]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Rename some BUF_xxx to OPENSSL_xxx
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
6434abbf 124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
2daceb03 127static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 128int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 129
0f113f3e
MC		 130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_alert_code,
141 tls1_export_keying_material,
142 0,
143 SSL3_HM_HEADER_LENGTH,
144 ssl3_set_handshake_header,
145 ssl3_handshake_write
146};
147
148SSL3_ENC_METHOD const TLSv1_1_enc_data = {
149 tls1_enc,
150 tls1_mac,
151 tls1_setup_key_block,
152 tls1_generate_master_secret,
153 tls1_change_cipher_state,
154 tls1_final_finish_mac,
155 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 156 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
157 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
158 tls1_alert_code,
159 tls1_export_keying_material,
160 SSL_ENC_FLAG_EXPLICIT_IV,
161 SSL3_HM_HEADER_LENGTH,
162 ssl3_set_handshake_header,
163 ssl3_handshake_write
164};
165
166SSL3_ENC_METHOD const TLSv1_2_enc_data = {
167 tls1_enc,
168 tls1_mac,
169 tls1_setup_key_block,
170 tls1_generate_master_secret,
171 tls1_change_cipher_state,
172 tls1_final_finish_mac,
173 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 174 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
179 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183};
58964a49 184
f3b656b2 185long tls1_default_timeout(void)
0f113f3e
MC		 186{
187 /*
188 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
189 * http, the cache would over fill
190 */
191 return (60 * 60 * 2);
192}
58964a49 193
6b691a5c 194int tls1_new(SSL *s)
0f113f3e
MC		 195{
196 if (!ssl3_new(s))
197 return (0);
198 s->method->ssl_clear(s);
199 return (1);
200}
58964a49 201
6b691a5c 202void tls1_free(SSL *s)
0f113f3e 203{
b548a1f1 204 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 205 ssl3_free(s);
206}
58964a49 207
6b691a5c 208void tls1_clear(SSL *s)
0f113f3e
MC		 209{
210 ssl3_clear(s);
211 s->version = s->method->version;
212}
58964a49 213
525de5d3 214#ifndef OPENSSL_NO_EC
eda3766b 215
0f113f3e
MC		 216typedef struct {
217 int nid; /* Curve NID */
218 int secbits; /* Bits of security (from SP800-57) */
219 unsigned int flags; /* Flags: currently just field type */
220} tls_curve_info;
221
222# define TLS_CURVE_CHAR2 0x1
223# define TLS_CURVE_PRIME 0x0
224
225static const tls_curve_info nid_list[] = {
226 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
227 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
228 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
229 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
230 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
231 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
232 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
233 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
234 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
235 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
236 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
237 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
238 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
239 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
240 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
241 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
242 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
243 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
244 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
245 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
246 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
247 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
248 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
249 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
250 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
251 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
252 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
253 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
254};
255
256static const unsigned char ecformats_default[] = {
257 TLSEXT_ECPOINTFORMAT_uncompressed,
258 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
259 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
260};
261
fe6ef247
KR		 262/* The default curves */
263static const unsigned char eccurves_default[] = {
de57d237
EK		 264 /* Prefer P-256 which has the fastest and most secure implementations. */
265 0, 23, /* secp256r1 (23) */
266 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 267 0, 25, /* secp521r1 (25) */
268 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 269 0, 27, /* brainpoolP384r1 (27) */
270 0, 24, /* secp384r1 (24) */
de57d237
EK		 271 0, 26, /* brainpoolP256r1 (26) */
272 0, 22, /* secp256k1 (22) */
273 /* >= 256-bit binary curves. */
274 0, 14, /* sect571r1 (14) */
275 0, 13, /* sect571k1 (13) */
276 0, 11, /* sect409k1 (11) */
277 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 278 0, 9, /* sect283k1 (9) */
279 0, 10, /* sect283r1 (10) */
de57d237
EK		 280};
281
282static const unsigned char eccurves_all[] = {
283 /* Prefer P-256 which has the fastest and most secure implementations. */
284 0, 23, /* secp256r1 (23) */
285 /* Other >= 256-bit prime curves. */
286 0, 25, /* secp521r1 (25) */
287 0, 28, /* brainpool512r1 (28) */
288 0, 27, /* brainpoolP384r1 (27) */
289 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 290 0, 26, /* brainpoolP256r1 (26) */
291 0, 22, /* secp256k1 (22) */
de57d237
EK		 292 /* >= 256-bit binary curves. */
293 0, 14, /* sect571r1 (14) */
294 0, 13, /* sect571k1 (13) */
295 0, 11, /* sect409k1 (11) */
296 0, 12, /* sect409r1 (12) */
297 0, 9, /* sect283k1 (9) */
298 0, 10, /* sect283r1 (10) */
299 /*
300 * Remaining curves disabled by default but still permitted if set
301 * via an explicit callback or parameters.
302 */
303 0, 20, /* secp224k1 (20) */
304 0, 21, /* secp224r1 (21) */
305 0, 18, /* secp192k1 (18) */
306 0, 19, /* secp192r1 (19) */
307 0, 15, /* secp160k1 (15) */
308 0, 16, /* secp160r1 (16) */
309 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 310 0, 8, /* sect239k1 (8) */
311 0, 6, /* sect233k1 (6) */
312 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 313 0, 4, /* sect193r1 (4) */
314 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 315 0, 1, /* sect163k1 (1) */
316 0, 2, /* sect163r1 (2) */
317 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 318};
319
de57d237 320
0f113f3e
MC		 321static const unsigned char suiteb_curves[] = {
322 0, TLSEXT_curve_P_256,
323 0, TLSEXT_curve_P_384
324};
2ea80354 325
525de5d3 326int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 327{
328 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 329 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 330 return 0;
331 return nid_list[curve_id - 1].nid;
332}
525de5d3
DSH		 333
334int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 335{
336 /* ECC curves from RFC 4492 and RFC 7027 */
337 switch (nid) {
338 case NID_sect163k1: /* sect163k1 (1) */
339 return 1;
340 case NID_sect163r1: /* sect163r1 (2) */
341 return 2;
342 case NID_sect163r2: /* sect163r2 (3) */
343 return 3;
344 case NID_sect193r1: /* sect193r1 (4) */
345 return 4;
346 case NID_sect193r2: /* sect193r2 (5) */
347 return 5;
348 case NID_sect233k1: /* sect233k1 (6) */
349 return 6;
350 case NID_sect233r1: /* sect233r1 (7) */
351 return 7;
352 case NID_sect239k1: /* sect239k1 (8) */
353 return 8;
354 case NID_sect283k1: /* sect283k1 (9) */
355 return 9;
356 case NID_sect283r1: /* sect283r1 (10) */
357 return 10;
358 case NID_sect409k1: /* sect409k1 (11) */
359 return 11;
360 case NID_sect409r1: /* sect409r1 (12) */
361 return 12;
362 case NID_sect571k1: /* sect571k1 (13) */
363 return 13;
364 case NID_sect571r1: /* sect571r1 (14) */
365 return 14;
366 case NID_secp160k1: /* secp160k1 (15) */
367 return 15;
368 case NID_secp160r1: /* secp160r1 (16) */
369 return 16;
370 case NID_secp160r2: /* secp160r2 (17) */
371 return 17;
372 case NID_secp192k1: /* secp192k1 (18) */
373 return 18;
374 case NID_X9_62_prime192v1: /* secp192r1 (19) */
375 return 19;
376 case NID_secp224k1: /* secp224k1 (20) */
377 return 20;
378 case NID_secp224r1: /* secp224r1 (21) */
379 return 21;
380 case NID_secp256k1: /* secp256k1 (22) */
381 return 22;
382 case NID_X9_62_prime256v1: /* secp256r1 (23) */
383 return 23;
384 case NID_secp384r1: /* secp384r1 (24) */
385 return 24;
386 case NID_secp521r1: /* secp521r1 (25) */
387 return 25;
388 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
389 return 26;
390 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
391 return 27;
392 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
393 return 28;
394 default:
395 return 0;
396 }
397}
398
740580c2
EK		 399/*
400 * Get curves list, if "sess" is set return client curves otherwise
401 * preferred list.
402 * Sets |num_curves| to the number of curves in the list, i.e.,
403 * the length of |pcurves| is 2 * num_curves.
404 * Returns 1 on success and 0 if the client curves list has invalid format.
405 * The latter indicates an internal error: we should not be accepting such
406 * lists in the first place.
407 * TODO(emilia): we should really be storing the curves list in explicitly
408 * parsed form instead. (However, this would affect binary compatibility
409 * so cannot happen in the 1.0.x series.)
fd2b65ce 410 */
740580c2 411static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 412 const unsigned char **pcurves,
413 size_t *num_curves)
414{
415 size_t pcurveslen = 0;
416 if (sess) {
417 *pcurves = s->session->tlsext_ellipticcurvelist;
418 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
419 } else {
420 /* For Suite B mode only include P-256, P-384 */
421 switch (tls1_suiteb(s)) {
422 case SSL_CERT_FLAG_SUITEB_128_LOS:
423 *pcurves = suiteb_curves;
424 pcurveslen = sizeof(suiteb_curves);
425 break;
426
427 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
428 *pcurves = suiteb_curves;
429 pcurveslen = 2;
430 break;
431
432 case SSL_CERT_FLAG_SUITEB_192_LOS:
433 *pcurves = suiteb_curves + 2;
434 pcurveslen = 2;
435 break;
436 default:
437 *pcurves = s->tlsext_ellipticcurvelist;
438 pcurveslen = s->tlsext_ellipticcurvelist_length;
439 }
440 if (!*pcurves) {
fe6ef247
KR		 441 *pcurves = eccurves_default;
442 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 443 }
444 }
445
446 /* We do not allow odd length arrays to enter the system. */
447 if (pcurveslen & 1) {
448 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
449 *num_curves = 0;
450 return 0;
451 } else {
452 *num_curves = pcurveslen / 2;
453 return 1;
454 }
455}
b362ccab
DSH		 456
457/* See if curve is allowed by security callback */
458static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 459{
460 const tls_curve_info *cinfo;
461 if (curve[0])
462 return 1;
b6eb9827 463 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 464 return 0;
465 cinfo = &nid_list[curve[1] - 1];
466# ifdef OPENSSL_NO_EC2M
467 if (cinfo->flags & TLS_CURVE_CHAR2)
468 return 0;
469# endif
470 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
471}
b362ccab 472
d18b716d
DSH		 473/* Check a curve is one of our preferences */
474int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 475{
476 const unsigned char *curves;
477 size_t num_curves, i;
478 unsigned int suiteb_flags = tls1_suiteb(s);
479 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
480 return 0;
481 /* Check curve matches Suite B preferences */
482 if (suiteb_flags) {
483 unsigned long cid = s->s3->tmp.new_cipher->id;
484 if (p[1])
485 return 0;
486 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
487 if (p[2] != TLSEXT_curve_P_256)
488 return 0;
489 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
490 if (p[2] != TLSEXT_curve_P_384)
491 return 0;
492 } else /* Should never happen */
493 return 0;
494 }
495 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
496 return 0;
497 for (i = 0; i < num_curves; i++, curves += 2) {
498 if (p[1] == curves[0] && p[2] == curves[1])
499 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
500 }
501 return 0;
502}
d0595f17 503
1d97c843 504/*-
6977e8ee
KR		 505 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
506 * if there is no match.
507 * For nmatch == -1, return number of matches
376e2ca3
EK		 508 * For nmatch == -2, return the NID of the curve to use for
509 * an EC tmp key, or NID_undef if there is no match.
d0595f17 510 */
a4352630 511int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 512{
513 const unsigned char *pref, *supp;
514 size_t num_pref, num_supp, i, j;
515 int k;
516 /* Can't do anything on client side */
517 if (s->server == 0)
518 return -1;
519 if (nmatch == -2) {
520 if (tls1_suiteb(s)) {
521 /*
522 * For Suite B ciphersuite determines curve: we already know
523 * these are acceptable due to previous checks.
524 */
525 unsigned long cid = s->s3->tmp.new_cipher->id;
526 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
527 return NID_X9_62_prime256v1; /* P-256 */
528 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
529 return NID_secp384r1; /* P-384 */
530 /* Should never happen */
531 return NID_undef;
532 }
533 /* If not Suite B just return first preference shared curve */
534 nmatch = 0;
535 }
536 /*
537 * Avoid truncation. tls1_get_curvelist takes an int
538 * but s->options is a long...
539 */
540 if (!tls1_get_curvelist
541 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
542 &num_supp))
543 /* In practice, NID_undef == 0 but let's be precise. */
544 return nmatch == -1 ? 0 : NID_undef;
545 if (!tls1_get_curvelist
546 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
547 &num_pref))
548 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 549
550 /*
551 * If the client didn't send the elliptic_curves extension all of them
552 * are allowed.
553 */
554 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
555 supp = eccurves_all;
556 num_supp = sizeof(eccurves_all) / 2;
557 } else if (num_pref == 0 &&
558 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
559 pref = eccurves_all;
560 num_pref = sizeof(eccurves_all) / 2;
561 }
562
0f113f3e
MC		 563 k = 0;
564 for (i = 0; i < num_pref; i++, pref += 2) {
565 const unsigned char *tsupp = supp;
566 for (j = 0; j < num_supp; j++, tsupp += 2) {
567 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
568 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
569 continue;
570 if (nmatch == k) {
571 int id = (pref[0] << 8) | pref[1];
572 return tls1_ec_curve_id2nid(id);
573 }
574 k++;
575 }
576 }
577 }
578 if (nmatch == -1)
579 return k;
580 /* Out of range (nmatch > k). */
581 return NID_undef;
582}
d0595f17
DSH		 583
584int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 585 int *curves, size_t ncurves)
586{
587 unsigned char *clist, *p;
588 size_t i;
589 /*
590 * Bitmap of curves included to detect duplicates: only works while curve
591 * ids < 32
592 */
593 unsigned long dup_list = 0;
594 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 595 if (clist == NULL)
0f113f3e
MC		 596 return 0;
597 for (i = 0, p = clist; i < ncurves; i++) {
598 unsigned long idmask;
599 int id;
600 id = tls1_ec_nid2curve_id(curves[i]);
601 idmask = 1L << id;
602 if (!id || (dup_list & idmask)) {
603 OPENSSL_free(clist);
604 return 0;
605 }
606 dup_list |= idmask;
607 s2n(id, p);
608 }
b548a1f1 609 OPENSSL_free(*pext);
0f113f3e
MC		 610 *pext = clist;
611 *pextlen = ncurves * 2;
612 return 1;
613}
614
615# define MAX_CURVELIST 28
616
617typedef struct {
618 size_t nidcnt;
619 int nid_arr[MAX_CURVELIST];
620} nid_cb_st;
d0595f17
DSH		 621
622static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 623{
624 nid_cb_st *narg = arg;
625 size_t i;
626 int nid;
627 char etmp[20];
2747d73c
KR		 628 if (elem == NULL)
629 return 0;
0f113f3e
MC		 630 if (narg->nidcnt == MAX_CURVELIST)
631 return 0;
632 if (len > (int)(sizeof(etmp) - 1))
633 return 0;
634 memcpy(etmp, elem, len);
635 etmp[len] = 0;
636 nid = EC_curve_nist2nid(etmp);
637 if (nid == NID_undef)
638 nid = OBJ_sn2nid(etmp);
639 if (nid == NID_undef)
640 nid = OBJ_ln2nid(etmp);
641 if (nid == NID_undef)
642 return 0;
643 for (i = 0; i < narg->nidcnt; i++)
644 if (narg->nid_arr[i] == nid)
645 return 0;
646 narg->nid_arr[narg->nidcnt++] = nid;
647 return 1;
648}
649
d0595f17 650/* Set curves based on a colon separate list */
0f113f3e
MC		 651int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
652 const char *str)
653{
654 nid_cb_st ncb;
655 ncb.nidcnt = 0;
656 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
657 return 0;
658 if (pext == NULL)
659 return 1;
660 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
661}
662
fd2b65ce
DSH		 663/* For an EC key set TLS id and required compression based on parameters */
664static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 665 EC_KEY *ec)
666{
667 int is_prime, id;
668 const EC_GROUP *grp;
669 const EC_METHOD *meth;
670 if (!ec)
671 return 0;
672 /* Determine if it is a prime field */
673 grp = EC_KEY_get0_group(ec);
674 if (!grp)
675 return 0;
676 meth = EC_GROUP_method_of(grp);
677 if (!meth)
678 return 0;
679 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
680 is_prime = 1;
681 else
682 is_prime = 0;
683 /* Determine curve ID */
684 id = EC_GROUP_get_curve_name(grp);
685 id = tls1_ec_nid2curve_id(id);
686 /* If we have an ID set it, otherwise set arbitrary explicit curve */
687 if (id) {
688 curve_id[0] = 0;
689 curve_id[1] = (unsigned char)id;
690 } else {
691 curve_id[0] = 0xff;
692 if (is_prime)
693 curve_id[1] = 0x01;
694 else
695 curve_id[1] = 0x02;
696 }
697 if (comp_id) {
698 if (EC_KEY_get0_public_key(ec) == NULL)
699 return 0;
700 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
701 if (is_prime)
702 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
703 else
704 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
705 } else
706 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
707 }
708 return 1;
709}
710
fd2b65ce
DSH		 711/* Check an EC key is compatible with extensions */
712static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 713 unsigned char *curve_id, unsigned char *comp_id)
714{
715 const unsigned char *pformats, *pcurves;
716 size_t num_formats, num_curves, i;
717 int j;
718 /*
719 * If point formats extension present check it, otherwise everything is
720 * supported (see RFC4492).
721 */
722 if (comp_id && s->session->tlsext_ecpointformatlist) {
723 pformats = s->session->tlsext_ecpointformatlist;
724 num_formats = s->session->tlsext_ecpointformatlist_length;
725 for (i = 0; i < num_formats; i++, pformats++) {
726 if (*comp_id == *pformats)
727 break;
728 }
729 if (i == num_formats)
730 return 0;
731 }
732 if (!curve_id)
733 return 1;
734 /* Check curve is consistent with client and server preferences */
735 for (j = 0; j <= 1; j++) {
736 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
737 return 0;
b79d2410
MC		 738 if (j == 1 && num_curves == 0) {
739 /*
740 * If we've not received any curves then skip this check.
741 * RFC 4492 does not require the supported elliptic curves extension
742 * so if it is not sent we can just choose any curve.
743 * It is invalid to send an empty list in the elliptic curves
744 * extension, so num_curves == 0 always means no extension.
745 */
746 break;
747 }
0f113f3e
MC		 748 for (i = 0; i < num_curves; i++, pcurves += 2) {
749 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
750 break;
751 }
752 if (i == num_curves)
753 return 0;
754 /* For clients can only check sent curve list */
755 if (!s->server)
756 break;
757 }
758 return 1;
759}
d61ff83b 760
5087afa1 761static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 762 size_t *num_formats)
763{
764 /*
765 * If we have a custom point format list use it otherwise use default
766 */
767 if (s->tlsext_ecpointformatlist) {
768 *pformats = s->tlsext_ecpointformatlist;
769 *num_formats = s->tlsext_ecpointformatlist_length;
770 } else {
771 *pformats = ecformats_default;
772 /* For Suite B we don't support char2 fields */
773 if (tls1_suiteb(s))
774 *num_formats = sizeof(ecformats_default) - 1;
775 else
776 *num_formats = sizeof(ecformats_default);
777 }
778}
779
780/*
781 * Check cert parameters compatible with extensions: currently just checks EC
782 * certificates have compatible curves and compression.
d61ff83b 783 */
2ea80354 784static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 785{
786 unsigned char comp_id, curve_id[2];
787 EVP_PKEY *pkey;
788 int rv;
789 pkey = X509_get_pubkey(x);
790 if (!pkey)
791 return 0;
792 /* If not EC nothing to do */
793 if (pkey->type != EVP_PKEY_EC) {
794 EVP_PKEY_free(pkey);
795 return 1;
796 }
797 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
798 EVP_PKEY_free(pkey);
799 if (!rv)
800 return 0;
801 /*
802 * Can't check curve_id for client certs as we don't have a supported
803 * curves extension.
804 */
805 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
806 if (!rv)
807 return 0;
808 /*
809 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
810 * SHA384+P-384, adjust digest if necessary.
811 */
812 if (set_ee_md && tls1_suiteb(s)) {
813 int check_md;
814 size_t i;
815 CERT *c = s->cert;
816 if (curve_id[0])
817 return 0;
818 /* Check to see we have necessary signing algorithm */
819 if (curve_id[1] == TLSEXT_curve_P_256)
820 check_md = NID_ecdsa_with_SHA256;
821 else if (curve_id[1] == TLSEXT_curve_P_384)
822 check_md = NID_ecdsa_with_SHA384;
823 else
824 return 0; /* Should never happen */
825 for (i = 0; i < c->shared_sigalgslen; i++)
826 if (check_md == c->shared_sigalgs[i].signandhash_nid)
827 break;
828 if (i == c->shared_sigalgslen)
829 return 0;
830 if (set_ee_md == 2) {
831 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 832 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 833 else
d376e57d 834 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 835 }
836 }
837 return rv;
838}
839
10bf4fc2 840# ifndef OPENSSL_NO_EC
6977e8ee
KR		 841/*
842 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
843 * @s: SSL connection
844 * @cid: Cipher ID we're considering using
845 *
846 * Checks that the kECDHE cipher suite we're considering using
847 * is compatible with the client extensions.
848 *
849 * Returns 0 when the cipher can't be used or 1 when it can.
850 */
2ea80354 851int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 852{
0f113f3e
MC		 853# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
854 /* Allow any curve: not just those peer supports */
855 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
856 return 1;
857# endif
858 /*
859 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
860 * curves permitted.
861 */
862 if (tls1_suiteb(s)) {
6977e8ee 863 unsigned char curve_id[2];
0f113f3e
MC		 864 /* Curve to check determined by ciphersuite */
865 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
866 curve_id[1] = TLSEXT_curve_P_256;
867 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
868 curve_id[1] = TLSEXT_curve_P_384;
869 else
870 return 0;
871 curve_id[0] = 0;
872 /* Check this curve is acceptable */
873 if (!tls1_check_ec_key(s, curve_id, NULL))
874 return 0;
fe6ef247 875 return 1;
0f113f3e 876 }
fe6ef247
KR		 877 /* Need a shared curve */
878 if (tls1_shared_curve(s, 0))
879 return 1;
6977e8ee 880 return 0;
0f113f3e 881}
10bf4fc2 882# endif /* OPENSSL_NO_EC */
d0595f17 883
14536c8c
DSH		 884#else
885
886static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 887{
888 return 1;
889}
14536c8c 890
0f113f3e 891#endif /* OPENSSL_NO_EC */
f1fd4544 892
0f113f3e
MC		 893/*
894 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 895 * customisable at some point, for now include everything we support.
896 */
897
e481f9b9
MC		 898#ifdef OPENSSL_NO_RSA
899# define tlsext_sigalg_rsa(md) /* */
900#else
901# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
902#endif
0f113f3e 903
e481f9b9
MC		 904#ifdef OPENSSL_NO_DSA
905# define tlsext_sigalg_dsa(md) /* */
906#else
907# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
908#endif
0f113f3e 909
e481f9b9
MC		 910#ifdef OPENSSL_NO_EC
911# define tlsext_sigalg_ecdsa(md) /* */
912#else
913# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
914#endif
0f113f3e 915
e481f9b9 916#define tlsext_sigalg(md) \
0f113f3e
MC		 917 tlsext_sigalg_rsa(md) \
918 tlsext_sigalg_dsa(md) \
919 tlsext_sigalg_ecdsa(md)
fc101f88 920
d97ed219 921static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 922 tlsext_sigalg(TLSEXT_hash_sha512)
923 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 924 tlsext_sigalg(TLSEXT_hash_sha256)
925 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 926 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 927#ifndef OPENSSL_NO_GOST
928 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
929 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
930 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
931#endif
fc101f88 932};
0f113f3e 933
e481f9b9 934#ifndef OPENSSL_NO_EC
d97ed219 935static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 936 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
937 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 938};
e481f9b9 939#endif
b7bfe69b 940size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 941{
942 /*
943 * If Suite B mode use Suite B sigalgs only, ignore any other
944 * preferences.
945 */
e481f9b9 946#ifndef OPENSSL_NO_EC
0f113f3e
MC		 947 switch (tls1_suiteb(s)) {
948 case SSL_CERT_FLAG_SUITEB_128_LOS:
949 *psigs = suiteb_sigalgs;
950 return sizeof(suiteb_sigalgs);
951
952 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
953 *psigs = suiteb_sigalgs;
954 return 2;
955
956 case SSL_CERT_FLAG_SUITEB_192_LOS:
957 *psigs = suiteb_sigalgs + 2;
958 return 2;
959 }
e481f9b9 960#endif
0f113f3e
MC		 961 /* If server use client authentication sigalgs if not NULL */
962 if (s->server && s->cert->client_sigalgs) {
963 *psigs = s->cert->client_sigalgs;
964 return s->cert->client_sigalgslen;
965 } else if (s->cert->conf_sigalgs) {
966 *psigs = s->cert->conf_sigalgs;
967 return s->cert->conf_sigalgslen;
968 } else {
969 *psigs = tls12_sigalgs;
970 return sizeof(tls12_sigalgs);
971 }
972}
973
974/*
975 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 976 * algorithms and if so return relevant digest.
977 */
978int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 979 const unsigned char *sig, EVP_PKEY *pkey)
980{
981 const unsigned char *sent_sigs;
982 size_t sent_sigslen, i;
983 int sigalg = tls12_get_sigid(pkey);
984 /* Should never happen */
985 if (sigalg == -1)
986 return -1;
987 /* Check key type is consistent with signature */
988 if (sigalg != (int)sig[1]) {
989 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
990 return 0;
991 }
e481f9b9 992#ifndef OPENSSL_NO_EC
0f113f3e
MC		 993 if (pkey->type == EVP_PKEY_EC) {
994 unsigned char curve_id[2], comp_id;
995 /* Check compression and curve matches extensions */
996 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
997 return 0;
998 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
999 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1000 return 0;
1001 }
1002 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1003 if (tls1_suiteb(s)) {
1004 if (curve_id[0])
1005 return 0;
1006 if (curve_id[1] == TLSEXT_curve_P_256) {
1007 if (sig[0] != TLSEXT_hash_sha256) {
1008 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1009 SSL_R_ILLEGAL_SUITEB_DIGEST);
1010 return 0;
1011 }
1012 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1013 if (sig[0] != TLSEXT_hash_sha384) {
1014 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1015 SSL_R_ILLEGAL_SUITEB_DIGEST);
1016 return 0;
1017 }
1018 } else
1019 return 0;
1020 }
1021 } else if (tls1_suiteb(s))
1022 return 0;
e481f9b9 1023#endif
0f113f3e
MC		 1024
1025 /* Check signature matches a type we sent */
1026 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1027 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1028 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1029 break;
1030 }
1031 /* Allow fallback to SHA1 if not strict mode */
1032 if (i == sent_sigslen
1033 && (sig[0] != TLSEXT_hash_sha1
1034 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1035 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1036 return 0;
1037 }
1038 *pmd = tls12_get_hash(sig[0]);
1039 if (*pmd == NULL) {
1040 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1041 return 0;
1042 }
1043 /* Make sure security callback allows algorithm */
1044 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1045 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1046 (void *)sig)) {
1047 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1048 return 0;
1049 }
1050 /*
1051 * Store the digest used so applications can retrieve it if they wish.
1052 */
d376e57d 1053 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1054 return 1;
1055}
2ea80354 1056
0f113f3e
MC		 1057/*
1058 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1059 * supported or doesn't appear in supported signature algorithms. Unlike
1060 * ssl_cipher_get_disabled this applies to a specific session and not global
1061 * settings.
b7bfe69b
DSH		 1062 */
1063void ssl_set_client_disabled(SSL *s)
0f113f3e 1064{
4d69f9e6
DSH		 1065 s->s3->tmp.mask_a = 0;
1066 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1067 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1068 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1069 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1070 else
4d69f9e6 1071 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1072 /* Disable TLS 1.0 ciphers if using SSL v3 */
1073 if (s->client_version == SSL3_VERSION)
1074 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1075 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1076 /*
1077 * Disable static DH if we don't include any appropriate signature
1078 * algorithms.
1079 */
4d69f9e6
DSH		 1080 if (s->s3->tmp.mask_a & SSL_aRSA)
1081 s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
1082 if (s->s3->tmp.mask_a & SSL_aDSS)
1083 s->s3->tmp.mask_k |= SSL_kDHd;
1084 if (s->s3->tmp.mask_a & SSL_aECDSA)
1085 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1086# ifndef OPENSSL_NO_PSK
1087 /* with PSK there must be client callback set */
1088 if (!s->psk_client_callback) {
4d69f9e6 1089 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1090 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1091 }
e481f9b9
MC		 1092#endif /* OPENSSL_NO_PSK */
1093#ifndef OPENSSL_NO_SRP
0f113f3e 1094 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1095 s->s3->tmp.mask_a |= SSL_aSRP;
1096 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1097 }
e481f9b9 1098#endif
0f113f3e 1099}
fc101f88 1100
b362ccab 1101int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1102{
4d69f9e6
DSH		 1103 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1104 || c->algorithm_mkey & s->s3->tmp.mask_k
1105 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1106 return 1;
1107 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1108}
b362ccab
DSH		 1109
1110static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1111{
1112 if (s->options & SSL_OP_NO_TICKET)
1113 return 0;
1114 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1115}
ed3883d2 1116
0f113f3e
MC		 1117unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1118 unsigned char *limit, int *al)
1119{
1120 int extdatalen = 0;
1121 unsigned char *orig = buf;
1122 unsigned char *ret = buf;
e481f9b9 1123#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1124 /* See if we support any ECC ciphersuites */
1125 int using_ecc = 0;
1126 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1127 int i;
1128 unsigned long alg_k, alg_a;
1129 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1130
1131 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1132 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1133
1134 alg_k = c->algorithm_mkey;
1135 alg_a = c->algorithm_auth;
13be69f3 1136 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
0f113f3e
MC		 1137 || (alg_a & SSL_aECDSA))) {
1138 using_ecc = 1;
1139 break;
1140 }
1141 }
1142 }
e481f9b9 1143#endif
ed3883d2 1144
0f113f3e 1145 ret += 2;
6434abbf 1146
0f113f3e
MC		 1147 if (ret >= limit)
1148 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1149
0f113f3e
MC		 1150 /* Add RI if renegotiating */
1151 if (s->renegotiate) {
1152 int el;
5a3d8eeb 1153
0f113f3e
MC		 1154 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1155 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1156 return NULL;
1157 }
5a3d8eeb 1158
0f113f3e
MC		 1159 if ((limit - ret - 4 - el) < 0)
1160 return NULL;
5a3d8eeb 1161
0f113f3e
MC		 1162 s2n(TLSEXT_TYPE_renegotiate, ret);
1163 s2n(el, ret);
5a3d8eeb 1164
0f113f3e
MC		 1165 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1166 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1167 return NULL;
5a3d8eeb 1168 }
edc032b5 1169
0f113f3e
MC		 1170 ret += el;
1171 }
1172 /* Only add RI for SSLv3 */
1173 if (s->client_version == SSL3_VERSION)
1174 goto done;
1175
1176 if (s->tlsext_hostname != NULL) {
1177 /* Add TLS extension servername to the Client Hello message */
1178 unsigned long size_str;
1179 long lenmax;
1180
50e735f9
MC		 1181 /*-
1182 * check for enough space.
1183 * 4 for the servername type and entension length
1184 * 2 for servernamelist length
1185 * 1 for the hostname type
1186 * 2 for hostname length
1187 * + hostname length
1188 */
0f113f3e
MC		 1189
1190 if ((lenmax = limit - ret - 9) < 0
1191 || (size_str =
1192 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1193 return NULL;
1194
1195 /* extension type and length */
1196 s2n(TLSEXT_TYPE_server_name, ret);
1197 s2n(size_str + 5, ret);
1198
1199 /* length of servername list */
1200 s2n(size_str + 3, ret);
1201
1202 /* hostname type, length and hostname */
1203 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1204 s2n(size_str, ret);
1205 memcpy(ret, s->tlsext_hostname, size_str);
1206 ret += size_str;
1207 }
e481f9b9 1208#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1209 /* Add SRP username if there is one */
1210 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1211 * Client Hello message */
1212
1213 int login_len = strlen(s->srp_ctx.login);
1214 if (login_len > 255 || login_len == 0) {
1215 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1216 return NULL;
1217 }
761772d7 1218
50e735f9
MC		 1219 /*-
1220 * check for enough space.
1221 * 4 for the srp type type and entension length
1222 * 1 for the srp user identity
1223 * + srp user identity length
1224 */
0f113f3e
MC		 1225 if ((limit - ret - 5 - login_len) < 0)
1226 return NULL;
1227
1228 /* fill in the extension */
1229 s2n(TLSEXT_TYPE_srp, ret);
1230 s2n(login_len + 1, ret);
1231 (*ret++) = (unsigned char)login_len;
1232 memcpy(ret, s->srp_ctx.login, login_len);
1233 ret += login_len;
1234 }
e481f9b9 1235#endif
0f113f3e 1236
e481f9b9 1237#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1238 if (using_ecc) {
1239 /*
1240 * Add TLS extension ECPointFormats to the ClientHello message
1241 */
1242 long lenmax;
1243 const unsigned char *pcurves, *pformats;
1244 size_t num_curves, num_formats, curves_list_len;
1245 size_t i;
1246 unsigned char *etmp;
1247
1248 tls1_get_formatlist(s, &pformats, &num_formats);
1249
1250 if ((lenmax = limit - ret - 5) < 0)
1251 return NULL;
1252 if (num_formats > (size_t)lenmax)
1253 return NULL;
1254 if (num_formats > 255) {
1255 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1256 return NULL;
1257 }
4817504d 1258
0f113f3e
MC		 1259 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1260 /* The point format list has 1-byte length. */
1261 s2n(num_formats + 1, ret);
1262 *(ret++) = (unsigned char)num_formats;
1263 memcpy(ret, pformats, num_formats);
1264 ret += num_formats;
1265
1266 /*
1267 * Add TLS extension EllipticCurves to the ClientHello message
1268 */
1269 pcurves = s->tlsext_ellipticcurvelist;
1270 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1271 return NULL;
1272
1273 if ((lenmax = limit - ret - 6) < 0)
1274 return NULL;
1275 if (num_curves > (size_t)lenmax / 2)
1276 return NULL;
1277 if (num_curves > 65532 / 2) {
1278 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1279 return NULL;
1280 }
ee2ffc27 1281
0f113f3e
MC		 1282 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1283 etmp = ret + 4;
1284 /* Copy curve ID if supported */
1285 for (i = 0; i < num_curves; i++, pcurves += 2) {
1286 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1287 *etmp++ = pcurves[0];
1288 *etmp++ = pcurves[1];
1289 }
1290 }
01f2f18f 1291
0f113f3e
MC		 1292 curves_list_len = etmp - ret - 4;
1293
1294 s2n(curves_list_len + 2, ret);
1295 s2n(curves_list_len, ret);
1296 ret += curves_list_len;
1297 }
e481f9b9 1298#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1299
1300 if (tls_use_ticket(s)) {
1301 int ticklen;
1302 if (!s->new_session && s->session && s->session->tlsext_tick)
1303 ticklen = s->session->tlsext_ticklen;
1304 else if (s->session && s->tlsext_session_ticket &&
1305 s->tlsext_session_ticket->data) {
1306 ticklen = s->tlsext_session_ticket->length;
1307 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1308 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1309 return NULL;
1310 memcpy(s->session->tlsext_tick,
1311 s->tlsext_session_ticket->data, ticklen);
1312 s->session->tlsext_ticklen = ticklen;
1313 } else
1314 ticklen = 0;
1315 if (ticklen == 0 && s->tlsext_session_ticket &&
1316 s->tlsext_session_ticket->data == NULL)
1317 goto skip_ext;
1318 /*
1319 * Check for enough room 2 for extension type, 2 for len rest for
1320 * ticket
1321 */
1322 if ((long)(limit - ret - 4 - ticklen) < 0)
1323 return NULL;
1324 s2n(TLSEXT_TYPE_session_ticket, ret);
1325 s2n(ticklen, ret);
1326 if (ticklen) {
1327 memcpy(ret, s->session->tlsext_tick, ticklen);
1328 ret += ticklen;
1329 }
1330 }
1331 skip_ext:
1332
1333 if (SSL_USE_SIGALGS(s)) {
1334 size_t salglen;
1335 const unsigned char *salg;
1336 unsigned char *etmp;
1337 salglen = tls12_get_psigalgs(s, &salg);
1338 if ((size_t)(limit - ret) < salglen + 6)
1339 return NULL;
1340 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1341 etmp = ret;
1342 /* Skip over lengths for now */
1343 ret += 4;
1344 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1345 /* Fill in lengths */
1346 s2n(salglen + 2, etmp);
1347 s2n(salglen, etmp);
1348 ret += salglen;
1349 }
0f113f3e
MC		 1350
1351 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1352 int i;
1353 long extlen, idlen, itmp;
1354 OCSP_RESPID *id;
1355
1356 idlen = 0;
1357 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1358 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1359 itmp = i2d_OCSP_RESPID(id, NULL);
1360 if (itmp <= 0)
1361 return NULL;
1362 idlen += itmp + 2;
860c3dd1
DSH		 1363 }
1364
0f113f3e
MC		 1365 if (s->tlsext_ocsp_exts) {
1366 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1367 if (extlen < 0)
1368 return NULL;
1369 } else
1370 extlen = 0;
1371
1372 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1373 return NULL;
1374 s2n(TLSEXT_TYPE_status_request, ret);
1375 if (extlen + idlen > 0xFFF0)
1376 return NULL;
1377 s2n(extlen + idlen + 5, ret);
1378 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1379 s2n(idlen, ret);
1380 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1381 /* save position of id len */
1382 unsigned char *q = ret;
1383 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1384 /* skip over id len */
1385 ret += 2;
1386 itmp = i2d_OCSP_RESPID(id, &ret);
1387 /* write id len */
1388 s2n(itmp, q);
1389 }
1390 s2n(extlen, ret);
1391 if (extlen > 0)
1392 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1393 }
e481f9b9 1394#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1395 /* Add Heartbeat extension */
1396 if ((limit - ret - 4 - 1) < 0)
1397 return NULL;
1398 s2n(TLSEXT_TYPE_heartbeat, ret);
1399 s2n(1, ret);
50e735f9
MC		 1400 /*-
1401 * Set mode:
1402 * 1: peer may send requests
1403 * 2: peer not allowed to send requests
1404 */
0f113f3e
MC		 1405 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1406 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1407 else
1408 *(ret++) = SSL_TLSEXT_HB_ENABLED;
e481f9b9 1409#endif
0f113f3e 1410
e481f9b9 1411#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1412 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1413 /*
1414 * The client advertises an emtpy extension to indicate its support
1415 * for Next Protocol Negotiation
1416 */
1417 if (limit - ret - 4 < 0)
1418 return NULL;
1419 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1420 s2n(0, ret);
1421 }
e481f9b9 1422#endif
0f113f3e
MC		 1423
1424 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1425 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1426 return NULL;
1427 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1428 s2n(2 + s->alpn_client_proto_list_len, ret);
1429 s2n(s->alpn_client_proto_list_len, ret);
1430 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1431 ret += s->alpn_client_proto_list_len;
1432 }
e481f9b9 1433#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1434 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1435 int el;
1436
69f68237
MC		 1437 /* Returns 0 on success!! */
1438 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1439 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1440 return NULL;
1441 }
0f113f3e
MC		 1442
1443 if ((limit - ret - 4 - el) < 0)
1444 return NULL;
1445
1446 s2n(TLSEXT_TYPE_use_srtp, ret);
1447 s2n(el, ret);
1448
1449 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1450 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1451 return NULL;
1452 }
1453 ret += el;
1454 }
e481f9b9 1455#endif
0f113f3e
MC		 1456 custom_ext_init(&s->cert->cli_ext);
1457 /* Add custom TLS Extensions to ClientHello */
1458 if (!custom_ext_add(s, 0, &ret, limit, al))
1459 return NULL;
e481f9b9 1460#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1461 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1462 s2n(0, ret);
e481f9b9 1463#endif
ddc06b35
DSH		 1464 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1465 s2n(0, ret);
0f113f3e
MC		 1466
1467 /*
1468 * Add padding to workaround bugs in F5 terminators. See
1469 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1470 * code works out the length of all existing extensions it MUST always
1471 * appear last.
1472 */
1473 if (s->options & SSL_OP_TLSEXT_PADDING) {
1474 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1475
0f113f3e
MC		 1476 if (hlen > 0xff && hlen < 0x200) {
1477 hlen = 0x200 - hlen;
1478 if (hlen >= 4)
1479 hlen -= 4;
1480 else
1481 hlen = 0;
1482
1483 s2n(TLSEXT_TYPE_padding, ret);
1484 s2n(hlen, ret);
1485 memset(ret, 0, hlen);
1486 ret += hlen;
1487 }
1488 }
5a3d8eeb 1489
0f113f3e 1490 done:
5a3d8eeb 1491
0f113f3e
MC		 1492 if ((extdatalen = ret - orig - 2) == 0)
1493 return orig;
5a3d8eeb 1494
0f113f3e
MC		 1495 s2n(extdatalen, orig);
1496 return ret;
1497}
333f926d 1498
0f113f3e
MC		 1499unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1500 unsigned char *limit, int *al)
1501{
1502 int extdatalen = 0;
1503 unsigned char *orig = buf;
1504 unsigned char *ret = buf;
e481f9b9 1505#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1506 int next_proto_neg_seen;
e481f9b9
MC		 1507#endif
1508#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1509 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1510 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1511 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1512 || (alg_a & SSL_aECDSA);
1513 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1514#endif
0f113f3e
MC		 1515
1516 ret += 2;
1517 if (ret >= limit)
1518 return NULL; /* this really never occurs, but ... */
1519
1520 if (s->s3->send_connection_binding) {
1521 int el;
1522
1523 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1524 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1525 return NULL;
1526 }
333f926d 1527
0f113f3e
MC		 1528 if ((limit - ret - 4 - el) < 0)
1529 return NULL;
333f926d 1530
0f113f3e
MC		 1531 s2n(TLSEXT_TYPE_renegotiate, ret);
1532 s2n(el, ret);
333f926d 1533
0f113f3e
MC		 1534 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1535 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1536 return NULL;
1537 }
333f926d 1538
0f113f3e
MC		 1539 ret += el;
1540 }
1541
1542 /* Only add RI for SSLv3 */
1543 if (s->version == SSL3_VERSION)
1544 goto done;
1545
1546 if (!s->hit && s->servername_done == 1
1547 && s->session->tlsext_hostname != NULL) {
1548 if ((long)(limit - ret - 4) < 0)
1549 return NULL;
1550
1551 s2n(TLSEXT_TYPE_server_name, ret);
1552 s2n(0, ret);
1553 }
e481f9b9 1554#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1555 if (using_ecc) {
1556 const unsigned char *plist;
1557 size_t plistlen;
1558 /*
1559 * Add TLS extension ECPointFormats to the ServerHello message
1560 */
1561 long lenmax;
1562
1563 tls1_get_formatlist(s, &plist, &plistlen);
1564
1565 if ((lenmax = limit - ret - 5) < 0)
1566 return NULL;
1567 if (plistlen > (size_t)lenmax)
1568 return NULL;
1569 if (plistlen > 255) {
1570 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1571 return NULL;
1572 }
4817504d 1573
0f113f3e
MC		 1574 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1575 s2n(plistlen + 1, ret);
1576 *(ret++) = (unsigned char)plistlen;
1577 memcpy(ret, plist, plistlen);
1578 ret += plistlen;
1579
1580 }
1581 /*
1582 * Currently the server should not respond with a SupportedCurves
1583 * extension
1584 */
e481f9b9 1585#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1586
1587 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1588 if ((long)(limit - ret - 4) < 0)
1589 return NULL;
1590 s2n(TLSEXT_TYPE_session_ticket, ret);
1591 s2n(0, ret);
1592 }
1593
1594 if (s->tlsext_status_expected) {
1595 if ((long)(limit - ret - 4) < 0)
1596 return NULL;
1597 s2n(TLSEXT_TYPE_status_request, ret);
1598 s2n(0, ret);
1599 }
0f113f3e 1600
e481f9b9 1601#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1602 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1603 int el;
1604
69f68237 1605 /* Returns 0 on success!! */
61986d32 1606 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1607 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1608 return NULL;
1609 }
0f113f3e
MC		 1610 if ((limit - ret - 4 - el) < 0)
1611 return NULL;
1612
1613 s2n(TLSEXT_TYPE_use_srtp, ret);
1614 s2n(el, ret);
1615
1616 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1617 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1618 return NULL;
1619 }
1620 ret += el;
1621 }
e481f9b9 1622#endif
0f113f3e
MC		 1623
1624 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1625 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1626 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1627 const unsigned char cryptopro_ext[36] = {
1628 0xfd, 0xe8, /* 65000 */
1629 0x00, 0x20, /* 32 bytes length */
1630 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1631 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1632 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1633 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1634 };
1635 if (limit - ret < 36)
1636 return NULL;
1637 memcpy(ret, cryptopro_ext, 36);
1638 ret += 36;
1639
1640 }
e481f9b9 1641#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1642 /* Add Heartbeat extension if we've received one */
1643 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1644 if ((limit - ret - 4 - 1) < 0)
1645 return NULL;
1646 s2n(TLSEXT_TYPE_heartbeat, ret);
1647 s2n(1, ret);
50e735f9
MC		 1648 /*-
1649 * Set mode:
1650 * 1: peer may send requests
1651 * 2: peer not allowed to send requests
1652 */
0f113f3e
MC		 1653 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1654 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1655 else
1656 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1657
1658 }
e481f9b9 1659#endif
0f113f3e 1660
e481f9b9 1661#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1662 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1663 s->s3->next_proto_neg_seen = 0;
1664 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1665 const unsigned char *npa;
1666 unsigned int npalen;
1667 int r;
1668
1669 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1670 s->
1671 ctx->next_protos_advertised_cb_arg);
1672 if (r == SSL_TLSEXT_ERR_OK) {
1673 if ((long)(limit - ret - 4 - npalen) < 0)
1674 return NULL;
1675 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1676 s2n(npalen, ret);
1677 memcpy(ret, npa, npalen);
1678 ret += npalen;
1679 s->s3->next_proto_neg_seen = 1;
1680 }
1681 }
e481f9b9 1682#endif
0f113f3e
MC		 1683 if (!custom_ext_add(s, 1, &ret, limit, al))
1684 return NULL;
e481f9b9 1685#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1686 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1687 /*
1688 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1689 * for other cases too.
1690 */
1691 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1692 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1693 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1694 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1695 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1696 else {
1697 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1698 s2n(0, ret);
1699 }
1700 }
e481f9b9 1701#endif
e7f0d921 1702 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1703 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1704 s2n(0, ret);
1705 }
0f113f3e
MC		 1706
1707 if (s->s3->alpn_selected) {
1708 const unsigned char *selected = s->s3->alpn_selected;
1709 unsigned len = s->s3->alpn_selected_len;
1710
1711 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1712 return NULL;
1713 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1714 s2n(3 + len, ret);
1715 s2n(1 + len, ret);
1716 *ret++ = len;
1717 memcpy(ret, selected, len);
1718 ret += len;
1719 }
1720
1721 done:
1722
1723 if ((extdatalen = ret - orig - 2) == 0)
1724 return orig;
1725
1726 s2n(extdatalen, orig);
1727 return ret;
1728}
a398f821 1729
0f113f3e
MC		 1730/*
1731 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1732 * ClientHello. data: the contents of the extension, not including the type
1733 * and length. data_len: the number of bytes in |data| al: a pointer to the
1734 * alert value to send in the event of a non-zero return. returns: 0 on
1735 * success.
1736 */
9ceb2426 1737static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1738{
9ceb2426
MC		 1739 unsigned int data_len;
1740 unsigned int proto_len;
0f113f3e 1741 const unsigned char *selected;
9ceb2426 1742 unsigned char *data;
0f113f3e
MC		 1743 unsigned char selected_len;
1744 int r;
1745
1746 if (s->ctx->alpn_select_cb == NULL)
1747 return 0;
1748
0f113f3e
MC		 1749 /*
1750 * data should contain a uint16 length followed by a series of 8-bit,
1751 * length-prefixed strings.
1752 */
9ceb2426
MC		 1753 if (!PACKET_get_net_2(pkt, &data_len)
1754 || PACKET_remaining(pkt) != data_len
1755 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1756 goto parse_error;
1757
9ceb2426
MC		 1758 do {
1759 if (!PACKET_get_1(pkt, &proto_len)
1760 || proto_len == 0
1761 || !PACKET_forward(pkt, proto_len))
0f113f3e 1762 goto parse_error;
9ceb2426 1763 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1764
1765 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1766 s->ctx->alpn_select_cb_arg);
1767 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1768 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1769 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1770 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1771 *al = SSL_AD_INTERNAL_ERROR;
1772 return -1;
1773 }
1774 memcpy(s->s3->alpn_selected, selected, selected_len);
1775 s->s3->alpn_selected_len = selected_len;
1776 }
1777 return 0;
1778
1779 parse_error:
1780 *al = SSL_AD_DECODE_ERROR;
1781 return -1;
1782}
6f017a8f 1783
e481f9b9 1784#ifndef OPENSSL_NO_EC
1d97c843
TH		 1785/*-
1786 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1787 * SecureTransport using the TLS extension block in |d|, of length |n|.
1788 * Safari, since 10.6, sends exactly these extensions, in this order:
1789 * SNI,
1790 * elliptic_curves
1791 * ec_point_formats
1792 *
1793 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1794 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1795 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1796 * 10.8..10.8.3 (which don't work).
1797 */
68a16628 1798static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1799{
9ceb2426
MC		 1800 unsigned int type, size;
1801 unsigned char *eblock1, *eblock2;
68a16628 1802 PACKET tmppkt;
9ceb2426 1803
0f113f3e
MC		 1804 static const unsigned char kSafariExtensionsBlock[] = {
1805 0x00, 0x0a, /* elliptic_curves extension */
1806 0x00, 0x08, /* 8 bytes */
1807 0x00, 0x06, /* 6 bytes of curve ids */
1808 0x00, 0x17, /* P-256 */
1809 0x00, 0x18, /* P-384 */
1810 0x00, 0x19, /* P-521 */
1811
1812 0x00, 0x0b, /* ec_point_formats */
1813 0x00, 0x02, /* 2 bytes */
1814 0x01, /* 1 point format */
1815 0x00, /* uncompressed */
1816 };
1817
1818 /* The following is only present in TLS 1.2 */
1819 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1820 0x00, 0x0d, /* signature_algorithms */
1821 0x00, 0x0c, /* 12 bytes */
1822 0x00, 0x0a, /* 10 bytes */
1823 0x05, 0x01, /* SHA-384/RSA */
1824 0x04, 0x01, /* SHA-256/RSA */
1825 0x02, 0x01, /* SHA-1/RSA */
1826 0x04, 0x03, /* SHA-256/ECDSA */
1827 0x02, 0x03, /* SHA-1/ECDSA */
1828 };
1829
68a16628
MC		 1830 tmppkt = *pkt;
1831
1832 if (!PACKET_forward(&tmppkt, 2)
1833 || !PACKET_get_net_2(&tmppkt, &type)
1834 || !PACKET_get_net_2(&tmppkt, &size)
1835 || !PACKET_forward(&tmppkt, size))
0f113f3e 1836 return;
0f113f3e
MC		 1837
1838 if (type != TLSEXT_TYPE_server_name)
1839 return;
1840
0f113f3e
MC		 1841 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1842 const size_t len1 = sizeof(kSafariExtensionsBlock);
1843 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1844
68a16628
MC		 1845 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1846 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1847 || PACKET_remaining(&tmppkt))
0f113f3e 1848 return;
9ceb2426 1849 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1850 return;
9ceb2426 1851 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1852 return;
1853 } else {
1854 const size_t len = sizeof(kSafariExtensionsBlock);
1855
68a16628
MC		 1856 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1857 || PACKET_remaining(&tmppkt))
0f113f3e 1858 return;
9ceb2426 1859 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1860 return;
1861 }
1862
1863 s->s3->is_probably_safari = 1;
dece3209 1864}
e481f9b9 1865#endif /* !OPENSSL_NO_EC */
0f113f3e 1866
9ceb2426 1867static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1868{
9ceb2426
MC		 1869 unsigned int type;
1870 unsigned int size;
1871 unsigned int len;
1872 unsigned char *data;
0f113f3e
MC		 1873 int renegotiate_seen = 0;
1874
1875 s->servername_done = 0;
1876 s->tlsext_status_type = -1;
e481f9b9 1877#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1878 s->s3->next_proto_neg_seen = 0;
e481f9b9 1879#endif
0f113f3e 1880
b548a1f1
RS		 1881 OPENSSL_free(s->s3->alpn_selected);
1882 s->s3->alpn_selected = NULL;
e481f9b9 1883#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1884 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1885 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1886#endif
0f113f3e 1887
e481f9b9 1888#ifndef OPENSSL_NO_EC
0f113f3e 1889 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1890 ssl_check_for_safari(s, pkt);
1891# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1892
1893 /* Clear any signature algorithms extension received */
76106e60
DSH		 1894 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1895 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1896#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1897 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1898#endif
0f113f3e 1899
e481f9b9 1900#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1901 OPENSSL_free(s->srp_ctx.login);
1902 s->srp_ctx.login = NULL;
e481f9b9 1903#endif
0f113f3e
MC		 1904
1905 s->srtp_profile = NULL;
1906
9ceb2426 1907 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1908 goto ri_check;
1909
9ceb2426 1910 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1911 goto err;
1912
52a48f9e
AG		 1913 if (PACKET_remaining(pkt) != len)
1914 goto err;
1915
9ceb2426
MC		 1916 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1917 PACKET subpkt;
0f113f3e 1918
9ceb2426 1919 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1920 goto err;
9ceb2426 1921
0f113f3e
MC		 1922 if (s->tlsext_debug_cb)
1923 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1924
1925 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1926 goto err;
1927
0f113f3e 1928 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1929 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1930 return 0;
1931 renegotiate_seen = 1;
1932 } else if (s->version == SSL3_VERSION) {
1933 }
1d97c843
TH		 1934/*-
1935 * The servername extension is treated as follows:
1936 *
1937 * - Only the hostname type is supported with a maximum length of 255.
1938 * - The servername is rejected if too long or if it contains zeros,
1939 * in which case an fatal alert is generated.
1940 * - The servername field is maintained together with the session cache.
1941 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1942 * to allow the application to position itself to the right context.
1943 * - The servername is acknowledged if it is new for a session or when
1944 * it is identical to a previously used for the same session.
1d97c843
TH		 1945 * Applications can control the behaviour. They can at any time
1946 * set a 'desirable' servername for a new SSL object. This can be the
1947 * case for example with HTTPS when a Host: header field is received and
1948 * a renegotiation is requested. In this case, a possible servername
1949 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1950 * the value of the Host: field.
1d97c843 1951 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1952 * if they provide for changing an explicit servername context for the
1953 * session, i.e. when the session has been established with a servername
1954 * extension.
1955 * - On session reconnect, the servername extension may be absent.
1d97c843 1956 *
0f113f3e 1957 */
ed3883d2 1958
0f113f3e
MC		 1959 else if (type == TLSEXT_TYPE_server_name) {
1960 unsigned char *sdata;
9ceb2426
MC		 1961 unsigned int servname_type;
1962 unsigned int dsize;
1963 PACKET ssubpkt;
0f113f3e 1964
9ceb2426
MC		 1965 if (!PACKET_get_net_2(&subpkt, &dsize)
1966 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 1967 goto err;
0f113f3e 1968
9ceb2426
MC		 1969 while (PACKET_remaining(&ssubpkt) > 3) {
1970 if (!PACKET_get_1(&ssubpkt, &servname_type)
1971 || !PACKET_get_net_2(&ssubpkt, &len)
1972 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 1973 goto err;
1974
0f113f3e
MC		 1975 if (s->servername_done == 0)
1976 switch (servname_type) {
1977 case TLSEXT_NAMETYPE_host_name:
1978 if (!s->hit) {
54e3ad00
MC		 1979 if (s->session->tlsext_hostname)
1980 goto err;
1981
0f113f3e
MC		 1982 if (len > TLSEXT_MAXLEN_host_name) {
1983 *al = TLS1_AD_UNRECOGNIZED_NAME;
1984 return 0;
1985 }
1986 if ((s->session->tlsext_hostname =
1987 OPENSSL_malloc(len + 1)) == NULL) {
1988 *al = TLS1_AD_INTERNAL_ERROR;
1989 return 0;
1990 }
9ceb2426
MC		 1991 if (!PACKET_copy_bytes(&ssubpkt,
1992 (unsigned char *)s->session
1993 ->tlsext_hostname,
1994 len)) {
1995 *al = SSL_AD_DECODE_ERROR;
1996 return 0;
1997 }
0f113f3e
MC		 1998 s->session->tlsext_hostname[len] = '\0';
1999 if (strlen(s->session->tlsext_hostname) != len) {
2000 OPENSSL_free(s->session->tlsext_hostname);
2001 s->session->tlsext_hostname = NULL;
2002 *al = TLS1_AD_UNRECOGNIZED_NAME;
2003 return 0;
2004 }
2005 s->servername_done = 1;
761772d7 2006
9ceb2426
MC		 2007 } else {
2008 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2009 *al = SSL_AD_DECODE_ERROR;
2010 return 0;
2011 }
0f113f3e
MC		 2012 s->servername_done = s->session->tlsext_hostname
2013 && strlen(s->session->tlsext_hostname) == len
2014 && strncmp(s->session->tlsext_hostname,
2015 (char *)sdata, len) == 0;
9ceb2426 2016 }
b2284ed3 2017
0f113f3e 2018 break;
ee2ffc27 2019
0f113f3e
MC		 2020 default:
2021 break;
2022 }
0f113f3e 2023 }
9ceb2426 2024 /* We shouldn't have any bytes left */
bc6616a4 2025 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2026 goto err;
6f017a8f 2027
0f113f3e 2028 }
e481f9b9 2029#ifndef OPENSSL_NO_SRP
0f113f3e 2030 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2031 if (!PACKET_get_1(&subpkt, &len)
2032 || s->srp_ctx.login != NULL)
54e3ad00 2033 goto err;
9ceb2426 2034
0f113f3e
MC		 2035 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2036 return -1;
9ceb2426
MC		 2037 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2038 len))
2039 goto err;
0f113f3e
MC		 2040 s->srp_ctx.login[len] = '\0';
2041
9ceb2426
MC		 2042 if (strlen(s->srp_ctx.login) != len
2043 || PACKET_remaining(&subpkt))
54e3ad00 2044 goto err;
0f113f3e 2045 }
e481f9b9 2046#endif
0f113f3e 2047
e481f9b9 2048#ifndef OPENSSL_NO_EC
0f113f3e 2049 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2050 unsigned int ecpointformatlist_length;
0f113f3e 2051
9ceb2426
MC		 2052 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2053 || ecpointformatlist_length == 0)
54e3ad00 2054 goto err;
9ceb2426 2055
0f113f3e 2056 if (!s->hit) {
b548a1f1
RS		 2057 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2058 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2059 s->session->tlsext_ecpointformatlist_length = 0;
2060 if ((s->session->tlsext_ecpointformatlist =
2061 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2062 *al = TLS1_AD_INTERNAL_ERROR;
2063 return 0;
2064 }
2065 s->session->tlsext_ecpointformatlist_length =
2066 ecpointformatlist_length;
9ceb2426
MC		 2067 if (!PACKET_copy_bytes(&subpkt,
2068 s->session->tlsext_ecpointformatlist,
2069 ecpointformatlist_length))
2070 goto err;
2071 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2072 goto err;
2073 }
2074 /* We should have consumed all the bytes by now */
2075 if (PACKET_remaining(&subpkt)) {
2076 *al = TLS1_AD_DECODE_ERROR;
2077 return 0;
0f113f3e 2078 }
0f113f3e 2079 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2080 unsigned int ellipticcurvelist_length;
0f113f3e 2081
9ceb2426
MC		 2082 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2083 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2084 || ellipticcurvelist_length == 0
2085 || (ellipticcurvelist_length & 1) != 0)
2086 goto err;
54e3ad00 2087
0f113f3e 2088 if (!s->hit) {
54e3ad00
MC		 2089 if (s->session->tlsext_ellipticcurvelist)
2090 goto err;
2091
0f113f3e
MC		 2092 s->session->tlsext_ellipticcurvelist_length = 0;
2093 if ((s->session->tlsext_ellipticcurvelist =
2094 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2095 *al = TLS1_AD_INTERNAL_ERROR;
2096 return 0;
2097 }
2098 s->session->tlsext_ellipticcurvelist_length =
2099 ellipticcurvelist_length;
9ceb2426
MC		 2100 if (!PACKET_copy_bytes(&subpkt,
2101 s->session->tlsext_ellipticcurvelist,
2102 ellipticcurvelist_length))
2103 goto err;
2104 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2105 goto err;
2106 }
2107 /* We should have consumed all the bytes by now */
2108 if (PACKET_remaining(&subpkt)) {
2109 goto err;
0f113f3e 2110 }
0f113f3e 2111 }
e481f9b9 2112#endif /* OPENSSL_NO_EC */
0f113f3e 2113 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2114 if (!PACKET_forward(&subpkt, size)
2115 || (s->tls_session_ticket_ext_cb &&
2116 !s->tls_session_ticket_ext_cb(s, data, size,
2117 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2118 *al = TLS1_AD_INTERNAL_ERROR;
2119 return 0;
2120 }
2121 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2122 unsigned int dsize;
2123
2124 if (s->s3->tmp.peer_sigalgs
2125 || !PACKET_get_net_2(&subpkt, &dsize)
2126 || (dsize & 1) != 0
2127 || (dsize == 0)
2128 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2129 || PACKET_remaining(&subpkt) != 0
9ceb2426 2130 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2131 goto err;
9ceb2426 2132 }
0f113f3e 2133 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2134 PACKET ssubpkt;
0f113f3e 2135
9ceb2426
MC		 2136 if (!PACKET_get_1(&subpkt,
2137 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2138 goto err;
0f113f3e 2139
0f113f3e
MC		 2140 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2141 const unsigned char *sdata;
9ceb2426 2142 unsigned int dsize;
0f113f3e 2143 /* Read in responder_id_list */
9ceb2426
MC		 2144 if (!PACKET_get_net_2(&subpkt, &dsize)
2145 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2146 goto err;
9ceb2426
MC		 2147
2148 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2149 OCSP_RESPID *id;
9ceb2426
MC		 2150 unsigned int idsize;
2151
2152 if (PACKET_remaining(&ssubpkt) < 4
2153 || !PACKET_get_net_2(&ssubpkt, &idsize)
2154 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2155 goto err;
9ceb2426 2156 }
0f113f3e
MC		 2157 sdata = data;
2158 data += idsize;
2159 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2160 if (!id)
2161 goto err;
0f113f3e
MC		 2162 if (data != sdata) {
2163 OCSP_RESPID_free(id);
54e3ad00 2164 goto err;
0f113f3e
MC		 2165 }
2166 if (!s->tlsext_ocsp_ids
2167 && !(s->tlsext_ocsp_ids =
2168 sk_OCSP_RESPID_new_null())) {
2169 OCSP_RESPID_free(id);
2170 *al = SSL_AD_INTERNAL_ERROR;
2171 return 0;
2172 }
2173 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2174 OCSP_RESPID_free(id);
2175 *al = SSL_AD_INTERNAL_ERROR;
2176 return 0;
2177 }
2178 }
4817504d 2179
0f113f3e 2180 /* Read in request_extensions */
9ceb2426
MC		 2181 if (!PACKET_get_net_2(&subpkt, &dsize)
2182 || !PACKET_get_bytes(&subpkt, &data, dsize)
2183 || PACKET_remaining(&subpkt)) {
54e3ad00 2184 goto err;
9ceb2426 2185 }
0f113f3e
MC		 2186 sdata = data;
2187 if (dsize > 0) {
222561fe
RS		 2188 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2189 X509_EXTENSION_free);
0f113f3e
MC		 2190 s->tlsext_ocsp_exts =
2191 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2192 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2193 goto err;
0f113f3e
MC		 2194 }
2195 }
2196 /*
2197 * We don't know what to do with any other type * so ignore it.
2198 */
2199 else
2200 s->tlsext_status_type = -1;
2201 }
e481f9b9 2202#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2203 else if (type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2204 unsigned int hbtype;
2205
2206 if (!PACKET_get_1(&subpkt, &hbtype)
2207 || PACKET_remaining(&subpkt)) {
2208 *al = SSL_AD_DECODE_ERROR;
2209 return 0;
2210 }
2211 switch (hbtype) {
0f113f3e
MC		 2212 case 0x01: /* Client allows us to send HB requests */
2213 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2214 break;
2215 case 0x02: /* Client doesn't accept HB requests */
2216 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2217 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2218 break;
2219 default:
2220 *al = SSL_AD_ILLEGAL_PARAMETER;
2221 return 0;
2222 }
2223 }
e481f9b9
MC		 2224#endif
2225#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2226 else if (type == TLSEXT_TYPE_next_proto_neg &&
2227 s->s3->tmp.finish_md_len == 0 &&
2228 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2229 /*-
2230 * We shouldn't accept this extension on a
2231 * renegotiation.
2232 *
2233 * s->new_session will be set on renegotiation, but we
2234 * probably shouldn't rely that it couldn't be set on
2235 * the initial renegotation too in certain cases (when
2236 * there's some other reason to disallow resuming an
2237 * earlier session -- the current code won't be doing
2238 * anything like that, but this might change).
2239 *
2240 * A valid sign that there's been a previous handshake
2241 * in this connection is if s->s3->tmp.finish_md_len >
2242 * 0. (We are talking about a check that will happen
2243 * in the Hello protocol round, well before a new
2244 * Finished message could have been computed.)
2245 */
0f113f3e
MC		 2246 s->s3->next_proto_neg_seen = 1;
2247 }
e481f9b9 2248#endif
0f113f3e
MC		 2249
2250 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2251 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2252 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2253 return 0;
e481f9b9 2254#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2255 /* ALPN takes precedence over NPN. */
2256 s->s3->next_proto_neg_seen = 0;
e481f9b9 2257#endif
0f113f3e 2258 }
5e3ff62c 2259
0f113f3e 2260 /* session ticket processed earlier */
e481f9b9 2261#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2262 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2263 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2264 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2265 return 0;
2266 }
e481f9b9
MC		 2267#endif
2268#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2269 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2270 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2271#endif
e7f0d921
DSH		 2272 /*
2273 * Note: extended master secret extension handled in
2274 * tls_check_serverhello_tlsext_early()
2275 */
2276
0f113f3e
MC		 2277 /*
2278 * If this ClientHello extension was unhandled and this is a
2279 * nonresumed connection, check whether the extension is a custom
2280 * TLS Extension (has a custom_srv_ext_record), and if so call the
2281 * callback and record the extension number so that an appropriate
2282 * ServerHello may be later returned.
2283 */
2284 else if (!s->hit) {
2285 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2286 return 0;
2287 }
0f113f3e 2288 }
6f017a8f 2289
54e3ad00 2290 /* Spurious data on the end */
9ceb2426 2291 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2292 goto err;
2293
0f113f3e 2294 ri_check:
ed3883d2 2295
0f113f3e
MC		 2296 /* Need RI if renegotiating */
2297
2298 if (!renegotiate_seen && s->renegotiate &&
2299 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2300 *al = SSL_AD_HANDSHAKE_FAILURE;
2301 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2302 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2303 return 0;
2304 }
2305
2306 return 1;
54e3ad00
MC		 2307err:
2308 *al = SSL_AD_DECODE_ERROR;
2309 return 0;
0f113f3e
MC		 2310}
2311
9ceb2426 2312int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2313{
2314 int al = -1;
2315 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2316 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2317 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2318 return 0;
2319 }
2320
2321 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2322 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2323 return 0;
2324 }
2325 return 1;
2326}
2327
e481f9b9 2328#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2329/*
2330 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2331 * elements of zero length are allowed and the set of elements must exactly
2332 * fill the length of the block.
2333 */
50932c4a 2334static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2335{
50932c4a 2336 unsigned int len;
0f113f3e 2337
50932c4a
MC		 2338 while (PACKET_remaining(pkt)) {
2339 if (!PACKET_get_1(pkt, &len)
2340 || !PACKET_forward(pkt, len))
0f113f3e 2341 return 0;
0f113f3e
MC		 2342 }
2343
50932c4a 2344 return 1;
0f113f3e 2345}
e481f9b9 2346#endif
0f113f3e 2347
50932c4a 2348static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2349{
50932c4a 2350 unsigned int length, type, size;
0f113f3e
MC		 2351 int tlsext_servername = 0;
2352 int renegotiate_seen = 0;
2353
e481f9b9 2354#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2355 s->s3->next_proto_neg_seen = 0;
e481f9b9 2356#endif
0f113f3e
MC		 2357 s->tlsext_ticket_expected = 0;
2358
b548a1f1
RS		 2359 OPENSSL_free(s->s3->alpn_selected);
2360 s->s3->alpn_selected = NULL;
e481f9b9 2361#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 2362 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2363 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2364#endif
0f113f3e 2365
e481f9b9 2366#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2367 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2368#endif
0f113f3e 2369
e7f0d921
DSH		 2370 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2371
50932c4a 2372 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2373 goto ri_check;
2374
50932c4a 2375 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2376 *al = SSL_AD_DECODE_ERROR;
2377 return 0;
2378 }
2379
50932c4a
MC		 2380 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2381 unsigned char *data;
2382 PACKET spkt;
0f113f3e 2383
50932c4a
MC		 2384 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2385 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2386 goto ri_check;
2387
2388 if (s->tlsext_debug_cb)
2389 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2390
2391 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2392 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2393 return 0;
2394 renegotiate_seen = 1;
2395 } else if (s->version == SSL3_VERSION) {
2396 } else if (type == TLSEXT_TYPE_server_name) {
2397 if (s->tlsext_hostname == NULL || size > 0) {
2398 *al = TLS1_AD_UNRECOGNIZED_NAME;
2399 return 0;
2400 }
2401 tlsext_servername = 1;
2402 }
e481f9b9 2403#ifndef OPENSSL_NO_EC
0f113f3e 2404 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2405 unsigned int ecpointformatlist_length;
2406 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2407 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2408 *al = TLS1_AD_DECODE_ERROR;
2409 return 0;
2410 }
2411 if (!s->hit) {
2412 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2413 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2414 if ((s->session->tlsext_ecpointformatlist =
2415 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2416 *al = TLS1_AD_INTERNAL_ERROR;
2417 return 0;
2418 }
2419 s->session->tlsext_ecpointformatlist_length =
2420 ecpointformatlist_length;
50932c4a
MC		 2421 if (!PACKET_copy_bytes(&spkt,
2422 s->session->tlsext_ecpointformatlist,
2423 ecpointformatlist_length)) {
2424 *al = TLS1_AD_DECODE_ERROR;
2425 return 0;
2426 }
2427
0f113f3e 2428 }
0f113f3e 2429 }
e481f9b9 2430#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2431
2432 else if (type == TLSEXT_TYPE_session_ticket) {
2433 if (s->tls_session_ticket_ext_cb &&
2434 !s->tls_session_ticket_ext_cb(s, data, size,
2435 s->tls_session_ticket_ext_cb_arg))
2436 {
2437 *al = TLS1_AD_INTERNAL_ERROR;
2438 return 0;
2439 }
2440 if (!tls_use_ticket(s) || (size > 0)) {
2441 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2442 return 0;
2443 }
2444 s->tlsext_ticket_expected = 1;
2445 }
0f113f3e
MC		 2446 else if (type == TLSEXT_TYPE_status_request) {
2447 /*
2448 * MUST be empty and only sent if we've requested a status
2449 * request message.
2450 */
2451 if ((s->tlsext_status_type == -1) || (size > 0)) {
2452 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2453 return 0;
2454 }
2455 /* Set flag to expect CertificateStatus message */
2456 s->tlsext_status_expected = 1;
2457 }
e481f9b9 2458#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2459 else if (type == TLSEXT_TYPE_next_proto_neg &&
2460 s->s3->tmp.finish_md_len == 0) {
2461 unsigned char *selected;
2462 unsigned char selected_len;
0f113f3e
MC		 2463 /* We must have requested it. */
2464 if (s->ctx->next_proto_select_cb == NULL) {
2465 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2466 return 0;
2467 }
2468 /* The data must be valid */
50932c4a 2469 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2470 *al = TLS1_AD_DECODE_ERROR;
2471 return 0;
2472 }
2473 if (s->
2474 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2475 size,
2476 s->ctx->next_proto_select_cb_arg) !=
2477 SSL_TLSEXT_ERR_OK) {
2478 *al = TLS1_AD_INTERNAL_ERROR;
2479 return 0;
2480 }
2481 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2482 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2483 *al = TLS1_AD_INTERNAL_ERROR;
2484 return 0;
2485 }
2486 memcpy(s->next_proto_negotiated, selected, selected_len);
2487 s->next_proto_negotiated_len = selected_len;
2488 s->s3->next_proto_neg_seen = 1;
2489 }
e481f9b9 2490#endif
0f113f3e
MC		 2491
2492 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2493 unsigned len;
0f113f3e
MC		 2494 /* We must have requested it. */
2495 if (s->alpn_client_proto_list == NULL) {
2496 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2497 return 0;
2498 }
50e735f9
MC		 2499 /*-
2500 * The extension data consists of:
2501 * uint16 list_length
2502 * uint8 proto_length;
2503 * uint8 proto[proto_length];
2504 */
50932c4a
MC		 2505 if (!PACKET_get_net_2(&spkt, &len)
2506 || PACKET_remaining(&spkt) != len
2507 || !PACKET_get_1(&spkt, &len)
2508 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2509 *al = TLS1_AD_DECODE_ERROR;
2510 return 0;
2511 }
b548a1f1 2512 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2513 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2514 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2515 *al = TLS1_AD_INTERNAL_ERROR;
2516 return 0;
2517 }
50932c4a
MC		 2518 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2519 *al = TLS1_AD_DECODE_ERROR;
2520 return 0;
2521 }
0f113f3e
MC		 2522 s->s3->alpn_selected_len = len;
2523 }
e481f9b9 2524#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2525 else if (type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2526 unsigned int hbtype;
2527 if (!PACKET_get_1(&spkt, &hbtype)) {
2528 *al = SSL_AD_DECODE_ERROR;
2529 return 0;
2530 }
2531 switch (hbtype) {
0f113f3e
MC		 2532 case 0x01: /* Server allows us to send HB requests */
2533 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2534 break;
2535 case 0x02: /* Server doesn't accept HB requests */
2536 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2537 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2538 break;
2539 default:
2540 *al = SSL_AD_ILLEGAL_PARAMETER;
2541 return 0;
2542 }
2543 }
e481f9b9
MC		 2544#endif
2545#ifndef OPENSSL_NO_SRTP
0f113f3e 2546 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2547 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2548 return 0;
2549 }
e481f9b9
MC		 2550#endif
2551#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2552 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2553 /* Ignore if inappropriate ciphersuite */
2554 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2555 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2556 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2557 }
e481f9b9 2558#endif
ddc06b35 2559 else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2560 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2561 if (!s->hit)
2562 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2563 }
0f113f3e
MC		 2564 /*
2565 * If this extension type was not otherwise handled, but matches a
2566 * custom_cli_ext_record, then send it to the c callback
2567 */
2568 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2569 return 0;
0f113f3e
MC		 2570 }
2571
50932c4a 2572 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2573 *al = SSL_AD_DECODE_ERROR;
2574 return 0;
2575 }
2576
2577 if (!s->hit && tlsext_servername == 1) {
2578 if (s->tlsext_hostname) {
2579 if (s->session->tlsext_hostname == NULL) {
7644a9ae 2580 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2581 if (!s->session->tlsext_hostname) {
2582 *al = SSL_AD_UNRECOGNIZED_NAME;
2583 return 0;
2584 }
2585 } else {
2586 *al = SSL_AD_DECODE_ERROR;
2587 return 0;
2588 }
2589 }
2590 }
2591
0f113f3e
MC		 2592 ri_check:
2593
2594 /*
2595 * Determine if we need to see RI. Strictly speaking if we want to avoid
2596 * an attack we should *always* see RI even on initial server hello
2597 * because the client doesn't see any renegotiation during an attack.
2598 * However this would mean we could not connect to any server which
2599 * doesn't support RI so for the immediate future tolerate RI absence on
2600 * initial connect only.
2601 */
2602 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2603 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2604 *al = SSL_AD_HANDSHAKE_FAILURE;
2605 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2606 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2607 return 0;
2608 }
2609
e7f0d921
DSH		 2610 if (s->hit) {
2611 /*
2612 * Check extended master secret extension is consistent with
2613 * original session.
2614 */
2615 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2616 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2617 *al = SSL_AD_HANDSHAKE_FAILURE;
2618 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2619 return 0;
2620 }
2621 }
2622
0f113f3e
MC		 2623 return 1;
2624}
b2172f4f 2625
36ca4ba6 2626int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2627{
2628
0f113f3e
MC		 2629 return 1;
2630}
36ca4ba6
BM		 2631
2632int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2633{
2634 return 1;
2635}
36ca4ba6 2636
2daceb03 2637static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2638{
2639 int ret = SSL_TLSEXT_ERR_NOACK;
2640 int al = SSL_AD_UNRECOGNIZED_NAME;
2641
e481f9b9 2642#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2643 /*
2644 * The handling of the ECPointFormats extension is done elsewhere, namely
2645 * in ssl3_choose_cipher in s3_lib.c.
2646 */
2647 /*
2648 * The handling of the EllipticCurves extension is done elsewhere, namely
2649 * in ssl3_choose_cipher in s3_lib.c.
2650 */
e481f9b9 2651#endif
0f113f3e
MC		 2652
2653 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2654 ret =
2655 s->ctx->tlsext_servername_callback(s, &al,
2656 s->ctx->tlsext_servername_arg);
2657 else if (s->initial_ctx != NULL
2658 && s->initial_ctx->tlsext_servername_callback != 0)
2659 ret =
2660 s->initial_ctx->tlsext_servername_callback(s, &al,
2661 s->
2662 initial_ctx->tlsext_servername_arg);
2663
0f113f3e
MC		 2664 switch (ret) {
2665 case SSL_TLSEXT_ERR_ALERT_FATAL:
2666 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2667 return -1;
2668
2669 case SSL_TLSEXT_ERR_ALERT_WARNING:
2670 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2671 return 1;
2672
2673 case SSL_TLSEXT_ERR_NOACK:
2674 s->servername_done = 0;
2675 default:
2676 return 1;
2677 }
2678}
d376e57d 2679/* Initialise digests to default values */
a0f63828 2680void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2681{
2682 const EVP_MD **pmd = s->s3->tmp.md;
2683#ifndef OPENSSL_NO_DSA
152fbc28 2684 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2685#endif
2686#ifndef OPENSSL_NO_RSA
d18d31a1 2687 if (SSL_USE_SIGALGS(s))
152fbc28 2688 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2689 else
152fbc28 2690 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2691 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2692#endif
2693#ifndef OPENSSL_NO_EC
152fbc28 2694 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2695#endif
e44380a9 2696#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2697 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2698 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2699 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2700#endif
d376e57d 2701}
f1fd4544 2702
e469af8d 2703int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2704{
2705 int al;
2706 size_t i;
2707 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2708 OPENSSL_free(s->cert->shared_sigalgs);
2709 s->cert->shared_sigalgs = NULL;
2710 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2711 /* Clear certificate digests and validity flags */
2712 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2713 s->s3->tmp.md[i] = NULL;
6383d316 2714 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2715 }
2716
2717 /* If sigalgs received process it. */
76106e60 2718 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2719 if (!tls1_process_sigalgs(s)) {
2720 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2721 al = SSL_AD_INTERNAL_ERROR;
2722 goto err;
2723 }
2724 /* Fatal error is no shared signature algorithms */
2725 if (!s->cert->shared_sigalgs) {
2726 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2727 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2728 al = SSL_AD_ILLEGAL_PARAMETER;
2729 goto err;
2730 }
d376e57d
DSH		 2731 } else {
2732 ssl_set_default_md(s);
2733 }
0f113f3e
MC		 2734 return 1;
2735 err:
2736 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2737 return 0;
2738}
e469af8d 2739
2daceb03 2740int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2741{
2742 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2743 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2744
2745 /*
2746 * If status request then ask callback what to do. Note: this must be
2747 * called after servername callbacks in case the certificate has changed,
2748 * and must be called after the cipher has been chosen because this may
2749 * influence which certificate is sent
2750 */
2751 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2752 int r;
2753 CERT_PKEY *certpkey;
2754 certpkey = ssl_get_server_send_pkey(s);
2755 /* If no certificate can't return certificate status */
2756 if (certpkey == NULL) {
2757 s->tlsext_status_expected = 0;
2758 return 1;
2759 }
2760 /*
2761 * Set current certificate to one we will use so SSL_get_certificate
2762 * et al can pick it up.
2763 */
2764 s->cert->key = certpkey;
2765 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2766 switch (r) {
2767 /* We don't want to send a status request response */
2768 case SSL_TLSEXT_ERR_NOACK:
2769 s->tlsext_status_expected = 0;
2770 break;
2771 /* status request response should be sent */
2772 case SSL_TLSEXT_ERR_OK:
2773 if (s->tlsext_ocsp_resp)
2774 s->tlsext_status_expected = 1;
2775 else
2776 s->tlsext_status_expected = 0;
2777 break;
2778 /* something bad happened */
2779 case SSL_TLSEXT_ERR_ALERT_FATAL:
2780 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2781 al = SSL_AD_INTERNAL_ERROR;
2782 goto err;
2783 }
2784 } else
2785 s->tlsext_status_expected = 0;
2daceb03
BL		 2786
2787 err:
0f113f3e
MC		 2788 switch (ret) {
2789 case SSL_TLSEXT_ERR_ALERT_FATAL:
2790 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2791 return -1;
2792
2793 case SSL_TLSEXT_ERR_ALERT_WARNING:
2794 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2795 return 1;
2796
2797 default:
2798 return 1;
2799 }
2800}
2daceb03 2801
36ca4ba6 2802int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2803{
2804 int ret = SSL_TLSEXT_ERR_NOACK;
2805 int al = SSL_AD_UNRECOGNIZED_NAME;
2806
e481f9b9 2807#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2808 /*
2809 * If we are client and using an elliptic curve cryptography cipher
2810 * suite, then if server returns an EC point formats lists extension it
2811 * must contain uncompressed.
2812 */
2813 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2814 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2815 if ((s->tlsext_ecpointformatlist != NULL)
2816 && (s->tlsext_ecpointformatlist_length > 0)
2817 && (s->session->tlsext_ecpointformatlist != NULL)
2818 && (s->session->tlsext_ecpointformatlist_length > 0)
2819 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2820 || (alg_a & SSL_aECDSA))) {
2821 /* we are using an ECC cipher */
2822 size_t i;
2823 unsigned char *list;
2824 int found_uncompressed = 0;
2825 list = s->session->tlsext_ecpointformatlist;
2826 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2827 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2828 found_uncompressed = 1;
2829 break;
2830 }
2831 }
2832 if (!found_uncompressed) {
2833 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2834 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2835 return -1;
2836 }
2837 }
2838 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2839#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2840
2841 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2842 ret =
2843 s->ctx->tlsext_servername_callback(s, &al,
2844 s->ctx->tlsext_servername_arg);
2845 else if (s->initial_ctx != NULL
2846 && s->initial_ctx->tlsext_servername_callback != 0)
2847 ret =
2848 s->initial_ctx->tlsext_servername_callback(s, &al,
2849 s->
2850 initial_ctx->tlsext_servername_arg);
2851
0f113f3e
MC		 2852 /*
2853 * If we've requested certificate status and we wont get one tell the
2854 * callback
2855 */
2856 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2857 && s->ctx && s->ctx->tlsext_status_cb) {
2858 int r;
2859 /*
2860 * Set resp to NULL, resplen to -1 so callback knows there is no
2861 * response.
2862 */
b548a1f1
RS		 2863 OPENSSL_free(s->tlsext_ocsp_resp);
2864 s->tlsext_ocsp_resp = NULL;
0f113f3e
MC		 2865 s->tlsext_ocsp_resplen = -1;
2866 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2867 if (r == 0) {
2868 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2869 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2870 }
2871 if (r < 0) {
2872 al = SSL_AD_INTERNAL_ERROR;
2873 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2874 }
2875 }
2876
2877 switch (ret) {
2878 case SSL_TLSEXT_ERR_ALERT_FATAL:
2879 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2880 return -1;
2881
2882 case SSL_TLSEXT_ERR_ALERT_WARNING:
2883 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2884 return 1;
2885
2886 case SSL_TLSEXT_ERR_NOACK:
2887 s->servername_done = 0;
2888 default:
2889 return 1;
2890 }
2891}
761772d7 2892
50932c4a 2893int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2894{
2895 int al = -1;
2896 if (s->version < SSL3_VERSION)
2897 return 1;
50932c4a 2898 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2899 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2900 return 0;
2901 }
2902
2903 if (ssl_check_serverhello_tlsext(s) <= 0) {
2904 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2905 return 0;
2906 }
2907 return 1;
09e4e4b9
DSH		 2908}
2909
1d97c843
TH		 2910/*-
2911 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2912 * ClientHello and other operations depend on the result some extensions
2913 * need to be handled at the same time.
2914 *
2915 * Two extensions are currently handled, session ticket and extended master
2916 * secret.
c519e89f 2917 *
b3e2272c
EK		 2918 * session_id: ClientHello session ID.
2919 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2920 * ret: (output) on return, if a ticket was decrypted, then this is set to
2921 * point to the resulting session.
2922 *
2923 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2924 * ciphersuite, in which case we have no use for session tickets and one will
2925 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2926 *
2927 * Returns:
2928 * -1: fatal error, either from parsing or decrypting the ticket.
2929 * 0: no ticket was found (or was ignored, based on settings).
2930 * 1: a zero length extension was found, indicating that the client supports
2931 * session tickets but doesn't currently have one to offer.
2932 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2933 * couldn't be decrypted because of a non-fatal error.
2934 * 3: a ticket was successfully decrypted and *ret was set.
2935 *
2936 * Side effects:
2937 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2938 * a new session ticket to the client because the client indicated support
2939 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2940 * a session ticket or we couldn't use the one it gave us, or if
2941 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2942 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2943 *
2944 * For extended master secret flag is set if the extension is present.
2945 *
6434abbf 2946 */
e7f0d921
DSH		 2947int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2948 const PACKET *session_id,
2949 SSL_SESSION **ret)
0f113f3e 2950{
9ceb2426 2951 unsigned int i;
b3e2272c 2952 PACKET local_ext = *ext;
9ceb2426 2953 int retv = -1;
0f113f3e 2954
e7f0d921
DSH		 2955 int have_ticket = 0;
2956 int use_ticket = tls_use_ticket(s);
2957
0f113f3e
MC		 2958 *ret = NULL;
2959 s->tlsext_ticket_expected = 0;
e7f0d921 2960 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2961
2962 /*
2963 * If tickets disabled behave as if no ticket present to permit stateful
2964 * resumption.
2965 */
9ceb2426 2966 if ((s->version <= SSL3_VERSION))
0f113f3e 2967 return 0;
9ceb2426 2968
b3e2272c 2969 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2970 retv = 0;
2971 goto end;
2972 }
b3e2272c 2973 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2974 unsigned int type, size;
2975
b3e2272c
EK		 2976 if (!PACKET_get_net_2(&local_ext, &type)
2977 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2978 /* Shouldn't ever happen */
2979 retv = -1;
2980 goto end;
2981 }
b3e2272c 2982 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2983 retv = 0;
2984 goto end;
2985 }
e7f0d921 2986 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2987 int r;
9ceb2426
MC		 2988 unsigned char *etick;
2989
e7f0d921
DSH		 2990 /* Duplicate extension */
2991 if (have_ticket != 0) {
2992 retv = -1;
2993 goto end;
2994 }
2995 have_ticket = 1;
2996
0f113f3e
MC		 2997 if (size == 0) {
2998 /*
2999 * The client will accept a ticket but doesn't currently have
3000 * one.
3001 */
3002 s->tlsext_ticket_expected = 1;
9ceb2426 3003 retv = 1;
e7f0d921 3004 continue;
0f113f3e
MC		 3005 }
3006 if (s->tls_session_secret_cb) {
3007 /*
3008 * Indicate that the ticket couldn't be decrypted rather than
3009 * generating the session from ticket now, trigger
3010 * abbreviated handshake based on external mechanism to
3011 * calculate the master secret later.
3012 */
9ceb2426 3013 retv = 2;
e7f0d921 3014 continue;
9ceb2426 3015 }
b3e2272c 3016 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 3017 /* Shouldn't ever happen */
3018 retv = -1;
3019 goto end;
0f113f3e 3020 }
b3e2272c
EK		 3021 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3022 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3023 switch (r) {
3024 case 2: /* ticket couldn't be decrypted */
3025 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3026 retv = 2;
3027 break;
0f113f3e 3028 case 3: /* ticket was decrypted */
9ceb2426
MC		 3029 retv = r;
3030 break;
0f113f3e
MC		 3031 case 4: /* ticket decrypted but need to renew */
3032 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3033 retv = 3;
3034 break;
0f113f3e 3035 default: /* fatal error */
9ceb2426
MC		 3036 retv = -1;
3037 break;
0f113f3e 3038 }
e7f0d921 3039 continue;
c83eda8c 3040 } else {
e7f0d921
DSH		 3041 if (type == TLSEXT_TYPE_extended_master_secret)
3042 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 3043 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3044 retv = -1;
3045 goto end;
3046 }
0f113f3e 3047 }
0f113f3e 3048 }
e7f0d921
DSH		 3049 if (have_ticket == 0)
3050 retv = 0;
9ceb2426 3051end:
9ceb2426 3052 return retv;
0f113f3e 3053}
6434abbf 3054
1d97c843
TH		 3055/*-
3056 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3057 *
3058 * etick: points to the body of the session ticket extension.
3059 * eticklen: the length of the session tickets extenion.
3060 * sess_id: points at the session ID.
3061 * sesslen: the length of the session ID.
3062 * psess: (output) on return, if a ticket was decrypted, then this is set to
3063 * point to the resulting session.
3064 *
3065 * Returns:
bf7c6817 3066 * -2: fatal error, malloc failure.
c519e89f
BM		 3067 * -1: fatal error, either from parsing or decrypting the ticket.
3068 * 2: the ticket couldn't be decrypted.
3069 * 3: a ticket was successfully decrypted and *psess was set.
3070 * 4: same as 3, but the ticket needs to be renewed.
3071 */
0f113f3e
MC		 3072static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3073 int eticklen, const unsigned char *sess_id,
3074 int sesslen, SSL_SESSION **psess)
3075{
3076 SSL_SESSION *sess;
3077 unsigned char *sdec;
3078 const unsigned char *p;
3079 int slen, mlen, renew_ticket = 0;
3080 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3081 HMAC_CTX *hctx = NULL;
0f113f3e
MC		 3082 EVP_CIPHER_CTX ctx;
3083 SSL_CTX *tctx = s->initial_ctx;
3084 /* Need at least keyname + iv + some encrypted data */
3085 if (eticklen < 48)
3086 return 2;
3087 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3088 hctx = HMAC_CTX_new();
3089 if (hctx == NULL)
3090 return -2;
0f113f3e
MC		 3091 EVP_CIPHER_CTX_init(&ctx);
3092 if (tctx->tlsext_ticket_key_cb) {
3093 unsigned char *nctick = (unsigned char *)etick;
3094 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
bf7c6817 3095 &ctx, hctx, 0);
0f113f3e
MC		 3096 if (rv < 0)
3097 return -1;
3098 if (rv == 0)
3099 return 2;
3100 if (rv == 2)
3101 renew_ticket = 1;
3102 } else {
3103 /* Check key name matches */
3104 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3105 return 2;
bf7c6817 3106 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
5f3d93e4
MC		 3107 EVP_sha256(), NULL) <= 0
3108 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3109 tctx->tlsext_tick_aes_key,
3110 etick + 16) <= 0) {
3111 goto err;
3112 }
0f113f3e
MC		 3113 }
3114 /*
3115 * Attempt to process session ticket, first conduct sanity and integrity
3116 * checks on ticket.
3117 */
bf7c6817 3118 mlen = HMAC_size(hctx);
0f113f3e 3119 if (mlen < 0) {
5f3d93e4 3120 goto err;
0f113f3e
MC		 3121 }
3122 eticklen -= mlen;
3123 /* Check HMAC of encrypted ticket */
bf7c6817
RL		 3124 if (HMAC_Update(hctx, etick, eticklen) <= 0
3125 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3126 goto err;
3127 }
bf7c6817 3128 HMAC_CTX_free(hctx);
0f113f3e
MC		 3129 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3130 EVP_CIPHER_CTX_cleanup(&ctx);
3131 return 2;
3132 }
3133 /* Attempt to decrypt session data */
3134 /* Move p after IV to start of encrypted ticket, update length */
3135 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3136 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3137 sdec = OPENSSL_malloc(eticklen);
5f3d93e4
MC		 3138 if (sdec == NULL
3139 || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
0f113f3e
MC		 3140 EVP_CIPHER_CTX_cleanup(&ctx);
3141 return -1;
3142 }
0f113f3e
MC		 3143 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3144 EVP_CIPHER_CTX_cleanup(&ctx);
3145 OPENSSL_free(sdec);
3146 return 2;
3147 }
3148 slen += mlen;
3149 EVP_CIPHER_CTX_cleanup(&ctx);
3150 p = sdec;
3151
3152 sess = d2i_SSL_SESSION(NULL, &p, slen);
3153 OPENSSL_free(sdec);
3154 if (sess) {
3155 /*
3156 * The session ID, if non-empty, is used by some clients to detect
3157 * that the ticket has been accepted. So we copy it to the session
3158 * structure. If it is empty set length to zero as required by
3159 * standard.
3160 */
3161 if (sesslen)
3162 memcpy(sess->session_id, sess_id, sesslen);
3163 sess->session_id_length = sesslen;
3164 *psess = sess;
3165 if (renew_ticket)
3166 return 4;
3167 else
3168 return 3;
3169 }
3170 ERR_clear_error();
3171 /*
3172 * For session parse failure, indicate that we need to send a new ticket.
3173 */
3174 return 2;
5f3d93e4
MC		 3175err:
3176 EVP_CIPHER_CTX_cleanup(&ctx);
bf7c6817 3177 HMAC_CTX_free(hctx);
5f3d93e4 3178 return -1;
0f113f3e 3179}
6434abbf 3180
6b7be581
DSH		 3181/* Tables to translate from NIDs to TLS v1.2 ids */
3182
0f113f3e
MC		 3183typedef struct {
3184 int nid;
3185 int id;
3186} tls12_lookup;
6b7be581 3187
d97ed219 3188static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3189 {NID_md5, TLSEXT_hash_md5},
3190 {NID_sha1, TLSEXT_hash_sha1},
3191 {NID_sha224, TLSEXT_hash_sha224},
3192 {NID_sha256, TLSEXT_hash_sha256},
3193 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3194 {NID_sha512, TLSEXT_hash_sha512},
3195 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3196 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3197 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3198};
3199
d97ed219 3200static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3201 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3202 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3203 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3204 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3205 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3206 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3207};
3208
d97ed219 3209static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3210{
3211 size_t i;
3212 for (i = 0; i < tlen; i++) {
3213 if (table[i].nid == nid)
3214 return table[i].id;
3215 }
3216 return -1;
3217}
e7f8ff43 3218
d97ed219 3219static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3220{
3221 size_t i;
3222 for (i = 0; i < tlen; i++) {
3223 if ((table[i].id) == id)
3224 return table[i].nid;
3225 }
3226 return NID_undef;
3227}
3228
3229int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3230 const EVP_MD *md)
3231{
3232 int sig_id, md_id;
3233 if (!md)
3234 return 0;
b6eb9827 3235 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3236 if (md_id == -1)
3237 return 0;
3238 sig_id = tls12_get_sigid(pk);
3239 if (sig_id == -1)
3240 return 0;
3241 p[0] = (unsigned char)md_id;
3242 p[1] = (unsigned char)sig_id;
3243 return 1;
3244}
6b7be581 3245
a2f9200f 3246int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3247{
b6eb9827 3248 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3249}
3250
3251typedef struct {
3252 int nid;
3253 int secbits;
7afd2312 3254 int md_idx;
e44380a9 3255 unsigned char tlsext_hash;
0f113f3e 3256} tls12_hash_info;
b362ccab
DSH		 3257
3258static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3259 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3260 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3261 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3262 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3263 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3264 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3265 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3266 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3267 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
b362ccab 3268};
a2f9200f 3269
b362ccab 3270static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3271{
e44380a9 3272 unsigned int i;
0f113f3e
MC		 3273 if (hash_alg == 0)
3274 return NULL;
e44380a9
DB		 3275
3276 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3277 {
3278 if (tls12_md_info[i].tlsext_hash == hash_alg)
3279 return tls12_md_info + i;
3280 }
3281
3282 return NULL;
0f113f3e 3283}
a2f9200f 3284
b362ccab 3285const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3286{
3287 const tls12_hash_info *inf;
3288 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3289 return NULL;
3290 inf = tls12_get_hash_info(hash_alg);
7afd2312 3291 if (!inf)
0f113f3e 3292 return NULL;
7afd2312 3293 return ssl_md(inf->md_idx);
0f113f3e 3294}
a2f9200f 3295
4453cd8c 3296static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3297{
3298 switch (sig_alg) {
e481f9b9 3299#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3300 case TLSEXT_signature_rsa:
3301 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3302#endif
3303#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3304 case TLSEXT_signature_dsa:
3305 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3306#endif
3307#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3308 case TLSEXT_signature_ecdsa:
3309 return SSL_PKEY_ECC;
e481f9b9 3310#endif
e44380a9
DB		 3311# ifndef OPENSSL_NO_GOST
3312 case TLSEXT_signature_gostr34102001:
3313 return SSL_PKEY_GOST01;
3314
3315 case TLSEXT_signature_gostr34102012_256:
3316 return SSL_PKEY_GOST12_256;
3317
3318 case TLSEXT_signature_gostr34102012_512:
3319 return SSL_PKEY_GOST12_512;
3320# endif
0f113f3e
MC		 3321 }
3322 return -1;
3323}
4453cd8c
DSH		 3324
3325/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3326static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3327 int *psignhash_nid, const unsigned char *data)
3328{
330dcb09 3329 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3330 if (!phash_nid && !psign_nid && !psignhash_nid)
3331 return;
3332 if (phash_nid || psignhash_nid) {
b6eb9827 3333 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3334 if (phash_nid)
3335 *phash_nid = hash_nid;
3336 }
3337 if (psign_nid || psignhash_nid) {
b6eb9827 3338 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3339 if (psign_nid)
3340 *psign_nid = sign_nid;
3341 }
3342 if (psignhash_nid) {
330dcb09
MC		 3343 if (sign_nid == NID_undef || hash_nid == NID_undef
3344 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3345 sign_nid) <= 0)
0f113f3e
MC		 3346 *psignhash_nid = NID_undef;
3347 }
3348}
3349
b362ccab
DSH		 3350/* Check to see if a signature algorithm is allowed */
3351static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3352{
3353 /* See if we have an entry in the hash table and it is enabled */
3354 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3355 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3356 return 0;
3357 /* See if public key algorithm allowed */
3358 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3359 return 0;
3360 /* Finally see if security callback allows it */
3361 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3362}
3363
3364/*
3365 * Get a mask of disabled public key algorithms based on supported signature
3366 * algorithms. For example if no signature algorithm supports RSA then RSA is
3367 * disabled.
b362ccab
DSH		 3368 */
3369
90d9e49a 3370void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3371{
3372 const unsigned char *sigalgs;
3373 size_t i, sigalgslen;
3374 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3375 /*
3376 * Now go through all signature algorithms seeing if we support any for
3377 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3378 * down calls to security callback only check if we have to.
3379 */
3380 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3381 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3382 switch (sigalgs[1]) {
e481f9b9 3383#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3384 case TLSEXT_signature_rsa:
3385 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3386 have_rsa = 1;
3387 break;
e481f9b9
MC		 3388#endif
3389#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3390 case TLSEXT_signature_dsa:
3391 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3392 have_dsa = 1;
3393 break;
e481f9b9
MC		 3394#endif
3395#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3396 case TLSEXT_signature_ecdsa:
3397 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3398 have_ecdsa = 1;
3399 break;
e481f9b9 3400#endif
0f113f3e
MC		 3401 }
3402 }
3403 if (!have_rsa)
3404 *pmask_a |= SSL_aRSA;
3405 if (!have_dsa)
3406 *pmask_a |= SSL_aDSS;
3407 if (!have_ecdsa)
3408 *pmask_a |= SSL_aECDSA;
3409}
b362ccab
DSH		 3410
3411size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3412 const unsigned char *psig, size_t psiglen)
3413{
3414 unsigned char *tmpout = out;
3415 size_t i;
3416 for (i = 0; i < psiglen; i += 2, psig += 2) {
3417 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3418 *tmpout++ = psig[0];
3419 *tmpout++ = psig[1];
3420 }
3421 }
3422 return tmpout - out;
3423}
b362ccab 3424
4453cd8c 3425/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3426static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3427 const unsigned char *pref, size_t preflen,
3428 const unsigned char *allow, size_t allowlen)
3429{
3430 const unsigned char *ptmp, *atmp;
3431 size_t i, j, nmatch = 0;
3432 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3433 /* Skip disabled hashes or signature algorithms */
3434 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3435 continue;
3436 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3437 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3438 nmatch++;
3439 if (shsig) {
3440 shsig->rhash = ptmp[0];
3441 shsig->rsign = ptmp[1];
3442 tls1_lookup_sigalg(&shsig->hash_nid,
3443 &shsig->sign_nid,
3444 &shsig->signandhash_nid, ptmp);
3445 shsig++;
3446 }
3447 break;
3448 }
3449 }
3450 }
3451 return nmatch;
3452}
4453cd8c
DSH		 3453
3454/* Set shared signature algorithms for SSL structures */
3455static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3456{
3457 const unsigned char *pref, *allow, *conf;
3458 size_t preflen, allowlen, conflen;
3459 size_t nmatch;
3460 TLS_SIGALGS *salgs = NULL;
3461 CERT *c = s->cert;
3462 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3463
3464 OPENSSL_free(c->shared_sigalgs);
3465 c->shared_sigalgs = NULL;
3466 c->shared_sigalgslen = 0;
0f113f3e
MC		 3467 /* If client use client signature algorithms if not NULL */
3468 if (!s->server && c->client_sigalgs && !is_suiteb) {
3469 conf = c->client_sigalgs;
3470 conflen = c->client_sigalgslen;
3471 } else if (c->conf_sigalgs && !is_suiteb) {
3472 conf = c->conf_sigalgs;
3473 conflen = c->conf_sigalgslen;
3474 } else
3475 conflen = tls12_get_psigalgs(s, &conf);
3476 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3477 pref = conf;
3478 preflen = conflen;
76106e60
DSH		 3479 allow = s->s3->tmp.peer_sigalgs;
3480 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3481 } else {
3482 allow = conf;
3483 allowlen = conflen;
76106e60
DSH		 3484 pref = s->s3->tmp.peer_sigalgs;
3485 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3486 }
3487 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3488 if (nmatch) {
3489 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3490 if (salgs == NULL)
34e3edbf
DSH		 3491 return 0;
3492 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3493 } else {
3494 salgs = NULL;
3495 }
0f113f3e
MC		 3496 c->shared_sigalgs = salgs;
3497 c->shared_sigalgslen = nmatch;
3498 return 1;
3499}
4453cd8c 3500
6b7be581
DSH		 3501/* Set preferred digest for each key type */
3502
c800c27a 3503int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3504{
3505 CERT *c = s->cert;
3506 /* Extension ignored for inappropriate versions */
3507 if (!SSL_USE_SIGALGS(s))
3508 return 1;
3509 /* Should never happen */
3510 if (!c)
3511 return 0;
3512
76106e60
DSH		 3513 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3514 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3515 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3516 return 0;
76106e60
DSH		 3517 s->s3->tmp.peer_sigalgslen = dsize;
3518 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3519 return 1;
3520}
6b7be581 3521
c800c27a 3522int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3523{
3524 int idx;
3525 size_t i;
3526 const EVP_MD *md;
d376e57d 3527 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3528 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3529 CERT *c = s->cert;
3530 TLS_SIGALGS *sigptr;
3531 if (!tls1_set_shared_sigalgs(s))
3532 return 0;
3533
e481f9b9 3534#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3535 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3536 /*
3537 * Use first set signature preference to force message digest,
3538 * ignoring any peer preferences.
3539 */
3540 const unsigned char *sigs = NULL;
3541 if (s->server)
3542 sigs = c->conf_sigalgs;
3543 else
3544 sigs = c->client_sigalgs;
3545 if (sigs) {
3546 idx = tls12_get_pkey_idx(sigs[1]);
3547 md = tls12_get_hash(sigs[0]);
d376e57d 3548 pmd[idx] = md;
6383d316 3549 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3550 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3551 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3552 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3553 }
3554 }
3555 }
e481f9b9 3556#endif
0f113f3e
MC		 3557
3558 for (i = 0, sigptr = c->shared_sigalgs;
3559 i < c->shared_sigalgslen; i++, sigptr++) {
3560 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3561 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3562 md = tls12_get_hash(sigptr->rhash);
d376e57d 3563 pmd[idx] = md;
6383d316 3564 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3565 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3566 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3567 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3568 }
3569 }
6b7be581 3570
0f113f3e
MC		 3571 }
3572 /*
3573 * In strict mode leave unset digests as NULL to indicate we can't use
3574 * the certificate for signing.
3575 */
3576 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3577 /*
3578 * Set any remaining keys to default values. NOTE: if alg is not
3579 * supported it stays as NULL.
3580 */
e481f9b9 3581#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3582 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3583 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3584#endif
3585#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3586 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3587 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3588 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3589 }
e481f9b9
MC		 3590#endif
3591#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3592 if (pmd[SSL_PKEY_ECC] == NULL)
3593 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3594#endif
e44380a9
DB		 3595# ifndef OPENSSL_NO_GOST
3596 if (pmd[SSL_PKEY_GOST01] == NULL)
3597 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3598 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3599 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3600 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3601 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3602# endif
0f113f3e
MC		 3603 }
3604 return 1;
3605}
4817504d 3606
e7f8ff43 3607int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3608 int *psign, int *phash, int *psignhash,
3609 unsigned char *rsig, unsigned char *rhash)
3610{
76106e60 3611 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3612 if (psig == NULL)
3613 return 0;
3614 if (idx >= 0) {
3615 idx <<= 1;
76106e60 3616 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3617 return 0;
3618 psig += idx;
3619 if (rhash)
3620 *rhash = psig[0];
3621 if (rsig)
3622 *rsig = psig[1];
3623 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3624 }
76106e60 3625 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3626}
4453cd8c
DSH		 3627
3628int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3629 int *psign, int *phash, int *psignhash,
3630 unsigned char *rsig, unsigned char *rhash)
3631{
3632 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3633 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3634 return 0;
3635 shsigalgs += idx;
3636 if (phash)
3637 *phash = shsigalgs->hash_nid;
3638 if (psign)
3639 *psign = shsigalgs->sign_nid;
3640 if (psignhash)
3641 *psignhash = shsigalgs->signandhash_nid;
3642 if (rsig)
3643 *rsig = shsigalgs->rsign;
3644 if (rhash)
3645 *rhash = shsigalgs->rhash;
3646 return s->cert->shared_sigalgslen;
3647}
3648
e481f9b9 3649#ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3650int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3651{
2c60ed04 3652 unsigned char *pl;
0f113f3e
MC		 3653 unsigned short hbtype;
3654 unsigned int payload;
3655 unsigned int padding = 16; /* Use minimum padding */
3656
3657 if (s->msg_callback)
3658 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3659 p, length,
0f113f3e
MC		 3660 s, s->msg_callback_arg);
3661
3662 /* Read type and payload length first */
258f8721 3663 if (1 + 2 + 16 > length)
0f113f3e
MC		 3664 return 0; /* silently discard */
3665 hbtype = *p++;
3666 n2s(p, payload);
258f8721 3667 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3668 return 0; /* silently discard per RFC 6520 sec. 4 */
3669 pl = p;
3670
3671 if (hbtype == TLS1_HB_REQUEST) {
3672 unsigned char *buffer, *bp;
3673 int r;
3674
3675 /*
3676 * Allocate memory for the response, size is 1 bytes message type,
3677 * plus 2 bytes payload length, plus payload, plus padding
3678 */
3679 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3680 if (buffer == NULL) {
3681 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3682 return -1;
3683 }
3684 bp = buffer;
3685
3686 /* Enter response type, length and copy payload */
3687 *bp++ = TLS1_HB_RESPONSE;
3688 s2n(payload, bp);
3689 memcpy(bp, pl, payload);
3690 bp += payload;
3691 /* Random padding */
266483d2
MC		 3692 if (RAND_bytes(bp, padding) <= 0) {
3693 OPENSSL_free(buffer);
3694 return -1;
3695 }
0f113f3e
MC		 3696
3697 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3698 3 + payload + padding);
3699
3700 if (r >= 0 && s->msg_callback)
3701 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3702 buffer, 3 + payload + padding,
3703 s, s->msg_callback_arg);
3704
3705 OPENSSL_free(buffer);
3706
3707 if (r < 0)
3708 return r;
3709 } else if (hbtype == TLS1_HB_RESPONSE) {
3710 unsigned int seq;
3711
3712 /*
3713 * We only send sequence numbers (2 bytes unsigned int), and 16
3714 * random bytes, so we just try to read the sequence number
3715 */
3716 n2s(pl, seq);
3717
3718 if (payload == 18 && seq == s->tlsext_hb_seq) {
3719 s->tlsext_hb_seq++;
3720 s->tlsext_hb_pending = 0;
3721 }
3722 }
3723
3724 return 0;
3725}
0f229cce 3726
0f113f3e
MC		 3727int tls1_heartbeat(SSL *s)
3728{
3729 unsigned char *buf, *p;
266483d2 3730 int ret = -1;
0f113f3e
MC		 3731 unsigned int payload = 18; /* Sequence number + random bytes */
3732 unsigned int padding = 16; /* Use minimum padding */
3733
3734 /* Only send if peer supports and accepts HB requests... */
3735 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3736 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3737 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3738 return -1;
3739 }
3740
3741 /* ...and there is none in flight yet... */
3742 if (s->tlsext_hb_pending) {
3743 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3744 return -1;
3745 }
3746
3747 /* ...and no handshake in progress. */
024f543c 3748 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
0f113f3e
MC		 3749 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3750 return -1;
3751 }
3752
50e735f9
MC		 3753 /*-
3754 * Create HeartBeat message, we just use a sequence number
3755 * as payload to distuingish different messages and add
3756 * some random stuff.
3757 * - Message Type, 1 byte
3758 * - Payload Length, 2 bytes (unsigned int)
3759 * - Payload, the sequence number (2 bytes uint)
3760 * - Payload, random bytes (16 bytes uint)
3761 * - Padding
3762 */
0f113f3e
MC		 3763 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3764 if (buf == NULL) {
3765 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3766 return -1;
3767 }
3768 p = buf;
3769 /* Message Type */
3770 *p++ = TLS1_HB_REQUEST;
3771 /* Payload length (18 bytes here) */
3772 s2n(payload, p);
3773 /* Sequence number */
3774 s2n(s->tlsext_hb_seq, p);
3775 /* 16 random bytes */
266483d2
MC		 3776 if (RAND_bytes(p, 16) <= 0) {
3777 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3778 goto err;
3779 }
0f113f3e
MC		 3780 p += 16;
3781 /* Random padding */
266483d2
MC		 3782 if (RAND_bytes(p, padding) <= 0) {
3783 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3784 goto err;
3785 }
0f113f3e
MC		 3786
3787 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3788 if (ret >= 0) {
3789 if (s->msg_callback)
3790 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3791 buf, 3 + payload + padding,
3792 s, s->msg_callback_arg);
3793
3794 s->tlsext_hb_pending = 1;
3795 }
3796
266483d2 3797 err:
0f113f3e 3798 OPENSSL_free(buf);
0f113f3e
MC		 3799 return ret;
3800}
e481f9b9 3801#endif
0f113f3e 3802
e481f9b9 3803#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3804
0f113f3e
MC		 3805typedef struct {
3806 size_t sigalgcnt;
3807 int sigalgs[MAX_SIGALGLEN];
3808} sig_cb_st;
0f229cce 3809
431f458d
DSH		 3810static void get_sigorhash(int *psig, int *phash, const char *str)
3811{
3812 if (strcmp(str, "RSA") == 0) {
3813 *psig = EVP_PKEY_RSA;
3814 } else if (strcmp(str, "DSA") == 0) {
3815 *psig = EVP_PKEY_DSA;
3816 } else if (strcmp(str, "ECDSA") == 0) {
3817 *psig = EVP_PKEY_EC;
3818 } else {
3819 *phash = OBJ_sn2nid(str);
3820 if (*phash == NID_undef)
3821 *phash = OBJ_ln2nid(str);
3822 }
3823}
3824
0f229cce 3825static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3826{
3827 sig_cb_st *sarg = arg;
3828 size_t i;
3829 char etmp[20], *p;
431f458d 3830 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3831 if (elem == NULL)
3832 return 0;
0f113f3e
MC		 3833 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3834 return 0;
3835 if (len > (int)(sizeof(etmp) - 1))
3836 return 0;
3837 memcpy(etmp, elem, len);
3838 etmp[len] = 0;
3839 p = strchr(etmp, '+');
3840 if (!p)
3841 return 0;
3842 *p = 0;
3843 p++;
3844 if (!*p)
3845 return 0;
3846
431f458d
DSH		 3847 get_sigorhash(&sig_alg, &hash_alg, etmp);
3848 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3849
431f458d 3850 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3851 return 0;
3852
3853 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3854 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3855 return 0;
3856 }
3857 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3858 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3859 return 1;
3860}
3861
3862/*
3863 * Set suppored signature algorithms based on a colon separated list of the
3864 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3865 */
3dbc46df 3866int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3867{
3868 sig_cb_st sig;
3869 sig.sigalgcnt = 0;
3870 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3871 return 0;
3872 if (c == NULL)
3873 return 1;
3874 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3875}
3876
3877int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3878 int client)
3879{
3880 unsigned char *sigalgs, *sptr;
3881 int rhash, rsign;
3882 size_t i;
3883 if (salglen & 1)
3884 return 0;
3885 sigalgs = OPENSSL_malloc(salglen);
3886 if (sigalgs == NULL)
3887 return 0;
3888 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3889 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3890 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3891
3892 if (rhash == -1 || rsign == -1)
3893 goto err;
3894 *sptr++ = rhash;
3895 *sptr++ = rsign;
3896 }
3897
3898 if (client) {
b548a1f1 3899 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3900 c->client_sigalgs = sigalgs;
3901 c->client_sigalgslen = salglen;
3902 } else {
b548a1f1 3903 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3904 c->conf_sigalgs = sigalgs;
3905 c->conf_sigalgslen = salglen;
3906 }
3907
3908 return 1;
3909
3910 err:
3911 OPENSSL_free(sigalgs);
3912 return 0;
3913}
4453cd8c 3914
d61ff83b 3915static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3916{
3917 int sig_nid;
3918 size_t i;
3919 if (default_nid == -1)
3920 return 1;
3921 sig_nid = X509_get_signature_nid(x);
3922 if (default_nid)
3923 return sig_nid == default_nid ? 1 : 0;
3924 for (i = 0; i < c->shared_sigalgslen; i++)
3925 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3926 return 1;
3927 return 0;
3928}
3929
6dbb6219
DSH		 3930/* Check to see if a certificate issuer name matches list of CA names */
3931static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3932{
3933 X509_NAME *nm;
3934 int i;
3935 nm = X509_get_issuer_name(x);
3936 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3937 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3938 return 1;
3939 }
3940 return 0;
3941}
3942
3943/*
3944 * Check certificate chain is consistent with TLS extensions and is usable by
3945 * server. This servers two purposes: it allows users to check chains before
3946 * passing them to the server and it allows the server to check chains before
3947 * attempting to use them.
d61ff83b 3948 */
6dbb6219
DSH		 3949
3950/* Flags which need to be set for a certificate when stict mode not set */
3951
e481f9b9 3952#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3953 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3954/* Strict mode flags */
e481f9b9 3955#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3956 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3957 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3958
d61ff83b 3959int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3960 int idx)
3961{
3962 int i;
3963 int rv = 0;
3964 int check_flags = 0, strict_mode;
3965 CERT_PKEY *cpk = NULL;
3966 CERT *c = s->cert;
f7d53487 3967 uint32_t *pvalid;
0f113f3e
MC		 3968 unsigned int suiteb_flags = tls1_suiteb(s);
3969 /* idx == -1 means checking server chains */
3970 if (idx != -1) {
3971 /* idx == -2 means checking client certificate chains */
3972 if (idx == -2) {
3973 cpk = c->key;
3974 idx = cpk - c->pkeys;
3975 } else
3976 cpk = c->pkeys + idx;
6383d316 3977 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3978 x = cpk->x509;
3979 pk = cpk->privatekey;
3980 chain = cpk->chain;
3981 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3982 /* If no cert or key, forget it */
3983 if (!x || !pk)
3984 goto end;
e481f9b9 3985#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3986 /* Allow any certificate to pass test */
3987 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3988 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3989 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3990 *pvalid = rv;
0f113f3e
MC		 3991 return rv;
3992 }
e481f9b9 3993#endif
0f113f3e
MC		 3994 } else {
3995 if (!x || !pk)
d813f9eb 3996 return 0;
0f113f3e
MC		 3997 idx = ssl_cert_type(x, pk);
3998 if (idx == -1)
d813f9eb 3999 return 0;
6383d316
DSH		 4000 pvalid = s->s3->tmp.valid_flags + idx;
4001
0f113f3e
MC		 4002 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4003 check_flags = CERT_PKEY_STRICT_FLAGS;
4004 else
4005 check_flags = CERT_PKEY_VALID_FLAGS;
4006 strict_mode = 1;
4007 }
4008
4009 if (suiteb_flags) {
4010 int ok;
4011 if (check_flags)
4012 check_flags |= CERT_PKEY_SUITEB;
4013 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4014 if (ok == X509_V_OK)
4015 rv |= CERT_PKEY_SUITEB;
4016 else if (!check_flags)
4017 goto end;
4018 }
4019
4020 /*
4021 * Check all signature algorithms are consistent with signature
4022 * algorithms extension if TLS 1.2 or later and strict mode.
4023 */
4024 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4025 int default_nid;
4026 unsigned char rsign = 0;
76106e60 4027 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 4028 default_nid = 0;
4029 /* If no sigalgs extension use defaults from RFC5246 */
4030 else {
4031 switch (idx) {
4032 case SSL_PKEY_RSA_ENC:
4033 case SSL_PKEY_RSA_SIGN:
4034 case SSL_PKEY_DH_RSA:
4035 rsign = TLSEXT_signature_rsa;
4036 default_nid = NID_sha1WithRSAEncryption;
4037 break;
4038
4039 case SSL_PKEY_DSA_SIGN:
4040 case SSL_PKEY_DH_DSA:
4041 rsign = TLSEXT_signature_dsa;
4042 default_nid = NID_dsaWithSHA1;
4043 break;
4044
4045 case SSL_PKEY_ECC:
4046 rsign = TLSEXT_signature_ecdsa;
4047 default_nid = NID_ecdsa_with_SHA1;
4048 break;
4049
e44380a9
DB		 4050 case SSL_PKEY_GOST01:
4051 rsign = TLSEXT_signature_gostr34102001;
4052 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4053 break;
4054
4055 case SSL_PKEY_GOST12_256:
4056 rsign = TLSEXT_signature_gostr34102012_256;
4057 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4058 break;
4059
4060 case SSL_PKEY_GOST12_512:
4061 rsign = TLSEXT_signature_gostr34102012_512;
4062 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4063 break;
4064
0f113f3e
MC		 4065 default:
4066 default_nid = -1;
4067 break;
4068 }
4069 }
4070 /*
4071 * If peer sent no signature algorithms extension and we have set
4072 * preferred signature algorithms check we support sha1.
4073 */
4074 if (default_nid > 0 && c->conf_sigalgs) {
4075 size_t j;
4076 const unsigned char *p = c->conf_sigalgs;
4077 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4078 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4079 break;
4080 }
4081 if (j == c->conf_sigalgslen) {
4082 if (check_flags)
4083 goto skip_sigs;
4084 else
4085 goto end;
4086 }
4087 }
4088 /* Check signature algorithm of each cert in chain */
4089 if (!tls1_check_sig_alg(c, x, default_nid)) {
4090 if (!check_flags)
4091 goto end;
4092 } else
4093 rv |= CERT_PKEY_EE_SIGNATURE;
4094 rv |= CERT_PKEY_CA_SIGNATURE;
4095 for (i = 0; i < sk_X509_num(chain); i++) {
4096 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4097 if (check_flags) {
4098 rv &= ~CERT_PKEY_CA_SIGNATURE;
4099 break;
4100 } else
4101 goto end;
4102 }
4103 }
4104 }
4105 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4106 else if (check_flags)
4107 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4108 skip_sigs:
4109 /* Check cert parameters are consistent */
4110 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4111 rv |= CERT_PKEY_EE_PARAM;
4112 else if (!check_flags)
4113 goto end;
4114 if (!s->server)
4115 rv |= CERT_PKEY_CA_PARAM;
4116 /* In strict mode check rest of chain too */
4117 else if (strict_mode) {
4118 rv |= CERT_PKEY_CA_PARAM;
4119 for (i = 0; i < sk_X509_num(chain); i++) {
4120 X509 *ca = sk_X509_value(chain, i);
4121 if (!tls1_check_cert_param(s, ca, 0)) {
4122 if (check_flags) {
4123 rv &= ~CERT_PKEY_CA_PARAM;
4124 break;
4125 } else
4126 goto end;
4127 }
4128 }
4129 }
4130 if (!s->server && strict_mode) {
4131 STACK_OF(X509_NAME) *ca_dn;
4132 int check_type = 0;
4133 switch (pk->type) {
4134 case EVP_PKEY_RSA:
4135 check_type = TLS_CT_RSA_SIGN;
4136 break;
4137 case EVP_PKEY_DSA:
4138 check_type = TLS_CT_DSS_SIGN;
4139 break;
4140 case EVP_PKEY_EC:
4141 check_type = TLS_CT_ECDSA_SIGN;
4142 break;
4143 case EVP_PKEY_DH:
4144 case EVP_PKEY_DHX:
4145 {
4146 int cert_type = X509_certificate_type(x, pk);
4147 if (cert_type & EVP_PKS_RSA)
4148 check_type = TLS_CT_RSA_FIXED_DH;
4149 if (cert_type & EVP_PKS_DSA)
4150 check_type = TLS_CT_DSS_FIXED_DH;
4151 }
4152 }
4153 if (check_type) {
4154 const unsigned char *ctypes;
4155 int ctypelen;
4156 if (c->ctypes) {
4157 ctypes = c->ctypes;
4158 ctypelen = (int)c->ctype_num;
4159 } else {
4160 ctypes = (unsigned char *)s->s3->tmp.ctype;
4161 ctypelen = s->s3->tmp.ctype_num;
4162 }
4163 for (i = 0; i < ctypelen; i++) {
4164 if (ctypes[i] == check_type) {
4165 rv |= CERT_PKEY_CERT_TYPE;
4166 break;
4167 }
4168 }
4169 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4170 goto end;
4171 } else
4172 rv |= CERT_PKEY_CERT_TYPE;
4173
4174 ca_dn = s->s3->tmp.ca_names;
4175
4176 if (!sk_X509_NAME_num(ca_dn))
4177 rv |= CERT_PKEY_ISSUER_NAME;
4178
4179 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4180 if (ssl_check_ca_name(ca_dn, x))
4181 rv |= CERT_PKEY_ISSUER_NAME;
4182 }
4183 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4184 for (i = 0; i < sk_X509_num(chain); i++) {
4185 X509 *xtmp = sk_X509_value(chain, i);
4186 if (ssl_check_ca_name(ca_dn, xtmp)) {
4187 rv |= CERT_PKEY_ISSUER_NAME;
4188 break;
4189 }
4190 }
4191 }
4192 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4193 goto end;
4194 } else
4195 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4196
4197 if (!check_flags || (rv & check_flags) == check_flags)
4198 rv |= CERT_PKEY_VALID;
4199
4200 end:
4201
4202 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4203 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4204 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4205 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4206 rv |= CERT_PKEY_SIGN;
4207 } else
4208 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4209
4210 /*
4211 * When checking a CERT_PKEY structure all flags are irrelevant if the
4212 * chain is invalid.
4213 */
4214 if (!check_flags) {
4215 if (rv & CERT_PKEY_VALID)
6383d316 4216 *pvalid = rv;
0f113f3e
MC		 4217 else {
4218 /* Preserve explicit sign flag, clear rest */
6383d316 4219 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4220 return 0;
4221 }
4222 }
4223 return rv;
4224}
d61ff83b
DSH		 4225
4226/* Set validity of certificates in an SSL structure */
4227void tls1_set_cert_validity(SSL *s)
0f113f3e 4228{
17dd65e6
MC		 4229 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4230 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4231 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4232 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4233 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4234 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4235 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4236 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4237 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4238}
4239
18d71588
DSH		 4240/* User level utiity function to check a chain is suitable */
4241int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4242{
4243 return tls1_check_chain(s, x, pk, chain, -1);
4244}
d61ff83b 4245
09599b52
DSH		 4246
4247#ifndef OPENSSL_NO_DH
4248DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4249{
4250 int dh_secbits = 80;
4251 if (s->cert->dh_tmp_auto == 2)
4252 return DH_get_1024_160();
adc5506a 4253 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4254 if (s->s3->tmp.new_cipher->strength_bits == 256)
4255 dh_secbits = 128;
4256 else
4257 dh_secbits = 80;
4258 } else {
4259 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4260 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4261 }
4262
4263 if (dh_secbits >= 128) {
4264 DH *dhp = DH_new();
a71edf3b 4265 if (dhp == NULL)
0f113f3e
MC		 4266 return NULL;
4267 dhp->g = BN_new();
a71edf3b 4268 if (dhp->g != NULL)
0f113f3e
MC		 4269 BN_set_word(dhp->g, 2);
4270 if (dh_secbits >= 192)
4271 dhp->p = get_rfc3526_prime_8192(NULL);
4272 else
4273 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4274 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4275 DH_free(dhp);
4276 return NULL;
4277 }
4278 return dhp;
4279 }
4280 if (dh_secbits >= 112)
4281 return DH_get_2048_224();
4282 return DH_get_1024_160();
4283}
09599b52 4284#endif
b362ccab
DSH		 4285
4286static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4287{
4288 int secbits;
4289 EVP_PKEY *pkey = X509_get_pubkey(x);
4290 if (pkey) {
4291 secbits = EVP_PKEY_security_bits(pkey);
4292 EVP_PKEY_free(pkey);
4293 } else
4294 secbits = -1;
4295 if (s)
4296 return ssl_security(s, op, secbits, 0, x);
4297 else
4298 return ssl_ctx_security(ctx, op, secbits, 0, x);
4299}
b362ccab
DSH		 4300
4301static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4302{
4303 /* Lookup signature algorithm digest */
4304 int secbits = -1, md_nid = NID_undef, sig_nid;
4305 sig_nid = X509_get_signature_nid(x);
4306 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4307 const EVP_MD *md;
4308 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4309 secbits = EVP_MD_size(md) * 4;
4310 }
4311 if (s)
4312 return ssl_security(s, op, secbits, md_nid, x);
4313 else
4314 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4315}
b362ccab
DSH		 4316
4317int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4318{
4319 if (vfy)
4320 vfy = SSL_SECOP_PEER;
4321 if (is_ee) {
4322 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4323 return SSL_R_EE_KEY_TOO_SMALL;
4324 } else {
4325 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4326 return SSL_R_CA_KEY_TOO_SMALL;
4327 }
4328 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4329 return SSL_R_CA_MD_TOO_WEAK;
4330 return 1;
4331}
4332
4333/*
4334 * Check security of a chain, if sk includes the end entity certificate then
4335 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4336 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4337 */
4338
4339int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4340{
4341 int rv, start_idx, i;
4342 if (x == NULL) {
4343 x = sk_X509_value(sk, 0);
4344 start_idx = 1;
4345 } else
4346 start_idx = 0;
4347
4348 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4349 if (rv != 1)
4350 return rv;
4351
4352 for (i = start_idx; i < sk_X509_num(sk); i++) {
4353 x = sk_X509_value(sk, i);
4354 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4355 if (rv != 1)
4356 return rv;
4357 }
4358 return 1;
4359}
A mirror of the official openssl repository