]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix heartbeat compilation error
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
f1fd4544 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
f1fd4544 8 */
58964a49
RE		 9
10#include <stdio.h>
aa474d1f 11#include <stdlib.h>
ec577822 12#include <openssl/objects.h>
6434abbf
DSH		 13#include <openssl/evp.h>
14#include <openssl/hmac.h>
67c8e7f4 15#include <openssl/ocsp.h>
5951e840
MC		 16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
3c27208f
RS		 18#include <openssl/dh.h>
19#include <openssl/bn.h>
58964a49 20#include "ssl_locl.h"
3c27208f 21#include <openssl/ct.h>
58964a49 22
6434abbf 23static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 24 const unsigned char *sess_id, int sesslen,
25 SSL_SESSION **psess);
2daceb03 26static int ssl_check_clienthello_tlsext_early(SSL *s);
aa474d1f 27static int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 28
0f113f3e
MC		 29SSL3_ENC_METHOD const TLSv1_enc_data = {
30 tls1_enc,
31 tls1_mac,
32 tls1_setup_key_block,
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
36 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 37 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
38 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
39 tls1_alert_code,
40 tls1_export_keying_material,
41 0,
42 SSL3_HM_HEADER_LENGTH,
43 ssl3_set_handshake_header,
2c7b4dbc
MC		 44 ssl3_set_handshake_header2,
45 tls_close_construct_packet,
0f113f3e
MC		 46 ssl3_handshake_write
47};
48
49SSL3_ENC_METHOD const TLSv1_1_enc_data = {
50 tls1_enc,
51 tls1_mac,
52 tls1_setup_key_block,
53 tls1_generate_master_secret,
54 tls1_change_cipher_state,
55 tls1_final_finish_mac,
56 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 57 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
58 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
59 tls1_alert_code,
60 tls1_export_keying_material,
61 SSL_ENC_FLAG_EXPLICIT_IV,
62 SSL3_HM_HEADER_LENGTH,
63 ssl3_set_handshake_header,
2c7b4dbc
MC		 64 ssl3_set_handshake_header2,
65 tls_close_construct_packet,
0f113f3e
MC		 66 ssl3_handshake_write
67};
68
69SSL3_ENC_METHOD const TLSv1_2_enc_data = {
70 tls1_enc,
71 tls1_mac,
72 tls1_setup_key_block,
73 tls1_generate_master_secret,
74 tls1_change_cipher_state,
75 tls1_final_finish_mac,
76 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 77 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
78 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
79 tls1_alert_code,
80 tls1_export_keying_material,
81 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
82 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
83 SSL3_HM_HEADER_LENGTH,
84 ssl3_set_handshake_header,
2c7b4dbc
MC		 85 ssl3_set_handshake_header2,
86 tls_close_construct_packet,
0f113f3e
MC		 87 ssl3_handshake_write
88};
58964a49 89
f3b656b2 90long tls1_default_timeout(void)
0f113f3e
MC		 91{
92 /*
93 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
94 * http, the cache would over fill
95 */
96 return (60 * 60 * 2);
97}
58964a49 98
6b691a5c 99int tls1_new(SSL *s)
0f113f3e
MC		 100{
101 if (!ssl3_new(s))
102 return (0);
103 s->method->ssl_clear(s);
104 return (1);
105}
58964a49 106
6b691a5c 107void tls1_free(SSL *s)
0f113f3e 108{
b548a1f1 109 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 110 ssl3_free(s);
111}
58964a49 112
6b691a5c 113void tls1_clear(SSL *s)
0f113f3e
MC		 114{
115 ssl3_clear(s);
4fa52141
VD		 116 if (s->method->version == TLS_ANY_VERSION)
117 s->version = TLS_MAX_VERSION;
118 else
119 s->version = s->method->version;
0f113f3e 120}
58964a49 121
525de5d3 122#ifndef OPENSSL_NO_EC
eda3766b 123
0f113f3e
MC		 124typedef struct {
125 int nid; /* Curve NID */
126 int secbits; /* Bits of security (from SP800-57) */
127 unsigned int flags; /* Flags: currently just field type */
128} tls_curve_info;
129
2dc1aeed
DSH		 130/*
131 * Table of curve information.
ddb4c047 132 * Do not delete entries or reorder this array! It is used as a lookup
2dc1aeed
DSH		 133 * table: the index of each entry is one less than the TLS curve id.
134 */
0f113f3e
MC		 135static const tls_curve_info nid_list[] = {
136 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
137 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
138 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
139 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
140 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
141 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
142 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
143 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
144 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
145 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
146 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
147 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
148 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
149 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
150 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
151 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
152 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
153 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
154 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
155 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
156 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
157 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
158 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
159 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
160 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
161 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
162 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
163 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
ec24630a 164 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
0f113f3e
MC		 165};
166
167static const unsigned char ecformats_default[] = {
168 TLSEXT_ECPOINTFORMAT_uncompressed,
169 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
170 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
171};
172
fe6ef247
KR		 173/* The default curves */
174static const unsigned char eccurves_default[] = {
1db3107a 175 0, 29, /* X25519 (29) */
de57d237 176 0, 23, /* secp256r1 (23) */
0f113f3e 177 0, 25, /* secp521r1 (25) */
0f113f3e 178 0, 24, /* secp384r1 (24) */
de57d237
EK		 179};
180
181static const unsigned char eccurves_all[] = {
1db3107a 182 0, 29, /* X25519 (29) */
de57d237 183 0, 23, /* secp256r1 (23) */
de57d237 184 0, 25, /* secp521r1 (25) */
de57d237 185 0, 24, /* secp384r1 (24) */
0f113f3e 186 0, 26, /* brainpoolP256r1 (26) */
ddb4c047
RS		 187 0, 27, /* brainpoolP384r1 (27) */
188 0, 28, /* brainpool512r1 (28) */
189
190 /*
191 * Remaining curves disabled by default but still permitted if set
192 * via an explicit callback or parameters.
193 */
0f113f3e 194 0, 22, /* secp256k1 (22) */
de57d237
EK		 195 0, 14, /* sect571r1 (14) */
196 0, 13, /* sect571k1 (13) */
197 0, 11, /* sect409k1 (11) */
198 0, 12, /* sect409r1 (12) */
199 0, 9, /* sect283k1 (9) */
200 0, 10, /* sect283r1 (10) */
de57d237
EK		 201 0, 20, /* secp224k1 (20) */
202 0, 21, /* secp224r1 (21) */
203 0, 18, /* secp192k1 (18) */
204 0, 19, /* secp192r1 (19) */
205 0, 15, /* secp160k1 (15) */
206 0, 16, /* secp160r1 (16) */
207 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 208 0, 8, /* sect239k1 (8) */
209 0, 6, /* sect233k1 (6) */
210 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 211 0, 4, /* sect193r1 (4) */
212 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 213 0, 1, /* sect163k1 (1) */
214 0, 2, /* sect163r1 (2) */
215 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 216};
217
218static const unsigned char suiteb_curves[] = {
219 0, TLSEXT_curve_P_256,
220 0, TLSEXT_curve_P_384
221};
2ea80354 222
ec24630a 223int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
0f113f3e 224{
ec24630a 225 const tls_curve_info *cinfo;
0f113f3e 226 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 227 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e 228 return 0;
ec24630a
DSH		 229 cinfo = nid_list + curve_id - 1;
230 if (pflags)
231 *pflags = cinfo->flags;
232 return cinfo->nid;
0f113f3e 233}
525de5d3
DSH		 234
235int tls1_ec_nid2curve_id(int nid)
0f113f3e 236{
2fa2d15a
DSH		 237 size_t i;
238 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
239 if (nid_list[i].nid == nid)
240 return i + 1;
0f113f3e 241 }
2fa2d15a 242 return 0;
0f113f3e
MC		 243}
244
740580c2
EK		 245/*
246 * Get curves list, if "sess" is set return client curves otherwise
247 * preferred list.
248 * Sets |num_curves| to the number of curves in the list, i.e.,
249 * the length of |pcurves| is 2 * num_curves.
250 * Returns 1 on success and 0 if the client curves list has invalid format.
251 * The latter indicates an internal error: we should not be accepting such
252 * lists in the first place.
253 * TODO(emilia): we should really be storing the curves list in explicitly
254 * parsed form instead. (However, this would affect binary compatibility
255 * so cannot happen in the 1.0.x series.)
fd2b65ce 256 */
740580c2 257static int tls1_get_curvelist(SSL *s, int sess,
a230b26e 258 const unsigned char **pcurves, size_t *num_curves)
0f113f3e
MC		 259{
260 size_t pcurveslen = 0;
261 if (sess) {
262 *pcurves = s->session->tlsext_ellipticcurvelist;
263 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
264 } else {
265 /* For Suite B mode only include P-256, P-384 */
266 switch (tls1_suiteb(s)) {
267 case SSL_CERT_FLAG_SUITEB_128_LOS:
268 *pcurves = suiteb_curves;
269 pcurveslen = sizeof(suiteb_curves);
270 break;
271
272 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
273 *pcurves = suiteb_curves;
274 pcurveslen = 2;
275 break;
276
277 case SSL_CERT_FLAG_SUITEB_192_LOS:
278 *pcurves = suiteb_curves + 2;
279 pcurveslen = 2;
280 break;
281 default:
282 *pcurves = s->tlsext_ellipticcurvelist;
283 pcurveslen = s->tlsext_ellipticcurvelist_length;
284 }
285 if (!*pcurves) {
fe6ef247
KR		 286 *pcurves = eccurves_default;
287 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 288 }
289 }
290
291 /* We do not allow odd length arrays to enter the system. */
292 if (pcurveslen & 1) {
293 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
294 *num_curves = 0;
295 return 0;
296 } else {
297 *num_curves = pcurveslen / 2;
298 return 1;
299 }
300}
b362ccab
DSH		 301
302/* See if curve is allowed by security callback */
303static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 304{
305 const tls_curve_info *cinfo;
306 if (curve[0])
307 return 1;
b6eb9827 308 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 309 return 0;
310 cinfo = &nid_list[curve[1] - 1];
311# ifdef OPENSSL_NO_EC2M
312 if (cinfo->flags & TLS_CURVE_CHAR2)
313 return 0;
314# endif
315 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
316}
b362ccab 317
d18b716d
DSH		 318/* Check a curve is one of our preferences */
319int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 320{
321 const unsigned char *curves;
322 size_t num_curves, i;
323 unsigned int suiteb_flags = tls1_suiteb(s);
324 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
325 return 0;
326 /* Check curve matches Suite B preferences */
327 if (suiteb_flags) {
328 unsigned long cid = s->s3->tmp.new_cipher->id;
329 if (p[1])
330 return 0;
331 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
332 if (p[2] != TLSEXT_curve_P_256)
333 return 0;
334 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
335 if (p[2] != TLSEXT_curve_P_384)
336 return 0;
337 } else /* Should never happen */
338 return 0;
339 }
340 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
341 return 0;
342 for (i = 0; i < num_curves; i++, curves += 2) {
343 if (p[1] == curves[0] && p[2] == curves[1])
344 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
345 }
346 return 0;
347}
d0595f17 348
1d97c843 349/*-
6977e8ee
KR		 350 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
351 * if there is no match.
352 * For nmatch == -1, return number of matches
376e2ca3
EK		 353 * For nmatch == -2, return the NID of the curve to use for
354 * an EC tmp key, or NID_undef if there is no match.
d0595f17 355 */
a4352630 356int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 357{
358 const unsigned char *pref, *supp;
359 size_t num_pref, num_supp, i, j;
360 int k;
361 /* Can't do anything on client side */
362 if (s->server == 0)
363 return -1;
364 if (nmatch == -2) {
365 if (tls1_suiteb(s)) {
366 /*
367 * For Suite B ciphersuite determines curve: we already know
368 * these are acceptable due to previous checks.
369 */
370 unsigned long cid = s->s3->tmp.new_cipher->id;
371 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
372 return NID_X9_62_prime256v1; /* P-256 */
373 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
374 return NID_secp384r1; /* P-384 */
375 /* Should never happen */
376 return NID_undef;
377 }
378 /* If not Suite B just return first preference shared curve */
379 nmatch = 0;
380 }
381 /*
382 * Avoid truncation. tls1_get_curvelist takes an int
383 * but s->options is a long...
384 */
385 if (!tls1_get_curvelist
386 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
387 &num_supp))
388 /* In practice, NID_undef == 0 but let's be precise. */
389 return nmatch == -1 ? 0 : NID_undef;
390 if (!tls1_get_curvelist
a230b26e 391 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
0f113f3e 392 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 393
394 /*
395 * If the client didn't send the elliptic_curves extension all of them
396 * are allowed.
397 */
398 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
399 supp = eccurves_all;
400 num_supp = sizeof(eccurves_all) / 2;
401 } else if (num_pref == 0 &&
a230b26e 402 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
3c06513f
KR		 403 pref = eccurves_all;
404 num_pref = sizeof(eccurves_all) / 2;
405 }
406
0f113f3e
MC		 407 k = 0;
408 for (i = 0; i < num_pref; i++, pref += 2) {
409 const unsigned char *tsupp = supp;
410 for (j = 0; j < num_supp; j++, tsupp += 2) {
411 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
412 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
413 continue;
414 if (nmatch == k) {
415 int id = (pref[0] << 8) | pref[1];
ec24630a 416 return tls1_ec_curve_id2nid(id, NULL);
0f113f3e
MC		 417 }
418 k++;
419 }
420 }
421 }
422 if (nmatch == -1)
423 return k;
424 /* Out of range (nmatch > k). */
425 return NID_undef;
426}
d0595f17
DSH		 427
428int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 429 int *curves, size_t ncurves)
430{
431 unsigned char *clist, *p;
432 size_t i;
433 /*
434 * Bitmap of curves included to detect duplicates: only works while curve
435 * ids < 32
436 */
437 unsigned long dup_list = 0;
438 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 439 if (clist == NULL)
0f113f3e
MC		 440 return 0;
441 for (i = 0, p = clist; i < ncurves; i++) {
442 unsigned long idmask;
443 int id;
444 id = tls1_ec_nid2curve_id(curves[i]);
445 idmask = 1L << id;
446 if (!id || (dup_list & idmask)) {
447 OPENSSL_free(clist);
448 return 0;
449 }
450 dup_list |= idmask;
451 s2n(id, p);
452 }
b548a1f1 453 OPENSSL_free(*pext);
0f113f3e
MC		 454 *pext = clist;
455 *pextlen = ncurves * 2;
456 return 1;
457}
458
459# define MAX_CURVELIST 28
460
461typedef struct {
462 size_t nidcnt;
463 int nid_arr[MAX_CURVELIST];
464} nid_cb_st;
d0595f17
DSH		 465
466static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 467{
468 nid_cb_st *narg = arg;
469 size_t i;
470 int nid;
471 char etmp[20];
2747d73c
KR		 472 if (elem == NULL)
473 return 0;
0f113f3e
MC		 474 if (narg->nidcnt == MAX_CURVELIST)
475 return 0;
476 if (len > (int)(sizeof(etmp) - 1))
477 return 0;
478 memcpy(etmp, elem, len);
479 etmp[len] = 0;
480 nid = EC_curve_nist2nid(etmp);
481 if (nid == NID_undef)
482 nid = OBJ_sn2nid(etmp);
483 if (nid == NID_undef)
484 nid = OBJ_ln2nid(etmp);
485 if (nid == NID_undef)
486 return 0;
487 for (i = 0; i < narg->nidcnt; i++)
488 if (narg->nid_arr[i] == nid)
489 return 0;
490 narg->nid_arr[narg->nidcnt++] = nid;
491 return 1;
492}
493
d0595f17 494/* Set curves based on a colon separate list */
a230b26e 495int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
0f113f3e
MC		 496{
497 nid_cb_st ncb;
498 ncb.nidcnt = 0;
499 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
500 return 0;
501 if (pext == NULL)
502 return 1;
503 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
504}
505
fd2b65ce
DSH		 506/* For an EC key set TLS id and required compression based on parameters */
507static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 508 EC_KEY *ec)
509{
2235b7f2 510 int id;
0f113f3e 511 const EC_GROUP *grp;
0f113f3e
MC		 512 if (!ec)
513 return 0;
514 /* Determine if it is a prime field */
515 grp = EC_KEY_get0_group(ec);
516 if (!grp)
517 return 0;
0f113f3e
MC		 518 /* Determine curve ID */
519 id = EC_GROUP_get_curve_name(grp);
520 id = tls1_ec_nid2curve_id(id);
2235b7f2
DSH		 521 /* If no id return error: we don't support arbitrary explicit curves */
522 if (id == 0)
523 return 0;
524 curve_id[0] = 0;
525 curve_id[1] = (unsigned char)id;
0f113f3e
MC		 526 if (comp_id) {
527 if (EC_KEY_get0_public_key(ec) == NULL)
528 return 0;
2235b7f2
DSH		 529 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
530 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
531 } else {
532 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
0f113f3e
MC		 533 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
534 else
535 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2235b7f2 536 }
0f113f3e
MC		 537 }
538 return 1;
539}
540
fd2b65ce
DSH		 541/* Check an EC key is compatible with extensions */
542static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 543 unsigned char *curve_id, unsigned char *comp_id)
544{
545 const unsigned char *pformats, *pcurves;
546 size_t num_formats, num_curves, i;
547 int j;
548 /*
549 * If point formats extension present check it, otherwise everything is
550 * supported (see RFC4492).
551 */
552 if (comp_id && s->session->tlsext_ecpointformatlist) {
553 pformats = s->session->tlsext_ecpointformatlist;
554 num_formats = s->session->tlsext_ecpointformatlist_length;
555 for (i = 0; i < num_formats; i++, pformats++) {
556 if (*comp_id == *pformats)
557 break;
558 }
559 if (i == num_formats)
560 return 0;
561 }
562 if (!curve_id)
563 return 1;
564 /* Check curve is consistent with client and server preferences */
565 for (j = 0; j <= 1; j++) {
566 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
567 return 0;
b79d2410
MC		 568 if (j == 1 && num_curves == 0) {
569 /*
570 * If we've not received any curves then skip this check.
571 * RFC 4492 does not require the supported elliptic curves extension
572 * so if it is not sent we can just choose any curve.
573 * It is invalid to send an empty list in the elliptic curves
574 * extension, so num_curves == 0 always means no extension.
575 */
576 break;
577 }
0f113f3e
MC		 578 for (i = 0; i < num_curves; i++, pcurves += 2) {
579 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
580 break;
581 }
582 if (i == num_curves)
583 return 0;
584 /* For clients can only check sent curve list */
585 if (!s->server)
586 break;
587 }
588 return 1;
589}
d61ff83b 590
5087afa1 591static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 592 size_t *num_formats)
593{
594 /*
595 * If we have a custom point format list use it otherwise use default
596 */
597 if (s->tlsext_ecpointformatlist) {
598 *pformats = s->tlsext_ecpointformatlist;
599 *num_formats = s->tlsext_ecpointformatlist_length;
600 } else {
601 *pformats = ecformats_default;
602 /* For Suite B we don't support char2 fields */
603 if (tls1_suiteb(s))
604 *num_formats = sizeof(ecformats_default) - 1;
605 else
606 *num_formats = sizeof(ecformats_default);
607 }
608}
609
610/*
611 * Check cert parameters compatible with extensions: currently just checks EC
612 * certificates have compatible curves and compression.
d61ff83b 613 */
2ea80354 614static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 615{
616 unsigned char comp_id, curve_id[2];
617 EVP_PKEY *pkey;
618 int rv;
8382fd3a 619 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 620 if (!pkey)
621 return 0;
622 /* If not EC nothing to do */
3aeb9348 623 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 624 return 1;
3aeb9348 625 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 626 if (!rv)
627 return 0;
628 /*
629 * Can't check curve_id for client certs as we don't have a supported
630 * curves extension.
631 */
632 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
633 if (!rv)
634 return 0;
635 /*
636 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
637 * SHA384+P-384, adjust digest if necessary.
638 */
639 if (set_ee_md && tls1_suiteb(s)) {
640 int check_md;
641 size_t i;
642 CERT *c = s->cert;
643 if (curve_id[0])
644 return 0;
645 /* Check to see we have necessary signing algorithm */
646 if (curve_id[1] == TLSEXT_curve_P_256)
647 check_md = NID_ecdsa_with_SHA256;
648 else if (curve_id[1] == TLSEXT_curve_P_384)
649 check_md = NID_ecdsa_with_SHA384;
650 else
651 return 0; /* Should never happen */
652 for (i = 0; i < c->shared_sigalgslen; i++)
653 if (check_md == c->shared_sigalgs[i].signandhash_nid)
654 break;
655 if (i == c->shared_sigalgslen)
656 return 0;
657 if (set_ee_md == 2) {
658 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 659 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 660 else
d376e57d 661 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 662 }
663 }
664 return rv;
665}
666
10bf4fc2 667# ifndef OPENSSL_NO_EC
6977e8ee 668/*
8483a003 669 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
6977e8ee
KR		 670 * @s: SSL connection
671 * @cid: Cipher ID we're considering using
672 *
673 * Checks that the kECDHE cipher suite we're considering using
674 * is compatible with the client extensions.
675 *
676 * Returns 0 when the cipher can't be used or 1 when it can.
677 */
2ea80354 678int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 679{
0f113f3e
MC		 680 /*
681 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
682 * curves permitted.
683 */
684 if (tls1_suiteb(s)) {
6977e8ee 685 unsigned char curve_id[2];
0f113f3e
MC		 686 /* Curve to check determined by ciphersuite */
687 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
688 curve_id[1] = TLSEXT_curve_P_256;
689 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
690 curve_id[1] = TLSEXT_curve_P_384;
691 else
692 return 0;
693 curve_id[0] = 0;
694 /* Check this curve is acceptable */
695 if (!tls1_check_ec_key(s, curve_id, NULL))
696 return 0;
fe6ef247 697 return 1;
0f113f3e 698 }
fe6ef247
KR		 699 /* Need a shared curve */
700 if (tls1_shared_curve(s, 0))
701 return 1;
6977e8ee 702 return 0;
0f113f3e 703}
10bf4fc2 704# endif /* OPENSSL_NO_EC */
d0595f17 705
14536c8c
DSH		 706#else
707
708static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 709{
710 return 1;
711}
14536c8c 712
0f113f3e 713#endif /* OPENSSL_NO_EC */
f1fd4544 714
0f113f3e
MC		 715/*
716 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 717 * customisable at some point, for now include everything we support.
718 */
719
e481f9b9 720#ifdef OPENSSL_NO_RSA
a230b26e 721# define tlsext_sigalg_rsa(md) /* */
e481f9b9
MC		 722#else
723# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
724#endif
0f113f3e 725
e481f9b9 726#ifdef OPENSSL_NO_DSA
a230b26e 727# define tlsext_sigalg_dsa(md) /* */
e481f9b9
MC		 728#else
729# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
730#endif
0f113f3e 731
e481f9b9 732#ifdef OPENSSL_NO_EC
a230b26e 733# define tlsext_sigalg_ecdsa(md)/* */
e481f9b9
MC		 734#else
735# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
736#endif
0f113f3e 737
e481f9b9 738#define tlsext_sigalg(md) \
0f113f3e
MC		 739 tlsext_sigalg_rsa(md) \
740 tlsext_sigalg_dsa(md) \
741 tlsext_sigalg_ecdsa(md)
fc101f88 742
d97ed219 743static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 744 tlsext_sigalg(TLSEXT_hash_sha512)
745 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 746 tlsext_sigalg(TLSEXT_hash_sha256)
747 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 748 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 749#ifndef OPENSSL_NO_GOST
750 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
a230b26e
EK		 751 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
752 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
e44380a9 753#endif
fc101f88 754};
0f113f3e 755
e481f9b9 756#ifndef OPENSSL_NO_EC
d97ed219 757static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 758 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
759 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 760};
e481f9b9 761#endif
b7bfe69b 762size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 763{
764 /*
765 * If Suite B mode use Suite B sigalgs only, ignore any other
766 * preferences.
767 */
e481f9b9 768#ifndef OPENSSL_NO_EC
0f113f3e
MC		 769 switch (tls1_suiteb(s)) {
770 case SSL_CERT_FLAG_SUITEB_128_LOS:
771 *psigs = suiteb_sigalgs;
772 return sizeof(suiteb_sigalgs);
773
774 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
775 *psigs = suiteb_sigalgs;
776 return 2;
777
778 case SSL_CERT_FLAG_SUITEB_192_LOS:
779 *psigs = suiteb_sigalgs + 2;
780 return 2;
781 }
e481f9b9 782#endif
0f113f3e
MC		 783 /* If server use client authentication sigalgs if not NULL */
784 if (s->server && s->cert->client_sigalgs) {
785 *psigs = s->cert->client_sigalgs;
786 return s->cert->client_sigalgslen;
787 } else if (s->cert->conf_sigalgs) {
788 *psigs = s->cert->conf_sigalgs;
789 return s->cert->conf_sigalgslen;
790 } else {
791 *psigs = tls12_sigalgs;
792 return sizeof(tls12_sigalgs);
793 }
794}
795
796/*
797 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 798 * algorithms and if so return relevant digest.
799 */
800int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 801 const unsigned char *sig, EVP_PKEY *pkey)
802{
803 const unsigned char *sent_sigs;
804 size_t sent_sigslen, i;
805 int sigalg = tls12_get_sigid(pkey);
806 /* Should never happen */
807 if (sigalg == -1)
808 return -1;
809 /* Check key type is consistent with signature */
810 if (sigalg != (int)sig[1]) {
811 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
812 return 0;
813 }
e481f9b9 814#ifndef OPENSSL_NO_EC
3aeb9348 815 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 816 unsigned char curve_id[2], comp_id;
817 /* Check compression and curve matches extensions */
3aeb9348 818 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 819 return 0;
820 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
821 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
822 return 0;
823 }
824 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
825 if (tls1_suiteb(s)) {
826 if (curve_id[0])
827 return 0;
828 if (curve_id[1] == TLSEXT_curve_P_256) {
829 if (sig[0] != TLSEXT_hash_sha256) {
830 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
831 SSL_R_ILLEGAL_SUITEB_DIGEST);
832 return 0;
833 }
834 } else if (curve_id[1] == TLSEXT_curve_P_384) {
835 if (sig[0] != TLSEXT_hash_sha384) {
836 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
837 SSL_R_ILLEGAL_SUITEB_DIGEST);
838 return 0;
839 }
840 } else
841 return 0;
842 }
843 } else if (tls1_suiteb(s))
844 return 0;
e481f9b9 845#endif
0f113f3e
MC		 846
847 /* Check signature matches a type we sent */
848 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
849 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
850 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
851 break;
852 }
853 /* Allow fallback to SHA1 if not strict mode */
854 if (i == sent_sigslen
855 && (sig[0] != TLSEXT_hash_sha1
856 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
857 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
858 return 0;
859 }
860 *pmd = tls12_get_hash(sig[0]);
861 if (*pmd == NULL) {
862 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
863 return 0;
864 }
865 /* Make sure security callback allows algorithm */
866 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
a230b26e 867 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
0f113f3e
MC		 868 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
869 return 0;
870 }
871 /*
872 * Store the digest used so applications can retrieve it if they wish.
873 */
d376e57d 874 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 875 return 1;
876}
2ea80354 877
0f113f3e 878/*
3eb2aff4
KR		 879 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
880 * supported, doesn't appear in supported signature algorithms, isn't supported
881 * by the enabled protocol versions or by the security level.
882 *
883 * This function should only be used for checking which ciphers are supported
884 * by the client.
885 *
886 * Call ssl_cipher_disabled() to check that it's enabled or not.
b7bfe69b
DSH		 887 */
888void ssl_set_client_disabled(SSL *s)
0f113f3e 889{
4d69f9e6
DSH		 890 s->s3->tmp.mask_a = 0;
891 s->s3->tmp.mask_k = 0;
4d69f9e6 892 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
3eb2aff4 893 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
a230b26e 894#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 895 /* with PSK there must be client callback set */
896 if (!s->psk_client_callback) {
4d69f9e6 897 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 898 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 899 }
a230b26e 900#endif /* OPENSSL_NO_PSK */
e481f9b9 901#ifndef OPENSSL_NO_SRP
0f113f3e 902 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 903 s->s3->tmp.mask_a |= SSL_aSRP;
904 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 905 }
e481f9b9 906#endif
0f113f3e 907}
fc101f88 908
3eb2aff4
KR		 909/*
910 * ssl_cipher_disabled - check that a cipher is disabled or not
911 * @s: SSL connection that you want to use the cipher on
912 * @c: cipher to check
913 * @op: Security check that you want to do
914 *
915 * Returns 1 when it's disabled, 0 when enabled.
916 */
b362ccab 917int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 918{
3eb2aff4 919 if (c->algorithm_mkey & s->s3->tmp.mask_k
4d69f9e6 920 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e 921 return 1;
3eb2aff4
KR		 922 if (s->s3->tmp.max_ver == 0)
923 return 1;
924 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
a230b26e 925 || (c->max_tls < s->s3->tmp.min_ver)))
3eb2aff4
KR		 926 return 1;
927 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
a230b26e 928 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
3eb2aff4
KR		 929 return 1;
930
0f113f3e
MC		 931 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
932}
b362ccab
DSH		 933
934static int tls_use_ticket(SSL *s)
0f113f3e
MC		 935{
936 if (s->options & SSL_OP_NO_TICKET)
937 return 0;
938 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
939}
ed3883d2 940
a230b26e
EK		 941static int compare_uint(const void *p1, const void *p2)
942{
aa474d1f
EK		 943 unsigned int u1 = *((const unsigned int *)p1);
944 unsigned int u2 = *((const unsigned int *)p2);
945 if (u1 < u2)
946 return -1;
947 else if (u1 > u2)
948 return 1;
949 else
950 return 0;
951}
952
953/*
954 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
955 * more than one extension of the same type in a ClientHello or ServerHello.
956 * This function does an initial scan over the extensions block to filter those
957 * out. It returns 1 if all extensions are unique, and 0 if the extensions
958 * contain duplicates, could not be successfully parsed, or an internal error
959 * occurred.
960 */
a230b26e
EK		 961static int tls1_check_duplicate_extensions(const PACKET *packet)
962{
aa474d1f
EK		 963 PACKET extensions = *packet;
964 size_t num_extensions = 0, i = 0;
965 unsigned int *extension_types = NULL;
966 int ret = 0;
967
968 /* First pass: count the extensions. */
969 while (PACKET_remaining(&extensions) > 0) {
970 unsigned int type;
971 PACKET extension;
972 if (!PACKET_get_net_2(&extensions, &type) ||
973 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
974 goto done;
975 }
976 num_extensions++;
977 }
978
979 if (num_extensions <= 1)
980 return 1;
981
982 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
983 if (extension_types == NULL) {
984 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
985 goto done;
986 }
987
988 /* Second pass: gather the extension types. */
989 extensions = *packet;
990 for (i = 0; i < num_extensions; i++) {
991 PACKET extension;
992 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
993 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
994 /* This should not happen. */
995 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
996 goto done;
997 }
998 }
999
1000 if (PACKET_remaining(&extensions) != 0) {
1001 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1002 goto done;
1003 }
1004 /* Sort the extensions and make sure there are no duplicates. */
1005 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1006 for (i = 1; i < num_extensions; i++) {
1007 if (extension_types[i - 1] == extension_types[i])
1008 goto done;
1009 }
1010 ret = 1;
1011 done:
1012 OPENSSL_free(extension_types);
1013 return ret;
1014}
1015
ae2f7b37 1016int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1017{
e481f9b9 1018#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1019 /* See if we support any ECC ciphersuites */
1020 int using_ecc = 0;
1021 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1022 int i;
1023 unsigned long alg_k, alg_a;
1024 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1025
1026 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1027 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1028
1029 alg_k = c->algorithm_mkey;
1030 alg_a = c->algorithm_auth;
ce0c1f2b 1031 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
a230b26e 1032 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1033 using_ecc = 1;
1034 break;
1035 }
1036 }
1037 }
e481f9b9 1038#endif
ed3883d2 1039
0f113f3e
MC		 1040 /* Add RI if renegotiating */
1041 if (s->renegotiate) {
08029dfa 1042 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
2f97192c
MC		 1043 || !WPACKET_start_sub_packet_u16(pkt)
1044 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
1045 s->s3->previous_client_finished_len)
1046 || !WPACKET_close(pkt)) {
0f113f3e 1047 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1048 return 0;
5a3d8eeb 1049 }
0f113f3e
MC		 1050 }
1051 /* Only add RI for SSLv3 */
1052 if (s->client_version == SSL3_VERSION)
1053 goto done;
1054
1055 if (s->tlsext_hostname != NULL) {
1056 /* Add TLS extension servername to the Client Hello message */
08029dfa 1057 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
2c7b4dbc 1058 /* Sub-packet for server_name extension */
de451856 1059 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1060 /* Sub-packet for servername list (always 1 hostname)*/
de451856 1061 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1062 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
b2b3024e
MC		 1063 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
1064 strlen(s->tlsext_hostname))
0217dd19
MC		 1065 || !WPACKET_close(pkt)
1066 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1067 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1068 return 0;
1069 }
0f113f3e 1070 }
e481f9b9 1071#ifndef OPENSSL_NO_SRP
0f113f3e 1072 /* Add SRP username if there is one */
2c7b4dbc 1073 if (s->srp_ctx.login != NULL) {
08029dfa 1074 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
2c7b4dbc 1075 /* Sub-packet for SRP extension */
de451856
MC		 1076 || !WPACKET_start_sub_packet_u16(pkt)
1077 || !WPACKET_start_sub_packet_u8(pkt)
2c7b4dbc 1078 /* login must not be zero...internal error if so */
de451856 1079 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
0217dd19 1080 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
2c7b4dbc 1081 strlen(s->srp_ctx.login))
0217dd19
MC		 1082 || !WPACKET_close(pkt)
1083 || !WPACKET_close(pkt)) {
0f113f3e 1084 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1085 return 0;
0f113f3e 1086 }
0f113f3e 1087 }
e481f9b9 1088#endif
0f113f3e 1089
e481f9b9 1090#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1091 if (using_ecc) {
1092 /*
1093 * Add TLS extension ECPointFormats to the ClientHello message
1094 */
0f113f3e 1095 const unsigned char *pcurves, *pformats;
2c7b4dbc 1096 size_t num_curves, num_formats;
0f113f3e 1097 size_t i;
0f113f3e
MC		 1098
1099 tls1_get_formatlist(s, &pformats, &num_formats);
1100
08029dfa 1101 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
2c7b4dbc 1102 /* Sub-packet for formats extension */
de451856 1103 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e 1104 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
0217dd19 1105 || !WPACKET_close(pkt)) {
0f113f3e 1106 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1107 return 0;
0f113f3e 1108 }
4817504d 1109
0f113f3e
MC		 1110 /*
1111 * Add TLS extension EllipticCurves to the ClientHello message
1112 */
1113 pcurves = s->tlsext_ellipticcurvelist;
2c7b4dbc 1114 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
0f113f3e 1115 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1116 return 0;
0f113f3e 1117 }
ee2ffc27 1118
08029dfa 1119 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_elliptic_curves)
2c7b4dbc 1120 /* Sub-packet for curves extension */
de451856
MC		 1121 || !WPACKET_start_sub_packet_u16(pkt)
1122 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1123 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1124 return 0;
1125 }
0f113f3e
MC		 1126 /* Copy curve ID if supported */
1127 for (i = 0; i < num_curves; i++, pcurves += 2) {
1128 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
08029dfa
MC		 1129 if (!WPACKET_put_bytes_u8(pkt, pcurves[0])
1130 || !WPACKET_put_bytes_u8(pkt, pcurves[1])) {
2c7b4dbc
MC		 1131 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1132 ERR_R_INTERNAL_ERROR);
1133 return 0;
1134 }
0f113f3e
MC		 1135 }
1136 }
0217dd19 1137 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1138 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1139 return 0;
1140 }
0f113f3e 1141 }
a230b26e 1142#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1143
1144 if (tls_use_ticket(s)) {
1145 int ticklen;
1146 if (!s->new_session && s->session && s->session->tlsext_tick)
1147 ticklen = s->session->tlsext_ticklen;
1148 else if (s->session && s->tlsext_session_ticket &&
1149 s->tlsext_session_ticket->data) {
1150 ticklen = s->tlsext_session_ticket->length;
1151 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2c7b4dbc
MC		 1152 if (s->session->tlsext_tick == NULL) {
1153 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1154 return 0;
1155 }
0f113f3e
MC		 1156 memcpy(s->session->tlsext_tick,
1157 s->tlsext_session_ticket->data, ticklen);
1158 s->session->tlsext_ticklen = ticklen;
1159 } else
1160 ticklen = 0;
1161 if (ticklen == 0 && s->tlsext_session_ticket &&
1162 s->tlsext_session_ticket->data == NULL)
1163 goto skip_ext;
2c7b4dbc 1164
08029dfa 1165 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
b2b3024e
MC		 1166 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick,
1167 ticklen)) {
2c7b4dbc
MC		 1168 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1169 return 0;
0f113f3e
MC		 1170 }
1171 }
1172 skip_ext:
1173
f7aa3185 1174 if (SSL_CLIENT_USE_SIGALGS(s)) {
0f113f3e
MC		 1175 size_t salglen;
1176 const unsigned char *salg;
2c7b4dbc 1177
0f113f3e 1178 salglen = tls12_get_psigalgs(s, &salg);
2c7b4dbc 1179
08029dfa 1180 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
2c7b4dbc 1181 /* Sub-packet for sig-algs extension */
de451856 1182 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1183 /* Sub-packet for the actual list */
de451856 1184 || !WPACKET_start_sub_packet_u16(pkt)
0217dd19
MC		 1185 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
1186 || !WPACKET_close(pkt)
1187 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1188 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1189 return 0;
1190 }
0f113f3e 1191 }
3e41ac35 1192#ifndef OPENSSL_NO_OCSP
0f113f3e
MC		 1193 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1194 int i;
0f113f3e 1195
08029dfa 1196 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
2c7b4dbc 1197 /* Sub-packet for status request extension */
de451856 1198 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1199 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
2c7b4dbc 1200 /* Sub-packet for the ids */
de451856 1201 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1202 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1203 return 0;
1204 }
0f113f3e 1205 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
2c7b4dbc
MC		 1206 unsigned char *idbytes;
1207 int idlen;
1208 OCSP_RESPID *id;
2c7b4dbc 1209
0f113f3e 1210 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
2c7b4dbc
MC		 1211 idlen = i2d_OCSP_RESPID(id, NULL);
1212 if (idlen <= 0
1213 /* Sub-packet for an individual id */
dd8710dc 1214 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
b2b3024e 1215 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
2c7b4dbc
MC		 1216 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1217 return 0;
1218 }
1219 }
0217dd19 1220 if (!WPACKET_close(pkt)
de451856 1221 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1222 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1223 return 0;
860c3dd1 1224 }
0f113f3e 1225 if (s->tlsext_ocsp_exts) {
2c7b4dbc
MC		 1226 unsigned char *extbytes;
1227 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
0f113f3e 1228
2c7b4dbc
MC		 1229 if (extlen < 0) {
1230 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1231 return 0;
1232 }
0217dd19 1233 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
2c7b4dbc
MC		 1234 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
1235 != extlen) {
1236 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1237 return 0;
1238 }
1239 }
0217dd19 1240 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1241 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1242 return 0;
0f113f3e 1243 }
0f113f3e 1244 }
3e41ac35 1245#endif
e481f9b9 1246#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 1247 if (SSL_IS_DTLS(s)) {
2c7b4dbc
MC		 1248 unsigned int mode;
1249
22e3dcb7
RS		 1250 /*-
1251 * Set mode:
1252 * 1: peer may send requests
1253 * 2: peer not allowed to send requests
1254 */
1255 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
2c7b4dbc 1256 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
22e3dcb7 1257 else
2c7b4dbc
MC		 1258 mode = SSL_DTLSEXT_HB_ENABLED;
1259
08029dfa 1260 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
2c7b4dbc 1261 /* Sub-packet for Hearbeat extension */
de451856 1262 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1263 || !WPACKET_put_bytes_u8(pkt, mode)
0217dd19 1264 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1265 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1266 return 0;
1267 }
22e3dcb7 1268 }
e481f9b9 1269#endif
0f113f3e 1270
e481f9b9 1271#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1272 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1273 /*
8483a003 1274 * The client advertises an empty extension to indicate its support
0f113f3e
MC		 1275 * for Next Protocol Negotiation
1276 */
08029dfa
MC		 1277 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1278 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1279 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1280 return 0;
1281 }
0f113f3e 1282 }
e481f9b9 1283#endif
0f113f3e 1284
817cd0d5
TS		 1285 /*
1286 * finish_md_len is non-zero during a renegotiation, so
1287 * this avoids sending ALPN during the renegotiation
1288 * (see longer comment below)
1289 */
0f113f3e 1290 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
08029dfa
MC		 1291 if (!WPACKET_put_bytes_u16(pkt,
1292 TLSEXT_TYPE_application_layer_protocol_negotiation)
2c7b4dbc 1293 /* Sub-packet ALPN extension */
de451856 1294 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e
MC		 1295 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
1296 s->alpn_client_proto_list_len)
0217dd19 1297 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1298 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1299 return 0;
1300 }
817cd0d5 1301 s->s3->alpn_sent = 1;
0f113f3e 1302 }
e481f9b9 1303#ifndef OPENSSL_NO_SRTP
0f113f3e 1304 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
2c7b4dbc
MC		 1305 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
1306 SRTP_PROTECTION_PROFILE *prof;
1307 int i, ct;
2c7b4dbc 1308
08029dfa 1309 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
2c7b4dbc 1310 /* Sub-packet for SRTP extension */
de451856 1311 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1312 /* Sub-packet for the protection profile list */
de451856 1313 || !WPACKET_start_sub_packet_u16(pkt)) {
69f68237 1314 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1315 return 0;
69f68237 1316 }
2c7b4dbc
MC		 1317 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
1318 for (i = 0; i < ct; i++) {
1319 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
08029dfa 1320 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
2c7b4dbc
MC		 1321 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1322 return 0;
1323 }
1324 }
0217dd19 1325 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
0f113f3e 1326 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1327 return 0;
0f113f3e 1328 }
0f113f3e 1329 }
e481f9b9 1330#endif
0f113f3e
MC		 1331 custom_ext_init(&s->cert->cli_ext);
1332 /* Add custom TLS Extensions to ClientHello */
2c7b4dbc
MC		 1333 if (!custom_ext_add(s, 0, pkt, al)) {
1334 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1335 return 0;
1336 }
1337
08029dfa
MC		 1338 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1339 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1340 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1341 return 0;
1342 }
1343
ed29e82a
RP		 1344#ifndef OPENSSL_NO_CT
1345 if (s->ct_validation_callback != NULL) {
08029dfa
MC		 1346 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
1347 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1348 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1349 return 0;
1350 }
ed29e82a 1351 }
e481f9b9 1352#endif
2c7b4dbc 1353
08029dfa
MC		 1354 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1355 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1356 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1357 return 0;
1358 }
0f113f3e
MC		 1359
1360 /*
1361 * Add padding to workaround bugs in F5 terminators. See
1362 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1363 * code works out the length of all existing extensions it MUST always
1364 * appear last.
1365 */
1366 if (s->options & SSL_OP_TLSEXT_PADDING) {
2c7b4dbc
MC		 1367 unsigned char *padbytes;
1368 size_t hlen;
1369
ae2f7b37 1370 if (!WPACKET_get_total_written(pkt, &hlen)) {
2c7b4dbc
MC		 1371 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1372 return 0;
1373 }
a3680c8f 1374
0f113f3e
MC		 1375 if (hlen > 0xff && hlen < 0x200) {
1376 hlen = 0x200 - hlen;
1377 if (hlen >= 4)
1378 hlen -= 4;
1379 else
1380 hlen = 0;
1381
08029dfa 1382 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
b2b3024e 1383 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
2c7b4dbc
MC		 1384 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1385 return 0;
1386 }
1387 memset(padbytes, 0, hlen);
0f113f3e
MC		 1388 }
1389 }
5a3d8eeb 1390
0f113f3e 1391 done:
2c7b4dbc 1392 return 1;
0f113f3e 1393}
333f926d 1394
8157d44b 1395int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1396{
e481f9b9 1397#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1398 int next_proto_neg_seen;
e481f9b9
MC		 1399#endif
1400#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1401 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1402 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1403 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1404 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1405#endif
0f113f3e 1406
8157d44b
MC		 1407 if (!WPACKET_start_sub_packet_u16(pkt)
1408 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)) {
1409 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1410 return 0;
1411 }
333f926d 1412
8157d44b
MC		 1413 if (s->s3->send_connection_binding &&
1414 !ssl_add_serverhello_renegotiate_ext(s, pkt)) {
1415 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1416 return 0;
0f113f3e
MC		 1417 }
1418
1419 /* Only add RI for SSLv3 */
1420 if (s->version == SSL3_VERSION)
1421 goto done;
1422
1423 if (!s->hit && s->servername_done == 1
8157d44b
MC		 1424 && s->session->tlsext_hostname != NULL) {
1425 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1426 || !WPACKET_put_bytes_u16(pkt, 0)) {
1427 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1428 return 0;
1429 }
0f113f3e 1430 }
e481f9b9 1431#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1432 if (using_ecc) {
1433 const unsigned char *plist;
1434 size_t plistlen;
1435 /*
1436 * Add TLS extension ECPointFormats to the ServerHello message
1437 */
0f113f3e
MC		 1438 tls1_get_formatlist(s, &plist, &plistlen);
1439
8157d44b
MC		 1440 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1441 || !WPACKET_start_sub_packet_u16(pkt)
1442 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1443 || !WPACKET_close(pkt)) {
0f113f3e 1444 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1445 return 0;
0f113f3e 1446 }
0f113f3e
MC		 1447 }
1448 /*
1449 * Currently the server should not respond with a SupportedCurves
1450 * extension
1451 */
a230b26e 1452#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1453
1454 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
8157d44b
MC		 1455 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1456 || !WPACKET_put_bytes_u16(pkt, 0)) {
1457 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1458 return 0;
1459 }
5c753de6 1460 } else {
a230b26e
EK		 1461 /*
1462 * if we don't add the above TLSEXT, we can't add a session ticket
1463 * later
1464 */
5c753de6 1465 s->tlsext_ticket_expected = 0;
0f113f3e
MC		 1466 }
1467
1468 if (s->tlsext_status_expected) {
8157d44b
MC		 1469 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1470 || !WPACKET_put_bytes_u16(pkt, 0)) {
1471 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1472 return 0;
1473 }
0f113f3e 1474 }
e481f9b9 1475#ifndef OPENSSL_NO_SRTP
0f113f3e 1476 if (SSL_IS_DTLS(s) && s->srtp_profile) {
8157d44b
MC		 1477 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1478 || !WPACKET_start_sub_packet_u16(pkt)
1479 || !WPACKET_put_bytes_u16(pkt, 2)
1480 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1481 || !WPACKET_put_bytes_u8(pkt, 0)
1482 || !WPACKET_close(pkt)) {
0f113f3e 1483 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1484 return 0;
0f113f3e 1485 }
0f113f3e 1486 }
e481f9b9 1487#endif
0f113f3e
MC		 1488
1489 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1490 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1491 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1492 const unsigned char cryptopro_ext[36] = {
1493 0xfd, 0xe8, /* 65000 */
1494 0x00, 0x20, /* 32 bytes length */
1495 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1496 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1497 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1498 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1499 };
8157d44b
MC		 1500 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1501 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1502 return 0;
1503 }
0f113f3e 1504 }
e481f9b9 1505#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 1506 /* Add Heartbeat extension if we've received one */
22e3dcb7 1507 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
7507e73d 1508 unsigned int mode;
50e735f9
MC		 1509 /*-
1510 * Set mode:
1511 * 1: peer may send requests
1512 * 2: peer not allowed to send requests
1513 */
22e3dcb7 1514 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
8157d44b 1515 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e 1516 else
8157d44b
MC		 1517 mode = SSL_DTLSEXT_HB_ENABLED;
1518
1519 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
1520 || !WPACKET_start_sub_packet_u16(pkt)
1521 || !WPACKET_put_bytes_u8(pkt, mode)
1522 || !WPACKET_close(pkt)) {
1523 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1524 return 0;
1525 }
0f113f3e
MC		 1526
1527 }
e481f9b9 1528#endif
0f113f3e 1529
e481f9b9 1530#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1531 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1532 s->s3->next_proto_neg_seen = 0;
1533 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1534 const unsigned char *npa;
1535 unsigned int npalen;
1536 int r;
1537
1538 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1539 s->
1540 ctx->next_protos_advertised_cb_arg);
1541 if (r == SSL_TLSEXT_ERR_OK) {
8157d44b
MC		 1542 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1543 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1544 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1545 return 0;
1546 }
0f113f3e
MC		 1547 s->s3->next_proto_neg_seen = 1;
1548 }
1549 }
e481f9b9 1550#endif
8157d44b
MC		 1551 if (!custom_ext_add(s, 1, pkt, al)) {
1552 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1553 return 0;
1554 }
1555
0f113f3e
MC		 1556 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1557 /*
1558 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1559 * for other cases too.
1560 */
1561 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1562 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1563 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1564 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1565 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1566 else {
8157d44b
MC		 1567 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1568 || !WPACKET_put_bytes_u16(pkt, 0)) {
1569 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1570 return 0;
1571 }
0f113f3e
MC		 1572 }
1573 }
e7f0d921 1574 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
8157d44b
MC		 1575 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1576 || !WPACKET_put_bytes_u16(pkt, 0)) {
1577 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1578 return 0;
1579 }
ddc06b35 1580 }
0f113f3e 1581
817cd0d5 1582 if (s->s3->alpn_selected != NULL) {
8157d44b
MC		 1583 if (!WPACKET_put_bytes_u16(pkt,
1584 TLSEXT_TYPE_application_layer_protocol_negotiation)
1585 || !WPACKET_start_sub_packet_u16(pkt)
1586 || !WPACKET_start_sub_packet_u16(pkt)
1587 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1588 s->s3->alpn_selected_len)
1589 || !WPACKET_close(pkt)
1590 || !WPACKET_close(pkt)) {
1591 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1592 return 0;
1593 }
0f113f3e
MC		 1594 }
1595
1596 done:
8157d44b
MC		 1597 if (!WPACKET_close(pkt)) {
1598 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1599 return 0;
1600 }
1601 return 1;
0f113f3e 1602}
a398f821 1603
0f113f3e 1604/*
817cd0d5 1605 * Save the ALPN extension in a ClientHello.
06217867
EK		 1606 * pkt: the contents of the ALPN extension, not including type and length.
1607 * al: a pointer to the alert value to send in the event of a failure.
1608 * returns: 1 on success, 0 on error.
0f113f3e 1609 */
9ceb2426 1610static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1611{
06217867 1612 PACKET protocol_list, save_protocol_list, protocol;
0f113f3e 1613
06217867 1614 *al = SSL_AD_DECODE_ERROR;
0f113f3e 1615
06217867
EK		 1616 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1617 || PACKET_remaining(&protocol_list) < 2) {
1618 return 0;
1619 }
0f113f3e 1620
06217867 1621 save_protocol_list = protocol_list;
9ceb2426 1622 do {
06217867
EK		 1623 /* Protocol names can't be empty. */
1624 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1625 || PACKET_remaining(&protocol) == 0) {
1626 return 0;
1627 }
1628 } while (PACKET_remaining(&protocol_list) != 0);
1629
817cd0d5 1630 if (!PACKET_memdup(&save_protocol_list,
a230b26e 1631 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
817cd0d5
TS		 1632 *al = TLS1_AD_INTERNAL_ERROR;
1633 return 0;
1634 }
1635
1636 return 1;
1637}
1638
1639/*
1640 * Process the ALPN extension in a ClientHello.
817cd0d5 1641 * al: a pointer to the alert value to send in the event of a failure.
70c22888 1642 * returns 1 on success, 0 on error.
817cd0d5 1643 */
70c22888 1644static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
817cd0d5
TS		 1645{
1646 const unsigned char *selected = NULL;
1647 unsigned char selected_len = 0;
1648
1649 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1650 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1651 s->s3->alpn_proposed,
1652 s->s3->alpn_proposed_len,
1653 s->ctx->alpn_select_cb_arg);
0f113f3e 1654
817cd0d5
TS		 1655 if (r == SSL_TLSEXT_ERR_OK) {
1656 OPENSSL_free(s->s3->alpn_selected);
1657 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1658 if (s->s3->alpn_selected == NULL) {
1659 *al = SSL_AD_INTERNAL_ERROR;
817cd0d5
TS		 1660 return 0;
1661 }
1662 s->s3->alpn_selected_len = selected_len;
0351baae
TS		 1663#ifndef OPENSSL_NO_NEXTPROTONEG
1664 /* ALPN takes precedence over NPN. */
1665 s->s3->next_proto_neg_seen = 0;
1666#endif
817cd0d5
TS		 1667 } else {
1668 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
06217867 1669 return 0;
0f113f3e 1670 }
0f113f3e 1671 }
0f113f3e 1672
06217867 1673 return 1;
0f113f3e 1674}
6f017a8f 1675
e481f9b9 1676#ifndef OPENSSL_NO_EC
1d97c843
TH		 1677/*-
1678 * ssl_check_for_safari attempts to fingerprint Safari using OS X
06217867 1679 * SecureTransport using the TLS extension block in |pkt|.
dece3209
RS		 1680 * Safari, since 10.6, sends exactly these extensions, in this order:
1681 * SNI,
1682 * elliptic_curves
1683 * ec_point_formats
1684 *
1685 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1686 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1687 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1688 * 10.8..10.8.3 (which don't work).
1689 */
68a16628 1690static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1691{
06217867
EK		 1692 unsigned int type;
1693 PACKET sni, tmppkt;
1694 size_t ext_len;
9ceb2426 1695
0f113f3e
MC		 1696 static const unsigned char kSafariExtensionsBlock[] = {
1697 0x00, 0x0a, /* elliptic_curves extension */
1698 0x00, 0x08, /* 8 bytes */
1699 0x00, 0x06, /* 6 bytes of curve ids */
1700 0x00, 0x17, /* P-256 */
1701 0x00, 0x18, /* P-384 */
1702 0x00, 0x19, /* P-521 */
1703
1704 0x00, 0x0b, /* ec_point_formats */
1705 0x00, 0x02, /* 2 bytes */
1706 0x01, /* 1 point format */
1707 0x00, /* uncompressed */
06217867 1708 /* The following is only present in TLS 1.2 */
0f113f3e
MC		 1709 0x00, 0x0d, /* signature_algorithms */
1710 0x00, 0x0c, /* 12 bytes */
1711 0x00, 0x0a, /* 10 bytes */
1712 0x05, 0x01, /* SHA-384/RSA */
1713 0x04, 0x01, /* SHA-256/RSA */
1714 0x02, 0x01, /* SHA-1/RSA */
1715 0x04, 0x03, /* SHA-256/ECDSA */
1716 0x02, 0x03, /* SHA-1/ECDSA */
1717 };
1718
06217867
EK		 1719 /* Length of the common prefix (first two extensions). */
1720 static const size_t kSafariCommonExtensionsLength = 18;
1721
68a16628
MC		 1722 tmppkt = *pkt;
1723
1724 if (!PACKET_forward(&tmppkt, 2)
06217867
EK		 1725 || !PACKET_get_net_2(&tmppkt, &type)
1726 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
0f113f3e 1727 return;
06217867 1728 }
0f113f3e
MC		 1729
1730 if (type != TLSEXT_TYPE_server_name)
1731 return;
1732
06217867
EK		 1733 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1734 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
0f113f3e 1735
06217867
EK		 1736 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1737 ext_len);
dece3209 1738}
a230b26e 1739#endif /* !OPENSSL_NO_EC */
0f113f3e 1740
06217867
EK		 1741/*
1742 * Parse ClientHello extensions and stash extension info in various parts of
1743 * the SSL object. Verify that there are no duplicate extensions.
1744 *
1745 * Behaviour upon resumption is extension-specific. If the extension has no
1746 * effect during resumption, it is parsed (to verify its format) but otherwise
1747 * ignored.
1748 *
1749 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1750 * Upon failure, sets |al| to the appropriate alert.
1751 */
9ceb2426 1752static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1753{
9ceb2426 1754 unsigned int type;
0f113f3e 1755 int renegotiate_seen = 0;
06217867 1756 PACKET extensions;
0f113f3e 1757
06217867 1758 *al = SSL_AD_DECODE_ERROR;
0f113f3e
MC		 1759 s->servername_done = 0;
1760 s->tlsext_status_type = -1;
e481f9b9 1761#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1762 s->s3->next_proto_neg_seen = 0;
e481f9b9 1763#endif
0f113f3e 1764
b548a1f1
RS		 1765 OPENSSL_free(s->s3->alpn_selected);
1766 s->s3->alpn_selected = NULL;
0351baae
TS		 1767 s->s3->alpn_selected_len = 0;
1768 OPENSSL_free(s->s3->alpn_proposed);
1769 s->s3->alpn_proposed = NULL;
1770 s->s3->alpn_proposed_len = 0;
e481f9b9 1771#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1772 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1773 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1774#endif
0f113f3e 1775
e481f9b9 1776#ifndef OPENSSL_NO_EC
0f113f3e 1777 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426 1778 ssl_check_for_safari(s, pkt);
a230b26e 1779#endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1780
1781 /* Clear any signature algorithms extension received */
76106e60
DSH		 1782 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1783 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e 1784 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 1785
e481f9b9 1786#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1787 OPENSSL_free(s->srp_ctx.login);
1788 s->srp_ctx.login = NULL;
e481f9b9 1789#endif
0f113f3e
MC		 1790
1791 s->srtp_profile = NULL;
1792
9ceb2426 1793 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1794 goto ri_check;
1795
06217867
EK		 1796 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1797 return 0;
aa474d1f 1798
06217867
EK		 1799 if (!tls1_check_duplicate_extensions(&extensions))
1800 return 0;
0f113f3e 1801
06217867
EK		 1802 /*
1803 * We parse all extensions to ensure the ClientHello is well-formed but,
1804 * unless an extension specifies otherwise, we ignore extensions upon
1805 * resumption.
1806 */
1807 while (PACKET_get_net_2(&extensions, &type)) {
1808 PACKET extension;
1809 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1810 return 0;
9ceb2426 1811
0f113f3e 1812 if (s->tlsext_debug_cb)
06217867
EK		 1813 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1814 PACKET_remaining(&extension),
1815 s->tlsext_debug_arg);
9ceb2426 1816
0f113f3e 1817 if (type == TLSEXT_TYPE_renegotiate) {
06217867 1818 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
0f113f3e
MC		 1819 return 0;
1820 renegotiate_seen = 1;
1821 } else if (s->version == SSL3_VERSION) {
1822 }
1d97c843
TH		 1823/*-
1824 * The servername extension is treated as follows:
1825 *
1826 * - Only the hostname type is supported with a maximum length of 255.
1827 * - The servername is rejected if too long or if it contains zeros,
1828 * in which case an fatal alert is generated.
1829 * - The servername field is maintained together with the session cache.
1830 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1831 * to allow the application to position itself to the right context.
1832 * - The servername is acknowledged if it is new for a session or when
1833 * it is identical to a previously used for the same session.
1d97c843
TH		 1834 * Applications can control the behaviour. They can at any time
1835 * set a 'desirable' servername for a new SSL object. This can be the
1836 * case for example with HTTPS when a Host: header field is received and
1837 * a renegotiation is requested. In this case, a possible servername
1838 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1839 * the value of the Host: field.
1d97c843 1840 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1841 * if they provide for changing an explicit servername context for the
1842 * session, i.e. when the session has been established with a servername
1843 * extension.
1844 * - On session reconnect, the servername extension may be absent.
1d97c843 1845 *
0f113f3e 1846 */
ed3883d2 1847
0f113f3e 1848 else if (type == TLSEXT_TYPE_server_name) {
9ceb2426 1849 unsigned int servname_type;
06217867
EK		 1850 PACKET sni, hostname;
1851
1852 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1853 /* ServerNameList must be at least 1 byte long. */
1854 || PACKET_remaining(&sni) == 0) {
1855 return 0;
0f113f3e 1856 }
6f017a8f 1857
06217867
EK		 1858 /*
1859 * Although the server_name extension was intended to be
1860 * extensible to new name types, RFC 4366 defined the
8483a003 1861 * syntax inextensibility and OpenSSL 1.0.x parses it as
06217867
EK		 1862 * such.
1863 * RFC 6066 corrected the mistake but adding new name types
1864 * is nevertheless no longer feasible, so act as if no other
1865 * SNI types can exist, to simplify parsing.
1866 *
1867 * Also note that the RFC permits only one SNI value per type,
1868 * i.e., we can only have a single hostname.
1869 */
1870 if (!PACKET_get_1(&sni, &servname_type)
1871 || servname_type != TLSEXT_NAMETYPE_host_name
1872 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1873 return 0;
1874 }
1875
1876 if (!s->hit) {
1877 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1878 *al = TLS1_AD_UNRECOGNIZED_NAME;
1879 return 0;
1880 }
1881
1882 if (PACKET_contains_zero_byte(&hostname)) {
1883 *al = TLS1_AD_UNRECOGNIZED_NAME;
1884 return 0;
1885 }
1886
1887 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1888 *al = TLS1_AD_INTERNAL_ERROR;
1889 return 0;
1890 }
1891
1892 s->servername_done = 1;
1893 } else {
1894 /*
1895 * TODO(openssl-team): if the SNI doesn't match, we MUST
1896 * fall back to a full handshake.
1897 */
1898 s->servername_done = s->session->tlsext_hostname
1899 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1900 strlen(s->session->tlsext_hostname));
1901 }
0f113f3e 1902 }
e481f9b9 1903#ifndef OPENSSL_NO_SRP
0f113f3e 1904 else if (type == TLSEXT_TYPE_srp) {
06217867
EK		 1905 PACKET srp_I;
1906
1907 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
1908 return 0;
1909
1910 if (PACKET_contains_zero_byte(&srp_I))
1911 return 0;
1912
1913 /*
1914 * TODO(openssl-team): currently, we re-authenticate the user
1915 * upon resumption. Instead, we MUST ignore the login.
1916 */
1917 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
1918 *al = TLS1_AD_INTERNAL_ERROR;
1919 return 0;
1920 }
0f113f3e 1921 }
e481f9b9 1922#endif
0f113f3e 1923
e481f9b9 1924#ifndef OPENSSL_NO_EC
0f113f3e 1925 else if (type == TLSEXT_TYPE_ec_point_formats) {
06217867 1926 PACKET ec_point_format_list;
0f113f3e 1927
a230b26e 1928 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
06217867
EK		 1929 || PACKET_remaining(&ec_point_format_list) == 0) {
1930 return 0;
1931 }
9ceb2426 1932
0f113f3e 1933 if (!s->hit) {
06217867
EK		 1934 if (!PACKET_memdup(&ec_point_format_list,
1935 &s->session->tlsext_ecpointformatlist,
a230b26e
EK		 1936 &s->
1937 session->tlsext_ecpointformatlist_length)) {
0f113f3e
MC		 1938 *al = TLS1_AD_INTERNAL_ERROR;
1939 return 0;
1940 }
0f113f3e 1941 }
0f113f3e 1942 } else if (type == TLSEXT_TYPE_elliptic_curves) {
06217867 1943 PACKET elliptic_curve_list;
0f113f3e 1944
06217867 1945 /* Each NamedCurve is 2 bytes and we must have at least 1. */
a230b26e 1946 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
06217867
EK		 1947 || PACKET_remaining(&elliptic_curve_list) == 0
1948 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
1949 return 0;
1950 }
54e3ad00 1951
0f113f3e 1952 if (!s->hit) {
06217867
EK		 1953 if (!PACKET_memdup(&elliptic_curve_list,
1954 &s->session->tlsext_ellipticcurvelist,
a230b26e
EK		 1955 &s->
1956 session->tlsext_ellipticcurvelist_length)) {
0f113f3e
MC		 1957 *al = TLS1_AD_INTERNAL_ERROR;
1958 return 0;
1959 }
0f113f3e 1960 }
0f113f3e 1961 }
a230b26e 1962#endif /* OPENSSL_NO_EC */
0f113f3e 1963 else if (type == TLSEXT_TYPE_session_ticket) {
06217867
EK		 1964 if (s->tls_session_ticket_ext_cb &&
1965 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
1966 PACKET_remaining(&extension),
a230b26e
EK		 1967 s->tls_session_ticket_ext_cb_arg))
1968 {
0f113f3e
MC		 1969 *al = TLS1_AD_INTERNAL_ERROR;
1970 return 0;
1971 }
1972 } else if (type == TLSEXT_TYPE_signature_algorithms) {
06217867
EK		 1973 PACKET supported_sig_algs;
1974
1975 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
1976 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
1977 || PACKET_remaining(&supported_sig_algs) == 0) {
1978 return 0;
1979 }
1980
a230b26e 1981 if (!s->hit) {
06217867
EK		 1982 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
1983 PACKET_remaining(&supported_sig_algs))) {
1984 return 0;
1985 }
9ceb2426 1986 }
0f113f3e 1987 } else if (type == TLSEXT_TYPE_status_request) {
06217867
EK		 1988 if (!PACKET_get_1(&extension,
1989 (unsigned int *)&s->tlsext_status_type)) {
1990 return 0;
1991 }
3e41ac35 1992#ifndef OPENSSL_NO_OCSP
0f113f3e 1993 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
3e41ac35 1994 const unsigned char *ext_data;
06217867 1995 PACKET responder_id_list, exts;
a230b26e
EK		 1996 if (!PACKET_get_length_prefixed_2
1997 (&extension, &responder_id_list))
06217867
EK		 1998 return 0;
1999
e408c09b
MC		 2000 /*
2001 * We remove any OCSP_RESPIDs from a previous handshake
2002 * to prevent unbounded memory growth - CVE-2016-6304
2003 */
2004 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2005 OCSP_RESPID_free);
2006 if (PACKET_remaining(&responder_id_list) > 0) {
2007 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2008 if (s->tlsext_ocsp_ids == NULL) {
2009 *al = SSL_AD_INTERNAL_ERROR;
2010 return 0;
2011 }
2012 } else {
2013 s->tlsext_ocsp_ids = NULL;
2014 }
2015
06217867 2016 while (PACKET_remaining(&responder_id_list) > 0) {
0f113f3e 2017 OCSP_RESPID *id;
06217867
EK		 2018 PACKET responder_id;
2019 const unsigned char *id_data;
9ceb2426 2020
06217867
EK		 2021 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2022 &responder_id)
2023 || PACKET_remaining(&responder_id) == 0) {
2024 return 0;
9ceb2426 2025 }
06217867 2026
06217867
EK		 2027 id_data = PACKET_data(&responder_id);
2028 id = d2i_OCSP_RESPID(NULL, &id_data,
2029 PACKET_remaining(&responder_id));
2030 if (id == NULL)
2031 return 0;
2032
2033 if (id_data != PACKET_end(&responder_id)) {
0f113f3e 2034 OCSP_RESPID_free(id);
0f113f3e
MC		 2035 return 0;
2036 }
06217867 2037
0f113f3e
MC		 2038 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2039 OCSP_RESPID_free(id);
2040 *al = SSL_AD_INTERNAL_ERROR;
2041 return 0;
2042 }
2043 }
4817504d 2044
0f113f3e 2045 /* Read in request_extensions */
06217867
EK		 2046 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2047 return 0;
2048
2049 if (PACKET_remaining(&exts) > 0) {
2050 ext_data = PACKET_data(&exts);
222561fe
RS		 2051 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2052 X509_EXTENSION_free);
0f113f3e 2053 s->tlsext_ocsp_exts =
06217867
EK		 2054 d2i_X509_EXTENSIONS(NULL, &ext_data,
2055 PACKET_remaining(&exts));
2056 if (s->tlsext_ocsp_exts == NULL
2057 || ext_data != PACKET_end(&exts)) {
2058 return 0;
2059 }
0f113f3e 2060 }
3e41ac35
MC		 2061 } else
2062#endif
2063 {
2064 /*
2065 * We don't know what to do with any other type so ignore it.
2066 */
0f113f3e 2067 s->tlsext_status_type = -1;
06217867 2068 }
0f113f3e 2069 }
e481f9b9 2070#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2071 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2072 unsigned int hbtype;
2073
06217867 2074 if (!PACKET_get_1(&extension, &hbtype)
a230b26e 2075 || PACKET_remaining(&extension)) {
9ceb2426
MC		 2076 *al = SSL_AD_DECODE_ERROR;
2077 return 0;
2078 }
2079 switch (hbtype) {
0f113f3e 2080 case 0x01: /* Client allows us to send HB requests */
22e3dcb7 2081 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2082 break;
2083 case 0x02: /* Client doesn't accept HB requests */
22e3dcb7
RS		 2084 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2085 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2086 break;
2087 default:
2088 *al = SSL_AD_ILLEGAL_PARAMETER;
2089 return 0;
2090 }
2091 }
e481f9b9
MC		 2092#endif
2093#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2094 else if (type == TLSEXT_TYPE_next_proto_neg &&
0351baae 2095 s->s3->tmp.finish_md_len == 0) {
50e735f9
MC		 2096 /*-
2097 * We shouldn't accept this extension on a
2098 * renegotiation.
2099 *
2100 * s->new_session will be set on renegotiation, but we
2101 * probably shouldn't rely that it couldn't be set on
8483a003 2102 * the initial renegotiation too in certain cases (when
50e735f9
MC		 2103 * there's some other reason to disallow resuming an
2104 * earlier session -- the current code won't be doing
2105 * anything like that, but this might change).
2106 *
2107 * A valid sign that there's been a previous handshake
2108 * in this connection is if s->s3->tmp.finish_md_len >
2109 * 0. (We are talking about a check that will happen
2110 * in the Hello protocol round, well before a new
2111 * Finished message could have been computed.)
2112 */
0f113f3e
MC		 2113 s->s3->next_proto_neg_seen = 1;
2114 }
e481f9b9 2115#endif
0f113f3e
MC		 2116
2117 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
06217867
EK		 2118 s->s3->tmp.finish_md_len == 0) {
2119 if (!tls1_alpn_handle_client_hello(s, &extension, al))
0f113f3e 2120 return 0;
0f113f3e 2121 }
5e3ff62c 2122
0f113f3e 2123 /* session ticket processed earlier */
e481f9b9 2124#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2125 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2126 && type == TLSEXT_TYPE_use_srtp) {
06217867 2127 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
0f113f3e
MC		 2128 return 0;
2129 }
e481f9b9 2130#endif
0f113f3e
MC		 2131 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2132 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e7f0d921
DSH		 2133 /*
2134 * Note: extended master secret extension handled in
2135 * tls_check_serverhello_tlsext_early()
2136 */
2137
0f113f3e
MC		 2138 /*
2139 * If this ClientHello extension was unhandled and this is a
2140 * nonresumed connection, check whether the extension is a custom
2141 * TLS Extension (has a custom_srv_ext_record), and if so call the
2142 * callback and record the extension number so that an appropriate
2143 * ServerHello may be later returned.
2144 */
2145 else if (!s->hit) {
06217867
EK		 2146 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2147 PACKET_remaining(&extension), al) <= 0)
0f113f3e
MC		 2148 return 0;
2149 }
0f113f3e 2150 }
6f017a8f 2151
06217867 2152 if (PACKET_remaining(pkt) != 0) {
a230b26e
EK		 2153 /*
2154 * tls1_check_duplicate_extensions should ensure this never happens.
2155 */
06217867
EK		 2156 *al = SSL_AD_INTERNAL_ERROR;
2157 return 0;
2158 }
54e3ad00 2159
0f113f3e 2160 ri_check:
ed3883d2 2161
0f113f3e
MC		 2162 /* Need RI if renegotiating */
2163
2164 if (!renegotiate_seen && s->renegotiate &&
2165 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2166 *al = SSL_AD_HANDSHAKE_FAILURE;
2167 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2168 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2169 return 0;
2170 }
2171
06217867
EK		 2172 /*
2173 * This function currently has no state to clean up, so it returns directly.
2174 * If parsing fails at any point, the function returns early.
2175 * The SSL object may be left with partial data from extensions, but it must
2176 * then no longer be used, and clearing it up will free the leftovers.
2177 */
0f113f3e
MC		 2178 return 1;
2179}
2180
9ceb2426 2181int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2182{
2183 int al = -1;
2184 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2185 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2186 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2187 return 0;
2188 }
0f113f3e
MC		 2189 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2190 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2191 return 0;
2192 }
2193 return 1;
2194}
2195
e481f9b9 2196#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2197/*
2198 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2199 * elements of zero length are allowed and the set of elements must exactly
2200 * fill the length of the block.
2201 */
50932c4a 2202static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2203{
b04f9479 2204 PACKET tmp_protocol;
0f113f3e 2205
50932c4a 2206 while (PACKET_remaining(pkt)) {
b04f9479 2207 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
a230b26e 2208 || PACKET_remaining(&tmp_protocol) == 0)
0f113f3e 2209 return 0;
0f113f3e
MC		 2210 }
2211
50932c4a 2212 return 1;
0f113f3e 2213}
e481f9b9 2214#endif
0f113f3e 2215
50932c4a 2216static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2217{
50932c4a 2218 unsigned int length, type, size;
0f113f3e
MC		 2219 int tlsext_servername = 0;
2220 int renegotiate_seen = 0;
2221
e481f9b9 2222#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2223 s->s3->next_proto_neg_seen = 0;
e481f9b9 2224#endif
0f113f3e
MC		 2225 s->tlsext_ticket_expected = 0;
2226
b548a1f1
RS		 2227 OPENSSL_free(s->s3->alpn_selected);
2228 s->s3->alpn_selected = NULL;
e481f9b9 2229#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 2230 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2231 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2232#endif
0f113f3e 2233
0f113f3e 2234 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 2235
e7f0d921
DSH		 2236 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2237
50932c4a 2238 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2239 goto ri_check;
2240
50932c4a 2241 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2242 *al = SSL_AD_DECODE_ERROR;
2243 return 0;
2244 }
2245
aa474d1f
EK		 2246 if (!tls1_check_duplicate_extensions(pkt)) {
2247 *al = SSL_AD_DECODE_ERROR;
2248 return 0;
2249 }
2250
50932c4a 2251 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2252 const unsigned char *data;
50932c4a 2253 PACKET spkt;
0f113f3e 2254
50932c4a 2255 if (!PACKET_get_sub_packet(pkt, &spkt, size)
a230b26e 2256 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2257 goto ri_check;
2258
2259 if (s->tlsext_debug_cb)
2260 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2261
2262 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2263 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2264 return 0;
2265 renegotiate_seen = 1;
2266 } else if (s->version == SSL3_VERSION) {
2267 } else if (type == TLSEXT_TYPE_server_name) {
2268 if (s->tlsext_hostname == NULL || size > 0) {
2269 *al = TLS1_AD_UNRECOGNIZED_NAME;
2270 return 0;
2271 }
2272 tlsext_servername = 1;
2273 }
e481f9b9 2274#ifndef OPENSSL_NO_EC
0f113f3e 2275 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2276 unsigned int ecpointformatlist_length;
2277 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
a230b26e 2278 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2279 *al = TLS1_AD_DECODE_ERROR;
2280 return 0;
2281 }
2282 if (!s->hit) {
2283 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2284 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2285 if ((s->session->tlsext_ecpointformatlist =
2286 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2287 *al = TLS1_AD_INTERNAL_ERROR;
2288 return 0;
2289 }
2290 s->session->tlsext_ecpointformatlist_length =
2291 ecpointformatlist_length;
50932c4a
MC		 2292 if (!PACKET_copy_bytes(&spkt,
2293 s->session->tlsext_ecpointformatlist,
2294 ecpointformatlist_length)) {
2295 *al = TLS1_AD_DECODE_ERROR;
2296 return 0;
2297 }
2298
0f113f3e 2299 }
0f113f3e 2300 }
a230b26e 2301#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2302
2303 else if (type == TLSEXT_TYPE_session_ticket) {
2304 if (s->tls_session_ticket_ext_cb &&
2305 !s->tls_session_ticket_ext_cb(s, data, size,
2306 s->tls_session_ticket_ext_cb_arg))
2307 {
2308 *al = TLS1_AD_INTERNAL_ERROR;
2309 return 0;
2310 }
2311 if (!tls_use_ticket(s) || (size > 0)) {
2312 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2313 return 0;
2314 }
2315 s->tlsext_ticket_expected = 1;
a230b26e 2316 } else if (type == TLSEXT_TYPE_status_request) {
0f113f3e
MC		 2317 /*
2318 * MUST be empty and only sent if we've requested a status
2319 * request message.
2320 */
2321 if ((s->tlsext_status_type == -1) || (size > 0)) {
2322 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2323 return 0;
2324 }
2325 /* Set flag to expect CertificateStatus message */
2326 s->tlsext_status_expected = 1;
2327 }
ed29e82a
RP		 2328#ifndef OPENSSL_NO_CT
2329 /*
2330 * Only take it if we asked for it - i.e if there is no CT validation
2331 * callback set, then a custom extension MAY be processing it, so we
2332 * need to let control continue to flow to that.
2333 */
2334 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2335 s->ct_validation_callback != NULL) {
2336 /* Simply copy it off for later processing */
2337 if (s->tlsext_scts != NULL) {
2338 OPENSSL_free(s->tlsext_scts);
2339 s->tlsext_scts = NULL;
2340 }
2341 s->tlsext_scts_len = size;
2342 if (size > 0) {
2343 s->tlsext_scts = OPENSSL_malloc(size);
2344 if (s->tlsext_scts == NULL) {
2345 *al = TLS1_AD_INTERNAL_ERROR;
2346 return 0;
2347 }
2348 memcpy(s->tlsext_scts, data, size);
2349 }
2350 }
2351#endif
e481f9b9 2352#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2353 else if (type == TLSEXT_TYPE_next_proto_neg &&
2354 s->s3->tmp.finish_md_len == 0) {
2355 unsigned char *selected;
2356 unsigned char selected_len;
0f113f3e
MC		 2357 /* We must have requested it. */
2358 if (s->ctx->next_proto_select_cb == NULL) {
2359 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2360 return 0;
2361 }
2362 /* The data must be valid */
50932c4a 2363 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2364 *al = TLS1_AD_DECODE_ERROR;
2365 return 0;
2366 }
a230b26e
EK		 2367 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2368 size,
2369 s->
2370 ctx->next_proto_select_cb_arg) !=
0f113f3e
MC		 2371 SSL_TLSEXT_ERR_OK) {
2372 *al = TLS1_AD_INTERNAL_ERROR;
2373 return 0;
2374 }
c31dbed7
MC		 2375 /*
2376 * Could be non-NULL if server has sent multiple NPN extensions in
2377 * a single Serverhello
2378 */
2379 OPENSSL_free(s->next_proto_negotiated);
0f113f3e 2380 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2381 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2382 *al = TLS1_AD_INTERNAL_ERROR;
2383 return 0;
2384 }
2385 memcpy(s->next_proto_negotiated, selected, selected_len);
2386 s->next_proto_negotiated_len = selected_len;
2387 s->s3->next_proto_neg_seen = 1;
2388 }
e481f9b9 2389#endif
0f113f3e
MC		 2390
2391 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2392 unsigned len;
0f113f3e 2393 /* We must have requested it. */
817cd0d5 2394 if (!s->s3->alpn_sent) {
0f113f3e
MC		 2395 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2396 return 0;
2397 }
50e735f9
MC		 2398 /*-
2399 * The extension data consists of:
2400 * uint16 list_length
2401 * uint8 proto_length;
2402 * uint8 proto[proto_length];
2403 */
50932c4a 2404 if (!PACKET_get_net_2(&spkt, &len)
a230b26e
EK		 2405 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2406 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2407 *al = TLS1_AD_DECODE_ERROR;
2408 return 0;
2409 }
b548a1f1 2410 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2411 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2412 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2413 *al = TLS1_AD_INTERNAL_ERROR;
2414 return 0;
2415 }
50932c4a
MC		 2416 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2417 *al = TLS1_AD_DECODE_ERROR;
2418 return 0;
2419 }
0f113f3e
MC		 2420 s->s3->alpn_selected_len = len;
2421 }
e481f9b9 2422#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2423 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2424 unsigned int hbtype;
2425 if (!PACKET_get_1(&spkt, &hbtype)) {
2426 *al = SSL_AD_DECODE_ERROR;
2427 return 0;
2428 }
2429 switch (hbtype) {
0f113f3e 2430 case 0x01: /* Server allows us to send HB requests */
22e3dcb7 2431 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2432 break;
2433 case 0x02: /* Server doesn't accept HB requests */
22e3dcb7
RS		 2434 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2435 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2436 break;
2437 default:
2438 *al = SSL_AD_ILLEGAL_PARAMETER;
2439 return 0;
2440 }
2441 }
e481f9b9
MC		 2442#endif
2443#ifndef OPENSSL_NO_SRTP
0f113f3e 2444 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2445 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2446 return 0;
2447 }
e481f9b9 2448#endif
0f113f3e
MC		 2449 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2450 /* Ignore if inappropriate ciphersuite */
2451 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2452 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2453 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
a230b26e 2454 } else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2455 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2456 if (!s->hit)
2457 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2458 }
0f113f3e
MC		 2459 /*
2460 * If this extension type was not otherwise handled, but matches a
2461 * custom_cli_ext_record, then send it to the c callback
2462 */
2463 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2464 return 0;
0f113f3e
MC		 2465 }
2466
50932c4a 2467 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2468 *al = SSL_AD_DECODE_ERROR;
2469 return 0;
2470 }
2471
2472 if (!s->hit && tlsext_servername == 1) {
2473 if (s->tlsext_hostname) {
2474 if (s->session->tlsext_hostname == NULL) {
a230b26e
EK		 2475 s->session->tlsext_hostname =
2476 OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2477 if (!s->session->tlsext_hostname) {
2478 *al = SSL_AD_UNRECOGNIZED_NAME;
2479 return 0;
2480 }
2481 } else {
2482 *al = SSL_AD_DECODE_ERROR;
2483 return 0;
2484 }
2485 }
2486 }
2487
0f113f3e
MC		 2488 ri_check:
2489
2490 /*
2491 * Determine if we need to see RI. Strictly speaking if we want to avoid
2492 * an attack we should *always* see RI even on initial server hello
2493 * because the client doesn't see any renegotiation during an attack.
2494 * However this would mean we could not connect to any server which
e7653f3b 2495 * doesn't support RI so for the immediate future tolerate RI absence
0f113f3e
MC		 2496 */
2497 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2498 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2499 *al = SSL_AD_HANDSHAKE_FAILURE;
2500 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2501 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2502 return 0;
2503 }
2504
e7f0d921
DSH		 2505 if (s->hit) {
2506 /*
2507 * Check extended master secret extension is consistent with
2508 * original session.
2509 */
2510 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2511 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2512 *al = SSL_AD_HANDSHAKE_FAILURE;
2513 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2514 return 0;
a230b26e 2515 }
e7f0d921
DSH		 2516 }
2517
0f113f3e
MC		 2518 return 1;
2519}
b2172f4f 2520
36ca4ba6 2521int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e 2522{
817cd0d5 2523 s->s3->alpn_sent = 0;
0f113f3e
MC		 2524 return 1;
2525}
36ca4ba6
BM		 2526
2527int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2528{
2529 return 1;
2530}
36ca4ba6 2531
2daceb03 2532static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2533{
2534 int ret = SSL_TLSEXT_ERR_NOACK;
2535 int al = SSL_AD_UNRECOGNIZED_NAME;
2536
e481f9b9 2537#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2538 /*
2539 * The handling of the ECPointFormats extension is done elsewhere, namely
2540 * in ssl3_choose_cipher in s3_lib.c.
2541 */
2542 /*
2543 * The handling of the EllipticCurves extension is done elsewhere, namely
2544 * in ssl3_choose_cipher in s3_lib.c.
2545 */
e481f9b9 2546#endif
0f113f3e
MC		 2547
2548 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2549 ret =
2550 s->ctx->tlsext_servername_callback(s, &al,
2551 s->ctx->tlsext_servername_arg);
2552 else if (s->initial_ctx != NULL
2553 && s->initial_ctx->tlsext_servername_callback != 0)
2554 ret =
2555 s->initial_ctx->tlsext_servername_callback(s, &al,
2556 s->
2557 initial_ctx->tlsext_servername_arg);
2558
0f113f3e
MC		 2559 switch (ret) {
2560 case SSL_TLSEXT_ERR_ALERT_FATAL:
2561 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2562 return -1;
2563
2564 case SSL_TLSEXT_ERR_ALERT_WARNING:
2565 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2566 return 1;
2567
2568 case SSL_TLSEXT_ERR_NOACK:
2569 s->servername_done = 0;
2570 default:
2571 return 1;
2572 }
2573}
a230b26e 2574
d376e57d 2575/* Initialise digests to default values */
a0f63828 2576void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2577{
2578 const EVP_MD **pmd = s->s3->tmp.md;
2579#ifndef OPENSSL_NO_DSA
152fbc28 2580 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2581#endif
2582#ifndef OPENSSL_NO_RSA
d18d31a1 2583 if (SSL_USE_SIGALGS(s))
152fbc28 2584 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2585 else
152fbc28 2586 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2587 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2588#endif
2589#ifndef OPENSSL_NO_EC
152fbc28 2590 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2591#endif
e44380a9 2592#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2593 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2594 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2595 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2596#endif
d376e57d 2597}
f1fd4544 2598
e469af8d 2599int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2600{
2601 int al;
2602 size_t i;
8483a003
F		 2603
2604 /* Clear any shared signature algorithms */
b548a1f1
RS		 2605 OPENSSL_free(s->cert->shared_sigalgs);
2606 s->cert->shared_sigalgs = NULL;
2607 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2608 /* Clear certificate digests and validity flags */
2609 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2610 s->s3->tmp.md[i] = NULL;
6383d316 2611 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2612 }
2613
2614 /* If sigalgs received process it. */
76106e60 2615 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2616 if (!tls1_process_sigalgs(s)) {
2617 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2618 al = SSL_AD_INTERNAL_ERROR;
2619 goto err;
2620 }
2621 /* Fatal error is no shared signature algorithms */
2622 if (!s->cert->shared_sigalgs) {
2623 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
f430ba31 2624 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
0f113f3e
MC		 2625 al = SSL_AD_ILLEGAL_PARAMETER;
2626 goto err;
2627 }
d376e57d
DSH		 2628 } else {
2629 ssl_set_default_md(s);
2630 }
0f113f3e
MC		 2631 return 1;
2632 err:
2633 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2634 return 0;
2635}
e469af8d 2636
70c22888
EK		 2637/*
2638 * Upon success, returns 1.
2639 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2640 */
2641int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
0f113f3e 2642{
70c22888 2643 s->tlsext_status_expected = 0;
0f113f3e
MC		 2644
2645 /*
2646 * If status request then ask callback what to do. Note: this must be
2647 * called after servername callbacks in case the certificate has changed,
2648 * and must be called after the cipher has been chosen because this may
2649 * influence which certificate is sent
2650 */
2651 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
70c22888 2652 int ret;
0f113f3e
MC		 2653 CERT_PKEY *certpkey;
2654 certpkey = ssl_get_server_send_pkey(s);
2655 /* If no certificate can't return certificate status */
70c22888
EK		 2656 if (certpkey != NULL) {
2657 /*
2658 * Set current certificate to one we will use so SSL_get_certificate
2659 * et al can pick it up.
2660 */
2661 s->cert->key = certpkey;
2662 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2663 switch (ret) {
2664 /* We don't want to send a status request response */
2665 case SSL_TLSEXT_ERR_NOACK:
0f113f3e 2666 s->tlsext_status_expected = 0;
70c22888
EK		 2667 break;
2668 /* status request response should be sent */
2669 case SSL_TLSEXT_ERR_OK:
2670 if (s->tlsext_ocsp_resp)
2671 s->tlsext_status_expected = 1;
2672 break;
2673 /* something bad happened */
2674 case SSL_TLSEXT_ERR_ALERT_FATAL:
2675 default:
2676 *al = SSL_AD_INTERNAL_ERROR;
2677 return 0;
2678 }
0f113f3e 2679 }
817cd0d5
TS		 2680 }
2681
70c22888
EK		 2682 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2683 return 0;
0f113f3e 2684 }
70c22888
EK		 2685
2686 return 1;
0f113f3e 2687}
2daceb03 2688
36ca4ba6 2689int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2690{
2691 int ret = SSL_TLSEXT_ERR_NOACK;
2692 int al = SSL_AD_UNRECOGNIZED_NAME;
2693
e481f9b9 2694#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2695 /*
2696 * If we are client and using an elliptic curve cryptography cipher
2697 * suite, then if server returns an EC point formats lists extension it
2698 * must contain uncompressed.
2699 */
2700 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2701 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2702 if ((s->tlsext_ecpointformatlist != NULL)
2703 && (s->tlsext_ecpointformatlist_length > 0)
2704 && (s->session->tlsext_ecpointformatlist != NULL)
2705 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 2706 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 2707 /* we are using an ECC cipher */
2708 size_t i;
2709 unsigned char *list;
2710 int found_uncompressed = 0;
2711 list = s->session->tlsext_ecpointformatlist;
2712 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2713 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2714 found_uncompressed = 1;
2715 break;
2716 }
2717 }
2718 if (!found_uncompressed) {
2719 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2720 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2721 return -1;
2722 }
2723 }
2724 ret = SSL_TLSEXT_ERR_OK;
a230b26e 2725#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2726
2727 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2728 ret =
2729 s->ctx->tlsext_servername_callback(s, &al,
2730 s->ctx->tlsext_servername_arg);
2731 else if (s->initial_ctx != NULL
2732 && s->initial_ctx->tlsext_servername_callback != 0)
2733 ret =
2734 s->initial_ctx->tlsext_servername_callback(s, &al,
2735 s->
2736 initial_ctx->tlsext_servername_arg);
2737
b1931d43
MC		 2738 /*
2739 * Ensure we get sensible values passed to tlsext_status_cb in the event
2740 * that we don't receive a status message
2741 */
bb1aaab4
MC		 2742 OPENSSL_free(s->tlsext_ocsp_resp);
2743 s->tlsext_ocsp_resp = NULL;
2744 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2745
2746 switch (ret) {
2747 case SSL_TLSEXT_ERR_ALERT_FATAL:
2748 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2749 return -1;
2750
2751 case SSL_TLSEXT_ERR_ALERT_WARNING:
2752 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2753 return 1;
2754
2755 case SSL_TLSEXT_ERR_NOACK:
2756 s->servername_done = 0;
2757 default:
2758 return 1;
2759 }
2760}
761772d7 2761
50932c4a 2762int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2763{
2764 int al = -1;
2765 if (s->version < SSL3_VERSION)
2766 return 1;
50932c4a 2767 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2768 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2769 return 0;
2770 }
2771
2772 if (ssl_check_serverhello_tlsext(s) <= 0) {
2773 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2774 return 0;
2775 }
2776 return 1;
09e4e4b9
DSH		 2777}
2778
1d97c843
TH		 2779/*-
2780 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2781 * ClientHello and other operations depend on the result some extensions
2782 * need to be handled at the same time.
2783 *
2784 * Two extensions are currently handled, session ticket and extended master
2785 * secret.
c519e89f 2786 *
b3e2272c
EK		 2787 * session_id: ClientHello session ID.
2788 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2789 * ret: (output) on return, if a ticket was decrypted, then this is set to
2790 * point to the resulting session.
2791 *
2792 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2793 * ciphersuite, in which case we have no use for session tickets and one will
2794 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2795 *
2796 * Returns:
2797 * -1: fatal error, either from parsing or decrypting the ticket.
2798 * 0: no ticket was found (or was ignored, based on settings).
2799 * 1: a zero length extension was found, indicating that the client supports
2800 * session tickets but doesn't currently have one to offer.
2801 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2802 * couldn't be decrypted because of a non-fatal error.
2803 * 3: a ticket was successfully decrypted and *ret was set.
2804 *
2805 * Side effects:
2806 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2807 * a new session ticket to the client because the client indicated support
2808 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2809 * a session ticket or we couldn't use the one it gave us, or if
2810 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2811 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2812 *
2813 * For extended master secret flag is set if the extension is present.
2814 *
6434abbf 2815 */
e7f0d921
DSH		 2816int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2817 const PACKET *session_id,
2818 SSL_SESSION **ret)
0f113f3e 2819{
9ceb2426 2820 unsigned int i;
b3e2272c 2821 PACKET local_ext = *ext;
9ceb2426 2822 int retv = -1;
0f113f3e 2823
e7f0d921
DSH		 2824 int have_ticket = 0;
2825 int use_ticket = tls_use_ticket(s);
2826
0f113f3e
MC		 2827 *ret = NULL;
2828 s->tlsext_ticket_expected = 0;
e7f0d921 2829 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2830
2831 /*
2832 * If tickets disabled behave as if no ticket present to permit stateful
2833 * resumption.
2834 */
9ceb2426 2835 if ((s->version <= SSL3_VERSION))
0f113f3e 2836 return 0;
9ceb2426 2837
b3e2272c 2838 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2839 retv = 0;
2840 goto end;
2841 }
b3e2272c 2842 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2843 unsigned int type, size;
2844
b3e2272c 2845 if (!PACKET_get_net_2(&local_ext, &type)
a230b26e 2846 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2847 /* Shouldn't ever happen */
2848 retv = -1;
2849 goto end;
2850 }
b3e2272c 2851 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2852 retv = 0;
2853 goto end;
2854 }
e7f0d921 2855 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2856 int r;
b6981744 2857 const unsigned char *etick;
9ceb2426 2858
e7f0d921
DSH		 2859 /* Duplicate extension */
2860 if (have_ticket != 0) {
2861 retv = -1;
2862 goto end;
2863 }
2864 have_ticket = 1;
2865
0f113f3e
MC		 2866 if (size == 0) {
2867 /*
2868 * The client will accept a ticket but doesn't currently have
2869 * one.
2870 */
2871 s->tlsext_ticket_expected = 1;
9ceb2426 2872 retv = 1;
e7f0d921 2873 continue;
0f113f3e
MC		 2874 }
2875 if (s->tls_session_secret_cb) {
2876 /*
2877 * Indicate that the ticket couldn't be decrypted rather than
2878 * generating the session from ticket now, trigger
2879 * abbreviated handshake based on external mechanism to
2880 * calculate the master secret later.
2881 */
9ceb2426 2882 retv = 2;
e7f0d921 2883 continue;
9ceb2426 2884 }
b3e2272c 2885 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2886 /* Shouldn't ever happen */
2887 retv = -1;
2888 goto end;
0f113f3e 2889 }
b3e2272c
EK		 2890 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2891 PACKET_remaining(session_id), ret);
0f113f3e
MC		 2892 switch (r) {
2893 case 2: /* ticket couldn't be decrypted */
2894 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2895 retv = 2;
2896 break;
0f113f3e 2897 case 3: /* ticket was decrypted */
9ceb2426
MC		 2898 retv = r;
2899 break;
0f113f3e
MC		 2900 case 4: /* ticket decrypted but need to renew */
2901 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2902 retv = 3;
2903 break;
0f113f3e 2904 default: /* fatal error */
9ceb2426
MC		 2905 retv = -1;
2906 break;
0f113f3e 2907 }
e7f0d921 2908 continue;
c83eda8c 2909 } else {
e7f0d921
DSH		 2910 if (type == TLSEXT_TYPE_extended_master_secret)
2911 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 2912 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 2913 retv = -1;
2914 goto end;
2915 }
0f113f3e 2916 }
0f113f3e 2917 }
e7f0d921
DSH		 2918 if (have_ticket == 0)
2919 retv = 0;
a230b26e 2920 end:
9ceb2426 2921 return retv;
0f113f3e 2922}
6434abbf 2923
1d97c843
TH		 2924/*-
2925 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 2926 *
2927 * etick: points to the body of the session ticket extension.
8483a003 2928 * eticklen: the length of the session tickets extension.
c519e89f
BM		 2929 * sess_id: points at the session ID.
2930 * sesslen: the length of the session ID.
2931 * psess: (output) on return, if a ticket was decrypted, then this is set to
2932 * point to the resulting session.
2933 *
2934 * Returns:
bf7c6817 2935 * -2: fatal error, malloc failure.
c519e89f
BM		 2936 * -1: fatal error, either from parsing or decrypting the ticket.
2937 * 2: the ticket couldn't be decrypted.
2938 * 3: a ticket was successfully decrypted and *psess was set.
2939 * 4: same as 3, but the ticket needs to be renewed.
2940 */
0f113f3e
MC		 2941static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2942 int eticklen, const unsigned char *sess_id,
2943 int sesslen, SSL_SESSION **psess)
2944{
2945 SSL_SESSION *sess;
2946 unsigned char *sdec;
2947 const unsigned char *p;
35b1a433 2948 int slen, mlen, renew_ticket = 0, ret = -1;
0f113f3e 2949 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 2950 HMAC_CTX *hctx = NULL;
846ec07d 2951 EVP_CIPHER_CTX *ctx;
0f113f3e 2952 SSL_CTX *tctx = s->initial_ctx;
e97763c9 2953
0f113f3e 2954 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 2955 hctx = HMAC_CTX_new();
2956 if (hctx == NULL)
2957 return -2;
846ec07d 2958 ctx = EVP_CIPHER_CTX_new();
35b1a433
MC		 2959 if (ctx == NULL) {
2960 ret = -2;
2961 goto err;
2962 }
0f113f3e
MC		 2963 if (tctx->tlsext_ticket_key_cb) {
2964 unsigned char *nctick = (unsigned char *)etick;
2965 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 2966 ctx, hctx, 0);
0f113f3e 2967 if (rv < 0)
35b1a433
MC		 2968 goto err;
2969 if (rv == 0) {
2970 ret = 2;
2971 goto err;
2972 }
0f113f3e
MC		 2973 if (rv == 2)
2974 renew_ticket = 1;
2975 } else {
2976 /* Check key name matches */
4e2e1ec9
TS		 2977 if (memcmp(etick, tctx->tlsext_tick_key_name,
2978 sizeof(tctx->tlsext_tick_key_name)) != 0) {
35b1a433
MC		 2979 ret = 2;
2980 goto err;
2981 }
4e2e1ec9
TS		 2982 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
2983 sizeof(tctx->tlsext_tick_hmac_key),
5f3d93e4 2984 EVP_sha256(), NULL) <= 0
a230b26e
EK		 2985 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
2986 tctx->tlsext_tick_aes_key,
2987 etick + sizeof(tctx->tlsext_tick_key_name)) <=
2988 0) {
5f3d93e4 2989 goto err;
a230b26e 2990 }
0f113f3e
MC		 2991 }
2992 /*
2993 * Attempt to process session ticket, first conduct sanity and integrity
2994 * checks on ticket.
2995 */
bf7c6817 2996 mlen = HMAC_size(hctx);
0f113f3e 2997 if (mlen < 0) {
5f3d93e4 2998 goto err;
0f113f3e 2999 }
e97763c9
DSH		 3000 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3001 if (eticklen <=
3002 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
3003 ret = 2;
3004 goto err;
3005 }
0f113f3e
MC		 3006 eticklen -= mlen;
3007 /* Check HMAC of encrypted ticket */
bf7c6817 3008 if (HMAC_Update(hctx, etick, eticklen) <= 0
a230b26e 3009 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3010 goto err;
3011 }
bf7c6817 3012 HMAC_CTX_free(hctx);
0f113f3e 3013 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3014 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3015 return 2;
3016 }
3017 /* Attempt to decrypt session data */
3018 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3019 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3020 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3021 sdec = OPENSSL_malloc(eticklen);
a230b26e 3022 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
846ec07d 3023 EVP_CIPHER_CTX_free(ctx);
d1247df2 3024 OPENSSL_free(sdec);
0f113f3e
MC		 3025 return -1;
3026 }
846ec07d
RL		 3027 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3028 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3029 OPENSSL_free(sdec);
3030 return 2;
3031 }
3032 slen += mlen;
846ec07d
RL		 3033 EVP_CIPHER_CTX_free(ctx);
3034 ctx = NULL;
0f113f3e
MC		 3035 p = sdec;
3036
3037 sess = d2i_SSL_SESSION(NULL, &p, slen);
3038 OPENSSL_free(sdec);
3039 if (sess) {
3040 /*
3041 * The session ID, if non-empty, is used by some clients to detect
3042 * that the ticket has been accepted. So we copy it to the session
3043 * structure. If it is empty set length to zero as required by
3044 * standard.
3045 */
3046 if (sesslen)
3047 memcpy(sess->session_id, sess_id, sesslen);
3048 sess->session_id_length = sesslen;
3049 *psess = sess;
3050 if (renew_ticket)
3051 return 4;
3052 else
3053 return 3;
3054 }
3055 ERR_clear_error();
3056 /*
3057 * For session parse failure, indicate that we need to send a new ticket.
3058 */
3059 return 2;
a230b26e 3060 err:
846ec07d 3061 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3062 HMAC_CTX_free(hctx);
35b1a433 3063 return ret;
0f113f3e 3064}
6434abbf 3065
6b7be581
DSH		 3066/* Tables to translate from NIDs to TLS v1.2 ids */
3067
0f113f3e
MC		 3068typedef struct {
3069 int nid;
3070 int id;
3071} tls12_lookup;
6b7be581 3072
d97ed219 3073static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3074 {NID_md5, TLSEXT_hash_md5},
3075 {NID_sha1, TLSEXT_hash_sha1},
3076 {NID_sha224, TLSEXT_hash_sha224},
3077 {NID_sha256, TLSEXT_hash_sha256},
3078 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3079 {NID_sha512, TLSEXT_hash_sha512},
3080 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3081 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3082 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3083};
3084
d97ed219 3085static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3086 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3087 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3088 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3089 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3090 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3091 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3092};
3093
d97ed219 3094static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3095{
3096 size_t i;
3097 for (i = 0; i < tlen; i++) {
3098 if (table[i].nid == nid)
3099 return table[i].id;
3100 }
3101 return -1;
3102}
e7f8ff43 3103
d97ed219 3104static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3105{
3106 size_t i;
3107 for (i = 0; i < tlen; i++) {
3108 if ((table[i].id) == id)
3109 return table[i].nid;
3110 }
3111 return NID_undef;
3112}
3113
6400f338
MC		 3114int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
3115{
3116 int sig_id, md_id;
418a18a2
MC		 3117
3118 if (md == NULL)
6400f338
MC		 3119 return 0;
3120 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3121 if (md_id == -1)
3122 return 0;
3123 sig_id = tls12_get_sigid(pk);
3124 if (sig_id == -1)
3125 return 0;
08029dfa 3126 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
6400f338
MC		 3127 return 0;
3128
3129 return 1;
3130}
3131
3132/*
3133 * Old version of the tls12_get_sigandhash function used by code that has not
3134 * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion
3135 * is complete.
3136 * TODO - DELETE ME
3137 */
3138int tls12_get_sigandhash_old(unsigned char *p, const EVP_PKEY *pk,
3139 const EVP_MD *md)
0f113f3e
MC		 3140{
3141 int sig_id, md_id;
3142 if (!md)
3143 return 0;
b6eb9827 3144 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3145 if (md_id == -1)
3146 return 0;
3147 sig_id = tls12_get_sigid(pk);
3148 if (sig_id == -1)
3149 return 0;
3150 p[0] = (unsigned char)md_id;
3151 p[1] = (unsigned char)sig_id;
3152 return 1;
3153}
6b7be581 3154
a2f9200f 3155int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3156{
3aeb9348 3157 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3158}
3159
3160typedef struct {
3161 int nid;
3162 int secbits;
7afd2312 3163 int md_idx;
e44380a9 3164 unsigned char tlsext_hash;
0f113f3e 3165} tls12_hash_info;
b362ccab
DSH		 3166
3167static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3168 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3169 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3170 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3171 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3172 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3173 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
a230b26e
EK		 3174 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3175 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3176 TLSEXT_hash_gostr34112012_256},
3177 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3178 TLSEXT_hash_gostr34112012_512},
b362ccab 3179};
a2f9200f 3180
b362ccab 3181static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3182{
e44380a9 3183 unsigned int i;
0f113f3e
MC		 3184 if (hash_alg == 0)
3185 return NULL;
e44380a9 3186
a230b26e 3187 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
e44380a9
DB		 3188 if (tls12_md_info[i].tlsext_hash == hash_alg)
3189 return tls12_md_info + i;
3190 }
3191
3192 return NULL;
0f113f3e 3193}
a2f9200f 3194
b362ccab 3195const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3196{
3197 const tls12_hash_info *inf;
3198 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3199 return NULL;
3200 inf = tls12_get_hash_info(hash_alg);
7afd2312 3201 if (!inf)
0f113f3e 3202 return NULL;
7afd2312 3203 return ssl_md(inf->md_idx);
0f113f3e 3204}
a2f9200f 3205
4453cd8c 3206static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3207{
3208 switch (sig_alg) {
e481f9b9 3209#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3210 case TLSEXT_signature_rsa:
3211 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3212#endif
3213#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3214 case TLSEXT_signature_dsa:
3215 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3216#endif
3217#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3218 case TLSEXT_signature_ecdsa:
3219 return SSL_PKEY_ECC;
e481f9b9 3220#endif
a230b26e 3221#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3222 case TLSEXT_signature_gostr34102001:
3223 return SSL_PKEY_GOST01;
3224
3225 case TLSEXT_signature_gostr34102012_256:
3226 return SSL_PKEY_GOST12_256;
3227
3228 case TLSEXT_signature_gostr34102012_512:
3229 return SSL_PKEY_GOST12_512;
a230b26e 3230#endif
0f113f3e
MC		 3231 }
3232 return -1;
3233}
4453cd8c
DSH		 3234
3235/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3236static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3237 int *psignhash_nid, const unsigned char *data)
3238{
330dcb09 3239 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3240 if (!phash_nid && !psign_nid && !psignhash_nid)
3241 return;
3242 if (phash_nid || psignhash_nid) {
b6eb9827 3243 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3244 if (phash_nid)
3245 *phash_nid = hash_nid;
3246 }
3247 if (psign_nid || psignhash_nid) {
b6eb9827 3248 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3249 if (psign_nid)
3250 *psign_nid = sign_nid;
3251 }
3252 if (psignhash_nid) {
330dcb09 3253 if (sign_nid == NID_undef || hash_nid == NID_undef
a230b26e 3254 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
0f113f3e
MC		 3255 *psignhash_nid = NID_undef;
3256 }
3257}
3258
b362ccab
DSH		 3259/* Check to see if a signature algorithm is allowed */
3260static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3261{
3262 /* See if we have an entry in the hash table and it is enabled */
3263 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3264 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3265 return 0;
3266 /* See if public key algorithm allowed */
3267 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3268 return 0;
3269 /* Finally see if security callback allows it */
3270 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3271}
3272
3273/*
3274 * Get a mask of disabled public key algorithms based on supported signature
3275 * algorithms. For example if no signature algorithm supports RSA then RSA is
3276 * disabled.
b362ccab
DSH		 3277 */
3278
90d9e49a 3279void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3280{
3281 const unsigned char *sigalgs;
3282 size_t i, sigalgslen;
3283 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3284 /*
3285 * Now go through all signature algorithms seeing if we support any for
3286 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3287 * down calls to security callback only check if we have to.
3288 */
3289 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3290 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3291 switch (sigalgs[1]) {
e481f9b9 3292#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3293 case TLSEXT_signature_rsa:
3294 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3295 have_rsa = 1;
3296 break;
e481f9b9
MC		 3297#endif
3298#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3299 case TLSEXT_signature_dsa:
3300 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3301 have_dsa = 1;
3302 break;
e481f9b9
MC		 3303#endif
3304#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3305 case TLSEXT_signature_ecdsa:
3306 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3307 have_ecdsa = 1;
3308 break;
e481f9b9 3309#endif
0f113f3e
MC		 3310 }
3311 }
3312 if (!have_rsa)
3313 *pmask_a |= SSL_aRSA;
3314 if (!have_dsa)
3315 *pmask_a |= SSL_aDSS;
3316 if (!have_ecdsa)
3317 *pmask_a |= SSL_aECDSA;
3318}
b362ccab 3319
2c7b4dbc
MC		 3320/*
3321 * Old version of the tls12_copy_sigalgs function used by code that has not
ae2f7b37 3322 * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion
2c7b4dbc
MC		 3323 * is complete.
3324 * TODO - DELETE ME
3325 */
3326size_t tls12_copy_sigalgs_old(SSL *s, unsigned char *out,
0f113f3e
MC		 3327 const unsigned char *psig, size_t psiglen)
3328{
3329 unsigned char *tmpout = out;
3330 size_t i;
3331 for (i = 0; i < psiglen; i += 2, psig += 2) {
3332 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3333 *tmpout++ = psig[0];
3334 *tmpout++ = psig[1];
3335 }
3336 }
3337 return tmpout - out;
3338}
b362ccab 3339
ae2f7b37 3340int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
2c7b4dbc
MC		 3341 const unsigned char *psig, size_t psiglen)
3342{
3343 size_t i;
c0f9e23c 3344
2c7b4dbc
MC		 3345 for (i = 0; i < psiglen; i += 2, psig += 2) {
3346 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
08029dfa
MC		 3347 if (!WPACKET_put_bytes_u8(pkt, psig[0])
3348 || !WPACKET_put_bytes_u8(pkt, psig[1]))
2c7b4dbc
MC		 3349 return 0;
3350 }
3351 }
3352 return 1;
3353}
3354
4453cd8c 3355/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3356static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3357 const unsigned char *pref, size_t preflen,
3358 const unsigned char *allow, size_t allowlen)
3359{
3360 const unsigned char *ptmp, *atmp;
3361 size_t i, j, nmatch = 0;
3362 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3363 /* Skip disabled hashes or signature algorithms */
3364 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3365 continue;
3366 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3367 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3368 nmatch++;
3369 if (shsig) {
3370 shsig->rhash = ptmp[0];
3371 shsig->rsign = ptmp[1];
3372 tls1_lookup_sigalg(&shsig->hash_nid,
3373 &shsig->sign_nid,
3374 &shsig->signandhash_nid, ptmp);
3375 shsig++;
3376 }
3377 break;
3378 }
3379 }
3380 }
3381 return nmatch;
3382}
4453cd8c
DSH		 3383
3384/* Set shared signature algorithms for SSL structures */
3385static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3386{
3387 const unsigned char *pref, *allow, *conf;
3388 size_t preflen, allowlen, conflen;
3389 size_t nmatch;
3390 TLS_SIGALGS *salgs = NULL;
3391 CERT *c = s->cert;
3392 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3393
3394 OPENSSL_free(c->shared_sigalgs);
3395 c->shared_sigalgs = NULL;
3396 c->shared_sigalgslen = 0;
0f113f3e
MC		 3397 /* If client use client signature algorithms if not NULL */
3398 if (!s->server && c->client_sigalgs && !is_suiteb) {
3399 conf = c->client_sigalgs;
3400 conflen = c->client_sigalgslen;
3401 } else if (c->conf_sigalgs && !is_suiteb) {
3402 conf = c->conf_sigalgs;
3403 conflen = c->conf_sigalgslen;
3404 } else
3405 conflen = tls12_get_psigalgs(s, &conf);
3406 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3407 pref = conf;
3408 preflen = conflen;
76106e60
DSH		 3409 allow = s->s3->tmp.peer_sigalgs;
3410 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3411 } else {
3412 allow = conf;
3413 allowlen = conflen;
76106e60
DSH		 3414 pref = s->s3->tmp.peer_sigalgs;
3415 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3416 }
3417 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3418 if (nmatch) {
3419 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3420 if (salgs == NULL)
34e3edbf
DSH		 3421 return 0;
3422 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3423 } else {
3424 salgs = NULL;
3425 }
0f113f3e
MC		 3426 c->shared_sigalgs = salgs;
3427 c->shared_sigalgslen = nmatch;
3428 return 1;
3429}
4453cd8c 3430
6b7be581
DSH		 3431/* Set preferred digest for each key type */
3432
c800c27a 3433int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3434{
3435 CERT *c = s->cert;
3436 /* Extension ignored for inappropriate versions */
3437 if (!SSL_USE_SIGALGS(s))
3438 return 1;
3439 /* Should never happen */
3440 if (!c)
3441 return 0;
3442
76106e60
DSH		 3443 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3444 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3445 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3446 return 0;
76106e60
DSH		 3447 s->s3->tmp.peer_sigalgslen = dsize;
3448 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3449 return 1;
3450}
6b7be581 3451
c800c27a 3452int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3453{
3454 int idx;
3455 size_t i;
3456 const EVP_MD *md;
d376e57d 3457 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3458 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3459 CERT *c = s->cert;
3460 TLS_SIGALGS *sigptr;
3461 if (!tls1_set_shared_sigalgs(s))
3462 return 0;
3463
0f113f3e
MC		 3464 for (i = 0, sigptr = c->shared_sigalgs;
3465 i < c->shared_sigalgslen; i++, sigptr++) {
3466 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3467 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3468 md = tls12_get_hash(sigptr->rhash);
d376e57d 3469 pmd[idx] = md;
6383d316 3470 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3471 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3472 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3473 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3474 }
3475 }
6b7be581 3476
0f113f3e
MC		 3477 }
3478 /*
3479 * In strict mode leave unset digests as NULL to indicate we can't use
3480 * the certificate for signing.
3481 */
3482 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3483 /*
3484 * Set any remaining keys to default values. NOTE: if alg is not
3485 * supported it stays as NULL.
3486 */
e481f9b9 3487#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3488 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3489 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3490#endif
3491#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3492 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3493 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3494 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3495 }
e481f9b9
MC		 3496#endif
3497#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3498 if (pmd[SSL_PKEY_ECC] == NULL)
3499 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3500#endif
a230b26e 3501#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3502 if (pmd[SSL_PKEY_GOST01] == NULL)
3503 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3504 if (pmd[SSL_PKEY_GOST12_256] == NULL)
a230b26e
EK		 3505 pmd[SSL_PKEY_GOST12_256] =
3506 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
e44380a9 3507 if (pmd[SSL_PKEY_GOST12_512] == NULL)
a230b26e
EK		 3508 pmd[SSL_PKEY_GOST12_512] =
3509 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3510#endif
0f113f3e
MC		 3511 }
3512 return 1;
3513}
4817504d 3514
e7f8ff43 3515int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3516 int *psign, int *phash, int *psignhash,
3517 unsigned char *rsig, unsigned char *rhash)
3518{
76106e60 3519 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3520 if (psig == NULL)
3521 return 0;
3522 if (idx >= 0) {
3523 idx <<= 1;
76106e60 3524 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3525 return 0;
3526 psig += idx;
3527 if (rhash)
3528 *rhash = psig[0];
3529 if (rsig)
3530 *rsig = psig[1];
3531 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3532 }
76106e60 3533 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3534}
4453cd8c
DSH		 3535
3536int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3537 int *psign, int *phash, int *psignhash,
3538 unsigned char *rsig, unsigned char *rhash)
3539{
3540 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3541 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3542 return 0;
3543 shsigalgs += idx;
3544 if (phash)
3545 *phash = shsigalgs->hash_nid;
3546 if (psign)
3547 *psign = shsigalgs->sign_nid;
3548 if (psignhash)
3549 *psignhash = shsigalgs->signandhash_nid;
3550 if (rsig)
3551 *rsig = shsigalgs->rsign;
3552 if (rhash)
3553 *rhash = shsigalgs->rhash;
3554 return s->cert->shared_sigalgslen;
3555}
3556
e481f9b9 3557#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3558
0f113f3e
MC		 3559typedef struct {
3560 size_t sigalgcnt;
3561 int sigalgs[MAX_SIGALGLEN];
3562} sig_cb_st;
0f229cce 3563
431f458d
DSH		 3564static void get_sigorhash(int *psig, int *phash, const char *str)
3565{
3566 if (strcmp(str, "RSA") == 0) {
3567 *psig = EVP_PKEY_RSA;
3568 } else if (strcmp(str, "DSA") == 0) {
3569 *psig = EVP_PKEY_DSA;
3570 } else if (strcmp(str, "ECDSA") == 0) {
3571 *psig = EVP_PKEY_EC;
3572 } else {
3573 *phash = OBJ_sn2nid(str);
3574 if (*phash == NID_undef)
3575 *phash = OBJ_ln2nid(str);
3576 }
3577}
3578
0f229cce 3579static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3580{
3581 sig_cb_st *sarg = arg;
3582 size_t i;
3583 char etmp[20], *p;
431f458d 3584 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3585 if (elem == NULL)
3586 return 0;
0f113f3e
MC		 3587 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3588 return 0;
3589 if (len > (int)(sizeof(etmp) - 1))
3590 return 0;
3591 memcpy(etmp, elem, len);
3592 etmp[len] = 0;
3593 p = strchr(etmp, '+');
3594 if (!p)
3595 return 0;
3596 *p = 0;
3597 p++;
3598 if (!*p)
3599 return 0;
3600
431f458d
DSH		 3601 get_sigorhash(&sig_alg, &hash_alg, etmp);
3602 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3603
431f458d 3604 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3605 return 0;
3606
3607 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3608 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3609 return 0;
3610 }
3611 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3612 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3613 return 1;
3614}
3615
3616/*
9d22666e 3617 * Set supported signature algorithms based on a colon separated list of the
0f113f3e
MC		 3618 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3619 */
3dbc46df 3620int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3621{
3622 sig_cb_st sig;
3623 sig.sigalgcnt = 0;
3624 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3625 return 0;
3626 if (c == NULL)
3627 return 1;
3628 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3629}
3630
a230b26e 3631int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f113f3e
MC		 3632{
3633 unsigned char *sigalgs, *sptr;
3634 int rhash, rsign;
3635 size_t i;
3636 if (salglen & 1)
3637 return 0;
3638 sigalgs = OPENSSL_malloc(salglen);
3639 if (sigalgs == NULL)
3640 return 0;
3641 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3642 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3643 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3644
3645 if (rhash == -1 || rsign == -1)
3646 goto err;
3647 *sptr++ = rhash;
3648 *sptr++ = rsign;
3649 }
3650
3651 if (client) {
b548a1f1 3652 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3653 c->client_sigalgs = sigalgs;
3654 c->client_sigalgslen = salglen;
3655 } else {
b548a1f1 3656 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3657 c->conf_sigalgs = sigalgs;
3658 c->conf_sigalgslen = salglen;
3659 }
3660
3661 return 1;
3662
3663 err:
3664 OPENSSL_free(sigalgs);
3665 return 0;
3666}
4453cd8c 3667
d61ff83b 3668static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3669{
3670 int sig_nid;
3671 size_t i;
3672 if (default_nid == -1)
3673 return 1;
3674 sig_nid = X509_get_signature_nid(x);
3675 if (default_nid)
3676 return sig_nid == default_nid ? 1 : 0;
3677 for (i = 0; i < c->shared_sigalgslen; i++)
3678 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3679 return 1;
3680 return 0;
3681}
3682
6dbb6219
DSH		 3683/* Check to see if a certificate issuer name matches list of CA names */
3684static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3685{
3686 X509_NAME *nm;
3687 int i;
3688 nm = X509_get_issuer_name(x);
3689 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3690 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3691 return 1;
3692 }
3693 return 0;
3694}
3695
3696/*
3697 * Check certificate chain is consistent with TLS extensions and is usable by
3698 * server. This servers two purposes: it allows users to check chains before
3699 * passing them to the server and it allows the server to check chains before
3700 * attempting to use them.
d61ff83b 3701 */
6dbb6219
DSH		 3702
3703/* Flags which need to be set for a certificate when stict mode not set */
3704
e481f9b9 3705#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3706 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3707/* Strict mode flags */
e481f9b9 3708#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3709 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3710 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3711
d61ff83b 3712int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3713 int idx)
3714{
3715 int i;
3716 int rv = 0;
3717 int check_flags = 0, strict_mode;
3718 CERT_PKEY *cpk = NULL;
3719 CERT *c = s->cert;
f7d53487 3720 uint32_t *pvalid;
0f113f3e
MC		 3721 unsigned int suiteb_flags = tls1_suiteb(s);
3722 /* idx == -1 means checking server chains */
3723 if (idx != -1) {
3724 /* idx == -2 means checking client certificate chains */
3725 if (idx == -2) {
3726 cpk = c->key;
3727 idx = cpk - c->pkeys;
3728 } else
3729 cpk = c->pkeys + idx;
6383d316 3730 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3731 x = cpk->x509;
3732 pk = cpk->privatekey;
3733 chain = cpk->chain;
3734 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3735 /* If no cert or key, forget it */
3736 if (!x || !pk)
3737 goto end;
0f113f3e
MC		 3738 } else {
3739 if (!x || !pk)
d813f9eb 3740 return 0;
0f113f3e
MC		 3741 idx = ssl_cert_type(x, pk);
3742 if (idx == -1)
d813f9eb 3743 return 0;
6383d316
DSH		 3744 pvalid = s->s3->tmp.valid_flags + idx;
3745
0f113f3e
MC		 3746 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3747 check_flags = CERT_PKEY_STRICT_FLAGS;
3748 else
3749 check_flags = CERT_PKEY_VALID_FLAGS;
3750 strict_mode = 1;
3751 }
3752
3753 if (suiteb_flags) {
3754 int ok;
3755 if (check_flags)
3756 check_flags |= CERT_PKEY_SUITEB;
3757 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3758 if (ok == X509_V_OK)
3759 rv |= CERT_PKEY_SUITEB;
3760 else if (!check_flags)
3761 goto end;
3762 }
3763
3764 /*
3765 * Check all signature algorithms are consistent with signature
3766 * algorithms extension if TLS 1.2 or later and strict mode.
3767 */
3768 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3769 int default_nid;
3770 unsigned char rsign = 0;
76106e60 3771 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3772 default_nid = 0;
3773 /* If no sigalgs extension use defaults from RFC5246 */
3774 else {
3775 switch (idx) {
3776 case SSL_PKEY_RSA_ENC:
3777 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 3778 rsign = TLSEXT_signature_rsa;
3779 default_nid = NID_sha1WithRSAEncryption;
3780 break;
3781
3782 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 3783 rsign = TLSEXT_signature_dsa;
3784 default_nid = NID_dsaWithSHA1;
3785 break;
3786
3787 case SSL_PKEY_ECC:
3788 rsign = TLSEXT_signature_ecdsa;
3789 default_nid = NID_ecdsa_with_SHA1;
3790 break;
3791
e44380a9
DB		 3792 case SSL_PKEY_GOST01:
3793 rsign = TLSEXT_signature_gostr34102001;
3794 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3795 break;
3796
3797 case SSL_PKEY_GOST12_256:
3798 rsign = TLSEXT_signature_gostr34102012_256;
3799 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3800 break;
3801
3802 case SSL_PKEY_GOST12_512:
3803 rsign = TLSEXT_signature_gostr34102012_512;
3804 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3805 break;
3806
0f113f3e
MC		 3807 default:
3808 default_nid = -1;
3809 break;
3810 }
3811 }
3812 /*
3813 * If peer sent no signature algorithms extension and we have set
3814 * preferred signature algorithms check we support sha1.
3815 */
3816 if (default_nid > 0 && c->conf_sigalgs) {
3817 size_t j;
3818 const unsigned char *p = c->conf_sigalgs;
3819 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3820 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3821 break;
3822 }
3823 if (j == c->conf_sigalgslen) {
3824 if (check_flags)
3825 goto skip_sigs;
3826 else
3827 goto end;
3828 }
3829 }
3830 /* Check signature algorithm of each cert in chain */
3831 if (!tls1_check_sig_alg(c, x, default_nid)) {
3832 if (!check_flags)
3833 goto end;
3834 } else
3835 rv |= CERT_PKEY_EE_SIGNATURE;
3836 rv |= CERT_PKEY_CA_SIGNATURE;
3837 for (i = 0; i < sk_X509_num(chain); i++) {
3838 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3839 if (check_flags) {
3840 rv &= ~CERT_PKEY_CA_SIGNATURE;
3841 break;
3842 } else
3843 goto end;
3844 }
3845 }
3846 }
3847 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3848 else if (check_flags)
3849 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3850 skip_sigs:
3851 /* Check cert parameters are consistent */
3852 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3853 rv |= CERT_PKEY_EE_PARAM;
3854 else if (!check_flags)
3855 goto end;
3856 if (!s->server)
3857 rv |= CERT_PKEY_CA_PARAM;
3858 /* In strict mode check rest of chain too */
3859 else if (strict_mode) {
3860 rv |= CERT_PKEY_CA_PARAM;
3861 for (i = 0; i < sk_X509_num(chain); i++) {
3862 X509 *ca = sk_X509_value(chain, i);
3863 if (!tls1_check_cert_param(s, ca, 0)) {
3864 if (check_flags) {
3865 rv &= ~CERT_PKEY_CA_PARAM;
3866 break;
3867 } else
3868 goto end;
3869 }
3870 }
3871 }
3872 if (!s->server && strict_mode) {
3873 STACK_OF(X509_NAME) *ca_dn;
3874 int check_type = 0;
3aeb9348 3875 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 3876 case EVP_PKEY_RSA:
3877 check_type = TLS_CT_RSA_SIGN;
3878 break;
3879 case EVP_PKEY_DSA:
3880 check_type = TLS_CT_DSS_SIGN;
3881 break;
3882 case EVP_PKEY_EC:
3883 check_type = TLS_CT_ECDSA_SIGN;
3884 break;
0f113f3e
MC		 3885 }
3886 if (check_type) {
3887 const unsigned char *ctypes;
3888 int ctypelen;
3889 if (c->ctypes) {
3890 ctypes = c->ctypes;
3891 ctypelen = (int)c->ctype_num;
3892 } else {
3893 ctypes = (unsigned char *)s->s3->tmp.ctype;
3894 ctypelen = s->s3->tmp.ctype_num;
3895 }
3896 for (i = 0; i < ctypelen; i++) {
3897 if (ctypes[i] == check_type) {
3898 rv |= CERT_PKEY_CERT_TYPE;
3899 break;
3900 }
3901 }
3902 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3903 goto end;
3904 } else
3905 rv |= CERT_PKEY_CERT_TYPE;
3906
3907 ca_dn = s->s3->tmp.ca_names;
3908
3909 if (!sk_X509_NAME_num(ca_dn))
3910 rv |= CERT_PKEY_ISSUER_NAME;
3911
3912 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3913 if (ssl_check_ca_name(ca_dn, x))
3914 rv |= CERT_PKEY_ISSUER_NAME;
3915 }
3916 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3917 for (i = 0; i < sk_X509_num(chain); i++) {
3918 X509 *xtmp = sk_X509_value(chain, i);
3919 if (ssl_check_ca_name(ca_dn, xtmp)) {
3920 rv |= CERT_PKEY_ISSUER_NAME;
3921 break;
3922 }
3923 }
3924 }
3925 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3926 goto end;
3927 } else
3928 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3929
3930 if (!check_flags || (rv & check_flags) == check_flags)
3931 rv |= CERT_PKEY_VALID;
3932
3933 end:
3934
3935 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 3936 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 3937 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 3938 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 3939 rv |= CERT_PKEY_SIGN;
3940 } else
3941 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3942
3943 /*
3944 * When checking a CERT_PKEY structure all flags are irrelevant if the
3945 * chain is invalid.
3946 */
3947 if (!check_flags) {
3948 if (rv & CERT_PKEY_VALID)
6383d316 3949 *pvalid = rv;
0f113f3e
MC		 3950 else {
3951 /* Preserve explicit sign flag, clear rest */
6383d316 3952 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 3953 return 0;
3954 }
3955 }
3956 return rv;
3957}
d61ff83b
DSH		 3958
3959/* Set validity of certificates in an SSL structure */
3960void tls1_set_cert_validity(SSL *s)
0f113f3e 3961{
17dd65e6
MC		 3962 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3963 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3964 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 3965 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 3966 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3967 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3968 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 3969}
3970
18d71588
DSH		 3971/* User level utiity function to check a chain is suitable */
3972int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 3973{
3974 return tls1_check_chain(s, x, pk, chain, -1);
3975}
d61ff83b 3976
09599b52
DSH		 3977#ifndef OPENSSL_NO_DH
3978DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 3979{
3980 int dh_secbits = 80;
3981 if (s->cert->dh_tmp_auto == 2)
3982 return DH_get_1024_160();
adc5506a 3983 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 3984 if (s->s3->tmp.new_cipher->strength_bits == 256)
3985 dh_secbits = 128;
3986 else
3987 dh_secbits = 80;
3988 } else {
3989 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3990 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3991 }
3992
3993 if (dh_secbits >= 128) {
3994 DH *dhp = DH_new();
0aeddcfa 3995 BIGNUM *p, *g;
a71edf3b 3996 if (dhp == NULL)
0f113f3e 3997 return NULL;
0aeddcfa
MC		 3998 g = BN_new();
3999 if (g != NULL)
4000 BN_set_word(g, 2);
0f113f3e 4001 if (dh_secbits >= 192)
9021a5df 4002 p = BN_get_rfc3526_prime_8192(NULL);
0f113f3e 4003 else
9021a5df 4004 p = BN_get_rfc3526_prime_3072(NULL);
0aeddcfa 4005 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
0f113f3e 4006 DH_free(dhp);
0aeddcfa
MC		 4007 BN_free(p);
4008 BN_free(g);
0f113f3e
MC		 4009 return NULL;
4010 }
4011 return dhp;
4012 }
4013 if (dh_secbits >= 112)
4014 return DH_get_2048_224();
4015 return DH_get_1024_160();
4016}
09599b52 4017#endif
b362ccab
DSH		 4018
4019static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4020{
72245f34 4021 int secbits = -1;
8382fd3a 4022 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4023 if (pkey) {
72245f34
DSH		 4024 /*
4025 * If no parameters this will return -1 and fail using the default
4026 * security callback for any non-zero security level. This will
4027 * reject keys which omit parameters but this only affects DSA and
4028 * omission of parameters is never (?) done in practice.
4029 */
0f113f3e 4030 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4031 }
0f113f3e
MC		 4032 if (s)
4033 return ssl_security(s, op, secbits, 0, x);
4034 else
4035 return ssl_ctx_security(ctx, op, secbits, 0, x);
4036}
b362ccab
DSH		 4037
4038static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4039{
4040 /* Lookup signature algorithm digest */
4041 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4042 /* Don't check signature if self signed */
4043 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4044 return 1;
0f113f3e
MC		 4045 sig_nid = X509_get_signature_nid(x);
4046 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4047 const EVP_MD *md;
4048 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4049 secbits = EVP_MD_size(md) * 4;
4050 }
4051 if (s)
4052 return ssl_security(s, op, secbits, md_nid, x);
4053 else
4054 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4055}
b362ccab
DSH		 4056
4057int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4058{
4059 if (vfy)
4060 vfy = SSL_SECOP_PEER;
4061 if (is_ee) {
4062 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4063 return SSL_R_EE_KEY_TOO_SMALL;
4064 } else {
4065 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4066 return SSL_R_CA_KEY_TOO_SMALL;
4067 }
4068 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4069 return SSL_R_CA_MD_TOO_WEAK;
4070 return 1;
4071}
4072
4073/*
4074 * Check security of a chain, if sk includes the end entity certificate then
4075 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4076 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4077 */
4078
4079int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4080{
4081 int rv, start_idx, i;
4082 if (x == NULL) {
4083 x = sk_X509_value(sk, 0);
4084 start_idx = 1;
4085 } else
4086 start_idx = 0;
4087
4088 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4089 if (rv != 1)
4090 return rv;
4091
4092 for (i = start_idx; i < sk_X509_num(sk); i++) {
4093 x = sk_X509_value(sk, i);
4094 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4095 if (rv != 1)
4096 return rv;
4097 }
4098 return 1;
4099}
A mirror of the official openssl repository