]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add MD5+SHA1
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
6434abbf 124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
2daceb03 127static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 128int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 129
0f113f3e
MC		 130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 tls1_cert_verify_mac,
139 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
140 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
141 tls1_alert_code,
142 tls1_export_keying_material,
143 0,
144 SSL3_HM_HEADER_LENGTH,
145 ssl3_set_handshake_header,
146 ssl3_handshake_write
147};
148
149SSL3_ENC_METHOD const TLSv1_1_enc_data = {
150 tls1_enc,
151 tls1_mac,
152 tls1_setup_key_block,
153 tls1_generate_master_secret,
154 tls1_change_cipher_state,
155 tls1_final_finish_mac,
156 TLS1_FINISH_MAC_LENGTH,
157 tls1_cert_verify_mac,
158 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
159 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
160 tls1_alert_code,
161 tls1_export_keying_material,
162 SSL_ENC_FLAG_EXPLICIT_IV,
163 SSL3_HM_HEADER_LENGTH,
164 ssl3_set_handshake_header,
165 ssl3_handshake_write
166};
167
168SSL3_ENC_METHOD const TLSv1_2_enc_data = {
169 tls1_enc,
170 tls1_mac,
171 tls1_setup_key_block,
172 tls1_generate_master_secret,
173 tls1_change_cipher_state,
174 tls1_final_finish_mac,
175 TLS1_FINISH_MAC_LENGTH,
176 tls1_cert_verify_mac,
177 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
178 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
179 tls1_alert_code,
180 tls1_export_keying_material,
181 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
182 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
183 SSL3_HM_HEADER_LENGTH,
184 ssl3_set_handshake_header,
185 ssl3_handshake_write
186};
58964a49 187
f3b656b2 188long tls1_default_timeout(void)
0f113f3e
MC		 189{
190 /*
191 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
192 * http, the cache would over fill
193 */
194 return (60 * 60 * 2);
195}
58964a49 196
6b691a5c 197int tls1_new(SSL *s)
0f113f3e
MC		 198{
199 if (!ssl3_new(s))
200 return (0);
201 s->method->ssl_clear(s);
202 return (1);
203}
58964a49 204
6b691a5c 205void tls1_free(SSL *s)
0f113f3e 206{
b548a1f1 207 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 208 ssl3_free(s);
209}
58964a49 210
6b691a5c 211void tls1_clear(SSL *s)
0f113f3e
MC		 212{
213 ssl3_clear(s);
214 s->version = s->method->version;
215}
58964a49 216
525de5d3 217#ifndef OPENSSL_NO_EC
eda3766b 218
0f113f3e
MC		 219typedef struct {
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
223} tls_curve_info;
224
225# define TLS_CURVE_CHAR2 0x1
226# define TLS_CURVE_PRIME 0x0
227
228static const tls_curve_info nid_list[] = {
229 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
230 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
231 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
232 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
233 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
234 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
235 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
236 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
237 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
238 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
239 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
240 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
241 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
242 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
243 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
244 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
245 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
246 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
247 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
248 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
249 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
250 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
251 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
252 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
253 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
254 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
255 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
256 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
257};
258
259static const unsigned char ecformats_default[] = {
260 TLSEXT_ECPOINTFORMAT_uncompressed,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263};
264
de57d237
EK		 265/* The client's default curves / the server's 'auto' curves. */
266static const unsigned char eccurves_auto[] = {
267 /* Prefer P-256 which has the fastest and most secure implementations. */
268 0, 23, /* secp256r1 (23) */
269 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 270 0, 25, /* secp521r1 (25) */
271 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 272 0, 27, /* brainpoolP384r1 (27) */
273 0, 24, /* secp384r1 (24) */
de57d237
EK		 274 0, 26, /* brainpoolP256r1 (26) */
275 0, 22, /* secp256k1 (22) */
276 /* >= 256-bit binary curves. */
277 0, 14, /* sect571r1 (14) */
278 0, 13, /* sect571k1 (13) */
279 0, 11, /* sect409k1 (11) */
280 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 281 0, 9, /* sect283k1 (9) */
282 0, 10, /* sect283r1 (10) */
de57d237
EK		 283};
284
285static const unsigned char eccurves_all[] = {
286 /* Prefer P-256 which has the fastest and most secure implementations. */
287 0, 23, /* secp256r1 (23) */
288 /* Other >= 256-bit prime curves. */
289 0, 25, /* secp521r1 (25) */
290 0, 28, /* brainpool512r1 (28) */
291 0, 27, /* brainpoolP384r1 (27) */
292 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 293 0, 26, /* brainpoolP256r1 (26) */
294 0, 22, /* secp256k1 (22) */
de57d237
EK		 295 /* >= 256-bit binary curves. */
296 0, 14, /* sect571r1 (14) */
297 0, 13, /* sect571k1 (13) */
298 0, 11, /* sect409k1 (11) */
299 0, 12, /* sect409r1 (12) */
300 0, 9, /* sect283k1 (9) */
301 0, 10, /* sect283r1 (10) */
302 /*
303 * Remaining curves disabled by default but still permitted if set
304 * via an explicit callback or parameters.
305 */
306 0, 20, /* secp224k1 (20) */
307 0, 21, /* secp224r1 (21) */
308 0, 18, /* secp192k1 (18) */
309 0, 19, /* secp192r1 (19) */
310 0, 15, /* secp160k1 (15) */
311 0, 16, /* secp160r1 (16) */
312 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 313 0, 8, /* sect239k1 (8) */
314 0, 6, /* sect233k1 (6) */
315 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 316 0, 4, /* sect193r1 (4) */
317 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 318 0, 1, /* sect163k1 (1) */
319 0, 2, /* sect163r1 (2) */
320 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 321};
322
de57d237 323
0f113f3e
MC		 324static const unsigned char suiteb_curves[] = {
325 0, TLSEXT_curve_P_256,
326 0, TLSEXT_curve_P_384
327};
2ea80354 328
525de5d3 329int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 330{
331 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 332 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 333 return 0;
334 return nid_list[curve_id - 1].nid;
335}
525de5d3
DSH		 336
337int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 338{
339 /* ECC curves from RFC 4492 and RFC 7027 */
340 switch (nid) {
341 case NID_sect163k1: /* sect163k1 (1) */
342 return 1;
343 case NID_sect163r1: /* sect163r1 (2) */
344 return 2;
345 case NID_sect163r2: /* sect163r2 (3) */
346 return 3;
347 case NID_sect193r1: /* sect193r1 (4) */
348 return 4;
349 case NID_sect193r2: /* sect193r2 (5) */
350 return 5;
351 case NID_sect233k1: /* sect233k1 (6) */
352 return 6;
353 case NID_sect233r1: /* sect233r1 (7) */
354 return 7;
355 case NID_sect239k1: /* sect239k1 (8) */
356 return 8;
357 case NID_sect283k1: /* sect283k1 (9) */
358 return 9;
359 case NID_sect283r1: /* sect283r1 (10) */
360 return 10;
361 case NID_sect409k1: /* sect409k1 (11) */
362 return 11;
363 case NID_sect409r1: /* sect409r1 (12) */
364 return 12;
365 case NID_sect571k1: /* sect571k1 (13) */
366 return 13;
367 case NID_sect571r1: /* sect571r1 (14) */
368 return 14;
369 case NID_secp160k1: /* secp160k1 (15) */
370 return 15;
371 case NID_secp160r1: /* secp160r1 (16) */
372 return 16;
373 case NID_secp160r2: /* secp160r2 (17) */
374 return 17;
375 case NID_secp192k1: /* secp192k1 (18) */
376 return 18;
377 case NID_X9_62_prime192v1: /* secp192r1 (19) */
378 return 19;
379 case NID_secp224k1: /* secp224k1 (20) */
380 return 20;
381 case NID_secp224r1: /* secp224r1 (21) */
382 return 21;
383 case NID_secp256k1: /* secp256k1 (22) */
384 return 22;
385 case NID_X9_62_prime256v1: /* secp256r1 (23) */
386 return 23;
387 case NID_secp384r1: /* secp384r1 (24) */
388 return 24;
389 case NID_secp521r1: /* secp521r1 (25) */
390 return 25;
391 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
392 return 26;
393 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
394 return 27;
395 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
396 return 28;
397 default:
398 return 0;
399 }
400}
401
740580c2
EK		 402/*
403 * Get curves list, if "sess" is set return client curves otherwise
404 * preferred list.
405 * Sets |num_curves| to the number of curves in the list, i.e.,
406 * the length of |pcurves| is 2 * num_curves.
407 * Returns 1 on success and 0 if the client curves list has invalid format.
408 * The latter indicates an internal error: we should not be accepting such
409 * lists in the first place.
410 * TODO(emilia): we should really be storing the curves list in explicitly
411 * parsed form instead. (However, this would affect binary compatibility
412 * so cannot happen in the 1.0.x series.)
fd2b65ce 413 */
740580c2 414static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 415 const unsigned char **pcurves,
416 size_t *num_curves)
417{
418 size_t pcurveslen = 0;
419 if (sess) {
420 *pcurves = s->session->tlsext_ellipticcurvelist;
421 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
422 } else {
423 /* For Suite B mode only include P-256, P-384 */
424 switch (tls1_suiteb(s)) {
425 case SSL_CERT_FLAG_SUITEB_128_LOS:
426 *pcurves = suiteb_curves;
427 pcurveslen = sizeof(suiteb_curves);
428 break;
429
430 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
431 *pcurves = suiteb_curves;
432 pcurveslen = 2;
433 break;
434
435 case SSL_CERT_FLAG_SUITEB_192_LOS:
436 *pcurves = suiteb_curves + 2;
437 pcurveslen = 2;
438 break;
439 default:
440 *pcurves = s->tlsext_ellipticcurvelist;
441 pcurveslen = s->tlsext_ellipticcurvelist_length;
442 }
443 if (!*pcurves) {
6329b609 444 if (!s->server || s->cert->ecdh_tmp_auto) {
de57d237
EK		 445 *pcurves = eccurves_auto;
446 pcurveslen = sizeof(eccurves_auto);
447 } else {
448 *pcurves = eccurves_all;
449 pcurveslen = sizeof(eccurves_all);
450 }
0f113f3e
MC		 451 }
452 }
453
454 /* We do not allow odd length arrays to enter the system. */
455 if (pcurveslen & 1) {
456 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
457 *num_curves = 0;
458 return 0;
459 } else {
460 *num_curves = pcurveslen / 2;
461 return 1;
462 }
463}
b362ccab
DSH		 464
465/* See if curve is allowed by security callback */
466static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 467{
468 const tls_curve_info *cinfo;
469 if (curve[0])
470 return 1;
b6eb9827 471 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 472 return 0;
473 cinfo = &nid_list[curve[1] - 1];
474# ifdef OPENSSL_NO_EC2M
475 if (cinfo->flags & TLS_CURVE_CHAR2)
476 return 0;
477# endif
478 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
479}
b362ccab 480
d18b716d
DSH		 481/* Check a curve is one of our preferences */
482int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 483{
484 const unsigned char *curves;
485 size_t num_curves, i;
486 unsigned int suiteb_flags = tls1_suiteb(s);
487 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
488 return 0;
489 /* Check curve matches Suite B preferences */
490 if (suiteb_flags) {
491 unsigned long cid = s->s3->tmp.new_cipher->id;
492 if (p[1])
493 return 0;
494 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
495 if (p[2] != TLSEXT_curve_P_256)
496 return 0;
497 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
498 if (p[2] != TLSEXT_curve_P_384)
499 return 0;
500 } else /* Should never happen */
501 return 0;
502 }
503 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
504 return 0;
505 for (i = 0; i < num_curves; i++, curves += 2) {
506 if (p[1] == curves[0] && p[2] == curves[1])
507 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
508 }
509 return 0;
510}
d0595f17 511
1d97c843 512/*-
376e2ca3
EK		 513 * Return |nmatch|th shared curve or NID_undef if there is no match.
514 * For nmatch == -1, return number of matches
515 * For nmatch == -2, return the NID of the curve to use for
516 * an EC tmp key, or NID_undef if there is no match.
d0595f17 517 */
a4352630 518int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 519{
520 const unsigned char *pref, *supp;
521 size_t num_pref, num_supp, i, j;
522 int k;
523 /* Can't do anything on client side */
524 if (s->server == 0)
525 return -1;
526 if (nmatch == -2) {
527 if (tls1_suiteb(s)) {
528 /*
529 * For Suite B ciphersuite determines curve: we already know
530 * these are acceptable due to previous checks.
531 */
532 unsigned long cid = s->s3->tmp.new_cipher->id;
533 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
534 return NID_X9_62_prime256v1; /* P-256 */
535 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
536 return NID_secp384r1; /* P-384 */
537 /* Should never happen */
538 return NID_undef;
539 }
540 /* If not Suite B just return first preference shared curve */
541 nmatch = 0;
542 }
543 /*
544 * Avoid truncation. tls1_get_curvelist takes an int
545 * but s->options is a long...
546 */
547 if (!tls1_get_curvelist
548 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
549 &num_supp))
550 /* In practice, NID_undef == 0 but let's be precise. */
551 return nmatch == -1 ? 0 : NID_undef;
552 if (!tls1_get_curvelist
553 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
554 &num_pref))
555 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 556
557 /*
558 * If the client didn't send the elliptic_curves extension all of them
559 * are allowed.
560 */
561 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
562 supp = eccurves_all;
563 num_supp = sizeof(eccurves_all) / 2;
564 } else if (num_pref == 0 &&
565 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
566 pref = eccurves_all;
567 num_pref = sizeof(eccurves_all) / 2;
568 }
569
0f113f3e
MC		 570 k = 0;
571 for (i = 0; i < num_pref; i++, pref += 2) {
572 const unsigned char *tsupp = supp;
573 for (j = 0; j < num_supp; j++, tsupp += 2) {
574 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
575 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
576 continue;
577 if (nmatch == k) {
578 int id = (pref[0] << 8) | pref[1];
579 return tls1_ec_curve_id2nid(id);
580 }
581 k++;
582 }
583 }
584 }
585 if (nmatch == -1)
586 return k;
587 /* Out of range (nmatch > k). */
588 return NID_undef;
589}
d0595f17
DSH		 590
591int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 592 int *curves, size_t ncurves)
593{
594 unsigned char *clist, *p;
595 size_t i;
596 /*
597 * Bitmap of curves included to detect duplicates: only works while curve
598 * ids < 32
599 */
600 unsigned long dup_list = 0;
601 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 602 if (clist == NULL)
0f113f3e
MC		 603 return 0;
604 for (i = 0, p = clist; i < ncurves; i++) {
605 unsigned long idmask;
606 int id;
607 id = tls1_ec_nid2curve_id(curves[i]);
608 idmask = 1L << id;
609 if (!id || (dup_list & idmask)) {
610 OPENSSL_free(clist);
611 return 0;
612 }
613 dup_list |= idmask;
614 s2n(id, p);
615 }
b548a1f1 616 OPENSSL_free(*pext);
0f113f3e
MC		 617 *pext = clist;
618 *pextlen = ncurves * 2;
619 return 1;
620}
621
622# define MAX_CURVELIST 28
623
624typedef struct {
625 size_t nidcnt;
626 int nid_arr[MAX_CURVELIST];
627} nid_cb_st;
d0595f17
DSH		 628
629static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 630{
631 nid_cb_st *narg = arg;
632 size_t i;
633 int nid;
634 char etmp[20];
2747d73c
KR		 635 if (elem == NULL)
636 return 0;
0f113f3e
MC		 637 if (narg->nidcnt == MAX_CURVELIST)
638 return 0;
639 if (len > (int)(sizeof(etmp) - 1))
640 return 0;
641 memcpy(etmp, elem, len);
642 etmp[len] = 0;
643 nid = EC_curve_nist2nid(etmp);
644 if (nid == NID_undef)
645 nid = OBJ_sn2nid(etmp);
646 if (nid == NID_undef)
647 nid = OBJ_ln2nid(etmp);
648 if (nid == NID_undef)
649 return 0;
650 for (i = 0; i < narg->nidcnt; i++)
651 if (narg->nid_arr[i] == nid)
652 return 0;
653 narg->nid_arr[narg->nidcnt++] = nid;
654 return 1;
655}
656
d0595f17 657/* Set curves based on a colon separate list */
0f113f3e
MC		 658int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
659 const char *str)
660{
661 nid_cb_st ncb;
662 ncb.nidcnt = 0;
663 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
664 return 0;
665 if (pext == NULL)
666 return 1;
667 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
668}
669
fd2b65ce
DSH		 670/* For an EC key set TLS id and required compression based on parameters */
671static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 672 EC_KEY *ec)
673{
674 int is_prime, id;
675 const EC_GROUP *grp;
676 const EC_METHOD *meth;
677 if (!ec)
678 return 0;
679 /* Determine if it is a prime field */
680 grp = EC_KEY_get0_group(ec);
681 if (!grp)
682 return 0;
683 meth = EC_GROUP_method_of(grp);
684 if (!meth)
685 return 0;
686 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
687 is_prime = 1;
688 else
689 is_prime = 0;
690 /* Determine curve ID */
691 id = EC_GROUP_get_curve_name(grp);
692 id = tls1_ec_nid2curve_id(id);
693 /* If we have an ID set it, otherwise set arbitrary explicit curve */
694 if (id) {
695 curve_id[0] = 0;
696 curve_id[1] = (unsigned char)id;
697 } else {
698 curve_id[0] = 0xff;
699 if (is_prime)
700 curve_id[1] = 0x01;
701 else
702 curve_id[1] = 0x02;
703 }
704 if (comp_id) {
705 if (EC_KEY_get0_public_key(ec) == NULL)
706 return 0;
707 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
708 if (is_prime)
709 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
710 else
711 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
712 } else
713 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
714 }
715 return 1;
716}
717
fd2b65ce
DSH		 718/* Check an EC key is compatible with extensions */
719static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 720 unsigned char *curve_id, unsigned char *comp_id)
721{
722 const unsigned char *pformats, *pcurves;
723 size_t num_formats, num_curves, i;
724 int j;
725 /*
726 * If point formats extension present check it, otherwise everything is
727 * supported (see RFC4492).
728 */
729 if (comp_id && s->session->tlsext_ecpointformatlist) {
730 pformats = s->session->tlsext_ecpointformatlist;
731 num_formats = s->session->tlsext_ecpointformatlist_length;
732 for (i = 0; i < num_formats; i++, pformats++) {
733 if (*comp_id == *pformats)
734 break;
735 }
736 if (i == num_formats)
737 return 0;
738 }
739 if (!curve_id)
740 return 1;
741 /* Check curve is consistent with client and server preferences */
742 for (j = 0; j <= 1; j++) {
743 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
744 return 0;
b79d2410
MC		 745 if (j == 1 && num_curves == 0) {
746 /*
747 * If we've not received any curves then skip this check.
748 * RFC 4492 does not require the supported elliptic curves extension
749 * so if it is not sent we can just choose any curve.
750 * It is invalid to send an empty list in the elliptic curves
751 * extension, so num_curves == 0 always means no extension.
752 */
753 break;
754 }
0f113f3e
MC		 755 for (i = 0; i < num_curves; i++, pcurves += 2) {
756 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
757 break;
758 }
759 if (i == num_curves)
760 return 0;
761 /* For clients can only check sent curve list */
762 if (!s->server)
763 break;
764 }
765 return 1;
766}
d61ff83b 767
5087afa1 768static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 769 size_t *num_formats)
770{
771 /*
772 * If we have a custom point format list use it otherwise use default
773 */
774 if (s->tlsext_ecpointformatlist) {
775 *pformats = s->tlsext_ecpointformatlist;
776 *num_formats = s->tlsext_ecpointformatlist_length;
777 } else {
778 *pformats = ecformats_default;
779 /* For Suite B we don't support char2 fields */
780 if (tls1_suiteb(s))
781 *num_formats = sizeof(ecformats_default) - 1;
782 else
783 *num_formats = sizeof(ecformats_default);
784 }
785}
786
787/*
788 * Check cert parameters compatible with extensions: currently just checks EC
789 * certificates have compatible curves and compression.
d61ff83b 790 */
2ea80354 791static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 792{
793 unsigned char comp_id, curve_id[2];
794 EVP_PKEY *pkey;
795 int rv;
796 pkey = X509_get_pubkey(x);
797 if (!pkey)
798 return 0;
799 /* If not EC nothing to do */
800 if (pkey->type != EVP_PKEY_EC) {
801 EVP_PKEY_free(pkey);
802 return 1;
803 }
804 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
805 EVP_PKEY_free(pkey);
806 if (!rv)
807 return 0;
808 /*
809 * Can't check curve_id for client certs as we don't have a supported
810 * curves extension.
811 */
812 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
813 if (!rv)
814 return 0;
815 /*
816 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
817 * SHA384+P-384, adjust digest if necessary.
818 */
819 if (set_ee_md && tls1_suiteb(s)) {
820 int check_md;
821 size_t i;
822 CERT *c = s->cert;
823 if (curve_id[0])
824 return 0;
825 /* Check to see we have necessary signing algorithm */
826 if (curve_id[1] == TLSEXT_curve_P_256)
827 check_md = NID_ecdsa_with_SHA256;
828 else if (curve_id[1] == TLSEXT_curve_P_384)
829 check_md = NID_ecdsa_with_SHA384;
830 else
831 return 0; /* Should never happen */
832 for (i = 0; i < c->shared_sigalgslen; i++)
833 if (check_md == c->shared_sigalgs[i].signandhash_nid)
834 break;
835 if (i == c->shared_sigalgslen)
836 return 0;
837 if (set_ee_md == 2) {
838 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 839 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 840 else
d376e57d 841 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 842 }
843 }
844 return rv;
845}
846
10bf4fc2 847# ifndef OPENSSL_NO_EC
fd2b65ce 848/* Check EC temporary key is compatible with client extensions */
2ea80354 849int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e
MC		 850{
851 unsigned char curve_id[2];
852 EC_KEY *ec = s->cert->ecdh_tmp;
853# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
854 /* Allow any curve: not just those peer supports */
855 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
856 return 1;
857# endif
858 /*
859 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
860 * curves permitted.
861 */
862 if (tls1_suiteb(s)) {
863 /* Curve to check determined by ciphersuite */
864 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
865 curve_id[1] = TLSEXT_curve_P_256;
866 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
867 curve_id[1] = TLSEXT_curve_P_384;
868 else
869 return 0;
870 curve_id[0] = 0;
871 /* Check this curve is acceptable */
872 if (!tls1_check_ec_key(s, curve_id, NULL))
873 return 0;
874 /* If auto or setting curve from callback assume OK */
875 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
876 return 1;
877 /* Otherwise check curve is acceptable */
878 else {
879 unsigned char curve_tmp[2];
880 if (!ec)
881 return 0;
882 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
883 return 0;
884 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
885 return 1;
886 return 0;
887 }
888
889 }
890 if (s->cert->ecdh_tmp_auto) {
891 /* Need a shared curve */
892 if (tls1_shared_curve(s, 0))
893 return 1;
894 else
895 return 0;
896 }
897 if (!ec) {
898 if (s->cert->ecdh_tmp_cb)
899 return 1;
900 else
901 return 0;
902 }
903 if (!tls1_set_ec_id(curve_id, NULL, ec))
904 return 0;
d18b716d 905/* Set this to allow use of invalid curves for testing */
0f113f3e
MC		 906# if 0
907 return 1;
908# else
909 return tls1_check_ec_key(s, curve_id, NULL);
910# endif
911}
10bf4fc2 912# endif /* OPENSSL_NO_EC */
d0595f17 913
14536c8c
DSH		 914#else
915
916static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 917{
918 return 1;
919}
14536c8c 920
0f113f3e 921#endif /* OPENSSL_NO_EC */
f1fd4544 922
0f113f3e
MC		 923/*
924 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 925 * customisable at some point, for now include everything we support.
926 */
927
e481f9b9
MC		 928#ifdef OPENSSL_NO_RSA
929# define tlsext_sigalg_rsa(md) /* */
930#else
931# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
932#endif
0f113f3e 933
e481f9b9
MC		 934#ifdef OPENSSL_NO_DSA
935# define tlsext_sigalg_dsa(md) /* */
936#else
937# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
938#endif
0f113f3e 939
e481f9b9
MC		 940#ifdef OPENSSL_NO_EC
941# define tlsext_sigalg_ecdsa(md) /* */
942#else
943# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
944#endif
0f113f3e 945
e481f9b9 946#define tlsext_sigalg(md) \
0f113f3e
MC		 947 tlsext_sigalg_rsa(md) \
948 tlsext_sigalg_dsa(md) \
949 tlsext_sigalg_ecdsa(md)
fc101f88 950
d97ed219 951static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 952 tlsext_sigalg(TLSEXT_hash_sha512)
953 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 954 tlsext_sigalg(TLSEXT_hash_sha256)
955 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 956 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 957#ifndef OPENSSL_NO_GOST
958 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
959 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
960 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
961#endif
fc101f88 962};
0f113f3e 963
e481f9b9 964#ifndef OPENSSL_NO_EC
d97ed219 965static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 966 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
967 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 968};
e481f9b9 969#endif
b7bfe69b 970size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 971{
972 /*
973 * If Suite B mode use Suite B sigalgs only, ignore any other
974 * preferences.
975 */
e481f9b9 976#ifndef OPENSSL_NO_EC
0f113f3e
MC		 977 switch (tls1_suiteb(s)) {
978 case SSL_CERT_FLAG_SUITEB_128_LOS:
979 *psigs = suiteb_sigalgs;
980 return sizeof(suiteb_sigalgs);
981
982 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
983 *psigs = suiteb_sigalgs;
984 return 2;
985
986 case SSL_CERT_FLAG_SUITEB_192_LOS:
987 *psigs = suiteb_sigalgs + 2;
988 return 2;
989 }
e481f9b9 990#endif
0f113f3e
MC		 991 /* If server use client authentication sigalgs if not NULL */
992 if (s->server && s->cert->client_sigalgs) {
993 *psigs = s->cert->client_sigalgs;
994 return s->cert->client_sigalgslen;
995 } else if (s->cert->conf_sigalgs) {
996 *psigs = s->cert->conf_sigalgs;
997 return s->cert->conf_sigalgslen;
998 } else {
999 *psigs = tls12_sigalgs;
e44380a9
DB		 1000#ifndef OPENSSL_NO_GOST
1001 /*
1002 * We expect that GOST 2001 signature and GOST 34.11-94 hash are present in all engines
1003 * and GOST 2012 algorithms are not always present.
1004 * It may change when the old algorithms are deprecated.
1005 */
1006 if ((EVP_get_digestbynid(NID_id_GostR3411_94) != NULL)
1007 && (EVP_get_digestbynid(NID_id_GostR3411_2012_256) == NULL)) {
1008 return sizeof(tls12_sigalgs) - 4;
1009 } else if (EVP_get_digestbynid(NID_id_GostR3411_94) == NULL) {
1010 return sizeof(tls12_sigalgs) - 6;
1011 }
0f113f3e 1012 return sizeof(tls12_sigalgs);
e44380a9
DB		 1013#else
1014 return sizeof(tls12_sigalgs);
1015#endif
0f113f3e
MC		 1016 }
1017}
1018
1019/*
1020 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 1021 * algorithms and if so return relevant digest.
1022 */
1023int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 1024 const unsigned char *sig, EVP_PKEY *pkey)
1025{
1026 const unsigned char *sent_sigs;
1027 size_t sent_sigslen, i;
1028 int sigalg = tls12_get_sigid(pkey);
1029 /* Should never happen */
1030 if (sigalg == -1)
1031 return -1;
1032 /* Check key type is consistent with signature */
1033 if (sigalg != (int)sig[1]) {
1034 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1035 return 0;
1036 }
e481f9b9 1037#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1038 if (pkey->type == EVP_PKEY_EC) {
1039 unsigned char curve_id[2], comp_id;
1040 /* Check compression and curve matches extensions */
1041 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1042 return 0;
1043 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1044 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1045 return 0;
1046 }
1047 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1048 if (tls1_suiteb(s)) {
1049 if (curve_id[0])
1050 return 0;
1051 if (curve_id[1] == TLSEXT_curve_P_256) {
1052 if (sig[0] != TLSEXT_hash_sha256) {
1053 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1054 SSL_R_ILLEGAL_SUITEB_DIGEST);
1055 return 0;
1056 }
1057 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1058 if (sig[0] != TLSEXT_hash_sha384) {
1059 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1060 SSL_R_ILLEGAL_SUITEB_DIGEST);
1061 return 0;
1062 }
1063 } else
1064 return 0;
1065 }
1066 } else if (tls1_suiteb(s))
1067 return 0;
e481f9b9 1068#endif
0f113f3e
MC		 1069
1070 /* Check signature matches a type we sent */
1071 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1072 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1073 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1074 break;
1075 }
1076 /* Allow fallback to SHA1 if not strict mode */
1077 if (i == sent_sigslen
1078 && (sig[0] != TLSEXT_hash_sha1
1079 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1080 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1081 return 0;
1082 }
1083 *pmd = tls12_get_hash(sig[0]);
1084 if (*pmd == NULL) {
1085 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1086 return 0;
1087 }
1088 /* Make sure security callback allows algorithm */
1089 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1090 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1091 (void *)sig)) {
1092 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1093 return 0;
1094 }
1095 /*
1096 * Store the digest used so applications can retrieve it if they wish.
1097 */
d376e57d 1098 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1099 return 1;
1100}
2ea80354 1101
0f113f3e
MC		 1102/*
1103 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1104 * supported or doesn't appear in supported signature algorithms. Unlike
1105 * ssl_cipher_get_disabled this applies to a specific session and not global
1106 * settings.
b7bfe69b
DSH		 1107 */
1108void ssl_set_client_disabled(SSL *s)
0f113f3e 1109{
4d69f9e6
DSH		 1110 s->s3->tmp.mask_a = 0;
1111 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1112 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1113 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1114 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1115 else
4d69f9e6 1116 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1117 /* Disable TLS 1.0 ciphers if using SSL v3 */
1118 if (s->client_version == SSL3_VERSION)
1119 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1120 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1121 /*
1122 * Disable static DH if we don't include any appropriate signature
1123 * algorithms.
1124 */
4d69f9e6
DSH		 1125 if (s->s3->tmp.mask_a & SSL_aRSA)
1126 s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
1127 if (s->s3->tmp.mask_a & SSL_aDSS)
1128 s->s3->tmp.mask_k |= SSL_kDHd;
1129 if (s->s3->tmp.mask_a & SSL_aECDSA)
1130 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1131# ifndef OPENSSL_NO_PSK
1132 /* with PSK there must be client callback set */
1133 if (!s->psk_client_callback) {
4d69f9e6 1134 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1135 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1136 }
e481f9b9
MC		 1137#endif /* OPENSSL_NO_PSK */
1138#ifndef OPENSSL_NO_SRP
0f113f3e 1139 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1140 s->s3->tmp.mask_a |= SSL_aSRP;
1141 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1142 }
e481f9b9 1143#endif
0f113f3e 1144}
fc101f88 1145
b362ccab 1146int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1147{
4d69f9e6
DSH		 1148 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1149 || c->algorithm_mkey & s->s3->tmp.mask_k
1150 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1151 return 1;
1152 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1153}
b362ccab
DSH		 1154
1155static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1156{
1157 if (s->options & SSL_OP_NO_TICKET)
1158 return 0;
1159 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1160}
ed3883d2 1161
0f113f3e
MC		 1162unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1163 unsigned char *limit, int *al)
1164{
1165 int extdatalen = 0;
1166 unsigned char *orig = buf;
1167 unsigned char *ret = buf;
e481f9b9 1168#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1169 /* See if we support any ECC ciphersuites */
1170 int using_ecc = 0;
1171 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1172 int i;
1173 unsigned long alg_k, alg_a;
1174 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1175
1176 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1177 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1178
1179 alg_k = c->algorithm_mkey;
1180 alg_a = c->algorithm_auth;
13be69f3 1181 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
0f113f3e
MC		 1182 || (alg_a & SSL_aECDSA))) {
1183 using_ecc = 1;
1184 break;
1185 }
1186 }
1187 }
e481f9b9 1188#endif
ed3883d2 1189
0f113f3e 1190 ret += 2;
6434abbf 1191
0f113f3e
MC		 1192 if (ret >= limit)
1193 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1194
0f113f3e
MC		 1195 /* Add RI if renegotiating */
1196 if (s->renegotiate) {
1197 int el;
5a3d8eeb 1198
0f113f3e
MC		 1199 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1200 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1201 return NULL;
1202 }
5a3d8eeb 1203
0f113f3e
MC		 1204 if ((limit - ret - 4 - el) < 0)
1205 return NULL;
5a3d8eeb 1206
0f113f3e
MC		 1207 s2n(TLSEXT_TYPE_renegotiate, ret);
1208 s2n(el, ret);
5a3d8eeb 1209
0f113f3e
MC		 1210 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1211 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1212 return NULL;
5a3d8eeb 1213 }
edc032b5 1214
0f113f3e
MC		 1215 ret += el;
1216 }
1217 /* Only add RI for SSLv3 */
1218 if (s->client_version == SSL3_VERSION)
1219 goto done;
1220
1221 if (s->tlsext_hostname != NULL) {
1222 /* Add TLS extension servername to the Client Hello message */
1223 unsigned long size_str;
1224 long lenmax;
1225
50e735f9
MC		 1226 /*-
1227 * check for enough space.
1228 * 4 for the servername type and entension length
1229 * 2 for servernamelist length
1230 * 1 for the hostname type
1231 * 2 for hostname length
1232 * + hostname length
1233 */
0f113f3e
MC		 1234
1235 if ((lenmax = limit - ret - 9) < 0
1236 || (size_str =
1237 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1238 return NULL;
1239
1240 /* extension type and length */
1241 s2n(TLSEXT_TYPE_server_name, ret);
1242 s2n(size_str + 5, ret);
1243
1244 /* length of servername list */
1245 s2n(size_str + 3, ret);
1246
1247 /* hostname type, length and hostname */
1248 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1249 s2n(size_str, ret);
1250 memcpy(ret, s->tlsext_hostname, size_str);
1251 ret += size_str;
1252 }
e481f9b9 1253#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1254 /* Add SRP username if there is one */
1255 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1256 * Client Hello message */
1257
1258 int login_len = strlen(s->srp_ctx.login);
1259 if (login_len > 255 || login_len == 0) {
1260 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1261 return NULL;
1262 }
761772d7 1263
50e735f9
MC		 1264 /*-
1265 * check for enough space.
1266 * 4 for the srp type type and entension length
1267 * 1 for the srp user identity
1268 * + srp user identity length
1269 */
0f113f3e
MC		 1270 if ((limit - ret - 5 - login_len) < 0)
1271 return NULL;
1272
1273 /* fill in the extension */
1274 s2n(TLSEXT_TYPE_srp, ret);
1275 s2n(login_len + 1, ret);
1276 (*ret++) = (unsigned char)login_len;
1277 memcpy(ret, s->srp_ctx.login, login_len);
1278 ret += login_len;
1279 }
e481f9b9 1280#endif
0f113f3e 1281
e481f9b9 1282#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1283 if (using_ecc) {
1284 /*
1285 * Add TLS extension ECPointFormats to the ClientHello message
1286 */
1287 long lenmax;
1288 const unsigned char *pcurves, *pformats;
1289 size_t num_curves, num_formats, curves_list_len;
1290 size_t i;
1291 unsigned char *etmp;
1292
1293 tls1_get_formatlist(s, &pformats, &num_formats);
1294
1295 if ((lenmax = limit - ret - 5) < 0)
1296 return NULL;
1297 if (num_formats > (size_t)lenmax)
1298 return NULL;
1299 if (num_formats > 255) {
1300 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1301 return NULL;
1302 }
4817504d 1303
0f113f3e
MC		 1304 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1305 /* The point format list has 1-byte length. */
1306 s2n(num_formats + 1, ret);
1307 *(ret++) = (unsigned char)num_formats;
1308 memcpy(ret, pformats, num_formats);
1309 ret += num_formats;
1310
1311 /*
1312 * Add TLS extension EllipticCurves to the ClientHello message
1313 */
1314 pcurves = s->tlsext_ellipticcurvelist;
1315 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1316 return NULL;
1317
1318 if ((lenmax = limit - ret - 6) < 0)
1319 return NULL;
1320 if (num_curves > (size_t)lenmax / 2)
1321 return NULL;
1322 if (num_curves > 65532 / 2) {
1323 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1324 return NULL;
1325 }
ee2ffc27 1326
0f113f3e
MC		 1327 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1328 etmp = ret + 4;
1329 /* Copy curve ID if supported */
1330 for (i = 0; i < num_curves; i++, pcurves += 2) {
1331 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1332 *etmp++ = pcurves[0];
1333 *etmp++ = pcurves[1];
1334 }
1335 }
01f2f18f 1336
0f113f3e
MC		 1337 curves_list_len = etmp - ret - 4;
1338
1339 s2n(curves_list_len + 2, ret);
1340 s2n(curves_list_len, ret);
1341 ret += curves_list_len;
1342 }
e481f9b9 1343#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1344
1345 if (tls_use_ticket(s)) {
1346 int ticklen;
1347 if (!s->new_session && s->session && s->session->tlsext_tick)
1348 ticklen = s->session->tlsext_ticklen;
1349 else if (s->session && s->tlsext_session_ticket &&
1350 s->tlsext_session_ticket->data) {
1351 ticklen = s->tlsext_session_ticket->length;
1352 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1353 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1354 return NULL;
1355 memcpy(s->session->tlsext_tick,
1356 s->tlsext_session_ticket->data, ticklen);
1357 s->session->tlsext_ticklen = ticklen;
1358 } else
1359 ticklen = 0;
1360 if (ticklen == 0 && s->tlsext_session_ticket &&
1361 s->tlsext_session_ticket->data == NULL)
1362 goto skip_ext;
1363 /*
1364 * Check for enough room 2 for extension type, 2 for len rest for
1365 * ticket
1366 */
1367 if ((long)(limit - ret - 4 - ticklen) < 0)
1368 return NULL;
1369 s2n(TLSEXT_TYPE_session_ticket, ret);
1370 s2n(ticklen, ret);
1371 if (ticklen) {
1372 memcpy(ret, s->session->tlsext_tick, ticklen);
1373 ret += ticklen;
1374 }
1375 }
1376 skip_ext:
1377
1378 if (SSL_USE_SIGALGS(s)) {
1379 size_t salglen;
1380 const unsigned char *salg;
1381 unsigned char *etmp;
1382 salglen = tls12_get_psigalgs(s, &salg);
1383 if ((size_t)(limit - ret) < salglen + 6)
1384 return NULL;
1385 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1386 etmp = ret;
1387 /* Skip over lengths for now */
1388 ret += 4;
1389 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1390 /* Fill in lengths */
1391 s2n(salglen + 2, etmp);
1392 s2n(salglen, etmp);
1393 ret += salglen;
1394 }
0f113f3e
MC		 1395
1396 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1397 int i;
1398 long extlen, idlen, itmp;
1399 OCSP_RESPID *id;
1400
1401 idlen = 0;
1402 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1403 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1404 itmp = i2d_OCSP_RESPID(id, NULL);
1405 if (itmp <= 0)
1406 return NULL;
1407 idlen += itmp + 2;
860c3dd1
DSH		 1408 }
1409
0f113f3e
MC		 1410 if (s->tlsext_ocsp_exts) {
1411 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1412 if (extlen < 0)
1413 return NULL;
1414 } else
1415 extlen = 0;
1416
1417 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1418 return NULL;
1419 s2n(TLSEXT_TYPE_status_request, ret);
1420 if (extlen + idlen > 0xFFF0)
1421 return NULL;
1422 s2n(extlen + idlen + 5, ret);
1423 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1424 s2n(idlen, ret);
1425 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1426 /* save position of id len */
1427 unsigned char *q = ret;
1428 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1429 /* skip over id len */
1430 ret += 2;
1431 itmp = i2d_OCSP_RESPID(id, &ret);
1432 /* write id len */
1433 s2n(itmp, q);
1434 }
1435 s2n(extlen, ret);
1436 if (extlen > 0)
1437 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1438 }
e481f9b9 1439#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1440 /* Add Heartbeat extension */
1441 if ((limit - ret - 4 - 1) < 0)
1442 return NULL;
1443 s2n(TLSEXT_TYPE_heartbeat, ret);
1444 s2n(1, ret);
50e735f9
MC		 1445 /*-
1446 * Set mode:
1447 * 1: peer may send requests
1448 * 2: peer not allowed to send requests
1449 */
0f113f3e
MC		 1450 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1451 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1452 else
1453 *(ret++) = SSL_TLSEXT_HB_ENABLED;
e481f9b9 1454#endif
0f113f3e 1455
e481f9b9 1456#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1457 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1458 /*
1459 * The client advertises an emtpy extension to indicate its support
1460 * for Next Protocol Negotiation
1461 */
1462 if (limit - ret - 4 < 0)
1463 return NULL;
1464 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1465 s2n(0, ret);
1466 }
e481f9b9 1467#endif
0f113f3e
MC		 1468
1469 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1470 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1471 return NULL;
1472 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1473 s2n(2 + s->alpn_client_proto_list_len, ret);
1474 s2n(s->alpn_client_proto_list_len, ret);
1475 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1476 ret += s->alpn_client_proto_list_len;
1477 }
e481f9b9 1478#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1479 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1480 int el;
1481
69f68237
MC		 1482 /* Returns 0 on success!! */
1483 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1484 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1485 return NULL;
1486 }
0f113f3e
MC		 1487
1488 if ((limit - ret - 4 - el) < 0)
1489 return NULL;
1490
1491 s2n(TLSEXT_TYPE_use_srtp, ret);
1492 s2n(el, ret);
1493
1494 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1495 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1496 return NULL;
1497 }
1498 ret += el;
1499 }
e481f9b9 1500#endif
0f113f3e
MC		 1501 custom_ext_init(&s->cert->cli_ext);
1502 /* Add custom TLS Extensions to ClientHello */
1503 if (!custom_ext_add(s, 0, &ret, limit, al))
1504 return NULL;
e481f9b9 1505#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1506 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1507 s2n(0, ret);
e481f9b9 1508#endif
ddc06b35
DSH		 1509 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1510 s2n(0, ret);
0f113f3e
MC		 1511
1512 /*
1513 * Add padding to workaround bugs in F5 terminators. See
1514 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1515 * code works out the length of all existing extensions it MUST always
1516 * appear last.
1517 */
1518 if (s->options & SSL_OP_TLSEXT_PADDING) {
1519 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1520
0f113f3e
MC		 1521 if (hlen > 0xff && hlen < 0x200) {
1522 hlen = 0x200 - hlen;
1523 if (hlen >= 4)
1524 hlen -= 4;
1525 else
1526 hlen = 0;
1527
1528 s2n(TLSEXT_TYPE_padding, ret);
1529 s2n(hlen, ret);
1530 memset(ret, 0, hlen);
1531 ret += hlen;
1532 }
1533 }
5a3d8eeb 1534
0f113f3e 1535 done:
5a3d8eeb 1536
0f113f3e
MC		 1537 if ((extdatalen = ret - orig - 2) == 0)
1538 return orig;
5a3d8eeb 1539
0f113f3e
MC		 1540 s2n(extdatalen, orig);
1541 return ret;
1542}
333f926d 1543
0f113f3e
MC		 1544unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1545 unsigned char *limit, int *al)
1546{
1547 int extdatalen = 0;
1548 unsigned char *orig = buf;
1549 unsigned char *ret = buf;
e481f9b9 1550#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1551 int next_proto_neg_seen;
e481f9b9
MC		 1552#endif
1553#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1554 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1555 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1556 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1557 || (alg_a & SSL_aECDSA);
1558 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1559#endif
0f113f3e
MC		 1560
1561 ret += 2;
1562 if (ret >= limit)
1563 return NULL; /* this really never occurs, but ... */
1564
1565 if (s->s3->send_connection_binding) {
1566 int el;
1567
1568 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1569 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1570 return NULL;
1571 }
333f926d 1572
0f113f3e
MC		 1573 if ((limit - ret - 4 - el) < 0)
1574 return NULL;
333f926d 1575
0f113f3e
MC		 1576 s2n(TLSEXT_TYPE_renegotiate, ret);
1577 s2n(el, ret);
333f926d 1578
0f113f3e
MC		 1579 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1580 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1581 return NULL;
1582 }
333f926d 1583
0f113f3e
MC		 1584 ret += el;
1585 }
1586
1587 /* Only add RI for SSLv3 */
1588 if (s->version == SSL3_VERSION)
1589 goto done;
1590
1591 if (!s->hit && s->servername_done == 1
1592 && s->session->tlsext_hostname != NULL) {
1593 if ((long)(limit - ret - 4) < 0)
1594 return NULL;
1595
1596 s2n(TLSEXT_TYPE_server_name, ret);
1597 s2n(0, ret);
1598 }
e481f9b9 1599#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1600 if (using_ecc) {
1601 const unsigned char *plist;
1602 size_t plistlen;
1603 /*
1604 * Add TLS extension ECPointFormats to the ServerHello message
1605 */
1606 long lenmax;
1607
1608 tls1_get_formatlist(s, &plist, &plistlen);
1609
1610 if ((lenmax = limit - ret - 5) < 0)
1611 return NULL;
1612 if (plistlen > (size_t)lenmax)
1613 return NULL;
1614 if (plistlen > 255) {
1615 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1616 return NULL;
1617 }
4817504d 1618
0f113f3e
MC		 1619 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1620 s2n(plistlen + 1, ret);
1621 *(ret++) = (unsigned char)plistlen;
1622 memcpy(ret, plist, plistlen);
1623 ret += plistlen;
1624
1625 }
1626 /*
1627 * Currently the server should not respond with a SupportedCurves
1628 * extension
1629 */
e481f9b9 1630#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1631
1632 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1633 if ((long)(limit - ret - 4) < 0)
1634 return NULL;
1635 s2n(TLSEXT_TYPE_session_ticket, ret);
1636 s2n(0, ret);
1637 }
1638
1639 if (s->tlsext_status_expected) {
1640 if ((long)(limit - ret - 4) < 0)
1641 return NULL;
1642 s2n(TLSEXT_TYPE_status_request, ret);
1643 s2n(0, ret);
1644 }
0f113f3e 1645
e481f9b9 1646#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1647 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1648 int el;
1649
69f68237 1650 /* Returns 0 on success!! */
61986d32 1651 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1652 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1653 return NULL;
1654 }
0f113f3e
MC		 1655 if ((limit - ret - 4 - el) < 0)
1656 return NULL;
1657
1658 s2n(TLSEXT_TYPE_use_srtp, ret);
1659 s2n(el, ret);
1660
1661 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1662 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1663 return NULL;
1664 }
1665 ret += el;
1666 }
e481f9b9 1667#endif
0f113f3e
MC		 1668
1669 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1670 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1671 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1672 const unsigned char cryptopro_ext[36] = {
1673 0xfd, 0xe8, /* 65000 */
1674 0x00, 0x20, /* 32 bytes length */
1675 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1676 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1677 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1678 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1679 };
1680 if (limit - ret < 36)
1681 return NULL;
1682 memcpy(ret, cryptopro_ext, 36);
1683 ret += 36;
1684
1685 }
e481f9b9 1686#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1687 /* Add Heartbeat extension if we've received one */
1688 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1689 if ((limit - ret - 4 - 1) < 0)
1690 return NULL;
1691 s2n(TLSEXT_TYPE_heartbeat, ret);
1692 s2n(1, ret);
50e735f9
MC		 1693 /*-
1694 * Set mode:
1695 * 1: peer may send requests
1696 * 2: peer not allowed to send requests
1697 */
0f113f3e
MC		 1698 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1699 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1700 else
1701 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1702
1703 }
e481f9b9 1704#endif
0f113f3e 1705
e481f9b9 1706#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1707 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1708 s->s3->next_proto_neg_seen = 0;
1709 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1710 const unsigned char *npa;
1711 unsigned int npalen;
1712 int r;
1713
1714 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1715 s->
1716 ctx->next_protos_advertised_cb_arg);
1717 if (r == SSL_TLSEXT_ERR_OK) {
1718 if ((long)(limit - ret - 4 - npalen) < 0)
1719 return NULL;
1720 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1721 s2n(npalen, ret);
1722 memcpy(ret, npa, npalen);
1723 ret += npalen;
1724 s->s3->next_proto_neg_seen = 1;
1725 }
1726 }
e481f9b9 1727#endif
0f113f3e
MC		 1728 if (!custom_ext_add(s, 1, &ret, limit, al))
1729 return NULL;
e481f9b9 1730#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1731 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1732 /*
1733 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1734 * for other cases too.
1735 */
1736 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1737 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1738 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1739 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1740 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1741 else {
1742 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1743 s2n(0, ret);
1744 }
1745 }
e481f9b9 1746#endif
ddc06b35
DSH		 1747 if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
1748 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1749 s2n(0, ret);
1750 }
0f113f3e
MC		 1751
1752 if (s->s3->alpn_selected) {
1753 const unsigned char *selected = s->s3->alpn_selected;
1754 unsigned len = s->s3->alpn_selected_len;
1755
1756 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1757 return NULL;
1758 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1759 s2n(3 + len, ret);
1760 s2n(1 + len, ret);
1761 *ret++ = len;
1762 memcpy(ret, selected, len);
1763 ret += len;
1764 }
1765
1766 done:
1767
1768 if ((extdatalen = ret - orig - 2) == 0)
1769 return orig;
1770
1771 s2n(extdatalen, orig);
1772 return ret;
1773}
a398f821 1774
0f113f3e
MC		 1775/*
1776 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1777 * ClientHello. data: the contents of the extension, not including the type
1778 * and length. data_len: the number of bytes in |data| al: a pointer to the
1779 * alert value to send in the event of a non-zero return. returns: 0 on
1780 * success.
1781 */
9ceb2426 1782static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1783{
9ceb2426
MC		 1784 unsigned int data_len;
1785 unsigned int proto_len;
0f113f3e 1786 const unsigned char *selected;
9ceb2426 1787 unsigned char *data;
0f113f3e
MC		 1788 unsigned char selected_len;
1789 int r;
1790
1791 if (s->ctx->alpn_select_cb == NULL)
1792 return 0;
1793
0f113f3e
MC		 1794 /*
1795 * data should contain a uint16 length followed by a series of 8-bit,
1796 * length-prefixed strings.
1797 */
9ceb2426
MC		 1798 if (!PACKET_get_net_2(pkt, &data_len)
1799 || PACKET_remaining(pkt) != data_len
1800 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1801 goto parse_error;
1802
9ceb2426
MC		 1803 do {
1804 if (!PACKET_get_1(pkt, &proto_len)
1805 || proto_len == 0
1806 || !PACKET_forward(pkt, proto_len))
0f113f3e 1807 goto parse_error;
9ceb2426 1808 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1809
1810 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1811 s->ctx->alpn_select_cb_arg);
1812 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1813 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1814 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1815 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1816 *al = SSL_AD_INTERNAL_ERROR;
1817 return -1;
1818 }
1819 memcpy(s->s3->alpn_selected, selected, selected_len);
1820 s->s3->alpn_selected_len = selected_len;
1821 }
1822 return 0;
1823
1824 parse_error:
1825 *al = SSL_AD_DECODE_ERROR;
1826 return -1;
1827}
6f017a8f 1828
e481f9b9 1829#ifndef OPENSSL_NO_EC
1d97c843
TH		 1830/*-
1831 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1832 * SecureTransport using the TLS extension block in |d|, of length |n|.
1833 * Safari, since 10.6, sends exactly these extensions, in this order:
1834 * SNI,
1835 * elliptic_curves
1836 * ec_point_formats
1837 *
1838 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1839 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1840 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1841 * 10.8..10.8.3 (which don't work).
1842 */
68a16628 1843static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1844{
9ceb2426
MC		 1845 unsigned int type, size;
1846 unsigned char *eblock1, *eblock2;
68a16628 1847 PACKET tmppkt;
9ceb2426 1848
0f113f3e
MC		 1849 static const unsigned char kSafariExtensionsBlock[] = {
1850 0x00, 0x0a, /* elliptic_curves extension */
1851 0x00, 0x08, /* 8 bytes */
1852 0x00, 0x06, /* 6 bytes of curve ids */
1853 0x00, 0x17, /* P-256 */
1854 0x00, 0x18, /* P-384 */
1855 0x00, 0x19, /* P-521 */
1856
1857 0x00, 0x0b, /* ec_point_formats */
1858 0x00, 0x02, /* 2 bytes */
1859 0x01, /* 1 point format */
1860 0x00, /* uncompressed */
1861 };
1862
1863 /* The following is only present in TLS 1.2 */
1864 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1865 0x00, 0x0d, /* signature_algorithms */
1866 0x00, 0x0c, /* 12 bytes */
1867 0x00, 0x0a, /* 10 bytes */
1868 0x05, 0x01, /* SHA-384/RSA */
1869 0x04, 0x01, /* SHA-256/RSA */
1870 0x02, 0x01, /* SHA-1/RSA */
1871 0x04, 0x03, /* SHA-256/ECDSA */
1872 0x02, 0x03, /* SHA-1/ECDSA */
1873 };
1874
68a16628
MC		 1875 tmppkt = *pkt;
1876
1877 if (!PACKET_forward(&tmppkt, 2)
1878 || !PACKET_get_net_2(&tmppkt, &type)
1879 || !PACKET_get_net_2(&tmppkt, &size)
1880 || !PACKET_forward(&tmppkt, size))
0f113f3e 1881 return;
0f113f3e
MC		 1882
1883 if (type != TLSEXT_TYPE_server_name)
1884 return;
1885
0f113f3e
MC		 1886 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1887 const size_t len1 = sizeof(kSafariExtensionsBlock);
1888 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1889
68a16628
MC		 1890 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1891 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1892 || PACKET_remaining(&tmppkt))
0f113f3e 1893 return;
9ceb2426 1894 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1895 return;
9ceb2426 1896 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1897 return;
1898 } else {
1899 const size_t len = sizeof(kSafariExtensionsBlock);
1900
68a16628
MC		 1901 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1902 || PACKET_remaining(&tmppkt))
0f113f3e 1903 return;
9ceb2426 1904 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1905 return;
1906 }
1907
1908 s->s3->is_probably_safari = 1;
dece3209 1909}
e481f9b9 1910#endif /* !OPENSSL_NO_EC */
0f113f3e 1911
9ceb2426 1912static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1913{
9ceb2426
MC		 1914 unsigned int type;
1915 unsigned int size;
1916 unsigned int len;
1917 unsigned char *data;
0f113f3e
MC		 1918 int renegotiate_seen = 0;
1919
1920 s->servername_done = 0;
1921 s->tlsext_status_type = -1;
e481f9b9 1922#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1923 s->s3->next_proto_neg_seen = 0;
e481f9b9 1924#endif
0f113f3e 1925
b548a1f1
RS		 1926 OPENSSL_free(s->s3->alpn_selected);
1927 s->s3->alpn_selected = NULL;
e481f9b9 1928#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1929 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1930 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1931#endif
0f113f3e 1932
e481f9b9 1933#ifndef OPENSSL_NO_EC
0f113f3e 1934 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1935 ssl_check_for_safari(s, pkt);
1936# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1937
1938 /* Clear any signature algorithms extension received */
76106e60
DSH		 1939 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1940 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1941#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1942 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1943#endif
0f113f3e 1944
e481f9b9 1945#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1946 OPENSSL_free(s->srp_ctx.login);
1947 s->srp_ctx.login = NULL;
e481f9b9 1948#endif
0f113f3e
MC		 1949
1950 s->srtp_profile = NULL;
1951
9ceb2426 1952 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1953 goto ri_check;
1954
9ceb2426 1955 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1956 goto err;
1957
52a48f9e
AG		 1958 if (PACKET_remaining(pkt) != len)
1959 goto err;
1960
9ceb2426
MC		 1961 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1962 PACKET subpkt;
0f113f3e 1963
9ceb2426 1964 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1965 goto err;
9ceb2426 1966
0f113f3e
MC		 1967 if (s->tlsext_debug_cb)
1968 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1969
1970 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1971 goto err;
1972
0f113f3e 1973 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1974 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1975 return 0;
1976 renegotiate_seen = 1;
1977 } else if (s->version == SSL3_VERSION) {
1978 }
1d97c843
TH		 1979/*-
1980 * The servername extension is treated as follows:
1981 *
1982 * - Only the hostname type is supported with a maximum length of 255.
1983 * - The servername is rejected if too long or if it contains zeros,
1984 * in which case an fatal alert is generated.
1985 * - The servername field is maintained together with the session cache.
1986 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1987 * to allow the application to position itself to the right context.
1988 * - The servername is acknowledged if it is new for a session or when
1989 * it is identical to a previously used for the same session.
1d97c843
TH		 1990 * Applications can control the behaviour. They can at any time
1991 * set a 'desirable' servername for a new SSL object. This can be the
1992 * case for example with HTTPS when a Host: header field is received and
1993 * a renegotiation is requested. In this case, a possible servername
1994 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1995 * the value of the Host: field.
1d97c843 1996 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1997 * if they provide for changing an explicit servername context for the
1998 * session, i.e. when the session has been established with a servername
1999 * extension.
2000 * - On session reconnect, the servername extension may be absent.
1d97c843 2001 *
0f113f3e 2002 */
ed3883d2 2003
0f113f3e
MC		 2004 else if (type == TLSEXT_TYPE_server_name) {
2005 unsigned char *sdata;
9ceb2426
MC		 2006 unsigned int servname_type;
2007 unsigned int dsize;
2008 PACKET ssubpkt;
0f113f3e 2009
9ceb2426
MC		 2010 if (!PACKET_get_net_2(&subpkt, &dsize)
2011 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2012 goto err;
0f113f3e 2013
9ceb2426
MC		 2014 while (PACKET_remaining(&ssubpkt) > 3) {
2015 if (!PACKET_get_1(&ssubpkt, &servname_type)
2016 || !PACKET_get_net_2(&ssubpkt, &len)
2017 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 2018 goto err;
2019
0f113f3e
MC		 2020 if (s->servername_done == 0)
2021 switch (servname_type) {
2022 case TLSEXT_NAMETYPE_host_name:
2023 if (!s->hit) {
54e3ad00
MC		 2024 if (s->session->tlsext_hostname)
2025 goto err;
2026
0f113f3e
MC		 2027 if (len > TLSEXT_MAXLEN_host_name) {
2028 *al = TLS1_AD_UNRECOGNIZED_NAME;
2029 return 0;
2030 }
2031 if ((s->session->tlsext_hostname =
2032 OPENSSL_malloc(len + 1)) == NULL) {
2033 *al = TLS1_AD_INTERNAL_ERROR;
2034 return 0;
2035 }
9ceb2426
MC		 2036 if (!PACKET_copy_bytes(&ssubpkt,
2037 (unsigned char *)s->session
2038 ->tlsext_hostname,
2039 len)) {
2040 *al = SSL_AD_DECODE_ERROR;
2041 return 0;
2042 }
0f113f3e
MC		 2043 s->session->tlsext_hostname[len] = '\0';
2044 if (strlen(s->session->tlsext_hostname) != len) {
2045 OPENSSL_free(s->session->tlsext_hostname);
2046 s->session->tlsext_hostname = NULL;
2047 *al = TLS1_AD_UNRECOGNIZED_NAME;
2048 return 0;
2049 }
2050 s->servername_done = 1;
761772d7 2051
9ceb2426
MC		 2052 } else {
2053 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2054 *al = SSL_AD_DECODE_ERROR;
2055 return 0;
2056 }
0f113f3e
MC		 2057 s->servername_done = s->session->tlsext_hostname
2058 && strlen(s->session->tlsext_hostname) == len
2059 && strncmp(s->session->tlsext_hostname,
2060 (char *)sdata, len) == 0;
9ceb2426 2061 }
b2284ed3 2062
0f113f3e 2063 break;
ee2ffc27 2064
0f113f3e
MC		 2065 default:
2066 break;
2067 }
0f113f3e 2068 }
9ceb2426 2069 /* We shouldn't have any bytes left */
bc6616a4 2070 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2071 goto err;
6f017a8f 2072
0f113f3e 2073 }
e481f9b9 2074#ifndef OPENSSL_NO_SRP
0f113f3e 2075 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2076 if (!PACKET_get_1(&subpkt, &len)
2077 || s->srp_ctx.login != NULL)
54e3ad00 2078 goto err;
9ceb2426 2079
0f113f3e
MC		 2080 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2081 return -1;
9ceb2426
MC		 2082 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2083 len))
2084 goto err;
0f113f3e
MC		 2085 s->srp_ctx.login[len] = '\0';
2086
9ceb2426
MC		 2087 if (strlen(s->srp_ctx.login) != len
2088 || PACKET_remaining(&subpkt))
54e3ad00 2089 goto err;
0f113f3e 2090 }
e481f9b9 2091#endif
0f113f3e 2092
e481f9b9 2093#ifndef OPENSSL_NO_EC
0f113f3e 2094 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2095 unsigned int ecpointformatlist_length;
0f113f3e 2096
9ceb2426
MC		 2097 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2098 || ecpointformatlist_length == 0)
54e3ad00 2099 goto err;
9ceb2426 2100
0f113f3e 2101 if (!s->hit) {
b548a1f1
RS		 2102 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2103 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2104 s->session->tlsext_ecpointformatlist_length = 0;
2105 if ((s->session->tlsext_ecpointformatlist =
2106 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2107 *al = TLS1_AD_INTERNAL_ERROR;
2108 return 0;
2109 }
2110 s->session->tlsext_ecpointformatlist_length =
2111 ecpointformatlist_length;
9ceb2426
MC		 2112 if (!PACKET_copy_bytes(&subpkt,
2113 s->session->tlsext_ecpointformatlist,
2114 ecpointformatlist_length))
2115 goto err;
2116 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2117 goto err;
2118 }
2119 /* We should have consumed all the bytes by now */
2120 if (PACKET_remaining(&subpkt)) {
2121 *al = TLS1_AD_DECODE_ERROR;
2122 return 0;
0f113f3e 2123 }
0f113f3e 2124 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2125 unsigned int ellipticcurvelist_length;
0f113f3e 2126
9ceb2426
MC		 2127 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2128 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2129 || ellipticcurvelist_length == 0
2130 || (ellipticcurvelist_length & 1) != 0)
2131 goto err;
54e3ad00 2132
0f113f3e 2133 if (!s->hit) {
54e3ad00
MC		 2134 if (s->session->tlsext_ellipticcurvelist)
2135 goto err;
2136
0f113f3e
MC		 2137 s->session->tlsext_ellipticcurvelist_length = 0;
2138 if ((s->session->tlsext_ellipticcurvelist =
2139 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2140 *al = TLS1_AD_INTERNAL_ERROR;
2141 return 0;
2142 }
2143 s->session->tlsext_ellipticcurvelist_length =
2144 ellipticcurvelist_length;
9ceb2426
MC		 2145 if (!PACKET_copy_bytes(&subpkt,
2146 s->session->tlsext_ellipticcurvelist,
2147 ellipticcurvelist_length))
2148 goto err;
2149 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2150 goto err;
2151 }
2152 /* We should have consumed all the bytes by now */
2153 if (PACKET_remaining(&subpkt)) {
2154 goto err;
0f113f3e 2155 }
0f113f3e 2156 }
e481f9b9 2157#endif /* OPENSSL_NO_EC */
0f113f3e 2158 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2159 if (!PACKET_forward(&subpkt, size)
2160 || (s->tls_session_ticket_ext_cb &&
2161 !s->tls_session_ticket_ext_cb(s, data, size,
2162 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2163 *al = TLS1_AD_INTERNAL_ERROR;
2164 return 0;
2165 }
2166 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2167 unsigned int dsize;
2168
2169 if (s->s3->tmp.peer_sigalgs
2170 || !PACKET_get_net_2(&subpkt, &dsize)
2171 || (dsize & 1) != 0
2172 || (dsize == 0)
2173 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2174 || PACKET_remaining(&subpkt) != 0
9ceb2426 2175 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2176 goto err;
9ceb2426 2177 }
0f113f3e 2178 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2179 PACKET ssubpkt;
0f113f3e 2180
9ceb2426
MC		 2181 if (!PACKET_get_1(&subpkt,
2182 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2183 goto err;
0f113f3e 2184
0f113f3e
MC		 2185 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2186 const unsigned char *sdata;
9ceb2426 2187 unsigned int dsize;
0f113f3e 2188 /* Read in responder_id_list */
9ceb2426
MC		 2189 if (!PACKET_get_net_2(&subpkt, &dsize)
2190 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2191 goto err;
9ceb2426
MC		 2192
2193 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2194 OCSP_RESPID *id;
9ceb2426
MC		 2195 unsigned int idsize;
2196
2197 if (PACKET_remaining(&ssubpkt) < 4
2198 || !PACKET_get_net_2(&ssubpkt, &idsize)
2199 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2200 goto err;
9ceb2426 2201 }
0f113f3e
MC		 2202 sdata = data;
2203 data += idsize;
2204 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2205 if (!id)
2206 goto err;
0f113f3e
MC		 2207 if (data != sdata) {
2208 OCSP_RESPID_free(id);
54e3ad00 2209 goto err;
0f113f3e
MC		 2210 }
2211 if (!s->tlsext_ocsp_ids
2212 && !(s->tlsext_ocsp_ids =
2213 sk_OCSP_RESPID_new_null())) {
2214 OCSP_RESPID_free(id);
2215 *al = SSL_AD_INTERNAL_ERROR;
2216 return 0;
2217 }
2218 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2219 OCSP_RESPID_free(id);
2220 *al = SSL_AD_INTERNAL_ERROR;
2221 return 0;
2222 }
2223 }
4817504d 2224
0f113f3e 2225 /* Read in request_extensions */
9ceb2426
MC		 2226 if (!PACKET_get_net_2(&subpkt, &dsize)
2227 || !PACKET_get_bytes(&subpkt, &data, dsize)
2228 || PACKET_remaining(&subpkt)) {
54e3ad00 2229 goto err;
9ceb2426 2230 }
0f113f3e
MC		 2231 sdata = data;
2232 if (dsize > 0) {
222561fe
RS		 2233 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2234 X509_EXTENSION_free);
0f113f3e
MC		 2235 s->tlsext_ocsp_exts =
2236 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2237 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2238 goto err;
0f113f3e
MC		 2239 }
2240 }
2241 /*
2242 * We don't know what to do with any other type * so ignore it.
2243 */
2244 else
2245 s->tlsext_status_type = -1;
2246 }
e481f9b9 2247#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2248 else if (type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2249 unsigned int hbtype;
2250
2251 if (!PACKET_get_1(&subpkt, &hbtype)
2252 || PACKET_remaining(&subpkt)) {
2253 *al = SSL_AD_DECODE_ERROR;
2254 return 0;
2255 }
2256 switch (hbtype) {
0f113f3e
MC		 2257 case 0x01: /* Client allows us to send HB requests */
2258 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2259 break;
2260 case 0x02: /* Client doesn't accept HB requests */
2261 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2262 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2263 break;
2264 default:
2265 *al = SSL_AD_ILLEGAL_PARAMETER;
2266 return 0;
2267 }
2268 }
e481f9b9
MC		 2269#endif
2270#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2271 else if (type == TLSEXT_TYPE_next_proto_neg &&
2272 s->s3->tmp.finish_md_len == 0 &&
2273 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2274 /*-
2275 * We shouldn't accept this extension on a
2276 * renegotiation.
2277 *
2278 * s->new_session will be set on renegotiation, but we
2279 * probably shouldn't rely that it couldn't be set on
2280 * the initial renegotation too in certain cases (when
2281 * there's some other reason to disallow resuming an
2282 * earlier session -- the current code won't be doing
2283 * anything like that, but this might change).
2284 *
2285 * A valid sign that there's been a previous handshake
2286 * in this connection is if s->s3->tmp.finish_md_len >
2287 * 0. (We are talking about a check that will happen
2288 * in the Hello protocol round, well before a new
2289 * Finished message could have been computed.)
2290 */
0f113f3e
MC		 2291 s->s3->next_proto_neg_seen = 1;
2292 }
e481f9b9 2293#endif
0f113f3e
MC		 2294
2295 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2296 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2297 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2298 return 0;
e481f9b9 2299#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2300 /* ALPN takes precedence over NPN. */
2301 s->s3->next_proto_neg_seen = 0;
e481f9b9 2302#endif
0f113f3e 2303 }
5e3ff62c 2304
0f113f3e 2305 /* session ticket processed earlier */
e481f9b9 2306#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2307 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2308 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2309 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2310 return 0;
2311 }
e481f9b9
MC		 2312#endif
2313#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2314 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2315 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2316#endif
ddc06b35
DSH		 2317 else if (type == TLSEXT_TYPE_extended_master_secret) {
2318 if (!s->hit)
2319 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2320 }
0f113f3e
MC		 2321 /*
2322 * If this ClientHello extension was unhandled and this is a
2323 * nonresumed connection, check whether the extension is a custom
2324 * TLS Extension (has a custom_srv_ext_record), and if so call the
2325 * callback and record the extension number so that an appropriate
2326 * ServerHello may be later returned.
2327 */
2328 else if (!s->hit) {
2329 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2330 return 0;
2331 }
0f113f3e 2332 }
6f017a8f 2333
54e3ad00 2334 /* Spurious data on the end */
9ceb2426 2335 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2336 goto err;
2337
0f113f3e 2338 ri_check:
ed3883d2 2339
0f113f3e
MC		 2340 /* Need RI if renegotiating */
2341
2342 if (!renegotiate_seen && s->renegotiate &&
2343 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2344 *al = SSL_AD_HANDSHAKE_FAILURE;
2345 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2346 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2347 return 0;
2348 }
2349
2350 return 1;
54e3ad00
MC		 2351err:
2352 *al = SSL_AD_DECODE_ERROR;
2353 return 0;
0f113f3e
MC		 2354}
2355
9ceb2426 2356int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2357{
2358 int al = -1;
2359 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2360 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2361 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2362 return 0;
2363 }
2364
2365 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2366 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2367 return 0;
2368 }
2369 return 1;
2370}
2371
e481f9b9 2372#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2373/*
2374 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2375 * elements of zero length are allowed and the set of elements must exactly
2376 * fill the length of the block.
2377 */
50932c4a 2378static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2379{
50932c4a 2380 unsigned int len;
0f113f3e 2381
50932c4a
MC		 2382 while (PACKET_remaining(pkt)) {
2383 if (!PACKET_get_1(pkt, &len)
2384 || !PACKET_forward(pkt, len))
0f113f3e 2385 return 0;
0f113f3e
MC		 2386 }
2387
50932c4a 2388 return 1;
0f113f3e 2389}
e481f9b9 2390#endif
0f113f3e 2391
50932c4a 2392static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2393{
50932c4a 2394 unsigned int length, type, size;
0f113f3e
MC		 2395 int tlsext_servername = 0;
2396 int renegotiate_seen = 0;
2397
e481f9b9 2398#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2399 s->s3->next_proto_neg_seen = 0;
e481f9b9 2400#endif
0f113f3e
MC		 2401 s->tlsext_ticket_expected = 0;
2402
b548a1f1
RS		 2403 OPENSSL_free(s->s3->alpn_selected);
2404 s->s3->alpn_selected = NULL;
e481f9b9 2405#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 2406 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2407 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2408#endif
0f113f3e 2409
e481f9b9 2410#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2411 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2412#endif
0f113f3e 2413
50932c4a 2414 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2415 goto ri_check;
2416
50932c4a 2417 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2418 *al = SSL_AD_DECODE_ERROR;
2419 return 0;
2420 }
2421
50932c4a
MC		 2422 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2423 unsigned char *data;
2424 PACKET spkt;
0f113f3e 2425
50932c4a
MC		 2426 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2427 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2428 goto ri_check;
2429
2430 if (s->tlsext_debug_cb)
2431 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2432
2433 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2434 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2435 return 0;
2436 renegotiate_seen = 1;
2437 } else if (s->version == SSL3_VERSION) {
2438 } else if (type == TLSEXT_TYPE_server_name) {
2439 if (s->tlsext_hostname == NULL || size > 0) {
2440 *al = TLS1_AD_UNRECOGNIZED_NAME;
2441 return 0;
2442 }
2443 tlsext_servername = 1;
2444 }
e481f9b9 2445#ifndef OPENSSL_NO_EC
0f113f3e 2446 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2447 unsigned int ecpointformatlist_length;
2448 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2449 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2450 *al = TLS1_AD_DECODE_ERROR;
2451 return 0;
2452 }
2453 if (!s->hit) {
2454 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2455 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2456 if ((s->session->tlsext_ecpointformatlist =
2457 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2458 *al = TLS1_AD_INTERNAL_ERROR;
2459 return 0;
2460 }
2461 s->session->tlsext_ecpointformatlist_length =
2462 ecpointformatlist_length;
50932c4a
MC		 2463 if (!PACKET_copy_bytes(&spkt,
2464 s->session->tlsext_ecpointformatlist,
2465 ecpointformatlist_length)) {
2466 *al = TLS1_AD_DECODE_ERROR;
2467 return 0;
2468 }
2469
0f113f3e 2470 }
0f113f3e 2471 }
e481f9b9 2472#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2473
2474 else if (type == TLSEXT_TYPE_session_ticket) {
2475 if (s->tls_session_ticket_ext_cb &&
2476 !s->tls_session_ticket_ext_cb(s, data, size,
2477 s->tls_session_ticket_ext_cb_arg))
2478 {
2479 *al = TLS1_AD_INTERNAL_ERROR;
2480 return 0;
2481 }
2482 if (!tls_use_ticket(s) || (size > 0)) {
2483 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2484 return 0;
2485 }
2486 s->tlsext_ticket_expected = 1;
2487 }
0f113f3e
MC		 2488 else if (type == TLSEXT_TYPE_status_request) {
2489 /*
2490 * MUST be empty and only sent if we've requested a status
2491 * request message.
2492 */
2493 if ((s->tlsext_status_type == -1) || (size > 0)) {
2494 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2495 return 0;
2496 }
2497 /* Set flag to expect CertificateStatus message */
2498 s->tlsext_status_expected = 1;
2499 }
e481f9b9 2500#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2501 else if (type == TLSEXT_TYPE_next_proto_neg &&
2502 s->s3->tmp.finish_md_len == 0) {
2503 unsigned char *selected;
2504 unsigned char selected_len;
0f113f3e
MC		 2505 /* We must have requested it. */
2506 if (s->ctx->next_proto_select_cb == NULL) {
2507 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2508 return 0;
2509 }
2510 /* The data must be valid */
50932c4a 2511 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2512 *al = TLS1_AD_DECODE_ERROR;
2513 return 0;
2514 }
2515 if (s->
2516 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2517 size,
2518 s->ctx->next_proto_select_cb_arg) !=
2519 SSL_TLSEXT_ERR_OK) {
2520 *al = TLS1_AD_INTERNAL_ERROR;
2521 return 0;
2522 }
2523 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2524 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2525 *al = TLS1_AD_INTERNAL_ERROR;
2526 return 0;
2527 }
2528 memcpy(s->next_proto_negotiated, selected, selected_len);
2529 s->next_proto_negotiated_len = selected_len;
2530 s->s3->next_proto_neg_seen = 1;
2531 }
e481f9b9 2532#endif
0f113f3e
MC		 2533
2534 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2535 unsigned len;
0f113f3e
MC		 2536 /* We must have requested it. */
2537 if (s->alpn_client_proto_list == NULL) {
2538 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2539 return 0;
2540 }
50e735f9
MC		 2541 /*-
2542 * The extension data consists of:
2543 * uint16 list_length
2544 * uint8 proto_length;
2545 * uint8 proto[proto_length];
2546 */
50932c4a
MC		 2547 if (!PACKET_get_net_2(&spkt, &len)
2548 || PACKET_remaining(&spkt) != len
2549 || !PACKET_get_1(&spkt, &len)
2550 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2551 *al = TLS1_AD_DECODE_ERROR;
2552 return 0;
2553 }
b548a1f1 2554 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2555 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2556 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2557 *al = TLS1_AD_INTERNAL_ERROR;
2558 return 0;
2559 }
50932c4a
MC		 2560 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2561 *al = TLS1_AD_DECODE_ERROR;
2562 return 0;
2563 }
0f113f3e
MC		 2564 s->s3->alpn_selected_len = len;
2565 }
e481f9b9 2566#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2567 else if (type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2568 unsigned int hbtype;
2569 if (!PACKET_get_1(&spkt, &hbtype)) {
2570 *al = SSL_AD_DECODE_ERROR;
2571 return 0;
2572 }
2573 switch (hbtype) {
0f113f3e
MC		 2574 case 0x01: /* Server allows us to send HB requests */
2575 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2576 break;
2577 case 0x02: /* Server doesn't accept HB requests */
2578 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2579 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2580 break;
2581 default:
2582 *al = SSL_AD_ILLEGAL_PARAMETER;
2583 return 0;
2584 }
2585 }
e481f9b9
MC		 2586#endif
2587#ifndef OPENSSL_NO_SRTP
0f113f3e 2588 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2589 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2590 return 0;
2591 }
e481f9b9
MC		 2592#endif
2593#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2594 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2595 /* Ignore if inappropriate ciphersuite */
2596 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2597 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2598 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2599 }
e481f9b9 2600#endif
ddc06b35
DSH		 2601 else if (type == TLSEXT_TYPE_extended_master_secret) {
2602 if (!s->hit)
2603 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2604 }
0f113f3e
MC		 2605 /*
2606 * If this extension type was not otherwise handled, but matches a
2607 * custom_cli_ext_record, then send it to the c callback
2608 */
2609 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2610 return 0;
0f113f3e
MC		 2611 }
2612
50932c4a 2613 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2614 *al = SSL_AD_DECODE_ERROR;
2615 return 0;
2616 }
2617
2618 if (!s->hit && tlsext_servername == 1) {
2619 if (s->tlsext_hostname) {
2620 if (s->session->tlsext_hostname == NULL) {
2621 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2622 if (!s->session->tlsext_hostname) {
2623 *al = SSL_AD_UNRECOGNIZED_NAME;
2624 return 0;
2625 }
2626 } else {
2627 *al = SSL_AD_DECODE_ERROR;
2628 return 0;
2629 }
2630 }
2631 }
2632
0f113f3e
MC		 2633 ri_check:
2634
2635 /*
2636 * Determine if we need to see RI. Strictly speaking if we want to avoid
2637 * an attack we should *always* see RI even on initial server hello
2638 * because the client doesn't see any renegotiation during an attack.
2639 * However this would mean we could not connect to any server which
2640 * doesn't support RI so for the immediate future tolerate RI absence on
2641 * initial connect only.
2642 */
2643 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2644 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2645 *al = SSL_AD_HANDSHAKE_FAILURE;
2646 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2647 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2648 return 0;
2649 }
2650
2651 return 1;
2652}
b2172f4f 2653
36ca4ba6 2654int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2655{
2656
0f113f3e
MC		 2657 return 1;
2658}
36ca4ba6
BM		 2659
2660int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2661{
2662 return 1;
2663}
36ca4ba6 2664
2daceb03 2665static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2666{
2667 int ret = SSL_TLSEXT_ERR_NOACK;
2668 int al = SSL_AD_UNRECOGNIZED_NAME;
2669
e481f9b9 2670#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2671 /*
2672 * The handling of the ECPointFormats extension is done elsewhere, namely
2673 * in ssl3_choose_cipher in s3_lib.c.
2674 */
2675 /*
2676 * The handling of the EllipticCurves extension is done elsewhere, namely
2677 * in ssl3_choose_cipher in s3_lib.c.
2678 */
e481f9b9 2679#endif
0f113f3e
MC		 2680
2681 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2682 ret =
2683 s->ctx->tlsext_servername_callback(s, &al,
2684 s->ctx->tlsext_servername_arg);
2685 else if (s->initial_ctx != NULL
2686 && s->initial_ctx->tlsext_servername_callback != 0)
2687 ret =
2688 s->initial_ctx->tlsext_servername_callback(s, &al,
2689 s->
2690 initial_ctx->tlsext_servername_arg);
2691
0f113f3e
MC		 2692 switch (ret) {
2693 case SSL_TLSEXT_ERR_ALERT_FATAL:
2694 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2695 return -1;
2696
2697 case SSL_TLSEXT_ERR_ALERT_WARNING:
2698 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2699 return 1;
2700
2701 case SSL_TLSEXT_ERR_NOACK:
2702 s->servername_done = 0;
2703 default:
2704 return 1;
2705 }
2706}
d376e57d
DSH		 2707/* Initialise digests to default values */
2708static void ssl_set_default_md(SSL *s)
2709{
2710 const EVP_MD **pmd = s->s3->tmp.md;
2711#ifndef OPENSSL_NO_DSA
2712 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
2713#endif
2714#ifndef OPENSSL_NO_RSA
2715 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
2716 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
2717#endif
2718#ifndef OPENSSL_NO_EC
2719 pmd[SSL_PKEY_ECC] = EVP_sha1();
2720#endif
e44380a9
DB		 2721#ifndef OPENSSL_NO_GOST
2722 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
2723 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
2724 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
2725#endif
d376e57d 2726}
f1fd4544 2727
e469af8d 2728int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2729{
2730 int al;
2731 size_t i;
2732 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2733 OPENSSL_free(s->cert->shared_sigalgs);
2734 s->cert->shared_sigalgs = NULL;
2735 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2736 /* Clear certificate digests and validity flags */
2737 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2738 s->s3->tmp.md[i] = NULL;
6383d316 2739 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2740 }
2741
2742 /* If sigalgs received process it. */
76106e60 2743 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2744 if (!tls1_process_sigalgs(s)) {
2745 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2746 al = SSL_AD_INTERNAL_ERROR;
2747 goto err;
2748 }
2749 /* Fatal error is no shared signature algorithms */
2750 if (!s->cert->shared_sigalgs) {
2751 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2752 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2753 al = SSL_AD_ILLEGAL_PARAMETER;
2754 goto err;
2755 }
d376e57d
DSH		 2756 } else {
2757 ssl_set_default_md(s);
2758 }
0f113f3e
MC		 2759 return 1;
2760 err:
2761 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2762 return 0;
2763}
e469af8d 2764
2daceb03 2765int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2766{
2767 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2768 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2769
2770 /*
2771 * If status request then ask callback what to do. Note: this must be
2772 * called after servername callbacks in case the certificate has changed,
2773 * and must be called after the cipher has been chosen because this may
2774 * influence which certificate is sent
2775 */
2776 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2777 int r;
2778 CERT_PKEY *certpkey;
2779 certpkey = ssl_get_server_send_pkey(s);
2780 /* If no certificate can't return certificate status */
2781 if (certpkey == NULL) {
2782 s->tlsext_status_expected = 0;
2783 return 1;
2784 }
2785 /*
2786 * Set current certificate to one we will use so SSL_get_certificate
2787 * et al can pick it up.
2788 */
2789 s->cert->key = certpkey;
2790 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2791 switch (r) {
2792 /* We don't want to send a status request response */
2793 case SSL_TLSEXT_ERR_NOACK:
2794 s->tlsext_status_expected = 0;
2795 break;
2796 /* status request response should be sent */
2797 case SSL_TLSEXT_ERR_OK:
2798 if (s->tlsext_ocsp_resp)
2799 s->tlsext_status_expected = 1;
2800 else
2801 s->tlsext_status_expected = 0;
2802 break;
2803 /* something bad happened */
2804 case SSL_TLSEXT_ERR_ALERT_FATAL:
2805 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2806 al = SSL_AD_INTERNAL_ERROR;
2807 goto err;
2808 }
2809 } else
2810 s->tlsext_status_expected = 0;
2daceb03
BL		 2811
2812 err:
0f113f3e
MC		 2813 switch (ret) {
2814 case SSL_TLSEXT_ERR_ALERT_FATAL:
2815 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2816 return -1;
2817
2818 case SSL_TLSEXT_ERR_ALERT_WARNING:
2819 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2820 return 1;
2821
2822 default:
2823 return 1;
2824 }
2825}
2daceb03 2826
36ca4ba6 2827int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2828{
2829 int ret = SSL_TLSEXT_ERR_NOACK;
2830 int al = SSL_AD_UNRECOGNIZED_NAME;
2831
e481f9b9 2832#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2833 /*
2834 * If we are client and using an elliptic curve cryptography cipher
2835 * suite, then if server returns an EC point formats lists extension it
2836 * must contain uncompressed.
2837 */
2838 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2839 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2840 if ((s->tlsext_ecpointformatlist != NULL)
2841 && (s->tlsext_ecpointformatlist_length > 0)
2842 && (s->session->tlsext_ecpointformatlist != NULL)
2843 && (s->session->tlsext_ecpointformatlist_length > 0)
2844 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2845 || (alg_a & SSL_aECDSA))) {
2846 /* we are using an ECC cipher */
2847 size_t i;
2848 unsigned char *list;
2849 int found_uncompressed = 0;
2850 list = s->session->tlsext_ecpointformatlist;
2851 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2852 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2853 found_uncompressed = 1;
2854 break;
2855 }
2856 }
2857 if (!found_uncompressed) {
2858 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2859 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2860 return -1;
2861 }
2862 }
2863 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2864#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2865
2866 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2867 ret =
2868 s->ctx->tlsext_servername_callback(s, &al,
2869 s->ctx->tlsext_servername_arg);
2870 else if (s->initial_ctx != NULL
2871 && s->initial_ctx->tlsext_servername_callback != 0)
2872 ret =
2873 s->initial_ctx->tlsext_servername_callback(s, &al,
2874 s->
2875 initial_ctx->tlsext_servername_arg);
2876
0f113f3e
MC		 2877 /*
2878 * If we've requested certificate status and we wont get one tell the
2879 * callback
2880 */
2881 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2882 && s->ctx && s->ctx->tlsext_status_cb) {
2883 int r;
2884 /*
2885 * Set resp to NULL, resplen to -1 so callback knows there is no
2886 * response.
2887 */
b548a1f1
RS		 2888 OPENSSL_free(s->tlsext_ocsp_resp);
2889 s->tlsext_ocsp_resp = NULL;
0f113f3e
MC		 2890 s->tlsext_ocsp_resplen = -1;
2891 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2892 if (r == 0) {
2893 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2894 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2895 }
2896 if (r < 0) {
2897 al = SSL_AD_INTERNAL_ERROR;
2898 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2899 }
2900 }
2901
2902 switch (ret) {
2903 case SSL_TLSEXT_ERR_ALERT_FATAL:
2904 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2905 return -1;
2906
2907 case SSL_TLSEXT_ERR_ALERT_WARNING:
2908 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2909 return 1;
2910
2911 case SSL_TLSEXT_ERR_NOACK:
2912 s->servername_done = 0;
2913 default:
2914 return 1;
2915 }
2916}
761772d7 2917
50932c4a 2918int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2919{
2920 int al = -1;
2921 if (s->version < SSL3_VERSION)
2922 return 1;
50932c4a 2923 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2924 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2925 return 0;
2926 }
2927
2928 if (ssl_check_serverhello_tlsext(s) <= 0) {
2929 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2930 return 0;
2931 }
2932 return 1;
09e4e4b9
DSH		 2933}
2934
1d97c843
TH		 2935/*-
2936 * Since the server cache lookup is done early on in the processing of the
c519e89f
BM		 2937 * ClientHello, and other operations depend on the result, we need to handle
2938 * any TLS session ticket extension at the same time.
2939 *
b3e2272c
EK		 2940 * session_id: ClientHello session ID.
2941 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2942 * ret: (output) on return, if a ticket was decrypted, then this is set to
2943 * point to the resulting session.
2944 *
2945 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2946 * ciphersuite, in which case we have no use for session tickets and one will
2947 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2948 *
2949 * Returns:
2950 * -1: fatal error, either from parsing or decrypting the ticket.
2951 * 0: no ticket was found (or was ignored, based on settings).
2952 * 1: a zero length extension was found, indicating that the client supports
2953 * session tickets but doesn't currently have one to offer.
2954 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2955 * couldn't be decrypted because of a non-fatal error.
2956 * 3: a ticket was successfully decrypted and *ret was set.
2957 *
2958 * Side effects:
2959 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2960 * a new session ticket to the client because the client indicated support
2961 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2962 * a session ticket or we couldn't use the one it gave us, or if
2963 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2964 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2965 */
b3e2272c
EK		 2966int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id,
2967 SSL_SESSION **ret)
0f113f3e 2968{
9ceb2426 2969 unsigned int i;
b3e2272c 2970 PACKET local_ext = *ext;
9ceb2426 2971 int retv = -1;
0f113f3e
MC		 2972
2973 *ret = NULL;
2974 s->tlsext_ticket_expected = 0;
2975
2976 /*
2977 * If tickets disabled behave as if no ticket present to permit stateful
2978 * resumption.
2979 */
2980 if (!tls_use_ticket(s))
2981 return 0;
9ceb2426 2982 if ((s->version <= SSL3_VERSION))
0f113f3e 2983 return 0;
9ceb2426 2984
b3e2272c 2985 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2986 retv = 0;
2987 goto end;
2988 }
b3e2272c 2989 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2990 unsigned int type, size;
2991
b3e2272c
EK		 2992 if (!PACKET_get_net_2(&local_ext, &type)
2993 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2994 /* Shouldn't ever happen */
2995 retv = -1;
2996 goto end;
2997 }
b3e2272c 2998 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2999 retv = 0;
3000 goto end;
3001 }
0f113f3e
MC		 3002 if (type == TLSEXT_TYPE_session_ticket) {
3003 int r;
9ceb2426
MC		 3004 unsigned char *etick;
3005
0f113f3e
MC		 3006 if (size == 0) {
3007 /*
3008 * The client will accept a ticket but doesn't currently have
3009 * one.
3010 */
3011 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3012 retv = 1;
3013 goto end;
0f113f3e
MC		 3014 }
3015 if (s->tls_session_secret_cb) {
3016 /*
3017 * Indicate that the ticket couldn't be decrypted rather than
3018 * generating the session from ticket now, trigger
3019 * abbreviated handshake based on external mechanism to
3020 * calculate the master secret later.
3021 */
9ceb2426
MC		 3022 retv = 2;
3023 goto end;
3024 }
b3e2272c 3025 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 3026 /* Shouldn't ever happen */
3027 retv = -1;
3028 goto end;
0f113f3e 3029 }
b3e2272c
EK		 3030 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3031 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3032 switch (r) {
3033 case 2: /* ticket couldn't be decrypted */
3034 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3035 retv = 2;
3036 break;
0f113f3e 3037 case 3: /* ticket was decrypted */
9ceb2426
MC		 3038 retv = r;
3039 break;
0f113f3e
MC		 3040 case 4: /* ticket decrypted but need to renew */
3041 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3042 retv = 3;
3043 break;
0f113f3e 3044 default: /* fatal error */
9ceb2426
MC		 3045 retv = -1;
3046 break;
0f113f3e 3047 }
9ceb2426 3048 goto end;
c83eda8c 3049 } else {
b3e2272c 3050 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3051 retv = -1;
3052 goto end;
3053 }
0f113f3e 3054 }
0f113f3e 3055 }
9ceb2426
MC		 3056 retv = 0;
3057end:
9ceb2426 3058 return retv;
0f113f3e 3059}
6434abbf 3060
1d97c843
TH		 3061/*-
3062 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3063 *
3064 * etick: points to the body of the session ticket extension.
3065 * eticklen: the length of the session tickets extenion.
3066 * sess_id: points at the session ID.
3067 * sesslen: the length of the session ID.
3068 * psess: (output) on return, if a ticket was decrypted, then this is set to
3069 * point to the resulting session.
3070 *
3071 * Returns:
3072 * -1: fatal error, either from parsing or decrypting the ticket.
3073 * 2: the ticket couldn't be decrypted.
3074 * 3: a ticket was successfully decrypted and *psess was set.
3075 * 4: same as 3, but the ticket needs to be renewed.
3076 */
0f113f3e
MC		 3077static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3078 int eticklen, const unsigned char *sess_id,
3079 int sesslen, SSL_SESSION **psess)
3080{
3081 SSL_SESSION *sess;
3082 unsigned char *sdec;
3083 const unsigned char *p;
3084 int slen, mlen, renew_ticket = 0;
3085 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3086 HMAC_CTX hctx;
3087 EVP_CIPHER_CTX ctx;
3088 SSL_CTX *tctx = s->initial_ctx;
3089 /* Need at least keyname + iv + some encrypted data */
3090 if (eticklen < 48)
3091 return 2;
3092 /* Initialize session ticket encryption and HMAC contexts */
3093 HMAC_CTX_init(&hctx);
3094 EVP_CIPHER_CTX_init(&ctx);
3095 if (tctx->tlsext_ticket_key_cb) {
3096 unsigned char *nctick = (unsigned char *)etick;
3097 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3098 &ctx, &hctx, 0);
3099 if (rv < 0)
3100 return -1;
3101 if (rv == 0)
3102 return 2;
3103 if (rv == 2)
3104 renew_ticket = 1;
3105 } else {
3106 /* Check key name matches */
3107 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3108 return 2;
5f3d93e4
MC		 3109 if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3110 EVP_sha256(), NULL) <= 0
3111 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3112 tctx->tlsext_tick_aes_key,
3113 etick + 16) <= 0) {
3114 goto err;
3115 }
0f113f3e
MC		 3116 }
3117 /*
3118 * Attempt to process session ticket, first conduct sanity and integrity
3119 * checks on ticket.
3120 */
3121 mlen = HMAC_size(&hctx);
3122 if (mlen < 0) {
5f3d93e4 3123 goto err;
0f113f3e
MC		 3124 }
3125 eticklen -= mlen;
3126 /* Check HMAC of encrypted ticket */
5f3d93e4
MC		 3127 if (HMAC_Update(&hctx, etick, eticklen) <= 0
3128 || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
3129 goto err;
3130 }
0f113f3e
MC		 3131 HMAC_CTX_cleanup(&hctx);
3132 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3133 EVP_CIPHER_CTX_cleanup(&ctx);
3134 return 2;
3135 }
3136 /* Attempt to decrypt session data */
3137 /* Move p after IV to start of encrypted ticket, update length */
3138 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3139 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3140 sdec = OPENSSL_malloc(eticklen);
5f3d93e4
MC		 3141 if (sdec == NULL
3142 || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
0f113f3e
MC		 3143 EVP_CIPHER_CTX_cleanup(&ctx);
3144 return -1;
3145 }
0f113f3e
MC		 3146 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3147 EVP_CIPHER_CTX_cleanup(&ctx);
3148 OPENSSL_free(sdec);
3149 return 2;
3150 }
3151 slen += mlen;
3152 EVP_CIPHER_CTX_cleanup(&ctx);
3153 p = sdec;
3154
3155 sess = d2i_SSL_SESSION(NULL, &p, slen);
3156 OPENSSL_free(sdec);
3157 if (sess) {
3158 /*
3159 * The session ID, if non-empty, is used by some clients to detect
3160 * that the ticket has been accepted. So we copy it to the session
3161 * structure. If it is empty set length to zero as required by
3162 * standard.
3163 */
3164 if (sesslen)
3165 memcpy(sess->session_id, sess_id, sesslen);
3166 sess->session_id_length = sesslen;
3167 *psess = sess;
3168 if (renew_ticket)
3169 return 4;
3170 else
3171 return 3;
3172 }
3173 ERR_clear_error();
3174 /*
3175 * For session parse failure, indicate that we need to send a new ticket.
3176 */
3177 return 2;
5f3d93e4
MC		 3178err:
3179 EVP_CIPHER_CTX_cleanup(&ctx);
3180 HMAC_CTX_cleanup(&hctx);
3181 return -1;
0f113f3e 3182}
6434abbf 3183
6b7be581
DSH		 3184/* Tables to translate from NIDs to TLS v1.2 ids */
3185
0f113f3e
MC		 3186typedef struct {
3187 int nid;
3188 int id;
3189} tls12_lookup;
6b7be581 3190
d97ed219 3191static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3192 {NID_md5, TLSEXT_hash_md5},
3193 {NID_sha1, TLSEXT_hash_sha1},
3194 {NID_sha224, TLSEXT_hash_sha224},
3195 {NID_sha256, TLSEXT_hash_sha256},
3196 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3197 {NID_sha512, TLSEXT_hash_sha512},
3198 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3199 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3200 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3201};
3202
d97ed219 3203static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3204 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3205 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3206 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3207 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3208 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3209 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3210};
3211
d97ed219 3212static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3213{
3214 size_t i;
3215 for (i = 0; i < tlen; i++) {
3216 if (table[i].nid == nid)
3217 return table[i].id;
3218 }
3219 return -1;
3220}
e7f8ff43 3221
d97ed219 3222static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3223{
3224 size_t i;
3225 for (i = 0; i < tlen; i++) {
3226 if ((table[i].id) == id)
3227 return table[i].nid;
3228 }
3229 return NID_undef;
3230}
3231
3232int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3233 const EVP_MD *md)
3234{
3235 int sig_id, md_id;
3236 if (!md)
3237 return 0;
b6eb9827 3238 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3239 if (md_id == -1)
3240 return 0;
3241 sig_id = tls12_get_sigid(pk);
3242 if (sig_id == -1)
3243 return 0;
3244 p[0] = (unsigned char)md_id;
3245 p[1] = (unsigned char)sig_id;
3246 return 1;
3247}
6b7be581 3248
a2f9200f 3249int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3250{
b6eb9827 3251 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3252}
3253
3254typedef struct {
3255 int nid;
3256 int secbits;
3257 const EVP_MD *(*mfunc) (void);
e44380a9 3258 unsigned char tlsext_hash;
0f113f3e 3259} tls12_hash_info;
b362ccab 3260
e44380a9
DB		 3261static const EVP_MD* md_gost94()
3262{
3263 return EVP_get_digestbynid(NID_id_GostR3411_94);
3264}
3265
3266static const EVP_MD* md_gost2012_256()
3267{
3268 return EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3269}
3270
3271static const EVP_MD* md_gost2012_512()
3272{
3273 return EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3274}
3275
b362ccab 3276static const tls12_hash_info tls12_md_info[] = {
e481f9b9 3277#ifdef OPENSSL_NO_MD5
e44380a9 3278 {NID_md5, 64, 0, TLSEXT_hash_md5},
e481f9b9 3279#else
e44380a9 3280 {NID_md5, 64, EVP_md5, TLSEXT_hash_md5},
e481f9b9 3281#endif
e44380a9
DB		 3282 {NID_sha1, 80, EVP_sha1, TLSEXT_hash_sha1},
3283 {NID_sha224, 112, EVP_sha224, TLSEXT_hash_sha224},
3284 {NID_sha256, 128, EVP_sha256, TLSEXT_hash_sha256},
3285 {NID_sha384, 192, EVP_sha384, TLSEXT_hash_sha384},
3286 {NID_sha512, 256, EVP_sha512, TLSEXT_hash_sha512},
3287 {NID_id_GostR3411_94, 128, md_gost94, TLSEXT_hash_gostr3411},
3288 {NID_id_GostR3411_2012_256, 128, md_gost2012_256, TLSEXT_hash_gostr34112012_256},
3289 {NID_id_GostR3411_2012_512, 256, md_gost2012_512, TLSEXT_hash_gostr34112012_512},
b362ccab 3290};
a2f9200f 3291
b362ccab 3292static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3293{
e44380a9 3294 unsigned int i;
0f113f3e
MC		 3295 if (hash_alg == 0)
3296 return NULL;
e44380a9
DB		 3297
3298 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3299 {
3300 if (tls12_md_info[i].tlsext_hash == hash_alg)
3301 return tls12_md_info + i;
3302 }
3303
3304 return NULL;
0f113f3e 3305}
a2f9200f 3306
b362ccab 3307const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3308{
3309 const tls12_hash_info *inf;
3310 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3311 return NULL;
3312 inf = tls12_get_hash_info(hash_alg);
3313 if (!inf || !inf->mfunc)
3314 return NULL;
3315 return inf->mfunc();
3316}
a2f9200f 3317
4453cd8c 3318static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3319{
3320 switch (sig_alg) {
e481f9b9 3321#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3322 case TLSEXT_signature_rsa:
3323 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3324#endif
3325#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3326 case TLSEXT_signature_dsa:
3327 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3328#endif
3329#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3330 case TLSEXT_signature_ecdsa:
3331 return SSL_PKEY_ECC;
e481f9b9 3332#endif
e44380a9
DB		 3333# ifndef OPENSSL_NO_GOST
3334 case TLSEXT_signature_gostr34102001:
3335 return SSL_PKEY_GOST01;
3336
3337 case TLSEXT_signature_gostr34102012_256:
3338 return SSL_PKEY_GOST12_256;
3339
3340 case TLSEXT_signature_gostr34102012_512:
3341 return SSL_PKEY_GOST12_512;
3342# endif
0f113f3e
MC		 3343 }
3344 return -1;
3345}
4453cd8c
DSH		 3346
3347/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3348static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3349 int *psignhash_nid, const unsigned char *data)
3350{
3351 int sign_nid = 0, hash_nid = 0;
3352 if (!phash_nid && !psign_nid && !psignhash_nid)
3353 return;
3354 if (phash_nid || psignhash_nid) {
b6eb9827 3355 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3356 if (phash_nid)
3357 *phash_nid = hash_nid;
3358 }
3359 if (psign_nid || psignhash_nid) {
b6eb9827 3360 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3361 if (psign_nid)
3362 *psign_nid = sign_nid;
3363 }
3364 if (psignhash_nid) {
3365 if (sign_nid && hash_nid)
3366 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3367 else
3368 *psignhash_nid = NID_undef;
3369 }
3370}
3371
b362ccab
DSH		 3372/* Check to see if a signature algorithm is allowed */
3373static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3374{
3375 /* See if we have an entry in the hash table and it is enabled */
3376 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3377 if (!hinf || !hinf->mfunc)
3378 return 0;
3379 /* See if public key algorithm allowed */
3380 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3381 return 0;
3382 /* Finally see if security callback allows it */
3383 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3384}
3385
3386/*
3387 * Get a mask of disabled public key algorithms based on supported signature
3388 * algorithms. For example if no signature algorithm supports RSA then RSA is
3389 * disabled.
b362ccab
DSH		 3390 */
3391
90d9e49a 3392void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3393{
3394 const unsigned char *sigalgs;
3395 size_t i, sigalgslen;
3396 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3397 /*
3398 * Now go through all signature algorithms seeing if we support any for
3399 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3400 * down calls to security callback only check if we have to.
3401 */
3402 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3403 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3404 switch (sigalgs[1]) {
e481f9b9 3405#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3406 case TLSEXT_signature_rsa:
3407 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3408 have_rsa = 1;
3409 break;
e481f9b9
MC		 3410#endif
3411#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3412 case TLSEXT_signature_dsa:
3413 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3414 have_dsa = 1;
3415 break;
e481f9b9
MC		 3416#endif
3417#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3418 case TLSEXT_signature_ecdsa:
3419 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3420 have_ecdsa = 1;
3421 break;
e481f9b9 3422#endif
0f113f3e
MC		 3423 }
3424 }
3425 if (!have_rsa)
3426 *pmask_a |= SSL_aRSA;
3427 if (!have_dsa)
3428 *pmask_a |= SSL_aDSS;
3429 if (!have_ecdsa)
3430 *pmask_a |= SSL_aECDSA;
3431}
b362ccab
DSH		 3432
3433size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3434 const unsigned char *psig, size_t psiglen)
3435{
3436 unsigned char *tmpout = out;
3437 size_t i;
3438 for (i = 0; i < psiglen; i += 2, psig += 2) {
3439 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3440 *tmpout++ = psig[0];
3441 *tmpout++ = psig[1];
3442 }
3443 }
3444 return tmpout - out;
3445}
b362ccab 3446
4453cd8c 3447/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3448static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3449 const unsigned char *pref, size_t preflen,
3450 const unsigned char *allow, size_t allowlen)
3451{
3452 const unsigned char *ptmp, *atmp;
3453 size_t i, j, nmatch = 0;
3454 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3455 /* Skip disabled hashes or signature algorithms */
3456 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3457 continue;
3458 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3459 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3460 nmatch++;
3461 if (shsig) {
3462 shsig->rhash = ptmp[0];
3463 shsig->rsign = ptmp[1];
3464 tls1_lookup_sigalg(&shsig->hash_nid,
3465 &shsig->sign_nid,
3466 &shsig->signandhash_nid, ptmp);
3467 shsig++;
3468 }
3469 break;
3470 }
3471 }
3472 }
3473 return nmatch;
3474}
4453cd8c
DSH		 3475
3476/* Set shared signature algorithms for SSL structures */
3477static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3478{
3479 const unsigned char *pref, *allow, *conf;
3480 size_t preflen, allowlen, conflen;
3481 size_t nmatch;
3482 TLS_SIGALGS *salgs = NULL;
3483 CERT *c = s->cert;
3484 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3485
3486 OPENSSL_free(c->shared_sigalgs);
3487 c->shared_sigalgs = NULL;
3488 c->shared_sigalgslen = 0;
0f113f3e
MC		 3489 /* If client use client signature algorithms if not NULL */
3490 if (!s->server && c->client_sigalgs && !is_suiteb) {
3491 conf = c->client_sigalgs;
3492 conflen = c->client_sigalgslen;
3493 } else if (c->conf_sigalgs && !is_suiteb) {
3494 conf = c->conf_sigalgs;
3495 conflen = c->conf_sigalgslen;
3496 } else
3497 conflen = tls12_get_psigalgs(s, &conf);
3498 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3499 pref = conf;
3500 preflen = conflen;
76106e60
DSH		 3501 allow = s->s3->tmp.peer_sigalgs;
3502 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3503 } else {
3504 allow = conf;
3505 allowlen = conflen;
76106e60
DSH		 3506 pref = s->s3->tmp.peer_sigalgs;
3507 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3508 }
3509 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3510 if (nmatch) {
3511 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3512 if (salgs == NULL)
34e3edbf
DSH		 3513 return 0;
3514 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3515 } else {
3516 salgs = NULL;
3517 }
0f113f3e
MC		 3518 c->shared_sigalgs = salgs;
3519 c->shared_sigalgslen = nmatch;
3520 return 1;
3521}
4453cd8c 3522
6b7be581
DSH		 3523/* Set preferred digest for each key type */
3524
c800c27a 3525int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3526{
3527 CERT *c = s->cert;
3528 /* Extension ignored for inappropriate versions */
3529 if (!SSL_USE_SIGALGS(s))
3530 return 1;
3531 /* Should never happen */
3532 if (!c)
3533 return 0;
3534
76106e60
DSH		 3535 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3536 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3537 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3538 return 0;
76106e60
DSH		 3539 s->s3->tmp.peer_sigalgslen = dsize;
3540 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3541 return 1;
3542}
6b7be581 3543
c800c27a 3544int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3545{
3546 int idx;
3547 size_t i;
3548 const EVP_MD *md;
d376e57d 3549 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3550 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3551 CERT *c = s->cert;
3552 TLS_SIGALGS *sigptr;
3553 if (!tls1_set_shared_sigalgs(s))
3554 return 0;
3555
e481f9b9 3556#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3557 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3558 /*
3559 * Use first set signature preference to force message digest,
3560 * ignoring any peer preferences.
3561 */
3562 const unsigned char *sigs = NULL;
3563 if (s->server)
3564 sigs = c->conf_sigalgs;
3565 else
3566 sigs = c->client_sigalgs;
3567 if (sigs) {
3568 idx = tls12_get_pkey_idx(sigs[1]);
3569 md = tls12_get_hash(sigs[0]);
d376e57d 3570 pmd[idx] = md;
6383d316 3571 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3572 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3573 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3574 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3575 }
3576 }
3577 }
e481f9b9 3578#endif
0f113f3e
MC		 3579
3580 for (i = 0, sigptr = c->shared_sigalgs;
3581 i < c->shared_sigalgslen; i++, sigptr++) {
3582 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3583 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3584 md = tls12_get_hash(sigptr->rhash);
d376e57d 3585 pmd[idx] = md;
6383d316 3586 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3587 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3588 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3589 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3590 }
3591 }
6b7be581 3592
0f113f3e
MC		 3593 }
3594 /*
3595 * In strict mode leave unset digests as NULL to indicate we can't use
3596 * the certificate for signing.
3597 */
3598 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3599 /*
3600 * Set any remaining keys to default values. NOTE: if alg is not
3601 * supported it stays as NULL.
3602 */
e481f9b9 3603#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3604 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3605 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3606#endif
3607#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3608 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3609 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3610 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3611 }
e481f9b9
MC		 3612#endif
3613#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3614 if (pmd[SSL_PKEY_ECC] == NULL)
3615 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3616#endif
e44380a9
DB		 3617# ifndef OPENSSL_NO_GOST
3618 if (pmd[SSL_PKEY_GOST01] == NULL)
3619 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3620 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3621 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3622 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3623 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3624# endif
0f113f3e
MC		 3625 }
3626 return 1;
3627}
4817504d 3628
e7f8ff43 3629int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3630 int *psign, int *phash, int *psignhash,
3631 unsigned char *rsig, unsigned char *rhash)
3632{
76106e60 3633 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3634 if (psig == NULL)
3635 return 0;
3636 if (idx >= 0) {
3637 idx <<= 1;
76106e60 3638 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3639 return 0;
3640 psig += idx;
3641 if (rhash)
3642 *rhash = psig[0];
3643 if (rsig)
3644 *rsig = psig[1];
3645 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3646 }
76106e60 3647 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3648}
4453cd8c
DSH		 3649
3650int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3651 int *psign, int *phash, int *psignhash,
3652 unsigned char *rsig, unsigned char *rhash)
3653{
3654 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3655 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3656 return 0;
3657 shsigalgs += idx;
3658 if (phash)
3659 *phash = shsigalgs->hash_nid;
3660 if (psign)
3661 *psign = shsigalgs->sign_nid;
3662 if (psignhash)
3663 *psignhash = shsigalgs->signandhash_nid;
3664 if (rsig)
3665 *rsig = shsigalgs->rsign;
3666 if (rhash)
3667 *rhash = shsigalgs->rhash;
3668 return s->cert->shared_sigalgslen;
3669}
3670
e481f9b9 3671#ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3672int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3673{
2c60ed04 3674 unsigned char *pl;
0f113f3e
MC		 3675 unsigned short hbtype;
3676 unsigned int payload;
3677 unsigned int padding = 16; /* Use minimum padding */
3678
3679 if (s->msg_callback)
3680 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3681 p, length,
0f113f3e
MC		 3682 s, s->msg_callback_arg);
3683
3684 /* Read type and payload length first */
258f8721 3685 if (1 + 2 + 16 > length)
0f113f3e
MC		 3686 return 0; /* silently discard */
3687 hbtype = *p++;
3688 n2s(p, payload);
258f8721 3689 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3690 return 0; /* silently discard per RFC 6520 sec. 4 */
3691 pl = p;
3692
3693 if (hbtype == TLS1_HB_REQUEST) {
3694 unsigned char *buffer, *bp;
3695 int r;
3696
3697 /*
3698 * Allocate memory for the response, size is 1 bytes message type,
3699 * plus 2 bytes payload length, plus payload, plus padding
3700 */
3701 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3702 if (buffer == NULL) {
3703 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3704 return -1;
3705 }
3706 bp = buffer;
3707
3708 /* Enter response type, length and copy payload */
3709 *bp++ = TLS1_HB_RESPONSE;
3710 s2n(payload, bp);
3711 memcpy(bp, pl, payload);
3712 bp += payload;
3713 /* Random padding */
266483d2
MC		 3714 if (RAND_bytes(bp, padding) <= 0) {
3715 OPENSSL_free(buffer);
3716 return -1;
3717 }
0f113f3e
MC		 3718
3719 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3720 3 + payload + padding);
3721
3722 if (r >= 0 && s->msg_callback)
3723 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3724 buffer, 3 + payload + padding,
3725 s, s->msg_callback_arg);
3726
3727 OPENSSL_free(buffer);
3728
3729 if (r < 0)
3730 return r;
3731 } else if (hbtype == TLS1_HB_RESPONSE) {
3732 unsigned int seq;
3733
3734 /*
3735 * We only send sequence numbers (2 bytes unsigned int), and 16
3736 * random bytes, so we just try to read the sequence number
3737 */
3738 n2s(pl, seq);
3739
3740 if (payload == 18 && seq == s->tlsext_hb_seq) {
3741 s->tlsext_hb_seq++;
3742 s->tlsext_hb_pending = 0;
3743 }
3744 }
3745
3746 return 0;
3747}
0f229cce 3748
0f113f3e
MC		 3749int tls1_heartbeat(SSL *s)
3750{
3751 unsigned char *buf, *p;
266483d2 3752 int ret = -1;
0f113f3e
MC		 3753 unsigned int payload = 18; /* Sequence number + random bytes */
3754 unsigned int padding = 16; /* Use minimum padding */
3755
3756 /* Only send if peer supports and accepts HB requests... */
3757 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3758 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3759 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3760 return -1;
3761 }
3762
3763 /* ...and there is none in flight yet... */
3764 if (s->tlsext_hb_pending) {
3765 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3766 return -1;
3767 }
3768
3769 /* ...and no handshake in progress. */
024f543c 3770 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
0f113f3e
MC		 3771 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3772 return -1;
3773 }
3774
50e735f9
MC		 3775 /*-
3776 * Create HeartBeat message, we just use a sequence number
3777 * as payload to distuingish different messages and add
3778 * some random stuff.
3779 * - Message Type, 1 byte
3780 * - Payload Length, 2 bytes (unsigned int)
3781 * - Payload, the sequence number (2 bytes uint)
3782 * - Payload, random bytes (16 bytes uint)
3783 * - Padding
3784 */
0f113f3e
MC		 3785 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3786 if (buf == NULL) {
3787 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3788 return -1;
3789 }
3790 p = buf;
3791 /* Message Type */
3792 *p++ = TLS1_HB_REQUEST;
3793 /* Payload length (18 bytes here) */
3794 s2n(payload, p);
3795 /* Sequence number */
3796 s2n(s->tlsext_hb_seq, p);
3797 /* 16 random bytes */
266483d2
MC		 3798 if (RAND_bytes(p, 16) <= 0) {
3799 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3800 goto err;
3801 }
0f113f3e
MC		 3802 p += 16;
3803 /* Random padding */
266483d2
MC		 3804 if (RAND_bytes(p, padding) <= 0) {
3805 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3806 goto err;
3807 }
0f113f3e
MC		 3808
3809 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3810 if (ret >= 0) {
3811 if (s->msg_callback)
3812 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3813 buf, 3 + payload + padding,
3814 s, s->msg_callback_arg);
3815
3816 s->tlsext_hb_pending = 1;
3817 }
3818
266483d2 3819 err:
0f113f3e 3820 OPENSSL_free(buf);
0f113f3e
MC		 3821 return ret;
3822}
e481f9b9 3823#endif
0f113f3e 3824
e481f9b9 3825#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3826
0f113f3e
MC		 3827typedef struct {
3828 size_t sigalgcnt;
3829 int sigalgs[MAX_SIGALGLEN];
3830} sig_cb_st;
0f229cce 3831
431f458d
DSH		 3832static void get_sigorhash(int *psig, int *phash, const char *str)
3833{
3834 if (strcmp(str, "RSA") == 0) {
3835 *psig = EVP_PKEY_RSA;
3836 } else if (strcmp(str, "DSA") == 0) {
3837 *psig = EVP_PKEY_DSA;
3838 } else if (strcmp(str, "ECDSA") == 0) {
3839 *psig = EVP_PKEY_EC;
3840 } else {
3841 *phash = OBJ_sn2nid(str);
3842 if (*phash == NID_undef)
3843 *phash = OBJ_ln2nid(str);
3844 }
3845}
3846
0f229cce 3847static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3848{
3849 sig_cb_st *sarg = arg;
3850 size_t i;
3851 char etmp[20], *p;
431f458d 3852 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3853 if (elem == NULL)
3854 return 0;
0f113f3e
MC		 3855 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3856 return 0;
3857 if (len > (int)(sizeof(etmp) - 1))
3858 return 0;
3859 memcpy(etmp, elem, len);
3860 etmp[len] = 0;
3861 p = strchr(etmp, '+');
3862 if (!p)
3863 return 0;
3864 *p = 0;
3865 p++;
3866 if (!*p)
3867 return 0;
3868
431f458d
DSH		 3869 get_sigorhash(&sig_alg, &hash_alg, etmp);
3870 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3871
431f458d 3872 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3873 return 0;
3874
3875 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3876 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3877 return 0;
3878 }
3879 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3880 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3881 return 1;
3882}
3883
3884/*
3885 * Set suppored signature algorithms based on a colon separated list of the
3886 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3887 */
3dbc46df 3888int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3889{
3890 sig_cb_st sig;
3891 sig.sigalgcnt = 0;
3892 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3893 return 0;
3894 if (c == NULL)
3895 return 1;
3896 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3897}
3898
3899int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3900 int client)
3901{
3902 unsigned char *sigalgs, *sptr;
3903 int rhash, rsign;
3904 size_t i;
3905 if (salglen & 1)
3906 return 0;
3907 sigalgs = OPENSSL_malloc(salglen);
3908 if (sigalgs == NULL)
3909 return 0;
3910 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3911 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3912 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3913
3914 if (rhash == -1 || rsign == -1)
3915 goto err;
3916 *sptr++ = rhash;
3917 *sptr++ = rsign;
3918 }
3919
3920 if (client) {
b548a1f1 3921 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3922 c->client_sigalgs = sigalgs;
3923 c->client_sigalgslen = salglen;
3924 } else {
b548a1f1 3925 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3926 c->conf_sigalgs = sigalgs;
3927 c->conf_sigalgslen = salglen;
3928 }
3929
3930 return 1;
3931
3932 err:
3933 OPENSSL_free(sigalgs);
3934 return 0;
3935}
4453cd8c 3936
d61ff83b 3937static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3938{
3939 int sig_nid;
3940 size_t i;
3941 if (default_nid == -1)
3942 return 1;
3943 sig_nid = X509_get_signature_nid(x);
3944 if (default_nid)
3945 return sig_nid == default_nid ? 1 : 0;
3946 for (i = 0; i < c->shared_sigalgslen; i++)
3947 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3948 return 1;
3949 return 0;
3950}
3951
6dbb6219
DSH		 3952/* Check to see if a certificate issuer name matches list of CA names */
3953static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3954{
3955 X509_NAME *nm;
3956 int i;
3957 nm = X509_get_issuer_name(x);
3958 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3959 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3960 return 1;
3961 }
3962 return 0;
3963}
3964
3965/*
3966 * Check certificate chain is consistent with TLS extensions and is usable by
3967 * server. This servers two purposes: it allows users to check chains before
3968 * passing them to the server and it allows the server to check chains before
3969 * attempting to use them.
d61ff83b 3970 */
6dbb6219
DSH		 3971
3972/* Flags which need to be set for a certificate when stict mode not set */
3973
e481f9b9 3974#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3975 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3976/* Strict mode flags */
e481f9b9 3977#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3978 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3979 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3980
d61ff83b 3981int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3982 int idx)
3983{
3984 int i;
3985 int rv = 0;
3986 int check_flags = 0, strict_mode;
3987 CERT_PKEY *cpk = NULL;
3988 CERT *c = s->cert;
f7d53487 3989 uint32_t *pvalid;
0f113f3e
MC		 3990 unsigned int suiteb_flags = tls1_suiteb(s);
3991 /* idx == -1 means checking server chains */
3992 if (idx != -1) {
3993 /* idx == -2 means checking client certificate chains */
3994 if (idx == -2) {
3995 cpk = c->key;
3996 idx = cpk - c->pkeys;
3997 } else
3998 cpk = c->pkeys + idx;
6383d316 3999 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 4000 x = cpk->x509;
4001 pk = cpk->privatekey;
4002 chain = cpk->chain;
4003 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4004 /* If no cert or key, forget it */
4005 if (!x || !pk)
4006 goto end;
e481f9b9 4007#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 4008 /* Allow any certificate to pass test */
4009 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4010 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4011 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 4012 *pvalid = rv;
0f113f3e
MC		 4013 return rv;
4014 }
e481f9b9 4015#endif
0f113f3e
MC		 4016 } else {
4017 if (!x || !pk)
d813f9eb 4018 return 0;
0f113f3e
MC		 4019 idx = ssl_cert_type(x, pk);
4020 if (idx == -1)
d813f9eb 4021 return 0;
6383d316
DSH		 4022 pvalid = s->s3->tmp.valid_flags + idx;
4023
0f113f3e
MC		 4024 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4025 check_flags = CERT_PKEY_STRICT_FLAGS;
4026 else
4027 check_flags = CERT_PKEY_VALID_FLAGS;
4028 strict_mode = 1;
4029 }
4030
4031 if (suiteb_flags) {
4032 int ok;
4033 if (check_flags)
4034 check_flags |= CERT_PKEY_SUITEB;
4035 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4036 if (ok == X509_V_OK)
4037 rv |= CERT_PKEY_SUITEB;
4038 else if (!check_flags)
4039 goto end;
4040 }
4041
4042 /*
4043 * Check all signature algorithms are consistent with signature
4044 * algorithms extension if TLS 1.2 or later and strict mode.
4045 */
4046 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4047 int default_nid;
4048 unsigned char rsign = 0;
76106e60 4049 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 4050 default_nid = 0;
4051 /* If no sigalgs extension use defaults from RFC5246 */
4052 else {
4053 switch (idx) {
4054 case SSL_PKEY_RSA_ENC:
4055 case SSL_PKEY_RSA_SIGN:
4056 case SSL_PKEY_DH_RSA:
4057 rsign = TLSEXT_signature_rsa;
4058 default_nid = NID_sha1WithRSAEncryption;
4059 break;
4060
4061 case SSL_PKEY_DSA_SIGN:
4062 case SSL_PKEY_DH_DSA:
4063 rsign = TLSEXT_signature_dsa;
4064 default_nid = NID_dsaWithSHA1;
4065 break;
4066
4067 case SSL_PKEY_ECC:
4068 rsign = TLSEXT_signature_ecdsa;
4069 default_nid = NID_ecdsa_with_SHA1;
4070 break;
4071
e44380a9
DB		 4072 case SSL_PKEY_GOST01:
4073 rsign = TLSEXT_signature_gostr34102001;
4074 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4075 break;
4076
4077 case SSL_PKEY_GOST12_256:
4078 rsign = TLSEXT_signature_gostr34102012_256;
4079 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4080 break;
4081
4082 case SSL_PKEY_GOST12_512:
4083 rsign = TLSEXT_signature_gostr34102012_512;
4084 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4085 break;
4086
0f113f3e
MC		 4087 default:
4088 default_nid = -1;
4089 break;
4090 }
4091 }
4092 /*
4093 * If peer sent no signature algorithms extension and we have set
4094 * preferred signature algorithms check we support sha1.
4095 */
4096 if (default_nid > 0 && c->conf_sigalgs) {
4097 size_t j;
4098 const unsigned char *p = c->conf_sigalgs;
4099 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4100 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4101 break;
4102 }
4103 if (j == c->conf_sigalgslen) {
4104 if (check_flags)
4105 goto skip_sigs;
4106 else
4107 goto end;
4108 }
4109 }
4110 /* Check signature algorithm of each cert in chain */
4111 if (!tls1_check_sig_alg(c, x, default_nid)) {
4112 if (!check_flags)
4113 goto end;
4114 } else
4115 rv |= CERT_PKEY_EE_SIGNATURE;
4116 rv |= CERT_PKEY_CA_SIGNATURE;
4117 for (i = 0; i < sk_X509_num(chain); i++) {
4118 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4119 if (check_flags) {
4120 rv &= ~CERT_PKEY_CA_SIGNATURE;
4121 break;
4122 } else
4123 goto end;
4124 }
4125 }
4126 }
4127 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4128 else if (check_flags)
4129 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4130 skip_sigs:
4131 /* Check cert parameters are consistent */
4132 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4133 rv |= CERT_PKEY_EE_PARAM;
4134 else if (!check_flags)
4135 goto end;
4136 if (!s->server)
4137 rv |= CERT_PKEY_CA_PARAM;
4138 /* In strict mode check rest of chain too */
4139 else if (strict_mode) {
4140 rv |= CERT_PKEY_CA_PARAM;
4141 for (i = 0; i < sk_X509_num(chain); i++) {
4142 X509 *ca = sk_X509_value(chain, i);
4143 if (!tls1_check_cert_param(s, ca, 0)) {
4144 if (check_flags) {
4145 rv &= ~CERT_PKEY_CA_PARAM;
4146 break;
4147 } else
4148 goto end;
4149 }
4150 }
4151 }
4152 if (!s->server && strict_mode) {
4153 STACK_OF(X509_NAME) *ca_dn;
4154 int check_type = 0;
4155 switch (pk->type) {
4156 case EVP_PKEY_RSA:
4157 check_type = TLS_CT_RSA_SIGN;
4158 break;
4159 case EVP_PKEY_DSA:
4160 check_type = TLS_CT_DSS_SIGN;
4161 break;
4162 case EVP_PKEY_EC:
4163 check_type = TLS_CT_ECDSA_SIGN;
4164 break;
4165 case EVP_PKEY_DH:
4166 case EVP_PKEY_DHX:
4167 {
4168 int cert_type = X509_certificate_type(x, pk);
4169 if (cert_type & EVP_PKS_RSA)
4170 check_type = TLS_CT_RSA_FIXED_DH;
4171 if (cert_type & EVP_PKS_DSA)
4172 check_type = TLS_CT_DSS_FIXED_DH;
4173 }
4174 }
4175 if (check_type) {
4176 const unsigned char *ctypes;
4177 int ctypelen;
4178 if (c->ctypes) {
4179 ctypes = c->ctypes;
4180 ctypelen = (int)c->ctype_num;
4181 } else {
4182 ctypes = (unsigned char *)s->s3->tmp.ctype;
4183 ctypelen = s->s3->tmp.ctype_num;
4184 }
4185 for (i = 0; i < ctypelen; i++) {
4186 if (ctypes[i] == check_type) {
4187 rv |= CERT_PKEY_CERT_TYPE;
4188 break;
4189 }
4190 }
4191 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4192 goto end;
4193 } else
4194 rv |= CERT_PKEY_CERT_TYPE;
4195
4196 ca_dn = s->s3->tmp.ca_names;
4197
4198 if (!sk_X509_NAME_num(ca_dn))
4199 rv |= CERT_PKEY_ISSUER_NAME;
4200
4201 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4202 if (ssl_check_ca_name(ca_dn, x))
4203 rv |= CERT_PKEY_ISSUER_NAME;
4204 }
4205 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4206 for (i = 0; i < sk_X509_num(chain); i++) {
4207 X509 *xtmp = sk_X509_value(chain, i);
4208 if (ssl_check_ca_name(ca_dn, xtmp)) {
4209 rv |= CERT_PKEY_ISSUER_NAME;
4210 break;
4211 }
4212 }
4213 }
4214 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4215 goto end;
4216 } else
4217 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4218
4219 if (!check_flags || (rv & check_flags) == check_flags)
4220 rv |= CERT_PKEY_VALID;
4221
4222 end:
4223
4224 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4225 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4226 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4227 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4228 rv |= CERT_PKEY_SIGN;
4229 } else
4230 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4231
4232 /*
4233 * When checking a CERT_PKEY structure all flags are irrelevant if the
4234 * chain is invalid.
4235 */
4236 if (!check_flags) {
4237 if (rv & CERT_PKEY_VALID)
6383d316 4238 *pvalid = rv;
0f113f3e
MC		 4239 else {
4240 /* Preserve explicit sign flag, clear rest */
6383d316 4241 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4242 return 0;
4243 }
4244 }
4245 return rv;
4246}
d61ff83b
DSH		 4247
4248/* Set validity of certificates in an SSL structure */
4249void tls1_set_cert_validity(SSL *s)
0f113f3e 4250{
17dd65e6
MC		 4251 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4252 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4253 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4254 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4255 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4256 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4257 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4258 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4259 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4260}
4261
18d71588
DSH		 4262/* User level utiity function to check a chain is suitable */
4263int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4264{
4265 return tls1_check_chain(s, x, pk, chain, -1);
4266}
d61ff83b 4267
09599b52
DSH		 4268
4269#ifndef OPENSSL_NO_DH
4270DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4271{
4272 int dh_secbits = 80;
4273 if (s->cert->dh_tmp_auto == 2)
4274 return DH_get_1024_160();
adc5506a 4275 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4276 if (s->s3->tmp.new_cipher->strength_bits == 256)
4277 dh_secbits = 128;
4278 else
4279 dh_secbits = 80;
4280 } else {
4281 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4282 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4283 }
4284
4285 if (dh_secbits >= 128) {
4286 DH *dhp = DH_new();
a71edf3b 4287 if (dhp == NULL)
0f113f3e
MC		 4288 return NULL;
4289 dhp->g = BN_new();
a71edf3b 4290 if (dhp->g != NULL)
0f113f3e
MC		 4291 BN_set_word(dhp->g, 2);
4292 if (dh_secbits >= 192)
4293 dhp->p = get_rfc3526_prime_8192(NULL);
4294 else
4295 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4296 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4297 DH_free(dhp);
4298 return NULL;
4299 }
4300 return dhp;
4301 }
4302 if (dh_secbits >= 112)
4303 return DH_get_2048_224();
4304 return DH_get_1024_160();
4305}
09599b52 4306#endif
b362ccab
DSH		 4307
4308static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4309{
4310 int secbits;
4311 EVP_PKEY *pkey = X509_get_pubkey(x);
4312 if (pkey) {
4313 secbits = EVP_PKEY_security_bits(pkey);
4314 EVP_PKEY_free(pkey);
4315 } else
4316 secbits = -1;
4317 if (s)
4318 return ssl_security(s, op, secbits, 0, x);
4319 else
4320 return ssl_ctx_security(ctx, op, secbits, 0, x);
4321}
b362ccab
DSH		 4322
4323static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4324{
4325 /* Lookup signature algorithm digest */
4326 int secbits = -1, md_nid = NID_undef, sig_nid;
4327 sig_nid = X509_get_signature_nid(x);
4328 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4329 const EVP_MD *md;
4330 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4331 secbits = EVP_MD_size(md) * 4;
4332 }
4333 if (s)
4334 return ssl_security(s, op, secbits, md_nid, x);
4335 else
4336 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4337}
b362ccab
DSH		 4338
4339int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4340{
4341 if (vfy)
4342 vfy = SSL_SECOP_PEER;
4343 if (is_ee) {
4344 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4345 return SSL_R_EE_KEY_TOO_SMALL;
4346 } else {
4347 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4348 return SSL_R_CA_KEY_TOO_SMALL;
4349 }
4350 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4351 return SSL_R_CA_MD_TOO_WEAK;
4352 return 1;
4353}
4354
4355/*
4356 * Check security of a chain, if sk includes the end entity certificate then
4357 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4358 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4359 */
4360
4361int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4362{
4363 int rv, start_idx, i;
4364 if (x == NULL) {
4365 x = sk_X509_value(sk, 0);
4366 start_idx = 1;
4367 } else
4368 start_idx = 0;
4369
4370 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4371 if (rv != 1)
4372 return rv;
4373
4374 for (i = start_idx; i < sk_X509_num(sk); i++) {
4375 x = sk_X509_value(sk, i);
4376 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4377 if (rv != 1)
4378 return rv;
4379 }
4380 return 1;
4381}
A mirror of the official openssl repository