]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
x86_64 assembly pack: tune clang version detection.
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
6434abbf 124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
2daceb03 127static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 128int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 129
0f113f3e
MC		 130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 tls1_cert_verify_mac,
139 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
140 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
141 tls1_alert_code,
142 tls1_export_keying_material,
143 0,
144 SSL3_HM_HEADER_LENGTH,
145 ssl3_set_handshake_header,
146 ssl3_handshake_write
147};
148
149SSL3_ENC_METHOD const TLSv1_1_enc_data = {
150 tls1_enc,
151 tls1_mac,
152 tls1_setup_key_block,
153 tls1_generate_master_secret,
154 tls1_change_cipher_state,
155 tls1_final_finish_mac,
156 TLS1_FINISH_MAC_LENGTH,
157 tls1_cert_verify_mac,
158 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
159 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
160 tls1_alert_code,
161 tls1_export_keying_material,
162 SSL_ENC_FLAG_EXPLICIT_IV,
163 SSL3_HM_HEADER_LENGTH,
164 ssl3_set_handshake_header,
165 ssl3_handshake_write
166};
167
168SSL3_ENC_METHOD const TLSv1_2_enc_data = {
169 tls1_enc,
170 tls1_mac,
171 tls1_setup_key_block,
172 tls1_generate_master_secret,
173 tls1_change_cipher_state,
174 tls1_final_finish_mac,
175 TLS1_FINISH_MAC_LENGTH,
176 tls1_cert_verify_mac,
177 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
178 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
179 tls1_alert_code,
180 tls1_export_keying_material,
181 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
182 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
183 SSL3_HM_HEADER_LENGTH,
184 ssl3_set_handshake_header,
185 ssl3_handshake_write
186};
58964a49 187
f3b656b2 188long tls1_default_timeout(void)
0f113f3e
MC		 189{
190 /*
191 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
192 * http, the cache would over fill
193 */
194 return (60 * 60 * 2);
195}
58964a49 196
6b691a5c 197int tls1_new(SSL *s)
0f113f3e
MC		 198{
199 if (!ssl3_new(s))
200 return (0);
201 s->method->ssl_clear(s);
202 return (1);
203}
58964a49 204
6b691a5c 205void tls1_free(SSL *s)
0f113f3e 206{
b548a1f1 207 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 208 ssl3_free(s);
209}
58964a49 210
6b691a5c 211void tls1_clear(SSL *s)
0f113f3e
MC		 212{
213 ssl3_clear(s);
214 s->version = s->method->version;
215}
58964a49 216
525de5d3 217#ifndef OPENSSL_NO_EC
eda3766b 218
0f113f3e
MC		 219typedef struct {
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
223} tls_curve_info;
224
225# define TLS_CURVE_CHAR2 0x1
226# define TLS_CURVE_PRIME 0x0
227
228static const tls_curve_info nid_list[] = {
229 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
230 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
231 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
232 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
233 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
234 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
235 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
236 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
237 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
238 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
239 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
240 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
241 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
242 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
243 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
244 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
245 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
246 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
247 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
248 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
249 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
250 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
251 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
252 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
253 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
254 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
255 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
256 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
257};
258
259static const unsigned char ecformats_default[] = {
260 TLSEXT_ECPOINTFORMAT_uncompressed,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263};
264
de57d237
EK		 265/* The client's default curves / the server's 'auto' curves. */
266static const unsigned char eccurves_auto[] = {
267 /* Prefer P-256 which has the fastest and most secure implementations. */
268 0, 23, /* secp256r1 (23) */
269 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 270 0, 25, /* secp521r1 (25) */
271 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 272 0, 27, /* brainpoolP384r1 (27) */
273 0, 24, /* secp384r1 (24) */
de57d237
EK		 274 0, 26, /* brainpoolP256r1 (26) */
275 0, 22, /* secp256k1 (22) */
276 /* >= 256-bit binary curves. */
277 0, 14, /* sect571r1 (14) */
278 0, 13, /* sect571k1 (13) */
279 0, 11, /* sect409k1 (11) */
280 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 281 0, 9, /* sect283k1 (9) */
282 0, 10, /* sect283r1 (10) */
de57d237
EK		 283};
284
285static const unsigned char eccurves_all[] = {
286 /* Prefer P-256 which has the fastest and most secure implementations. */
287 0, 23, /* secp256r1 (23) */
288 /* Other >= 256-bit prime curves. */
289 0, 25, /* secp521r1 (25) */
290 0, 28, /* brainpool512r1 (28) */
291 0, 27, /* brainpoolP384r1 (27) */
292 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 293 0, 26, /* brainpoolP256r1 (26) */
294 0, 22, /* secp256k1 (22) */
de57d237
EK		 295 /* >= 256-bit binary curves. */
296 0, 14, /* sect571r1 (14) */
297 0, 13, /* sect571k1 (13) */
298 0, 11, /* sect409k1 (11) */
299 0, 12, /* sect409r1 (12) */
300 0, 9, /* sect283k1 (9) */
301 0, 10, /* sect283r1 (10) */
302 /*
303 * Remaining curves disabled by default but still permitted if set
304 * via an explicit callback or parameters.
305 */
306 0, 20, /* secp224k1 (20) */
307 0, 21, /* secp224r1 (21) */
308 0, 18, /* secp192k1 (18) */
309 0, 19, /* secp192r1 (19) */
310 0, 15, /* secp160k1 (15) */
311 0, 16, /* secp160r1 (16) */
312 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 313 0, 8, /* sect239k1 (8) */
314 0, 6, /* sect233k1 (6) */
315 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 316 0, 4, /* sect193r1 (4) */
317 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 318 0, 1, /* sect163k1 (1) */
319 0, 2, /* sect163r1 (2) */
320 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 321};
322
de57d237 323
0f113f3e
MC		 324static const unsigned char suiteb_curves[] = {
325 0, TLSEXT_curve_P_256,
326 0, TLSEXT_curve_P_384
327};
2ea80354 328
525de5d3 329int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 330{
331 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 332 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 333 return 0;
334 return nid_list[curve_id - 1].nid;
335}
525de5d3
DSH		 336
337int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 338{
339 /* ECC curves from RFC 4492 and RFC 7027 */
340 switch (nid) {
341 case NID_sect163k1: /* sect163k1 (1) */
342 return 1;
343 case NID_sect163r1: /* sect163r1 (2) */
344 return 2;
345 case NID_sect163r2: /* sect163r2 (3) */
346 return 3;
347 case NID_sect193r1: /* sect193r1 (4) */
348 return 4;
349 case NID_sect193r2: /* sect193r2 (5) */
350 return 5;
351 case NID_sect233k1: /* sect233k1 (6) */
352 return 6;
353 case NID_sect233r1: /* sect233r1 (7) */
354 return 7;
355 case NID_sect239k1: /* sect239k1 (8) */
356 return 8;
357 case NID_sect283k1: /* sect283k1 (9) */
358 return 9;
359 case NID_sect283r1: /* sect283r1 (10) */
360 return 10;
361 case NID_sect409k1: /* sect409k1 (11) */
362 return 11;
363 case NID_sect409r1: /* sect409r1 (12) */
364 return 12;
365 case NID_sect571k1: /* sect571k1 (13) */
366 return 13;
367 case NID_sect571r1: /* sect571r1 (14) */
368 return 14;
369 case NID_secp160k1: /* secp160k1 (15) */
370 return 15;
371 case NID_secp160r1: /* secp160r1 (16) */
372 return 16;
373 case NID_secp160r2: /* secp160r2 (17) */
374 return 17;
375 case NID_secp192k1: /* secp192k1 (18) */
376 return 18;
377 case NID_X9_62_prime192v1: /* secp192r1 (19) */
378 return 19;
379 case NID_secp224k1: /* secp224k1 (20) */
380 return 20;
381 case NID_secp224r1: /* secp224r1 (21) */
382 return 21;
383 case NID_secp256k1: /* secp256k1 (22) */
384 return 22;
385 case NID_X9_62_prime256v1: /* secp256r1 (23) */
386 return 23;
387 case NID_secp384r1: /* secp384r1 (24) */
388 return 24;
389 case NID_secp521r1: /* secp521r1 (25) */
390 return 25;
391 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
392 return 26;
393 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
394 return 27;
395 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
396 return 28;
397 default:
398 return 0;
399 }
400}
401
740580c2
EK		 402/*
403 * Get curves list, if "sess" is set return client curves otherwise
404 * preferred list.
405 * Sets |num_curves| to the number of curves in the list, i.e.,
406 * the length of |pcurves| is 2 * num_curves.
407 * Returns 1 on success and 0 if the client curves list has invalid format.
408 * The latter indicates an internal error: we should not be accepting such
409 * lists in the first place.
410 * TODO(emilia): we should really be storing the curves list in explicitly
411 * parsed form instead. (However, this would affect binary compatibility
412 * so cannot happen in the 1.0.x series.)
fd2b65ce 413 */
740580c2 414static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 415 const unsigned char **pcurves,
416 size_t *num_curves)
417{
418 size_t pcurveslen = 0;
419 if (sess) {
420 *pcurves = s->session->tlsext_ellipticcurvelist;
421 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
422 } else {
423 /* For Suite B mode only include P-256, P-384 */
424 switch (tls1_suiteb(s)) {
425 case SSL_CERT_FLAG_SUITEB_128_LOS:
426 *pcurves = suiteb_curves;
427 pcurveslen = sizeof(suiteb_curves);
428 break;
429
430 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
431 *pcurves = suiteb_curves;
432 pcurveslen = 2;
433 break;
434
435 case SSL_CERT_FLAG_SUITEB_192_LOS:
436 *pcurves = suiteb_curves + 2;
437 pcurveslen = 2;
438 break;
439 default:
440 *pcurves = s->tlsext_ellipticcurvelist;
441 pcurveslen = s->tlsext_ellipticcurvelist_length;
442 }
443 if (!*pcurves) {
6329b609 444 if (!s->server || s->cert->ecdh_tmp_auto) {
de57d237
EK		 445 *pcurves = eccurves_auto;
446 pcurveslen = sizeof(eccurves_auto);
447 } else {
448 *pcurves = eccurves_all;
449 pcurveslen = sizeof(eccurves_all);
450 }
0f113f3e
MC		 451 }
452 }
453
454 /* We do not allow odd length arrays to enter the system. */
455 if (pcurveslen & 1) {
456 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
457 *num_curves = 0;
458 return 0;
459 } else {
460 *num_curves = pcurveslen / 2;
461 return 1;
462 }
463}
b362ccab
DSH		 464
465/* See if curve is allowed by security callback */
466static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 467{
468 const tls_curve_info *cinfo;
469 if (curve[0])
470 return 1;
b6eb9827 471 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 472 return 0;
473 cinfo = &nid_list[curve[1] - 1];
474# ifdef OPENSSL_NO_EC2M
475 if (cinfo->flags & TLS_CURVE_CHAR2)
476 return 0;
477# endif
478 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
479}
b362ccab 480
d18b716d
DSH		 481/* Check a curve is one of our preferences */
482int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 483{
484 const unsigned char *curves;
485 size_t num_curves, i;
486 unsigned int suiteb_flags = tls1_suiteb(s);
487 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
488 return 0;
489 /* Check curve matches Suite B preferences */
490 if (suiteb_flags) {
491 unsigned long cid = s->s3->tmp.new_cipher->id;
492 if (p[1])
493 return 0;
494 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
495 if (p[2] != TLSEXT_curve_P_256)
496 return 0;
497 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
498 if (p[2] != TLSEXT_curve_P_384)
499 return 0;
500 } else /* Should never happen */
501 return 0;
502 }
503 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
504 return 0;
505 for (i = 0; i < num_curves; i++, curves += 2) {
506 if (p[1] == curves[0] && p[2] == curves[1])
507 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
508 }
509 return 0;
510}
d0595f17 511
1d97c843 512/*-
376e2ca3
EK		 513 * Return |nmatch|th shared curve or NID_undef if there is no match.
514 * For nmatch == -1, return number of matches
515 * For nmatch == -2, return the NID of the curve to use for
516 * an EC tmp key, or NID_undef if there is no match.
d0595f17 517 */
a4352630 518int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 519{
520 const unsigned char *pref, *supp;
521 size_t num_pref, num_supp, i, j;
522 int k;
523 /* Can't do anything on client side */
524 if (s->server == 0)
525 return -1;
526 if (nmatch == -2) {
527 if (tls1_suiteb(s)) {
528 /*
529 * For Suite B ciphersuite determines curve: we already know
530 * these are acceptable due to previous checks.
531 */
532 unsigned long cid = s->s3->tmp.new_cipher->id;
533 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
534 return NID_X9_62_prime256v1; /* P-256 */
535 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
536 return NID_secp384r1; /* P-384 */
537 /* Should never happen */
538 return NID_undef;
539 }
540 /* If not Suite B just return first preference shared curve */
541 nmatch = 0;
542 }
543 /*
544 * Avoid truncation. tls1_get_curvelist takes an int
545 * but s->options is a long...
546 */
547 if (!tls1_get_curvelist
548 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
549 &num_supp))
550 /* In practice, NID_undef == 0 but let's be precise. */
551 return nmatch == -1 ? 0 : NID_undef;
552 if (!tls1_get_curvelist
553 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
554 &num_pref))
555 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 556
557 /*
558 * If the client didn't send the elliptic_curves extension all of them
559 * are allowed.
560 */
561 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
562 supp = eccurves_all;
563 num_supp = sizeof(eccurves_all) / 2;
564 } else if (num_pref == 0 &&
565 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
566 pref = eccurves_all;
567 num_pref = sizeof(eccurves_all) / 2;
568 }
569
0f113f3e
MC		 570 k = 0;
571 for (i = 0; i < num_pref; i++, pref += 2) {
572 const unsigned char *tsupp = supp;
573 for (j = 0; j < num_supp; j++, tsupp += 2) {
574 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
575 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
576 continue;
577 if (nmatch == k) {
578 int id = (pref[0] << 8) | pref[1];
579 return tls1_ec_curve_id2nid(id);
580 }
581 k++;
582 }
583 }
584 }
585 if (nmatch == -1)
586 return k;
587 /* Out of range (nmatch > k). */
588 return NID_undef;
589}
d0595f17
DSH		 590
591int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 592 int *curves, size_t ncurves)
593{
594 unsigned char *clist, *p;
595 size_t i;
596 /*
597 * Bitmap of curves included to detect duplicates: only works while curve
598 * ids < 32
599 */
600 unsigned long dup_list = 0;
601 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 602 if (clist == NULL)
0f113f3e
MC		 603 return 0;
604 for (i = 0, p = clist; i < ncurves; i++) {
605 unsigned long idmask;
606 int id;
607 id = tls1_ec_nid2curve_id(curves[i]);
608 idmask = 1L << id;
609 if (!id || (dup_list & idmask)) {
610 OPENSSL_free(clist);
611 return 0;
612 }
613 dup_list |= idmask;
614 s2n(id, p);
615 }
b548a1f1 616 OPENSSL_free(*pext);
0f113f3e
MC		 617 *pext = clist;
618 *pextlen = ncurves * 2;
619 return 1;
620}
621
622# define MAX_CURVELIST 28
623
624typedef struct {
625 size_t nidcnt;
626 int nid_arr[MAX_CURVELIST];
627} nid_cb_st;
d0595f17
DSH		 628
629static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 630{
631 nid_cb_st *narg = arg;
632 size_t i;
633 int nid;
634 char etmp[20];
2747d73c
KR		 635 if (elem == NULL)
636 return 0;
0f113f3e
MC		 637 if (narg->nidcnt == MAX_CURVELIST)
638 return 0;
639 if (len > (int)(sizeof(etmp) - 1))
640 return 0;
641 memcpy(etmp, elem, len);
642 etmp[len] = 0;
643 nid = EC_curve_nist2nid(etmp);
644 if (nid == NID_undef)
645 nid = OBJ_sn2nid(etmp);
646 if (nid == NID_undef)
647 nid = OBJ_ln2nid(etmp);
648 if (nid == NID_undef)
649 return 0;
650 for (i = 0; i < narg->nidcnt; i++)
651 if (narg->nid_arr[i] == nid)
652 return 0;
653 narg->nid_arr[narg->nidcnt++] = nid;
654 return 1;
655}
656
d0595f17 657/* Set curves based on a colon separate list */
0f113f3e
MC		 658int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
659 const char *str)
660{
661 nid_cb_st ncb;
662 ncb.nidcnt = 0;
663 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
664 return 0;
665 if (pext == NULL)
666 return 1;
667 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
668}
669
fd2b65ce
DSH		 670/* For an EC key set TLS id and required compression based on parameters */
671static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 672 EC_KEY *ec)
673{
674 int is_prime, id;
675 const EC_GROUP *grp;
676 const EC_METHOD *meth;
677 if (!ec)
678 return 0;
679 /* Determine if it is a prime field */
680 grp = EC_KEY_get0_group(ec);
681 if (!grp)
682 return 0;
683 meth = EC_GROUP_method_of(grp);
684 if (!meth)
685 return 0;
686 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
687 is_prime = 1;
688 else
689 is_prime = 0;
690 /* Determine curve ID */
691 id = EC_GROUP_get_curve_name(grp);
692 id = tls1_ec_nid2curve_id(id);
693 /* If we have an ID set it, otherwise set arbitrary explicit curve */
694 if (id) {
695 curve_id[0] = 0;
696 curve_id[1] = (unsigned char)id;
697 } else {
698 curve_id[0] = 0xff;
699 if (is_prime)
700 curve_id[1] = 0x01;
701 else
702 curve_id[1] = 0x02;
703 }
704 if (comp_id) {
705 if (EC_KEY_get0_public_key(ec) == NULL)
706 return 0;
707 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
708 if (is_prime)
709 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
710 else
711 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
712 } else
713 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
714 }
715 return 1;
716}
717
fd2b65ce
DSH		 718/* Check an EC key is compatible with extensions */
719static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 720 unsigned char *curve_id, unsigned char *comp_id)
721{
722 const unsigned char *pformats, *pcurves;
723 size_t num_formats, num_curves, i;
724 int j;
725 /*
726 * If point formats extension present check it, otherwise everything is
727 * supported (see RFC4492).
728 */
729 if (comp_id && s->session->tlsext_ecpointformatlist) {
730 pformats = s->session->tlsext_ecpointformatlist;
731 num_formats = s->session->tlsext_ecpointformatlist_length;
732 for (i = 0; i < num_formats; i++, pformats++) {
733 if (*comp_id == *pformats)
734 break;
735 }
736 if (i == num_formats)
737 return 0;
738 }
739 if (!curve_id)
740 return 1;
741 /* Check curve is consistent with client and server preferences */
742 for (j = 0; j <= 1; j++) {
743 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
744 return 0;
b79d2410
MC		 745 if (j == 1 && num_curves == 0) {
746 /*
747 * If we've not received any curves then skip this check.
748 * RFC 4492 does not require the supported elliptic curves extension
749 * so if it is not sent we can just choose any curve.
750 * It is invalid to send an empty list in the elliptic curves
751 * extension, so num_curves == 0 always means no extension.
752 */
753 break;
754 }
0f113f3e
MC		 755 for (i = 0; i < num_curves; i++, pcurves += 2) {
756 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
757 break;
758 }
759 if (i == num_curves)
760 return 0;
761 /* For clients can only check sent curve list */
762 if (!s->server)
763 break;
764 }
765 return 1;
766}
d61ff83b 767
5087afa1 768static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 769 size_t *num_formats)
770{
771 /*
772 * If we have a custom point format list use it otherwise use default
773 */
774 if (s->tlsext_ecpointformatlist) {
775 *pformats = s->tlsext_ecpointformatlist;
776 *num_formats = s->tlsext_ecpointformatlist_length;
777 } else {
778 *pformats = ecformats_default;
779 /* For Suite B we don't support char2 fields */
780 if (tls1_suiteb(s))
781 *num_formats = sizeof(ecformats_default) - 1;
782 else
783 *num_formats = sizeof(ecformats_default);
784 }
785}
786
787/*
788 * Check cert parameters compatible with extensions: currently just checks EC
789 * certificates have compatible curves and compression.
d61ff83b 790 */
2ea80354 791static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 792{
793 unsigned char comp_id, curve_id[2];
794 EVP_PKEY *pkey;
795 int rv;
796 pkey = X509_get_pubkey(x);
797 if (!pkey)
798 return 0;
799 /* If not EC nothing to do */
800 if (pkey->type != EVP_PKEY_EC) {
801 EVP_PKEY_free(pkey);
802 return 1;
803 }
804 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
805 EVP_PKEY_free(pkey);
806 if (!rv)
807 return 0;
808 /*
809 * Can't check curve_id for client certs as we don't have a supported
810 * curves extension.
811 */
812 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
813 if (!rv)
814 return 0;
815 /*
816 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
817 * SHA384+P-384, adjust digest if necessary.
818 */
819 if (set_ee_md && tls1_suiteb(s)) {
820 int check_md;
821 size_t i;
822 CERT *c = s->cert;
823 if (curve_id[0])
824 return 0;
825 /* Check to see we have necessary signing algorithm */
826 if (curve_id[1] == TLSEXT_curve_P_256)
827 check_md = NID_ecdsa_with_SHA256;
828 else if (curve_id[1] == TLSEXT_curve_P_384)
829 check_md = NID_ecdsa_with_SHA384;
830 else
831 return 0; /* Should never happen */
832 for (i = 0; i < c->shared_sigalgslen; i++)
833 if (check_md == c->shared_sigalgs[i].signandhash_nid)
834 break;
835 if (i == c->shared_sigalgslen)
836 return 0;
837 if (set_ee_md == 2) {
838 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 839 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 840 else
d376e57d 841 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 842 }
843 }
844 return rv;
845}
846
10bf4fc2 847# ifndef OPENSSL_NO_EC
fd2b65ce 848/* Check EC temporary key is compatible with client extensions */
2ea80354 849int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e
MC		 850{
851 unsigned char curve_id[2];
852 EC_KEY *ec = s->cert->ecdh_tmp;
853# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
854 /* Allow any curve: not just those peer supports */
855 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
856 return 1;
857# endif
858 /*
859 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
860 * curves permitted.
861 */
862 if (tls1_suiteb(s)) {
863 /* Curve to check determined by ciphersuite */
864 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
865 curve_id[1] = TLSEXT_curve_P_256;
866 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
867 curve_id[1] = TLSEXT_curve_P_384;
868 else
869 return 0;
870 curve_id[0] = 0;
871 /* Check this curve is acceptable */
872 if (!tls1_check_ec_key(s, curve_id, NULL))
873 return 0;
874 /* If auto or setting curve from callback assume OK */
875 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
876 return 1;
877 /* Otherwise check curve is acceptable */
878 else {
879 unsigned char curve_tmp[2];
880 if (!ec)
881 return 0;
882 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
883 return 0;
884 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
885 return 1;
886 return 0;
887 }
888
889 }
890 if (s->cert->ecdh_tmp_auto) {
891 /* Need a shared curve */
892 if (tls1_shared_curve(s, 0))
893 return 1;
894 else
895 return 0;
896 }
897 if (!ec) {
898 if (s->cert->ecdh_tmp_cb)
899 return 1;
900 else
901 return 0;
902 }
903 if (!tls1_set_ec_id(curve_id, NULL, ec))
904 return 0;
d18b716d 905/* Set this to allow use of invalid curves for testing */
0f113f3e
MC		 906# if 0
907 return 1;
908# else
909 return tls1_check_ec_key(s, curve_id, NULL);
910# endif
911}
10bf4fc2 912# endif /* OPENSSL_NO_EC */
d0595f17 913
14536c8c
DSH		 914#else
915
916static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 917{
918 return 1;
919}
14536c8c 920
0f113f3e 921#endif /* OPENSSL_NO_EC */
f1fd4544 922
0f113f3e
MC		 923/*
924 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 925 * customisable at some point, for now include everything we support.
926 */
927
e481f9b9
MC		 928#ifdef OPENSSL_NO_RSA
929# define tlsext_sigalg_rsa(md) /* */
930#else
931# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
932#endif
0f113f3e 933
e481f9b9
MC		 934#ifdef OPENSSL_NO_DSA
935# define tlsext_sigalg_dsa(md) /* */
936#else
937# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
938#endif
0f113f3e 939
e481f9b9
MC		 940#ifdef OPENSSL_NO_EC
941# define tlsext_sigalg_ecdsa(md) /* */
942#else
943# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
944#endif
0f113f3e 945
e481f9b9 946#define tlsext_sigalg(md) \
0f113f3e
MC		 947 tlsext_sigalg_rsa(md) \
948 tlsext_sigalg_dsa(md) \
949 tlsext_sigalg_ecdsa(md)
fc101f88 950
d97ed219 951static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 952 tlsext_sigalg(TLSEXT_hash_sha512)
953 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 954 tlsext_sigalg(TLSEXT_hash_sha256)
955 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 956 tlsext_sigalg(TLSEXT_hash_sha1)
fc101f88 957};
0f113f3e 958
e481f9b9 959#ifndef OPENSSL_NO_EC
d97ed219 960static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 961 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
962 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 963};
e481f9b9 964#endif
b7bfe69b 965size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 966{
967 /*
968 * If Suite B mode use Suite B sigalgs only, ignore any other
969 * preferences.
970 */
e481f9b9 971#ifndef OPENSSL_NO_EC
0f113f3e
MC		 972 switch (tls1_suiteb(s)) {
973 case SSL_CERT_FLAG_SUITEB_128_LOS:
974 *psigs = suiteb_sigalgs;
975 return sizeof(suiteb_sigalgs);
976
977 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
978 *psigs = suiteb_sigalgs;
979 return 2;
980
981 case SSL_CERT_FLAG_SUITEB_192_LOS:
982 *psigs = suiteb_sigalgs + 2;
983 return 2;
984 }
e481f9b9 985#endif
0f113f3e
MC		 986 /* If server use client authentication sigalgs if not NULL */
987 if (s->server && s->cert->client_sigalgs) {
988 *psigs = s->cert->client_sigalgs;
989 return s->cert->client_sigalgslen;
990 } else if (s->cert->conf_sigalgs) {
991 *psigs = s->cert->conf_sigalgs;
992 return s->cert->conf_sigalgslen;
993 } else {
994 *psigs = tls12_sigalgs;
995 return sizeof(tls12_sigalgs);
996 }
997}
998
999/*
1000 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 1001 * algorithms and if so return relevant digest.
1002 */
1003int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 1004 const unsigned char *sig, EVP_PKEY *pkey)
1005{
1006 const unsigned char *sent_sigs;
1007 size_t sent_sigslen, i;
1008 int sigalg = tls12_get_sigid(pkey);
1009 /* Should never happen */
1010 if (sigalg == -1)
1011 return -1;
1012 /* Check key type is consistent with signature */
1013 if (sigalg != (int)sig[1]) {
1014 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1015 return 0;
1016 }
e481f9b9 1017#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1018 if (pkey->type == EVP_PKEY_EC) {
1019 unsigned char curve_id[2], comp_id;
1020 /* Check compression and curve matches extensions */
1021 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1022 return 0;
1023 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1024 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1025 return 0;
1026 }
1027 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1028 if (tls1_suiteb(s)) {
1029 if (curve_id[0])
1030 return 0;
1031 if (curve_id[1] == TLSEXT_curve_P_256) {
1032 if (sig[0] != TLSEXT_hash_sha256) {
1033 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1034 SSL_R_ILLEGAL_SUITEB_DIGEST);
1035 return 0;
1036 }
1037 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1038 if (sig[0] != TLSEXT_hash_sha384) {
1039 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1040 SSL_R_ILLEGAL_SUITEB_DIGEST);
1041 return 0;
1042 }
1043 } else
1044 return 0;
1045 }
1046 } else if (tls1_suiteb(s))
1047 return 0;
e481f9b9 1048#endif
0f113f3e
MC		 1049
1050 /* Check signature matches a type we sent */
1051 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1052 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1053 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1054 break;
1055 }
1056 /* Allow fallback to SHA1 if not strict mode */
1057 if (i == sent_sigslen
1058 && (sig[0] != TLSEXT_hash_sha1
1059 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1060 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1061 return 0;
1062 }
1063 *pmd = tls12_get_hash(sig[0]);
1064 if (*pmd == NULL) {
1065 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1066 return 0;
1067 }
1068 /* Make sure security callback allows algorithm */
1069 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1070 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1071 (void *)sig)) {
1072 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1073 return 0;
1074 }
1075 /*
1076 * Store the digest used so applications can retrieve it if they wish.
1077 */
d376e57d 1078 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1079 return 1;
1080}
2ea80354 1081
0f113f3e
MC		 1082/*
1083 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1084 * supported or doesn't appear in supported signature algorithms. Unlike
1085 * ssl_cipher_get_disabled this applies to a specific session and not global
1086 * settings.
b7bfe69b
DSH		 1087 */
1088void ssl_set_client_disabled(SSL *s)
0f113f3e 1089{
4d69f9e6
DSH		 1090 s->s3->tmp.mask_a = 0;
1091 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1092 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1093 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1094 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1095 else
4d69f9e6 1096 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1097 /* Disable TLS 1.0 ciphers if using SSL v3 */
1098 if (s->client_version == SSL3_VERSION)
1099 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1100 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1101 /*
1102 * Disable static DH if we don't include any appropriate signature
1103 * algorithms.
1104 */
4d69f9e6
DSH		 1105 if (s->s3->tmp.mask_a & SSL_aRSA)
1106 s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
1107 if (s->s3->tmp.mask_a & SSL_aDSS)
1108 s->s3->tmp.mask_k |= SSL_kDHd;
1109 if (s->s3->tmp.mask_a & SSL_aECDSA)
1110 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1111# ifndef OPENSSL_NO_PSK
1112 /* with PSK there must be client callback set */
1113 if (!s->psk_client_callback) {
4d69f9e6 1114 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1115 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1116 }
e481f9b9
MC		 1117#endif /* OPENSSL_NO_PSK */
1118#ifndef OPENSSL_NO_SRP
0f113f3e 1119 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1120 s->s3->tmp.mask_a |= SSL_aSRP;
1121 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1122 }
e481f9b9 1123#endif
0f113f3e 1124}
fc101f88 1125
b362ccab 1126int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1127{
4d69f9e6
DSH		 1128 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1129 || c->algorithm_mkey & s->s3->tmp.mask_k
1130 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1131 return 1;
1132 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1133}
b362ccab
DSH		 1134
1135static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1136{
1137 if (s->options & SSL_OP_NO_TICKET)
1138 return 0;
1139 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1140}
ed3883d2 1141
0f113f3e
MC		 1142unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1143 unsigned char *limit, int *al)
1144{
1145 int extdatalen = 0;
1146 unsigned char *orig = buf;
1147 unsigned char *ret = buf;
e481f9b9 1148#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1149 /* See if we support any ECC ciphersuites */
1150 int using_ecc = 0;
1151 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1152 int i;
1153 unsigned long alg_k, alg_a;
1154 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1155
1156 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1157 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1158
1159 alg_k = c->algorithm_mkey;
1160 alg_a = c->algorithm_auth;
13be69f3 1161 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
0f113f3e
MC		 1162 || (alg_a & SSL_aECDSA))) {
1163 using_ecc = 1;
1164 break;
1165 }
1166 }
1167 }
e481f9b9 1168#endif
ed3883d2 1169
0f113f3e 1170 ret += 2;
6434abbf 1171
0f113f3e
MC		 1172 if (ret >= limit)
1173 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1174
0f113f3e
MC		 1175 /* Add RI if renegotiating */
1176 if (s->renegotiate) {
1177 int el;
5a3d8eeb 1178
0f113f3e
MC		 1179 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1180 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1181 return NULL;
1182 }
5a3d8eeb 1183
0f113f3e
MC		 1184 if ((limit - ret - 4 - el) < 0)
1185 return NULL;
5a3d8eeb 1186
0f113f3e
MC		 1187 s2n(TLSEXT_TYPE_renegotiate, ret);
1188 s2n(el, ret);
5a3d8eeb 1189
0f113f3e
MC		 1190 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1191 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1192 return NULL;
5a3d8eeb 1193 }
edc032b5 1194
0f113f3e
MC		 1195 ret += el;
1196 }
1197 /* Only add RI for SSLv3 */
1198 if (s->client_version == SSL3_VERSION)
1199 goto done;
1200
1201 if (s->tlsext_hostname != NULL) {
1202 /* Add TLS extension servername to the Client Hello message */
1203 unsigned long size_str;
1204 long lenmax;
1205
50e735f9
MC		 1206 /*-
1207 * check for enough space.
1208 * 4 for the servername type and entension length
1209 * 2 for servernamelist length
1210 * 1 for the hostname type
1211 * 2 for hostname length
1212 * + hostname length
1213 */
0f113f3e
MC		 1214
1215 if ((lenmax = limit - ret - 9) < 0
1216 || (size_str =
1217 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1218 return NULL;
1219
1220 /* extension type and length */
1221 s2n(TLSEXT_TYPE_server_name, ret);
1222 s2n(size_str + 5, ret);
1223
1224 /* length of servername list */
1225 s2n(size_str + 3, ret);
1226
1227 /* hostname type, length and hostname */
1228 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1229 s2n(size_str, ret);
1230 memcpy(ret, s->tlsext_hostname, size_str);
1231 ret += size_str;
1232 }
e481f9b9 1233#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1234 /* Add SRP username if there is one */
1235 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1236 * Client Hello message */
1237
1238 int login_len = strlen(s->srp_ctx.login);
1239 if (login_len > 255 || login_len == 0) {
1240 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1241 return NULL;
1242 }
761772d7 1243
50e735f9
MC		 1244 /*-
1245 * check for enough space.
1246 * 4 for the srp type type and entension length
1247 * 1 for the srp user identity
1248 * + srp user identity length
1249 */
0f113f3e
MC		 1250 if ((limit - ret - 5 - login_len) < 0)
1251 return NULL;
1252
1253 /* fill in the extension */
1254 s2n(TLSEXT_TYPE_srp, ret);
1255 s2n(login_len + 1, ret);
1256 (*ret++) = (unsigned char)login_len;
1257 memcpy(ret, s->srp_ctx.login, login_len);
1258 ret += login_len;
1259 }
e481f9b9 1260#endif
0f113f3e 1261
e481f9b9 1262#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1263 if (using_ecc) {
1264 /*
1265 * Add TLS extension ECPointFormats to the ClientHello message
1266 */
1267 long lenmax;
1268 const unsigned char *pcurves, *pformats;
1269 size_t num_curves, num_formats, curves_list_len;
1270 size_t i;
1271 unsigned char *etmp;
1272
1273 tls1_get_formatlist(s, &pformats, &num_formats);
1274
1275 if ((lenmax = limit - ret - 5) < 0)
1276 return NULL;
1277 if (num_formats > (size_t)lenmax)
1278 return NULL;
1279 if (num_formats > 255) {
1280 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1281 return NULL;
1282 }
4817504d 1283
0f113f3e
MC		 1284 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1285 /* The point format list has 1-byte length. */
1286 s2n(num_formats + 1, ret);
1287 *(ret++) = (unsigned char)num_formats;
1288 memcpy(ret, pformats, num_formats);
1289 ret += num_formats;
1290
1291 /*
1292 * Add TLS extension EllipticCurves to the ClientHello message
1293 */
1294 pcurves = s->tlsext_ellipticcurvelist;
1295 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1296 return NULL;
1297
1298 if ((lenmax = limit - ret - 6) < 0)
1299 return NULL;
1300 if (num_curves > (size_t)lenmax / 2)
1301 return NULL;
1302 if (num_curves > 65532 / 2) {
1303 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1304 return NULL;
1305 }
ee2ffc27 1306
0f113f3e
MC		 1307 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1308 etmp = ret + 4;
1309 /* Copy curve ID if supported */
1310 for (i = 0; i < num_curves; i++, pcurves += 2) {
1311 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1312 *etmp++ = pcurves[0];
1313 *etmp++ = pcurves[1];
1314 }
1315 }
01f2f18f 1316
0f113f3e
MC		 1317 curves_list_len = etmp - ret - 4;
1318
1319 s2n(curves_list_len + 2, ret);
1320 s2n(curves_list_len, ret);
1321 ret += curves_list_len;
1322 }
e481f9b9 1323#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1324
1325 if (tls_use_ticket(s)) {
1326 int ticklen;
1327 if (!s->new_session && s->session && s->session->tlsext_tick)
1328 ticklen = s->session->tlsext_ticklen;
1329 else if (s->session && s->tlsext_session_ticket &&
1330 s->tlsext_session_ticket->data) {
1331 ticklen = s->tlsext_session_ticket->length;
1332 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1333 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1334 return NULL;
1335 memcpy(s->session->tlsext_tick,
1336 s->tlsext_session_ticket->data, ticklen);
1337 s->session->tlsext_ticklen = ticklen;
1338 } else
1339 ticklen = 0;
1340 if (ticklen == 0 && s->tlsext_session_ticket &&
1341 s->tlsext_session_ticket->data == NULL)
1342 goto skip_ext;
1343 /*
1344 * Check for enough room 2 for extension type, 2 for len rest for
1345 * ticket
1346 */
1347 if ((long)(limit - ret - 4 - ticklen) < 0)
1348 return NULL;
1349 s2n(TLSEXT_TYPE_session_ticket, ret);
1350 s2n(ticklen, ret);
1351 if (ticklen) {
1352 memcpy(ret, s->session->tlsext_tick, ticklen);
1353 ret += ticklen;
1354 }
1355 }
1356 skip_ext:
1357
1358 if (SSL_USE_SIGALGS(s)) {
1359 size_t salglen;
1360 const unsigned char *salg;
1361 unsigned char *etmp;
1362 salglen = tls12_get_psigalgs(s, &salg);
1363 if ((size_t)(limit - ret) < salglen + 6)
1364 return NULL;
1365 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1366 etmp = ret;
1367 /* Skip over lengths for now */
1368 ret += 4;
1369 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1370 /* Fill in lengths */
1371 s2n(salglen + 2, etmp);
1372 s2n(salglen, etmp);
1373 ret += salglen;
1374 }
0f113f3e
MC		 1375
1376 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1377 int i;
1378 long extlen, idlen, itmp;
1379 OCSP_RESPID *id;
1380
1381 idlen = 0;
1382 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1383 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1384 itmp = i2d_OCSP_RESPID(id, NULL);
1385 if (itmp <= 0)
1386 return NULL;
1387 idlen += itmp + 2;
860c3dd1
DSH		 1388 }
1389
0f113f3e
MC		 1390 if (s->tlsext_ocsp_exts) {
1391 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1392 if (extlen < 0)
1393 return NULL;
1394 } else
1395 extlen = 0;
1396
1397 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1398 return NULL;
1399 s2n(TLSEXT_TYPE_status_request, ret);
1400 if (extlen + idlen > 0xFFF0)
1401 return NULL;
1402 s2n(extlen + idlen + 5, ret);
1403 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1404 s2n(idlen, ret);
1405 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1406 /* save position of id len */
1407 unsigned char *q = ret;
1408 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1409 /* skip over id len */
1410 ret += 2;
1411 itmp = i2d_OCSP_RESPID(id, &ret);
1412 /* write id len */
1413 s2n(itmp, q);
1414 }
1415 s2n(extlen, ret);
1416 if (extlen > 0)
1417 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1418 }
e481f9b9 1419#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1420 /* Add Heartbeat extension */
1421 if ((limit - ret - 4 - 1) < 0)
1422 return NULL;
1423 s2n(TLSEXT_TYPE_heartbeat, ret);
1424 s2n(1, ret);
50e735f9
MC		 1425 /*-
1426 * Set mode:
1427 * 1: peer may send requests
1428 * 2: peer not allowed to send requests
1429 */
0f113f3e
MC		 1430 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1431 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1432 else
1433 *(ret++) = SSL_TLSEXT_HB_ENABLED;
e481f9b9 1434#endif
0f113f3e 1435
e481f9b9 1436#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1437 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1438 /*
1439 * The client advertises an emtpy extension to indicate its support
1440 * for Next Protocol Negotiation
1441 */
1442 if (limit - ret - 4 < 0)
1443 return NULL;
1444 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1445 s2n(0, ret);
1446 }
e481f9b9 1447#endif
0f113f3e
MC		 1448
1449 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1450 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1451 return NULL;
1452 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1453 s2n(2 + s->alpn_client_proto_list_len, ret);
1454 s2n(s->alpn_client_proto_list_len, ret);
1455 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1456 ret += s->alpn_client_proto_list_len;
1457 }
e481f9b9 1458#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1459 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1460 int el;
1461
69f68237
MC		 1462 /* Returns 0 on success!! */
1463 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1464 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1465 return NULL;
1466 }
0f113f3e
MC		 1467
1468 if ((limit - ret - 4 - el) < 0)
1469 return NULL;
1470
1471 s2n(TLSEXT_TYPE_use_srtp, ret);
1472 s2n(el, ret);
1473
1474 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1475 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1476 return NULL;
1477 }
1478 ret += el;
1479 }
e481f9b9 1480#endif
0f113f3e
MC		 1481 custom_ext_init(&s->cert->cli_ext);
1482 /* Add custom TLS Extensions to ClientHello */
1483 if (!custom_ext_add(s, 0, &ret, limit, al))
1484 return NULL;
e481f9b9 1485#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1486 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1487 s2n(0, ret);
e481f9b9 1488#endif
ddc06b35
DSH		 1489 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1490 s2n(0, ret);
0f113f3e
MC		 1491
1492 /*
1493 * Add padding to workaround bugs in F5 terminators. See
1494 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1495 * code works out the length of all existing extensions it MUST always
1496 * appear last.
1497 */
1498 if (s->options & SSL_OP_TLSEXT_PADDING) {
1499 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1500
0f113f3e
MC		 1501 if (hlen > 0xff && hlen < 0x200) {
1502 hlen = 0x200 - hlen;
1503 if (hlen >= 4)
1504 hlen -= 4;
1505 else
1506 hlen = 0;
1507
1508 s2n(TLSEXT_TYPE_padding, ret);
1509 s2n(hlen, ret);
1510 memset(ret, 0, hlen);
1511 ret += hlen;
1512 }
1513 }
5a3d8eeb 1514
0f113f3e 1515 done:
5a3d8eeb 1516
0f113f3e
MC		 1517 if ((extdatalen = ret - orig - 2) == 0)
1518 return orig;
5a3d8eeb 1519
0f113f3e
MC		 1520 s2n(extdatalen, orig);
1521 return ret;
1522}
333f926d 1523
0f113f3e
MC		 1524unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1525 unsigned char *limit, int *al)
1526{
1527 int extdatalen = 0;
1528 unsigned char *orig = buf;
1529 unsigned char *ret = buf;
e481f9b9 1530#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1531 int next_proto_neg_seen;
e481f9b9
MC		 1532#endif
1533#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1534 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1535 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1536 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1537 || (alg_a & SSL_aECDSA);
1538 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1539#endif
0f113f3e
MC		 1540
1541 ret += 2;
1542 if (ret >= limit)
1543 return NULL; /* this really never occurs, but ... */
1544
1545 if (s->s3->send_connection_binding) {
1546 int el;
1547
1548 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1549 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1550 return NULL;
1551 }
333f926d 1552
0f113f3e
MC		 1553 if ((limit - ret - 4 - el) < 0)
1554 return NULL;
333f926d 1555
0f113f3e
MC		 1556 s2n(TLSEXT_TYPE_renegotiate, ret);
1557 s2n(el, ret);
333f926d 1558
0f113f3e
MC		 1559 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1560 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1561 return NULL;
1562 }
333f926d 1563
0f113f3e
MC		 1564 ret += el;
1565 }
1566
1567 /* Only add RI for SSLv3 */
1568 if (s->version == SSL3_VERSION)
1569 goto done;
1570
1571 if (!s->hit && s->servername_done == 1
1572 && s->session->tlsext_hostname != NULL) {
1573 if ((long)(limit - ret - 4) < 0)
1574 return NULL;
1575
1576 s2n(TLSEXT_TYPE_server_name, ret);
1577 s2n(0, ret);
1578 }
e481f9b9 1579#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1580 if (using_ecc) {
1581 const unsigned char *plist;
1582 size_t plistlen;
1583 /*
1584 * Add TLS extension ECPointFormats to the ServerHello message
1585 */
1586 long lenmax;
1587
1588 tls1_get_formatlist(s, &plist, &plistlen);
1589
1590 if ((lenmax = limit - ret - 5) < 0)
1591 return NULL;
1592 if (plistlen > (size_t)lenmax)
1593 return NULL;
1594 if (plistlen > 255) {
1595 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1596 return NULL;
1597 }
4817504d 1598
0f113f3e
MC		 1599 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1600 s2n(plistlen + 1, ret);
1601 *(ret++) = (unsigned char)plistlen;
1602 memcpy(ret, plist, plistlen);
1603 ret += plistlen;
1604
1605 }
1606 /*
1607 * Currently the server should not respond with a SupportedCurves
1608 * extension
1609 */
e481f9b9 1610#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1611
1612 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1613 if ((long)(limit - ret - 4) < 0)
1614 return NULL;
1615 s2n(TLSEXT_TYPE_session_ticket, ret);
1616 s2n(0, ret);
1617 }
1618
1619 if (s->tlsext_status_expected) {
1620 if ((long)(limit - ret - 4) < 0)
1621 return NULL;
1622 s2n(TLSEXT_TYPE_status_request, ret);
1623 s2n(0, ret);
1624 }
0f113f3e 1625
e481f9b9 1626#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1627 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1628 int el;
1629
69f68237 1630 /* Returns 0 on success!! */
61986d32 1631 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1632 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1633 return NULL;
1634 }
0f113f3e
MC		 1635 if ((limit - ret - 4 - el) < 0)
1636 return NULL;
1637
1638 s2n(TLSEXT_TYPE_use_srtp, ret);
1639 s2n(el, ret);
1640
1641 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1642 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1643 return NULL;
1644 }
1645 ret += el;
1646 }
e481f9b9 1647#endif
0f113f3e
MC		 1648
1649 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1650 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1651 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1652 const unsigned char cryptopro_ext[36] = {
1653 0xfd, 0xe8, /* 65000 */
1654 0x00, 0x20, /* 32 bytes length */
1655 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1656 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1657 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1658 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1659 };
1660 if (limit - ret < 36)
1661 return NULL;
1662 memcpy(ret, cryptopro_ext, 36);
1663 ret += 36;
1664
1665 }
e481f9b9 1666#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1667 /* Add Heartbeat extension if we've received one */
1668 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1669 if ((limit - ret - 4 - 1) < 0)
1670 return NULL;
1671 s2n(TLSEXT_TYPE_heartbeat, ret);
1672 s2n(1, ret);
50e735f9
MC		 1673 /*-
1674 * Set mode:
1675 * 1: peer may send requests
1676 * 2: peer not allowed to send requests
1677 */
0f113f3e
MC		 1678 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1679 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1680 else
1681 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1682
1683 }
e481f9b9 1684#endif
0f113f3e 1685
e481f9b9 1686#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1687 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1688 s->s3->next_proto_neg_seen = 0;
1689 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1690 const unsigned char *npa;
1691 unsigned int npalen;
1692 int r;
1693
1694 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1695 s->
1696 ctx->next_protos_advertised_cb_arg);
1697 if (r == SSL_TLSEXT_ERR_OK) {
1698 if ((long)(limit - ret - 4 - npalen) < 0)
1699 return NULL;
1700 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1701 s2n(npalen, ret);
1702 memcpy(ret, npa, npalen);
1703 ret += npalen;
1704 s->s3->next_proto_neg_seen = 1;
1705 }
1706 }
e481f9b9 1707#endif
0f113f3e
MC		 1708 if (!custom_ext_add(s, 1, &ret, limit, al))
1709 return NULL;
e481f9b9 1710#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1711 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1712 /*
1713 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1714 * for other cases too.
1715 */
1716 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1717 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1718 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1719 else {
1720 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1721 s2n(0, ret);
1722 }
1723 }
e481f9b9 1724#endif
ddc06b35
DSH		 1725 if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
1726 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1727 s2n(0, ret);
1728 }
0f113f3e
MC		 1729
1730 if (s->s3->alpn_selected) {
1731 const unsigned char *selected = s->s3->alpn_selected;
1732 unsigned len = s->s3->alpn_selected_len;
1733
1734 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1735 return NULL;
1736 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1737 s2n(3 + len, ret);
1738 s2n(1 + len, ret);
1739 *ret++ = len;
1740 memcpy(ret, selected, len);
1741 ret += len;
1742 }
1743
1744 done:
1745
1746 if ((extdatalen = ret - orig - 2) == 0)
1747 return orig;
1748
1749 s2n(extdatalen, orig);
1750 return ret;
1751}
a398f821 1752
0f113f3e
MC		 1753/*
1754 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1755 * ClientHello. data: the contents of the extension, not including the type
1756 * and length. data_len: the number of bytes in |data| al: a pointer to the
1757 * alert value to send in the event of a non-zero return. returns: 0 on
1758 * success.
1759 */
9ceb2426 1760static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1761{
9ceb2426
MC		 1762 unsigned int data_len;
1763 unsigned int proto_len;
0f113f3e 1764 const unsigned char *selected;
9ceb2426 1765 unsigned char *data;
0f113f3e
MC		 1766 unsigned char selected_len;
1767 int r;
1768
1769 if (s->ctx->alpn_select_cb == NULL)
1770 return 0;
1771
0f113f3e
MC		 1772 /*
1773 * data should contain a uint16 length followed by a series of 8-bit,
1774 * length-prefixed strings.
1775 */
9ceb2426
MC		 1776 if (!PACKET_get_net_2(pkt, &data_len)
1777 || PACKET_remaining(pkt) != data_len
1778 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1779 goto parse_error;
1780
9ceb2426
MC		 1781 do {
1782 if (!PACKET_get_1(pkt, &proto_len)
1783 || proto_len == 0
1784 || !PACKET_forward(pkt, proto_len))
0f113f3e 1785 goto parse_error;
9ceb2426 1786 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1787
1788 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1789 s->ctx->alpn_select_cb_arg);
1790 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1791 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1792 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1793 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1794 *al = SSL_AD_INTERNAL_ERROR;
1795 return -1;
1796 }
1797 memcpy(s->s3->alpn_selected, selected, selected_len);
1798 s->s3->alpn_selected_len = selected_len;
1799 }
1800 return 0;
1801
1802 parse_error:
1803 *al = SSL_AD_DECODE_ERROR;
1804 return -1;
1805}
6f017a8f 1806
e481f9b9 1807#ifndef OPENSSL_NO_EC
1d97c843
TH		 1808/*-
1809 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1810 * SecureTransport using the TLS extension block in |d|, of length |n|.
1811 * Safari, since 10.6, sends exactly these extensions, in this order:
1812 * SNI,
1813 * elliptic_curves
1814 * ec_point_formats
1815 *
1816 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1817 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1818 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1819 * 10.8..10.8.3 (which don't work).
1820 */
68a16628 1821static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1822{
9ceb2426
MC		 1823 unsigned int type, size;
1824 unsigned char *eblock1, *eblock2;
68a16628 1825 PACKET tmppkt;
9ceb2426 1826
0f113f3e
MC		 1827 static const unsigned char kSafariExtensionsBlock[] = {
1828 0x00, 0x0a, /* elliptic_curves extension */
1829 0x00, 0x08, /* 8 bytes */
1830 0x00, 0x06, /* 6 bytes of curve ids */
1831 0x00, 0x17, /* P-256 */
1832 0x00, 0x18, /* P-384 */
1833 0x00, 0x19, /* P-521 */
1834
1835 0x00, 0x0b, /* ec_point_formats */
1836 0x00, 0x02, /* 2 bytes */
1837 0x01, /* 1 point format */
1838 0x00, /* uncompressed */
1839 };
1840
1841 /* The following is only present in TLS 1.2 */
1842 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1843 0x00, 0x0d, /* signature_algorithms */
1844 0x00, 0x0c, /* 12 bytes */
1845 0x00, 0x0a, /* 10 bytes */
1846 0x05, 0x01, /* SHA-384/RSA */
1847 0x04, 0x01, /* SHA-256/RSA */
1848 0x02, 0x01, /* SHA-1/RSA */
1849 0x04, 0x03, /* SHA-256/ECDSA */
1850 0x02, 0x03, /* SHA-1/ECDSA */
1851 };
1852
68a16628
MC		 1853 tmppkt = *pkt;
1854
1855 if (!PACKET_forward(&tmppkt, 2)
1856 || !PACKET_get_net_2(&tmppkt, &type)
1857 || !PACKET_get_net_2(&tmppkt, &size)
1858 || !PACKET_forward(&tmppkt, size))
0f113f3e 1859 return;
0f113f3e
MC		 1860
1861 if (type != TLSEXT_TYPE_server_name)
1862 return;
1863
0f113f3e
MC		 1864 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1865 const size_t len1 = sizeof(kSafariExtensionsBlock);
1866 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1867
68a16628
MC		 1868 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1869 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1870 || PACKET_remaining(&tmppkt))
0f113f3e 1871 return;
9ceb2426 1872 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1873 return;
9ceb2426 1874 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1875 return;
1876 } else {
1877 const size_t len = sizeof(kSafariExtensionsBlock);
1878
68a16628
MC		 1879 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1880 || PACKET_remaining(&tmppkt))
0f113f3e 1881 return;
9ceb2426 1882 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1883 return;
1884 }
1885
1886 s->s3->is_probably_safari = 1;
dece3209 1887}
e481f9b9 1888#endif /* !OPENSSL_NO_EC */
0f113f3e 1889
9ceb2426 1890static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1891{
9ceb2426
MC		 1892 unsigned int type;
1893 unsigned int size;
1894 unsigned int len;
1895 unsigned char *data;
0f113f3e
MC		 1896 int renegotiate_seen = 0;
1897
1898 s->servername_done = 0;
1899 s->tlsext_status_type = -1;
e481f9b9 1900#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1901 s->s3->next_proto_neg_seen = 0;
e481f9b9 1902#endif
0f113f3e 1903
b548a1f1
RS		 1904 OPENSSL_free(s->s3->alpn_selected);
1905 s->s3->alpn_selected = NULL;
e481f9b9 1906#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 1907 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1908 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1909#endif
0f113f3e 1910
e481f9b9 1911#ifndef OPENSSL_NO_EC
0f113f3e 1912 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1913 ssl_check_for_safari(s, pkt);
1914# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1915
1916 /* Clear any signature algorithms extension received */
76106e60
DSH		 1917 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1918 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1919#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1920 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1921#endif
0f113f3e 1922
e481f9b9 1923#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1924 OPENSSL_free(s->srp_ctx.login);
1925 s->srp_ctx.login = NULL;
e481f9b9 1926#endif
0f113f3e
MC		 1927
1928 s->srtp_profile = NULL;
1929
9ceb2426 1930 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1931 goto ri_check;
1932
9ceb2426 1933 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1934 goto err;
1935
52a48f9e
AG		 1936 if (PACKET_remaining(pkt) != len)
1937 goto err;
1938
9ceb2426
MC		 1939 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1940 PACKET subpkt;
0f113f3e 1941
9ceb2426 1942 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1943 goto err;
9ceb2426 1944
0f113f3e
MC		 1945 if (s->tlsext_debug_cb)
1946 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1947
1948 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1949 goto err;
1950
0f113f3e 1951 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1952 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1953 return 0;
1954 renegotiate_seen = 1;
1955 } else if (s->version == SSL3_VERSION) {
1956 }
1d97c843
TH		 1957/*-
1958 * The servername extension is treated as follows:
1959 *
1960 * - Only the hostname type is supported with a maximum length of 255.
1961 * - The servername is rejected if too long or if it contains zeros,
1962 * in which case an fatal alert is generated.
1963 * - The servername field is maintained together with the session cache.
1964 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1965 * to allow the application to position itself to the right context.
1966 * - The servername is acknowledged if it is new for a session or when
1967 * it is identical to a previously used for the same session.
1d97c843
TH		 1968 * Applications can control the behaviour. They can at any time
1969 * set a 'desirable' servername for a new SSL object. This can be the
1970 * case for example with HTTPS when a Host: header field is received and
1971 * a renegotiation is requested. In this case, a possible servername
1972 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1973 * the value of the Host: field.
1d97c843 1974 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1975 * if they provide for changing an explicit servername context for the
1976 * session, i.e. when the session has been established with a servername
1977 * extension.
1978 * - On session reconnect, the servername extension may be absent.
1d97c843 1979 *
0f113f3e 1980 */
ed3883d2 1981
0f113f3e
MC		 1982 else if (type == TLSEXT_TYPE_server_name) {
1983 unsigned char *sdata;
9ceb2426
MC		 1984 unsigned int servname_type;
1985 unsigned int dsize;
1986 PACKET ssubpkt;
0f113f3e 1987
9ceb2426
MC		 1988 if (!PACKET_get_net_2(&subpkt, &dsize)
1989 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 1990 goto err;
0f113f3e 1991
9ceb2426
MC		 1992 while (PACKET_remaining(&ssubpkt) > 3) {
1993 if (!PACKET_get_1(&ssubpkt, &servname_type)
1994 || !PACKET_get_net_2(&ssubpkt, &len)
1995 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 1996 goto err;
1997
0f113f3e
MC		 1998 if (s->servername_done == 0)
1999 switch (servname_type) {
2000 case TLSEXT_NAMETYPE_host_name:
2001 if (!s->hit) {
54e3ad00
MC		 2002 if (s->session->tlsext_hostname)
2003 goto err;
2004
0f113f3e
MC		 2005 if (len > TLSEXT_MAXLEN_host_name) {
2006 *al = TLS1_AD_UNRECOGNIZED_NAME;
2007 return 0;
2008 }
2009 if ((s->session->tlsext_hostname =
2010 OPENSSL_malloc(len + 1)) == NULL) {
2011 *al = TLS1_AD_INTERNAL_ERROR;
2012 return 0;
2013 }
9ceb2426
MC		 2014 if (!PACKET_copy_bytes(&ssubpkt,
2015 (unsigned char *)s->session
2016 ->tlsext_hostname,
2017 len)) {
2018 *al = SSL_AD_DECODE_ERROR;
2019 return 0;
2020 }
0f113f3e
MC		 2021 s->session->tlsext_hostname[len] = '\0';
2022 if (strlen(s->session->tlsext_hostname) != len) {
2023 OPENSSL_free(s->session->tlsext_hostname);
2024 s->session->tlsext_hostname = NULL;
2025 *al = TLS1_AD_UNRECOGNIZED_NAME;
2026 return 0;
2027 }
2028 s->servername_done = 1;
761772d7 2029
9ceb2426
MC		 2030 } else {
2031 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2032 *al = SSL_AD_DECODE_ERROR;
2033 return 0;
2034 }
0f113f3e
MC		 2035 s->servername_done = s->session->tlsext_hostname
2036 && strlen(s->session->tlsext_hostname) == len
2037 && strncmp(s->session->tlsext_hostname,
2038 (char *)sdata, len) == 0;
9ceb2426 2039 }
b2284ed3 2040
0f113f3e 2041 break;
ee2ffc27 2042
0f113f3e
MC		 2043 default:
2044 break;
2045 }
0f113f3e 2046 }
9ceb2426 2047 /* We shouldn't have any bytes left */
bc6616a4 2048 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2049 goto err;
6f017a8f 2050
0f113f3e 2051 }
e481f9b9 2052#ifndef OPENSSL_NO_SRP
0f113f3e 2053 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2054 if (!PACKET_get_1(&subpkt, &len)
2055 || s->srp_ctx.login != NULL)
54e3ad00 2056 goto err;
9ceb2426 2057
0f113f3e
MC		 2058 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2059 return -1;
9ceb2426
MC		 2060 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2061 len))
2062 goto err;
0f113f3e
MC		 2063 s->srp_ctx.login[len] = '\0';
2064
9ceb2426
MC		 2065 if (strlen(s->srp_ctx.login) != len
2066 || PACKET_remaining(&subpkt))
54e3ad00 2067 goto err;
0f113f3e 2068 }
e481f9b9 2069#endif
0f113f3e 2070
e481f9b9 2071#ifndef OPENSSL_NO_EC
0f113f3e 2072 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2073 unsigned int ecpointformatlist_length;
0f113f3e 2074
9ceb2426
MC		 2075 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2076 || ecpointformatlist_length == 0)
54e3ad00 2077 goto err;
9ceb2426 2078
0f113f3e 2079 if (!s->hit) {
b548a1f1
RS		 2080 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2081 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2082 s->session->tlsext_ecpointformatlist_length = 0;
2083 if ((s->session->tlsext_ecpointformatlist =
2084 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2085 *al = TLS1_AD_INTERNAL_ERROR;
2086 return 0;
2087 }
2088 s->session->tlsext_ecpointformatlist_length =
2089 ecpointformatlist_length;
9ceb2426
MC		 2090 if (!PACKET_copy_bytes(&subpkt,
2091 s->session->tlsext_ecpointformatlist,
2092 ecpointformatlist_length))
2093 goto err;
2094 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2095 goto err;
2096 }
2097 /* We should have consumed all the bytes by now */
2098 if (PACKET_remaining(&subpkt)) {
2099 *al = TLS1_AD_DECODE_ERROR;
2100 return 0;
0f113f3e 2101 }
0f113f3e 2102 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2103 unsigned int ellipticcurvelist_length;
0f113f3e 2104
9ceb2426
MC		 2105 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2106 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2107 || ellipticcurvelist_length == 0
2108 || (ellipticcurvelist_length & 1) != 0)
2109 goto err;
54e3ad00 2110
0f113f3e 2111 if (!s->hit) {
54e3ad00
MC		 2112 if (s->session->tlsext_ellipticcurvelist)
2113 goto err;
2114
0f113f3e
MC		 2115 s->session->tlsext_ellipticcurvelist_length = 0;
2116 if ((s->session->tlsext_ellipticcurvelist =
2117 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2118 *al = TLS1_AD_INTERNAL_ERROR;
2119 return 0;
2120 }
2121 s->session->tlsext_ellipticcurvelist_length =
2122 ellipticcurvelist_length;
9ceb2426
MC		 2123 if (!PACKET_copy_bytes(&subpkt,
2124 s->session->tlsext_ellipticcurvelist,
2125 ellipticcurvelist_length))
2126 goto err;
2127 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2128 goto err;
2129 }
2130 /* We should have consumed all the bytes by now */
2131 if (PACKET_remaining(&subpkt)) {
2132 goto err;
0f113f3e 2133 }
0f113f3e 2134 }
e481f9b9 2135#endif /* OPENSSL_NO_EC */
0f113f3e 2136 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2137 if (!PACKET_forward(&subpkt, size)
2138 || (s->tls_session_ticket_ext_cb &&
2139 !s->tls_session_ticket_ext_cb(s, data, size,
2140 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2141 *al = TLS1_AD_INTERNAL_ERROR;
2142 return 0;
2143 }
2144 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2145 unsigned int dsize;
2146
2147 if (s->s3->tmp.peer_sigalgs
2148 || !PACKET_get_net_2(&subpkt, &dsize)
2149 || (dsize & 1) != 0
2150 || (dsize == 0)
2151 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2152 || PACKET_remaining(&subpkt) != 0
9ceb2426 2153 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2154 goto err;
9ceb2426 2155 }
0f113f3e 2156 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2157 PACKET ssubpkt;
0f113f3e 2158
9ceb2426
MC		 2159 if (!PACKET_get_1(&subpkt,
2160 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2161 goto err;
0f113f3e 2162
0f113f3e
MC		 2163 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2164 const unsigned char *sdata;
9ceb2426 2165 unsigned int dsize;
0f113f3e 2166 /* Read in responder_id_list */
9ceb2426
MC		 2167 if (!PACKET_get_net_2(&subpkt, &dsize)
2168 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2169 goto err;
9ceb2426
MC		 2170
2171 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2172 OCSP_RESPID *id;
9ceb2426
MC		 2173 unsigned int idsize;
2174
2175 if (PACKET_remaining(&ssubpkt) < 4
2176 || !PACKET_get_net_2(&ssubpkt, &idsize)
2177 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2178 goto err;
9ceb2426 2179 }
0f113f3e
MC		 2180 sdata = data;
2181 data += idsize;
2182 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2183 if (!id)
2184 goto err;
0f113f3e
MC		 2185 if (data != sdata) {
2186 OCSP_RESPID_free(id);
54e3ad00 2187 goto err;
0f113f3e
MC		 2188 }
2189 if (!s->tlsext_ocsp_ids
2190 && !(s->tlsext_ocsp_ids =
2191 sk_OCSP_RESPID_new_null())) {
2192 OCSP_RESPID_free(id);
2193 *al = SSL_AD_INTERNAL_ERROR;
2194 return 0;
2195 }
2196 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2197 OCSP_RESPID_free(id);
2198 *al = SSL_AD_INTERNAL_ERROR;
2199 return 0;
2200 }
2201 }
4817504d 2202
0f113f3e 2203 /* Read in request_extensions */
9ceb2426
MC		 2204 if (!PACKET_get_net_2(&subpkt, &dsize)
2205 || !PACKET_get_bytes(&subpkt, &data, dsize)
2206 || PACKET_remaining(&subpkt)) {
54e3ad00 2207 goto err;
9ceb2426 2208 }
0f113f3e
MC		 2209 sdata = data;
2210 if (dsize > 0) {
222561fe
RS		 2211 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2212 X509_EXTENSION_free);
0f113f3e
MC		 2213 s->tlsext_ocsp_exts =
2214 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2215 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2216 goto err;
0f113f3e
MC		 2217 }
2218 }
2219 /*
2220 * We don't know what to do with any other type * so ignore it.
2221 */
2222 else
2223 s->tlsext_status_type = -1;
2224 }
e481f9b9 2225#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2226 else if (type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2227 unsigned int hbtype;
2228
2229 if (!PACKET_get_1(&subpkt, &hbtype)
2230 || PACKET_remaining(&subpkt)) {
2231 *al = SSL_AD_DECODE_ERROR;
2232 return 0;
2233 }
2234 switch (hbtype) {
0f113f3e
MC		 2235 case 0x01: /* Client allows us to send HB requests */
2236 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2237 break;
2238 case 0x02: /* Client doesn't accept HB requests */
2239 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2240 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2241 break;
2242 default:
2243 *al = SSL_AD_ILLEGAL_PARAMETER;
2244 return 0;
2245 }
2246 }
e481f9b9
MC		 2247#endif
2248#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2249 else if (type == TLSEXT_TYPE_next_proto_neg &&
2250 s->s3->tmp.finish_md_len == 0 &&
2251 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2252 /*-
2253 * We shouldn't accept this extension on a
2254 * renegotiation.
2255 *
2256 * s->new_session will be set on renegotiation, but we
2257 * probably shouldn't rely that it couldn't be set on
2258 * the initial renegotation too in certain cases (when
2259 * there's some other reason to disallow resuming an
2260 * earlier session -- the current code won't be doing
2261 * anything like that, but this might change).
2262 *
2263 * A valid sign that there's been a previous handshake
2264 * in this connection is if s->s3->tmp.finish_md_len >
2265 * 0. (We are talking about a check that will happen
2266 * in the Hello protocol round, well before a new
2267 * Finished message could have been computed.)
2268 */
0f113f3e
MC		 2269 s->s3->next_proto_neg_seen = 1;
2270 }
e481f9b9 2271#endif
0f113f3e
MC		 2272
2273 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2274 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2275 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2276 return 0;
e481f9b9 2277#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2278 /* ALPN takes precedence over NPN. */
2279 s->s3->next_proto_neg_seen = 0;
e481f9b9 2280#endif
0f113f3e 2281 }
5e3ff62c 2282
0f113f3e 2283 /* session ticket processed earlier */
e481f9b9 2284#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2285 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2286 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2287 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2288 return 0;
2289 }
e481f9b9
MC		 2290#endif
2291#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2292 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2293 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2294#endif
ddc06b35
DSH		 2295 else if (type == TLSEXT_TYPE_extended_master_secret) {
2296 if (!s->hit)
2297 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2298 }
0f113f3e
MC		 2299 /*
2300 * If this ClientHello extension was unhandled and this is a
2301 * nonresumed connection, check whether the extension is a custom
2302 * TLS Extension (has a custom_srv_ext_record), and if so call the
2303 * callback and record the extension number so that an appropriate
2304 * ServerHello may be later returned.
2305 */
2306 else if (!s->hit) {
2307 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2308 return 0;
2309 }
0f113f3e 2310 }
6f017a8f 2311
54e3ad00 2312 /* Spurious data on the end */
9ceb2426 2313 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2314 goto err;
2315
0f113f3e 2316 ri_check:
ed3883d2 2317
0f113f3e
MC		 2318 /* Need RI if renegotiating */
2319
2320 if (!renegotiate_seen && s->renegotiate &&
2321 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2322 *al = SSL_AD_HANDSHAKE_FAILURE;
2323 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2324 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2325 return 0;
2326 }
2327
2328 return 1;
54e3ad00
MC		 2329err:
2330 *al = SSL_AD_DECODE_ERROR;
2331 return 0;
0f113f3e
MC		 2332}
2333
9ceb2426 2334int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2335{
2336 int al = -1;
2337 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2338 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2339 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2340 return 0;
2341 }
2342
2343 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2344 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2345 return 0;
2346 }
2347 return 1;
2348}
2349
e481f9b9 2350#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2351/*
2352 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2353 * elements of zero length are allowed and the set of elements must exactly
2354 * fill the length of the block.
2355 */
50932c4a 2356static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2357{
50932c4a 2358 unsigned int len;
0f113f3e 2359
50932c4a
MC		 2360 while (PACKET_remaining(pkt)) {
2361 if (!PACKET_get_1(pkt, &len)
2362 || !PACKET_forward(pkt, len))
0f113f3e 2363 return 0;
0f113f3e
MC		 2364 }
2365
50932c4a 2366 return 1;
0f113f3e 2367}
e481f9b9 2368#endif
0f113f3e 2369
50932c4a 2370static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2371{
50932c4a 2372 unsigned int length, type, size;
0f113f3e
MC		 2373 int tlsext_servername = 0;
2374 int renegotiate_seen = 0;
2375
e481f9b9 2376#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2377 s->s3->next_proto_neg_seen = 0;
e481f9b9 2378#endif
0f113f3e
MC		 2379 s->tlsext_ticket_expected = 0;
2380
b548a1f1
RS		 2381 OPENSSL_free(s->s3->alpn_selected);
2382 s->s3->alpn_selected = NULL;
e481f9b9 2383#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 2384 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2385 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2386#endif
0f113f3e 2387
e481f9b9 2388#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2389 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2390#endif
0f113f3e 2391
50932c4a 2392 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2393 goto ri_check;
2394
50932c4a 2395 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2396 *al = SSL_AD_DECODE_ERROR;
2397 return 0;
2398 }
2399
50932c4a
MC		 2400 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2401 unsigned char *data;
2402 PACKET spkt;
0f113f3e 2403
50932c4a
MC		 2404 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2405 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2406 goto ri_check;
2407
2408 if (s->tlsext_debug_cb)
2409 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2410
2411 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2412 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2413 return 0;
2414 renegotiate_seen = 1;
2415 } else if (s->version == SSL3_VERSION) {
2416 } else if (type == TLSEXT_TYPE_server_name) {
2417 if (s->tlsext_hostname == NULL || size > 0) {
2418 *al = TLS1_AD_UNRECOGNIZED_NAME;
2419 return 0;
2420 }
2421 tlsext_servername = 1;
2422 }
e481f9b9 2423#ifndef OPENSSL_NO_EC
0f113f3e 2424 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2425 unsigned int ecpointformatlist_length;
2426 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2427 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2428 *al = TLS1_AD_DECODE_ERROR;
2429 return 0;
2430 }
2431 if (!s->hit) {
2432 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2433 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2434 if ((s->session->tlsext_ecpointformatlist =
2435 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2436 *al = TLS1_AD_INTERNAL_ERROR;
2437 return 0;
2438 }
2439 s->session->tlsext_ecpointformatlist_length =
2440 ecpointformatlist_length;
50932c4a
MC		 2441 if (!PACKET_copy_bytes(&spkt,
2442 s->session->tlsext_ecpointformatlist,
2443 ecpointformatlist_length)) {
2444 *al = TLS1_AD_DECODE_ERROR;
2445 return 0;
2446 }
2447
0f113f3e 2448 }
0f113f3e 2449 }
e481f9b9 2450#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2451
2452 else if (type == TLSEXT_TYPE_session_ticket) {
2453 if (s->tls_session_ticket_ext_cb &&
2454 !s->tls_session_ticket_ext_cb(s, data, size,
2455 s->tls_session_ticket_ext_cb_arg))
2456 {
2457 *al = TLS1_AD_INTERNAL_ERROR;
2458 return 0;
2459 }
2460 if (!tls_use_ticket(s) || (size > 0)) {
2461 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2462 return 0;
2463 }
2464 s->tlsext_ticket_expected = 1;
2465 }
0f113f3e
MC		 2466 else if (type == TLSEXT_TYPE_status_request) {
2467 /*
2468 * MUST be empty and only sent if we've requested a status
2469 * request message.
2470 */
2471 if ((s->tlsext_status_type == -1) || (size > 0)) {
2472 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2473 return 0;
2474 }
2475 /* Set flag to expect CertificateStatus message */
2476 s->tlsext_status_expected = 1;
2477 }
e481f9b9 2478#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2479 else if (type == TLSEXT_TYPE_next_proto_neg &&
2480 s->s3->tmp.finish_md_len == 0) {
2481 unsigned char *selected;
2482 unsigned char selected_len;
0f113f3e
MC		 2483 /* We must have requested it. */
2484 if (s->ctx->next_proto_select_cb == NULL) {
2485 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2486 return 0;
2487 }
2488 /* The data must be valid */
50932c4a 2489 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2490 *al = TLS1_AD_DECODE_ERROR;
2491 return 0;
2492 }
2493 if (s->
2494 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2495 size,
2496 s->ctx->next_proto_select_cb_arg) !=
2497 SSL_TLSEXT_ERR_OK) {
2498 *al = TLS1_AD_INTERNAL_ERROR;
2499 return 0;
2500 }
2501 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2502 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2503 *al = TLS1_AD_INTERNAL_ERROR;
2504 return 0;
2505 }
2506 memcpy(s->next_proto_negotiated, selected, selected_len);
2507 s->next_proto_negotiated_len = selected_len;
2508 s->s3->next_proto_neg_seen = 1;
2509 }
e481f9b9 2510#endif
0f113f3e
MC		 2511
2512 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2513 unsigned len;
0f113f3e
MC		 2514 /* We must have requested it. */
2515 if (s->alpn_client_proto_list == NULL) {
2516 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2517 return 0;
2518 }
50e735f9
MC		 2519 /*-
2520 * The extension data consists of:
2521 * uint16 list_length
2522 * uint8 proto_length;
2523 * uint8 proto[proto_length];
2524 */
50932c4a
MC		 2525 if (!PACKET_get_net_2(&spkt, &len)
2526 || PACKET_remaining(&spkt) != len
2527 || !PACKET_get_1(&spkt, &len)
2528 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2529 *al = TLS1_AD_DECODE_ERROR;
2530 return 0;
2531 }
b548a1f1 2532 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2533 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2534 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2535 *al = TLS1_AD_INTERNAL_ERROR;
2536 return 0;
2537 }
50932c4a
MC		 2538 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2539 *al = TLS1_AD_DECODE_ERROR;
2540 return 0;
2541 }
0f113f3e
MC		 2542 s->s3->alpn_selected_len = len;
2543 }
e481f9b9 2544#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 2545 else if (type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2546 unsigned int hbtype;
2547 if (!PACKET_get_1(&spkt, &hbtype)) {
2548 *al = SSL_AD_DECODE_ERROR;
2549 return 0;
2550 }
2551 switch (hbtype) {
0f113f3e
MC		 2552 case 0x01: /* Server allows us to send HB requests */
2553 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2554 break;
2555 case 0x02: /* Server doesn't accept HB requests */
2556 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2557 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2558 break;
2559 default:
2560 *al = SSL_AD_ILLEGAL_PARAMETER;
2561 return 0;
2562 }
2563 }
e481f9b9
MC		 2564#endif
2565#ifndef OPENSSL_NO_SRTP
0f113f3e 2566 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2567 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2568 return 0;
2569 }
e481f9b9
MC		 2570#endif
2571#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2572 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2573 /* Ignore if inappropriate ciphersuite */
2574 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2575 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2576 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2577 }
e481f9b9 2578#endif
ddc06b35
DSH		 2579 else if (type == TLSEXT_TYPE_extended_master_secret) {
2580 if (!s->hit)
2581 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2582 }
0f113f3e
MC		 2583 /*
2584 * If this extension type was not otherwise handled, but matches a
2585 * custom_cli_ext_record, then send it to the c callback
2586 */
2587 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2588 return 0;
0f113f3e
MC		 2589 }
2590
50932c4a 2591 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2592 *al = SSL_AD_DECODE_ERROR;
2593 return 0;
2594 }
2595
2596 if (!s->hit && tlsext_servername == 1) {
2597 if (s->tlsext_hostname) {
2598 if (s->session->tlsext_hostname == NULL) {
2599 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2600 if (!s->session->tlsext_hostname) {
2601 *al = SSL_AD_UNRECOGNIZED_NAME;
2602 return 0;
2603 }
2604 } else {
2605 *al = SSL_AD_DECODE_ERROR;
2606 return 0;
2607 }
2608 }
2609 }
2610
0f113f3e
MC		 2611 ri_check:
2612
2613 /*
2614 * Determine if we need to see RI. Strictly speaking if we want to avoid
2615 * an attack we should *always* see RI even on initial server hello
2616 * because the client doesn't see any renegotiation during an attack.
2617 * However this would mean we could not connect to any server which
2618 * doesn't support RI so for the immediate future tolerate RI absence on
2619 * initial connect only.
2620 */
2621 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2622 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2623 *al = SSL_AD_HANDSHAKE_FAILURE;
2624 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2625 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2626 return 0;
2627 }
2628
2629 return 1;
2630}
b2172f4f 2631
36ca4ba6 2632int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2633{
2634
0f113f3e
MC		 2635 return 1;
2636}
36ca4ba6
BM		 2637
2638int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2639{
2640 return 1;
2641}
36ca4ba6 2642
2daceb03 2643static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2644{
2645 int ret = SSL_TLSEXT_ERR_NOACK;
2646 int al = SSL_AD_UNRECOGNIZED_NAME;
2647
e481f9b9 2648#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2649 /*
2650 * The handling of the ECPointFormats extension is done elsewhere, namely
2651 * in ssl3_choose_cipher in s3_lib.c.
2652 */
2653 /*
2654 * The handling of the EllipticCurves extension is done elsewhere, namely
2655 * in ssl3_choose_cipher in s3_lib.c.
2656 */
e481f9b9 2657#endif
0f113f3e
MC		 2658
2659 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2660 ret =
2661 s->ctx->tlsext_servername_callback(s, &al,
2662 s->ctx->tlsext_servername_arg);
2663 else if (s->initial_ctx != NULL
2664 && s->initial_ctx->tlsext_servername_callback != 0)
2665 ret =
2666 s->initial_ctx->tlsext_servername_callback(s, &al,
2667 s->
2668 initial_ctx->tlsext_servername_arg);
2669
0f113f3e
MC		 2670 switch (ret) {
2671 case SSL_TLSEXT_ERR_ALERT_FATAL:
2672 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2673 return -1;
2674
2675 case SSL_TLSEXT_ERR_ALERT_WARNING:
2676 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2677 return 1;
2678
2679 case SSL_TLSEXT_ERR_NOACK:
2680 s->servername_done = 0;
2681 default:
2682 return 1;
2683 }
2684}
d376e57d
DSH		 2685/* Initialise digests to default values */
2686static void ssl_set_default_md(SSL *s)
2687{
2688 const EVP_MD **pmd = s->s3->tmp.md;
2689#ifndef OPENSSL_NO_DSA
2690 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
2691#endif
2692#ifndef OPENSSL_NO_RSA
2693 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
2694 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
2695#endif
2696#ifndef OPENSSL_NO_EC
2697 pmd[SSL_PKEY_ECC] = EVP_sha1();
2698#endif
2699}
f1fd4544 2700
e469af8d 2701int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2702{
2703 int al;
2704 size_t i;
2705 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2706 OPENSSL_free(s->cert->shared_sigalgs);
2707 s->cert->shared_sigalgs = NULL;
2708 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2709 /* Clear certificate digests and validity flags */
2710 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2711 s->s3->tmp.md[i] = NULL;
6383d316 2712 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2713 }
2714
2715 /* If sigalgs received process it. */
76106e60 2716 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2717 if (!tls1_process_sigalgs(s)) {
2718 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2719 al = SSL_AD_INTERNAL_ERROR;
2720 goto err;
2721 }
2722 /* Fatal error is no shared signature algorithms */
2723 if (!s->cert->shared_sigalgs) {
2724 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2725 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2726 al = SSL_AD_ILLEGAL_PARAMETER;
2727 goto err;
2728 }
d376e57d
DSH		 2729 } else {
2730 ssl_set_default_md(s);
2731 }
0f113f3e
MC		 2732 return 1;
2733 err:
2734 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2735 return 0;
2736}
e469af8d 2737
2daceb03 2738int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2739{
2740 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2741 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2742
2743 /*
2744 * If status request then ask callback what to do. Note: this must be
2745 * called after servername callbacks in case the certificate has changed,
2746 * and must be called after the cipher has been chosen because this may
2747 * influence which certificate is sent
2748 */
2749 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2750 int r;
2751 CERT_PKEY *certpkey;
2752 certpkey = ssl_get_server_send_pkey(s);
2753 /* If no certificate can't return certificate status */
2754 if (certpkey == NULL) {
2755 s->tlsext_status_expected = 0;
2756 return 1;
2757 }
2758 /*
2759 * Set current certificate to one we will use so SSL_get_certificate
2760 * et al can pick it up.
2761 */
2762 s->cert->key = certpkey;
2763 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2764 switch (r) {
2765 /* We don't want to send a status request response */
2766 case SSL_TLSEXT_ERR_NOACK:
2767 s->tlsext_status_expected = 0;
2768 break;
2769 /* status request response should be sent */
2770 case SSL_TLSEXT_ERR_OK:
2771 if (s->tlsext_ocsp_resp)
2772 s->tlsext_status_expected = 1;
2773 else
2774 s->tlsext_status_expected = 0;
2775 break;
2776 /* something bad happened */
2777 case SSL_TLSEXT_ERR_ALERT_FATAL:
2778 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2779 al = SSL_AD_INTERNAL_ERROR;
2780 goto err;
2781 }
2782 } else
2783 s->tlsext_status_expected = 0;
2daceb03
BL		 2784
2785 err:
0f113f3e
MC		 2786 switch (ret) {
2787 case SSL_TLSEXT_ERR_ALERT_FATAL:
2788 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2789 return -1;
2790
2791 case SSL_TLSEXT_ERR_ALERT_WARNING:
2792 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2793 return 1;
2794
2795 default:
2796 return 1;
2797 }
2798}
2daceb03 2799
36ca4ba6 2800int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2801{
2802 int ret = SSL_TLSEXT_ERR_NOACK;
2803 int al = SSL_AD_UNRECOGNIZED_NAME;
2804
e481f9b9 2805#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2806 /*
2807 * If we are client and using an elliptic curve cryptography cipher
2808 * suite, then if server returns an EC point formats lists extension it
2809 * must contain uncompressed.
2810 */
2811 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2812 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2813 if ((s->tlsext_ecpointformatlist != NULL)
2814 && (s->tlsext_ecpointformatlist_length > 0)
2815 && (s->session->tlsext_ecpointformatlist != NULL)
2816 && (s->session->tlsext_ecpointformatlist_length > 0)
2817 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2818 || (alg_a & SSL_aECDSA))) {
2819 /* we are using an ECC cipher */
2820 size_t i;
2821 unsigned char *list;
2822 int found_uncompressed = 0;
2823 list = s->session->tlsext_ecpointformatlist;
2824 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2825 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2826 found_uncompressed = 1;
2827 break;
2828 }
2829 }
2830 if (!found_uncompressed) {
2831 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2832 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2833 return -1;
2834 }
2835 }
2836 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2837#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2838
2839 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2840 ret =
2841 s->ctx->tlsext_servername_callback(s, &al,
2842 s->ctx->tlsext_servername_arg);
2843 else if (s->initial_ctx != NULL
2844 && s->initial_ctx->tlsext_servername_callback != 0)
2845 ret =
2846 s->initial_ctx->tlsext_servername_callback(s, &al,
2847 s->
2848 initial_ctx->tlsext_servername_arg);
2849
0f113f3e
MC		 2850 /*
2851 * If we've requested certificate status and we wont get one tell the
2852 * callback
2853 */
2854 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2855 && s->ctx && s->ctx->tlsext_status_cb) {
2856 int r;
2857 /*
2858 * Set resp to NULL, resplen to -1 so callback knows there is no
2859 * response.
2860 */
b548a1f1
RS		 2861 OPENSSL_free(s->tlsext_ocsp_resp);
2862 s->tlsext_ocsp_resp = NULL;
0f113f3e
MC		 2863 s->tlsext_ocsp_resplen = -1;
2864 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2865 if (r == 0) {
2866 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2867 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2868 }
2869 if (r < 0) {
2870 al = SSL_AD_INTERNAL_ERROR;
2871 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2872 }
2873 }
2874
2875 switch (ret) {
2876 case SSL_TLSEXT_ERR_ALERT_FATAL:
2877 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2878 return -1;
2879
2880 case SSL_TLSEXT_ERR_ALERT_WARNING:
2881 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2882 return 1;
2883
2884 case SSL_TLSEXT_ERR_NOACK:
2885 s->servername_done = 0;
2886 default:
2887 return 1;
2888 }
2889}
761772d7 2890
50932c4a 2891int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2892{
2893 int al = -1;
2894 if (s->version < SSL3_VERSION)
2895 return 1;
50932c4a 2896 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2897 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2898 return 0;
2899 }
2900
2901 if (ssl_check_serverhello_tlsext(s) <= 0) {
2902 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2903 return 0;
2904 }
2905 return 1;
09e4e4b9
DSH		 2906}
2907
1d97c843
TH		 2908/*-
2909 * Since the server cache lookup is done early on in the processing of the
c519e89f
BM		 2910 * ClientHello, and other operations depend on the result, we need to handle
2911 * any TLS session ticket extension at the same time.
2912 *
b3e2272c
EK		 2913 * session_id: ClientHello session ID.
2914 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2915 * ret: (output) on return, if a ticket was decrypted, then this is set to
2916 * point to the resulting session.
2917 *
2918 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2919 * ciphersuite, in which case we have no use for session tickets and one will
2920 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2921 *
2922 * Returns:
2923 * -1: fatal error, either from parsing or decrypting the ticket.
2924 * 0: no ticket was found (or was ignored, based on settings).
2925 * 1: a zero length extension was found, indicating that the client supports
2926 * session tickets but doesn't currently have one to offer.
2927 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2928 * couldn't be decrypted because of a non-fatal error.
2929 * 3: a ticket was successfully decrypted and *ret was set.
2930 *
2931 * Side effects:
2932 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2933 * a new session ticket to the client because the client indicated support
2934 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2935 * a session ticket or we couldn't use the one it gave us, or if
2936 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2937 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2938 */
b3e2272c
EK		 2939int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id,
2940 SSL_SESSION **ret)
0f113f3e 2941{
9ceb2426 2942 unsigned int i;
b3e2272c 2943 PACKET local_ext = *ext;
9ceb2426 2944 int retv = -1;
0f113f3e
MC		 2945
2946 *ret = NULL;
2947 s->tlsext_ticket_expected = 0;
2948
2949 /*
2950 * If tickets disabled behave as if no ticket present to permit stateful
2951 * resumption.
2952 */
2953 if (!tls_use_ticket(s))
2954 return 0;
9ceb2426 2955 if ((s->version <= SSL3_VERSION))
0f113f3e 2956 return 0;
9ceb2426 2957
b3e2272c 2958 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2959 retv = 0;
2960 goto end;
2961 }
b3e2272c 2962 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2963 unsigned int type, size;
2964
b3e2272c
EK		 2965 if (!PACKET_get_net_2(&local_ext, &type)
2966 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2967 /* Shouldn't ever happen */
2968 retv = -1;
2969 goto end;
2970 }
b3e2272c 2971 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2972 retv = 0;
2973 goto end;
2974 }
0f113f3e
MC		 2975 if (type == TLSEXT_TYPE_session_ticket) {
2976 int r;
9ceb2426
MC		 2977 unsigned char *etick;
2978
0f113f3e
MC		 2979 if (size == 0) {
2980 /*
2981 * The client will accept a ticket but doesn't currently have
2982 * one.
2983 */
2984 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2985 retv = 1;
2986 goto end;
0f113f3e
MC		 2987 }
2988 if (s->tls_session_secret_cb) {
2989 /*
2990 * Indicate that the ticket couldn't be decrypted rather than
2991 * generating the session from ticket now, trigger
2992 * abbreviated handshake based on external mechanism to
2993 * calculate the master secret later.
2994 */
9ceb2426
MC		 2995 retv = 2;
2996 goto end;
2997 }
b3e2272c 2998 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2999 /* Shouldn't ever happen */
3000 retv = -1;
3001 goto end;
0f113f3e 3002 }
b3e2272c
EK		 3003 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3004 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3005 switch (r) {
3006 case 2: /* ticket couldn't be decrypted */
3007 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3008 retv = 2;
3009 break;
0f113f3e 3010 case 3: /* ticket was decrypted */
9ceb2426
MC		 3011 retv = r;
3012 break;
0f113f3e
MC		 3013 case 4: /* ticket decrypted but need to renew */
3014 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3015 retv = 3;
3016 break;
0f113f3e 3017 default: /* fatal error */
9ceb2426
MC		 3018 retv = -1;
3019 break;
0f113f3e 3020 }
9ceb2426 3021 goto end;
c83eda8c 3022 } else {
b3e2272c 3023 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3024 retv = -1;
3025 goto end;
3026 }
0f113f3e 3027 }
0f113f3e 3028 }
9ceb2426
MC		 3029 retv = 0;
3030end:
9ceb2426 3031 return retv;
0f113f3e 3032}
6434abbf 3033
1d97c843
TH		 3034/*-
3035 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3036 *
3037 * etick: points to the body of the session ticket extension.
3038 * eticklen: the length of the session tickets extenion.
3039 * sess_id: points at the session ID.
3040 * sesslen: the length of the session ID.
3041 * psess: (output) on return, if a ticket was decrypted, then this is set to
3042 * point to the resulting session.
3043 *
3044 * Returns:
3045 * -1: fatal error, either from parsing or decrypting the ticket.
3046 * 2: the ticket couldn't be decrypted.
3047 * 3: a ticket was successfully decrypted and *psess was set.
3048 * 4: same as 3, but the ticket needs to be renewed.
3049 */
0f113f3e
MC		 3050static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3051 int eticklen, const unsigned char *sess_id,
3052 int sesslen, SSL_SESSION **psess)
3053{
3054 SSL_SESSION *sess;
3055 unsigned char *sdec;
3056 const unsigned char *p;
3057 int slen, mlen, renew_ticket = 0;
3058 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3059 HMAC_CTX hctx;
3060 EVP_CIPHER_CTX ctx;
3061 SSL_CTX *tctx = s->initial_ctx;
3062 /* Need at least keyname + iv + some encrypted data */
3063 if (eticklen < 48)
3064 return 2;
3065 /* Initialize session ticket encryption and HMAC contexts */
3066 HMAC_CTX_init(&hctx);
3067 EVP_CIPHER_CTX_init(&ctx);
3068 if (tctx->tlsext_ticket_key_cb) {
3069 unsigned char *nctick = (unsigned char *)etick;
3070 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3071 &ctx, &hctx, 0);
3072 if (rv < 0)
3073 return -1;
3074 if (rv == 0)
3075 return 2;
3076 if (rv == 2)
3077 renew_ticket = 1;
3078 } else {
3079 /* Check key name matches */
3080 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3081 return 2;
5f3d93e4
MC		 3082 if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3083 EVP_sha256(), NULL) <= 0
3084 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3085 tctx->tlsext_tick_aes_key,
3086 etick + 16) <= 0) {
3087 goto err;
3088 }
0f113f3e
MC		 3089 }
3090 /*
3091 * Attempt to process session ticket, first conduct sanity and integrity
3092 * checks on ticket.
3093 */
3094 mlen = HMAC_size(&hctx);
3095 if (mlen < 0) {
5f3d93e4 3096 goto err;
0f113f3e
MC		 3097 }
3098 eticklen -= mlen;
3099 /* Check HMAC of encrypted ticket */
5f3d93e4
MC		 3100 if (HMAC_Update(&hctx, etick, eticklen) <= 0
3101 || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
3102 goto err;
3103 }
0f113f3e
MC		 3104 HMAC_CTX_cleanup(&hctx);
3105 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3106 EVP_CIPHER_CTX_cleanup(&ctx);
3107 return 2;
3108 }
3109 /* Attempt to decrypt session data */
3110 /* Move p after IV to start of encrypted ticket, update length */
3111 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3112 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3113 sdec = OPENSSL_malloc(eticklen);
5f3d93e4
MC		 3114 if (sdec == NULL
3115 || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
0f113f3e
MC		 3116 EVP_CIPHER_CTX_cleanup(&ctx);
3117 return -1;
3118 }
0f113f3e
MC		 3119 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3120 EVP_CIPHER_CTX_cleanup(&ctx);
3121 OPENSSL_free(sdec);
3122 return 2;
3123 }
3124 slen += mlen;
3125 EVP_CIPHER_CTX_cleanup(&ctx);
3126 p = sdec;
3127
3128 sess = d2i_SSL_SESSION(NULL, &p, slen);
3129 OPENSSL_free(sdec);
3130 if (sess) {
3131 /*
3132 * The session ID, if non-empty, is used by some clients to detect
3133 * that the ticket has been accepted. So we copy it to the session
3134 * structure. If it is empty set length to zero as required by
3135 * standard.
3136 */
3137 if (sesslen)
3138 memcpy(sess->session_id, sess_id, sesslen);
3139 sess->session_id_length = sesslen;
3140 *psess = sess;
3141 if (renew_ticket)
3142 return 4;
3143 else
3144 return 3;
3145 }
3146 ERR_clear_error();
3147 /*
3148 * For session parse failure, indicate that we need to send a new ticket.
3149 */
3150 return 2;
5f3d93e4
MC		 3151err:
3152 EVP_CIPHER_CTX_cleanup(&ctx);
3153 HMAC_CTX_cleanup(&hctx);
3154 return -1;
0f113f3e 3155}
6434abbf 3156
6b7be581
DSH		 3157/* Tables to translate from NIDs to TLS v1.2 ids */
3158
0f113f3e
MC		 3159typedef struct {
3160 int nid;
3161 int id;
3162} tls12_lookup;
6b7be581 3163
d97ed219 3164static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3165 {NID_md5, TLSEXT_hash_md5},
3166 {NID_sha1, TLSEXT_hash_sha1},
3167 {NID_sha224, TLSEXT_hash_sha224},
3168 {NID_sha256, TLSEXT_hash_sha256},
3169 {NID_sha384, TLSEXT_hash_sha384},
3170 {NID_sha512, TLSEXT_hash_sha512}
6b7be581
DSH		 3171};
3172
d97ed219 3173static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3174 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3175 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3176 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
6b7be581
DSH		 3177};
3178
d97ed219 3179static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3180{
3181 size_t i;
3182 for (i = 0; i < tlen; i++) {
3183 if (table[i].nid == nid)
3184 return table[i].id;
3185 }
3186 return -1;
3187}
e7f8ff43 3188
d97ed219 3189static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3190{
3191 size_t i;
3192 for (i = 0; i < tlen; i++) {
3193 if ((table[i].id) == id)
3194 return table[i].nid;
3195 }
3196 return NID_undef;
3197}
3198
3199int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3200 const EVP_MD *md)
3201{
3202 int sig_id, md_id;
3203 if (!md)
3204 return 0;
b6eb9827 3205 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3206 if (md_id == -1)
3207 return 0;
3208 sig_id = tls12_get_sigid(pk);
3209 if (sig_id == -1)
3210 return 0;
3211 p[0] = (unsigned char)md_id;
3212 p[1] = (unsigned char)sig_id;
3213 return 1;
3214}
6b7be581 3215
a2f9200f 3216int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3217{
b6eb9827 3218 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3219}
3220
3221typedef struct {
3222 int nid;
3223 int secbits;
3224 const EVP_MD *(*mfunc) (void);
3225} tls12_hash_info;
b362ccab
DSH		 3226
3227static const tls12_hash_info tls12_md_info[] = {
e481f9b9 3228#ifdef OPENSSL_NO_MD5
0f113f3e 3229 {NID_md5, 64, 0},
e481f9b9 3230#else
0f113f3e 3231 {NID_md5, 64, EVP_md5},
e481f9b9 3232#endif
0f113f3e 3233 {NID_sha1, 80, EVP_sha1},
0f113f3e
MC		 3234 {NID_sha224, 112, EVP_sha224},
3235 {NID_sha256, 128, EVP_sha256},
0f113f3e
MC		 3236 {NID_sha384, 192, EVP_sha384},
3237 {NID_sha512, 256, EVP_sha512}
b362ccab 3238};
a2f9200f 3239
b362ccab 3240static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e
MC		 3241{
3242 if (hash_alg == 0)
3243 return NULL;
b6eb9827 3244 if (hash_alg > OSSL_NELEM(tls12_md_info))
0f113f3e
MC		 3245 return NULL;
3246 return tls12_md_info + hash_alg - 1;
3247}
a2f9200f 3248
b362ccab 3249const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3250{
3251 const tls12_hash_info *inf;
3252 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3253 return NULL;
3254 inf = tls12_get_hash_info(hash_alg);
3255 if (!inf || !inf->mfunc)
3256 return NULL;
3257 return inf->mfunc();
3258}
a2f9200f 3259
4453cd8c 3260static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3261{
3262 switch (sig_alg) {
e481f9b9 3263#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3264 case TLSEXT_signature_rsa:
3265 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3266#endif
3267#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3268 case TLSEXT_signature_dsa:
3269 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3270#endif
3271#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3272 case TLSEXT_signature_ecdsa:
3273 return SSL_PKEY_ECC;
e481f9b9 3274#endif
0f113f3e
MC		 3275 }
3276 return -1;
3277}
4453cd8c
DSH		 3278
3279/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3280static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3281 int *psignhash_nid, const unsigned char *data)
3282{
3283 int sign_nid = 0, hash_nid = 0;
3284 if (!phash_nid && !psign_nid && !psignhash_nid)
3285 return;
3286 if (phash_nid || psignhash_nid) {
b6eb9827 3287 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3288 if (phash_nid)
3289 *phash_nid = hash_nid;
3290 }
3291 if (psign_nid || psignhash_nid) {
b6eb9827 3292 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3293 if (psign_nid)
3294 *psign_nid = sign_nid;
3295 }
3296 if (psignhash_nid) {
3297 if (sign_nid && hash_nid)
3298 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3299 else
3300 *psignhash_nid = NID_undef;
3301 }
3302}
3303
b362ccab
DSH		 3304/* Check to see if a signature algorithm is allowed */
3305static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3306{
3307 /* See if we have an entry in the hash table and it is enabled */
3308 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3309 if (!hinf || !hinf->mfunc)
3310 return 0;
3311 /* See if public key algorithm allowed */
3312 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3313 return 0;
3314 /* Finally see if security callback allows it */
3315 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3316}
3317
3318/*
3319 * Get a mask of disabled public key algorithms based on supported signature
3320 * algorithms. For example if no signature algorithm supports RSA then RSA is
3321 * disabled.
b362ccab
DSH		 3322 */
3323
90d9e49a 3324void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3325{
3326 const unsigned char *sigalgs;
3327 size_t i, sigalgslen;
3328 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3329 /*
3330 * Now go through all signature algorithms seeing if we support any for
3331 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3332 * down calls to security callback only check if we have to.
3333 */
3334 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3335 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3336 switch (sigalgs[1]) {
e481f9b9 3337#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3338 case TLSEXT_signature_rsa:
3339 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3340 have_rsa = 1;
3341 break;
e481f9b9
MC		 3342#endif
3343#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3344 case TLSEXT_signature_dsa:
3345 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3346 have_dsa = 1;
3347 break;
e481f9b9
MC		 3348#endif
3349#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3350 case TLSEXT_signature_ecdsa:
3351 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3352 have_ecdsa = 1;
3353 break;
e481f9b9 3354#endif
0f113f3e
MC		 3355 }
3356 }
3357 if (!have_rsa)
3358 *pmask_a |= SSL_aRSA;
3359 if (!have_dsa)
3360 *pmask_a |= SSL_aDSS;
3361 if (!have_ecdsa)
3362 *pmask_a |= SSL_aECDSA;
3363}
b362ccab
DSH		 3364
3365size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3366 const unsigned char *psig, size_t psiglen)
3367{
3368 unsigned char *tmpout = out;
3369 size_t i;
3370 for (i = 0; i < psiglen; i += 2, psig += 2) {
3371 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3372 *tmpout++ = psig[0];
3373 *tmpout++ = psig[1];
3374 }
3375 }
3376 return tmpout - out;
3377}
b362ccab 3378
4453cd8c 3379/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3380static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3381 const unsigned char *pref, size_t preflen,
3382 const unsigned char *allow, size_t allowlen)
3383{
3384 const unsigned char *ptmp, *atmp;
3385 size_t i, j, nmatch = 0;
3386 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3387 /* Skip disabled hashes or signature algorithms */
3388 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3389 continue;
3390 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3391 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3392 nmatch++;
3393 if (shsig) {
3394 shsig->rhash = ptmp[0];
3395 shsig->rsign = ptmp[1];
3396 tls1_lookup_sigalg(&shsig->hash_nid,
3397 &shsig->sign_nid,
3398 &shsig->signandhash_nid, ptmp);
3399 shsig++;
3400 }
3401 break;
3402 }
3403 }
3404 }
3405 return nmatch;
3406}
4453cd8c
DSH		 3407
3408/* Set shared signature algorithms for SSL structures */
3409static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3410{
3411 const unsigned char *pref, *allow, *conf;
3412 size_t preflen, allowlen, conflen;
3413 size_t nmatch;
3414 TLS_SIGALGS *salgs = NULL;
3415 CERT *c = s->cert;
3416 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3417
3418 OPENSSL_free(c->shared_sigalgs);
3419 c->shared_sigalgs = NULL;
3420 c->shared_sigalgslen = 0;
0f113f3e
MC		 3421 /* If client use client signature algorithms if not NULL */
3422 if (!s->server && c->client_sigalgs && !is_suiteb) {
3423 conf = c->client_sigalgs;
3424 conflen = c->client_sigalgslen;
3425 } else if (c->conf_sigalgs && !is_suiteb) {
3426 conf = c->conf_sigalgs;
3427 conflen = c->conf_sigalgslen;
3428 } else
3429 conflen = tls12_get_psigalgs(s, &conf);
3430 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3431 pref = conf;
3432 preflen = conflen;
76106e60
DSH		 3433 allow = s->s3->tmp.peer_sigalgs;
3434 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3435 } else {
3436 allow = conf;
3437 allowlen = conflen;
76106e60
DSH		 3438 pref = s->s3->tmp.peer_sigalgs;
3439 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3440 }
3441 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3442 if (nmatch) {
3443 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3444 if (salgs == NULL)
34e3edbf
DSH		 3445 return 0;
3446 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3447 } else {
3448 salgs = NULL;
3449 }
0f113f3e
MC		 3450 c->shared_sigalgs = salgs;
3451 c->shared_sigalgslen = nmatch;
3452 return 1;
3453}
4453cd8c 3454
6b7be581
DSH		 3455/* Set preferred digest for each key type */
3456
c800c27a 3457int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3458{
3459 CERT *c = s->cert;
3460 /* Extension ignored for inappropriate versions */
3461 if (!SSL_USE_SIGALGS(s))
3462 return 1;
3463 /* Should never happen */
3464 if (!c)
3465 return 0;
3466
76106e60
DSH		 3467 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3468 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3469 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3470 return 0;
76106e60
DSH		 3471 s->s3->tmp.peer_sigalgslen = dsize;
3472 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3473 return 1;
3474}
6b7be581 3475
c800c27a 3476int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3477{
3478 int idx;
3479 size_t i;
3480 const EVP_MD *md;
d376e57d 3481 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3482 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3483 CERT *c = s->cert;
3484 TLS_SIGALGS *sigptr;
3485 if (!tls1_set_shared_sigalgs(s))
3486 return 0;
3487
e481f9b9 3488#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3489 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3490 /*
3491 * Use first set signature preference to force message digest,
3492 * ignoring any peer preferences.
3493 */
3494 const unsigned char *sigs = NULL;
3495 if (s->server)
3496 sigs = c->conf_sigalgs;
3497 else
3498 sigs = c->client_sigalgs;
3499 if (sigs) {
3500 idx = tls12_get_pkey_idx(sigs[1]);
3501 md = tls12_get_hash(sigs[0]);
d376e57d 3502 pmd[idx] = md;
6383d316 3503 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3504 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3505 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3506 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3507 }
3508 }
3509 }
e481f9b9 3510#endif
0f113f3e
MC		 3511
3512 for (i = 0, sigptr = c->shared_sigalgs;
3513 i < c->shared_sigalgslen; i++, sigptr++) {
3514 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3515 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3516 md = tls12_get_hash(sigptr->rhash);
d376e57d 3517 pmd[idx] = md;
6383d316 3518 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3519 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3520 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3521 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3522 }
3523 }
6b7be581 3524
0f113f3e
MC		 3525 }
3526 /*
3527 * In strict mode leave unset digests as NULL to indicate we can't use
3528 * the certificate for signing.
3529 */
3530 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3531 /*
3532 * Set any remaining keys to default values. NOTE: if alg is not
3533 * supported it stays as NULL.
3534 */
e481f9b9 3535#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3536 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3537 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3538#endif
3539#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3540 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3541 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3542 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3543 }
e481f9b9
MC		 3544#endif
3545#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3546 if (pmd[SSL_PKEY_ECC] == NULL)
3547 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3548#endif
0f113f3e
MC		 3549 }
3550 return 1;
3551}
4817504d 3552
e7f8ff43 3553int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3554 int *psign, int *phash, int *psignhash,
3555 unsigned char *rsig, unsigned char *rhash)
3556{
76106e60 3557 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3558 if (psig == NULL)
3559 return 0;
3560 if (idx >= 0) {
3561 idx <<= 1;
76106e60 3562 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3563 return 0;
3564 psig += idx;
3565 if (rhash)
3566 *rhash = psig[0];
3567 if (rsig)
3568 *rsig = psig[1];
3569 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3570 }
76106e60 3571 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3572}
4453cd8c
DSH		 3573
3574int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3575 int *psign, int *phash, int *psignhash,
3576 unsigned char *rsig, unsigned char *rhash)
3577{
3578 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3579 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3580 return 0;
3581 shsigalgs += idx;
3582 if (phash)
3583 *phash = shsigalgs->hash_nid;
3584 if (psign)
3585 *psign = shsigalgs->sign_nid;
3586 if (psignhash)
3587 *psignhash = shsigalgs->signandhash_nid;
3588 if (rsig)
3589 *rsig = shsigalgs->rsign;
3590 if (rhash)
3591 *rhash = shsigalgs->rhash;
3592 return s->cert->shared_sigalgslen;
3593}
3594
e481f9b9 3595#ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3596int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3597{
2c60ed04 3598 unsigned char *pl;
0f113f3e
MC		 3599 unsigned short hbtype;
3600 unsigned int payload;
3601 unsigned int padding = 16; /* Use minimum padding */
3602
3603 if (s->msg_callback)
3604 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3605 p, length,
0f113f3e
MC		 3606 s, s->msg_callback_arg);
3607
3608 /* Read type and payload length first */
258f8721 3609 if (1 + 2 + 16 > length)
0f113f3e
MC		 3610 return 0; /* silently discard */
3611 hbtype = *p++;
3612 n2s(p, payload);
258f8721 3613 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3614 return 0; /* silently discard per RFC 6520 sec. 4 */
3615 pl = p;
3616
3617 if (hbtype == TLS1_HB_REQUEST) {
3618 unsigned char *buffer, *bp;
3619 int r;
3620
3621 /*
3622 * Allocate memory for the response, size is 1 bytes message type,
3623 * plus 2 bytes payload length, plus payload, plus padding
3624 */
3625 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3626 if (buffer == NULL) {
3627 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3628 return -1;
3629 }
3630 bp = buffer;
3631
3632 /* Enter response type, length and copy payload */
3633 *bp++ = TLS1_HB_RESPONSE;
3634 s2n(payload, bp);
3635 memcpy(bp, pl, payload);
3636 bp += payload;
3637 /* Random padding */
266483d2
MC		 3638 if (RAND_bytes(bp, padding) <= 0) {
3639 OPENSSL_free(buffer);
3640 return -1;
3641 }
0f113f3e
MC		 3642
3643 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3644 3 + payload + padding);
3645
3646 if (r >= 0 && s->msg_callback)
3647 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3648 buffer, 3 + payload + padding,
3649 s, s->msg_callback_arg);
3650
3651 OPENSSL_free(buffer);
3652
3653 if (r < 0)
3654 return r;
3655 } else if (hbtype == TLS1_HB_RESPONSE) {
3656 unsigned int seq;
3657
3658 /*
3659 * We only send sequence numbers (2 bytes unsigned int), and 16
3660 * random bytes, so we just try to read the sequence number
3661 */
3662 n2s(pl, seq);
3663
3664 if (payload == 18 && seq == s->tlsext_hb_seq) {
3665 s->tlsext_hb_seq++;
3666 s->tlsext_hb_pending = 0;
3667 }
3668 }
3669
3670 return 0;
3671}
0f229cce 3672
0f113f3e
MC		 3673int tls1_heartbeat(SSL *s)
3674{
3675 unsigned char *buf, *p;
266483d2 3676 int ret = -1;
0f113f3e
MC		 3677 unsigned int payload = 18; /* Sequence number + random bytes */
3678 unsigned int padding = 16; /* Use minimum padding */
3679
3680 /* Only send if peer supports and accepts HB requests... */
3681 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3682 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3683 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3684 return -1;
3685 }
3686
3687 /* ...and there is none in flight yet... */
3688 if (s->tlsext_hb_pending) {
3689 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3690 return -1;
3691 }
3692
3693 /* ...and no handshake in progress. */
024f543c 3694 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
0f113f3e
MC		 3695 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3696 return -1;
3697 }
3698
50e735f9
MC		 3699 /*-
3700 * Create HeartBeat message, we just use a sequence number
3701 * as payload to distuingish different messages and add
3702 * some random stuff.
3703 * - Message Type, 1 byte
3704 * - Payload Length, 2 bytes (unsigned int)
3705 * - Payload, the sequence number (2 bytes uint)
3706 * - Payload, random bytes (16 bytes uint)
3707 * - Padding
3708 */
0f113f3e
MC		 3709 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3710 if (buf == NULL) {
3711 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3712 return -1;
3713 }
3714 p = buf;
3715 /* Message Type */
3716 *p++ = TLS1_HB_REQUEST;
3717 /* Payload length (18 bytes here) */
3718 s2n(payload, p);
3719 /* Sequence number */
3720 s2n(s->tlsext_hb_seq, p);
3721 /* 16 random bytes */
266483d2
MC		 3722 if (RAND_bytes(p, 16) <= 0) {
3723 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3724 goto err;
3725 }
0f113f3e
MC		 3726 p += 16;
3727 /* Random padding */
266483d2
MC		 3728 if (RAND_bytes(p, padding) <= 0) {
3729 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3730 goto err;
3731 }
0f113f3e
MC		 3732
3733 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3734 if (ret >= 0) {
3735 if (s->msg_callback)
3736 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3737 buf, 3 + payload + padding,
3738 s, s->msg_callback_arg);
3739
3740 s->tlsext_hb_pending = 1;
3741 }
3742
266483d2 3743 err:
0f113f3e 3744 OPENSSL_free(buf);
0f113f3e
MC		 3745 return ret;
3746}
e481f9b9 3747#endif
0f113f3e 3748
e481f9b9 3749#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3750
0f113f3e
MC		 3751typedef struct {
3752 size_t sigalgcnt;
3753 int sigalgs[MAX_SIGALGLEN];
3754} sig_cb_st;
0f229cce 3755
431f458d
DSH		 3756static void get_sigorhash(int *psig, int *phash, const char *str)
3757{
3758 if (strcmp(str, "RSA") == 0) {
3759 *psig = EVP_PKEY_RSA;
3760 } else if (strcmp(str, "DSA") == 0) {
3761 *psig = EVP_PKEY_DSA;
3762 } else if (strcmp(str, "ECDSA") == 0) {
3763 *psig = EVP_PKEY_EC;
3764 } else {
3765 *phash = OBJ_sn2nid(str);
3766 if (*phash == NID_undef)
3767 *phash = OBJ_ln2nid(str);
3768 }
3769}
3770
0f229cce 3771static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3772{
3773 sig_cb_st *sarg = arg;
3774 size_t i;
3775 char etmp[20], *p;
431f458d 3776 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3777 if (elem == NULL)
3778 return 0;
0f113f3e
MC		 3779 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3780 return 0;
3781 if (len > (int)(sizeof(etmp) - 1))
3782 return 0;
3783 memcpy(etmp, elem, len);
3784 etmp[len] = 0;
3785 p = strchr(etmp, '+');
3786 if (!p)
3787 return 0;
3788 *p = 0;
3789 p++;
3790 if (!*p)
3791 return 0;
3792
431f458d
DSH		 3793 get_sigorhash(&sig_alg, &hash_alg, etmp);
3794 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3795
431f458d 3796 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3797 return 0;
3798
3799 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3800 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3801 return 0;
3802 }
3803 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3804 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3805 return 1;
3806}
3807
3808/*
3809 * Set suppored signature algorithms based on a colon separated list of the
3810 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3811 */
3dbc46df 3812int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3813{
3814 sig_cb_st sig;
3815 sig.sigalgcnt = 0;
3816 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3817 return 0;
3818 if (c == NULL)
3819 return 1;
3820 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3821}
3822
3823int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3824 int client)
3825{
3826 unsigned char *sigalgs, *sptr;
3827 int rhash, rsign;
3828 size_t i;
3829 if (salglen & 1)
3830 return 0;
3831 sigalgs = OPENSSL_malloc(salglen);
3832 if (sigalgs == NULL)
3833 return 0;
3834 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3835 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3836 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3837
3838 if (rhash == -1 || rsign == -1)
3839 goto err;
3840 *sptr++ = rhash;
3841 *sptr++ = rsign;
3842 }
3843
3844 if (client) {
b548a1f1 3845 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3846 c->client_sigalgs = sigalgs;
3847 c->client_sigalgslen = salglen;
3848 } else {
b548a1f1 3849 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3850 c->conf_sigalgs = sigalgs;
3851 c->conf_sigalgslen = salglen;
3852 }
3853
3854 return 1;
3855
3856 err:
3857 OPENSSL_free(sigalgs);
3858 return 0;
3859}
4453cd8c 3860
d61ff83b 3861static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3862{
3863 int sig_nid;
3864 size_t i;
3865 if (default_nid == -1)
3866 return 1;
3867 sig_nid = X509_get_signature_nid(x);
3868 if (default_nid)
3869 return sig_nid == default_nid ? 1 : 0;
3870 for (i = 0; i < c->shared_sigalgslen; i++)
3871 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3872 return 1;
3873 return 0;
3874}
3875
6dbb6219
DSH		 3876/* Check to see if a certificate issuer name matches list of CA names */
3877static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3878{
3879 X509_NAME *nm;
3880 int i;
3881 nm = X509_get_issuer_name(x);
3882 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3883 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3884 return 1;
3885 }
3886 return 0;
3887}
3888
3889/*
3890 * Check certificate chain is consistent with TLS extensions and is usable by
3891 * server. This servers two purposes: it allows users to check chains before
3892 * passing them to the server and it allows the server to check chains before
3893 * attempting to use them.
d61ff83b 3894 */
6dbb6219
DSH		 3895
3896/* Flags which need to be set for a certificate when stict mode not set */
3897
e481f9b9 3898#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3899 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3900/* Strict mode flags */
e481f9b9 3901#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3902 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3903 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3904
d61ff83b 3905int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3906 int idx)
3907{
3908 int i;
3909 int rv = 0;
3910 int check_flags = 0, strict_mode;
3911 CERT_PKEY *cpk = NULL;
3912 CERT *c = s->cert;
f7d53487 3913 uint32_t *pvalid;
0f113f3e
MC		 3914 unsigned int suiteb_flags = tls1_suiteb(s);
3915 /* idx == -1 means checking server chains */
3916 if (idx != -1) {
3917 /* idx == -2 means checking client certificate chains */
3918 if (idx == -2) {
3919 cpk = c->key;
3920 idx = cpk - c->pkeys;
3921 } else
3922 cpk = c->pkeys + idx;
6383d316 3923 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3924 x = cpk->x509;
3925 pk = cpk->privatekey;
3926 chain = cpk->chain;
3927 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3928 /* If no cert or key, forget it */
3929 if (!x || !pk)
3930 goto end;
e481f9b9 3931#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3932 /* Allow any certificate to pass test */
3933 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3934 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3935 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3936 *pvalid = rv;
0f113f3e
MC		 3937 return rv;
3938 }
e481f9b9 3939#endif
0f113f3e
MC		 3940 } else {
3941 if (!x || !pk)
d813f9eb 3942 return 0;
0f113f3e
MC		 3943 idx = ssl_cert_type(x, pk);
3944 if (idx == -1)
d813f9eb 3945 return 0;
6383d316
DSH		 3946 pvalid = s->s3->tmp.valid_flags + idx;
3947
0f113f3e
MC		 3948 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3949 check_flags = CERT_PKEY_STRICT_FLAGS;
3950 else
3951 check_flags = CERT_PKEY_VALID_FLAGS;
3952 strict_mode = 1;
3953 }
3954
3955 if (suiteb_flags) {
3956 int ok;
3957 if (check_flags)
3958 check_flags |= CERT_PKEY_SUITEB;
3959 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3960 if (ok == X509_V_OK)
3961 rv |= CERT_PKEY_SUITEB;
3962 else if (!check_flags)
3963 goto end;
3964 }
3965
3966 /*
3967 * Check all signature algorithms are consistent with signature
3968 * algorithms extension if TLS 1.2 or later and strict mode.
3969 */
3970 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3971 int default_nid;
3972 unsigned char rsign = 0;
76106e60 3973 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3974 default_nid = 0;
3975 /* If no sigalgs extension use defaults from RFC5246 */
3976 else {
3977 switch (idx) {
3978 case SSL_PKEY_RSA_ENC:
3979 case SSL_PKEY_RSA_SIGN:
3980 case SSL_PKEY_DH_RSA:
3981 rsign = TLSEXT_signature_rsa;
3982 default_nid = NID_sha1WithRSAEncryption;
3983 break;
3984
3985 case SSL_PKEY_DSA_SIGN:
3986 case SSL_PKEY_DH_DSA:
3987 rsign = TLSEXT_signature_dsa;
3988 default_nid = NID_dsaWithSHA1;
3989 break;
3990
3991 case SSL_PKEY_ECC:
3992 rsign = TLSEXT_signature_ecdsa;
3993 default_nid = NID_ecdsa_with_SHA1;
3994 break;
3995
3996 default:
3997 default_nid = -1;
3998 break;
3999 }
4000 }
4001 /*
4002 * If peer sent no signature algorithms extension and we have set
4003 * preferred signature algorithms check we support sha1.
4004 */
4005 if (default_nid > 0 && c->conf_sigalgs) {
4006 size_t j;
4007 const unsigned char *p = c->conf_sigalgs;
4008 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4009 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4010 break;
4011 }
4012 if (j == c->conf_sigalgslen) {
4013 if (check_flags)
4014 goto skip_sigs;
4015 else
4016 goto end;
4017 }
4018 }
4019 /* Check signature algorithm of each cert in chain */
4020 if (!tls1_check_sig_alg(c, x, default_nid)) {
4021 if (!check_flags)
4022 goto end;
4023 } else
4024 rv |= CERT_PKEY_EE_SIGNATURE;
4025 rv |= CERT_PKEY_CA_SIGNATURE;
4026 for (i = 0; i < sk_X509_num(chain); i++) {
4027 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4028 if (check_flags) {
4029 rv &= ~CERT_PKEY_CA_SIGNATURE;
4030 break;
4031 } else
4032 goto end;
4033 }
4034 }
4035 }
4036 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4037 else if (check_flags)
4038 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4039 skip_sigs:
4040 /* Check cert parameters are consistent */
4041 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4042 rv |= CERT_PKEY_EE_PARAM;
4043 else if (!check_flags)
4044 goto end;
4045 if (!s->server)
4046 rv |= CERT_PKEY_CA_PARAM;
4047 /* In strict mode check rest of chain too */
4048 else if (strict_mode) {
4049 rv |= CERT_PKEY_CA_PARAM;
4050 for (i = 0; i < sk_X509_num(chain); i++) {
4051 X509 *ca = sk_X509_value(chain, i);
4052 if (!tls1_check_cert_param(s, ca, 0)) {
4053 if (check_flags) {
4054 rv &= ~CERT_PKEY_CA_PARAM;
4055 break;
4056 } else
4057 goto end;
4058 }
4059 }
4060 }
4061 if (!s->server && strict_mode) {
4062 STACK_OF(X509_NAME) *ca_dn;
4063 int check_type = 0;
4064 switch (pk->type) {
4065 case EVP_PKEY_RSA:
4066 check_type = TLS_CT_RSA_SIGN;
4067 break;
4068 case EVP_PKEY_DSA:
4069 check_type = TLS_CT_DSS_SIGN;
4070 break;
4071 case EVP_PKEY_EC:
4072 check_type = TLS_CT_ECDSA_SIGN;
4073 break;
4074 case EVP_PKEY_DH:
4075 case EVP_PKEY_DHX:
4076 {
4077 int cert_type = X509_certificate_type(x, pk);
4078 if (cert_type & EVP_PKS_RSA)
4079 check_type = TLS_CT_RSA_FIXED_DH;
4080 if (cert_type & EVP_PKS_DSA)
4081 check_type = TLS_CT_DSS_FIXED_DH;
4082 }
4083 }
4084 if (check_type) {
4085 const unsigned char *ctypes;
4086 int ctypelen;
4087 if (c->ctypes) {
4088 ctypes = c->ctypes;
4089 ctypelen = (int)c->ctype_num;
4090 } else {
4091 ctypes = (unsigned char *)s->s3->tmp.ctype;
4092 ctypelen = s->s3->tmp.ctype_num;
4093 }
4094 for (i = 0; i < ctypelen; i++) {
4095 if (ctypes[i] == check_type) {
4096 rv |= CERT_PKEY_CERT_TYPE;
4097 break;
4098 }
4099 }
4100 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4101 goto end;
4102 } else
4103 rv |= CERT_PKEY_CERT_TYPE;
4104
4105 ca_dn = s->s3->tmp.ca_names;
4106
4107 if (!sk_X509_NAME_num(ca_dn))
4108 rv |= CERT_PKEY_ISSUER_NAME;
4109
4110 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4111 if (ssl_check_ca_name(ca_dn, x))
4112 rv |= CERT_PKEY_ISSUER_NAME;
4113 }
4114 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4115 for (i = 0; i < sk_X509_num(chain); i++) {
4116 X509 *xtmp = sk_X509_value(chain, i);
4117 if (ssl_check_ca_name(ca_dn, xtmp)) {
4118 rv |= CERT_PKEY_ISSUER_NAME;
4119 break;
4120 }
4121 }
4122 }
4123 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4124 goto end;
4125 } else
4126 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4127
4128 if (!check_flags || (rv & check_flags) == check_flags)
4129 rv |= CERT_PKEY_VALID;
4130
4131 end:
4132
4133 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4134 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4135 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4136 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4137 rv |= CERT_PKEY_SIGN;
4138 } else
4139 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4140
4141 /*
4142 * When checking a CERT_PKEY structure all flags are irrelevant if the
4143 * chain is invalid.
4144 */
4145 if (!check_flags) {
4146 if (rv & CERT_PKEY_VALID)
6383d316 4147 *pvalid = rv;
0f113f3e
MC		 4148 else {
4149 /* Preserve explicit sign flag, clear rest */
6383d316 4150 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4151 return 0;
4152 }
4153 }
4154 return rv;
4155}
d61ff83b
DSH		 4156
4157/* Set validity of certificates in an SSL structure */
4158void tls1_set_cert_validity(SSL *s)
0f113f3e 4159{
17dd65e6
MC		 4160 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4161 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4162 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4163 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4164 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4165 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
0f113f3e
MC		 4166}
4167
18d71588
DSH		 4168/* User level utiity function to check a chain is suitable */
4169int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4170{
4171 return tls1_check_chain(s, x, pk, chain, -1);
4172}
d61ff83b 4173
09599b52
DSH		 4174
4175#ifndef OPENSSL_NO_DH
4176DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4177{
4178 int dh_secbits = 80;
4179 if (s->cert->dh_tmp_auto == 2)
4180 return DH_get_1024_160();
adc5506a 4181 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4182 if (s->s3->tmp.new_cipher->strength_bits == 256)
4183 dh_secbits = 128;
4184 else
4185 dh_secbits = 80;
4186 } else {
4187 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4188 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4189 }
4190
4191 if (dh_secbits >= 128) {
4192 DH *dhp = DH_new();
a71edf3b 4193 if (dhp == NULL)
0f113f3e
MC		 4194 return NULL;
4195 dhp->g = BN_new();
a71edf3b 4196 if (dhp->g != NULL)
0f113f3e
MC		 4197 BN_set_word(dhp->g, 2);
4198 if (dh_secbits >= 192)
4199 dhp->p = get_rfc3526_prime_8192(NULL);
4200 else
4201 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4202 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4203 DH_free(dhp);
4204 return NULL;
4205 }
4206 return dhp;
4207 }
4208 if (dh_secbits >= 112)
4209 return DH_get_2048_224();
4210 return DH_get_1024_160();
4211}
09599b52 4212#endif
b362ccab
DSH		 4213
4214static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4215{
4216 int secbits;
4217 EVP_PKEY *pkey = X509_get_pubkey(x);
4218 if (pkey) {
4219 secbits = EVP_PKEY_security_bits(pkey);
4220 EVP_PKEY_free(pkey);
4221 } else
4222 secbits = -1;
4223 if (s)
4224 return ssl_security(s, op, secbits, 0, x);
4225 else
4226 return ssl_ctx_security(ctx, op, secbits, 0, x);
4227}
b362ccab
DSH		 4228
4229static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4230{
4231 /* Lookup signature algorithm digest */
4232 int secbits = -1, md_nid = NID_undef, sig_nid;
4233 sig_nid = X509_get_signature_nid(x);
4234 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4235 const EVP_MD *md;
4236 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4237 secbits = EVP_MD_size(md) * 4;
4238 }
4239 if (s)
4240 return ssl_security(s, op, secbits, md_nid, x);
4241 else
4242 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4243}
b362ccab
DSH		 4244
4245int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4246{
4247 if (vfy)
4248 vfy = SSL_SECOP_PEER;
4249 if (is_ee) {
4250 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4251 return SSL_R_EE_KEY_TOO_SMALL;
4252 } else {
4253 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4254 return SSL_R_CA_KEY_TOO_SMALL;
4255 }
4256 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4257 return SSL_R_CA_MD_TOO_WEAK;
4258 return 1;
4259}
4260
4261/*
4262 * Check security of a chain, if sk includes the end entity certificate then
4263 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4264 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4265 */
4266
4267int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4268{
4269 int rv, start_idx, i;
4270 if (x == NULL) {
4271 x = sk_X509_value(sk, 0);
4272 start_idx = 1;
4273 } else
4274 start_idx = 0;
4275
4276 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4277 if (rv != 1)
4278 return rv;
4279
4280 for (i = start_idx; i < sk_X509_num(sk); i++) {
4281 x = sk_X509_value(sk, i);
4282 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4283 if (rv != 1)
4284 return rv;
4285 }
4286 return 1;
4287}
Mirror of https://github.com/openssl/openssl.git