
739 s2n(TLSEXT_TYPE_server_name,ret);
740 s2n(size_str+5,ret);
f1fd4544 741
a70183bc 742 /* length of servername list */
ed3883d2 743 s2n(size_str+3,ret);
a70183bc
BM		 744
745 /* hostname type, length and hostname */
f1fd4544 746 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
ed3883d2 747 s2n(size_str,ret);
ed3883d2
BM		 748 memcpy(ret, s->tlsext_hostname, size_str);
749 ret+=size_str;
f1fd4544 750 }
761772d7 751
423c66f1 752 /* Add RI if renegotiating */
bdd53508 753 if (s->renegotiate)
423c66f1 754 {
860c3dd1
DSH		 755 int el;
756
757 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
758 {
759 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
760 return NULL;
761 }
762
763 if((limit - p - 4 - el) < 0) return NULL;
764
765 s2n(TLSEXT_TYPE_renegotiate,ret);
766 s2n(el,ret);
767
768 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
769 {
770 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
771 return NULL;
772 }
773
774 ret += el;
775 }
776
edc032b5 777#ifndef OPENSSL_NO_SRP
1df80b65 778 /* Add SRP username if there is one */
edc032b5 779 if (s->srp_ctx.login != NULL)
1df80b65 780 { /* Add TLS extension SRP username to the Client Hello message */
edc032b5 781
1df80b65
DSH		 782 int login_len = strlen(s->srp_ctx.login);
783 if (login_len > 255 || login_len == 0)
edc032b5
BL		 784 {
785 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
786 return NULL;
1df80b65
DSH		 787 }
788
789 /* check for enough space.
790 4 for the srp type type and entension length
791 1 for the srp user identity
792 + srp user identity length
793 */
794 if ((limit - ret - 5 - login_len) < 0) return NULL;
795
796 /* fill in the extension */
edc032b5
BL		 797 s2n(TLSEXT_TYPE_srp,ret);
798 s2n(login_len+1,ret);
1df80b65
DSH		 799 (*ret++) = (unsigned char) login_len;
800 memcpy(ret, s->srp_ctx.login, login_len);
edc032b5
BL		 801 ret+=login_len;
802 }
803#endif
804
36ca4ba6 805#ifndef OPENSSL_NO_EC
d0595f17 806 if (using_ecc)
36ca4ba6
BM		 807 {
808 /* Add TLS extension ECPointFormats to the ClientHello message */
809 long lenmax;
d0595f17
DSH		 810 const unsigned char *plist;
811 size_t plistlen;
812 /* If we have a custom point format list use it otherwise
813 * use default */
814 plist = s->tlsext_ecpointformatlist;
815 if (plist)
816 plistlen = s->tlsext_ecpointformatlist_length;
817 else
818 {
819 plist = ecformats_default;
820 plistlen = sizeof(ecformats_default);
821 }
36ca4ba6 822
761772d7 823 if ((lenmax = limit - ret - 5) < 0) return NULL;
d0595f17
DSH		 824 if (plistlen > (size_t)lenmax) return NULL;
825 if (plistlen > 255)
019fdc78
BM		 826 {
827 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
828 return NULL;
829 }
36ca4ba6
BM		 830
831 s2n(TLSEXT_TYPE_ec_point_formats,ret);
d0595f17
DSH		 832 s2n(plistlen + 1,ret);
833 *(ret++) = (unsigned char)plistlen ;
834 memcpy(ret, plist, plistlen);
835 ret+=plistlen;
836
33273721 837 /* Add TLS extension EllipticCurves to the ClientHello message */
d0595f17 838 plist = s->tlsext_ellipticcurvelist;
fd2b65ce 839 tls1_get_curvelist(s, 0, &plist, &plistlen);
33273721 840
761772d7 841 if ((lenmax = limit - ret - 6) < 0) return NULL;
d0595f17
DSH		 842 if (plistlen > (size_t)lenmax) return NULL;
843 if (plistlen > 65532)
33273721
BM		 844 {
845 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
846 return NULL;
847 }
848
849 s2n(TLSEXT_TYPE_elliptic_curves,ret);
d0595f17 850 s2n(plistlen + 2, ret);
a4974de9
BM		 851
852 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
853 * elliptic_curve_list, but the examples use two bytes.
854 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
855 * resolves this to two bytes.
856 */
d0595f17
DSH		 857 s2n(plistlen, ret);
858 memcpy(ret, plist, plistlen);
859 ret+=plistlen;
33273721 860 }
36ca4ba6 861#endif /* OPENSSL_NO_EC */
d3442bc7 862
6434abbf
DSH		 863 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
864 {
865 int ticklen;
7ba3838a 866 if (!s->new_session && s->session && s->session->tlsext_tick)
6434abbf 867 ticklen = s->session->tlsext_ticklen;
12bf56c0
DSH		 868 else if (s->session && s->tlsext_session_ticket &&
869 s->tlsext_session_ticket->data)
870 {
871 ticklen = s->tlsext_session_ticket->length;
872 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
873 if (!s->session->tlsext_tick)
874 return NULL;
875 memcpy(s->session->tlsext_tick,
876 s->tlsext_session_ticket->data,
877 ticklen);
878 s->session->tlsext_ticklen = ticklen;
879 }
6434abbf
DSH		 880 else
881 ticklen = 0;
12bf56c0
DSH		 882 if (ticklen == 0 && s->tlsext_session_ticket &&
883 s->tlsext_session_ticket->data == NULL)
884 goto skip_ext;
6434abbf
DSH		 885 /* Check for enough room 2 for extension type, 2 for len
886 * rest for ticket
887 */
761772d7 888 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
6434abbf
DSH		 889 s2n(TLSEXT_TYPE_session_ticket,ret);
890 s2n(ticklen,ret);
891 if (ticklen)
892 {
893 memcpy(ret, s->session->tlsext_tick, ticklen);
894 ret += ticklen;
895 }
896 }
12bf56c0 897 skip_ext:
6434abbf 898
7744ef1a 899 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
a2f9200f 900 {
0f229cce
DSH		 901 size_t salglen;
902 salglen = tls12_get_sig_algs(s, NULL);
903 if ((size_t)(limit - ret) < salglen + 6)
a2f9200f
DSH		 904 return NULL;
905 s2n(TLSEXT_TYPE_signature_algorithms,ret);
0f229cce
DSH		 906 s2n(salglen + 2, ret);
907 s2n(salglen, ret);
908 tls12_get_sig_algs(s, ret);
909 ret += salglen;
a2f9200f
DSH		 910 }
911
761772d7 912#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 913 if (s->s3->client_opaque_prf_input != NULL &&
914 s->version != DTLS1_VERSION)
761772d7
BM		 915 {
916 size_t col = s->s3->client_opaque_prf_input_len;
917
918 if ((long)(limit - ret - 6 - col < 0))
919 return NULL;
920 if (col > 0xFFFD) /* can't happen */
921 return NULL;
922
923 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
924 s2n(col + 2, ret);
925 s2n(col, ret);
926 memcpy(ret, s->s3->client_opaque_prf_input, col);
927 ret += col;
928 }
929#endif
930
8025e251
DSH		 931 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
932 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 933 {
934 int i;
935 long extlen, idlen, itmp;
936 OCSP_RESPID *id;
937
938 idlen = 0;
939 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
940 {
941 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
942 itmp = i2d_OCSP_RESPID(id, NULL);
943 if (itmp <= 0)
944 return NULL;
945 idlen += itmp + 2;
946 }
947
948 if (s->tlsext_ocsp_exts)
949 {
950 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
951 if (extlen < 0)
952 return NULL;
953 }
954 else
955 extlen = 0;
956
957 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
958 s2n(TLSEXT_TYPE_status_request, ret);
959 if (extlen + idlen > 0xFFF0)
960 return NULL;
961 s2n(extlen + idlen + 5, ret);
962 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
963 s2n(idlen, ret);
964 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
965 {
966 /* save position of id len */
967 unsigned char *q = ret;
968 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
969 /* skip over id len */
970 ret += 2;
971 itmp = i2d_OCSP_RESPID(id, &ret);
972 /* write id len */
973 s2n(itmp, q);
974 }
975 s2n(extlen, ret);
976 if (extlen > 0)
977 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
978 }
979
4817504d
DSH		 980#ifndef OPENSSL_NO_HEARTBEATS
981 /* Add Heartbeat extension */
982 s2n(TLSEXT_TYPE_heartbeat,ret);
983 s2n(1,ret);
984 /* Set mode:
985 * 1: peer may send requests
986 * 2: peer not allowed to send requests
987 */
988 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
989 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
990 else
991 *(ret++) = SSL_TLSEXT_HB_ENABLED;
992#endif
993
bf48836c 994#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 995 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
996 {
997 /* The client advertises an emtpy extension to indicate its
998 * support for Next Protocol Negotiation */
999 if (limit - ret - 4 < 0)
1000 return NULL;
1001 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1002 s2n(0,ret);
1003 }
1004#endif
1005
333f926d
BL		 1006 if(SSL_get_srtp_profiles(s))
1007 {
1008 int el;
1009
1010 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1011
1012 if((limit - p - 4 - el) < 0) return NULL;
1013
1014 s2n(TLSEXT_TYPE_use_srtp,ret);
1015 s2n(el,ret);
1016
1017 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1018 {
1019 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1020 return NULL;
1021 }
1022 ret += el;
1023 }
1024
a9e1c50b
BL		 1025 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1026 /* 2 bytes for extension type */
1027 /* 2 bytes for extension length */
1028 /* 1 byte for the list length */
1029 /* 1 byte for the list (we only support audit proofs) */
1030 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1031 {
1032 size_t lenmax;
1033 const unsigned short ext_len = 2;
1034 const unsigned char list_len = 1;
1035
1036 if ((lenmax = limit - ret - 6) < 0) return NULL;
1037
1038 s2n(TLSEXT_TYPE_server_authz, ret);
1039 /* Extension length: 2 bytes */
1040 s2n(ext_len, ret);
1041 *(ret++) = list_len;
1042 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1043 }
1044
1045 if ((extdatalen = ret-p-2) == 0)
ed3883d2
BM		 1046 return p;
1047
1048 s2n(extdatalen,p);
1049 return ret;
52b8dad8 1050 }
ed3883d2 1051
f1fd4544
BM		 1052unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1053 {
ed3883d2
BM		 1054 int extdatalen=0;
1055 unsigned char *ret = p;
bf48836c
BL		 1056#ifndef OPENSSL_NO_NEXTPROTONEG
1057 int next_proto_neg_seen;
ee2ffc27 1058#endif
ed3883d2 1059
13f6d57b
DSH		 1060 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1061 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
5f8f94a6
DSH		 1062 return p;
1063
a13c20f6 1064 ret+=2;
ed3883d2
BM		 1065 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1066
a13c20f6 1067 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
f1fd4544 1068 {
761772d7 1069 if ((long)(limit - ret - 4) < 0) return NULL;
ed3883d2
BM		 1070
1071 s2n(TLSEXT_TYPE_server_name,ret);
1072 s2n(0,ret);
f1fd4544 1073 }
860c3dd1 1074
8025e251 1075 if(s->s3->send_connection_binding)
860c3dd1
DSH		 1076 {
1077 int el;
1078
1079 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1080 {
1081 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1082 return NULL;
1083 }
1084
1085 if((limit - p - 4 - el) < 0) return NULL;
1086
1087 s2n(TLSEXT_TYPE_renegotiate,ret);
1088 s2n(el,ret);
1089
1090 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1091 {
1092 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1093 return NULL;
1094 }
1095
1096 ret += el;
1097 }
1098
36ca4ba6 1099#ifndef OPENSSL_NO_EC
8025e251
DSH		 1100 if (s->tlsext_ecpointformatlist != NULL &&
1101 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1102 {
1103 /* Add TLS extension ECPointFormats to the ServerHello message */
1104 long lenmax;
1105
761772d7 1106 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 1107 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 1108 if (s->tlsext_ecpointformatlist_length > 255)
1109 {
1110 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1111 return NULL;
1112 }
36ca4ba6
BM		 1113
1114 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1115 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1116 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1117 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1118 ret+=s->tlsext_ecpointformatlist_length;
a70183bc 1119
36ca4ba6 1120 }
33273721 1121 /* Currently the server should not respond with a SupportedCurves extension */
36ca4ba6 1122#endif /* OPENSSL_NO_EC */
67c8e7f4 1123
6434abbf
DSH		 1124 if (s->tlsext_ticket_expected
1125 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1126 {
761772d7 1127 if ((long)(limit - ret - 4) < 0) return NULL;
6434abbf
DSH		 1128 s2n(TLSEXT_TYPE_session_ticket,ret);
1129 s2n(0,ret);
1130 }
761772d7 1131
67c8e7f4
DSH		 1132 if (s->tlsext_status_expected)
1133 {
1134 if ((long)(limit - ret - 4) < 0) return NULL;
1135 s2n(TLSEXT_TYPE_status_request,ret);
1136 s2n(0,ret);
1137 }
1138
761772d7 1139#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1140 if (s->s3->server_opaque_prf_input != NULL &&
1141 s->version != DTLS1_VERSION)
761772d7
BM		 1142 {
1143 size_t sol = s->s3->server_opaque_prf_input_len;
6434abbf 1144
761772d7
BM		 1145 if ((long)(limit - ret - 6 - sol) < 0)
1146 return NULL;
1147 if (sol > 0xFFFD) /* can't happen */
1148 return NULL;
1149
1150 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1151 s2n(sol + 2, ret);
1152 s2n(sol, ret);
1153 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1154 ret += sol;
1155 }
1156#endif
333f926d
BL		 1157
1158 if(s->srtp_profile)
1159 {
1160 int el;
1161
1162 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1163
1164 if((limit - p - 4 - el) < 0) return NULL;
1165
1166 s2n(TLSEXT_TYPE_use_srtp,ret);
1167 s2n(el,ret);
1168
1169 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1170 {
7a236261 1171 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
333f926d
BL		 1172 return NULL;
1173 }
1174 ret+=el;
1175 }
1176
0e1dba93
DSH		 1177 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1178 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1179 { const unsigned char cryptopro_ext[36] = {
1180 0xfd, 0xe8, /*65000*/
1181 0x00, 0x20, /*32 bytes length*/
1182 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1183 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1184 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1185 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1186 if (limit-ret<36) return NULL;
1187 memcpy(ret,cryptopro_ext,36);
1188 ret+=36;
1189
1190 }
761772d7 1191
4817504d 1192#ifndef OPENSSL_NO_HEARTBEATS
5733919d
DSH		 1193 /* Add Heartbeat extension if we've received one */
1194 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1195 {
1196 s2n(TLSEXT_TYPE_heartbeat,ret);
1197 s2n(1,ret);
1198 /* Set mode:
1199 * 1: peer may send requests
1200 * 2: peer not allowed to send requests
1201 */
1202 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1203 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1204 else
1205 *(ret++) = SSL_TLSEXT_HB_ENABLED;
192540b5 1206
5733919d 1207 }
4817504d
DSH		 1208#endif
1209
bf48836c 1210#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1211 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1212 s->s3->next_proto_neg_seen = 0;
1213 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1214 {
1215 const unsigned char *npa;
1216 unsigned int npalen;
1217 int r;
1218
1219 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1220 if (r == SSL_TLSEXT_ERR_OK)
1221 {
1222 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1223 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1224 s2n(npalen,ret);
1225 memcpy(ret, npa, npalen);
1226 ret += npalen;
1227 s->s3->next_proto_neg_seen = 1;
1228 }
1229 }
1230#endif
1231
a9e1c50b
BL		 1232 /* If the client supports authz then see whether we have any to offer
1233 * to it. */
1234 if (s->s3->tlsext_authz_client_types_len)
1235 {
1236 size_t authz_length;
1237 /* By now we already know the new cipher, so we can look ahead
1238 * to see whether the cert we are going to send
1239 * has any authz data attached to it. */
1240 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1241 const unsigned char* const orig_authz = authz;
1242 size_t i;
1243 unsigned authz_count = 0;
1244
1245 /* The authz data contains a number of the following structures:
1246 * uint8_t authz_type
1247 * uint16_t length
1248 * uint8_t data[length]
1249 *
1250 * First we walk over it to find the number of authz elements. */
1251 for (i = 0; i < authz_length; i++)
1252 {
1253 unsigned short length;
1254 unsigned char type;
1255
1256 type = *(authz++);
1257 if (memchr(s->s3->tlsext_authz_client_types,
1258 type,
1259 s->s3->tlsext_authz_client_types_len) != NULL)
1260 authz_count++;
1261
1262 n2s(authz, length);
aeda172a
BL		 1263 /* n2s increments authz by 2 */
1264 i += 2;
a9e1c50b
BL		 1265 authz += length;
1266 i += length;
1267 }
1268
1269 if (authz_count)
1270 {
1271 /* Add TLS extension server_authz to the ServerHello message
1272 * 2 bytes for extension type
1273 * 2 bytes for extension length
1274 * 1 byte for the list length
1275 * n bytes for the list */
1276 const unsigned short ext_len = 1 + authz_count;
1277
1278 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1279 s2n(TLSEXT_TYPE_server_authz, ret);
1280 s2n(ext_len, ret);
1281 *(ret++) = authz_count;
1282 s->s3->tlsext_authz_promised_to_client = 1;
1283 }
1284
1285 authz = orig_authz;
1286 for (i = 0; i < authz_length; i++)
1287 {
1288 unsigned short length;
1289 unsigned char type;
1290
1291 authz_count++;
1292 type = *(authz++);
1293 if (memchr(s->s3->tlsext_authz_client_types,
1294 type,
1295 s->s3->tlsext_authz_client_types_len) != NULL)
1296 *(ret++) = type;
1297 n2s(authz, length);
aeda172a
BL		 1298 /* n2s increments authz by 2 */
1299 i += 2;
a9e1c50b
BL		 1300 authz += length;
1301 i += length;
1302 }
1303 }
1304
ed3883d2
BM		 1305 if ((extdatalen = ret-p-2)== 0)
1306 return p;
1307
1308 s2n(extdatalen,p);
1309 return ret;
52b8dad8 1310 }
ed3883d2 1311
b2284ed3
DSH		 1312static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1313 {
ed3883d2
BM		 1314 unsigned short type;
1315 unsigned short size;
1316 unsigned short len;
f1fd4544 1317 unsigned char *data = *p;
860c3dd1
DSH		 1318 int renegotiate_seen = 0;
1319
a13c20f6 1320 s->servername_done = 0;
67c8e7f4 1321 s->tlsext_status_type = -1;
6f31dd72
BM		 1322#ifndef OPENSSL_NO_NEXTPROTONEG
1323 s->s3->next_proto_neg_seen = 0;
1324#endif
ed3883d2 1325
4817504d
DSH		 1326#ifndef OPENSSL_NO_HEARTBEATS
1327 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1328 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1329#endif
4453cd8c
DSH		 1330 /* Clear any signature algorithms extension received */
1331 if (s->cert->peer_sigalgs)
1332 {
1333 OPENSSL_free(s->cert->peer_sigalgs);
1334 s->cert->peer_sigalgs = NULL;
1335 }
1336 /* Clear any shared sigtnature algorithms */
1337 if (s->cert->shared_sigalgs)
1338 {
1339 OPENSSL_free(s->cert->shared_sigalgs);
1340 s->cert->shared_sigalgs = NULL;
1341 }
4817504d 1342
ed3883d2 1343 if (data >= (d+n-2))
c27c9cb4 1344 goto ri_check;
ed3883d2
BM		 1345 n2s(data,len);
1346
52b8dad8 1347 if (data > (d+n-len))
c27c9cb4 1348 goto ri_check;
ed3883d2 1349
f1fd4544
BM		 1350 while (data <= (d+n-4))
1351 {
ed3883d2
BM		 1352 n2s(data,type);
1353 n2s(data,size);
1354
1355 if (data+size > (d+n))
c27c9cb4 1356 goto ri_check;
8e3b2dbb 1357#if 0
0e1dba93 1358 fprintf(stderr,"Received extension type %d size %d\n",type,size);
8e3b2dbb 1359#endif
6434abbf
DSH		 1360 if (s->tlsext_debug_cb)
1361 s->tlsext_debug_cb(s, 0, type, data, size,
1362 s->tlsext_debug_arg);
a13c20f6
BM		 1363/* The servername extension is treated as follows:
1364
1365 - Only the hostname type is supported with a maximum length of 255.
1366 - The servername is rejected if too long or if it contains zeros,
1367 in which case an fatal alert is generated.
1368 - The servername field is maintained together with the session cache.
1369 - When a session is resumed, the servername call back invoked in order
1370 to allow the application to position itself to the right context.
1371 - The servername is acknowledged if it is new for a session or when
1372 it is identical to a previously used for the same session.
1373 Applications can control the behaviour. They can at any time
1374 set a 'desirable' servername for a new SSL object. This can be the
1375 case for example with HTTPS when a Host: header field is received and
1376 a renegotiation is requested. In this case, a possible servername
1377 presented in the new client hello is only acknowledged if it matches
1378 the value of the Host: field.
1379 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1380 if they provide for changing an explicit servername context for the session,
1381 i.e. when the session has been established with a servername extension.
1382 - On session reconnect, the servername extension may be absent.
1383
1384*/
1385
f1fd4544
BM		 1386 if (type == TLSEXT_TYPE_server_name)
1387 {
a70183bc 1388 unsigned char *sdata;
ed3883d2 1389 int servname_type;
a70183bc
BM		 1390 int dsize;
1391
1392 if (size < 2)
1393 {
1394 *al = SSL_AD_DECODE_ERROR;
1395 return 0;
1396 }
1397 n2s(data,dsize);
52b8dad8 1398 size -= 2;
a70183bc 1399 if (dsize > size )
f1fd4544 1400 {
a70183bc
BM		 1401 *al = SSL_AD_DECODE_ERROR;
1402 return 0;
1403 }
1404
1405 sdata = data;
1406 while (dsize > 3)
1407 {
1408 servname_type = *(sdata++);
ed3883d2 1409 n2s(sdata,len);
a70183bc
BM		 1410 dsize -= 3;
1411
1412 if (len > dsize)
f1fd4544
BM		 1413 {
1414 *al = SSL_AD_DECODE_ERROR;
1415 return 0;
1416 }
a70183bc 1417 if (s->servername_done == 0)
f1fd4544
BM		 1418 switch (servname_type)
1419 {
1420 case TLSEXT_NAMETYPE_host_name:
732d31be 1421 if (!s->hit)
f1fd4544 1422 {
732d31be
DSH		 1423 if(s->session->tlsext_hostname)
1424 {
1425 *al = SSL_AD_DECODE_ERROR;
1426 return 0;
1427 }
1428 if (len > TLSEXT_MAXLEN_host_name)
f1fd4544
BM		 1429 {
1430 *al = TLS1_AD_UNRECOGNIZED_NAME;
1431 return 0;
1432 }
732d31be
DSH		 1433 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1434 {
1435 *al = TLS1_AD_INTERNAL_ERROR;
1436 return 0;
1437 }
ed3883d2 1438 memcpy(s->session->tlsext_hostname, sdata, len);
a13c20f6
BM		 1439 s->session->tlsext_hostname[len]='\0';
1440 if (strlen(s->session->tlsext_hostname) != len) {
1441 OPENSSL_free(s->session->tlsext_hostname);
40a70628 1442 s->session->tlsext_hostname = NULL;
a13c20f6
BM		 1443 *al = TLS1_AD_UNRECOGNIZED_NAME;
1444 return 0;
f1fd4544 1445 }
a13c20f6
BM		 1446 s->servername_done = 1;
1447
a13c20f6
BM		 1448 }
1449 else
732d31be
DSH		 1450 s->servername_done = s->session->tlsext_hostname
1451 && strlen(s->session->tlsext_hostname) == len
6b9e941e 1452 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
a13c20f6 1453
ed3883d2 1454 break;
f1fd4544 1455
ed3883d2
BM		 1456 default:
1457 break;
f1fd4544 1458 }
52b8dad8 1459
a70183bc 1460 dsize -= len;
f1fd4544 1461 }
a70183bc
BM		 1462 if (dsize != 0)
1463 {
1464 *al = SSL_AD_DECODE_ERROR;
1465 return 0;
1466 }
1467
ed3883d2 1468 }
edc032b5
BL		 1469#ifndef OPENSSL_NO_SRP
1470 else if (type == TLSEXT_TYPE_srp)
1471 {
1df80b65
DSH		 1472 if (size <= 0 || ((len = data[0])) != (size -1))
1473 {
1474 *al = SSL_AD_DECODE_ERROR;
1475 return 0;
1476 }
1477 if (s->srp_ctx.login != NULL)
edc032b5 1478 {
1df80b65
DSH		 1479 *al = SSL_AD_DECODE_ERROR;
1480 return 0;
1481 }
1482 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1483 return -1;
1484 memcpy(s->srp_ctx.login, &data[1], len);
1485 s->srp_ctx.login[len]='\0';
1486
1487 if (strlen(s->srp_ctx.login) != len)
1488 {
1489 *al = SSL_AD_DECODE_ERROR;
1490 return 0;
edc032b5
BL		 1491 }
1492 }
1493#endif
ed3883d2 1494
36ca4ba6 1495#ifndef OPENSSL_NO_EC
8025e251
DSH		 1496 else if (type == TLSEXT_TYPE_ec_point_formats &&
1497 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1498 {
1499 unsigned char *sdata = data;
1500 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1501
1502 if (ecpointformatlist_length != size - 1)
1503 {
1504 *al = TLS1_AD_DECODE_ERROR;
1505 return 0;
1506 }
732d31be 1507 if (!s->hit)
36ca4ba6 1508 {
732d31be
DSH		 1509 if(s->session->tlsext_ecpointformatlist)
1510 {
7d5686d3
DSH		 1511 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1512 s->session->tlsext_ecpointformatlist = NULL;
732d31be
DSH		 1513 }
1514 s->session->tlsext_ecpointformatlist_length = 0;
1515 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1516 {
1517 *al = TLS1_AD_INTERNAL_ERROR;
1518 return 0;
1519 }
1520 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1521 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
36ca4ba6 1522 }
36ca4ba6
BM		 1523#if 0
1524 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1525 sdata = s->session->tlsext_ecpointformatlist;
1526 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1527 fprintf(stderr,"%i ",*(sdata++));
1528 fprintf(stderr,"\n");
33273721
BM		 1529#endif
1530 }
8025e251
DSH		 1531 else if (type == TLSEXT_TYPE_elliptic_curves &&
1532 s->version != DTLS1_VERSION)
33273721
BM		 1533 {
1534 unsigned char *sdata = data;
1535 int ellipticcurvelist_length = (*(sdata++) << 8);
1536 ellipticcurvelist_length += (*(sdata++));
1537
1538 if (ellipticcurvelist_length != size - 2)
1539 {
1540 *al = TLS1_AD_DECODE_ERROR;
1541 return 0;
1542 }
732d31be 1543 if (!s->hit)
33273721 1544 {
732d31be
DSH		 1545 if(s->session->tlsext_ellipticcurvelist)
1546 {
1547 *al = TLS1_AD_DECODE_ERROR;
1548 return 0;
1549 }
1550 s->session->tlsext_ellipticcurvelist_length = 0;
1551 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1552 {
1553 *al = TLS1_AD_INTERNAL_ERROR;
1554 return 0;
1555 }
1556 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1557 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
33273721 1558 }
33273721
BM		 1559#if 0
1560 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1561 sdata = s->session->tlsext_ellipticcurvelist;
1562 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1563 fprintf(stderr,"%i ",*(sdata++));
1564 fprintf(stderr,"\n");
36ca4ba6
BM		 1565#endif
1566 }
c6a27f01 1567#endif /* OPENSSL_NO_EC */
761772d7 1568#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1569 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1570 s->version != DTLS1_VERSION)
761772d7
BM		 1571 {
1572 unsigned char *sdata = data;
1573
1574 if (size < 2)
1575 {
1576 *al = SSL_AD_DECODE_ERROR;
1577 return 0;
1578 }
1579 n2s(sdata, s->s3->client_opaque_prf_input_len);
1580 if (s->s3->client_opaque_prf_input_len != size - 2)
1581 {
1582 *al = SSL_AD_DECODE_ERROR;
1583 return 0;
1584 }
1585
1586 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1587 OPENSSL_free(s->s3->client_opaque_prf_input);
02c27b11
BM		 1588 if (s->s3->client_opaque_prf_input_len == 0)
1589 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1590 else
1591 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
761772d7
BM		 1592 if (s->s3->client_opaque_prf_input == NULL)
1593 {
1594 *al = TLS1_AD_INTERNAL_ERROR;
1595 return 0;
1596 }
1597 }
1598#endif
12bf56c0
DSH		 1599 else if (type == TLSEXT_TYPE_session_ticket)
1600 {
1601 if (s->tls_session_ticket_ext_cb &&
1602 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1603 {
1604 *al = TLS1_AD_INTERNAL_ERROR;
1605 return 0;
1606 }
1607 }
860c3dd1
DSH		 1608 else if (type == TLSEXT_TYPE_renegotiate)
1609 {
1610 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1611 return 0;
1612 renegotiate_seen = 1;
1613 }
6b7be581
DSH		 1614 else if (type == TLSEXT_TYPE_signature_algorithms)
1615 {
1616 int dsize;
4453cd8c 1617 if (s->cert->peer_sigalgs || size < 2)
6b7be581
DSH		 1618 {
1619 *al = SSL_AD_DECODE_ERROR;
1620 return 0;
1621 }
6b7be581
DSH		 1622 n2s(data,dsize);
1623 size -= 2;
4453cd8c 1624 if (dsize != size || dsize & 1 || !dsize)
6b7be581
DSH		 1625 {
1626 *al = SSL_AD_DECODE_ERROR;
1627 return 0;
1628 }
1629 if (!tls1_process_sigalgs(s, data, dsize))
1630 {
1631 *al = SSL_AD_DECODE_ERROR;
1632 return 0;
1633 }
4453cd8c
DSH		 1634 /* If sigalgs received and no shared algorithms fatal
1635 * error.
1636 */
1637 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1638 {
1639 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1640 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1641 *al = SSL_AD_ILLEGAL_PARAMETER;
1642 return 0;
1643 }
6b7be581 1644 }
8025e251
DSH		 1645 else if (type == TLSEXT_TYPE_status_request &&
1646 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1647 {
1648
1649 if (size < 5)
1650 {
1651 *al = SSL_AD_DECODE_ERROR;
1652 return 0;
1653 }
1654
1655 s->tlsext_status_type = *data++;
1656 size--;
1657 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1658 {
1659 const unsigned char *sdata;
1660 int dsize;
1661 /* Read in responder_id_list */
1662 n2s(data,dsize);
1663 size -= 2;
1664 if (dsize > size )
1665 {
1666 *al = SSL_AD_DECODE_ERROR;
1667 return 0;
1668 }
1669 while (dsize > 0)
1670 {
1671 OCSP_RESPID *id;
1672 int idsize;
1673 if (dsize < 4)
1674 {
1675 *al = SSL_AD_DECODE_ERROR;
1676 return 0;
1677 }
1678 n2s(data, idsize);
1679 dsize -= 2 + idsize;
9770924f 1680 size -= 2 + idsize;
67c8e7f4
DSH		 1681 if (dsize < 0)
1682 {
1683 *al = SSL_AD_DECODE_ERROR;
1684 return 0;
1685 }
1686 sdata = data;
1687 data += idsize;
1688 id = d2i_OCSP_RESPID(NULL,
1689 &sdata, idsize);
1690 if (!id)
1691 {
1692 *al = SSL_AD_DECODE_ERROR;
1693 return 0;
1694 }
1695 if (data != sdata)
1696 {
1697 OCSP_RESPID_free(id);
1698 *al = SSL_AD_DECODE_ERROR;
1699 return 0;
1700 }
1701 if (!s->tlsext_ocsp_ids
1702 && !(s->tlsext_ocsp_ids =
1703 sk_OCSP_RESPID_new_null()))
1704 {
1705 OCSP_RESPID_free(id);
1706 *al = SSL_AD_INTERNAL_ERROR;
1707 return 0;
1708 }
1709 if (!sk_OCSP_RESPID_push(
1710 s->tlsext_ocsp_ids, id))
1711 {
1712 OCSP_RESPID_free(id);
1713 *al = SSL_AD_INTERNAL_ERROR;
1714 return 0;
1715 }
1716 }
1717
1718 /* Read in request_extensions */
9770924f
BM		 1719 if (size < 2)
1720 {
1721 *al = SSL_AD_DECODE_ERROR;
1722 return 0;
1723 }
67c8e7f4
DSH		 1724 n2s(data,dsize);
1725 size -= 2;
9770924f 1726 if (dsize != size)
67c8e7f4
DSH		 1727 {
1728 *al = SSL_AD_DECODE_ERROR;
1729 return 0;
1730 }
1731 sdata = data;
1732 if (dsize > 0)
1733 {
25536ea6
DSH		 1734 if (s->tlsext_ocsp_exts)
1735 {
1736 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1737 X509_EXTENSION_free);
1738 }
1739
67c8e7f4
DSH		 1740 s->tlsext_ocsp_exts =
1741 d2i_X509_EXTENSIONS(NULL,
1742 &sdata, dsize);
1743 if (!s->tlsext_ocsp_exts
1744 || (data + dsize != sdata))
1745 {
1746 *al = SSL_AD_DECODE_ERROR;
1747 return 0;
1748 }
1749 }
1750 }
1751 /* We don't know what to do with any other type
1752 * so ignore it.
1753 */
1754 else
1755 s->tlsext_status_type = -1;
1756 }
4817504d
DSH		 1757#ifndef OPENSSL_NO_HEARTBEATS
1758 else if (type == TLSEXT_TYPE_heartbeat)
1759 {
1760 switch(data[0])
1761 {
1762 case 0x01: /* Client allows us to send HB requests */
1763 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1764 break;
1765 case 0x02: /* Client doesn't accept HB requests */
1766 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1767 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1768 break;
192540b5
DSH		 1769 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1770 return 0;
4817504d
DSH		 1771 }
1772 }
1773#endif
bf48836c 1774#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 1775 else if (type == TLSEXT_TYPE_next_proto_neg &&
71fa4513 1776 s->s3->tmp.finish_md_len == 0)
ee2ffc27
BL		 1777 {
1778 /* We shouldn't accept this extension on a
1779 * renegotiation.
1780 *
1781 * s->new_session will be set on renegotiation, but we
1782 * probably shouldn't rely that it couldn't be set on
1783 * the initial renegotation too in certain cases (when
1784 * there's some other reason to disallow resuming an
1785 * earlier session -- the current code won't be doing
1786 * anything like that, but this might change).
1787
1788 * A valid sign that there's been a previous handshake
1789 * in this connection is if s->s3->tmp.finish_md_len >
1790 * 0. (We are talking about a check that will happen
1791 * in the Hello protocol round, well before a new
1792 * Finished message could have been computed.) */
1793 s->s3->next_proto_neg_seen = 1;
1794 }
1795#endif
761772d7 1796
6434abbf 1797 /* session ticket processed earlier */
333f926d
BL		 1798 else if (type == TLSEXT_TYPE_use_srtp)
1799 {
1800 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1801 al))
1802 return 0;
1803 }
1804
a9e1c50b
BL		 1805 else if (type == TLSEXT_TYPE_server_authz)
1806 {
1807 unsigned char *sdata = data;
1808 unsigned char server_authz_dataformatlist_length;
1809
1810 if (size == 0)
1811 {
1812 *al = TLS1_AD_DECODE_ERROR;
1813 return 0;
1814 }
1815
1816 server_authz_dataformatlist_length = *(sdata++);
1817
1818 if (server_authz_dataformatlist_length != size - 1)
1819 {
1820 *al = TLS1_AD_DECODE_ERROR;
1821 return 0;
1822 }
1823
1824 /* Successful session resumption uses the same authz
1825 * information as the original session so we ignore this
1826 * in the case of a session resumption. */
1827 if (!s->hit)
1828 {
1829 size_t i;
195b9eee
BL		 1830 if (s->s3->tlsext_authz_client_types != NULL)
1831 OPENSSL_free(s->s3->tlsext_authz_client_types);
a9e1c50b
BL		 1832 s->s3->tlsext_authz_client_types =
1833 OPENSSL_malloc(server_authz_dataformatlist_length);
1834 if (!s->s3->tlsext_authz_client_types)
1835 {
1836 *al = TLS1_AD_INTERNAL_ERROR;
1837 return 0;
1838 }
1839
1840 s->s3->tlsext_authz_client_types_len =
1841 server_authz_dataformatlist_length;
1842 memcpy(s->s3->tlsext_authz_client_types,
1843 sdata,
1844 server_authz_dataformatlist_length);
1845
1846 /* Sort the types in order to check for duplicates. */
1847 qsort(s->s3->tlsext_authz_client_types,
1848 server_authz_dataformatlist_length,
1849 1 /* element size */,
1850 byte_compare);
1851
1852 for (i = 0; i < server_authz_dataformatlist_length; i++)
1853 {
1854 if (i > 0 &&
1855 s->s3->tlsext_authz_client_types[i] ==
1856 s->s3->tlsext_authz_client_types[i-1])
1857 {
1858 *al = TLS1_AD_DECODE_ERROR;
1859 return 0;
1860 }
1861 }
1862 }
1863 }
1864
6434abbf 1865 data+=size;
f1fd4544 1866 }
a9e1c50b 1867
f1fd4544 1868 *p = data;
c27c9cb4
DSH		 1869
1870 ri_check:
1871
1872 /* Need RI if renegotiating */
1873
bdd53508 1874 if (!renegotiate_seen && s->renegotiate &&
c27c9cb4
DSH		 1875 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1876 {
fbed9f81 1877 *al = SSL_AD_HANDSHAKE_FAILURE;
aa09c2c6 1878 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
c27c9cb4
DSH		 1879 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1880 return 0;
1881 }
4453cd8c
DSH		 1882 /* If no signature algorithms extension set default values */
1883 if (!s->cert->peer_sigalgs)
1884 ssl_cert_set_default_md(s->cert);
c27c9cb4 1885
f1fd4544 1886 return 1;
52b8dad8 1887 }
f1fd4544 1888
b2284ed3
DSH		 1889int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
1890 {
1891 int al = -1;
1892 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
1893 {
1894 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1895 return 0;
1896 }
1897
1898 if (ssl_check_clienthello_tlsext(s) <= 0)
1899 {
aa09c2c6 1900 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
b2284ed3
DSH		 1901 return 0;
1902 }
1903 return 1;
1904}
1905
bf48836c 1906#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1907/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1908 * elements of zero length are allowed and the set of elements must exactly fill
1909 * the length of the block. */
71fa4513 1910static char ssl_next_proto_validate(unsigned char *d, unsigned len)
ee2ffc27
BL		 1911 {
1912 unsigned int off = 0;
1913
1914 while (off < len)
1915 {
1916 if (d[off] == 0)
1917 return 0;
1918 off += d[off];
1919 off++;
1920 }
1921
1922 return off == len;
1923 }
1924#endif
1925
09e4e4b9 1926static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
f1fd4544 1927 {
c8bbd98a 1928 unsigned short length;
ed3883d2
BM		 1929 unsigned short type;
1930 unsigned short size;
ed3883d2 1931 unsigned char *data = *p;
ed3883d2 1932 int tlsext_servername = 0;
860c3dd1 1933 int renegotiate_seen = 0;
ed3883d2 1934
6f31dd72
BM		 1935#ifndef OPENSSL_NO_NEXTPROTONEG
1936 s->s3->next_proto_neg_seen = 0;
1937#endif
1938
4817504d
DSH		 1939#ifndef OPENSSL_NO_HEARTBEATS
1940 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1941 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1942#endif
1943
ed3883d2 1944 if (data >= (d+n-2))
c27c9cb4 1945 goto ri_check;
ed3883d2 1946
c8bbd98a
BL		 1947 n2s(data,length);
1948 if (data+length != d+n)
1949 {
1950 *al = SSL_AD_DECODE_ERROR;
1951 return 0;
1952 }
ed3883d2 1953
f1fd4544
BM		 1954 while(data <= (d+n-4))
1955 {
ed3883d2
BM		 1956 n2s(data,type);
1957 n2s(data,size);
1958
1959 if (data+size > (d+n))
c27c9cb4 1960 goto ri_check;
f1fd4544 1961
6434abbf
DSH		 1962 if (s->tlsext_debug_cb)
1963 s->tlsext_debug_cb(s, 1, type, data, size,
1964 s->tlsext_debug_arg);
1965
f1fd4544
BM		 1966 if (type == TLSEXT_TYPE_server_name)
1967 {
1968 if (s->tlsext_hostname == NULL || size > 0)
1969 {
1970 *al = TLS1_AD_UNRECOGNIZED_NAME;
1971 return 0;
1972 }
ed3883d2 1973 tlsext_servername = 1;
f1fd4544 1974 }
ed3883d2 1975
36ca4ba6 1976#ifndef OPENSSL_NO_EC
8025e251
DSH		 1977 else if (type == TLSEXT_TYPE_ec_point_formats &&
1978 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1979 {
1980 unsigned char *sdata = data;
1981 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1982
1983 if (ecpointformatlist_length != size - 1)
1984 {
1985 *al = TLS1_AD_DECODE_ERROR;
1986 return 0;
1987 }
1988 s->session->tlsext_ecpointformatlist_length = 0;
b6acb8d0 1989 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
36ca4ba6
BM		 1990 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1991 {
1992 *al = TLS1_AD_INTERNAL_ERROR;
1993 return 0;
1994 }
1995 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1996 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1997#if 0
1998 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1999 sdata = s->session->tlsext_ecpointformatlist;
2000 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2001 fprintf(stderr,"%i ",*(sdata++));
2002 fprintf(stderr,"\n");
2003#endif
2004 }
c6a27f01 2005#endif /* OPENSSL_NO_EC */
6434abbf
DSH		 2006
2007 else if (type == TLSEXT_TYPE_session_ticket)
2008 {
12bf56c0
DSH		 2009 if (s->tls_session_ticket_ext_cb &&
2010 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2011 {
2012 *al = TLS1_AD_INTERNAL_ERROR;
2013 return 0;
2014 }
6434abbf
DSH		 2015 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2016 || (size > 0))
2017 {
2018 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2019 return 0;
2020 }
2021 s->tlsext_ticket_expected = 1;
2022 }
761772d7 2023#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 2024 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2025 s->version != DTLS1_VERSION)
761772d7
BM		 2026 {
2027 unsigned char *sdata = data;
2028
2029 if (size < 2)
2030 {
2031 *al = SSL_AD_DECODE_ERROR;
2032 return 0;
2033 }
2034 n2s(sdata, s->s3->server_opaque_prf_input_len);
2035 if (s->s3->server_opaque_prf_input_len != size - 2)
2036 {
2037 *al = SSL_AD_DECODE_ERROR;
2038 return 0;
2039 }
2040
2041 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2042 OPENSSL_free(s->s3->server_opaque_prf_input);
02c27b11
BM		 2043 if (s->s3->server_opaque_prf_input_len == 0)
2044 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2045 else
2046 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
761772d7
BM		 2047
2048 if (s->s3->server_opaque_prf_input == NULL)
2049 {
2050 *al = TLS1_AD_INTERNAL_ERROR;
2051 return 0;
2052 }
2053 }
2054#endif
8025e251
DSH		 2055 else if (type == TLSEXT_TYPE_status_request &&
2056 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 2057 {
2058 /* MUST be empty and only sent if we've requested
2059 * a status request message.
2060 */
2061 if ((s->tlsext_status_type == -1) || (size > 0))
2062 {
2063 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2064 return 0;
2065 }
2066 /* Set flag to expect CertificateStatus message */
2067 s->tlsext_status_expected = 1;
2068 }
bf48836c 2069#ifndef OPENSSL_NO_NEXTPROTONEG
6f31dd72
BM		 2070 else if (type == TLSEXT_TYPE_next_proto_neg &&
2071 s->s3->tmp.finish_md_len == 0)
ee2ffc27
BL		 2072 {
2073 unsigned char *selected;
2074 unsigned char selected_len;
2075
2076 /* We must have requested it. */
2077 if ((s->ctx->next_proto_select_cb == NULL))
2078 {
2079 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2080 return 0;
2081 }
2082 /* The data must be valid */
2083 if (!ssl_next_proto_validate(data, size))
2084 {
2085 *al = TLS1_AD_DECODE_ERROR;
2086 return 0;
2087 }
2088 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2089 {
2090 *al = TLS1_AD_INTERNAL_ERROR;
2091 return 0;
2092 }
2093 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2094 if (!s->next_proto_negotiated)
2095 {
2096 *al = TLS1_AD_INTERNAL_ERROR;
2097 return 0;
2098 }
2099 memcpy(s->next_proto_negotiated, selected, selected_len);
2100 s->next_proto_negotiated_len = selected_len;
6f31dd72 2101 s->s3->next_proto_neg_seen = 1;
ee2ffc27
BL		 2102 }
2103#endif
860c3dd1
DSH		 2104 else if (type == TLSEXT_TYPE_renegotiate)
2105 {
2106 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2107 return 0;
2108 renegotiate_seen = 1;
2109 }
4817504d
DSH		 2110#ifndef OPENSSL_NO_HEARTBEATS
2111 else if (type == TLSEXT_TYPE_heartbeat)
2112 {
2113 switch(data[0])
2114 {
2115 case 0x01: /* Server allows us to send HB requests */
2116 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2117 break;
2118 case 0x02: /* Server doesn't accept HB requests */
2119 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2120 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2121 break;
192540b5
DSH		 2122 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2123 return 0;
4817504d
DSH		 2124 }
2125 }
2126#endif
333f926d
BL		 2127 else if (type == TLSEXT_TYPE_use_srtp)
2128 {
2129 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2130 al))
2131 return 0;
2132 }
2133
a9e1c50b
BL		 2134 else if (type == TLSEXT_TYPE_server_authz)
2135 {
2136 /* We only support audit proofs. It's an error to send
2137 * an authz hello extension if the client
2138 * didn't request a proof. */
2139 unsigned char *sdata = data;
2140 unsigned char server_authz_dataformatlist_length;
2141
2142 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2143 {
2144 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2145 return 0;
2146 }
2147
2148 if (!size)
2149 {
2150 *al = TLS1_AD_DECODE_ERROR;
2151 return 0;
2152 }
2153
2154 server_authz_dataformatlist_length = *(sdata++);
2155 if (server_authz_dataformatlist_length != size - 1)
2156 {
2157 *al = TLS1_AD_DECODE_ERROR;
2158 return 0;
2159 }
2160
2161 /* We only support audit proofs, so a legal ServerHello
2162 * authz list contains exactly one entry. */
2163 if (server_authz_dataformatlist_length != 1 ||
2164 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2165 {
2166 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2167 return 0;
2168 }
2169
2170 s->s3->tlsext_authz_server_promised = 1;
2171 }
2172
2173 data += size;
f1fd4544 2174 }
ed3883d2
BM		 2175
2176 if (data != d+n)
f1fd4544
BM		 2177 {
2178 *al = SSL_AD_DECODE_ERROR;
2179 return 0;
2180 }
ed3883d2 2181
f1fd4544
BM		 2182 if (!s->hit && tlsext_servername == 1)
2183 {
2184 if (s->tlsext_hostname)
2185 {
2186 if (s->session->tlsext_hostname == NULL)
2187 {
ed3883d2
BM		 2188 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2189 if (!s->session->tlsext_hostname)
f1fd4544
BM		 2190 {
2191 *al = SSL_AD_UNRECOGNIZED_NAME;
2192 return 0;
2193 }
2194 }
2195 else
2196 {
2197 *al = SSL_AD_DECODE_ERROR;
2198 return 0;
2199 }
ed3883d2 2200 }
f1fd4544 2201 }
ed3883d2 2202
f1fd4544 2203 *p = data;
c27c9cb4
DSH		 2204
2205 ri_check:
2206
2207 /* Determine if we need to see RI. Strictly speaking if we want to
2208 * avoid an attack we should *always* see RI even on initial server
2209 * hello because the client doesn't see any renegotiation during an
2210 * attack. However this would mean we could not connect to any server
2211 * which doesn't support RI so for the immediate future tolerate RI
2212 * absence on initial connect only.
2213 */
c2c49969
DSH		 2214 if (!renegotiate_seen
2215 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
ef51b4b9 2216 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
c27c9cb4 2217 {
fbed9f81 2218 *al = SSL_AD_HANDSHAKE_FAILURE;
09e4e4b9 2219 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
c27c9cb4
DSH		 2220 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2221 return 0;
2222 }
2223
f1fd4544 2224 return 1;
52b8dad8 2225 }
ed3883d2 2226
b2172f4f 2227
36ca4ba6
BM		 2228int ssl_prepare_clienthello_tlsext(SSL *s)
2229 {
761772d7
BM		 2230
2231#ifdef TLSEXT_TYPE_opaque_prf_input
2232 {
2233 int r = 1;
2234
2235 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2236 {
2237 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2238 if (!r)
2239 return -1;
2240 }
2241
2242 if (s->tlsext_opaque_prf_input != NULL)
2243 {
2244 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2245 OPENSSL_free(s->s3->client_opaque_prf_input);
2246
02c27b11
BM		 2247 if (s->tlsext_opaque_prf_input_len == 0)
2248 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2249 else
2250 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 2251 if (s->s3->client_opaque_prf_input == NULL)
2252 {
2253 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2254 return -1;
2255 }
2256 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2257 }
2258
2259 if (r == 2)
2260 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2261 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2262 }
2263#endif
2264
36ca4ba6 2265 return 1;
52b8dad8 2266 }
36ca4ba6
BM		 2267
2268int ssl_prepare_serverhello_tlsext(SSL *s)
2269 {
2270#ifndef OPENSSL_NO_EC
b6acb8d0 2271 /* If we are server and using an ECC cipher suite, send the point formats we support
33273721
BM		 2272 * if the client sent us an ECPointsFormat extension. Note that the server is not
2273 * supposed to send an EllipticCurves extension.
36ca4ba6 2274 */
36ca4ba6 2275
52b8dad8
BM		 2276 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2277 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2278 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2279 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2280
36ca4ba6
BM		 2281 if (using_ecc)
2282 {
b6acb8d0
BM		 2283 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2284 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 2285 {
a291745e 2286 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 2287 return -1;
2288 }
b6acb8d0
BM		 2289 s->tlsext_ecpointformatlist_length = 3;
2290 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2291 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2292 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
36ca4ba6
BM		 2293 }
2294#endif /* OPENSSL_NO_EC */
761772d7 2295
36ca4ba6 2296 return 1;
52b8dad8 2297 }
36ca4ba6 2298
09e4e4b9 2299static int ssl_check_clienthello_tlsext(SSL *s)
f1fd4544 2300 {
241520e6 2301 int ret=SSL_TLSEXT_ERR_NOACK;
36ca4ba6
BM		 2302 int al = SSL_AD_UNRECOGNIZED_NAME;
2303
2304#ifndef OPENSSL_NO_EC
33273721
BM		 2305 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2306 * ssl3_choose_cipher in s3_lib.c.
2307 */
2308 /* The handling of the EllipticCurves extension is done elsewhere, namely in
2309 * ssl3_choose_cipher in s3_lib.c.
36ca4ba6
BM		 2310 */
2311#endif
2312
2313 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2314 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2315 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2316 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2317
67c8e7f4
DSH		 2318 /* If status request then ask callback what to do.
2319 * Note: this must be called after servername callbacks in case
2320 * the certificate has changed.
2321 */
2bd45dc9 2322 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 2323 {
2324 int r;
2325 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2326 switch (r)
2327 {
2328 /* We don't want to send a status request response */
2329 case SSL_TLSEXT_ERR_NOACK:
2330 s->tlsext_status_expected = 0;
2331 break;
2332 /* status request response should be sent */
2333 case SSL_TLSEXT_ERR_OK:
2334 if (s->tlsext_ocsp_resp)
2335 s->tlsext_status_expected = 1;
2336 else
2337 s->tlsext_status_expected = 0;
2338 break;
2339 /* something bad happened */
2340 case SSL_TLSEXT_ERR_ALERT_FATAL:
2341 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2342 al = SSL_AD_INTERNAL_ERROR;
2343 goto err;
2344 }
2345 }
2346 else
2347 s->tlsext_status_expected = 0;
761772d7
BM		 2348
2349#ifdef TLSEXT_TYPE_opaque_prf_input
2350 {
2351 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2352 * but we might be sending an alert in response to the client hello,
2353 * so this has to happen here in ssl_check_clienthello_tlsext(). */
2354
2355 int r = 1;
2356
2357 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2358 {
2359 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2360 if (!r)
2361 {
2362 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2363 al = SSL_AD_INTERNAL_ERROR;
2364 goto err;
2365 }
2366 }
2367
2368 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2369 OPENSSL_free(s->s3->server_opaque_prf_input);
2370 s->s3->server_opaque_prf_input = NULL;
2371
2372 if (s->tlsext_opaque_prf_input != NULL)
2373 {
2374 if (s->s3->client_opaque_prf_input != NULL &&
2375 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2376 {
2377 /* can only use this extension if we have a server opaque PRF input
2378 * of the same length as the client opaque PRF input! */
2379
02c27b11
BM		 2380 if (s->tlsext_opaque_prf_input_len == 0)
2381 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2382 else
2383 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 2384 if (s->s3->server_opaque_prf_input == NULL)
2385 {
2386 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2387 al = SSL_AD_INTERNAL_ERROR;
2388 goto err;
2389 }
2390 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2391 }
2392 }
2393
2394 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2395 {
2396 /* The callback wants to enforce use of the extension,
2397 * but we can't do that with the client opaque PRF input;
2398 * abort the handshake.
2399 */
2400 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2401 al = SSL_AD_HANDSHAKE_FAILURE;
2402 }
2403 }
761772d7 2404
67c8e7f4 2405#endif
761772d7 2406 err:
52b8dad8
BM		 2407 switch (ret)
2408 {
36ca4ba6
BM		 2409 case SSL_TLSEXT_ERR_ALERT_FATAL:
2410 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2411 return -1;
2412
2413 case SSL_TLSEXT_ERR_ALERT_WARNING:
2414 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2415 return 1;
2416
2417 case SSL_TLSEXT_ERR_NOACK:
2418 s->servername_done=0;
2419 default:
2420 return 1;
52b8dad8 2421 }
36ca4ba6 2422 }
f1fd4544 2423
36ca4ba6
BM		 2424int ssl_check_serverhello_tlsext(SSL *s)
2425 {
2426 int ret=SSL_TLSEXT_ERR_NOACK;
58ece833 2427 int al = SSL_AD_UNRECOGNIZED_NAME;
241520e6 2428
36ca4ba6 2429#ifndef OPENSSL_NO_EC
d0205686
DSH		 2430 /* If we are client and using an elliptic curve cryptography cipher
2431 * suite, then if server returns an EC point formats lists extension
2432 * it must contain uncompressed.
36ca4ba6 2433 */
52b8dad8
BM		 2434 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2435 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
36ca4ba6 2436 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
d0205686 2437 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
52b8dad8 2438 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 2439 {
2440 /* we are using an ECC cipher */
90bdfd97 2441 size_t i;
36ca4ba6
BM		 2442 unsigned char *list;
2443 int found_uncompressed = 0;
b9865f11 2444 list = s->session->tlsext_ecpointformatlist;
36ca4ba6
BM		 2445 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2446 {
2447 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2448 {
2449 found_uncompressed = 1;
2450 break;
2451 }
2452 }
2453 if (!found_uncompressed)
2454 {
a291745e 2455 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
36ca4ba6
BM		 2456 return -1;
2457 }
2458 }
2459 ret = SSL_TLSEXT_ERR_OK;
2460#endif /* OPENSSL_NO_EC */
2461
241520e6 2462 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
58ece833 2463 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
241520e6 2464 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
58ece833 2465 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
241520e6 2466
761772d7
BM		 2467#ifdef TLSEXT_TYPE_opaque_prf_input
2468 if (s->s3->server_opaque_prf_input_len > 0)
2469 {
2470 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2471 * So first verify that we really have a value from the server too. */
2472
2473 if (s->s3->server_opaque_prf_input == NULL)
2474 {
2475 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2476 al = SSL_AD_HANDSHAKE_FAILURE;
2477 }
2478
2479 /* Anytime the server *has* sent an opaque PRF input, we need to check
2480 * that we have a client opaque PRF input of the same size. */
2481 if (s->s3->client_opaque_prf_input == NULL ||
2482 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2483 {
2484 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2485 al = SSL_AD_ILLEGAL_PARAMETER;
2486 }
2487 }
2488#endif
2489
04e2ab2c
DSH		 2490 /* If we've requested certificate status and we wont get one
2491 * tell the callback
2492 */
2493 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
121f9e74 2494 && s->ctx && s->ctx->tlsext_status_cb)
04e2ab2c
DSH		 2495 {
2496 int r;
2497 /* Set resp to NULL, resplen to -1 so callback knows
2498 * there is no response.
2499 */
2500 if (s->tlsext_ocsp_resp)
2501 {
2502 OPENSSL_free(s->tlsext_ocsp_resp);
2503 s->tlsext_ocsp_resp = NULL;
2504 }
2505 s->tlsext_ocsp_resplen = -1;
2506 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2507 if (r == 0)
2508 {
2509 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2510 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2511 }
2512 if (r < 0)
2513 {
2514 al = SSL_AD_INTERNAL_ERROR;
2515 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2516 }
2517 }
2518
52b8dad8
BM		 2519 switch (ret)
2520 {
58ece833
BM		 2521 case SSL_TLSEXT_ERR_ALERT_FATAL:
2522 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2523 return -1;
2524
2525 case SSL_TLSEXT_ERR_ALERT_WARNING:
2526 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2527 return 1;
2528
2529 case SSL_TLSEXT_ERR_NOACK:
2530 s->servername_done=0;
2531 default:
2532 return 1;
52b8dad8 2533 }
f1fd4544 2534 }
33273721 2535
09e4e4b9
DSH		 2536int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2537 {
2538 int al = -1;
2539 if (s->version < SSL3_VERSION)
2540 return 1;
2541 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
2542 {
2543 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2544 return 0;
2545 }
2546
2547 if (ssl_check_serverhello_tlsext(s) <= 0)
2548 {
2549 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2550 return 0;
2551 }
2552 return 1;
2553}
2554
c519e89f
BM		 2555/* Since the server cache lookup is done early on in the processing of the
2556 * ClientHello, and other operations depend on the result, we need to handle
2557 * any TLS session ticket extension at the same time.
2558 *
2559 * session_id: points at the session ID in the ClientHello. This code will
2560 * read past the end of this in order to parse out the session ticket
2561 * extension, if any.
2562 * len: the length of the session ID.
2563 * limit: a pointer to the first byte after the ClientHello.
2564 * ret: (output) on return, if a ticket was decrypted, then this is set to
2565 * point to the resulting session.
2566 *
2567 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2568 * ciphersuite, in which case we have no use for session tickets and one will
2569 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2570 *
2571 * Returns:
2572 * -1: fatal error, either from parsing or decrypting the ticket.
2573 * 0: no ticket was found (or was ignored, based on settings).
2574 * 1: a zero length extension was found, indicating that the client supports
2575 * session tickets but doesn't currently have one to offer.
2576 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2577 * couldn't be decrypted because of a non-fatal error.
2578 * 3: a ticket was successfully decrypted and *ret was set.
2579 *
2580 * Side effects:
2581 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2582 * a new session ticket to the client because the client indicated support
2583 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2584 * a session ticket or we couldn't use the one it gave us, or if
2585 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2586 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2587 */
6434abbf 2588int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
c519e89f 2589 const unsigned char *limit, SSL_SESSION **ret)
6434abbf
DSH		 2590 {
2591 /* Point after session ID in client hello */
2592 const unsigned char *p = session_id + len;
2593 unsigned short i;
e8da6a1d 2594
c519e89f
BM		 2595 *ret = NULL;
2596 s->tlsext_ticket_expected = 0;
2597
e8da6a1d 2598 /* If tickets disabled behave as if no ticket present
c519e89f
BM		 2599 * to permit stateful resumption.
2600 */
e8da6a1d 2601 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
c519e89f 2602 return 0;
6434abbf 2603 if ((s->version <= SSL3_VERSION) || !limit)
c519e89f 2604 return 0;
6434abbf
DSH		 2605 if (p >= limit)
2606 return -1;
07a9d1a2
DSH		 2607 /* Skip past DTLS cookie */
2608 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2609 {
2610 i = *(p++);
2611 p+= i;
2612 if (p >= limit)
2613 return -1;
2614 }
6434abbf
DSH		 2615 /* Skip past cipher list */
2616 n2s(p, i);
2617 p+= i;
2618 if (p >= limit)
2619 return -1;
2620 /* Skip past compression algorithm list */
2621 i = *(p++);
2622 p += i;
2623 if (p > limit)
2624 return -1;
2625 /* Now at start of extensions */
2626 if ((p + 2) >= limit)
c519e89f 2627 return 0;
6434abbf
DSH		 2628 n2s(p, i);
2629 while ((p + 4) <= limit)
2630 {
2631 unsigned short type, size;
2632 n2s(p, type);
2633 n2s(p, size);
2634 if (p + size > limit)
c519e89f 2635 return 0;
6434abbf
DSH		 2636 if (type == TLSEXT_TYPE_session_ticket)
2637 {
c519e89f 2638 int r;
6434abbf
DSH		 2639 if (size == 0)
2640 {
c519e89f
BM		 2641 /* The client will accept a ticket but doesn't
2642 * currently have one. */
6434abbf 2643 s->tlsext_ticket_expected = 1;
c519e89f 2644 return 1;
6434abbf 2645 }
12bf56c0
DSH		 2646 if (s->tls_session_secret_cb)
2647 {
c519e89f
BM		 2648 /* Indicate that the ticket couldn't be
2649 * decrypted rather than generating the session
2650 * from ticket now, trigger abbreviated
2651 * handshake based on external mechanism to
2652 * calculate the master secret later. */
2653 return 2;
2654 }
2655 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2656 switch (r)
2657 {
2658 case 2: /* ticket couldn't be decrypted */
2659 s->tlsext_ticket_expected = 1;
2660 return 2;
2661 case 3: /* ticket was decrypted */
2662 return r;
2663 case 4: /* ticket decrypted but need to renew */
2664 s->tlsext_ticket_expected = 1;
2665 return 3;
2666 default: /* fatal error */
2667 return -1;
12bf56c0 2668 }
6434abbf
DSH		 2669 }
2670 p += size;
2671 }
c519e89f 2672 return 0;
6434abbf
DSH		 2673 }
2674
c519e89f
BM		 2675/* tls_decrypt_ticket attempts to decrypt a session ticket.
2676 *
2677 * etick: points to the body of the session ticket extension.
2678 * eticklen: the length of the session tickets extenion.
2679 * sess_id: points at the session ID.
2680 * sesslen: the length of the session ID.
2681 * psess: (output) on return, if a ticket was decrypted, then this is set to
2682 * point to the resulting session.
2683 *
2684 * Returns:
2685 * -1: fatal error, either from parsing or decrypting the ticket.
2686 * 2: the ticket couldn't be decrypted.
2687 * 3: a ticket was successfully decrypted and *psess was set.
2688 * 4: same as 3, but the ticket needs to be renewed.
2689 */
6434abbf
DSH		 2690static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2691 const unsigned char *sess_id, int sesslen,
2692 SSL_SESSION **psess)
2693 {
2694 SSL_SESSION *sess;
2695 unsigned char *sdec;
2696 const unsigned char *p;
8a2062fe 2697 int slen, mlen, renew_ticket = 0;
6434abbf
DSH		 2698 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2699 HMAC_CTX hctx;
2700 EVP_CIPHER_CTX ctx;
661dc143 2701 SSL_CTX *tctx = s->initial_ctx;
8a2062fe
DSH		 2702 /* Need at least keyname + iv + some encrypted data */
2703 if (eticklen < 48)
c519e89f 2704 return 2;
8a2062fe
DSH		 2705 /* Initialize session ticket encryption and HMAC contexts */
2706 HMAC_CTX_init(&hctx);
2707 EVP_CIPHER_CTX_init(&ctx);
661dc143 2708 if (tctx->tlsext_ticket_key_cb)
8a2062fe
DSH		 2709 {
2710 unsigned char *nctick = (unsigned char *)etick;
661dc143 2711 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
8a2062fe
DSH		 2712 &ctx, &hctx, 0);
2713 if (rv < 0)
2714 return -1;
2715 if (rv == 0)
c519e89f 2716 return 2;
8a2062fe
DSH		 2717 if (rv == 2)
2718 renew_ticket = 1;
2719 }
2720 else
2721 {
2722 /* Check key name matches */
661dc143 2723 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
c519e89f 2724 return 2;
661dc143 2725 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
8a2062fe
DSH		 2726 tlsext_tick_md(), NULL);
2727 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
661dc143 2728 tctx->tlsext_tick_aes_key, etick + 16);
8a2062fe 2729 }
6434abbf 2730 /* Attempt to process session ticket, first conduct sanity and
c519e89f
BM		 2731 * integrity checks on ticket.
2732 */
8a2062fe 2733 mlen = HMAC_size(&hctx);
0eab41fb
BL		 2734 if (mlen < 0)
2735 {
2736 EVP_CIPHER_CTX_cleanup(&ctx);
2737 return -1;
2738 }
6434abbf 2739 eticklen -= mlen;
6434abbf 2740 /* Check HMAC of encrypted ticket */
6434abbf
DSH		 2741 HMAC_Update(&hctx, etick, eticklen);
2742 HMAC_Final(&hctx, tick_hmac, NULL);
2743 HMAC_CTX_cleanup(&hctx);
2744 if (memcmp(tick_hmac, etick + eticklen, mlen))
c519e89f 2745 return 2;
6434abbf 2746 /* Attempt to decrypt session data */
6434abbf 2747 /* Move p after IV to start of encrypted ticket, update length */
8a2062fe
DSH		 2748 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2749 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
6434abbf
DSH		 2750 sdec = OPENSSL_malloc(eticklen);
2751 if (!sdec)
2752 {
2753 EVP_CIPHER_CTX_cleanup(&ctx);
2754 return -1;
2755 }
2756 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2757 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
c519e89f 2758 return 2;
6434abbf
DSH		 2759 slen += mlen;
2760 EVP_CIPHER_CTX_cleanup(&ctx);
2761 p = sdec;
c519e89f 2762
6434abbf
DSH		 2763 sess = d2i_SSL_SESSION(NULL, &p, slen);
2764 OPENSSL_free(sdec);
2765 if (sess)
2766 {
c519e89f
BM		 2767 /* The session ID, if non-empty, is used by some clients to
2768 * detect that the ticket has been accepted. So we copy it to
2769 * the session structure. If it is empty set length to zero
2770 * as required by standard.
2771 */
6434abbf
DSH		 2772 if (sesslen)
2773 memcpy(sess->session_id, sess_id, sesslen);
2774 sess->session_id_length = sesslen;
2775 *psess = sess;
c519e89f
BM		 2776 if (renew_ticket)
2777 return 4;
2778 else
2779 return 3;
6434abbf 2780 }
c519e89f
BM		 2781 ERR_clear_error();
2782 /* For session parse failure, indicate that we need to send a new
2783 * ticket. */
2784 return 2;
6434abbf 2785 }
6434abbf 2786
6b7be581
DSH		 2787/* Tables to translate from NIDs to TLS v1.2 ids */
2788
2789typedef struct
2790 {
2791 int nid;
2792 int id;
2793 } tls12_lookup;
2794
2795static tls12_lookup tls12_md[] = {
6b7be581 2796 {NID_md5, TLSEXT_hash_md5},
6b7be581 2797 {NID_sha1, TLSEXT_hash_sha1},
6b7be581
DSH		 2798 {NID_sha224, TLSEXT_hash_sha224},
2799 {NID_sha256, TLSEXT_hash_sha256},
6b7be581
DSH		 2800 {NID_sha384, TLSEXT_hash_sha384},
2801 {NID_sha512, TLSEXT_hash_sha512}
6b7be581
DSH		 2802};
2803
2804static tls12_lookup tls12_sig[] = {
6b7be581 2805 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
6b7be581 2806 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
6b7be581 2807 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
6b7be581
DSH		 2808};
2809
2810static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2811 {
2812 size_t i;
2813 for (i = 0; i < tlen; i++)
2814 {
2815 if (table[i].nid == nid)
2816 return table[i].id;
2817 }
2818 return -1;
2819 }
e7f8ff43 2820
6b7be581
DSH		 2821static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2822 {
2823 size_t i;
2824 for (i = 0; i < tlen; i++)
2825 {
e7f8ff43 2826 if ((table[i].id) == id)
6b7be581
DSH		 2827 return table[i].nid;
2828 }
e7f8ff43 2829 return NID_undef;
6b7be581 2830 }
a2f9200f
DSH		 2831
2832int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
6b7be581
DSH		 2833 {
2834 int sig_id, md_id;
1db5f356
DSH		 2835 if (!md)
2836 return 0;
6b7be581
DSH		 2837 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2838 sizeof(tls12_md)/sizeof(tls12_lookup));
2839 if (md_id == -1)
2840 return 0;
a2f9200f 2841 sig_id = tls12_get_sigid(pk);
6b7be581
DSH		 2842 if (sig_id == -1)
2843 return 0;
2844 p[0] = (unsigned char)md_id;
2845 p[1] = (unsigned char)sig_id;
2846 return 1;
2847 }
2848
a2f9200f
DSH		 2849int tls12_get_sigid(const EVP_PKEY *pk)
2850 {
2851 return tls12_find_id(pk->type, tls12_sig,
2852 sizeof(tls12_sig)/sizeof(tls12_lookup));
2853 }
2854
2855const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2856 {
2857 switch(hash_alg)
2858 {
2859#ifndef OPENSSL_NO_MD5
2860 case TLSEXT_hash_md5:
ebc5e72f
DSH		 2861#ifdef OPENSSL_FIPS
2862 if (FIPS_mode())
2863 return NULL;
2864#endif
a2f9200f
DSH		 2865 return EVP_md5();
2866#endif
2867#ifndef OPENSSL_NO_SHA
2868 case TLSEXT_hash_sha1:
2869 return EVP_sha1();
2870#endif
2871#ifndef OPENSSL_NO_SHA256
2872 case TLSEXT_hash_sha224:
2873 return EVP_sha224();
2874
2875 case TLSEXT_hash_sha256:
2876 return EVP_sha256();
2877#endif
2878#ifndef OPENSSL_NO_SHA512
2879 case TLSEXT_hash_sha384:
2880 return EVP_sha384();
2881
2882 case TLSEXT_hash_sha512:
2883 return EVP_sha512();
2884#endif
2885 default:
2886 return NULL;
2887
2888 }
2889 }
2890
4453cd8c
DSH		 2891static int tls12_get_pkey_idx(unsigned char sig_alg)
2892 {
2893 switch(sig_alg)
2894 {
2895#ifndef OPENSSL_NO_RSA
2896 case TLSEXT_signature_rsa:
2897 return SSL_PKEY_RSA_SIGN;
2898#endif
2899#ifndef OPENSSL_NO_DSA
2900 case TLSEXT_signature_dsa:
2901 return SSL_PKEY_DSA_SIGN;
2902#endif
2903#ifndef OPENSSL_NO_ECDSA
2904 case TLSEXT_signature_ecdsa:
2905 return SSL_PKEY_ECC;
2906#endif
2907 }
2908 return -1;
2909 }
2910
2911/* Convert TLS 1.2 signature algorithm extension values into NIDs */
2912static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2913 int *psignhash_nid, const unsigned char *data)
2914 {
2915 int sign_nid, hash_nid;
2916 if (!phash_nid && !psign_nid && !psignhash_nid)
2917 return;
2918 if (phash_nid || psignhash_nid)
2919 {
2920 hash_nid = tls12_find_nid(data[0], tls12_md,
2921 sizeof(tls12_md)/sizeof(tls12_lookup));
2922 if (phash_nid)
2923 *phash_nid = hash_nid;
2924 }
2925 if (psign_nid || psignhash_nid)
2926 {
2927 sign_nid = tls12_find_nid(data[1], tls12_sig,
2928 sizeof(tls12_sig)/sizeof(tls12_lookup));
2929 if (psign_nid)
2930 *psign_nid = sign_nid;
2931 }
2932 if (psignhash_nid)
2933 {
2934 if (sign_nid && hash_nid)
2935 OBJ_find_sigid_by_algs(psignhash_nid,
2936 hash_nid, sign_nid);
2937 else
2938 *psignhash_nid = NID_undef;
2939 }
2940 }
2941/* Given preference and allowed sigalgs set shared sigalgs */
2942static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2943 const unsigned char *pref, size_t preflen,
2944 const unsigned char *allow, size_t allowlen)
2945 {
2946 const unsigned char *ptmp, *atmp;
2947 size_t i, j, nmatch = 0;
2948 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2949 {
2950 /* Skip disabled hashes or signature algorithms */
2951 if (tls12_get_hash(ptmp[0]) == NULL)
2952 continue;
2953 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2954 continue;
2955 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2956 {
2957 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2958 {
2959 nmatch++;
2960 if (shsig)
2961 {
2962 shsig->rhash = ptmp[0];
2963 shsig->rsign = ptmp[1];
2964 tls1_lookup_sigalg(&shsig->hash_nid,
2965 &shsig->sign_nid,
2966 &shsig->signandhash_nid,
2967 ptmp);
2968 shsig++;
2969 }
2970 break;
2971 }
2972 }
2973 }
2974 return nmatch;
2975 }
2976
2977/* Set shared signature algorithms for SSL structures */
2978static int tls1_set_shared_sigalgs(SSL *s)
2979 {
2980 const unsigned char *pref, *allow, *conf;
2981 size_t preflen, allowlen, conflen;
2982 size_t nmatch;
2983 TLS_SIGALGS *salgs = NULL;
2984 CERT *c = s->cert;
3dbc46df
DSH		 2985 /* If client use client signature algorithms if not NULL */
2986 if (!s->server && c->client_sigalgs)
2987 {
2988 conf = c->client_sigalgs;
2989 conflen = c->client_sigalgslen;
2990 }
2991 else if (c->conf_sigalgs)
2992 {
2993 conf = c->conf_sigalgs;
4453cd8c 2994 conflen = c->conf_sigalgslen;
3dbc46df 2995 }
4453cd8c
DSH		 2996 else
2997 {
2998 conf = tls12_sigalgs;
2999 conflen = sizeof(tls12_sigalgs);
3000#ifdef OPENSSL_FIPS
3001 if (FIPS_mode())
3002 conflen -= 2;
3003#endif
3004 }
3005 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
3006 {
3007 pref = conf;
3008 preflen = conflen;
3009 allow = c->peer_sigalgs;
3010 allowlen = c->peer_sigalgslen;
3011 }
3012 else
3013 {
3014 allow = conf;
3015 allowlen = conflen;
3016 pref = c->peer_sigalgs;
3017 preflen = c->peer_sigalgslen;
3018 }
3019 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3020 if (!nmatch)
3021 return 1;
3022 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3023 if (!salgs)
3024 return 0;
3025 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3026 c->shared_sigalgs = salgs;
3027 c->shared_sigalgslen = nmatch;
3028 return 1;
3029 }
3030
3031
6b7be581
DSH		 3032/* Set preferred digest for each key type */
3033
8f829124 3034int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
6b7be581 3035 {
4453cd8c
DSH		 3036 int idx;
3037 size_t i;
6b7be581
DSH		 3038 const EVP_MD *md;
3039 CERT *c = s->cert;
e7f8ff43 3040 TLS_SIGALGS *sigptr;
6b7be581 3041 /* Extension ignored for TLS versions below 1.2 */
238b6361 3042 if (TLS1_get_version(s) < TLS1_2_VERSION)
6b7be581 3043 return 1;
8f829124
DSH		 3044 /* Should never happen */
3045 if (!c)
3046 return 0;
6b7be581
DSH		 3047
3048 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3049 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3050 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3051 c->pkeys[SSL_PKEY_ECC].digest = NULL;
3052
4453cd8c 3053 c->peer_sigalgs = OPENSSL_malloc(dsize);
0f229cce 3054 if (!c->peer_sigalgs)
e7f8ff43 3055 return 0;
4453cd8c
DSH		 3056 c->peer_sigalgslen = dsize;
3057 memcpy(c->peer_sigalgs, data, dsize);
6b7be581 3058
4453cd8c 3059 tls1_set_shared_sigalgs(s);
6b7be581 3060
4453cd8c
DSH		 3061 for (i = 0, sigptr = c->shared_sigalgs;
3062 i < c->shared_sigalgslen; i++, sigptr++)
3063 {
3064 idx = tls12_get_pkey_idx(sigptr->rsign);
3065 if (idx > 0 && c->pkeys[idx].digest == NULL)
6b7be581 3066 {
e7f8ff43 3067 md = tls12_get_hash(sigptr->rhash);
4453cd8c
DSH		 3068 c->pkeys[idx].digest = md;
3069 if (idx == SSL_PKEY_RSA_SIGN)
3070 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
6b7be581
DSH		 3071 }
3072
6b7be581 3073 }
d61ff83b
DSH		 3074 /* In strict mode leave unset digests as NULL to indicate we can't
3075 * use the certificate for signing.
6b7be581 3076 */
d61ff83b
DSH		 3077 if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
3078 {
3079 /* Set any remaining keys to default values. NOTE: if alg is
3080 * not supported it stays as NULL.
3081 */
6b7be581 3082#ifndef OPENSSL_NO_DSA
d61ff83b
DSH		 3083 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3084 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
6b7be581
DSH		 3085#endif
3086#ifndef OPENSSL_NO_RSA
d61ff83b
DSH		 3087 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3088 {
3089 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3090 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3091 }
6b7be581
DSH		 3092#endif
3093#ifndef OPENSSL_NO_ECDSA
d61ff83b
DSH		 3094 if (!c->pkeys[SSL_PKEY_ECC].digest)
3095 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
6b7be581 3096#endif
d61ff83b 3097 }
6b7be581
DSH		 3098 return 1;
3099 }
3100
4817504d 3101
e7f8ff43 3102int SSL_get_sigalgs(SSL *s, int idx,
4453cd8c 3103 int *psign, int *phash, int *psignhash,
e7f8ff43
DSH		 3104 unsigned char *rsig, unsigned char *rhash)
3105 {
4453cd8c
DSH		 3106 const unsigned char *psig = s->cert->peer_sigalgs;
3107 if (psig == NULL)
e7f8ff43
DSH		 3108 return 0;
3109 if (idx >= 0)
3110 {
4453cd8c 3111 idx <<= 1;
0f229cce 3112 if (idx >= (int)s->cert->peer_sigalgslen)
e7f8ff43 3113 return 0;
4453cd8c 3114 psig += idx;
e7f8ff43 3115 if (rhash)
4453cd8c
DSH		 3116 *rhash = psig[0];
3117 if (rsig)
3118 *rsig = psig[1];
3119 tls1_lookup_sigalg(phash, psign, psignhash, psig);
e7f8ff43 3120 }
4453cd8c
DSH		 3121 return s->cert->peer_sigalgslen / 2;
3122 }
3123
3124int SSL_get_shared_sigalgs(SSL *s, int idx,
3125 int *psign, int *phash, int *psignhash,
3126 unsigned char *rsig, unsigned char *rhash)
3127 {
3128 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3129 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3130 return 0;
3131 shsigalgs += idx;
3132 if (phash)
3133 *phash = shsigalgs->hash_nid;
3134 if (psign)
3135 *psign = shsigalgs->sign_nid;
3136 if (psignhash)
3137 *psignhash = shsigalgs->signandhash_nid;
3138 if (rsig)
3139 *rsig = shsigalgs->rsign;
3140 if (rhash)
3141 *rhash = shsigalgs->rhash;
3142 return s->cert->shared_sigalgslen;
e7f8ff43
DSH		 3143 }
3144
3145
4817504d
DSH		 3146#ifndef OPENSSL_NO_HEARTBEATS
3147int
3148tls1_process_heartbeat(SSL *s)
3149 {
3150 unsigned char *p = &s->s3->rrec.data[0], *pl;
3151 unsigned short hbtype;
3152 unsigned int payload;
3153 unsigned int padding = 16; /* Use minimum padding */
3154
3155 /* Read type and payload length first */
3156 hbtype = *p++;
3157 n2s(p, payload);
3158 pl = p;
3159
3160 if (s->msg_callback)
3161 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3162 &s->s3->rrec.data[0], s->s3->rrec.length,
3163 s, s->msg_callback_arg);
3164
3165 if (hbtype == TLS1_HB_REQUEST)
3166 {
3167 unsigned char *buffer, *bp;
3168 int r;
3169
3170 /* Allocate memory for the response, size is 1 bytes
3171 * message type, plus 2 bytes payload length, plus
3172 * payload, plus padding
3173 */
3174 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3175 bp = buffer;
3176
3177 /* Enter response type, length and copy payload */
3178 *bp++ = TLS1_HB_RESPONSE;
3179 s2n(payload, bp);
3180 memcpy(bp, pl, payload);
57cb030c
DSH		 3181 bp += payload;
3182 /* Random padding */
3183 RAND_pseudo_bytes(bp, padding);
3184
4817504d
DSH		 3185 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3186
3187 if (r >= 0 && s->msg_callback)
3188 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3189 buffer, 3 + payload + padding,
3190 s, s->msg_callback_arg);
3191
3192 OPENSSL_free(buffer);
3193
3194 if (r < 0)
3195 return r;
3196 }
3197 else if (hbtype == TLS1_HB_RESPONSE)
3198 {
3199 unsigned int seq;
3200
3201 /* We only send sequence numbers (2 bytes unsigned int),
3202 * and 16 random bytes, so we just try to read the
3203 * sequence number */
3204 n2s(pl, seq);
3205
3206 if (payload == 18 && seq == s->tlsext_hb_seq)
3207 {
3208 s->tlsext_hb_seq++;
3209 s->tlsext_hb_pending = 0;
3210 }
3211 }
3212
3213 return 0;
3214 }
3215
3216int
3217tls1_heartbeat(SSL *s)
3218 {
3219 unsigned char *buf, *p;
3220 int ret;
3221 unsigned int payload = 18; /* Sequence number + random bytes */
3222 unsigned int padding = 16; /* Use minimum padding */
3223
3224 /* Only send if peer supports and accepts HB requests... */
3225 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3226 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3227 {
3228 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3229 return -1;
3230 }
3231
3232 /* ...and there is none in flight yet... */
3233 if (s->tlsext_hb_pending)
3234 {
3235 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3236 return -1;
3237 }
3238
3239 /* ...and no handshake in progress. */
3240 if (SSL_in_init(s) || s->in_handshake)
3241 {
3242 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3243 return -1;
3244 }
3245
3246 /* Check if padding is too long, payload and padding
3247 * must not exceed 2^14 - 3 = 16381 bytes in total.
3248 */
3249 OPENSSL_assert(payload + padding <= 16381);
3250
3251 /* Create HeartBeat message, we just use a sequence number
3252 * as payload to distuingish different messages and add
3253 * some random stuff.
3254 * - Message Type, 1 byte
3255 * - Payload Length, 2 bytes (unsigned int)
3256 * - Payload, the sequence number (2 bytes uint)
3257 * - Payload, random bytes (16 bytes uint)
3258 * - Padding
3259 */
3260 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3261 p = buf;
3262 /* Message Type */
3263 *p++ = TLS1_HB_REQUEST;
3264 /* Payload length (18 bytes here) */
3265 s2n(payload, p);
3266 /* Sequence number */
3267 s2n(s->tlsext_hb_seq, p);
3268 /* 16 random bytes */
3269 RAND_pseudo_bytes(p, 16);
3270 p += 16;
3271 /* Random padding */
3272 RAND_pseudo_bytes(p, padding);
3273
3274 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3275 if (ret >= 0)
3276 {
3277 if (s->msg_callback)
3278 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3279 buf, 3 + payload + padding,
3280 s, s->msg_callback_arg);
3281
3282 s->tlsext_hb_pending = 1;
3283 }
3284
3285 OPENSSL_free(buf);
3286
3287 return ret;
3288 }
3289#endif
0f229cce 3290
4453cd8c 3291#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce
DSH		 3292
3293typedef struct
3294 {
3295 size_t sigalgcnt;
3296 int sigalgs[MAX_SIGALGLEN];
3297 } sig_cb_st;
3298
3299static int sig_cb(const char *elem, int len, void *arg)
3300 {
3301 sig_cb_st *sarg = arg;
3302 size_t i;
3303 char etmp[20], *p;
3304 int sig_alg, hash_alg;
3305 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3306 return 0;
3307 if (len > (int)(sizeof(etmp) - 1))
3308 return 0;
3309 memcpy(etmp, elem, len);
3310 etmp[len] = 0;
3311 p = strchr(etmp, '+');
3312 if (!p)
3313 return 0;
3314 *p = 0;
3315 p++;
3316 if (!*p)
3317 return 0;
3318
3319 if (!strcmp(etmp, "RSA"))
3320 sig_alg = EVP_PKEY_RSA;
3321 else if (!strcmp(etmp, "DSA"))
3322 sig_alg = EVP_PKEY_DSA;
3323 else if (!strcmp(etmp, "ECDSA"))
3324 sig_alg = EVP_PKEY_EC;
3325 else return 0;
3326
3327 hash_alg = OBJ_sn2nid(p);
3328 if (hash_alg == NID_undef)
3329 hash_alg = OBJ_ln2nid(p);
3330 if (hash_alg == NID_undef)
3331 return 0;
3332
3333 for (i = 0; i < sarg->sigalgcnt; i+=2)
3334 {
3335 if (sarg->sigalgs[i] == sig_alg
3336 && sarg->sigalgs[i + 1] == hash_alg)
3337 return 0;
3338 }
3339 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3340 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3341 return 1;
3342 }
3343
3344/* Set suppored signature algorithms based on a colon separated list
3345 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3dbc46df 3346int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f229cce
DSH		 3347 {
3348 sig_cb_st sig;
3349 sig.sigalgcnt = 0;
3350 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3351 return 0;
3dbc46df 3352 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
0f229cce
DSH		 3353 }
3354
3dbc46df 3355int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f229cce 3356 {
4453cd8c 3357 unsigned char *sigalgs, *sptr;
0f229cce
DSH		 3358 int rhash, rsign;
3359 size_t i;
3360 if (salglen & 1)
3361 return 0;
4453cd8c 3362 sigalgs = OPENSSL_malloc(salglen);
0f229cce
DSH		 3363 if (sigalgs == NULL)
3364 return 0;
4453cd8c 3365 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
0f229cce 3366 {
4453cd8c 3367 rhash = tls12_find_id(*psig_nids++, tls12_md,
0f229cce 3368 sizeof(tls12_md)/sizeof(tls12_lookup));
4453cd8c 3369 rsign = tls12_find_id(*psig_nids++, tls12_sig,
0f229cce
DSH		 3370 sizeof(tls12_sig)/sizeof(tls12_lookup));
3371
3372 if (rhash == -1 || rsign == -1)
3373 goto err;
4453cd8c
DSH		 3374 *sptr++ = rhash;
3375 *sptr++ = rsign;
0f229cce
DSH		 3376 }
3377
3dbc46df
DSH		 3378 if (client)
3379 {
3380 if (c->client_sigalgs)
3381 OPENSSL_free(c->client_sigalgs);
3382 c->client_sigalgs = sigalgs;
3383 c->client_sigalgslen = salglen;
3384 }
3385 else
3386 {
3387 if (c->conf_sigalgs)
3388 OPENSSL_free(c->conf_sigalgs);
3389 c->conf_sigalgs = sigalgs;
3390 c->conf_sigalgslen = salglen;
3391 }
0f229cce 3392
0f229cce
DSH		 3393 return 1;
3394
3395 err:
3396 OPENSSL_free(sigalgs);
3397 return 0;
3398 }
4453cd8c 3399
d61ff83b
DSH		 3400static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3401 {
3402 int sig_nid;
3403 size_t i;
3404 if (default_nid == -1)
3405 return 1;
3406 sig_nid = X509_get_signature_nid(x);
3407 if (default_nid)
3408 return sig_nid == default_nid ? 1 : 0;
3409 for (i = 0; i < c->shared_sigalgslen; i++)
3410 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3411 return 1;
3412 return 0;
3413 }
3414
3415/* Check certificate chain is consistent with TLS extensions and is
3416 * usable by server.
3417 */
3418int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3419 int idx)
3420 {
3421 int i;
3422 int rv = CERT_PKEY_INVALID;
3423 CERT_PKEY *cpk = NULL;
3424 CERT *c = s->cert;
3425 if (idx != -1)
3426 {
3427 cpk = c->pkeys + idx;
3428 x = cpk->x509;
3429 pk = cpk->privatekey;
3430 chain = cpk->chain;
3431 /* If no cert or key, forget it */
3432 if (!x || !pk)
3433 goto end;
3434 }
3435 else
3436 {
3437 idx = ssl_cert_type(x, pk);
3438 if (idx == -1)
3439 goto end;
3440 }
3441
3442 /* Check all signature algorithms are consistent with
3443 * signature algorithms extension if TLS 1.2 or later
3444 * and strict mode.
3445 */
3446 if (TLS1_get_version(s) >= TLS1_2_VERSION
3447 && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3448 {
3449 int default_nid;
3450 unsigned char rsign = 0;
3451 if (c->peer_sigalgs)
3452 default_nid = 0;
3453 /* If no sigalgs extension use defaults from RFC5246 */
3454 else
3455 {
3456 switch(idx)
3457 {
3458 case SSL_PKEY_RSA_ENC:
3459 case SSL_PKEY_RSA_SIGN:
3460 case SSL_PKEY_DH_RSA:
3461 rsign = TLSEXT_signature_rsa;
3462 default_nid = NID_sha1WithRSAEncryption;
3463 break;
3464
3465 case SSL_PKEY_DSA_SIGN:
3466 case SSL_PKEY_DH_DSA:
3467 rsign = TLSEXT_signature_dsa;
3468 default_nid = NID_dsaWithSHA1;
3469 break;
3470
3471 case SSL_PKEY_ECC:
3472 rsign = TLSEXT_signature_ecdsa;
3473 default_nid = NID_ecdsa_with_SHA1;
3474 break;
3475
3476 default:
3477 default_nid = -1;
3478 break;
3479 }
3480 }
3481 /* If peer sent no signature algorithms extension and we
3482 * have set preferred signature algorithms check we support
3483 * sha1.
3484 */
3dbc46df 3485 if (s->server && default_nid > 0 && c->conf_sigalgs)
d61ff83b
DSH		 3486 {
3487 size_t j;
3488 const unsigned char *p = c->conf_sigalgs;
3489 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
3490 {
3491 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3492 break;
3493 }
3494 if (j == c->conf_sigalgslen)
3495 goto end;
3496 }
3497 /* Check signature algorithm of each cert in chain */
3498 if (!tls1_check_sig_alg(c, x, default_nid))
3499 goto end;
3500 for (i = 0; i < sk_X509_num(chain); i++)
3501 {
3502 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
3503 default_nid))
3504 goto end;
3505 }
3506 }
3507
3508 /* Check cert parameters are consistent */
3509 if (!tls1_check_cert_param(s, x))
3510 goto end;
3511 /* In strict mode check rest of chain too */
3512 if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3513 {
3514 for (i = 0; i < sk_X509_num(chain); i++)
3515 {
3516 if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
3517 goto end;
3518 }
3519 }
3520 rv = CERT_PKEY_VALID;
3521
3522 end:
3523 if (cpk)
3524 {
3525 if (rv && cpk->digest)
3526 rv |= CERT_PKEY_SIGN;
3527 cpk->valid_flags = rv;
3528 }
3529 return rv;
3530 }
3531
3532/* Set validity of certificates in an SSL structure */
3533void tls1_set_cert_validity(SSL *s)
3534 {
3535 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3536 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3537 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3538 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
3539 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
3540 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3541 }
18d71588
DSH		 3542/* User level utiity function to check a chain is suitable */
3543int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3544 {
3545 return tls1_check_chain(s, x, pk, chain, -1);
3546 }
d61ff83b 3547
4453cd8c 3548#endif
A mirror of the official openssl repository