]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove /* foo.c */ comments
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 7 *
58964a49
RE		 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 14 *
58964a49
RE		 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
0f113f3e 21 *
58964a49
RE		 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
0f113f3e 36 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 39 *
58964a49
RE		 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
0f113f3e 51 *
58964a49
RE		 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
f1fd4544 57/* ====================================================================
52b8dad8 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
0f113f3e 65 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
58964a49
RE		 110
111#include <stdio.h>
ec577822 112#include <openssl/objects.h>
6434abbf
DSH		 113#include <openssl/evp.h>
114#include <openssl/hmac.h>
67c8e7f4 115#include <openssl/ocsp.h>
4817504d 116#include <openssl/rand.h>
09599b52 117#ifndef OPENSSL_NO_DH
0f113f3e
MC		 118# include <openssl/dh.h>
119# include <openssl/bn.h>
09599b52 120#endif
58964a49
RE		 121#include "ssl_locl.h"
122
6434abbf 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
2daceb03 126static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 127int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 128
0f113f3e
MC		 129SSL3_ENC_METHOD const TLSv1_enc_data = {
130 tls1_enc,
131 tls1_mac,
132 tls1_setup_key_block,
133 tls1_generate_master_secret,
134 tls1_change_cipher_state,
135 tls1_final_finish_mac,
136 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 137 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
140 tls1_export_keying_material,
141 0,
142 SSL3_HM_HEADER_LENGTH,
143 ssl3_set_handshake_header,
144 ssl3_handshake_write
145};
146
147SSL3_ENC_METHOD const TLSv1_1_enc_data = {
148 tls1_enc,
149 tls1_mac,
150 tls1_setup_key_block,
151 tls1_generate_master_secret,
152 tls1_change_cipher_state,
153 tls1_final_finish_mac,
154 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 155 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163};
164
165SSL3_ENC_METHOD const TLSv1_2_enc_data = {
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 173 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
174 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
175 tls1_alert_code,
176 tls1_export_keying_material,
177 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
178 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 SSL3_HM_HEADER_LENGTH,
180 ssl3_set_handshake_header,
181 ssl3_handshake_write
182};
58964a49 183
f3b656b2 184long tls1_default_timeout(void)
0f113f3e
MC		 185{
186 /*
187 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
188 * http, the cache would over fill
189 */
190 return (60 * 60 * 2);
191}
58964a49 192
6b691a5c 193int tls1_new(SSL *s)
0f113f3e
MC		 194{
195 if (!ssl3_new(s))
196 return (0);
197 s->method->ssl_clear(s);
198 return (1);
199}
58964a49 200
6b691a5c 201void tls1_free(SSL *s)
0f113f3e 202{
b548a1f1 203 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 204 ssl3_free(s);
205}
58964a49 206
6b691a5c 207void tls1_clear(SSL *s)
0f113f3e
MC		 208{
209 ssl3_clear(s);
4fa52141
VD		 210 if (s->method->version == TLS_ANY_VERSION)
211 s->version = TLS_MAX_VERSION;
212 else
213 s->version = s->method->version;
0f113f3e 214}
58964a49 215
525de5d3 216#ifndef OPENSSL_NO_EC
eda3766b 217
0f113f3e
MC		 218typedef struct {
219 int nid; /* Curve NID */
220 int secbits; /* Bits of security (from SP800-57) */
221 unsigned int flags; /* Flags: currently just field type */
222} tls_curve_info;
223
224# define TLS_CURVE_CHAR2 0x1
225# define TLS_CURVE_PRIME 0x0
226
227static const tls_curve_info nid_list[] = {
228 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
229 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
230 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
231 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
232 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
233 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
234 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
235 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
236 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
237 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
238 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
239 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
240 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
241 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
242 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
243 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
244 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
245 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
246 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
247 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
248 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
249 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
250 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
251 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
252 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
253 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
254 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
255 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
256};
257
258static const unsigned char ecformats_default[] = {
259 TLSEXT_ECPOINTFORMAT_uncompressed,
260 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
262};
263
fe6ef247
KR		 264/* The default curves */
265static const unsigned char eccurves_default[] = {
de57d237
EK		 266 /* Prefer P-256 which has the fastest and most secure implementations. */
267 0, 23, /* secp256r1 (23) */
268 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 269 0, 25, /* secp521r1 (25) */
270 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 271 0, 27, /* brainpoolP384r1 (27) */
272 0, 24, /* secp384r1 (24) */
de57d237
EK		 273 0, 26, /* brainpoolP256r1 (26) */
274 0, 22, /* secp256k1 (22) */
275 /* >= 256-bit binary curves. */
276 0, 14, /* sect571r1 (14) */
277 0, 13, /* sect571k1 (13) */
278 0, 11, /* sect409k1 (11) */
279 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 280 0, 9, /* sect283k1 (9) */
281 0, 10, /* sect283r1 (10) */
de57d237
EK		 282};
283
284static const unsigned char eccurves_all[] = {
285 /* Prefer P-256 which has the fastest and most secure implementations. */
286 0, 23, /* secp256r1 (23) */
287 /* Other >= 256-bit prime curves. */
288 0, 25, /* secp521r1 (25) */
289 0, 28, /* brainpool512r1 (28) */
290 0, 27, /* brainpoolP384r1 (27) */
291 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 292 0, 26, /* brainpoolP256r1 (26) */
293 0, 22, /* secp256k1 (22) */
de57d237
EK		 294 /* >= 256-bit binary curves. */
295 0, 14, /* sect571r1 (14) */
296 0, 13, /* sect571k1 (13) */
297 0, 11, /* sect409k1 (11) */
298 0, 12, /* sect409r1 (12) */
299 0, 9, /* sect283k1 (9) */
300 0, 10, /* sect283r1 (10) */
301 /*
302 * Remaining curves disabled by default but still permitted if set
303 * via an explicit callback or parameters.
304 */
305 0, 20, /* secp224k1 (20) */
306 0, 21, /* secp224r1 (21) */
307 0, 18, /* secp192k1 (18) */
308 0, 19, /* secp192r1 (19) */
309 0, 15, /* secp160k1 (15) */
310 0, 16, /* secp160r1 (16) */
311 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 312 0, 8, /* sect239k1 (8) */
313 0, 6, /* sect233k1 (6) */
314 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 315 0, 4, /* sect193r1 (4) */
316 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 317 0, 1, /* sect163k1 (1) */
318 0, 2, /* sect163r1 (2) */
319 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 320};
321
de57d237 322
0f113f3e
MC		 323static const unsigned char suiteb_curves[] = {
324 0, TLSEXT_curve_P_256,
325 0, TLSEXT_curve_P_384
326};
2ea80354 327
525de5d3 328int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 329{
330 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 331 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 332 return 0;
333 return nid_list[curve_id - 1].nid;
334}
525de5d3
DSH		 335
336int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 337{
338 /* ECC curves from RFC 4492 and RFC 7027 */
339 switch (nid) {
340 case NID_sect163k1: /* sect163k1 (1) */
341 return 1;
342 case NID_sect163r1: /* sect163r1 (2) */
343 return 2;
344 case NID_sect163r2: /* sect163r2 (3) */
345 return 3;
346 case NID_sect193r1: /* sect193r1 (4) */
347 return 4;
348 case NID_sect193r2: /* sect193r2 (5) */
349 return 5;
350 case NID_sect233k1: /* sect233k1 (6) */
351 return 6;
352 case NID_sect233r1: /* sect233r1 (7) */
353 return 7;
354 case NID_sect239k1: /* sect239k1 (8) */
355 return 8;
356 case NID_sect283k1: /* sect283k1 (9) */
357 return 9;
358 case NID_sect283r1: /* sect283r1 (10) */
359 return 10;
360 case NID_sect409k1: /* sect409k1 (11) */
361 return 11;
362 case NID_sect409r1: /* sect409r1 (12) */
363 return 12;
364 case NID_sect571k1: /* sect571k1 (13) */
365 return 13;
366 case NID_sect571r1: /* sect571r1 (14) */
367 return 14;
368 case NID_secp160k1: /* secp160k1 (15) */
369 return 15;
370 case NID_secp160r1: /* secp160r1 (16) */
371 return 16;
372 case NID_secp160r2: /* secp160r2 (17) */
373 return 17;
374 case NID_secp192k1: /* secp192k1 (18) */
375 return 18;
376 case NID_X9_62_prime192v1: /* secp192r1 (19) */
377 return 19;
378 case NID_secp224k1: /* secp224k1 (20) */
379 return 20;
380 case NID_secp224r1: /* secp224r1 (21) */
381 return 21;
382 case NID_secp256k1: /* secp256k1 (22) */
383 return 22;
384 case NID_X9_62_prime256v1: /* secp256r1 (23) */
385 return 23;
386 case NID_secp384r1: /* secp384r1 (24) */
387 return 24;
388 case NID_secp521r1: /* secp521r1 (25) */
389 return 25;
390 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
391 return 26;
392 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
393 return 27;
394 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
395 return 28;
396 default:
397 return 0;
398 }
399}
400
740580c2
EK		 401/*
402 * Get curves list, if "sess" is set return client curves otherwise
403 * preferred list.
404 * Sets |num_curves| to the number of curves in the list, i.e.,
405 * the length of |pcurves| is 2 * num_curves.
406 * Returns 1 on success and 0 if the client curves list has invalid format.
407 * The latter indicates an internal error: we should not be accepting such
408 * lists in the first place.
409 * TODO(emilia): we should really be storing the curves list in explicitly
410 * parsed form instead. (However, this would affect binary compatibility
411 * so cannot happen in the 1.0.x series.)
fd2b65ce 412 */
740580c2 413static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 414 const unsigned char **pcurves,
415 size_t *num_curves)
416{
417 size_t pcurveslen = 0;
418 if (sess) {
419 *pcurves = s->session->tlsext_ellipticcurvelist;
420 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
421 } else {
422 /* For Suite B mode only include P-256, P-384 */
423 switch (tls1_suiteb(s)) {
424 case SSL_CERT_FLAG_SUITEB_128_LOS:
425 *pcurves = suiteb_curves;
426 pcurveslen = sizeof(suiteb_curves);
427 break;
428
429 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
430 *pcurves = suiteb_curves;
431 pcurveslen = 2;
432 break;
433
434 case SSL_CERT_FLAG_SUITEB_192_LOS:
435 *pcurves = suiteb_curves + 2;
436 pcurveslen = 2;
437 break;
438 default:
439 *pcurves = s->tlsext_ellipticcurvelist;
440 pcurveslen = s->tlsext_ellipticcurvelist_length;
441 }
442 if (!*pcurves) {
fe6ef247
KR		 443 *pcurves = eccurves_default;
444 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 445 }
446 }
447
448 /* We do not allow odd length arrays to enter the system. */
449 if (pcurveslen & 1) {
450 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
451 *num_curves = 0;
452 return 0;
453 } else {
454 *num_curves = pcurveslen / 2;
455 return 1;
456 }
457}
b362ccab
DSH		 458
459/* See if curve is allowed by security callback */
460static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 461{
462 const tls_curve_info *cinfo;
463 if (curve[0])
464 return 1;
b6eb9827 465 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 466 return 0;
467 cinfo = &nid_list[curve[1] - 1];
468# ifdef OPENSSL_NO_EC2M
469 if (cinfo->flags & TLS_CURVE_CHAR2)
470 return 0;
471# endif
472 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
473}
b362ccab 474
d18b716d
DSH		 475/* Check a curve is one of our preferences */
476int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 477{
478 const unsigned char *curves;
479 size_t num_curves, i;
480 unsigned int suiteb_flags = tls1_suiteb(s);
481 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
482 return 0;
483 /* Check curve matches Suite B preferences */
484 if (suiteb_flags) {
485 unsigned long cid = s->s3->tmp.new_cipher->id;
486 if (p[1])
487 return 0;
488 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
489 if (p[2] != TLSEXT_curve_P_256)
490 return 0;
491 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
492 if (p[2] != TLSEXT_curve_P_384)
493 return 0;
494 } else /* Should never happen */
495 return 0;
496 }
497 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
498 return 0;
499 for (i = 0; i < num_curves; i++, curves += 2) {
500 if (p[1] == curves[0] && p[2] == curves[1])
501 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
502 }
503 return 0;
504}
d0595f17 505
1d97c843 506/*-
6977e8ee
KR		 507 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
508 * if there is no match.
509 * For nmatch == -1, return number of matches
376e2ca3
EK		 510 * For nmatch == -2, return the NID of the curve to use for
511 * an EC tmp key, or NID_undef if there is no match.
d0595f17 512 */
a4352630 513int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 514{
515 const unsigned char *pref, *supp;
516 size_t num_pref, num_supp, i, j;
517 int k;
518 /* Can't do anything on client side */
519 if (s->server == 0)
520 return -1;
521 if (nmatch == -2) {
522 if (tls1_suiteb(s)) {
523 /*
524 * For Suite B ciphersuite determines curve: we already know
525 * these are acceptable due to previous checks.
526 */
527 unsigned long cid = s->s3->tmp.new_cipher->id;
528 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
529 return NID_X9_62_prime256v1; /* P-256 */
530 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
531 return NID_secp384r1; /* P-384 */
532 /* Should never happen */
533 return NID_undef;
534 }
535 /* If not Suite B just return first preference shared curve */
536 nmatch = 0;
537 }
538 /*
539 * Avoid truncation. tls1_get_curvelist takes an int
540 * but s->options is a long...
541 */
542 if (!tls1_get_curvelist
543 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
544 &num_supp))
545 /* In practice, NID_undef == 0 but let's be precise. */
546 return nmatch == -1 ? 0 : NID_undef;
547 if (!tls1_get_curvelist
548 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
549 &num_pref))
550 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 551
552 /*
553 * If the client didn't send the elliptic_curves extension all of them
554 * are allowed.
555 */
556 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
557 supp = eccurves_all;
558 num_supp = sizeof(eccurves_all) / 2;
559 } else if (num_pref == 0 &&
560 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
561 pref = eccurves_all;
562 num_pref = sizeof(eccurves_all) / 2;
563 }
564
0f113f3e
MC		 565 k = 0;
566 for (i = 0; i < num_pref; i++, pref += 2) {
567 const unsigned char *tsupp = supp;
568 for (j = 0; j < num_supp; j++, tsupp += 2) {
569 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
570 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
571 continue;
572 if (nmatch == k) {
573 int id = (pref[0] << 8) | pref[1];
574 return tls1_ec_curve_id2nid(id);
575 }
576 k++;
577 }
578 }
579 }
580 if (nmatch == -1)
581 return k;
582 /* Out of range (nmatch > k). */
583 return NID_undef;
584}
d0595f17
DSH		 585
586int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 587 int *curves, size_t ncurves)
588{
589 unsigned char *clist, *p;
590 size_t i;
591 /*
592 * Bitmap of curves included to detect duplicates: only works while curve
593 * ids < 32
594 */
595 unsigned long dup_list = 0;
596 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 597 if (clist == NULL)
0f113f3e
MC		 598 return 0;
599 for (i = 0, p = clist; i < ncurves; i++) {
600 unsigned long idmask;
601 int id;
602 id = tls1_ec_nid2curve_id(curves[i]);
603 idmask = 1L << id;
604 if (!id || (dup_list & idmask)) {
605 OPENSSL_free(clist);
606 return 0;
607 }
608 dup_list |= idmask;
609 s2n(id, p);
610 }
b548a1f1 611 OPENSSL_free(*pext);
0f113f3e
MC		 612 *pext = clist;
613 *pextlen = ncurves * 2;
614 return 1;
615}
616
617# define MAX_CURVELIST 28
618
619typedef struct {
620 size_t nidcnt;
621 int nid_arr[MAX_CURVELIST];
622} nid_cb_st;
d0595f17
DSH		 623
624static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 625{
626 nid_cb_st *narg = arg;
627 size_t i;
628 int nid;
629 char etmp[20];
2747d73c
KR		 630 if (elem == NULL)
631 return 0;
0f113f3e
MC		 632 if (narg->nidcnt == MAX_CURVELIST)
633 return 0;
634 if (len > (int)(sizeof(etmp) - 1))
635 return 0;
636 memcpy(etmp, elem, len);
637 etmp[len] = 0;
638 nid = EC_curve_nist2nid(etmp);
639 if (nid == NID_undef)
640 nid = OBJ_sn2nid(etmp);
641 if (nid == NID_undef)
642 nid = OBJ_ln2nid(etmp);
643 if (nid == NID_undef)
644 return 0;
645 for (i = 0; i < narg->nidcnt; i++)
646 if (narg->nid_arr[i] == nid)
647 return 0;
648 narg->nid_arr[narg->nidcnt++] = nid;
649 return 1;
650}
651
d0595f17 652/* Set curves based on a colon separate list */
0f113f3e
MC		 653int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
654 const char *str)
655{
656 nid_cb_st ncb;
657 ncb.nidcnt = 0;
658 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
659 return 0;
660 if (pext == NULL)
661 return 1;
662 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
663}
664
fd2b65ce
DSH		 665/* For an EC key set TLS id and required compression based on parameters */
666static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 667 EC_KEY *ec)
668{
669 int is_prime, id;
670 const EC_GROUP *grp;
671 const EC_METHOD *meth;
672 if (!ec)
673 return 0;
674 /* Determine if it is a prime field */
675 grp = EC_KEY_get0_group(ec);
676 if (!grp)
677 return 0;
678 meth = EC_GROUP_method_of(grp);
679 if (!meth)
680 return 0;
681 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
682 is_prime = 1;
683 else
684 is_prime = 0;
685 /* Determine curve ID */
686 id = EC_GROUP_get_curve_name(grp);
687 id = tls1_ec_nid2curve_id(id);
688 /* If we have an ID set it, otherwise set arbitrary explicit curve */
689 if (id) {
690 curve_id[0] = 0;
691 curve_id[1] = (unsigned char)id;
692 } else {
693 curve_id[0] = 0xff;
694 if (is_prime)
695 curve_id[1] = 0x01;
696 else
697 curve_id[1] = 0x02;
698 }
699 if (comp_id) {
700 if (EC_KEY_get0_public_key(ec) == NULL)
701 return 0;
702 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
703 if (is_prime)
704 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
705 else
706 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
707 } else
708 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
709 }
710 return 1;
711}
712
fd2b65ce
DSH		 713/* Check an EC key is compatible with extensions */
714static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 715 unsigned char *curve_id, unsigned char *comp_id)
716{
717 const unsigned char *pformats, *pcurves;
718 size_t num_formats, num_curves, i;
719 int j;
720 /*
721 * If point formats extension present check it, otherwise everything is
722 * supported (see RFC4492).
723 */
724 if (comp_id && s->session->tlsext_ecpointformatlist) {
725 pformats = s->session->tlsext_ecpointformatlist;
726 num_formats = s->session->tlsext_ecpointformatlist_length;
727 for (i = 0; i < num_formats; i++, pformats++) {
728 if (*comp_id == *pformats)
729 break;
730 }
731 if (i == num_formats)
732 return 0;
733 }
734 if (!curve_id)
735 return 1;
736 /* Check curve is consistent with client and server preferences */
737 for (j = 0; j <= 1; j++) {
738 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
739 return 0;
b79d2410
MC		 740 if (j == 1 && num_curves == 0) {
741 /*
742 * If we've not received any curves then skip this check.
743 * RFC 4492 does not require the supported elliptic curves extension
744 * so if it is not sent we can just choose any curve.
745 * It is invalid to send an empty list in the elliptic curves
746 * extension, so num_curves == 0 always means no extension.
747 */
748 break;
749 }
0f113f3e
MC		 750 for (i = 0; i < num_curves; i++, pcurves += 2) {
751 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
752 break;
753 }
754 if (i == num_curves)
755 return 0;
756 /* For clients can only check sent curve list */
757 if (!s->server)
758 break;
759 }
760 return 1;
761}
d61ff83b 762
5087afa1 763static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 764 size_t *num_formats)
765{
766 /*
767 * If we have a custom point format list use it otherwise use default
768 */
769 if (s->tlsext_ecpointformatlist) {
770 *pformats = s->tlsext_ecpointformatlist;
771 *num_formats = s->tlsext_ecpointformatlist_length;
772 } else {
773 *pformats = ecformats_default;
774 /* For Suite B we don't support char2 fields */
775 if (tls1_suiteb(s))
776 *num_formats = sizeof(ecformats_default) - 1;
777 else
778 *num_formats = sizeof(ecformats_default);
779 }
780}
781
782/*
783 * Check cert parameters compatible with extensions: currently just checks EC
784 * certificates have compatible curves and compression.
d61ff83b 785 */
2ea80354 786static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 787{
788 unsigned char comp_id, curve_id[2];
789 EVP_PKEY *pkey;
790 int rv;
8382fd3a 791 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 792 if (!pkey)
793 return 0;
794 /* If not EC nothing to do */
3aeb9348 795 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 796 return 1;
3aeb9348 797 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 798 if (!rv)
799 return 0;
800 /*
801 * Can't check curve_id for client certs as we don't have a supported
802 * curves extension.
803 */
804 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
805 if (!rv)
806 return 0;
807 /*
808 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
809 * SHA384+P-384, adjust digest if necessary.
810 */
811 if (set_ee_md && tls1_suiteb(s)) {
812 int check_md;
813 size_t i;
814 CERT *c = s->cert;
815 if (curve_id[0])
816 return 0;
817 /* Check to see we have necessary signing algorithm */
818 if (curve_id[1] == TLSEXT_curve_P_256)
819 check_md = NID_ecdsa_with_SHA256;
820 else if (curve_id[1] == TLSEXT_curve_P_384)
821 check_md = NID_ecdsa_with_SHA384;
822 else
823 return 0; /* Should never happen */
824 for (i = 0; i < c->shared_sigalgslen; i++)
825 if (check_md == c->shared_sigalgs[i].signandhash_nid)
826 break;
827 if (i == c->shared_sigalgslen)
828 return 0;
829 if (set_ee_md == 2) {
830 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 831 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 832 else
d376e57d 833 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 834 }
835 }
836 return rv;
837}
838
10bf4fc2 839# ifndef OPENSSL_NO_EC
6977e8ee
KR		 840/*
841 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
842 * @s: SSL connection
843 * @cid: Cipher ID we're considering using
844 *
845 * Checks that the kECDHE cipher suite we're considering using
846 * is compatible with the client extensions.
847 *
848 * Returns 0 when the cipher can't be used or 1 when it can.
849 */
2ea80354 850int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 851{
0f113f3e
MC		 852# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
853 /* Allow any curve: not just those peer supports */
854 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
855 return 1;
856# endif
857 /*
858 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
859 * curves permitted.
860 */
861 if (tls1_suiteb(s)) {
6977e8ee 862 unsigned char curve_id[2];
0f113f3e
MC		 863 /* Curve to check determined by ciphersuite */
864 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
865 curve_id[1] = TLSEXT_curve_P_256;
866 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
867 curve_id[1] = TLSEXT_curve_P_384;
868 else
869 return 0;
870 curve_id[0] = 0;
871 /* Check this curve is acceptable */
872 if (!tls1_check_ec_key(s, curve_id, NULL))
873 return 0;
fe6ef247 874 return 1;
0f113f3e 875 }
fe6ef247
KR		 876 /* Need a shared curve */
877 if (tls1_shared_curve(s, 0))
878 return 1;
6977e8ee 879 return 0;
0f113f3e 880}
10bf4fc2 881# endif /* OPENSSL_NO_EC */
d0595f17 882
14536c8c
DSH		 883#else
884
885static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 886{
887 return 1;
888}
14536c8c 889
0f113f3e 890#endif /* OPENSSL_NO_EC */
f1fd4544 891
0f113f3e
MC		 892/*
893 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 894 * customisable at some point, for now include everything we support.
895 */
896
e481f9b9
MC		 897#ifdef OPENSSL_NO_RSA
898# define tlsext_sigalg_rsa(md) /* */
899#else
900# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
901#endif
0f113f3e 902
e481f9b9
MC		 903#ifdef OPENSSL_NO_DSA
904# define tlsext_sigalg_dsa(md) /* */
905#else
906# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
907#endif
0f113f3e 908
e481f9b9
MC		 909#ifdef OPENSSL_NO_EC
910# define tlsext_sigalg_ecdsa(md) /* */
911#else
912# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
913#endif
0f113f3e 914
e481f9b9 915#define tlsext_sigalg(md) \
0f113f3e
MC		 916 tlsext_sigalg_rsa(md) \
917 tlsext_sigalg_dsa(md) \
918 tlsext_sigalg_ecdsa(md)
fc101f88 919
d97ed219 920static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 921 tlsext_sigalg(TLSEXT_hash_sha512)
922 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 923 tlsext_sigalg(TLSEXT_hash_sha256)
924 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 925 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 926#ifndef OPENSSL_NO_GOST
927 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
928 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
929 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
930#endif
fc101f88 931};
0f113f3e 932
e481f9b9 933#ifndef OPENSSL_NO_EC
d97ed219 934static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 935 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
936 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 937};
e481f9b9 938#endif
b7bfe69b 939size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 940{
941 /*
942 * If Suite B mode use Suite B sigalgs only, ignore any other
943 * preferences.
944 */
e481f9b9 945#ifndef OPENSSL_NO_EC
0f113f3e
MC		 946 switch (tls1_suiteb(s)) {
947 case SSL_CERT_FLAG_SUITEB_128_LOS:
948 *psigs = suiteb_sigalgs;
949 return sizeof(suiteb_sigalgs);
950
951 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
952 *psigs = suiteb_sigalgs;
953 return 2;
954
955 case SSL_CERT_FLAG_SUITEB_192_LOS:
956 *psigs = suiteb_sigalgs + 2;
957 return 2;
958 }
e481f9b9 959#endif
0f113f3e
MC		 960 /* If server use client authentication sigalgs if not NULL */
961 if (s->server && s->cert->client_sigalgs) {
962 *psigs = s->cert->client_sigalgs;
963 return s->cert->client_sigalgslen;
964 } else if (s->cert->conf_sigalgs) {
965 *psigs = s->cert->conf_sigalgs;
966 return s->cert->conf_sigalgslen;
967 } else {
968 *psigs = tls12_sigalgs;
969 return sizeof(tls12_sigalgs);
970 }
971}
972
973/*
974 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 975 * algorithms and if so return relevant digest.
976 */
977int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 978 const unsigned char *sig, EVP_PKEY *pkey)
979{
980 const unsigned char *sent_sigs;
981 size_t sent_sigslen, i;
982 int sigalg = tls12_get_sigid(pkey);
983 /* Should never happen */
984 if (sigalg == -1)
985 return -1;
986 /* Check key type is consistent with signature */
987 if (sigalg != (int)sig[1]) {
988 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
989 return 0;
990 }
e481f9b9 991#ifndef OPENSSL_NO_EC
3aeb9348 992 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 993 unsigned char curve_id[2], comp_id;
994 /* Check compression and curve matches extensions */
3aeb9348 995 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 996 return 0;
997 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
998 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
999 return 0;
1000 }
1001 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1002 if (tls1_suiteb(s)) {
1003 if (curve_id[0])
1004 return 0;
1005 if (curve_id[1] == TLSEXT_curve_P_256) {
1006 if (sig[0] != TLSEXT_hash_sha256) {
1007 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1008 SSL_R_ILLEGAL_SUITEB_DIGEST);
1009 return 0;
1010 }
1011 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1012 if (sig[0] != TLSEXT_hash_sha384) {
1013 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1014 SSL_R_ILLEGAL_SUITEB_DIGEST);
1015 return 0;
1016 }
1017 } else
1018 return 0;
1019 }
1020 } else if (tls1_suiteb(s))
1021 return 0;
e481f9b9 1022#endif
0f113f3e
MC		 1023
1024 /* Check signature matches a type we sent */
1025 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1026 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1027 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1028 break;
1029 }
1030 /* Allow fallback to SHA1 if not strict mode */
1031 if (i == sent_sigslen
1032 && (sig[0] != TLSEXT_hash_sha1
1033 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1034 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1035 return 0;
1036 }
1037 *pmd = tls12_get_hash(sig[0]);
1038 if (*pmd == NULL) {
1039 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1040 return 0;
1041 }
1042 /* Make sure security callback allows algorithm */
1043 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1044 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1045 (void *)sig)) {
1046 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1047 return 0;
1048 }
1049 /*
1050 * Store the digest used so applications can retrieve it if they wish.
1051 */
d376e57d 1052 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1053 return 1;
1054}
2ea80354 1055
0f113f3e
MC		 1056/*
1057 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1058 * supported or doesn't appear in supported signature algorithms. Unlike
1059 * ssl_cipher_get_disabled this applies to a specific session and not global
1060 * settings.
b7bfe69b
DSH		 1061 */
1062void ssl_set_client_disabled(SSL *s)
0f113f3e 1063{
4d69f9e6
DSH		 1064 s->s3->tmp.mask_a = 0;
1065 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1066 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1067 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1068 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1069 else
4d69f9e6 1070 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1071 /* Disable TLS 1.0 ciphers if using SSL v3 */
1072 if (s->client_version == SSL3_VERSION)
1073 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1074 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1075 /*
1076 * Disable static DH if we don't include any appropriate signature
1077 * algorithms.
1078 */
4d69f9e6 1079 if (s->s3->tmp.mask_a & SSL_aRSA)
bc71f910 1080 s->s3->tmp.mask_k |= SSL_kECDHr;
4d69f9e6
DSH		 1081 if (s->s3->tmp.mask_a & SSL_aECDSA)
1082 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1083# ifndef OPENSSL_NO_PSK
1084 /* with PSK there must be client callback set */
1085 if (!s->psk_client_callback) {
4d69f9e6 1086 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1087 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1088 }
e481f9b9
MC		 1089#endif /* OPENSSL_NO_PSK */
1090#ifndef OPENSSL_NO_SRP
0f113f3e 1091 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1092 s->s3->tmp.mask_a |= SSL_aSRP;
1093 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1094 }
e481f9b9 1095#endif
0f113f3e 1096}
fc101f88 1097
b362ccab 1098int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1099{
4d69f9e6
DSH		 1100 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1101 || c->algorithm_mkey & s->s3->tmp.mask_k
1102 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1103 return 1;
1104 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1105}
b362ccab
DSH		 1106
1107static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1108{
1109 if (s->options & SSL_OP_NO_TICKET)
1110 return 0;
1111 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1112}
ed3883d2 1113
0f113f3e
MC		 1114unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1115 unsigned char *limit, int *al)
1116{
1117 int extdatalen = 0;
1118 unsigned char *orig = buf;
1119 unsigned char *ret = buf;
e481f9b9 1120#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1121 /* See if we support any ECC ciphersuites */
1122 int using_ecc = 0;
1123 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1124 int i;
1125 unsigned long alg_k, alg_a;
1126 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1127
1128 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1129 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1130
1131 alg_k = c->algorithm_mkey;
1132 alg_a = c->algorithm_auth;
13be69f3 1133 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
0f113f3e
MC		 1134 || (alg_a & SSL_aECDSA))) {
1135 using_ecc = 1;
1136 break;
1137 }
1138 }
1139 }
e481f9b9 1140#endif
ed3883d2 1141
0f113f3e 1142 ret += 2;
6434abbf 1143
0f113f3e
MC		 1144 if (ret >= limit)
1145 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1146
0f113f3e
MC		 1147 /* Add RI if renegotiating */
1148 if (s->renegotiate) {
1149 int el;
5a3d8eeb 1150
0f113f3e
MC		 1151 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1152 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1153 return NULL;
1154 }
5a3d8eeb 1155
0f113f3e
MC		 1156 if ((limit - ret - 4 - el) < 0)
1157 return NULL;
5a3d8eeb 1158
0f113f3e
MC		 1159 s2n(TLSEXT_TYPE_renegotiate, ret);
1160 s2n(el, ret);
5a3d8eeb 1161
0f113f3e
MC		 1162 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1163 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1164 return NULL;
5a3d8eeb 1165 }
edc032b5 1166
0f113f3e
MC		 1167 ret += el;
1168 }
1169 /* Only add RI for SSLv3 */
1170 if (s->client_version == SSL3_VERSION)
1171 goto done;
1172
1173 if (s->tlsext_hostname != NULL) {
1174 /* Add TLS extension servername to the Client Hello message */
1175 unsigned long size_str;
1176 long lenmax;
1177
50e735f9
MC		 1178 /*-
1179 * check for enough space.
1180 * 4 for the servername type and entension length
1181 * 2 for servernamelist length
1182 * 1 for the hostname type
1183 * 2 for hostname length
1184 * + hostname length
1185 */
0f113f3e
MC		 1186
1187 if ((lenmax = limit - ret - 9) < 0
1188 || (size_str =
1189 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1190 return NULL;
1191
1192 /* extension type and length */
1193 s2n(TLSEXT_TYPE_server_name, ret);
1194 s2n(size_str + 5, ret);
1195
1196 /* length of servername list */
1197 s2n(size_str + 3, ret);
1198
1199 /* hostname type, length and hostname */
1200 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1201 s2n(size_str, ret);
1202 memcpy(ret, s->tlsext_hostname, size_str);
1203 ret += size_str;
1204 }
e481f9b9 1205#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1206 /* Add SRP username if there is one */
1207 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1208 * Client Hello message */
1209
1210 int login_len = strlen(s->srp_ctx.login);
1211 if (login_len > 255 || login_len == 0) {
1212 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1213 return NULL;
1214 }
761772d7 1215
50e735f9
MC		 1216 /*-
1217 * check for enough space.
1218 * 4 for the srp type type and entension length
1219 * 1 for the srp user identity
1220 * + srp user identity length
1221 */
0f113f3e
MC		 1222 if ((limit - ret - 5 - login_len) < 0)
1223 return NULL;
1224
1225 /* fill in the extension */
1226 s2n(TLSEXT_TYPE_srp, ret);
1227 s2n(login_len + 1, ret);
1228 (*ret++) = (unsigned char)login_len;
1229 memcpy(ret, s->srp_ctx.login, login_len);
1230 ret += login_len;
1231 }
e481f9b9 1232#endif
0f113f3e 1233
e481f9b9 1234#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1235 if (using_ecc) {
1236 /*
1237 * Add TLS extension ECPointFormats to the ClientHello message
1238 */
1239 long lenmax;
1240 const unsigned char *pcurves, *pformats;
1241 size_t num_curves, num_formats, curves_list_len;
1242 size_t i;
1243 unsigned char *etmp;
1244
1245 tls1_get_formatlist(s, &pformats, &num_formats);
1246
1247 if ((lenmax = limit - ret - 5) < 0)
1248 return NULL;
1249 if (num_formats > (size_t)lenmax)
1250 return NULL;
1251 if (num_formats > 255) {
1252 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1253 return NULL;
1254 }
4817504d 1255
0f113f3e
MC		 1256 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1257 /* The point format list has 1-byte length. */
1258 s2n(num_formats + 1, ret);
1259 *(ret++) = (unsigned char)num_formats;
1260 memcpy(ret, pformats, num_formats);
1261 ret += num_formats;
1262
1263 /*
1264 * Add TLS extension EllipticCurves to the ClientHello message
1265 */
1266 pcurves = s->tlsext_ellipticcurvelist;
1267 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1268 return NULL;
1269
1270 if ((lenmax = limit - ret - 6) < 0)
1271 return NULL;
1272 if (num_curves > (size_t)lenmax / 2)
1273 return NULL;
1274 if (num_curves > 65532 / 2) {
1275 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1276 return NULL;
1277 }
ee2ffc27 1278
0f113f3e
MC		 1279 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1280 etmp = ret + 4;
1281 /* Copy curve ID if supported */
1282 for (i = 0; i < num_curves; i++, pcurves += 2) {
1283 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1284 *etmp++ = pcurves[0];
1285 *etmp++ = pcurves[1];
1286 }
1287 }
01f2f18f 1288
0f113f3e
MC		 1289 curves_list_len = etmp - ret - 4;
1290
1291 s2n(curves_list_len + 2, ret);
1292 s2n(curves_list_len, ret);
1293 ret += curves_list_len;
1294 }
e481f9b9 1295#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1296
1297 if (tls_use_ticket(s)) {
1298 int ticklen;
1299 if (!s->new_session && s->session && s->session->tlsext_tick)
1300 ticklen = s->session->tlsext_ticklen;
1301 else if (s->session && s->tlsext_session_ticket &&
1302 s->tlsext_session_ticket->data) {
1303 ticklen = s->tlsext_session_ticket->length;
1304 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1305 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1306 return NULL;
1307 memcpy(s->session->tlsext_tick,
1308 s->tlsext_session_ticket->data, ticklen);
1309 s->session->tlsext_ticklen = ticklen;
1310 } else
1311 ticklen = 0;
1312 if (ticklen == 0 && s->tlsext_session_ticket &&
1313 s->tlsext_session_ticket->data == NULL)
1314 goto skip_ext;
1315 /*
1316 * Check for enough room 2 for extension type, 2 for len rest for
1317 * ticket
1318 */
1319 if ((long)(limit - ret - 4 - ticklen) < 0)
1320 return NULL;
1321 s2n(TLSEXT_TYPE_session_ticket, ret);
1322 s2n(ticklen, ret);
1323 if (ticklen) {
1324 memcpy(ret, s->session->tlsext_tick, ticklen);
1325 ret += ticklen;
1326 }
1327 }
1328 skip_ext:
1329
1330 if (SSL_USE_SIGALGS(s)) {
1331 size_t salglen;
1332 const unsigned char *salg;
1333 unsigned char *etmp;
1334 salglen = tls12_get_psigalgs(s, &salg);
1335 if ((size_t)(limit - ret) < salglen + 6)
1336 return NULL;
1337 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1338 etmp = ret;
1339 /* Skip over lengths for now */
1340 ret += 4;
1341 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1342 /* Fill in lengths */
1343 s2n(salglen + 2, etmp);
1344 s2n(salglen, etmp);
1345 ret += salglen;
1346 }
0f113f3e
MC		 1347
1348 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1349 int i;
1350 long extlen, idlen, itmp;
1351 OCSP_RESPID *id;
1352
1353 idlen = 0;
1354 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1355 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1356 itmp = i2d_OCSP_RESPID(id, NULL);
1357 if (itmp <= 0)
1358 return NULL;
1359 idlen += itmp + 2;
860c3dd1
DSH		 1360 }
1361
0f113f3e
MC		 1362 if (s->tlsext_ocsp_exts) {
1363 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1364 if (extlen < 0)
1365 return NULL;
1366 } else
1367 extlen = 0;
1368
1369 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1370 return NULL;
1371 s2n(TLSEXT_TYPE_status_request, ret);
1372 if (extlen + idlen > 0xFFF0)
1373 return NULL;
1374 s2n(extlen + idlen + 5, ret);
1375 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1376 s2n(idlen, ret);
1377 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1378 /* save position of id len */
1379 unsigned char *q = ret;
1380 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1381 /* skip over id len */
1382 ret += 2;
1383 itmp = i2d_OCSP_RESPID(id, &ret);
1384 /* write id len */
1385 s2n(itmp, q);
1386 }
1387 s2n(extlen, ret);
1388 if (extlen > 0)
1389 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1390 }
e481f9b9 1391#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1392 /* Add Heartbeat extension */
1393 if ((limit - ret - 4 - 1) < 0)
1394 return NULL;
1395 s2n(TLSEXT_TYPE_heartbeat, ret);
1396 s2n(1, ret);
50e735f9
MC		 1397 /*-
1398 * Set mode:
1399 * 1: peer may send requests
1400 * 2: peer not allowed to send requests
1401 */
0f113f3e
MC		 1402 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1403 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1404 else
1405 *(ret++) = SSL_TLSEXT_HB_ENABLED;
e481f9b9 1406#endif
0f113f3e 1407
e481f9b9 1408#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1409 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1410 /*
1411 * The client advertises an emtpy extension to indicate its support
1412 * for Next Protocol Negotiation
1413 */
1414 if (limit - ret - 4 < 0)
1415 return NULL;
1416 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1417 s2n(0, ret);
1418 }
e481f9b9 1419#endif
0f113f3e
MC		 1420
1421 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1422 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1423 return NULL;
1424 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1425 s2n(2 + s->alpn_client_proto_list_len, ret);
1426 s2n(s->alpn_client_proto_list_len, ret);
1427 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1428 ret += s->alpn_client_proto_list_len;
1429 }
e481f9b9 1430#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1431 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1432 int el;
1433
69f68237
MC		 1434 /* Returns 0 on success!! */
1435 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1436 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1437 return NULL;
1438 }
0f113f3e
MC		 1439
1440 if ((limit - ret - 4 - el) < 0)
1441 return NULL;
1442
1443 s2n(TLSEXT_TYPE_use_srtp, ret);
1444 s2n(el, ret);
1445
1446 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1447 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1448 return NULL;
1449 }
1450 ret += el;
1451 }
e481f9b9 1452#endif
0f113f3e
MC		 1453 custom_ext_init(&s->cert->cli_ext);
1454 /* Add custom TLS Extensions to ClientHello */
1455 if (!custom_ext_add(s, 0, &ret, limit, al))
1456 return NULL;
e481f9b9 1457#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1458 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1459 s2n(0, ret);
e481f9b9 1460#endif
ddc06b35
DSH		 1461 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1462 s2n(0, ret);
0f113f3e
MC		 1463
1464 /*
1465 * Add padding to workaround bugs in F5 terminators. See
1466 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1467 * code works out the length of all existing extensions it MUST always
1468 * appear last.
1469 */
1470 if (s->options & SSL_OP_TLSEXT_PADDING) {
1471 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1472
0f113f3e
MC		 1473 if (hlen > 0xff && hlen < 0x200) {
1474 hlen = 0x200 - hlen;
1475 if (hlen >= 4)
1476 hlen -= 4;
1477 else
1478 hlen = 0;
1479
1480 s2n(TLSEXT_TYPE_padding, ret);
1481 s2n(hlen, ret);
1482 memset(ret, 0, hlen);
1483 ret += hlen;
1484 }
1485 }
5a3d8eeb 1486
0f113f3e 1487 done:
5a3d8eeb 1488
0f113f3e
MC		 1489 if ((extdatalen = ret - orig - 2) == 0)
1490 return orig;
5a3d8eeb 1491
0f113f3e
MC		 1492 s2n(extdatalen, orig);
1493 return ret;
1494}
333f926d 1495
0f113f3e
MC		 1496unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1497 unsigned char *limit, int *al)
1498{
1499 int extdatalen = 0;
1500 unsigned char *orig = buf;
1501 unsigned char *ret = buf;
e481f9b9 1502#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1503 int next_proto_neg_seen;
e481f9b9
MC		 1504#endif
1505#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1506 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1507 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1508 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1509 || (alg_a & SSL_aECDSA);
1510 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1511#endif
0f113f3e
MC		 1512
1513 ret += 2;
1514 if (ret >= limit)
1515 return NULL; /* this really never occurs, but ... */
1516
1517 if (s->s3->send_connection_binding) {
1518 int el;
1519
1520 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1521 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1522 return NULL;
1523 }
333f926d 1524
0f113f3e
MC		 1525 if ((limit - ret - 4 - el) < 0)
1526 return NULL;
333f926d 1527
0f113f3e
MC		 1528 s2n(TLSEXT_TYPE_renegotiate, ret);
1529 s2n(el, ret);
333f926d 1530
0f113f3e
MC		 1531 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1532 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1533 return NULL;
1534 }
333f926d 1535
0f113f3e
MC		 1536 ret += el;
1537 }
1538
1539 /* Only add RI for SSLv3 */
1540 if (s->version == SSL3_VERSION)
1541 goto done;
1542
1543 if (!s->hit && s->servername_done == 1
1544 && s->session->tlsext_hostname != NULL) {
1545 if ((long)(limit - ret - 4) < 0)
1546 return NULL;
1547
1548 s2n(TLSEXT_TYPE_server_name, ret);
1549 s2n(0, ret);
1550 }
e481f9b9 1551#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1552 if (using_ecc) {
1553 const unsigned char *plist;
1554 size_t plistlen;
1555 /*
1556 * Add TLS extension ECPointFormats to the ServerHello message
1557 */
1558 long lenmax;
1559
1560 tls1_get_formatlist(s, &plist, &plistlen);
1561
1562 if ((lenmax = limit - ret - 5) < 0)
1563 return NULL;
1564 if (plistlen > (size_t)lenmax)
1565 return NULL;
1566 if (plistlen > 255) {
1567 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1568 return NULL;
1569 }
4817504d 1570
0f113f3e
MC		 1571 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1572 s2n(plistlen + 1, ret);
1573 *(ret++) = (unsigned char)plistlen;
1574 memcpy(ret, plist, plistlen);
1575 ret += plistlen;
1576
1577 }
1578 /*
1579 * Currently the server should not respond with a SupportedCurves
1580 * extension
1581 */
e481f9b9 1582#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1583
1584 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1585 if ((long)(limit - ret - 4) < 0)
1586 return NULL;
1587 s2n(TLSEXT_TYPE_session_ticket, ret);
1588 s2n(0, ret);
1589 }
1590
1591 if (s->tlsext_status_expected) {
1592 if ((long)(limit - ret - 4) < 0)
1593 return NULL;
1594 s2n(TLSEXT_TYPE_status_request, ret);
1595 s2n(0, ret);
1596 }
0f113f3e 1597
e481f9b9 1598#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1599 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1600 int el;
1601
69f68237 1602 /* Returns 0 on success!! */
61986d32 1603 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1604 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1605 return NULL;
1606 }
0f113f3e
MC		 1607 if ((limit - ret - 4 - el) < 0)
1608 return NULL;
1609
1610 s2n(TLSEXT_TYPE_use_srtp, ret);
1611 s2n(el, ret);
1612
1613 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1614 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1615 return NULL;
1616 }
1617 ret += el;
1618 }
e481f9b9 1619#endif
0f113f3e
MC		 1620
1621 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1622 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1623 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1624 const unsigned char cryptopro_ext[36] = {
1625 0xfd, 0xe8, /* 65000 */
1626 0x00, 0x20, /* 32 bytes length */
1627 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1628 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1629 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1630 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1631 };
1632 if (limit - ret < 36)
1633 return NULL;
1634 memcpy(ret, cryptopro_ext, 36);
1635 ret += 36;
1636
1637 }
e481f9b9 1638#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1639 /* Add Heartbeat extension if we've received one */
1640 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1641 if ((limit - ret - 4 - 1) < 0)
1642 return NULL;
1643 s2n(TLSEXT_TYPE_heartbeat, ret);
1644 s2n(1, ret);
50e735f9
MC		 1645 /*-
1646 * Set mode:
1647 * 1: peer may send requests
1648 * 2: peer not allowed to send requests
1649 */
0f113f3e
MC		 1650 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1651 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1652 else
1653 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1654
1655 }
e481f9b9 1656#endif
0f113f3e 1657
e481f9b9 1658#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1659 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1660 s->s3->next_proto_neg_seen = 0;
1661 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1662 const unsigned char *npa;
1663 unsigned int npalen;
1664 int r;
1665
1666 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1667 s->
1668 ctx->next_protos_advertised_cb_arg);
1669 if (r == SSL_TLSEXT_ERR_OK) {
1670 if ((long)(limit - ret - 4 - npalen) < 0)
1671 return NULL;
1672 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1673 s2n(npalen, ret);
1674 memcpy(ret, npa, npalen);
1675 ret += npalen;
1676 s->s3->next_proto_neg_seen = 1;
1677 }
1678 }
e481f9b9 1679#endif
0f113f3e
MC		 1680 if (!custom_ext_add(s, 1, &ret, limit, al))
1681 return NULL;
e481f9b9 1682#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1683 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1684 /*
1685 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1686 * for other cases too.
1687 */
1688 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1689 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1690 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1691 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1692 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1693 else {
1694 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1695 s2n(0, ret);
1696 }
1697 }
e481f9b9 1698#endif
e7f0d921 1699 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1700 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1701 s2n(0, ret);
1702 }
0f113f3e
MC		 1703
1704 if (s->s3->alpn_selected) {
1705 const unsigned char *selected = s->s3->alpn_selected;
1706 unsigned len = s->s3->alpn_selected_len;
1707
1708 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1709 return NULL;
1710 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1711 s2n(3 + len, ret);
1712 s2n(1 + len, ret);
1713 *ret++ = len;
1714 memcpy(ret, selected, len);
1715 ret += len;
1716 }
1717
1718 done:
1719
1720 if ((extdatalen = ret - orig - 2) == 0)
1721 return orig;
1722
1723 s2n(extdatalen, orig);
1724 return ret;
1725}
a398f821 1726
0f113f3e
MC		 1727/*
1728 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1729 * ClientHello. data: the contents of the extension, not including the type
1730 * and length. data_len: the number of bytes in |data| al: a pointer to the
1731 * alert value to send in the event of a non-zero return. returns: 0 on
1732 * success.
1733 */
9ceb2426 1734static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1735{
9ceb2426
MC		 1736 unsigned int data_len;
1737 unsigned int proto_len;
0f113f3e 1738 const unsigned char *selected;
9ceb2426 1739 unsigned char *data;
0f113f3e
MC		 1740 unsigned char selected_len;
1741 int r;
1742
1743 if (s->ctx->alpn_select_cb == NULL)
1744 return 0;
1745
0f113f3e
MC		 1746 /*
1747 * data should contain a uint16 length followed by a series of 8-bit,
1748 * length-prefixed strings.
1749 */
9ceb2426
MC		 1750 if (!PACKET_get_net_2(pkt, &data_len)
1751 || PACKET_remaining(pkt) != data_len
1752 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1753 goto parse_error;
1754
9ceb2426
MC		 1755 do {
1756 if (!PACKET_get_1(pkt, &proto_len)
1757 || proto_len == 0
1758 || !PACKET_forward(pkt, proto_len))
0f113f3e 1759 goto parse_error;
9ceb2426 1760 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1761
1762 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1763 s->ctx->alpn_select_cb_arg);
1764 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1765 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1766 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1767 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1768 *al = SSL_AD_INTERNAL_ERROR;
1769 return -1;
1770 }
1771 memcpy(s->s3->alpn_selected, selected, selected_len);
1772 s->s3->alpn_selected_len = selected_len;
1773 }
1774 return 0;
1775
1776 parse_error:
1777 *al = SSL_AD_DECODE_ERROR;
1778 return -1;
1779}
6f017a8f 1780
e481f9b9 1781#ifndef OPENSSL_NO_EC
1d97c843
TH		 1782/*-
1783 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1784 * SecureTransport using the TLS extension block in |d|, of length |n|.
1785 * Safari, since 10.6, sends exactly these extensions, in this order:
1786 * SNI,
1787 * elliptic_curves
1788 * ec_point_formats
1789 *
1790 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1791 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1792 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1793 * 10.8..10.8.3 (which don't work).
1794 */
68a16628 1795static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1796{
9ceb2426
MC		 1797 unsigned int type, size;
1798 unsigned char *eblock1, *eblock2;
68a16628 1799 PACKET tmppkt;
9ceb2426 1800
0f113f3e
MC		 1801 static const unsigned char kSafariExtensionsBlock[] = {
1802 0x00, 0x0a, /* elliptic_curves extension */
1803 0x00, 0x08, /* 8 bytes */
1804 0x00, 0x06, /* 6 bytes of curve ids */
1805 0x00, 0x17, /* P-256 */
1806 0x00, 0x18, /* P-384 */
1807 0x00, 0x19, /* P-521 */
1808
1809 0x00, 0x0b, /* ec_point_formats */
1810 0x00, 0x02, /* 2 bytes */
1811 0x01, /* 1 point format */
1812 0x00, /* uncompressed */
1813 };
1814
1815 /* The following is only present in TLS 1.2 */
1816 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1817 0x00, 0x0d, /* signature_algorithms */
1818 0x00, 0x0c, /* 12 bytes */
1819 0x00, 0x0a, /* 10 bytes */
1820 0x05, 0x01, /* SHA-384/RSA */
1821 0x04, 0x01, /* SHA-256/RSA */
1822 0x02, 0x01, /* SHA-1/RSA */
1823 0x04, 0x03, /* SHA-256/ECDSA */
1824 0x02, 0x03, /* SHA-1/ECDSA */
1825 };
1826
68a16628
MC		 1827 tmppkt = *pkt;
1828
1829 if (!PACKET_forward(&tmppkt, 2)
1830 || !PACKET_get_net_2(&tmppkt, &type)
1831 || !PACKET_get_net_2(&tmppkt, &size)
1832 || !PACKET_forward(&tmppkt, size))
0f113f3e 1833 return;
0f113f3e
MC		 1834
1835 if (type != TLSEXT_TYPE_server_name)
1836 return;
1837
0f113f3e
MC		 1838 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1839 const size_t len1 = sizeof(kSafariExtensionsBlock);
1840 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1841
68a16628
MC		 1842 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1843 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1844 || PACKET_remaining(&tmppkt))
0f113f3e 1845 return;
9ceb2426 1846 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1847 return;
9ceb2426 1848 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1849 return;
1850 } else {
1851 const size_t len = sizeof(kSafariExtensionsBlock);
1852
68a16628
MC		 1853 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1854 || PACKET_remaining(&tmppkt))
0f113f3e 1855 return;
9ceb2426 1856 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1857 return;
1858 }
1859
1860 s->s3->is_probably_safari = 1;
dece3209 1861}
e481f9b9 1862#endif /* !OPENSSL_NO_EC */
0f113f3e 1863
9ceb2426 1864static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1865{
9ceb2426
MC		 1866 unsigned int type;
1867 unsigned int size;
1868 unsigned int len;
1869 unsigned char *data;
0f113f3e
MC		 1870 int renegotiate_seen = 0;
1871
1872 s->servername_done = 0;
1873 s->tlsext_status_type = -1;
e481f9b9 1874#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1875 s->s3->next_proto_neg_seen = 0;
e481f9b9 1876#endif
0f113f3e 1877
b548a1f1
RS		 1878 OPENSSL_free(s->s3->alpn_selected);
1879 s->s3->alpn_selected = NULL;
e481f9b9 1880#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1881 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1883#endif
0f113f3e 1884
e481f9b9 1885#ifndef OPENSSL_NO_EC
0f113f3e 1886 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1887 ssl_check_for_safari(s, pkt);
1888# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1889
1890 /* Clear any signature algorithms extension received */
76106e60
DSH		 1891 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1892 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1893#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1894 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1895#endif
0f113f3e 1896
e481f9b9 1897#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1898 OPENSSL_free(s->srp_ctx.login);
1899 s->srp_ctx.login = NULL;
e481f9b9 1900#endif
0f113f3e
MC		 1901
1902 s->srtp_profile = NULL;
1903
9ceb2426 1904 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1905 goto ri_check;
1906
9ceb2426 1907 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1908 goto err;
1909
52a48f9e
AG		 1910 if (PACKET_remaining(pkt) != len)
1911 goto err;
1912
9ceb2426
MC		 1913 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1914 PACKET subpkt;
0f113f3e 1915
9ceb2426 1916 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1917 goto err;
9ceb2426 1918
0f113f3e
MC		 1919 if (s->tlsext_debug_cb)
1920 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1921
1922 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1923 goto err;
1924
0f113f3e 1925 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1926 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1927 return 0;
1928 renegotiate_seen = 1;
1929 } else if (s->version == SSL3_VERSION) {
1930 }
1d97c843
TH		 1931/*-
1932 * The servername extension is treated as follows:
1933 *
1934 * - Only the hostname type is supported with a maximum length of 255.
1935 * - The servername is rejected if too long or if it contains zeros,
1936 * in which case an fatal alert is generated.
1937 * - The servername field is maintained together with the session cache.
1938 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1939 * to allow the application to position itself to the right context.
1940 * - The servername is acknowledged if it is new for a session or when
1941 * it is identical to a previously used for the same session.
1d97c843
TH		 1942 * Applications can control the behaviour. They can at any time
1943 * set a 'desirable' servername for a new SSL object. This can be the
1944 * case for example with HTTPS when a Host: header field is received and
1945 * a renegotiation is requested. In this case, a possible servername
1946 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1947 * the value of the Host: field.
1d97c843 1948 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1949 * if they provide for changing an explicit servername context for the
1950 * session, i.e. when the session has been established with a servername
1951 * extension.
1952 * - On session reconnect, the servername extension may be absent.
1d97c843 1953 *
0f113f3e 1954 */
ed3883d2 1955
0f113f3e
MC		 1956 else if (type == TLSEXT_TYPE_server_name) {
1957 unsigned char *sdata;
9ceb2426
MC		 1958 unsigned int servname_type;
1959 unsigned int dsize;
1960 PACKET ssubpkt;
0f113f3e 1961
9ceb2426
MC		 1962 if (!PACKET_get_net_2(&subpkt, &dsize)
1963 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 1964 goto err;
0f113f3e 1965
9ceb2426
MC		 1966 while (PACKET_remaining(&ssubpkt) > 3) {
1967 if (!PACKET_get_1(&ssubpkt, &servname_type)
1968 || !PACKET_get_net_2(&ssubpkt, &len)
1969 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 1970 goto err;
1971
0f113f3e
MC		 1972 if (s->servername_done == 0)
1973 switch (servname_type) {
1974 case TLSEXT_NAMETYPE_host_name:
1975 if (!s->hit) {
54e3ad00
MC		 1976 if (s->session->tlsext_hostname)
1977 goto err;
1978
0f113f3e
MC		 1979 if (len > TLSEXT_MAXLEN_host_name) {
1980 *al = TLS1_AD_UNRECOGNIZED_NAME;
1981 return 0;
1982 }
1983 if ((s->session->tlsext_hostname =
1984 OPENSSL_malloc(len + 1)) == NULL) {
1985 *al = TLS1_AD_INTERNAL_ERROR;
1986 return 0;
1987 }
9ceb2426
MC		 1988 if (!PACKET_copy_bytes(&ssubpkt,
1989 (unsigned char *)s->session
1990 ->tlsext_hostname,
1991 len)) {
1992 *al = SSL_AD_DECODE_ERROR;
1993 return 0;
1994 }
0f113f3e
MC		 1995 s->session->tlsext_hostname[len] = '\0';
1996 if (strlen(s->session->tlsext_hostname) != len) {
1997 OPENSSL_free(s->session->tlsext_hostname);
1998 s->session->tlsext_hostname = NULL;
1999 *al = TLS1_AD_UNRECOGNIZED_NAME;
2000 return 0;
2001 }
2002 s->servername_done = 1;
761772d7 2003
9ceb2426
MC		 2004 } else {
2005 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2006 *al = SSL_AD_DECODE_ERROR;
2007 return 0;
2008 }
0f113f3e
MC		 2009 s->servername_done = s->session->tlsext_hostname
2010 && strlen(s->session->tlsext_hostname) == len
2011 && strncmp(s->session->tlsext_hostname,
2012 (char *)sdata, len) == 0;
9ceb2426 2013 }
b2284ed3 2014
0f113f3e 2015 break;
ee2ffc27 2016
0f113f3e
MC		 2017 default:
2018 break;
2019 }
0f113f3e 2020 }
9ceb2426 2021 /* We shouldn't have any bytes left */
bc6616a4 2022 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2023 goto err;
6f017a8f 2024
0f113f3e 2025 }
e481f9b9 2026#ifndef OPENSSL_NO_SRP
0f113f3e 2027 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2028 if (!PACKET_get_1(&subpkt, &len)
2029 || s->srp_ctx.login != NULL)
54e3ad00 2030 goto err;
9ceb2426 2031
0f113f3e
MC		 2032 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2033 return -1;
9ceb2426
MC		 2034 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2035 len))
2036 goto err;
0f113f3e
MC		 2037 s->srp_ctx.login[len] = '\0';
2038
9ceb2426
MC		 2039 if (strlen(s->srp_ctx.login) != len
2040 || PACKET_remaining(&subpkt))
54e3ad00 2041 goto err;
0f113f3e 2042 }
e481f9b9 2043#endif
0f113f3e 2044
e481f9b9 2045#ifndef OPENSSL_NO_EC
0f113f3e 2046 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2047 unsigned int ecpointformatlist_length;
0f113f3e 2048
9ceb2426
MC		 2049 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2050 || ecpointformatlist_length == 0)
54e3ad00 2051 goto err;
9ceb2426 2052
0f113f3e 2053 if (!s->hit) {
b548a1f1
RS		 2054 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2055 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2056 s->session->tlsext_ecpointformatlist_length = 0;
2057 if ((s->session->tlsext_ecpointformatlist =
2058 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2059 *al = TLS1_AD_INTERNAL_ERROR;
2060 return 0;
2061 }
2062 s->session->tlsext_ecpointformatlist_length =
2063 ecpointformatlist_length;
9ceb2426
MC		 2064 if (!PACKET_copy_bytes(&subpkt,
2065 s->session->tlsext_ecpointformatlist,
2066 ecpointformatlist_length))
2067 goto err;
2068 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2069 goto err;
2070 }
2071 /* We should have consumed all the bytes by now */
2072 if (PACKET_remaining(&subpkt)) {
2073 *al = TLS1_AD_DECODE_ERROR;
2074 return 0;
0f113f3e 2075 }
0f113f3e 2076 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2077 unsigned int ellipticcurvelist_length;
0f113f3e 2078
9ceb2426
MC		 2079 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2080 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2081 || ellipticcurvelist_length == 0
2082 || (ellipticcurvelist_length & 1) != 0)
2083 goto err;
54e3ad00 2084
0f113f3e 2085 if (!s->hit) {
54e3ad00
MC		 2086 if (s->session->tlsext_ellipticcurvelist)
2087 goto err;
2088
0f113f3e
MC		 2089 s->session->tlsext_ellipticcurvelist_length = 0;
2090 if ((s->session->tlsext_ellipticcurvelist =
2091 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2092 *al = TLS1_AD_INTERNAL_ERROR;
2093 return 0;
2094 }
2095 s->session->tlsext_ellipticcurvelist_length =
2096 ellipticcurvelist_length;
9ceb2426
MC		 2097 if (!PACKET_copy_bytes(&subpkt,
2098 s->session->tlsext_ellipticcurvelist,
2099 ellipticcurvelist_length))
2100 goto err;
2101 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2102 goto err;
2103 }
2104 /* We should have consumed all the bytes by now */
2105 if (PACKET_remaining(&subpkt)) {
2106 goto err;
0f113f3e 2107 }
0f113f3e 2108 }
e481f9b9 2109#endif /* OPENSSL_NO_EC */
0f113f3e 2110 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2111 if (!PACKET_forward(&subpkt, size)
2112 || (s->tls_session_ticket_ext_cb &&
2113 !s->tls_session_ticket_ext_cb(s, data, size,
2114 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2115 *al = TLS1_AD_INTERNAL_ERROR;
2116 return 0;
2117 }
2118 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2119 unsigned int dsize;
2120
2121 if (s->s3->tmp.peer_sigalgs
2122 || !PACKET_get_net_2(&subpkt, &dsize)
2123 || (dsize & 1) != 0
2124 || (dsize == 0)
2125 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2126 || PACKET_remaining(&subpkt) != 0
9ceb2426 2127 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2128 goto err;
9ceb2426 2129 }
0f113f3e 2130 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2131 PACKET ssubpkt;
0f113f3e 2132
9ceb2426
MC		 2133 if (!PACKET_get_1(&subpkt,
2134 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2135 goto err;
0f113f3e 2136
0f113f3e
MC		 2137 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2138 const unsigned char *sdata;
9ceb2426 2139 unsigned int dsize;
0f113f3e 2140 /* Read in responder_id_list */
9ceb2426
MC		 2141 if (!PACKET_get_net_2(&subpkt, &dsize)
2142 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2143 goto err;
9ceb2426
MC		 2144
2145 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2146 OCSP_RESPID *id;
9ceb2426
MC		 2147 unsigned int idsize;
2148
2149 if (PACKET_remaining(&ssubpkt) < 4
2150 || !PACKET_get_net_2(&ssubpkt, &idsize)
2151 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2152 goto err;
9ceb2426 2153 }
0f113f3e
MC		 2154 sdata = data;
2155 data += idsize;
2156 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2157 if (!id)
2158 goto err;
0f113f3e
MC		 2159 if (data != sdata) {
2160 OCSP_RESPID_free(id);
54e3ad00 2161 goto err;
0f113f3e
MC		 2162 }
2163 if (!s->tlsext_ocsp_ids
2164 && !(s->tlsext_ocsp_ids =
2165 sk_OCSP_RESPID_new_null())) {
2166 OCSP_RESPID_free(id);
2167 *al = SSL_AD_INTERNAL_ERROR;
2168 return 0;
2169 }
2170 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2171 OCSP_RESPID_free(id);
2172 *al = SSL_AD_INTERNAL_ERROR;
2173 return 0;
2174 }
2175 }
4817504d 2176
0f113f3e 2177 /* Read in request_extensions */
9ceb2426
MC		 2178 if (!PACKET_get_net_2(&subpkt, &dsize)
2179 || !PACKET_get_bytes(&subpkt, &data, dsize)
2180 || PACKET_remaining(&subpkt)) {
54e3ad00 2181 goto err;
9ceb2426 2182 }
0f113f3e
MC		 2183 sdata = data;
2184 if (dsize > 0) {
222561fe
RS		 2185 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2186 X509_EXTENSION_free);
0f113f3e
MC		 2187 s->tlsext_ocsp_exts =
2188 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2189 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2190 goto err;
0f113f3e
MC		 2191 }
2192 }
2193 /*
2194 * We don't know what to do with any other type * so ignore it.
2195 */
2196 else
2197 s->tlsext_status_type = -1;
2198 }
e481f9b9 2199#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2200 else if (type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2201 unsigned int hbtype;
2202
2203 if (!PACKET_get_1(&subpkt, &hbtype)
2204 || PACKET_remaining(&subpkt)) {
2205 *al = SSL_AD_DECODE_ERROR;
2206 return 0;
2207 }
2208 switch (hbtype) {
0f113f3e
MC		 2209 case 0x01: /* Client allows us to send HB requests */
2210 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2211 break;
2212 case 0x02: /* Client doesn't accept HB requests */
2213 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2214 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2215 break;
2216 default:
2217 *al = SSL_AD_ILLEGAL_PARAMETER;
2218 return 0;
2219 }
2220 }
e481f9b9
MC		 2221#endif
2222#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2223 else if (type == TLSEXT_TYPE_next_proto_neg &&
2224 s->s3->tmp.finish_md_len == 0 &&
2225 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2226 /*-
2227 * We shouldn't accept this extension on a
2228 * renegotiation.
2229 *
2230 * s->new_session will be set on renegotiation, but we
2231 * probably shouldn't rely that it couldn't be set on
2232 * the initial renegotation too in certain cases (when
2233 * there's some other reason to disallow resuming an
2234 * earlier session -- the current code won't be doing
2235 * anything like that, but this might change).
2236 *
2237 * A valid sign that there's been a previous handshake
2238 * in this connection is if s->s3->tmp.finish_md_len >
2239 * 0. (We are talking about a check that will happen
2240 * in the Hello protocol round, well before a new
2241 * Finished message could have been computed.)
2242 */
0f113f3e
MC		 2243 s->s3->next_proto_neg_seen = 1;
2244 }
e481f9b9 2245#endif
0f113f3e
MC		 2246
2247 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2248 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2249 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2250 return 0;
e481f9b9 2251#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2252 /* ALPN takes precedence over NPN. */
2253 s->s3->next_proto_neg_seen = 0;
e481f9b9 2254#endif
0f113f3e 2255 }
5e3ff62c 2256
0f113f3e 2257 /* session ticket processed earlier */
e481f9b9 2258#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2259 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2260 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2261 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2262 return 0;
2263 }
e481f9b9
MC		 2264#endif
2265#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2266 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2267 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2268#endif
e7f0d921
DSH		 2269 /*
2270 * Note: extended master secret extension handled in
2271 * tls_check_serverhello_tlsext_early()
2272 */
2273
0f113f3e
MC		 2274 /*
2275 * If this ClientHello extension was unhandled and this is a
2276 * nonresumed connection, check whether the extension is a custom
2277 * TLS Extension (has a custom_srv_ext_record), and if so call the
2278 * callback and record the extension number so that an appropriate
2279 * ServerHello may be later returned.
2280 */
2281 else if (!s->hit) {
2282 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2283 return 0;
2284 }
0f113f3e 2285 }
6f017a8f 2286
54e3ad00 2287 /* Spurious data on the end */
9ceb2426 2288 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2289 goto err;
2290
0f113f3e 2291 ri_check:
ed3883d2 2292
0f113f3e
MC		 2293 /* Need RI if renegotiating */
2294
2295 if (!renegotiate_seen && s->renegotiate &&
2296 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2297 *al = SSL_AD_HANDSHAKE_FAILURE;
2298 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2299 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2300 return 0;
2301 }
2302
2303 return 1;
54e3ad00
MC		 2304err:
2305 *al = SSL_AD_DECODE_ERROR;
2306 return 0;
0f113f3e
MC		 2307}
2308
9ceb2426 2309int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2310{
2311 int al = -1;
2312 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2313 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2314 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2315 return 0;
2316 }
2317
2318 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2319 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2320 return 0;
2321 }
2322 return 1;
2323}
2324
e481f9b9 2325#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2326/*
2327 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2328 * elements of zero length are allowed and the set of elements must exactly
2329 * fill the length of the block.
2330 */
50932c4a 2331static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2332{
50932c4a 2333 unsigned int len;
0f113f3e 2334
50932c4a
MC		 2335 while (PACKET_remaining(pkt)) {
2336 if (!PACKET_get_1(pkt, &len)
2337 || !PACKET_forward(pkt, len))
0f113f3e 2338 return 0;
0f113f3e
MC		 2339 }
2340
50932c4a 2341 return 1;
0f113f3e 2342}
e481f9b9 2343#endif
0f113f3e 2344
50932c4a 2345static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2346{
50932c4a 2347 unsigned int length, type, size;
0f113f3e
MC		 2348 int tlsext_servername = 0;
2349 int renegotiate_seen = 0;
2350
e481f9b9 2351#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2352 s->s3->next_proto_neg_seen = 0;
e481f9b9 2353#endif
0f113f3e
MC		 2354 s->tlsext_ticket_expected = 0;
2355
b548a1f1
RS		 2356 OPENSSL_free(s->s3->alpn_selected);
2357 s->s3->alpn_selected = NULL;
e481f9b9 2358#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 2359 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2360 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2361#endif
0f113f3e 2362
e481f9b9 2363#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2364 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2365#endif
0f113f3e 2366
e7f0d921
DSH		 2367 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2368
50932c4a 2369 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2370 goto ri_check;
2371
50932c4a 2372 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2373 *al = SSL_AD_DECODE_ERROR;
2374 return 0;
2375 }
2376
50932c4a
MC		 2377 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2378 unsigned char *data;
2379 PACKET spkt;
0f113f3e 2380
50932c4a
MC		 2381 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2382 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2383 goto ri_check;
2384
2385 if (s->tlsext_debug_cb)
2386 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2387
2388 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2389 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2390 return 0;
2391 renegotiate_seen = 1;
2392 } else if (s->version == SSL3_VERSION) {
2393 } else if (type == TLSEXT_TYPE_server_name) {
2394 if (s->tlsext_hostname == NULL || size > 0) {
2395 *al = TLS1_AD_UNRECOGNIZED_NAME;
2396 return 0;
2397 }
2398 tlsext_servername = 1;
2399 }
e481f9b9 2400#ifndef OPENSSL_NO_EC
0f113f3e 2401 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2402 unsigned int ecpointformatlist_length;
2403 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2404 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2405 *al = TLS1_AD_DECODE_ERROR;
2406 return 0;
2407 }
2408 if (!s->hit) {
2409 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2410 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2411 if ((s->session->tlsext_ecpointformatlist =
2412 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2413 *al = TLS1_AD_INTERNAL_ERROR;
2414 return 0;
2415 }
2416 s->session->tlsext_ecpointformatlist_length =
2417 ecpointformatlist_length;
50932c4a
MC		 2418 if (!PACKET_copy_bytes(&spkt,
2419 s->session->tlsext_ecpointformatlist,
2420 ecpointformatlist_length)) {
2421 *al = TLS1_AD_DECODE_ERROR;
2422 return 0;
2423 }
2424
0f113f3e 2425 }
0f113f3e 2426 }
e481f9b9 2427#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2428
2429 else if (type == TLSEXT_TYPE_session_ticket) {
2430 if (s->tls_session_ticket_ext_cb &&
2431 !s->tls_session_ticket_ext_cb(s, data, size,
2432 s->tls_session_ticket_ext_cb_arg))
2433 {
2434 *al = TLS1_AD_INTERNAL_ERROR;
2435 return 0;
2436 }
2437 if (!tls_use_ticket(s) || (size > 0)) {
2438 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2439 return 0;
2440 }
2441 s->tlsext_ticket_expected = 1;
2442 }
0f113f3e
MC		 2443 else if (type == TLSEXT_TYPE_status_request) {
2444 /*
2445 * MUST be empty and only sent if we've requested a status
2446 * request message.
2447 */
2448 if ((s->tlsext_status_type == -1) || (size > 0)) {
2449 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2450 return 0;
2451 }
2452 /* Set flag to expect CertificateStatus message */
2453 s->tlsext_status_expected = 1;
2454 }
e481f9b9 2455#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2456 else if (type == TLSEXT_TYPE_next_proto_neg &&
2457 s->s3->tmp.finish_md_len == 0) {
2458 unsigned char *selected;
2459 unsigned char selected_len;
0f113f3e
MC		 2460 /* We must have requested it. */
2461 if (s->ctx->next_proto_select_cb == NULL) {
2462 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2463 return 0;
2464 }
2465 /* The data must be valid */
50932c4a 2466 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2467 *al = TLS1_AD_DECODE_ERROR;
2468 return 0;
2469 }
2470 if (s->
2471 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2472 size,
2473 s->ctx->next_proto_select_cb_arg) !=
2474 SSL_TLSEXT_ERR_OK) {
2475 *al = TLS1_AD_INTERNAL_ERROR;
2476 return 0;
2477 }
2478 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2479 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2480 *al = TLS1_AD_INTERNAL_ERROR;
2481 return 0;
2482 }
2483 memcpy(s->next_proto_negotiated, selected, selected_len);
2484 s->next_proto_negotiated_len = selected_len;
2485 s->s3->next_proto_neg_seen = 1;
2486 }
e481f9b9 2487#endif
0f113f3e
MC		 2488
2489 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2490 unsigned len;
0f113f3e
MC		 2491 /* We must have requested it. */
2492 if (s->alpn_client_proto_list == NULL) {
2493 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2494 return 0;
2495 }
50e735f9
MC		 2496 /*-
2497 * The extension data consists of:
2498 * uint16 list_length
2499 * uint8 proto_length;
2500 * uint8 proto[proto_length];
2501 */
50932c4a
MC		 2502 if (!PACKET_get_net_2(&spkt, &len)
2503 || PACKET_remaining(&spkt) != len
2504 || !PACKET_get_1(&spkt, &len)
2505 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2506 *al = TLS1_AD_DECODE_ERROR;
2507 return 0;
2508 }
b548a1f1 2509 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2510 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2511 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2512 *al = TLS1_AD_INTERNAL_ERROR;
2513 return 0;
2514 }
50932c4a
MC		 2515 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2516 *al = TLS1_AD_DECODE_ERROR;
2517 return 0;
2518 }
0f113f3e
MC		 2519 s->s3->alpn_selected_len = len;
2520 }
e481f9b9 2521#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2522 else if (type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2523 unsigned int hbtype;
2524 if (!PACKET_get_1(&spkt, &hbtype)) {
2525 *al = SSL_AD_DECODE_ERROR;
2526 return 0;
2527 }
2528 switch (hbtype) {
0f113f3e
MC		 2529 case 0x01: /* Server allows us to send HB requests */
2530 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2531 break;
2532 case 0x02: /* Server doesn't accept HB requests */
2533 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2534 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2535 break;
2536 default:
2537 *al = SSL_AD_ILLEGAL_PARAMETER;
2538 return 0;
2539 }
2540 }
e481f9b9
MC		 2541#endif
2542#ifndef OPENSSL_NO_SRTP
0f113f3e 2543 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2544 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2545 return 0;
2546 }
e481f9b9
MC		 2547#endif
2548#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2549 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2550 /* Ignore if inappropriate ciphersuite */
2551 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2552 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2553 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2554 }
e481f9b9 2555#endif
ddc06b35 2556 else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2557 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2558 if (!s->hit)
2559 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2560 }
0f113f3e
MC		 2561 /*
2562 * If this extension type was not otherwise handled, but matches a
2563 * custom_cli_ext_record, then send it to the c callback
2564 */
2565 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2566 return 0;
0f113f3e
MC		 2567 }
2568
50932c4a 2569 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2570 *al = SSL_AD_DECODE_ERROR;
2571 return 0;
2572 }
2573
2574 if (!s->hit && tlsext_servername == 1) {
2575 if (s->tlsext_hostname) {
2576 if (s->session->tlsext_hostname == NULL) {
7644a9ae 2577 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2578 if (!s->session->tlsext_hostname) {
2579 *al = SSL_AD_UNRECOGNIZED_NAME;
2580 return 0;
2581 }
2582 } else {
2583 *al = SSL_AD_DECODE_ERROR;
2584 return 0;
2585 }
2586 }
2587 }
2588
0f113f3e
MC		 2589 ri_check:
2590
2591 /*
2592 * Determine if we need to see RI. Strictly speaking if we want to avoid
2593 * an attack we should *always* see RI even on initial server hello
2594 * because the client doesn't see any renegotiation during an attack.
2595 * However this would mean we could not connect to any server which
2596 * doesn't support RI so for the immediate future tolerate RI absence on
2597 * initial connect only.
2598 */
2599 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2600 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2601 *al = SSL_AD_HANDSHAKE_FAILURE;
2602 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2603 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2604 return 0;
2605 }
2606
e7f0d921
DSH		 2607 if (s->hit) {
2608 /*
2609 * Check extended master secret extension is consistent with
2610 * original session.
2611 */
2612 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2613 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2614 *al = SSL_AD_HANDSHAKE_FAILURE;
2615 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2616 return 0;
2617 }
2618 }
2619
0f113f3e
MC		 2620 return 1;
2621}
b2172f4f 2622
36ca4ba6 2623int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2624{
2625
0f113f3e
MC		 2626 return 1;
2627}
36ca4ba6
BM		 2628
2629int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2630{
2631 return 1;
2632}
36ca4ba6 2633
2daceb03 2634static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2635{
2636 int ret = SSL_TLSEXT_ERR_NOACK;
2637 int al = SSL_AD_UNRECOGNIZED_NAME;
2638
e481f9b9 2639#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2640 /*
2641 * The handling of the ECPointFormats extension is done elsewhere, namely
2642 * in ssl3_choose_cipher in s3_lib.c.
2643 */
2644 /*
2645 * The handling of the EllipticCurves extension is done elsewhere, namely
2646 * in ssl3_choose_cipher in s3_lib.c.
2647 */
e481f9b9 2648#endif
0f113f3e
MC		 2649
2650 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2651 ret =
2652 s->ctx->tlsext_servername_callback(s, &al,
2653 s->ctx->tlsext_servername_arg);
2654 else if (s->initial_ctx != NULL
2655 && s->initial_ctx->tlsext_servername_callback != 0)
2656 ret =
2657 s->initial_ctx->tlsext_servername_callback(s, &al,
2658 s->
2659 initial_ctx->tlsext_servername_arg);
2660
0f113f3e
MC		 2661 switch (ret) {
2662 case SSL_TLSEXT_ERR_ALERT_FATAL:
2663 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2664 return -1;
2665
2666 case SSL_TLSEXT_ERR_ALERT_WARNING:
2667 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2668 return 1;
2669
2670 case SSL_TLSEXT_ERR_NOACK:
2671 s->servername_done = 0;
2672 default:
2673 return 1;
2674 }
2675}
d376e57d 2676/* Initialise digests to default values */
a0f63828 2677void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2678{
2679 const EVP_MD **pmd = s->s3->tmp.md;
2680#ifndef OPENSSL_NO_DSA
152fbc28 2681 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2682#endif
2683#ifndef OPENSSL_NO_RSA
d18d31a1 2684 if (SSL_USE_SIGALGS(s))
152fbc28 2685 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2686 else
152fbc28 2687 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2688 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2689#endif
2690#ifndef OPENSSL_NO_EC
152fbc28 2691 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2692#endif
e44380a9 2693#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2694 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2695 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2696 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2697#endif
d376e57d 2698}
f1fd4544 2699
e469af8d 2700int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2701{
2702 int al;
2703 size_t i;
2704 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2705 OPENSSL_free(s->cert->shared_sigalgs);
2706 s->cert->shared_sigalgs = NULL;
2707 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2708 /* Clear certificate digests and validity flags */
2709 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2710 s->s3->tmp.md[i] = NULL;
6383d316 2711 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2712 }
2713
2714 /* If sigalgs received process it. */
76106e60 2715 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2716 if (!tls1_process_sigalgs(s)) {
2717 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2718 al = SSL_AD_INTERNAL_ERROR;
2719 goto err;
2720 }
2721 /* Fatal error is no shared signature algorithms */
2722 if (!s->cert->shared_sigalgs) {
2723 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2724 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2725 al = SSL_AD_ILLEGAL_PARAMETER;
2726 goto err;
2727 }
d376e57d
DSH		 2728 } else {
2729 ssl_set_default_md(s);
2730 }
0f113f3e
MC		 2731 return 1;
2732 err:
2733 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2734 return 0;
2735}
e469af8d 2736
2daceb03 2737int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2738{
2739 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2740 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2741
2742 /*
2743 * If status request then ask callback what to do. Note: this must be
2744 * called after servername callbacks in case the certificate has changed,
2745 * and must be called after the cipher has been chosen because this may
2746 * influence which certificate is sent
2747 */
2748 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2749 int r;
2750 CERT_PKEY *certpkey;
2751 certpkey = ssl_get_server_send_pkey(s);
2752 /* If no certificate can't return certificate status */
2753 if (certpkey == NULL) {
2754 s->tlsext_status_expected = 0;
2755 return 1;
2756 }
2757 /*
2758 * Set current certificate to one we will use so SSL_get_certificate
2759 * et al can pick it up.
2760 */
2761 s->cert->key = certpkey;
2762 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2763 switch (r) {
2764 /* We don't want to send a status request response */
2765 case SSL_TLSEXT_ERR_NOACK:
2766 s->tlsext_status_expected = 0;
2767 break;
2768 /* status request response should be sent */
2769 case SSL_TLSEXT_ERR_OK:
2770 if (s->tlsext_ocsp_resp)
2771 s->tlsext_status_expected = 1;
2772 else
2773 s->tlsext_status_expected = 0;
2774 break;
2775 /* something bad happened */
2776 case SSL_TLSEXT_ERR_ALERT_FATAL:
2777 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2778 al = SSL_AD_INTERNAL_ERROR;
2779 goto err;
2780 }
2781 } else
2782 s->tlsext_status_expected = 0;
2daceb03
BL		 2783
2784 err:
0f113f3e
MC		 2785 switch (ret) {
2786 case SSL_TLSEXT_ERR_ALERT_FATAL:
2787 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2788 return -1;
2789
2790 case SSL_TLSEXT_ERR_ALERT_WARNING:
2791 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2792 return 1;
2793
2794 default:
2795 return 1;
2796 }
2797}
2daceb03 2798
36ca4ba6 2799int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2800{
2801 int ret = SSL_TLSEXT_ERR_NOACK;
2802 int al = SSL_AD_UNRECOGNIZED_NAME;
2803
e481f9b9 2804#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2805 /*
2806 * If we are client and using an elliptic curve cryptography cipher
2807 * suite, then if server returns an EC point formats lists extension it
2808 * must contain uncompressed.
2809 */
2810 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2811 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2812 if ((s->tlsext_ecpointformatlist != NULL)
2813 && (s->tlsext_ecpointformatlist_length > 0)
2814 && (s->session->tlsext_ecpointformatlist != NULL)
2815 && (s->session->tlsext_ecpointformatlist_length > 0)
2816 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2817 || (alg_a & SSL_aECDSA))) {
2818 /* we are using an ECC cipher */
2819 size_t i;
2820 unsigned char *list;
2821 int found_uncompressed = 0;
2822 list = s->session->tlsext_ecpointformatlist;
2823 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2824 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2825 found_uncompressed = 1;
2826 break;
2827 }
2828 }
2829 if (!found_uncompressed) {
2830 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2831 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2832 return -1;
2833 }
2834 }
2835 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2836#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2837
2838 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2839 ret =
2840 s->ctx->tlsext_servername_callback(s, &al,
2841 s->ctx->tlsext_servername_arg);
2842 else if (s->initial_ctx != NULL
2843 && s->initial_ctx->tlsext_servername_callback != 0)
2844 ret =
2845 s->initial_ctx->tlsext_servername_callback(s, &al,
2846 s->
2847 initial_ctx->tlsext_servername_arg);
2848
b1931d43
MC		 2849 /*
2850 * Ensure we get sensible values passed to tlsext_status_cb in the event
2851 * that we don't receive a status message
2852 */
bb1aaab4
MC		 2853 OPENSSL_free(s->tlsext_ocsp_resp);
2854 s->tlsext_ocsp_resp = NULL;
2855 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2856
2857 switch (ret) {
2858 case SSL_TLSEXT_ERR_ALERT_FATAL:
2859 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2860 return -1;
2861
2862 case SSL_TLSEXT_ERR_ALERT_WARNING:
2863 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2864 return 1;
2865
2866 case SSL_TLSEXT_ERR_NOACK:
2867 s->servername_done = 0;
2868 default:
2869 return 1;
2870 }
2871}
761772d7 2872
50932c4a 2873int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2874{
2875 int al = -1;
2876 if (s->version < SSL3_VERSION)
2877 return 1;
50932c4a 2878 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2879 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2880 return 0;
2881 }
2882
2883 if (ssl_check_serverhello_tlsext(s) <= 0) {
2884 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2885 return 0;
2886 }
2887 return 1;
09e4e4b9
DSH		 2888}
2889
1d97c843
TH		 2890/*-
2891 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2892 * ClientHello and other operations depend on the result some extensions
2893 * need to be handled at the same time.
2894 *
2895 * Two extensions are currently handled, session ticket and extended master
2896 * secret.
c519e89f 2897 *
b3e2272c
EK		 2898 * session_id: ClientHello session ID.
2899 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2900 * ret: (output) on return, if a ticket was decrypted, then this is set to
2901 * point to the resulting session.
2902 *
2903 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2904 * ciphersuite, in which case we have no use for session tickets and one will
2905 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2906 *
2907 * Returns:
2908 * -1: fatal error, either from parsing or decrypting the ticket.
2909 * 0: no ticket was found (or was ignored, based on settings).
2910 * 1: a zero length extension was found, indicating that the client supports
2911 * session tickets but doesn't currently have one to offer.
2912 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2913 * couldn't be decrypted because of a non-fatal error.
2914 * 3: a ticket was successfully decrypted and *ret was set.
2915 *
2916 * Side effects:
2917 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2918 * a new session ticket to the client because the client indicated support
2919 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2920 * a session ticket or we couldn't use the one it gave us, or if
2921 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2922 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2923 *
2924 * For extended master secret flag is set if the extension is present.
2925 *
6434abbf 2926 */
e7f0d921
DSH		 2927int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2928 const PACKET *session_id,
2929 SSL_SESSION **ret)
0f113f3e 2930{
9ceb2426 2931 unsigned int i;
b3e2272c 2932 PACKET local_ext = *ext;
9ceb2426 2933 int retv = -1;
0f113f3e 2934
e7f0d921
DSH		 2935 int have_ticket = 0;
2936 int use_ticket = tls_use_ticket(s);
2937
0f113f3e
MC		 2938 *ret = NULL;
2939 s->tlsext_ticket_expected = 0;
e7f0d921 2940 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2941
2942 /*
2943 * If tickets disabled behave as if no ticket present to permit stateful
2944 * resumption.
2945 */
9ceb2426 2946 if ((s->version <= SSL3_VERSION))
0f113f3e 2947 return 0;
9ceb2426 2948
b3e2272c 2949 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2950 retv = 0;
2951 goto end;
2952 }
b3e2272c 2953 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2954 unsigned int type, size;
2955
b3e2272c
EK		 2956 if (!PACKET_get_net_2(&local_ext, &type)
2957 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2958 /* Shouldn't ever happen */
2959 retv = -1;
2960 goto end;
2961 }
b3e2272c 2962 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2963 retv = 0;
2964 goto end;
2965 }
e7f0d921 2966 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2967 int r;
9ceb2426
MC		 2968 unsigned char *etick;
2969
e7f0d921
DSH		 2970 /* Duplicate extension */
2971 if (have_ticket != 0) {
2972 retv = -1;
2973 goto end;
2974 }
2975 have_ticket = 1;
2976
0f113f3e
MC		 2977 if (size == 0) {
2978 /*
2979 * The client will accept a ticket but doesn't currently have
2980 * one.
2981 */
2982 s->tlsext_ticket_expected = 1;
9ceb2426 2983 retv = 1;
e7f0d921 2984 continue;
0f113f3e
MC		 2985 }
2986 if (s->tls_session_secret_cb) {
2987 /*
2988 * Indicate that the ticket couldn't be decrypted rather than
2989 * generating the session from ticket now, trigger
2990 * abbreviated handshake based on external mechanism to
2991 * calculate the master secret later.
2992 */
9ceb2426 2993 retv = 2;
e7f0d921 2994 continue;
9ceb2426 2995 }
b3e2272c 2996 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2997 /* Shouldn't ever happen */
2998 retv = -1;
2999 goto end;
0f113f3e 3000 }
b3e2272c
EK		 3001 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3002 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3003 switch (r) {
3004 case 2: /* ticket couldn't be decrypted */
3005 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3006 retv = 2;
3007 break;
0f113f3e 3008 case 3: /* ticket was decrypted */
9ceb2426
MC		 3009 retv = r;
3010 break;
0f113f3e
MC		 3011 case 4: /* ticket decrypted but need to renew */
3012 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3013 retv = 3;
3014 break;
0f113f3e 3015 default: /* fatal error */
9ceb2426
MC		 3016 retv = -1;
3017 break;
0f113f3e 3018 }
e7f0d921 3019 continue;
c83eda8c 3020 } else {
e7f0d921
DSH		 3021 if (type == TLSEXT_TYPE_extended_master_secret)
3022 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 3023 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3024 retv = -1;
3025 goto end;
3026 }
0f113f3e 3027 }
0f113f3e 3028 }
e7f0d921
DSH		 3029 if (have_ticket == 0)
3030 retv = 0;
9ceb2426 3031end:
9ceb2426 3032 return retv;
0f113f3e 3033}
6434abbf 3034
1d97c843
TH		 3035/*-
3036 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3037 *
3038 * etick: points to the body of the session ticket extension.
3039 * eticklen: the length of the session tickets extenion.
3040 * sess_id: points at the session ID.
3041 * sesslen: the length of the session ID.
3042 * psess: (output) on return, if a ticket was decrypted, then this is set to
3043 * point to the resulting session.
3044 *
3045 * Returns:
bf7c6817 3046 * -2: fatal error, malloc failure.
c519e89f
BM		 3047 * -1: fatal error, either from parsing or decrypting the ticket.
3048 * 2: the ticket couldn't be decrypted.
3049 * 3: a ticket was successfully decrypted and *psess was set.
3050 * 4: same as 3, but the ticket needs to be renewed.
3051 */
0f113f3e
MC		 3052static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3053 int eticklen, const unsigned char *sess_id,
3054 int sesslen, SSL_SESSION **psess)
3055{
3056 SSL_SESSION *sess;
3057 unsigned char *sdec;
3058 const unsigned char *p;
3059 int slen, mlen, renew_ticket = 0;
3060 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3061 HMAC_CTX *hctx = NULL;
846ec07d 3062 EVP_CIPHER_CTX *ctx;
0f113f3e
MC		 3063 SSL_CTX *tctx = s->initial_ctx;
3064 /* Need at least keyname + iv + some encrypted data */
3065 if (eticklen < 48)
3066 return 2;
3067 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3068 hctx = HMAC_CTX_new();
3069 if (hctx == NULL)
3070 return -2;
846ec07d 3071 ctx = EVP_CIPHER_CTX_new();
0f113f3e
MC		 3072 if (tctx->tlsext_ticket_key_cb) {
3073 unsigned char *nctick = (unsigned char *)etick;
3074 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 3075 ctx, hctx, 0);
0f113f3e
MC		 3076 if (rv < 0)
3077 return -1;
3078 if (rv == 0)
3079 return 2;
3080 if (rv == 2)
3081 renew_ticket = 1;
3082 } else {
3083 /* Check key name matches */
3084 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3085 return 2;
bf7c6817 3086 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
5f3d93e4 3087 EVP_sha256(), NULL) <= 0
846ec07d 3088 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
5f3d93e4
MC		 3089 tctx->tlsext_tick_aes_key,
3090 etick + 16) <= 0) {
3091 goto err;
3092 }
0f113f3e
MC		 3093 }
3094 /*
3095 * Attempt to process session ticket, first conduct sanity and integrity
3096 * checks on ticket.
3097 */
bf7c6817 3098 mlen = HMAC_size(hctx);
0f113f3e 3099 if (mlen < 0) {
5f3d93e4 3100 goto err;
0f113f3e
MC		 3101 }
3102 eticklen -= mlen;
3103 /* Check HMAC of encrypted ticket */
bf7c6817
RL		 3104 if (HMAC_Update(hctx, etick, eticklen) <= 0
3105 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3106 goto err;
3107 }
bf7c6817 3108 HMAC_CTX_free(hctx);
0f113f3e 3109 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3110 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3111 return 2;
3112 }
3113 /* Attempt to decrypt session data */
3114 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3115 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3116 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3117 sdec = OPENSSL_malloc(eticklen);
5f3d93e4 3118 if (sdec == NULL
846ec07d
RL		 3119 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3120 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3121 return -1;
3122 }
846ec07d
RL		 3123 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3124 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3125 OPENSSL_free(sdec);
3126 return 2;
3127 }
3128 slen += mlen;
846ec07d
RL		 3129 EVP_CIPHER_CTX_free(ctx);
3130 ctx = NULL;
0f113f3e
MC		 3131 p = sdec;
3132
3133 sess = d2i_SSL_SESSION(NULL, &p, slen);
3134 OPENSSL_free(sdec);
3135 if (sess) {
3136 /*
3137 * The session ID, if non-empty, is used by some clients to detect
3138 * that the ticket has been accepted. So we copy it to the session
3139 * structure. If it is empty set length to zero as required by
3140 * standard.
3141 */
3142 if (sesslen)
3143 memcpy(sess->session_id, sess_id, sesslen);
3144 sess->session_id_length = sesslen;
3145 *psess = sess;
3146 if (renew_ticket)
3147 return 4;
3148 else
3149 return 3;
3150 }
3151 ERR_clear_error();
3152 /*
3153 * For session parse failure, indicate that we need to send a new ticket.
3154 */
3155 return 2;
5f3d93e4 3156err:
846ec07d 3157 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3158 HMAC_CTX_free(hctx);
5f3d93e4 3159 return -1;
0f113f3e 3160}
6434abbf 3161
6b7be581
DSH		 3162/* Tables to translate from NIDs to TLS v1.2 ids */
3163
0f113f3e
MC		 3164typedef struct {
3165 int nid;
3166 int id;
3167} tls12_lookup;
6b7be581 3168
d97ed219 3169static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3170 {NID_md5, TLSEXT_hash_md5},
3171 {NID_sha1, TLSEXT_hash_sha1},
3172 {NID_sha224, TLSEXT_hash_sha224},
3173 {NID_sha256, TLSEXT_hash_sha256},
3174 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3175 {NID_sha512, TLSEXT_hash_sha512},
3176 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3177 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3178 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3179};
3180
d97ed219 3181static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3182 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3183 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3184 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3185 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3186 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3187 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3188};
3189
d97ed219 3190static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3191{
3192 size_t i;
3193 for (i = 0; i < tlen; i++) {
3194 if (table[i].nid == nid)
3195 return table[i].id;
3196 }
3197 return -1;
3198}
e7f8ff43 3199
d97ed219 3200static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3201{
3202 size_t i;
3203 for (i = 0; i < tlen; i++) {
3204 if ((table[i].id) == id)
3205 return table[i].nid;
3206 }
3207 return NID_undef;
3208}
3209
3210int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3211 const EVP_MD *md)
3212{
3213 int sig_id, md_id;
3214 if (!md)
3215 return 0;
b6eb9827 3216 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3217 if (md_id == -1)
3218 return 0;
3219 sig_id = tls12_get_sigid(pk);
3220 if (sig_id == -1)
3221 return 0;
3222 p[0] = (unsigned char)md_id;
3223 p[1] = (unsigned char)sig_id;
3224 return 1;
3225}
6b7be581 3226
a2f9200f 3227int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3228{
3aeb9348 3229 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3230}
3231
3232typedef struct {
3233 int nid;
3234 int secbits;
7afd2312 3235 int md_idx;
e44380a9 3236 unsigned char tlsext_hash;
0f113f3e 3237} tls12_hash_info;
b362ccab
DSH		 3238
3239static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3240 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3241 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3242 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3243 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3244 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3245 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3246 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3247 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3248 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
b362ccab 3249};
a2f9200f 3250
b362ccab 3251static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3252{
e44380a9 3253 unsigned int i;
0f113f3e
MC		 3254 if (hash_alg == 0)
3255 return NULL;
e44380a9
DB		 3256
3257 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3258 {
3259 if (tls12_md_info[i].tlsext_hash == hash_alg)
3260 return tls12_md_info + i;
3261 }
3262
3263 return NULL;
0f113f3e 3264}
a2f9200f 3265
b362ccab 3266const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3267{
3268 const tls12_hash_info *inf;
3269 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3270 return NULL;
3271 inf = tls12_get_hash_info(hash_alg);
7afd2312 3272 if (!inf)
0f113f3e 3273 return NULL;
7afd2312 3274 return ssl_md(inf->md_idx);
0f113f3e 3275}
a2f9200f 3276
4453cd8c 3277static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3278{
3279 switch (sig_alg) {
e481f9b9 3280#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3281 case TLSEXT_signature_rsa:
3282 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3283#endif
3284#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3285 case TLSEXT_signature_dsa:
3286 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3287#endif
3288#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3289 case TLSEXT_signature_ecdsa:
3290 return SSL_PKEY_ECC;
e481f9b9 3291#endif
e44380a9
DB		 3292# ifndef OPENSSL_NO_GOST
3293 case TLSEXT_signature_gostr34102001:
3294 return SSL_PKEY_GOST01;
3295
3296 case TLSEXT_signature_gostr34102012_256:
3297 return SSL_PKEY_GOST12_256;
3298
3299 case TLSEXT_signature_gostr34102012_512:
3300 return SSL_PKEY_GOST12_512;
3301# endif
0f113f3e
MC		 3302 }
3303 return -1;
3304}
4453cd8c
DSH		 3305
3306/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3307static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3308 int *psignhash_nid, const unsigned char *data)
3309{
330dcb09 3310 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3311 if (!phash_nid && !psign_nid && !psignhash_nid)
3312 return;
3313 if (phash_nid || psignhash_nid) {
b6eb9827 3314 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3315 if (phash_nid)
3316 *phash_nid = hash_nid;
3317 }
3318 if (psign_nid || psignhash_nid) {
b6eb9827 3319 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3320 if (psign_nid)
3321 *psign_nid = sign_nid;
3322 }
3323 if (psignhash_nid) {
330dcb09
MC		 3324 if (sign_nid == NID_undef || hash_nid == NID_undef
3325 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3326 sign_nid) <= 0)
0f113f3e
MC		 3327 *psignhash_nid = NID_undef;
3328 }
3329}
3330
b362ccab
DSH		 3331/* Check to see if a signature algorithm is allowed */
3332static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3333{
3334 /* See if we have an entry in the hash table and it is enabled */
3335 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3336 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3337 return 0;
3338 /* See if public key algorithm allowed */
3339 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3340 return 0;
3341 /* Finally see if security callback allows it */
3342 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3343}
3344
3345/*
3346 * Get a mask of disabled public key algorithms based on supported signature
3347 * algorithms. For example if no signature algorithm supports RSA then RSA is
3348 * disabled.
b362ccab
DSH		 3349 */
3350
90d9e49a 3351void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3352{
3353 const unsigned char *sigalgs;
3354 size_t i, sigalgslen;
3355 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3356 /*
3357 * Now go through all signature algorithms seeing if we support any for
3358 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3359 * down calls to security callback only check if we have to.
3360 */
3361 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3362 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3363 switch (sigalgs[1]) {
e481f9b9 3364#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3365 case TLSEXT_signature_rsa:
3366 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3367 have_rsa = 1;
3368 break;
e481f9b9
MC		 3369#endif
3370#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3371 case TLSEXT_signature_dsa:
3372 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3373 have_dsa = 1;
3374 break;
e481f9b9
MC		 3375#endif
3376#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3377 case TLSEXT_signature_ecdsa:
3378 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3379 have_ecdsa = 1;
3380 break;
e481f9b9 3381#endif
0f113f3e
MC		 3382 }
3383 }
3384 if (!have_rsa)
3385 *pmask_a |= SSL_aRSA;
3386 if (!have_dsa)
3387 *pmask_a |= SSL_aDSS;
3388 if (!have_ecdsa)
3389 *pmask_a |= SSL_aECDSA;
3390}
b362ccab
DSH		 3391
3392size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3393 const unsigned char *psig, size_t psiglen)
3394{
3395 unsigned char *tmpout = out;
3396 size_t i;
3397 for (i = 0; i < psiglen; i += 2, psig += 2) {
3398 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3399 *tmpout++ = psig[0];
3400 *tmpout++ = psig[1];
3401 }
3402 }
3403 return tmpout - out;
3404}
b362ccab 3405
4453cd8c 3406/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3407static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3408 const unsigned char *pref, size_t preflen,
3409 const unsigned char *allow, size_t allowlen)
3410{
3411 const unsigned char *ptmp, *atmp;
3412 size_t i, j, nmatch = 0;
3413 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3414 /* Skip disabled hashes or signature algorithms */
3415 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3416 continue;
3417 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3418 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3419 nmatch++;
3420 if (shsig) {
3421 shsig->rhash = ptmp[0];
3422 shsig->rsign = ptmp[1];
3423 tls1_lookup_sigalg(&shsig->hash_nid,
3424 &shsig->sign_nid,
3425 &shsig->signandhash_nid, ptmp);
3426 shsig++;
3427 }
3428 break;
3429 }
3430 }
3431 }
3432 return nmatch;
3433}
4453cd8c
DSH		 3434
3435/* Set shared signature algorithms for SSL structures */
3436static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3437{
3438 const unsigned char *pref, *allow, *conf;
3439 size_t preflen, allowlen, conflen;
3440 size_t nmatch;
3441 TLS_SIGALGS *salgs = NULL;
3442 CERT *c = s->cert;
3443 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3444
3445 OPENSSL_free(c->shared_sigalgs);
3446 c->shared_sigalgs = NULL;
3447 c->shared_sigalgslen = 0;
0f113f3e
MC		 3448 /* If client use client signature algorithms if not NULL */
3449 if (!s->server && c->client_sigalgs && !is_suiteb) {
3450 conf = c->client_sigalgs;
3451 conflen = c->client_sigalgslen;
3452 } else if (c->conf_sigalgs && !is_suiteb) {
3453 conf = c->conf_sigalgs;
3454 conflen = c->conf_sigalgslen;
3455 } else
3456 conflen = tls12_get_psigalgs(s, &conf);
3457 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3458 pref = conf;
3459 preflen = conflen;
76106e60
DSH		 3460 allow = s->s3->tmp.peer_sigalgs;
3461 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3462 } else {
3463 allow = conf;
3464 allowlen = conflen;
76106e60
DSH		 3465 pref = s->s3->tmp.peer_sigalgs;
3466 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3467 }
3468 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3469 if (nmatch) {
3470 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3471 if (salgs == NULL)
34e3edbf
DSH		 3472 return 0;
3473 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3474 } else {
3475 salgs = NULL;
3476 }
0f113f3e
MC		 3477 c->shared_sigalgs = salgs;
3478 c->shared_sigalgslen = nmatch;
3479 return 1;
3480}
4453cd8c 3481
6b7be581
DSH		 3482/* Set preferred digest for each key type */
3483
c800c27a 3484int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3485{
3486 CERT *c = s->cert;
3487 /* Extension ignored for inappropriate versions */
3488 if (!SSL_USE_SIGALGS(s))
3489 return 1;
3490 /* Should never happen */
3491 if (!c)
3492 return 0;
3493
76106e60
DSH		 3494 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3495 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3496 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3497 return 0;
76106e60
DSH		 3498 s->s3->tmp.peer_sigalgslen = dsize;
3499 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3500 return 1;
3501}
6b7be581 3502
c800c27a 3503int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3504{
3505 int idx;
3506 size_t i;
3507 const EVP_MD *md;
d376e57d 3508 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3509 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3510 CERT *c = s->cert;
3511 TLS_SIGALGS *sigptr;
3512 if (!tls1_set_shared_sigalgs(s))
3513 return 0;
3514
e481f9b9 3515#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3516 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3517 /*
3518 * Use first set signature preference to force message digest,
3519 * ignoring any peer preferences.
3520 */
3521 const unsigned char *sigs = NULL;
3522 if (s->server)
3523 sigs = c->conf_sigalgs;
3524 else
3525 sigs = c->client_sigalgs;
3526 if (sigs) {
3527 idx = tls12_get_pkey_idx(sigs[1]);
3528 md = tls12_get_hash(sigs[0]);
d376e57d 3529 pmd[idx] = md;
6383d316 3530 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3531 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3532 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3533 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3534 }
3535 }
3536 }
e481f9b9 3537#endif
0f113f3e
MC		 3538
3539 for (i = 0, sigptr = c->shared_sigalgs;
3540 i < c->shared_sigalgslen; i++, sigptr++) {
3541 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3542 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3543 md = tls12_get_hash(sigptr->rhash);
d376e57d 3544 pmd[idx] = md;
6383d316 3545 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3546 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3547 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3548 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3549 }
3550 }
6b7be581 3551
0f113f3e
MC		 3552 }
3553 /*
3554 * In strict mode leave unset digests as NULL to indicate we can't use
3555 * the certificate for signing.
3556 */
3557 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3558 /*
3559 * Set any remaining keys to default values. NOTE: if alg is not
3560 * supported it stays as NULL.
3561 */
e481f9b9 3562#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3563 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3564 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3565#endif
3566#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3567 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3568 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3569 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3570 }
e481f9b9
MC		 3571#endif
3572#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3573 if (pmd[SSL_PKEY_ECC] == NULL)
3574 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3575#endif
e44380a9
DB		 3576# ifndef OPENSSL_NO_GOST
3577 if (pmd[SSL_PKEY_GOST01] == NULL)
3578 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3579 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3580 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3581 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3582 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3583# endif
0f113f3e
MC		 3584 }
3585 return 1;
3586}
4817504d 3587
e7f8ff43 3588int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3589 int *psign, int *phash, int *psignhash,
3590 unsigned char *rsig, unsigned char *rhash)
3591{
76106e60 3592 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3593 if (psig == NULL)
3594 return 0;
3595 if (idx >= 0) {
3596 idx <<= 1;
76106e60 3597 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3598 return 0;
3599 psig += idx;
3600 if (rhash)
3601 *rhash = psig[0];
3602 if (rsig)
3603 *rsig = psig[1];
3604 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3605 }
76106e60 3606 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3607}
4453cd8c
DSH		 3608
3609int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3610 int *psign, int *phash, int *psignhash,
3611 unsigned char *rsig, unsigned char *rhash)
3612{
3613 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3614 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3615 return 0;
3616 shsigalgs += idx;
3617 if (phash)
3618 *phash = shsigalgs->hash_nid;
3619 if (psign)
3620 *psign = shsigalgs->sign_nid;
3621 if (psignhash)
3622 *psignhash = shsigalgs->signandhash_nid;
3623 if (rsig)
3624 *rsig = shsigalgs->rsign;
3625 if (rhash)
3626 *rhash = shsigalgs->rhash;
3627 return s->cert->shared_sigalgslen;
3628}
3629
e481f9b9 3630#ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3631int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3632{
2c60ed04 3633 unsigned char *pl;
0f113f3e
MC		 3634 unsigned short hbtype;
3635 unsigned int payload;
3636 unsigned int padding = 16; /* Use minimum padding */
3637
3638 if (s->msg_callback)
3639 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3640 p, length,
0f113f3e
MC		 3641 s, s->msg_callback_arg);
3642
3643 /* Read type and payload length first */
258f8721 3644 if (1 + 2 + 16 > length)
0f113f3e
MC		 3645 return 0; /* silently discard */
3646 hbtype = *p++;
3647 n2s(p, payload);
258f8721 3648 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3649 return 0; /* silently discard per RFC 6520 sec. 4 */
3650 pl = p;
3651
3652 if (hbtype == TLS1_HB_REQUEST) {
3653 unsigned char *buffer, *bp;
3654 int r;
3655
3656 /*
3657 * Allocate memory for the response, size is 1 bytes message type,
3658 * plus 2 bytes payload length, plus payload, plus padding
3659 */
3660 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3661 if (buffer == NULL) {
3662 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3663 return -1;
3664 }
3665 bp = buffer;
3666
3667 /* Enter response type, length and copy payload */
3668 *bp++ = TLS1_HB_RESPONSE;
3669 s2n(payload, bp);
3670 memcpy(bp, pl, payload);
3671 bp += payload;
3672 /* Random padding */
266483d2
MC		 3673 if (RAND_bytes(bp, padding) <= 0) {
3674 OPENSSL_free(buffer);
3675 return -1;
3676 }
0f113f3e
MC		 3677
3678 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3679 3 + payload + padding);
3680
3681 if (r >= 0 && s->msg_callback)
3682 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3683 buffer, 3 + payload + padding,
3684 s, s->msg_callback_arg);
3685
3686 OPENSSL_free(buffer);
3687
3688 if (r < 0)
3689 return r;
3690 } else if (hbtype == TLS1_HB_RESPONSE) {
3691 unsigned int seq;
3692
3693 /*
3694 * We only send sequence numbers (2 bytes unsigned int), and 16
3695 * random bytes, so we just try to read the sequence number
3696 */
3697 n2s(pl, seq);
3698
3699 if (payload == 18 && seq == s->tlsext_hb_seq) {
3700 s->tlsext_hb_seq++;
3701 s->tlsext_hb_pending = 0;
3702 }
3703 }
3704
3705 return 0;
3706}
0f229cce 3707
0f113f3e
MC		 3708int tls1_heartbeat(SSL *s)
3709{
3710 unsigned char *buf, *p;
266483d2 3711 int ret = -1;
0f113f3e
MC		 3712 unsigned int payload = 18; /* Sequence number + random bytes */
3713 unsigned int padding = 16; /* Use minimum padding */
3714
3715 /* Only send if peer supports and accepts HB requests... */
3716 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3717 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3718 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3719 return -1;
3720 }
3721
3722 /* ...and there is none in flight yet... */
3723 if (s->tlsext_hb_pending) {
3724 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3725 return -1;
3726 }
3727
3728 /* ...and no handshake in progress. */
024f543c 3729 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
0f113f3e
MC		 3730 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3731 return -1;
3732 }
3733
50e735f9
MC		 3734 /*-
3735 * Create HeartBeat message, we just use a sequence number
3736 * as payload to distuingish different messages and add
3737 * some random stuff.
3738 * - Message Type, 1 byte
3739 * - Payload Length, 2 bytes (unsigned int)
3740 * - Payload, the sequence number (2 bytes uint)
3741 * - Payload, random bytes (16 bytes uint)
3742 * - Padding
3743 */
0f113f3e
MC		 3744 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3745 if (buf == NULL) {
3746 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3747 return -1;
3748 }
3749 p = buf;
3750 /* Message Type */
3751 *p++ = TLS1_HB_REQUEST;
3752 /* Payload length (18 bytes here) */
3753 s2n(payload, p);
3754 /* Sequence number */
3755 s2n(s->tlsext_hb_seq, p);
3756 /* 16 random bytes */
266483d2
MC		 3757 if (RAND_bytes(p, 16) <= 0) {
3758 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3759 goto err;
3760 }
0f113f3e
MC		 3761 p += 16;
3762 /* Random padding */
266483d2
MC		 3763 if (RAND_bytes(p, padding) <= 0) {
3764 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3765 goto err;
3766 }
0f113f3e
MC		 3767
3768 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3769 if (ret >= 0) {
3770 if (s->msg_callback)
3771 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3772 buf, 3 + payload + padding,
3773 s, s->msg_callback_arg);
3774
3775 s->tlsext_hb_pending = 1;
3776 }
3777
266483d2 3778 err:
0f113f3e 3779 OPENSSL_free(buf);
0f113f3e
MC		 3780 return ret;
3781}
e481f9b9 3782#endif
0f113f3e 3783
e481f9b9 3784#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3785
0f113f3e
MC		 3786typedef struct {
3787 size_t sigalgcnt;
3788 int sigalgs[MAX_SIGALGLEN];
3789} sig_cb_st;
0f229cce 3790
431f458d
DSH		 3791static void get_sigorhash(int *psig, int *phash, const char *str)
3792{
3793 if (strcmp(str, "RSA") == 0) {
3794 *psig = EVP_PKEY_RSA;
3795 } else if (strcmp(str, "DSA") == 0) {
3796 *psig = EVP_PKEY_DSA;
3797 } else if (strcmp(str, "ECDSA") == 0) {
3798 *psig = EVP_PKEY_EC;
3799 } else {
3800 *phash = OBJ_sn2nid(str);
3801 if (*phash == NID_undef)
3802 *phash = OBJ_ln2nid(str);
3803 }
3804}
3805
0f229cce 3806static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3807{
3808 sig_cb_st *sarg = arg;
3809 size_t i;
3810 char etmp[20], *p;
431f458d 3811 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3812 if (elem == NULL)
3813 return 0;
0f113f3e
MC		 3814 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3815 return 0;
3816 if (len > (int)(sizeof(etmp) - 1))
3817 return 0;
3818 memcpy(etmp, elem, len);
3819 etmp[len] = 0;
3820 p = strchr(etmp, '+');
3821 if (!p)
3822 return 0;
3823 *p = 0;
3824 p++;
3825 if (!*p)
3826 return 0;
3827
431f458d
DSH		 3828 get_sigorhash(&sig_alg, &hash_alg, etmp);
3829 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3830
431f458d 3831 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3832 return 0;
3833
3834 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3835 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3836 return 0;
3837 }
3838 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3839 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3840 return 1;
3841}
3842
3843/*
3844 * Set suppored signature algorithms based on a colon separated list of the
3845 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3846 */
3dbc46df 3847int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3848{
3849 sig_cb_st sig;
3850 sig.sigalgcnt = 0;
3851 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3852 return 0;
3853 if (c == NULL)
3854 return 1;
3855 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3856}
3857
3858int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3859 int client)
3860{
3861 unsigned char *sigalgs, *sptr;
3862 int rhash, rsign;
3863 size_t i;
3864 if (salglen & 1)
3865 return 0;
3866 sigalgs = OPENSSL_malloc(salglen);
3867 if (sigalgs == NULL)
3868 return 0;
3869 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3870 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3871 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3872
3873 if (rhash == -1 || rsign == -1)
3874 goto err;
3875 *sptr++ = rhash;
3876 *sptr++ = rsign;
3877 }
3878
3879 if (client) {
b548a1f1 3880 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3881 c->client_sigalgs = sigalgs;
3882 c->client_sigalgslen = salglen;
3883 } else {
b548a1f1 3884 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3885 c->conf_sigalgs = sigalgs;
3886 c->conf_sigalgslen = salglen;
3887 }
3888
3889 return 1;
3890
3891 err:
3892 OPENSSL_free(sigalgs);
3893 return 0;
3894}
4453cd8c 3895
d61ff83b 3896static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3897{
3898 int sig_nid;
3899 size_t i;
3900 if (default_nid == -1)
3901 return 1;
3902 sig_nid = X509_get_signature_nid(x);
3903 if (default_nid)
3904 return sig_nid == default_nid ? 1 : 0;
3905 for (i = 0; i < c->shared_sigalgslen; i++)
3906 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3907 return 1;
3908 return 0;
3909}
3910
6dbb6219
DSH		 3911/* Check to see if a certificate issuer name matches list of CA names */
3912static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3913{
3914 X509_NAME *nm;
3915 int i;
3916 nm = X509_get_issuer_name(x);
3917 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3918 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3919 return 1;
3920 }
3921 return 0;
3922}
3923
3924/*
3925 * Check certificate chain is consistent with TLS extensions and is usable by
3926 * server. This servers two purposes: it allows users to check chains before
3927 * passing them to the server and it allows the server to check chains before
3928 * attempting to use them.
d61ff83b 3929 */
6dbb6219
DSH		 3930
3931/* Flags which need to be set for a certificate when stict mode not set */
3932
e481f9b9 3933#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3934 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3935/* Strict mode flags */
e481f9b9 3936#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3937 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3938 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3939
d61ff83b 3940int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3941 int idx)
3942{
3943 int i;
3944 int rv = 0;
3945 int check_flags = 0, strict_mode;
3946 CERT_PKEY *cpk = NULL;
3947 CERT *c = s->cert;
f7d53487 3948 uint32_t *pvalid;
0f113f3e
MC		 3949 unsigned int suiteb_flags = tls1_suiteb(s);
3950 /* idx == -1 means checking server chains */
3951 if (idx != -1) {
3952 /* idx == -2 means checking client certificate chains */
3953 if (idx == -2) {
3954 cpk = c->key;
3955 idx = cpk - c->pkeys;
3956 } else
3957 cpk = c->pkeys + idx;
6383d316 3958 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3959 x = cpk->x509;
3960 pk = cpk->privatekey;
3961 chain = cpk->chain;
3962 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3963 /* If no cert or key, forget it */
3964 if (!x || !pk)
3965 goto end;
e481f9b9 3966#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3967 /* Allow any certificate to pass test */
3968 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3969 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3970 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3971 *pvalid = rv;
0f113f3e
MC		 3972 return rv;
3973 }
e481f9b9 3974#endif
0f113f3e
MC		 3975 } else {
3976 if (!x || !pk)
d813f9eb 3977 return 0;
0f113f3e
MC		 3978 idx = ssl_cert_type(x, pk);
3979 if (idx == -1)
d813f9eb 3980 return 0;
6383d316
DSH		 3981 pvalid = s->s3->tmp.valid_flags + idx;
3982
0f113f3e
MC		 3983 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3984 check_flags = CERT_PKEY_STRICT_FLAGS;
3985 else
3986 check_flags = CERT_PKEY_VALID_FLAGS;
3987 strict_mode = 1;
3988 }
3989
3990 if (suiteb_flags) {
3991 int ok;
3992 if (check_flags)
3993 check_flags |= CERT_PKEY_SUITEB;
3994 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3995 if (ok == X509_V_OK)
3996 rv |= CERT_PKEY_SUITEB;
3997 else if (!check_flags)
3998 goto end;
3999 }
4000
4001 /*
4002 * Check all signature algorithms are consistent with signature
4003 * algorithms extension if TLS 1.2 or later and strict mode.
4004 */
4005 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4006 int default_nid;
4007 unsigned char rsign = 0;
76106e60 4008 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 4009 default_nid = 0;
4010 /* If no sigalgs extension use defaults from RFC5246 */
4011 else {
4012 switch (idx) {
4013 case SSL_PKEY_RSA_ENC:
4014 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 4015 rsign = TLSEXT_signature_rsa;
4016 default_nid = NID_sha1WithRSAEncryption;
4017 break;
4018
4019 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 4020 rsign = TLSEXT_signature_dsa;
4021 default_nid = NID_dsaWithSHA1;
4022 break;
4023
4024 case SSL_PKEY_ECC:
4025 rsign = TLSEXT_signature_ecdsa;
4026 default_nid = NID_ecdsa_with_SHA1;
4027 break;
4028
e44380a9
DB		 4029 case SSL_PKEY_GOST01:
4030 rsign = TLSEXT_signature_gostr34102001;
4031 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4032 break;
4033
4034 case SSL_PKEY_GOST12_256:
4035 rsign = TLSEXT_signature_gostr34102012_256;
4036 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4037 break;
4038
4039 case SSL_PKEY_GOST12_512:
4040 rsign = TLSEXT_signature_gostr34102012_512;
4041 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4042 break;
4043
0f113f3e
MC		 4044 default:
4045 default_nid = -1;
4046 break;
4047 }
4048 }
4049 /*
4050 * If peer sent no signature algorithms extension and we have set
4051 * preferred signature algorithms check we support sha1.
4052 */
4053 if (default_nid > 0 && c->conf_sigalgs) {
4054 size_t j;
4055 const unsigned char *p = c->conf_sigalgs;
4056 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4057 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4058 break;
4059 }
4060 if (j == c->conf_sigalgslen) {
4061 if (check_flags)
4062 goto skip_sigs;
4063 else
4064 goto end;
4065 }
4066 }
4067 /* Check signature algorithm of each cert in chain */
4068 if (!tls1_check_sig_alg(c, x, default_nid)) {
4069 if (!check_flags)
4070 goto end;
4071 } else
4072 rv |= CERT_PKEY_EE_SIGNATURE;
4073 rv |= CERT_PKEY_CA_SIGNATURE;
4074 for (i = 0; i < sk_X509_num(chain); i++) {
4075 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4076 if (check_flags) {
4077 rv &= ~CERT_PKEY_CA_SIGNATURE;
4078 break;
4079 } else
4080 goto end;
4081 }
4082 }
4083 }
4084 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4085 else if (check_flags)
4086 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4087 skip_sigs:
4088 /* Check cert parameters are consistent */
4089 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4090 rv |= CERT_PKEY_EE_PARAM;
4091 else if (!check_flags)
4092 goto end;
4093 if (!s->server)
4094 rv |= CERT_PKEY_CA_PARAM;
4095 /* In strict mode check rest of chain too */
4096 else if (strict_mode) {
4097 rv |= CERT_PKEY_CA_PARAM;
4098 for (i = 0; i < sk_X509_num(chain); i++) {
4099 X509 *ca = sk_X509_value(chain, i);
4100 if (!tls1_check_cert_param(s, ca, 0)) {
4101 if (check_flags) {
4102 rv &= ~CERT_PKEY_CA_PARAM;
4103 break;
4104 } else
4105 goto end;
4106 }
4107 }
4108 }
4109 if (!s->server && strict_mode) {
4110 STACK_OF(X509_NAME) *ca_dn;
4111 int check_type = 0;
3aeb9348 4112 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 4113 case EVP_PKEY_RSA:
4114 check_type = TLS_CT_RSA_SIGN;
4115 break;
4116 case EVP_PKEY_DSA:
4117 check_type = TLS_CT_DSS_SIGN;
4118 break;
4119 case EVP_PKEY_EC:
4120 check_type = TLS_CT_ECDSA_SIGN;
4121 break;
0f113f3e
MC		 4122 }
4123 if (check_type) {
4124 const unsigned char *ctypes;
4125 int ctypelen;
4126 if (c->ctypes) {
4127 ctypes = c->ctypes;
4128 ctypelen = (int)c->ctype_num;
4129 } else {
4130 ctypes = (unsigned char *)s->s3->tmp.ctype;
4131 ctypelen = s->s3->tmp.ctype_num;
4132 }
4133 for (i = 0; i < ctypelen; i++) {
4134 if (ctypes[i] == check_type) {
4135 rv |= CERT_PKEY_CERT_TYPE;
4136 break;
4137 }
4138 }
4139 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4140 goto end;
4141 } else
4142 rv |= CERT_PKEY_CERT_TYPE;
4143
4144 ca_dn = s->s3->tmp.ca_names;
4145
4146 if (!sk_X509_NAME_num(ca_dn))
4147 rv |= CERT_PKEY_ISSUER_NAME;
4148
4149 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4150 if (ssl_check_ca_name(ca_dn, x))
4151 rv |= CERT_PKEY_ISSUER_NAME;
4152 }
4153 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4154 for (i = 0; i < sk_X509_num(chain); i++) {
4155 X509 *xtmp = sk_X509_value(chain, i);
4156 if (ssl_check_ca_name(ca_dn, xtmp)) {
4157 rv |= CERT_PKEY_ISSUER_NAME;
4158 break;
4159 }
4160 }
4161 }
4162 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4163 goto end;
4164 } else
4165 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4166
4167 if (!check_flags || (rv & check_flags) == check_flags)
4168 rv |= CERT_PKEY_VALID;
4169
4170 end:
4171
4172 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4173 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4174 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4175 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4176 rv |= CERT_PKEY_SIGN;
4177 } else
4178 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4179
4180 /*
4181 * When checking a CERT_PKEY structure all flags are irrelevant if the
4182 * chain is invalid.
4183 */
4184 if (!check_flags) {
4185 if (rv & CERT_PKEY_VALID)
6383d316 4186 *pvalid = rv;
0f113f3e
MC		 4187 else {
4188 /* Preserve explicit sign flag, clear rest */
6383d316 4189 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4190 return 0;
4191 }
4192 }
4193 return rv;
4194}
d61ff83b
DSH		 4195
4196/* Set validity of certificates in an SSL structure */
4197void tls1_set_cert_validity(SSL *s)
0f113f3e 4198{
17dd65e6
MC		 4199 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4200 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4201 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 4202 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4203 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4204 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4205 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4206}
4207
18d71588
DSH		 4208/* User level utiity function to check a chain is suitable */
4209int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4210{
4211 return tls1_check_chain(s, x, pk, chain, -1);
4212}
d61ff83b 4213
09599b52
DSH		 4214
4215#ifndef OPENSSL_NO_DH
4216DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4217{
4218 int dh_secbits = 80;
4219 if (s->cert->dh_tmp_auto == 2)
4220 return DH_get_1024_160();
adc5506a 4221 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4222 if (s->s3->tmp.new_cipher->strength_bits == 256)
4223 dh_secbits = 128;
4224 else
4225 dh_secbits = 80;
4226 } else {
4227 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4228 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4229 }
4230
4231 if (dh_secbits >= 128) {
4232 DH *dhp = DH_new();
a71edf3b 4233 if (dhp == NULL)
0f113f3e
MC		 4234 return NULL;
4235 dhp->g = BN_new();
a71edf3b 4236 if (dhp->g != NULL)
0f113f3e
MC		 4237 BN_set_word(dhp->g, 2);
4238 if (dh_secbits >= 192)
4239 dhp->p = get_rfc3526_prime_8192(NULL);
4240 else
4241 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4242 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4243 DH_free(dhp);
4244 return NULL;
4245 }
4246 return dhp;
4247 }
4248 if (dh_secbits >= 112)
4249 return DH_get_2048_224();
4250 return DH_get_1024_160();
4251}
09599b52 4252#endif
b362ccab
DSH		 4253
4254static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4255{
72245f34 4256 int secbits = -1;
8382fd3a 4257 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4258 if (pkey) {
72245f34
DSH		 4259 /*
4260 * If no parameters this will return -1 and fail using the default
4261 * security callback for any non-zero security level. This will
4262 * reject keys which omit parameters but this only affects DSA and
4263 * omission of parameters is never (?) done in practice.
4264 */
0f113f3e 4265 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4266 }
0f113f3e
MC		 4267 if (s)
4268 return ssl_security(s, op, secbits, 0, x);
4269 else
4270 return ssl_ctx_security(ctx, op, secbits, 0, x);
4271}
b362ccab
DSH		 4272
4273static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4274{
4275 /* Lookup signature algorithm digest */
4276 int secbits = -1, md_nid = NID_undef, sig_nid;
4277 sig_nid = X509_get_signature_nid(x);
4278 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4279 const EVP_MD *md;
4280 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4281 secbits = EVP_MD_size(md) * 4;
4282 }
4283 if (s)
4284 return ssl_security(s, op, secbits, md_nid, x);
4285 else
4286 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4287}
b362ccab
DSH		 4288
4289int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4290{
4291 if (vfy)
4292 vfy = SSL_SECOP_PEER;
4293 if (is_ee) {
4294 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4295 return SSL_R_EE_KEY_TOO_SMALL;
4296 } else {
4297 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4298 return SSL_R_CA_KEY_TOO_SMALL;
4299 }
4300 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4301 return SSL_R_CA_MD_TOO_WEAK;
4302 return 1;
4303}
4304
4305/*
4306 * Check security of a chain, if sk includes the end entity certificate then
4307 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4308 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4309 */
4310
4311int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4312{
4313 int rv, start_idx, i;
4314 if (x == NULL) {
4315 x = sk_X509_value(sk, 0);
4316 start_idx = 1;
4317 } else
4318 start_idx = 0;
4319
4320 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4321 if (rv != 1)
4322 return rv;
4323
4324 for (i = start_idx; i < sk_X509_num(sk); i++) {
4325 x = sk_X509_value(sk, i);
4326 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4327 if (rv != 1)
4328 return rv;
4329 }
4330 return 1;
4331}
A mirror of the official openssl repository