]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
typo
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
58964a49
RE		 118#include "ssl_locl.h"
119
42182852 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 121
367eb1f1 122#ifndef OPENSSL_NO_TLSEXT
6434abbf
DSH		 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
09e4e4b9
DSH		 126static int ssl_check_clienthello_tlsext(SSL *s);
127int ssl_check_serverhello_tlsext(SSL *s);
367eb1f1 128#endif
6434abbf 129
f3b656b2 130SSL3_ENC_METHOD TLSv1_enc_data={
58964a49
RE		 131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 tls1_cert_verify_mac,
139 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 tls1_alert_code,
e0af0405 142 tls1_export_keying_material,
58964a49
RE		 143 };
144
f3b656b2 145long tls1_default_timeout(void)
58964a49
RE		 146 {
147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148 * is way too long for http, the cache would over fill */
149 return(60*60*2);
150 }
151
6b691a5c 152int tls1_new(SSL *s)
58964a49
RE		 153 {
154 if (!ssl3_new(s)) return(0);
155 s->method->ssl_clear(s);
156 return(1);
157 }
158
6b691a5c 159void tls1_free(SSL *s)
58964a49 160 {
12bf56c0
DSH		 161#ifndef OPENSSL_NO_TLSEXT
162 if (s->tlsext_session_ticket)
163 {
164 OPENSSL_free(s->tlsext_session_ticket);
165 }
166#endif /* OPENSSL_NO_TLSEXT */
58964a49
RE		 167 ssl3_free(s);
168 }
169
6b691a5c 170void tls1_clear(SSL *s)
58964a49
RE		 171 {
172 ssl3_clear(s);
637f374a 173 s->version = s->method->version;
58964a49
RE		 174 }
175
525de5d3 176#ifndef OPENSSL_NO_EC
eda3766b 177
525de5d3
DSH		 178static int nid_list[] =
179 {
180 NID_sect163k1, /* sect163k1 (1) */
181 NID_sect163r1, /* sect163r1 (2) */
182 NID_sect163r2, /* sect163r2 (3) */
183 NID_sect193r1, /* sect193r1 (4) */
184 NID_sect193r2, /* sect193r2 (5) */
185 NID_sect233k1, /* sect233k1 (6) */
186 NID_sect233r1, /* sect233r1 (7) */
187 NID_sect239k1, /* sect239k1 (8) */
188 NID_sect283k1, /* sect283k1 (9) */
189 NID_sect283r1, /* sect283r1 (10) */
190 NID_sect409k1, /* sect409k1 (11) */
191 NID_sect409r1, /* sect409r1 (12) */
192 NID_sect571k1, /* sect571k1 (13) */
193 NID_sect571r1, /* sect571r1 (14) */
194 NID_secp160k1, /* secp160k1 (15) */
195 NID_secp160r1, /* secp160r1 (16) */
196 NID_secp160r2, /* secp160r2 (17) */
197 NID_secp192k1, /* secp192k1 (18) */
198 NID_X9_62_prime192v1, /* secp192r1 (19) */
199 NID_secp224k1, /* secp224k1 (20) */
200 NID_secp224r1, /* secp224r1 (21) */
201 NID_secp256k1, /* secp256k1 (22) */
202 NID_X9_62_prime256v1, /* secp256r1 (23) */
203 NID_secp384r1, /* secp384r1 (24) */
204 NID_secp521r1 /* secp521r1 (25) */
205 };
eda3766b 206
d0595f17
DSH		 207
208static const unsigned char ecformats_default[] =
eda3766b 209 {
d0595f17
DSH		 210 TLSEXT_ECPOINTFORMAT_uncompressed,
211 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213 };
214
215static const unsigned char eccurves_default[] =
216 {
217 0,14, /* sect571r1 (14) */
218 0,13, /* sect571k1 (13) */
219 0,25, /* secp521r1 (25) */
220 0,11, /* sect409k1 (11) */
221 0,12, /* sect409r1 (12) */
222 0,24, /* secp384r1 (24) */
223 0,9, /* sect283k1 (9) */
224 0,10, /* sect283r1 (10) */
225 0,22, /* secp256k1 (22) */
226 0,23, /* secp256r1 (23) */
227 0,8, /* sect239k1 (8) */
228 0,6, /* sect233k1 (6) */
229 0,7, /* sect233r1 (7) */
230 0,20, /* secp224k1 (20) */
231 0,21, /* secp224r1 (21) */
232 0,4, /* sect193r1 (4) */
233 0,5, /* sect193r2 (5) */
234 0,18, /* secp192k1 (18) */
235 0,19, /* secp192r1 (19) */
236 0,1, /* sect163k1 (1) */
237 0,2, /* sect163r1 (2) */
238 0,3, /* sect163r2 (3) */
239 0,15, /* secp160k1 (15) */
240 0,16, /* secp160r1 (16) */
241 0,17, /* secp160r2 (17) */
eda3766b
DSH		 242 };
243
525de5d3
DSH		 244int tls1_ec_curve_id2nid(int curve_id)
245 {
246 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
1e26a8ba
GT		 247 if ((curve_id < 1) || ((unsigned int)curve_id >
248 sizeof(nid_list)/sizeof(nid_list[0])))
249 return 0;
525de5d3
DSH		 250 return nid_list[curve_id-1];
251 }
252
253int tls1_ec_nid2curve_id(int nid)
254 {
255 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256 switch (nid)
257 {
258 case NID_sect163k1: /* sect163k1 (1) */
259 return 1;
260 case NID_sect163r1: /* sect163r1 (2) */
261 return 2;
262 case NID_sect163r2: /* sect163r2 (3) */
263 return 3;
264 case NID_sect193r1: /* sect193r1 (4) */
265 return 4;
266 case NID_sect193r2: /* sect193r2 (5) */
267 return 5;
268 case NID_sect233k1: /* sect233k1 (6) */
269 return 6;
270 case NID_sect233r1: /* sect233r1 (7) */
271 return 7;
272 case NID_sect239k1: /* sect239k1 (8) */
273 return 8;
274 case NID_sect283k1: /* sect283k1 (9) */
275 return 9;
276 case NID_sect283r1: /* sect283r1 (10) */
277 return 10;
278 case NID_sect409k1: /* sect409k1 (11) */
279 return 11;
280 case NID_sect409r1: /* sect409r1 (12) */
281 return 12;
282 case NID_sect571k1: /* sect571k1 (13) */
283 return 13;
284 case NID_sect571r1: /* sect571r1 (14) */
285 return 14;
286 case NID_secp160k1: /* secp160k1 (15) */
287 return 15;
288 case NID_secp160r1: /* secp160r1 (16) */
289 return 16;
290 case NID_secp160r2: /* secp160r2 (17) */
291 return 17;
292 case NID_secp192k1: /* secp192k1 (18) */
293 return 18;
294 case NID_X9_62_prime192v1: /* secp192r1 (19) */
295 return 19;
296 case NID_secp224k1: /* secp224k1 (20) */
297 return 20;
298 case NID_secp224r1: /* secp224r1 (21) */
299 return 21;
300 case NID_secp256k1: /* secp256k1 (22) */
301 return 22;
302 case NID_X9_62_prime256v1: /* secp256r1 (23) */
303 return 23;
304 case NID_secp384r1: /* secp384r1 (24) */
305 return 24;
306 case NID_secp521r1: /* secp521r1 (25) */
307 return 25;
308 default:
309 return 0;
310 }
311 }
fd2b65ce
DSH		 312/* Get curves list, if "sess" is set return client curves otherwise
313 * preferred list
314 */
315static void tls1_get_curvelist(SSL *s, int sess,
316 const unsigned char **pcurves,
317 size_t *pcurveslen)
318 {
319 if (sess)
320 {
321 *pcurves = s->session->tlsext_ellipticcurvelist;
322 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323 }
324 else
325 {
326 *pcurves = s->tlsext_ellipticcurvelist;
327 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328 }
329 /* If not set use default: for now static structure */
330 if (!*pcurves)
331 {
332 *pcurves = eccurves_default;
333 *pcurveslen = sizeof(eccurves_default);
334 }
335 }
d0595f17 336
a4352630
DSH		 337/* Return nth shared curve. If nmatch == -1 return number of
338 * matches.
d0595f17 339 */
a4352630
DSH		 340
341int tls1_shared_curve(SSL *s, int nmatch)
d0595f17
DSH		 342 {
343 const unsigned char *pref, *supp;
344 size_t preflen, supplen, i, j;
345 int k;
a4352630
DSH		 346 /* Can't do anything on client side */
347 if (s->server == 0)
348 return -1;
349 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350 &supp, &supplen);
351 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352 &pref, &preflen);
353 preflen /= 2;
354 supplen /= 2;
d0595f17
DSH		 355 k = 0;
356 for (i = 0; i < preflen; i++, pref+=2)
357 {
358 const unsigned char *tsupp = supp;
359 for (j = 0; j < supplen; j++, tsupp+=2)
360 {
361 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362 {
363 if (nmatch == k)
a4352630
DSH		 364 {
365 int id = (pref[0] << 8) | pref[1];
366 return tls1_ec_curve_id2nid(id);
367 }
d0595f17
DSH		 368 k++;
369 }
370 }
371 }
d0595f17 372 if (nmatch == -1)
a4352630
DSH		 373 return k;
374 return 0;
d0595f17
DSH		 375 }
376
377int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378 int *curves, size_t ncurves)
379 {
380 unsigned char *clist, *p;
381 size_t i;
382 /* Bitmap of curves included to detect duplicates: only works
383 * while curve ids < 32
384 */
385 unsigned long dup_list = 0;
386 clist = OPENSSL_malloc(ncurves * 2);
387 if (!clist)
388 return 0;
389 for (i = 0, p = clist; i < ncurves; i++)
390 {
391 unsigned long idmask;
392 int id;
393 id = tls1_ec_nid2curve_id(curves[i]);
394 idmask = 1L << id;
395 if (!id || (dup_list & idmask))
396 {
397 OPENSSL_free(clist);
398 return 0;
399 }
400 dup_list |= idmask;
401 s2n(id, p);
402 }
403 if (*pext)
404 OPENSSL_free(*pext);
405 *pext = clist;
406 *pextlen = ncurves * 2;
407 return 1;
408 }
409
410#define MAX_CURVELIST 25
411
412typedef struct
413 {
414 size_t nidcnt;
415 int nid_arr[MAX_CURVELIST];
416 } nid_cb_st;
417
418static int nid_cb(const char *elem, int len, void *arg)
419 {
420 nid_cb_st *narg = arg;
421 size_t i;
422 int nid;
423 char etmp[20];
424 if (narg->nidcnt == MAX_CURVELIST)
425 return 0;
426 if (len > (int)(sizeof(etmp) - 1))
427 return 0;
428 memcpy(etmp, elem, len);
429 etmp[len] = 0;
430 nid = EC_curve_nist2nid(etmp);
431 if (nid == NID_undef)
432 nid = OBJ_sn2nid(etmp);
433 if (nid == NID_undef)
434 nid = OBJ_ln2nid(etmp);
435 if (nid == NID_undef)
436 return 0;
437 for (i = 0; i < narg->nidcnt; i++)
438 if (narg->nid_arr[i] == nid)
439 return 0;
440 narg->nid_arr[narg->nidcnt++] = nid;
441 return 1;
442 }
443/* Set curves based on a colon separate list */
444int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
445 const char *str)
446 {
447 nid_cb_st ncb;
448 ncb.nidcnt = 0;
449 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450 return 0;
451 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452 }
fd2b65ce
DSH		 453/* For an EC key set TLS id and required compression based on parameters */
454static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455 EC_KEY *ec)
456 {
457 int is_prime, id;
458 const EC_GROUP *grp;
459 const EC_POINT *pt;
460 const EC_METHOD *meth;
461 if (!ec)
462 return 0;
463 /* Determine if it is a prime field */
464 grp = EC_KEY_get0_group(ec);
465 pt = EC_KEY_get0_public_key(ec);
466 if (!grp || !pt)
467 return 0;
468 meth = EC_GROUP_method_of(grp);
469 if (!meth)
470 return 0;
471 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472 is_prime = 1;
473 else
474 is_prime = 0;
475 /* Determine curve ID */
476 id = EC_GROUP_get_curve_name(grp);
477 id = tls1_ec_nid2curve_id(id);
478 /* If we have an ID set it, otherwise set arbitrary explicit curve */
479 if (id)
480 {
481 curve_id[0] = 0;
482 curve_id[1] = (unsigned char)id;
483 }
484 else
485 {
486 curve_id[0] = 0xff;
487 if (is_prime)
488 curve_id[1] = 0x01;
489 else
490 curve_id[1] = 0x02;
491 }
492 if (comp_id)
493 {
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495 {
496 if (is_prime)
497 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498 else
499 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500 }
501 else
502 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503 }
504 return 1;
505 }
506/* Check an EC key is compatible with extensions */
507static int tls1_check_ec_key(SSL *s,
508 unsigned char *curve_id, unsigned char *comp_id)
509 {
510 const unsigned char *p;
511 size_t plen, i;
a4352630 512 int j;
fd2b65ce
DSH		 513 /* If point formats extension present check it, otherwise everything
514 * is supported (see RFC4492).
515 */
516 if (comp_id && s->session->tlsext_ecpointformatlist)
517 {
518 p = s->session->tlsext_ecpointformatlist;
519 plen = s->session->tlsext_ecpointformatlist_length;
520 for (i = 0; i < plen; i++, p++)
521 {
522 if (*comp_id == *p)
523 break;
524 }
525 if (i == plen)
526 return 0;
527 }
a4352630
DSH		 528 /* Check curve is consistent with client and server preferences */
529 for (j = 0; j <= 1; j++)
fd2b65ce 530 {
a4352630 531 tls1_get_curvelist(s, j, &p, &plen);
fd2b65ce
DSH		 532 for (i = 0; i < plen; i+=2, p+=2)
533 {
534 if (p[0] == curve_id[0] && p[1] == curve_id[1])
a4352630 535 break;
fd2b65ce 536 }
a4352630
DSH		 537 if (i == plen)
538 return 0;
fd2b65ce
DSH		 539 }
540 return 1;
541 }
d61ff83b
DSH		 542
543/* Check cert parameters compatible with extensions: currently just checks
544 * EC certificates have compatible curves and compression.
545 */
546static int tls1_check_cert_param(SSL *s, X509 *x)
fd2b65ce 547 {
fd2b65ce 548 unsigned char comp_id, curve_id[2];
d61ff83b
DSH		 549 EVP_PKEY *pkey;
550 int rv;
551 pkey = X509_get_pubkey(x);
fd2b65ce
DSH		 552 if (!pkey)
553 return 0;
d61ff83b
DSH		 554 /* If not EC nothing to do */
555 if (pkey->type != EVP_PKEY_EC)
556 {
557 EVP_PKEY_free(pkey);
558 return 1;
559 }
fd2b65ce
DSH		 560 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561 EVP_PKEY_free(pkey);
562 if (!rv)
563 return 0;
564 return tls1_check_ec_key(s, curve_id, &comp_id);
565 }
566/* Check EC temporary key is compatible with client extensions */
567int tls1_check_ec_tmp_key(SSL *s)
568 {
569 unsigned char curve_id[2];
570 EC_KEY *ec = s->cert->ecdh_tmp;
a4352630
DSH		 571 if (s->cert->ecdh_tmp_auto)
572 {
573 /* Need a shared curve */
574 if (tls1_shared_curve(s, 0))
575 return 1;
576 else return 0;
577 }
fd2b65ce
DSH		 578 if (!ec)
579 {
580 if (s->cert->ecdh_tmp_cb)
581 return 1;
582 else
583 return 0;
584 }
585 if (!tls1_set_ec_id(curve_id, NULL, ec))
1e4cb467 586 return 0;
fd2b65ce
DSH		 587 return tls1_check_ec_key(s, curve_id, NULL);
588 }
d0595f17 589
525de5d3 590#endif /* OPENSSL_NO_EC */
f1fd4544 591
ed3883d2 592#ifndef OPENSSL_NO_TLSEXT
fc101f88
DSH		 593
594/* List of supported signature algorithms and hashes. Should make this
595 * customisable at some point, for now include everything we support.
596 */
597
598#ifdef OPENSSL_NO_RSA
599#define tlsext_sigalg_rsa(md) /* */
600#else
601#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
602#endif
603
604#ifdef OPENSSL_NO_DSA
605#define tlsext_sigalg_dsa(md) /* */
606#else
607#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
608#endif
609
610#ifdef OPENSSL_NO_ECDSA
611#define tlsext_sigalg_ecdsa(md) /* */
612#else
654ac273 613#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
fc101f88
DSH		 614#endif
615
616#define tlsext_sigalg(md) \
617 tlsext_sigalg_rsa(md) \
618 tlsext_sigalg_dsa(md) \
619 tlsext_sigalg_ecdsa(md)
620
621static unsigned char tls12_sigalgs[] = {
622#ifndef OPENSSL_NO_SHA512
623 tlsext_sigalg(TLSEXT_hash_sha512)
624 tlsext_sigalg(TLSEXT_hash_sha384)
625#endif
626#ifndef OPENSSL_NO_SHA256
627 tlsext_sigalg(TLSEXT_hash_sha256)
628 tlsext_sigalg(TLSEXT_hash_sha224)
629#endif
630#ifndef OPENSSL_NO_SHA
631 tlsext_sigalg(TLSEXT_hash_sha1)
632#endif
633#ifndef OPENSSL_NO_MD5
634 tlsext_sigalg_rsa(TLSEXT_hash_md5)
635#endif
636};
637
b7bfe69b 638size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
f37f20ff 639 {
3dbc46df
DSH		 640 /* If server use client authentication sigalgs if not NULL */
641 if (s->server && s->cert->client_sigalgs)
642 {
b7bfe69b
DSH		 643 *psigs = s->cert->client_sigalgs;
644 return s->cert->client_sigalgslen;
3dbc46df
DSH		 645 }
646 else if (s->cert->conf_sigalgs)
647 {
b7bfe69b
DSH		 648 *psigs = s->cert->conf_sigalgs;
649 return s->cert->conf_sigalgslen;
3dbc46df 650 }
4453cd8c 651 else
0f229cce 652 {
b7bfe69b 653 *psigs = tls12_sigalgs;
ebc5e72f 654#ifdef OPENSSL_FIPS
4453cd8c
DSH		 655 /* If FIPS mode don't include MD5 which is last */
656 if (FIPS_mode())
b7bfe69b
DSH		 657 return sizeof(tls12_sigalgs) - 2;
658 else
ebc5e72f 659#endif
b7bfe69b 660 return sizeof(tls12_sigalgs);
4453cd8c 661 }
b7bfe69b
DSH		 662 }
663/* Get a mask of disabled algorithms: an algorithm is disabled
664 * if it isn't supported or doesn't appear in supported signature
665 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
666 * session and not global settings.
667 *
668 */
669void ssl_set_client_disabled(SSL *s)
670 {
671 CERT *c = s->cert;
672 const unsigned char *sigalgs;
673 size_t i, sigalgslen;
674 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
675 c->mask_a = 0;
676 c->mask_k = 0;
677 /* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */
678 if (TLS1_get_version(s) < TLS1_2_VERSION)
679 c->mask_ssl = SSL_TLSV1_2;
680 else
681 c->mask_ssl = 0;
682 /* Now go through all signature algorithms seeing if we support
683 * any for RSA, DSA, ECDSA. Do this for all versions not just
684 * TLS 1.2.
685 */
686 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
687 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
688 {
689 switch(sigalgs[1])
690 {
691#ifndef OPENSSL_NO_RSA
692 case TLSEXT_signature_rsa:
693 have_rsa = 1;
694 break;
695#endif
696#ifndef OPENSSL_NO_DSA
697 case TLSEXT_signature_dsa:
698 have_dsa = 1;
699 break;
700#endif
701#ifndef OPENSSL_NO_ECDSA
702 case TLSEXT_signature_ecdsa:
703 have_ecdsa = 1;
704 break;
705#endif
706 }
707 }
708 /* Disable auth and static DH if we don't include any appropriate
709 * signature algorithms.
710 */
711 if (!have_rsa)
712 {
713 c->mask_a |= SSL_aRSA;
714 c->mask_k |= SSL_kDHr|SSL_kECDHr;
715 }
716 if (!have_dsa)
717 {
718 c->mask_a |= SSL_aDSS;
719 c->mask_k |= SSL_kDHd;
720 }
721 if (!have_ecdsa)
722 {
723 c->mask_a |= SSL_aECDSA;
724 c->mask_k |= SSL_kECDHe;
725 }
726#ifndef OPENSSL_NO_KRB5
727 if (!kssl_tgt_is_available(s->kssl_ctx))
728 {
729 c->mask_a |= SSL_aKRB5;
730 c->mask_k |= SSL_kKRB5;
731 }
732#endif
733#ifndef OPENSSL_NO_PSK
734 /* with PSK there must be client callback set */
735 if (!s->psk_client_callback)
736 {
737 c->mask_a |= SSL_aPSK;
738 c->mask_k |= SSL_kPSK;
739 }
740#endif /* OPENSSL_NO_PSK */
741 c->valid = 1;
f37f20ff 742 }
fc101f88 743
a9e1c50b
BL		 744/* byte_compare is a compare function for qsort(3) that compares bytes. */
745static int byte_compare(const void *in_a, const void *in_b)
746 {
747 unsigned char a = *((const unsigned char*) in_a);
748 unsigned char b = *((const unsigned char*) in_b);
749
750 if (a > b)
751 return 1;
752 else if (a < b)
753 return -1;
754 return 0;
755}
756
f1fd4544
BM		 757unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
758 {
ed3883d2
BM		 759 int extdatalen=0;
760 unsigned char *ret = p;
d0595f17
DSH		 761#ifndef OPENSSL_NO_EC
762 /* See if we support any ECC ciphersuites */
763 int using_ecc = 0;
764 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
765 {
766 int i;
767 unsigned long alg_k, alg_a;
768 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
769
770 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
771 {
772 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
773
774 alg_k = c->algorithm_mkey;
775 alg_a = c->algorithm_auth;
776 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
777 || (alg_a & SSL_aECDSA)))
778 {
779 using_ecc = 1;
780 break;
781 }
782 }
783 }
784#endif
ed3883d2 785
13f6d57b
DSH		 786 /* don't add extensions for SSLv3 unless doing secure renegotiation */
787 if (s->client_version == SSL3_VERSION
788 && !s->s3->send_connection_binding)
5f8f94a6
DSH		 789 return p;
790
ed3883d2
BM		 791 ret+=2;
792
793 if (ret>=limit) return NULL; /* this really never occurs, but ... */
6434abbf 794
a70183bc 795 if (s->tlsext_hostname != NULL)
f1fd4544 796 {
ed3883d2
BM		 797 /* Add TLS extension servername to the Client Hello message */
798 unsigned long size_str;
799 long lenmax;
800
a70183bc 801 /* check for enough space.
52b8dad8
BM		 802 4 for the servername type and entension length
803 2 for servernamelist length
804 1 for the hostname type
805 2 for hostname length
806 + hostname length
a70183bc 807 */
52b8dad8 808
761772d7
BM		 809 if ((lenmax = limit - ret - 9) < 0
810 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
a70183bc
BM		 811 return NULL;
812
813 /* extension type and length */
814 s2n(TLSEXT_TYPE_server_name,ret);
815 s2n(size_str+5,ret);
f1fd4544 816
a70183bc 817 /* length of servername list */
ed3883d2 818 s2n(size_str+3,ret);
a70183bc
BM		 819
820 /* hostname type, length and hostname */
f1fd4544 821 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
ed3883d2 822 s2n(size_str,ret);
ed3883d2
BM		 823 memcpy(ret, s->tlsext_hostname, size_str);
824 ret+=size_str;
f1fd4544 825 }
761772d7 826
423c66f1 827 /* Add RI if renegotiating */
bdd53508 828 if (s->renegotiate)
423c66f1 829 {
860c3dd1
DSH		 830 int el;
831
832 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
833 {
834 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
835 return NULL;
836 }
837
838 if((limit - p - 4 - el) < 0) return NULL;
839
840 s2n(TLSEXT_TYPE_renegotiate,ret);
841 s2n(el,ret);
842
843 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
844 {
845 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
846 return NULL;
847 }
848
849 ret += el;
850 }
851
edc032b5 852#ifndef OPENSSL_NO_SRP
1df80b65 853 /* Add SRP username if there is one */
edc032b5 854 if (s->srp_ctx.login != NULL)
1df80b65 855 { /* Add TLS extension SRP username to the Client Hello message */
edc032b5 856
1df80b65
DSH		 857 int login_len = strlen(s->srp_ctx.login);
858 if (login_len > 255 || login_len == 0)
edc032b5
BL		 859 {
860 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
861 return NULL;
1df80b65
DSH		 862 }
863
864 /* check for enough space.
865 4 for the srp type type and entension length
866 1 for the srp user identity
867 + srp user identity length
868 */
869 if ((limit - ret - 5 - login_len) < 0) return NULL;
870
871 /* fill in the extension */
edc032b5
BL		 872 s2n(TLSEXT_TYPE_srp,ret);
873 s2n(login_len+1,ret);
1df80b65
DSH		 874 (*ret++) = (unsigned char) login_len;
875 memcpy(ret, s->srp_ctx.login, login_len);
edc032b5
BL		 876 ret+=login_len;
877 }
878#endif
879
36ca4ba6 880#ifndef OPENSSL_NO_EC
d0595f17 881 if (using_ecc)
36ca4ba6
BM		 882 {
883 /* Add TLS extension ECPointFormats to the ClientHello message */
884 long lenmax;
d0595f17
DSH		 885 const unsigned char *plist;
886 size_t plistlen;
887 /* If we have a custom point format list use it otherwise
888 * use default */
889 plist = s->tlsext_ecpointformatlist;
890 if (plist)
891 plistlen = s->tlsext_ecpointformatlist_length;
892 else
893 {
894 plist = ecformats_default;
895 plistlen = sizeof(ecformats_default);
896 }
36ca4ba6 897
761772d7 898 if ((lenmax = limit - ret - 5) < 0) return NULL;
d0595f17
DSH		 899 if (plistlen > (size_t)lenmax) return NULL;
900 if (plistlen > 255)
019fdc78
BM		 901 {
902 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
903 return NULL;
904 }
36ca4ba6
BM		 905
906 s2n(TLSEXT_TYPE_ec_point_formats,ret);
d0595f17
DSH		 907 s2n(plistlen + 1,ret);
908 *(ret++) = (unsigned char)plistlen ;
909 memcpy(ret, plist, plistlen);
910 ret+=plistlen;
911
33273721 912 /* Add TLS extension EllipticCurves to the ClientHello message */
d0595f17 913 plist = s->tlsext_ellipticcurvelist;
fd2b65ce 914 tls1_get_curvelist(s, 0, &plist, &plistlen);
33273721 915
761772d7 916 if ((lenmax = limit - ret - 6) < 0) return NULL;
d0595f17
DSH		 917 if (plistlen > (size_t)lenmax) return NULL;
918 if (plistlen > 65532)
33273721
BM		 919 {
920 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
921 return NULL;
922 }
923
924 s2n(TLSEXT_TYPE_elliptic_curves,ret);
d0595f17 925 s2n(plistlen + 2, ret);
a4974de9
BM		 926
927 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
928 * elliptic_curve_list, but the examples use two bytes.
929 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
930 * resolves this to two bytes.
931 */
d0595f17
DSH		 932 s2n(plistlen, ret);
933 memcpy(ret, plist, plistlen);
934 ret+=plistlen;
33273721 935 }
36ca4ba6 936#endif /* OPENSSL_NO_EC */
d3442bc7 937
6434abbf
DSH		 938 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
939 {
940 int ticklen;
7ba3838a 941 if (!s->new_session && s->session && s->session->tlsext_tick)
6434abbf 942 ticklen = s->session->tlsext_ticklen;
12bf56c0
DSH		 943 else if (s->session && s->tlsext_session_ticket &&
944 s->tlsext_session_ticket->data)
945 {
946 ticklen = s->tlsext_session_ticket->length;
947 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
948 if (!s->session->tlsext_tick)
949 return NULL;
950 memcpy(s->session->tlsext_tick,
951 s->tlsext_session_ticket->data,
952 ticklen);
953 s->session->tlsext_ticklen = ticklen;
954 }
6434abbf
DSH		 955 else
956 ticklen = 0;
12bf56c0
DSH		 957 if (ticklen == 0 && s->tlsext_session_ticket &&
958 s->tlsext_session_ticket->data == NULL)
959 goto skip_ext;
6434abbf
DSH		 960 /* Check for enough room 2 for extension type, 2 for len
961 * rest for ticket
962 */
761772d7 963 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
6434abbf
DSH		 964 s2n(TLSEXT_TYPE_session_ticket,ret);
965 s2n(ticklen,ret);
966 if (ticklen)
967 {
968 memcpy(ret, s->session->tlsext_tick, ticklen);
969 ret += ticklen;
970 }
971 }
12bf56c0 972 skip_ext:
6434abbf 973
7744ef1a 974 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
a2f9200f 975 {
0f229cce 976 size_t salglen;
b7bfe69b
DSH		 977 const unsigned char *salg;
978 salglen = tls12_get_psigalgs(s, &salg);
0f229cce 979 if ((size_t)(limit - ret) < salglen + 6)
a2f9200f
DSH		 980 return NULL;
981 s2n(TLSEXT_TYPE_signature_algorithms,ret);
0f229cce
DSH		 982 s2n(salglen + 2, ret);
983 s2n(salglen, ret);
b7bfe69b 984 memcpy(ret, salg, salglen);
0f229cce 985 ret += salglen;
a2f9200f
DSH		 986 }
987
761772d7 988#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 989 if (s->s3->client_opaque_prf_input != NULL &&
990 s->version != DTLS1_VERSION)
761772d7
BM		 991 {
992 size_t col = s->s3->client_opaque_prf_input_len;
993
994 if ((long)(limit - ret - 6 - col < 0))
995 return NULL;
996 if (col > 0xFFFD) /* can't happen */
997 return NULL;
998
999 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1000 s2n(col + 2, ret);
1001 s2n(col, ret);
1002 memcpy(ret, s->s3->client_opaque_prf_input, col);
1003 ret += col;
1004 }
1005#endif
1006
8025e251
DSH		 1007 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1008 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 1009 {
1010 int i;
1011 long extlen, idlen, itmp;
1012 OCSP_RESPID *id;
1013
1014 idlen = 0;
1015 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1016 {
1017 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1018 itmp = i2d_OCSP_RESPID(id, NULL);
1019 if (itmp <= 0)
1020 return NULL;
1021 idlen += itmp + 2;
1022 }
1023
1024 if (s->tlsext_ocsp_exts)
1025 {
1026 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1027 if (extlen < 0)
1028 return NULL;
1029 }
1030 else
1031 extlen = 0;
1032
1033 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1034 s2n(TLSEXT_TYPE_status_request, ret);
1035 if (extlen + idlen > 0xFFF0)
1036 return NULL;
1037 s2n(extlen + idlen + 5, ret);
1038 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1039 s2n(idlen, ret);
1040 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1041 {
1042 /* save position of id len */
1043 unsigned char *q = ret;
1044 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1045 /* skip over id len */
1046 ret += 2;
1047 itmp = i2d_OCSP_RESPID(id, &ret);
1048 /* write id len */
1049 s2n(itmp, q);
1050 }
1051 s2n(extlen, ret);
1052 if (extlen > 0)
1053 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1054 }
1055
4817504d
DSH		 1056#ifndef OPENSSL_NO_HEARTBEATS
1057 /* Add Heartbeat extension */
1058 s2n(TLSEXT_TYPE_heartbeat,ret);
1059 s2n(1,ret);
1060 /* Set mode:
1061 * 1: peer may send requests
1062 * 2: peer not allowed to send requests
1063 */
1064 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1065 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1066 else
1067 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1068#endif
1069
bf48836c 1070#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1071 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1072 {
1073 /* The client advertises an emtpy extension to indicate its
1074 * support for Next Protocol Negotiation */
1075 if (limit - ret - 4 < 0)
1076 return NULL;
1077 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1078 s2n(0,ret);
1079 }
1080#endif
1081
333f926d
BL		 1082 if(SSL_get_srtp_profiles(s))
1083 {
1084 int el;
1085
1086 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1087
1088 if((limit - p - 4 - el) < 0) return NULL;
1089
1090 s2n(TLSEXT_TYPE_use_srtp,ret);
1091 s2n(el,ret);
1092
1093 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1094 {
1095 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1096 return NULL;
1097 }
1098 ret += el;
1099 }
1100
a9e1c50b
BL		 1101 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1102 /* 2 bytes for extension type */
1103 /* 2 bytes for extension length */
1104 /* 1 byte for the list length */
1105 /* 1 byte for the list (we only support audit proofs) */
1106 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1107 {
1108 size_t lenmax;
1109 const unsigned short ext_len = 2;
1110 const unsigned char list_len = 1;
1111
1112 if ((lenmax = limit - ret - 6) < 0) return NULL;
1113
1114 s2n(TLSEXT_TYPE_server_authz, ret);
1115 /* Extension length: 2 bytes */
1116 s2n(ext_len, ret);
1117 *(ret++) = list_len;
1118 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1119 }
1120
1121 if ((extdatalen = ret-p-2) == 0)
ed3883d2
BM		 1122 return p;
1123
1124 s2n(extdatalen,p);
1125 return ret;
52b8dad8 1126 }
ed3883d2 1127
f1fd4544
BM		 1128unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1129 {
ed3883d2
BM		 1130 int extdatalen=0;
1131 unsigned char *ret = p;
bf48836c
BL		 1132#ifndef OPENSSL_NO_NEXTPROTONEG
1133 int next_proto_neg_seen;
ee2ffc27 1134#endif
ed3883d2 1135
13f6d57b
DSH		 1136 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1137 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
5f8f94a6
DSH		 1138 return p;
1139
a13c20f6 1140 ret+=2;
ed3883d2
BM		 1141 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1142
a13c20f6 1143 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
f1fd4544 1144 {
761772d7 1145 if ((long)(limit - ret - 4) < 0) return NULL;
ed3883d2
BM		 1146
1147 s2n(TLSEXT_TYPE_server_name,ret);
1148 s2n(0,ret);
f1fd4544 1149 }
860c3dd1 1150
8025e251 1151 if(s->s3->send_connection_binding)
860c3dd1
DSH		 1152 {
1153 int el;
1154
1155 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1156 {
1157 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1158 return NULL;
1159 }
1160
1161 if((limit - p - 4 - el) < 0) return NULL;
1162
1163 s2n(TLSEXT_TYPE_renegotiate,ret);
1164 s2n(el,ret);
1165
1166 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1167 {
1168 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1169 return NULL;
1170 }
1171
1172 ret += el;
1173 }
1174
36ca4ba6 1175#ifndef OPENSSL_NO_EC
8025e251
DSH		 1176 if (s->tlsext_ecpointformatlist != NULL &&
1177 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1178 {
1179 /* Add TLS extension ECPointFormats to the ServerHello message */
1180 long lenmax;
1181
761772d7 1182 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 1183 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 1184 if (s->tlsext_ecpointformatlist_length > 255)
1185 {
1186 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1187 return NULL;
1188 }
36ca4ba6
BM		 1189
1190 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1191 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1192 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1193 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1194 ret+=s->tlsext_ecpointformatlist_length;
a70183bc 1195
36ca4ba6 1196 }
33273721 1197 /* Currently the server should not respond with a SupportedCurves extension */
36ca4ba6 1198#endif /* OPENSSL_NO_EC */
67c8e7f4 1199
6434abbf
DSH		 1200 if (s->tlsext_ticket_expected
1201 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1202 {
761772d7 1203 if ((long)(limit - ret - 4) < 0) return NULL;
6434abbf
DSH		 1204 s2n(TLSEXT_TYPE_session_ticket,ret);
1205 s2n(0,ret);
1206 }
761772d7 1207
67c8e7f4
DSH		 1208 if (s->tlsext_status_expected)
1209 {
1210 if ((long)(limit - ret - 4) < 0) return NULL;
1211 s2n(TLSEXT_TYPE_status_request,ret);
1212 s2n(0,ret);
1213 }
1214
761772d7 1215#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1216 if (s->s3->server_opaque_prf_input != NULL &&
1217 s->version != DTLS1_VERSION)
761772d7
BM		 1218 {
1219 size_t sol = s->s3->server_opaque_prf_input_len;
6434abbf 1220
761772d7
BM		 1221 if ((long)(limit - ret - 6 - sol) < 0)
1222 return NULL;
1223 if (sol > 0xFFFD) /* can't happen */
1224 return NULL;
1225
1226 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1227 s2n(sol + 2, ret);
1228 s2n(sol, ret);
1229 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1230 ret += sol;
1231 }
1232#endif
333f926d
BL		 1233
1234 if(s->srtp_profile)
1235 {
1236 int el;
1237
1238 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1239
1240 if((limit - p - 4 - el) < 0) return NULL;
1241
1242 s2n(TLSEXT_TYPE_use_srtp,ret);
1243 s2n(el,ret);
1244
1245 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1246 {
7a236261 1247 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
333f926d
BL		 1248 return NULL;
1249 }
1250 ret+=el;
1251 }
1252
0e1dba93
DSH		 1253 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1254 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1255 { const unsigned char cryptopro_ext[36] = {
1256 0xfd, 0xe8, /*65000*/
1257 0x00, 0x20, /*32 bytes length*/
1258 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1259 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1260 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1261 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1262 if (limit-ret<36) return NULL;
1263 memcpy(ret,cryptopro_ext,36);
1264 ret+=36;
1265
1266 }
761772d7 1267
4817504d 1268#ifndef OPENSSL_NO_HEARTBEATS
5733919d
DSH		 1269 /* Add Heartbeat extension if we've received one */
1270 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1271 {
1272 s2n(TLSEXT_TYPE_heartbeat,ret);
1273 s2n(1,ret);
1274 /* Set mode:
1275 * 1: peer may send requests
1276 * 2: peer not allowed to send requests
1277 */
1278 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1279 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1280 else
1281 *(ret++) = SSL_TLSEXT_HB_ENABLED;
192540b5 1282
5733919d 1283 }
4817504d
DSH		 1284#endif
1285
bf48836c 1286#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1287 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1288 s->s3->next_proto_neg_seen = 0;
1289 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1290 {
1291 const unsigned char *npa;
1292 unsigned int npalen;
1293 int r;
1294
1295 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1296 if (r == SSL_TLSEXT_ERR_OK)
1297 {
1298 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1299 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1300 s2n(npalen,ret);
1301 memcpy(ret, npa, npalen);
1302 ret += npalen;
1303 s->s3->next_proto_neg_seen = 1;
1304 }
1305 }
1306#endif
1307
a9e1c50b
BL		 1308 /* If the client supports authz then see whether we have any to offer
1309 * to it. */
1310 if (s->s3->tlsext_authz_client_types_len)
1311 {
1312 size_t authz_length;
1313 /* By now we already know the new cipher, so we can look ahead
1314 * to see whether the cert we are going to send
1315 * has any authz data attached to it. */
1316 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1317 const unsigned char* const orig_authz = authz;
1318 size_t i;
1319 unsigned authz_count = 0;
1320
1321 /* The authz data contains a number of the following structures:
1322 * uint8_t authz_type
1323 * uint16_t length
1324 * uint8_t data[length]
1325 *
1326 * First we walk over it to find the number of authz elements. */
1327 for (i = 0; i < authz_length; i++)
1328 {
1329 unsigned short length;
1330 unsigned char type;
1331
1332 type = *(authz++);
1333 if (memchr(s->s3->tlsext_authz_client_types,
1334 type,
1335 s->s3->tlsext_authz_client_types_len) != NULL)
1336 authz_count++;
1337
1338 n2s(authz, length);
aeda172a
BL		 1339 /* n2s increments authz by 2 */
1340 i += 2;
a9e1c50b
BL		 1341 authz += length;
1342 i += length;
1343 }
1344
1345 if (authz_count)
1346 {
1347 /* Add TLS extension server_authz to the ServerHello message
1348 * 2 bytes for extension type
1349 * 2 bytes for extension length
1350 * 1 byte for the list length
1351 * n bytes for the list */
1352 const unsigned short ext_len = 1 + authz_count;
1353
1354 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1355 s2n(TLSEXT_TYPE_server_authz, ret);
1356 s2n(ext_len, ret);
1357 *(ret++) = authz_count;
1358 s->s3->tlsext_authz_promised_to_client = 1;
1359 }
1360
1361 authz = orig_authz;
1362 for (i = 0; i < authz_length; i++)
1363 {
1364 unsigned short length;
1365 unsigned char type;
1366
1367 authz_count++;
1368 type = *(authz++);
1369 if (memchr(s->s3->tlsext_authz_client_types,
1370 type,
1371 s->s3->tlsext_authz_client_types_len) != NULL)
1372 *(ret++) = type;
1373 n2s(authz, length);
aeda172a
BL		 1374 /* n2s increments authz by 2 */
1375 i += 2;
a9e1c50b
BL		 1376 authz += length;
1377 i += length;
1378 }
1379 }
1380
ed3883d2
BM		 1381 if ((extdatalen = ret-p-2)== 0)
1382 return p;
1383
1384 s2n(extdatalen,p);
1385 return ret;
52b8dad8 1386 }
ed3883d2 1387
b2284ed3
DSH		 1388static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1389 {
ed3883d2
BM		 1390 unsigned short type;
1391 unsigned short size;
1392 unsigned short len;
f1fd4544 1393 unsigned char *data = *p;
860c3dd1
DSH		 1394 int renegotiate_seen = 0;
1395
a13c20f6 1396 s->servername_done = 0;
67c8e7f4 1397 s->tlsext_status_type = -1;
6f31dd72
BM		 1398#ifndef OPENSSL_NO_NEXTPROTONEG
1399 s->s3->next_proto_neg_seen = 0;
1400#endif
ed3883d2 1401
4817504d
DSH		 1402#ifndef OPENSSL_NO_HEARTBEATS
1403 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1404 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1405#endif
4453cd8c
DSH		 1406 /* Clear any signature algorithms extension received */
1407 if (s->cert->peer_sigalgs)
1408 {
1409 OPENSSL_free(s->cert->peer_sigalgs);
1410 s->cert->peer_sigalgs = NULL;
1411 }
1412 /* Clear any shared sigtnature algorithms */
1413 if (s->cert->shared_sigalgs)
1414 {
1415 OPENSSL_free(s->cert->shared_sigalgs);
1416 s->cert->shared_sigalgs = NULL;
1417 }
4817504d 1418
ed3883d2 1419 if (data >= (d+n-2))
c27c9cb4 1420 goto ri_check;
ed3883d2
BM		 1421 n2s(data,len);
1422
52b8dad8 1423 if (data > (d+n-len))
c27c9cb4 1424 goto ri_check;
ed3883d2 1425
f1fd4544
BM		 1426 while (data <= (d+n-4))
1427 {
ed3883d2
BM		 1428 n2s(data,type);
1429 n2s(data,size);
1430
1431 if (data+size > (d+n))
c27c9cb4 1432 goto ri_check;
8e3b2dbb 1433#if 0
0e1dba93 1434 fprintf(stderr,"Received extension type %d size %d\n",type,size);
8e3b2dbb 1435#endif
6434abbf
DSH		 1436 if (s->tlsext_debug_cb)
1437 s->tlsext_debug_cb(s, 0, type, data, size,
1438 s->tlsext_debug_arg);
a13c20f6
BM		 1439/* The servername extension is treated as follows:
1440
1441 - Only the hostname type is supported with a maximum length of 255.
1442 - The servername is rejected if too long or if it contains zeros,
1443 in which case an fatal alert is generated.
1444 - The servername field is maintained together with the session cache.
1445 - When a session is resumed, the servername call back invoked in order
1446 to allow the application to position itself to the right context.
1447 - The servername is acknowledged if it is new for a session or when
1448 it is identical to a previously used for the same session.
1449 Applications can control the behaviour. They can at any time
1450 set a 'desirable' servername for a new SSL object. This can be the
1451 case for example with HTTPS when a Host: header field is received and
1452 a renegotiation is requested. In this case, a possible servername
1453 presented in the new client hello is only acknowledged if it matches
1454 the value of the Host: field.
1455 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1456 if they provide for changing an explicit servername context for the session,
1457 i.e. when the session has been established with a servername extension.
1458 - On session reconnect, the servername extension may be absent.
1459
1460*/
1461
f1fd4544
BM		 1462 if (type == TLSEXT_TYPE_server_name)
1463 {
a70183bc 1464 unsigned char *sdata;
ed3883d2 1465 int servname_type;
a70183bc
BM		 1466 int dsize;
1467
1468 if (size < 2)
1469 {
1470 *al = SSL_AD_DECODE_ERROR;
1471 return 0;
1472 }
1473 n2s(data,dsize);
52b8dad8 1474 size -= 2;
a70183bc 1475 if (dsize > size )
f1fd4544 1476 {
a70183bc
BM		 1477 *al = SSL_AD_DECODE_ERROR;
1478 return 0;
1479 }
1480
1481 sdata = data;
1482 while (dsize > 3)
1483 {
1484 servname_type = *(sdata++);
ed3883d2 1485 n2s(sdata,len);
a70183bc
BM		 1486 dsize -= 3;
1487
1488 if (len > dsize)
f1fd4544
BM		 1489 {
1490 *al = SSL_AD_DECODE_ERROR;
1491 return 0;
1492 }
a70183bc 1493 if (s->servername_done == 0)
f1fd4544
BM		 1494 switch (servname_type)
1495 {
1496 case TLSEXT_NAMETYPE_host_name:
732d31be 1497 if (!s->hit)
f1fd4544 1498 {
732d31be
DSH		 1499 if(s->session->tlsext_hostname)
1500 {
1501 *al = SSL_AD_DECODE_ERROR;
1502 return 0;
1503 }
1504 if (len > TLSEXT_MAXLEN_host_name)
f1fd4544
BM		 1505 {
1506 *al = TLS1_AD_UNRECOGNIZED_NAME;
1507 return 0;
1508 }
732d31be
DSH		 1509 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1510 {
1511 *al = TLS1_AD_INTERNAL_ERROR;
1512 return 0;
1513 }
ed3883d2 1514 memcpy(s->session->tlsext_hostname, sdata, len);
a13c20f6
BM		 1515 s->session->tlsext_hostname[len]='\0';
1516 if (strlen(s->session->tlsext_hostname) != len) {
1517 OPENSSL_free(s->session->tlsext_hostname);
40a70628 1518 s->session->tlsext_hostname = NULL;
a13c20f6
BM		 1519 *al = TLS1_AD_UNRECOGNIZED_NAME;
1520 return 0;
f1fd4544 1521 }
a13c20f6
BM		 1522 s->servername_done = 1;
1523
a13c20f6
BM		 1524 }
1525 else
732d31be
DSH		 1526 s->servername_done = s->session->tlsext_hostname
1527 && strlen(s->session->tlsext_hostname) == len
6b9e941e 1528 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
a13c20f6 1529
ed3883d2 1530 break;
f1fd4544 1531
ed3883d2
BM		 1532 default:
1533 break;
f1fd4544 1534 }
52b8dad8 1535
a70183bc 1536 dsize -= len;
f1fd4544 1537 }
a70183bc
BM		 1538 if (dsize != 0)
1539 {
1540 *al = SSL_AD_DECODE_ERROR;
1541 return 0;
1542 }
1543
ed3883d2 1544 }
edc032b5
BL		 1545#ifndef OPENSSL_NO_SRP
1546 else if (type == TLSEXT_TYPE_srp)
1547 {
1df80b65
DSH		 1548 if (size <= 0 || ((len = data[0])) != (size -1))
1549 {
1550 *al = SSL_AD_DECODE_ERROR;
1551 return 0;
1552 }
1553 if (s->srp_ctx.login != NULL)
edc032b5 1554 {
1df80b65
DSH		 1555 *al = SSL_AD_DECODE_ERROR;
1556 return 0;
1557 }
1558 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1559 return -1;
1560 memcpy(s->srp_ctx.login, &data[1], len);
1561 s->srp_ctx.login[len]='\0';
1562
1563 if (strlen(s->srp_ctx.login) != len)
1564 {
1565 *al = SSL_AD_DECODE_ERROR;
1566 return 0;
edc032b5
BL		 1567 }
1568 }
1569#endif
ed3883d2 1570
36ca4ba6 1571#ifndef OPENSSL_NO_EC
8025e251
DSH		 1572 else if (type == TLSEXT_TYPE_ec_point_formats &&
1573 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1574 {
1575 unsigned char *sdata = data;
1576 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1577
1578 if (ecpointformatlist_length != size - 1)
1579 {
1580 *al = TLS1_AD_DECODE_ERROR;
1581 return 0;
1582 }
732d31be 1583 if (!s->hit)
36ca4ba6 1584 {
732d31be
DSH		 1585 if(s->session->tlsext_ecpointformatlist)
1586 {
7d5686d3
DSH		 1587 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1588 s->session->tlsext_ecpointformatlist = NULL;
732d31be
DSH		 1589 }
1590 s->session->tlsext_ecpointformatlist_length = 0;
1591 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1592 {
1593 *al = TLS1_AD_INTERNAL_ERROR;
1594 return 0;
1595 }
1596 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1597 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
36ca4ba6 1598 }
36ca4ba6
BM		 1599#if 0
1600 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1601 sdata = s->session->tlsext_ecpointformatlist;
1602 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1603 fprintf(stderr,"%i ",*(sdata++));
1604 fprintf(stderr,"\n");
33273721
BM		 1605#endif
1606 }
8025e251
DSH		 1607 else if (type == TLSEXT_TYPE_elliptic_curves &&
1608 s->version != DTLS1_VERSION)
33273721
BM		 1609 {
1610 unsigned char *sdata = data;
1611 int ellipticcurvelist_length = (*(sdata++) << 8);
1612 ellipticcurvelist_length += (*(sdata++));
1613
1614 if (ellipticcurvelist_length != size - 2)
1615 {
1616 *al = TLS1_AD_DECODE_ERROR;
1617 return 0;
1618 }
732d31be 1619 if (!s->hit)
33273721 1620 {
732d31be
DSH		 1621 if(s->session->tlsext_ellipticcurvelist)
1622 {
1623 *al = TLS1_AD_DECODE_ERROR;
1624 return 0;
1625 }
1626 s->session->tlsext_ellipticcurvelist_length = 0;
1627 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1628 {
1629 *al = TLS1_AD_INTERNAL_ERROR;
1630 return 0;
1631 }
1632 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1633 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
33273721 1634 }
33273721
BM		 1635#if 0
1636 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1637 sdata = s->session->tlsext_ellipticcurvelist;
1638 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1639 fprintf(stderr,"%i ",*(sdata++));
1640 fprintf(stderr,"\n");
36ca4ba6
BM		 1641#endif
1642 }
c6a27f01 1643#endif /* OPENSSL_NO_EC */
761772d7 1644#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1645 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1646 s->version != DTLS1_VERSION)
761772d7
BM		 1647 {
1648 unsigned char *sdata = data;
1649
1650 if (size < 2)
1651 {
1652 *al = SSL_AD_DECODE_ERROR;
1653 return 0;
1654 }
1655 n2s(sdata, s->s3->client_opaque_prf_input_len);
1656 if (s->s3->client_opaque_prf_input_len != size - 2)
1657 {
1658 *al = SSL_AD_DECODE_ERROR;
1659 return 0;
1660 }
1661
1662 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1663 OPENSSL_free(s->s3->client_opaque_prf_input);
02c27b11
BM		 1664 if (s->s3->client_opaque_prf_input_len == 0)
1665 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1666 else
1667 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
761772d7
BM		 1668 if (s->s3->client_opaque_prf_input == NULL)
1669 {
1670 *al = TLS1_AD_INTERNAL_ERROR;
1671 return 0;
1672 }
1673 }
1674#endif
12bf56c0
DSH		 1675 else if (type == TLSEXT_TYPE_session_ticket)
1676 {
1677 if (s->tls_session_ticket_ext_cb &&
1678 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1679 {
1680 *al = TLS1_AD_INTERNAL_ERROR;
1681 return 0;
1682 }
1683 }
860c3dd1
DSH		 1684 else if (type == TLSEXT_TYPE_renegotiate)
1685 {
1686 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1687 return 0;
1688 renegotiate_seen = 1;
1689 }
6b7be581
DSH		 1690 else if (type == TLSEXT_TYPE_signature_algorithms)
1691 {
1692 int dsize;
4453cd8c 1693 if (s->cert->peer_sigalgs || size < 2)
6b7be581
DSH		 1694 {
1695 *al = SSL_AD_DECODE_ERROR;
1696 return 0;
1697 }
6b7be581
DSH		 1698 n2s(data,dsize);
1699 size -= 2;
4453cd8c 1700 if (dsize != size || dsize & 1 || !dsize)
6b7be581
DSH		 1701 {
1702 *al = SSL_AD_DECODE_ERROR;
1703 return 0;
1704 }
1705 if (!tls1_process_sigalgs(s, data, dsize))
1706 {
1707 *al = SSL_AD_DECODE_ERROR;
1708 return 0;
1709 }
4453cd8c
DSH		 1710 /* If sigalgs received and no shared algorithms fatal
1711 * error.
1712 */
1713 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1714 {
1715 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1716 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1717 *al = SSL_AD_ILLEGAL_PARAMETER;
1718 return 0;
1719 }
6b7be581 1720 }
8025e251
DSH		 1721 else if (type == TLSEXT_TYPE_status_request &&
1722 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1723 {
1724
1725 if (size < 5)
1726 {
1727 *al = SSL_AD_DECODE_ERROR;
1728 return 0;
1729 }
1730
1731 s->tlsext_status_type = *data++;
1732 size--;
1733 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1734 {
1735 const unsigned char *sdata;
1736 int dsize;
1737 /* Read in responder_id_list */
1738 n2s(data,dsize);
1739 size -= 2;
1740 if (dsize > size )
1741 {
1742 *al = SSL_AD_DECODE_ERROR;
1743 return 0;
1744 }
1745 while (dsize > 0)
1746 {
1747 OCSP_RESPID *id;
1748 int idsize;
1749 if (dsize < 4)
1750 {
1751 *al = SSL_AD_DECODE_ERROR;
1752 return 0;
1753 }
1754 n2s(data, idsize);
1755 dsize -= 2 + idsize;
9770924f 1756 size -= 2 + idsize;
67c8e7f4
DSH		 1757 if (dsize < 0)
1758 {
1759 *al = SSL_AD_DECODE_ERROR;
1760 return 0;
1761 }
1762 sdata = data;
1763 data += idsize;
1764 id = d2i_OCSP_RESPID(NULL,
1765 &sdata, idsize);
1766 if (!id)
1767 {
1768 *al = SSL_AD_DECODE_ERROR;
1769 return 0;
1770 }
1771 if (data != sdata)
1772 {
1773 OCSP_RESPID_free(id);
1774 *al = SSL_AD_DECODE_ERROR;
1775 return 0;
1776 }
1777 if (!s->tlsext_ocsp_ids
1778 && !(s->tlsext_ocsp_ids =
1779 sk_OCSP_RESPID_new_null()))
1780 {
1781 OCSP_RESPID_free(id);
1782 *al = SSL_AD_INTERNAL_ERROR;
1783 return 0;
1784 }
1785 if (!sk_OCSP_RESPID_push(
1786 s->tlsext_ocsp_ids, id))
1787 {
1788 OCSP_RESPID_free(id);
1789 *al = SSL_AD_INTERNAL_ERROR;
1790 return 0;
1791 }
1792 }
1793
1794 /* Read in request_extensions */
9770924f
BM		 1795 if (size < 2)
1796 {
1797 *al = SSL_AD_DECODE_ERROR;
1798 return 0;
1799 }
67c8e7f4
DSH		 1800 n2s(data,dsize);
1801 size -= 2;
9770924f 1802 if (dsize != size)
67c8e7f4
DSH		 1803 {
1804 *al = SSL_AD_DECODE_ERROR;
1805 return 0;
1806 }
1807 sdata = data;
1808 if (dsize > 0)
1809 {
25536ea6
DSH		 1810 if (s->tlsext_ocsp_exts)
1811 {
1812 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1813 X509_EXTENSION_free);
1814 }
1815
67c8e7f4
DSH		 1816 s->tlsext_ocsp_exts =
1817 d2i_X509_EXTENSIONS(NULL,
1818 &sdata, dsize);
1819 if (!s->tlsext_ocsp_exts
1820 || (data + dsize != sdata))
1821 {
1822 *al = SSL_AD_DECODE_ERROR;
1823 return 0;
1824 }
1825 }
1826 }
1827 /* We don't know what to do with any other type
1828 * so ignore it.
1829 */
1830 else
1831 s->tlsext_status_type = -1;
1832 }
4817504d
DSH		 1833#ifndef OPENSSL_NO_HEARTBEATS
1834 else if (type == TLSEXT_TYPE_heartbeat)
1835 {
1836 switch(data[0])
1837 {
1838 case 0x01: /* Client allows us to send HB requests */
1839 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1840 break;
1841 case 0x02: /* Client doesn't accept HB requests */
1842 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1843 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1844 break;
192540b5
DSH		 1845 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1846 return 0;
4817504d
DSH		 1847 }
1848 }
1849#endif
bf48836c 1850#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 1851 else if (type == TLSEXT_TYPE_next_proto_neg &&
71fa4513 1852 s->s3->tmp.finish_md_len == 0)
ee2ffc27
BL		 1853 {
1854 /* We shouldn't accept this extension on a
1855 * renegotiation.
1856 *
1857 * s->new_session will be set on renegotiation, but we
1858 * probably shouldn't rely that it couldn't be set on
1859 * the initial renegotation too in certain cases (when
1860 * there's some other reason to disallow resuming an
1861 * earlier session -- the current code won't be doing
1862 * anything like that, but this might change).
1863
1864 * A valid sign that there's been a previous handshake
1865 * in this connection is if s->s3->tmp.finish_md_len >
1866 * 0. (We are talking about a check that will happen
1867 * in the Hello protocol round, well before a new
1868 * Finished message could have been computed.) */
1869 s->s3->next_proto_neg_seen = 1;
1870 }
1871#endif
761772d7 1872
6434abbf 1873 /* session ticket processed earlier */
333f926d
BL		 1874 else if (type == TLSEXT_TYPE_use_srtp)
1875 {
1876 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1877 al))
1878 return 0;
1879 }
1880
a9e1c50b
BL		 1881 else if (type == TLSEXT_TYPE_server_authz)
1882 {
1883 unsigned char *sdata = data;
1884 unsigned char server_authz_dataformatlist_length;
1885
1886 if (size == 0)
1887 {
1888 *al = TLS1_AD_DECODE_ERROR;
1889 return 0;
1890 }
1891
1892 server_authz_dataformatlist_length = *(sdata++);
1893
1894 if (server_authz_dataformatlist_length != size - 1)
1895 {
1896 *al = TLS1_AD_DECODE_ERROR;
1897 return 0;
1898 }
1899
1900 /* Successful session resumption uses the same authz
1901 * information as the original session so we ignore this
1902 * in the case of a session resumption. */
1903 if (!s->hit)
1904 {
1905 size_t i;
195b9eee
BL		 1906 if (s->s3->tlsext_authz_client_types != NULL)
1907 OPENSSL_free(s->s3->tlsext_authz_client_types);
a9e1c50b
BL		 1908 s->s3->tlsext_authz_client_types =
1909 OPENSSL_malloc(server_authz_dataformatlist_length);
1910 if (!s->s3->tlsext_authz_client_types)
1911 {
1912 *al = TLS1_AD_INTERNAL_ERROR;
1913 return 0;
1914 }
1915
1916 s->s3->tlsext_authz_client_types_len =
1917 server_authz_dataformatlist_length;
1918 memcpy(s->s3->tlsext_authz_client_types,
1919 sdata,
1920 server_authz_dataformatlist_length);
1921
1922 /* Sort the types in order to check for duplicates. */
1923 qsort(s->s3->tlsext_authz_client_types,
1924 server_authz_dataformatlist_length,
1925 1 /* element size */,
1926 byte_compare);
1927
1928 for (i = 0; i < server_authz_dataformatlist_length; i++)
1929 {
1930 if (i > 0 &&
1931 s->s3->tlsext_authz_client_types[i] ==
1932 s->s3->tlsext_authz_client_types[i-1])
1933 {
1934 *al = TLS1_AD_DECODE_ERROR;
1935 return 0;
1936 }
1937 }
1938 }
1939 }
1940
6434abbf 1941 data+=size;
f1fd4544 1942 }
a9e1c50b 1943
f1fd4544 1944 *p = data;
c27c9cb4
DSH		 1945
1946 ri_check:
1947
1948 /* Need RI if renegotiating */
1949
bdd53508 1950 if (!renegotiate_seen && s->renegotiate &&
c27c9cb4
DSH		 1951 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1952 {
fbed9f81 1953 *al = SSL_AD_HANDSHAKE_FAILURE;
aa09c2c6 1954 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
c27c9cb4
DSH		 1955 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1956 return 0;
1957 }
4453cd8c
DSH		 1958 /* If no signature algorithms extension set default values */
1959 if (!s->cert->peer_sigalgs)
1960 ssl_cert_set_default_md(s->cert);
c27c9cb4 1961
f1fd4544 1962 return 1;
52b8dad8 1963 }
f1fd4544 1964
b2284ed3
DSH		 1965int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
1966 {
1967 int al = -1;
1968 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
1969 {
1970 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1971 return 0;
1972 }
1973
1974 if (ssl_check_clienthello_tlsext(s) <= 0)
1975 {
aa09c2c6 1976 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
b2284ed3
DSH		 1977 return 0;
1978 }
1979 return 1;
1980}
1981
bf48836c 1982#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1983/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1984 * elements of zero length are allowed and the set of elements must exactly fill
1985 * the length of the block. */
71fa4513 1986static char ssl_next_proto_validate(unsigned char *d, unsigned len)
ee2ffc27
BL		 1987 {
1988 unsigned int off = 0;
1989
1990 while (off < len)
1991 {
1992 if (d[off] == 0)
1993 return 0;
1994 off += d[off];
1995 off++;
1996 }
1997
1998 return off == len;
1999 }
2000#endif
2001
09e4e4b9 2002static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
f1fd4544 2003 {
c8bbd98a 2004 unsigned short length;
ed3883d2
BM		 2005 unsigned short type;
2006 unsigned short size;
ed3883d2 2007 unsigned char *data = *p;
ed3883d2 2008 int tlsext_servername = 0;
860c3dd1 2009 int renegotiate_seen = 0;
ed3883d2 2010
6f31dd72
BM		 2011#ifndef OPENSSL_NO_NEXTPROTONEG
2012 s->s3->next_proto_neg_seen = 0;
2013#endif
2014
4817504d
DSH		 2015#ifndef OPENSSL_NO_HEARTBEATS
2016 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2017 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2018#endif
2019
ed3883d2 2020 if (data >= (d+n-2))
c27c9cb4 2021 goto ri_check;
ed3883d2 2022
c8bbd98a
BL		 2023 n2s(data,length);
2024 if (data+length != d+n)
2025 {
2026 *al = SSL_AD_DECODE_ERROR;
2027 return 0;
2028 }
ed3883d2 2029
f1fd4544
BM		 2030 while(data <= (d+n-4))
2031 {
ed3883d2
BM		 2032 n2s(data,type);
2033 n2s(data,size);
2034
2035 if (data+size > (d+n))
c27c9cb4 2036 goto ri_check;
f1fd4544 2037
6434abbf
DSH		 2038 if (s->tlsext_debug_cb)
2039 s->tlsext_debug_cb(s, 1, type, data, size,
2040 s->tlsext_debug_arg);
2041
f1fd4544
BM		 2042 if (type == TLSEXT_TYPE_server_name)
2043 {
2044 if (s->tlsext_hostname == NULL || size > 0)
2045 {
2046 *al = TLS1_AD_UNRECOGNIZED_NAME;
2047 return 0;
2048 }
ed3883d2 2049 tlsext_servername = 1;
f1fd4544 2050 }
ed3883d2 2051
36ca4ba6 2052#ifndef OPENSSL_NO_EC
8025e251
DSH		 2053 else if (type == TLSEXT_TYPE_ec_point_formats &&
2054 s->version != DTLS1_VERSION)
36ca4ba6
BM		 2055 {
2056 unsigned char *sdata = data;
2057 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 2058
2059 if (ecpointformatlist_length != size - 1)
2060 {
2061 *al = TLS1_AD_DECODE_ERROR;
2062 return 0;
2063 }
2064 s->session->tlsext_ecpointformatlist_length = 0;
b6acb8d0 2065 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
36ca4ba6
BM		 2066 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2067 {
2068 *al = TLS1_AD_INTERNAL_ERROR;
2069 return 0;
2070 }
2071 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2072 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2073#if 0
2074 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2075 sdata = s->session->tlsext_ecpointformatlist;
2076 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2077 fprintf(stderr,"%i ",*(sdata++));
2078 fprintf(stderr,"\n");
2079#endif
2080 }
c6a27f01 2081#endif /* OPENSSL_NO_EC */
6434abbf
DSH		 2082
2083 else if (type == TLSEXT_TYPE_session_ticket)
2084 {
12bf56c0
DSH		 2085 if (s->tls_session_ticket_ext_cb &&
2086 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2087 {
2088 *al = TLS1_AD_INTERNAL_ERROR;
2089 return 0;
2090 }
6434abbf
DSH		 2091 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2092 || (size > 0))
2093 {
2094 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2095 return 0;
2096 }
2097 s->tlsext_ticket_expected = 1;
2098 }
761772d7 2099#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 2100 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2101 s->version != DTLS1_VERSION)
761772d7
BM		 2102 {
2103 unsigned char *sdata = data;
2104
2105 if (size < 2)
2106 {
2107 *al = SSL_AD_DECODE_ERROR;
2108 return 0;
2109 }
2110 n2s(sdata, s->s3->server_opaque_prf_input_len);
2111 if (s->s3->server_opaque_prf_input_len != size - 2)
2112 {
2113 *al = SSL_AD_DECODE_ERROR;
2114 return 0;
2115 }
2116
2117 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2118 OPENSSL_free(s->s3->server_opaque_prf_input);
02c27b11
BM		 2119 if (s->s3->server_opaque_prf_input_len == 0)
2120 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2121 else
2122 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
761772d7
BM		 2123
2124 if (s->s3->server_opaque_prf_input == NULL)
2125 {
2126 *al = TLS1_AD_INTERNAL_ERROR;
2127 return 0;
2128 }
2129 }
2130#endif
8025e251
DSH		 2131 else if (type == TLSEXT_TYPE_status_request &&
2132 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 2133 {
2134 /* MUST be empty and only sent if we've requested
2135 * a status request message.
2136 */
2137 if ((s->tlsext_status_type == -1) || (size > 0))
2138 {
2139 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2140 return 0;
2141 }
2142 /* Set flag to expect CertificateStatus message */
2143 s->tlsext_status_expected = 1;
2144 }
bf48836c 2145#ifndef OPENSSL_NO_NEXTPROTONEG
6f31dd72
BM		 2146 else if (type == TLSEXT_TYPE_next_proto_neg &&
2147 s->s3->tmp.finish_md_len == 0)
ee2ffc27
BL		 2148 {
2149 unsigned char *selected;
2150 unsigned char selected_len;
2151
2152 /* We must have requested it. */
2153 if ((s->ctx->next_proto_select_cb == NULL))
2154 {
2155 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2156 return 0;
2157 }
2158 /* The data must be valid */
2159 if (!ssl_next_proto_validate(data, size))
2160 {
2161 *al = TLS1_AD_DECODE_ERROR;
2162 return 0;
2163 }
2164 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2165 {
2166 *al = TLS1_AD_INTERNAL_ERROR;
2167 return 0;
2168 }
2169 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2170 if (!s->next_proto_negotiated)
2171 {
2172 *al = TLS1_AD_INTERNAL_ERROR;
2173 return 0;
2174 }
2175 memcpy(s->next_proto_negotiated, selected, selected_len);
2176 s->next_proto_negotiated_len = selected_len;
6f31dd72 2177 s->s3->next_proto_neg_seen = 1;
ee2ffc27
BL		 2178 }
2179#endif
860c3dd1
DSH		 2180 else if (type == TLSEXT_TYPE_renegotiate)
2181 {
2182 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2183 return 0;
2184 renegotiate_seen = 1;
2185 }
4817504d
DSH		 2186#ifndef OPENSSL_NO_HEARTBEATS
2187 else if (type == TLSEXT_TYPE_heartbeat)
2188 {
2189 switch(data[0])
2190 {
2191 case 0x01: /* Server allows us to send HB requests */
2192 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2193 break;
2194 case 0x02: /* Server doesn't accept HB requests */
2195 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2196 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2197 break;
192540b5
DSH		 2198 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2199 return 0;
4817504d
DSH		 2200 }
2201 }
2202#endif
333f926d
BL		 2203 else if (type == TLSEXT_TYPE_use_srtp)
2204 {
2205 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2206 al))
2207 return 0;
2208 }
2209
a9e1c50b
BL		 2210 else if (type == TLSEXT_TYPE_server_authz)
2211 {
2212 /* We only support audit proofs. It's an error to send
2213 * an authz hello extension if the client
2214 * didn't request a proof. */
2215 unsigned char *sdata = data;
2216 unsigned char server_authz_dataformatlist_length;
2217
2218 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2219 {
2220 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2221 return 0;
2222 }
2223
2224 if (!size)
2225 {
2226 *al = TLS1_AD_DECODE_ERROR;
2227 return 0;
2228 }
2229
2230 server_authz_dataformatlist_length = *(sdata++);
2231 if (server_authz_dataformatlist_length != size - 1)
2232 {
2233 *al = TLS1_AD_DECODE_ERROR;
2234 return 0;
2235 }
2236
2237 /* We only support audit proofs, so a legal ServerHello
2238 * authz list contains exactly one entry. */
2239 if (server_authz_dataformatlist_length != 1 ||
2240 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2241 {
2242 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2243 return 0;
2244 }
2245
2246 s->s3->tlsext_authz_server_promised = 1;
2247 }
2248
2249 data += size;
f1fd4544 2250 }
ed3883d2
BM		 2251
2252 if (data != d+n)
f1fd4544
BM		 2253 {
2254 *al = SSL_AD_DECODE_ERROR;
2255 return 0;
2256 }
ed3883d2 2257
f1fd4544
BM		 2258 if (!s->hit && tlsext_servername == 1)
2259 {
2260 if (s->tlsext_hostname)
2261 {
2262 if (s->session->tlsext_hostname == NULL)
2263 {
ed3883d2
BM		 2264 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2265 if (!s->session->tlsext_hostname)
f1fd4544
BM		 2266 {
2267 *al = SSL_AD_UNRECOGNIZED_NAME;
2268 return 0;
2269 }
2270 }
2271 else
2272 {
2273 *al = SSL_AD_DECODE_ERROR;
2274 return 0;
2275 }
ed3883d2 2276 }
f1fd4544 2277 }
ed3883d2 2278
f1fd4544 2279 *p = data;
c27c9cb4
DSH		 2280
2281 ri_check:
2282
2283 /* Determine if we need to see RI. Strictly speaking if we want to
2284 * avoid an attack we should *always* see RI even on initial server
2285 * hello because the client doesn't see any renegotiation during an
2286 * attack. However this would mean we could not connect to any server
2287 * which doesn't support RI so for the immediate future tolerate RI
2288 * absence on initial connect only.
2289 */
c2c49969
DSH		 2290 if (!renegotiate_seen
2291 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
ef51b4b9 2292 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
c27c9cb4 2293 {
fbed9f81 2294 *al = SSL_AD_HANDSHAKE_FAILURE;
09e4e4b9 2295 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
c27c9cb4
DSH		 2296 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2297 return 0;
2298 }
2299
f1fd4544 2300 return 1;
52b8dad8 2301 }
ed3883d2 2302
b2172f4f 2303
36ca4ba6
BM		 2304int ssl_prepare_clienthello_tlsext(SSL *s)
2305 {
761772d7
BM		 2306
2307#ifdef TLSEXT_TYPE_opaque_prf_input
2308 {
2309 int r = 1;
2310
2311 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2312 {
2313 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2314 if (!r)
2315 return -1;
2316 }
2317
2318 if (s->tlsext_opaque_prf_input != NULL)
2319 {
2320 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2321 OPENSSL_free(s->s3->client_opaque_prf_input);
2322
02c27b11
BM		 2323 if (s->tlsext_opaque_prf_input_len == 0)
2324 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2325 else
2326 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 2327 if (s->s3->client_opaque_prf_input == NULL)
2328 {
2329 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2330 return -1;
2331 }
2332 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2333 }
2334
2335 if (r == 2)
2336 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2337 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2338 }
2339#endif
2340
36ca4ba6 2341 return 1;
52b8dad8 2342 }
36ca4ba6
BM		 2343
2344int ssl_prepare_serverhello_tlsext(SSL *s)
2345 {
2346#ifndef OPENSSL_NO_EC
b6acb8d0 2347 /* If we are server and using an ECC cipher suite, send the point formats we support
33273721
BM		 2348 * if the client sent us an ECPointsFormat extension. Note that the server is not
2349 * supposed to send an EllipticCurves extension.
36ca4ba6 2350 */
36ca4ba6 2351
52b8dad8
BM		 2352 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2353 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2354 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2355 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2356
36ca4ba6
BM		 2357 if (using_ecc)
2358 {
b6acb8d0
BM		 2359 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2360 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 2361 {
a291745e 2362 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 2363 return -1;
2364 }
b6acb8d0
BM		 2365 s->tlsext_ecpointformatlist_length = 3;
2366 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2367 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2368 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
36ca4ba6
BM		 2369 }
2370#endif /* OPENSSL_NO_EC */
761772d7 2371
36ca4ba6 2372 return 1;
52b8dad8 2373 }
36ca4ba6 2374
09e4e4b9 2375static int ssl_check_clienthello_tlsext(SSL *s)
f1fd4544 2376 {
241520e6 2377 int ret=SSL_TLSEXT_ERR_NOACK;
36ca4ba6
BM		 2378 int al = SSL_AD_UNRECOGNIZED_NAME;
2379
2380#ifndef OPENSSL_NO_EC
33273721
BM		 2381 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2382 * ssl3_choose_cipher in s3_lib.c.
2383 */
2384 /* The handling of the EllipticCurves extension is done elsewhere, namely in
2385 * ssl3_choose_cipher in s3_lib.c.
36ca4ba6
BM		 2386 */
2387#endif
2388
2389 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2390 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2391 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2392 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2393
67c8e7f4
DSH		 2394 /* If status request then ask callback what to do.
2395 * Note: this must be called after servername callbacks in case
2396 * the certificate has changed.
2397 */
2bd45dc9 2398 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 2399 {
2400 int r;
2401 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2402 switch (r)
2403 {
2404 /* We don't want to send a status request response */
2405 case SSL_TLSEXT_ERR_NOACK:
2406 s->tlsext_status_expected = 0;
2407 break;
2408 /* status request response should be sent */
2409 case SSL_TLSEXT_ERR_OK:
2410 if (s->tlsext_ocsp_resp)
2411 s->tlsext_status_expected = 1;
2412 else
2413 s->tlsext_status_expected = 0;
2414 break;
2415 /* something bad happened */
2416 case SSL_TLSEXT_ERR_ALERT_FATAL:
2417 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2418 al = SSL_AD_INTERNAL_ERROR;
2419 goto err;
2420 }
2421 }
2422 else
2423 s->tlsext_status_expected = 0;
761772d7
BM		 2424
2425#ifdef TLSEXT_TYPE_opaque_prf_input
2426 {
2427 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2428 * but we might be sending an alert in response to the client hello,
2429 * so this has to happen here in ssl_check_clienthello_tlsext(). */
2430
2431 int r = 1;
2432
2433 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2434 {
2435 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2436 if (!r)
2437 {
2438 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2439 al = SSL_AD_INTERNAL_ERROR;
2440 goto err;
2441 }
2442 }
2443
2444 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2445 OPENSSL_free(s->s3->server_opaque_prf_input);
2446 s->s3->server_opaque_prf_input = NULL;
2447
2448 if (s->tlsext_opaque_prf_input != NULL)
2449 {
2450 if (s->s3->client_opaque_prf_input != NULL &&
2451 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2452 {
2453 /* can only use this extension if we have a server opaque PRF input
2454 * of the same length as the client opaque PRF input! */
2455
02c27b11
BM		 2456 if (s->tlsext_opaque_prf_input_len == 0)
2457 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2458 else
2459 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 2460 if (s->s3->server_opaque_prf_input == NULL)
2461 {
2462 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2463 al = SSL_AD_INTERNAL_ERROR;
2464 goto err;
2465 }
2466 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2467 }
2468 }
2469
2470 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2471 {
2472 /* The callback wants to enforce use of the extension,
2473 * but we can't do that with the client opaque PRF input;
2474 * abort the handshake.
2475 */
2476 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2477 al = SSL_AD_HANDSHAKE_FAILURE;
2478 }
2479 }
761772d7 2480
67c8e7f4 2481#endif
761772d7 2482 err:
52b8dad8
BM		 2483 switch (ret)
2484 {
36ca4ba6
BM		 2485 case SSL_TLSEXT_ERR_ALERT_FATAL:
2486 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2487 return -1;
2488
2489 case SSL_TLSEXT_ERR_ALERT_WARNING:
2490 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2491 return 1;
2492
2493 case SSL_TLSEXT_ERR_NOACK:
2494 s->servername_done=0;
2495 default:
2496 return 1;
52b8dad8 2497 }
36ca4ba6 2498 }
f1fd4544 2499
36ca4ba6
BM		 2500int ssl_check_serverhello_tlsext(SSL *s)
2501 {
2502 int ret=SSL_TLSEXT_ERR_NOACK;
58ece833 2503 int al = SSL_AD_UNRECOGNIZED_NAME;
241520e6 2504
36ca4ba6 2505#ifndef OPENSSL_NO_EC
d0205686
DSH		 2506 /* If we are client and using an elliptic curve cryptography cipher
2507 * suite, then if server returns an EC point formats lists extension
2508 * it must contain uncompressed.
36ca4ba6 2509 */
52b8dad8
BM		 2510 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2511 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
36ca4ba6 2512 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
d0205686 2513 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
52b8dad8 2514 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 2515 {
2516 /* we are using an ECC cipher */
90bdfd97 2517 size_t i;
36ca4ba6
BM		 2518 unsigned char *list;
2519 int found_uncompressed = 0;
b9865f11 2520 list = s->session->tlsext_ecpointformatlist;
36ca4ba6
BM		 2521 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2522 {
2523 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2524 {
2525 found_uncompressed = 1;
2526 break;
2527 }
2528 }
2529 if (!found_uncompressed)
2530 {
a291745e 2531 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
36ca4ba6
BM		 2532 return -1;
2533 }
2534 }
2535 ret = SSL_TLSEXT_ERR_OK;
2536#endif /* OPENSSL_NO_EC */
2537
241520e6 2538 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
58ece833 2539 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
241520e6 2540 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
58ece833 2541 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
241520e6 2542
761772d7
BM		 2543#ifdef TLSEXT_TYPE_opaque_prf_input
2544 if (s->s3->server_opaque_prf_input_len > 0)
2545 {
2546 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2547 * So first verify that we really have a value from the server too. */
2548
2549 if (s->s3->server_opaque_prf_input == NULL)
2550 {
2551 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2552 al = SSL_AD_HANDSHAKE_FAILURE;
2553 }
2554
2555 /* Anytime the server *has* sent an opaque PRF input, we need to check
2556 * that we have a client opaque PRF input of the same size. */
2557 if (s->s3->client_opaque_prf_input == NULL ||
2558 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2559 {
2560 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2561 al = SSL_AD_ILLEGAL_PARAMETER;
2562 }
2563 }
2564#endif
2565
04e2ab2c
DSH		 2566 /* If we've requested certificate status and we wont get one
2567 * tell the callback
2568 */
2569 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
121f9e74 2570 && s->ctx && s->ctx->tlsext_status_cb)
04e2ab2c
DSH		 2571 {
2572 int r;
2573 /* Set resp to NULL, resplen to -1 so callback knows
2574 * there is no response.
2575 */
2576 if (s->tlsext_ocsp_resp)
2577 {
2578 OPENSSL_free(s->tlsext_ocsp_resp);
2579 s->tlsext_ocsp_resp = NULL;
2580 }
2581 s->tlsext_ocsp_resplen = -1;
2582 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2583 if (r == 0)
2584 {
2585 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2586 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2587 }
2588 if (r < 0)
2589 {
2590 al = SSL_AD_INTERNAL_ERROR;
2591 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2592 }
2593 }
2594
52b8dad8
BM		 2595 switch (ret)
2596 {
58ece833
BM		 2597 case SSL_TLSEXT_ERR_ALERT_FATAL:
2598 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2599 return -1;
2600
2601 case SSL_TLSEXT_ERR_ALERT_WARNING:
2602 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2603 return 1;
2604
2605 case SSL_TLSEXT_ERR_NOACK:
2606 s->servername_done=0;
2607 default:
2608 return 1;
52b8dad8 2609 }
f1fd4544 2610 }
33273721 2611
09e4e4b9
DSH		 2612int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2613 {
2614 int al = -1;
2615 if (s->version < SSL3_VERSION)
2616 return 1;
2617 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
2618 {
2619 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2620 return 0;
2621 }
2622
2623 if (ssl_check_serverhello_tlsext(s) <= 0)
2624 {
2625 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2626 return 0;
2627 }
2628 return 1;
2629}
2630
c519e89f
BM		 2631/* Since the server cache lookup is done early on in the processing of the
2632 * ClientHello, and other operations depend on the result, we need to handle
2633 * any TLS session ticket extension at the same time.
2634 *
2635 * session_id: points at the session ID in the ClientHello. This code will
2636 * read past the end of this in order to parse out the session ticket
2637 * extension, if any.
2638 * len: the length of the session ID.
2639 * limit: a pointer to the first byte after the ClientHello.
2640 * ret: (output) on return, if a ticket was decrypted, then this is set to
2641 * point to the resulting session.
2642 *
2643 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2644 * ciphersuite, in which case we have no use for session tickets and one will
2645 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2646 *
2647 * Returns:
2648 * -1: fatal error, either from parsing or decrypting the ticket.
2649 * 0: no ticket was found (or was ignored, based on settings).
2650 * 1: a zero length extension was found, indicating that the client supports
2651 * session tickets but doesn't currently have one to offer.
2652 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2653 * couldn't be decrypted because of a non-fatal error.
2654 * 3: a ticket was successfully decrypted and *ret was set.
2655 *
2656 * Side effects:
2657 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2658 * a new session ticket to the client because the client indicated support
2659 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2660 * a session ticket or we couldn't use the one it gave us, or if
2661 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2662 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2663 */
6434abbf 2664int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
c519e89f 2665 const unsigned char *limit, SSL_SESSION **ret)
6434abbf
DSH		 2666 {
2667 /* Point after session ID in client hello */
2668 const unsigned char *p = session_id + len;
2669 unsigned short i;
e8da6a1d 2670
c519e89f
BM		 2671 *ret = NULL;
2672 s->tlsext_ticket_expected = 0;
2673
e8da6a1d 2674 /* If tickets disabled behave as if no ticket present
c519e89f
BM		 2675 * to permit stateful resumption.
2676 */
e8da6a1d 2677 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
c519e89f 2678 return 0;
6434abbf 2679 if ((s->version <= SSL3_VERSION) || !limit)
c519e89f 2680 return 0;
6434abbf
DSH		 2681 if (p >= limit)
2682 return -1;
07a9d1a2
DSH		 2683 /* Skip past DTLS cookie */
2684 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2685 {
2686 i = *(p++);
2687 p+= i;
2688 if (p >= limit)
2689 return -1;
2690 }
6434abbf
DSH		 2691 /* Skip past cipher list */
2692 n2s(p, i);
2693 p+= i;
2694 if (p >= limit)
2695 return -1;
2696 /* Skip past compression algorithm list */
2697 i = *(p++);
2698 p += i;
2699 if (p > limit)
2700 return -1;
2701 /* Now at start of extensions */
2702 if ((p + 2) >= limit)
c519e89f 2703 return 0;
6434abbf
DSH		 2704 n2s(p, i);
2705 while ((p + 4) <= limit)
2706 {
2707 unsigned short type, size;
2708 n2s(p, type);
2709 n2s(p, size);
2710 if (p + size > limit)
c519e89f 2711 return 0;
6434abbf
DSH		 2712 if (type == TLSEXT_TYPE_session_ticket)
2713 {
c519e89f 2714 int r;
6434abbf
DSH		 2715 if (size == 0)
2716 {
c519e89f
BM		 2717 /* The client will accept a ticket but doesn't
2718 * currently have one. */
6434abbf 2719 s->tlsext_ticket_expected = 1;
c519e89f 2720 return 1;
6434abbf 2721 }
12bf56c0
DSH		 2722 if (s->tls_session_secret_cb)
2723 {
c519e89f
BM		 2724 /* Indicate that the ticket couldn't be
2725 * decrypted rather than generating the session
2726 * from ticket now, trigger abbreviated
2727 * handshake based on external mechanism to
2728 * calculate the master secret later. */
2729 return 2;
2730 }
2731 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2732 switch (r)
2733 {
2734 case 2: /* ticket couldn't be decrypted */
2735 s->tlsext_ticket_expected = 1;
2736 return 2;
2737 case 3: /* ticket was decrypted */
2738 return r;
2739 case 4: /* ticket decrypted but need to renew */
2740 s->tlsext_ticket_expected = 1;
2741 return 3;
2742 default: /* fatal error */
2743 return -1;
12bf56c0 2744 }
6434abbf
DSH		 2745 }
2746 p += size;
2747 }
c519e89f 2748 return 0;
6434abbf
DSH		 2749 }
2750
c519e89f
BM		 2751/* tls_decrypt_ticket attempts to decrypt a session ticket.
2752 *
2753 * etick: points to the body of the session ticket extension.
2754 * eticklen: the length of the session tickets extenion.
2755 * sess_id: points at the session ID.
2756 * sesslen: the length of the session ID.
2757 * psess: (output) on return, if a ticket was decrypted, then this is set to
2758 * point to the resulting session.
2759 *
2760 * Returns:
2761 * -1: fatal error, either from parsing or decrypting the ticket.
2762 * 2: the ticket couldn't be decrypted.
2763 * 3: a ticket was successfully decrypted and *psess was set.
2764 * 4: same as 3, but the ticket needs to be renewed.
2765 */
6434abbf
DSH		 2766static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2767 const unsigned char *sess_id, int sesslen,
2768 SSL_SESSION **psess)
2769 {
2770 SSL_SESSION *sess;
2771 unsigned char *sdec;
2772 const unsigned char *p;
8a2062fe 2773 int slen, mlen, renew_ticket = 0;
6434abbf
DSH		 2774 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2775 HMAC_CTX hctx;
2776 EVP_CIPHER_CTX ctx;
661dc143 2777 SSL_CTX *tctx = s->initial_ctx;
8a2062fe
DSH		 2778 /* Need at least keyname + iv + some encrypted data */
2779 if (eticklen < 48)
c519e89f 2780 return 2;
8a2062fe
DSH		 2781 /* Initialize session ticket encryption and HMAC contexts */
2782 HMAC_CTX_init(&hctx);
2783 EVP_CIPHER_CTX_init(&ctx);
661dc143 2784 if (tctx->tlsext_ticket_key_cb)
8a2062fe
DSH		 2785 {
2786 unsigned char *nctick = (unsigned char *)etick;
661dc143 2787 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
8a2062fe
DSH		 2788 &ctx, &hctx, 0);
2789 if (rv < 0)
2790 return -1;
2791 if (rv == 0)
c519e89f 2792 return 2;
8a2062fe
DSH		 2793 if (rv == 2)
2794 renew_ticket = 1;
2795 }
2796 else
2797 {
2798 /* Check key name matches */
661dc143 2799 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
c519e89f 2800 return 2;
661dc143 2801 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
8a2062fe
DSH		 2802 tlsext_tick_md(), NULL);
2803 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
661dc143 2804 tctx->tlsext_tick_aes_key, etick + 16);
8a2062fe 2805 }
6434abbf 2806 /* Attempt to process session ticket, first conduct sanity and
c519e89f
BM		 2807 * integrity checks on ticket.
2808 */
8a2062fe 2809 mlen = HMAC_size(&hctx);
0eab41fb
BL		 2810 if (mlen < 0)
2811 {
2812 EVP_CIPHER_CTX_cleanup(&ctx);
2813 return -1;
2814 }
6434abbf 2815 eticklen -= mlen;
6434abbf 2816 /* Check HMAC of encrypted ticket */
6434abbf
DSH		 2817 HMAC_Update(&hctx, etick, eticklen);
2818 HMAC_Final(&hctx, tick_hmac, NULL);
2819 HMAC_CTX_cleanup(&hctx);
2820 if (memcmp(tick_hmac, etick + eticklen, mlen))
c519e89f 2821 return 2;
6434abbf 2822 /* Attempt to decrypt session data */
6434abbf 2823 /* Move p after IV to start of encrypted ticket, update length */
8a2062fe
DSH		 2824 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2825 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
6434abbf
DSH		 2826 sdec = OPENSSL_malloc(eticklen);
2827 if (!sdec)
2828 {
2829 EVP_CIPHER_CTX_cleanup(&ctx);
2830 return -1;
2831 }
2832 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2833 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
c519e89f 2834 return 2;
6434abbf
DSH		 2835 slen += mlen;
2836 EVP_CIPHER_CTX_cleanup(&ctx);
2837 p = sdec;
c519e89f 2838
6434abbf
DSH		 2839 sess = d2i_SSL_SESSION(NULL, &p, slen);
2840 OPENSSL_free(sdec);
2841 if (sess)
2842 {
c519e89f
BM		 2843 /* The session ID, if non-empty, is used by some clients to
2844 * detect that the ticket has been accepted. So we copy it to
2845 * the session structure. If it is empty set length to zero
2846 * as required by standard.
2847 */
6434abbf
DSH		 2848 if (sesslen)
2849 memcpy(sess->session_id, sess_id, sesslen);
2850 sess->session_id_length = sesslen;
2851 *psess = sess;
c519e89f
BM		 2852 if (renew_ticket)
2853 return 4;
2854 else
2855 return 3;
6434abbf 2856 }
c519e89f
BM		 2857 ERR_clear_error();
2858 /* For session parse failure, indicate that we need to send a new
2859 * ticket. */
2860 return 2;
6434abbf 2861 }
6434abbf 2862
6b7be581
DSH		 2863/* Tables to translate from NIDs to TLS v1.2 ids */
2864
2865typedef struct
2866 {
2867 int nid;
2868 int id;
2869 } tls12_lookup;
2870
2871static tls12_lookup tls12_md[] = {
6b7be581 2872 {NID_md5, TLSEXT_hash_md5},
6b7be581 2873 {NID_sha1, TLSEXT_hash_sha1},
6b7be581
DSH		 2874 {NID_sha224, TLSEXT_hash_sha224},
2875 {NID_sha256, TLSEXT_hash_sha256},
6b7be581
DSH		 2876 {NID_sha384, TLSEXT_hash_sha384},
2877 {NID_sha512, TLSEXT_hash_sha512}
6b7be581
DSH		 2878};
2879
2880static tls12_lookup tls12_sig[] = {
6b7be581 2881 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
6b7be581 2882 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
6b7be581 2883 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
6b7be581
DSH		 2884};
2885
2886static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2887 {
2888 size_t i;
2889 for (i = 0; i < tlen; i++)
2890 {
2891 if (table[i].nid == nid)
2892 return table[i].id;
2893 }
2894 return -1;
2895 }
e7f8ff43 2896
6b7be581
DSH		 2897static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2898 {
2899 size_t i;
2900 for (i = 0; i < tlen; i++)
2901 {
e7f8ff43 2902 if ((table[i].id) == id)
6b7be581
DSH		 2903 return table[i].nid;
2904 }
e7f8ff43 2905 return NID_undef;
6b7be581 2906 }
a2f9200f
DSH		 2907
2908int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
6b7be581
DSH		 2909 {
2910 int sig_id, md_id;
1db5f356
DSH		 2911 if (!md)
2912 return 0;
6b7be581
DSH		 2913 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2914 sizeof(tls12_md)/sizeof(tls12_lookup));
2915 if (md_id == -1)
2916 return 0;
a2f9200f 2917 sig_id = tls12_get_sigid(pk);
6b7be581
DSH		 2918 if (sig_id == -1)
2919 return 0;
2920 p[0] = (unsigned char)md_id;
2921 p[1] = (unsigned char)sig_id;
2922 return 1;
2923 }
2924
a2f9200f
DSH		 2925int tls12_get_sigid(const EVP_PKEY *pk)
2926 {
2927 return tls12_find_id(pk->type, tls12_sig,
2928 sizeof(tls12_sig)/sizeof(tls12_lookup));
2929 }
2930
2931const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2932 {
2933 switch(hash_alg)
2934 {
2935#ifndef OPENSSL_NO_MD5
2936 case TLSEXT_hash_md5:
ebc5e72f
DSH		 2937#ifdef OPENSSL_FIPS
2938 if (FIPS_mode())
2939 return NULL;
2940#endif
a2f9200f
DSH		 2941 return EVP_md5();
2942#endif
2943#ifndef OPENSSL_NO_SHA
2944 case TLSEXT_hash_sha1:
2945 return EVP_sha1();
2946#endif
2947#ifndef OPENSSL_NO_SHA256
2948 case TLSEXT_hash_sha224:
2949 return EVP_sha224();
2950
2951 case TLSEXT_hash_sha256:
2952 return EVP_sha256();
2953#endif
2954#ifndef OPENSSL_NO_SHA512
2955 case TLSEXT_hash_sha384:
2956 return EVP_sha384();
2957
2958 case TLSEXT_hash_sha512:
2959 return EVP_sha512();
2960#endif
2961 default:
2962 return NULL;
2963
2964 }
2965 }
2966
4453cd8c
DSH		 2967static int tls12_get_pkey_idx(unsigned char sig_alg)
2968 {
2969 switch(sig_alg)
2970 {
2971#ifndef OPENSSL_NO_RSA
2972 case TLSEXT_signature_rsa:
2973 return SSL_PKEY_RSA_SIGN;
2974#endif
2975#ifndef OPENSSL_NO_DSA
2976 case TLSEXT_signature_dsa:
2977 return SSL_PKEY_DSA_SIGN;
2978#endif
2979#ifndef OPENSSL_NO_ECDSA
2980 case TLSEXT_signature_ecdsa:
2981 return SSL_PKEY_ECC;
2982#endif
2983 }
2984 return -1;
2985 }
2986
2987/* Convert TLS 1.2 signature algorithm extension values into NIDs */
2988static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2989 int *psignhash_nid, const unsigned char *data)
2990 {
8e2a06bf 2991 int sign_nid = 0, hash_nid = 0;
4453cd8c
DSH		 2992 if (!phash_nid && !psign_nid && !psignhash_nid)
2993 return;
2994 if (phash_nid || psignhash_nid)
2995 {
2996 hash_nid = tls12_find_nid(data[0], tls12_md,
2997 sizeof(tls12_md)/sizeof(tls12_lookup));
2998 if (phash_nid)
2999 *phash_nid = hash_nid;
3000 }
3001 if (psign_nid || psignhash_nid)
3002 {
3003 sign_nid = tls12_find_nid(data[1], tls12_sig,
3004 sizeof(tls12_sig)/sizeof(tls12_lookup));
3005 if (psign_nid)
3006 *psign_nid = sign_nid;
3007 }
3008 if (psignhash_nid)
3009 {
3010 if (sign_nid && hash_nid)
3011 OBJ_find_sigid_by_algs(psignhash_nid,
3012 hash_nid, sign_nid);
3013 else
3014 *psignhash_nid = NID_undef;
3015 }
3016 }
3017/* Given preference and allowed sigalgs set shared sigalgs */
3018static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3019 const unsigned char *pref, size_t preflen,
3020 const unsigned char *allow, size_t allowlen)
3021 {
3022 const unsigned char *ptmp, *atmp;
3023 size_t i, j, nmatch = 0;
3024 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3025 {
3026 /* Skip disabled hashes or signature algorithms */
3027 if (tls12_get_hash(ptmp[0]) == NULL)
3028 continue;
3029 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3030 continue;
3031 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3032 {
3033 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3034 {
3035 nmatch++;
3036 if (shsig)
3037 {
3038 shsig->rhash = ptmp[0];
3039 shsig->rsign = ptmp[1];
3040 tls1_lookup_sigalg(&shsig->hash_nid,
3041 &shsig->sign_nid,
3042 &shsig->signandhash_nid,
3043 ptmp);
3044 shsig++;
3045 }
3046 break;
3047 }
3048 }
3049 }
3050 return nmatch;
3051 }
3052
3053/* Set shared signature algorithms for SSL structures */
3054static int tls1_set_shared_sigalgs(SSL *s)
3055 {
3056 const unsigned char *pref, *allow, *conf;
3057 size_t preflen, allowlen, conflen;
3058 size_t nmatch;
3059 TLS_SIGALGS *salgs = NULL;
3060 CERT *c = s->cert;
3dbc46df
DSH		 3061 /* If client use client signature algorithms if not NULL */
3062 if (!s->server && c->client_sigalgs)
3063 {
3064 conf = c->client_sigalgs;
3065 conflen = c->client_sigalgslen;
3066 }
3067 else if (c->conf_sigalgs)
3068 {
3069 conf = c->conf_sigalgs;
4453cd8c 3070 conflen = c->conf_sigalgslen;
3dbc46df 3071 }
4453cd8c
DSH		 3072 else
3073 {
3074 conf = tls12_sigalgs;
3075 conflen = sizeof(tls12_sigalgs);
3076#ifdef OPENSSL_FIPS
3077 if (FIPS_mode())
3078 conflen -= 2;
3079#endif
3080 }
3081 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
3082 {
3083 pref = conf;
3084 preflen = conflen;
3085 allow = c->peer_sigalgs;
3086 allowlen = c->peer_sigalgslen;
3087 }
3088 else
3089 {
3090 allow = conf;
3091 allowlen = conflen;
3092 pref = c->peer_sigalgs;
3093 preflen = c->peer_sigalgslen;
3094 }
3095 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3096 if (!nmatch)
3097 return 1;
3098 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3099 if (!salgs)
3100 return 0;
3101 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3102 c->shared_sigalgs = salgs;
3103 c->shared_sigalgslen = nmatch;
3104 return 1;
3105 }
3106
3107
6b7be581
DSH		 3108/* Set preferred digest for each key type */
3109
8f829124 3110int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
6b7be581 3111 {
4453cd8c
DSH		 3112 int idx;
3113 size_t i;
6b7be581
DSH		 3114 const EVP_MD *md;
3115 CERT *c = s->cert;
e7f8ff43 3116 TLS_SIGALGS *sigptr;
6b7be581 3117 /* Extension ignored for TLS versions below 1.2 */
238b6361 3118 if (TLS1_get_version(s) < TLS1_2_VERSION)
6b7be581 3119 return 1;
8f829124
DSH		 3120 /* Should never happen */
3121 if (!c)
3122 return 0;
6b7be581
DSH		 3123
3124 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3125 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3126 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3127 c->pkeys[SSL_PKEY_ECC].digest = NULL;
3128
4453cd8c 3129 c->peer_sigalgs = OPENSSL_malloc(dsize);
0f229cce 3130 if (!c->peer_sigalgs)
e7f8ff43 3131 return 0;
4453cd8c
DSH		 3132 c->peer_sigalgslen = dsize;
3133 memcpy(c->peer_sigalgs, data, dsize);
6b7be581 3134
4453cd8c 3135 tls1_set_shared_sigalgs(s);
6b7be581 3136
4453cd8c
DSH		 3137 for (i = 0, sigptr = c->shared_sigalgs;
3138 i < c->shared_sigalgslen; i++, sigptr++)
3139 {
3140 idx = tls12_get_pkey_idx(sigptr->rsign);
3141 if (idx > 0 && c->pkeys[idx].digest == NULL)
6b7be581 3142 {
e7f8ff43 3143 md = tls12_get_hash(sigptr->rhash);
4453cd8c
DSH		 3144 c->pkeys[idx].digest = md;
3145 if (idx == SSL_PKEY_RSA_SIGN)
3146 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
6b7be581
DSH		 3147 }
3148
6b7be581 3149 }
d61ff83b
DSH		 3150 /* In strict mode leave unset digests as NULL to indicate we can't
3151 * use the certificate for signing.
6b7be581 3152 */
d61ff83b
DSH		 3153 if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
3154 {
3155 /* Set any remaining keys to default values. NOTE: if alg is
3156 * not supported it stays as NULL.
3157 */
6b7be581 3158#ifndef OPENSSL_NO_DSA
d61ff83b
DSH		 3159 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3160 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
6b7be581
DSH		 3161#endif
3162#ifndef OPENSSL_NO_RSA
d61ff83b
DSH		 3163 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3164 {
3165 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3166 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3167 }
6b7be581
DSH		 3168#endif
3169#ifndef OPENSSL_NO_ECDSA
d61ff83b
DSH		 3170 if (!c->pkeys[SSL_PKEY_ECC].digest)
3171 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
6b7be581 3172#endif
d61ff83b 3173 }
6b7be581
DSH		 3174 return 1;
3175 }
3176
4817504d 3177
e7f8ff43 3178int SSL_get_sigalgs(SSL *s, int idx,
4453cd8c 3179 int *psign, int *phash, int *psignhash,
e7f8ff43
DSH		 3180 unsigned char *rsig, unsigned char *rhash)
3181 {
4453cd8c
DSH		 3182 const unsigned char *psig = s->cert->peer_sigalgs;
3183 if (psig == NULL)
e7f8ff43
DSH		 3184 return 0;
3185 if (idx >= 0)
3186 {
4453cd8c 3187 idx <<= 1;
0f229cce 3188 if (idx >= (int)s->cert->peer_sigalgslen)
e7f8ff43 3189 return 0;
4453cd8c 3190 psig += idx;
e7f8ff43 3191 if (rhash)
4453cd8c
DSH		 3192 *rhash = psig[0];
3193 if (rsig)
3194 *rsig = psig[1];
3195 tls1_lookup_sigalg(phash, psign, psignhash, psig);
e7f8ff43 3196 }
4453cd8c
DSH		 3197 return s->cert->peer_sigalgslen / 2;
3198 }
3199
3200int SSL_get_shared_sigalgs(SSL *s, int idx,
3201 int *psign, int *phash, int *psignhash,
3202 unsigned char *rsig, unsigned char *rhash)
3203 {
3204 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3205 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3206 return 0;
3207 shsigalgs += idx;
3208 if (phash)
3209 *phash = shsigalgs->hash_nid;
3210 if (psign)
3211 *psign = shsigalgs->sign_nid;
3212 if (psignhash)
3213 *psignhash = shsigalgs->signandhash_nid;
3214 if (rsig)
3215 *rsig = shsigalgs->rsign;
3216 if (rhash)
3217 *rhash = shsigalgs->rhash;
3218 return s->cert->shared_sigalgslen;
e7f8ff43
DSH		 3219 }
3220
3221
4817504d
DSH		 3222#ifndef OPENSSL_NO_HEARTBEATS
3223int
3224tls1_process_heartbeat(SSL *s)
3225 {
3226 unsigned char *p = &s->s3->rrec.data[0], *pl;
3227 unsigned short hbtype;
3228 unsigned int payload;
3229 unsigned int padding = 16; /* Use minimum padding */
3230
3231 /* Read type and payload length first */
3232 hbtype = *p++;
3233 n2s(p, payload);
3234 pl = p;
3235
3236 if (s->msg_callback)
3237 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3238 &s->s3->rrec.data[0], s->s3->rrec.length,
3239 s, s->msg_callback_arg);
3240
3241 if (hbtype == TLS1_HB_REQUEST)
3242 {
3243 unsigned char *buffer, *bp;
3244 int r;
3245
3246 /* Allocate memory for the response, size is 1 bytes
3247 * message type, plus 2 bytes payload length, plus
3248 * payload, plus padding
3249 */
3250 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3251 bp = buffer;
3252
3253 /* Enter response type, length and copy payload */
3254 *bp++ = TLS1_HB_RESPONSE;
3255 s2n(payload, bp);
3256 memcpy(bp, pl, payload);
57cb030c
DSH		 3257 bp += payload;
3258 /* Random padding */
3259 RAND_pseudo_bytes(bp, padding);
3260
4817504d
DSH		 3261 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3262
3263 if (r >= 0 && s->msg_callback)
3264 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3265 buffer, 3 + payload + padding,
3266 s, s->msg_callback_arg);
3267
3268 OPENSSL_free(buffer);
3269
3270 if (r < 0)
3271 return r;
3272 }
3273 else if (hbtype == TLS1_HB_RESPONSE)
3274 {
3275 unsigned int seq;
3276
3277 /* We only send sequence numbers (2 bytes unsigned int),
3278 * and 16 random bytes, so we just try to read the
3279 * sequence number */
3280 n2s(pl, seq);
3281
3282 if (payload == 18 && seq == s->tlsext_hb_seq)
3283 {
3284 s->tlsext_hb_seq++;
3285 s->tlsext_hb_pending = 0;
3286 }
3287 }
3288
3289 return 0;
3290 }
3291
3292int
3293tls1_heartbeat(SSL *s)
3294 {
3295 unsigned char *buf, *p;
3296 int ret;
3297 unsigned int payload = 18; /* Sequence number + random bytes */
3298 unsigned int padding = 16; /* Use minimum padding */
3299
3300 /* Only send if peer supports and accepts HB requests... */
3301 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3302 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3303 {
3304 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3305 return -1;
3306 }
3307
3308 /* ...and there is none in flight yet... */
3309 if (s->tlsext_hb_pending)
3310 {
3311 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3312 return -1;
3313 }
3314
3315 /* ...and no handshake in progress. */
3316 if (SSL_in_init(s) || s->in_handshake)
3317 {
3318 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3319 return -1;
3320 }
3321
3322 /* Check if padding is too long, payload and padding
3323 * must not exceed 2^14 - 3 = 16381 bytes in total.
3324 */
3325 OPENSSL_assert(payload + padding <= 16381);
3326
3327 /* Create HeartBeat message, we just use a sequence number
3328 * as payload to distuingish different messages and add
3329 * some random stuff.
3330 * - Message Type, 1 byte
3331 * - Payload Length, 2 bytes (unsigned int)
3332 * - Payload, the sequence number (2 bytes uint)
3333 * - Payload, random bytes (16 bytes uint)
3334 * - Padding
3335 */
3336 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3337 p = buf;
3338 /* Message Type */
3339 *p++ = TLS1_HB_REQUEST;
3340 /* Payload length (18 bytes here) */
3341 s2n(payload, p);
3342 /* Sequence number */
3343 s2n(s->tlsext_hb_seq, p);
3344 /* 16 random bytes */
3345 RAND_pseudo_bytes(p, 16);
3346 p += 16;
3347 /* Random padding */
3348 RAND_pseudo_bytes(p, padding);
3349
3350 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3351 if (ret >= 0)
3352 {
3353 if (s->msg_callback)
3354 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3355 buf, 3 + payload + padding,
3356 s, s->msg_callback_arg);
3357
3358 s->tlsext_hb_pending = 1;
3359 }
3360
3361 OPENSSL_free(buf);
3362
3363 return ret;
3364 }
3365#endif
0f229cce 3366
4453cd8c 3367#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce
DSH		 3368
3369typedef struct
3370 {
3371 size_t sigalgcnt;
3372 int sigalgs[MAX_SIGALGLEN];
3373 } sig_cb_st;
3374
3375static int sig_cb(const char *elem, int len, void *arg)
3376 {
3377 sig_cb_st *sarg = arg;
3378 size_t i;
3379 char etmp[20], *p;
3380 int sig_alg, hash_alg;
3381 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3382 return 0;
3383 if (len > (int)(sizeof(etmp) - 1))
3384 return 0;
3385 memcpy(etmp, elem, len);
3386 etmp[len] = 0;
3387 p = strchr(etmp, '+');
3388 if (!p)
3389 return 0;
3390 *p = 0;
3391 p++;
3392 if (!*p)
3393 return 0;
3394
3395 if (!strcmp(etmp, "RSA"))
3396 sig_alg = EVP_PKEY_RSA;
3397 else if (!strcmp(etmp, "DSA"))
3398 sig_alg = EVP_PKEY_DSA;
3399 else if (!strcmp(etmp, "ECDSA"))
3400 sig_alg = EVP_PKEY_EC;
3401 else return 0;
3402
3403 hash_alg = OBJ_sn2nid(p);
3404 if (hash_alg == NID_undef)
3405 hash_alg = OBJ_ln2nid(p);
3406 if (hash_alg == NID_undef)
3407 return 0;
3408
3409 for (i = 0; i < sarg->sigalgcnt; i+=2)
3410 {
3411 if (sarg->sigalgs[i] == sig_alg
3412 && sarg->sigalgs[i + 1] == hash_alg)
3413 return 0;
3414 }
3415 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3416 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3417 return 1;
3418 }
3419
3420/* Set suppored signature algorithms based on a colon separated list
3421 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3dbc46df 3422int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f229cce
DSH		 3423 {
3424 sig_cb_st sig;
3425 sig.sigalgcnt = 0;
3426 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3427 return 0;
3dbc46df 3428 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
0f229cce
DSH		 3429 }
3430
3dbc46df 3431int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f229cce 3432 {
4453cd8c 3433 unsigned char *sigalgs, *sptr;
0f229cce
DSH		 3434 int rhash, rsign;
3435 size_t i;
3436 if (salglen & 1)
3437 return 0;
4453cd8c 3438 sigalgs = OPENSSL_malloc(salglen);
0f229cce
DSH		 3439 if (sigalgs == NULL)
3440 return 0;
4453cd8c 3441 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
0f229cce 3442 {
4453cd8c 3443 rhash = tls12_find_id(*psig_nids++, tls12_md,
0f229cce 3444 sizeof(tls12_md)/sizeof(tls12_lookup));
4453cd8c 3445 rsign = tls12_find_id(*psig_nids++, tls12_sig,
0f229cce
DSH		 3446 sizeof(tls12_sig)/sizeof(tls12_lookup));
3447
3448 if (rhash == -1 || rsign == -1)
3449 goto err;
4453cd8c
DSH		 3450 *sptr++ = rhash;
3451 *sptr++ = rsign;
0f229cce
DSH		 3452 }
3453
3dbc46df
DSH		 3454 if (client)
3455 {
3456 if (c->client_sigalgs)
3457 OPENSSL_free(c->client_sigalgs);
3458 c->client_sigalgs = sigalgs;
3459 c->client_sigalgslen = salglen;
3460 }
3461 else
3462 {
3463 if (c->conf_sigalgs)
3464 OPENSSL_free(c->conf_sigalgs);
3465 c->conf_sigalgs = sigalgs;
3466 c->conf_sigalgslen = salglen;
3467 }
0f229cce 3468
0f229cce
DSH		 3469 return 1;
3470
3471 err:
3472 OPENSSL_free(sigalgs);
3473 return 0;
3474 }
4453cd8c 3475
d61ff83b
DSH		 3476static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3477 {
3478 int sig_nid;
3479 size_t i;
3480 if (default_nid == -1)
3481 return 1;
3482 sig_nid = X509_get_signature_nid(x);
3483 if (default_nid)
3484 return sig_nid == default_nid ? 1 : 0;
3485 for (i = 0; i < c->shared_sigalgslen; i++)
3486 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3487 return 1;
3488 return 0;
3489 }
3490
3491/* Check certificate chain is consistent with TLS extensions and is
3492 * usable by server.
3493 */
3494int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3495 int idx)
3496 {
3497 int i;
3498 int rv = CERT_PKEY_INVALID;
3499 CERT_PKEY *cpk = NULL;
3500 CERT *c = s->cert;
3501 if (idx != -1)
3502 {
3503 cpk = c->pkeys + idx;
3504 x = cpk->x509;
3505 pk = cpk->privatekey;
3506 chain = cpk->chain;
3507 /* If no cert or key, forget it */
3508 if (!x || !pk)
3509 goto end;
3510 }
3511 else
3512 {
3513 idx = ssl_cert_type(x, pk);
3514 if (idx == -1)
3515 goto end;
3516 }
3517
3518 /* Check all signature algorithms are consistent with
3519 * signature algorithms extension if TLS 1.2 or later
3520 * and strict mode.
3521 */
3522 if (TLS1_get_version(s) >= TLS1_2_VERSION
3523 && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3524 {
3525 int default_nid;
3526 unsigned char rsign = 0;
3527 if (c->peer_sigalgs)
3528 default_nid = 0;
3529 /* If no sigalgs extension use defaults from RFC5246 */
3530 else
3531 {
3532 switch(idx)
3533 {
3534 case SSL_PKEY_RSA_ENC:
3535 case SSL_PKEY_RSA_SIGN:
3536 case SSL_PKEY_DH_RSA:
3537 rsign = TLSEXT_signature_rsa;
3538 default_nid = NID_sha1WithRSAEncryption;
3539 break;
3540
3541 case SSL_PKEY_DSA_SIGN:
3542 case SSL_PKEY_DH_DSA:
3543 rsign = TLSEXT_signature_dsa;
3544 default_nid = NID_dsaWithSHA1;
3545 break;
3546
3547 case SSL_PKEY_ECC:
3548 rsign = TLSEXT_signature_ecdsa;
3549 default_nid = NID_ecdsa_with_SHA1;
3550 break;
3551
3552 default:
3553 default_nid = -1;
3554 break;
3555 }
3556 }
3557 /* If peer sent no signature algorithms extension and we
3558 * have set preferred signature algorithms check we support
3559 * sha1.
3560 */
15a70fe5 3561 if (default_nid > 0 && c->conf_sigalgs)
d61ff83b
DSH		 3562 {
3563 size_t j;
3564 const unsigned char *p = c->conf_sigalgs;
3565 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
3566 {
3567 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3568 break;
3569 }
3570 if (j == c->conf_sigalgslen)
3571 goto end;
3572 }
3573 /* Check signature algorithm of each cert in chain */
3574 if (!tls1_check_sig_alg(c, x, default_nid))
3575 goto end;
3576 for (i = 0; i < sk_X509_num(chain); i++)
3577 {
3578 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
3579 default_nid))
3580 goto end;
3581 }
3582 }
3583
3584 /* Check cert parameters are consistent */
3585 if (!tls1_check_cert_param(s, x))
3586 goto end;
3587 /* In strict mode check rest of chain too */
3588 if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3589 {
3590 for (i = 0; i < sk_X509_num(chain); i++)
3591 {
3592 if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
3593 goto end;
3594 }
3595 }
3596 rv = CERT_PKEY_VALID;
3597
3598 end:
3599 if (cpk)
3600 {
3601 if (rv && cpk->digest)
3602 rv |= CERT_PKEY_SIGN;
3603 cpk->valid_flags = rv;
3604 }
3605 return rv;
3606 }
3607
3608/* Set validity of certificates in an SSL structure */
3609void tls1_set_cert_validity(SSL *s)
3610 {
3611 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3612 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3613 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3614 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
3615 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
3616 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3617 }
18d71588
DSH		 3618/* User level utiity function to check a chain is suitable */
3619int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3620 {
3621 return tls1_check_chain(s, x, pk, chain, -1);
3622 }
d61ff83b 3623
4453cd8c 3624#endif
A mirror of the official openssl repository