]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove dh512.pem
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
0f113f3e 124const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 125
367eb1f1 126#ifndef OPENSSL_NO_TLSEXT
6434abbf 127static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 128 const unsigned char *sess_id, int sesslen,
129 SSL_SESSION **psess);
2daceb03 130static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 131int ssl_check_serverhello_tlsext(SSL *s);
367eb1f1 132#endif
6434abbf 133
0f113f3e
MC		 134SSL3_ENC_METHOD const TLSv1_enc_data = {
135 tls1_enc,
136 tls1_mac,
137 tls1_setup_key_block,
138 tls1_generate_master_secret,
139 tls1_change_cipher_state,
140 tls1_final_finish_mac,
141 TLS1_FINISH_MAC_LENGTH,
142 tls1_cert_verify_mac,
143 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
144 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
145 tls1_alert_code,
146 tls1_export_keying_material,
147 0,
148 SSL3_HM_HEADER_LENGTH,
149 ssl3_set_handshake_header,
150 ssl3_handshake_write
151};
152
153SSL3_ENC_METHOD const TLSv1_1_enc_data = {
154 tls1_enc,
155 tls1_mac,
156 tls1_setup_key_block,
157 tls1_generate_master_secret,
158 tls1_change_cipher_state,
159 tls1_final_finish_mac,
160 TLS1_FINISH_MAC_LENGTH,
161 tls1_cert_verify_mac,
162 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
163 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
164 tls1_alert_code,
165 tls1_export_keying_material,
166 SSL_ENC_FLAG_EXPLICIT_IV,
167 SSL3_HM_HEADER_LENGTH,
168 ssl3_set_handshake_header,
169 ssl3_handshake_write
170};
171
172SSL3_ENC_METHOD const TLSv1_2_enc_data = {
173 tls1_enc,
174 tls1_mac,
175 tls1_setup_key_block,
176 tls1_generate_master_secret,
177 tls1_change_cipher_state,
178 tls1_final_finish_mac,
179 TLS1_FINISH_MAC_LENGTH,
180 tls1_cert_verify_mac,
181 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
182 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
183 tls1_alert_code,
184 tls1_export_keying_material,
185 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
186 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
187 SSL3_HM_HEADER_LENGTH,
188 ssl3_set_handshake_header,
189 ssl3_handshake_write
190};
58964a49 191
f3b656b2 192long tls1_default_timeout(void)
0f113f3e
MC		 193{
194 /*
195 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
196 * http, the cache would over fill
197 */
198 return (60 * 60 * 2);
199}
58964a49 200
6b691a5c 201int tls1_new(SSL *s)
0f113f3e
MC		 202{
203 if (!ssl3_new(s))
204 return (0);
205 s->method->ssl_clear(s);
206 return (1);
207}
58964a49 208
6b691a5c 209void tls1_free(SSL *s)
0f113f3e 210{
12bf56c0 211#ifndef OPENSSL_NO_TLSEXT
b548a1f1 212 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 213#endif /* OPENSSL_NO_TLSEXT */
214 ssl3_free(s);
215}
58964a49 216
6b691a5c 217void tls1_clear(SSL *s)
0f113f3e
MC		 218{
219 ssl3_clear(s);
220 s->version = s->method->version;
221}
58964a49 222
525de5d3 223#ifndef OPENSSL_NO_EC
eda3766b 224
0f113f3e
MC		 225typedef struct {
226 int nid; /* Curve NID */
227 int secbits; /* Bits of security (from SP800-57) */
228 unsigned int flags; /* Flags: currently just field type */
229} tls_curve_info;
230
231# define TLS_CURVE_CHAR2 0x1
232# define TLS_CURVE_PRIME 0x0
233
234static const tls_curve_info nid_list[] = {
235 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
236 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
237 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
238 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
239 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
240 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
241 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
242 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
243 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
244 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
245 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
246 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
247 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
248 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
249 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
250 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
251 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
252 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
253 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
254 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
255 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
256 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
257 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
258 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
259 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
260 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
261 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
262 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
263};
264
265static const unsigned char ecformats_default[] = {
266 TLSEXT_ECPOINTFORMAT_uncompressed,
267 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
268 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
269};
270
271static const unsigned char eccurves_default[] = {
272 0, 14, /* sect571r1 (14) */
273 0, 13, /* sect571k1 (13) */
274 0, 25, /* secp521r1 (25) */
275 0, 28, /* brainpool512r1 (28) */
276 0, 11, /* sect409k1 (11) */
277 0, 12, /* sect409r1 (12) */
278 0, 27, /* brainpoolP384r1 (27) */
279 0, 24, /* secp384r1 (24) */
280 0, 9, /* sect283k1 (9) */
281 0, 10, /* sect283r1 (10) */
282 0, 26, /* brainpoolP256r1 (26) */
283 0, 22, /* secp256k1 (22) */
284 0, 23, /* secp256r1 (23) */
285 0, 8, /* sect239k1 (8) */
286 0, 6, /* sect233k1 (6) */
287 0, 7, /* sect233r1 (7) */
288 0, 20, /* secp224k1 (20) */
289 0, 21, /* secp224r1 (21) */
290 0, 4, /* sect193r1 (4) */
291 0, 5, /* sect193r2 (5) */
292 0, 18, /* secp192k1 (18) */
293 0, 19, /* secp192r1 (19) */
294 0, 1, /* sect163k1 (1) */
295 0, 2, /* sect163r1 (2) */
296 0, 3, /* sect163r2 (3) */
297 0, 15, /* secp160k1 (15) */
298 0, 16, /* secp160r1 (16) */
299 0, 17, /* secp160r2 (17) */
300};
301
302static const unsigned char suiteb_curves[] = {
303 0, TLSEXT_curve_P_256,
304 0, TLSEXT_curve_P_384
305};
2ea80354 306
525de5d3 307int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 308{
309 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 310 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 311 return 0;
312 return nid_list[curve_id - 1].nid;
313}
525de5d3
DSH		 314
315int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 316{
317 /* ECC curves from RFC 4492 and RFC 7027 */
318 switch (nid) {
319 case NID_sect163k1: /* sect163k1 (1) */
320 return 1;
321 case NID_sect163r1: /* sect163r1 (2) */
322 return 2;
323 case NID_sect163r2: /* sect163r2 (3) */
324 return 3;
325 case NID_sect193r1: /* sect193r1 (4) */
326 return 4;
327 case NID_sect193r2: /* sect193r2 (5) */
328 return 5;
329 case NID_sect233k1: /* sect233k1 (6) */
330 return 6;
331 case NID_sect233r1: /* sect233r1 (7) */
332 return 7;
333 case NID_sect239k1: /* sect239k1 (8) */
334 return 8;
335 case NID_sect283k1: /* sect283k1 (9) */
336 return 9;
337 case NID_sect283r1: /* sect283r1 (10) */
338 return 10;
339 case NID_sect409k1: /* sect409k1 (11) */
340 return 11;
341 case NID_sect409r1: /* sect409r1 (12) */
342 return 12;
343 case NID_sect571k1: /* sect571k1 (13) */
344 return 13;
345 case NID_sect571r1: /* sect571r1 (14) */
346 return 14;
347 case NID_secp160k1: /* secp160k1 (15) */
348 return 15;
349 case NID_secp160r1: /* secp160r1 (16) */
350 return 16;
351 case NID_secp160r2: /* secp160r2 (17) */
352 return 17;
353 case NID_secp192k1: /* secp192k1 (18) */
354 return 18;
355 case NID_X9_62_prime192v1: /* secp192r1 (19) */
356 return 19;
357 case NID_secp224k1: /* secp224k1 (20) */
358 return 20;
359 case NID_secp224r1: /* secp224r1 (21) */
360 return 21;
361 case NID_secp256k1: /* secp256k1 (22) */
362 return 22;
363 case NID_X9_62_prime256v1: /* secp256r1 (23) */
364 return 23;
365 case NID_secp384r1: /* secp384r1 (24) */
366 return 24;
367 case NID_secp521r1: /* secp521r1 (25) */
368 return 25;
369 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
370 return 26;
371 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
372 return 27;
373 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
374 return 28;
375 default:
376 return 0;
377 }
378}
379
740580c2
EK		 380/*
381 * Get curves list, if "sess" is set return client curves otherwise
382 * preferred list.
383 * Sets |num_curves| to the number of curves in the list, i.e.,
384 * the length of |pcurves| is 2 * num_curves.
385 * Returns 1 on success and 0 if the client curves list has invalid format.
386 * The latter indicates an internal error: we should not be accepting such
387 * lists in the first place.
388 * TODO(emilia): we should really be storing the curves list in explicitly
389 * parsed form instead. (However, this would affect binary compatibility
390 * so cannot happen in the 1.0.x series.)
fd2b65ce 391 */
740580c2 392static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 393 const unsigned char **pcurves,
394 size_t *num_curves)
395{
396 size_t pcurveslen = 0;
397 if (sess) {
398 *pcurves = s->session->tlsext_ellipticcurvelist;
399 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
400 } else {
401 /* For Suite B mode only include P-256, P-384 */
402 switch (tls1_suiteb(s)) {
403 case SSL_CERT_FLAG_SUITEB_128_LOS:
404 *pcurves = suiteb_curves;
405 pcurveslen = sizeof(suiteb_curves);
406 break;
407
408 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409 *pcurves = suiteb_curves;
410 pcurveslen = 2;
411 break;
412
413 case SSL_CERT_FLAG_SUITEB_192_LOS:
414 *pcurves = suiteb_curves + 2;
415 pcurveslen = 2;
416 break;
417 default:
418 *pcurves = s->tlsext_ellipticcurvelist;
419 pcurveslen = s->tlsext_ellipticcurvelist_length;
420 }
421 if (!*pcurves) {
422 *pcurves = eccurves_default;
423 pcurveslen = sizeof(eccurves_default);
424 }
425 }
426
427 /* We do not allow odd length arrays to enter the system. */
428 if (pcurveslen & 1) {
429 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
430 *num_curves = 0;
431 return 0;
432 } else {
433 *num_curves = pcurveslen / 2;
434 return 1;
435 }
436}
b362ccab
DSH		 437
438/* See if curve is allowed by security callback */
439static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 440{
441 const tls_curve_info *cinfo;
442 if (curve[0])
443 return 1;
b6eb9827 444 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 445 return 0;
446 cinfo = &nid_list[curve[1] - 1];
447# ifdef OPENSSL_NO_EC2M
448 if (cinfo->flags & TLS_CURVE_CHAR2)
449 return 0;
450# endif
451 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
452}
b362ccab 453
d18b716d
DSH		 454/* Check a curve is one of our preferences */
455int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 456{
457 const unsigned char *curves;
458 size_t num_curves, i;
459 unsigned int suiteb_flags = tls1_suiteb(s);
460 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
461 return 0;
462 /* Check curve matches Suite B preferences */
463 if (suiteb_flags) {
464 unsigned long cid = s->s3->tmp.new_cipher->id;
465 if (p[1])
466 return 0;
467 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
468 if (p[2] != TLSEXT_curve_P_256)
469 return 0;
470 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
471 if (p[2] != TLSEXT_curve_P_384)
472 return 0;
473 } else /* Should never happen */
474 return 0;
475 }
476 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
477 return 0;
478 for (i = 0; i < num_curves; i++, curves += 2) {
479 if (p[1] == curves[0] && p[2] == curves[1])
480 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
481 }
482 return 0;
483}
d0595f17 484
1d97c843 485/*-
376e2ca3
EK		 486 * Return |nmatch|th shared curve or NID_undef if there is no match.
487 * For nmatch == -1, return number of matches
488 * For nmatch == -2, return the NID of the curve to use for
489 * an EC tmp key, or NID_undef if there is no match.
d0595f17 490 */
a4352630 491int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 492{
493 const unsigned char *pref, *supp;
494 size_t num_pref, num_supp, i, j;
495 int k;
496 /* Can't do anything on client side */
497 if (s->server == 0)
498 return -1;
499 if (nmatch == -2) {
500 if (tls1_suiteb(s)) {
501 /*
502 * For Suite B ciphersuite determines curve: we already know
503 * these are acceptable due to previous checks.
504 */
505 unsigned long cid = s->s3->tmp.new_cipher->id;
506 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
507 return NID_X9_62_prime256v1; /* P-256 */
508 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
509 return NID_secp384r1; /* P-384 */
510 /* Should never happen */
511 return NID_undef;
512 }
513 /* If not Suite B just return first preference shared curve */
514 nmatch = 0;
515 }
516 /*
517 * Avoid truncation. tls1_get_curvelist takes an int
518 * but s->options is a long...
519 */
520 if (!tls1_get_curvelist
521 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
522 &num_supp))
523 /* In practice, NID_undef == 0 but let's be precise. */
524 return nmatch == -1 ? 0 : NID_undef;
525 if (!tls1_get_curvelist
526 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
527 &num_pref))
528 return nmatch == -1 ? 0 : NID_undef;
529 k = 0;
530 for (i = 0; i < num_pref; i++, pref += 2) {
531 const unsigned char *tsupp = supp;
532 for (j = 0; j < num_supp; j++, tsupp += 2) {
533 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
534 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
535 continue;
536 if (nmatch == k) {
537 int id = (pref[0] << 8) | pref[1];
538 return tls1_ec_curve_id2nid(id);
539 }
540 k++;
541 }
542 }
543 }
544 if (nmatch == -1)
545 return k;
546 /* Out of range (nmatch > k). */
547 return NID_undef;
548}
d0595f17
DSH		 549
550int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 551 int *curves, size_t ncurves)
552{
553 unsigned char *clist, *p;
554 size_t i;
555 /*
556 * Bitmap of curves included to detect duplicates: only works while curve
557 * ids < 32
558 */
559 unsigned long dup_list = 0;
560 clist = OPENSSL_malloc(ncurves * 2);
561 if (!clist)
562 return 0;
563 for (i = 0, p = clist; i < ncurves; i++) {
564 unsigned long idmask;
565 int id;
566 id = tls1_ec_nid2curve_id(curves[i]);
567 idmask = 1L << id;
568 if (!id || (dup_list & idmask)) {
569 OPENSSL_free(clist);
570 return 0;
571 }
572 dup_list |= idmask;
573 s2n(id, p);
574 }
b548a1f1 575 OPENSSL_free(*pext);
0f113f3e
MC		 576 *pext = clist;
577 *pextlen = ncurves * 2;
578 return 1;
579}
580
581# define MAX_CURVELIST 28
582
583typedef struct {
584 size_t nidcnt;
585 int nid_arr[MAX_CURVELIST];
586} nid_cb_st;
d0595f17
DSH		 587
588static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 589{
590 nid_cb_st *narg = arg;
591 size_t i;
592 int nid;
593 char etmp[20];
2747d73c
KR		 594 if (elem == NULL)
595 return 0;
0f113f3e
MC		 596 if (narg->nidcnt == MAX_CURVELIST)
597 return 0;
598 if (len > (int)(sizeof(etmp) - 1))
599 return 0;
600 memcpy(etmp, elem, len);
601 etmp[len] = 0;
602 nid = EC_curve_nist2nid(etmp);
603 if (nid == NID_undef)
604 nid = OBJ_sn2nid(etmp);
605 if (nid == NID_undef)
606 nid = OBJ_ln2nid(etmp);
607 if (nid == NID_undef)
608 return 0;
609 for (i = 0; i < narg->nidcnt; i++)
610 if (narg->nid_arr[i] == nid)
611 return 0;
612 narg->nid_arr[narg->nidcnt++] = nid;
613 return 1;
614}
615
d0595f17 616/* Set curves based on a colon separate list */
0f113f3e
MC		 617int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
618 const char *str)
619{
620 nid_cb_st ncb;
621 ncb.nidcnt = 0;
622 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
623 return 0;
624 if (pext == NULL)
625 return 1;
626 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
627}
628
fd2b65ce
DSH		 629/* For an EC key set TLS id and required compression based on parameters */
630static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 631 EC_KEY *ec)
632{
633 int is_prime, id;
634 const EC_GROUP *grp;
635 const EC_METHOD *meth;
636 if (!ec)
637 return 0;
638 /* Determine if it is a prime field */
639 grp = EC_KEY_get0_group(ec);
640 if (!grp)
641 return 0;
642 meth = EC_GROUP_method_of(grp);
643 if (!meth)
644 return 0;
645 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
646 is_prime = 1;
647 else
648 is_prime = 0;
649 /* Determine curve ID */
650 id = EC_GROUP_get_curve_name(grp);
651 id = tls1_ec_nid2curve_id(id);
652 /* If we have an ID set it, otherwise set arbitrary explicit curve */
653 if (id) {
654 curve_id[0] = 0;
655 curve_id[1] = (unsigned char)id;
656 } else {
657 curve_id[0] = 0xff;
658 if (is_prime)
659 curve_id[1] = 0x01;
660 else
661 curve_id[1] = 0x02;
662 }
663 if (comp_id) {
664 if (EC_KEY_get0_public_key(ec) == NULL)
665 return 0;
666 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
667 if (is_prime)
668 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
669 else
670 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
671 } else
672 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
673 }
674 return 1;
675}
676
fd2b65ce
DSH		 677/* Check an EC key is compatible with extensions */
678static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 679 unsigned char *curve_id, unsigned char *comp_id)
680{
681 const unsigned char *pformats, *pcurves;
682 size_t num_formats, num_curves, i;
683 int j;
684 /*
685 * If point formats extension present check it, otherwise everything is
686 * supported (see RFC4492).
687 */
688 if (comp_id && s->session->tlsext_ecpointformatlist) {
689 pformats = s->session->tlsext_ecpointformatlist;
690 num_formats = s->session->tlsext_ecpointformatlist_length;
691 for (i = 0; i < num_formats; i++, pformats++) {
692 if (*comp_id == *pformats)
693 break;
694 }
695 if (i == num_formats)
696 return 0;
697 }
698 if (!curve_id)
699 return 1;
700 /* Check curve is consistent with client and server preferences */
701 for (j = 0; j <= 1; j++) {
702 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
703 return 0;
b79d2410
MC		 704 if (j == 1 && num_curves == 0) {
705 /*
706 * If we've not received any curves then skip this check.
707 * RFC 4492 does not require the supported elliptic curves extension
708 * so if it is not sent we can just choose any curve.
709 * It is invalid to send an empty list in the elliptic curves
710 * extension, so num_curves == 0 always means no extension.
711 */
712 break;
713 }
0f113f3e
MC		 714 for (i = 0; i < num_curves; i++, pcurves += 2) {
715 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
716 break;
717 }
718 if (i == num_curves)
719 return 0;
720 /* For clients can only check sent curve list */
721 if (!s->server)
722 break;
723 }
724 return 1;
725}
d61ff83b 726
5087afa1 727static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 728 size_t *num_formats)
729{
730 /*
731 * If we have a custom point format list use it otherwise use default
732 */
733 if (s->tlsext_ecpointformatlist) {
734 *pformats = s->tlsext_ecpointformatlist;
735 *num_formats = s->tlsext_ecpointformatlist_length;
736 } else {
737 *pformats = ecformats_default;
738 /* For Suite B we don't support char2 fields */
739 if (tls1_suiteb(s))
740 *num_formats = sizeof(ecformats_default) - 1;
741 else
742 *num_formats = sizeof(ecformats_default);
743 }
744}
745
746/*
747 * Check cert parameters compatible with extensions: currently just checks EC
748 * certificates have compatible curves and compression.
d61ff83b 749 */
2ea80354 750static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 751{
752 unsigned char comp_id, curve_id[2];
753 EVP_PKEY *pkey;
754 int rv;
755 pkey = X509_get_pubkey(x);
756 if (!pkey)
757 return 0;
758 /* If not EC nothing to do */
759 if (pkey->type != EVP_PKEY_EC) {
760 EVP_PKEY_free(pkey);
761 return 1;
762 }
763 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
764 EVP_PKEY_free(pkey);
765 if (!rv)
766 return 0;
767 /*
768 * Can't check curve_id for client certs as we don't have a supported
769 * curves extension.
770 */
771 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
772 if (!rv)
773 return 0;
774 /*
775 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
776 * SHA384+P-384, adjust digest if necessary.
777 */
778 if (set_ee_md && tls1_suiteb(s)) {
779 int check_md;
780 size_t i;
781 CERT *c = s->cert;
782 if (curve_id[0])
783 return 0;
784 /* Check to see we have necessary signing algorithm */
785 if (curve_id[1] == TLSEXT_curve_P_256)
786 check_md = NID_ecdsa_with_SHA256;
787 else if (curve_id[1] == TLSEXT_curve_P_384)
788 check_md = NID_ecdsa_with_SHA384;
789 else
790 return 0; /* Should never happen */
791 for (i = 0; i < c->shared_sigalgslen; i++)
792 if (check_md == c->shared_sigalgs[i].signandhash_nid)
793 break;
794 if (i == c->shared_sigalgslen)
795 return 0;
796 if (set_ee_md == 2) {
797 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 798 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 799 else
d376e57d 800 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 801 }
802 }
803 return rv;
804}
805
10bf4fc2 806# ifndef OPENSSL_NO_EC
fd2b65ce 807/* Check EC temporary key is compatible with client extensions */
2ea80354 808int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e
MC		 809{
810 unsigned char curve_id[2];
811 EC_KEY *ec = s->cert->ecdh_tmp;
812# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
813 /* Allow any curve: not just those peer supports */
814 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
815 return 1;
816# endif
817 /*
818 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
819 * curves permitted.
820 */
821 if (tls1_suiteb(s)) {
822 /* Curve to check determined by ciphersuite */
823 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
824 curve_id[1] = TLSEXT_curve_P_256;
825 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
826 curve_id[1] = TLSEXT_curve_P_384;
827 else
828 return 0;
829 curve_id[0] = 0;
830 /* Check this curve is acceptable */
831 if (!tls1_check_ec_key(s, curve_id, NULL))
832 return 0;
833 /* If auto or setting curve from callback assume OK */
834 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
835 return 1;
836 /* Otherwise check curve is acceptable */
837 else {
838 unsigned char curve_tmp[2];
839 if (!ec)
840 return 0;
841 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
842 return 0;
843 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
844 return 1;
845 return 0;
846 }
847
848 }
849 if (s->cert->ecdh_tmp_auto) {
850 /* Need a shared curve */
851 if (tls1_shared_curve(s, 0))
852 return 1;
853 else
854 return 0;
855 }
856 if (!ec) {
857 if (s->cert->ecdh_tmp_cb)
858 return 1;
859 else
860 return 0;
861 }
862 if (!tls1_set_ec_id(curve_id, NULL, ec))
863 return 0;
d18b716d 864/* Set this to allow use of invalid curves for testing */
0f113f3e
MC		 865# if 0
866 return 1;
867# else
868 return tls1_check_ec_key(s, curve_id, NULL);
869# endif
870}
10bf4fc2 871# endif /* OPENSSL_NO_EC */
d0595f17 872
14536c8c
DSH		 873#else
874
875static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 876{
877 return 1;
878}
14536c8c 879
0f113f3e 880#endif /* OPENSSL_NO_EC */
f1fd4544 881
ed3883d2 882#ifndef OPENSSL_NO_TLSEXT
fc101f88 883
0f113f3e
MC		 884/*
885 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 886 * customisable at some point, for now include everything we support.
887 */
888
0f113f3e
MC		 889# ifdef OPENSSL_NO_RSA
890# define tlsext_sigalg_rsa(md) /* */
891# else
892# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
893# endif
894
895# ifdef OPENSSL_NO_DSA
896# define tlsext_sigalg_dsa(md) /* */
897# else
898# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
899# endif
900
10bf4fc2
RS		 901# ifdef OPENSSL_NO_EC
902# define tlsext_sigalg_ecdsa(md) /* */
0f113f3e
MC		 903# else
904# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
905# endif
906
907# define tlsext_sigalg(md) \
908 tlsext_sigalg_rsa(md) \
909 tlsext_sigalg_dsa(md) \
910 tlsext_sigalg_ecdsa(md)
fc101f88 911
d97ed219 912static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 913 tlsext_sigalg(TLSEXT_hash_sha512)
914 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 915 tlsext_sigalg(TLSEXT_hash_sha256)
916 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 917 tlsext_sigalg(TLSEXT_hash_sha1)
fc101f88 918};
0f113f3e 919
10bf4fc2 920# ifndef OPENSSL_NO_EC
d97ed219 921static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 922 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
923 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 924};
0f113f3e 925# endif
b7bfe69b 926size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 927{
928 /*
929 * If Suite B mode use Suite B sigalgs only, ignore any other
930 * preferences.
931 */
932# ifndef OPENSSL_NO_EC
933 switch (tls1_suiteb(s)) {
934 case SSL_CERT_FLAG_SUITEB_128_LOS:
935 *psigs = suiteb_sigalgs;
936 return sizeof(suiteb_sigalgs);
937
938 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
939 *psigs = suiteb_sigalgs;
940 return 2;
941
942 case SSL_CERT_FLAG_SUITEB_192_LOS:
943 *psigs = suiteb_sigalgs + 2;
944 return 2;
945 }
946# endif
947 /* If server use client authentication sigalgs if not NULL */
948 if (s->server && s->cert->client_sigalgs) {
949 *psigs = s->cert->client_sigalgs;
950 return s->cert->client_sigalgslen;
951 } else if (s->cert->conf_sigalgs) {
952 *psigs = s->cert->conf_sigalgs;
953 return s->cert->conf_sigalgslen;
954 } else {
955 *psigs = tls12_sigalgs;
956 return sizeof(tls12_sigalgs);
957 }
958}
959
960/*
961 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 962 * algorithms and if so return relevant digest.
963 */
964int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 965 const unsigned char *sig, EVP_PKEY *pkey)
966{
967 const unsigned char *sent_sigs;
968 size_t sent_sigslen, i;
969 int sigalg = tls12_get_sigid(pkey);
970 /* Should never happen */
971 if (sigalg == -1)
972 return -1;
973 /* Check key type is consistent with signature */
974 if (sigalg != (int)sig[1]) {
975 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
976 return 0;
977 }
978# ifndef OPENSSL_NO_EC
979 if (pkey->type == EVP_PKEY_EC) {
980 unsigned char curve_id[2], comp_id;
981 /* Check compression and curve matches extensions */
982 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
983 return 0;
984 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
985 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
986 return 0;
987 }
988 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
989 if (tls1_suiteb(s)) {
990 if (curve_id[0])
991 return 0;
992 if (curve_id[1] == TLSEXT_curve_P_256) {
993 if (sig[0] != TLSEXT_hash_sha256) {
994 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
995 SSL_R_ILLEGAL_SUITEB_DIGEST);
996 return 0;
997 }
998 } else if (curve_id[1] == TLSEXT_curve_P_384) {
999 if (sig[0] != TLSEXT_hash_sha384) {
1000 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1001 SSL_R_ILLEGAL_SUITEB_DIGEST);
1002 return 0;
1003 }
1004 } else
1005 return 0;
1006 }
1007 } else if (tls1_suiteb(s))
1008 return 0;
1009# endif
1010
1011 /* Check signature matches a type we sent */
1012 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1013 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1014 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1015 break;
1016 }
1017 /* Allow fallback to SHA1 if not strict mode */
1018 if (i == sent_sigslen
1019 && (sig[0] != TLSEXT_hash_sha1
1020 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1021 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1022 return 0;
1023 }
1024 *pmd = tls12_get_hash(sig[0]);
1025 if (*pmd == NULL) {
1026 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1027 return 0;
1028 }
1029 /* Make sure security callback allows algorithm */
1030 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1031 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1032 (void *)sig)) {
1033 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1034 return 0;
1035 }
1036 /*
1037 * Store the digest used so applications can retrieve it if they wish.
1038 */
d376e57d 1039 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1040 return 1;
1041}
2ea80354 1042
0f113f3e
MC		 1043/*
1044 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1045 * supported or doesn't appear in supported signature algorithms. Unlike
1046 * ssl_cipher_get_disabled this applies to a specific session and not global
1047 * settings.
b7bfe69b
DSH		 1048 */
1049void ssl_set_client_disabled(SSL *s)
0f113f3e 1050{
4d69f9e6
DSH		 1051 s->s3->tmp.mask_a = 0;
1052 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1053 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1054 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1055 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1056 else
4d69f9e6
DSH		 1057 s->s3->tmp.mask_ssl = 0;
1058 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1059 /*
1060 * Disable static DH if we don't include any appropriate signature
1061 * algorithms.
1062 */
4d69f9e6
DSH		 1063 if (s->s3->tmp.mask_a & SSL_aRSA)
1064 s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
1065 if (s->s3->tmp.mask_a & SSL_aDSS)
1066 s->s3->tmp.mask_k |= SSL_kDHd;
1067 if (s->s3->tmp.mask_a & SSL_aECDSA)
1068 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1069# ifndef OPENSSL_NO_PSK
1070 /* with PSK there must be client callback set */
1071 if (!s->psk_client_callback) {
4d69f9e6
DSH		 1072 s->s3->tmp.mask_a |= SSL_aPSK;
1073 s->s3->tmp.mask_k |= SSL_kPSK;
0f113f3e
MC		 1074 }
1075# endif /* OPENSSL_NO_PSK */
1076# ifndef OPENSSL_NO_SRP
1077 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1078 s->s3->tmp.mask_a |= SSL_aSRP;
1079 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e
MC		 1080 }
1081# endif
0f113f3e 1082}
fc101f88 1083
b362ccab 1084int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1085{
4d69f9e6
DSH		 1086 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1087 || c->algorithm_mkey & s->s3->tmp.mask_k
1088 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1089 return 1;
1090 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1091}
b362ccab
DSH		 1092
1093static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1094{
1095 if (s->options & SSL_OP_NO_TICKET)
1096 return 0;
1097 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1098}
ed3883d2 1099
0f113f3e
MC		 1100unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1101 unsigned char *limit, int *al)
1102{
1103 int extdatalen = 0;
1104 unsigned char *orig = buf;
1105 unsigned char *ret = buf;
1106# ifndef OPENSSL_NO_EC
1107 /* See if we support any ECC ciphersuites */
1108 int using_ecc = 0;
1109 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1110 int i;
1111 unsigned long alg_k, alg_a;
1112 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1113
1114 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1115 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1116
1117 alg_k = c->algorithm_mkey;
1118 alg_a = c->algorithm_auth;
1119 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
1120 || (alg_a & SSL_aECDSA))) {
1121 using_ecc = 1;
1122 break;
1123 }
1124 }
1125 }
1126# endif
ed3883d2 1127
0f113f3e 1128 ret += 2;
6434abbf 1129
0f113f3e
MC		 1130 if (ret >= limit)
1131 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1132
0f113f3e
MC		 1133 /* Add RI if renegotiating */
1134 if (s->renegotiate) {
1135 int el;
5a3d8eeb 1136
0f113f3e
MC		 1137 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1138 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1139 return NULL;
1140 }
5a3d8eeb 1141
0f113f3e
MC		 1142 if ((limit - ret - 4 - el) < 0)
1143 return NULL;
5a3d8eeb 1144
0f113f3e
MC		 1145 s2n(TLSEXT_TYPE_renegotiate, ret);
1146 s2n(el, ret);
5a3d8eeb 1147
0f113f3e
MC		 1148 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1149 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1150 return NULL;
5a3d8eeb 1151 }
edc032b5 1152
0f113f3e
MC		 1153 ret += el;
1154 }
1155 /* Only add RI for SSLv3 */
1156 if (s->client_version == SSL3_VERSION)
1157 goto done;
1158
1159 if (s->tlsext_hostname != NULL) {
1160 /* Add TLS extension servername to the Client Hello message */
1161 unsigned long size_str;
1162 long lenmax;
1163
50e735f9
MC		 1164 /*-
1165 * check for enough space.
1166 * 4 for the servername type and entension length
1167 * 2 for servernamelist length
1168 * 1 for the hostname type
1169 * 2 for hostname length
1170 * + hostname length
1171 */
0f113f3e
MC		 1172
1173 if ((lenmax = limit - ret - 9) < 0
1174 || (size_str =
1175 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1176 return NULL;
1177
1178 /* extension type and length */
1179 s2n(TLSEXT_TYPE_server_name, ret);
1180 s2n(size_str + 5, ret);
1181
1182 /* length of servername list */
1183 s2n(size_str + 3, ret);
1184
1185 /* hostname type, length and hostname */
1186 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1187 s2n(size_str, ret);
1188 memcpy(ret, s->tlsext_hostname, size_str);
1189 ret += size_str;
1190 }
1191# ifndef OPENSSL_NO_SRP
1192 /* Add SRP username if there is one */
1193 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1194 * Client Hello message */
1195
1196 int login_len = strlen(s->srp_ctx.login);
1197 if (login_len > 255 || login_len == 0) {
1198 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1199 return NULL;
1200 }
761772d7 1201
50e735f9
MC		 1202 /*-
1203 * check for enough space.
1204 * 4 for the srp type type and entension length
1205 * 1 for the srp user identity
1206 * + srp user identity length
1207 */
0f113f3e
MC		 1208 if ((limit - ret - 5 - login_len) < 0)
1209 return NULL;
1210
1211 /* fill in the extension */
1212 s2n(TLSEXT_TYPE_srp, ret);
1213 s2n(login_len + 1, ret);
1214 (*ret++) = (unsigned char)login_len;
1215 memcpy(ret, s->srp_ctx.login, login_len);
1216 ret += login_len;
1217 }
1218# endif
1219
1220# ifndef OPENSSL_NO_EC
1221 if (using_ecc) {
1222 /*
1223 * Add TLS extension ECPointFormats to the ClientHello message
1224 */
1225 long lenmax;
1226 const unsigned char *pcurves, *pformats;
1227 size_t num_curves, num_formats, curves_list_len;
1228 size_t i;
1229 unsigned char *etmp;
1230
1231 tls1_get_formatlist(s, &pformats, &num_formats);
1232
1233 if ((lenmax = limit - ret - 5) < 0)
1234 return NULL;
1235 if (num_formats > (size_t)lenmax)
1236 return NULL;
1237 if (num_formats > 255) {
1238 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1239 return NULL;
1240 }
4817504d 1241
0f113f3e
MC		 1242 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1243 /* The point format list has 1-byte length. */
1244 s2n(num_formats + 1, ret);
1245 *(ret++) = (unsigned char)num_formats;
1246 memcpy(ret, pformats, num_formats);
1247 ret += num_formats;
1248
1249 /*
1250 * Add TLS extension EllipticCurves to the ClientHello message
1251 */
1252 pcurves = s->tlsext_ellipticcurvelist;
1253 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1254 return NULL;
1255
1256 if ((lenmax = limit - ret - 6) < 0)
1257 return NULL;
1258 if (num_curves > (size_t)lenmax / 2)
1259 return NULL;
1260 if (num_curves > 65532 / 2) {
1261 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1262 return NULL;
1263 }
ee2ffc27 1264
0f113f3e
MC		 1265 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1266 etmp = ret + 4;
1267 /* Copy curve ID if supported */
1268 for (i = 0; i < num_curves; i++, pcurves += 2) {
1269 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1270 *etmp++ = pcurves[0];
1271 *etmp++ = pcurves[1];
1272 }
1273 }
01f2f18f 1274
0f113f3e
MC		 1275 curves_list_len = etmp - ret - 4;
1276
1277 s2n(curves_list_len + 2, ret);
1278 s2n(curves_list_len, ret);
1279 ret += curves_list_len;
1280 }
1281# endif /* OPENSSL_NO_EC */
1282
1283 if (tls_use_ticket(s)) {
1284 int ticklen;
1285 if (!s->new_session && s->session && s->session->tlsext_tick)
1286 ticklen = s->session->tlsext_ticklen;
1287 else if (s->session && s->tlsext_session_ticket &&
1288 s->tlsext_session_ticket->data) {
1289 ticklen = s->tlsext_session_ticket->length;
1290 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1291 if (!s->session->tlsext_tick)
1292 return NULL;
1293 memcpy(s->session->tlsext_tick,
1294 s->tlsext_session_ticket->data, ticklen);
1295 s->session->tlsext_ticklen = ticklen;
1296 } else
1297 ticklen = 0;
1298 if (ticklen == 0 && s->tlsext_session_ticket &&
1299 s->tlsext_session_ticket->data == NULL)
1300 goto skip_ext;
1301 /*
1302 * Check for enough room 2 for extension type, 2 for len rest for
1303 * ticket
1304 */
1305 if ((long)(limit - ret - 4 - ticklen) < 0)
1306 return NULL;
1307 s2n(TLSEXT_TYPE_session_ticket, ret);
1308 s2n(ticklen, ret);
1309 if (ticklen) {
1310 memcpy(ret, s->session->tlsext_tick, ticklen);
1311 ret += ticklen;
1312 }
1313 }
1314 skip_ext:
1315
1316 if (SSL_USE_SIGALGS(s)) {
1317 size_t salglen;
1318 const unsigned char *salg;
1319 unsigned char *etmp;
1320 salglen = tls12_get_psigalgs(s, &salg);
1321 if ((size_t)(limit - ret) < salglen + 6)
1322 return NULL;
1323 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1324 etmp = ret;
1325 /* Skip over lengths for now */
1326 ret += 4;
1327 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1328 /* Fill in lengths */
1329 s2n(salglen + 2, etmp);
1330 s2n(salglen, etmp);
1331 ret += salglen;
1332 }
0f113f3e
MC		 1333
1334 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1335 int i;
1336 long extlen, idlen, itmp;
1337 OCSP_RESPID *id;
1338
1339 idlen = 0;
1340 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1341 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1342 itmp = i2d_OCSP_RESPID(id, NULL);
1343 if (itmp <= 0)
1344 return NULL;
1345 idlen += itmp + 2;
860c3dd1
DSH		 1346 }
1347
0f113f3e
MC		 1348 if (s->tlsext_ocsp_exts) {
1349 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1350 if (extlen < 0)
1351 return NULL;
1352 } else
1353 extlen = 0;
1354
1355 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1356 return NULL;
1357 s2n(TLSEXT_TYPE_status_request, ret);
1358 if (extlen + idlen > 0xFFF0)
1359 return NULL;
1360 s2n(extlen + idlen + 5, ret);
1361 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1362 s2n(idlen, ret);
1363 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1364 /* save position of id len */
1365 unsigned char *q = ret;
1366 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1367 /* skip over id len */
1368 ret += 2;
1369 itmp = i2d_OCSP_RESPID(id, &ret);
1370 /* write id len */
1371 s2n(itmp, q);
1372 }
1373 s2n(extlen, ret);
1374 if (extlen > 0)
1375 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1376 }
1377# ifndef OPENSSL_NO_HEARTBEATS
1378 /* Add Heartbeat extension */
1379 if ((limit - ret - 4 - 1) < 0)
1380 return NULL;
1381 s2n(TLSEXT_TYPE_heartbeat, ret);
1382 s2n(1, ret);
50e735f9
MC		 1383 /*-
1384 * Set mode:
1385 * 1: peer may send requests
1386 * 2: peer not allowed to send requests
1387 */
0f113f3e
MC		 1388 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1389 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1390 else
1391 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1392# endif
1393
1394# ifndef OPENSSL_NO_NEXTPROTONEG
1395 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1396 /*
1397 * The client advertises an emtpy extension to indicate its support
1398 * for Next Protocol Negotiation
1399 */
1400 if (limit - ret - 4 < 0)
1401 return NULL;
1402 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1403 s2n(0, ret);
1404 }
1405# endif
1406
1407 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1408 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1409 return NULL;
1410 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1411 s2n(2 + s->alpn_client_proto_list_len, ret);
1412 s2n(s->alpn_client_proto_list_len, ret);
1413 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1414 ret += s->alpn_client_proto_list_len;
1415 }
1416# ifndef OPENSSL_NO_SRTP
1417 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1418 int el;
1419
69f68237
MC		 1420 /* Returns 0 on success!! */
1421 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1422 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1423 return NULL;
1424 }
0f113f3e
MC		 1425
1426 if ((limit - ret - 4 - el) < 0)
1427 return NULL;
1428
1429 s2n(TLSEXT_TYPE_use_srtp, ret);
1430 s2n(el, ret);
1431
1432 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1433 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1434 return NULL;
1435 }
1436 ret += el;
1437 }
1438# endif
1439 custom_ext_init(&s->cert->cli_ext);
1440 /* Add custom TLS Extensions to ClientHello */
1441 if (!custom_ext_add(s, 0, &ret, limit, al))
1442 return NULL;
1443# ifdef TLSEXT_TYPE_encrypt_then_mac
1444 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1445 s2n(0, ret);
1446# endif
ddc06b35
DSH		 1447 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1448 s2n(0, ret);
0f113f3e
MC		 1449
1450 /*
1451 * Add padding to workaround bugs in F5 terminators. See
1452 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1453 * code works out the length of all existing extensions it MUST always
1454 * appear last.
1455 */
1456 if (s->options & SSL_OP_TLSEXT_PADDING) {
1457 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1458
0f113f3e
MC		 1459 if (hlen > 0xff && hlen < 0x200) {
1460 hlen = 0x200 - hlen;
1461 if (hlen >= 4)
1462 hlen -= 4;
1463 else
1464 hlen = 0;
1465
1466 s2n(TLSEXT_TYPE_padding, ret);
1467 s2n(hlen, ret);
1468 memset(ret, 0, hlen);
1469 ret += hlen;
1470 }
1471 }
5a3d8eeb 1472
0f113f3e 1473 done:
5a3d8eeb 1474
0f113f3e
MC		 1475 if ((extdatalen = ret - orig - 2) == 0)
1476 return orig;
5a3d8eeb 1477
0f113f3e
MC		 1478 s2n(extdatalen, orig);
1479 return ret;
1480}
333f926d 1481
0f113f3e
MC		 1482unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1483 unsigned char *limit, int *al)
1484{
1485 int extdatalen = 0;
1486 unsigned char *orig = buf;
1487 unsigned char *ret = buf;
1488# ifndef OPENSSL_NO_NEXTPROTONEG
1489 int next_proto_neg_seen;
1490# endif
1491# ifndef OPENSSL_NO_EC
1492 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1493 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1494 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1495 || (alg_a & SSL_aECDSA);
1496 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1497# endif
1498
1499 ret += 2;
1500 if (ret >= limit)
1501 return NULL; /* this really never occurs, but ... */
1502
1503 if (s->s3->send_connection_binding) {
1504 int el;
1505
1506 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1507 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1508 return NULL;
1509 }
333f926d 1510
0f113f3e
MC		 1511 if ((limit - ret - 4 - el) < 0)
1512 return NULL;
333f926d 1513
0f113f3e
MC		 1514 s2n(TLSEXT_TYPE_renegotiate, ret);
1515 s2n(el, ret);
333f926d 1516
0f113f3e
MC		 1517 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1518 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1519 return NULL;
1520 }
333f926d 1521
0f113f3e
MC		 1522 ret += el;
1523 }
1524
1525 /* Only add RI for SSLv3 */
1526 if (s->version == SSL3_VERSION)
1527 goto done;
1528
1529 if (!s->hit && s->servername_done == 1
1530 && s->session->tlsext_hostname != NULL) {
1531 if ((long)(limit - ret - 4) < 0)
1532 return NULL;
1533
1534 s2n(TLSEXT_TYPE_server_name, ret);
1535 s2n(0, ret);
1536 }
1537# ifndef OPENSSL_NO_EC
1538 if (using_ecc) {
1539 const unsigned char *plist;
1540 size_t plistlen;
1541 /*
1542 * Add TLS extension ECPointFormats to the ServerHello message
1543 */
1544 long lenmax;
1545
1546 tls1_get_formatlist(s, &plist, &plistlen);
1547
1548 if ((lenmax = limit - ret - 5) < 0)
1549 return NULL;
1550 if (plistlen > (size_t)lenmax)
1551 return NULL;
1552 if (plistlen > 255) {
1553 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1554 return NULL;
1555 }
4817504d 1556
0f113f3e
MC		 1557 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1558 s2n(plistlen + 1, ret);
1559 *(ret++) = (unsigned char)plistlen;
1560 memcpy(ret, plist, plistlen);
1561 ret += plistlen;
1562
1563 }
1564 /*
1565 * Currently the server should not respond with a SupportedCurves
1566 * extension
1567 */
1568# endif /* OPENSSL_NO_EC */
1569
1570 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1571 if ((long)(limit - ret - 4) < 0)
1572 return NULL;
1573 s2n(TLSEXT_TYPE_session_ticket, ret);
1574 s2n(0, ret);
1575 }
1576
1577 if (s->tlsext_status_expected) {
1578 if ((long)(limit - ret - 4) < 0)
1579 return NULL;
1580 s2n(TLSEXT_TYPE_status_request, ret);
1581 s2n(0, ret);
1582 }
0f113f3e
MC		 1583
1584# ifndef OPENSSL_NO_SRTP
1585 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1586 int el;
1587
69f68237 1588 /* Returns 0 on success!! */
61986d32 1589 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1590 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1591 return NULL;
1592 }
0f113f3e
MC		 1593 if ((limit - ret - 4 - el) < 0)
1594 return NULL;
1595
1596 s2n(TLSEXT_TYPE_use_srtp, ret);
1597 s2n(el, ret);
1598
1599 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1600 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1601 return NULL;
1602 }
1603 ret += el;
1604 }
1605# endif
1606
1607 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1608 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1609 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1610 const unsigned char cryptopro_ext[36] = {
1611 0xfd, 0xe8, /* 65000 */
1612 0x00, 0x20, /* 32 bytes length */
1613 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1614 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1615 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1616 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1617 };
1618 if (limit - ret < 36)
1619 return NULL;
1620 memcpy(ret, cryptopro_ext, 36);
1621 ret += 36;
1622
1623 }
1624# ifndef OPENSSL_NO_HEARTBEATS
1625 /* Add Heartbeat extension if we've received one */
1626 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1627 if ((limit - ret - 4 - 1) < 0)
1628 return NULL;
1629 s2n(TLSEXT_TYPE_heartbeat, ret);
1630 s2n(1, ret);
50e735f9
MC		 1631 /*-
1632 * Set mode:
1633 * 1: peer may send requests
1634 * 2: peer not allowed to send requests
1635 */
0f113f3e
MC		 1636 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1637 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1638 else
1639 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1640
1641 }
1642# endif
1643
1644# ifndef OPENSSL_NO_NEXTPROTONEG
1645 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1646 s->s3->next_proto_neg_seen = 0;
1647 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1648 const unsigned char *npa;
1649 unsigned int npalen;
1650 int r;
1651
1652 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1653 s->
1654 ctx->next_protos_advertised_cb_arg);
1655 if (r == SSL_TLSEXT_ERR_OK) {
1656 if ((long)(limit - ret - 4 - npalen) < 0)
1657 return NULL;
1658 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1659 s2n(npalen, ret);
1660 memcpy(ret, npa, npalen);
1661 ret += npalen;
1662 s->s3->next_proto_neg_seen = 1;
1663 }
1664 }
1665# endif
1666 if (!custom_ext_add(s, 1, &ret, limit, al))
1667 return NULL;
1668# ifdef TLSEXT_TYPE_encrypt_then_mac
1669 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1670 /*
1671 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1672 * for other cases too.
1673 */
1674 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1675 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1676 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1677 else {
1678 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1679 s2n(0, ret);
1680 }
1681 }
1682# endif
ddc06b35
DSH		 1683 if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
1684 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1685 s2n(0, ret);
1686 }
0f113f3e
MC		 1687
1688 if (s->s3->alpn_selected) {
1689 const unsigned char *selected = s->s3->alpn_selected;
1690 unsigned len = s->s3->alpn_selected_len;
1691
1692 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1693 return NULL;
1694 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1695 s2n(3 + len, ret);
1696 s2n(1 + len, ret);
1697 *ret++ = len;
1698 memcpy(ret, selected, len);
1699 ret += len;
1700 }
1701
1702 done:
1703
1704 if ((extdatalen = ret - orig - 2) == 0)
1705 return orig;
1706
1707 s2n(extdatalen, orig);
1708 return ret;
1709}
a398f821 1710
0f113f3e
MC		 1711/*
1712 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1713 * ClientHello. data: the contents of the extension, not including the type
1714 * and length. data_len: the number of bytes in |data| al: a pointer to the
1715 * alert value to send in the event of a non-zero return. returns: 0 on
1716 * success.
1717 */
6f017a8f 1718static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
0f113f3e
MC		 1719 unsigned data_len, int *al)
1720{
1721 unsigned i;
1722 unsigned proto_len;
1723 const unsigned char *selected;
1724 unsigned char selected_len;
1725 int r;
1726
1727 if (s->ctx->alpn_select_cb == NULL)
1728 return 0;
1729
1730 if (data_len < 2)
1731 goto parse_error;
1732
1733 /*
1734 * data should contain a uint16 length followed by a series of 8-bit,
1735 * length-prefixed strings.
1736 */
1737 i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1738 data_len -= 2;
1739 data += 2;
1740 if (data_len != i)
1741 goto parse_error;
1742
1743 if (data_len < 2)
1744 goto parse_error;
1745
1746 for (i = 0; i < data_len;) {
1747 proto_len = data[i];
1748 i++;
1749
1750 if (proto_len == 0)
1751 goto parse_error;
1752
1753 if (i + proto_len < i || i + proto_len > data_len)
1754 goto parse_error;
1755
1756 i += proto_len;
1757 }
1758
1759 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1760 s->ctx->alpn_select_cb_arg);
1761 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1762 OPENSSL_free(s->s3->alpn_selected);
0f113f3e
MC		 1763 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1764 if (!s->s3->alpn_selected) {
1765 *al = SSL_AD_INTERNAL_ERROR;
1766 return -1;
1767 }
1768 memcpy(s->s3->alpn_selected, selected, selected_len);
1769 s->s3->alpn_selected_len = selected_len;
1770 }
1771 return 0;
1772
1773 parse_error:
1774 *al = SSL_AD_DECODE_ERROR;
1775 return -1;
1776}
6f017a8f 1777
0f113f3e 1778# ifndef OPENSSL_NO_EC
1d97c843
TH		 1779/*-
1780 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1781 * SecureTransport using the TLS extension block in |d|, of length |n|.
1782 * Safari, since 10.6, sends exactly these extensions, in this order:
1783 * SNI,
1784 * elliptic_curves
1785 * ec_point_formats
1786 *
1787 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1788 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1789 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1790 * 10.8..10.8.3 (which don't work).
1791 */
0f113f3e
MC		 1792static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1793 const unsigned char *d, int n)
1794{
1795 unsigned short type, size;
1796 static const unsigned char kSafariExtensionsBlock[] = {
1797 0x00, 0x0a, /* elliptic_curves extension */
1798 0x00, 0x08, /* 8 bytes */
1799 0x00, 0x06, /* 6 bytes of curve ids */
1800 0x00, 0x17, /* P-256 */
1801 0x00, 0x18, /* P-384 */
1802 0x00, 0x19, /* P-521 */
1803
1804 0x00, 0x0b, /* ec_point_formats */
1805 0x00, 0x02, /* 2 bytes */
1806 0x01, /* 1 point format */
1807 0x00, /* uncompressed */
1808 };
1809
1810 /* The following is only present in TLS 1.2 */
1811 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1812 0x00, 0x0d, /* signature_algorithms */
1813 0x00, 0x0c, /* 12 bytes */
1814 0x00, 0x0a, /* 10 bytes */
1815 0x05, 0x01, /* SHA-384/RSA */
1816 0x04, 0x01, /* SHA-256/RSA */
1817 0x02, 0x01, /* SHA-1/RSA */
1818 0x04, 0x03, /* SHA-256/ECDSA */
1819 0x02, 0x03, /* SHA-1/ECDSA */
1820 };
1821
1822 if (data >= (d + n - 2))
1823 return;
1824 data += 2;
1825
1826 if (data > (d + n - 4))
1827 return;
1828 n2s(data, type);
1829 n2s(data, size);
1830
1831 if (type != TLSEXT_TYPE_server_name)
1832 return;
1833
1834 if (data + size > d + n)
1835 return;
1836 data += size;
1837
1838 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1839 const size_t len1 = sizeof(kSafariExtensionsBlock);
1840 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1841
1842 if (data + len1 + len2 != d + n)
1843 return;
1844 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1845 return;
1846 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1847 return;
1848 } else {
1849 const size_t len = sizeof(kSafariExtensionsBlock);
1850
1851 if (data + len != d + n)
1852 return;
1853 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1854 return;
1855 }
1856
1857 s->s3->is_probably_safari = 1;
dece3209 1858}
0f113f3e
MC		 1859# endif /* !OPENSSL_NO_EC */
1860
1861static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1862 unsigned char *d, int n, int *al)
1863{
1864 unsigned short type;
1865 unsigned short size;
1866 unsigned short len;
1867 unsigned char *data = *p;
1868 int renegotiate_seen = 0;
1869
1870 s->servername_done = 0;
1871 s->tlsext_status_type = -1;
1872# ifndef OPENSSL_NO_NEXTPROTONEG
1873 s->s3->next_proto_neg_seen = 0;
1874# endif
1875
b548a1f1
RS		 1876 OPENSSL_free(s->s3->alpn_selected);
1877 s->s3->alpn_selected = NULL;
0f113f3e
MC		 1878# ifndef OPENSSL_NO_HEARTBEATS
1879 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1880 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1881# endif
1882
1883# ifndef OPENSSL_NO_EC
1884 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1885 ssl_check_for_safari(s, data, d, n);
1886# endif /* !OPENSSL_NO_EC */
1887
1888 /* Clear any signature algorithms extension received */
76106e60
DSH		 1889 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1890 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e
MC		 1891# ifdef TLSEXT_TYPE_encrypt_then_mac
1892 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1893# endif
1894
1895# ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1896 OPENSSL_free(s->srp_ctx.login);
1897 s->srp_ctx.login = NULL;
0f113f3e
MC		 1898# endif
1899
1900 s->srtp_profile = NULL;
1901
1902 if (data >= (d + n - 2))
1903 goto ri_check;
1904 n2s(data, len);
1905
1906 if (data > (d + n - len))
1907 goto ri_check;
1908
1909 while (data <= (d + n - 4)) {
1910 n2s(data, type);
1911 n2s(data, size);
1912
1913 if (data + size > (d + n))
1914 goto ri_check;
0f113f3e
MC		 1915 if (s->tlsext_debug_cb)
1916 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1917 if (type == TLSEXT_TYPE_renegotiate) {
1918 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1919 return 0;
1920 renegotiate_seen = 1;
1921 } else if (s->version == SSL3_VERSION) {
1922 }
1d97c843
TH		 1923/*-
1924 * The servername extension is treated as follows:
1925 *
1926 * - Only the hostname type is supported with a maximum length of 255.
1927 * - The servername is rejected if too long or if it contains zeros,
1928 * in which case an fatal alert is generated.
1929 * - The servername field is maintained together with the session cache.
1930 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1931 * to allow the application to position itself to the right context.
1932 * - The servername is acknowledged if it is new for a session or when
1933 * it is identical to a previously used for the same session.
1d97c843
TH		 1934 * Applications can control the behaviour. They can at any time
1935 * set a 'desirable' servername for a new SSL object. This can be the
1936 * case for example with HTTPS when a Host: header field is received and
1937 * a renegotiation is requested. In this case, a possible servername
1938 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1939 * the value of the Host: field.
1d97c843 1940 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1941 * if they provide for changing an explicit servername context for the
1942 * session, i.e. when the session has been established with a servername
1943 * extension.
1944 * - On session reconnect, the servername extension may be absent.
1d97c843 1945 *
0f113f3e 1946 */
ed3883d2 1947
0f113f3e
MC		 1948 else if (type == TLSEXT_TYPE_server_name) {
1949 unsigned char *sdata;
1950 int servname_type;
1951 int dsize;
1952
1953 if (size < 2) {
1954 *al = SSL_AD_DECODE_ERROR;
1955 return 0;
1956 }
1957 n2s(data, dsize);
1958 size -= 2;
1959 if (dsize > size) {
1960 *al = SSL_AD_DECODE_ERROR;
1961 return 0;
1962 }
1963
1964 sdata = data;
1965 while (dsize > 3) {
1966 servname_type = *(sdata++);
1967 n2s(sdata, len);
1968 dsize -= 3;
1969
1970 if (len > dsize) {
1971 *al = SSL_AD_DECODE_ERROR;
1972 return 0;
1973 }
1974 if (s->servername_done == 0)
1975 switch (servname_type) {
1976 case TLSEXT_NAMETYPE_host_name:
1977 if (!s->hit) {
1978 if (s->session->tlsext_hostname) {
1979 *al = SSL_AD_DECODE_ERROR;
1980 return 0;
1981 }
1982 if (len > TLSEXT_MAXLEN_host_name) {
1983 *al = TLS1_AD_UNRECOGNIZED_NAME;
1984 return 0;
1985 }
1986 if ((s->session->tlsext_hostname =
1987 OPENSSL_malloc(len + 1)) == NULL) {
1988 *al = TLS1_AD_INTERNAL_ERROR;
1989 return 0;
1990 }
1991 memcpy(s->session->tlsext_hostname, sdata, len);
1992 s->session->tlsext_hostname[len] = '\0';
1993 if (strlen(s->session->tlsext_hostname) != len) {
1994 OPENSSL_free(s->session->tlsext_hostname);
1995 s->session->tlsext_hostname = NULL;
1996 *al = TLS1_AD_UNRECOGNIZED_NAME;
1997 return 0;
1998 }
1999 s->servername_done = 1;
761772d7 2000
0f113f3e
MC		 2001 } else
2002 s->servername_done = s->session->tlsext_hostname
2003 && strlen(s->session->tlsext_hostname) == len
2004 && strncmp(s->session->tlsext_hostname,
2005 (char *)sdata, len) == 0;
b2284ed3 2006
0f113f3e 2007 break;
ee2ffc27 2008
0f113f3e
MC		 2009 default:
2010 break;
2011 }
6f31dd72 2012
0f113f3e
MC		 2013 dsize -= len;
2014 }
2015 if (dsize != 0) {
2016 *al = SSL_AD_DECODE_ERROR;
2017 return 0;
2018 }
6f017a8f 2019
0f113f3e
MC		 2020 }
2021# ifndef OPENSSL_NO_SRP
2022 else if (type == TLSEXT_TYPE_srp) {
2023 if (size <= 0 || ((len = data[0])) != (size - 1)) {
2024 *al = SSL_AD_DECODE_ERROR;
2025 return 0;
2026 }
2027 if (s->srp_ctx.login != NULL) {
2028 *al = SSL_AD_DECODE_ERROR;
2029 return 0;
2030 }
2031 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2032 return -1;
2033 memcpy(s->srp_ctx.login, &data[1], len);
2034 s->srp_ctx.login[len] = '\0';
2035
2036 if (strlen(s->srp_ctx.login) != len) {
2037 *al = SSL_AD_DECODE_ERROR;
2038 return 0;
2039 }
2040 }
2041# endif
2042
2043# ifndef OPENSSL_NO_EC
2044 else if (type == TLSEXT_TYPE_ec_point_formats) {
2045 unsigned char *sdata = data;
2046 int ecpointformatlist_length = *(sdata++);
2047
2048 if (ecpointformatlist_length != size - 1 ||
2049 ecpointformatlist_length < 1) {
2050 *al = TLS1_AD_DECODE_ERROR;
2051 return 0;
2052 }
2053 if (!s->hit) {
b548a1f1
RS		 2054 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2055 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2056 s->session->tlsext_ecpointformatlist_length = 0;
2057 if ((s->session->tlsext_ecpointformatlist =
2058 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2059 *al = TLS1_AD_INTERNAL_ERROR;
2060 return 0;
2061 }
2062 s->session->tlsext_ecpointformatlist_length =
2063 ecpointformatlist_length;
2064 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2065 ecpointformatlist_length);
2066 }
0f113f3e
MC		 2067 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2068 unsigned char *sdata = data;
2069 int ellipticcurvelist_length = (*(sdata++) << 8);
2070 ellipticcurvelist_length += (*(sdata++));
2071
2072 if (ellipticcurvelist_length != size - 2 ||
2073 ellipticcurvelist_length < 1 ||
2074 /* Each NamedCurve is 2 bytes. */
2075 ellipticcurvelist_length & 1) {
2076 *al = TLS1_AD_DECODE_ERROR;
2077 return 0;
2078 }
2079 if (!s->hit) {
2080 if (s->session->tlsext_ellipticcurvelist) {
2081 *al = TLS1_AD_DECODE_ERROR;
2082 return 0;
2083 }
2084 s->session->tlsext_ellipticcurvelist_length = 0;
2085 if ((s->session->tlsext_ellipticcurvelist =
2086 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2087 *al = TLS1_AD_INTERNAL_ERROR;
2088 return 0;
2089 }
2090 s->session->tlsext_ellipticcurvelist_length =
2091 ellipticcurvelist_length;
2092 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2093 ellipticcurvelist_length);
2094 }
0f113f3e
MC		 2095 }
2096# endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2097 else if (type == TLSEXT_TYPE_session_ticket) {
2098 if (s->tls_session_ticket_ext_cb &&
2099 !s->tls_session_ticket_ext_cb(s, data, size,
2100 s->tls_session_ticket_ext_cb_arg))
2101 {
2102 *al = TLS1_AD_INTERNAL_ERROR;
2103 return 0;
2104 }
2105 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2106 int dsize;
76106e60 2107 if (s->s3->tmp.peer_sigalgs || size < 2) {
0f113f3e
MC		 2108 *al = SSL_AD_DECODE_ERROR;
2109 return 0;
2110 }
2111 n2s(data, dsize);
2112 size -= 2;
2113 if (dsize != size || dsize & 1 || !dsize) {
2114 *al = SSL_AD_DECODE_ERROR;
2115 return 0;
2116 }
2117 if (!tls1_save_sigalgs(s, data, dsize)) {
2118 *al = SSL_AD_DECODE_ERROR;
2119 return 0;
2120 }
2121 } else if (type == TLSEXT_TYPE_status_request) {
2122
2123 if (size < 5) {
2124 *al = SSL_AD_DECODE_ERROR;
2125 return 0;
2126 }
2127
2128 s->tlsext_status_type = *data++;
2129 size--;
2130 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2131 const unsigned char *sdata;
2132 int dsize;
2133 /* Read in responder_id_list */
2134 n2s(data, dsize);
2135 size -= 2;
2136 if (dsize > size) {
2137 *al = SSL_AD_DECODE_ERROR;
2138 return 0;
2139 }
2140 while (dsize > 0) {
2141 OCSP_RESPID *id;
2142 int idsize;
2143 if (dsize < 4) {
2144 *al = SSL_AD_DECODE_ERROR;
2145 return 0;
2146 }
2147 n2s(data, idsize);
2148 dsize -= 2 + idsize;
2149 size -= 2 + idsize;
2150 if (dsize < 0) {
2151 *al = SSL_AD_DECODE_ERROR;
2152 return 0;
2153 }
2154 sdata = data;
2155 data += idsize;
2156 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2157 if (!id) {
2158 *al = SSL_AD_DECODE_ERROR;
2159 return 0;
2160 }
2161 if (data != sdata) {
2162 OCSP_RESPID_free(id);
2163 *al = SSL_AD_DECODE_ERROR;
2164 return 0;
2165 }
2166 if (!s->tlsext_ocsp_ids
2167 && !(s->tlsext_ocsp_ids =
2168 sk_OCSP_RESPID_new_null())) {
2169 OCSP_RESPID_free(id);
2170 *al = SSL_AD_INTERNAL_ERROR;
2171 return 0;
2172 }
2173 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2174 OCSP_RESPID_free(id);
2175 *al = SSL_AD_INTERNAL_ERROR;
2176 return 0;
2177 }
2178 }
4817504d 2179
0f113f3e
MC		 2180 /* Read in request_extensions */
2181 if (size < 2) {
2182 *al = SSL_AD_DECODE_ERROR;
2183 return 0;
2184 }
2185 n2s(data, dsize);
2186 size -= 2;
2187 if (dsize != size) {
2188 *al = SSL_AD_DECODE_ERROR;
2189 return 0;
2190 }
2191 sdata = data;
2192 if (dsize > 0) {
222561fe
RS		 2193 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2194 X509_EXTENSION_free);
0f113f3e
MC		 2195 s->tlsext_ocsp_exts =
2196 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2197 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
2198 *al = SSL_AD_DECODE_ERROR;
2199 return 0;
2200 }
2201 }
2202 }
2203 /*
2204 * We don't know what to do with any other type * so ignore it.
2205 */
2206 else
2207 s->tlsext_status_type = -1;
2208 }
2209# ifndef OPENSSL_NO_HEARTBEATS
2210 else if (type == TLSEXT_TYPE_heartbeat) {
2211 switch (data[0]) {
2212 case 0x01: /* Client allows us to send HB requests */
2213 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2214 break;
2215 case 0x02: /* Client doesn't accept HB requests */
2216 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2217 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2218 break;
2219 default:
2220 *al = SSL_AD_ILLEGAL_PARAMETER;
2221 return 0;
2222 }
2223 }
2224# endif
2225# ifndef OPENSSL_NO_NEXTPROTONEG
2226 else if (type == TLSEXT_TYPE_next_proto_neg &&
2227 s->s3->tmp.finish_md_len == 0 &&
2228 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2229 /*-
2230 * We shouldn't accept this extension on a
2231 * renegotiation.
2232 *
2233 * s->new_session will be set on renegotiation, but we
2234 * probably shouldn't rely that it couldn't be set on
2235 * the initial renegotation too in certain cases (when
2236 * there's some other reason to disallow resuming an
2237 * earlier session -- the current code won't be doing
2238 * anything like that, but this might change).
2239 *
2240 * A valid sign that there's been a previous handshake
2241 * in this connection is if s->s3->tmp.finish_md_len >
2242 * 0. (We are talking about a check that will happen
2243 * in the Hello protocol round, well before a new
2244 * Finished message could have been computed.)
2245 */
0f113f3e
MC		 2246 s->s3->next_proto_neg_seen = 1;
2247 }
2248# endif
2249
2250 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2251 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2252 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2253 return 0;
2254# ifndef OPENSSL_NO_NEXTPROTONEG
2255 /* ALPN takes precedence over NPN. */
2256 s->s3->next_proto_neg_seen = 0;
2257# endif
2258 }
5e3ff62c 2259
0f113f3e
MC		 2260 /* session ticket processed earlier */
2261# ifndef OPENSSL_NO_SRTP
2262 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2263 && type == TLSEXT_TYPE_use_srtp) {
2264 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2265 return 0;
2266 }
2267# endif
2268# ifdef TLSEXT_TYPE_encrypt_then_mac
2269 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2270 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2271# endif
ddc06b35
DSH		 2272 else if (type == TLSEXT_TYPE_extended_master_secret) {
2273 if (!s->hit)
2274 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2275 }
0f113f3e
MC		 2276 /*
2277 * If this ClientHello extension was unhandled and this is a
2278 * nonresumed connection, check whether the extension is a custom
2279 * TLS Extension (has a custom_srv_ext_record), and if so call the
2280 * callback and record the extension number so that an appropriate
2281 * ServerHello may be later returned.
2282 */
2283 else if (!s->hit) {
2284 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2285 return 0;
2286 }
ed3883d2 2287
0f113f3e
MC		 2288 data += size;
2289 }
6f017a8f 2290
0f113f3e
MC		 2291 *p = data;
2292
2293 ri_check:
ed3883d2 2294
0f113f3e
MC		 2295 /* Need RI if renegotiating */
2296
2297 if (!renegotiate_seen && s->renegotiate &&
2298 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2299 *al = SSL_AD_HANDSHAKE_FAILURE;
2300 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2301 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2302 return 0;
2303 }
2304
2305 return 1;
2306}
2307
2308int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2309 int n)
2310{
2311 int al = -1;
2312 custom_ext_init(&s->cert->srv_ext);
2313 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
2314 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2315 return 0;
2316 }
2317
2318 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2319 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2320 return 0;
2321 }
2322 return 1;
2323}
2324
2325# ifndef OPENSSL_NO_NEXTPROTONEG
2326/*
2327 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2328 * elements of zero length are allowed and the set of elements must exactly
2329 * fill the length of the block.
2330 */
2331static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2332{
2333 unsigned int off = 0;
2334
2335 while (off < len) {
2336 if (d[off] == 0)
2337 return 0;
2338 off += d[off];
2339 off++;
2340 }
2341
2342 return off == len;
2343}
2344# endif
2345
2346static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2347 unsigned char *d, int n, int *al)
2348{
2349 unsigned short length;
2350 unsigned short type;
2351 unsigned short size;
2352 unsigned char *data = *p;
2353 int tlsext_servername = 0;
2354 int renegotiate_seen = 0;
2355
2356# ifndef OPENSSL_NO_NEXTPROTONEG
2357 s->s3->next_proto_neg_seen = 0;
2358# endif
2359 s->tlsext_ticket_expected = 0;
2360
b548a1f1
RS		 2361 OPENSSL_free(s->s3->alpn_selected);
2362 s->s3->alpn_selected = NULL;
0f113f3e
MC		 2363# ifndef OPENSSL_NO_HEARTBEATS
2364 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2365 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2366# endif
2367
2368# ifdef TLSEXT_TYPE_encrypt_then_mac
2369 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2370# endif
2371
2372 if (data >= (d + n - 2))
2373 goto ri_check;
2374
2375 n2s(data, length);
2376 if (data + length != d + n) {
2377 *al = SSL_AD_DECODE_ERROR;
2378 return 0;
2379 }
2380
2381 while (data <= (d + n - 4)) {
2382 n2s(data, type);
2383 n2s(data, size);
2384
2385 if (data + size > (d + n))
2386 goto ri_check;
2387
2388 if (s->tlsext_debug_cb)
2389 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2390
2391 if (type == TLSEXT_TYPE_renegotiate) {
2392 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2393 return 0;
2394 renegotiate_seen = 1;
2395 } else if (s->version == SSL3_VERSION) {
2396 } else if (type == TLSEXT_TYPE_server_name) {
2397 if (s->tlsext_hostname == NULL || size > 0) {
2398 *al = TLS1_AD_UNRECOGNIZED_NAME;
2399 return 0;
2400 }
2401 tlsext_servername = 1;
2402 }
2403# ifndef OPENSSL_NO_EC
2404 else if (type == TLSEXT_TYPE_ec_point_formats) {
2405 unsigned char *sdata = data;
2406 int ecpointformatlist_length = *(sdata++);
2407
2408 if (ecpointformatlist_length != size - 1) {
2409 *al = TLS1_AD_DECODE_ERROR;
2410 return 0;
2411 }
2412 if (!s->hit) {
2413 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2414 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2415 if ((s->session->tlsext_ecpointformatlist =
2416 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2417 *al = TLS1_AD_INTERNAL_ERROR;
2418 return 0;
2419 }
2420 s->session->tlsext_ecpointformatlist_length =
2421 ecpointformatlist_length;
2422 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2423 ecpointformatlist_length);
2424 }
0f113f3e
MC		 2425 }
2426# endif /* OPENSSL_NO_EC */
2427
2428 else if (type == TLSEXT_TYPE_session_ticket) {
2429 if (s->tls_session_ticket_ext_cb &&
2430 !s->tls_session_ticket_ext_cb(s, data, size,
2431 s->tls_session_ticket_ext_cb_arg))
2432 {
2433 *al = TLS1_AD_INTERNAL_ERROR;
2434 return 0;
2435 }
2436 if (!tls_use_ticket(s) || (size > 0)) {
2437 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2438 return 0;
2439 }
2440 s->tlsext_ticket_expected = 1;
2441 }
0f113f3e
MC		 2442 else if (type == TLSEXT_TYPE_status_request) {
2443 /*
2444 * MUST be empty and only sent if we've requested a status
2445 * request message.
2446 */
2447 if ((s->tlsext_status_type == -1) || (size > 0)) {
2448 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2449 return 0;
2450 }
2451 /* Set flag to expect CertificateStatus message */
2452 s->tlsext_status_expected = 1;
2453 }
2454# ifndef OPENSSL_NO_NEXTPROTONEG
2455 else if (type == TLSEXT_TYPE_next_proto_neg &&
2456 s->s3->tmp.finish_md_len == 0) {
2457 unsigned char *selected;
2458 unsigned char selected_len;
2459
2460 /* We must have requested it. */
2461 if (s->ctx->next_proto_select_cb == NULL) {
2462 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2463 return 0;
2464 }
2465 /* The data must be valid */
2466 if (!ssl_next_proto_validate(data, size)) {
2467 *al = TLS1_AD_DECODE_ERROR;
2468 return 0;
2469 }
2470 if (s->
2471 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2472 size,
2473 s->ctx->next_proto_select_cb_arg) !=
2474 SSL_TLSEXT_ERR_OK) {
2475 *al = TLS1_AD_INTERNAL_ERROR;
2476 return 0;
2477 }
2478 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2479 if (!s->next_proto_negotiated) {
2480 *al = TLS1_AD_INTERNAL_ERROR;
2481 return 0;
2482 }
2483 memcpy(s->next_proto_negotiated, selected, selected_len);
2484 s->next_proto_negotiated_len = selected_len;
2485 s->s3->next_proto_neg_seen = 1;
2486 }
2487# endif
2488
2489 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2490 unsigned len;
2491
2492 /* We must have requested it. */
2493 if (s->alpn_client_proto_list == NULL) {
2494 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2495 return 0;
2496 }
2497 if (size < 4) {
2498 *al = TLS1_AD_DECODE_ERROR;
2499 return 0;
2500 }
50e735f9
MC		 2501 /*-
2502 * The extension data consists of:
2503 * uint16 list_length
2504 * uint8 proto_length;
2505 * uint8 proto[proto_length];
2506 */
0f113f3e
MC		 2507 len = data[0];
2508 len <<= 8;
2509 len |= data[1];
2510 if (len != (unsigned)size - 2) {
2511 *al = TLS1_AD_DECODE_ERROR;
2512 return 0;
2513 }
2514 len = data[2];
2515 if (len != (unsigned)size - 3) {
2516 *al = TLS1_AD_DECODE_ERROR;
2517 return 0;
2518 }
b548a1f1 2519 OPENSSL_free(s->s3->alpn_selected);
0f113f3e
MC		 2520 s->s3->alpn_selected = OPENSSL_malloc(len);
2521 if (!s->s3->alpn_selected) {
2522 *al = TLS1_AD_INTERNAL_ERROR;
2523 return 0;
2524 }
2525 memcpy(s->s3->alpn_selected, data + 3, len);
2526 s->s3->alpn_selected_len = len;
2527 }
2528# ifndef OPENSSL_NO_HEARTBEATS
2529 else if (type == TLSEXT_TYPE_heartbeat) {
2530 switch (data[0]) {
2531 case 0x01: /* Server allows us to send HB requests */
2532 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2533 break;
2534 case 0x02: /* Server doesn't accept HB requests */
2535 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2536 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2537 break;
2538 default:
2539 *al = SSL_AD_ILLEGAL_PARAMETER;
2540 return 0;
2541 }
2542 }
2543# endif
2544# ifndef OPENSSL_NO_SRTP
2545 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2546 if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2547 return 0;
2548 }
2549# endif
2550# ifdef TLSEXT_TYPE_encrypt_then_mac
2551 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2552 /* Ignore if inappropriate ciphersuite */
2553 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2554 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2555 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2556 }
2557# endif
ddc06b35
DSH		 2558 else if (type == TLSEXT_TYPE_extended_master_secret) {
2559 if (!s->hit)
2560 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2561 }
0f113f3e
MC		 2562 /*
2563 * If this extension type was not otherwise handled, but matches a
2564 * custom_cli_ext_record, then send it to the c callback
2565 */
2566 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2567 return 0;
2568
2569 data += size;
2570 }
2571
2572 if (data != d + n) {
2573 *al = SSL_AD_DECODE_ERROR;
2574 return 0;
2575 }
2576
2577 if (!s->hit && tlsext_servername == 1) {
2578 if (s->tlsext_hostname) {
2579 if (s->session->tlsext_hostname == NULL) {
2580 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2581 if (!s->session->tlsext_hostname) {
2582 *al = SSL_AD_UNRECOGNIZED_NAME;
2583 return 0;
2584 }
2585 } else {
2586 *al = SSL_AD_DECODE_ERROR;
2587 return 0;
2588 }
2589 }
2590 }
2591
2592 *p = data;
2593
2594 ri_check:
2595
2596 /*
2597 * Determine if we need to see RI. Strictly speaking if we want to avoid
2598 * an attack we should *always* see RI even on initial server hello
2599 * because the client doesn't see any renegotiation during an attack.
2600 * However this would mean we could not connect to any server which
2601 * doesn't support RI so for the immediate future tolerate RI absence on
2602 * initial connect only.
2603 */
2604 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2605 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2606 *al = SSL_AD_HANDSHAKE_FAILURE;
2607 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2608 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2609 return 0;
2610 }
2611
2612 return 1;
2613}
b2172f4f 2614
36ca4ba6 2615int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2616{
2617
0f113f3e
MC		 2618 return 1;
2619}
36ca4ba6
BM		 2620
2621int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2622{
2623 return 1;
2624}
36ca4ba6 2625
2daceb03 2626static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2627{
2628 int ret = SSL_TLSEXT_ERR_NOACK;
2629 int al = SSL_AD_UNRECOGNIZED_NAME;
2630
2631# ifndef OPENSSL_NO_EC
2632 /*
2633 * The handling of the ECPointFormats extension is done elsewhere, namely
2634 * in ssl3_choose_cipher in s3_lib.c.
2635 */
2636 /*
2637 * The handling of the EllipticCurves extension is done elsewhere, namely
2638 * in ssl3_choose_cipher in s3_lib.c.
2639 */
2640# endif
2641
2642 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2643 ret =
2644 s->ctx->tlsext_servername_callback(s, &al,
2645 s->ctx->tlsext_servername_arg);
2646 else if (s->initial_ctx != NULL
2647 && s->initial_ctx->tlsext_servername_callback != 0)
2648 ret =
2649 s->initial_ctx->tlsext_servername_callback(s, &al,
2650 s->
2651 initial_ctx->tlsext_servername_arg);
2652
0f113f3e
MC		 2653 switch (ret) {
2654 case SSL_TLSEXT_ERR_ALERT_FATAL:
2655 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2656 return -1;
2657
2658 case SSL_TLSEXT_ERR_ALERT_WARNING:
2659 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2660 return 1;
2661
2662 case SSL_TLSEXT_ERR_NOACK:
2663 s->servername_done = 0;
2664 default:
2665 return 1;
2666 }
2667}
d376e57d
DSH		 2668/* Initialise digests to default values */
2669static void ssl_set_default_md(SSL *s)
2670{
2671 const EVP_MD **pmd = s->s3->tmp.md;
2672#ifndef OPENSSL_NO_DSA
2673 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
2674#endif
2675#ifndef OPENSSL_NO_RSA
2676 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
2677 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
2678#endif
2679#ifndef OPENSSL_NO_EC
2680 pmd[SSL_PKEY_ECC] = EVP_sha1();
2681#endif
2682}
f1fd4544 2683
e469af8d 2684int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2685{
2686 int al;
2687 size_t i;
2688 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2689 OPENSSL_free(s->cert->shared_sigalgs);
2690 s->cert->shared_sigalgs = NULL;
2691 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2692 /* Clear certificate digests and validity flags */
2693 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2694 s->s3->tmp.md[i] = NULL;
6383d316 2695 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2696 }
2697
2698 /* If sigalgs received process it. */
76106e60 2699 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2700 if (!tls1_process_sigalgs(s)) {
2701 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2702 al = SSL_AD_INTERNAL_ERROR;
2703 goto err;
2704 }
2705 /* Fatal error is no shared signature algorithms */
2706 if (!s->cert->shared_sigalgs) {
2707 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2708 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2709 al = SSL_AD_ILLEGAL_PARAMETER;
2710 goto err;
2711 }
d376e57d
DSH		 2712 } else {
2713 ssl_set_default_md(s);
2714 }
0f113f3e
MC		 2715 return 1;
2716 err:
2717 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2718 return 0;
2719}
e469af8d 2720
2daceb03 2721int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2722{
2723 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2724 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2725
2726 /*
2727 * If status request then ask callback what to do. Note: this must be
2728 * called after servername callbacks in case the certificate has changed,
2729 * and must be called after the cipher has been chosen because this may
2730 * influence which certificate is sent
2731 */
2732 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2733 int r;
2734 CERT_PKEY *certpkey;
2735 certpkey = ssl_get_server_send_pkey(s);
2736 /* If no certificate can't return certificate status */
2737 if (certpkey == NULL) {
2738 s->tlsext_status_expected = 0;
2739 return 1;
2740 }
2741 /*
2742 * Set current certificate to one we will use so SSL_get_certificate
2743 * et al can pick it up.
2744 */
2745 s->cert->key = certpkey;
2746 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2747 switch (r) {
2748 /* We don't want to send a status request response */
2749 case SSL_TLSEXT_ERR_NOACK:
2750 s->tlsext_status_expected = 0;
2751 break;
2752 /* status request response should be sent */
2753 case SSL_TLSEXT_ERR_OK:
2754 if (s->tlsext_ocsp_resp)
2755 s->tlsext_status_expected = 1;
2756 else
2757 s->tlsext_status_expected = 0;
2758 break;
2759 /* something bad happened */
2760 case SSL_TLSEXT_ERR_ALERT_FATAL:
2761 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2762 al = SSL_AD_INTERNAL_ERROR;
2763 goto err;
2764 }
2765 } else
2766 s->tlsext_status_expected = 0;
2daceb03
BL		 2767
2768 err:
0f113f3e
MC		 2769 switch (ret) {
2770 case SSL_TLSEXT_ERR_ALERT_FATAL:
2771 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2772 return -1;
2773
2774 case SSL_TLSEXT_ERR_ALERT_WARNING:
2775 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2776 return 1;
2777
2778 default:
2779 return 1;
2780 }
2781}
2daceb03 2782
36ca4ba6 2783int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2784{
2785 int ret = SSL_TLSEXT_ERR_NOACK;
2786 int al = SSL_AD_UNRECOGNIZED_NAME;
2787
2788# ifndef OPENSSL_NO_EC
2789 /*
2790 * If we are client and using an elliptic curve cryptography cipher
2791 * suite, then if server returns an EC point formats lists extension it
2792 * must contain uncompressed.
2793 */
2794 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2795 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2796 if ((s->tlsext_ecpointformatlist != NULL)
2797 && (s->tlsext_ecpointformatlist_length > 0)
2798 && (s->session->tlsext_ecpointformatlist != NULL)
2799 && (s->session->tlsext_ecpointformatlist_length > 0)
2800 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2801 || (alg_a & SSL_aECDSA))) {
2802 /* we are using an ECC cipher */
2803 size_t i;
2804 unsigned char *list;
2805 int found_uncompressed = 0;
2806 list = s->session->tlsext_ecpointformatlist;
2807 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2808 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2809 found_uncompressed = 1;
2810 break;
2811 }
2812 }
2813 if (!found_uncompressed) {
2814 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2815 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2816 return -1;
2817 }
2818 }
2819 ret = SSL_TLSEXT_ERR_OK;
2820# endif /* OPENSSL_NO_EC */
2821
2822 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2823 ret =
2824 s->ctx->tlsext_servername_callback(s, &al,
2825 s->ctx->tlsext_servername_arg);
2826 else if (s->initial_ctx != NULL
2827 && s->initial_ctx->tlsext_servername_callback != 0)
2828 ret =
2829 s->initial_ctx->tlsext_servername_callback(s, &al,
2830 s->
2831 initial_ctx->tlsext_servername_arg);
2832
0f113f3e
MC		 2833 /*
2834 * If we've requested certificate status and we wont get one tell the
2835 * callback
2836 */
2837 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2838 && s->ctx && s->ctx->tlsext_status_cb) {
2839 int r;
2840 /*
2841 * Set resp to NULL, resplen to -1 so callback knows there is no
2842 * response.
2843 */
b548a1f1
RS		 2844 OPENSSL_free(s->tlsext_ocsp_resp);
2845 s->tlsext_ocsp_resp = NULL;
0f113f3e
MC		 2846 s->tlsext_ocsp_resplen = -1;
2847 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2848 if (r == 0) {
2849 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2850 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2851 }
2852 if (r < 0) {
2853 al = SSL_AD_INTERNAL_ERROR;
2854 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2855 }
2856 }
2857
2858 switch (ret) {
2859 case SSL_TLSEXT_ERR_ALERT_FATAL:
2860 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2861 return -1;
2862
2863 case SSL_TLSEXT_ERR_ALERT_WARNING:
2864 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2865 return 1;
2866
2867 case SSL_TLSEXT_ERR_NOACK:
2868 s->servername_done = 0;
2869 default:
2870 return 1;
2871 }
2872}
761772d7 2873
0f113f3e
MC		 2874int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2875 int n)
2876{
2877 int al = -1;
2878 if (s->version < SSL3_VERSION)
2879 return 1;
2880 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
2881 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2882 return 0;
2883 }
2884
2885 if (ssl_check_serverhello_tlsext(s) <= 0) {
2886 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2887 return 0;
2888 }
2889 return 1;
09e4e4b9
DSH		 2890}
2891
1d97c843
TH		 2892/*-
2893 * Since the server cache lookup is done early on in the processing of the
c519e89f
BM		 2894 * ClientHello, and other operations depend on the result, we need to handle
2895 * any TLS session ticket extension at the same time.
2896 *
2897 * session_id: points at the session ID in the ClientHello. This code will
2898 * read past the end of this in order to parse out the session ticket
2899 * extension, if any.
2900 * len: the length of the session ID.
2901 * limit: a pointer to the first byte after the ClientHello.
2902 * ret: (output) on return, if a ticket was decrypted, then this is set to
2903 * point to the resulting session.
2904 *
2905 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2906 * ciphersuite, in which case we have no use for session tickets and one will
2907 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2908 *
2909 * Returns:
2910 * -1: fatal error, either from parsing or decrypting the ticket.
2911 * 0: no ticket was found (or was ignored, based on settings).
2912 * 1: a zero length extension was found, indicating that the client supports
2913 * session tickets but doesn't currently have one to offer.
2914 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2915 * couldn't be decrypted because of a non-fatal error.
2916 * 3: a ticket was successfully decrypted and *ret was set.
2917 *
2918 * Side effects:
2919 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2920 * a new session ticket to the client because the client indicated support
2921 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2922 * a session ticket or we couldn't use the one it gave us, or if
2923 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2924 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2925 */
6434abbf 2926int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
0f113f3e
MC		 2927 const unsigned char *limit, SSL_SESSION **ret)
2928{
2929 /* Point after session ID in client hello */
2930 const unsigned char *p = session_id + len;
2931 unsigned short i;
2932
2933 *ret = NULL;
2934 s->tlsext_ticket_expected = 0;
2935
2936 /*
2937 * If tickets disabled behave as if no ticket present to permit stateful
2938 * resumption.
2939 */
2940 if (!tls_use_ticket(s))
2941 return 0;
2942 if ((s->version <= SSL3_VERSION) || !limit)
2943 return 0;
2944 if (p >= limit)
2945 return -1;
2946 /* Skip past DTLS cookie */
2947 if (SSL_IS_DTLS(s)) {
2948 i = *(p++);
2949 p += i;
2950 if (p >= limit)
2951 return -1;
2952 }
2953 /* Skip past cipher list */
2954 n2s(p, i);
2955 p += i;
2956 if (p >= limit)
2957 return -1;
2958 /* Skip past compression algorithm list */
2959 i = *(p++);
2960 p += i;
2961 if (p > limit)
2962 return -1;
2963 /* Now at start of extensions */
2964 if ((p + 2) >= limit)
2965 return 0;
2966 n2s(p, i);
2967 while ((p + 4) <= limit) {
2968 unsigned short type, size;
2969 n2s(p, type);
2970 n2s(p, size);
2971 if (p + size > limit)
2972 return 0;
2973 if (type == TLSEXT_TYPE_session_ticket) {
2974 int r;
2975 if (size == 0) {
2976 /*
2977 * The client will accept a ticket but doesn't currently have
2978 * one.
2979 */
2980 s->tlsext_ticket_expected = 1;
2981 return 1;
2982 }
2983 if (s->tls_session_secret_cb) {
2984 /*
2985 * Indicate that the ticket couldn't be decrypted rather than
2986 * generating the session from ticket now, trigger
2987 * abbreviated handshake based on external mechanism to
2988 * calculate the master secret later.
2989 */
2990 return 2;
2991 }
2992 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2993 switch (r) {
2994 case 2: /* ticket couldn't be decrypted */
2995 s->tlsext_ticket_expected = 1;
2996 return 2;
2997 case 3: /* ticket was decrypted */
2998 return r;
2999 case 4: /* ticket decrypted but need to renew */
3000 s->tlsext_ticket_expected = 1;
3001 return 3;
3002 default: /* fatal error */
3003 return -1;
3004 }
3005 }
3006 p += size;
3007 }
3008 return 0;
3009}
6434abbf 3010
1d97c843
TH		 3011/*-
3012 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3013 *
3014 * etick: points to the body of the session ticket extension.
3015 * eticklen: the length of the session tickets extenion.
3016 * sess_id: points at the session ID.
3017 * sesslen: the length of the session ID.
3018 * psess: (output) on return, if a ticket was decrypted, then this is set to
3019 * point to the resulting session.
3020 *
3021 * Returns:
3022 * -1: fatal error, either from parsing or decrypting the ticket.
3023 * 2: the ticket couldn't be decrypted.
3024 * 3: a ticket was successfully decrypted and *psess was set.
3025 * 4: same as 3, but the ticket needs to be renewed.
3026 */
0f113f3e
MC		 3027static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3028 int eticklen, const unsigned char *sess_id,
3029 int sesslen, SSL_SESSION **psess)
3030{
3031 SSL_SESSION *sess;
3032 unsigned char *sdec;
3033 const unsigned char *p;
3034 int slen, mlen, renew_ticket = 0;
3035 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3036 HMAC_CTX hctx;
3037 EVP_CIPHER_CTX ctx;
3038 SSL_CTX *tctx = s->initial_ctx;
3039 /* Need at least keyname + iv + some encrypted data */
3040 if (eticklen < 48)
3041 return 2;
3042 /* Initialize session ticket encryption and HMAC contexts */
3043 HMAC_CTX_init(&hctx);
3044 EVP_CIPHER_CTX_init(&ctx);
3045 if (tctx->tlsext_ticket_key_cb) {
3046 unsigned char *nctick = (unsigned char *)etick;
3047 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3048 &ctx, &hctx, 0);
3049 if (rv < 0)
3050 return -1;
3051 if (rv == 0)
3052 return 2;
3053 if (rv == 2)
3054 renew_ticket = 1;
3055 } else {
3056 /* Check key name matches */
3057 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3058 return 2;
3059 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
474e469b 3060 EVP_sha256(), NULL);
0f113f3e
MC		 3061 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3062 tctx->tlsext_tick_aes_key, etick + 16);
3063 }
3064 /*
3065 * Attempt to process session ticket, first conduct sanity and integrity
3066 * checks on ticket.
3067 */
3068 mlen = HMAC_size(&hctx);
3069 if (mlen < 0) {
3070 EVP_CIPHER_CTX_cleanup(&ctx);
3071 return -1;
3072 }
3073 eticklen -= mlen;
3074 /* Check HMAC of encrypted ticket */
3075 HMAC_Update(&hctx, etick, eticklen);
3076 HMAC_Final(&hctx, tick_hmac, NULL);
3077 HMAC_CTX_cleanup(&hctx);
3078 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3079 EVP_CIPHER_CTX_cleanup(&ctx);
3080 return 2;
3081 }
3082 /* Attempt to decrypt session data */
3083 /* Move p after IV to start of encrypted ticket, update length */
3084 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3085 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3086 sdec = OPENSSL_malloc(eticklen);
3087 if (!sdec) {
3088 EVP_CIPHER_CTX_cleanup(&ctx);
3089 return -1;
3090 }
3091 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3092 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3093 EVP_CIPHER_CTX_cleanup(&ctx);
3094 OPENSSL_free(sdec);
3095 return 2;
3096 }
3097 slen += mlen;
3098 EVP_CIPHER_CTX_cleanup(&ctx);
3099 p = sdec;
3100
3101 sess = d2i_SSL_SESSION(NULL, &p, slen);
3102 OPENSSL_free(sdec);
3103 if (sess) {
3104 /*
3105 * The session ID, if non-empty, is used by some clients to detect
3106 * that the ticket has been accepted. So we copy it to the session
3107 * structure. If it is empty set length to zero as required by
3108 * standard.
3109 */
3110 if (sesslen)
3111 memcpy(sess->session_id, sess_id, sesslen);
3112 sess->session_id_length = sesslen;
3113 *psess = sess;
3114 if (renew_ticket)
3115 return 4;
3116 else
3117 return 3;
3118 }
3119 ERR_clear_error();
3120 /*
3121 * For session parse failure, indicate that we need to send a new ticket.
3122 */
3123 return 2;
3124}
6434abbf 3125
6b7be581
DSH		 3126/* Tables to translate from NIDs to TLS v1.2 ids */
3127
0f113f3e
MC		 3128typedef struct {
3129 int nid;
3130 int id;
3131} tls12_lookup;
6b7be581 3132
d97ed219 3133static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3134 {NID_md5, TLSEXT_hash_md5},
3135 {NID_sha1, TLSEXT_hash_sha1},
3136 {NID_sha224, TLSEXT_hash_sha224},
3137 {NID_sha256, TLSEXT_hash_sha256},
3138 {NID_sha384, TLSEXT_hash_sha384},
3139 {NID_sha512, TLSEXT_hash_sha512}
6b7be581
DSH		 3140};
3141
d97ed219 3142static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3143 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3144 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3145 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
6b7be581
DSH		 3146};
3147
d97ed219 3148static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3149{
3150 size_t i;
3151 for (i = 0; i < tlen; i++) {
3152 if (table[i].nid == nid)
3153 return table[i].id;
3154 }
3155 return -1;
3156}
e7f8ff43 3157
d97ed219 3158static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3159{
3160 size_t i;
3161 for (i = 0; i < tlen; i++) {
3162 if ((table[i].id) == id)
3163 return table[i].nid;
3164 }
3165 return NID_undef;
3166}
3167
3168int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3169 const EVP_MD *md)
3170{
3171 int sig_id, md_id;
3172 if (!md)
3173 return 0;
b6eb9827 3174 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3175 if (md_id == -1)
3176 return 0;
3177 sig_id = tls12_get_sigid(pk);
3178 if (sig_id == -1)
3179 return 0;
3180 p[0] = (unsigned char)md_id;
3181 p[1] = (unsigned char)sig_id;
3182 return 1;
3183}
6b7be581 3184
a2f9200f 3185int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3186{
b6eb9827 3187 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3188}
3189
3190typedef struct {
3191 int nid;
3192 int secbits;
3193 const EVP_MD *(*mfunc) (void);
3194} tls12_hash_info;
b362ccab
DSH		 3195
3196static const tls12_hash_info tls12_md_info[] = {
0f113f3e
MC		 3197# ifdef OPENSSL_NO_MD5
3198 {NID_md5, 64, 0},
3199# else
3200 {NID_md5, 64, EVP_md5},
3201# endif
0f113f3e 3202 {NID_sha1, 80, EVP_sha1},
0f113f3e
MC		 3203 {NID_sha224, 112, EVP_sha224},
3204 {NID_sha256, 128, EVP_sha256},
0f113f3e
MC		 3205 {NID_sha384, 192, EVP_sha384},
3206 {NID_sha512, 256, EVP_sha512}
b362ccab 3207};
a2f9200f 3208
b362ccab 3209static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e
MC		 3210{
3211 if (hash_alg == 0)
3212 return NULL;
b6eb9827 3213 if (hash_alg > OSSL_NELEM(tls12_md_info))
0f113f3e
MC		 3214 return NULL;
3215 return tls12_md_info + hash_alg - 1;
3216}
a2f9200f 3217
b362ccab 3218const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3219{
3220 const tls12_hash_info *inf;
3221 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3222 return NULL;
3223 inf = tls12_get_hash_info(hash_alg);
3224 if (!inf || !inf->mfunc)
3225 return NULL;
3226 return inf->mfunc();
3227}
a2f9200f 3228
4453cd8c 3229static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3230{
3231 switch (sig_alg) {
3232# ifndef OPENSSL_NO_RSA
3233 case TLSEXT_signature_rsa:
3234 return SSL_PKEY_RSA_SIGN;
3235# endif
3236# ifndef OPENSSL_NO_DSA
3237 case TLSEXT_signature_dsa:
3238 return SSL_PKEY_DSA_SIGN;
3239# endif
10bf4fc2 3240# ifndef OPENSSL_NO_EC
0f113f3e
MC		 3241 case TLSEXT_signature_ecdsa:
3242 return SSL_PKEY_ECC;
3243# endif
3244 }
3245 return -1;
3246}
4453cd8c
DSH		 3247
3248/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3249static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3250 int *psignhash_nid, const unsigned char *data)
3251{
3252 int sign_nid = 0, hash_nid = 0;
3253 if (!phash_nid && !psign_nid && !psignhash_nid)
3254 return;
3255 if (phash_nid || psignhash_nid) {
b6eb9827 3256 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3257 if (phash_nid)
3258 *phash_nid = hash_nid;
3259 }
3260 if (psign_nid || psignhash_nid) {
b6eb9827 3261 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3262 if (psign_nid)
3263 *psign_nid = sign_nid;
3264 }
3265 if (psignhash_nid) {
3266 if (sign_nid && hash_nid)
3267 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3268 else
3269 *psignhash_nid = NID_undef;
3270 }
3271}
3272
b362ccab
DSH		 3273/* Check to see if a signature algorithm is allowed */
3274static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3275{
3276 /* See if we have an entry in the hash table and it is enabled */
3277 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3278 if (!hinf || !hinf->mfunc)
3279 return 0;
3280 /* See if public key algorithm allowed */
3281 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3282 return 0;
3283 /* Finally see if security callback allows it */
3284 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3285}
3286
3287/*
3288 * Get a mask of disabled public key algorithms based on supported signature
3289 * algorithms. For example if no signature algorithm supports RSA then RSA is
3290 * disabled.
b362ccab
DSH		 3291 */
3292
3293void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
0f113f3e
MC		 3294{
3295 const unsigned char *sigalgs;
3296 size_t i, sigalgslen;
3297 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3298 /*
3299 * Now go through all signature algorithms seeing if we support any for
3300 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3301 * down calls to security callback only check if we have to.
3302 */
3303 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3304 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3305 switch (sigalgs[1]) {
3306# ifndef OPENSSL_NO_RSA
3307 case TLSEXT_signature_rsa:
3308 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3309 have_rsa = 1;
3310 break;
3311# endif
3312# ifndef OPENSSL_NO_DSA
3313 case TLSEXT_signature_dsa:
3314 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3315 have_dsa = 1;
3316 break;
3317# endif
10bf4fc2 3318# ifndef OPENSSL_NO_EC
0f113f3e
MC		 3319 case TLSEXT_signature_ecdsa:
3320 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3321 have_ecdsa = 1;
3322 break;
3323# endif
3324 }
3325 }
3326 if (!have_rsa)
3327 *pmask_a |= SSL_aRSA;
3328 if (!have_dsa)
3329 *pmask_a |= SSL_aDSS;
3330 if (!have_ecdsa)
3331 *pmask_a |= SSL_aECDSA;
3332}
b362ccab
DSH		 3333
3334size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3335 const unsigned char *psig, size_t psiglen)
3336{
3337 unsigned char *tmpout = out;
3338 size_t i;
3339 for (i = 0; i < psiglen; i += 2, psig += 2) {
3340 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3341 *tmpout++ = psig[0];
3342 *tmpout++ = psig[1];
3343 }
3344 }
3345 return tmpout - out;
3346}
b362ccab 3347
4453cd8c 3348/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3349static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3350 const unsigned char *pref, size_t preflen,
3351 const unsigned char *allow, size_t allowlen)
3352{
3353 const unsigned char *ptmp, *atmp;
3354 size_t i, j, nmatch = 0;
3355 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3356 /* Skip disabled hashes or signature algorithms */
3357 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3358 continue;
3359 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3360 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3361 nmatch++;
3362 if (shsig) {
3363 shsig->rhash = ptmp[0];
3364 shsig->rsign = ptmp[1];
3365 tls1_lookup_sigalg(&shsig->hash_nid,
3366 &shsig->sign_nid,
3367 &shsig->signandhash_nid, ptmp);
3368 shsig++;
3369 }
3370 break;
3371 }
3372 }
3373 }
3374 return nmatch;
3375}
4453cd8c
DSH		 3376
3377/* Set shared signature algorithms for SSL structures */
3378static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3379{
3380 const unsigned char *pref, *allow, *conf;
3381 size_t preflen, allowlen, conflen;
3382 size_t nmatch;
3383 TLS_SIGALGS *salgs = NULL;
3384 CERT *c = s->cert;
3385 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3386
3387 OPENSSL_free(c->shared_sigalgs);
3388 c->shared_sigalgs = NULL;
3389 c->shared_sigalgslen = 0;
0f113f3e
MC		 3390 /* If client use client signature algorithms if not NULL */
3391 if (!s->server && c->client_sigalgs && !is_suiteb) {
3392 conf = c->client_sigalgs;
3393 conflen = c->client_sigalgslen;
3394 } else if (c->conf_sigalgs && !is_suiteb) {
3395 conf = c->conf_sigalgs;
3396 conflen = c->conf_sigalgslen;
3397 } else
3398 conflen = tls12_get_psigalgs(s, &conf);
3399 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3400 pref = conf;
3401 preflen = conflen;
76106e60
DSH		 3402 allow = s->s3->tmp.peer_sigalgs;
3403 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3404 } else {
3405 allow = conf;
3406 allowlen = conflen;
76106e60
DSH		 3407 pref = s->s3->tmp.peer_sigalgs;
3408 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3409 }
3410 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3411 if (nmatch) {
3412 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3413 if (!salgs)
3414 return 0;
3415 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3416 } else {
3417 salgs = NULL;
3418 }
0f113f3e
MC		 3419 c->shared_sigalgs = salgs;
3420 c->shared_sigalgslen = nmatch;
3421 return 1;
3422}
4453cd8c 3423
6b7be581
DSH		 3424/* Set preferred digest for each key type */
3425
c800c27a 3426int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3427{
3428 CERT *c = s->cert;
3429 /* Extension ignored for inappropriate versions */
3430 if (!SSL_USE_SIGALGS(s))
3431 return 1;
3432 /* Should never happen */
3433 if (!c)
3434 return 0;
3435
76106e60
DSH		 3436 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3437 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3438 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3439 return 0;
76106e60
DSH		 3440 s->s3->tmp.peer_sigalgslen = dsize;
3441 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3442 return 1;
3443}
6b7be581 3444
c800c27a 3445int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3446{
3447 int idx;
3448 size_t i;
3449 const EVP_MD *md;
d376e57d 3450 const EVP_MD **pmd = s->s3->tmp.md;
6383d316 3451 int *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3452 CERT *c = s->cert;
3453 TLS_SIGALGS *sigptr;
3454 if (!tls1_set_shared_sigalgs(s))
3455 return 0;
3456
3457# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3458 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3459 /*
3460 * Use first set signature preference to force message digest,
3461 * ignoring any peer preferences.
3462 */
3463 const unsigned char *sigs = NULL;
3464 if (s->server)
3465 sigs = c->conf_sigalgs;
3466 else
3467 sigs = c->client_sigalgs;
3468 if (sigs) {
3469 idx = tls12_get_pkey_idx(sigs[1]);
3470 md = tls12_get_hash(sigs[0]);
d376e57d 3471 pmd[idx] = md;
6383d316 3472 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3473 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3474 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3475 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3476 }
3477 }
3478 }
3479# endif
3480
3481 for (i = 0, sigptr = c->shared_sigalgs;
3482 i < c->shared_sigalgslen; i++, sigptr++) {
3483 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3484 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3485 md = tls12_get_hash(sigptr->rhash);
d376e57d 3486 pmd[idx] = md;
6383d316 3487 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3488 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3489 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3490 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3491 }
3492 }
6b7be581 3493
0f113f3e
MC		 3494 }
3495 /*
3496 * In strict mode leave unset digests as NULL to indicate we can't use
3497 * the certificate for signing.
3498 */
3499 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3500 /*
3501 * Set any remaining keys to default values. NOTE: if alg is not
3502 * supported it stays as NULL.
3503 */
3504# ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3505 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3506 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
0f113f3e
MC		 3507# endif
3508# ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3509 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3510 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3511 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e
MC		 3512 }
3513# endif
10bf4fc2 3514# ifndef OPENSSL_NO_EC
d376e57d
DSH		 3515 if (pmd[SSL_PKEY_ECC] == NULL)
3516 pmd[SSL_PKEY_ECC] = EVP_sha1();
0f113f3e
MC		 3517# endif
3518 }
3519 return 1;
3520}
4817504d 3521
e7f8ff43 3522int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3523 int *psign, int *phash, int *psignhash,
3524 unsigned char *rsig, unsigned char *rhash)
3525{
76106e60 3526 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3527 if (psig == NULL)
3528 return 0;
3529 if (idx >= 0) {
3530 idx <<= 1;
76106e60 3531 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3532 return 0;
3533 psig += idx;
3534 if (rhash)
3535 *rhash = psig[0];
3536 if (rsig)
3537 *rsig = psig[1];
3538 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3539 }
76106e60 3540 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3541}
4453cd8c
DSH		 3542
3543int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3544 int *psign, int *phash, int *psignhash,
3545 unsigned char *rsig, unsigned char *rhash)
3546{
3547 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3548 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3549 return 0;
3550 shsigalgs += idx;
3551 if (phash)
3552 *phash = shsigalgs->hash_nid;
3553 if (psign)
3554 *psign = shsigalgs->sign_nid;
3555 if (psignhash)
3556 *psignhash = shsigalgs->signandhash_nid;
3557 if (rsig)
3558 *rsig = shsigalgs->rsign;
3559 if (rhash)
3560 *rhash = shsigalgs->rhash;
3561 return s->cert->shared_sigalgslen;
3562}
3563
3564# ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3565int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3566{
2c60ed04 3567 unsigned char *pl;
0f113f3e
MC		 3568 unsigned short hbtype;
3569 unsigned int payload;
3570 unsigned int padding = 16; /* Use minimum padding */
3571
3572 if (s->msg_callback)
3573 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3574 p, length,
0f113f3e
MC		 3575 s, s->msg_callback_arg);
3576
3577 /* Read type and payload length first */
258f8721 3578 if (1 + 2 + 16 > length)
0f113f3e
MC		 3579 return 0; /* silently discard */
3580 hbtype = *p++;
3581 n2s(p, payload);
258f8721 3582 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3583 return 0; /* silently discard per RFC 6520 sec. 4 */
3584 pl = p;
3585
3586 if (hbtype == TLS1_HB_REQUEST) {
3587 unsigned char *buffer, *bp;
3588 int r;
3589
3590 /*
3591 * Allocate memory for the response, size is 1 bytes message type,
3592 * plus 2 bytes payload length, plus payload, plus padding
3593 */
3594 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3595 if (buffer == NULL) {
3596 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3597 return -1;
3598 }
3599 bp = buffer;
3600
3601 /* Enter response type, length and copy payload */
3602 *bp++ = TLS1_HB_RESPONSE;
3603 s2n(payload, bp);
3604 memcpy(bp, pl, payload);
3605 bp += payload;
3606 /* Random padding */
266483d2
MC		 3607 if (RAND_bytes(bp, padding) <= 0) {
3608 OPENSSL_free(buffer);
3609 return -1;
3610 }
0f113f3e
MC		 3611
3612 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3613 3 + payload + padding);
3614
3615 if (r >= 0 && s->msg_callback)
3616 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3617 buffer, 3 + payload + padding,
3618 s, s->msg_callback_arg);
3619
3620 OPENSSL_free(buffer);
3621
3622 if (r < 0)
3623 return r;
3624 } else if (hbtype == TLS1_HB_RESPONSE) {
3625 unsigned int seq;
3626
3627 /*
3628 * We only send sequence numbers (2 bytes unsigned int), and 16
3629 * random bytes, so we just try to read the sequence number
3630 */
3631 n2s(pl, seq);
3632
3633 if (payload == 18 && seq == s->tlsext_hb_seq) {
3634 s->tlsext_hb_seq++;
3635 s->tlsext_hb_pending = 0;
3636 }
3637 }
3638
3639 return 0;
3640}
0f229cce 3641
0f113f3e
MC		 3642int tls1_heartbeat(SSL *s)
3643{
3644 unsigned char *buf, *p;
266483d2 3645 int ret = -1;
0f113f3e
MC		 3646 unsigned int payload = 18; /* Sequence number + random bytes */
3647 unsigned int padding = 16; /* Use minimum padding */
3648
3649 /* Only send if peer supports and accepts HB requests... */
3650 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3651 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3652 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3653 return -1;
3654 }
3655
3656 /* ...and there is none in flight yet... */
3657 if (s->tlsext_hb_pending) {
3658 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3659 return -1;
3660 }
3661
3662 /* ...and no handshake in progress. */
3663 if (SSL_in_init(s) || s->in_handshake) {
3664 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3665 return -1;
3666 }
3667
3668 /*
3669 * Check if padding is too long, payload and padding must not exceed 2^14
3670 * - 3 = 16381 bytes in total.
3671 */
3672 OPENSSL_assert(payload + padding <= 16381);
3673
50e735f9
MC		 3674 /*-
3675 * Create HeartBeat message, we just use a sequence number
3676 * as payload to distuingish different messages and add
3677 * some random stuff.
3678 * - Message Type, 1 byte
3679 * - Payload Length, 2 bytes (unsigned int)
3680 * - Payload, the sequence number (2 bytes uint)
3681 * - Payload, random bytes (16 bytes uint)
3682 * - Padding
3683 */
0f113f3e
MC		 3684 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3685 if (buf == NULL) {
3686 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3687 return -1;
3688 }
3689 p = buf;
3690 /* Message Type */
3691 *p++ = TLS1_HB_REQUEST;
3692 /* Payload length (18 bytes here) */
3693 s2n(payload, p);
3694 /* Sequence number */
3695 s2n(s->tlsext_hb_seq, p);
3696 /* 16 random bytes */
266483d2
MC		 3697 if (RAND_bytes(p, 16) <= 0) {
3698 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3699 goto err;
3700 }
0f113f3e
MC		 3701 p += 16;
3702 /* Random padding */
266483d2
MC		 3703 if (RAND_bytes(p, padding) <= 0) {
3704 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3705 goto err;
3706 }
0f113f3e
MC		 3707
3708 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3709 if (ret >= 0) {
3710 if (s->msg_callback)
3711 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3712 buf, 3 + payload + padding,
3713 s, s->msg_callback_arg);
3714
3715 s->tlsext_hb_pending = 1;
3716 }
3717
266483d2 3718 err:
0f113f3e 3719 OPENSSL_free(buf);
0f113f3e
MC		 3720 return ret;
3721}
3722# endif
3723
3724# define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3725
0f113f3e
MC		 3726typedef struct {
3727 size_t sigalgcnt;
3728 int sigalgs[MAX_SIGALGLEN];
3729} sig_cb_st;
0f229cce
DSH		 3730
3731static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3732{
3733 sig_cb_st *sarg = arg;
3734 size_t i;
3735 char etmp[20], *p;
3736 int sig_alg, hash_alg;
2747d73c
KR		 3737 if (elem == NULL)
3738 return 0;
0f113f3e
MC		 3739 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3740 return 0;
3741 if (len > (int)(sizeof(etmp) - 1))
3742 return 0;
3743 memcpy(etmp, elem, len);
3744 etmp[len] = 0;
3745 p = strchr(etmp, '+');
3746 if (!p)
3747 return 0;
3748 *p = 0;
3749 p++;
3750 if (!*p)
3751 return 0;
3752
86885c28 3753 if (strcmp(etmp, "RSA") == 0)
0f113f3e 3754 sig_alg = EVP_PKEY_RSA;
86885c28 3755 else if (strcmp(etmp, "DSA") == 0)
0f113f3e 3756 sig_alg = EVP_PKEY_DSA;
86885c28 3757 else if (strcmp(etmp, "ECDSA") == 0)
0f113f3e
MC		 3758 sig_alg = EVP_PKEY_EC;
3759 else
3760 return 0;
3761
3762 hash_alg = OBJ_sn2nid(p);
3763 if (hash_alg == NID_undef)
3764 hash_alg = OBJ_ln2nid(p);
3765 if (hash_alg == NID_undef)
3766 return 0;
3767
3768 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3769 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3770 return 0;
3771 }
3772 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3773 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3774 return 1;
3775}
3776
3777/*
3778 * Set suppored signature algorithms based on a colon separated list of the
3779 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3780 */
3dbc46df 3781int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3782{
3783 sig_cb_st sig;
3784 sig.sigalgcnt = 0;
3785 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3786 return 0;
3787 if (c == NULL)
3788 return 1;
3789 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3790}
3791
3792int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3793 int client)
3794{
3795 unsigned char *sigalgs, *sptr;
3796 int rhash, rsign;
3797 size_t i;
3798 if (salglen & 1)
3799 return 0;
3800 sigalgs = OPENSSL_malloc(salglen);
3801 if (sigalgs == NULL)
3802 return 0;
3803 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3804 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3805 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3806
3807 if (rhash == -1 || rsign == -1)
3808 goto err;
3809 *sptr++ = rhash;
3810 *sptr++ = rsign;
3811 }
3812
3813 if (client) {
b548a1f1 3814 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3815 c->client_sigalgs = sigalgs;
3816 c->client_sigalgslen = salglen;
3817 } else {
b548a1f1 3818 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3819 c->conf_sigalgs = sigalgs;
3820 c->conf_sigalgslen = salglen;
3821 }
3822
3823 return 1;
3824
3825 err:
3826 OPENSSL_free(sigalgs);
3827 return 0;
3828}
4453cd8c 3829
d61ff83b 3830static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3831{
3832 int sig_nid;
3833 size_t i;
3834 if (default_nid == -1)
3835 return 1;
3836 sig_nid = X509_get_signature_nid(x);
3837 if (default_nid)
3838 return sig_nid == default_nid ? 1 : 0;
3839 for (i = 0; i < c->shared_sigalgslen; i++)
3840 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3841 return 1;
3842 return 0;
3843}
3844
6dbb6219
DSH		 3845/* Check to see if a certificate issuer name matches list of CA names */
3846static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3847{
3848 X509_NAME *nm;
3849 int i;
3850 nm = X509_get_issuer_name(x);
3851 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3852 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3853 return 1;
3854 }
3855 return 0;
3856}
3857
3858/*
3859 * Check certificate chain is consistent with TLS extensions and is usable by
3860 * server. This servers two purposes: it allows users to check chains before
3861 * passing them to the server and it allows the server to check chains before
3862 * attempting to use them.
d61ff83b 3863 */
6dbb6219
DSH		 3864
3865/* Flags which need to be set for a certificate when stict mode not set */
3866
0f113f3e
MC		 3867# define CERT_PKEY_VALID_FLAGS \
3868 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3869/* Strict mode flags */
0f113f3e
MC		 3870# define CERT_PKEY_STRICT_FLAGS \
3871 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3872 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3873
d61ff83b 3874int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3875 int idx)
3876{
3877 int i;
3878 int rv = 0;
3879 int check_flags = 0, strict_mode;
3880 CERT_PKEY *cpk = NULL;
3881 CERT *c = s->cert;
6383d316 3882 int *pvalid;
0f113f3e
MC		 3883 unsigned int suiteb_flags = tls1_suiteb(s);
3884 /* idx == -1 means checking server chains */
3885 if (idx != -1) {
3886 /* idx == -2 means checking client certificate chains */
3887 if (idx == -2) {
3888 cpk = c->key;
3889 idx = cpk - c->pkeys;
3890 } else
3891 cpk = c->pkeys + idx;
6383d316 3892 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3893 x = cpk->x509;
3894 pk = cpk->privatekey;
3895 chain = cpk->chain;
3896 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3897 /* If no cert or key, forget it */
3898 if (!x || !pk)
3899 goto end;
3900# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3901 /* Allow any certificate to pass test */
3902 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3903 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3904 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3905 *pvalid = rv;
0f113f3e
MC		 3906 return rv;
3907 }
3908# endif
3909 } else {
3910 if (!x || !pk)
d813f9eb 3911 return 0;
0f113f3e
MC		 3912 idx = ssl_cert_type(x, pk);
3913 if (idx == -1)
d813f9eb 3914 return 0;
0f113f3e 3915 cpk = c->pkeys + idx;
6383d316
DSH		 3916 pvalid = s->s3->tmp.valid_flags + idx;
3917
0f113f3e
MC		 3918 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3919 check_flags = CERT_PKEY_STRICT_FLAGS;
3920 else
3921 check_flags = CERT_PKEY_VALID_FLAGS;
3922 strict_mode = 1;
3923 }
3924
3925 if (suiteb_flags) {
3926 int ok;
3927 if (check_flags)
3928 check_flags |= CERT_PKEY_SUITEB;
3929 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3930 if (ok == X509_V_OK)
3931 rv |= CERT_PKEY_SUITEB;
3932 else if (!check_flags)
3933 goto end;
3934 }
3935
3936 /*
3937 * Check all signature algorithms are consistent with signature
3938 * algorithms extension if TLS 1.2 or later and strict mode.
3939 */
3940 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3941 int default_nid;
3942 unsigned char rsign = 0;
76106e60 3943 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3944 default_nid = 0;
3945 /* If no sigalgs extension use defaults from RFC5246 */
3946 else {
3947 switch (idx) {
3948 case SSL_PKEY_RSA_ENC:
3949 case SSL_PKEY_RSA_SIGN:
3950 case SSL_PKEY_DH_RSA:
3951 rsign = TLSEXT_signature_rsa;
3952 default_nid = NID_sha1WithRSAEncryption;
3953 break;
3954
3955 case SSL_PKEY_DSA_SIGN:
3956 case SSL_PKEY_DH_DSA:
3957 rsign = TLSEXT_signature_dsa;
3958 default_nid = NID_dsaWithSHA1;
3959 break;
3960
3961 case SSL_PKEY_ECC:
3962 rsign = TLSEXT_signature_ecdsa;
3963 default_nid = NID_ecdsa_with_SHA1;
3964 break;
3965
3966 default:
3967 default_nid = -1;
3968 break;
3969 }
3970 }
3971 /*
3972 * If peer sent no signature algorithms extension and we have set
3973 * preferred signature algorithms check we support sha1.
3974 */
3975 if (default_nid > 0 && c->conf_sigalgs) {
3976 size_t j;
3977 const unsigned char *p = c->conf_sigalgs;
3978 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3979 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3980 break;
3981 }
3982 if (j == c->conf_sigalgslen) {
3983 if (check_flags)
3984 goto skip_sigs;
3985 else
3986 goto end;
3987 }
3988 }
3989 /* Check signature algorithm of each cert in chain */
3990 if (!tls1_check_sig_alg(c, x, default_nid)) {
3991 if (!check_flags)
3992 goto end;
3993 } else
3994 rv |= CERT_PKEY_EE_SIGNATURE;
3995 rv |= CERT_PKEY_CA_SIGNATURE;
3996 for (i = 0; i < sk_X509_num(chain); i++) {
3997 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3998 if (check_flags) {
3999 rv &= ~CERT_PKEY_CA_SIGNATURE;
4000 break;
4001 } else
4002 goto end;
4003 }
4004 }
4005 }
4006 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4007 else if (check_flags)
4008 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4009 skip_sigs:
4010 /* Check cert parameters are consistent */
4011 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4012 rv |= CERT_PKEY_EE_PARAM;
4013 else if (!check_flags)
4014 goto end;
4015 if (!s->server)
4016 rv |= CERT_PKEY_CA_PARAM;
4017 /* In strict mode check rest of chain too */
4018 else if (strict_mode) {
4019 rv |= CERT_PKEY_CA_PARAM;
4020 for (i = 0; i < sk_X509_num(chain); i++) {
4021 X509 *ca = sk_X509_value(chain, i);
4022 if (!tls1_check_cert_param(s, ca, 0)) {
4023 if (check_flags) {
4024 rv &= ~CERT_PKEY_CA_PARAM;
4025 break;
4026 } else
4027 goto end;
4028 }
4029 }
4030 }
4031 if (!s->server && strict_mode) {
4032 STACK_OF(X509_NAME) *ca_dn;
4033 int check_type = 0;
4034 switch (pk->type) {
4035 case EVP_PKEY_RSA:
4036 check_type = TLS_CT_RSA_SIGN;
4037 break;
4038 case EVP_PKEY_DSA:
4039 check_type = TLS_CT_DSS_SIGN;
4040 break;
4041 case EVP_PKEY_EC:
4042 check_type = TLS_CT_ECDSA_SIGN;
4043 break;
4044 case EVP_PKEY_DH:
4045 case EVP_PKEY_DHX:
4046 {
4047 int cert_type = X509_certificate_type(x, pk);
4048 if (cert_type & EVP_PKS_RSA)
4049 check_type = TLS_CT_RSA_FIXED_DH;
4050 if (cert_type & EVP_PKS_DSA)
4051 check_type = TLS_CT_DSS_FIXED_DH;
4052 }
4053 }
4054 if (check_type) {
4055 const unsigned char *ctypes;
4056 int ctypelen;
4057 if (c->ctypes) {
4058 ctypes = c->ctypes;
4059 ctypelen = (int)c->ctype_num;
4060 } else {
4061 ctypes = (unsigned char *)s->s3->tmp.ctype;
4062 ctypelen = s->s3->tmp.ctype_num;
4063 }
4064 for (i = 0; i < ctypelen; i++) {
4065 if (ctypes[i] == check_type) {
4066 rv |= CERT_PKEY_CERT_TYPE;
4067 break;
4068 }
4069 }
4070 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4071 goto end;
4072 } else
4073 rv |= CERT_PKEY_CERT_TYPE;
4074
4075 ca_dn = s->s3->tmp.ca_names;
4076
4077 if (!sk_X509_NAME_num(ca_dn))
4078 rv |= CERT_PKEY_ISSUER_NAME;
4079
4080 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4081 if (ssl_check_ca_name(ca_dn, x))
4082 rv |= CERT_PKEY_ISSUER_NAME;
4083 }
4084 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4085 for (i = 0; i < sk_X509_num(chain); i++) {
4086 X509 *xtmp = sk_X509_value(chain, i);
4087 if (ssl_check_ca_name(ca_dn, xtmp)) {
4088 rv |= CERT_PKEY_ISSUER_NAME;
4089 break;
4090 }
4091 }
4092 }
4093 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4094 goto end;
4095 } else
4096 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4097
4098 if (!check_flags || (rv & check_flags) == check_flags)
4099 rv |= CERT_PKEY_VALID;
4100
4101 end:
4102
4103 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4104 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4105 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4106 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4107 rv |= CERT_PKEY_SIGN;
4108 } else
4109 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4110
4111 /*
4112 * When checking a CERT_PKEY structure all flags are irrelevant if the
4113 * chain is invalid.
4114 */
4115 if (!check_flags) {
4116 if (rv & CERT_PKEY_VALID)
6383d316 4117 *pvalid = rv;
0f113f3e
MC		 4118 else {
4119 /* Preserve explicit sign flag, clear rest */
6383d316 4120 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4121 return 0;
4122 }
4123 }
4124 return rv;
4125}
d61ff83b
DSH		 4126
4127/* Set validity of certificates in an SSL structure */
4128void tls1_set_cert_validity(SSL *s)
0f113f3e 4129{
17dd65e6
MC		 4130 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4131 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4132 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4133 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4134 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4135 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
0f113f3e
MC		 4136}
4137
18d71588
DSH		 4138/* User level utiity function to check a chain is suitable */
4139int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4140{
4141 return tls1_check_chain(s, x, pk, chain, -1);
4142}
d61ff83b 4143
4453cd8c 4144#endif
09599b52
DSH		 4145
4146#ifndef OPENSSL_NO_DH
4147DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4148{
4149 int dh_secbits = 80;
4150 if (s->cert->dh_tmp_auto == 2)
4151 return DH_get_1024_160();
4152 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
4153 if (s->s3->tmp.new_cipher->strength_bits == 256)
4154 dh_secbits = 128;
4155 else
4156 dh_secbits = 80;
4157 } else {
4158 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4159 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4160 }
4161
4162 if (dh_secbits >= 128) {
4163 DH *dhp = DH_new();
4164 if (!dhp)
4165 return NULL;
4166 dhp->g = BN_new();
4167 if (dhp->g)
4168 BN_set_word(dhp->g, 2);
4169 if (dh_secbits >= 192)
4170 dhp->p = get_rfc3526_prime_8192(NULL);
4171 else
4172 dhp->p = get_rfc3526_prime_3072(NULL);
4173 if (!dhp->p || !dhp->g) {
4174 DH_free(dhp);
4175 return NULL;
4176 }
4177 return dhp;
4178 }
4179 if (dh_secbits >= 112)
4180 return DH_get_2048_224();
4181 return DH_get_1024_160();
4182}
09599b52 4183#endif
b362ccab
DSH		 4184
4185static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4186{
4187 int secbits;
4188 EVP_PKEY *pkey = X509_get_pubkey(x);
4189 if (pkey) {
4190 secbits = EVP_PKEY_security_bits(pkey);
4191 EVP_PKEY_free(pkey);
4192 } else
4193 secbits = -1;
4194 if (s)
4195 return ssl_security(s, op, secbits, 0, x);
4196 else
4197 return ssl_ctx_security(ctx, op, secbits, 0, x);
4198}
b362ccab
DSH		 4199
4200static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4201{
4202 /* Lookup signature algorithm digest */
4203 int secbits = -1, md_nid = NID_undef, sig_nid;
4204 sig_nid = X509_get_signature_nid(x);
4205 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4206 const EVP_MD *md;
4207 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4208 secbits = EVP_MD_size(md) * 4;
4209 }
4210 if (s)
4211 return ssl_security(s, op, secbits, md_nid, x);
4212 else
4213 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4214}
b362ccab
DSH		 4215
4216int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4217{
4218 if (vfy)
4219 vfy = SSL_SECOP_PEER;
4220 if (is_ee) {
4221 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4222 return SSL_R_EE_KEY_TOO_SMALL;
4223 } else {
4224 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4225 return SSL_R_CA_KEY_TOO_SMALL;
4226 }
4227 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4228 return SSL_R_CA_MD_TOO_WEAK;
4229 return 1;
4230}
4231
4232/*
4233 * Check security of a chain, if sk includes the end entity certificate then
4234 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4235 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4236 */
4237
4238int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4239{
4240 int rv, start_idx, i;
4241 if (x == NULL) {
4242 x = sk_X509_value(sk, 0);
4243 start_idx = 1;
4244 } else
4245 start_idx = 0;
4246
4247 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4248 if (rv != 1)
4249 return rv;
4250
4251 for (i = start_idx; i < sk_X509_num(sk); i++) {
4252 x = sk_X509_value(sk, i);
4253 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4254 if (rv != 1)
4255 return rv;
4256 }
4257 return 1;
4258}
A mirror of the official openssl repository