]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Curve25519: avoid undefined behaviour
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 7 *
58964a49
RE		 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 14 *
58964a49
RE		 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
0f113f3e 21 *
58964a49
RE		 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
0f113f3e 36 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 39 *
58964a49
RE		 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
0f113f3e 51 *
58964a49
RE		 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
f1fd4544 57/* ====================================================================
52b8dad8 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
0f113f3e 65 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
58964a49
RE		 110
111#include <stdio.h>
aa474d1f 112#include <stdlib.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
6434abbf 124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
2daceb03 127static int ssl_check_clienthello_tlsext_early(SSL *s);
aa474d1f 128static int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 129
0f113f3e
MC		 130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_alert_code,
141 tls1_export_keying_material,
142 0,
143 SSL3_HM_HEADER_LENGTH,
144 ssl3_set_handshake_header,
145 ssl3_handshake_write
146};
147
148SSL3_ENC_METHOD const TLSv1_1_enc_data = {
149 tls1_enc,
150 tls1_mac,
151 tls1_setup_key_block,
152 tls1_generate_master_secret,
153 tls1_change_cipher_state,
154 tls1_final_finish_mac,
155 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 156 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
157 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
158 tls1_alert_code,
159 tls1_export_keying_material,
160 SSL_ENC_FLAG_EXPLICIT_IV,
161 SSL3_HM_HEADER_LENGTH,
162 ssl3_set_handshake_header,
163 ssl3_handshake_write
164};
165
166SSL3_ENC_METHOD const TLSv1_2_enc_data = {
167 tls1_enc,
168 tls1_mac,
169 tls1_setup_key_block,
170 tls1_generate_master_secret,
171 tls1_change_cipher_state,
172 tls1_final_finish_mac,
173 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 174 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
179 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183};
58964a49 184
f3b656b2 185long tls1_default_timeout(void)
0f113f3e
MC		 186{
187 /*
188 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
189 * http, the cache would over fill
190 */
191 return (60 * 60 * 2);
192}
58964a49 193
6b691a5c 194int tls1_new(SSL *s)
0f113f3e
MC		 195{
196 if (!ssl3_new(s))
197 return (0);
198 s->method->ssl_clear(s);
199 return (1);
200}
58964a49 201
6b691a5c 202void tls1_free(SSL *s)
0f113f3e 203{
b548a1f1 204 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 205 ssl3_free(s);
206}
58964a49 207
6b691a5c 208void tls1_clear(SSL *s)
0f113f3e
MC		 209{
210 ssl3_clear(s);
4fa52141
VD		 211 if (s->method->version == TLS_ANY_VERSION)
212 s->version = TLS_MAX_VERSION;
213 else
214 s->version = s->method->version;
0f113f3e 215}
58964a49 216
525de5d3 217#ifndef OPENSSL_NO_EC
eda3766b 218
0f113f3e
MC		 219typedef struct {
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
223} tls_curve_info;
224
1db3107a
DSH		 225/* Mask for curve type */
226# define TLS_CURVE_TYPE 0x3
0f113f3e 227# define TLS_CURVE_PRIME 0x0
1db3107a
DSH		 228# define TLS_CURVE_CHAR2 0x1
229# define TLS_CURVE_CUSTOM 0x2
0f113f3e 230
2dc1aeed
DSH		 231/*
232 * Table of curve information.
233 * NB: do not delete entries or reorder this array. It is used as a lookup
234 * table: the index of each entry is one less than the TLS curve id.
235 */
236
0f113f3e
MC		 237static const tls_curve_info nid_list[] = {
238 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
239 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
240 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
241 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
242 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
243 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
244 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
245 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
246 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
247 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
248 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
249 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
250 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
251 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
252 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
253 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
254 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
255 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
256 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
257 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
258 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
259 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
260 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
261 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
262 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
263 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
264 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
265 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
1db3107a
DSH		 266 /* X25519 (29) */
267 {NID_X25519, 128, TLS_CURVE_CUSTOM},
0f113f3e
MC		 268};
269
270static const unsigned char ecformats_default[] = {
271 TLSEXT_ECPOINTFORMAT_uncompressed,
272 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
273 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
274};
275
fe6ef247
KR		 276/* The default curves */
277static const unsigned char eccurves_default[] = {
1db3107a 278 0, 29, /* X25519 (29) */
de57d237
EK		 279 /* Prefer P-256 which has the fastest and most secure implementations. */
280 0, 23, /* secp256r1 (23) */
281 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 282 0, 25, /* secp521r1 (25) */
283 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 284 0, 27, /* brainpoolP384r1 (27) */
285 0, 24, /* secp384r1 (24) */
de57d237
EK		 286 0, 26, /* brainpoolP256r1 (26) */
287 0, 22, /* secp256k1 (22) */
288 /* >= 256-bit binary curves. */
289 0, 14, /* sect571r1 (14) */
290 0, 13, /* sect571k1 (13) */
291 0, 11, /* sect409k1 (11) */
292 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 293 0, 9, /* sect283k1 (9) */
294 0, 10, /* sect283r1 (10) */
de57d237
EK		 295};
296
297static const unsigned char eccurves_all[] = {
1db3107a 298 0, 29, /* X25519 (29) */
de57d237
EK		 299 /* Prefer P-256 which has the fastest and most secure implementations. */
300 0, 23, /* secp256r1 (23) */
301 /* Other >= 256-bit prime curves. */
302 0, 25, /* secp521r1 (25) */
303 0, 28, /* brainpool512r1 (28) */
304 0, 27, /* brainpoolP384r1 (27) */
305 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 306 0, 26, /* brainpoolP256r1 (26) */
307 0, 22, /* secp256k1 (22) */
de57d237
EK		 308 /* >= 256-bit binary curves. */
309 0, 14, /* sect571r1 (14) */
310 0, 13, /* sect571k1 (13) */
311 0, 11, /* sect409k1 (11) */
312 0, 12, /* sect409r1 (12) */
313 0, 9, /* sect283k1 (9) */
314 0, 10, /* sect283r1 (10) */
315 /*
316 * Remaining curves disabled by default but still permitted if set
317 * via an explicit callback or parameters.
318 */
319 0, 20, /* secp224k1 (20) */
320 0, 21, /* secp224r1 (21) */
321 0, 18, /* secp192k1 (18) */
322 0, 19, /* secp192r1 (19) */
323 0, 15, /* secp160k1 (15) */
324 0, 16, /* secp160r1 (16) */
325 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 326 0, 8, /* sect239k1 (8) */
327 0, 6, /* sect233k1 (6) */
328 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 329 0, 4, /* sect193r1 (4) */
330 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 331 0, 1, /* sect163k1 (1) */
332 0, 2, /* sect163r1 (2) */
333 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 334};
335
de57d237 336
0f113f3e
MC		 337static const unsigned char suiteb_curves[] = {
338 0, TLSEXT_curve_P_256,
339 0, TLSEXT_curve_P_384
340};
2ea80354 341
525de5d3 342int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 343{
344 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 345 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 346 return 0;
347 return nid_list[curve_id - 1].nid;
348}
525de5d3
DSH		 349
350int tls1_ec_nid2curve_id(int nid)
0f113f3e 351{
2fa2d15a
DSH		 352 size_t i;
353 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
354 if (nid_list[i].nid == nid)
355 return i + 1;
0f113f3e 356 }
2fa2d15a 357 return 0;
0f113f3e
MC		 358}
359
740580c2
EK		 360/*
361 * Get curves list, if "sess" is set return client curves otherwise
362 * preferred list.
363 * Sets |num_curves| to the number of curves in the list, i.e.,
364 * the length of |pcurves| is 2 * num_curves.
365 * Returns 1 on success and 0 if the client curves list has invalid format.
366 * The latter indicates an internal error: we should not be accepting such
367 * lists in the first place.
368 * TODO(emilia): we should really be storing the curves list in explicitly
369 * parsed form instead. (However, this would affect binary compatibility
370 * so cannot happen in the 1.0.x series.)
fd2b65ce 371 */
740580c2 372static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 373 const unsigned char **pcurves,
374 size_t *num_curves)
375{
376 size_t pcurveslen = 0;
377 if (sess) {
378 *pcurves = s->session->tlsext_ellipticcurvelist;
379 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
380 } else {
381 /* For Suite B mode only include P-256, P-384 */
382 switch (tls1_suiteb(s)) {
383 case SSL_CERT_FLAG_SUITEB_128_LOS:
384 *pcurves = suiteb_curves;
385 pcurveslen = sizeof(suiteb_curves);
386 break;
387
388 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
389 *pcurves = suiteb_curves;
390 pcurveslen = 2;
391 break;
392
393 case SSL_CERT_FLAG_SUITEB_192_LOS:
394 *pcurves = suiteb_curves + 2;
395 pcurveslen = 2;
396 break;
397 default:
398 *pcurves = s->tlsext_ellipticcurvelist;
399 pcurveslen = s->tlsext_ellipticcurvelist_length;
400 }
401 if (!*pcurves) {
fe6ef247
KR		 402 *pcurves = eccurves_default;
403 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 404 }
405 }
406
407 /* We do not allow odd length arrays to enter the system. */
408 if (pcurveslen & 1) {
409 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
410 *num_curves = 0;
411 return 0;
412 } else {
413 *num_curves = pcurveslen / 2;
414 return 1;
415 }
416}
b362ccab
DSH		 417
418/* See if curve is allowed by security callback */
419static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 420{
421 const tls_curve_info *cinfo;
422 if (curve[0])
423 return 1;
b6eb9827 424 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 425 return 0;
426 cinfo = &nid_list[curve[1] - 1];
427# ifdef OPENSSL_NO_EC2M
428 if (cinfo->flags & TLS_CURVE_CHAR2)
429 return 0;
430# endif
431 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
432}
b362ccab 433
d18b716d
DSH		 434/* Check a curve is one of our preferences */
435int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 436{
437 const unsigned char *curves;
438 size_t num_curves, i;
439 unsigned int suiteb_flags = tls1_suiteb(s);
440 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
441 return 0;
442 /* Check curve matches Suite B preferences */
443 if (suiteb_flags) {
444 unsigned long cid = s->s3->tmp.new_cipher->id;
445 if (p[1])
446 return 0;
447 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
448 if (p[2] != TLSEXT_curve_P_256)
449 return 0;
450 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
451 if (p[2] != TLSEXT_curve_P_384)
452 return 0;
453 } else /* Should never happen */
454 return 0;
455 }
456 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
457 return 0;
458 for (i = 0; i < num_curves; i++, curves += 2) {
459 if (p[1] == curves[0] && p[2] == curves[1])
460 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
461 }
462 return 0;
463}
d0595f17 464
1d97c843 465/*-
6977e8ee
KR		 466 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
467 * if there is no match.
468 * For nmatch == -1, return number of matches
376e2ca3
EK		 469 * For nmatch == -2, return the NID of the curve to use for
470 * an EC tmp key, or NID_undef if there is no match.
d0595f17 471 */
a4352630 472int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 473{
474 const unsigned char *pref, *supp;
475 size_t num_pref, num_supp, i, j;
476 int k;
477 /* Can't do anything on client side */
478 if (s->server == 0)
479 return -1;
480 if (nmatch == -2) {
481 if (tls1_suiteb(s)) {
482 /*
483 * For Suite B ciphersuite determines curve: we already know
484 * these are acceptable due to previous checks.
485 */
486 unsigned long cid = s->s3->tmp.new_cipher->id;
487 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
488 return NID_X9_62_prime256v1; /* P-256 */
489 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
490 return NID_secp384r1; /* P-384 */
491 /* Should never happen */
492 return NID_undef;
493 }
494 /* If not Suite B just return first preference shared curve */
495 nmatch = 0;
496 }
497 /*
498 * Avoid truncation. tls1_get_curvelist takes an int
499 * but s->options is a long...
500 */
501 if (!tls1_get_curvelist
502 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
503 &num_supp))
504 /* In practice, NID_undef == 0 but let's be precise. */
505 return nmatch == -1 ? 0 : NID_undef;
506 if (!tls1_get_curvelist
507 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
508 &num_pref))
509 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 510
511 /*
512 * If the client didn't send the elliptic_curves extension all of them
513 * are allowed.
514 */
515 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
516 supp = eccurves_all;
517 num_supp = sizeof(eccurves_all) / 2;
518 } else if (num_pref == 0 &&
519 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
520 pref = eccurves_all;
521 num_pref = sizeof(eccurves_all) / 2;
522 }
523
0f113f3e
MC		 524 k = 0;
525 for (i = 0; i < num_pref; i++, pref += 2) {
526 const unsigned char *tsupp = supp;
527 for (j = 0; j < num_supp; j++, tsupp += 2) {
528 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
529 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
530 continue;
531 if (nmatch == k) {
532 int id = (pref[0] << 8) | pref[1];
533 return tls1_ec_curve_id2nid(id);
534 }
535 k++;
536 }
537 }
538 }
539 if (nmatch == -1)
540 return k;
541 /* Out of range (nmatch > k). */
542 return NID_undef;
543}
d0595f17
DSH		 544
545int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 546 int *curves, size_t ncurves)
547{
548 unsigned char *clist, *p;
549 size_t i;
550 /*
551 * Bitmap of curves included to detect duplicates: only works while curve
552 * ids < 32
553 */
554 unsigned long dup_list = 0;
555 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 556 if (clist == NULL)
0f113f3e
MC		 557 return 0;
558 for (i = 0, p = clist; i < ncurves; i++) {
559 unsigned long idmask;
560 int id;
561 id = tls1_ec_nid2curve_id(curves[i]);
562 idmask = 1L << id;
563 if (!id || (dup_list & idmask)) {
564 OPENSSL_free(clist);
565 return 0;
566 }
567 dup_list |= idmask;
568 s2n(id, p);
569 }
b548a1f1 570 OPENSSL_free(*pext);
0f113f3e
MC		 571 *pext = clist;
572 *pextlen = ncurves * 2;
573 return 1;
574}
575
576# define MAX_CURVELIST 28
577
578typedef struct {
579 size_t nidcnt;
580 int nid_arr[MAX_CURVELIST];
581} nid_cb_st;
d0595f17
DSH		 582
583static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 584{
585 nid_cb_st *narg = arg;
586 size_t i;
587 int nid;
588 char etmp[20];
2747d73c
KR		 589 if (elem == NULL)
590 return 0;
0f113f3e
MC		 591 if (narg->nidcnt == MAX_CURVELIST)
592 return 0;
593 if (len > (int)(sizeof(etmp) - 1))
594 return 0;
595 memcpy(etmp, elem, len);
596 etmp[len] = 0;
597 nid = EC_curve_nist2nid(etmp);
598 if (nid == NID_undef)
599 nid = OBJ_sn2nid(etmp);
600 if (nid == NID_undef)
601 nid = OBJ_ln2nid(etmp);
602 if (nid == NID_undef)
603 return 0;
604 for (i = 0; i < narg->nidcnt; i++)
605 if (narg->nid_arr[i] == nid)
606 return 0;
607 narg->nid_arr[narg->nidcnt++] = nid;
608 return 1;
609}
610
d0595f17 611/* Set curves based on a colon separate list */
0f113f3e
MC		 612int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
613 const char *str)
614{
615 nid_cb_st ncb;
616 ncb.nidcnt = 0;
617 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
618 return 0;
619 if (pext == NULL)
620 return 1;
621 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
622}
623
fd2b65ce
DSH		 624/* For an EC key set TLS id and required compression based on parameters */
625static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 626 EC_KEY *ec)
627{
2235b7f2 628 int id;
0f113f3e 629 const EC_GROUP *grp;
0f113f3e
MC		 630 if (!ec)
631 return 0;
632 /* Determine if it is a prime field */
633 grp = EC_KEY_get0_group(ec);
634 if (!grp)
635 return 0;
0f113f3e
MC		 636 /* Determine curve ID */
637 id = EC_GROUP_get_curve_name(grp);
638 id = tls1_ec_nid2curve_id(id);
2235b7f2
DSH		 639 /* If no id return error: we don't support arbitrary explicit curves */
640 if (id == 0)
641 return 0;
642 curve_id[0] = 0;
643 curve_id[1] = (unsigned char)id;
0f113f3e
MC		 644 if (comp_id) {
645 if (EC_KEY_get0_public_key(ec) == NULL)
646 return 0;
2235b7f2
DSH		 647 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
648 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
649 } else {
650 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
0f113f3e
MC		 651 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
652 else
653 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2235b7f2 654 }
0f113f3e
MC		 655 }
656 return 1;
657}
658
fd2b65ce
DSH		 659/* Check an EC key is compatible with extensions */
660static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 661 unsigned char *curve_id, unsigned char *comp_id)
662{
663 const unsigned char *pformats, *pcurves;
664 size_t num_formats, num_curves, i;
665 int j;
666 /*
667 * If point formats extension present check it, otherwise everything is
668 * supported (see RFC4492).
669 */
670 if (comp_id && s->session->tlsext_ecpointformatlist) {
671 pformats = s->session->tlsext_ecpointformatlist;
672 num_formats = s->session->tlsext_ecpointformatlist_length;
673 for (i = 0; i < num_formats; i++, pformats++) {
674 if (*comp_id == *pformats)
675 break;
676 }
677 if (i == num_formats)
678 return 0;
679 }
680 if (!curve_id)
681 return 1;
682 /* Check curve is consistent with client and server preferences */
683 for (j = 0; j <= 1; j++) {
684 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
685 return 0;
b79d2410
MC		 686 if (j == 1 && num_curves == 0) {
687 /*
688 * If we've not received any curves then skip this check.
689 * RFC 4492 does not require the supported elliptic curves extension
690 * so if it is not sent we can just choose any curve.
691 * It is invalid to send an empty list in the elliptic curves
692 * extension, so num_curves == 0 always means no extension.
693 */
694 break;
695 }
0f113f3e
MC		 696 for (i = 0; i < num_curves; i++, pcurves += 2) {
697 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
698 break;
699 }
700 if (i == num_curves)
701 return 0;
702 /* For clients can only check sent curve list */
703 if (!s->server)
704 break;
705 }
706 return 1;
707}
d61ff83b 708
5087afa1 709static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 710 size_t *num_formats)
711{
712 /*
713 * If we have a custom point format list use it otherwise use default
714 */
715 if (s->tlsext_ecpointformatlist) {
716 *pformats = s->tlsext_ecpointformatlist;
717 *num_formats = s->tlsext_ecpointformatlist_length;
718 } else {
719 *pformats = ecformats_default;
720 /* For Suite B we don't support char2 fields */
721 if (tls1_suiteb(s))
722 *num_formats = sizeof(ecformats_default) - 1;
723 else
724 *num_formats = sizeof(ecformats_default);
725 }
726}
727
728/*
729 * Check cert parameters compatible with extensions: currently just checks EC
730 * certificates have compatible curves and compression.
d61ff83b 731 */
2ea80354 732static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 733{
734 unsigned char comp_id, curve_id[2];
735 EVP_PKEY *pkey;
736 int rv;
8382fd3a 737 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 738 if (!pkey)
739 return 0;
740 /* If not EC nothing to do */
3aeb9348 741 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 742 return 1;
3aeb9348 743 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 744 if (!rv)
745 return 0;
746 /*
747 * Can't check curve_id for client certs as we don't have a supported
748 * curves extension.
749 */
750 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
751 if (!rv)
752 return 0;
753 /*
754 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
755 * SHA384+P-384, adjust digest if necessary.
756 */
757 if (set_ee_md && tls1_suiteb(s)) {
758 int check_md;
759 size_t i;
760 CERT *c = s->cert;
761 if (curve_id[0])
762 return 0;
763 /* Check to see we have necessary signing algorithm */
764 if (curve_id[1] == TLSEXT_curve_P_256)
765 check_md = NID_ecdsa_with_SHA256;
766 else if (curve_id[1] == TLSEXT_curve_P_384)
767 check_md = NID_ecdsa_with_SHA384;
768 else
769 return 0; /* Should never happen */
770 for (i = 0; i < c->shared_sigalgslen; i++)
771 if (check_md == c->shared_sigalgs[i].signandhash_nid)
772 break;
773 if (i == c->shared_sigalgslen)
774 return 0;
775 if (set_ee_md == 2) {
776 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 777 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 778 else
d376e57d 779 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 780 }
781 }
782 return rv;
783}
784
10bf4fc2 785# ifndef OPENSSL_NO_EC
6977e8ee
KR		 786/*
787 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
788 * @s: SSL connection
789 * @cid: Cipher ID we're considering using
790 *
791 * Checks that the kECDHE cipher suite we're considering using
792 * is compatible with the client extensions.
793 *
794 * Returns 0 when the cipher can't be used or 1 when it can.
795 */
2ea80354 796int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 797{
0f113f3e
MC		 798 /*
799 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
800 * curves permitted.
801 */
802 if (tls1_suiteb(s)) {
6977e8ee 803 unsigned char curve_id[2];
0f113f3e
MC		 804 /* Curve to check determined by ciphersuite */
805 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
806 curve_id[1] = TLSEXT_curve_P_256;
807 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
808 curve_id[1] = TLSEXT_curve_P_384;
809 else
810 return 0;
811 curve_id[0] = 0;
812 /* Check this curve is acceptable */
813 if (!tls1_check_ec_key(s, curve_id, NULL))
814 return 0;
fe6ef247 815 return 1;
0f113f3e 816 }
fe6ef247
KR		 817 /* Need a shared curve */
818 if (tls1_shared_curve(s, 0))
819 return 1;
6977e8ee 820 return 0;
0f113f3e 821}
10bf4fc2 822# endif /* OPENSSL_NO_EC */
d0595f17 823
14536c8c
DSH		 824#else
825
826static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 827{
828 return 1;
829}
14536c8c 830
0f113f3e 831#endif /* OPENSSL_NO_EC */
f1fd4544 832
0f113f3e
MC		 833/*
834 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 835 * customisable at some point, for now include everything we support.
836 */
837
e481f9b9
MC		 838#ifdef OPENSSL_NO_RSA
839# define tlsext_sigalg_rsa(md) /* */
840#else
841# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
842#endif
0f113f3e 843
e481f9b9
MC		 844#ifdef OPENSSL_NO_DSA
845# define tlsext_sigalg_dsa(md) /* */
846#else
847# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
848#endif
0f113f3e 849
e481f9b9
MC		 850#ifdef OPENSSL_NO_EC
851# define tlsext_sigalg_ecdsa(md) /* */
852#else
853# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
854#endif
0f113f3e 855
e481f9b9 856#define tlsext_sigalg(md) \
0f113f3e
MC		 857 tlsext_sigalg_rsa(md) \
858 tlsext_sigalg_dsa(md) \
859 tlsext_sigalg_ecdsa(md)
fc101f88 860
d97ed219 861static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 862 tlsext_sigalg(TLSEXT_hash_sha512)
863 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 864 tlsext_sigalg(TLSEXT_hash_sha256)
865 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 866 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 867#ifndef OPENSSL_NO_GOST
868 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
869 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
870 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
871#endif
fc101f88 872};
0f113f3e 873
e481f9b9 874#ifndef OPENSSL_NO_EC
d97ed219 875static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 876 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
877 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 878};
e481f9b9 879#endif
b7bfe69b 880size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 881{
882 /*
883 * If Suite B mode use Suite B sigalgs only, ignore any other
884 * preferences.
885 */
e481f9b9 886#ifndef OPENSSL_NO_EC
0f113f3e
MC		 887 switch (tls1_suiteb(s)) {
888 case SSL_CERT_FLAG_SUITEB_128_LOS:
889 *psigs = suiteb_sigalgs;
890 return sizeof(suiteb_sigalgs);
891
892 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
893 *psigs = suiteb_sigalgs;
894 return 2;
895
896 case SSL_CERT_FLAG_SUITEB_192_LOS:
897 *psigs = suiteb_sigalgs + 2;
898 return 2;
899 }
e481f9b9 900#endif
0f113f3e
MC		 901 /* If server use client authentication sigalgs if not NULL */
902 if (s->server && s->cert->client_sigalgs) {
903 *psigs = s->cert->client_sigalgs;
904 return s->cert->client_sigalgslen;
905 } else if (s->cert->conf_sigalgs) {
906 *psigs = s->cert->conf_sigalgs;
907 return s->cert->conf_sigalgslen;
908 } else {
909 *psigs = tls12_sigalgs;
910 return sizeof(tls12_sigalgs);
911 }
912}
913
914/*
915 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 916 * algorithms and if so return relevant digest.
917 */
918int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 919 const unsigned char *sig, EVP_PKEY *pkey)
920{
921 const unsigned char *sent_sigs;
922 size_t sent_sigslen, i;
923 int sigalg = tls12_get_sigid(pkey);
924 /* Should never happen */
925 if (sigalg == -1)
926 return -1;
927 /* Check key type is consistent with signature */
928 if (sigalg != (int)sig[1]) {
929 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
930 return 0;
931 }
e481f9b9 932#ifndef OPENSSL_NO_EC
3aeb9348 933 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 934 unsigned char curve_id[2], comp_id;
935 /* Check compression and curve matches extensions */
3aeb9348 936 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 937 return 0;
938 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
939 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
940 return 0;
941 }
942 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
943 if (tls1_suiteb(s)) {
944 if (curve_id[0])
945 return 0;
946 if (curve_id[1] == TLSEXT_curve_P_256) {
947 if (sig[0] != TLSEXT_hash_sha256) {
948 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
949 SSL_R_ILLEGAL_SUITEB_DIGEST);
950 return 0;
951 }
952 } else if (curve_id[1] == TLSEXT_curve_P_384) {
953 if (sig[0] != TLSEXT_hash_sha384) {
954 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
955 SSL_R_ILLEGAL_SUITEB_DIGEST);
956 return 0;
957 }
958 } else
959 return 0;
960 }
961 } else if (tls1_suiteb(s))
962 return 0;
e481f9b9 963#endif
0f113f3e
MC		 964
965 /* Check signature matches a type we sent */
966 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
967 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
968 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
969 break;
970 }
971 /* Allow fallback to SHA1 if not strict mode */
972 if (i == sent_sigslen
973 && (sig[0] != TLSEXT_hash_sha1
974 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
975 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
976 return 0;
977 }
978 *pmd = tls12_get_hash(sig[0]);
979 if (*pmd == NULL) {
980 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
981 return 0;
982 }
983 /* Make sure security callback allows algorithm */
984 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
985 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
986 (void *)sig)) {
987 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
988 return 0;
989 }
990 /*
991 * Store the digest used so applications can retrieve it if they wish.
992 */
d376e57d 993 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 994 return 1;
995}
2ea80354 996
0f113f3e
MC		 997/*
998 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
999 * supported or doesn't appear in supported signature algorithms. Unlike
1000 * ssl_cipher_get_disabled this applies to a specific session and not global
1001 * settings.
b7bfe69b
DSH		 1002 */
1003void ssl_set_client_disabled(SSL *s)
0f113f3e 1004{
4d69f9e6
DSH		 1005 s->s3->tmp.mask_a = 0;
1006 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1007 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1008 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1009 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1010 else
4d69f9e6 1011 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1012 /* Disable TLS 1.0 ciphers if using SSL v3 */
1013 if (s->client_version == SSL3_VERSION)
1014 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1015 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1016# ifndef OPENSSL_NO_PSK
1017 /* with PSK there must be client callback set */
1018 if (!s->psk_client_callback) {
4d69f9e6 1019 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1020 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1021 }
e481f9b9
MC		 1022#endif /* OPENSSL_NO_PSK */
1023#ifndef OPENSSL_NO_SRP
0f113f3e 1024 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1025 s->s3->tmp.mask_a |= SSL_aSRP;
1026 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1027 }
e481f9b9 1028#endif
0f113f3e 1029}
fc101f88 1030
b362ccab 1031int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1032{
4d69f9e6
DSH		 1033 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1034 || c->algorithm_mkey & s->s3->tmp.mask_k
1035 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1036 return 1;
1037 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1038}
b362ccab
DSH		 1039
1040static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1041{
1042 if (s->options & SSL_OP_NO_TICKET)
1043 return 0;
1044 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1045}
ed3883d2 1046
aa474d1f
EK		 1047static int compare_uint(const void *p1, const void *p2) {
1048 unsigned int u1 = *((const unsigned int *)p1);
1049 unsigned int u2 = *((const unsigned int *)p2);
1050 if (u1 < u2)
1051 return -1;
1052 else if (u1 > u2)
1053 return 1;
1054 else
1055 return 0;
1056}
1057
1058/*
1059 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
1060 * more than one extension of the same type in a ClientHello or ServerHello.
1061 * This function does an initial scan over the extensions block to filter those
1062 * out. It returns 1 if all extensions are unique, and 0 if the extensions
1063 * contain duplicates, could not be successfully parsed, or an internal error
1064 * occurred.
1065 */
1066static int tls1_check_duplicate_extensions(const PACKET *packet) {
1067 PACKET extensions = *packet;
1068 size_t num_extensions = 0, i = 0;
1069 unsigned int *extension_types = NULL;
1070 int ret = 0;
1071
1072 /* First pass: count the extensions. */
1073 while (PACKET_remaining(&extensions) > 0) {
1074 unsigned int type;
1075 PACKET extension;
1076 if (!PACKET_get_net_2(&extensions, &type) ||
1077 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1078 goto done;
1079 }
1080 num_extensions++;
1081 }
1082
1083 if (num_extensions <= 1)
1084 return 1;
1085
1086 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
1087 if (extension_types == NULL) {
1088 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
1089 goto done;
1090 }
1091
1092 /* Second pass: gather the extension types. */
1093 extensions = *packet;
1094 for (i = 0; i < num_extensions; i++) {
1095 PACKET extension;
1096 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1097 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1098 /* This should not happen. */
1099 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1100 goto done;
1101 }
1102 }
1103
1104 if (PACKET_remaining(&extensions) != 0) {
1105 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1106 goto done;
1107 }
1108 /* Sort the extensions and make sure there are no duplicates. */
1109 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1110 for (i = 1; i < num_extensions; i++) {
1111 if (extension_types[i - 1] == extension_types[i])
1112 goto done;
1113 }
1114 ret = 1;
1115 done:
1116 OPENSSL_free(extension_types);
1117 return ret;
1118}
1119
0f113f3e
MC		 1120unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1121 unsigned char *limit, int *al)
1122{
1123 int extdatalen = 0;
1124 unsigned char *orig = buf;
1125 unsigned char *ret = buf;
e481f9b9 1126#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1127 /* See if we support any ECC ciphersuites */
1128 int using_ecc = 0;
1129 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1130 int i;
1131 unsigned long alg_k, alg_a;
1132 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1133
1134 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1135 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1136
1137 alg_k = c->algorithm_mkey;
1138 alg_a = c->algorithm_auth;
ce0c1f2b
DSH		 1139 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1140 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1141 using_ecc = 1;
1142 break;
1143 }
1144 }
1145 }
e481f9b9 1146#endif
ed3883d2 1147
0f113f3e 1148 ret += 2;
6434abbf 1149
0f113f3e
MC		 1150 if (ret >= limit)
1151 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1152
0f113f3e
MC		 1153 /* Add RI if renegotiating */
1154 if (s->renegotiate) {
1155 int el;
5a3d8eeb 1156
0f113f3e
MC		 1157 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1158 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1159 return NULL;
1160 }
5a3d8eeb 1161
0f113f3e
MC		 1162 if ((limit - ret - 4 - el) < 0)
1163 return NULL;
5a3d8eeb 1164
0f113f3e
MC		 1165 s2n(TLSEXT_TYPE_renegotiate, ret);
1166 s2n(el, ret);
5a3d8eeb 1167
0f113f3e
MC		 1168 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1169 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1170 return NULL;
5a3d8eeb 1171 }
edc032b5 1172
0f113f3e
MC		 1173 ret += el;
1174 }
1175 /* Only add RI for SSLv3 */
1176 if (s->client_version == SSL3_VERSION)
1177 goto done;
1178
1179 if (s->tlsext_hostname != NULL) {
1180 /* Add TLS extension servername to the Client Hello message */
1181 unsigned long size_str;
1182 long lenmax;
1183
50e735f9
MC		 1184 /*-
1185 * check for enough space.
1186 * 4 for the servername type and entension length
1187 * 2 for servernamelist length
1188 * 1 for the hostname type
1189 * 2 for hostname length
1190 * + hostname length
1191 */
0f113f3e
MC		 1192
1193 if ((lenmax = limit - ret - 9) < 0
1194 || (size_str =
1195 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1196 return NULL;
1197
1198 /* extension type and length */
1199 s2n(TLSEXT_TYPE_server_name, ret);
1200 s2n(size_str + 5, ret);
1201
1202 /* length of servername list */
1203 s2n(size_str + 3, ret);
1204
1205 /* hostname type, length and hostname */
1206 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1207 s2n(size_str, ret);
1208 memcpy(ret, s->tlsext_hostname, size_str);
1209 ret += size_str;
1210 }
e481f9b9 1211#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1212 /* Add SRP username if there is one */
1213 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1214 * Client Hello message */
1215
1216 int login_len = strlen(s->srp_ctx.login);
1217 if (login_len > 255 || login_len == 0) {
1218 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1219 return NULL;
1220 }
761772d7 1221
50e735f9
MC		 1222 /*-
1223 * check for enough space.
1224 * 4 for the srp type type and entension length
1225 * 1 for the srp user identity
1226 * + srp user identity length
1227 */
0f113f3e
MC		 1228 if ((limit - ret - 5 - login_len) < 0)
1229 return NULL;
1230
1231 /* fill in the extension */
1232 s2n(TLSEXT_TYPE_srp, ret);
1233 s2n(login_len + 1, ret);
1234 (*ret++) = (unsigned char)login_len;
1235 memcpy(ret, s->srp_ctx.login, login_len);
1236 ret += login_len;
1237 }
e481f9b9 1238#endif
0f113f3e 1239
e481f9b9 1240#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1241 if (using_ecc) {
1242 /*
1243 * Add TLS extension ECPointFormats to the ClientHello message
1244 */
1245 long lenmax;
1246 const unsigned char *pcurves, *pformats;
1247 size_t num_curves, num_formats, curves_list_len;
1248 size_t i;
1249 unsigned char *etmp;
1250
1251 tls1_get_formatlist(s, &pformats, &num_formats);
1252
1253 if ((lenmax = limit - ret - 5) < 0)
1254 return NULL;
1255 if (num_formats > (size_t)lenmax)
1256 return NULL;
1257 if (num_formats > 255) {
1258 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1259 return NULL;
1260 }
4817504d 1261
0f113f3e
MC		 1262 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1263 /* The point format list has 1-byte length. */
1264 s2n(num_formats + 1, ret);
1265 *(ret++) = (unsigned char)num_formats;
1266 memcpy(ret, pformats, num_formats);
1267 ret += num_formats;
1268
1269 /*
1270 * Add TLS extension EllipticCurves to the ClientHello message
1271 */
1272 pcurves = s->tlsext_ellipticcurvelist;
1273 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1274 return NULL;
1275
1276 if ((lenmax = limit - ret - 6) < 0)
1277 return NULL;
1278 if (num_curves > (size_t)lenmax / 2)
1279 return NULL;
1280 if (num_curves > 65532 / 2) {
1281 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1282 return NULL;
1283 }
ee2ffc27 1284
0f113f3e
MC		 1285 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1286 etmp = ret + 4;
1287 /* Copy curve ID if supported */
1288 for (i = 0; i < num_curves; i++, pcurves += 2) {
1289 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1290 *etmp++ = pcurves[0];
1291 *etmp++ = pcurves[1];
1292 }
1293 }
01f2f18f 1294
0f113f3e
MC		 1295 curves_list_len = etmp - ret - 4;
1296
1297 s2n(curves_list_len + 2, ret);
1298 s2n(curves_list_len, ret);
1299 ret += curves_list_len;
1300 }
e481f9b9 1301#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1302
1303 if (tls_use_ticket(s)) {
1304 int ticklen;
1305 if (!s->new_session && s->session && s->session->tlsext_tick)
1306 ticklen = s->session->tlsext_ticklen;
1307 else if (s->session && s->tlsext_session_ticket &&
1308 s->tlsext_session_ticket->data) {
1309 ticklen = s->tlsext_session_ticket->length;
1310 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1311 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1312 return NULL;
1313 memcpy(s->session->tlsext_tick,
1314 s->tlsext_session_ticket->data, ticklen);
1315 s->session->tlsext_ticklen = ticklen;
1316 } else
1317 ticklen = 0;
1318 if (ticklen == 0 && s->tlsext_session_ticket &&
1319 s->tlsext_session_ticket->data == NULL)
1320 goto skip_ext;
1321 /*
1322 * Check for enough room 2 for extension type, 2 for len rest for
1323 * ticket
1324 */
1325 if ((long)(limit - ret - 4 - ticklen) < 0)
1326 return NULL;
1327 s2n(TLSEXT_TYPE_session_ticket, ret);
1328 s2n(ticklen, ret);
1329 if (ticklen) {
1330 memcpy(ret, s->session->tlsext_tick, ticklen);
1331 ret += ticklen;
1332 }
1333 }
1334 skip_ext:
1335
1336 if (SSL_USE_SIGALGS(s)) {
1337 size_t salglen;
1338 const unsigned char *salg;
1339 unsigned char *etmp;
1340 salglen = tls12_get_psigalgs(s, &salg);
1341 if ((size_t)(limit - ret) < salglen + 6)
1342 return NULL;
1343 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1344 etmp = ret;
1345 /* Skip over lengths for now */
1346 ret += 4;
1347 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1348 /* Fill in lengths */
1349 s2n(salglen + 2, etmp);
1350 s2n(salglen, etmp);
1351 ret += salglen;
1352 }
0f113f3e
MC		 1353
1354 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1355 int i;
1356 long extlen, idlen, itmp;
1357 OCSP_RESPID *id;
1358
1359 idlen = 0;
1360 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1361 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1362 itmp = i2d_OCSP_RESPID(id, NULL);
1363 if (itmp <= 0)
1364 return NULL;
1365 idlen += itmp + 2;
860c3dd1
DSH		 1366 }
1367
0f113f3e
MC		 1368 if (s->tlsext_ocsp_exts) {
1369 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1370 if (extlen < 0)
1371 return NULL;
1372 } else
1373 extlen = 0;
1374
1375 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1376 return NULL;
1377 s2n(TLSEXT_TYPE_status_request, ret);
1378 if (extlen + idlen > 0xFFF0)
1379 return NULL;
1380 s2n(extlen + idlen + 5, ret);
1381 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1382 s2n(idlen, ret);
1383 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1384 /* save position of id len */
1385 unsigned char *q = ret;
1386 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1387 /* skip over id len */
1388 ret += 2;
1389 itmp = i2d_OCSP_RESPID(id, &ret);
1390 /* write id len */
1391 s2n(itmp, q);
1392 }
1393 s2n(extlen, ret);
1394 if (extlen > 0)
1395 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1396 }
e481f9b9 1397#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1398 if (SSL_IS_DTLS(s)) {
1399 /* Add Heartbeat extension */
1400 if ((limit - ret - 4 - 1) < 0)
1401 return NULL;
1402 s2n(TLSEXT_TYPE_heartbeat, ret);
1403 s2n(1, ret);
1404 /*-
1405 * Set mode:
1406 * 1: peer may send requests
1407 * 2: peer not allowed to send requests
1408 */
1409 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1410 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1411 else
1412 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1413 }
e481f9b9 1414#endif
0f113f3e 1415
e481f9b9 1416#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1417 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1418 /*
1419 * The client advertises an emtpy extension to indicate its support
1420 * for Next Protocol Negotiation
1421 */
1422 if (limit - ret - 4 < 0)
1423 return NULL;
1424 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1425 s2n(0, ret);
1426 }
e481f9b9 1427#endif
0f113f3e
MC		 1428
1429 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1430 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1431 return NULL;
1432 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1433 s2n(2 + s->alpn_client_proto_list_len, ret);
1434 s2n(s->alpn_client_proto_list_len, ret);
1435 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1436 ret += s->alpn_client_proto_list_len;
1437 }
e481f9b9 1438#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1439 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1440 int el;
1441
69f68237
MC		 1442 /* Returns 0 on success!! */
1443 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1444 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1445 return NULL;
1446 }
0f113f3e
MC		 1447
1448 if ((limit - ret - 4 - el) < 0)
1449 return NULL;
1450
1451 s2n(TLSEXT_TYPE_use_srtp, ret);
1452 s2n(el, ret);
1453
1454 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1455 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1456 return NULL;
1457 }
1458 ret += el;
1459 }
e481f9b9 1460#endif
0f113f3e
MC		 1461 custom_ext_init(&s->cert->cli_ext);
1462 /* Add custom TLS Extensions to ClientHello */
1463 if (!custom_ext_add(s, 0, &ret, limit, al))
1464 return NULL;
e481f9b9 1465#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1466 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1467 s2n(0, ret);
e481f9b9 1468#endif
ddc06b35
DSH		 1469 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1470 s2n(0, ret);
0f113f3e
MC		 1471
1472 /*
1473 * Add padding to workaround bugs in F5 terminators. See
1474 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1475 * code works out the length of all existing extensions it MUST always
1476 * appear last.
1477 */
1478 if (s->options & SSL_OP_TLSEXT_PADDING) {
1479 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1480
0f113f3e
MC		 1481 if (hlen > 0xff && hlen < 0x200) {
1482 hlen = 0x200 - hlen;
1483 if (hlen >= 4)
1484 hlen -= 4;
1485 else
1486 hlen = 0;
1487
1488 s2n(TLSEXT_TYPE_padding, ret);
1489 s2n(hlen, ret);
1490 memset(ret, 0, hlen);
1491 ret += hlen;
1492 }
1493 }
5a3d8eeb 1494
0f113f3e 1495 done:
5a3d8eeb 1496
0f113f3e
MC		 1497 if ((extdatalen = ret - orig - 2) == 0)
1498 return orig;
5a3d8eeb 1499
0f113f3e
MC		 1500 s2n(extdatalen, orig);
1501 return ret;
1502}
333f926d 1503
0f113f3e
MC		 1504unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1505 unsigned char *limit, int *al)
1506{
1507 int extdatalen = 0;
1508 unsigned char *orig = buf;
1509 unsigned char *ret = buf;
e481f9b9 1510#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1511 int next_proto_neg_seen;
e481f9b9
MC		 1512#endif
1513#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1514 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1515 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1516 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1517 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1518#endif
0f113f3e
MC		 1519
1520 ret += 2;
1521 if (ret >= limit)
1522 return NULL; /* this really never occurs, but ... */
1523
1524 if (s->s3->send_connection_binding) {
1525 int el;
1526
1527 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1528 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1529 return NULL;
1530 }
333f926d 1531
0f113f3e
MC		 1532 if ((limit - ret - 4 - el) < 0)
1533 return NULL;
333f926d 1534
0f113f3e
MC		 1535 s2n(TLSEXT_TYPE_renegotiate, ret);
1536 s2n(el, ret);
333f926d 1537
0f113f3e
MC		 1538 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1539 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1540 return NULL;
1541 }
333f926d 1542
0f113f3e
MC		 1543 ret += el;
1544 }
1545
1546 /* Only add RI for SSLv3 */
1547 if (s->version == SSL3_VERSION)
1548 goto done;
1549
1550 if (!s->hit && s->servername_done == 1
1551 && s->session->tlsext_hostname != NULL) {
1552 if ((long)(limit - ret - 4) < 0)
1553 return NULL;
1554
1555 s2n(TLSEXT_TYPE_server_name, ret);
1556 s2n(0, ret);
1557 }
e481f9b9 1558#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1559 if (using_ecc) {
1560 const unsigned char *plist;
1561 size_t plistlen;
1562 /*
1563 * Add TLS extension ECPointFormats to the ServerHello message
1564 */
1565 long lenmax;
1566
1567 tls1_get_formatlist(s, &plist, &plistlen);
1568
1569 if ((lenmax = limit - ret - 5) < 0)
1570 return NULL;
1571 if (plistlen > (size_t)lenmax)
1572 return NULL;
1573 if (plistlen > 255) {
1574 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1575 return NULL;
1576 }
4817504d 1577
0f113f3e
MC		 1578 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1579 s2n(plistlen + 1, ret);
1580 *(ret++) = (unsigned char)plistlen;
1581 memcpy(ret, plist, plistlen);
1582 ret += plistlen;
1583
1584 }
1585 /*
1586 * Currently the server should not respond with a SupportedCurves
1587 * extension
1588 */
e481f9b9 1589#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1590
1591 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1592 if ((long)(limit - ret - 4) < 0)
1593 return NULL;
1594 s2n(TLSEXT_TYPE_session_ticket, ret);
1595 s2n(0, ret);
1596 }
1597
1598 if (s->tlsext_status_expected) {
1599 if ((long)(limit - ret - 4) < 0)
1600 return NULL;
1601 s2n(TLSEXT_TYPE_status_request, ret);
1602 s2n(0, ret);
1603 }
0f113f3e 1604
e481f9b9 1605#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1606 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1607 int el;
1608
69f68237 1609 /* Returns 0 on success!! */
61986d32 1610 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1611 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1612 return NULL;
1613 }
0f113f3e
MC		 1614 if ((limit - ret - 4 - el) < 0)
1615 return NULL;
1616
1617 s2n(TLSEXT_TYPE_use_srtp, ret);
1618 s2n(el, ret);
1619
1620 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1621 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1622 return NULL;
1623 }
1624 ret += el;
1625 }
e481f9b9 1626#endif
0f113f3e
MC		 1627
1628 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1629 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1630 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1631 const unsigned char cryptopro_ext[36] = {
1632 0xfd, 0xe8, /* 65000 */
1633 0x00, 0x20, /* 32 bytes length */
1634 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1635 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1636 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1637 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1638 };
1639 if (limit - ret < 36)
1640 return NULL;
1641 memcpy(ret, cryptopro_ext, 36);
1642 ret += 36;
1643
1644 }
e481f9b9 1645#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 1646 /* Add Heartbeat extension if we've received one */
22e3dcb7 1647 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
0f113f3e
MC		 1648 if ((limit - ret - 4 - 1) < 0)
1649 return NULL;
1650 s2n(TLSEXT_TYPE_heartbeat, ret);
1651 s2n(1, ret);
50e735f9
MC		 1652 /*-
1653 * Set mode:
1654 * 1: peer may send requests
1655 * 2: peer not allowed to send requests
1656 */
22e3dcb7
RS		 1657 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1658 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e 1659 else
22e3dcb7 1660 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 1661
1662 }
e481f9b9 1663#endif
0f113f3e 1664
e481f9b9 1665#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1666 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1667 s->s3->next_proto_neg_seen = 0;
1668 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1669 const unsigned char *npa;
1670 unsigned int npalen;
1671 int r;
1672
1673 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1674 s->
1675 ctx->next_protos_advertised_cb_arg);
1676 if (r == SSL_TLSEXT_ERR_OK) {
1677 if ((long)(limit - ret - 4 - npalen) < 0)
1678 return NULL;
1679 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1680 s2n(npalen, ret);
1681 memcpy(ret, npa, npalen);
1682 ret += npalen;
1683 s->s3->next_proto_neg_seen = 1;
1684 }
1685 }
e481f9b9 1686#endif
0f113f3e
MC		 1687 if (!custom_ext_add(s, 1, &ret, limit, al))
1688 return NULL;
e481f9b9 1689#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1690 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1691 /*
1692 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1693 * for other cases too.
1694 */
1695 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1696 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1697 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1698 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1699 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1700 else {
1701 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1702 s2n(0, ret);
1703 }
1704 }
e481f9b9 1705#endif
e7f0d921 1706 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1707 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1708 s2n(0, ret);
1709 }
0f113f3e
MC		 1710
1711 if (s->s3->alpn_selected) {
1712 const unsigned char *selected = s->s3->alpn_selected;
1713 unsigned len = s->s3->alpn_selected_len;
1714
1715 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1716 return NULL;
1717 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1718 s2n(3 + len, ret);
1719 s2n(1 + len, ret);
1720 *ret++ = len;
1721 memcpy(ret, selected, len);
1722 ret += len;
1723 }
1724
1725 done:
1726
1727 if ((extdatalen = ret - orig - 2) == 0)
1728 return orig;
1729
1730 s2n(extdatalen, orig);
1731 return ret;
1732}
a398f821 1733
0f113f3e 1734/*
06217867
EK		 1735 * Process the ALPN extension in a ClientHello.
1736 * pkt: the contents of the ALPN extension, not including type and length.
1737 * al: a pointer to the alert value to send in the event of a failure.
1738 * returns: 1 on success, 0 on error.
0f113f3e 1739 */
9ceb2426 1740static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1741{
0f113f3e
MC		 1742 const unsigned char *selected;
1743 unsigned char selected_len;
1744 int r;
06217867 1745 PACKET protocol_list, save_protocol_list, protocol;
0f113f3e 1746
06217867 1747 *al = SSL_AD_DECODE_ERROR;
0f113f3e 1748
06217867
EK		 1749 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1750 || PACKET_remaining(&protocol_list) < 2) {
1751 return 0;
1752 }
0f113f3e 1753
06217867 1754 save_protocol_list = protocol_list;
9ceb2426 1755 do {
06217867
EK		 1756 /* Protocol names can't be empty. */
1757 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1758 || PACKET_remaining(&protocol) == 0) {
1759 return 0;
1760 }
1761 } while (PACKET_remaining(&protocol_list) != 0);
1762
1763 if (s->ctx->alpn_select_cb == NULL)
1764 return 1;
0f113f3e 1765
06217867
EK		 1766 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1767 PACKET_data(&save_protocol_list),
1768 PACKET_remaining(&save_protocol_list),
0f113f3e
MC		 1769 s->ctx->alpn_select_cb_arg);
1770 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1771 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1772 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1773 if (s->s3->alpn_selected == NULL) {
0f113f3e 1774 *al = SSL_AD_INTERNAL_ERROR;
06217867 1775 return 0;
0f113f3e
MC		 1776 }
1777 memcpy(s->s3->alpn_selected, selected, selected_len);
1778 s->s3->alpn_selected_len = selected_len;
06217867
EK		 1779 } else {
1780 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1781 return 0;
0f113f3e 1782 }
0f113f3e 1783
06217867 1784 return 1;
0f113f3e 1785}
6f017a8f 1786
e481f9b9 1787#ifndef OPENSSL_NO_EC
1d97c843
TH		 1788/*-
1789 * ssl_check_for_safari attempts to fingerprint Safari using OS X
06217867 1790 * SecureTransport using the TLS extension block in |pkt|.
dece3209
RS		 1791 * Safari, since 10.6, sends exactly these extensions, in this order:
1792 * SNI,
1793 * elliptic_curves
1794 * ec_point_formats
1795 *
1796 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1797 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1798 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1799 * 10.8..10.8.3 (which don't work).
1800 */
68a16628 1801static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1802{
06217867
EK		 1803 unsigned int type;
1804 PACKET sni, tmppkt;
1805 size_t ext_len;
9ceb2426 1806
0f113f3e
MC		 1807 static const unsigned char kSafariExtensionsBlock[] = {
1808 0x00, 0x0a, /* elliptic_curves extension */
1809 0x00, 0x08, /* 8 bytes */
1810 0x00, 0x06, /* 6 bytes of curve ids */
1811 0x00, 0x17, /* P-256 */
1812 0x00, 0x18, /* P-384 */
1813 0x00, 0x19, /* P-521 */
1814
1815 0x00, 0x0b, /* ec_point_formats */
1816 0x00, 0x02, /* 2 bytes */
1817 0x01, /* 1 point format */
1818 0x00, /* uncompressed */
06217867 1819 /* The following is only present in TLS 1.2 */
0f113f3e
MC		 1820 0x00, 0x0d, /* signature_algorithms */
1821 0x00, 0x0c, /* 12 bytes */
1822 0x00, 0x0a, /* 10 bytes */
1823 0x05, 0x01, /* SHA-384/RSA */
1824 0x04, 0x01, /* SHA-256/RSA */
1825 0x02, 0x01, /* SHA-1/RSA */
1826 0x04, 0x03, /* SHA-256/ECDSA */
1827 0x02, 0x03, /* SHA-1/ECDSA */
1828 };
1829
06217867
EK		 1830 /* Length of the common prefix (first two extensions). */
1831 static const size_t kSafariCommonExtensionsLength = 18;
1832
68a16628
MC		 1833 tmppkt = *pkt;
1834
1835 if (!PACKET_forward(&tmppkt, 2)
06217867
EK		 1836 || !PACKET_get_net_2(&tmppkt, &type)
1837 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
0f113f3e 1838 return;
06217867 1839 }
0f113f3e
MC		 1840
1841 if (type != TLSEXT_TYPE_server_name)
1842 return;
1843
06217867
EK		 1844 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1845 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
0f113f3e 1846
06217867
EK		 1847 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1848 ext_len);
dece3209 1849}
e481f9b9 1850#endif /* !OPENSSL_NO_EC */
0f113f3e 1851
06217867
EK		 1852/*
1853 * Parse ClientHello extensions and stash extension info in various parts of
1854 * the SSL object. Verify that there are no duplicate extensions.
1855 *
1856 * Behaviour upon resumption is extension-specific. If the extension has no
1857 * effect during resumption, it is parsed (to verify its format) but otherwise
1858 * ignored.
1859 *
1860 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1861 * Upon failure, sets |al| to the appropriate alert.
1862 */
9ceb2426 1863static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1864{
9ceb2426 1865 unsigned int type;
0f113f3e 1866 int renegotiate_seen = 0;
06217867 1867 PACKET extensions;
0f113f3e 1868
06217867 1869 *al = SSL_AD_DECODE_ERROR;
0f113f3e
MC		 1870 s->servername_done = 0;
1871 s->tlsext_status_type = -1;
e481f9b9 1872#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1873 s->s3->next_proto_neg_seen = 0;
e481f9b9 1874#endif
0f113f3e 1875
b548a1f1
RS		 1876 OPENSSL_free(s->s3->alpn_selected);
1877 s->s3->alpn_selected = NULL;
e481f9b9 1878#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1879 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1880 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1881#endif
0f113f3e 1882
e481f9b9 1883#ifndef OPENSSL_NO_EC
0f113f3e 1884 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1885 ssl_check_for_safari(s, pkt);
1886# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1887
1888 /* Clear any signature algorithms extension received */
76106e60
DSH		 1889 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1890 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1891#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1892 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1893#endif
0f113f3e 1894
e481f9b9 1895#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1896 OPENSSL_free(s->srp_ctx.login);
1897 s->srp_ctx.login = NULL;
e481f9b9 1898#endif
0f113f3e
MC		 1899
1900 s->srtp_profile = NULL;
1901
9ceb2426 1902 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1903 goto ri_check;
1904
06217867
EK		 1905 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1906 return 0;
aa474d1f 1907
06217867
EK		 1908 if (!tls1_check_duplicate_extensions(&extensions))
1909 return 0;
0f113f3e 1910
06217867
EK		 1911 /*
1912 * We parse all extensions to ensure the ClientHello is well-formed but,
1913 * unless an extension specifies otherwise, we ignore extensions upon
1914 * resumption.
1915 */
1916 while (PACKET_get_net_2(&extensions, &type)) {
1917 PACKET extension;
1918 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1919 return 0;
9ceb2426 1920
0f113f3e 1921 if (s->tlsext_debug_cb)
06217867
EK		 1922 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1923 PACKET_remaining(&extension),
1924 s->tlsext_debug_arg);
9ceb2426 1925
0f113f3e 1926 if (type == TLSEXT_TYPE_renegotiate) {
06217867 1927 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
0f113f3e
MC		 1928 return 0;
1929 renegotiate_seen = 1;
1930 } else if (s->version == SSL3_VERSION) {
1931 }
1d97c843
TH		 1932/*-
1933 * The servername extension is treated as follows:
1934 *
1935 * - Only the hostname type is supported with a maximum length of 255.
1936 * - The servername is rejected if too long or if it contains zeros,
1937 * in which case an fatal alert is generated.
1938 * - The servername field is maintained together with the session cache.
1939 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1940 * to allow the application to position itself to the right context.
1941 * - The servername is acknowledged if it is new for a session or when
1942 * it is identical to a previously used for the same session.
1d97c843
TH		 1943 * Applications can control the behaviour. They can at any time
1944 * set a 'desirable' servername for a new SSL object. This can be the
1945 * case for example with HTTPS when a Host: header field is received and
1946 * a renegotiation is requested. In this case, a possible servername
1947 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1948 * the value of the Host: field.
1d97c843 1949 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1950 * if they provide for changing an explicit servername context for the
1951 * session, i.e. when the session has been established with a servername
1952 * extension.
1953 * - On session reconnect, the servername extension may be absent.
1d97c843 1954 *
0f113f3e 1955 */
ed3883d2 1956
0f113f3e 1957 else if (type == TLSEXT_TYPE_server_name) {
9ceb2426 1958 unsigned int servname_type;
06217867
EK		 1959 PACKET sni, hostname;
1960
1961 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1962 /* ServerNameList must be at least 1 byte long. */
1963 || PACKET_remaining(&sni) == 0) {
1964 return 0;
0f113f3e 1965 }
6f017a8f 1966
06217867
EK		 1967 /*
1968 * Although the server_name extension was intended to be
1969 * extensible to new name types, RFC 4366 defined the
1970 * syntax inextensibly and OpenSSL 1.0.x parses it as
1971 * such.
1972 * RFC 6066 corrected the mistake but adding new name types
1973 * is nevertheless no longer feasible, so act as if no other
1974 * SNI types can exist, to simplify parsing.
1975 *
1976 * Also note that the RFC permits only one SNI value per type,
1977 * i.e., we can only have a single hostname.
1978 */
1979 if (!PACKET_get_1(&sni, &servname_type)
1980 || servname_type != TLSEXT_NAMETYPE_host_name
1981 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1982 return 0;
1983 }
1984
1985 if (!s->hit) {
1986 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1987 *al = TLS1_AD_UNRECOGNIZED_NAME;
1988 return 0;
1989 }
1990
1991 if (PACKET_contains_zero_byte(&hostname)) {
1992 *al = TLS1_AD_UNRECOGNIZED_NAME;
1993 return 0;
1994 }
1995
1996 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1997 *al = TLS1_AD_INTERNAL_ERROR;
1998 return 0;
1999 }
2000
2001 s->servername_done = 1;
2002 } else {
2003 /*
2004 * TODO(openssl-team): if the SNI doesn't match, we MUST
2005 * fall back to a full handshake.
2006 */
2007 s->servername_done = s->session->tlsext_hostname
2008 && PACKET_equal(&hostname, s->session->tlsext_hostname,
2009 strlen(s->session->tlsext_hostname));
2010 }
0f113f3e 2011 }
e481f9b9 2012#ifndef OPENSSL_NO_SRP
0f113f3e 2013 else if (type == TLSEXT_TYPE_srp) {
06217867
EK		 2014 PACKET srp_I;
2015
2016 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
2017 return 0;
2018
2019 if (PACKET_contains_zero_byte(&srp_I))
2020 return 0;
2021
2022 /*
2023 * TODO(openssl-team): currently, we re-authenticate the user
2024 * upon resumption. Instead, we MUST ignore the login.
2025 */
2026 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2027 *al = TLS1_AD_INTERNAL_ERROR;
2028 return 0;
2029 }
0f113f3e 2030 }
e481f9b9 2031#endif
0f113f3e 2032
e481f9b9 2033#ifndef OPENSSL_NO_EC
0f113f3e 2034 else if (type == TLSEXT_TYPE_ec_point_formats) {
06217867 2035 PACKET ec_point_format_list;
0f113f3e 2036
06217867
EK		 2037 if (!PACKET_as_length_prefixed_1(&extension,
2038 &ec_point_format_list)
2039 || PACKET_remaining(&ec_point_format_list) == 0) {
2040 return 0;
2041 }
9ceb2426 2042
0f113f3e 2043 if (!s->hit) {
06217867
EK		 2044 if (!PACKET_memdup(&ec_point_format_list,
2045 &s->session->tlsext_ecpointformatlist,
2046 &s->session->tlsext_ecpointformatlist_length)) {
0f113f3e
MC		 2047 *al = TLS1_AD_INTERNAL_ERROR;
2048 return 0;
2049 }
0f113f3e 2050 }
0f113f3e 2051 } else if (type == TLSEXT_TYPE_elliptic_curves) {
06217867 2052 PACKET elliptic_curve_list;
0f113f3e 2053
06217867
EK		 2054 /* Each NamedCurve is 2 bytes and we must have at least 1. */
2055 if (!PACKET_as_length_prefixed_2(&extension,
2056 &elliptic_curve_list)
2057 || PACKET_remaining(&elliptic_curve_list) == 0
2058 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
2059 return 0;
2060 }
54e3ad00 2061
0f113f3e 2062 if (!s->hit) {
06217867
EK		 2063 if (!PACKET_memdup(&elliptic_curve_list,
2064 &s->session->tlsext_ellipticcurvelist,
2065 &s->session->tlsext_ellipticcurvelist_length)) {
0f113f3e
MC		 2066 *al = TLS1_AD_INTERNAL_ERROR;
2067 return 0;
2068 }
0f113f3e 2069 }
0f113f3e 2070 }
e481f9b9 2071#endif /* OPENSSL_NO_EC */
0f113f3e 2072 else if (type == TLSEXT_TYPE_session_ticket) {
06217867
EK		 2073 if (s->tls_session_ticket_ext_cb &&
2074 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2075 PACKET_remaining(&extension),
2076 s->tls_session_ticket_ext_cb_arg)) {
0f113f3e
MC		 2077 *al = TLS1_AD_INTERNAL_ERROR;
2078 return 0;
2079 }
2080 } else if (type == TLSEXT_TYPE_signature_algorithms) {
06217867
EK		 2081 PACKET supported_sig_algs;
2082
2083 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2084 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2085 || PACKET_remaining(&supported_sig_algs) == 0) {
2086 return 0;
2087 }
2088
2089 if (!s->hit) {
2090 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2091 PACKET_remaining(&supported_sig_algs))) {
2092 return 0;
2093 }
9ceb2426 2094 }
0f113f3e 2095 } else if (type == TLSEXT_TYPE_status_request) {
06217867 2096 const unsigned char *ext_data;
0f113f3e 2097
06217867
EK		 2098 if (!PACKET_get_1(&extension,
2099 (unsigned int *)&s->tlsext_status_type)) {
2100 return 0;
2101 }
0f113f3e 2102
0f113f3e 2103 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
06217867
EK		 2104 PACKET responder_id_list, exts;
2105 if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
2106 return 0;
2107
2108 while (PACKET_remaining(&responder_id_list) > 0) {
0f113f3e 2109 OCSP_RESPID *id;
06217867
EK		 2110 PACKET responder_id;
2111 const unsigned char *id_data;
9ceb2426 2112
06217867
EK		 2113 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2114 &responder_id)
2115 || PACKET_remaining(&responder_id) == 0) {
2116 return 0;
9ceb2426 2117 }
06217867
EK		 2118
2119 if (s->tlsext_ocsp_ids == NULL
2120 && (s->tlsext_ocsp_ids =
2121 sk_OCSP_RESPID_new_null()) == NULL) {
2122 *al = SSL_AD_INTERNAL_ERROR;
2123 return 0;
0f113f3e 2124 }
06217867
EK		 2125
2126 id_data = PACKET_data(&responder_id);
2127 id = d2i_OCSP_RESPID(NULL, &id_data,
2128 PACKET_remaining(&responder_id));
2129 if (id == NULL)
2130 return 0;
2131
2132 if (id_data != PACKET_end(&responder_id)) {
0f113f3e 2133 OCSP_RESPID_free(id);
0f113f3e
MC		 2134 return 0;
2135 }
06217867 2136
0f113f3e
MC		 2137 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2138 OCSP_RESPID_free(id);
2139 *al = SSL_AD_INTERNAL_ERROR;
2140 return 0;
2141 }
2142 }
4817504d 2143
0f113f3e 2144 /* Read in request_extensions */
06217867
EK		 2145 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2146 return 0;
2147
2148 if (PACKET_remaining(&exts) > 0) {
2149 ext_data = PACKET_data(&exts);
222561fe
RS		 2150 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2151 X509_EXTENSION_free);
0f113f3e 2152 s->tlsext_ocsp_exts =
06217867
EK		 2153 d2i_X509_EXTENSIONS(NULL, &ext_data,
2154 PACKET_remaining(&exts));
2155 if (s->tlsext_ocsp_exts == NULL
2156 || ext_data != PACKET_end(&exts)) {
2157 return 0;
2158 }
0f113f3e 2159 }
0f113f3e
MC		 2160 /*
2161 * We don't know what to do with any other type * so ignore it.
2162 */
06217867 2163 } else {
0f113f3e 2164 s->tlsext_status_type = -1;
06217867 2165 }
0f113f3e 2166 }
e481f9b9 2167#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2168 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2169 unsigned int hbtype;
2170
06217867
EK		 2171 if (!PACKET_get_1(&extension, &hbtype)
2172 || PACKET_remaining(&extension)) {
9ceb2426
MC		 2173 *al = SSL_AD_DECODE_ERROR;
2174 return 0;
2175 }
2176 switch (hbtype) {
0f113f3e 2177 case 0x01: /* Client allows us to send HB requests */
22e3dcb7 2178 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2179 break;
2180 case 0x02: /* Client doesn't accept HB requests */
22e3dcb7
RS		 2181 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2182 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2183 break;
2184 default:
2185 *al = SSL_AD_ILLEGAL_PARAMETER;
2186 return 0;
2187 }
2188 }
e481f9b9
MC		 2189#endif
2190#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2191 else if (type == TLSEXT_TYPE_next_proto_neg &&
2192 s->s3->tmp.finish_md_len == 0 &&
2193 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2194 /*-
2195 * We shouldn't accept this extension on a
2196 * renegotiation.
2197 *
2198 * s->new_session will be set on renegotiation, but we
2199 * probably shouldn't rely that it couldn't be set on
2200 * the initial renegotation too in certain cases (when
2201 * there's some other reason to disallow resuming an
2202 * earlier session -- the current code won't be doing
2203 * anything like that, but this might change).
2204 *
2205 * A valid sign that there's been a previous handshake
2206 * in this connection is if s->s3->tmp.finish_md_len >
2207 * 0. (We are talking about a check that will happen
2208 * in the Hello protocol round, well before a new
2209 * Finished message could have been computed.)
2210 */
0f113f3e
MC		 2211 s->s3->next_proto_neg_seen = 1;
2212 }
e481f9b9 2213#endif
0f113f3e
MC		 2214
2215 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
06217867
EK		 2216 s->s3->tmp.finish_md_len == 0) {
2217 if (!tls1_alpn_handle_client_hello(s, &extension, al))
0f113f3e 2218 return 0;
e481f9b9 2219#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2220 /* ALPN takes precedence over NPN. */
2221 s->s3->next_proto_neg_seen = 0;
e481f9b9 2222#endif
0f113f3e 2223 }
5e3ff62c 2224
0f113f3e 2225 /* session ticket processed earlier */
e481f9b9 2226#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2227 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2228 && type == TLSEXT_TYPE_use_srtp) {
06217867 2229 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
0f113f3e
MC		 2230 return 0;
2231 }
e481f9b9
MC		 2232#endif
2233#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2234 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2235 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2236#endif
e7f0d921
DSH		 2237 /*
2238 * Note: extended master secret extension handled in
2239 * tls_check_serverhello_tlsext_early()
2240 */
2241
0f113f3e
MC		 2242 /*
2243 * If this ClientHello extension was unhandled and this is a
2244 * nonresumed connection, check whether the extension is a custom
2245 * TLS Extension (has a custom_srv_ext_record), and if so call the
2246 * callback and record the extension number so that an appropriate
2247 * ServerHello may be later returned.
2248 */
2249 else if (!s->hit) {
06217867
EK		 2250 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2251 PACKET_remaining(&extension), al) <= 0)
0f113f3e
MC		 2252 return 0;
2253 }
0f113f3e 2254 }
6f017a8f 2255
06217867
EK		 2256 if (PACKET_remaining(pkt) != 0) {
2257 /* tls1_check_duplicate_extensions should ensure this never happens. */
2258 *al = SSL_AD_INTERNAL_ERROR;
2259 return 0;
2260 }
54e3ad00 2261
0f113f3e 2262 ri_check:
ed3883d2 2263
0f113f3e
MC		 2264 /* Need RI if renegotiating */
2265
2266 if (!renegotiate_seen && s->renegotiate &&
2267 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2268 *al = SSL_AD_HANDSHAKE_FAILURE;
2269 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2270 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2271 return 0;
2272 }
2273
06217867
EK		 2274 /*
2275 * This function currently has no state to clean up, so it returns directly.
2276 * If parsing fails at any point, the function returns early.
2277 * The SSL object may be left with partial data from extensions, but it must
2278 * then no longer be used, and clearing it up will free the leftovers.
2279 */
0f113f3e
MC		 2280 return 1;
2281}
2282
9ceb2426 2283int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2284{
2285 int al = -1;
2286 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2287 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2288 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2289 return 0;
2290 }
0f113f3e
MC		 2291 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2292 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2293 return 0;
2294 }
2295 return 1;
2296}
2297
e481f9b9 2298#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2299/*
2300 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2301 * elements of zero length are allowed and the set of elements must exactly
2302 * fill the length of the block.
2303 */
50932c4a 2304static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2305{
50932c4a 2306 unsigned int len;
0f113f3e 2307
50932c4a
MC		 2308 while (PACKET_remaining(pkt)) {
2309 if (!PACKET_get_1(pkt, &len)
2310 || !PACKET_forward(pkt, len))
0f113f3e 2311 return 0;
0f113f3e
MC		 2312 }
2313
50932c4a 2314 return 1;
0f113f3e 2315}
e481f9b9 2316#endif
0f113f3e 2317
50932c4a 2318static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2319{
50932c4a 2320 unsigned int length, type, size;
0f113f3e
MC		 2321 int tlsext_servername = 0;
2322 int renegotiate_seen = 0;
2323
e481f9b9 2324#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2325 s->s3->next_proto_neg_seen = 0;
e481f9b9 2326#endif
0f113f3e
MC		 2327 s->tlsext_ticket_expected = 0;
2328
b548a1f1
RS		 2329 OPENSSL_free(s->s3->alpn_selected);
2330 s->s3->alpn_selected = NULL;
e481f9b9 2331#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 2332 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2333 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2334#endif
0f113f3e 2335
e481f9b9 2336#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2337 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2338#endif
0f113f3e 2339
e7f0d921
DSH		 2340 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2341
50932c4a 2342 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2343 goto ri_check;
2344
50932c4a 2345 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2346 *al = SSL_AD_DECODE_ERROR;
2347 return 0;
2348 }
2349
aa474d1f
EK		 2350 if (!tls1_check_duplicate_extensions(pkt)) {
2351 *al = SSL_AD_DECODE_ERROR;
2352 return 0;
2353 }
2354
50932c4a 2355 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2356 const unsigned char *data;
50932c4a 2357 PACKET spkt;
0f113f3e 2358
50932c4a
MC		 2359 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2360 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2361 goto ri_check;
2362
2363 if (s->tlsext_debug_cb)
2364 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2365
2366 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2367 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2368 return 0;
2369 renegotiate_seen = 1;
2370 } else if (s->version == SSL3_VERSION) {
2371 } else if (type == TLSEXT_TYPE_server_name) {
2372 if (s->tlsext_hostname == NULL || size > 0) {
2373 *al = TLS1_AD_UNRECOGNIZED_NAME;
2374 return 0;
2375 }
2376 tlsext_servername = 1;
2377 }
e481f9b9 2378#ifndef OPENSSL_NO_EC
0f113f3e 2379 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2380 unsigned int ecpointformatlist_length;
2381 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2382 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2383 *al = TLS1_AD_DECODE_ERROR;
2384 return 0;
2385 }
2386 if (!s->hit) {
2387 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2388 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2389 if ((s->session->tlsext_ecpointformatlist =
2390 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2391 *al = TLS1_AD_INTERNAL_ERROR;
2392 return 0;
2393 }
2394 s->session->tlsext_ecpointformatlist_length =
2395 ecpointformatlist_length;
50932c4a
MC		 2396 if (!PACKET_copy_bytes(&spkt,
2397 s->session->tlsext_ecpointformatlist,
2398 ecpointformatlist_length)) {
2399 *al = TLS1_AD_DECODE_ERROR;
2400 return 0;
2401 }
2402
0f113f3e 2403 }
0f113f3e 2404 }
e481f9b9 2405#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2406
2407 else if (type == TLSEXT_TYPE_session_ticket) {
2408 if (s->tls_session_ticket_ext_cb &&
2409 !s->tls_session_ticket_ext_cb(s, data, size,
2410 s->tls_session_ticket_ext_cb_arg))
2411 {
2412 *al = TLS1_AD_INTERNAL_ERROR;
2413 return 0;
2414 }
2415 if (!tls_use_ticket(s) || (size > 0)) {
2416 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2417 return 0;
2418 }
2419 s->tlsext_ticket_expected = 1;
2420 }
0f113f3e
MC		 2421 else if (type == TLSEXT_TYPE_status_request) {
2422 /*
2423 * MUST be empty and only sent if we've requested a status
2424 * request message.
2425 */
2426 if ((s->tlsext_status_type == -1) || (size > 0)) {
2427 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2428 return 0;
2429 }
2430 /* Set flag to expect CertificateStatus message */
2431 s->tlsext_status_expected = 1;
2432 }
e481f9b9 2433#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2434 else if (type == TLSEXT_TYPE_next_proto_neg &&
2435 s->s3->tmp.finish_md_len == 0) {
2436 unsigned char *selected;
2437 unsigned char selected_len;
0f113f3e
MC		 2438 /* We must have requested it. */
2439 if (s->ctx->next_proto_select_cb == NULL) {
2440 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2441 return 0;
2442 }
2443 /* The data must be valid */
50932c4a 2444 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2445 *al = TLS1_AD_DECODE_ERROR;
2446 return 0;
2447 }
2448 if (s->
2449 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2450 size,
2451 s->ctx->next_proto_select_cb_arg) !=
2452 SSL_TLSEXT_ERR_OK) {
2453 *al = TLS1_AD_INTERNAL_ERROR;
2454 return 0;
2455 }
2456 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2457 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2458 *al = TLS1_AD_INTERNAL_ERROR;
2459 return 0;
2460 }
2461 memcpy(s->next_proto_negotiated, selected, selected_len);
2462 s->next_proto_negotiated_len = selected_len;
2463 s->s3->next_proto_neg_seen = 1;
2464 }
e481f9b9 2465#endif
0f113f3e
MC		 2466
2467 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2468 unsigned len;
0f113f3e
MC		 2469 /* We must have requested it. */
2470 if (s->alpn_client_proto_list == NULL) {
2471 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2472 return 0;
2473 }
50e735f9
MC		 2474 /*-
2475 * The extension data consists of:
2476 * uint16 list_length
2477 * uint8 proto_length;
2478 * uint8 proto[proto_length];
2479 */
50932c4a
MC		 2480 if (!PACKET_get_net_2(&spkt, &len)
2481 || PACKET_remaining(&spkt) != len
2482 || !PACKET_get_1(&spkt, &len)
2483 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2484 *al = TLS1_AD_DECODE_ERROR;
2485 return 0;
2486 }
b548a1f1 2487 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2488 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2489 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2490 *al = TLS1_AD_INTERNAL_ERROR;
2491 return 0;
2492 }
50932c4a
MC		 2493 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2494 *al = TLS1_AD_DECODE_ERROR;
2495 return 0;
2496 }
0f113f3e
MC		 2497 s->s3->alpn_selected_len = len;
2498 }
e481f9b9 2499#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2500 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2501 unsigned int hbtype;
2502 if (!PACKET_get_1(&spkt, &hbtype)) {
2503 *al = SSL_AD_DECODE_ERROR;
2504 return 0;
2505 }
2506 switch (hbtype) {
0f113f3e 2507 case 0x01: /* Server allows us to send HB requests */
22e3dcb7 2508 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2509 break;
2510 case 0x02: /* Server doesn't accept HB requests */
22e3dcb7
RS		 2511 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2512 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2513 break;
2514 default:
2515 *al = SSL_AD_ILLEGAL_PARAMETER;
2516 return 0;
2517 }
2518 }
e481f9b9
MC		 2519#endif
2520#ifndef OPENSSL_NO_SRTP
0f113f3e 2521 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2522 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2523 return 0;
2524 }
e481f9b9
MC		 2525#endif
2526#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2527 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2528 /* Ignore if inappropriate ciphersuite */
2529 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2530 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2531 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2532 }
e481f9b9 2533#endif
ddc06b35 2534 else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2535 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2536 if (!s->hit)
2537 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2538 }
0f113f3e
MC		 2539 /*
2540 * If this extension type was not otherwise handled, but matches a
2541 * custom_cli_ext_record, then send it to the c callback
2542 */
2543 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2544 return 0;
0f113f3e
MC		 2545 }
2546
50932c4a 2547 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2548 *al = SSL_AD_DECODE_ERROR;
2549 return 0;
2550 }
2551
2552 if (!s->hit && tlsext_servername == 1) {
2553 if (s->tlsext_hostname) {
2554 if (s->session->tlsext_hostname == NULL) {
7644a9ae 2555 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2556 if (!s->session->tlsext_hostname) {
2557 *al = SSL_AD_UNRECOGNIZED_NAME;
2558 return 0;
2559 }
2560 } else {
2561 *al = SSL_AD_DECODE_ERROR;
2562 return 0;
2563 }
2564 }
2565 }
2566
0f113f3e
MC		 2567 ri_check:
2568
2569 /*
2570 * Determine if we need to see RI. Strictly speaking if we want to avoid
2571 * an attack we should *always* see RI even on initial server hello
2572 * because the client doesn't see any renegotiation during an attack.
2573 * However this would mean we could not connect to any server which
2574 * doesn't support RI so for the immediate future tolerate RI absence on
2575 * initial connect only.
2576 */
2577 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2578 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2579 *al = SSL_AD_HANDSHAKE_FAILURE;
2580 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2581 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2582 return 0;
2583 }
2584
e7f0d921
DSH		 2585 if (s->hit) {
2586 /*
2587 * Check extended master secret extension is consistent with
2588 * original session.
2589 */
2590 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2591 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2592 *al = SSL_AD_HANDSHAKE_FAILURE;
2593 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2594 return 0;
2595 }
2596 }
2597
0f113f3e
MC		 2598 return 1;
2599}
b2172f4f 2600
36ca4ba6 2601int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2602{
2603
0f113f3e
MC		 2604 return 1;
2605}
36ca4ba6
BM		 2606
2607int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2608{
2609 return 1;
2610}
36ca4ba6 2611
2daceb03 2612static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2613{
2614 int ret = SSL_TLSEXT_ERR_NOACK;
2615 int al = SSL_AD_UNRECOGNIZED_NAME;
2616
e481f9b9 2617#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2618 /*
2619 * The handling of the ECPointFormats extension is done elsewhere, namely
2620 * in ssl3_choose_cipher in s3_lib.c.
2621 */
2622 /*
2623 * The handling of the EllipticCurves extension is done elsewhere, namely
2624 * in ssl3_choose_cipher in s3_lib.c.
2625 */
e481f9b9 2626#endif
0f113f3e
MC		 2627
2628 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2629 ret =
2630 s->ctx->tlsext_servername_callback(s, &al,
2631 s->ctx->tlsext_servername_arg);
2632 else if (s->initial_ctx != NULL
2633 && s->initial_ctx->tlsext_servername_callback != 0)
2634 ret =
2635 s->initial_ctx->tlsext_servername_callback(s, &al,
2636 s->
2637 initial_ctx->tlsext_servername_arg);
2638
0f113f3e
MC		 2639 switch (ret) {
2640 case SSL_TLSEXT_ERR_ALERT_FATAL:
2641 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2642 return -1;
2643
2644 case SSL_TLSEXT_ERR_ALERT_WARNING:
2645 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2646 return 1;
2647
2648 case SSL_TLSEXT_ERR_NOACK:
2649 s->servername_done = 0;
2650 default:
2651 return 1;
2652 }
2653}
d376e57d 2654/* Initialise digests to default values */
a0f63828 2655void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2656{
2657 const EVP_MD **pmd = s->s3->tmp.md;
2658#ifndef OPENSSL_NO_DSA
152fbc28 2659 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2660#endif
2661#ifndef OPENSSL_NO_RSA
d18d31a1 2662 if (SSL_USE_SIGALGS(s))
152fbc28 2663 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2664 else
152fbc28 2665 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2666 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2667#endif
2668#ifndef OPENSSL_NO_EC
152fbc28 2669 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2670#endif
e44380a9 2671#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2672 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2673 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2674 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2675#endif
d376e57d 2676}
f1fd4544 2677
e469af8d 2678int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2679{
2680 int al;
2681 size_t i;
2682 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2683 OPENSSL_free(s->cert->shared_sigalgs);
2684 s->cert->shared_sigalgs = NULL;
2685 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2686 /* Clear certificate digests and validity flags */
2687 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2688 s->s3->tmp.md[i] = NULL;
6383d316 2689 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2690 }
2691
2692 /* If sigalgs received process it. */
76106e60 2693 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2694 if (!tls1_process_sigalgs(s)) {
2695 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2696 al = SSL_AD_INTERNAL_ERROR;
2697 goto err;
2698 }
2699 /* Fatal error is no shared signature algorithms */
2700 if (!s->cert->shared_sigalgs) {
2701 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2702 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2703 al = SSL_AD_ILLEGAL_PARAMETER;
2704 goto err;
2705 }
d376e57d
DSH		 2706 } else {
2707 ssl_set_default_md(s);
2708 }
0f113f3e
MC		 2709 return 1;
2710 err:
2711 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2712 return 0;
2713}
e469af8d 2714
2daceb03 2715int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2716{
2717 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2718 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2719
2720 /*
2721 * If status request then ask callback what to do. Note: this must be
2722 * called after servername callbacks in case the certificate has changed,
2723 * and must be called after the cipher has been chosen because this may
2724 * influence which certificate is sent
2725 */
2726 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2727 int r;
2728 CERT_PKEY *certpkey;
2729 certpkey = ssl_get_server_send_pkey(s);
2730 /* If no certificate can't return certificate status */
2731 if (certpkey == NULL) {
2732 s->tlsext_status_expected = 0;
2733 return 1;
2734 }
2735 /*
2736 * Set current certificate to one we will use so SSL_get_certificate
2737 * et al can pick it up.
2738 */
2739 s->cert->key = certpkey;
2740 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2741 switch (r) {
2742 /* We don't want to send a status request response */
2743 case SSL_TLSEXT_ERR_NOACK:
2744 s->tlsext_status_expected = 0;
2745 break;
2746 /* status request response should be sent */
2747 case SSL_TLSEXT_ERR_OK:
2748 if (s->tlsext_ocsp_resp)
2749 s->tlsext_status_expected = 1;
2750 else
2751 s->tlsext_status_expected = 0;
2752 break;
2753 /* something bad happened */
2754 case SSL_TLSEXT_ERR_ALERT_FATAL:
2755 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2756 al = SSL_AD_INTERNAL_ERROR;
2757 goto err;
2758 }
2759 } else
2760 s->tlsext_status_expected = 0;
2daceb03
BL		 2761
2762 err:
0f113f3e
MC		 2763 switch (ret) {
2764 case SSL_TLSEXT_ERR_ALERT_FATAL:
2765 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2766 return -1;
2767
2768 case SSL_TLSEXT_ERR_ALERT_WARNING:
2769 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2770 return 1;
2771
2772 default:
2773 return 1;
2774 }
2775}
2daceb03 2776
36ca4ba6 2777int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2778{
2779 int ret = SSL_TLSEXT_ERR_NOACK;
2780 int al = SSL_AD_UNRECOGNIZED_NAME;
2781
e481f9b9 2782#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2783 /*
2784 * If we are client and using an elliptic curve cryptography cipher
2785 * suite, then if server returns an EC point formats lists extension it
2786 * must contain uncompressed.
2787 */
2788 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2789 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2790 if ((s->tlsext_ecpointformatlist != NULL)
2791 && (s->tlsext_ecpointformatlist_length > 0)
2792 && (s->session->tlsext_ecpointformatlist != NULL)
2793 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 2794 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 2795 /* we are using an ECC cipher */
2796 size_t i;
2797 unsigned char *list;
2798 int found_uncompressed = 0;
2799 list = s->session->tlsext_ecpointformatlist;
2800 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2801 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2802 found_uncompressed = 1;
2803 break;
2804 }
2805 }
2806 if (!found_uncompressed) {
2807 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2808 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2809 return -1;
2810 }
2811 }
2812 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2813#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2814
2815 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2816 ret =
2817 s->ctx->tlsext_servername_callback(s, &al,
2818 s->ctx->tlsext_servername_arg);
2819 else if (s->initial_ctx != NULL
2820 && s->initial_ctx->tlsext_servername_callback != 0)
2821 ret =
2822 s->initial_ctx->tlsext_servername_callback(s, &al,
2823 s->
2824 initial_ctx->tlsext_servername_arg);
2825
b1931d43
MC		 2826 /*
2827 * Ensure we get sensible values passed to tlsext_status_cb in the event
2828 * that we don't receive a status message
2829 */
bb1aaab4
MC		 2830 OPENSSL_free(s->tlsext_ocsp_resp);
2831 s->tlsext_ocsp_resp = NULL;
2832 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2833
2834 switch (ret) {
2835 case SSL_TLSEXT_ERR_ALERT_FATAL:
2836 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2837 return -1;
2838
2839 case SSL_TLSEXT_ERR_ALERT_WARNING:
2840 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2841 return 1;
2842
2843 case SSL_TLSEXT_ERR_NOACK:
2844 s->servername_done = 0;
2845 default:
2846 return 1;
2847 }
2848}
761772d7 2849
50932c4a 2850int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2851{
2852 int al = -1;
2853 if (s->version < SSL3_VERSION)
2854 return 1;
50932c4a 2855 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2856 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2857 return 0;
2858 }
2859
2860 if (ssl_check_serverhello_tlsext(s) <= 0) {
2861 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2862 return 0;
2863 }
2864 return 1;
09e4e4b9
DSH		 2865}
2866
1d97c843
TH		 2867/*-
2868 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2869 * ClientHello and other operations depend on the result some extensions
2870 * need to be handled at the same time.
2871 *
2872 * Two extensions are currently handled, session ticket and extended master
2873 * secret.
c519e89f 2874 *
b3e2272c
EK		 2875 * session_id: ClientHello session ID.
2876 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2877 * ret: (output) on return, if a ticket was decrypted, then this is set to
2878 * point to the resulting session.
2879 *
2880 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2881 * ciphersuite, in which case we have no use for session tickets and one will
2882 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2883 *
2884 * Returns:
2885 * -1: fatal error, either from parsing or decrypting the ticket.
2886 * 0: no ticket was found (or was ignored, based on settings).
2887 * 1: a zero length extension was found, indicating that the client supports
2888 * session tickets but doesn't currently have one to offer.
2889 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2890 * couldn't be decrypted because of a non-fatal error.
2891 * 3: a ticket was successfully decrypted and *ret was set.
2892 *
2893 * Side effects:
2894 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2895 * a new session ticket to the client because the client indicated support
2896 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2897 * a session ticket or we couldn't use the one it gave us, or if
2898 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2899 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2900 *
2901 * For extended master secret flag is set if the extension is present.
2902 *
6434abbf 2903 */
e7f0d921
DSH		 2904int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2905 const PACKET *session_id,
2906 SSL_SESSION **ret)
0f113f3e 2907{
9ceb2426 2908 unsigned int i;
b3e2272c 2909 PACKET local_ext = *ext;
9ceb2426 2910 int retv = -1;
0f113f3e 2911
e7f0d921
DSH		 2912 int have_ticket = 0;
2913 int use_ticket = tls_use_ticket(s);
2914
0f113f3e
MC		 2915 *ret = NULL;
2916 s->tlsext_ticket_expected = 0;
e7f0d921 2917 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2918
2919 /*
2920 * If tickets disabled behave as if no ticket present to permit stateful
2921 * resumption.
2922 */
9ceb2426 2923 if ((s->version <= SSL3_VERSION))
0f113f3e 2924 return 0;
9ceb2426 2925
b3e2272c 2926 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2927 retv = 0;
2928 goto end;
2929 }
b3e2272c 2930 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2931 unsigned int type, size;
2932
b3e2272c
EK		 2933 if (!PACKET_get_net_2(&local_ext, &type)
2934 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2935 /* Shouldn't ever happen */
2936 retv = -1;
2937 goto end;
2938 }
b3e2272c 2939 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2940 retv = 0;
2941 goto end;
2942 }
e7f0d921 2943 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2944 int r;
b6981744 2945 const unsigned char *etick;
9ceb2426 2946
e7f0d921
DSH		 2947 /* Duplicate extension */
2948 if (have_ticket != 0) {
2949 retv = -1;
2950 goto end;
2951 }
2952 have_ticket = 1;
2953
0f113f3e
MC		 2954 if (size == 0) {
2955 /*
2956 * The client will accept a ticket but doesn't currently have
2957 * one.
2958 */
2959 s->tlsext_ticket_expected = 1;
9ceb2426 2960 retv = 1;
e7f0d921 2961 continue;
0f113f3e
MC		 2962 }
2963 if (s->tls_session_secret_cb) {
2964 /*
2965 * Indicate that the ticket couldn't be decrypted rather than
2966 * generating the session from ticket now, trigger
2967 * abbreviated handshake based on external mechanism to
2968 * calculate the master secret later.
2969 */
9ceb2426 2970 retv = 2;
e7f0d921 2971 continue;
9ceb2426 2972 }
b3e2272c 2973 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2974 /* Shouldn't ever happen */
2975 retv = -1;
2976 goto end;
0f113f3e 2977 }
b3e2272c
EK		 2978 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2979 PACKET_remaining(session_id), ret);
0f113f3e
MC		 2980 switch (r) {
2981 case 2: /* ticket couldn't be decrypted */
2982 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2983 retv = 2;
2984 break;
0f113f3e 2985 case 3: /* ticket was decrypted */
9ceb2426
MC		 2986 retv = r;
2987 break;
0f113f3e
MC		 2988 case 4: /* ticket decrypted but need to renew */
2989 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2990 retv = 3;
2991 break;
0f113f3e 2992 default: /* fatal error */
9ceb2426
MC		 2993 retv = -1;
2994 break;
0f113f3e 2995 }
e7f0d921 2996 continue;
c83eda8c 2997 } else {
e7f0d921
DSH		 2998 if (type == TLSEXT_TYPE_extended_master_secret)
2999 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 3000 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3001 retv = -1;
3002 goto end;
3003 }
0f113f3e 3004 }
0f113f3e 3005 }
e7f0d921
DSH		 3006 if (have_ticket == 0)
3007 retv = 0;
9ceb2426 3008end:
9ceb2426 3009 return retv;
0f113f3e 3010}
6434abbf 3011
1d97c843
TH		 3012/*-
3013 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3014 *
3015 * etick: points to the body of the session ticket extension.
3016 * eticklen: the length of the session tickets extenion.
3017 * sess_id: points at the session ID.
3018 * sesslen: the length of the session ID.
3019 * psess: (output) on return, if a ticket was decrypted, then this is set to
3020 * point to the resulting session.
3021 *
3022 * Returns:
bf7c6817 3023 * -2: fatal error, malloc failure.
c519e89f
BM		 3024 * -1: fatal error, either from parsing or decrypting the ticket.
3025 * 2: the ticket couldn't be decrypted.
3026 * 3: a ticket was successfully decrypted and *psess was set.
3027 * 4: same as 3, but the ticket needs to be renewed.
3028 */
0f113f3e
MC		 3029static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3030 int eticklen, const unsigned char *sess_id,
3031 int sesslen, SSL_SESSION **psess)
3032{
3033 SSL_SESSION *sess;
3034 unsigned char *sdec;
3035 const unsigned char *p;
35b1a433 3036 int slen, mlen, renew_ticket = 0, ret = -1;
0f113f3e 3037 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3038 HMAC_CTX *hctx = NULL;
846ec07d 3039 EVP_CIPHER_CTX *ctx;
0f113f3e
MC		 3040 SSL_CTX *tctx = s->initial_ctx;
3041 /* Need at least keyname + iv + some encrypted data */
3042 if (eticklen < 48)
3043 return 2;
3044 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3045 hctx = HMAC_CTX_new();
3046 if (hctx == NULL)
3047 return -2;
846ec07d 3048 ctx = EVP_CIPHER_CTX_new();
35b1a433
MC		 3049 if (ctx == NULL) {
3050 ret = -2;
3051 goto err;
3052 }
0f113f3e
MC		 3053 if (tctx->tlsext_ticket_key_cb) {
3054 unsigned char *nctick = (unsigned char *)etick;
3055 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 3056 ctx, hctx, 0);
0f113f3e 3057 if (rv < 0)
35b1a433
MC		 3058 goto err;
3059 if (rv == 0) {
3060 ret = 2;
3061 goto err;
3062 }
0f113f3e
MC		 3063 if (rv == 2)
3064 renew_ticket = 1;
3065 } else {
3066 /* Check key name matches */
35b1a433
MC		 3067 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) {
3068 ret = 2;
3069 goto err;
3070 }
bf7c6817 3071 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
5f3d93e4 3072 EVP_sha256(), NULL) <= 0
846ec07d 3073 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
5f3d93e4
MC		 3074 tctx->tlsext_tick_aes_key,
3075 etick + 16) <= 0) {
3076 goto err;
3077 }
0f113f3e
MC		 3078 }
3079 /*
3080 * Attempt to process session ticket, first conduct sanity and integrity
3081 * checks on ticket.
3082 */
bf7c6817 3083 mlen = HMAC_size(hctx);
0f113f3e 3084 if (mlen < 0) {
5f3d93e4 3085 goto err;
0f113f3e
MC		 3086 }
3087 eticklen -= mlen;
3088 /* Check HMAC of encrypted ticket */
bf7c6817
RL		 3089 if (HMAC_Update(hctx, etick, eticklen) <= 0
3090 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3091 goto err;
3092 }
bf7c6817 3093 HMAC_CTX_free(hctx);
0f113f3e 3094 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3095 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3096 return 2;
3097 }
3098 /* Attempt to decrypt session data */
3099 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3100 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3101 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3102 sdec = OPENSSL_malloc(eticklen);
5f3d93e4 3103 if (sdec == NULL
846ec07d
RL		 3104 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3105 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3106 return -1;
3107 }
846ec07d
RL		 3108 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3109 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3110 OPENSSL_free(sdec);
3111 return 2;
3112 }
3113 slen += mlen;
846ec07d
RL		 3114 EVP_CIPHER_CTX_free(ctx);
3115 ctx = NULL;
0f113f3e
MC		 3116 p = sdec;
3117
3118 sess = d2i_SSL_SESSION(NULL, &p, slen);
3119 OPENSSL_free(sdec);
3120 if (sess) {
3121 /*
3122 * The session ID, if non-empty, is used by some clients to detect
3123 * that the ticket has been accepted. So we copy it to the session
3124 * structure. If it is empty set length to zero as required by
3125 * standard.
3126 */
3127 if (sesslen)
3128 memcpy(sess->session_id, sess_id, sesslen);
3129 sess->session_id_length = sesslen;
3130 *psess = sess;
3131 if (renew_ticket)
3132 return 4;
3133 else
3134 return 3;
3135 }
3136 ERR_clear_error();
3137 /*
3138 * For session parse failure, indicate that we need to send a new ticket.
3139 */
3140 return 2;
5f3d93e4 3141err:
846ec07d 3142 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3143 HMAC_CTX_free(hctx);
35b1a433 3144 return ret;
0f113f3e 3145}
6434abbf 3146
6b7be581
DSH		 3147/* Tables to translate from NIDs to TLS v1.2 ids */
3148
0f113f3e
MC		 3149typedef struct {
3150 int nid;
3151 int id;
3152} tls12_lookup;
6b7be581 3153
d97ed219 3154static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3155 {NID_md5, TLSEXT_hash_md5},
3156 {NID_sha1, TLSEXT_hash_sha1},
3157 {NID_sha224, TLSEXT_hash_sha224},
3158 {NID_sha256, TLSEXT_hash_sha256},
3159 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3160 {NID_sha512, TLSEXT_hash_sha512},
3161 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3162 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3163 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3164};
3165
d97ed219 3166static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3167 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3168 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3169 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3170 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3171 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3172 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3173};
3174
d97ed219 3175static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3176{
3177 size_t i;
3178 for (i = 0; i < tlen; i++) {
3179 if (table[i].nid == nid)
3180 return table[i].id;
3181 }
3182 return -1;
3183}
e7f8ff43 3184
d97ed219 3185static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3186{
3187 size_t i;
3188 for (i = 0; i < tlen; i++) {
3189 if ((table[i].id) == id)
3190 return table[i].nid;
3191 }
3192 return NID_undef;
3193}
3194
3195int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3196 const EVP_MD *md)
3197{
3198 int sig_id, md_id;
3199 if (!md)
3200 return 0;
b6eb9827 3201 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3202 if (md_id == -1)
3203 return 0;
3204 sig_id = tls12_get_sigid(pk);
3205 if (sig_id == -1)
3206 return 0;
3207 p[0] = (unsigned char)md_id;
3208 p[1] = (unsigned char)sig_id;
3209 return 1;
3210}
6b7be581 3211
a2f9200f 3212int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3213{
3aeb9348 3214 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3215}
3216
3217typedef struct {
3218 int nid;
3219 int secbits;
7afd2312 3220 int md_idx;
e44380a9 3221 unsigned char tlsext_hash;
0f113f3e 3222} tls12_hash_info;
b362ccab
DSH		 3223
3224static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3225 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3226 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3227 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3228 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3229 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3230 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3231 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3232 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3233 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
b362ccab 3234};
a2f9200f 3235
b362ccab 3236static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3237{
e44380a9 3238 unsigned int i;
0f113f3e
MC		 3239 if (hash_alg == 0)
3240 return NULL;
e44380a9
DB		 3241
3242 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3243 {
3244 if (tls12_md_info[i].tlsext_hash == hash_alg)
3245 return tls12_md_info + i;
3246 }
3247
3248 return NULL;
0f113f3e 3249}
a2f9200f 3250
b362ccab 3251const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3252{
3253 const tls12_hash_info *inf;
3254 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3255 return NULL;
3256 inf = tls12_get_hash_info(hash_alg);
7afd2312 3257 if (!inf)
0f113f3e 3258 return NULL;
7afd2312 3259 return ssl_md(inf->md_idx);
0f113f3e 3260}
a2f9200f 3261
4453cd8c 3262static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3263{
3264 switch (sig_alg) {
e481f9b9 3265#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3266 case TLSEXT_signature_rsa:
3267 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3268#endif
3269#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3270 case TLSEXT_signature_dsa:
3271 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3272#endif
3273#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3274 case TLSEXT_signature_ecdsa:
3275 return SSL_PKEY_ECC;
e481f9b9 3276#endif
e44380a9
DB		 3277# ifndef OPENSSL_NO_GOST
3278 case TLSEXT_signature_gostr34102001:
3279 return SSL_PKEY_GOST01;
3280
3281 case TLSEXT_signature_gostr34102012_256:
3282 return SSL_PKEY_GOST12_256;
3283
3284 case TLSEXT_signature_gostr34102012_512:
3285 return SSL_PKEY_GOST12_512;
3286# endif
0f113f3e
MC		 3287 }
3288 return -1;
3289}
4453cd8c
DSH		 3290
3291/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3292static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3293 int *psignhash_nid, const unsigned char *data)
3294{
330dcb09 3295 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3296 if (!phash_nid && !psign_nid && !psignhash_nid)
3297 return;
3298 if (phash_nid || psignhash_nid) {
b6eb9827 3299 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3300 if (phash_nid)
3301 *phash_nid = hash_nid;
3302 }
3303 if (psign_nid || psignhash_nid) {
b6eb9827 3304 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3305 if (psign_nid)
3306 *psign_nid = sign_nid;
3307 }
3308 if (psignhash_nid) {
330dcb09
MC		 3309 if (sign_nid == NID_undef || hash_nid == NID_undef
3310 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3311 sign_nid) <= 0)
0f113f3e
MC		 3312 *psignhash_nid = NID_undef;
3313 }
3314}
3315
b362ccab
DSH		 3316/* Check to see if a signature algorithm is allowed */
3317static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3318{
3319 /* See if we have an entry in the hash table and it is enabled */
3320 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3321 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3322 return 0;
3323 /* See if public key algorithm allowed */
3324 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3325 return 0;
3326 /* Finally see if security callback allows it */
3327 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3328}
3329
3330/*
3331 * Get a mask of disabled public key algorithms based on supported signature
3332 * algorithms. For example if no signature algorithm supports RSA then RSA is
3333 * disabled.
b362ccab
DSH		 3334 */
3335
90d9e49a 3336void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3337{
3338 const unsigned char *sigalgs;
3339 size_t i, sigalgslen;
3340 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3341 /*
3342 * Now go through all signature algorithms seeing if we support any for
3343 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3344 * down calls to security callback only check if we have to.
3345 */
3346 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3347 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3348 switch (sigalgs[1]) {
e481f9b9 3349#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3350 case TLSEXT_signature_rsa:
3351 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3352 have_rsa = 1;
3353 break;
e481f9b9
MC		 3354#endif
3355#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3356 case TLSEXT_signature_dsa:
3357 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3358 have_dsa = 1;
3359 break;
e481f9b9
MC		 3360#endif
3361#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3362 case TLSEXT_signature_ecdsa:
3363 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3364 have_ecdsa = 1;
3365 break;
e481f9b9 3366#endif
0f113f3e
MC		 3367 }
3368 }
3369 if (!have_rsa)
3370 *pmask_a |= SSL_aRSA;
3371 if (!have_dsa)
3372 *pmask_a |= SSL_aDSS;
3373 if (!have_ecdsa)
3374 *pmask_a |= SSL_aECDSA;
3375}
b362ccab
DSH		 3376
3377size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3378 const unsigned char *psig, size_t psiglen)
3379{
3380 unsigned char *tmpout = out;
3381 size_t i;
3382 for (i = 0; i < psiglen; i += 2, psig += 2) {
3383 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3384 *tmpout++ = psig[0];
3385 *tmpout++ = psig[1];
3386 }
3387 }
3388 return tmpout - out;
3389}
b362ccab 3390
4453cd8c 3391/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3392static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3393 const unsigned char *pref, size_t preflen,
3394 const unsigned char *allow, size_t allowlen)
3395{
3396 const unsigned char *ptmp, *atmp;
3397 size_t i, j, nmatch = 0;
3398 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3399 /* Skip disabled hashes or signature algorithms */
3400 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3401 continue;
3402 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3403 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3404 nmatch++;
3405 if (shsig) {
3406 shsig->rhash = ptmp[0];
3407 shsig->rsign = ptmp[1];
3408 tls1_lookup_sigalg(&shsig->hash_nid,
3409 &shsig->sign_nid,
3410 &shsig->signandhash_nid, ptmp);
3411 shsig++;
3412 }
3413 break;
3414 }
3415 }
3416 }
3417 return nmatch;
3418}
4453cd8c
DSH		 3419
3420/* Set shared signature algorithms for SSL structures */
3421static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3422{
3423 const unsigned char *pref, *allow, *conf;
3424 size_t preflen, allowlen, conflen;
3425 size_t nmatch;
3426 TLS_SIGALGS *salgs = NULL;
3427 CERT *c = s->cert;
3428 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3429
3430 OPENSSL_free(c->shared_sigalgs);
3431 c->shared_sigalgs = NULL;
3432 c->shared_sigalgslen = 0;
0f113f3e
MC		 3433 /* If client use client signature algorithms if not NULL */
3434 if (!s->server && c->client_sigalgs && !is_suiteb) {
3435 conf = c->client_sigalgs;
3436 conflen = c->client_sigalgslen;
3437 } else if (c->conf_sigalgs && !is_suiteb) {
3438 conf = c->conf_sigalgs;
3439 conflen = c->conf_sigalgslen;
3440 } else
3441 conflen = tls12_get_psigalgs(s, &conf);
3442 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3443 pref = conf;
3444 preflen = conflen;
76106e60
DSH		 3445 allow = s->s3->tmp.peer_sigalgs;
3446 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3447 } else {
3448 allow = conf;
3449 allowlen = conflen;
76106e60
DSH		 3450 pref = s->s3->tmp.peer_sigalgs;
3451 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3452 }
3453 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3454 if (nmatch) {
3455 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3456 if (salgs == NULL)
34e3edbf
DSH		 3457 return 0;
3458 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3459 } else {
3460 salgs = NULL;
3461 }
0f113f3e
MC		 3462 c->shared_sigalgs = salgs;
3463 c->shared_sigalgslen = nmatch;
3464 return 1;
3465}
4453cd8c 3466
6b7be581
DSH		 3467/* Set preferred digest for each key type */
3468
c800c27a 3469int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3470{
3471 CERT *c = s->cert;
3472 /* Extension ignored for inappropriate versions */
3473 if (!SSL_USE_SIGALGS(s))
3474 return 1;
3475 /* Should never happen */
3476 if (!c)
3477 return 0;
3478
76106e60
DSH		 3479 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3480 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3481 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3482 return 0;
76106e60
DSH		 3483 s->s3->tmp.peer_sigalgslen = dsize;
3484 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3485 return 1;
3486}
6b7be581 3487
c800c27a 3488int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3489{
3490 int idx;
3491 size_t i;
3492 const EVP_MD *md;
d376e57d 3493 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3494 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3495 CERT *c = s->cert;
3496 TLS_SIGALGS *sigptr;
3497 if (!tls1_set_shared_sigalgs(s))
3498 return 0;
3499
0f113f3e
MC		 3500 for (i = 0, sigptr = c->shared_sigalgs;
3501 i < c->shared_sigalgslen; i++, sigptr++) {
3502 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3503 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3504 md = tls12_get_hash(sigptr->rhash);
d376e57d 3505 pmd[idx] = md;
6383d316 3506 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3507 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3508 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3509 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3510 }
3511 }
6b7be581 3512
0f113f3e
MC		 3513 }
3514 /*
3515 * In strict mode leave unset digests as NULL to indicate we can't use
3516 * the certificate for signing.
3517 */
3518 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3519 /*
3520 * Set any remaining keys to default values. NOTE: if alg is not
3521 * supported it stays as NULL.
3522 */
e481f9b9 3523#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3524 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3525 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3526#endif
3527#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3528 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3529 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3530 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3531 }
e481f9b9
MC		 3532#endif
3533#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3534 if (pmd[SSL_PKEY_ECC] == NULL)
3535 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3536#endif
e44380a9
DB		 3537# ifndef OPENSSL_NO_GOST
3538 if (pmd[SSL_PKEY_GOST01] == NULL)
3539 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3540 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3541 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3542 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3543 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3544# endif
0f113f3e
MC		 3545 }
3546 return 1;
3547}
4817504d 3548
e7f8ff43 3549int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3550 int *psign, int *phash, int *psignhash,
3551 unsigned char *rsig, unsigned char *rhash)
3552{
76106e60 3553 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3554 if (psig == NULL)
3555 return 0;
3556 if (idx >= 0) {
3557 idx <<= 1;
76106e60 3558 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3559 return 0;
3560 psig += idx;
3561 if (rhash)
3562 *rhash = psig[0];
3563 if (rsig)
3564 *rsig = psig[1];
3565 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3566 }
76106e60 3567 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3568}
4453cd8c
DSH		 3569
3570int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3571 int *psign, int *phash, int *psignhash,
3572 unsigned char *rsig, unsigned char *rhash)
3573{
3574 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3575 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3576 return 0;
3577 shsigalgs += idx;
3578 if (phash)
3579 *phash = shsigalgs->hash_nid;
3580 if (psign)
3581 *psign = shsigalgs->sign_nid;
3582 if (psignhash)
3583 *psignhash = shsigalgs->signandhash_nid;
3584 if (rsig)
3585 *rsig = shsigalgs->rsign;
3586 if (rhash)
3587 *rhash = shsigalgs->rhash;
3588 return s->cert->shared_sigalgslen;
3589}
3590
e481f9b9 3591#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3592
0f113f3e
MC		 3593typedef struct {
3594 size_t sigalgcnt;
3595 int sigalgs[MAX_SIGALGLEN];
3596} sig_cb_st;
0f229cce 3597
431f458d
DSH		 3598static void get_sigorhash(int *psig, int *phash, const char *str)
3599{
3600 if (strcmp(str, "RSA") == 0) {
3601 *psig = EVP_PKEY_RSA;
3602 } else if (strcmp(str, "DSA") == 0) {
3603 *psig = EVP_PKEY_DSA;
3604 } else if (strcmp(str, "ECDSA") == 0) {
3605 *psig = EVP_PKEY_EC;
3606 } else {
3607 *phash = OBJ_sn2nid(str);
3608 if (*phash == NID_undef)
3609 *phash = OBJ_ln2nid(str);
3610 }
3611}
3612
0f229cce 3613static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3614{
3615 sig_cb_st *sarg = arg;
3616 size_t i;
3617 char etmp[20], *p;
431f458d 3618 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3619 if (elem == NULL)
3620 return 0;
0f113f3e
MC		 3621 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3622 return 0;
3623 if (len > (int)(sizeof(etmp) - 1))
3624 return 0;
3625 memcpy(etmp, elem, len);
3626 etmp[len] = 0;
3627 p = strchr(etmp, '+');
3628 if (!p)
3629 return 0;
3630 *p = 0;
3631 p++;
3632 if (!*p)
3633 return 0;
3634
431f458d
DSH		 3635 get_sigorhash(&sig_alg, &hash_alg, etmp);
3636 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3637
431f458d 3638 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3639 return 0;
3640
3641 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3642 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3643 return 0;
3644 }
3645 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3646 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3647 return 1;
3648}
3649
3650/*
3651 * Set suppored signature algorithms based on a colon separated list of the
3652 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3653 */
3dbc46df 3654int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3655{
3656 sig_cb_st sig;
3657 sig.sigalgcnt = 0;
3658 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3659 return 0;
3660 if (c == NULL)
3661 return 1;
3662 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3663}
3664
3665int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3666 int client)
3667{
3668 unsigned char *sigalgs, *sptr;
3669 int rhash, rsign;
3670 size_t i;
3671 if (salglen & 1)
3672 return 0;
3673 sigalgs = OPENSSL_malloc(salglen);
3674 if (sigalgs == NULL)
3675 return 0;
3676 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3677 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3678 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3679
3680 if (rhash == -1 || rsign == -1)
3681 goto err;
3682 *sptr++ = rhash;
3683 *sptr++ = rsign;
3684 }
3685
3686 if (client) {
b548a1f1 3687 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3688 c->client_sigalgs = sigalgs;
3689 c->client_sigalgslen = salglen;
3690 } else {
b548a1f1 3691 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3692 c->conf_sigalgs = sigalgs;
3693 c->conf_sigalgslen = salglen;
3694 }
3695
3696 return 1;
3697
3698 err:
3699 OPENSSL_free(sigalgs);
3700 return 0;
3701}
4453cd8c 3702
d61ff83b 3703static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3704{
3705 int sig_nid;
3706 size_t i;
3707 if (default_nid == -1)
3708 return 1;
3709 sig_nid = X509_get_signature_nid(x);
3710 if (default_nid)
3711 return sig_nid == default_nid ? 1 : 0;
3712 for (i = 0; i < c->shared_sigalgslen; i++)
3713 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3714 return 1;
3715 return 0;
3716}
3717
6dbb6219
DSH		 3718/* Check to see if a certificate issuer name matches list of CA names */
3719static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3720{
3721 X509_NAME *nm;
3722 int i;
3723 nm = X509_get_issuer_name(x);
3724 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3725 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3726 return 1;
3727 }
3728 return 0;
3729}
3730
3731/*
3732 * Check certificate chain is consistent with TLS extensions and is usable by
3733 * server. This servers two purposes: it allows users to check chains before
3734 * passing them to the server and it allows the server to check chains before
3735 * attempting to use them.
d61ff83b 3736 */
6dbb6219
DSH		 3737
3738/* Flags which need to be set for a certificate when stict mode not set */
3739
e481f9b9 3740#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3741 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3742/* Strict mode flags */
e481f9b9 3743#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3744 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3745 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3746
d61ff83b 3747int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3748 int idx)
3749{
3750 int i;
3751 int rv = 0;
3752 int check_flags = 0, strict_mode;
3753 CERT_PKEY *cpk = NULL;
3754 CERT *c = s->cert;
f7d53487 3755 uint32_t *pvalid;
0f113f3e
MC		 3756 unsigned int suiteb_flags = tls1_suiteb(s);
3757 /* idx == -1 means checking server chains */
3758 if (idx != -1) {
3759 /* idx == -2 means checking client certificate chains */
3760 if (idx == -2) {
3761 cpk = c->key;
3762 idx = cpk - c->pkeys;
3763 } else
3764 cpk = c->pkeys + idx;
6383d316 3765 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3766 x = cpk->x509;
3767 pk = cpk->privatekey;
3768 chain = cpk->chain;
3769 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3770 /* If no cert or key, forget it */
3771 if (!x || !pk)
3772 goto end;
0f113f3e
MC		 3773 } else {
3774 if (!x || !pk)
d813f9eb 3775 return 0;
0f113f3e
MC		 3776 idx = ssl_cert_type(x, pk);
3777 if (idx == -1)
d813f9eb 3778 return 0;
6383d316
DSH		 3779 pvalid = s->s3->tmp.valid_flags + idx;
3780
0f113f3e
MC		 3781 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3782 check_flags = CERT_PKEY_STRICT_FLAGS;
3783 else
3784 check_flags = CERT_PKEY_VALID_FLAGS;
3785 strict_mode = 1;
3786 }
3787
3788 if (suiteb_flags) {
3789 int ok;
3790 if (check_flags)
3791 check_flags |= CERT_PKEY_SUITEB;
3792 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3793 if (ok == X509_V_OK)
3794 rv |= CERT_PKEY_SUITEB;
3795 else if (!check_flags)
3796 goto end;
3797 }
3798
3799 /*
3800 * Check all signature algorithms are consistent with signature
3801 * algorithms extension if TLS 1.2 or later and strict mode.
3802 */
3803 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3804 int default_nid;
3805 unsigned char rsign = 0;
76106e60 3806 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3807 default_nid = 0;
3808 /* If no sigalgs extension use defaults from RFC5246 */
3809 else {
3810 switch (idx) {
3811 case SSL_PKEY_RSA_ENC:
3812 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 3813 rsign = TLSEXT_signature_rsa;
3814 default_nid = NID_sha1WithRSAEncryption;
3815 break;
3816
3817 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 3818 rsign = TLSEXT_signature_dsa;
3819 default_nid = NID_dsaWithSHA1;
3820 break;
3821
3822 case SSL_PKEY_ECC:
3823 rsign = TLSEXT_signature_ecdsa;
3824 default_nid = NID_ecdsa_with_SHA1;
3825 break;
3826
e44380a9
DB		 3827 case SSL_PKEY_GOST01:
3828 rsign = TLSEXT_signature_gostr34102001;
3829 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3830 break;
3831
3832 case SSL_PKEY_GOST12_256:
3833 rsign = TLSEXT_signature_gostr34102012_256;
3834 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3835 break;
3836
3837 case SSL_PKEY_GOST12_512:
3838 rsign = TLSEXT_signature_gostr34102012_512;
3839 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3840 break;
3841
0f113f3e
MC		 3842 default:
3843 default_nid = -1;
3844 break;
3845 }
3846 }
3847 /*
3848 * If peer sent no signature algorithms extension and we have set
3849 * preferred signature algorithms check we support sha1.
3850 */
3851 if (default_nid > 0 && c->conf_sigalgs) {
3852 size_t j;
3853 const unsigned char *p = c->conf_sigalgs;
3854 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3855 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3856 break;
3857 }
3858 if (j == c->conf_sigalgslen) {
3859 if (check_flags)
3860 goto skip_sigs;
3861 else
3862 goto end;
3863 }
3864 }
3865 /* Check signature algorithm of each cert in chain */
3866 if (!tls1_check_sig_alg(c, x, default_nid)) {
3867 if (!check_flags)
3868 goto end;
3869 } else
3870 rv |= CERT_PKEY_EE_SIGNATURE;
3871 rv |= CERT_PKEY_CA_SIGNATURE;
3872 for (i = 0; i < sk_X509_num(chain); i++) {
3873 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3874 if (check_flags) {
3875 rv &= ~CERT_PKEY_CA_SIGNATURE;
3876 break;
3877 } else
3878 goto end;
3879 }
3880 }
3881 }
3882 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3883 else if (check_flags)
3884 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3885 skip_sigs:
3886 /* Check cert parameters are consistent */
3887 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3888 rv |= CERT_PKEY_EE_PARAM;
3889 else if (!check_flags)
3890 goto end;
3891 if (!s->server)
3892 rv |= CERT_PKEY_CA_PARAM;
3893 /* In strict mode check rest of chain too */
3894 else if (strict_mode) {
3895 rv |= CERT_PKEY_CA_PARAM;
3896 for (i = 0; i < sk_X509_num(chain); i++) {
3897 X509 *ca = sk_X509_value(chain, i);
3898 if (!tls1_check_cert_param(s, ca, 0)) {
3899 if (check_flags) {
3900 rv &= ~CERT_PKEY_CA_PARAM;
3901 break;
3902 } else
3903 goto end;
3904 }
3905 }
3906 }
3907 if (!s->server && strict_mode) {
3908 STACK_OF(X509_NAME) *ca_dn;
3909 int check_type = 0;
3aeb9348 3910 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 3911 case EVP_PKEY_RSA:
3912 check_type = TLS_CT_RSA_SIGN;
3913 break;
3914 case EVP_PKEY_DSA:
3915 check_type = TLS_CT_DSS_SIGN;
3916 break;
3917 case EVP_PKEY_EC:
3918 check_type = TLS_CT_ECDSA_SIGN;
3919 break;
0f113f3e
MC		 3920 }
3921 if (check_type) {
3922 const unsigned char *ctypes;
3923 int ctypelen;
3924 if (c->ctypes) {
3925 ctypes = c->ctypes;
3926 ctypelen = (int)c->ctype_num;
3927 } else {
3928 ctypes = (unsigned char *)s->s3->tmp.ctype;
3929 ctypelen = s->s3->tmp.ctype_num;
3930 }
3931 for (i = 0; i < ctypelen; i++) {
3932 if (ctypes[i] == check_type) {
3933 rv |= CERT_PKEY_CERT_TYPE;
3934 break;
3935 }
3936 }
3937 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3938 goto end;
3939 } else
3940 rv |= CERT_PKEY_CERT_TYPE;
3941
3942 ca_dn = s->s3->tmp.ca_names;
3943
3944 if (!sk_X509_NAME_num(ca_dn))
3945 rv |= CERT_PKEY_ISSUER_NAME;
3946
3947 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3948 if (ssl_check_ca_name(ca_dn, x))
3949 rv |= CERT_PKEY_ISSUER_NAME;
3950 }
3951 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3952 for (i = 0; i < sk_X509_num(chain); i++) {
3953 X509 *xtmp = sk_X509_value(chain, i);
3954 if (ssl_check_ca_name(ca_dn, xtmp)) {
3955 rv |= CERT_PKEY_ISSUER_NAME;
3956 break;
3957 }
3958 }
3959 }
3960 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3961 goto end;
3962 } else
3963 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3964
3965 if (!check_flags || (rv & check_flags) == check_flags)
3966 rv |= CERT_PKEY_VALID;
3967
3968 end:
3969
3970 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 3971 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 3972 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 3973 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 3974 rv |= CERT_PKEY_SIGN;
3975 } else
3976 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3977
3978 /*
3979 * When checking a CERT_PKEY structure all flags are irrelevant if the
3980 * chain is invalid.
3981 */
3982 if (!check_flags) {
3983 if (rv & CERT_PKEY_VALID)
6383d316 3984 *pvalid = rv;
0f113f3e
MC		 3985 else {
3986 /* Preserve explicit sign flag, clear rest */
6383d316 3987 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 3988 return 0;
3989 }
3990 }
3991 return rv;
3992}
d61ff83b
DSH		 3993
3994/* Set validity of certificates in an SSL structure */
3995void tls1_set_cert_validity(SSL *s)
0f113f3e 3996{
17dd65e6
MC		 3997 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3998 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3999 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 4000 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4001 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4002 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4003 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4004}
4005
18d71588
DSH		 4006/* User level utiity function to check a chain is suitable */
4007int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4008{
4009 return tls1_check_chain(s, x, pk, chain, -1);
4010}
d61ff83b 4011
09599b52
DSH		 4012
4013#ifndef OPENSSL_NO_DH
4014DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4015{
4016 int dh_secbits = 80;
4017 if (s->cert->dh_tmp_auto == 2)
4018 return DH_get_1024_160();
adc5506a 4019 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4020 if (s->s3->tmp.new_cipher->strength_bits == 256)
4021 dh_secbits = 128;
4022 else
4023 dh_secbits = 80;
4024 } else {
4025 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4026 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4027 }
4028
4029 if (dh_secbits >= 128) {
4030 DH *dhp = DH_new();
a71edf3b 4031 if (dhp == NULL)
0f113f3e
MC		 4032 return NULL;
4033 dhp->g = BN_new();
a71edf3b 4034 if (dhp->g != NULL)
0f113f3e
MC		 4035 BN_set_word(dhp->g, 2);
4036 if (dh_secbits >= 192)
4037 dhp->p = get_rfc3526_prime_8192(NULL);
4038 else
4039 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4040 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4041 DH_free(dhp);
4042 return NULL;
4043 }
4044 return dhp;
4045 }
4046 if (dh_secbits >= 112)
4047 return DH_get_2048_224();
4048 return DH_get_1024_160();
4049}
09599b52 4050#endif
b362ccab
DSH		 4051
4052static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4053{
72245f34 4054 int secbits = -1;
8382fd3a 4055 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4056 if (pkey) {
72245f34
DSH		 4057 /*
4058 * If no parameters this will return -1 and fail using the default
4059 * security callback for any non-zero security level. This will
4060 * reject keys which omit parameters but this only affects DSA and
4061 * omission of parameters is never (?) done in practice.
4062 */
0f113f3e 4063 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4064 }
0f113f3e
MC		 4065 if (s)
4066 return ssl_security(s, op, secbits, 0, x);
4067 else
4068 return ssl_ctx_security(ctx, op, secbits, 0, x);
4069}
b362ccab
DSH		 4070
4071static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4072{
4073 /* Lookup signature algorithm digest */
4074 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4075 /* Don't check signature if self signed */
4076 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4077 return 1;
0f113f3e
MC		 4078 sig_nid = X509_get_signature_nid(x);
4079 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4080 const EVP_MD *md;
4081 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4082 secbits = EVP_MD_size(md) * 4;
4083 }
4084 if (s)
4085 return ssl_security(s, op, secbits, md_nid, x);
4086 else
4087 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4088}
b362ccab
DSH		 4089
4090int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4091{
4092 if (vfy)
4093 vfy = SSL_SECOP_PEER;
4094 if (is_ee) {
4095 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4096 return SSL_R_EE_KEY_TOO_SMALL;
4097 } else {
4098 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4099 return SSL_R_CA_KEY_TOO_SMALL;
4100 }
4101 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4102 return SSL_R_CA_MD_TOO_WEAK;
4103 return 1;
4104}
4105
4106/*
4107 * Check security of a chain, if sk includes the end entity certificate then
4108 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4109 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4110 */
4111
4112int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4113{
4114 int rv, start_idx, i;
4115 if (x == NULL) {
4116 x = sk_X509_value(sk, 0);
4117 start_idx = 1;
4118 } else
4119 start_idx = 0;
4120
4121 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4122 if (rv != 1)
4123 return rv;
4124
4125 for (i = start_idx; i < sk_X509_num(sk); i++) {
4126 x = sk_X509_value(sk, i);
4127 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4128 if (rv != 1)
4129 return rv;
4130 }
4131 return 1;
4132}
A mirror of the official openssl repository