]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Re-align some comments after running the reformat script.
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 # include <openssl/dh.h>
120 # include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128 const unsigned char *sess_id, int sesslen,
129 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD const TLSv1_enc_data = {
135 tls1_enc,
136 tls1_mac,
137 tls1_setup_key_block,
138 tls1_generate_master_secret,
139 tls1_change_cipher_state,
140 tls1_final_finish_mac,
141 TLS1_FINISH_MAC_LENGTH,
142 tls1_cert_verify_mac,
143 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
144 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
145 tls1_alert_code,
146 tls1_export_keying_material,
147 0,
148 SSL3_HM_HEADER_LENGTH,
149 ssl3_set_handshake_header,
150 ssl3_handshake_write
151 };
152
153 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
154 tls1_enc,
155 tls1_mac,
156 tls1_setup_key_block,
157 tls1_generate_master_secret,
158 tls1_change_cipher_state,
159 tls1_final_finish_mac,
160 TLS1_FINISH_MAC_LENGTH,
161 tls1_cert_verify_mac,
162 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
163 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
164 tls1_alert_code,
165 tls1_export_keying_material,
166 SSL_ENC_FLAG_EXPLICIT_IV,
167 SSL3_HM_HEADER_LENGTH,
168 ssl3_set_handshake_header,
169 ssl3_handshake_write
170 };
171
172 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
173 tls1_enc,
174 tls1_mac,
175 tls1_setup_key_block,
176 tls1_generate_master_secret,
177 tls1_change_cipher_state,
178 tls1_final_finish_mac,
179 TLS1_FINISH_MAC_LENGTH,
180 tls1_cert_verify_mac,
181 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
182 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
183 tls1_alert_code,
184 tls1_export_keying_material,
185 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
186 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
187 SSL3_HM_HEADER_LENGTH,
188 ssl3_set_handshake_header,
189 ssl3_handshake_write
190 };
191
192 long tls1_default_timeout(void)
193 {
194 /*
195 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
196 * http, the cache would over fill
197 */
198 return (60 * 60 * 2);
199 }
200
201 int tls1_new(SSL *s)
202 {
203 if (!ssl3_new(s))
204 return (0);
205 s->method->ssl_clear(s);
206 return (1);
207 }
208
209 void tls1_free(SSL *s)
210 {
211 #ifndef OPENSSL_NO_TLSEXT
212 if (s->tlsext_session_ticket) {
213 OPENSSL_free(s->tlsext_session_ticket);
214 }
215 #endif /* OPENSSL_NO_TLSEXT */
216 ssl3_free(s);
217 }
218
219 void tls1_clear(SSL *s)
220 {
221 ssl3_clear(s);
222 s->version = s->method->version;
223 }
224
225 #ifndef OPENSSL_NO_EC
226
227 typedef struct {
228 int nid; /* Curve NID */
229 int secbits; /* Bits of security (from SP800-57) */
230 unsigned int flags; /* Flags: currently just field type */
231 } tls_curve_info;
232
233 # define TLS_CURVE_CHAR2 0x1
234 # define TLS_CURVE_PRIME 0x0
235
236 static const tls_curve_info nid_list[] = {
237 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
238 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
239 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
240 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
241 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
242 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
243 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
244 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
245 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
246 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
247 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
248 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
249 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
250 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
251 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
252 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
253 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
254 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
255 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
256 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
257 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
258 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
259 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
260 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
261 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
262 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
263 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
264 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
265 };
266
267 static const unsigned char ecformats_default[] = {
268 TLSEXT_ECPOINTFORMAT_uncompressed,
269 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
270 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
271 };
272
273 static const unsigned char eccurves_default[] = {
274 0, 14, /* sect571r1 (14) */
275 0, 13, /* sect571k1 (13) */
276 0, 25, /* secp521r1 (25) */
277 0, 28, /* brainpool512r1 (28) */
278 0, 11, /* sect409k1 (11) */
279 0, 12, /* sect409r1 (12) */
280 0, 27, /* brainpoolP384r1 (27) */
281 0, 24, /* secp384r1 (24) */
282 0, 9, /* sect283k1 (9) */
283 0, 10, /* sect283r1 (10) */
284 0, 26, /* brainpoolP256r1 (26) */
285 0, 22, /* secp256k1 (22) */
286 0, 23, /* secp256r1 (23) */
287 0, 8, /* sect239k1 (8) */
288 0, 6, /* sect233k1 (6) */
289 0, 7, /* sect233r1 (7) */
290 0, 20, /* secp224k1 (20) */
291 0, 21, /* secp224r1 (21) */
292 0, 4, /* sect193r1 (4) */
293 0, 5, /* sect193r2 (5) */
294 0, 18, /* secp192k1 (18) */
295 0, 19, /* secp192r1 (19) */
296 0, 1, /* sect163k1 (1) */
297 0, 2, /* sect163r1 (2) */
298 0, 3, /* sect163r2 (3) */
299 0, 15, /* secp160k1 (15) */
300 0, 16, /* secp160r1 (16) */
301 0, 17, /* secp160r2 (17) */
302 };
303
304 static const unsigned char suiteb_curves[] = {
305 0, TLSEXT_curve_P_256,
306 0, TLSEXT_curve_P_384
307 };
308
309 int tls1_ec_curve_id2nid(int curve_id)
310 {
311 /* ECC curves from RFC 4492 and RFC 7027 */
312 if ((curve_id < 1) || ((unsigned int)curve_id >
313 sizeof(nid_list) / sizeof(nid_list[0])))
314 return 0;
315 return nid_list[curve_id - 1].nid;
316 }
317
318 int tls1_ec_nid2curve_id(int nid)
319 {
320 /* ECC curves from RFC 4492 and RFC 7027 */
321 switch (nid) {
322 case NID_sect163k1: /* sect163k1 (1) */
323 return 1;
324 case NID_sect163r1: /* sect163r1 (2) */
325 return 2;
326 case NID_sect163r2: /* sect163r2 (3) */
327 return 3;
328 case NID_sect193r1: /* sect193r1 (4) */
329 return 4;
330 case NID_sect193r2: /* sect193r2 (5) */
331 return 5;
332 case NID_sect233k1: /* sect233k1 (6) */
333 return 6;
334 case NID_sect233r1: /* sect233r1 (7) */
335 return 7;
336 case NID_sect239k1: /* sect239k1 (8) */
337 return 8;
338 case NID_sect283k1: /* sect283k1 (9) */
339 return 9;
340 case NID_sect283r1: /* sect283r1 (10) */
341 return 10;
342 case NID_sect409k1: /* sect409k1 (11) */
343 return 11;
344 case NID_sect409r1: /* sect409r1 (12) */
345 return 12;
346 case NID_sect571k1: /* sect571k1 (13) */
347 return 13;
348 case NID_sect571r1: /* sect571r1 (14) */
349 return 14;
350 case NID_secp160k1: /* secp160k1 (15) */
351 return 15;
352 case NID_secp160r1: /* secp160r1 (16) */
353 return 16;
354 case NID_secp160r2: /* secp160r2 (17) */
355 return 17;
356 case NID_secp192k1: /* secp192k1 (18) */
357 return 18;
358 case NID_X9_62_prime192v1: /* secp192r1 (19) */
359 return 19;
360 case NID_secp224k1: /* secp224k1 (20) */
361 return 20;
362 case NID_secp224r1: /* secp224r1 (21) */
363 return 21;
364 case NID_secp256k1: /* secp256k1 (22) */
365 return 22;
366 case NID_X9_62_prime256v1: /* secp256r1 (23) */
367 return 23;
368 case NID_secp384r1: /* secp384r1 (24) */
369 return 24;
370 case NID_secp521r1: /* secp521r1 (25) */
371 return 25;
372 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
373 return 26;
374 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
375 return 27;
376 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
377 return 28;
378 default:
379 return 0;
380 }
381 }
382
383 /*
384 * Get curves list, if "sess" is set return client curves otherwise
385 * preferred list.
386 * Sets |num_curves| to the number of curves in the list, i.e.,
387 * the length of |pcurves| is 2 * num_curves.
388 * Returns 1 on success and 0 if the client curves list has invalid format.
389 * The latter indicates an internal error: we should not be accepting such
390 * lists in the first place.
391 * TODO(emilia): we should really be storing the curves list in explicitly
392 * parsed form instead. (However, this would affect binary compatibility
393 * so cannot happen in the 1.0.x series.)
394 */
395 static int tls1_get_curvelist(SSL *s, int sess,
396 const unsigned char **pcurves,
397 size_t *num_curves)
398 {
399 size_t pcurveslen = 0;
400 if (sess) {
401 *pcurves = s->session->tlsext_ellipticcurvelist;
402 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
403 } else {
404 /* For Suite B mode only include P-256, P-384 */
405 switch (tls1_suiteb(s)) {
406 case SSL_CERT_FLAG_SUITEB_128_LOS:
407 *pcurves = suiteb_curves;
408 pcurveslen = sizeof(suiteb_curves);
409 break;
410
411 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
412 *pcurves = suiteb_curves;
413 pcurveslen = 2;
414 break;
415
416 case SSL_CERT_FLAG_SUITEB_192_LOS:
417 *pcurves = suiteb_curves + 2;
418 pcurveslen = 2;
419 break;
420 default:
421 *pcurves = s->tlsext_ellipticcurvelist;
422 pcurveslen = s->tlsext_ellipticcurvelist_length;
423 }
424 if (!*pcurves) {
425 *pcurves = eccurves_default;
426 pcurveslen = sizeof(eccurves_default);
427 }
428 }
429
430 /* We do not allow odd length arrays to enter the system. */
431 if (pcurveslen & 1) {
432 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
433 *num_curves = 0;
434 return 0;
435 } else {
436 *num_curves = pcurveslen / 2;
437 return 1;
438 }
439 }
440
441 /* See if curve is allowed by security callback */
442 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
443 {
444 const tls_curve_info *cinfo;
445 if (curve[0])
446 return 1;
447 if ((curve[1] < 1) || ((size_t)curve[1] >
448 sizeof(nid_list) / sizeof(nid_list[0])))
449 return 0;
450 cinfo = &nid_list[curve[1] - 1];
451 # ifdef OPENSSL_NO_EC2M
452 if (cinfo->flags & TLS_CURVE_CHAR2)
453 return 0;
454 # endif
455 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
456 }
457
458 /* Check a curve is one of our preferences */
459 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
460 {
461 const unsigned char *curves;
462 size_t num_curves, i;
463 unsigned int suiteb_flags = tls1_suiteb(s);
464 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
465 return 0;
466 /* Check curve matches Suite B preferences */
467 if (suiteb_flags) {
468 unsigned long cid = s->s3->tmp.new_cipher->id;
469 if (p[1])
470 return 0;
471 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
472 if (p[2] != TLSEXT_curve_P_256)
473 return 0;
474 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
475 if (p[2] != TLSEXT_curve_P_384)
476 return 0;
477 } else /* Should never happen */
478 return 0;
479 }
480 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
481 return 0;
482 for (i = 0; i < num_curves; i++, curves += 2) {
483 if (p[1] == curves[0] && p[2] == curves[1])
484 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
485 }
486 return 0;
487 }
488
489 /*-
490 * Return |nmatch|th shared curve or NID_undef if there is no match.
491 * For nmatch == -1, return number of matches
492 * For nmatch == -2, return the NID of the curve to use for
493 * an EC tmp key, or NID_undef if there is no match.
494 */
495 int tls1_shared_curve(SSL *s, int nmatch)
496 {
497 const unsigned char *pref, *supp;
498 size_t num_pref, num_supp, i, j;
499 int k;
500 /* Can't do anything on client side */
501 if (s->server == 0)
502 return -1;
503 if (nmatch == -2) {
504 if (tls1_suiteb(s)) {
505 /*
506 * For Suite B ciphersuite determines curve: we already know
507 * these are acceptable due to previous checks.
508 */
509 unsigned long cid = s->s3->tmp.new_cipher->id;
510 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
511 return NID_X9_62_prime256v1; /* P-256 */
512 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
513 return NID_secp384r1; /* P-384 */
514 /* Should never happen */
515 return NID_undef;
516 }
517 /* If not Suite B just return first preference shared curve */
518 nmatch = 0;
519 }
520 /*
521 * Avoid truncation. tls1_get_curvelist takes an int
522 * but s->options is a long...
523 */
524 if (!tls1_get_curvelist
525 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
526 &num_supp))
527 /* In practice, NID_undef == 0 but let's be precise. */
528 return nmatch == -1 ? 0 : NID_undef;
529 if (!tls1_get_curvelist
530 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
531 &num_pref))
532 return nmatch == -1 ? 0 : NID_undef;
533 k = 0;
534 for (i = 0; i < num_pref; i++, pref += 2) {
535 const unsigned char *tsupp = supp;
536 for (j = 0; j < num_supp; j++, tsupp += 2) {
537 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
538 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
539 continue;
540 if (nmatch == k) {
541 int id = (pref[0] << 8) | pref[1];
542 return tls1_ec_curve_id2nid(id);
543 }
544 k++;
545 }
546 }
547 }
548 if (nmatch == -1)
549 return k;
550 /* Out of range (nmatch > k). */
551 return NID_undef;
552 }
553
554 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
555 int *curves, size_t ncurves)
556 {
557 unsigned char *clist, *p;
558 size_t i;
559 /*
560 * Bitmap of curves included to detect duplicates: only works while curve
561 * ids < 32
562 */
563 unsigned long dup_list = 0;
564 clist = OPENSSL_malloc(ncurves * 2);
565 if (!clist)
566 return 0;
567 for (i = 0, p = clist; i < ncurves; i++) {
568 unsigned long idmask;
569 int id;
570 id = tls1_ec_nid2curve_id(curves[i]);
571 idmask = 1L << id;
572 if (!id || (dup_list & idmask)) {
573 OPENSSL_free(clist);
574 return 0;
575 }
576 dup_list |= idmask;
577 s2n(id, p);
578 }
579 if (*pext)
580 OPENSSL_free(*pext);
581 *pext = clist;
582 *pextlen = ncurves * 2;
583 return 1;
584 }
585
586 # define MAX_CURVELIST 28
587
588 typedef struct {
589 size_t nidcnt;
590 int nid_arr[MAX_CURVELIST];
591 } nid_cb_st;
592
593 static int nid_cb(const char *elem, int len, void *arg)
594 {
595 nid_cb_st *narg = arg;
596 size_t i;
597 int nid;
598 char etmp[20];
599 if (narg->nidcnt == MAX_CURVELIST)
600 return 0;
601 if (len > (int)(sizeof(etmp) - 1))
602 return 0;
603 memcpy(etmp, elem, len);
604 etmp[len] = 0;
605 nid = EC_curve_nist2nid(etmp);
606 if (nid == NID_undef)
607 nid = OBJ_sn2nid(etmp);
608 if (nid == NID_undef)
609 nid = OBJ_ln2nid(etmp);
610 if (nid == NID_undef)
611 return 0;
612 for (i = 0; i < narg->nidcnt; i++)
613 if (narg->nid_arr[i] == nid)
614 return 0;
615 narg->nid_arr[narg->nidcnt++] = nid;
616 return 1;
617 }
618
619 /* Set curves based on a colon separate list */
620 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
621 const char *str)
622 {
623 nid_cb_st ncb;
624 ncb.nidcnt = 0;
625 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
626 return 0;
627 if (pext == NULL)
628 return 1;
629 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
630 }
631
632 /* For an EC key set TLS id and required compression based on parameters */
633 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
634 EC_KEY *ec)
635 {
636 int is_prime, id;
637 const EC_GROUP *grp;
638 const EC_METHOD *meth;
639 if (!ec)
640 return 0;
641 /* Determine if it is a prime field */
642 grp = EC_KEY_get0_group(ec);
643 if (!grp)
644 return 0;
645 meth = EC_GROUP_method_of(grp);
646 if (!meth)
647 return 0;
648 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
649 is_prime = 1;
650 else
651 is_prime = 0;
652 /* Determine curve ID */
653 id = EC_GROUP_get_curve_name(grp);
654 id = tls1_ec_nid2curve_id(id);
655 /* If we have an ID set it, otherwise set arbitrary explicit curve */
656 if (id) {
657 curve_id[0] = 0;
658 curve_id[1] = (unsigned char)id;
659 } else {
660 curve_id[0] = 0xff;
661 if (is_prime)
662 curve_id[1] = 0x01;
663 else
664 curve_id[1] = 0x02;
665 }
666 if (comp_id) {
667 if (EC_KEY_get0_public_key(ec) == NULL)
668 return 0;
669 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
670 if (is_prime)
671 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
672 else
673 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
674 } else
675 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
676 }
677 return 1;
678 }
679
680 /* Check an EC key is compatible with extensions */
681 static int tls1_check_ec_key(SSL *s,
682 unsigned char *curve_id, unsigned char *comp_id)
683 {
684 const unsigned char *pformats, *pcurves;
685 size_t num_formats, num_curves, i;
686 int j;
687 /*
688 * If point formats extension present check it, otherwise everything is
689 * supported (see RFC4492).
690 */
691 if (comp_id && s->session->tlsext_ecpointformatlist) {
692 pformats = s->session->tlsext_ecpointformatlist;
693 num_formats = s->session->tlsext_ecpointformatlist_length;
694 for (i = 0; i < num_formats; i++, pformats++) {
695 if (*comp_id == *pformats)
696 break;
697 }
698 if (i == num_formats)
699 return 0;
700 }
701 if (!curve_id)
702 return 1;
703 /* Check curve is consistent with client and server preferences */
704 for (j = 0; j <= 1; j++) {
705 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
706 return 0;
707 for (i = 0; i < num_curves; i++, pcurves += 2) {
708 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
709 break;
710 }
711 if (i == num_curves)
712 return 0;
713 /* For clients can only check sent curve list */
714 if (!s->server)
715 break;
716 }
717 return 1;
718 }
719
720 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
721 size_t *num_formats)
722 {
723 /*
724 * If we have a custom point format list use it otherwise use default
725 */
726 if (s->tlsext_ecpointformatlist) {
727 *pformats = s->tlsext_ecpointformatlist;
728 *num_formats = s->tlsext_ecpointformatlist_length;
729 } else {
730 *pformats = ecformats_default;
731 /* For Suite B we don't support char2 fields */
732 if (tls1_suiteb(s))
733 *num_formats = sizeof(ecformats_default) - 1;
734 else
735 *num_formats = sizeof(ecformats_default);
736 }
737 }
738
739 /*
740 * Check cert parameters compatible with extensions: currently just checks EC
741 * certificates have compatible curves and compression.
742 */
743 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
744 {
745 unsigned char comp_id, curve_id[2];
746 EVP_PKEY *pkey;
747 int rv;
748 pkey = X509_get_pubkey(x);
749 if (!pkey)
750 return 0;
751 /* If not EC nothing to do */
752 if (pkey->type != EVP_PKEY_EC) {
753 EVP_PKEY_free(pkey);
754 return 1;
755 }
756 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
757 EVP_PKEY_free(pkey);
758 if (!rv)
759 return 0;
760 /*
761 * Can't check curve_id for client certs as we don't have a supported
762 * curves extension.
763 */
764 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
765 if (!rv)
766 return 0;
767 /*
768 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
769 * SHA384+P-384, adjust digest if necessary.
770 */
771 if (set_ee_md && tls1_suiteb(s)) {
772 int check_md;
773 size_t i;
774 CERT *c = s->cert;
775 if (curve_id[0])
776 return 0;
777 /* Check to see we have necessary signing algorithm */
778 if (curve_id[1] == TLSEXT_curve_P_256)
779 check_md = NID_ecdsa_with_SHA256;
780 else if (curve_id[1] == TLSEXT_curve_P_384)
781 check_md = NID_ecdsa_with_SHA384;
782 else
783 return 0; /* Should never happen */
784 for (i = 0; i < c->shared_sigalgslen; i++)
785 if (check_md == c->shared_sigalgs[i].signandhash_nid)
786 break;
787 if (i == c->shared_sigalgslen)
788 return 0;
789 if (set_ee_md == 2) {
790 if (check_md == NID_ecdsa_with_SHA256)
791 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
792 else
793 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
794 }
795 }
796 return rv;
797 }
798
799 # ifndef OPENSSL_NO_ECDH
800 /* Check EC temporary key is compatible with client extensions */
801 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
802 {
803 unsigned char curve_id[2];
804 EC_KEY *ec = s->cert->ecdh_tmp;
805 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
806 /* Allow any curve: not just those peer supports */
807 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
808 return 1;
809 # endif
810 /*
811 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
812 * curves permitted.
813 */
814 if (tls1_suiteb(s)) {
815 /* Curve to check determined by ciphersuite */
816 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
817 curve_id[1] = TLSEXT_curve_P_256;
818 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
819 curve_id[1] = TLSEXT_curve_P_384;
820 else
821 return 0;
822 curve_id[0] = 0;
823 /* Check this curve is acceptable */
824 if (!tls1_check_ec_key(s, curve_id, NULL))
825 return 0;
826 /* If auto or setting curve from callback assume OK */
827 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
828 return 1;
829 /* Otherwise check curve is acceptable */
830 else {
831 unsigned char curve_tmp[2];
832 if (!ec)
833 return 0;
834 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
835 return 0;
836 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
837 return 1;
838 return 0;
839 }
840
841 }
842 if (s->cert->ecdh_tmp_auto) {
843 /* Need a shared curve */
844 if (tls1_shared_curve(s, 0))
845 return 1;
846 else
847 return 0;
848 }
849 if (!ec) {
850 if (s->cert->ecdh_tmp_cb)
851 return 1;
852 else
853 return 0;
854 }
855 if (!tls1_set_ec_id(curve_id, NULL, ec))
856 return 0;
857 /* Set this to allow use of invalid curves for testing */
858 # if 0
859 return 1;
860 # else
861 return tls1_check_ec_key(s, curve_id, NULL);
862 # endif
863 }
864 # endif /* OPENSSL_NO_ECDH */
865
866 #else
867
868 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
869 {
870 return 1;
871 }
872
873 #endif /* OPENSSL_NO_EC */
874
875 #ifndef OPENSSL_NO_TLSEXT
876
877 /*
878 * List of supported signature algorithms and hashes. Should make this
879 * customisable at some point, for now include everything we support.
880 */
881
882 # ifdef OPENSSL_NO_RSA
883 # define tlsext_sigalg_rsa(md) /* */
884 # else
885 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
886 # endif
887
888 # ifdef OPENSSL_NO_DSA
889 # define tlsext_sigalg_dsa(md) /* */
890 # else
891 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
892 # endif
893
894 # ifdef OPENSSL_NO_ECDSA
895 # define tlsext_sigalg_ecdsa(md)
896 /* */
897 # else
898 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
899 # endif
900
901 # define tlsext_sigalg(md) \
902 tlsext_sigalg_rsa(md) \
903 tlsext_sigalg_dsa(md) \
904 tlsext_sigalg_ecdsa(md)
905
906 static const unsigned char tls12_sigalgs[] = {
907 # ifndef OPENSSL_NO_SHA512
908 tlsext_sigalg(TLSEXT_hash_sha512)
909 tlsext_sigalg(TLSEXT_hash_sha384)
910 # endif
911 # ifndef OPENSSL_NO_SHA256
912 tlsext_sigalg(TLSEXT_hash_sha256)
913 tlsext_sigalg(TLSEXT_hash_sha224)
914 # endif
915 # ifndef OPENSSL_NO_SHA
916 tlsext_sigalg(TLSEXT_hash_sha1)
917 # endif
918 };
919
920 # ifndef OPENSSL_NO_ECDSA
921 static const unsigned char suiteb_sigalgs[] = {
922 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
923 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
924 };
925 # endif
926 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
927 {
928 /*
929 * If Suite B mode use Suite B sigalgs only, ignore any other
930 * preferences.
931 */
932 # ifndef OPENSSL_NO_EC
933 switch (tls1_suiteb(s)) {
934 case SSL_CERT_FLAG_SUITEB_128_LOS:
935 *psigs = suiteb_sigalgs;
936 return sizeof(suiteb_sigalgs);
937
938 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
939 *psigs = suiteb_sigalgs;
940 return 2;
941
942 case SSL_CERT_FLAG_SUITEB_192_LOS:
943 *psigs = suiteb_sigalgs + 2;
944 return 2;
945 }
946 # endif
947 /* If server use client authentication sigalgs if not NULL */
948 if (s->server && s->cert->client_sigalgs) {
949 *psigs = s->cert->client_sigalgs;
950 return s->cert->client_sigalgslen;
951 } else if (s->cert->conf_sigalgs) {
952 *psigs = s->cert->conf_sigalgs;
953 return s->cert->conf_sigalgslen;
954 } else {
955 *psigs = tls12_sigalgs;
956 return sizeof(tls12_sigalgs);
957 }
958 }
959
960 /*
961 * Check signature algorithm is consistent with sent supported signature
962 * algorithms and if so return relevant digest.
963 */
964 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
965 const unsigned char *sig, EVP_PKEY *pkey)
966 {
967 const unsigned char *sent_sigs;
968 size_t sent_sigslen, i;
969 int sigalg = tls12_get_sigid(pkey);
970 /* Should never happen */
971 if (sigalg == -1)
972 return -1;
973 /* Check key type is consistent with signature */
974 if (sigalg != (int)sig[1]) {
975 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
976 return 0;
977 }
978 # ifndef OPENSSL_NO_EC
979 if (pkey->type == EVP_PKEY_EC) {
980 unsigned char curve_id[2], comp_id;
981 /* Check compression and curve matches extensions */
982 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
983 return 0;
984 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
985 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
986 return 0;
987 }
988 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
989 if (tls1_suiteb(s)) {
990 if (curve_id[0])
991 return 0;
992 if (curve_id[1] == TLSEXT_curve_P_256) {
993 if (sig[0] != TLSEXT_hash_sha256) {
994 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
995 SSL_R_ILLEGAL_SUITEB_DIGEST);
996 return 0;
997 }
998 } else if (curve_id[1] == TLSEXT_curve_P_384) {
999 if (sig[0] != TLSEXT_hash_sha384) {
1000 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1001 SSL_R_ILLEGAL_SUITEB_DIGEST);
1002 return 0;
1003 }
1004 } else
1005 return 0;
1006 }
1007 } else if (tls1_suiteb(s))
1008 return 0;
1009 # endif
1010
1011 /* Check signature matches a type we sent */
1012 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1013 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1014 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1015 break;
1016 }
1017 /* Allow fallback to SHA1 if not strict mode */
1018 if (i == sent_sigslen
1019 && (sig[0] != TLSEXT_hash_sha1
1020 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1021 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1022 return 0;
1023 }
1024 *pmd = tls12_get_hash(sig[0]);
1025 if (*pmd == NULL) {
1026 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1027 return 0;
1028 }
1029 /* Make sure security callback allows algorithm */
1030 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1031 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1032 (void *)sig)) {
1033 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1034 return 0;
1035 }
1036 /*
1037 * Store the digest used so applications can retrieve it if they wish.
1038 */
1039 if (s->session && s->session->sess_cert)
1040 s->session->sess_cert->peer_key->digest = *pmd;
1041 return 1;
1042 }
1043
1044 /*
1045 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1046 * supported or doesn't appear in supported signature algorithms. Unlike
1047 * ssl_cipher_get_disabled this applies to a specific session and not global
1048 * settings.
1049 */
1050 void ssl_set_client_disabled(SSL *s)
1051 {
1052 CERT *c = s->cert;
1053 c->mask_a = 0;
1054 c->mask_k = 0;
1055 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1056 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1057 c->mask_ssl = SSL_TLSV1_2;
1058 else
1059 c->mask_ssl = 0;
1060 ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1061 /*
1062 * Disable static DH if we don't include any appropriate signature
1063 * algorithms.
1064 */
1065 if (c->mask_a & SSL_aRSA)
1066 c->mask_k |= SSL_kDHr | SSL_kECDHr;
1067 if (c->mask_a & SSL_aDSS)
1068 c->mask_k |= SSL_kDHd;
1069 if (c->mask_a & SSL_aECDSA)
1070 c->mask_k |= SSL_kECDHe;
1071 # ifndef OPENSSL_NO_KRB5
1072 if (!kssl_tgt_is_available(s->kssl_ctx)) {
1073 c->mask_a |= SSL_aKRB5;
1074 c->mask_k |= SSL_kKRB5;
1075 }
1076 # endif
1077 # ifndef OPENSSL_NO_PSK
1078 /* with PSK there must be client callback set */
1079 if (!s->psk_client_callback) {
1080 c->mask_a |= SSL_aPSK;
1081 c->mask_k |= SSL_kPSK;
1082 }
1083 # endif /* OPENSSL_NO_PSK */
1084 # ifndef OPENSSL_NO_SRP
1085 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1086 c->mask_a |= SSL_aSRP;
1087 c->mask_k |= SSL_kSRP;
1088 }
1089 # endif
1090 c->valid = 1;
1091 }
1092
1093 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1094 {
1095 CERT *ct = s->cert;
1096 if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
1097 || c->algorithm_auth & ct->mask_a)
1098 return 1;
1099 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1100 }
1101
1102 static int tls_use_ticket(SSL *s)
1103 {
1104 if (s->options & SSL_OP_NO_TICKET)
1105 return 0;
1106 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1107 }
1108
1109 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1110 unsigned char *limit, int *al)
1111 {
1112 int extdatalen = 0;
1113 unsigned char *orig = buf;
1114 unsigned char *ret = buf;
1115 # ifndef OPENSSL_NO_EC
1116 /* See if we support any ECC ciphersuites */
1117 int using_ecc = 0;
1118 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1119 int i;
1120 unsigned long alg_k, alg_a;
1121 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1122
1123 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1124 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1125
1126 alg_k = c->algorithm_mkey;
1127 alg_a = c->algorithm_auth;
1128 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
1129 || (alg_a & SSL_aECDSA))) {
1130 using_ecc = 1;
1131 break;
1132 }
1133 }
1134 }
1135 # endif
1136
1137 ret += 2;
1138
1139 if (ret >= limit)
1140 return NULL; /* this really never occurs, but ... */
1141
1142 /* Add RI if renegotiating */
1143 if (s->renegotiate) {
1144 int el;
1145
1146 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1147 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1148 return NULL;
1149 }
1150
1151 if ((limit - ret - 4 - el) < 0)
1152 return NULL;
1153
1154 s2n(TLSEXT_TYPE_renegotiate, ret);
1155 s2n(el, ret);
1156
1157 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1158 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1159 return NULL;
1160 }
1161
1162 ret += el;
1163 }
1164 /* Only add RI for SSLv3 */
1165 if (s->client_version == SSL3_VERSION)
1166 goto done;
1167
1168 if (s->tlsext_hostname != NULL) {
1169 /* Add TLS extension servername to the Client Hello message */
1170 unsigned long size_str;
1171 long lenmax;
1172
1173 /*-
1174 * check for enough space.
1175 * 4 for the servername type and entension length
1176 * 2 for servernamelist length
1177 * 1 for the hostname type
1178 * 2 for hostname length
1179 * + hostname length
1180 */
1181
1182 if ((lenmax = limit - ret - 9) < 0
1183 || (size_str =
1184 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1185 return NULL;
1186
1187 /* extension type and length */
1188 s2n(TLSEXT_TYPE_server_name, ret);
1189 s2n(size_str + 5, ret);
1190
1191 /* length of servername list */
1192 s2n(size_str + 3, ret);
1193
1194 /* hostname type, length and hostname */
1195 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1196 s2n(size_str, ret);
1197 memcpy(ret, s->tlsext_hostname, size_str);
1198 ret += size_str;
1199 }
1200 # ifndef OPENSSL_NO_SRP
1201 /* Add SRP username if there is one */
1202 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1203 * Client Hello message */
1204
1205 int login_len = strlen(s->srp_ctx.login);
1206 if (login_len > 255 || login_len == 0) {
1207 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1208 return NULL;
1209 }
1210
1211 /*-
1212 * check for enough space.
1213 * 4 for the srp type type and entension length
1214 * 1 for the srp user identity
1215 * + srp user identity length
1216 */
1217 if ((limit - ret - 5 - login_len) < 0)
1218 return NULL;
1219
1220 /* fill in the extension */
1221 s2n(TLSEXT_TYPE_srp, ret);
1222 s2n(login_len + 1, ret);
1223 (*ret++) = (unsigned char)login_len;
1224 memcpy(ret, s->srp_ctx.login, login_len);
1225 ret += login_len;
1226 }
1227 # endif
1228
1229 # ifndef OPENSSL_NO_EC
1230 if (using_ecc) {
1231 /*
1232 * Add TLS extension ECPointFormats to the ClientHello message
1233 */
1234 long lenmax;
1235 const unsigned char *pcurves, *pformats;
1236 size_t num_curves, num_formats, curves_list_len;
1237 size_t i;
1238 unsigned char *etmp;
1239
1240 tls1_get_formatlist(s, &pformats, &num_formats);
1241
1242 if ((lenmax = limit - ret - 5) < 0)
1243 return NULL;
1244 if (num_formats > (size_t)lenmax)
1245 return NULL;
1246 if (num_formats > 255) {
1247 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1248 return NULL;
1249 }
1250
1251 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1252 /* The point format list has 1-byte length. */
1253 s2n(num_formats + 1, ret);
1254 *(ret++) = (unsigned char)num_formats;
1255 memcpy(ret, pformats, num_formats);
1256 ret += num_formats;
1257
1258 /*
1259 * Add TLS extension EllipticCurves to the ClientHello message
1260 */
1261 pcurves = s->tlsext_ellipticcurvelist;
1262 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1263 return NULL;
1264
1265 if ((lenmax = limit - ret - 6) < 0)
1266 return NULL;
1267 if (num_curves > (size_t)lenmax / 2)
1268 return NULL;
1269 if (num_curves > 65532 / 2) {
1270 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1271 return NULL;
1272 }
1273
1274 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1275 etmp = ret + 4;
1276 /* Copy curve ID if supported */
1277 for (i = 0; i < num_curves; i++, pcurves += 2) {
1278 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1279 *etmp++ = pcurves[0];
1280 *etmp++ = pcurves[1];
1281 }
1282 }
1283
1284 curves_list_len = etmp - ret - 4;
1285
1286 s2n(curves_list_len + 2, ret);
1287 s2n(curves_list_len, ret);
1288 ret += curves_list_len;
1289 }
1290 # endif /* OPENSSL_NO_EC */
1291
1292 if (tls_use_ticket(s)) {
1293 int ticklen;
1294 if (!s->new_session && s->session && s->session->tlsext_tick)
1295 ticklen = s->session->tlsext_ticklen;
1296 else if (s->session && s->tlsext_session_ticket &&
1297 s->tlsext_session_ticket->data) {
1298 ticklen = s->tlsext_session_ticket->length;
1299 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1300 if (!s->session->tlsext_tick)
1301 return NULL;
1302 memcpy(s->session->tlsext_tick,
1303 s->tlsext_session_ticket->data, ticklen);
1304 s->session->tlsext_ticklen = ticklen;
1305 } else
1306 ticklen = 0;
1307 if (ticklen == 0 && s->tlsext_session_ticket &&
1308 s->tlsext_session_ticket->data == NULL)
1309 goto skip_ext;
1310 /*
1311 * Check for enough room 2 for extension type, 2 for len rest for
1312 * ticket
1313 */
1314 if ((long)(limit - ret - 4 - ticklen) < 0)
1315 return NULL;
1316 s2n(TLSEXT_TYPE_session_ticket, ret);
1317 s2n(ticklen, ret);
1318 if (ticklen) {
1319 memcpy(ret, s->session->tlsext_tick, ticklen);
1320 ret += ticklen;
1321 }
1322 }
1323 skip_ext:
1324
1325 if (SSL_USE_SIGALGS(s)) {
1326 size_t salglen;
1327 const unsigned char *salg;
1328 unsigned char *etmp;
1329 salglen = tls12_get_psigalgs(s, &salg);
1330 if ((size_t)(limit - ret) < salglen + 6)
1331 return NULL;
1332 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1333 etmp = ret;
1334 /* Skip over lengths for now */
1335 ret += 4;
1336 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1337 /* Fill in lengths */
1338 s2n(salglen + 2, etmp);
1339 s2n(salglen, etmp);
1340 ret += salglen;
1341 }
1342 # ifdef TLSEXT_TYPE_opaque_prf_input
1343 if (s->s3->client_opaque_prf_input != NULL) {
1344 size_t col = s->s3->client_opaque_prf_input_len;
1345
1346 if ((long)(limit - ret - 6 - col) < 0)
1347 return NULL;
1348 if (col > 0xFFFD) /* can't happen */
1349 return NULL;
1350
1351 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1352 s2n(col + 2, ret);
1353 s2n(col, ret);
1354 memcpy(ret, s->s3->client_opaque_prf_input, col);
1355 ret += col;
1356 }
1357 # endif
1358
1359 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1360 int i;
1361 long extlen, idlen, itmp;
1362 OCSP_RESPID *id;
1363
1364 idlen = 0;
1365 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1366 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1367 itmp = i2d_OCSP_RESPID(id, NULL);
1368 if (itmp <= 0)
1369 return NULL;
1370 idlen += itmp + 2;
1371 }
1372
1373 if (s->tlsext_ocsp_exts) {
1374 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1375 if (extlen < 0)
1376 return NULL;
1377 } else
1378 extlen = 0;
1379
1380 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1381 return NULL;
1382 s2n(TLSEXT_TYPE_status_request, ret);
1383 if (extlen + idlen > 0xFFF0)
1384 return NULL;
1385 s2n(extlen + idlen + 5, ret);
1386 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1387 s2n(idlen, ret);
1388 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1389 /* save position of id len */
1390 unsigned char *q = ret;
1391 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1392 /* skip over id len */
1393 ret += 2;
1394 itmp = i2d_OCSP_RESPID(id, &ret);
1395 /* write id len */
1396 s2n(itmp, q);
1397 }
1398 s2n(extlen, ret);
1399 if (extlen > 0)
1400 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1401 }
1402 # ifndef OPENSSL_NO_HEARTBEATS
1403 /* Add Heartbeat extension */
1404 if ((limit - ret - 4 - 1) < 0)
1405 return NULL;
1406 s2n(TLSEXT_TYPE_heartbeat, ret);
1407 s2n(1, ret);
1408 /*-
1409 * Set mode:
1410 * 1: peer may send requests
1411 * 2: peer not allowed to send requests
1412 */
1413 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1414 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1415 else
1416 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1417 # endif
1418
1419 # ifndef OPENSSL_NO_NEXTPROTONEG
1420 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1421 /*
1422 * The client advertises an emtpy extension to indicate its support
1423 * for Next Protocol Negotiation
1424 */
1425 if (limit - ret - 4 < 0)
1426 return NULL;
1427 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1428 s2n(0, ret);
1429 }
1430 # endif
1431
1432 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1433 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1434 return NULL;
1435 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1436 s2n(2 + s->alpn_client_proto_list_len, ret);
1437 s2n(s->alpn_client_proto_list_len, ret);
1438 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1439 ret += s->alpn_client_proto_list_len;
1440 }
1441 # ifndef OPENSSL_NO_SRTP
1442 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1443 int el;
1444
1445 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1446
1447 if ((limit - ret - 4 - el) < 0)
1448 return NULL;
1449
1450 s2n(TLSEXT_TYPE_use_srtp, ret);
1451 s2n(el, ret);
1452
1453 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1454 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1455 return NULL;
1456 }
1457 ret += el;
1458 }
1459 # endif
1460 custom_ext_init(&s->cert->cli_ext);
1461 /* Add custom TLS Extensions to ClientHello */
1462 if (!custom_ext_add(s, 0, &ret, limit, al))
1463 return NULL;
1464 # ifdef TLSEXT_TYPE_encrypt_then_mac
1465 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1466 s2n(0, ret);
1467 # endif
1468
1469 /*
1470 * Add padding to workaround bugs in F5 terminators. See
1471 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1472 * code works out the length of all existing extensions it MUST always
1473 * appear last.
1474 */
1475 if (s->options & SSL_OP_TLSEXT_PADDING) {
1476 int hlen = ret - (unsigned char *)s->init_buf->data;
1477 /*
1478 * The code in s23_clnt.c to build ClientHello messages includes the
1479 * 5-byte record header in the buffer, while the code in s3_clnt.c
1480 * does not.
1481 */
1482 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1483 hlen -= 5;
1484 if (hlen > 0xff && hlen < 0x200) {
1485 hlen = 0x200 - hlen;
1486 if (hlen >= 4)
1487 hlen -= 4;
1488 else
1489 hlen = 0;
1490
1491 s2n(TLSEXT_TYPE_padding, ret);
1492 s2n(hlen, ret);
1493 memset(ret, 0, hlen);
1494 ret += hlen;
1495 }
1496 }
1497
1498 done:
1499
1500 if ((extdatalen = ret - orig - 2) == 0)
1501 return orig;
1502
1503 s2n(extdatalen, orig);
1504 return ret;
1505 }
1506
1507 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1508 unsigned char *limit, int *al)
1509 {
1510 int extdatalen = 0;
1511 unsigned char *orig = buf;
1512 unsigned char *ret = buf;
1513 # ifndef OPENSSL_NO_NEXTPROTONEG
1514 int next_proto_neg_seen;
1515 # endif
1516 # ifndef OPENSSL_NO_EC
1517 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1518 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1519 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1520 || (alg_a & SSL_aECDSA);
1521 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1522 # endif
1523
1524 ret += 2;
1525 if (ret >= limit)
1526 return NULL; /* this really never occurs, but ... */
1527
1528 if (s->s3->send_connection_binding) {
1529 int el;
1530
1531 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1532 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1533 return NULL;
1534 }
1535
1536 if ((limit - ret - 4 - el) < 0)
1537 return NULL;
1538
1539 s2n(TLSEXT_TYPE_renegotiate, ret);
1540 s2n(el, ret);
1541
1542 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1543 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1544 return NULL;
1545 }
1546
1547 ret += el;
1548 }
1549
1550 /* Only add RI for SSLv3 */
1551 if (s->version == SSL3_VERSION)
1552 goto done;
1553
1554 if (!s->hit && s->servername_done == 1
1555 && s->session->tlsext_hostname != NULL) {
1556 if ((long)(limit - ret - 4) < 0)
1557 return NULL;
1558
1559 s2n(TLSEXT_TYPE_server_name, ret);
1560 s2n(0, ret);
1561 }
1562 # ifndef OPENSSL_NO_EC
1563 if (using_ecc) {
1564 const unsigned char *plist;
1565 size_t plistlen;
1566 /*
1567 * Add TLS extension ECPointFormats to the ServerHello message
1568 */
1569 long lenmax;
1570
1571 tls1_get_formatlist(s, &plist, &plistlen);
1572
1573 if ((lenmax = limit - ret - 5) < 0)
1574 return NULL;
1575 if (plistlen > (size_t)lenmax)
1576 return NULL;
1577 if (plistlen > 255) {
1578 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1579 return NULL;
1580 }
1581
1582 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1583 s2n(plistlen + 1, ret);
1584 *(ret++) = (unsigned char)plistlen;
1585 memcpy(ret, plist, plistlen);
1586 ret += plistlen;
1587
1588 }
1589 /*
1590 * Currently the server should not respond with a SupportedCurves
1591 * extension
1592 */
1593 # endif /* OPENSSL_NO_EC */
1594
1595 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1596 if ((long)(limit - ret - 4) < 0)
1597 return NULL;
1598 s2n(TLSEXT_TYPE_session_ticket, ret);
1599 s2n(0, ret);
1600 }
1601
1602 if (s->tlsext_status_expected) {
1603 if ((long)(limit - ret - 4) < 0)
1604 return NULL;
1605 s2n(TLSEXT_TYPE_status_request, ret);
1606 s2n(0, ret);
1607 }
1608 # ifdef TLSEXT_TYPE_opaque_prf_input
1609 if (s->s3->server_opaque_prf_input != NULL) {
1610 size_t sol = s->s3->server_opaque_prf_input_len;
1611
1612 if ((long)(limit - ret - 6 - sol) < 0)
1613 return NULL;
1614 if (sol > 0xFFFD) /* can't happen */
1615 return NULL;
1616
1617 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1618 s2n(sol + 2, ret);
1619 s2n(sol, ret);
1620 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1621 ret += sol;
1622 }
1623 # endif
1624
1625 # ifndef OPENSSL_NO_SRTP
1626 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1627 int el;
1628
1629 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1630
1631 if ((limit - ret - 4 - el) < 0)
1632 return NULL;
1633
1634 s2n(TLSEXT_TYPE_use_srtp, ret);
1635 s2n(el, ret);
1636
1637 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1638 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1639 return NULL;
1640 }
1641 ret += el;
1642 }
1643 # endif
1644
1645 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1646 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1647 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1648 const unsigned char cryptopro_ext[36] = {
1649 0xfd, 0xe8, /* 65000 */
1650 0x00, 0x20, /* 32 bytes length */
1651 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1652 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1653 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1654 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1655 };
1656 if (limit - ret < 36)
1657 return NULL;
1658 memcpy(ret, cryptopro_ext, 36);
1659 ret += 36;
1660
1661 }
1662 # ifndef OPENSSL_NO_HEARTBEATS
1663 /* Add Heartbeat extension if we've received one */
1664 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1665 if ((limit - ret - 4 - 1) < 0)
1666 return NULL;
1667 s2n(TLSEXT_TYPE_heartbeat, ret);
1668 s2n(1, ret);
1669 /*-
1670 * Set mode:
1671 * 1: peer may send requests
1672 * 2: peer not allowed to send requests
1673 */
1674 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1675 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1676 else
1677 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1678
1679 }
1680 # endif
1681
1682 # ifndef OPENSSL_NO_NEXTPROTONEG
1683 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1684 s->s3->next_proto_neg_seen = 0;
1685 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1686 const unsigned char *npa;
1687 unsigned int npalen;
1688 int r;
1689
1690 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1691 s->
1692 ctx->next_protos_advertised_cb_arg);
1693 if (r == SSL_TLSEXT_ERR_OK) {
1694 if ((long)(limit - ret - 4 - npalen) < 0)
1695 return NULL;
1696 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1697 s2n(npalen, ret);
1698 memcpy(ret, npa, npalen);
1699 ret += npalen;
1700 s->s3->next_proto_neg_seen = 1;
1701 }
1702 }
1703 # endif
1704 if (!custom_ext_add(s, 1, &ret, limit, al))
1705 return NULL;
1706 # ifdef TLSEXT_TYPE_encrypt_then_mac
1707 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1708 /*
1709 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1710 * for other cases too.
1711 */
1712 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1713 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1714 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1715 else {
1716 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1717 s2n(0, ret);
1718 }
1719 }
1720 # endif
1721
1722 if (s->s3->alpn_selected) {
1723 const unsigned char *selected = s->s3->alpn_selected;
1724 unsigned len = s->s3->alpn_selected_len;
1725
1726 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1727 return NULL;
1728 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1729 s2n(3 + len, ret);
1730 s2n(1 + len, ret);
1731 *ret++ = len;
1732 memcpy(ret, selected, len);
1733 ret += len;
1734 }
1735
1736 done:
1737
1738 if ((extdatalen = ret - orig - 2) == 0)
1739 return orig;
1740
1741 s2n(extdatalen, orig);
1742 return ret;
1743 }
1744
1745 /*
1746 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1747 * ClientHello. data: the contents of the extension, not including the type
1748 * and length. data_len: the number of bytes in |data| al: a pointer to the
1749 * alert value to send in the event of a non-zero return. returns: 0 on
1750 * success.
1751 */
1752 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1753 unsigned data_len, int *al)
1754 {
1755 unsigned i;
1756 unsigned proto_len;
1757 const unsigned char *selected;
1758 unsigned char selected_len;
1759 int r;
1760
1761 if (s->ctx->alpn_select_cb == NULL)
1762 return 0;
1763
1764 if (data_len < 2)
1765 goto parse_error;
1766
1767 /*
1768 * data should contain a uint16 length followed by a series of 8-bit,
1769 * length-prefixed strings.
1770 */
1771 i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1772 data_len -= 2;
1773 data += 2;
1774 if (data_len != i)
1775 goto parse_error;
1776
1777 if (data_len < 2)
1778 goto parse_error;
1779
1780 for (i = 0; i < data_len;) {
1781 proto_len = data[i];
1782 i++;
1783
1784 if (proto_len == 0)
1785 goto parse_error;
1786
1787 if (i + proto_len < i || i + proto_len > data_len)
1788 goto parse_error;
1789
1790 i += proto_len;
1791 }
1792
1793 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1794 s->ctx->alpn_select_cb_arg);
1795 if (r == SSL_TLSEXT_ERR_OK) {
1796 if (s->s3->alpn_selected)
1797 OPENSSL_free(s->s3->alpn_selected);
1798 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1799 if (!s->s3->alpn_selected) {
1800 *al = SSL_AD_INTERNAL_ERROR;
1801 return -1;
1802 }
1803 memcpy(s->s3->alpn_selected, selected, selected_len);
1804 s->s3->alpn_selected_len = selected_len;
1805 }
1806 return 0;
1807
1808 parse_error:
1809 *al = SSL_AD_DECODE_ERROR;
1810 return -1;
1811 }
1812
1813 # ifndef OPENSSL_NO_EC
1814 /*-
1815 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1816 * SecureTransport using the TLS extension block in |d|, of length |n|.
1817 * Safari, since 10.6, sends exactly these extensions, in this order:
1818 * SNI,
1819 * elliptic_curves
1820 * ec_point_formats
1821 *
1822 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1823 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1824 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1825 * 10.8..10.8.3 (which don't work).
1826 */
1827 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1828 const unsigned char *d, int n)
1829 {
1830 unsigned short type, size;
1831 static const unsigned char kSafariExtensionsBlock[] = {
1832 0x00, 0x0a, /* elliptic_curves extension */
1833 0x00, 0x08, /* 8 bytes */
1834 0x00, 0x06, /* 6 bytes of curve ids */
1835 0x00, 0x17, /* P-256 */
1836 0x00, 0x18, /* P-384 */
1837 0x00, 0x19, /* P-521 */
1838
1839 0x00, 0x0b, /* ec_point_formats */
1840 0x00, 0x02, /* 2 bytes */
1841 0x01, /* 1 point format */
1842 0x00, /* uncompressed */
1843 };
1844
1845 /* The following is only present in TLS 1.2 */
1846 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1847 0x00, 0x0d, /* signature_algorithms */
1848 0x00, 0x0c, /* 12 bytes */
1849 0x00, 0x0a, /* 10 bytes */
1850 0x05, 0x01, /* SHA-384/RSA */
1851 0x04, 0x01, /* SHA-256/RSA */
1852 0x02, 0x01, /* SHA-1/RSA */
1853 0x04, 0x03, /* SHA-256/ECDSA */
1854 0x02, 0x03, /* SHA-1/ECDSA */
1855 };
1856
1857 if (data >= (d + n - 2))
1858 return;
1859 data += 2;
1860
1861 if (data > (d + n - 4))
1862 return;
1863 n2s(data, type);
1864 n2s(data, size);
1865
1866 if (type != TLSEXT_TYPE_server_name)
1867 return;
1868
1869 if (data + size > d + n)
1870 return;
1871 data += size;
1872
1873 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1874 const size_t len1 = sizeof(kSafariExtensionsBlock);
1875 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1876
1877 if (data + len1 + len2 != d + n)
1878 return;
1879 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1880 return;
1881 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1882 return;
1883 } else {
1884 const size_t len = sizeof(kSafariExtensionsBlock);
1885
1886 if (data + len != d + n)
1887 return;
1888 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1889 return;
1890 }
1891
1892 s->s3->is_probably_safari = 1;
1893 }
1894 # endif /* !OPENSSL_NO_EC */
1895
1896 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1897 unsigned char *d, int n, int *al)
1898 {
1899 unsigned short type;
1900 unsigned short size;
1901 unsigned short len;
1902 unsigned char *data = *p;
1903 int renegotiate_seen = 0;
1904
1905 s->servername_done = 0;
1906 s->tlsext_status_type = -1;
1907 # ifndef OPENSSL_NO_NEXTPROTONEG
1908 s->s3->next_proto_neg_seen = 0;
1909 # endif
1910
1911 if (s->s3->alpn_selected) {
1912 OPENSSL_free(s->s3->alpn_selected);
1913 s->s3->alpn_selected = NULL;
1914 }
1915 # ifndef OPENSSL_NO_HEARTBEATS
1916 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1917 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1918 # endif
1919
1920 # ifndef OPENSSL_NO_EC
1921 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1922 ssl_check_for_safari(s, data, d, n);
1923 # endif /* !OPENSSL_NO_EC */
1924
1925 /* Clear any signature algorithms extension received */
1926 if (s->cert->peer_sigalgs) {
1927 OPENSSL_free(s->cert->peer_sigalgs);
1928 s->cert->peer_sigalgs = NULL;
1929 }
1930 # ifdef TLSEXT_TYPE_encrypt_then_mac
1931 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1932 # endif
1933
1934 # ifndef OPENSSL_NO_SRP
1935 if (s->srp_ctx.login != NULL) {
1936 OPENSSL_free(s->srp_ctx.login);
1937 s->srp_ctx.login = NULL;
1938 }
1939 # endif
1940
1941 s->srtp_profile = NULL;
1942
1943 if (data >= (d + n - 2))
1944 goto ri_check;
1945 n2s(data, len);
1946
1947 if (data > (d + n - len))
1948 goto ri_check;
1949
1950 while (data <= (d + n - 4)) {
1951 n2s(data, type);
1952 n2s(data, size);
1953
1954 if (data + size > (d + n))
1955 goto ri_check;
1956 # if 0
1957 fprintf(stderr, "Received extension type %d size %d\n", type, size);
1958 # endif
1959 if (s->tlsext_debug_cb)
1960 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1961 if (type == TLSEXT_TYPE_renegotiate) {
1962 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1963 return 0;
1964 renegotiate_seen = 1;
1965 } else if (s->version == SSL3_VERSION) {
1966 }
1967 /*-
1968 * The servername extension is treated as follows:
1969 *
1970 * - Only the hostname type is supported with a maximum length of 255.
1971 * - The servername is rejected if too long or if it contains zeros,
1972 * in which case an fatal alert is generated.
1973 * - The servername field is maintained together with the session cache.
1974 * - When a session is resumed, the servername call back invoked in order
1975 * to allow the application to position itself to the right context.
1976 * - The servername is acknowledged if it is new for a session or when
1977 * it is identical to a previously used for the same session.
1978 * Applications can control the behaviour. They can at any time
1979 * set a 'desirable' servername for a new SSL object. This can be the
1980 * case for example with HTTPS when a Host: header field is received and
1981 * a renegotiation is requested. In this case, a possible servername
1982 * presented in the new client hello is only acknowledged if it matches
1983 * the value of the Host: field.
1984 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1985 * if they provide for changing an explicit servername context for the
1986 * session, i.e. when the session has been established with a servername
1987 * extension.
1988 * - On session reconnect, the servername extension may be absent.
1989 *
1990 */
1991
1992 else if (type == TLSEXT_TYPE_server_name) {
1993 unsigned char *sdata;
1994 int servname_type;
1995 int dsize;
1996
1997 if (size < 2) {
1998 *al = SSL_AD_DECODE_ERROR;
1999 return 0;
2000 }
2001 n2s(data, dsize);
2002 size -= 2;
2003 if (dsize > size) {
2004 *al = SSL_AD_DECODE_ERROR;
2005 return 0;
2006 }
2007
2008 sdata = data;
2009 while (dsize > 3) {
2010 servname_type = *(sdata++);
2011 n2s(sdata, len);
2012 dsize -= 3;
2013
2014 if (len > dsize) {
2015 *al = SSL_AD_DECODE_ERROR;
2016 return 0;
2017 }
2018 if (s->servername_done == 0)
2019 switch (servname_type) {
2020 case TLSEXT_NAMETYPE_host_name:
2021 if (!s->hit) {
2022 if (s->session->tlsext_hostname) {
2023 *al = SSL_AD_DECODE_ERROR;
2024 return 0;
2025 }
2026 if (len > TLSEXT_MAXLEN_host_name) {
2027 *al = TLS1_AD_UNRECOGNIZED_NAME;
2028 return 0;
2029 }
2030 if ((s->session->tlsext_hostname =
2031 OPENSSL_malloc(len + 1)) == NULL) {
2032 *al = TLS1_AD_INTERNAL_ERROR;
2033 return 0;
2034 }
2035 memcpy(s->session->tlsext_hostname, sdata, len);
2036 s->session->tlsext_hostname[len] = '\0';
2037 if (strlen(s->session->tlsext_hostname) != len) {
2038 OPENSSL_free(s->session->tlsext_hostname);
2039 s->session->tlsext_hostname = NULL;
2040 *al = TLS1_AD_UNRECOGNIZED_NAME;
2041 return 0;
2042 }
2043 s->servername_done = 1;
2044
2045 } else
2046 s->servername_done = s->session->tlsext_hostname
2047 && strlen(s->session->tlsext_hostname) == len
2048 && strncmp(s->session->tlsext_hostname,
2049 (char *)sdata, len) == 0;
2050
2051 break;
2052
2053 default:
2054 break;
2055 }
2056
2057 dsize -= len;
2058 }
2059 if (dsize != 0) {
2060 *al = SSL_AD_DECODE_ERROR;
2061 return 0;
2062 }
2063
2064 }
2065 # ifndef OPENSSL_NO_SRP
2066 else if (type == TLSEXT_TYPE_srp) {
2067 if (size <= 0 || ((len = data[0])) != (size - 1)) {
2068 *al = SSL_AD_DECODE_ERROR;
2069 return 0;
2070 }
2071 if (s->srp_ctx.login != NULL) {
2072 *al = SSL_AD_DECODE_ERROR;
2073 return 0;
2074 }
2075 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2076 return -1;
2077 memcpy(s->srp_ctx.login, &data[1], len);
2078 s->srp_ctx.login[len] = '\0';
2079
2080 if (strlen(s->srp_ctx.login) != len) {
2081 *al = SSL_AD_DECODE_ERROR;
2082 return 0;
2083 }
2084 }
2085 # endif
2086
2087 # ifndef OPENSSL_NO_EC
2088 else if (type == TLSEXT_TYPE_ec_point_formats) {
2089 unsigned char *sdata = data;
2090 int ecpointformatlist_length = *(sdata++);
2091
2092 if (ecpointformatlist_length != size - 1 ||
2093 ecpointformatlist_length < 1) {
2094 *al = TLS1_AD_DECODE_ERROR;
2095 return 0;
2096 }
2097 if (!s->hit) {
2098 if (s->session->tlsext_ecpointformatlist) {
2099 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2100 s->session->tlsext_ecpointformatlist = NULL;
2101 }
2102 s->session->tlsext_ecpointformatlist_length = 0;
2103 if ((s->session->tlsext_ecpointformatlist =
2104 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2105 *al = TLS1_AD_INTERNAL_ERROR;
2106 return 0;
2107 }
2108 s->session->tlsext_ecpointformatlist_length =
2109 ecpointformatlist_length;
2110 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2111 ecpointformatlist_length);
2112 }
2113 # if 0
2114 fprintf(stderr,
2115 "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
2116 s->session->tlsext_ecpointformatlist_length);
2117 sdata = s->session->tlsext_ecpointformatlist;
2118 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2119 fprintf(stderr, "%i ", *(sdata++));
2120 fprintf(stderr, "\n");
2121 # endif
2122 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2123 unsigned char *sdata = data;
2124 int ellipticcurvelist_length = (*(sdata++) << 8);
2125 ellipticcurvelist_length += (*(sdata++));
2126
2127 if (ellipticcurvelist_length != size - 2 ||
2128 ellipticcurvelist_length < 1 ||
2129 /* Each NamedCurve is 2 bytes. */
2130 ellipticcurvelist_length & 1) {
2131 *al = TLS1_AD_DECODE_ERROR;
2132 return 0;
2133 }
2134 if (!s->hit) {
2135 if (s->session->tlsext_ellipticcurvelist) {
2136 *al = TLS1_AD_DECODE_ERROR;
2137 return 0;
2138 }
2139 s->session->tlsext_ellipticcurvelist_length = 0;
2140 if ((s->session->tlsext_ellipticcurvelist =
2141 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2142 *al = TLS1_AD_INTERNAL_ERROR;
2143 return 0;
2144 }
2145 s->session->tlsext_ellipticcurvelist_length =
2146 ellipticcurvelist_length;
2147 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2148 ellipticcurvelist_length);
2149 }
2150 # if 0
2151 fprintf(stderr,
2152 "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
2153 s->session->tlsext_ellipticcurvelist_length);
2154 sdata = s->session->tlsext_ellipticcurvelist;
2155 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2156 fprintf(stderr, "%i ", *(sdata++));
2157 fprintf(stderr, "\n");
2158 # endif
2159 }
2160 # endif /* OPENSSL_NO_EC */
2161 # ifdef TLSEXT_TYPE_opaque_prf_input
2162 else if (type == TLSEXT_TYPE_opaque_prf_input) {
2163 unsigned char *sdata = data;
2164
2165 if (size < 2) {
2166 *al = SSL_AD_DECODE_ERROR;
2167 return 0;
2168 }
2169 n2s(sdata, s->s3->client_opaque_prf_input_len);
2170 if (s->s3->client_opaque_prf_input_len != size - 2) {
2171 *al = SSL_AD_DECODE_ERROR;
2172 return 0;
2173 }
2174
2175 if (s->s3->client_opaque_prf_input != NULL) {
2176 /* shouldn't really happen */
2177 OPENSSL_free(s->s3->client_opaque_prf_input);
2178 }
2179
2180 /* dummy byte just to get non-NULL */
2181 if (s->s3->client_opaque_prf_input_len == 0)
2182 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2183 else
2184 s->s3->client_opaque_prf_input =
2185 BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2186 if (s->s3->client_opaque_prf_input == NULL) {
2187 *al = TLS1_AD_INTERNAL_ERROR;
2188 return 0;
2189 }
2190 }
2191 # endif
2192 else if (type == TLSEXT_TYPE_session_ticket) {
2193 if (s->tls_session_ticket_ext_cb &&
2194 !s->tls_session_ticket_ext_cb(s, data, size,
2195 s->tls_session_ticket_ext_cb_arg))
2196 {
2197 *al = TLS1_AD_INTERNAL_ERROR;
2198 return 0;
2199 }
2200 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2201 int dsize;
2202 if (s->cert->peer_sigalgs || size < 2) {
2203 *al = SSL_AD_DECODE_ERROR;
2204 return 0;
2205 }
2206 n2s(data, dsize);
2207 size -= 2;
2208 if (dsize != size || dsize & 1 || !dsize) {
2209 *al = SSL_AD_DECODE_ERROR;
2210 return 0;
2211 }
2212 if (!tls1_save_sigalgs(s, data, dsize)) {
2213 *al = SSL_AD_DECODE_ERROR;
2214 return 0;
2215 }
2216 } else if (type == TLSEXT_TYPE_status_request) {
2217
2218 if (size < 5) {
2219 *al = SSL_AD_DECODE_ERROR;
2220 return 0;
2221 }
2222
2223 s->tlsext_status_type = *data++;
2224 size--;
2225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2226 const unsigned char *sdata;
2227 int dsize;
2228 /* Read in responder_id_list */
2229 n2s(data, dsize);
2230 size -= 2;
2231 if (dsize > size) {
2232 *al = SSL_AD_DECODE_ERROR;
2233 return 0;
2234 }
2235 while (dsize > 0) {
2236 OCSP_RESPID *id;
2237 int idsize;
2238 if (dsize < 4) {
2239 *al = SSL_AD_DECODE_ERROR;
2240 return 0;
2241 }
2242 n2s(data, idsize);
2243 dsize -= 2 + idsize;
2244 size -= 2 + idsize;
2245 if (dsize < 0) {
2246 *al = SSL_AD_DECODE_ERROR;
2247 return 0;
2248 }
2249 sdata = data;
2250 data += idsize;
2251 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2252 if (!id) {
2253 *al = SSL_AD_DECODE_ERROR;
2254 return 0;
2255 }
2256 if (data != sdata) {
2257 OCSP_RESPID_free(id);
2258 *al = SSL_AD_DECODE_ERROR;
2259 return 0;
2260 }
2261 if (!s->tlsext_ocsp_ids
2262 && !(s->tlsext_ocsp_ids =
2263 sk_OCSP_RESPID_new_null())) {
2264 OCSP_RESPID_free(id);
2265 *al = SSL_AD_INTERNAL_ERROR;
2266 return 0;
2267 }
2268 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2269 OCSP_RESPID_free(id);
2270 *al = SSL_AD_INTERNAL_ERROR;
2271 return 0;
2272 }
2273 }
2274
2275 /* Read in request_extensions */
2276 if (size < 2) {
2277 *al = SSL_AD_DECODE_ERROR;
2278 return 0;
2279 }
2280 n2s(data, dsize);
2281 size -= 2;
2282 if (dsize != size) {
2283 *al = SSL_AD_DECODE_ERROR;
2284 return 0;
2285 }
2286 sdata = data;
2287 if (dsize > 0) {
2288 if (s->tlsext_ocsp_exts) {
2289 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2290 X509_EXTENSION_free);
2291 }
2292
2293 s->tlsext_ocsp_exts =
2294 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2295 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
2296 *al = SSL_AD_DECODE_ERROR;
2297 return 0;
2298 }
2299 }
2300 }
2301 /*
2302 * We don't know what to do with any other type * so ignore it.
2303 */
2304 else
2305 s->tlsext_status_type = -1;
2306 }
2307 # ifndef OPENSSL_NO_HEARTBEATS
2308 else if (type == TLSEXT_TYPE_heartbeat) {
2309 switch (data[0]) {
2310 case 0x01: /* Client allows us to send HB requests */
2311 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2312 break;
2313 case 0x02: /* Client doesn't accept HB requests */
2314 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2315 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2316 break;
2317 default:
2318 *al = SSL_AD_ILLEGAL_PARAMETER;
2319 return 0;
2320 }
2321 }
2322 # endif
2323 # ifndef OPENSSL_NO_NEXTPROTONEG
2324 else if (type == TLSEXT_TYPE_next_proto_neg &&
2325 s->s3->tmp.finish_md_len == 0 &&
2326 s->s3->alpn_selected == NULL) {
2327 /*-
2328 * We shouldn't accept this extension on a
2329 * renegotiation.
2330 *
2331 * s->new_session will be set on renegotiation, but we
2332 * probably shouldn't rely that it couldn't be set on
2333 * the initial renegotation too in certain cases (when
2334 * there's some other reason to disallow resuming an
2335 * earlier session -- the current code won't be doing
2336 * anything like that, but this might change).
2337 *
2338 * A valid sign that there's been a previous handshake
2339 * in this connection is if s->s3->tmp.finish_md_len >
2340 * 0. (We are talking about a check that will happen
2341 * in the Hello protocol round, well before a new
2342 * Finished message could have been computed.)
2343 */
2344 s->s3->next_proto_neg_seen = 1;
2345 }
2346 # endif
2347
2348 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2349 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2350 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2351 return 0;
2352 # ifndef OPENSSL_NO_NEXTPROTONEG
2353 /* ALPN takes precedence over NPN. */
2354 s->s3->next_proto_neg_seen = 0;
2355 # endif
2356 }
2357
2358 /* session ticket processed earlier */
2359 # ifndef OPENSSL_NO_SRTP
2360 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2361 && type == TLSEXT_TYPE_use_srtp) {
2362 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2363 return 0;
2364 }
2365 # endif
2366 # ifdef TLSEXT_TYPE_encrypt_then_mac
2367 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2368 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2369 # endif
2370 /*
2371 * If this ClientHello extension was unhandled and this is a
2372 * nonresumed connection, check whether the extension is a custom
2373 * TLS Extension (has a custom_srv_ext_record), and if so call the
2374 * callback and record the extension number so that an appropriate
2375 * ServerHello may be later returned.
2376 */
2377 else if (!s->hit) {
2378 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2379 return 0;
2380 }
2381
2382 data += size;
2383 }
2384
2385 *p = data;
2386
2387 ri_check:
2388
2389 /* Need RI if renegotiating */
2390
2391 if (!renegotiate_seen && s->renegotiate &&
2392 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2393 *al = SSL_AD_HANDSHAKE_FAILURE;
2394 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2395 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2396 return 0;
2397 }
2398
2399 return 1;
2400 }
2401
2402 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2403 int n)
2404 {
2405 int al = -1;
2406 custom_ext_init(&s->cert->srv_ext);
2407 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
2408 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2409 return 0;
2410 }
2411
2412 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2413 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2414 return 0;
2415 }
2416 return 1;
2417 }
2418
2419 # ifndef OPENSSL_NO_NEXTPROTONEG
2420 /*
2421 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2422 * elements of zero length are allowed and the set of elements must exactly
2423 * fill the length of the block.
2424 */
2425 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2426 {
2427 unsigned int off = 0;
2428
2429 while (off < len) {
2430 if (d[off] == 0)
2431 return 0;
2432 off += d[off];
2433 off++;
2434 }
2435
2436 return off == len;
2437 }
2438 # endif
2439
2440 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2441 unsigned char *d, int n, int *al)
2442 {
2443 unsigned short length;
2444 unsigned short type;
2445 unsigned short size;
2446 unsigned char *data = *p;
2447 int tlsext_servername = 0;
2448 int renegotiate_seen = 0;
2449
2450 # ifndef OPENSSL_NO_NEXTPROTONEG
2451 s->s3->next_proto_neg_seen = 0;
2452 # endif
2453 s->tlsext_ticket_expected = 0;
2454
2455 if (s->s3->alpn_selected) {
2456 OPENSSL_free(s->s3->alpn_selected);
2457 s->s3->alpn_selected = NULL;
2458 }
2459 # ifndef OPENSSL_NO_HEARTBEATS
2460 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2461 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2462 # endif
2463
2464 # ifdef TLSEXT_TYPE_encrypt_then_mac
2465 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2466 # endif
2467
2468 if (data >= (d + n - 2))
2469 goto ri_check;
2470
2471 n2s(data, length);
2472 if (data + length != d + n) {
2473 *al = SSL_AD_DECODE_ERROR;
2474 return 0;
2475 }
2476
2477 while (data <= (d + n - 4)) {
2478 n2s(data, type);
2479 n2s(data, size);
2480
2481 if (data + size > (d + n))
2482 goto ri_check;
2483
2484 if (s->tlsext_debug_cb)
2485 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2486
2487 if (type == TLSEXT_TYPE_renegotiate) {
2488 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2489 return 0;
2490 renegotiate_seen = 1;
2491 } else if (s->version == SSL3_VERSION) {
2492 } else if (type == TLSEXT_TYPE_server_name) {
2493 if (s->tlsext_hostname == NULL || size > 0) {
2494 *al = TLS1_AD_UNRECOGNIZED_NAME;
2495 return 0;
2496 }
2497 tlsext_servername = 1;
2498 }
2499 # ifndef OPENSSL_NO_EC
2500 else if (type == TLSEXT_TYPE_ec_point_formats) {
2501 unsigned char *sdata = data;
2502 int ecpointformatlist_length = *(sdata++);
2503
2504 if (ecpointformatlist_length != size - 1) {
2505 *al = TLS1_AD_DECODE_ERROR;
2506 return 0;
2507 }
2508 if (!s->hit) {
2509 s->session->tlsext_ecpointformatlist_length = 0;
2510 if (s->session->tlsext_ecpointformatlist != NULL)
2511 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2512 if ((s->session->tlsext_ecpointformatlist =
2513 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2514 *al = TLS1_AD_INTERNAL_ERROR;
2515 return 0;
2516 }
2517 s->session->tlsext_ecpointformatlist_length =
2518 ecpointformatlist_length;
2519 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2520 ecpointformatlist_length);
2521 }
2522 # if 0
2523 fprintf(stderr,
2524 "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2525 sdata = s->session->tlsext_ecpointformatlist;
2526 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2527 fprintf(stderr, "%i ", *(sdata++));
2528 fprintf(stderr, "\n");
2529 # endif
2530 }
2531 # endif /* OPENSSL_NO_EC */
2532
2533 else if (type == TLSEXT_TYPE_session_ticket) {
2534 if (s->tls_session_ticket_ext_cb &&
2535 !s->tls_session_ticket_ext_cb(s, data, size,
2536 s->tls_session_ticket_ext_cb_arg))
2537 {
2538 *al = TLS1_AD_INTERNAL_ERROR;
2539 return 0;
2540 }
2541 if (!tls_use_ticket(s) || (size > 0)) {
2542 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2543 return 0;
2544 }
2545 s->tlsext_ticket_expected = 1;
2546 }
2547 # ifdef TLSEXT_TYPE_opaque_prf_input
2548 else if (type == TLSEXT_TYPE_opaque_prf_input) {
2549 unsigned char *sdata = data;
2550
2551 if (size < 2) {
2552 *al = SSL_AD_DECODE_ERROR;
2553 return 0;
2554 }
2555 n2s(sdata, s->s3->server_opaque_prf_input_len);
2556 if (s->s3->server_opaque_prf_input_len != size - 2) {
2557 *al = SSL_AD_DECODE_ERROR;
2558 return 0;
2559 }
2560
2561 if (s->s3->server_opaque_prf_input != NULL) {
2562 /* shouldn't really happen */
2563 OPENSSL_free(s->s3->server_opaque_prf_input);
2564 }
2565 if (s->s3->server_opaque_prf_input_len == 0) {
2566 /* dummy byte just to get non-NULL */
2567 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2568 } else {
2569 s->s3->server_opaque_prf_input =
2570 BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2571 }
2572
2573 if (s->s3->server_opaque_prf_input == NULL) {
2574 *al = TLS1_AD_INTERNAL_ERROR;
2575 return 0;
2576 }
2577 }
2578 # endif
2579 else if (type == TLSEXT_TYPE_status_request) {
2580 /*
2581 * MUST be empty and only sent if we've requested a status
2582 * request message.
2583 */
2584 if ((s->tlsext_status_type == -1) || (size > 0)) {
2585 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2586 return 0;
2587 }
2588 /* Set flag to expect CertificateStatus message */
2589 s->tlsext_status_expected = 1;
2590 }
2591 # ifndef OPENSSL_NO_NEXTPROTONEG
2592 else if (type == TLSEXT_TYPE_next_proto_neg &&
2593 s->s3->tmp.finish_md_len == 0) {
2594 unsigned char *selected;
2595 unsigned char selected_len;
2596
2597 /* We must have requested it. */
2598 if (s->ctx->next_proto_select_cb == NULL) {
2599 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2600 return 0;
2601 }
2602 /* The data must be valid */
2603 if (!ssl_next_proto_validate(data, size)) {
2604 *al = TLS1_AD_DECODE_ERROR;
2605 return 0;
2606 }
2607 if (s->
2608 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2609 size,
2610 s->ctx->next_proto_select_cb_arg) !=
2611 SSL_TLSEXT_ERR_OK) {
2612 *al = TLS1_AD_INTERNAL_ERROR;
2613 return 0;
2614 }
2615 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2616 if (!s->next_proto_negotiated) {
2617 *al = TLS1_AD_INTERNAL_ERROR;
2618 return 0;
2619 }
2620 memcpy(s->next_proto_negotiated, selected, selected_len);
2621 s->next_proto_negotiated_len = selected_len;
2622 s->s3->next_proto_neg_seen = 1;
2623 }
2624 # endif
2625
2626 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2627 unsigned len;
2628
2629 /* We must have requested it. */
2630 if (s->alpn_client_proto_list == NULL) {
2631 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2632 return 0;
2633 }
2634 if (size < 4) {
2635 *al = TLS1_AD_DECODE_ERROR;
2636 return 0;
2637 }
2638 /*-
2639 * The extension data consists of:
2640 * uint16 list_length
2641 * uint8 proto_length;
2642 * uint8 proto[proto_length];
2643 */
2644 len = data[0];
2645 len <<= 8;
2646 len |= data[1];
2647 if (len != (unsigned)size - 2) {
2648 *al = TLS1_AD_DECODE_ERROR;
2649 return 0;
2650 }
2651 len = data[2];
2652 if (len != (unsigned)size - 3) {
2653 *al = TLS1_AD_DECODE_ERROR;
2654 return 0;
2655 }
2656 if (s->s3->alpn_selected)
2657 OPENSSL_free(s->s3->alpn_selected);
2658 s->s3->alpn_selected = OPENSSL_malloc(len);
2659 if (!s->s3->alpn_selected) {
2660 *al = TLS1_AD_INTERNAL_ERROR;
2661 return 0;
2662 }
2663 memcpy(s->s3->alpn_selected, data + 3, len);
2664 s->s3->alpn_selected_len = len;
2665 }
2666 # ifndef OPENSSL_NO_HEARTBEATS
2667 else if (type == TLSEXT_TYPE_heartbeat) {
2668 switch (data[0]) {
2669 case 0x01: /* Server allows us to send HB requests */
2670 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2671 break;
2672 case 0x02: /* Server doesn't accept HB requests */
2673 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2674 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2675 break;
2676 default:
2677 *al = SSL_AD_ILLEGAL_PARAMETER;
2678 return 0;
2679 }
2680 }
2681 # endif
2682 # ifndef OPENSSL_NO_SRTP
2683 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2684 if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2685 return 0;
2686 }
2687 # endif
2688 # ifdef TLSEXT_TYPE_encrypt_then_mac
2689 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2690 /* Ignore if inappropriate ciphersuite */
2691 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2692 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2693 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2694 }
2695 # endif
2696 /*
2697 * If this extension type was not otherwise handled, but matches a
2698 * custom_cli_ext_record, then send it to the c callback
2699 */
2700 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2701 return 0;
2702
2703 data += size;
2704 }
2705
2706 if (data != d + n) {
2707 *al = SSL_AD_DECODE_ERROR;
2708 return 0;
2709 }
2710
2711 if (!s->hit && tlsext_servername == 1) {
2712 if (s->tlsext_hostname) {
2713 if (s->session->tlsext_hostname == NULL) {
2714 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2715 if (!s->session->tlsext_hostname) {
2716 *al = SSL_AD_UNRECOGNIZED_NAME;
2717 return 0;
2718 }
2719 } else {
2720 *al = SSL_AD_DECODE_ERROR;
2721 return 0;
2722 }
2723 }
2724 }
2725
2726 *p = data;
2727
2728 ri_check:
2729
2730 /*
2731 * Determine if we need to see RI. Strictly speaking if we want to avoid
2732 * an attack we should *always* see RI even on initial server hello
2733 * because the client doesn't see any renegotiation during an attack.
2734 * However this would mean we could not connect to any server which
2735 * doesn't support RI so for the immediate future tolerate RI absence on
2736 * initial connect only.
2737 */
2738 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2739 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2740 *al = SSL_AD_HANDSHAKE_FAILURE;
2741 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2742 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2743 return 0;
2744 }
2745
2746 return 1;
2747 }
2748
2749 int ssl_prepare_clienthello_tlsext(SSL *s)
2750 {
2751
2752 # ifdef TLSEXT_TYPE_opaque_prf_input
2753 {
2754 int r = 1;
2755
2756 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2757 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2758 s->
2759 ctx->tlsext_opaque_prf_input_callback_arg);
2760 if (!r)
2761 return -1;
2762 }
2763
2764 if (s->tlsext_opaque_prf_input != NULL) {
2765 if (s->s3->client_opaque_prf_input != NULL) {
2766 /* shouldn't really happen */
2767 OPENSSL_free(s->s3->client_opaque_prf_input);
2768 }
2769
2770 if (s->tlsext_opaque_prf_input_len == 0) {
2771 /* dummy byte just to get non-NULL */
2772 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2773 } else {
2774 s->s3->client_opaque_prf_input =
2775 BUF_memdup(s->tlsext_opaque_prf_input,
2776 s->tlsext_opaque_prf_input_len);
2777 }
2778 if (s->s3->client_opaque_prf_input == NULL) {
2779 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
2780 ERR_R_MALLOC_FAILURE);
2781 return -1;
2782 }
2783 s->s3->client_opaque_prf_input_len =
2784 s->tlsext_opaque_prf_input_len;
2785 }
2786
2787 if (r == 2)
2788 /*
2789 * at callback's request, insist on receiving an appropriate
2790 * server opaque PRF input
2791 */
2792 s->s3->server_opaque_prf_input_len =
2793 s->tlsext_opaque_prf_input_len;
2794 }
2795 # endif
2796
2797 return 1;
2798 }
2799
2800 int ssl_prepare_serverhello_tlsext(SSL *s)
2801 {
2802 return 1;
2803 }
2804
2805 static int ssl_check_clienthello_tlsext_early(SSL *s)
2806 {
2807 int ret = SSL_TLSEXT_ERR_NOACK;
2808 int al = SSL_AD_UNRECOGNIZED_NAME;
2809
2810 # ifndef OPENSSL_NO_EC
2811 /*
2812 * The handling of the ECPointFormats extension is done elsewhere, namely
2813 * in ssl3_choose_cipher in s3_lib.c.
2814 */
2815 /*
2816 * The handling of the EllipticCurves extension is done elsewhere, namely
2817 * in ssl3_choose_cipher in s3_lib.c.
2818 */
2819 # endif
2820
2821 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2822 ret =
2823 s->ctx->tlsext_servername_callback(s, &al,
2824 s->ctx->tlsext_servername_arg);
2825 else if (s->initial_ctx != NULL
2826 && s->initial_ctx->tlsext_servername_callback != 0)
2827 ret =
2828 s->initial_ctx->tlsext_servername_callback(s, &al,
2829 s->
2830 initial_ctx->tlsext_servername_arg);
2831
2832 # ifdef TLSEXT_TYPE_opaque_prf_input
2833 {
2834 /*
2835 * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
2836 * might be sending an alert in response to the client hello, so this
2837 * has to happen here in ssl_check_clienthello_tlsext_early().
2838 */
2839
2840 int r = 1;
2841
2842 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2843 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2844 s->
2845 ctx->tlsext_opaque_prf_input_callback_arg);
2846 if (!r) {
2847 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2848 al = SSL_AD_INTERNAL_ERROR;
2849 goto err;
2850 }
2851 }
2852
2853 if (s->s3->server_opaque_prf_input != NULL) {
2854 /* shouldn't really happen */
2855 OPENSSL_free(s->s3->server_opaque_prf_input);
2856 }
2857 s->s3->server_opaque_prf_input = NULL;
2858
2859 if (s->tlsext_opaque_prf_input != NULL) {
2860 if (s->s3->client_opaque_prf_input != NULL &&
2861 s->s3->client_opaque_prf_input_len ==
2862 s->tlsext_opaque_prf_input_len) {
2863 /*
2864 * can only use this extension if we have a server opaque PRF
2865 * input of the same length as the client opaque PRF input!
2866 */
2867
2868 if (s->tlsext_opaque_prf_input_len == 0) {
2869 /* dummy byte just to get non-NULL */
2870 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2871 } else {
2872 s->s3->server_opaque_prf_input =
2873 BUF_memdup(s->tlsext_opaque_prf_input,
2874 s->tlsext_opaque_prf_input_len);
2875 }
2876 if (s->s3->server_opaque_prf_input == NULL) {
2877 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2878 al = SSL_AD_INTERNAL_ERROR;
2879 goto err;
2880 }
2881 s->s3->server_opaque_prf_input_len =
2882 s->tlsext_opaque_prf_input_len;
2883 }
2884 }
2885
2886 if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
2887 /*
2888 * The callback wants to enforce use of the extension, but we
2889 * can't do that with the client opaque PRF input; abort the
2890 * handshake.
2891 */
2892 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2893 al = SSL_AD_HANDSHAKE_FAILURE;
2894 }
2895 }
2896
2897 err:
2898 # endif
2899 switch (ret) {
2900 case SSL_TLSEXT_ERR_ALERT_FATAL:
2901 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2902 return -1;
2903
2904 case SSL_TLSEXT_ERR_ALERT_WARNING:
2905 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2906 return 1;
2907
2908 case SSL_TLSEXT_ERR_NOACK:
2909 s->servername_done = 0;
2910 default:
2911 return 1;
2912 }
2913 }
2914
2915 int tls1_set_server_sigalgs(SSL *s)
2916 {
2917 int al;
2918 size_t i;
2919 /* Clear any shared sigtnature algorithms */
2920 if (s->cert->shared_sigalgs) {
2921 OPENSSL_free(s->cert->shared_sigalgs);
2922 s->cert->shared_sigalgs = NULL;
2923 }
2924 /* Clear certificate digests and validity flags */
2925 for (i = 0; i < SSL_PKEY_NUM; i++) {
2926 s->cert->pkeys[i].digest = NULL;
2927 s->cert->pkeys[i].valid_flags = 0;
2928 }
2929
2930 /* If sigalgs received process it. */
2931 if (s->cert->peer_sigalgs) {
2932 if (!tls1_process_sigalgs(s)) {
2933 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2934 al = SSL_AD_INTERNAL_ERROR;
2935 goto err;
2936 }
2937 /* Fatal error is no shared signature algorithms */
2938 if (!s->cert->shared_sigalgs) {
2939 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2940 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2941 al = SSL_AD_ILLEGAL_PARAMETER;
2942 goto err;
2943 }
2944 } else
2945 ssl_cert_set_default_md(s->cert);
2946 return 1;
2947 err:
2948 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2949 return 0;
2950 }
2951
2952 int ssl_check_clienthello_tlsext_late(SSL *s)
2953 {
2954 int ret = SSL_TLSEXT_ERR_OK;
2955 int al;
2956
2957 /*
2958 * If status request then ask callback what to do. Note: this must be
2959 * called after servername callbacks in case the certificate has changed,
2960 * and must be called after the cipher has been chosen because this may
2961 * influence which certificate is sent
2962 */
2963 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2964 int r;
2965 CERT_PKEY *certpkey;
2966 certpkey = ssl_get_server_send_pkey(s);
2967 /* If no certificate can't return certificate status */
2968 if (certpkey == NULL) {
2969 s->tlsext_status_expected = 0;
2970 return 1;
2971 }
2972 /*
2973 * Set current certificate to one we will use so SSL_get_certificate
2974 * et al can pick it up.
2975 */
2976 s->cert->key = certpkey;
2977 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2978 switch (r) {
2979 /* We don't want to send a status request response */
2980 case SSL_TLSEXT_ERR_NOACK:
2981 s->tlsext_status_expected = 0;
2982 break;
2983 /* status request response should be sent */
2984 case SSL_TLSEXT_ERR_OK:
2985 if (s->tlsext_ocsp_resp)
2986 s->tlsext_status_expected = 1;
2987 else
2988 s->tlsext_status_expected = 0;
2989 break;
2990 /* something bad happened */
2991 case SSL_TLSEXT_ERR_ALERT_FATAL:
2992 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2993 al = SSL_AD_INTERNAL_ERROR;
2994 goto err;
2995 }
2996 } else
2997 s->tlsext_status_expected = 0;
2998
2999 err:
3000 switch (ret) {
3001 case SSL_TLSEXT_ERR_ALERT_FATAL:
3002 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3003 return -1;
3004
3005 case SSL_TLSEXT_ERR_ALERT_WARNING:
3006 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3007 return 1;
3008
3009 default:
3010 return 1;
3011 }
3012 }
3013
3014 int ssl_check_serverhello_tlsext(SSL *s)
3015 {
3016 int ret = SSL_TLSEXT_ERR_NOACK;
3017 int al = SSL_AD_UNRECOGNIZED_NAME;
3018
3019 # ifndef OPENSSL_NO_EC
3020 /*
3021 * If we are client and using an elliptic curve cryptography cipher
3022 * suite, then if server returns an EC point formats lists extension it
3023 * must contain uncompressed.
3024 */
3025 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3026 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3027 if ((s->tlsext_ecpointformatlist != NULL)
3028 && (s->tlsext_ecpointformatlist_length > 0)
3029 && (s->session->tlsext_ecpointformatlist != NULL)
3030 && (s->session->tlsext_ecpointformatlist_length > 0)
3031 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
3032 || (alg_a & SSL_aECDSA))) {
3033 /* we are using an ECC cipher */
3034 size_t i;
3035 unsigned char *list;
3036 int found_uncompressed = 0;
3037 list = s->session->tlsext_ecpointformatlist;
3038 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3039 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3040 found_uncompressed = 1;
3041 break;
3042 }
3043 }
3044 if (!found_uncompressed) {
3045 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3046 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3047 return -1;
3048 }
3049 }
3050 ret = SSL_TLSEXT_ERR_OK;
3051 # endif /* OPENSSL_NO_EC */
3052
3053 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3054 ret =
3055 s->ctx->tlsext_servername_callback(s, &al,
3056 s->ctx->tlsext_servername_arg);
3057 else if (s->initial_ctx != NULL
3058 && s->initial_ctx->tlsext_servername_callback != 0)
3059 ret =
3060 s->initial_ctx->tlsext_servername_callback(s, &al,
3061 s->
3062 initial_ctx->tlsext_servername_arg);
3063
3064 # ifdef TLSEXT_TYPE_opaque_prf_input
3065 if (s->s3->server_opaque_prf_input_len > 0) {
3066 /*
3067 * This case may indicate that we, as a client, want to insist on
3068 * using opaque PRF inputs. So first verify that we really have a
3069 * value from the server too.
3070 */
3071
3072 if (s->s3->server_opaque_prf_input == NULL) {
3073 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3074 al = SSL_AD_HANDSHAKE_FAILURE;
3075 }
3076
3077 /*
3078 * Anytime the server *has* sent an opaque PRF input, we need to
3079 * check that we have a client opaque PRF input of the same size.
3080 */
3081 if (s->s3->client_opaque_prf_input == NULL ||
3082 s->s3->client_opaque_prf_input_len !=
3083 s->s3->server_opaque_prf_input_len) {
3084 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3085 al = SSL_AD_ILLEGAL_PARAMETER;
3086 }
3087 }
3088 # endif
3089
3090 /*
3091 * If we've requested certificate status and we wont get one tell the
3092 * callback
3093 */
3094 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3095 && s->ctx && s->ctx->tlsext_status_cb) {
3096 int r;
3097 /*
3098 * Set resp to NULL, resplen to -1 so callback knows there is no
3099 * response.
3100 */
3101 if (s->tlsext_ocsp_resp) {
3102 OPENSSL_free(s->tlsext_ocsp_resp);
3103 s->tlsext_ocsp_resp = NULL;
3104 }
3105 s->tlsext_ocsp_resplen = -1;
3106 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3107 if (r == 0) {
3108 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3109 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3110 }
3111 if (r < 0) {
3112 al = SSL_AD_INTERNAL_ERROR;
3113 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3114 }
3115 }
3116
3117 switch (ret) {
3118 case SSL_TLSEXT_ERR_ALERT_FATAL:
3119 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3120 return -1;
3121
3122 case SSL_TLSEXT_ERR_ALERT_WARNING:
3123 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3124 return 1;
3125
3126 case SSL_TLSEXT_ERR_NOACK:
3127 s->servername_done = 0;
3128 default:
3129 return 1;
3130 }
3131 }
3132
3133 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
3134 int n)
3135 {
3136 int al = -1;
3137 if (s->version < SSL3_VERSION)
3138 return 1;
3139 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
3140 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3141 return 0;
3142 }
3143
3144 if (ssl_check_serverhello_tlsext(s) <= 0) {
3145 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3146 return 0;
3147 }
3148 return 1;
3149 }
3150
3151 /*-
3152 * Since the server cache lookup is done early on in the processing of the
3153 * ClientHello, and other operations depend on the result, we need to handle
3154 * any TLS session ticket extension at the same time.
3155 *
3156 * session_id: points at the session ID in the ClientHello. This code will
3157 * read past the end of this in order to parse out the session ticket
3158 * extension, if any.
3159 * len: the length of the session ID.
3160 * limit: a pointer to the first byte after the ClientHello.
3161 * ret: (output) on return, if a ticket was decrypted, then this is set to
3162 * point to the resulting session.
3163 *
3164 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3165 * ciphersuite, in which case we have no use for session tickets and one will
3166 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3167 *
3168 * Returns:
3169 * -1: fatal error, either from parsing or decrypting the ticket.
3170 * 0: no ticket was found (or was ignored, based on settings).
3171 * 1: a zero length extension was found, indicating that the client supports
3172 * session tickets but doesn't currently have one to offer.
3173 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3174 * couldn't be decrypted because of a non-fatal error.
3175 * 3: a ticket was successfully decrypted and *ret was set.
3176 *
3177 * Side effects:
3178 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3179 * a new session ticket to the client because the client indicated support
3180 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3181 * a session ticket or we couldn't use the one it gave us, or if
3182 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3183 * Otherwise, s->tlsext_ticket_expected is set to 0.
3184 */
3185 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3186 const unsigned char *limit, SSL_SESSION **ret)
3187 {
3188 /* Point after session ID in client hello */
3189 const unsigned char *p = session_id + len;
3190 unsigned short i;
3191
3192 *ret = NULL;
3193 s->tlsext_ticket_expected = 0;
3194
3195 /*
3196 * If tickets disabled behave as if no ticket present to permit stateful
3197 * resumption.
3198 */
3199 if (!tls_use_ticket(s))
3200 return 0;
3201 if ((s->version <= SSL3_VERSION) || !limit)
3202 return 0;
3203 if (p >= limit)
3204 return -1;
3205 /* Skip past DTLS cookie */
3206 if (SSL_IS_DTLS(s)) {
3207 i = *(p++);
3208 p += i;
3209 if (p >= limit)
3210 return -1;
3211 }
3212 /* Skip past cipher list */
3213 n2s(p, i);
3214 p += i;
3215 if (p >= limit)
3216 return -1;
3217 /* Skip past compression algorithm list */
3218 i = *(p++);
3219 p += i;
3220 if (p > limit)
3221 return -1;
3222 /* Now at start of extensions */
3223 if ((p + 2) >= limit)
3224 return 0;
3225 n2s(p, i);
3226 while ((p + 4) <= limit) {
3227 unsigned short type, size;
3228 n2s(p, type);
3229 n2s(p, size);
3230 if (p + size > limit)
3231 return 0;
3232 if (type == TLSEXT_TYPE_session_ticket) {
3233 int r;
3234 if (size == 0) {
3235 /*
3236 * The client will accept a ticket but doesn't currently have
3237 * one.
3238 */
3239 s->tlsext_ticket_expected = 1;
3240 return 1;
3241 }
3242 if (s->tls_session_secret_cb) {
3243 /*
3244 * Indicate that the ticket couldn't be decrypted rather than
3245 * generating the session from ticket now, trigger
3246 * abbreviated handshake based on external mechanism to
3247 * calculate the master secret later.
3248 */
3249 return 2;
3250 }
3251 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3252 switch (r) {
3253 case 2: /* ticket couldn't be decrypted */
3254 s->tlsext_ticket_expected = 1;
3255 return 2;
3256 case 3: /* ticket was decrypted */
3257 return r;
3258 case 4: /* ticket decrypted but need to renew */
3259 s->tlsext_ticket_expected = 1;
3260 return 3;
3261 default: /* fatal error */
3262 return -1;
3263 }
3264 }
3265 p += size;
3266 }
3267 return 0;
3268 }
3269
3270 /*-
3271 * tls_decrypt_ticket attempts to decrypt a session ticket.
3272 *
3273 * etick: points to the body of the session ticket extension.
3274 * eticklen: the length of the session tickets extenion.
3275 * sess_id: points at the session ID.
3276 * sesslen: the length of the session ID.
3277 * psess: (output) on return, if a ticket was decrypted, then this is set to
3278 * point to the resulting session.
3279 *
3280 * Returns:
3281 * -1: fatal error, either from parsing or decrypting the ticket.
3282 * 2: the ticket couldn't be decrypted.
3283 * 3: a ticket was successfully decrypted and *psess was set.
3284 * 4: same as 3, but the ticket needs to be renewed.
3285 */
3286 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3287 int eticklen, const unsigned char *sess_id,
3288 int sesslen, SSL_SESSION **psess)
3289 {
3290 SSL_SESSION *sess;
3291 unsigned char *sdec;
3292 const unsigned char *p;
3293 int slen, mlen, renew_ticket = 0;
3294 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3295 HMAC_CTX hctx;
3296 EVP_CIPHER_CTX ctx;
3297 SSL_CTX *tctx = s->initial_ctx;
3298 /* Need at least keyname + iv + some encrypted data */
3299 if (eticklen < 48)
3300 return 2;
3301 /* Initialize session ticket encryption and HMAC contexts */
3302 HMAC_CTX_init(&hctx);
3303 EVP_CIPHER_CTX_init(&ctx);
3304 if (tctx->tlsext_ticket_key_cb) {
3305 unsigned char *nctick = (unsigned char *)etick;
3306 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3307 &ctx, &hctx, 0);
3308 if (rv < 0)
3309 return -1;
3310 if (rv == 0)
3311 return 2;
3312 if (rv == 2)
3313 renew_ticket = 1;
3314 } else {
3315 /* Check key name matches */
3316 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3317 return 2;
3318 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3319 tlsext_tick_md(), NULL);
3320 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3321 tctx->tlsext_tick_aes_key, etick + 16);
3322 }
3323 /*
3324 * Attempt to process session ticket, first conduct sanity and integrity
3325 * checks on ticket.
3326 */
3327 mlen = HMAC_size(&hctx);
3328 if (mlen < 0) {
3329 EVP_CIPHER_CTX_cleanup(&ctx);
3330 return -1;
3331 }
3332 eticklen -= mlen;
3333 /* Check HMAC of encrypted ticket */
3334 HMAC_Update(&hctx, etick, eticklen);
3335 HMAC_Final(&hctx, tick_hmac, NULL);
3336 HMAC_CTX_cleanup(&hctx);
3337 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3338 EVP_CIPHER_CTX_cleanup(&ctx);
3339 return 2;
3340 }
3341 /* Attempt to decrypt session data */
3342 /* Move p after IV to start of encrypted ticket, update length */
3343 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3344 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3345 sdec = OPENSSL_malloc(eticklen);
3346 if (!sdec) {
3347 EVP_CIPHER_CTX_cleanup(&ctx);
3348 return -1;
3349 }
3350 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3351 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3352 EVP_CIPHER_CTX_cleanup(&ctx);
3353 OPENSSL_free(sdec);
3354 return 2;
3355 }
3356 slen += mlen;
3357 EVP_CIPHER_CTX_cleanup(&ctx);
3358 p = sdec;
3359
3360 sess = d2i_SSL_SESSION(NULL, &p, slen);
3361 OPENSSL_free(sdec);
3362 if (sess) {
3363 /*
3364 * The session ID, if non-empty, is used by some clients to detect
3365 * that the ticket has been accepted. So we copy it to the session
3366 * structure. If it is empty set length to zero as required by
3367 * standard.
3368 */
3369 if (sesslen)
3370 memcpy(sess->session_id, sess_id, sesslen);
3371 sess->session_id_length = sesslen;
3372 *psess = sess;
3373 if (renew_ticket)
3374 return 4;
3375 else
3376 return 3;
3377 }
3378 ERR_clear_error();
3379 /*
3380 * For session parse failure, indicate that we need to send a new ticket.
3381 */
3382 return 2;
3383 }
3384
3385 /* Tables to translate from NIDs to TLS v1.2 ids */
3386
3387 typedef struct {
3388 int nid;
3389 int id;
3390 } tls12_lookup;
3391
3392 static const tls12_lookup tls12_md[] = {
3393 {NID_md5, TLSEXT_hash_md5},
3394 {NID_sha1, TLSEXT_hash_sha1},
3395 {NID_sha224, TLSEXT_hash_sha224},
3396 {NID_sha256, TLSEXT_hash_sha256},
3397 {NID_sha384, TLSEXT_hash_sha384},
3398 {NID_sha512, TLSEXT_hash_sha512}
3399 };
3400
3401 static const tls12_lookup tls12_sig[] = {
3402 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3403 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3404 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3405 };
3406
3407 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3408 {
3409 size_t i;
3410 for (i = 0; i < tlen; i++) {
3411 if (table[i].nid == nid)
3412 return table[i].id;
3413 }
3414 return -1;
3415 }
3416
3417 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3418 {
3419 size_t i;
3420 for (i = 0; i < tlen; i++) {
3421 if ((table[i].id) == id)
3422 return table[i].nid;
3423 }
3424 return NID_undef;
3425 }
3426
3427 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3428 const EVP_MD *md)
3429 {
3430 int sig_id, md_id;
3431 if (!md)
3432 return 0;
3433 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3434 sizeof(tls12_md) / sizeof(tls12_lookup));
3435 if (md_id == -1)
3436 return 0;
3437 sig_id = tls12_get_sigid(pk);
3438 if (sig_id == -1)
3439 return 0;
3440 p[0] = (unsigned char)md_id;
3441 p[1] = (unsigned char)sig_id;
3442 return 1;
3443 }
3444
3445 int tls12_get_sigid(const EVP_PKEY *pk)
3446 {
3447 return tls12_find_id(pk->type, tls12_sig,
3448 sizeof(tls12_sig) / sizeof(tls12_lookup));
3449 }
3450
3451 typedef struct {
3452 int nid;
3453 int secbits;
3454 const EVP_MD *(*mfunc) (void);
3455 } tls12_hash_info;
3456
3457 static const tls12_hash_info tls12_md_info[] = {
3458 # ifdef OPENSSL_NO_MD5
3459 {NID_md5, 64, 0},
3460 # else
3461 {NID_md5, 64, EVP_md5},
3462 # endif
3463 # ifdef OPENSSL_NO_SHA
3464 {NID_sha1, 80, 0},
3465 # else
3466 {NID_sha1, 80, EVP_sha1},
3467 # endif
3468 # ifdef OPENSSL_NO_SHA256
3469 {NID_sha224, 112, 0},
3470 {NID_sha256, 128, 0},
3471 # else
3472 {NID_sha224, 112, EVP_sha224},
3473 {NID_sha256, 128, EVP_sha256},
3474 # endif
3475 # ifdef OPENSSL_NO_SHA512
3476 {NID_sha384, 192, 0},
3477 {NID_sha512, 256, 0}
3478 # else
3479 {NID_sha384, 192, EVP_sha384},
3480 {NID_sha512, 256, EVP_sha512}
3481 # endif
3482 };
3483
3484 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3485 {
3486 if (hash_alg == 0)
3487 return NULL;
3488 if (hash_alg > sizeof(tls12_md_info) / sizeof(tls12_md_info[0]))
3489 return NULL;
3490 return tls12_md_info + hash_alg - 1;
3491 }
3492
3493 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3494 {
3495 const tls12_hash_info *inf;
3496 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3497 return NULL;
3498 inf = tls12_get_hash_info(hash_alg);
3499 if (!inf || !inf->mfunc)
3500 return NULL;
3501 return inf->mfunc();
3502 }
3503
3504 static int tls12_get_pkey_idx(unsigned char sig_alg)
3505 {
3506 switch (sig_alg) {
3507 # ifndef OPENSSL_NO_RSA
3508 case TLSEXT_signature_rsa:
3509 return SSL_PKEY_RSA_SIGN;
3510 # endif
3511 # ifndef OPENSSL_NO_DSA
3512 case TLSEXT_signature_dsa:
3513 return SSL_PKEY_DSA_SIGN;
3514 # endif
3515 # ifndef OPENSSL_NO_ECDSA
3516 case TLSEXT_signature_ecdsa:
3517 return SSL_PKEY_ECC;
3518 # endif
3519 }
3520 return -1;
3521 }
3522
3523 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3524 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3525 int *psignhash_nid, const unsigned char *data)
3526 {
3527 int sign_nid = 0, hash_nid = 0;
3528 if (!phash_nid && !psign_nid && !psignhash_nid)
3529 return;
3530 if (phash_nid || psignhash_nid) {
3531 hash_nid = tls12_find_nid(data[0], tls12_md,
3532 sizeof(tls12_md) / sizeof(tls12_lookup));
3533 if (phash_nid)
3534 *phash_nid = hash_nid;
3535 }
3536 if (psign_nid || psignhash_nid) {
3537 sign_nid = tls12_find_nid(data[1], tls12_sig,
3538 sizeof(tls12_sig) / sizeof(tls12_lookup));
3539 if (psign_nid)
3540 *psign_nid = sign_nid;
3541 }
3542 if (psignhash_nid) {
3543 if (sign_nid && hash_nid)
3544 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3545 else
3546 *psignhash_nid = NID_undef;
3547 }
3548 }
3549
3550 /* Check to see if a signature algorithm is allowed */
3551 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3552 {
3553 /* See if we have an entry in the hash table and it is enabled */
3554 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3555 if (!hinf || !hinf->mfunc)
3556 return 0;
3557 /* See if public key algorithm allowed */
3558 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3559 return 0;
3560 /* Finally see if security callback allows it */
3561 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3562 }
3563
3564 /*
3565 * Get a mask of disabled public key algorithms based on supported signature
3566 * algorithms. For example if no signature algorithm supports RSA then RSA is
3567 * disabled.
3568 */
3569
3570 void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
3571 {
3572 const unsigned char *sigalgs;
3573 size_t i, sigalgslen;
3574 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3575 /*
3576 * Now go through all signature algorithms seeing if we support any for
3577 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3578 * down calls to security callback only check if we have to.
3579 */
3580 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3581 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3582 switch (sigalgs[1]) {
3583 # ifndef OPENSSL_NO_RSA
3584 case TLSEXT_signature_rsa:
3585 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3586 have_rsa = 1;
3587 break;
3588 # endif
3589 # ifndef OPENSSL_NO_DSA
3590 case TLSEXT_signature_dsa:
3591 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3592 have_dsa = 1;
3593 break;
3594 # endif
3595 # ifndef OPENSSL_NO_ECDSA
3596 case TLSEXT_signature_ecdsa:
3597 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3598 have_ecdsa = 1;
3599 break;
3600 # endif
3601 }
3602 }
3603 if (!have_rsa)
3604 *pmask_a |= SSL_aRSA;
3605 if (!have_dsa)
3606 *pmask_a |= SSL_aDSS;
3607 if (!have_ecdsa)
3608 *pmask_a |= SSL_aECDSA;
3609 }
3610
3611 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3612 const unsigned char *psig, size_t psiglen)
3613 {
3614 unsigned char *tmpout = out;
3615 size_t i;
3616 for (i = 0; i < psiglen; i += 2, psig += 2) {
3617 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3618 *tmpout++ = psig[0];
3619 *tmpout++ = psig[1];
3620 }
3621 }
3622 return tmpout - out;
3623 }
3624
3625 /* Given preference and allowed sigalgs set shared sigalgs */
3626 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3627 const unsigned char *pref, size_t preflen,
3628 const unsigned char *allow, size_t allowlen)
3629 {
3630 const unsigned char *ptmp, *atmp;
3631 size_t i, j, nmatch = 0;
3632 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3633 /* Skip disabled hashes or signature algorithms */
3634 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3635 continue;
3636 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3637 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3638 nmatch++;
3639 if (shsig) {
3640 shsig->rhash = ptmp[0];
3641 shsig->rsign = ptmp[1];
3642 tls1_lookup_sigalg(&shsig->hash_nid,
3643 &shsig->sign_nid,
3644 &shsig->signandhash_nid, ptmp);
3645 shsig++;
3646 }
3647 break;
3648 }
3649 }
3650 }
3651 return nmatch;
3652 }
3653
3654 /* Set shared signature algorithms for SSL structures */
3655 static int tls1_set_shared_sigalgs(SSL *s)
3656 {
3657 const unsigned char *pref, *allow, *conf;
3658 size_t preflen, allowlen, conflen;
3659 size_t nmatch;
3660 TLS_SIGALGS *salgs = NULL;
3661 CERT *c = s->cert;
3662 unsigned int is_suiteb = tls1_suiteb(s);
3663 if (c->shared_sigalgs) {
3664 OPENSSL_free(c->shared_sigalgs);
3665 c->shared_sigalgs = NULL;
3666 }
3667 /* If client use client signature algorithms if not NULL */
3668 if (!s->server && c->client_sigalgs && !is_suiteb) {
3669 conf = c->client_sigalgs;
3670 conflen = c->client_sigalgslen;
3671 } else if (c->conf_sigalgs && !is_suiteb) {
3672 conf = c->conf_sigalgs;
3673 conflen = c->conf_sigalgslen;
3674 } else
3675 conflen = tls12_get_psigalgs(s, &conf);
3676 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3677 pref = conf;
3678 preflen = conflen;
3679 allow = c->peer_sigalgs;
3680 allowlen = c->peer_sigalgslen;
3681 } else {
3682 allow = conf;
3683 allowlen = conflen;
3684 pref = c->peer_sigalgs;
3685 preflen = c->peer_sigalgslen;
3686 }
3687 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3688 if (!nmatch)
3689 return 1;
3690 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3691 if (!salgs)
3692 return 0;
3693 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3694 c->shared_sigalgs = salgs;
3695 c->shared_sigalgslen = nmatch;
3696 return 1;
3697 }
3698
3699 /* Set preferred digest for each key type */
3700
3701 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3702 {
3703 CERT *c = s->cert;
3704 /* Extension ignored for inappropriate versions */
3705 if (!SSL_USE_SIGALGS(s))
3706 return 1;
3707 /* Should never happen */
3708 if (!c)
3709 return 0;
3710
3711 if (c->peer_sigalgs)
3712 OPENSSL_free(c->peer_sigalgs);
3713 c->peer_sigalgs = OPENSSL_malloc(dsize);
3714 if (!c->peer_sigalgs)
3715 return 0;
3716 c->peer_sigalgslen = dsize;
3717 memcpy(c->peer_sigalgs, data, dsize);
3718 return 1;
3719 }
3720
3721 int tls1_process_sigalgs(SSL *s)
3722 {
3723 int idx;
3724 size_t i;
3725 const EVP_MD *md;
3726 CERT *c = s->cert;
3727 TLS_SIGALGS *sigptr;
3728 if (!tls1_set_shared_sigalgs(s))
3729 return 0;
3730
3731 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3732 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3733 /*
3734 * Use first set signature preference to force message digest,
3735 * ignoring any peer preferences.
3736 */
3737 const unsigned char *sigs = NULL;
3738 if (s->server)
3739 sigs = c->conf_sigalgs;
3740 else
3741 sigs = c->client_sigalgs;
3742 if (sigs) {
3743 idx = tls12_get_pkey_idx(sigs[1]);
3744 md = tls12_get_hash(sigs[0]);
3745 c->pkeys[idx].digest = md;
3746 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3747 if (idx == SSL_PKEY_RSA_SIGN) {
3748 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3749 CERT_PKEY_EXPLICIT_SIGN;
3750 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3751 }
3752 }
3753 }
3754 # endif
3755
3756 for (i = 0, sigptr = c->shared_sigalgs;
3757 i < c->shared_sigalgslen; i++, sigptr++) {
3758 idx = tls12_get_pkey_idx(sigptr->rsign);
3759 if (idx > 0 && c->pkeys[idx].digest == NULL) {
3760 md = tls12_get_hash(sigptr->rhash);
3761 c->pkeys[idx].digest = md;
3762 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3763 if (idx == SSL_PKEY_RSA_SIGN) {
3764 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3765 CERT_PKEY_EXPLICIT_SIGN;
3766 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3767 }
3768 }
3769
3770 }
3771 /*
3772 * In strict mode leave unset digests as NULL to indicate we can't use
3773 * the certificate for signing.
3774 */
3775 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3776 /*
3777 * Set any remaining keys to default values. NOTE: if alg is not
3778 * supported it stays as NULL.
3779 */
3780 # ifndef OPENSSL_NO_DSA
3781 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3782 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3783 # endif
3784 # ifndef OPENSSL_NO_RSA
3785 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
3786 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3787 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3788 }
3789 # endif
3790 # ifndef OPENSSL_NO_ECDSA
3791 if (!c->pkeys[SSL_PKEY_ECC].digest)
3792 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3793 # endif
3794 }
3795 return 1;
3796 }
3797
3798 int SSL_get_sigalgs(SSL *s, int idx,
3799 int *psign, int *phash, int *psignhash,
3800 unsigned char *rsig, unsigned char *rhash)
3801 {
3802 const unsigned char *psig = s->cert->peer_sigalgs;
3803 if (psig == NULL)
3804 return 0;
3805 if (idx >= 0) {
3806 idx <<= 1;
3807 if (idx >= (int)s->cert->peer_sigalgslen)
3808 return 0;
3809 psig += idx;
3810 if (rhash)
3811 *rhash = psig[0];
3812 if (rsig)
3813 *rsig = psig[1];
3814 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3815 }
3816 return s->cert->peer_sigalgslen / 2;
3817 }
3818
3819 int SSL_get_shared_sigalgs(SSL *s, int idx,
3820 int *psign, int *phash, int *psignhash,
3821 unsigned char *rsig, unsigned char *rhash)
3822 {
3823 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3824 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3825 return 0;
3826 shsigalgs += idx;
3827 if (phash)
3828 *phash = shsigalgs->hash_nid;
3829 if (psign)
3830 *psign = shsigalgs->sign_nid;
3831 if (psignhash)
3832 *psignhash = shsigalgs->signandhash_nid;
3833 if (rsig)
3834 *rsig = shsigalgs->rsign;
3835 if (rhash)
3836 *rhash = shsigalgs->rhash;
3837 return s->cert->shared_sigalgslen;
3838 }
3839
3840 # ifndef OPENSSL_NO_HEARTBEATS
3841 int tls1_process_heartbeat(SSL *s)
3842 {
3843 unsigned char *p = &s->s3->rrec.data[0], *pl;
3844 unsigned short hbtype;
3845 unsigned int payload;
3846 unsigned int padding = 16; /* Use minimum padding */
3847
3848 if (s->msg_callback)
3849 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3850 &s->s3->rrec.data[0], s->s3->rrec.length,
3851 s, s->msg_callback_arg);
3852
3853 /* Read type and payload length first */
3854 if (1 + 2 + 16 > s->s3->rrec.length)
3855 return 0; /* silently discard */
3856 hbtype = *p++;
3857 n2s(p, payload);
3858 if (1 + 2 + payload + 16 > s->s3->rrec.length)
3859 return 0; /* silently discard per RFC 6520 sec. 4 */
3860 pl = p;
3861
3862 if (hbtype == TLS1_HB_REQUEST) {
3863 unsigned char *buffer, *bp;
3864 int r;
3865
3866 /*
3867 * Allocate memory for the response, size is 1 bytes message type,
3868 * plus 2 bytes payload length, plus payload, plus padding
3869 */
3870 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3871 if (buffer == NULL) {
3872 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3873 return -1;
3874 }
3875 bp = buffer;
3876
3877 /* Enter response type, length and copy payload */
3878 *bp++ = TLS1_HB_RESPONSE;
3879 s2n(payload, bp);
3880 memcpy(bp, pl, payload);
3881 bp += payload;
3882 /* Random padding */
3883 RAND_pseudo_bytes(bp, padding);
3884
3885 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3886 3 + payload + padding);
3887
3888 if (r >= 0 && s->msg_callback)
3889 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3890 buffer, 3 + payload + padding,
3891 s, s->msg_callback_arg);
3892
3893 OPENSSL_free(buffer);
3894
3895 if (r < 0)
3896 return r;
3897 } else if (hbtype == TLS1_HB_RESPONSE) {
3898 unsigned int seq;
3899
3900 /*
3901 * We only send sequence numbers (2 bytes unsigned int), and 16
3902 * random bytes, so we just try to read the sequence number
3903 */
3904 n2s(pl, seq);
3905
3906 if (payload == 18 && seq == s->tlsext_hb_seq) {
3907 s->tlsext_hb_seq++;
3908 s->tlsext_hb_pending = 0;
3909 }
3910 }
3911
3912 return 0;
3913 }
3914
3915 int tls1_heartbeat(SSL *s)
3916 {
3917 unsigned char *buf, *p;
3918 int ret;
3919 unsigned int payload = 18; /* Sequence number + random bytes */
3920 unsigned int padding = 16; /* Use minimum padding */
3921
3922 /* Only send if peer supports and accepts HB requests... */
3923 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3924 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3925 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3926 return -1;
3927 }
3928
3929 /* ...and there is none in flight yet... */
3930 if (s->tlsext_hb_pending) {
3931 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3932 return -1;
3933 }
3934
3935 /* ...and no handshake in progress. */
3936 if (SSL_in_init(s) || s->in_handshake) {
3937 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3938 return -1;
3939 }
3940
3941 /*
3942 * Check if padding is too long, payload and padding must not exceed 2^14
3943 * - 3 = 16381 bytes in total.
3944 */
3945 OPENSSL_assert(payload + padding <= 16381);
3946
3947 /*-
3948 * Create HeartBeat message, we just use a sequence number
3949 * as payload to distuingish different messages and add
3950 * some random stuff.
3951 * - Message Type, 1 byte
3952 * - Payload Length, 2 bytes (unsigned int)
3953 * - Payload, the sequence number (2 bytes uint)
3954 * - Payload, random bytes (16 bytes uint)
3955 * - Padding
3956 */
3957 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3958 if (buf == NULL) {
3959 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3960 return -1;
3961 }
3962 p = buf;
3963 /* Message Type */
3964 *p++ = TLS1_HB_REQUEST;
3965 /* Payload length (18 bytes here) */
3966 s2n(payload, p);
3967 /* Sequence number */
3968 s2n(s->tlsext_hb_seq, p);
3969 /* 16 random bytes */
3970 RAND_pseudo_bytes(p, 16);
3971 p += 16;
3972 /* Random padding */
3973 RAND_pseudo_bytes(p, padding);
3974
3975 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3976 if (ret >= 0) {
3977 if (s->msg_callback)
3978 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3979 buf, 3 + payload + padding,
3980 s, s->msg_callback_arg);
3981
3982 s->tlsext_hb_pending = 1;
3983 }
3984
3985 OPENSSL_free(buf);
3986
3987 return ret;
3988 }
3989 # endif
3990
3991 # define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3992
3993 typedef struct {
3994 size_t sigalgcnt;
3995 int sigalgs[MAX_SIGALGLEN];
3996 } sig_cb_st;
3997
3998 static int sig_cb(const char *elem, int len, void *arg)
3999 {
4000 sig_cb_st *sarg = arg;
4001 size_t i;
4002 char etmp[20], *p;
4003 int sig_alg, hash_alg;
4004 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4005 return 0;
4006 if (len > (int)(sizeof(etmp) - 1))
4007 return 0;
4008 memcpy(etmp, elem, len);
4009 etmp[len] = 0;
4010 p = strchr(etmp, '+');
4011 if (!p)
4012 return 0;
4013 *p = 0;
4014 p++;
4015 if (!*p)
4016 return 0;
4017
4018 if (!strcmp(etmp, "RSA"))
4019 sig_alg = EVP_PKEY_RSA;
4020 else if (!strcmp(etmp, "DSA"))
4021 sig_alg = EVP_PKEY_DSA;
4022 else if (!strcmp(etmp, "ECDSA"))
4023 sig_alg = EVP_PKEY_EC;
4024 else
4025 return 0;
4026
4027 hash_alg = OBJ_sn2nid(p);
4028 if (hash_alg == NID_undef)
4029 hash_alg = OBJ_ln2nid(p);
4030 if (hash_alg == NID_undef)
4031 return 0;
4032
4033 for (i = 0; i < sarg->sigalgcnt; i += 2) {
4034 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
4035 return 0;
4036 }
4037 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4038 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4039 return 1;
4040 }
4041
4042 /*
4043 * Set suppored signature algorithms based on a colon separated list of the
4044 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
4045 */
4046 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4047 {
4048 sig_cb_st sig;
4049 sig.sigalgcnt = 0;
4050 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4051 return 0;
4052 if (c == NULL)
4053 return 1;
4054 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4055 }
4056
4057 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
4058 int client)
4059 {
4060 unsigned char *sigalgs, *sptr;
4061 int rhash, rsign;
4062 size_t i;
4063 if (salglen & 1)
4064 return 0;
4065 sigalgs = OPENSSL_malloc(salglen);
4066 if (sigalgs == NULL)
4067 return 0;
4068 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
4069 rhash = tls12_find_id(*psig_nids++, tls12_md,
4070 sizeof(tls12_md) / sizeof(tls12_lookup));
4071 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4072 sizeof(tls12_sig) / sizeof(tls12_lookup));
4073
4074 if (rhash == -1 || rsign == -1)
4075 goto err;
4076 *sptr++ = rhash;
4077 *sptr++ = rsign;
4078 }
4079
4080 if (client) {
4081 if (c->client_sigalgs)
4082 OPENSSL_free(c->client_sigalgs);
4083 c->client_sigalgs = sigalgs;
4084 c->client_sigalgslen = salglen;
4085 } else {
4086 if (c->conf_sigalgs)
4087 OPENSSL_free(c->conf_sigalgs);
4088 c->conf_sigalgs = sigalgs;
4089 c->conf_sigalgslen = salglen;
4090 }
4091
4092 return 1;
4093
4094 err:
4095 OPENSSL_free(sigalgs);
4096 return 0;
4097 }
4098
4099 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4100 {
4101 int sig_nid;
4102 size_t i;
4103 if (default_nid == -1)
4104 return 1;
4105 sig_nid = X509_get_signature_nid(x);
4106 if (default_nid)
4107 return sig_nid == default_nid ? 1 : 0;
4108 for (i = 0; i < c->shared_sigalgslen; i++)
4109 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4110 return 1;
4111 return 0;
4112 }
4113
4114 /* Check to see if a certificate issuer name matches list of CA names */
4115 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4116 {
4117 X509_NAME *nm;
4118 int i;
4119 nm = X509_get_issuer_name(x);
4120 for (i = 0; i < sk_X509_NAME_num(names); i++) {
4121 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4122 return 1;
4123 }
4124 return 0;
4125 }
4126
4127 /*
4128 * Check certificate chain is consistent with TLS extensions and is usable by
4129 * server. This servers two purposes: it allows users to check chains before
4130 * passing them to the server and it allows the server to check chains before
4131 * attempting to use them.
4132 */
4133
4134 /* Flags which need to be set for a certificate when stict mode not set */
4135
4136 # define CERT_PKEY_VALID_FLAGS \
4137 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4138 /* Strict mode flags */
4139 # define CERT_PKEY_STRICT_FLAGS \
4140 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4141 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4142
4143 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4144 int idx)
4145 {
4146 int i;
4147 int rv = 0;
4148 int check_flags = 0, strict_mode;
4149 CERT_PKEY *cpk = NULL;
4150 CERT *c = s->cert;
4151 unsigned int suiteb_flags = tls1_suiteb(s);
4152 /* idx == -1 means checking server chains */
4153 if (idx != -1) {
4154 /* idx == -2 means checking client certificate chains */
4155 if (idx == -2) {
4156 cpk = c->key;
4157 idx = cpk - c->pkeys;
4158 } else
4159 cpk = c->pkeys + idx;
4160 x = cpk->x509;
4161 pk = cpk->privatekey;
4162 chain = cpk->chain;
4163 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4164 /* If no cert or key, forget it */
4165 if (!x || !pk)
4166 goto end;
4167 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4168 /* Allow any certificate to pass test */
4169 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4170 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4171 CERT_PKEY_VALID | CERT_PKEY_SIGN;
4172 cpk->valid_flags = rv;
4173 return rv;
4174 }
4175 # endif
4176 } else {
4177 if (!x || !pk)
4178 goto end;
4179 idx = ssl_cert_type(x, pk);
4180 if (idx == -1)
4181 goto end;
4182 cpk = c->pkeys + idx;
4183 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4184 check_flags = CERT_PKEY_STRICT_FLAGS;
4185 else
4186 check_flags = CERT_PKEY_VALID_FLAGS;
4187 strict_mode = 1;
4188 }
4189
4190 if (suiteb_flags) {
4191 int ok;
4192 if (check_flags)
4193 check_flags |= CERT_PKEY_SUITEB;
4194 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4195 if (ok == X509_V_OK)
4196 rv |= CERT_PKEY_SUITEB;
4197 else if (!check_flags)
4198 goto end;
4199 }
4200
4201 /*
4202 * Check all signature algorithms are consistent with signature
4203 * algorithms extension if TLS 1.2 or later and strict mode.
4204 */
4205 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4206 int default_nid;
4207 unsigned char rsign = 0;
4208 if (c->peer_sigalgs)
4209 default_nid = 0;
4210 /* If no sigalgs extension use defaults from RFC5246 */
4211 else {
4212 switch (idx) {
4213 case SSL_PKEY_RSA_ENC:
4214 case SSL_PKEY_RSA_SIGN:
4215 case SSL_PKEY_DH_RSA:
4216 rsign = TLSEXT_signature_rsa;
4217 default_nid = NID_sha1WithRSAEncryption;
4218 break;
4219
4220 case SSL_PKEY_DSA_SIGN:
4221 case SSL_PKEY_DH_DSA:
4222 rsign = TLSEXT_signature_dsa;
4223 default_nid = NID_dsaWithSHA1;
4224 break;
4225
4226 case SSL_PKEY_ECC:
4227 rsign = TLSEXT_signature_ecdsa;
4228 default_nid = NID_ecdsa_with_SHA1;
4229 break;
4230
4231 default:
4232 default_nid = -1;
4233 break;
4234 }
4235 }
4236 /*
4237 * If peer sent no signature algorithms extension and we have set
4238 * preferred signature algorithms check we support sha1.
4239 */
4240 if (default_nid > 0 && c->conf_sigalgs) {
4241 size_t j;
4242 const unsigned char *p = c->conf_sigalgs;
4243 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4244 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4245 break;
4246 }
4247 if (j == c->conf_sigalgslen) {
4248 if (check_flags)
4249 goto skip_sigs;
4250 else
4251 goto end;
4252 }
4253 }
4254 /* Check signature algorithm of each cert in chain */
4255 if (!tls1_check_sig_alg(c, x, default_nid)) {
4256 if (!check_flags)
4257 goto end;
4258 } else
4259 rv |= CERT_PKEY_EE_SIGNATURE;
4260 rv |= CERT_PKEY_CA_SIGNATURE;
4261 for (i = 0; i < sk_X509_num(chain); i++) {
4262 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4263 if (check_flags) {
4264 rv &= ~CERT_PKEY_CA_SIGNATURE;
4265 break;
4266 } else
4267 goto end;
4268 }
4269 }
4270 }
4271 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4272 else if (check_flags)
4273 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4274 skip_sigs:
4275 /* Check cert parameters are consistent */
4276 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4277 rv |= CERT_PKEY_EE_PARAM;
4278 else if (!check_flags)
4279 goto end;
4280 if (!s->server)
4281 rv |= CERT_PKEY_CA_PARAM;
4282 /* In strict mode check rest of chain too */
4283 else if (strict_mode) {
4284 rv |= CERT_PKEY_CA_PARAM;
4285 for (i = 0; i < sk_X509_num(chain); i++) {
4286 X509 *ca = sk_X509_value(chain, i);
4287 if (!tls1_check_cert_param(s, ca, 0)) {
4288 if (check_flags) {
4289 rv &= ~CERT_PKEY_CA_PARAM;
4290 break;
4291 } else
4292 goto end;
4293 }
4294 }
4295 }
4296 if (!s->server && strict_mode) {
4297 STACK_OF(X509_NAME) *ca_dn;
4298 int check_type = 0;
4299 switch (pk->type) {
4300 case EVP_PKEY_RSA:
4301 check_type = TLS_CT_RSA_SIGN;
4302 break;
4303 case EVP_PKEY_DSA:
4304 check_type = TLS_CT_DSS_SIGN;
4305 break;
4306 case EVP_PKEY_EC:
4307 check_type = TLS_CT_ECDSA_SIGN;
4308 break;
4309 case EVP_PKEY_DH:
4310 case EVP_PKEY_DHX:
4311 {
4312 int cert_type = X509_certificate_type(x, pk);
4313 if (cert_type & EVP_PKS_RSA)
4314 check_type = TLS_CT_RSA_FIXED_DH;
4315 if (cert_type & EVP_PKS_DSA)
4316 check_type = TLS_CT_DSS_FIXED_DH;
4317 }
4318 }
4319 if (check_type) {
4320 const unsigned char *ctypes;
4321 int ctypelen;
4322 if (c->ctypes) {
4323 ctypes = c->ctypes;
4324 ctypelen = (int)c->ctype_num;
4325 } else {
4326 ctypes = (unsigned char *)s->s3->tmp.ctype;
4327 ctypelen = s->s3->tmp.ctype_num;
4328 }
4329 for (i = 0; i < ctypelen; i++) {
4330 if (ctypes[i] == check_type) {
4331 rv |= CERT_PKEY_CERT_TYPE;
4332 break;
4333 }
4334 }
4335 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4336 goto end;
4337 } else
4338 rv |= CERT_PKEY_CERT_TYPE;
4339
4340 ca_dn = s->s3->tmp.ca_names;
4341
4342 if (!sk_X509_NAME_num(ca_dn))
4343 rv |= CERT_PKEY_ISSUER_NAME;
4344
4345 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4346 if (ssl_check_ca_name(ca_dn, x))
4347 rv |= CERT_PKEY_ISSUER_NAME;
4348 }
4349 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4350 for (i = 0; i < sk_X509_num(chain); i++) {
4351 X509 *xtmp = sk_X509_value(chain, i);
4352 if (ssl_check_ca_name(ca_dn, xtmp)) {
4353 rv |= CERT_PKEY_ISSUER_NAME;
4354 break;
4355 }
4356 }
4357 }
4358 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4359 goto end;
4360 } else
4361 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4362
4363 if (!check_flags || (rv & check_flags) == check_flags)
4364 rv |= CERT_PKEY_VALID;
4365
4366 end:
4367
4368 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4369 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4370 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4371 else if (cpk->digest)
4372 rv |= CERT_PKEY_SIGN;
4373 } else
4374 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4375
4376 /*
4377 * When checking a CERT_PKEY structure all flags are irrelevant if the
4378 * chain is invalid.
4379 */
4380 if (!check_flags) {
4381 if (rv & CERT_PKEY_VALID)
4382 cpk->valid_flags = rv;
4383 else {
4384 /* Preserve explicit sign flag, clear rest */
4385 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4386 return 0;
4387 }
4388 }
4389 return rv;
4390 }
4391
4392 /* Set validity of certificates in an SSL structure */
4393 void tls1_set_cert_validity(SSL *s)
4394 {
4395 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4396 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4397 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4398 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4399 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4400 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4401 }
4402
4403 /* User level utiity function to check a chain is suitable */
4404 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4405 {
4406 return tls1_check_chain(s, x, pk, chain, -1);
4407 }
4408
4409 #endif
4410
4411 #ifndef OPENSSL_NO_DH
4412 DH *ssl_get_auto_dh(SSL *s)
4413 {
4414 int dh_secbits = 80;
4415 if (s->cert->dh_tmp_auto == 2)
4416 return DH_get_1024_160();
4417 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
4418 if (s->s3->tmp.new_cipher->strength_bits == 256)
4419 dh_secbits = 128;
4420 else
4421 dh_secbits = 80;
4422 } else {
4423 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4424 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4425 }
4426
4427 if (dh_secbits >= 128) {
4428 DH *dhp = DH_new();
4429 if (!dhp)
4430 return NULL;
4431 dhp->g = BN_new();
4432 if (dhp->g)
4433 BN_set_word(dhp->g, 2);
4434 if (dh_secbits >= 192)
4435 dhp->p = get_rfc3526_prime_8192(NULL);
4436 else
4437 dhp->p = get_rfc3526_prime_3072(NULL);
4438 if (!dhp->p || !dhp->g) {
4439 DH_free(dhp);
4440 return NULL;
4441 }
4442 return dhp;
4443 }
4444 if (dh_secbits >= 112)
4445 return DH_get_2048_224();
4446 return DH_get_1024_160();
4447 }
4448 #endif
4449
4450 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4451 {
4452 int secbits;
4453 EVP_PKEY *pkey = X509_get_pubkey(x);
4454 if (pkey) {
4455 secbits = EVP_PKEY_security_bits(pkey);
4456 EVP_PKEY_free(pkey);
4457 } else
4458 secbits = -1;
4459 if (s)
4460 return ssl_security(s, op, secbits, 0, x);
4461 else
4462 return ssl_ctx_security(ctx, op, secbits, 0, x);
4463 }
4464
4465 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4466 {
4467 /* Lookup signature algorithm digest */
4468 int secbits = -1, md_nid = NID_undef, sig_nid;
4469 sig_nid = X509_get_signature_nid(x);
4470 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4471 const EVP_MD *md;
4472 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4473 secbits = EVP_MD_size(md) * 4;
4474 }
4475 if (s)
4476 return ssl_security(s, op, secbits, md_nid, x);
4477 else
4478 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4479 }
4480
4481 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4482 {
4483 if (vfy)
4484 vfy = SSL_SECOP_PEER;
4485 if (is_ee) {
4486 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4487 return SSL_R_EE_KEY_TOO_SMALL;
4488 } else {
4489 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4490 return SSL_R_CA_KEY_TOO_SMALL;
4491 }
4492 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4493 return SSL_R_CA_MD_TOO_WEAK;
4494 return 1;
4495 }
4496
4497 /*
4498 * Check security of a chain, if sk includes the end entity certificate then
4499 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4500 * one to the peer. Return values: 1 if ok otherwise error code to use
4501 */
4502
4503 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4504 {
4505 int rv, start_idx, i;
4506 if (x == NULL) {
4507 x = sk_X509_value(sk, 0);
4508 start_idx = 1;
4509 } else
4510 start_idx = 0;
4511
4512 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4513 if (rv != 1)
4514 return rv;
4515
4516 for (i = start_idx; i < sk_X509_num(sk); i++) {
4517 x = sk_X509_value(sk, i);
4518 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4519 if (rv != 1)
4520 return rv;
4521 }
4522 return 1;
4523 }
A mirror of the official openssl repository