]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Convert the mac functions to just return 1 for success and 0 for failure
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
f1fd4544 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
f1fd4544 8 */
58964a49
RE		 9
10#include <stdio.h>
aa474d1f 11#include <stdlib.h>
ec577822 12#include <openssl/objects.h>
6434abbf
DSH		 13#include <openssl/evp.h>
14#include <openssl/hmac.h>
67c8e7f4 15#include <openssl/ocsp.h>
5951e840
MC		 16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
3c27208f
RS		 18#include <openssl/dh.h>
19#include <openssl/bn.h>
58964a49 20#include "ssl_locl.h"
3c27208f 21#include <openssl/ct.h>
58964a49 22
d736bc1a 23static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, size_t ticklen,
ec60ccc1 24 const unsigned char *sess_id, size_t sesslen,
0f113f3e 25 SSL_SESSION **psess);
2daceb03 26static int ssl_check_clienthello_tlsext_early(SSL *s);
aa474d1f 27static int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 28
0f113f3e
MC		 29SSL3_ENC_METHOD const TLSv1_enc_data = {
30 tls1_enc,
31 tls1_mac,
32 tls1_setup_key_block,
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
0f113f3e
MC		 36 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
37 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
38 tls1_alert_code,
39 tls1_export_keying_material,
40 0,
a29fa98c 41 ssl3_set_handshake_header,
2c7b4dbc 42 tls_close_construct_packet,
0f113f3e
MC		 43 ssl3_handshake_write
44};
45
46SSL3_ENC_METHOD const TLSv1_1_enc_data = {
47 tls1_enc,
48 tls1_mac,
49 tls1_setup_key_block,
50 tls1_generate_master_secret,
51 tls1_change_cipher_state,
52 tls1_final_finish_mac,
0f113f3e
MC		 53 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
54 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
55 tls1_alert_code,
56 tls1_export_keying_material,
57 SSL_ENC_FLAG_EXPLICIT_IV,
a29fa98c 58 ssl3_set_handshake_header,
2c7b4dbc 59 tls_close_construct_packet,
0f113f3e
MC		 60 ssl3_handshake_write
61};
62
63SSL3_ENC_METHOD const TLSv1_2_enc_data = {
64 tls1_enc,
65 tls1_mac,
66 tls1_setup_key_block,
67 tls1_generate_master_secret,
68 tls1_change_cipher_state,
69 tls1_final_finish_mac,
0f113f3e
MC		 70 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
71 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
72 tls1_alert_code,
73 tls1_export_keying_material,
74 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
75 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
a29fa98c 76 ssl3_set_handshake_header,
2c7b4dbc 77 tls_close_construct_packet,
0f113f3e
MC		 78 ssl3_handshake_write
79};
58964a49 80
582a17d6
MC		 81SSL3_ENC_METHOD const TLSv1_3_enc_data = {
82 tls1_enc,
83 tls1_mac,
84 tls1_setup_key_block,
85 tls1_generate_master_secret,
86 tls1_change_cipher_state,
87 tls1_final_finish_mac,
582a17d6
MC		 88 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
89 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
90 tls1_alert_code,
91 tls1_export_keying_material,
92 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
93 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
582a17d6
MC		 94 ssl3_set_handshake_header,
95 tls_close_construct_packet,
96 ssl3_handshake_write
97};
98
f3b656b2 99long tls1_default_timeout(void)
0f113f3e
MC		 100{
101 /*
102 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
103 * http, the cache would over fill
104 */
105 return (60 * 60 * 2);
106}
58964a49 107
6b691a5c 108int tls1_new(SSL *s)
0f113f3e
MC		 109{
110 if (!ssl3_new(s))
111 return (0);
112 s->method->ssl_clear(s);
113 return (1);
114}
58964a49 115
6b691a5c 116void tls1_free(SSL *s)
0f113f3e 117{
b548a1f1 118 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 119 ssl3_free(s);
120}
58964a49 121
6b691a5c 122void tls1_clear(SSL *s)
0f113f3e
MC		 123{
124 ssl3_clear(s);
4fa52141
VD		 125 if (s->method->version == TLS_ANY_VERSION)
126 s->version = TLS_MAX_VERSION;
127 else
128 s->version = s->method->version;
0f113f3e 129}
58964a49 130
525de5d3 131#ifndef OPENSSL_NO_EC
eda3766b 132
0f113f3e
MC		 133typedef struct {
134 int nid; /* Curve NID */
135 int secbits; /* Bits of security (from SP800-57) */
136 unsigned int flags; /* Flags: currently just field type */
137} tls_curve_info;
138
2dc1aeed
DSH		 139/*
140 * Table of curve information.
ddb4c047 141 * Do not delete entries or reorder this array! It is used as a lookup
2dc1aeed
DSH		 142 * table: the index of each entry is one less than the TLS curve id.
143 */
0f113f3e
MC		 144static const tls_curve_info nid_list[] = {
145 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
146 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
147 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
148 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
149 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
150 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
151 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
152 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
153 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
154 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
155 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
156 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
157 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
158 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
159 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
160 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
161 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
162 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
163 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
164 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
165 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
166 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
167 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
168 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
169 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
170 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
171 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
172 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
ec24630a 173 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
0f113f3e
MC		 174};
175
176static const unsigned char ecformats_default[] = {
177 TLSEXT_ECPOINTFORMAT_uncompressed,
178 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
179 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
180};
181
fe6ef247
KR		 182/* The default curves */
183static const unsigned char eccurves_default[] = {
1db3107a 184 0, 29, /* X25519 (29) */
de57d237 185 0, 23, /* secp256r1 (23) */
0f113f3e 186 0, 25, /* secp521r1 (25) */
0f113f3e 187 0, 24, /* secp384r1 (24) */
de57d237
EK		 188};
189
190static const unsigned char eccurves_all[] = {
1db3107a 191 0, 29, /* X25519 (29) */
de57d237 192 0, 23, /* secp256r1 (23) */
de57d237 193 0, 25, /* secp521r1 (25) */
de57d237 194 0, 24, /* secp384r1 (24) */
0f113f3e 195 0, 26, /* brainpoolP256r1 (26) */
ddb4c047
RS		 196 0, 27, /* brainpoolP384r1 (27) */
197 0, 28, /* brainpool512r1 (28) */
198
199 /*
200 * Remaining curves disabled by default but still permitted if set
201 * via an explicit callback or parameters.
202 */
0f113f3e 203 0, 22, /* secp256k1 (22) */
de57d237
EK		 204 0, 14, /* sect571r1 (14) */
205 0, 13, /* sect571k1 (13) */
206 0, 11, /* sect409k1 (11) */
207 0, 12, /* sect409r1 (12) */
208 0, 9, /* sect283k1 (9) */
209 0, 10, /* sect283r1 (10) */
de57d237
EK		 210 0, 20, /* secp224k1 (20) */
211 0, 21, /* secp224r1 (21) */
212 0, 18, /* secp192k1 (18) */
213 0, 19, /* secp192r1 (19) */
214 0, 15, /* secp160k1 (15) */
215 0, 16, /* secp160r1 (16) */
216 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 217 0, 8, /* sect239k1 (8) */
218 0, 6, /* sect233k1 (6) */
219 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 220 0, 4, /* sect193r1 (4) */
221 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 222 0, 1, /* sect163k1 (1) */
223 0, 2, /* sect163r1 (2) */
224 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 225};
226
227static const unsigned char suiteb_curves[] = {
228 0, TLSEXT_curve_P_256,
229 0, TLSEXT_curve_P_384
230};
2ea80354 231
ec24630a 232int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
0f113f3e 233{
ec24630a 234 const tls_curve_info *cinfo;
0f113f3e 235 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 236 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e 237 return 0;
ec24630a
DSH		 238 cinfo = nid_list + curve_id - 1;
239 if (pflags)
240 *pflags = cinfo->flags;
241 return cinfo->nid;
0f113f3e 242}
525de5d3
DSH		 243
244int tls1_ec_nid2curve_id(int nid)
0f113f3e 245{
2fa2d15a
DSH		 246 size_t i;
247 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
248 if (nid_list[i].nid == nid)
249 return i + 1;
0f113f3e 250 }
2fa2d15a 251 return 0;
0f113f3e
MC		 252}
253
740580c2
EK		 254/*
255 * Get curves list, if "sess" is set return client curves otherwise
256 * preferred list.
257 * Sets |num_curves| to the number of curves in the list, i.e.,
258 * the length of |pcurves| is 2 * num_curves.
259 * Returns 1 on success and 0 if the client curves list has invalid format.
260 * The latter indicates an internal error: we should not be accepting such
261 * lists in the first place.
262 * TODO(emilia): we should really be storing the curves list in explicitly
263 * parsed form instead. (However, this would affect binary compatibility
264 * so cannot happen in the 1.0.x series.)
fd2b65ce 265 */
740580c2 266static int tls1_get_curvelist(SSL *s, int sess,
a230b26e 267 const unsigned char **pcurves, size_t *num_curves)
0f113f3e
MC		 268{
269 size_t pcurveslen = 0;
270 if (sess) {
271 *pcurves = s->session->tlsext_ellipticcurvelist;
272 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
273 } else {
274 /* For Suite B mode only include P-256, P-384 */
275 switch (tls1_suiteb(s)) {
276 case SSL_CERT_FLAG_SUITEB_128_LOS:
277 *pcurves = suiteb_curves;
278 pcurveslen = sizeof(suiteb_curves);
279 break;
280
281 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
282 *pcurves = suiteb_curves;
283 pcurveslen = 2;
284 break;
285
286 case SSL_CERT_FLAG_SUITEB_192_LOS:
287 *pcurves = suiteb_curves + 2;
288 pcurveslen = 2;
289 break;
290 default:
291 *pcurves = s->tlsext_ellipticcurvelist;
292 pcurveslen = s->tlsext_ellipticcurvelist_length;
293 }
294 if (!*pcurves) {
fe6ef247
KR		 295 *pcurves = eccurves_default;
296 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 297 }
298 }
299
300 /* We do not allow odd length arrays to enter the system. */
301 if (pcurveslen & 1) {
302 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
303 *num_curves = 0;
304 return 0;
305 } else {
306 *num_curves = pcurveslen / 2;
307 return 1;
308 }
309}
b362ccab
DSH		 310
311/* See if curve is allowed by security callback */
312static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 313{
314 const tls_curve_info *cinfo;
315 if (curve[0])
316 return 1;
b6eb9827 317 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 318 return 0;
319 cinfo = &nid_list[curve[1] - 1];
320# ifdef OPENSSL_NO_EC2M
321 if (cinfo->flags & TLS_CURVE_CHAR2)
322 return 0;
323# endif
324 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
325}
b362ccab 326
d18b716d
DSH		 327/* Check a curve is one of our preferences */
328int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 329{
330 const unsigned char *curves;
331 size_t num_curves, i;
332 unsigned int suiteb_flags = tls1_suiteb(s);
333 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
334 return 0;
335 /* Check curve matches Suite B preferences */
336 if (suiteb_flags) {
337 unsigned long cid = s->s3->tmp.new_cipher->id;
338 if (p[1])
339 return 0;
340 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
341 if (p[2] != TLSEXT_curve_P_256)
342 return 0;
343 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
344 if (p[2] != TLSEXT_curve_P_384)
345 return 0;
346 } else /* Should never happen */
347 return 0;
348 }
349 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
350 return 0;
351 for (i = 0; i < num_curves; i++, curves += 2) {
352 if (p[1] == curves[0] && p[2] == curves[1])
353 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
354 }
355 return 0;
356}
d0595f17 357
1d97c843 358/*-
6977e8ee
KR		 359 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
360 * if there is no match.
361 * For nmatch == -1, return number of matches
376e2ca3
EK		 362 * For nmatch == -2, return the NID of the curve to use for
363 * an EC tmp key, or NID_undef if there is no match.
d0595f17 364 */
a4352630 365int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 366{
367 const unsigned char *pref, *supp;
368 size_t num_pref, num_supp, i, j;
369 int k;
370 /* Can't do anything on client side */
371 if (s->server == 0)
372 return -1;
373 if (nmatch == -2) {
374 if (tls1_suiteb(s)) {
375 /*
376 * For Suite B ciphersuite determines curve: we already know
377 * these are acceptable due to previous checks.
378 */
379 unsigned long cid = s->s3->tmp.new_cipher->id;
380 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
381 return NID_X9_62_prime256v1; /* P-256 */
382 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
383 return NID_secp384r1; /* P-384 */
384 /* Should never happen */
385 return NID_undef;
386 }
387 /* If not Suite B just return first preference shared curve */
388 nmatch = 0;
389 }
390 /*
391 * Avoid truncation. tls1_get_curvelist takes an int
392 * but s->options is a long...
393 */
394 if (!tls1_get_curvelist
395 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
396 &num_supp))
397 /* In practice, NID_undef == 0 but let's be precise. */
398 return nmatch == -1 ? 0 : NID_undef;
399 if (!tls1_get_curvelist
a230b26e 400 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
0f113f3e 401 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 402
403 /*
404 * If the client didn't send the elliptic_curves extension all of them
405 * are allowed.
406 */
407 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
408 supp = eccurves_all;
409 num_supp = sizeof(eccurves_all) / 2;
410 } else if (num_pref == 0 &&
a230b26e 411 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
3c06513f
KR		 412 pref = eccurves_all;
413 num_pref = sizeof(eccurves_all) / 2;
414 }
415
0f113f3e
MC		 416 k = 0;
417 for (i = 0; i < num_pref; i++, pref += 2) {
418 const unsigned char *tsupp = supp;
419 for (j = 0; j < num_supp; j++, tsupp += 2) {
420 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
421 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
422 continue;
423 if (nmatch == k) {
424 int id = (pref[0] << 8) | pref[1];
ec24630a 425 return tls1_ec_curve_id2nid(id, NULL);
0f113f3e
MC		 426 }
427 k++;
428 }
429 }
430 }
431 if (nmatch == -1)
432 return k;
433 /* Out of range (nmatch > k). */
434 return NID_undef;
435}
d0595f17
DSH		 436
437int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 438 int *curves, size_t ncurves)
439{
440 unsigned char *clist, *p;
441 size_t i;
442 /*
443 * Bitmap of curves included to detect duplicates: only works while curve
444 * ids < 32
445 */
446 unsigned long dup_list = 0;
447 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 448 if (clist == NULL)
0f113f3e
MC		 449 return 0;
450 for (i = 0, p = clist; i < ncurves; i++) {
451 unsigned long idmask;
452 int id;
453 id = tls1_ec_nid2curve_id(curves[i]);
454 idmask = 1L << id;
455 if (!id || (dup_list & idmask)) {
456 OPENSSL_free(clist);
457 return 0;
458 }
459 dup_list |= idmask;
460 s2n(id, p);
461 }
b548a1f1 462 OPENSSL_free(*pext);
0f113f3e
MC		 463 *pext = clist;
464 *pextlen = ncurves * 2;
465 return 1;
466}
467
468# define MAX_CURVELIST 28
469
470typedef struct {
471 size_t nidcnt;
472 int nid_arr[MAX_CURVELIST];
473} nid_cb_st;
d0595f17
DSH		 474
475static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 476{
477 nid_cb_st *narg = arg;
478 size_t i;
479 int nid;
480 char etmp[20];
2747d73c
KR		 481 if (elem == NULL)
482 return 0;
0f113f3e
MC		 483 if (narg->nidcnt == MAX_CURVELIST)
484 return 0;
485 if (len > (int)(sizeof(etmp) - 1))
486 return 0;
487 memcpy(etmp, elem, len);
488 etmp[len] = 0;
489 nid = EC_curve_nist2nid(etmp);
490 if (nid == NID_undef)
491 nid = OBJ_sn2nid(etmp);
492 if (nid == NID_undef)
493 nid = OBJ_ln2nid(etmp);
494 if (nid == NID_undef)
495 return 0;
496 for (i = 0; i < narg->nidcnt; i++)
497 if (narg->nid_arr[i] == nid)
498 return 0;
499 narg->nid_arr[narg->nidcnt++] = nid;
500 return 1;
501}
502
d0595f17 503/* Set curves based on a colon separate list */
a230b26e 504int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
0f113f3e
MC		 505{
506 nid_cb_st ncb;
507 ncb.nidcnt = 0;
508 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
509 return 0;
510 if (pext == NULL)
511 return 1;
512 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
513}
514
fd2b65ce
DSH		 515/* For an EC key set TLS id and required compression based on parameters */
516static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 517 EC_KEY *ec)
518{
2235b7f2 519 int id;
0f113f3e 520 const EC_GROUP *grp;
0f113f3e
MC		 521 if (!ec)
522 return 0;
523 /* Determine if it is a prime field */
524 grp = EC_KEY_get0_group(ec);
525 if (!grp)
526 return 0;
0f113f3e
MC		 527 /* Determine curve ID */
528 id = EC_GROUP_get_curve_name(grp);
529 id = tls1_ec_nid2curve_id(id);
2235b7f2
DSH		 530 /* If no id return error: we don't support arbitrary explicit curves */
531 if (id == 0)
532 return 0;
533 curve_id[0] = 0;
534 curve_id[1] = (unsigned char)id;
0f113f3e
MC		 535 if (comp_id) {
536 if (EC_KEY_get0_public_key(ec) == NULL)
537 return 0;
2235b7f2
DSH		 538 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
539 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
540 } else {
541 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
0f113f3e
MC		 542 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
543 else
544 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2235b7f2 545 }
0f113f3e
MC		 546 }
547 return 1;
548}
549
fd2b65ce
DSH		 550/* Check an EC key is compatible with extensions */
551static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 552 unsigned char *curve_id, unsigned char *comp_id)
553{
554 const unsigned char *pformats, *pcurves;
555 size_t num_formats, num_curves, i;
556 int j;
557 /*
558 * If point formats extension present check it, otherwise everything is
559 * supported (see RFC4492).
560 */
561 if (comp_id && s->session->tlsext_ecpointformatlist) {
562 pformats = s->session->tlsext_ecpointformatlist;
563 num_formats = s->session->tlsext_ecpointformatlist_length;
564 for (i = 0; i < num_formats; i++, pformats++) {
565 if (*comp_id == *pformats)
566 break;
567 }
568 if (i == num_formats)
569 return 0;
570 }
571 if (!curve_id)
572 return 1;
573 /* Check curve is consistent with client and server preferences */
574 for (j = 0; j <= 1; j++) {
575 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
576 return 0;
b79d2410
MC		 577 if (j == 1 && num_curves == 0) {
578 /*
579 * If we've not received any curves then skip this check.
580 * RFC 4492 does not require the supported elliptic curves extension
581 * so if it is not sent we can just choose any curve.
582 * It is invalid to send an empty list in the elliptic curves
583 * extension, so num_curves == 0 always means no extension.
584 */
585 break;
586 }
0f113f3e
MC		 587 for (i = 0; i < num_curves; i++, pcurves += 2) {
588 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
589 break;
590 }
591 if (i == num_curves)
592 return 0;
593 /* For clients can only check sent curve list */
594 if (!s->server)
595 break;
596 }
597 return 1;
598}
d61ff83b 599
5087afa1 600static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 601 size_t *num_formats)
602{
603 /*
604 * If we have a custom point format list use it otherwise use default
605 */
606 if (s->tlsext_ecpointformatlist) {
607 *pformats = s->tlsext_ecpointformatlist;
608 *num_formats = s->tlsext_ecpointformatlist_length;
609 } else {
610 *pformats = ecformats_default;
611 /* For Suite B we don't support char2 fields */
612 if (tls1_suiteb(s))
613 *num_formats = sizeof(ecformats_default) - 1;
614 else
615 *num_formats = sizeof(ecformats_default);
616 }
617}
618
619/*
620 * Check cert parameters compatible with extensions: currently just checks EC
621 * certificates have compatible curves and compression.
d61ff83b 622 */
2ea80354 623static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 624{
625 unsigned char comp_id, curve_id[2];
626 EVP_PKEY *pkey;
627 int rv;
8382fd3a 628 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 629 if (!pkey)
630 return 0;
631 /* If not EC nothing to do */
3aeb9348 632 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 633 return 1;
3aeb9348 634 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 635 if (!rv)
636 return 0;
637 /*
638 * Can't check curve_id for client certs as we don't have a supported
639 * curves extension.
640 */
641 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
642 if (!rv)
643 return 0;
644 /*
645 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
646 * SHA384+P-384, adjust digest if necessary.
647 */
648 if (set_ee_md && tls1_suiteb(s)) {
649 int check_md;
650 size_t i;
651 CERT *c = s->cert;
652 if (curve_id[0])
653 return 0;
654 /* Check to see we have necessary signing algorithm */
655 if (curve_id[1] == TLSEXT_curve_P_256)
656 check_md = NID_ecdsa_with_SHA256;
657 else if (curve_id[1] == TLSEXT_curve_P_384)
658 check_md = NID_ecdsa_with_SHA384;
659 else
660 return 0; /* Should never happen */
661 for (i = 0; i < c->shared_sigalgslen; i++)
662 if (check_md == c->shared_sigalgs[i].signandhash_nid)
663 break;
664 if (i == c->shared_sigalgslen)
665 return 0;
666 if (set_ee_md == 2) {
667 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 668 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 669 else
d376e57d 670 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 671 }
672 }
673 return rv;
674}
675
10bf4fc2 676# ifndef OPENSSL_NO_EC
6977e8ee 677/*
8483a003 678 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
6977e8ee
KR		 679 * @s: SSL connection
680 * @cid: Cipher ID we're considering using
681 *
682 * Checks that the kECDHE cipher suite we're considering using
683 * is compatible with the client extensions.
684 *
685 * Returns 0 when the cipher can't be used or 1 when it can.
686 */
2ea80354 687int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 688{
0f113f3e
MC		 689 /*
690 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
691 * curves permitted.
692 */
693 if (tls1_suiteb(s)) {
6977e8ee 694 unsigned char curve_id[2];
0f113f3e
MC		 695 /* Curve to check determined by ciphersuite */
696 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
697 curve_id[1] = TLSEXT_curve_P_256;
698 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
699 curve_id[1] = TLSEXT_curve_P_384;
700 else
701 return 0;
702 curve_id[0] = 0;
703 /* Check this curve is acceptable */
704 if (!tls1_check_ec_key(s, curve_id, NULL))
705 return 0;
fe6ef247 706 return 1;
0f113f3e 707 }
fe6ef247
KR		 708 /* Need a shared curve */
709 if (tls1_shared_curve(s, 0))
710 return 1;
6977e8ee 711 return 0;
0f113f3e 712}
10bf4fc2 713# endif /* OPENSSL_NO_EC */
d0595f17 714
14536c8c
DSH		 715#else
716
717static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 718{
719 return 1;
720}
14536c8c 721
0f113f3e 722#endif /* OPENSSL_NO_EC */
f1fd4544 723
0f113f3e
MC		 724/*
725 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 726 * customisable at some point, for now include everything we support.
727 */
728
e481f9b9 729#ifdef OPENSSL_NO_RSA
a230b26e 730# define tlsext_sigalg_rsa(md) /* */
e481f9b9
MC		 731#else
732# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
733#endif
0f113f3e 734
e481f9b9 735#ifdef OPENSSL_NO_DSA
a230b26e 736# define tlsext_sigalg_dsa(md) /* */
e481f9b9
MC		 737#else
738# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
739#endif
0f113f3e 740
e481f9b9 741#ifdef OPENSSL_NO_EC
a230b26e 742# define tlsext_sigalg_ecdsa(md)/* */
e481f9b9
MC		 743#else
744# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
745#endif
0f113f3e 746
e481f9b9 747#define tlsext_sigalg(md) \
0f113f3e
MC		 748 tlsext_sigalg_rsa(md) \
749 tlsext_sigalg_dsa(md) \
750 tlsext_sigalg_ecdsa(md)
fc101f88 751
d97ed219 752static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 753 tlsext_sigalg(TLSEXT_hash_sha512)
754 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 755 tlsext_sigalg(TLSEXT_hash_sha256)
756 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 757 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 758#ifndef OPENSSL_NO_GOST
759 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
a230b26e
EK		 760 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
761 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
e44380a9 762#endif
fc101f88 763};
0f113f3e 764
e481f9b9 765#ifndef OPENSSL_NO_EC
d97ed219 766static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 767 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
768 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 769};
e481f9b9 770#endif
b7bfe69b 771size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 772{
773 /*
774 * If Suite B mode use Suite B sigalgs only, ignore any other
775 * preferences.
776 */
e481f9b9 777#ifndef OPENSSL_NO_EC
0f113f3e
MC		 778 switch (tls1_suiteb(s)) {
779 case SSL_CERT_FLAG_SUITEB_128_LOS:
780 *psigs = suiteb_sigalgs;
781 return sizeof(suiteb_sigalgs);
782
783 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
784 *psigs = suiteb_sigalgs;
785 return 2;
786
787 case SSL_CERT_FLAG_SUITEB_192_LOS:
788 *psigs = suiteb_sigalgs + 2;
789 return 2;
790 }
e481f9b9 791#endif
0f113f3e
MC		 792 /* If server use client authentication sigalgs if not NULL */
793 if (s->server && s->cert->client_sigalgs) {
794 *psigs = s->cert->client_sigalgs;
795 return s->cert->client_sigalgslen;
796 } else if (s->cert->conf_sigalgs) {
797 *psigs = s->cert->conf_sigalgs;
798 return s->cert->conf_sigalgslen;
799 } else {
800 *psigs = tls12_sigalgs;
801 return sizeof(tls12_sigalgs);
802 }
803}
804
805/*
806 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 807 * algorithms and if so return relevant digest.
808 */
809int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 810 const unsigned char *sig, EVP_PKEY *pkey)
811{
812 const unsigned char *sent_sigs;
813 size_t sent_sigslen, i;
814 int sigalg = tls12_get_sigid(pkey);
815 /* Should never happen */
816 if (sigalg == -1)
817 return -1;
818 /* Check key type is consistent with signature */
819 if (sigalg != (int)sig[1]) {
820 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
821 return 0;
822 }
e481f9b9 823#ifndef OPENSSL_NO_EC
3aeb9348 824 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 825 unsigned char curve_id[2], comp_id;
826 /* Check compression and curve matches extensions */
3aeb9348 827 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 828 return 0;
829 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
830 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
831 return 0;
832 }
833 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
834 if (tls1_suiteb(s)) {
835 if (curve_id[0])
836 return 0;
837 if (curve_id[1] == TLSEXT_curve_P_256) {
838 if (sig[0] != TLSEXT_hash_sha256) {
839 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
840 SSL_R_ILLEGAL_SUITEB_DIGEST);
841 return 0;
842 }
843 } else if (curve_id[1] == TLSEXT_curve_P_384) {
844 if (sig[0] != TLSEXT_hash_sha384) {
845 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
846 SSL_R_ILLEGAL_SUITEB_DIGEST);
847 return 0;
848 }
849 } else
850 return 0;
851 }
852 } else if (tls1_suiteb(s))
853 return 0;
e481f9b9 854#endif
0f113f3e
MC		 855
856 /* Check signature matches a type we sent */
857 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
858 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
859 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
860 break;
861 }
862 /* Allow fallback to SHA1 if not strict mode */
863 if (i == sent_sigslen
864 && (sig[0] != TLSEXT_hash_sha1
865 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
866 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
867 return 0;
868 }
869 *pmd = tls12_get_hash(sig[0]);
870 if (*pmd == NULL) {
871 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
872 return 0;
873 }
874 /* Make sure security callback allows algorithm */
875 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
a230b26e 876 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
0f113f3e
MC		 877 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
878 return 0;
879 }
880 /*
881 * Store the digest used so applications can retrieve it if they wish.
882 */
d376e57d 883 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 884 return 1;
885}
2ea80354 886
0f113f3e 887/*
3eb2aff4
KR		 888 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
889 * supported, doesn't appear in supported signature algorithms, isn't supported
890 * by the enabled protocol versions or by the security level.
891 *
892 * This function should only be used for checking which ciphers are supported
893 * by the client.
894 *
895 * Call ssl_cipher_disabled() to check that it's enabled or not.
b7bfe69b
DSH		 896 */
897void ssl_set_client_disabled(SSL *s)
0f113f3e 898{
4d69f9e6
DSH		 899 s->s3->tmp.mask_a = 0;
900 s->s3->tmp.mask_k = 0;
4d69f9e6 901 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
3eb2aff4 902 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
a230b26e 903#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 904 /* with PSK there must be client callback set */
905 if (!s->psk_client_callback) {
4d69f9e6 906 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 907 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 908 }
a230b26e 909#endif /* OPENSSL_NO_PSK */
e481f9b9 910#ifndef OPENSSL_NO_SRP
0f113f3e 911 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 912 s->s3->tmp.mask_a |= SSL_aSRP;
913 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 914 }
e481f9b9 915#endif
0f113f3e 916}
fc101f88 917
3eb2aff4
KR		 918/*
919 * ssl_cipher_disabled - check that a cipher is disabled or not
920 * @s: SSL connection that you want to use the cipher on
921 * @c: cipher to check
922 * @op: Security check that you want to do
923 *
924 * Returns 1 when it's disabled, 0 when enabled.
925 */
b362ccab 926int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 927{
3eb2aff4 928 if (c->algorithm_mkey & s->s3->tmp.mask_k
4d69f9e6 929 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e 930 return 1;
3eb2aff4
KR		 931 if (s->s3->tmp.max_ver == 0)
932 return 1;
933 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
a230b26e 934 || (c->max_tls < s->s3->tmp.min_ver)))
3eb2aff4
KR		 935 return 1;
936 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
a230b26e 937 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
3eb2aff4
KR		 938 return 1;
939
0f113f3e
MC		 940 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
941}
b362ccab
DSH		 942
943static int tls_use_ticket(SSL *s)
0f113f3e
MC		 944{
945 if (s->options & SSL_OP_NO_TICKET)
946 return 0;
947 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
948}
ed3883d2 949
a230b26e
EK		 950static int compare_uint(const void *p1, const void *p2)
951{
aa474d1f
EK		 952 unsigned int u1 = *((const unsigned int *)p1);
953 unsigned int u2 = *((const unsigned int *)p2);
954 if (u1 < u2)
955 return -1;
956 else if (u1 > u2)
957 return 1;
958 else
959 return 0;
960}
961
962/*
963 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
964 * more than one extension of the same type in a ClientHello or ServerHello.
965 * This function does an initial scan over the extensions block to filter those
966 * out. It returns 1 if all extensions are unique, and 0 if the extensions
967 * contain duplicates, could not be successfully parsed, or an internal error
968 * occurred.
969 */
a230b26e
EK		 970static int tls1_check_duplicate_extensions(const PACKET *packet)
971{
aa474d1f
EK		 972 PACKET extensions = *packet;
973 size_t num_extensions = 0, i = 0;
974 unsigned int *extension_types = NULL;
975 int ret = 0;
976
977 /* First pass: count the extensions. */
978 while (PACKET_remaining(&extensions) > 0) {
979 unsigned int type;
980 PACKET extension;
981 if (!PACKET_get_net_2(&extensions, &type) ||
982 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
983 goto done;
984 }
985 num_extensions++;
986 }
987
988 if (num_extensions <= 1)
989 return 1;
990
991 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
992 if (extension_types == NULL) {
993 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
994 goto done;
995 }
996
997 /* Second pass: gather the extension types. */
998 extensions = *packet;
999 for (i = 0; i < num_extensions; i++) {
1000 PACKET extension;
1001 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1002 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1003 /* This should not happen. */
1004 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1005 goto done;
1006 }
1007 }
1008
1009 if (PACKET_remaining(&extensions) != 0) {
1010 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1011 goto done;
1012 }
1013 /* Sort the extensions and make sure there are no duplicates. */
1014 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1015 for (i = 1; i < num_extensions; i++) {
1016 if (extension_types[i - 1] == extension_types[i])
1017 goto done;
1018 }
1019 ret = 1;
1020 done:
1021 OPENSSL_free(extension_types);
1022 return ret;
1023}
1024
ae2f7b37 1025int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1026{
e481f9b9 1027#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1028 /* See if we support any ECC ciphersuites */
1029 int using_ecc = 0;
1030 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1031 int i;
1032 unsigned long alg_k, alg_a;
1033 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1034
1035 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1036 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1037
1038 alg_k = c->algorithm_mkey;
1039 alg_a = c->algorithm_auth;
ce0c1f2b 1040 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
a230b26e 1041 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1042 using_ecc = 1;
1043 break;
1044 }
1045 }
1046 }
e481f9b9 1047#endif
ed3883d2 1048
0f113f3e
MC		 1049 /* Add RI if renegotiating */
1050 if (s->renegotiate) {
08029dfa 1051 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
2f97192c
MC		 1052 || !WPACKET_start_sub_packet_u16(pkt)
1053 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
1054 s->s3->previous_client_finished_len)
1055 || !WPACKET_close(pkt)) {
0f113f3e 1056 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1057 return 0;
5a3d8eeb 1058 }
0f113f3e
MC		 1059 }
1060 /* Only add RI for SSLv3 */
1061 if (s->client_version == SSL3_VERSION)
1062 goto done;
1063
1064 if (s->tlsext_hostname != NULL) {
1065 /* Add TLS extension servername to the Client Hello message */
08029dfa 1066 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
2c7b4dbc 1067 /* Sub-packet for server_name extension */
de451856 1068 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1069 /* Sub-packet for servername list (always 1 hostname)*/
de451856 1070 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1071 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
b2b3024e
MC		 1072 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
1073 strlen(s->tlsext_hostname))
0217dd19
MC		 1074 || !WPACKET_close(pkt)
1075 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1076 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1077 return 0;
1078 }
0f113f3e 1079 }
e481f9b9 1080#ifndef OPENSSL_NO_SRP
0f113f3e 1081 /* Add SRP username if there is one */
2c7b4dbc 1082 if (s->srp_ctx.login != NULL) {
08029dfa 1083 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
2c7b4dbc 1084 /* Sub-packet for SRP extension */
de451856
MC		 1085 || !WPACKET_start_sub_packet_u16(pkt)
1086 || !WPACKET_start_sub_packet_u8(pkt)
2c7b4dbc 1087 /* login must not be zero...internal error if so */
de451856 1088 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
0217dd19 1089 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
2c7b4dbc 1090 strlen(s->srp_ctx.login))
0217dd19
MC		 1091 || !WPACKET_close(pkt)
1092 || !WPACKET_close(pkt)) {
0f113f3e 1093 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1094 return 0;
0f113f3e 1095 }
0f113f3e 1096 }
e481f9b9 1097#endif
0f113f3e 1098
e481f9b9 1099#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1100 if (using_ecc) {
1101 /*
1102 * Add TLS extension ECPointFormats to the ClientHello message
1103 */
0f113f3e 1104 const unsigned char *pcurves, *pformats;
2c7b4dbc 1105 size_t num_curves, num_formats;
0f113f3e 1106 size_t i;
0f113f3e
MC		 1107
1108 tls1_get_formatlist(s, &pformats, &num_formats);
1109
08029dfa 1110 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
2c7b4dbc 1111 /* Sub-packet for formats extension */
de451856 1112 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e 1113 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
0217dd19 1114 || !WPACKET_close(pkt)) {
0f113f3e 1115 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1116 return 0;
0f113f3e 1117 }
4817504d 1118
0f113f3e
MC		 1119 /*
1120 * Add TLS extension EllipticCurves to the ClientHello message
1121 */
1122 pcurves = s->tlsext_ellipticcurvelist;
2c7b4dbc 1123 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
0f113f3e 1124 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1125 return 0;
0f113f3e 1126 }
ee2ffc27 1127
08029dfa 1128 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_elliptic_curves)
2c7b4dbc 1129 /* Sub-packet for curves extension */
de451856
MC		 1130 || !WPACKET_start_sub_packet_u16(pkt)
1131 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1132 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1133 return 0;
1134 }
0f113f3e
MC		 1135 /* Copy curve ID if supported */
1136 for (i = 0; i < num_curves; i++, pcurves += 2) {
1137 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
08029dfa
MC		 1138 if (!WPACKET_put_bytes_u8(pkt, pcurves[0])
1139 || !WPACKET_put_bytes_u8(pkt, pcurves[1])) {
2c7b4dbc
MC		 1140 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1141 ERR_R_INTERNAL_ERROR);
1142 return 0;
1143 }
0f113f3e
MC		 1144 }
1145 }
0217dd19 1146 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1147 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1148 return 0;
1149 }
0f113f3e 1150 }
a230b26e 1151#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1152
1153 if (tls_use_ticket(s)) {
1154 int ticklen;
1155 if (!s->new_session && s->session && s->session->tlsext_tick)
1156 ticklen = s->session->tlsext_ticklen;
1157 else if (s->session && s->tlsext_session_ticket &&
1158 s->tlsext_session_ticket->data) {
1159 ticklen = s->tlsext_session_ticket->length;
1160 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2c7b4dbc
MC		 1161 if (s->session->tlsext_tick == NULL) {
1162 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1163 return 0;
1164 }
0f113f3e
MC		 1165 memcpy(s->session->tlsext_tick,
1166 s->tlsext_session_ticket->data, ticklen);
1167 s->session->tlsext_ticklen = ticklen;
1168 } else
1169 ticklen = 0;
1170 if (ticklen == 0 && s->tlsext_session_ticket &&
1171 s->tlsext_session_ticket->data == NULL)
1172 goto skip_ext;
2c7b4dbc 1173
08029dfa 1174 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
b2b3024e
MC		 1175 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick,
1176 ticklen)) {
2c7b4dbc
MC		 1177 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1178 return 0;
0f113f3e
MC		 1179 }
1180 }
1181 skip_ext:
1182
f7aa3185 1183 if (SSL_CLIENT_USE_SIGALGS(s)) {
0f113f3e
MC		 1184 size_t salglen;
1185 const unsigned char *salg;
2c7b4dbc 1186
0f113f3e 1187 salglen = tls12_get_psigalgs(s, &salg);
2c7b4dbc 1188
08029dfa 1189 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
2c7b4dbc 1190 /* Sub-packet for sig-algs extension */
de451856 1191 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1192 /* Sub-packet for the actual list */
de451856 1193 || !WPACKET_start_sub_packet_u16(pkt)
0217dd19
MC		 1194 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
1195 || !WPACKET_close(pkt)
1196 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1197 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1198 return 0;
1199 }
0f113f3e 1200 }
3e41ac35 1201#ifndef OPENSSL_NO_OCSP
0f113f3e
MC		 1202 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1203 int i;
0f113f3e 1204
08029dfa 1205 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
2c7b4dbc 1206 /* Sub-packet for status request extension */
de451856 1207 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1208 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
2c7b4dbc 1209 /* Sub-packet for the ids */
de451856 1210 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1211 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1212 return 0;
1213 }
0f113f3e 1214 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
2c7b4dbc
MC		 1215 unsigned char *idbytes;
1216 int idlen;
1217 OCSP_RESPID *id;
2c7b4dbc 1218
0f113f3e 1219 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
2c7b4dbc
MC		 1220 idlen = i2d_OCSP_RESPID(id, NULL);
1221 if (idlen <= 0
1222 /* Sub-packet for an individual id */
dd8710dc 1223 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
b2b3024e 1224 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
2c7b4dbc
MC		 1225 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1226 return 0;
1227 }
1228 }
0217dd19 1229 if (!WPACKET_close(pkt)
de451856 1230 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1231 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1232 return 0;
860c3dd1 1233 }
0f113f3e 1234 if (s->tlsext_ocsp_exts) {
2c7b4dbc
MC		 1235 unsigned char *extbytes;
1236 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
0f113f3e 1237
2c7b4dbc
MC		 1238 if (extlen < 0) {
1239 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1240 return 0;
1241 }
0217dd19 1242 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
2c7b4dbc
MC		 1243 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
1244 != extlen) {
1245 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1246 return 0;
1247 }
1248 }
0217dd19 1249 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1250 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1251 return 0;
0f113f3e 1252 }
0f113f3e 1253 }
3e41ac35 1254#endif
e481f9b9 1255#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 1256 if (SSL_IS_DTLS(s)) {
2c7b4dbc
MC		 1257 unsigned int mode;
1258
22e3dcb7
RS		 1259 /*-
1260 * Set mode:
1261 * 1: peer may send requests
1262 * 2: peer not allowed to send requests
1263 */
1264 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
2c7b4dbc 1265 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
22e3dcb7 1266 else
2c7b4dbc
MC		 1267 mode = SSL_DTLSEXT_HB_ENABLED;
1268
08029dfa 1269 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
2c7b4dbc 1270 /* Sub-packet for Hearbeat extension */
de451856 1271 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1272 || !WPACKET_put_bytes_u8(pkt, mode)
0217dd19 1273 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1274 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1275 return 0;
1276 }
22e3dcb7 1277 }
e481f9b9 1278#endif
0f113f3e 1279
e481f9b9 1280#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1281 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1282 /*
8483a003 1283 * The client advertises an empty extension to indicate its support
0f113f3e
MC		 1284 * for Next Protocol Negotiation
1285 */
08029dfa
MC		 1286 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1287 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1288 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1289 return 0;
1290 }
0f113f3e 1291 }
e481f9b9 1292#endif
0f113f3e 1293
817cd0d5
TS		 1294 /*
1295 * finish_md_len is non-zero during a renegotiation, so
1296 * this avoids sending ALPN during the renegotiation
1297 * (see longer comment below)
1298 */
0f113f3e 1299 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
08029dfa
MC		 1300 if (!WPACKET_put_bytes_u16(pkt,
1301 TLSEXT_TYPE_application_layer_protocol_negotiation)
2c7b4dbc 1302 /* Sub-packet ALPN extension */
de451856 1303 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e
MC		 1304 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
1305 s->alpn_client_proto_list_len)
0217dd19 1306 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1307 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1308 return 0;
1309 }
817cd0d5 1310 s->s3->alpn_sent = 1;
0f113f3e 1311 }
e481f9b9 1312#ifndef OPENSSL_NO_SRTP
0f113f3e 1313 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
7facdbd6 1314 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
2c7b4dbc
MC		 1315 SRTP_PROTECTION_PROFILE *prof;
1316 int i, ct;
2c7b4dbc 1317
08029dfa 1318 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
2c7b4dbc 1319 /* Sub-packet for SRTP extension */
de451856 1320 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1321 /* Sub-packet for the protection profile list */
de451856 1322 || !WPACKET_start_sub_packet_u16(pkt)) {
69f68237 1323 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1324 return 0;
69f68237 1325 }
2c7b4dbc
MC		 1326 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
1327 for (i = 0; i < ct; i++) {
1328 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
08029dfa 1329 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
2c7b4dbc
MC		 1330 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1331 return 0;
1332 }
1333 }
7facdbd6
MC		 1334 if (!WPACKET_close(pkt)
1335 /* Add an empty use_mki value */
1336 || !WPACKET_put_bytes_u8(pkt, 0)
1337 || !WPACKET_close(pkt)) {
0f113f3e 1338 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1339 return 0;
0f113f3e 1340 }
0f113f3e 1341 }
e481f9b9 1342#endif
0f113f3e
MC		 1343 custom_ext_init(&s->cert->cli_ext);
1344 /* Add custom TLS Extensions to ClientHello */
2c7b4dbc
MC		 1345 if (!custom_ext_add(s, 0, pkt, al)) {
1346 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1347 return 0;
1348 }
1349
cde6145b
DW		 1350 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1351 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
08029dfa 1352 || !WPACKET_put_bytes_u16(pkt, 0)) {
cde6145b
DW		 1353 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1354 return 0;
1355 }
2c7b4dbc
MC		 1356 }
1357
ed29e82a
RP		 1358#ifndef OPENSSL_NO_CT
1359 if (s->ct_validation_callback != NULL) {
08029dfa
MC		 1360 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
1361 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1362 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1363 return 0;
1364 }
ed29e82a 1365 }
e481f9b9 1366#endif
2c7b4dbc 1367
08029dfa
MC		 1368 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1369 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1370 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1371 return 0;
1372 }
0f113f3e
MC		 1373
1374 /*
1375 * Add padding to workaround bugs in F5 terminators. See
1376 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1377 * code works out the length of all existing extensions it MUST always
1378 * appear last.
1379 */
1380 if (s->options & SSL_OP_TLSEXT_PADDING) {
2c7b4dbc
MC		 1381 unsigned char *padbytes;
1382 size_t hlen;
1383
ae2f7b37 1384 if (!WPACKET_get_total_written(pkt, &hlen)) {
2c7b4dbc
MC		 1385 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1386 return 0;
1387 }
a3680c8f 1388
0f113f3e
MC		 1389 if (hlen > 0xff && hlen < 0x200) {
1390 hlen = 0x200 - hlen;
1391 if (hlen >= 4)
1392 hlen -= 4;
1393 else
1394 hlen = 0;
1395
08029dfa 1396 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
b2b3024e 1397 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
2c7b4dbc
MC		 1398 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1399 return 0;
1400 }
1401 memset(padbytes, 0, hlen);
0f113f3e
MC		 1402 }
1403 }
5a3d8eeb 1404
0f113f3e 1405 done:
2c7b4dbc 1406 return 1;
0f113f3e 1407}
333f926d 1408
8157d44b 1409int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1410{
e481f9b9 1411#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1412 int next_proto_neg_seen;
e481f9b9
MC		 1413#endif
1414#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1415 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1416 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1417 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1418 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1419#endif
0f113f3e 1420
8157d44b
MC		 1421 if (!WPACKET_start_sub_packet_u16(pkt)
1422 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)) {
1423 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1424 return 0;
1425 }
333f926d 1426
8157d44b
MC		 1427 if (s->s3->send_connection_binding &&
1428 !ssl_add_serverhello_renegotiate_ext(s, pkt)) {
1429 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1430 return 0;
0f113f3e
MC		 1431 }
1432
1433 /* Only add RI for SSLv3 */
1434 if (s->version == SSL3_VERSION)
1435 goto done;
1436
1437 if (!s->hit && s->servername_done == 1
8157d44b
MC		 1438 && s->session->tlsext_hostname != NULL) {
1439 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1440 || !WPACKET_put_bytes_u16(pkt, 0)) {
1441 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1442 return 0;
1443 }
0f113f3e 1444 }
e481f9b9 1445#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1446 if (using_ecc) {
1447 const unsigned char *plist;
1448 size_t plistlen;
1449 /*
1450 * Add TLS extension ECPointFormats to the ServerHello message
1451 */
0f113f3e
MC		 1452 tls1_get_formatlist(s, &plist, &plistlen);
1453
8157d44b
MC		 1454 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1455 || !WPACKET_start_sub_packet_u16(pkt)
1456 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1457 || !WPACKET_close(pkt)) {
0f113f3e 1458 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1459 return 0;
0f113f3e 1460 }
0f113f3e
MC		 1461 }
1462 /*
1463 * Currently the server should not respond with a SupportedCurves
1464 * extension
1465 */
a230b26e 1466#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1467
1468 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
8157d44b
MC		 1469 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1470 || !WPACKET_put_bytes_u16(pkt, 0)) {
1471 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1472 return 0;
1473 }
5c753de6 1474 } else {
a230b26e
EK		 1475 /*
1476 * if we don't add the above TLSEXT, we can't add a session ticket
1477 * later
1478 */
5c753de6 1479 s->tlsext_ticket_expected = 0;
0f113f3e
MC		 1480 }
1481
1482 if (s->tlsext_status_expected) {
8157d44b
MC		 1483 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1484 || !WPACKET_put_bytes_u16(pkt, 0)) {
1485 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1486 return 0;
1487 }
0f113f3e 1488 }
e481f9b9 1489#ifndef OPENSSL_NO_SRTP
0f113f3e 1490 if (SSL_IS_DTLS(s) && s->srtp_profile) {
8157d44b
MC		 1491 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1492 || !WPACKET_start_sub_packet_u16(pkt)
1493 || !WPACKET_put_bytes_u16(pkt, 2)
1494 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1495 || !WPACKET_put_bytes_u8(pkt, 0)
1496 || !WPACKET_close(pkt)) {
0f113f3e 1497 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1498 return 0;
0f113f3e 1499 }
0f113f3e 1500 }
e481f9b9 1501#endif
0f113f3e
MC		 1502
1503 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1504 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1505 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1506 const unsigned char cryptopro_ext[36] = {
1507 0xfd, 0xe8, /* 65000 */
1508 0x00, 0x20, /* 32 bytes length */
1509 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1510 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1511 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1512 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1513 };
8157d44b
MC		 1514 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1515 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1516 return 0;
1517 }
0f113f3e 1518 }
e481f9b9 1519#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 1520 /* Add Heartbeat extension if we've received one */
22e3dcb7 1521 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
7507e73d 1522 unsigned int mode;
50e735f9
MC		 1523 /*-
1524 * Set mode:
1525 * 1: peer may send requests
1526 * 2: peer not allowed to send requests
1527 */
22e3dcb7 1528 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
8157d44b 1529 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e 1530 else
8157d44b
MC		 1531 mode = SSL_DTLSEXT_HB_ENABLED;
1532
1533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
1534 || !WPACKET_start_sub_packet_u16(pkt)
1535 || !WPACKET_put_bytes_u8(pkt, mode)
1536 || !WPACKET_close(pkt)) {
1537 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1538 return 0;
1539 }
0f113f3e
MC		 1540
1541 }
e481f9b9 1542#endif
0f113f3e 1543
e481f9b9 1544#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1545 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1546 s->s3->next_proto_neg_seen = 0;
1547 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1548 const unsigned char *npa;
1549 unsigned int npalen;
1550 int r;
1551
1552 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1553 s->
1554 ctx->next_protos_advertised_cb_arg);
1555 if (r == SSL_TLSEXT_ERR_OK) {
8157d44b
MC		 1556 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1557 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1558 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1559 return 0;
1560 }
0f113f3e
MC		 1561 s->s3->next_proto_neg_seen = 1;
1562 }
1563 }
e481f9b9 1564#endif
8157d44b
MC		 1565 if (!custom_ext_add(s, 1, pkt, al)) {
1566 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1567 return 0;
1568 }
1569
0f113f3e
MC		 1570 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1571 /*
1572 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1573 * for other cases too.
1574 */
1575 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1576 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1577 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1578 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1579 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1580 else {
8157d44b
MC		 1581 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1582 || !WPACKET_put_bytes_u16(pkt, 0)) {
1583 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1584 return 0;
1585 }
0f113f3e
MC		 1586 }
1587 }
e7f0d921 1588 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
8157d44b
MC		 1589 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1590 || !WPACKET_put_bytes_u16(pkt, 0)) {
1591 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1592 return 0;
1593 }
ddc06b35 1594 }
0f113f3e 1595
817cd0d5 1596 if (s->s3->alpn_selected != NULL) {
8157d44b
MC		 1597 if (!WPACKET_put_bytes_u16(pkt,
1598 TLSEXT_TYPE_application_layer_protocol_negotiation)
1599 || !WPACKET_start_sub_packet_u16(pkt)
1600 || !WPACKET_start_sub_packet_u16(pkt)
1601 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1602 s->s3->alpn_selected_len)
1603 || !WPACKET_close(pkt)
1604 || !WPACKET_close(pkt)) {
1605 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1606 return 0;
1607 }
0f113f3e
MC		 1608 }
1609
1610 done:
8157d44b
MC		 1611 if (!WPACKET_close(pkt)) {
1612 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1613 return 0;
1614 }
1615 return 1;
0f113f3e 1616}
a398f821 1617
0f113f3e 1618/*
817cd0d5 1619 * Save the ALPN extension in a ClientHello.
06217867
EK		 1620 * pkt: the contents of the ALPN extension, not including type and length.
1621 * al: a pointer to the alert value to send in the event of a failure.
1622 * returns: 1 on success, 0 on error.
0f113f3e 1623 */
9ceb2426 1624static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1625{
06217867 1626 PACKET protocol_list, save_protocol_list, protocol;
0f113f3e 1627
06217867 1628 *al = SSL_AD_DECODE_ERROR;
0f113f3e 1629
06217867
EK		 1630 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1631 || PACKET_remaining(&protocol_list) < 2) {
1632 return 0;
1633 }
0f113f3e 1634
06217867 1635 save_protocol_list = protocol_list;
9ceb2426 1636 do {
06217867
EK		 1637 /* Protocol names can't be empty. */
1638 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1639 || PACKET_remaining(&protocol) == 0) {
1640 return 0;
1641 }
1642 } while (PACKET_remaining(&protocol_list) != 0);
1643
817cd0d5 1644 if (!PACKET_memdup(&save_protocol_list,
a230b26e 1645 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
817cd0d5
TS		 1646 *al = TLS1_AD_INTERNAL_ERROR;
1647 return 0;
1648 }
1649
1650 return 1;
1651}
1652
1653/*
1654 * Process the ALPN extension in a ClientHello.
817cd0d5 1655 * al: a pointer to the alert value to send in the event of a failure.
70c22888 1656 * returns 1 on success, 0 on error.
817cd0d5 1657 */
70c22888 1658static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
817cd0d5
TS		 1659{
1660 const unsigned char *selected = NULL;
1661 unsigned char selected_len = 0;
1662
1663 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1664 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1665 s->s3->alpn_proposed,
1666 s->s3->alpn_proposed_len,
1667 s->ctx->alpn_select_cb_arg);
0f113f3e 1668
817cd0d5
TS		 1669 if (r == SSL_TLSEXT_ERR_OK) {
1670 OPENSSL_free(s->s3->alpn_selected);
1671 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1672 if (s->s3->alpn_selected == NULL) {
1673 *al = SSL_AD_INTERNAL_ERROR;
817cd0d5
TS		 1674 return 0;
1675 }
1676 s->s3->alpn_selected_len = selected_len;
0351baae
TS		 1677#ifndef OPENSSL_NO_NEXTPROTONEG
1678 /* ALPN takes precedence over NPN. */
1679 s->s3->next_proto_neg_seen = 0;
1680#endif
817cd0d5
TS		 1681 } else {
1682 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
06217867 1683 return 0;
0f113f3e 1684 }
0f113f3e 1685 }
0f113f3e 1686
06217867 1687 return 1;
0f113f3e 1688}
6f017a8f 1689
e481f9b9 1690#ifndef OPENSSL_NO_EC
1d97c843
TH		 1691/*-
1692 * ssl_check_for_safari attempts to fingerprint Safari using OS X
06217867 1693 * SecureTransport using the TLS extension block in |pkt|.
dece3209
RS		 1694 * Safari, since 10.6, sends exactly these extensions, in this order:
1695 * SNI,
1696 * elliptic_curves
1697 * ec_point_formats
1698 *
1699 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1700 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1701 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1702 * 10.8..10.8.3 (which don't work).
1703 */
68a16628 1704static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1705{
06217867
EK		 1706 unsigned int type;
1707 PACKET sni, tmppkt;
1708 size_t ext_len;
9ceb2426 1709
0f113f3e
MC		 1710 static const unsigned char kSafariExtensionsBlock[] = {
1711 0x00, 0x0a, /* elliptic_curves extension */
1712 0x00, 0x08, /* 8 bytes */
1713 0x00, 0x06, /* 6 bytes of curve ids */
1714 0x00, 0x17, /* P-256 */
1715 0x00, 0x18, /* P-384 */
1716 0x00, 0x19, /* P-521 */
1717
1718 0x00, 0x0b, /* ec_point_formats */
1719 0x00, 0x02, /* 2 bytes */
1720 0x01, /* 1 point format */
1721 0x00, /* uncompressed */
06217867 1722 /* The following is only present in TLS 1.2 */
0f113f3e
MC		 1723 0x00, 0x0d, /* signature_algorithms */
1724 0x00, 0x0c, /* 12 bytes */
1725 0x00, 0x0a, /* 10 bytes */
1726 0x05, 0x01, /* SHA-384/RSA */
1727 0x04, 0x01, /* SHA-256/RSA */
1728 0x02, 0x01, /* SHA-1/RSA */
1729 0x04, 0x03, /* SHA-256/ECDSA */
1730 0x02, 0x03, /* SHA-1/ECDSA */
1731 };
1732
06217867
EK		 1733 /* Length of the common prefix (first two extensions). */
1734 static const size_t kSafariCommonExtensionsLength = 18;
1735
68a16628
MC		 1736 tmppkt = *pkt;
1737
1738 if (!PACKET_forward(&tmppkt, 2)
06217867
EK		 1739 || !PACKET_get_net_2(&tmppkt, &type)
1740 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
0f113f3e 1741 return;
06217867 1742 }
0f113f3e
MC		 1743
1744 if (type != TLSEXT_TYPE_server_name)
1745 return;
1746
06217867
EK		 1747 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1748 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
0f113f3e 1749
06217867
EK		 1750 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1751 ext_len);
dece3209 1752}
a230b26e 1753#endif /* !OPENSSL_NO_EC */
0f113f3e 1754
06217867
EK		 1755/*
1756 * Parse ClientHello extensions and stash extension info in various parts of
1757 * the SSL object. Verify that there are no duplicate extensions.
1758 *
1759 * Behaviour upon resumption is extension-specific. If the extension has no
1760 * effect during resumption, it is parsed (to verify its format) but otherwise
1761 * ignored.
1762 *
1763 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1764 * Upon failure, sets |al| to the appropriate alert.
1765 */
9ceb2426 1766static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1767{
9ceb2426 1768 unsigned int type;
0f113f3e 1769 int renegotiate_seen = 0;
06217867 1770 PACKET extensions;
0f113f3e 1771
06217867 1772 *al = SSL_AD_DECODE_ERROR;
0f113f3e
MC		 1773 s->servername_done = 0;
1774 s->tlsext_status_type = -1;
e481f9b9 1775#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1776 s->s3->next_proto_neg_seen = 0;
e481f9b9 1777#endif
0f113f3e 1778
b548a1f1
RS		 1779 OPENSSL_free(s->s3->alpn_selected);
1780 s->s3->alpn_selected = NULL;
0351baae
TS		 1781 s->s3->alpn_selected_len = 0;
1782 OPENSSL_free(s->s3->alpn_proposed);
1783 s->s3->alpn_proposed = NULL;
1784 s->s3->alpn_proposed_len = 0;
e481f9b9 1785#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1786 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1787 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1788#endif
0f113f3e 1789
e481f9b9 1790#ifndef OPENSSL_NO_EC
0f113f3e 1791 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426 1792 ssl_check_for_safari(s, pkt);
a230b26e 1793#endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1794
1795 /* Clear any signature algorithms extension received */
76106e60
DSH		 1796 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1797 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e 1798 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 1799
e481f9b9 1800#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1801 OPENSSL_free(s->srp_ctx.login);
1802 s->srp_ctx.login = NULL;
e481f9b9 1803#endif
0f113f3e
MC		 1804
1805 s->srtp_profile = NULL;
1806
9ceb2426 1807 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1808 goto ri_check;
1809
06217867
EK		 1810 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1811 return 0;
aa474d1f 1812
06217867
EK		 1813 if (!tls1_check_duplicate_extensions(&extensions))
1814 return 0;
0f113f3e 1815
06217867
EK		 1816 /*
1817 * We parse all extensions to ensure the ClientHello is well-formed but,
1818 * unless an extension specifies otherwise, we ignore extensions upon
1819 * resumption.
1820 */
1821 while (PACKET_get_net_2(&extensions, &type)) {
1822 PACKET extension;
1823 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1824 return 0;
9ceb2426 1825
0f113f3e 1826 if (s->tlsext_debug_cb)
06217867
EK		 1827 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1828 PACKET_remaining(&extension),
1829 s->tlsext_debug_arg);
9ceb2426 1830
0f113f3e 1831 if (type == TLSEXT_TYPE_renegotiate) {
06217867 1832 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
0f113f3e
MC		 1833 return 0;
1834 renegotiate_seen = 1;
1835 } else if (s->version == SSL3_VERSION) {
1836 }
1d97c843
TH		 1837/*-
1838 * The servername extension is treated as follows:
1839 *
1840 * - Only the hostname type is supported with a maximum length of 255.
1841 * - The servername is rejected if too long or if it contains zeros,
1842 * in which case an fatal alert is generated.
1843 * - The servername field is maintained together with the session cache.
1844 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1845 * to allow the application to position itself to the right context.
1846 * - The servername is acknowledged if it is new for a session or when
1847 * it is identical to a previously used for the same session.
1d97c843
TH		 1848 * Applications can control the behaviour. They can at any time
1849 * set a 'desirable' servername for a new SSL object. This can be the
1850 * case for example with HTTPS when a Host: header field is received and
1851 * a renegotiation is requested. In this case, a possible servername
1852 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1853 * the value of the Host: field.
1d97c843 1854 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1855 * if they provide for changing an explicit servername context for the
1856 * session, i.e. when the session has been established with a servername
1857 * extension.
1858 * - On session reconnect, the servername extension may be absent.
1d97c843 1859 *
0f113f3e 1860 */
ed3883d2 1861
0f113f3e 1862 else if (type == TLSEXT_TYPE_server_name) {
9ceb2426 1863 unsigned int servname_type;
06217867
EK		 1864 PACKET sni, hostname;
1865
1866 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1867 /* ServerNameList must be at least 1 byte long. */
1868 || PACKET_remaining(&sni) == 0) {
1869 return 0;
0f113f3e 1870 }
6f017a8f 1871
06217867
EK		 1872 /*
1873 * Although the server_name extension was intended to be
1874 * extensible to new name types, RFC 4366 defined the
8483a003 1875 * syntax inextensibility and OpenSSL 1.0.x parses it as
06217867
EK		 1876 * such.
1877 * RFC 6066 corrected the mistake but adding new name types
1878 * is nevertheless no longer feasible, so act as if no other
1879 * SNI types can exist, to simplify parsing.
1880 *
1881 * Also note that the RFC permits only one SNI value per type,
1882 * i.e., we can only have a single hostname.
1883 */
1884 if (!PACKET_get_1(&sni, &servname_type)
1885 || servname_type != TLSEXT_NAMETYPE_host_name
1886 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1887 return 0;
1888 }
1889
1890 if (!s->hit) {
1891 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1892 *al = TLS1_AD_UNRECOGNIZED_NAME;
1893 return 0;
1894 }
1895
1896 if (PACKET_contains_zero_byte(&hostname)) {
1897 *al = TLS1_AD_UNRECOGNIZED_NAME;
1898 return 0;
1899 }
1900
1901 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1902 *al = TLS1_AD_INTERNAL_ERROR;
1903 return 0;
1904 }
1905
1906 s->servername_done = 1;
1907 } else {
1908 /*
1909 * TODO(openssl-team): if the SNI doesn't match, we MUST
1910 * fall back to a full handshake.
1911 */
1912 s->servername_done = s->session->tlsext_hostname
1913 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1914 strlen(s->session->tlsext_hostname));
1915 }
0f113f3e 1916 }
e481f9b9 1917#ifndef OPENSSL_NO_SRP
0f113f3e 1918 else if (type == TLSEXT_TYPE_srp) {
06217867
EK		 1919 PACKET srp_I;
1920
1921 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
1922 return 0;
1923
1924 if (PACKET_contains_zero_byte(&srp_I))
1925 return 0;
1926
1927 /*
1928 * TODO(openssl-team): currently, we re-authenticate the user
1929 * upon resumption. Instead, we MUST ignore the login.
1930 */
1931 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
1932 *al = TLS1_AD_INTERNAL_ERROR;
1933 return 0;
1934 }
0f113f3e 1935 }
e481f9b9 1936#endif
0f113f3e 1937
e481f9b9 1938#ifndef OPENSSL_NO_EC
0f113f3e 1939 else if (type == TLSEXT_TYPE_ec_point_formats) {
06217867 1940 PACKET ec_point_format_list;
0f113f3e 1941
a230b26e 1942 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
06217867
EK		 1943 || PACKET_remaining(&ec_point_format_list) == 0) {
1944 return 0;
1945 }
9ceb2426 1946
0f113f3e 1947 if (!s->hit) {
06217867
EK		 1948 if (!PACKET_memdup(&ec_point_format_list,
1949 &s->session->tlsext_ecpointformatlist,
a230b26e
EK		 1950 &s->
1951 session->tlsext_ecpointformatlist_length)) {
0f113f3e
MC		 1952 *al = TLS1_AD_INTERNAL_ERROR;
1953 return 0;
1954 }
0f113f3e 1955 }
0f113f3e 1956 } else if (type == TLSEXT_TYPE_elliptic_curves) {
06217867 1957 PACKET elliptic_curve_list;
0f113f3e 1958
06217867 1959 /* Each NamedCurve is 2 bytes and we must have at least 1. */
a230b26e 1960 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
06217867
EK		 1961 || PACKET_remaining(&elliptic_curve_list) == 0
1962 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
1963 return 0;
1964 }
54e3ad00 1965
0f113f3e 1966 if (!s->hit) {
06217867
EK		 1967 if (!PACKET_memdup(&elliptic_curve_list,
1968 &s->session->tlsext_ellipticcurvelist,
a230b26e
EK		 1969 &s->
1970 session->tlsext_ellipticcurvelist_length)) {
0f113f3e
MC		 1971 *al = TLS1_AD_INTERNAL_ERROR;
1972 return 0;
1973 }
0f113f3e 1974 }
0f113f3e 1975 }
a230b26e 1976#endif /* OPENSSL_NO_EC */
0f113f3e 1977 else if (type == TLSEXT_TYPE_session_ticket) {
06217867
EK		 1978 if (s->tls_session_ticket_ext_cb &&
1979 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
1980 PACKET_remaining(&extension),
a230b26e
EK		 1981 s->tls_session_ticket_ext_cb_arg))
1982 {
0f113f3e
MC		 1983 *al = TLS1_AD_INTERNAL_ERROR;
1984 return 0;
1985 }
1986 } else if (type == TLSEXT_TYPE_signature_algorithms) {
06217867
EK		 1987 PACKET supported_sig_algs;
1988
1989 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
1990 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
1991 || PACKET_remaining(&supported_sig_algs) == 0) {
1992 return 0;
1993 }
1994
a230b26e 1995 if (!s->hit) {
06217867
EK		 1996 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
1997 PACKET_remaining(&supported_sig_algs))) {
1998 return 0;
1999 }
9ceb2426 2000 }
0f113f3e 2001 } else if (type == TLSEXT_TYPE_status_request) {
06217867
EK		 2002 if (!PACKET_get_1(&extension,
2003 (unsigned int *)&s->tlsext_status_type)) {
2004 return 0;
2005 }
3e41ac35 2006#ifndef OPENSSL_NO_OCSP
0f113f3e 2007 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
3e41ac35 2008 const unsigned char *ext_data;
06217867 2009 PACKET responder_id_list, exts;
a230b26e
EK		 2010 if (!PACKET_get_length_prefixed_2
2011 (&extension, &responder_id_list))
06217867
EK		 2012 return 0;
2013
e408c09b
MC		 2014 /*
2015 * We remove any OCSP_RESPIDs from a previous handshake
2016 * to prevent unbounded memory growth - CVE-2016-6304
2017 */
2018 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2019 OCSP_RESPID_free);
2020 if (PACKET_remaining(&responder_id_list) > 0) {
2021 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2022 if (s->tlsext_ocsp_ids == NULL) {
2023 *al = SSL_AD_INTERNAL_ERROR;
2024 return 0;
2025 }
2026 } else {
2027 s->tlsext_ocsp_ids = NULL;
2028 }
2029
06217867 2030 while (PACKET_remaining(&responder_id_list) > 0) {
0f113f3e 2031 OCSP_RESPID *id;
06217867
EK		 2032 PACKET responder_id;
2033 const unsigned char *id_data;
9ceb2426 2034
06217867
EK		 2035 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2036 &responder_id)
2037 || PACKET_remaining(&responder_id) == 0) {
2038 return 0;
9ceb2426 2039 }
06217867 2040
06217867
EK		 2041 id_data = PACKET_data(&responder_id);
2042 id = d2i_OCSP_RESPID(NULL, &id_data,
2043 PACKET_remaining(&responder_id));
2044 if (id == NULL)
2045 return 0;
2046
2047 if (id_data != PACKET_end(&responder_id)) {
0f113f3e 2048 OCSP_RESPID_free(id);
0f113f3e
MC		 2049 return 0;
2050 }
06217867 2051
0f113f3e
MC		 2052 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2053 OCSP_RESPID_free(id);
2054 *al = SSL_AD_INTERNAL_ERROR;
2055 return 0;
2056 }
2057 }
4817504d 2058
0f113f3e 2059 /* Read in request_extensions */
06217867
EK		 2060 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2061 return 0;
2062
2063 if (PACKET_remaining(&exts) > 0) {
2064 ext_data = PACKET_data(&exts);
222561fe
RS		 2065 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2066 X509_EXTENSION_free);
0f113f3e 2067 s->tlsext_ocsp_exts =
06217867
EK		 2068 d2i_X509_EXTENSIONS(NULL, &ext_data,
2069 PACKET_remaining(&exts));
2070 if (s->tlsext_ocsp_exts == NULL
2071 || ext_data != PACKET_end(&exts)) {
2072 return 0;
2073 }
0f113f3e 2074 }
3e41ac35
MC		 2075 } else
2076#endif
2077 {
2078 /*
2079 * We don't know what to do with any other type so ignore it.
2080 */
0f113f3e 2081 s->tlsext_status_type = -1;
06217867 2082 }
0f113f3e 2083 }
e481f9b9 2084#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2085 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2086 unsigned int hbtype;
2087
06217867 2088 if (!PACKET_get_1(&extension, &hbtype)
a230b26e 2089 || PACKET_remaining(&extension)) {
9ceb2426
MC		 2090 *al = SSL_AD_DECODE_ERROR;
2091 return 0;
2092 }
2093 switch (hbtype) {
0f113f3e 2094 case 0x01: /* Client allows us to send HB requests */
22e3dcb7 2095 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2096 break;
2097 case 0x02: /* Client doesn't accept HB requests */
22e3dcb7
RS		 2098 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2099 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2100 break;
2101 default:
2102 *al = SSL_AD_ILLEGAL_PARAMETER;
2103 return 0;
2104 }
2105 }
e481f9b9
MC		 2106#endif
2107#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2108 else if (type == TLSEXT_TYPE_next_proto_neg &&
0351baae 2109 s->s3->tmp.finish_md_len == 0) {
50e735f9
MC		 2110 /*-
2111 * We shouldn't accept this extension on a
2112 * renegotiation.
2113 *
2114 * s->new_session will be set on renegotiation, but we
2115 * probably shouldn't rely that it couldn't be set on
8483a003 2116 * the initial renegotiation too in certain cases (when
50e735f9
MC		 2117 * there's some other reason to disallow resuming an
2118 * earlier session -- the current code won't be doing
2119 * anything like that, but this might change).
2120 *
2121 * A valid sign that there's been a previous handshake
2122 * in this connection is if s->s3->tmp.finish_md_len >
2123 * 0. (We are talking about a check that will happen
2124 * in the Hello protocol round, well before a new
2125 * Finished message could have been computed.)
2126 */
0f113f3e
MC		 2127 s->s3->next_proto_neg_seen = 1;
2128 }
e481f9b9 2129#endif
0f113f3e
MC		 2130
2131 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
06217867
EK		 2132 s->s3->tmp.finish_md_len == 0) {
2133 if (!tls1_alpn_handle_client_hello(s, &extension, al))
0f113f3e 2134 return 0;
0f113f3e 2135 }
5e3ff62c 2136
0f113f3e 2137 /* session ticket processed earlier */
e481f9b9 2138#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2139 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2140 && type == TLSEXT_TYPE_use_srtp) {
06217867 2141 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
0f113f3e
MC		 2142 return 0;
2143 }
e481f9b9 2144#endif
cde6145b
DW		 2145 else if (type == TLSEXT_TYPE_encrypt_then_mac &&
2146 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
0f113f3e 2147 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e7f0d921
DSH		 2148 /*
2149 * Note: extended master secret extension handled in
2150 * tls_check_serverhello_tlsext_early()
2151 */
2152
0f113f3e
MC		 2153 /*
2154 * If this ClientHello extension was unhandled and this is a
2155 * nonresumed connection, check whether the extension is a custom
2156 * TLS Extension (has a custom_srv_ext_record), and if so call the
2157 * callback and record the extension number so that an appropriate
2158 * ServerHello may be later returned.
2159 */
2160 else if (!s->hit) {
06217867
EK		 2161 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2162 PACKET_remaining(&extension), al) <= 0)
0f113f3e
MC		 2163 return 0;
2164 }
0f113f3e 2165 }
6f017a8f 2166
06217867 2167 if (PACKET_remaining(pkt) != 0) {
a230b26e
EK		 2168 /*
2169 * tls1_check_duplicate_extensions should ensure this never happens.
2170 */
06217867
EK		 2171 *al = SSL_AD_INTERNAL_ERROR;
2172 return 0;
2173 }
54e3ad00 2174
0f113f3e 2175 ri_check:
ed3883d2 2176
0f113f3e
MC		 2177 /* Need RI if renegotiating */
2178
2179 if (!renegotiate_seen && s->renegotiate &&
2180 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2181 *al = SSL_AD_HANDSHAKE_FAILURE;
2182 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2183 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2184 return 0;
2185 }
2186
06217867
EK		 2187 /*
2188 * This function currently has no state to clean up, so it returns directly.
2189 * If parsing fails at any point, the function returns early.
2190 * The SSL object may be left with partial data from extensions, but it must
2191 * then no longer be used, and clearing it up will free the leftovers.
2192 */
0f113f3e
MC		 2193 return 1;
2194}
2195
9ceb2426 2196int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2197{
2198 int al = -1;
2199 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2200 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2201 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2202 return 0;
2203 }
0f113f3e
MC		 2204 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2205 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2206 return 0;
2207 }
2208 return 1;
2209}
2210
e481f9b9 2211#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2212/*
2213 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2214 * elements of zero length are allowed and the set of elements must exactly
2215 * fill the length of the block.
2216 */
50932c4a 2217static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2218{
b04f9479 2219 PACKET tmp_protocol;
0f113f3e 2220
50932c4a 2221 while (PACKET_remaining(pkt)) {
b04f9479 2222 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
a230b26e 2223 || PACKET_remaining(&tmp_protocol) == 0)
0f113f3e 2224 return 0;
0f113f3e
MC		 2225 }
2226
50932c4a 2227 return 1;
0f113f3e 2228}
e481f9b9 2229#endif
0f113f3e 2230
50932c4a 2231static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2232{
50932c4a 2233 unsigned int length, type, size;
0f113f3e
MC		 2234 int tlsext_servername = 0;
2235 int renegotiate_seen = 0;
2236
e481f9b9 2237#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2238 s->s3->next_proto_neg_seen = 0;
e481f9b9 2239#endif
0f113f3e
MC		 2240 s->tlsext_ticket_expected = 0;
2241
b548a1f1
RS		 2242 OPENSSL_free(s->s3->alpn_selected);
2243 s->s3->alpn_selected = NULL;
e481f9b9 2244#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 2245 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2246 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2247#endif
0f113f3e 2248
0f113f3e 2249 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 2250
e7f0d921
DSH		 2251 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2252
50932c4a 2253 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2254 goto ri_check;
2255
50932c4a 2256 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2257 *al = SSL_AD_DECODE_ERROR;
2258 return 0;
2259 }
2260
aa474d1f
EK		 2261 if (!tls1_check_duplicate_extensions(pkt)) {
2262 *al = SSL_AD_DECODE_ERROR;
2263 return 0;
2264 }
2265
50932c4a 2266 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2267 const unsigned char *data;
50932c4a 2268 PACKET spkt;
0f113f3e 2269
50932c4a 2270 if (!PACKET_get_sub_packet(pkt, &spkt, size)
a230b26e 2271 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2272 goto ri_check;
2273
2274 if (s->tlsext_debug_cb)
2275 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2276
2277 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2278 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2279 return 0;
2280 renegotiate_seen = 1;
2281 } else if (s->version == SSL3_VERSION) {
2282 } else if (type == TLSEXT_TYPE_server_name) {
2283 if (s->tlsext_hostname == NULL || size > 0) {
2284 *al = TLS1_AD_UNRECOGNIZED_NAME;
2285 return 0;
2286 }
2287 tlsext_servername = 1;
2288 }
e481f9b9 2289#ifndef OPENSSL_NO_EC
0f113f3e 2290 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2291 unsigned int ecpointformatlist_length;
2292 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
a230b26e 2293 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2294 *al = TLS1_AD_DECODE_ERROR;
2295 return 0;
2296 }
2297 if (!s->hit) {
2298 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2299 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2300 if ((s->session->tlsext_ecpointformatlist =
2301 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2302 *al = TLS1_AD_INTERNAL_ERROR;
2303 return 0;
2304 }
2305 s->session->tlsext_ecpointformatlist_length =
2306 ecpointformatlist_length;
50932c4a
MC		 2307 if (!PACKET_copy_bytes(&spkt,
2308 s->session->tlsext_ecpointformatlist,
2309 ecpointformatlist_length)) {
2310 *al = TLS1_AD_DECODE_ERROR;
2311 return 0;
2312 }
2313
0f113f3e 2314 }
0f113f3e 2315 }
a230b26e 2316#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2317
2318 else if (type == TLSEXT_TYPE_session_ticket) {
2319 if (s->tls_session_ticket_ext_cb &&
2320 !s->tls_session_ticket_ext_cb(s, data, size,
2321 s->tls_session_ticket_ext_cb_arg))
2322 {
2323 *al = TLS1_AD_INTERNAL_ERROR;
2324 return 0;
2325 }
2326 if (!tls_use_ticket(s) || (size > 0)) {
2327 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2328 return 0;
2329 }
2330 s->tlsext_ticket_expected = 1;
a230b26e 2331 } else if (type == TLSEXT_TYPE_status_request) {
0f113f3e
MC		 2332 /*
2333 * MUST be empty and only sent if we've requested a status
2334 * request message.
2335 */
2336 if ((s->tlsext_status_type == -1) || (size > 0)) {
2337 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2338 return 0;
2339 }
2340 /* Set flag to expect CertificateStatus message */
2341 s->tlsext_status_expected = 1;
2342 }
ed29e82a
RP		 2343#ifndef OPENSSL_NO_CT
2344 /*
2345 * Only take it if we asked for it - i.e if there is no CT validation
2346 * callback set, then a custom extension MAY be processing it, so we
2347 * need to let control continue to flow to that.
2348 */
2349 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2350 s->ct_validation_callback != NULL) {
2351 /* Simply copy it off for later processing */
2352 if (s->tlsext_scts != NULL) {
2353 OPENSSL_free(s->tlsext_scts);
2354 s->tlsext_scts = NULL;
2355 }
2356 s->tlsext_scts_len = size;
2357 if (size > 0) {
2358 s->tlsext_scts = OPENSSL_malloc(size);
2359 if (s->tlsext_scts == NULL) {
2360 *al = TLS1_AD_INTERNAL_ERROR;
2361 return 0;
2362 }
2363 memcpy(s->tlsext_scts, data, size);
2364 }
2365 }
2366#endif
e481f9b9 2367#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2368 else if (type == TLSEXT_TYPE_next_proto_neg &&
2369 s->s3->tmp.finish_md_len == 0) {
2370 unsigned char *selected;
2371 unsigned char selected_len;
0f113f3e
MC		 2372 /* We must have requested it. */
2373 if (s->ctx->next_proto_select_cb == NULL) {
2374 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2375 return 0;
2376 }
2377 /* The data must be valid */
50932c4a 2378 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2379 *al = TLS1_AD_DECODE_ERROR;
2380 return 0;
2381 }
a230b26e
EK		 2382 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2383 size,
2384 s->
2385 ctx->next_proto_select_cb_arg) !=
0f113f3e
MC		 2386 SSL_TLSEXT_ERR_OK) {
2387 *al = TLS1_AD_INTERNAL_ERROR;
2388 return 0;
2389 }
c31dbed7
MC		 2390 /*
2391 * Could be non-NULL if server has sent multiple NPN extensions in
2392 * a single Serverhello
2393 */
2394 OPENSSL_free(s->next_proto_negotiated);
0f113f3e 2395 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2396 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2397 *al = TLS1_AD_INTERNAL_ERROR;
2398 return 0;
2399 }
2400 memcpy(s->next_proto_negotiated, selected, selected_len);
2401 s->next_proto_negotiated_len = selected_len;
2402 s->s3->next_proto_neg_seen = 1;
2403 }
e481f9b9 2404#endif
0f113f3e
MC		 2405
2406 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2407 unsigned len;
0f113f3e 2408 /* We must have requested it. */
817cd0d5 2409 if (!s->s3->alpn_sent) {
0f113f3e
MC		 2410 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2411 return 0;
2412 }
50e735f9
MC		 2413 /*-
2414 * The extension data consists of:
2415 * uint16 list_length
2416 * uint8 proto_length;
2417 * uint8 proto[proto_length];
2418 */
50932c4a 2419 if (!PACKET_get_net_2(&spkt, &len)
a230b26e
EK		 2420 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2421 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2422 *al = TLS1_AD_DECODE_ERROR;
2423 return 0;
2424 }
b548a1f1 2425 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2426 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2427 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2428 *al = TLS1_AD_INTERNAL_ERROR;
2429 return 0;
2430 }
50932c4a
MC		 2431 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2432 *al = TLS1_AD_DECODE_ERROR;
2433 return 0;
2434 }
0f113f3e
MC		 2435 s->s3->alpn_selected_len = len;
2436 }
e481f9b9 2437#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2438 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2439 unsigned int hbtype;
2440 if (!PACKET_get_1(&spkt, &hbtype)) {
2441 *al = SSL_AD_DECODE_ERROR;
2442 return 0;
2443 }
2444 switch (hbtype) {
0f113f3e 2445 case 0x01: /* Server allows us to send HB requests */
22e3dcb7 2446 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2447 break;
2448 case 0x02: /* Server doesn't accept HB requests */
22e3dcb7
RS		 2449 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2450 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2451 break;
2452 default:
2453 *al = SSL_AD_ILLEGAL_PARAMETER;
2454 return 0;
2455 }
2456 }
e481f9b9
MC		 2457#endif
2458#ifndef OPENSSL_NO_SRTP
0f113f3e 2459 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2460 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2461 return 0;
2462 }
e481f9b9 2463#endif
0f113f3e
MC		 2464 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2465 /* Ignore if inappropriate ciphersuite */
cde6145b
DW		 2466 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2467 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
0f113f3e
MC		 2468 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2469 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
a230b26e 2470 } else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2471 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2472 if (!s->hit)
2473 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2474 }
0f113f3e
MC		 2475 /*
2476 * If this extension type was not otherwise handled, but matches a
2477 * custom_cli_ext_record, then send it to the c callback
2478 */
2479 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2480 return 0;
0f113f3e
MC		 2481 }
2482
50932c4a 2483 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2484 *al = SSL_AD_DECODE_ERROR;
2485 return 0;
2486 }
2487
2488 if (!s->hit && tlsext_servername == 1) {
2489 if (s->tlsext_hostname) {
2490 if (s->session->tlsext_hostname == NULL) {
a230b26e
EK		 2491 s->session->tlsext_hostname =
2492 OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2493 if (!s->session->tlsext_hostname) {
2494 *al = SSL_AD_UNRECOGNIZED_NAME;
2495 return 0;
2496 }
2497 } else {
2498 *al = SSL_AD_DECODE_ERROR;
2499 return 0;
2500 }
2501 }
2502 }
2503
0f113f3e
MC		 2504 ri_check:
2505
2506 /*
2507 * Determine if we need to see RI. Strictly speaking if we want to avoid
2508 * an attack we should *always* see RI even on initial server hello
2509 * because the client doesn't see any renegotiation during an attack.
2510 * However this would mean we could not connect to any server which
e7653f3b 2511 * doesn't support RI so for the immediate future tolerate RI absence
0f113f3e
MC		 2512 */
2513 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2514 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2515 *al = SSL_AD_HANDSHAKE_FAILURE;
2516 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2517 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2518 return 0;
2519 }
2520
e7f0d921
DSH		 2521 if (s->hit) {
2522 /*
2523 * Check extended master secret extension is consistent with
2524 * original session.
2525 */
2526 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2527 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2528 *al = SSL_AD_HANDSHAKE_FAILURE;
2529 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2530 return 0;
a230b26e 2531 }
e7f0d921
DSH		 2532 }
2533
0f113f3e
MC		 2534 return 1;
2535}
b2172f4f 2536
36ca4ba6 2537int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e 2538{
817cd0d5 2539 s->s3->alpn_sent = 0;
0f113f3e
MC		 2540 return 1;
2541}
36ca4ba6
BM		 2542
2543int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2544{
2545 return 1;
2546}
36ca4ba6 2547
2daceb03 2548static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2549{
2550 int ret = SSL_TLSEXT_ERR_NOACK;
2551 int al = SSL_AD_UNRECOGNIZED_NAME;
2552
e481f9b9 2553#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2554 /*
2555 * The handling of the ECPointFormats extension is done elsewhere, namely
2556 * in ssl3_choose_cipher in s3_lib.c.
2557 */
2558 /*
2559 * The handling of the EllipticCurves extension is done elsewhere, namely
2560 * in ssl3_choose_cipher in s3_lib.c.
2561 */
e481f9b9 2562#endif
0f113f3e
MC		 2563
2564 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2565 ret =
2566 s->ctx->tlsext_servername_callback(s, &al,
2567 s->ctx->tlsext_servername_arg);
2568 else if (s->initial_ctx != NULL
2569 && s->initial_ctx->tlsext_servername_callback != 0)
2570 ret =
2571 s->initial_ctx->tlsext_servername_callback(s, &al,
2572 s->
2573 initial_ctx->tlsext_servername_arg);
2574
0f113f3e
MC		 2575 switch (ret) {
2576 case SSL_TLSEXT_ERR_ALERT_FATAL:
2577 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2578 return -1;
2579
2580 case SSL_TLSEXT_ERR_ALERT_WARNING:
2581 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2582 return 1;
2583
2584 case SSL_TLSEXT_ERR_NOACK:
2585 s->servername_done = 0;
2586 default:
2587 return 1;
2588 }
2589}
a230b26e 2590
d376e57d 2591/* Initialise digests to default values */
a0f63828 2592void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2593{
2594 const EVP_MD **pmd = s->s3->tmp.md;
2595#ifndef OPENSSL_NO_DSA
152fbc28 2596 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2597#endif
2598#ifndef OPENSSL_NO_RSA
d18d31a1 2599 if (SSL_USE_SIGALGS(s))
152fbc28 2600 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2601 else
152fbc28 2602 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2603 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2604#endif
2605#ifndef OPENSSL_NO_EC
152fbc28 2606 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2607#endif
e44380a9 2608#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2609 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2610 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2611 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2612#endif
d376e57d 2613}
f1fd4544 2614
e469af8d 2615int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2616{
2617 int al;
2618 size_t i;
8483a003
F		 2619
2620 /* Clear any shared signature algorithms */
b548a1f1
RS		 2621 OPENSSL_free(s->cert->shared_sigalgs);
2622 s->cert->shared_sigalgs = NULL;
2623 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2624 /* Clear certificate digests and validity flags */
2625 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2626 s->s3->tmp.md[i] = NULL;
6383d316 2627 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2628 }
2629
2630 /* If sigalgs received process it. */
76106e60 2631 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2632 if (!tls1_process_sigalgs(s)) {
2633 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2634 al = SSL_AD_INTERNAL_ERROR;
2635 goto err;
2636 }
2637 /* Fatal error is no shared signature algorithms */
2638 if (!s->cert->shared_sigalgs) {
2639 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
f430ba31 2640 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
0f113f3e
MC		 2641 al = SSL_AD_ILLEGAL_PARAMETER;
2642 goto err;
2643 }
d376e57d
DSH		 2644 } else {
2645 ssl_set_default_md(s);
2646 }
0f113f3e
MC		 2647 return 1;
2648 err:
2649 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2650 return 0;
2651}
e469af8d 2652
70c22888
EK		 2653/*
2654 * Upon success, returns 1.
2655 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2656 */
2657int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
0f113f3e 2658{
70c22888 2659 s->tlsext_status_expected = 0;
0f113f3e
MC		 2660
2661 /*
2662 * If status request then ask callback what to do. Note: this must be
2663 * called after servername callbacks in case the certificate has changed,
2664 * and must be called after the cipher has been chosen because this may
2665 * influence which certificate is sent
2666 */
2667 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
70c22888 2668 int ret;
0f113f3e
MC		 2669 CERT_PKEY *certpkey;
2670 certpkey = ssl_get_server_send_pkey(s);
2671 /* If no certificate can't return certificate status */
70c22888
EK		 2672 if (certpkey != NULL) {
2673 /*
2674 * Set current certificate to one we will use so SSL_get_certificate
2675 * et al can pick it up.
2676 */
2677 s->cert->key = certpkey;
2678 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2679 switch (ret) {
2680 /* We don't want to send a status request response */
2681 case SSL_TLSEXT_ERR_NOACK:
0f113f3e 2682 s->tlsext_status_expected = 0;
70c22888
EK		 2683 break;
2684 /* status request response should be sent */
2685 case SSL_TLSEXT_ERR_OK:
2686 if (s->tlsext_ocsp_resp)
2687 s->tlsext_status_expected = 1;
2688 break;
2689 /* something bad happened */
2690 case SSL_TLSEXT_ERR_ALERT_FATAL:
2691 default:
2692 *al = SSL_AD_INTERNAL_ERROR;
2693 return 0;
2694 }
0f113f3e 2695 }
817cd0d5
TS		 2696 }
2697
70c22888
EK		 2698 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2699 return 0;
0f113f3e 2700 }
70c22888
EK		 2701
2702 return 1;
0f113f3e 2703}
2daceb03 2704
36ca4ba6 2705int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2706{
2707 int ret = SSL_TLSEXT_ERR_NOACK;
2708 int al = SSL_AD_UNRECOGNIZED_NAME;
2709
e481f9b9 2710#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2711 /*
2712 * If we are client and using an elliptic curve cryptography cipher
2713 * suite, then if server returns an EC point formats lists extension it
2714 * must contain uncompressed.
2715 */
2716 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2717 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2718 if ((s->tlsext_ecpointformatlist != NULL)
2719 && (s->tlsext_ecpointformatlist_length > 0)
2720 && (s->session->tlsext_ecpointformatlist != NULL)
2721 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 2722 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 2723 /* we are using an ECC cipher */
2724 size_t i;
2725 unsigned char *list;
2726 int found_uncompressed = 0;
2727 list = s->session->tlsext_ecpointformatlist;
2728 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2729 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2730 found_uncompressed = 1;
2731 break;
2732 }
2733 }
2734 if (!found_uncompressed) {
2735 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2736 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2737 return -1;
2738 }
2739 }
2740 ret = SSL_TLSEXT_ERR_OK;
a230b26e 2741#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2742
2743 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2744 ret =
2745 s->ctx->tlsext_servername_callback(s, &al,
2746 s->ctx->tlsext_servername_arg);
2747 else if (s->initial_ctx != NULL
2748 && s->initial_ctx->tlsext_servername_callback != 0)
2749 ret =
2750 s->initial_ctx->tlsext_servername_callback(s, &al,
2751 s->
2752 initial_ctx->tlsext_servername_arg);
2753
b1931d43
MC		 2754 /*
2755 * Ensure we get sensible values passed to tlsext_status_cb in the event
2756 * that we don't receive a status message
2757 */
bb1aaab4
MC		 2758 OPENSSL_free(s->tlsext_ocsp_resp);
2759 s->tlsext_ocsp_resp = NULL;
8b0e934a 2760 s->tlsext_ocsp_resplen = 0;
0f113f3e
MC		 2761
2762 switch (ret) {
2763 case SSL_TLSEXT_ERR_ALERT_FATAL:
2764 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2765 return -1;
2766
2767 case SSL_TLSEXT_ERR_ALERT_WARNING:
2768 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2769 return 1;
2770
2771 case SSL_TLSEXT_ERR_NOACK:
2772 s->servername_done = 0;
2773 default:
2774 return 1;
2775 }
2776}
761772d7 2777
50932c4a 2778int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2779{
2780 int al = -1;
2781 if (s->version < SSL3_VERSION)
2782 return 1;
50932c4a 2783 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2784 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2785 return 0;
2786 }
2787
2788 if (ssl_check_serverhello_tlsext(s) <= 0) {
2789 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2790 return 0;
2791 }
2792 return 1;
09e4e4b9
DSH		 2793}
2794
1d97c843
TH		 2795/*-
2796 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2797 * ClientHello and other operations depend on the result some extensions
2798 * need to be handled at the same time.
2799 *
2800 * Two extensions are currently handled, session ticket and extended master
2801 * secret.
c519e89f 2802 *
b3e2272c
EK		 2803 * session_id: ClientHello session ID.
2804 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2805 * ret: (output) on return, if a ticket was decrypted, then this is set to
2806 * point to the resulting session.
2807 *
2808 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2809 * ciphersuite, in which case we have no use for session tickets and one will
2810 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2811 *
2812 * Returns:
2813 * -1: fatal error, either from parsing or decrypting the ticket.
2814 * 0: no ticket was found (or was ignored, based on settings).
2815 * 1: a zero length extension was found, indicating that the client supports
2816 * session tickets but doesn't currently have one to offer.
2817 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2818 * couldn't be decrypted because of a non-fatal error.
2819 * 3: a ticket was successfully decrypted and *ret was set.
2820 *
2821 * Side effects:
2822 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2823 * a new session ticket to the client because the client indicated support
2824 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2825 * a session ticket or we couldn't use the one it gave us, or if
2826 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2827 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2828 *
2829 * For extended master secret flag is set if the extension is present.
2830 *
6434abbf 2831 */
e7f0d921
DSH		 2832int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2833 const PACKET *session_id,
2834 SSL_SESSION **ret)
0f113f3e 2835{
9ceb2426 2836 unsigned int i;
b3e2272c 2837 PACKET local_ext = *ext;
9ceb2426 2838 int retv = -1;
0f113f3e 2839
e7f0d921
DSH		 2840 int have_ticket = 0;
2841 int use_ticket = tls_use_ticket(s);
2842
0f113f3e
MC		 2843 *ret = NULL;
2844 s->tlsext_ticket_expected = 0;
e7f0d921 2845 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2846
2847 /*
2848 * If tickets disabled behave as if no ticket present to permit stateful
2849 * resumption.
2850 */
9ceb2426 2851 if ((s->version <= SSL3_VERSION))
0f113f3e 2852 return 0;
9ceb2426 2853
b3e2272c 2854 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2855 retv = 0;
2856 goto end;
2857 }
b3e2272c 2858 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2859 unsigned int type, size;
2860
b3e2272c 2861 if (!PACKET_get_net_2(&local_ext, &type)
a230b26e 2862 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2863 /* Shouldn't ever happen */
2864 retv = -1;
2865 goto end;
2866 }
b3e2272c 2867 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2868 retv = 0;
2869 goto end;
2870 }
e7f0d921 2871 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2872 int r;
b6981744 2873 const unsigned char *etick;
9ceb2426 2874
e7f0d921
DSH		 2875 /* Duplicate extension */
2876 if (have_ticket != 0) {
2877 retv = -1;
2878 goto end;
2879 }
2880 have_ticket = 1;
2881
0f113f3e
MC		 2882 if (size == 0) {
2883 /*
2884 * The client will accept a ticket but doesn't currently have
2885 * one.
2886 */
2887 s->tlsext_ticket_expected = 1;
9ceb2426 2888 retv = 1;
e7f0d921 2889 continue;
0f113f3e
MC		 2890 }
2891 if (s->tls_session_secret_cb) {
2892 /*
2893 * Indicate that the ticket couldn't be decrypted rather than
2894 * generating the session from ticket now, trigger
2895 * abbreviated handshake based on external mechanism to
2896 * calculate the master secret later.
2897 */
9ceb2426 2898 retv = 2;
e7f0d921 2899 continue;
9ceb2426 2900 }
b3e2272c 2901 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2902 /* Shouldn't ever happen */
2903 retv = -1;
2904 goto end;
0f113f3e 2905 }
b3e2272c
EK		 2906 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2907 PACKET_remaining(session_id), ret);
0f113f3e
MC		 2908 switch (r) {
2909 case 2: /* ticket couldn't be decrypted */
2910 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2911 retv = 2;
2912 break;
0f113f3e 2913 case 3: /* ticket was decrypted */
9ceb2426
MC		 2914 retv = r;
2915 break;
0f113f3e
MC		 2916 case 4: /* ticket decrypted but need to renew */
2917 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2918 retv = 3;
2919 break;
0f113f3e 2920 default: /* fatal error */
9ceb2426
MC		 2921 retv = -1;
2922 break;
0f113f3e 2923 }
e7f0d921 2924 continue;
c83eda8c 2925 } else {
e7f0d921
DSH		 2926 if (type == TLSEXT_TYPE_extended_master_secret)
2927 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 2928 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 2929 retv = -1;
2930 goto end;
2931 }
0f113f3e 2932 }
0f113f3e 2933 }
e7f0d921
DSH		 2934 if (have_ticket == 0)
2935 retv = 0;
a230b26e 2936 end:
9ceb2426 2937 return retv;
0f113f3e 2938}
6434abbf 2939
1d97c843
TH		 2940/*-
2941 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 2942 *
2943 * etick: points to the body of the session ticket extension.
8483a003 2944 * eticklen: the length of the session tickets extension.
c519e89f
BM		 2945 * sess_id: points at the session ID.
2946 * sesslen: the length of the session ID.
2947 * psess: (output) on return, if a ticket was decrypted, then this is set to
2948 * point to the resulting session.
2949 *
2950 * Returns:
bf7c6817 2951 * -2: fatal error, malloc failure.
c519e89f
BM		 2952 * -1: fatal error, either from parsing or decrypting the ticket.
2953 * 2: the ticket couldn't be decrypted.
2954 * 3: a ticket was successfully decrypted and *psess was set.
2955 * 4: same as 3, but the ticket needs to be renewed.
2956 */
0f113f3e 2957static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
d736bc1a 2958 size_t eticklen, const unsigned char *sess_id,
ec60ccc1 2959 size_t sesslen, SSL_SESSION **psess)
0f113f3e
MC		 2960{
2961 SSL_SESSION *sess;
2962 unsigned char *sdec;
2963 const unsigned char *p;
35b1a433 2964 int slen, mlen, renew_ticket = 0, ret = -1;
0f113f3e 2965 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 2966 HMAC_CTX *hctx = NULL;
846ec07d 2967 EVP_CIPHER_CTX *ctx;
0f113f3e 2968 SSL_CTX *tctx = s->initial_ctx;
e97763c9 2969
0f113f3e 2970 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 2971 hctx = HMAC_CTX_new();
2972 if (hctx == NULL)
2973 return -2;
846ec07d 2974 ctx = EVP_CIPHER_CTX_new();
35b1a433
MC		 2975 if (ctx == NULL) {
2976 ret = -2;
2977 goto err;
2978 }
0f113f3e
MC		 2979 if (tctx->tlsext_ticket_key_cb) {
2980 unsigned char *nctick = (unsigned char *)etick;
2981 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 2982 ctx, hctx, 0);
0f113f3e 2983 if (rv < 0)
35b1a433
MC		 2984 goto err;
2985 if (rv == 0) {
2986 ret = 2;
2987 goto err;
2988 }
0f113f3e
MC		 2989 if (rv == 2)
2990 renew_ticket = 1;
2991 } else {
2992 /* Check key name matches */
4e2e1ec9
TS		 2993 if (memcmp(etick, tctx->tlsext_tick_key_name,
2994 sizeof(tctx->tlsext_tick_key_name)) != 0) {
35b1a433
MC		 2995 ret = 2;
2996 goto err;
2997 }
4e2e1ec9
TS		 2998 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
2999 sizeof(tctx->tlsext_tick_hmac_key),
5f3d93e4 3000 EVP_sha256(), NULL) <= 0
a230b26e
EK		 3001 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3002 tctx->tlsext_tick_aes_key,
3003 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3004 0) {
5f3d93e4 3005 goto err;
a230b26e 3006 }
0f113f3e
MC		 3007 }
3008 /*
3009 * Attempt to process session ticket, first conduct sanity and integrity
3010 * checks on ticket.
3011 */
d736bc1a 3012 /* TODO(size_t) : convert me */
bf7c6817 3013 mlen = HMAC_size(hctx);
0f113f3e 3014 if (mlen < 0) {
5f3d93e4 3015 goto err;
0f113f3e 3016 }
e97763c9
DSH		 3017 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3018 if (eticklen <=
d736bc1a 3019 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + (size_t)mlen) {
e97763c9
DSH		 3020 ret = 2;
3021 goto err;
3022 }
0f113f3e
MC		 3023 eticklen -= mlen;
3024 /* Check HMAC of encrypted ticket */
bf7c6817 3025 if (HMAC_Update(hctx, etick, eticklen) <= 0
a230b26e 3026 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3027 goto err;
3028 }
bf7c6817 3029 HMAC_CTX_free(hctx);
0f113f3e 3030 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3031 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3032 return 2;
3033 }
3034 /* Attempt to decrypt session data */
3035 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3036 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3037 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3038 sdec = OPENSSL_malloc(eticklen);
a230b26e 3039 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
846ec07d 3040 EVP_CIPHER_CTX_free(ctx);
d1247df2 3041 OPENSSL_free(sdec);
0f113f3e
MC		 3042 return -1;
3043 }
846ec07d
RL		 3044 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3045 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3046 OPENSSL_free(sdec);
3047 return 2;
3048 }
3049 slen += mlen;
846ec07d
RL		 3050 EVP_CIPHER_CTX_free(ctx);
3051 ctx = NULL;
0f113f3e
MC		 3052 p = sdec;
3053
3054 sess = d2i_SSL_SESSION(NULL, &p, slen);
3055 OPENSSL_free(sdec);
3056 if (sess) {
3057 /*
3058 * The session ID, if non-empty, is used by some clients to detect
3059 * that the ticket has been accepted. So we copy it to the session
3060 * structure. If it is empty set length to zero as required by
3061 * standard.
3062 */
3063 if (sesslen)
3064 memcpy(sess->session_id, sess_id, sesslen);
3065 sess->session_id_length = sesslen;
3066 *psess = sess;
3067 if (renew_ticket)
3068 return 4;
3069 else
3070 return 3;
3071 }
3072 ERR_clear_error();
3073 /*
3074 * For session parse failure, indicate that we need to send a new ticket.
3075 */
3076 return 2;
a230b26e 3077 err:
846ec07d 3078 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3079 HMAC_CTX_free(hctx);
35b1a433 3080 return ret;
0f113f3e 3081}
6434abbf 3082
6b7be581
DSH		 3083/* Tables to translate from NIDs to TLS v1.2 ids */
3084
0f113f3e
MC		 3085typedef struct {
3086 int nid;
3087 int id;
3088} tls12_lookup;
6b7be581 3089
d97ed219 3090static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3091 {NID_md5, TLSEXT_hash_md5},
3092 {NID_sha1, TLSEXT_hash_sha1},
3093 {NID_sha224, TLSEXT_hash_sha224},
3094 {NID_sha256, TLSEXT_hash_sha256},
3095 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3096 {NID_sha512, TLSEXT_hash_sha512},
3097 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3098 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3099 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3100};
3101
d97ed219 3102static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3103 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3104 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3105 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3106 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3107 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3108 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3109};
3110
d97ed219 3111static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3112{
3113 size_t i;
3114 for (i = 0; i < tlen; i++) {
3115 if (table[i].nid == nid)
3116 return table[i].id;
3117 }
3118 return -1;
3119}
e7f8ff43 3120
d97ed219 3121static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3122{
3123 size_t i;
3124 for (i = 0; i < tlen; i++) {
3125 if ((table[i].id) == id)
3126 return table[i].nid;
3127 }
3128 return NID_undef;
3129}
3130
6400f338
MC		 3131int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
3132{
3133 int sig_id, md_id;
418a18a2
MC		 3134
3135 if (md == NULL)
6400f338
MC		 3136 return 0;
3137 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3138 if (md_id == -1)
3139 return 0;
3140 sig_id = tls12_get_sigid(pk);
3141 if (sig_id == -1)
3142 return 0;
08029dfa 3143 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
6400f338
MC		 3144 return 0;
3145
3146 return 1;
3147}
3148
a2f9200f 3149int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3150{
3aeb9348 3151 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3152}
3153
3154typedef struct {
3155 int nid;
3156 int secbits;
7afd2312 3157 int md_idx;
e44380a9 3158 unsigned char tlsext_hash;
0f113f3e 3159} tls12_hash_info;
b362ccab
DSH		 3160
3161static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3162 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3163 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3164 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3165 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3166 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3167 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
a230b26e
EK		 3168 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3169 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3170 TLSEXT_hash_gostr34112012_256},
3171 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3172 TLSEXT_hash_gostr34112012_512},
b362ccab 3173};
a2f9200f 3174
b362ccab 3175static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3176{
e44380a9 3177 unsigned int i;
0f113f3e
MC		 3178 if (hash_alg == 0)
3179 return NULL;
e44380a9 3180
a230b26e 3181 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
e44380a9
DB		 3182 if (tls12_md_info[i].tlsext_hash == hash_alg)
3183 return tls12_md_info + i;
3184 }
3185
3186 return NULL;
0f113f3e 3187}
a2f9200f 3188
b362ccab 3189const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3190{
3191 const tls12_hash_info *inf;
3192 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3193 return NULL;
3194 inf = tls12_get_hash_info(hash_alg);
7afd2312 3195 if (!inf)
0f113f3e 3196 return NULL;
7afd2312 3197 return ssl_md(inf->md_idx);
0f113f3e 3198}
a2f9200f 3199
4453cd8c 3200static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3201{
3202 switch (sig_alg) {
e481f9b9 3203#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3204 case TLSEXT_signature_rsa:
3205 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3206#endif
3207#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3208 case TLSEXT_signature_dsa:
3209 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3210#endif
3211#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3212 case TLSEXT_signature_ecdsa:
3213 return SSL_PKEY_ECC;
e481f9b9 3214#endif
a230b26e 3215#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3216 case TLSEXT_signature_gostr34102001:
3217 return SSL_PKEY_GOST01;
3218
3219 case TLSEXT_signature_gostr34102012_256:
3220 return SSL_PKEY_GOST12_256;
3221
3222 case TLSEXT_signature_gostr34102012_512:
3223 return SSL_PKEY_GOST12_512;
a230b26e 3224#endif
0f113f3e
MC		 3225 }
3226 return -1;
3227}
4453cd8c
DSH		 3228
3229/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3230static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3231 int *psignhash_nid, const unsigned char *data)
3232{
330dcb09 3233 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3234 if (!phash_nid && !psign_nid && !psignhash_nid)
3235 return;
3236 if (phash_nid || psignhash_nid) {
b6eb9827 3237 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3238 if (phash_nid)
3239 *phash_nid = hash_nid;
3240 }
3241 if (psign_nid || psignhash_nid) {
b6eb9827 3242 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3243 if (psign_nid)
3244 *psign_nid = sign_nid;
3245 }
3246 if (psignhash_nid) {
330dcb09 3247 if (sign_nid == NID_undef || hash_nid == NID_undef
a230b26e 3248 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
0f113f3e
MC		 3249 *psignhash_nid = NID_undef;
3250 }
3251}
3252
b362ccab
DSH		 3253/* Check to see if a signature algorithm is allowed */
3254static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3255{
3256 /* See if we have an entry in the hash table and it is enabled */
3257 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3258 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3259 return 0;
3260 /* See if public key algorithm allowed */
3261 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3262 return 0;
3263 /* Finally see if security callback allows it */
3264 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3265}
3266
3267/*
3268 * Get a mask of disabled public key algorithms based on supported signature
3269 * algorithms. For example if no signature algorithm supports RSA then RSA is
3270 * disabled.
b362ccab
DSH		 3271 */
3272
90d9e49a 3273void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3274{
3275 const unsigned char *sigalgs;
3276 size_t i, sigalgslen;
3277 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3278 /*
3279 * Now go through all signature algorithms seeing if we support any for
3280 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3281 * down calls to security callback only check if we have to.
3282 */
3283 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3284 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3285 switch (sigalgs[1]) {
e481f9b9 3286#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3287 case TLSEXT_signature_rsa:
3288 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3289 have_rsa = 1;
3290 break;
e481f9b9
MC		 3291#endif
3292#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3293 case TLSEXT_signature_dsa:
3294 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3295 have_dsa = 1;
3296 break;
e481f9b9
MC		 3297#endif
3298#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3299 case TLSEXT_signature_ecdsa:
3300 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3301 have_ecdsa = 1;
3302 break;
e481f9b9 3303#endif
0f113f3e
MC		 3304 }
3305 }
3306 if (!have_rsa)
3307 *pmask_a |= SSL_aRSA;
3308 if (!have_dsa)
3309 *pmask_a |= SSL_aDSS;
3310 if (!have_ecdsa)
3311 *pmask_a |= SSL_aECDSA;
3312}
b362ccab 3313
ae2f7b37 3314int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
2c7b4dbc
MC		 3315 const unsigned char *psig, size_t psiglen)
3316{
3317 size_t i;
c0f9e23c 3318
2c7b4dbc
MC		 3319 for (i = 0; i < psiglen; i += 2, psig += 2) {
3320 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
08029dfa
MC		 3321 if (!WPACKET_put_bytes_u8(pkt, psig[0])
3322 || !WPACKET_put_bytes_u8(pkt, psig[1]))
2c7b4dbc
MC		 3323 return 0;
3324 }
3325 }
3326 return 1;
3327}
3328
4453cd8c 3329/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3330static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3331 const unsigned char *pref, size_t preflen,
3332 const unsigned char *allow, size_t allowlen)
3333{
3334 const unsigned char *ptmp, *atmp;
3335 size_t i, j, nmatch = 0;
3336 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3337 /* Skip disabled hashes or signature algorithms */
3338 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3339 continue;
3340 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3341 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3342 nmatch++;
3343 if (shsig) {
3344 shsig->rhash = ptmp[0];
3345 shsig->rsign = ptmp[1];
3346 tls1_lookup_sigalg(&shsig->hash_nid,
3347 &shsig->sign_nid,
3348 &shsig->signandhash_nid, ptmp);
3349 shsig++;
3350 }
3351 break;
3352 }
3353 }
3354 }
3355 return nmatch;
3356}
4453cd8c
DSH		 3357
3358/* Set shared signature algorithms for SSL structures */
3359static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3360{
3361 const unsigned char *pref, *allow, *conf;
3362 size_t preflen, allowlen, conflen;
3363 size_t nmatch;
3364 TLS_SIGALGS *salgs = NULL;
3365 CERT *c = s->cert;
3366 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3367
3368 OPENSSL_free(c->shared_sigalgs);
3369 c->shared_sigalgs = NULL;
3370 c->shared_sigalgslen = 0;
0f113f3e
MC		 3371 /* If client use client signature algorithms if not NULL */
3372 if (!s->server && c->client_sigalgs && !is_suiteb) {
3373 conf = c->client_sigalgs;
3374 conflen = c->client_sigalgslen;
3375 } else if (c->conf_sigalgs && !is_suiteb) {
3376 conf = c->conf_sigalgs;
3377 conflen = c->conf_sigalgslen;
3378 } else
3379 conflen = tls12_get_psigalgs(s, &conf);
3380 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3381 pref = conf;
3382 preflen = conflen;
76106e60
DSH		 3383 allow = s->s3->tmp.peer_sigalgs;
3384 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3385 } else {
3386 allow = conf;
3387 allowlen = conflen;
76106e60
DSH		 3388 pref = s->s3->tmp.peer_sigalgs;
3389 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3390 }
3391 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3392 if (nmatch) {
3393 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3394 if (salgs == NULL)
34e3edbf
DSH		 3395 return 0;
3396 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3397 } else {
3398 salgs = NULL;
3399 }
0f113f3e
MC		 3400 c->shared_sigalgs = salgs;
3401 c->shared_sigalgslen = nmatch;
3402 return 1;
3403}
4453cd8c 3404
6b7be581
DSH		 3405/* Set preferred digest for each key type */
3406
d736bc1a 3407int tls1_save_sigalgs(SSL *s, const unsigned char *data, size_t dsize)
0f113f3e
MC		 3408{
3409 CERT *c = s->cert;
3410 /* Extension ignored for inappropriate versions */
3411 if (!SSL_USE_SIGALGS(s))
3412 return 1;
3413 /* Should never happen */
3414 if (!c)
3415 return 0;
3416
76106e60
DSH		 3417 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3418 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3419 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3420 return 0;
76106e60
DSH		 3421 s->s3->tmp.peer_sigalgslen = dsize;
3422 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3423 return 1;
3424}
6b7be581 3425
c800c27a 3426int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3427{
3428 int idx;
3429 size_t i;
3430 const EVP_MD *md;
d376e57d 3431 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3432 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3433 CERT *c = s->cert;
3434 TLS_SIGALGS *sigptr;
3435 if (!tls1_set_shared_sigalgs(s))
3436 return 0;
3437
0f113f3e
MC		 3438 for (i = 0, sigptr = c->shared_sigalgs;
3439 i < c->shared_sigalgslen; i++, sigptr++) {
3440 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3441 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3442 md = tls12_get_hash(sigptr->rhash);
d376e57d 3443 pmd[idx] = md;
6383d316 3444 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3445 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3446 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3447 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3448 }
3449 }
6b7be581 3450
0f113f3e
MC		 3451 }
3452 /*
3453 * In strict mode leave unset digests as NULL to indicate we can't use
3454 * the certificate for signing.
3455 */
3456 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3457 /*
3458 * Set any remaining keys to default values. NOTE: if alg is not
3459 * supported it stays as NULL.
3460 */
e481f9b9 3461#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3462 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3463 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3464#endif
3465#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3466 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3467 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3468 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3469 }
e481f9b9
MC		 3470#endif
3471#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3472 if (pmd[SSL_PKEY_ECC] == NULL)
3473 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3474#endif
a230b26e 3475#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3476 if (pmd[SSL_PKEY_GOST01] == NULL)
3477 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3478 if (pmd[SSL_PKEY_GOST12_256] == NULL)
a230b26e
EK		 3479 pmd[SSL_PKEY_GOST12_256] =
3480 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
e44380a9 3481 if (pmd[SSL_PKEY_GOST12_512] == NULL)
a230b26e
EK		 3482 pmd[SSL_PKEY_GOST12_512] =
3483 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3484#endif
0f113f3e
MC		 3485 }
3486 return 1;
3487}
4817504d 3488
e7f8ff43 3489int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3490 int *psign, int *phash, int *psignhash,
3491 unsigned char *rsig, unsigned char *rhash)
3492{
76106e60 3493 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3494 if (psig == NULL)
3495 return 0;
3496 if (idx >= 0) {
3497 idx <<= 1;
76106e60 3498 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3499 return 0;
3500 psig += idx;
3501 if (rhash)
3502 *rhash = psig[0];
3503 if (rsig)
3504 *rsig = psig[1];
3505 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3506 }
76106e60 3507 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3508}
4453cd8c
DSH		 3509
3510int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3511 int *psign, int *phash, int *psignhash,
3512 unsigned char *rsig, unsigned char *rhash)
3513{
3514 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3515 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3516 return 0;
3517 shsigalgs += idx;
3518 if (phash)
3519 *phash = shsigalgs->hash_nid;
3520 if (psign)
3521 *psign = shsigalgs->sign_nid;
3522 if (psignhash)
3523 *psignhash = shsigalgs->signandhash_nid;
3524 if (rsig)
3525 *rsig = shsigalgs->rsign;
3526 if (rhash)
3527 *rhash = shsigalgs->rhash;
3528 return s->cert->shared_sigalgslen;
3529}
3530
e481f9b9 3531#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3532
0f113f3e
MC		 3533typedef struct {
3534 size_t sigalgcnt;
3535 int sigalgs[MAX_SIGALGLEN];
3536} sig_cb_st;
0f229cce 3537
431f458d
DSH		 3538static void get_sigorhash(int *psig, int *phash, const char *str)
3539{
3540 if (strcmp(str, "RSA") == 0) {
3541 *psig = EVP_PKEY_RSA;
3542 } else if (strcmp(str, "DSA") == 0) {
3543 *psig = EVP_PKEY_DSA;
3544 } else if (strcmp(str, "ECDSA") == 0) {
3545 *psig = EVP_PKEY_EC;
3546 } else {
3547 *phash = OBJ_sn2nid(str);
3548 if (*phash == NID_undef)
3549 *phash = OBJ_ln2nid(str);
3550 }
3551}
3552
0f229cce 3553static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3554{
3555 sig_cb_st *sarg = arg;
3556 size_t i;
3557 char etmp[20], *p;
431f458d 3558 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3559 if (elem == NULL)
3560 return 0;
0f113f3e
MC		 3561 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3562 return 0;
3563 if (len > (int)(sizeof(etmp) - 1))
3564 return 0;
3565 memcpy(etmp, elem, len);
3566 etmp[len] = 0;
3567 p = strchr(etmp, '+');
3568 if (!p)
3569 return 0;
3570 *p = 0;
3571 p++;
3572 if (!*p)
3573 return 0;
3574
431f458d
DSH		 3575 get_sigorhash(&sig_alg, &hash_alg, etmp);
3576 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3577
431f458d 3578 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3579 return 0;
3580
3581 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3582 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3583 return 0;
3584 }
3585 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3586 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3587 return 1;
3588}
3589
3590/*
9d22666e 3591 * Set supported signature algorithms based on a colon separated list of the
0f113f3e
MC		 3592 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3593 */
3dbc46df 3594int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3595{
3596 sig_cb_st sig;
3597 sig.sigalgcnt = 0;
3598 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3599 return 0;
3600 if (c == NULL)
3601 return 1;
3602 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3603}
3604
a230b26e 3605int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f113f3e
MC		 3606{
3607 unsigned char *sigalgs, *sptr;
3608 int rhash, rsign;
3609 size_t i;
3610 if (salglen & 1)
3611 return 0;
3612 sigalgs = OPENSSL_malloc(salglen);
3613 if (sigalgs == NULL)
3614 return 0;
3615 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3616 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3617 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3618
3619 if (rhash == -1 || rsign == -1)
3620 goto err;
3621 *sptr++ = rhash;
3622 *sptr++ = rsign;
3623 }
3624
3625 if (client) {
b548a1f1 3626 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3627 c->client_sigalgs = sigalgs;
3628 c->client_sigalgslen = salglen;
3629 } else {
b548a1f1 3630 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3631 c->conf_sigalgs = sigalgs;
3632 c->conf_sigalgslen = salglen;
3633 }
3634
3635 return 1;
3636
3637 err:
3638 OPENSSL_free(sigalgs);
3639 return 0;
3640}
4453cd8c 3641
d61ff83b 3642static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3643{
3644 int sig_nid;
3645 size_t i;
3646 if (default_nid == -1)
3647 return 1;
3648 sig_nid = X509_get_signature_nid(x);
3649 if (default_nid)
3650 return sig_nid == default_nid ? 1 : 0;
3651 for (i = 0; i < c->shared_sigalgslen; i++)
3652 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3653 return 1;
3654 return 0;
3655}
3656
6dbb6219
DSH		 3657/* Check to see if a certificate issuer name matches list of CA names */
3658static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3659{
3660 X509_NAME *nm;
3661 int i;
3662 nm = X509_get_issuer_name(x);
3663 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3664 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3665 return 1;
3666 }
3667 return 0;
3668}
3669
3670/*
3671 * Check certificate chain is consistent with TLS extensions and is usable by
3672 * server. This servers two purposes: it allows users to check chains before
3673 * passing them to the server and it allows the server to check chains before
3674 * attempting to use them.
d61ff83b 3675 */
6dbb6219
DSH		 3676
3677/* Flags which need to be set for a certificate when stict mode not set */
3678
e481f9b9 3679#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3680 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3681/* Strict mode flags */
e481f9b9 3682#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3683 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3684 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3685
d61ff83b 3686int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3687 int idx)
3688{
3689 int i;
3690 int rv = 0;
3691 int check_flags = 0, strict_mode;
3692 CERT_PKEY *cpk = NULL;
3693 CERT *c = s->cert;
f7d53487 3694 uint32_t *pvalid;
0f113f3e
MC		 3695 unsigned int suiteb_flags = tls1_suiteb(s);
3696 /* idx == -1 means checking server chains */
3697 if (idx != -1) {
3698 /* idx == -2 means checking client certificate chains */
3699 if (idx == -2) {
3700 cpk = c->key;
3701 idx = cpk - c->pkeys;
3702 } else
3703 cpk = c->pkeys + idx;
6383d316 3704 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3705 x = cpk->x509;
3706 pk = cpk->privatekey;
3707 chain = cpk->chain;
3708 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3709 /* If no cert or key, forget it */
3710 if (!x || !pk)
3711 goto end;
0f113f3e
MC		 3712 } else {
3713 if (!x || !pk)
d813f9eb 3714 return 0;
0f113f3e
MC		 3715 idx = ssl_cert_type(x, pk);
3716 if (idx == -1)
d813f9eb 3717 return 0;
6383d316
DSH		 3718 pvalid = s->s3->tmp.valid_flags + idx;
3719
0f113f3e
MC		 3720 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3721 check_flags = CERT_PKEY_STRICT_FLAGS;
3722 else
3723 check_flags = CERT_PKEY_VALID_FLAGS;
3724 strict_mode = 1;
3725 }
3726
3727 if (suiteb_flags) {
3728 int ok;
3729 if (check_flags)
3730 check_flags |= CERT_PKEY_SUITEB;
3731 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3732 if (ok == X509_V_OK)
3733 rv |= CERT_PKEY_SUITEB;
3734 else if (!check_flags)
3735 goto end;
3736 }
3737
3738 /*
3739 * Check all signature algorithms are consistent with signature
3740 * algorithms extension if TLS 1.2 or later and strict mode.
3741 */
3742 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3743 int default_nid;
3744 unsigned char rsign = 0;
76106e60 3745 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3746 default_nid = 0;
3747 /* If no sigalgs extension use defaults from RFC5246 */
3748 else {
3749 switch (idx) {
3750 case SSL_PKEY_RSA_ENC:
3751 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 3752 rsign = TLSEXT_signature_rsa;
3753 default_nid = NID_sha1WithRSAEncryption;
3754 break;
3755
3756 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 3757 rsign = TLSEXT_signature_dsa;
3758 default_nid = NID_dsaWithSHA1;
3759 break;
3760
3761 case SSL_PKEY_ECC:
3762 rsign = TLSEXT_signature_ecdsa;
3763 default_nid = NID_ecdsa_with_SHA1;
3764 break;
3765
e44380a9
DB		 3766 case SSL_PKEY_GOST01:
3767 rsign = TLSEXT_signature_gostr34102001;
3768 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3769 break;
3770
3771 case SSL_PKEY_GOST12_256:
3772 rsign = TLSEXT_signature_gostr34102012_256;
3773 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3774 break;
3775
3776 case SSL_PKEY_GOST12_512:
3777 rsign = TLSEXT_signature_gostr34102012_512;
3778 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3779 break;
3780
0f113f3e
MC		 3781 default:
3782 default_nid = -1;
3783 break;
3784 }
3785 }
3786 /*
3787 * If peer sent no signature algorithms extension and we have set
3788 * preferred signature algorithms check we support sha1.
3789 */
3790 if (default_nid > 0 && c->conf_sigalgs) {
3791 size_t j;
3792 const unsigned char *p = c->conf_sigalgs;
3793 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3794 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3795 break;
3796 }
3797 if (j == c->conf_sigalgslen) {
3798 if (check_flags)
3799 goto skip_sigs;
3800 else
3801 goto end;
3802 }
3803 }
3804 /* Check signature algorithm of each cert in chain */
3805 if (!tls1_check_sig_alg(c, x, default_nid)) {
3806 if (!check_flags)
3807 goto end;
3808 } else
3809 rv |= CERT_PKEY_EE_SIGNATURE;
3810 rv |= CERT_PKEY_CA_SIGNATURE;
3811 for (i = 0; i < sk_X509_num(chain); i++) {
3812 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3813 if (check_flags) {
3814 rv &= ~CERT_PKEY_CA_SIGNATURE;
3815 break;
3816 } else
3817 goto end;
3818 }
3819 }
3820 }
3821 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3822 else if (check_flags)
3823 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3824 skip_sigs:
3825 /* Check cert parameters are consistent */
3826 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3827 rv |= CERT_PKEY_EE_PARAM;
3828 else if (!check_flags)
3829 goto end;
3830 if (!s->server)
3831 rv |= CERT_PKEY_CA_PARAM;
3832 /* In strict mode check rest of chain too */
3833 else if (strict_mode) {
3834 rv |= CERT_PKEY_CA_PARAM;
3835 for (i = 0; i < sk_X509_num(chain); i++) {
3836 X509 *ca = sk_X509_value(chain, i);
3837 if (!tls1_check_cert_param(s, ca, 0)) {
3838 if (check_flags) {
3839 rv &= ~CERT_PKEY_CA_PARAM;
3840 break;
3841 } else
3842 goto end;
3843 }
3844 }
3845 }
3846 if (!s->server && strict_mode) {
3847 STACK_OF(X509_NAME) *ca_dn;
3848 int check_type = 0;
3aeb9348 3849 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 3850 case EVP_PKEY_RSA:
3851 check_type = TLS_CT_RSA_SIGN;
3852 break;
3853 case EVP_PKEY_DSA:
3854 check_type = TLS_CT_DSS_SIGN;
3855 break;
3856 case EVP_PKEY_EC:
3857 check_type = TLS_CT_ECDSA_SIGN;
3858 break;
0f113f3e
MC		 3859 }
3860 if (check_type) {
3861 const unsigned char *ctypes;
3862 int ctypelen;
3863 if (c->ctypes) {
3864 ctypes = c->ctypes;
3865 ctypelen = (int)c->ctype_num;
3866 } else {
3867 ctypes = (unsigned char *)s->s3->tmp.ctype;
3868 ctypelen = s->s3->tmp.ctype_num;
3869 }
3870 for (i = 0; i < ctypelen; i++) {
3871 if (ctypes[i] == check_type) {
3872 rv |= CERT_PKEY_CERT_TYPE;
3873 break;
3874 }
3875 }
3876 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3877 goto end;
3878 } else
3879 rv |= CERT_PKEY_CERT_TYPE;
3880
3881 ca_dn = s->s3->tmp.ca_names;
3882
3883 if (!sk_X509_NAME_num(ca_dn))
3884 rv |= CERT_PKEY_ISSUER_NAME;
3885
3886 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3887 if (ssl_check_ca_name(ca_dn, x))
3888 rv |= CERT_PKEY_ISSUER_NAME;
3889 }
3890 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3891 for (i = 0; i < sk_X509_num(chain); i++) {
3892 X509 *xtmp = sk_X509_value(chain, i);
3893 if (ssl_check_ca_name(ca_dn, xtmp)) {
3894 rv |= CERT_PKEY_ISSUER_NAME;
3895 break;
3896 }
3897 }
3898 }
3899 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3900 goto end;
3901 } else
3902 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3903
3904 if (!check_flags || (rv & check_flags) == check_flags)
3905 rv |= CERT_PKEY_VALID;
3906
3907 end:
3908
3909 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 3910 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 3911 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 3912 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 3913 rv |= CERT_PKEY_SIGN;
3914 } else
3915 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3916
3917 /*
3918 * When checking a CERT_PKEY structure all flags are irrelevant if the
3919 * chain is invalid.
3920 */
3921 if (!check_flags) {
3922 if (rv & CERT_PKEY_VALID)
6383d316 3923 *pvalid = rv;
0f113f3e
MC		 3924 else {
3925 /* Preserve explicit sign flag, clear rest */
6383d316 3926 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 3927 return 0;
3928 }
3929 }
3930 return rv;
3931}
d61ff83b
DSH		 3932
3933/* Set validity of certificates in an SSL structure */
3934void tls1_set_cert_validity(SSL *s)
0f113f3e 3935{
17dd65e6
MC		 3936 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3937 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3938 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 3939 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 3940 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3941 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3942 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 3943}
3944
18d71588
DSH		 3945/* User level utiity function to check a chain is suitable */
3946int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 3947{
3948 return tls1_check_chain(s, x, pk, chain, -1);
3949}
d61ff83b 3950
09599b52
DSH		 3951#ifndef OPENSSL_NO_DH
3952DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 3953{
3954 int dh_secbits = 80;
3955 if (s->cert->dh_tmp_auto == 2)
3956 return DH_get_1024_160();
adc5506a 3957 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 3958 if (s->s3->tmp.new_cipher->strength_bits == 256)
3959 dh_secbits = 128;
3960 else
3961 dh_secbits = 80;
3962 } else {
3963 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3964 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3965 }
3966
3967 if (dh_secbits >= 128) {
3968 DH *dhp = DH_new();
0aeddcfa 3969 BIGNUM *p, *g;
a71edf3b 3970 if (dhp == NULL)
0f113f3e 3971 return NULL;
0aeddcfa
MC		 3972 g = BN_new();
3973 if (g != NULL)
3974 BN_set_word(g, 2);
0f113f3e 3975 if (dh_secbits >= 192)
9021a5df 3976 p = BN_get_rfc3526_prime_8192(NULL);
0f113f3e 3977 else
9021a5df 3978 p = BN_get_rfc3526_prime_3072(NULL);
0aeddcfa 3979 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
0f113f3e 3980 DH_free(dhp);
0aeddcfa
MC		 3981 BN_free(p);
3982 BN_free(g);
0f113f3e
MC		 3983 return NULL;
3984 }
3985 return dhp;
3986 }
3987 if (dh_secbits >= 112)
3988 return DH_get_2048_224();
3989 return DH_get_1024_160();
3990}
09599b52 3991#endif
b362ccab
DSH		 3992
3993static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 3994{
72245f34 3995 int secbits = -1;
8382fd3a 3996 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 3997 if (pkey) {
72245f34
DSH		 3998 /*
3999 * If no parameters this will return -1 and fail using the default
4000 * security callback for any non-zero security level. This will
4001 * reject keys which omit parameters but this only affects DSA and
4002 * omission of parameters is never (?) done in practice.
4003 */
0f113f3e 4004 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4005 }
0f113f3e
MC		 4006 if (s)
4007 return ssl_security(s, op, secbits, 0, x);
4008 else
4009 return ssl_ctx_security(ctx, op, secbits, 0, x);
4010}
b362ccab
DSH		 4011
4012static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4013{
4014 /* Lookup signature algorithm digest */
4015 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4016 /* Don't check signature if self signed */
4017 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4018 return 1;
0f113f3e
MC		 4019 sig_nid = X509_get_signature_nid(x);
4020 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4021 const EVP_MD *md;
4022 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4023 secbits = EVP_MD_size(md) * 4;
4024 }
4025 if (s)
4026 return ssl_security(s, op, secbits, md_nid, x);
4027 else
4028 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4029}
b362ccab
DSH		 4030
4031int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4032{
4033 if (vfy)
4034 vfy = SSL_SECOP_PEER;
4035 if (is_ee) {
4036 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4037 return SSL_R_EE_KEY_TOO_SMALL;
4038 } else {
4039 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4040 return SSL_R_CA_KEY_TOO_SMALL;
4041 }
4042 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4043 return SSL_R_CA_MD_TOO_WEAK;
4044 return 1;
4045}
4046
4047/*
4048 * Check security of a chain, if sk includes the end entity certificate then
4049 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4050 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4051 */
4052
4053int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4054{
4055 int rv, start_idx, i;
4056 if (x == NULL) {
4057 x = sk_X509_value(sk, 0);
4058 start_idx = 1;
4059 } else
4060 start_idx = 0;
4061
4062 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4063 if (rv != 1)
4064 return rv;
4065
4066 for (i = start_idx; i < sk_X509_num(sk); i++) {
4067 x = sk_X509_value(sk, i);
4068 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4069 if (rv != 1)
4070 return rv;
4071 }
4072 return 1;
4073}
A mirror of the official openssl repository