]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
58964a49
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
58964a49
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
58964a49
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
58964a49
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
58964a49
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
09599b52 118#ifndef OPENSSL_NO_DH
0f113f3e
MC		 119# include <openssl/dh.h>
120# include <openssl/bn.h>
09599b52 121#endif
58964a49
RE		 122#include "ssl_locl.h"
123
0f113f3e 124const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 125
367eb1f1 126#ifndef OPENSSL_NO_TLSEXT
6434abbf 127static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 128 const unsigned char *sess_id, int sesslen,
129 SSL_SESSION **psess);
2daceb03 130static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 131int ssl_check_serverhello_tlsext(SSL *s);
367eb1f1 132#endif
6434abbf 133
0f113f3e
MC		 134SSL3_ENC_METHOD const TLSv1_enc_data = {
135 tls1_enc,
136 tls1_mac,
137 tls1_setup_key_block,
138 tls1_generate_master_secret,
139 tls1_change_cipher_state,
140 tls1_final_finish_mac,
141 TLS1_FINISH_MAC_LENGTH,
142 tls1_cert_verify_mac,
143 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
144 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
145 tls1_alert_code,
146 tls1_export_keying_material,
147 0,
148 SSL3_HM_HEADER_LENGTH,
149 ssl3_set_handshake_header,
150 ssl3_handshake_write
151};
152
153SSL3_ENC_METHOD const TLSv1_1_enc_data = {
154 tls1_enc,
155 tls1_mac,
156 tls1_setup_key_block,
157 tls1_generate_master_secret,
158 tls1_change_cipher_state,
159 tls1_final_finish_mac,
160 TLS1_FINISH_MAC_LENGTH,
161 tls1_cert_verify_mac,
162 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
163 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
164 tls1_alert_code,
165 tls1_export_keying_material,
166 SSL_ENC_FLAG_EXPLICIT_IV,
167 SSL3_HM_HEADER_LENGTH,
168 ssl3_set_handshake_header,
169 ssl3_handshake_write
170};
171
172SSL3_ENC_METHOD const TLSv1_2_enc_data = {
173 tls1_enc,
174 tls1_mac,
175 tls1_setup_key_block,
176 tls1_generate_master_secret,
177 tls1_change_cipher_state,
178 tls1_final_finish_mac,
179 TLS1_FINISH_MAC_LENGTH,
180 tls1_cert_verify_mac,
181 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
182 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
183 tls1_alert_code,
184 tls1_export_keying_material,
185 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
186 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
187 SSL3_HM_HEADER_LENGTH,
188 ssl3_set_handshake_header,
189 ssl3_handshake_write
190};
58964a49 191
f3b656b2 192long tls1_default_timeout(void)
0f113f3e
MC		 193{
194 /*
195 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
196 * http, the cache would over fill
197 */
198 return (60 * 60 * 2);
199}
58964a49 200
6b691a5c 201int tls1_new(SSL *s)
0f113f3e
MC		 202{
203 if (!ssl3_new(s))
204 return (0);
205 s->method->ssl_clear(s);
206 return (1);
207}
58964a49 208
6b691a5c 209void tls1_free(SSL *s)
0f113f3e 210{
12bf56c0 211#ifndef OPENSSL_NO_TLSEXT
b548a1f1 212 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 213#endif /* OPENSSL_NO_TLSEXT */
214 ssl3_free(s);
215}
58964a49 216
6b691a5c 217void tls1_clear(SSL *s)
0f113f3e
MC		 218{
219 ssl3_clear(s);
220 s->version = s->method->version;
221}
58964a49 222
525de5d3 223#ifndef OPENSSL_NO_EC
eda3766b 224
0f113f3e
MC		 225typedef struct {
226 int nid; /* Curve NID */
227 int secbits; /* Bits of security (from SP800-57) */
228 unsigned int flags; /* Flags: currently just field type */
229} tls_curve_info;
230
231# define TLS_CURVE_CHAR2 0x1
232# define TLS_CURVE_PRIME 0x0
233
234static const tls_curve_info nid_list[] = {
235 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
236 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
237 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
238 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
239 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
240 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
241 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
242 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
243 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
244 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
245 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
246 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
247 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
248 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
249 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
250 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
251 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
252 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
253 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
254 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
255 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
256 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
257 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
258 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
259 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
260 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
261 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
262 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
263};
264
265static const unsigned char ecformats_default[] = {
266 TLSEXT_ECPOINTFORMAT_uncompressed,
267 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
268 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
269};
270
de57d237
EK		 271/* The client's default curves / the server's 'auto' curves. */
272static const unsigned char eccurves_auto[] = {
273 /* Prefer P-256 which has the fastest and most secure implementations. */
274 0, 23, /* secp256r1 (23) */
275 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 276 0, 25, /* secp521r1 (25) */
277 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 278 0, 27, /* brainpoolP384r1 (27) */
279 0, 24, /* secp384r1 (24) */
de57d237
EK		 280 0, 26, /* brainpoolP256r1 (26) */
281 0, 22, /* secp256k1 (22) */
282 /* >= 256-bit binary curves. */
283 0, 14, /* sect571r1 (14) */
284 0, 13, /* sect571k1 (13) */
285 0, 11, /* sect409k1 (11) */
286 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 287 0, 9, /* sect283k1 (9) */
288 0, 10, /* sect283r1 (10) */
de57d237
EK		 289};
290
291static const unsigned char eccurves_all[] = {
292 /* Prefer P-256 which has the fastest and most secure implementations. */
293 0, 23, /* secp256r1 (23) */
294 /* Other >= 256-bit prime curves. */
295 0, 25, /* secp521r1 (25) */
296 0, 28, /* brainpool512r1 (28) */
297 0, 27, /* brainpoolP384r1 (27) */
298 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 299 0, 26, /* brainpoolP256r1 (26) */
300 0, 22, /* secp256k1 (22) */
de57d237
EK		 301 /* >= 256-bit binary curves. */
302 0, 14, /* sect571r1 (14) */
303 0, 13, /* sect571k1 (13) */
304 0, 11, /* sect409k1 (11) */
305 0, 12, /* sect409r1 (12) */
306 0, 9, /* sect283k1 (9) */
307 0, 10, /* sect283r1 (10) */
308 /*
309 * Remaining curves disabled by default but still permitted if set
310 * via an explicit callback or parameters.
311 */
312 0, 20, /* secp224k1 (20) */
313 0, 21, /* secp224r1 (21) */
314 0, 18, /* secp192k1 (18) */
315 0, 19, /* secp192r1 (19) */
316 0, 15, /* secp160k1 (15) */
317 0, 16, /* secp160r1 (16) */
318 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 319 0, 8, /* sect239k1 (8) */
320 0, 6, /* sect233k1 (6) */
321 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 322 0, 4, /* sect193r1 (4) */
323 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 324 0, 1, /* sect163k1 (1) */
325 0, 2, /* sect163r1 (2) */
326 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 327};
328
de57d237 329
0f113f3e
MC		 330static const unsigned char suiteb_curves[] = {
331 0, TLSEXT_curve_P_256,
332 0, TLSEXT_curve_P_384
333};
2ea80354 334
525de5d3 335int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 336{
337 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 338 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 339 return 0;
340 return nid_list[curve_id - 1].nid;
341}
525de5d3
DSH		 342
343int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 344{
345 /* ECC curves from RFC 4492 and RFC 7027 */
346 switch (nid) {
347 case NID_sect163k1: /* sect163k1 (1) */
348 return 1;
349 case NID_sect163r1: /* sect163r1 (2) */
350 return 2;
351 case NID_sect163r2: /* sect163r2 (3) */
352 return 3;
353 case NID_sect193r1: /* sect193r1 (4) */
354 return 4;
355 case NID_sect193r2: /* sect193r2 (5) */
356 return 5;
357 case NID_sect233k1: /* sect233k1 (6) */
358 return 6;
359 case NID_sect233r1: /* sect233r1 (7) */
360 return 7;
361 case NID_sect239k1: /* sect239k1 (8) */
362 return 8;
363 case NID_sect283k1: /* sect283k1 (9) */
364 return 9;
365 case NID_sect283r1: /* sect283r1 (10) */
366 return 10;
367 case NID_sect409k1: /* sect409k1 (11) */
368 return 11;
369 case NID_sect409r1: /* sect409r1 (12) */
370 return 12;
371 case NID_sect571k1: /* sect571k1 (13) */
372 return 13;
373 case NID_sect571r1: /* sect571r1 (14) */
374 return 14;
375 case NID_secp160k1: /* secp160k1 (15) */
376 return 15;
377 case NID_secp160r1: /* secp160r1 (16) */
378 return 16;
379 case NID_secp160r2: /* secp160r2 (17) */
380 return 17;
381 case NID_secp192k1: /* secp192k1 (18) */
382 return 18;
383 case NID_X9_62_prime192v1: /* secp192r1 (19) */
384 return 19;
385 case NID_secp224k1: /* secp224k1 (20) */
386 return 20;
387 case NID_secp224r1: /* secp224r1 (21) */
388 return 21;
389 case NID_secp256k1: /* secp256k1 (22) */
390 return 22;
391 case NID_X9_62_prime256v1: /* secp256r1 (23) */
392 return 23;
393 case NID_secp384r1: /* secp384r1 (24) */
394 return 24;
395 case NID_secp521r1: /* secp521r1 (25) */
396 return 25;
397 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
398 return 26;
399 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
400 return 27;
401 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
402 return 28;
403 default:
404 return 0;
405 }
406}
407
740580c2
EK		 408/*
409 * Get curves list, if "sess" is set return client curves otherwise
410 * preferred list.
411 * Sets |num_curves| to the number of curves in the list, i.e.,
412 * the length of |pcurves| is 2 * num_curves.
413 * Returns 1 on success and 0 if the client curves list has invalid format.
414 * The latter indicates an internal error: we should not be accepting such
415 * lists in the first place.
416 * TODO(emilia): we should really be storing the curves list in explicitly
417 * parsed form instead. (However, this would affect binary compatibility
418 * so cannot happen in the 1.0.x series.)
fd2b65ce 419 */
740580c2 420static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 421 const unsigned char **pcurves,
422 size_t *num_curves)
423{
424 size_t pcurveslen = 0;
425 if (sess) {
426 *pcurves = s->session->tlsext_ellipticcurvelist;
427 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
428 } else {
429 /* For Suite B mode only include P-256, P-384 */
430 switch (tls1_suiteb(s)) {
431 case SSL_CERT_FLAG_SUITEB_128_LOS:
432 *pcurves = suiteb_curves;
433 pcurveslen = sizeof(suiteb_curves);
434 break;
435
436 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
437 *pcurves = suiteb_curves;
438 pcurveslen = 2;
439 break;
440
441 case SSL_CERT_FLAG_SUITEB_192_LOS:
442 *pcurves = suiteb_curves + 2;
443 pcurveslen = 2;
444 break;
445 default:
446 *pcurves = s->tlsext_ellipticcurvelist;
447 pcurveslen = s->tlsext_ellipticcurvelist_length;
448 }
449 if (!*pcurves) {
de57d237
EK		 450 if (!s->server || (s->cert && s->cert->ecdh_tmp_auto)) {
451 *pcurves = eccurves_auto;
452 pcurveslen = sizeof(eccurves_auto);
453 } else {
454 *pcurves = eccurves_all;
455 pcurveslen = sizeof(eccurves_all);
456 }
0f113f3e
MC		 457 }
458 }
459
460 /* We do not allow odd length arrays to enter the system. */
461 if (pcurveslen & 1) {
462 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
463 *num_curves = 0;
464 return 0;
465 } else {
466 *num_curves = pcurveslen / 2;
467 return 1;
468 }
469}
b362ccab
DSH		 470
471/* See if curve is allowed by security callback */
472static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 473{
474 const tls_curve_info *cinfo;
475 if (curve[0])
476 return 1;
b6eb9827 477 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 478 return 0;
479 cinfo = &nid_list[curve[1] - 1];
480# ifdef OPENSSL_NO_EC2M
481 if (cinfo->flags & TLS_CURVE_CHAR2)
482 return 0;
483# endif
484 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
485}
b362ccab 486
d18b716d
DSH		 487/* Check a curve is one of our preferences */
488int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 489{
490 const unsigned char *curves;
491 size_t num_curves, i;
492 unsigned int suiteb_flags = tls1_suiteb(s);
493 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
494 return 0;
495 /* Check curve matches Suite B preferences */
496 if (suiteb_flags) {
497 unsigned long cid = s->s3->tmp.new_cipher->id;
498 if (p[1])
499 return 0;
500 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
501 if (p[2] != TLSEXT_curve_P_256)
502 return 0;
503 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
504 if (p[2] != TLSEXT_curve_P_384)
505 return 0;
506 } else /* Should never happen */
507 return 0;
508 }
509 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
510 return 0;
511 for (i = 0; i < num_curves; i++, curves += 2) {
512 if (p[1] == curves[0] && p[2] == curves[1])
513 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
514 }
515 return 0;
516}
d0595f17 517
1d97c843 518/*-
376e2ca3
EK		 519 * Return |nmatch|th shared curve or NID_undef if there is no match.
520 * For nmatch == -1, return number of matches
521 * For nmatch == -2, return the NID of the curve to use for
522 * an EC tmp key, or NID_undef if there is no match.
d0595f17 523 */
a4352630 524int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 525{
526 const unsigned char *pref, *supp;
527 size_t num_pref, num_supp, i, j;
528 int k;
529 /* Can't do anything on client side */
530 if (s->server == 0)
531 return -1;
532 if (nmatch == -2) {
533 if (tls1_suiteb(s)) {
534 /*
535 * For Suite B ciphersuite determines curve: we already know
536 * these are acceptable due to previous checks.
537 */
538 unsigned long cid = s->s3->tmp.new_cipher->id;
539 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
540 return NID_X9_62_prime256v1; /* P-256 */
541 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
542 return NID_secp384r1; /* P-384 */
543 /* Should never happen */
544 return NID_undef;
545 }
546 /* If not Suite B just return first preference shared curve */
547 nmatch = 0;
548 }
549 /*
550 * Avoid truncation. tls1_get_curvelist takes an int
551 * but s->options is a long...
552 */
553 if (!tls1_get_curvelist
554 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
555 &num_supp))
556 /* In practice, NID_undef == 0 but let's be precise. */
557 return nmatch == -1 ? 0 : NID_undef;
558 if (!tls1_get_curvelist
559 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
560 &num_pref))
561 return nmatch == -1 ? 0 : NID_undef;
562 k = 0;
563 for (i = 0; i < num_pref; i++, pref += 2) {
564 const unsigned char *tsupp = supp;
565 for (j = 0; j < num_supp; j++, tsupp += 2) {
566 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
567 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
568 continue;
569 if (nmatch == k) {
570 int id = (pref[0] << 8) | pref[1];
571 return tls1_ec_curve_id2nid(id);
572 }
573 k++;
574 }
575 }
576 }
577 if (nmatch == -1)
578 return k;
579 /* Out of range (nmatch > k). */
580 return NID_undef;
581}
d0595f17
DSH		 582
583int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 584 int *curves, size_t ncurves)
585{
586 unsigned char *clist, *p;
587 size_t i;
588 /*
589 * Bitmap of curves included to detect duplicates: only works while curve
590 * ids < 32
591 */
592 unsigned long dup_list = 0;
593 clist = OPENSSL_malloc(ncurves * 2);
594 if (!clist)
595 return 0;
596 for (i = 0, p = clist; i < ncurves; i++) {
597 unsigned long idmask;
598 int id;
599 id = tls1_ec_nid2curve_id(curves[i]);
600 idmask = 1L << id;
601 if (!id || (dup_list & idmask)) {
602 OPENSSL_free(clist);
603 return 0;
604 }
605 dup_list |= idmask;
606 s2n(id, p);
607 }
b548a1f1 608 OPENSSL_free(*pext);
0f113f3e
MC		 609 *pext = clist;
610 *pextlen = ncurves * 2;
611 return 1;
612}
613
614# define MAX_CURVELIST 28
615
616typedef struct {
617 size_t nidcnt;
618 int nid_arr[MAX_CURVELIST];
619} nid_cb_st;
d0595f17
DSH		 620
621static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 622{
623 nid_cb_st *narg = arg;
624 size_t i;
625 int nid;
626 char etmp[20];
2747d73c
KR		 627 if (elem == NULL)
628 return 0;
0f113f3e
MC		 629 if (narg->nidcnt == MAX_CURVELIST)
630 return 0;
631 if (len > (int)(sizeof(etmp) - 1))
632 return 0;
633 memcpy(etmp, elem, len);
634 etmp[len] = 0;
635 nid = EC_curve_nist2nid(etmp);
636 if (nid == NID_undef)
637 nid = OBJ_sn2nid(etmp);
638 if (nid == NID_undef)
639 nid = OBJ_ln2nid(etmp);
640 if (nid == NID_undef)
641 return 0;
642 for (i = 0; i < narg->nidcnt; i++)
643 if (narg->nid_arr[i] == nid)
644 return 0;
645 narg->nid_arr[narg->nidcnt++] = nid;
646 return 1;
647}
648
d0595f17 649/* Set curves based on a colon separate list */
0f113f3e
MC		 650int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
651 const char *str)
652{
653 nid_cb_st ncb;
654 ncb.nidcnt = 0;
655 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
656 return 0;
657 if (pext == NULL)
658 return 1;
659 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
660}
661
fd2b65ce
DSH		 662/* For an EC key set TLS id and required compression based on parameters */
663static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 664 EC_KEY *ec)
665{
666 int is_prime, id;
667 const EC_GROUP *grp;
668 const EC_METHOD *meth;
669 if (!ec)
670 return 0;
671 /* Determine if it is a prime field */
672 grp = EC_KEY_get0_group(ec);
673 if (!grp)
674 return 0;
675 meth = EC_GROUP_method_of(grp);
676 if (!meth)
677 return 0;
678 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
679 is_prime = 1;
680 else
681 is_prime = 0;
682 /* Determine curve ID */
683 id = EC_GROUP_get_curve_name(grp);
684 id = tls1_ec_nid2curve_id(id);
685 /* If we have an ID set it, otherwise set arbitrary explicit curve */
686 if (id) {
687 curve_id[0] = 0;
688 curve_id[1] = (unsigned char)id;
689 } else {
690 curve_id[0] = 0xff;
691 if (is_prime)
692 curve_id[1] = 0x01;
693 else
694 curve_id[1] = 0x02;
695 }
696 if (comp_id) {
697 if (EC_KEY_get0_public_key(ec) == NULL)
698 return 0;
699 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
700 if (is_prime)
701 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
702 else
703 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
704 } else
705 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
706 }
707 return 1;
708}
709
fd2b65ce
DSH		 710/* Check an EC key is compatible with extensions */
711static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 712 unsigned char *curve_id, unsigned char *comp_id)
713{
714 const unsigned char *pformats, *pcurves;
715 size_t num_formats, num_curves, i;
716 int j;
717 /*
718 * If point formats extension present check it, otherwise everything is
719 * supported (see RFC4492).
720 */
721 if (comp_id && s->session->tlsext_ecpointformatlist) {
722 pformats = s->session->tlsext_ecpointformatlist;
723 num_formats = s->session->tlsext_ecpointformatlist_length;
724 for (i = 0; i < num_formats; i++, pformats++) {
725 if (*comp_id == *pformats)
726 break;
727 }
728 if (i == num_formats)
729 return 0;
730 }
731 if (!curve_id)
732 return 1;
733 /* Check curve is consistent with client and server preferences */
734 for (j = 0; j <= 1; j++) {
735 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
736 return 0;
b79d2410
MC		 737 if (j == 1 && num_curves == 0) {
738 /*
739 * If we've not received any curves then skip this check.
740 * RFC 4492 does not require the supported elliptic curves extension
741 * so if it is not sent we can just choose any curve.
742 * It is invalid to send an empty list in the elliptic curves
743 * extension, so num_curves == 0 always means no extension.
744 */
745 break;
746 }
0f113f3e
MC		 747 for (i = 0; i < num_curves; i++, pcurves += 2) {
748 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
749 break;
750 }
751 if (i == num_curves)
752 return 0;
753 /* For clients can only check sent curve list */
754 if (!s->server)
755 break;
756 }
757 return 1;
758}
d61ff83b 759
5087afa1 760static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 761 size_t *num_formats)
762{
763 /*
764 * If we have a custom point format list use it otherwise use default
765 */
766 if (s->tlsext_ecpointformatlist) {
767 *pformats = s->tlsext_ecpointformatlist;
768 *num_formats = s->tlsext_ecpointformatlist_length;
769 } else {
770 *pformats = ecformats_default;
771 /* For Suite B we don't support char2 fields */
772 if (tls1_suiteb(s))
773 *num_formats = sizeof(ecformats_default) - 1;
774 else
775 *num_formats = sizeof(ecformats_default);
776 }
777}
778
779/*
780 * Check cert parameters compatible with extensions: currently just checks EC
781 * certificates have compatible curves and compression.
d61ff83b 782 */
2ea80354 783static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 784{
785 unsigned char comp_id, curve_id[2];
786 EVP_PKEY *pkey;
787 int rv;
788 pkey = X509_get_pubkey(x);
789 if (!pkey)
790 return 0;
791 /* If not EC nothing to do */
792 if (pkey->type != EVP_PKEY_EC) {
793 EVP_PKEY_free(pkey);
794 return 1;
795 }
796 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
797 EVP_PKEY_free(pkey);
798 if (!rv)
799 return 0;
800 /*
801 * Can't check curve_id for client certs as we don't have a supported
802 * curves extension.
803 */
804 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
805 if (!rv)
806 return 0;
807 /*
808 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
809 * SHA384+P-384, adjust digest if necessary.
810 */
811 if (set_ee_md && tls1_suiteb(s)) {
812 int check_md;
813 size_t i;
814 CERT *c = s->cert;
815 if (curve_id[0])
816 return 0;
817 /* Check to see we have necessary signing algorithm */
818 if (curve_id[1] == TLSEXT_curve_P_256)
819 check_md = NID_ecdsa_with_SHA256;
820 else if (curve_id[1] == TLSEXT_curve_P_384)
821 check_md = NID_ecdsa_with_SHA384;
822 else
823 return 0; /* Should never happen */
824 for (i = 0; i < c->shared_sigalgslen; i++)
825 if (check_md == c->shared_sigalgs[i].signandhash_nid)
826 break;
827 if (i == c->shared_sigalgslen)
828 return 0;
829 if (set_ee_md == 2) {
830 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 831 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 832 else
d376e57d 833 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 834 }
835 }
836 return rv;
837}
838
10bf4fc2 839# ifndef OPENSSL_NO_EC
fd2b65ce 840/* Check EC temporary key is compatible with client extensions */
2ea80354 841int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e
MC		 842{
843 unsigned char curve_id[2];
844 EC_KEY *ec = s->cert->ecdh_tmp;
845# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
846 /* Allow any curve: not just those peer supports */
847 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
848 return 1;
849# endif
850 /*
851 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
852 * curves permitted.
853 */
854 if (tls1_suiteb(s)) {
855 /* Curve to check determined by ciphersuite */
856 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
857 curve_id[1] = TLSEXT_curve_P_256;
858 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
859 curve_id[1] = TLSEXT_curve_P_384;
860 else
861 return 0;
862 curve_id[0] = 0;
863 /* Check this curve is acceptable */
864 if (!tls1_check_ec_key(s, curve_id, NULL))
865 return 0;
866 /* If auto or setting curve from callback assume OK */
867 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
868 return 1;
869 /* Otherwise check curve is acceptable */
870 else {
871 unsigned char curve_tmp[2];
872 if (!ec)
873 return 0;
874 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
875 return 0;
876 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
877 return 1;
878 return 0;
879 }
880
881 }
882 if (s->cert->ecdh_tmp_auto) {
883 /* Need a shared curve */
884 if (tls1_shared_curve(s, 0))
885 return 1;
886 else
887 return 0;
888 }
889 if (!ec) {
890 if (s->cert->ecdh_tmp_cb)
891 return 1;
892 else
893 return 0;
894 }
895 if (!tls1_set_ec_id(curve_id, NULL, ec))
896 return 0;
d18b716d 897/* Set this to allow use of invalid curves for testing */
0f113f3e
MC		 898# if 0
899 return 1;
900# else
901 return tls1_check_ec_key(s, curve_id, NULL);
902# endif
903}
10bf4fc2 904# endif /* OPENSSL_NO_EC */
d0595f17 905
14536c8c
DSH		 906#else
907
908static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 909{
910 return 1;
911}
14536c8c 912
0f113f3e 913#endif /* OPENSSL_NO_EC */
f1fd4544 914
ed3883d2 915#ifndef OPENSSL_NO_TLSEXT
fc101f88 916
0f113f3e
MC		 917/*
918 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 919 * customisable at some point, for now include everything we support.
920 */
921
0f113f3e
MC		 922# ifdef OPENSSL_NO_RSA
923# define tlsext_sigalg_rsa(md) /* */
924# else
925# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
926# endif
927
928# ifdef OPENSSL_NO_DSA
929# define tlsext_sigalg_dsa(md) /* */
930# else
931# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
932# endif
933
10bf4fc2
RS		 934# ifdef OPENSSL_NO_EC
935# define tlsext_sigalg_ecdsa(md) /* */
0f113f3e
MC		 936# else
937# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
938# endif
939
940# define tlsext_sigalg(md) \
941 tlsext_sigalg_rsa(md) \
942 tlsext_sigalg_dsa(md) \
943 tlsext_sigalg_ecdsa(md)
fc101f88 944
d97ed219 945static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 946 tlsext_sigalg(TLSEXT_hash_sha512)
947 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 948 tlsext_sigalg(TLSEXT_hash_sha256)
949 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 950 tlsext_sigalg(TLSEXT_hash_sha1)
fc101f88 951};
0f113f3e 952
10bf4fc2 953# ifndef OPENSSL_NO_EC
d97ed219 954static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 955 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
956 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 957};
0f113f3e 958# endif
b7bfe69b 959size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 960{
961 /*
962 * If Suite B mode use Suite B sigalgs only, ignore any other
963 * preferences.
964 */
965# ifndef OPENSSL_NO_EC
966 switch (tls1_suiteb(s)) {
967 case SSL_CERT_FLAG_SUITEB_128_LOS:
968 *psigs = suiteb_sigalgs;
969 return sizeof(suiteb_sigalgs);
970
971 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
972 *psigs = suiteb_sigalgs;
973 return 2;
974
975 case SSL_CERT_FLAG_SUITEB_192_LOS:
976 *psigs = suiteb_sigalgs + 2;
977 return 2;
978 }
979# endif
980 /* If server use client authentication sigalgs if not NULL */
981 if (s->server && s->cert->client_sigalgs) {
982 *psigs = s->cert->client_sigalgs;
983 return s->cert->client_sigalgslen;
984 } else if (s->cert->conf_sigalgs) {
985 *psigs = s->cert->conf_sigalgs;
986 return s->cert->conf_sigalgslen;
987 } else {
988 *psigs = tls12_sigalgs;
989 return sizeof(tls12_sigalgs);
990 }
991}
992
993/*
994 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 995 * algorithms and if so return relevant digest.
996 */
997int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 998 const unsigned char *sig, EVP_PKEY *pkey)
999{
1000 const unsigned char *sent_sigs;
1001 size_t sent_sigslen, i;
1002 int sigalg = tls12_get_sigid(pkey);
1003 /* Should never happen */
1004 if (sigalg == -1)
1005 return -1;
1006 /* Check key type is consistent with signature */
1007 if (sigalg != (int)sig[1]) {
1008 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1009 return 0;
1010 }
1011# ifndef OPENSSL_NO_EC
1012 if (pkey->type == EVP_PKEY_EC) {
1013 unsigned char curve_id[2], comp_id;
1014 /* Check compression and curve matches extensions */
1015 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1016 return 0;
1017 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1018 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1019 return 0;
1020 }
1021 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1022 if (tls1_suiteb(s)) {
1023 if (curve_id[0])
1024 return 0;
1025 if (curve_id[1] == TLSEXT_curve_P_256) {
1026 if (sig[0] != TLSEXT_hash_sha256) {
1027 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1028 SSL_R_ILLEGAL_SUITEB_DIGEST);
1029 return 0;
1030 }
1031 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1032 if (sig[0] != TLSEXT_hash_sha384) {
1033 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1034 SSL_R_ILLEGAL_SUITEB_DIGEST);
1035 return 0;
1036 }
1037 } else
1038 return 0;
1039 }
1040 } else if (tls1_suiteb(s))
1041 return 0;
1042# endif
1043
1044 /* Check signature matches a type we sent */
1045 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1046 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1047 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1048 break;
1049 }
1050 /* Allow fallback to SHA1 if not strict mode */
1051 if (i == sent_sigslen
1052 && (sig[0] != TLSEXT_hash_sha1
1053 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1054 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1055 return 0;
1056 }
1057 *pmd = tls12_get_hash(sig[0]);
1058 if (*pmd == NULL) {
1059 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1060 return 0;
1061 }
1062 /* Make sure security callback allows algorithm */
1063 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1064 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1065 (void *)sig)) {
1066 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1067 return 0;
1068 }
1069 /*
1070 * Store the digest used so applications can retrieve it if they wish.
1071 */
d376e57d 1072 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1073 return 1;
1074}
2ea80354 1075
0f113f3e
MC		 1076/*
1077 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1078 * supported or doesn't appear in supported signature algorithms. Unlike
1079 * ssl_cipher_get_disabled this applies to a specific session and not global
1080 * settings.
b7bfe69b
DSH		 1081 */
1082void ssl_set_client_disabled(SSL *s)
0f113f3e 1083{
4d69f9e6
DSH		 1084 s->s3->tmp.mask_a = 0;
1085 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1086 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1087 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1088 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1089 else
4d69f9e6
DSH		 1090 s->s3->tmp.mask_ssl = 0;
1091 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1092 /*
1093 * Disable static DH if we don't include any appropriate signature
1094 * algorithms.
1095 */
4d69f9e6
DSH		 1096 if (s->s3->tmp.mask_a & SSL_aRSA)
1097 s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr;
1098 if (s->s3->tmp.mask_a & SSL_aDSS)
1099 s->s3->tmp.mask_k |= SSL_kDHd;
1100 if (s->s3->tmp.mask_a & SSL_aECDSA)
1101 s->s3->tmp.mask_k |= SSL_kECDHe;
0f113f3e
MC		 1102# ifndef OPENSSL_NO_PSK
1103 /* with PSK there must be client callback set */
1104 if (!s->psk_client_callback) {
4d69f9e6
DSH		 1105 s->s3->tmp.mask_a |= SSL_aPSK;
1106 s->s3->tmp.mask_k |= SSL_kPSK;
0f113f3e
MC		 1107 }
1108# endif /* OPENSSL_NO_PSK */
1109# ifndef OPENSSL_NO_SRP
1110 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1111 s->s3->tmp.mask_a |= SSL_aSRP;
1112 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e
MC		 1113 }
1114# endif
0f113f3e 1115}
fc101f88 1116
b362ccab 1117int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1118{
4d69f9e6
DSH		 1119 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1120 || c->algorithm_mkey & s->s3->tmp.mask_k
1121 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1122 return 1;
1123 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1124}
b362ccab
DSH		 1125
1126static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1127{
1128 if (s->options & SSL_OP_NO_TICKET)
1129 return 0;
1130 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1131}
ed3883d2 1132
0f113f3e
MC		 1133unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1134 unsigned char *limit, int *al)
1135{
1136 int extdatalen = 0;
1137 unsigned char *orig = buf;
1138 unsigned char *ret = buf;
1139# ifndef OPENSSL_NO_EC
1140 /* See if we support any ECC ciphersuites */
1141 int using_ecc = 0;
1142 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1143 int i;
1144 unsigned long alg_k, alg_a;
1145 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1146
1147 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1148 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1149
1150 alg_k = c->algorithm_mkey;
1151 alg_a = c->algorithm_auth;
1152 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
1153 || (alg_a & SSL_aECDSA))) {
1154 using_ecc = 1;
1155 break;
1156 }
1157 }
1158 }
1159# endif
ed3883d2 1160
0f113f3e 1161 ret += 2;
6434abbf 1162
0f113f3e
MC		 1163 if (ret >= limit)
1164 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1165
0f113f3e
MC		 1166 /* Add RI if renegotiating */
1167 if (s->renegotiate) {
1168 int el;
5a3d8eeb 1169
0f113f3e
MC		 1170 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1171 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1172 return NULL;
1173 }
5a3d8eeb 1174
0f113f3e
MC		 1175 if ((limit - ret - 4 - el) < 0)
1176 return NULL;
5a3d8eeb 1177
0f113f3e
MC		 1178 s2n(TLSEXT_TYPE_renegotiate, ret);
1179 s2n(el, ret);
5a3d8eeb 1180
0f113f3e
MC		 1181 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1182 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1183 return NULL;
5a3d8eeb 1184 }
edc032b5 1185
0f113f3e
MC		 1186 ret += el;
1187 }
1188 /* Only add RI for SSLv3 */
1189 if (s->client_version == SSL3_VERSION)
1190 goto done;
1191
1192 if (s->tlsext_hostname != NULL) {
1193 /* Add TLS extension servername to the Client Hello message */
1194 unsigned long size_str;
1195 long lenmax;
1196
50e735f9
MC		 1197 /*-
1198 * check for enough space.
1199 * 4 for the servername type and entension length
1200 * 2 for servernamelist length
1201 * 1 for the hostname type
1202 * 2 for hostname length
1203 * + hostname length
1204 */
0f113f3e
MC		 1205
1206 if ((lenmax = limit - ret - 9) < 0
1207 || (size_str =
1208 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1209 return NULL;
1210
1211 /* extension type and length */
1212 s2n(TLSEXT_TYPE_server_name, ret);
1213 s2n(size_str + 5, ret);
1214
1215 /* length of servername list */
1216 s2n(size_str + 3, ret);
1217
1218 /* hostname type, length and hostname */
1219 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1220 s2n(size_str, ret);
1221 memcpy(ret, s->tlsext_hostname, size_str);
1222 ret += size_str;
1223 }
1224# ifndef OPENSSL_NO_SRP
1225 /* Add SRP username if there is one */
1226 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1227 * Client Hello message */
1228
1229 int login_len = strlen(s->srp_ctx.login);
1230 if (login_len > 255 || login_len == 0) {
1231 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1232 return NULL;
1233 }
761772d7 1234
50e735f9
MC		 1235 /*-
1236 * check for enough space.
1237 * 4 for the srp type type and entension length
1238 * 1 for the srp user identity
1239 * + srp user identity length
1240 */
0f113f3e
MC		 1241 if ((limit - ret - 5 - login_len) < 0)
1242 return NULL;
1243
1244 /* fill in the extension */
1245 s2n(TLSEXT_TYPE_srp, ret);
1246 s2n(login_len + 1, ret);
1247 (*ret++) = (unsigned char)login_len;
1248 memcpy(ret, s->srp_ctx.login, login_len);
1249 ret += login_len;
1250 }
1251# endif
1252
1253# ifndef OPENSSL_NO_EC
1254 if (using_ecc) {
1255 /*
1256 * Add TLS extension ECPointFormats to the ClientHello message
1257 */
1258 long lenmax;
1259 const unsigned char *pcurves, *pformats;
1260 size_t num_curves, num_formats, curves_list_len;
1261 size_t i;
1262 unsigned char *etmp;
1263
1264 tls1_get_formatlist(s, &pformats, &num_formats);
1265
1266 if ((lenmax = limit - ret - 5) < 0)
1267 return NULL;
1268 if (num_formats > (size_t)lenmax)
1269 return NULL;
1270 if (num_formats > 255) {
1271 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1272 return NULL;
1273 }
4817504d 1274
0f113f3e
MC		 1275 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1276 /* The point format list has 1-byte length. */
1277 s2n(num_formats + 1, ret);
1278 *(ret++) = (unsigned char)num_formats;
1279 memcpy(ret, pformats, num_formats);
1280 ret += num_formats;
1281
1282 /*
1283 * Add TLS extension EllipticCurves to the ClientHello message
1284 */
1285 pcurves = s->tlsext_ellipticcurvelist;
1286 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1287 return NULL;
1288
1289 if ((lenmax = limit - ret - 6) < 0)
1290 return NULL;
1291 if (num_curves > (size_t)lenmax / 2)
1292 return NULL;
1293 if (num_curves > 65532 / 2) {
1294 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1295 return NULL;
1296 }
ee2ffc27 1297
0f113f3e
MC		 1298 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1299 etmp = ret + 4;
1300 /* Copy curve ID if supported */
1301 for (i = 0; i < num_curves; i++, pcurves += 2) {
1302 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1303 *etmp++ = pcurves[0];
1304 *etmp++ = pcurves[1];
1305 }
1306 }
01f2f18f 1307
0f113f3e
MC		 1308 curves_list_len = etmp - ret - 4;
1309
1310 s2n(curves_list_len + 2, ret);
1311 s2n(curves_list_len, ret);
1312 ret += curves_list_len;
1313 }
1314# endif /* OPENSSL_NO_EC */
1315
1316 if (tls_use_ticket(s)) {
1317 int ticklen;
1318 if (!s->new_session && s->session && s->session->tlsext_tick)
1319 ticklen = s->session->tlsext_ticklen;
1320 else if (s->session && s->tlsext_session_ticket &&
1321 s->tlsext_session_ticket->data) {
1322 ticklen = s->tlsext_session_ticket->length;
1323 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1324 if (!s->session->tlsext_tick)
1325 return NULL;
1326 memcpy(s->session->tlsext_tick,
1327 s->tlsext_session_ticket->data, ticklen);
1328 s->session->tlsext_ticklen = ticklen;
1329 } else
1330 ticklen = 0;
1331 if (ticklen == 0 && s->tlsext_session_ticket &&
1332 s->tlsext_session_ticket->data == NULL)
1333 goto skip_ext;
1334 /*
1335 * Check for enough room 2 for extension type, 2 for len rest for
1336 * ticket
1337 */
1338 if ((long)(limit - ret - 4 - ticklen) < 0)
1339 return NULL;
1340 s2n(TLSEXT_TYPE_session_ticket, ret);
1341 s2n(ticklen, ret);
1342 if (ticklen) {
1343 memcpy(ret, s->session->tlsext_tick, ticklen);
1344 ret += ticklen;
1345 }
1346 }
1347 skip_ext:
1348
1349 if (SSL_USE_SIGALGS(s)) {
1350 size_t salglen;
1351 const unsigned char *salg;
1352 unsigned char *etmp;
1353 salglen = tls12_get_psigalgs(s, &salg);
1354 if ((size_t)(limit - ret) < salglen + 6)
1355 return NULL;
1356 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1357 etmp = ret;
1358 /* Skip over lengths for now */
1359 ret += 4;
1360 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1361 /* Fill in lengths */
1362 s2n(salglen + 2, etmp);
1363 s2n(salglen, etmp);
1364 ret += salglen;
1365 }
0f113f3e
MC		 1366
1367 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1368 int i;
1369 long extlen, idlen, itmp;
1370 OCSP_RESPID *id;
1371
1372 idlen = 0;
1373 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1374 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1375 itmp = i2d_OCSP_RESPID(id, NULL);
1376 if (itmp <= 0)
1377 return NULL;
1378 idlen += itmp + 2;
860c3dd1
DSH		 1379 }
1380
0f113f3e
MC		 1381 if (s->tlsext_ocsp_exts) {
1382 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1383 if (extlen < 0)
1384 return NULL;
1385 } else
1386 extlen = 0;
1387
1388 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1389 return NULL;
1390 s2n(TLSEXT_TYPE_status_request, ret);
1391 if (extlen + idlen > 0xFFF0)
1392 return NULL;
1393 s2n(extlen + idlen + 5, ret);
1394 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1395 s2n(idlen, ret);
1396 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1397 /* save position of id len */
1398 unsigned char *q = ret;
1399 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1400 /* skip over id len */
1401 ret += 2;
1402 itmp = i2d_OCSP_RESPID(id, &ret);
1403 /* write id len */
1404 s2n(itmp, q);
1405 }
1406 s2n(extlen, ret);
1407 if (extlen > 0)
1408 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1409 }
1410# ifndef OPENSSL_NO_HEARTBEATS
1411 /* Add Heartbeat extension */
1412 if ((limit - ret - 4 - 1) < 0)
1413 return NULL;
1414 s2n(TLSEXT_TYPE_heartbeat, ret);
1415 s2n(1, ret);
50e735f9
MC		 1416 /*-
1417 * Set mode:
1418 * 1: peer may send requests
1419 * 2: peer not allowed to send requests
1420 */
0f113f3e
MC		 1421 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1422 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1423 else
1424 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1425# endif
1426
1427# ifndef OPENSSL_NO_NEXTPROTONEG
1428 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1429 /*
1430 * The client advertises an emtpy extension to indicate its support
1431 * for Next Protocol Negotiation
1432 */
1433 if (limit - ret - 4 < 0)
1434 return NULL;
1435 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1436 s2n(0, ret);
1437 }
1438# endif
1439
1440 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1441 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1442 return NULL;
1443 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1444 s2n(2 + s->alpn_client_proto_list_len, ret);
1445 s2n(s->alpn_client_proto_list_len, ret);
1446 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1447 ret += s->alpn_client_proto_list_len;
1448 }
1449# ifndef OPENSSL_NO_SRTP
1450 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1451 int el;
1452
69f68237
MC		 1453 /* Returns 0 on success!! */
1454 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1455 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1456 return NULL;
1457 }
0f113f3e
MC		 1458
1459 if ((limit - ret - 4 - el) < 0)
1460 return NULL;
1461
1462 s2n(TLSEXT_TYPE_use_srtp, ret);
1463 s2n(el, ret);
1464
1465 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1466 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1467 return NULL;
1468 }
1469 ret += el;
1470 }
1471# endif
1472 custom_ext_init(&s->cert->cli_ext);
1473 /* Add custom TLS Extensions to ClientHello */
1474 if (!custom_ext_add(s, 0, &ret, limit, al))
1475 return NULL;
1476# ifdef TLSEXT_TYPE_encrypt_then_mac
1477 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1478 s2n(0, ret);
1479# endif
ddc06b35
DSH		 1480 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1481 s2n(0, ret);
0f113f3e
MC		 1482
1483 /*
1484 * Add padding to workaround bugs in F5 terminators. See
1485 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1486 * code works out the length of all existing extensions it MUST always
1487 * appear last.
1488 */
1489 if (s->options & SSL_OP_TLSEXT_PADDING) {
1490 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1491
0f113f3e
MC		 1492 if (hlen > 0xff && hlen < 0x200) {
1493 hlen = 0x200 - hlen;
1494 if (hlen >= 4)
1495 hlen -= 4;
1496 else
1497 hlen = 0;
1498
1499 s2n(TLSEXT_TYPE_padding, ret);
1500 s2n(hlen, ret);
1501 memset(ret, 0, hlen);
1502 ret += hlen;
1503 }
1504 }
5a3d8eeb 1505
0f113f3e 1506 done:
5a3d8eeb 1507
0f113f3e
MC		 1508 if ((extdatalen = ret - orig - 2) == 0)
1509 return orig;
5a3d8eeb 1510
0f113f3e
MC		 1511 s2n(extdatalen, orig);
1512 return ret;
1513}
333f926d 1514
0f113f3e
MC		 1515unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1516 unsigned char *limit, int *al)
1517{
1518 int extdatalen = 0;
1519 unsigned char *orig = buf;
1520 unsigned char *ret = buf;
1521# ifndef OPENSSL_NO_NEXTPROTONEG
1522 int next_proto_neg_seen;
1523# endif
1524# ifndef OPENSSL_NO_EC
1525 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1526 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1527 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1528 || (alg_a & SSL_aECDSA);
1529 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1530# endif
1531
1532 ret += 2;
1533 if (ret >= limit)
1534 return NULL; /* this really never occurs, but ... */
1535
1536 if (s->s3->send_connection_binding) {
1537 int el;
1538
1539 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1540 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1541 return NULL;
1542 }
333f926d 1543
0f113f3e
MC		 1544 if ((limit - ret - 4 - el) < 0)
1545 return NULL;
333f926d 1546
0f113f3e
MC		 1547 s2n(TLSEXT_TYPE_renegotiate, ret);
1548 s2n(el, ret);
333f926d 1549
0f113f3e
MC		 1550 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1551 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1552 return NULL;
1553 }
333f926d 1554
0f113f3e
MC		 1555 ret += el;
1556 }
1557
1558 /* Only add RI for SSLv3 */
1559 if (s->version == SSL3_VERSION)
1560 goto done;
1561
1562 if (!s->hit && s->servername_done == 1
1563 && s->session->tlsext_hostname != NULL) {
1564 if ((long)(limit - ret - 4) < 0)
1565 return NULL;
1566
1567 s2n(TLSEXT_TYPE_server_name, ret);
1568 s2n(0, ret);
1569 }
1570# ifndef OPENSSL_NO_EC
1571 if (using_ecc) {
1572 const unsigned char *plist;
1573 size_t plistlen;
1574 /*
1575 * Add TLS extension ECPointFormats to the ServerHello message
1576 */
1577 long lenmax;
1578
1579 tls1_get_formatlist(s, &plist, &plistlen);
1580
1581 if ((lenmax = limit - ret - 5) < 0)
1582 return NULL;
1583 if (plistlen > (size_t)lenmax)
1584 return NULL;
1585 if (plistlen > 255) {
1586 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1587 return NULL;
1588 }
4817504d 1589
0f113f3e
MC		 1590 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1591 s2n(plistlen + 1, ret);
1592 *(ret++) = (unsigned char)plistlen;
1593 memcpy(ret, plist, plistlen);
1594 ret += plistlen;
1595
1596 }
1597 /*
1598 * Currently the server should not respond with a SupportedCurves
1599 * extension
1600 */
1601# endif /* OPENSSL_NO_EC */
1602
1603 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1604 if ((long)(limit - ret - 4) < 0)
1605 return NULL;
1606 s2n(TLSEXT_TYPE_session_ticket, ret);
1607 s2n(0, ret);
1608 }
1609
1610 if (s->tlsext_status_expected) {
1611 if ((long)(limit - ret - 4) < 0)
1612 return NULL;
1613 s2n(TLSEXT_TYPE_status_request, ret);
1614 s2n(0, ret);
1615 }
0f113f3e
MC		 1616
1617# ifndef OPENSSL_NO_SRTP
1618 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1619 int el;
1620
69f68237 1621 /* Returns 0 on success!! */
61986d32 1622 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1623 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1624 return NULL;
1625 }
0f113f3e
MC		 1626 if ((limit - ret - 4 - el) < 0)
1627 return NULL;
1628
1629 s2n(TLSEXT_TYPE_use_srtp, ret);
1630 s2n(el, ret);
1631
1632 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1633 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1634 return NULL;
1635 }
1636 ret += el;
1637 }
1638# endif
1639
1640 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1641 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1642 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1643 const unsigned char cryptopro_ext[36] = {
1644 0xfd, 0xe8, /* 65000 */
1645 0x00, 0x20, /* 32 bytes length */
1646 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1647 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1648 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1649 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1650 };
1651 if (limit - ret < 36)
1652 return NULL;
1653 memcpy(ret, cryptopro_ext, 36);
1654 ret += 36;
1655
1656 }
1657# ifndef OPENSSL_NO_HEARTBEATS
1658 /* Add Heartbeat extension if we've received one */
1659 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1660 if ((limit - ret - 4 - 1) < 0)
1661 return NULL;
1662 s2n(TLSEXT_TYPE_heartbeat, ret);
1663 s2n(1, ret);
50e735f9
MC		 1664 /*-
1665 * Set mode:
1666 * 1: peer may send requests
1667 * 2: peer not allowed to send requests
1668 */
0f113f3e
MC		 1669 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1670 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1671 else
1672 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1673
1674 }
1675# endif
1676
1677# ifndef OPENSSL_NO_NEXTPROTONEG
1678 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1679 s->s3->next_proto_neg_seen = 0;
1680 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1681 const unsigned char *npa;
1682 unsigned int npalen;
1683 int r;
1684
1685 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1686 s->
1687 ctx->next_protos_advertised_cb_arg);
1688 if (r == SSL_TLSEXT_ERR_OK) {
1689 if ((long)(limit - ret - 4 - npalen) < 0)
1690 return NULL;
1691 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1692 s2n(npalen, ret);
1693 memcpy(ret, npa, npalen);
1694 ret += npalen;
1695 s->s3->next_proto_neg_seen = 1;
1696 }
1697 }
1698# endif
1699 if (!custom_ext_add(s, 1, &ret, limit, al))
1700 return NULL;
1701# ifdef TLSEXT_TYPE_encrypt_then_mac
1702 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1703 /*
1704 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1705 * for other cases too.
1706 */
1707 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1708 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1709 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1710 else {
1711 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1712 s2n(0, ret);
1713 }
1714 }
1715# endif
ddc06b35
DSH		 1716 if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
1717 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1718 s2n(0, ret);
1719 }
0f113f3e
MC		 1720
1721 if (s->s3->alpn_selected) {
1722 const unsigned char *selected = s->s3->alpn_selected;
1723 unsigned len = s->s3->alpn_selected_len;
1724
1725 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1726 return NULL;
1727 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1728 s2n(3 + len, ret);
1729 s2n(1 + len, ret);
1730 *ret++ = len;
1731 memcpy(ret, selected, len);
1732 ret += len;
1733 }
1734
1735 done:
1736
1737 if ((extdatalen = ret - orig - 2) == 0)
1738 return orig;
1739
1740 s2n(extdatalen, orig);
1741 return ret;
1742}
a398f821 1743
0f113f3e
MC		 1744/*
1745 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1746 * ClientHello. data: the contents of the extension, not including the type
1747 * and length. data_len: the number of bytes in |data| al: a pointer to the
1748 * alert value to send in the event of a non-zero return. returns: 0 on
1749 * success.
1750 */
6f017a8f 1751static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
0f113f3e
MC		 1752 unsigned data_len, int *al)
1753{
1754 unsigned i;
1755 unsigned proto_len;
1756 const unsigned char *selected;
1757 unsigned char selected_len;
1758 int r;
1759
1760 if (s->ctx->alpn_select_cb == NULL)
1761 return 0;
1762
1763 if (data_len < 2)
1764 goto parse_error;
1765
1766 /*
1767 * data should contain a uint16 length followed by a series of 8-bit,
1768 * length-prefixed strings.
1769 */
1770 i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1771 data_len -= 2;
1772 data += 2;
1773 if (data_len != i)
1774 goto parse_error;
1775
1776 if (data_len < 2)
1777 goto parse_error;
1778
1779 for (i = 0; i < data_len;) {
1780 proto_len = data[i];
1781 i++;
1782
1783 if (proto_len == 0)
1784 goto parse_error;
1785
1786 if (i + proto_len < i || i + proto_len > data_len)
1787 goto parse_error;
1788
1789 i += proto_len;
1790 }
1791
1792 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1793 s->ctx->alpn_select_cb_arg);
1794 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1795 OPENSSL_free(s->s3->alpn_selected);
0f113f3e
MC		 1796 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1797 if (!s->s3->alpn_selected) {
1798 *al = SSL_AD_INTERNAL_ERROR;
1799 return -1;
1800 }
1801 memcpy(s->s3->alpn_selected, selected, selected_len);
1802 s->s3->alpn_selected_len = selected_len;
1803 }
1804 return 0;
1805
1806 parse_error:
1807 *al = SSL_AD_DECODE_ERROR;
1808 return -1;
1809}
6f017a8f 1810
0f113f3e 1811# ifndef OPENSSL_NO_EC
1d97c843
TH		 1812/*-
1813 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1814 * SecureTransport using the TLS extension block in |d|, of length |n|.
1815 * Safari, since 10.6, sends exactly these extensions, in this order:
1816 * SNI,
1817 * elliptic_curves
1818 * ec_point_formats
1819 *
1820 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1821 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1822 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1823 * 10.8..10.8.3 (which don't work).
1824 */
0f113f3e
MC		 1825static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1826 const unsigned char *d, int n)
1827{
1828 unsigned short type, size;
1829 static const unsigned char kSafariExtensionsBlock[] = {
1830 0x00, 0x0a, /* elliptic_curves extension */
1831 0x00, 0x08, /* 8 bytes */
1832 0x00, 0x06, /* 6 bytes of curve ids */
1833 0x00, 0x17, /* P-256 */
1834 0x00, 0x18, /* P-384 */
1835 0x00, 0x19, /* P-521 */
1836
1837 0x00, 0x0b, /* ec_point_formats */
1838 0x00, 0x02, /* 2 bytes */
1839 0x01, /* 1 point format */
1840 0x00, /* uncompressed */
1841 };
1842
1843 /* The following is only present in TLS 1.2 */
1844 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1845 0x00, 0x0d, /* signature_algorithms */
1846 0x00, 0x0c, /* 12 bytes */
1847 0x00, 0x0a, /* 10 bytes */
1848 0x05, 0x01, /* SHA-384/RSA */
1849 0x04, 0x01, /* SHA-256/RSA */
1850 0x02, 0x01, /* SHA-1/RSA */
1851 0x04, 0x03, /* SHA-256/ECDSA */
1852 0x02, 0x03, /* SHA-1/ECDSA */
1853 };
1854
1855 if (data >= (d + n - 2))
1856 return;
1857 data += 2;
1858
1859 if (data > (d + n - 4))
1860 return;
1861 n2s(data, type);
1862 n2s(data, size);
1863
1864 if (type != TLSEXT_TYPE_server_name)
1865 return;
1866
1867 if (data + size > d + n)
1868 return;
1869 data += size;
1870
1871 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1872 const size_t len1 = sizeof(kSafariExtensionsBlock);
1873 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1874
1875 if (data + len1 + len2 != d + n)
1876 return;
1877 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1878 return;
1879 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1880 return;
1881 } else {
1882 const size_t len = sizeof(kSafariExtensionsBlock);
1883
1884 if (data + len != d + n)
1885 return;
1886 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1887 return;
1888 }
1889
1890 s->s3->is_probably_safari = 1;
dece3209 1891}
0f113f3e
MC		 1892# endif /* !OPENSSL_NO_EC */
1893
1894static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1895 unsigned char *d, int n, int *al)
1896{
1897 unsigned short type;
1898 unsigned short size;
1899 unsigned short len;
1900 unsigned char *data = *p;
1901 int renegotiate_seen = 0;
1902
1903 s->servername_done = 0;
1904 s->tlsext_status_type = -1;
1905# ifndef OPENSSL_NO_NEXTPROTONEG
1906 s->s3->next_proto_neg_seen = 0;
1907# endif
1908
b548a1f1
RS		 1909 OPENSSL_free(s->s3->alpn_selected);
1910 s->s3->alpn_selected = NULL;
0f113f3e
MC		 1911# ifndef OPENSSL_NO_HEARTBEATS
1912 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1913 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1914# endif
1915
1916# ifndef OPENSSL_NO_EC
1917 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1918 ssl_check_for_safari(s, data, d, n);
1919# endif /* !OPENSSL_NO_EC */
1920
1921 /* Clear any signature algorithms extension received */
76106e60
DSH		 1922 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1923 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e
MC		 1924# ifdef TLSEXT_TYPE_encrypt_then_mac
1925 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1926# endif
1927
1928# ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1929 OPENSSL_free(s->srp_ctx.login);
1930 s->srp_ctx.login = NULL;
0f113f3e
MC		 1931# endif
1932
1933 s->srtp_profile = NULL;
1934
1935 if (data >= (d + n - 2))
1936 goto ri_check;
1937 n2s(data, len);
1938
1939 if (data > (d + n - len))
1940 goto ri_check;
1941
1942 while (data <= (d + n - 4)) {
1943 n2s(data, type);
1944 n2s(data, size);
1945
1946 if (data + size > (d + n))
1947 goto ri_check;
0f113f3e
MC		 1948 if (s->tlsext_debug_cb)
1949 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1950 if (type == TLSEXT_TYPE_renegotiate) {
1951 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1952 return 0;
1953 renegotiate_seen = 1;
1954 } else if (s->version == SSL3_VERSION) {
1955 }
1d97c843
TH		 1956/*-
1957 * The servername extension is treated as follows:
1958 *
1959 * - Only the hostname type is supported with a maximum length of 255.
1960 * - The servername is rejected if too long or if it contains zeros,
1961 * in which case an fatal alert is generated.
1962 * - The servername field is maintained together with the session cache.
1963 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1964 * to allow the application to position itself to the right context.
1965 * - The servername is acknowledged if it is new for a session or when
1966 * it is identical to a previously used for the same session.
1d97c843
TH		 1967 * Applications can control the behaviour. They can at any time
1968 * set a 'desirable' servername for a new SSL object. This can be the
1969 * case for example with HTTPS when a Host: header field is received and
1970 * a renegotiation is requested. In this case, a possible servername
1971 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1972 * the value of the Host: field.
1d97c843 1973 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1974 * if they provide for changing an explicit servername context for the
1975 * session, i.e. when the session has been established with a servername
1976 * extension.
1977 * - On session reconnect, the servername extension may be absent.
1d97c843 1978 *
0f113f3e 1979 */
ed3883d2 1980
0f113f3e
MC		 1981 else if (type == TLSEXT_TYPE_server_name) {
1982 unsigned char *sdata;
1983 int servname_type;
1984 int dsize;
1985
1986 if (size < 2) {
1987 *al = SSL_AD_DECODE_ERROR;
1988 return 0;
1989 }
1990 n2s(data, dsize);
1991 size -= 2;
1992 if (dsize > size) {
1993 *al = SSL_AD_DECODE_ERROR;
1994 return 0;
1995 }
1996
1997 sdata = data;
1998 while (dsize > 3) {
1999 servname_type = *(sdata++);
2000 n2s(sdata, len);
2001 dsize -= 3;
2002
2003 if (len > dsize) {
2004 *al = SSL_AD_DECODE_ERROR;
2005 return 0;
2006 }
2007 if (s->servername_done == 0)
2008 switch (servname_type) {
2009 case TLSEXT_NAMETYPE_host_name:
2010 if (!s->hit) {
2011 if (s->session->tlsext_hostname) {
2012 *al = SSL_AD_DECODE_ERROR;
2013 return 0;
2014 }
2015 if (len > TLSEXT_MAXLEN_host_name) {
2016 *al = TLS1_AD_UNRECOGNIZED_NAME;
2017 return 0;
2018 }
2019 if ((s->session->tlsext_hostname =
2020 OPENSSL_malloc(len + 1)) == NULL) {
2021 *al = TLS1_AD_INTERNAL_ERROR;
2022 return 0;
2023 }
2024 memcpy(s->session->tlsext_hostname, sdata, len);
2025 s->session->tlsext_hostname[len] = '\0';
2026 if (strlen(s->session->tlsext_hostname) != len) {
2027 OPENSSL_free(s->session->tlsext_hostname);
2028 s->session->tlsext_hostname = NULL;
2029 *al = TLS1_AD_UNRECOGNIZED_NAME;
2030 return 0;
2031 }
2032 s->servername_done = 1;
761772d7 2033
0f113f3e
MC		 2034 } else
2035 s->servername_done = s->session->tlsext_hostname
2036 && strlen(s->session->tlsext_hostname) == len
2037 && strncmp(s->session->tlsext_hostname,
2038 (char *)sdata, len) == 0;
b2284ed3 2039
0f113f3e 2040 break;
ee2ffc27 2041
0f113f3e
MC		 2042 default:
2043 break;
2044 }
6f31dd72 2045
0f113f3e
MC		 2046 dsize -= len;
2047 }
2048 if (dsize != 0) {
2049 *al = SSL_AD_DECODE_ERROR;
2050 return 0;
2051 }
6f017a8f 2052
0f113f3e
MC		 2053 }
2054# ifndef OPENSSL_NO_SRP
2055 else if (type == TLSEXT_TYPE_srp) {
2056 if (size <= 0 || ((len = data[0])) != (size - 1)) {
2057 *al = SSL_AD_DECODE_ERROR;
2058 return 0;
2059 }
2060 if (s->srp_ctx.login != NULL) {
2061 *al = SSL_AD_DECODE_ERROR;
2062 return 0;
2063 }
2064 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2065 return -1;
2066 memcpy(s->srp_ctx.login, &data[1], len);
2067 s->srp_ctx.login[len] = '\0';
2068
2069 if (strlen(s->srp_ctx.login) != len) {
2070 *al = SSL_AD_DECODE_ERROR;
2071 return 0;
2072 }
2073 }
2074# endif
2075
2076# ifndef OPENSSL_NO_EC
2077 else if (type == TLSEXT_TYPE_ec_point_formats) {
2078 unsigned char *sdata = data;
2079 int ecpointformatlist_length = *(sdata++);
2080
2081 if (ecpointformatlist_length != size - 1 ||
2082 ecpointformatlist_length < 1) {
2083 *al = TLS1_AD_DECODE_ERROR;
2084 return 0;
2085 }
2086 if (!s->hit) {
b548a1f1
RS		 2087 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2088 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2089 s->session->tlsext_ecpointformatlist_length = 0;
2090 if ((s->session->tlsext_ecpointformatlist =
2091 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2092 *al = TLS1_AD_INTERNAL_ERROR;
2093 return 0;
2094 }
2095 s->session->tlsext_ecpointformatlist_length =
2096 ecpointformatlist_length;
2097 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2098 ecpointformatlist_length);
2099 }
0f113f3e
MC		 2100 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2101 unsigned char *sdata = data;
2102 int ellipticcurvelist_length = (*(sdata++) << 8);
2103 ellipticcurvelist_length += (*(sdata++));
2104
2105 if (ellipticcurvelist_length != size - 2 ||
2106 ellipticcurvelist_length < 1 ||
2107 /* Each NamedCurve is 2 bytes. */
2108 ellipticcurvelist_length & 1) {
2109 *al = TLS1_AD_DECODE_ERROR;
2110 return 0;
2111 }
2112 if (!s->hit) {
2113 if (s->session->tlsext_ellipticcurvelist) {
2114 *al = TLS1_AD_DECODE_ERROR;
2115 return 0;
2116 }
2117 s->session->tlsext_ellipticcurvelist_length = 0;
2118 if ((s->session->tlsext_ellipticcurvelist =
2119 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2120 *al = TLS1_AD_INTERNAL_ERROR;
2121 return 0;
2122 }
2123 s->session->tlsext_ellipticcurvelist_length =
2124 ellipticcurvelist_length;
2125 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2126 ellipticcurvelist_length);
2127 }
0f113f3e
MC		 2128 }
2129# endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2130 else if (type == TLSEXT_TYPE_session_ticket) {
2131 if (s->tls_session_ticket_ext_cb &&
2132 !s->tls_session_ticket_ext_cb(s, data, size,
2133 s->tls_session_ticket_ext_cb_arg))
2134 {
2135 *al = TLS1_AD_INTERNAL_ERROR;
2136 return 0;
2137 }
2138 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2139 int dsize;
76106e60 2140 if (s->s3->tmp.peer_sigalgs || size < 2) {
0f113f3e
MC		 2141 *al = SSL_AD_DECODE_ERROR;
2142 return 0;
2143 }
2144 n2s(data, dsize);
2145 size -= 2;
2146 if (dsize != size || dsize & 1 || !dsize) {
2147 *al = SSL_AD_DECODE_ERROR;
2148 return 0;
2149 }
2150 if (!tls1_save_sigalgs(s, data, dsize)) {
2151 *al = SSL_AD_DECODE_ERROR;
2152 return 0;
2153 }
2154 } else if (type == TLSEXT_TYPE_status_request) {
2155
2156 if (size < 5) {
2157 *al = SSL_AD_DECODE_ERROR;
2158 return 0;
2159 }
2160
2161 s->tlsext_status_type = *data++;
2162 size--;
2163 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2164 const unsigned char *sdata;
2165 int dsize;
2166 /* Read in responder_id_list */
2167 n2s(data, dsize);
2168 size -= 2;
2169 if (dsize > size) {
2170 *al = SSL_AD_DECODE_ERROR;
2171 return 0;
2172 }
2173 while (dsize > 0) {
2174 OCSP_RESPID *id;
2175 int idsize;
2176 if (dsize < 4) {
2177 *al = SSL_AD_DECODE_ERROR;
2178 return 0;
2179 }
2180 n2s(data, idsize);
2181 dsize -= 2 + idsize;
2182 size -= 2 + idsize;
2183 if (dsize < 0) {
2184 *al = SSL_AD_DECODE_ERROR;
2185 return 0;
2186 }
2187 sdata = data;
2188 data += idsize;
2189 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2190 if (!id) {
2191 *al = SSL_AD_DECODE_ERROR;
2192 return 0;
2193 }
2194 if (data != sdata) {
2195 OCSP_RESPID_free(id);
2196 *al = SSL_AD_DECODE_ERROR;
2197 return 0;
2198 }
2199 if (!s->tlsext_ocsp_ids
2200 && !(s->tlsext_ocsp_ids =
2201 sk_OCSP_RESPID_new_null())) {
2202 OCSP_RESPID_free(id);
2203 *al = SSL_AD_INTERNAL_ERROR;
2204 return 0;
2205 }
2206 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2207 OCSP_RESPID_free(id);
2208 *al = SSL_AD_INTERNAL_ERROR;
2209 return 0;
2210 }
2211 }
4817504d 2212
0f113f3e
MC		 2213 /* Read in request_extensions */
2214 if (size < 2) {
2215 *al = SSL_AD_DECODE_ERROR;
2216 return 0;
2217 }
2218 n2s(data, dsize);
2219 size -= 2;
2220 if (dsize != size) {
2221 *al = SSL_AD_DECODE_ERROR;
2222 return 0;
2223 }
2224 sdata = data;
2225 if (dsize > 0) {
222561fe
RS		 2226 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2227 X509_EXTENSION_free);
0f113f3e
MC		 2228 s->tlsext_ocsp_exts =
2229 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2230 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
2231 *al = SSL_AD_DECODE_ERROR;
2232 return 0;
2233 }
2234 }
2235 }
2236 /*
2237 * We don't know what to do with any other type * so ignore it.
2238 */
2239 else
2240 s->tlsext_status_type = -1;
2241 }
2242# ifndef OPENSSL_NO_HEARTBEATS
2243 else if (type == TLSEXT_TYPE_heartbeat) {
2244 switch (data[0]) {
2245 case 0x01: /* Client allows us to send HB requests */
2246 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2247 break;
2248 case 0x02: /* Client doesn't accept HB requests */
2249 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2250 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2251 break;
2252 default:
2253 *al = SSL_AD_ILLEGAL_PARAMETER;
2254 return 0;
2255 }
2256 }
2257# endif
2258# ifndef OPENSSL_NO_NEXTPROTONEG
2259 else if (type == TLSEXT_TYPE_next_proto_neg &&
2260 s->s3->tmp.finish_md_len == 0 &&
2261 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2262 /*-
2263 * We shouldn't accept this extension on a
2264 * renegotiation.
2265 *
2266 * s->new_session will be set on renegotiation, but we
2267 * probably shouldn't rely that it couldn't be set on
2268 * the initial renegotation too in certain cases (when
2269 * there's some other reason to disallow resuming an
2270 * earlier session -- the current code won't be doing
2271 * anything like that, but this might change).
2272 *
2273 * A valid sign that there's been a previous handshake
2274 * in this connection is if s->s3->tmp.finish_md_len >
2275 * 0. (We are talking about a check that will happen
2276 * in the Hello protocol round, well before a new
2277 * Finished message could have been computed.)
2278 */
0f113f3e
MC		 2279 s->s3->next_proto_neg_seen = 1;
2280 }
2281# endif
2282
2283 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2284 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2285 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2286 return 0;
2287# ifndef OPENSSL_NO_NEXTPROTONEG
2288 /* ALPN takes precedence over NPN. */
2289 s->s3->next_proto_neg_seen = 0;
2290# endif
2291 }
5e3ff62c 2292
0f113f3e
MC		 2293 /* session ticket processed earlier */
2294# ifndef OPENSSL_NO_SRTP
2295 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2296 && type == TLSEXT_TYPE_use_srtp) {
2297 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2298 return 0;
2299 }
2300# endif
2301# ifdef TLSEXT_TYPE_encrypt_then_mac
2302 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2303 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2304# endif
ddc06b35
DSH		 2305 else if (type == TLSEXT_TYPE_extended_master_secret) {
2306 if (!s->hit)
2307 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2308 }
0f113f3e
MC		 2309 /*
2310 * If this ClientHello extension was unhandled and this is a
2311 * nonresumed connection, check whether the extension is a custom
2312 * TLS Extension (has a custom_srv_ext_record), and if so call the
2313 * callback and record the extension number so that an appropriate
2314 * ServerHello may be later returned.
2315 */
2316 else if (!s->hit) {
2317 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2318 return 0;
2319 }
ed3883d2 2320
0f113f3e
MC		 2321 data += size;
2322 }
6f017a8f 2323
0f113f3e
MC		 2324 *p = data;
2325
2326 ri_check:
ed3883d2 2327
0f113f3e
MC		 2328 /* Need RI if renegotiating */
2329
2330 if (!renegotiate_seen && s->renegotiate &&
2331 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2332 *al = SSL_AD_HANDSHAKE_FAILURE;
2333 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2334 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2335 return 0;
2336 }
2337
2338 return 1;
2339}
2340
2341int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2342 int n)
2343{
2344 int al = -1;
2345 custom_ext_init(&s->cert->srv_ext);
2346 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
2347 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2348 return 0;
2349 }
2350
2351 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2352 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2353 return 0;
2354 }
2355 return 1;
2356}
2357
2358# ifndef OPENSSL_NO_NEXTPROTONEG
2359/*
2360 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2361 * elements of zero length are allowed and the set of elements must exactly
2362 * fill the length of the block.
2363 */
2364static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2365{
2366 unsigned int off = 0;
2367
2368 while (off < len) {
2369 if (d[off] == 0)
2370 return 0;
2371 off += d[off];
2372 off++;
2373 }
2374
2375 return off == len;
2376}
2377# endif
2378
2379static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2380 unsigned char *d, int n, int *al)
2381{
2382 unsigned short length;
2383 unsigned short type;
2384 unsigned short size;
2385 unsigned char *data = *p;
2386 int tlsext_servername = 0;
2387 int renegotiate_seen = 0;
2388
2389# ifndef OPENSSL_NO_NEXTPROTONEG
2390 s->s3->next_proto_neg_seen = 0;
2391# endif
2392 s->tlsext_ticket_expected = 0;
2393
b548a1f1
RS		 2394 OPENSSL_free(s->s3->alpn_selected);
2395 s->s3->alpn_selected = NULL;
0f113f3e
MC		 2396# ifndef OPENSSL_NO_HEARTBEATS
2397 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2398 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2399# endif
2400
2401# ifdef TLSEXT_TYPE_encrypt_then_mac
2402 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2403# endif
2404
2405 if (data >= (d + n - 2))
2406 goto ri_check;
2407
2408 n2s(data, length);
2409 if (data + length != d + n) {
2410 *al = SSL_AD_DECODE_ERROR;
2411 return 0;
2412 }
2413
2414 while (data <= (d + n - 4)) {
2415 n2s(data, type);
2416 n2s(data, size);
2417
2418 if (data + size > (d + n))
2419 goto ri_check;
2420
2421 if (s->tlsext_debug_cb)
2422 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2423
2424 if (type == TLSEXT_TYPE_renegotiate) {
2425 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2426 return 0;
2427 renegotiate_seen = 1;
2428 } else if (s->version == SSL3_VERSION) {
2429 } else if (type == TLSEXT_TYPE_server_name) {
2430 if (s->tlsext_hostname == NULL || size > 0) {
2431 *al = TLS1_AD_UNRECOGNIZED_NAME;
2432 return 0;
2433 }
2434 tlsext_servername = 1;
2435 }
2436# ifndef OPENSSL_NO_EC
2437 else if (type == TLSEXT_TYPE_ec_point_formats) {
2438 unsigned char *sdata = data;
2439 int ecpointformatlist_length = *(sdata++);
2440
2441 if (ecpointformatlist_length != size - 1) {
2442 *al = TLS1_AD_DECODE_ERROR;
2443 return 0;
2444 }
2445 if (!s->hit) {
2446 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2447 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2448 if ((s->session->tlsext_ecpointformatlist =
2449 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2450 *al = TLS1_AD_INTERNAL_ERROR;
2451 return 0;
2452 }
2453 s->session->tlsext_ecpointformatlist_length =
2454 ecpointformatlist_length;
2455 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2456 ecpointformatlist_length);
2457 }
0f113f3e
MC		 2458 }
2459# endif /* OPENSSL_NO_EC */
2460
2461 else if (type == TLSEXT_TYPE_session_ticket) {
2462 if (s->tls_session_ticket_ext_cb &&
2463 !s->tls_session_ticket_ext_cb(s, data, size,
2464 s->tls_session_ticket_ext_cb_arg))
2465 {
2466 *al = TLS1_AD_INTERNAL_ERROR;
2467 return 0;
2468 }
2469 if (!tls_use_ticket(s) || (size > 0)) {
2470 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2471 return 0;
2472 }
2473 s->tlsext_ticket_expected = 1;
2474 }
0f113f3e
MC		 2475 else if (type == TLSEXT_TYPE_status_request) {
2476 /*
2477 * MUST be empty and only sent if we've requested a status
2478 * request message.
2479 */
2480 if ((s->tlsext_status_type == -1) || (size > 0)) {
2481 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2482 return 0;
2483 }
2484 /* Set flag to expect CertificateStatus message */
2485 s->tlsext_status_expected = 1;
2486 }
2487# ifndef OPENSSL_NO_NEXTPROTONEG
2488 else if (type == TLSEXT_TYPE_next_proto_neg &&
2489 s->s3->tmp.finish_md_len == 0) {
2490 unsigned char *selected;
2491 unsigned char selected_len;
2492
2493 /* We must have requested it. */
2494 if (s->ctx->next_proto_select_cb == NULL) {
2495 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2496 return 0;
2497 }
2498 /* The data must be valid */
2499 if (!ssl_next_proto_validate(data, size)) {
2500 *al = TLS1_AD_DECODE_ERROR;
2501 return 0;
2502 }
2503 if (s->
2504 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2505 size,
2506 s->ctx->next_proto_select_cb_arg) !=
2507 SSL_TLSEXT_ERR_OK) {
2508 *al = TLS1_AD_INTERNAL_ERROR;
2509 return 0;
2510 }
2511 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2512 if (!s->next_proto_negotiated) {
2513 *al = TLS1_AD_INTERNAL_ERROR;
2514 return 0;
2515 }
2516 memcpy(s->next_proto_negotiated, selected, selected_len);
2517 s->next_proto_negotiated_len = selected_len;
2518 s->s3->next_proto_neg_seen = 1;
2519 }
2520# endif
2521
2522 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2523 unsigned len;
2524
2525 /* We must have requested it. */
2526 if (s->alpn_client_proto_list == NULL) {
2527 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2528 return 0;
2529 }
2530 if (size < 4) {
2531 *al = TLS1_AD_DECODE_ERROR;
2532 return 0;
2533 }
50e735f9
MC		 2534 /*-
2535 * The extension data consists of:
2536 * uint16 list_length
2537 * uint8 proto_length;
2538 * uint8 proto[proto_length];
2539 */
0f113f3e
MC		 2540 len = data[0];
2541 len <<= 8;
2542 len |= data[1];
2543 if (len != (unsigned)size - 2) {
2544 *al = TLS1_AD_DECODE_ERROR;
2545 return 0;
2546 }
2547 len = data[2];
2548 if (len != (unsigned)size - 3) {
2549 *al = TLS1_AD_DECODE_ERROR;
2550 return 0;
2551 }
b548a1f1 2552 OPENSSL_free(s->s3->alpn_selected);
0f113f3e
MC		 2553 s->s3->alpn_selected = OPENSSL_malloc(len);
2554 if (!s->s3->alpn_selected) {
2555 *al = TLS1_AD_INTERNAL_ERROR;
2556 return 0;
2557 }
2558 memcpy(s->s3->alpn_selected, data + 3, len);
2559 s->s3->alpn_selected_len = len;
2560 }
2561# ifndef OPENSSL_NO_HEARTBEATS
2562 else if (type == TLSEXT_TYPE_heartbeat) {
2563 switch (data[0]) {
2564 case 0x01: /* Server allows us to send HB requests */
2565 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2566 break;
2567 case 0x02: /* Server doesn't accept HB requests */
2568 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2569 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2570 break;
2571 default:
2572 *al = SSL_AD_ILLEGAL_PARAMETER;
2573 return 0;
2574 }
2575 }
2576# endif
2577# ifndef OPENSSL_NO_SRTP
2578 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2579 if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2580 return 0;
2581 }
2582# endif
2583# ifdef TLSEXT_TYPE_encrypt_then_mac
2584 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2585 /* Ignore if inappropriate ciphersuite */
2586 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2587 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2588 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2589 }
2590# endif
ddc06b35
DSH		 2591 else if (type == TLSEXT_TYPE_extended_master_secret) {
2592 if (!s->hit)
2593 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2594 }
0f113f3e
MC		 2595 /*
2596 * If this extension type was not otherwise handled, but matches a
2597 * custom_cli_ext_record, then send it to the c callback
2598 */
2599 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2600 return 0;
2601
2602 data += size;
2603 }
2604
2605 if (data != d + n) {
2606 *al = SSL_AD_DECODE_ERROR;
2607 return 0;
2608 }
2609
2610 if (!s->hit && tlsext_servername == 1) {
2611 if (s->tlsext_hostname) {
2612 if (s->session->tlsext_hostname == NULL) {
2613 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2614 if (!s->session->tlsext_hostname) {
2615 *al = SSL_AD_UNRECOGNIZED_NAME;
2616 return 0;
2617 }
2618 } else {
2619 *al = SSL_AD_DECODE_ERROR;
2620 return 0;
2621 }
2622 }
2623 }
2624
2625 *p = data;
2626
2627 ri_check:
2628
2629 /*
2630 * Determine if we need to see RI. Strictly speaking if we want to avoid
2631 * an attack we should *always* see RI even on initial server hello
2632 * because the client doesn't see any renegotiation during an attack.
2633 * However this would mean we could not connect to any server which
2634 * doesn't support RI so for the immediate future tolerate RI absence on
2635 * initial connect only.
2636 */
2637 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2638 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2639 *al = SSL_AD_HANDSHAKE_FAILURE;
2640 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2641 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2642 return 0;
2643 }
2644
2645 return 1;
2646}
b2172f4f 2647
36ca4ba6 2648int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2649{
2650
0f113f3e
MC		 2651 return 1;
2652}
36ca4ba6
BM		 2653
2654int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2655{
2656 return 1;
2657}
36ca4ba6 2658
2daceb03 2659static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2660{
2661 int ret = SSL_TLSEXT_ERR_NOACK;
2662 int al = SSL_AD_UNRECOGNIZED_NAME;
2663
2664# ifndef OPENSSL_NO_EC
2665 /*
2666 * The handling of the ECPointFormats extension is done elsewhere, namely
2667 * in ssl3_choose_cipher in s3_lib.c.
2668 */
2669 /*
2670 * The handling of the EllipticCurves extension is done elsewhere, namely
2671 * in ssl3_choose_cipher in s3_lib.c.
2672 */
2673# endif
2674
2675 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2676 ret =
2677 s->ctx->tlsext_servername_callback(s, &al,
2678 s->ctx->tlsext_servername_arg);
2679 else if (s->initial_ctx != NULL
2680 && s->initial_ctx->tlsext_servername_callback != 0)
2681 ret =
2682 s->initial_ctx->tlsext_servername_callback(s, &al,
2683 s->
2684 initial_ctx->tlsext_servername_arg);
2685
0f113f3e
MC		 2686 switch (ret) {
2687 case SSL_TLSEXT_ERR_ALERT_FATAL:
2688 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2689 return -1;
2690
2691 case SSL_TLSEXT_ERR_ALERT_WARNING:
2692 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2693 return 1;
2694
2695 case SSL_TLSEXT_ERR_NOACK:
2696 s->servername_done = 0;
2697 default:
2698 return 1;
2699 }
2700}
d376e57d
DSH		 2701/* Initialise digests to default values */
2702static void ssl_set_default_md(SSL *s)
2703{
2704 const EVP_MD **pmd = s->s3->tmp.md;
2705#ifndef OPENSSL_NO_DSA
2706 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
2707#endif
2708#ifndef OPENSSL_NO_RSA
2709 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
2710 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
2711#endif
2712#ifndef OPENSSL_NO_EC
2713 pmd[SSL_PKEY_ECC] = EVP_sha1();
2714#endif
2715}
f1fd4544 2716
e469af8d 2717int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2718{
2719 int al;
2720 size_t i;
2721 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2722 OPENSSL_free(s->cert->shared_sigalgs);
2723 s->cert->shared_sigalgs = NULL;
2724 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2725 /* Clear certificate digests and validity flags */
2726 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2727 s->s3->tmp.md[i] = NULL;
6383d316 2728 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2729 }
2730
2731 /* If sigalgs received process it. */
76106e60 2732 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2733 if (!tls1_process_sigalgs(s)) {
2734 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2735 al = SSL_AD_INTERNAL_ERROR;
2736 goto err;
2737 }
2738 /* Fatal error is no shared signature algorithms */
2739 if (!s->cert->shared_sigalgs) {
2740 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2741 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2742 al = SSL_AD_ILLEGAL_PARAMETER;
2743 goto err;
2744 }
d376e57d
DSH		 2745 } else {
2746 ssl_set_default_md(s);
2747 }
0f113f3e
MC		 2748 return 1;
2749 err:
2750 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2751 return 0;
2752}
e469af8d 2753
2daceb03 2754int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2755{
2756 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2757 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2758
2759 /*
2760 * If status request then ask callback what to do. Note: this must be
2761 * called after servername callbacks in case the certificate has changed,
2762 * and must be called after the cipher has been chosen because this may
2763 * influence which certificate is sent
2764 */
2765 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2766 int r;
2767 CERT_PKEY *certpkey;
2768 certpkey = ssl_get_server_send_pkey(s);
2769 /* If no certificate can't return certificate status */
2770 if (certpkey == NULL) {
2771 s->tlsext_status_expected = 0;
2772 return 1;
2773 }
2774 /*
2775 * Set current certificate to one we will use so SSL_get_certificate
2776 * et al can pick it up.
2777 */
2778 s->cert->key = certpkey;
2779 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2780 switch (r) {
2781 /* We don't want to send a status request response */
2782 case SSL_TLSEXT_ERR_NOACK:
2783 s->tlsext_status_expected = 0;
2784 break;
2785 /* status request response should be sent */
2786 case SSL_TLSEXT_ERR_OK:
2787 if (s->tlsext_ocsp_resp)
2788 s->tlsext_status_expected = 1;
2789 else
2790 s->tlsext_status_expected = 0;
2791 break;
2792 /* something bad happened */
2793 case SSL_TLSEXT_ERR_ALERT_FATAL:
2794 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2795 al = SSL_AD_INTERNAL_ERROR;
2796 goto err;
2797 }
2798 } else
2799 s->tlsext_status_expected = 0;
2daceb03
BL		 2800
2801 err:
0f113f3e
MC		 2802 switch (ret) {
2803 case SSL_TLSEXT_ERR_ALERT_FATAL:
2804 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2805 return -1;
2806
2807 case SSL_TLSEXT_ERR_ALERT_WARNING:
2808 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2809 return 1;
2810
2811 default:
2812 return 1;
2813 }
2814}
2daceb03 2815
36ca4ba6 2816int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2817{
2818 int ret = SSL_TLSEXT_ERR_NOACK;
2819 int al = SSL_AD_UNRECOGNIZED_NAME;
2820
2821# ifndef OPENSSL_NO_EC
2822 /*
2823 * If we are client and using an elliptic curve cryptography cipher
2824 * suite, then if server returns an EC point formats lists extension it
2825 * must contain uncompressed.
2826 */
2827 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2828 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2829 if ((s->tlsext_ecpointformatlist != NULL)
2830 && (s->tlsext_ecpointformatlist_length > 0)
2831 && (s->session->tlsext_ecpointformatlist != NULL)
2832 && (s->session->tlsext_ecpointformatlist_length > 0)
2833 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2834 || (alg_a & SSL_aECDSA))) {
2835 /* we are using an ECC cipher */
2836 size_t i;
2837 unsigned char *list;
2838 int found_uncompressed = 0;
2839 list = s->session->tlsext_ecpointformatlist;
2840 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2841 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2842 found_uncompressed = 1;
2843 break;
2844 }
2845 }
2846 if (!found_uncompressed) {
2847 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2848 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2849 return -1;
2850 }
2851 }
2852 ret = SSL_TLSEXT_ERR_OK;
2853# endif /* OPENSSL_NO_EC */
2854
2855 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2856 ret =
2857 s->ctx->tlsext_servername_callback(s, &al,
2858 s->ctx->tlsext_servername_arg);
2859 else if (s->initial_ctx != NULL
2860 && s->initial_ctx->tlsext_servername_callback != 0)
2861 ret =
2862 s->initial_ctx->tlsext_servername_callback(s, &al,
2863 s->
2864 initial_ctx->tlsext_servername_arg);
2865
0f113f3e
MC		 2866 /*
2867 * If we've requested certificate status and we wont get one tell the
2868 * callback
2869 */
2870 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2871 && s->ctx && s->ctx->tlsext_status_cb) {
2872 int r;
2873 /*
2874 * Set resp to NULL, resplen to -1 so callback knows there is no
2875 * response.
2876 */
b548a1f1
RS		 2877 OPENSSL_free(s->tlsext_ocsp_resp);
2878 s->tlsext_ocsp_resp = NULL;
0f113f3e
MC		 2879 s->tlsext_ocsp_resplen = -1;
2880 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2881 if (r == 0) {
2882 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2883 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2884 }
2885 if (r < 0) {
2886 al = SSL_AD_INTERNAL_ERROR;
2887 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2888 }
2889 }
2890
2891 switch (ret) {
2892 case SSL_TLSEXT_ERR_ALERT_FATAL:
2893 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2894 return -1;
2895
2896 case SSL_TLSEXT_ERR_ALERT_WARNING:
2897 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2898 return 1;
2899
2900 case SSL_TLSEXT_ERR_NOACK:
2901 s->servername_done = 0;
2902 default:
2903 return 1;
2904 }
2905}
761772d7 2906
0f113f3e
MC		 2907int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2908 int n)
2909{
2910 int al = -1;
2911 if (s->version < SSL3_VERSION)
2912 return 1;
2913 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
2914 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2915 return 0;
2916 }
2917
2918 if (ssl_check_serverhello_tlsext(s) <= 0) {
2919 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2920 return 0;
2921 }
2922 return 1;
09e4e4b9
DSH		 2923}
2924
1d97c843
TH		 2925/*-
2926 * Since the server cache lookup is done early on in the processing of the
c519e89f
BM		 2927 * ClientHello, and other operations depend on the result, we need to handle
2928 * any TLS session ticket extension at the same time.
2929 *
2930 * session_id: points at the session ID in the ClientHello. This code will
2931 * read past the end of this in order to parse out the session ticket
2932 * extension, if any.
2933 * len: the length of the session ID.
2934 * limit: a pointer to the first byte after the ClientHello.
2935 * ret: (output) on return, if a ticket was decrypted, then this is set to
2936 * point to the resulting session.
2937 *
2938 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2939 * ciphersuite, in which case we have no use for session tickets and one will
2940 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2941 *
2942 * Returns:
2943 * -1: fatal error, either from parsing or decrypting the ticket.
2944 * 0: no ticket was found (or was ignored, based on settings).
2945 * 1: a zero length extension was found, indicating that the client supports
2946 * session tickets but doesn't currently have one to offer.
2947 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2948 * couldn't be decrypted because of a non-fatal error.
2949 * 3: a ticket was successfully decrypted and *ret was set.
2950 *
2951 * Side effects:
2952 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2953 * a new session ticket to the client because the client indicated support
2954 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2955 * a session ticket or we couldn't use the one it gave us, or if
2956 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2957 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2958 */
6434abbf 2959int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
0f113f3e
MC		 2960 const unsigned char *limit, SSL_SESSION **ret)
2961{
2962 /* Point after session ID in client hello */
2963 const unsigned char *p = session_id + len;
2964 unsigned short i;
2965
2966 *ret = NULL;
2967 s->tlsext_ticket_expected = 0;
2968
2969 /*
2970 * If tickets disabled behave as if no ticket present to permit stateful
2971 * resumption.
2972 */
2973 if (!tls_use_ticket(s))
2974 return 0;
2975 if ((s->version <= SSL3_VERSION) || !limit)
2976 return 0;
2977 if (p >= limit)
2978 return -1;
2979 /* Skip past DTLS cookie */
2980 if (SSL_IS_DTLS(s)) {
2981 i = *(p++);
2982 p += i;
2983 if (p >= limit)
2984 return -1;
2985 }
2986 /* Skip past cipher list */
2987 n2s(p, i);
2988 p += i;
2989 if (p >= limit)
2990 return -1;
2991 /* Skip past compression algorithm list */
2992 i = *(p++);
2993 p += i;
2994 if (p > limit)
2995 return -1;
2996 /* Now at start of extensions */
2997 if ((p + 2) >= limit)
2998 return 0;
2999 n2s(p, i);
3000 while ((p + 4) <= limit) {
3001 unsigned short type, size;
3002 n2s(p, type);
3003 n2s(p, size);
3004 if (p + size > limit)
3005 return 0;
3006 if (type == TLSEXT_TYPE_session_ticket) {
3007 int r;
3008 if (size == 0) {
3009 /*
3010 * The client will accept a ticket but doesn't currently have
3011 * one.
3012 */
3013 s->tlsext_ticket_expected = 1;
3014 return 1;
3015 }
3016 if (s->tls_session_secret_cb) {
3017 /*
3018 * Indicate that the ticket couldn't be decrypted rather than
3019 * generating the session from ticket now, trigger
3020 * abbreviated handshake based on external mechanism to
3021 * calculate the master secret later.
3022 */
3023 return 2;
3024 }
3025 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3026 switch (r) {
3027 case 2: /* ticket couldn't be decrypted */
3028 s->tlsext_ticket_expected = 1;
3029 return 2;
3030 case 3: /* ticket was decrypted */
3031 return r;
3032 case 4: /* ticket decrypted but need to renew */
3033 s->tlsext_ticket_expected = 1;
3034 return 3;
3035 default: /* fatal error */
3036 return -1;
3037 }
3038 }
3039 p += size;
3040 }
3041 return 0;
3042}
6434abbf 3043
1d97c843
TH		 3044/*-
3045 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3046 *
3047 * etick: points to the body of the session ticket extension.
3048 * eticklen: the length of the session tickets extenion.
3049 * sess_id: points at the session ID.
3050 * sesslen: the length of the session ID.
3051 * psess: (output) on return, if a ticket was decrypted, then this is set to
3052 * point to the resulting session.
3053 *
3054 * Returns:
3055 * -1: fatal error, either from parsing or decrypting the ticket.
3056 * 2: the ticket couldn't be decrypted.
3057 * 3: a ticket was successfully decrypted and *psess was set.
3058 * 4: same as 3, but the ticket needs to be renewed.
3059 */
0f113f3e
MC		 3060static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3061 int eticklen, const unsigned char *sess_id,
3062 int sesslen, SSL_SESSION **psess)
3063{
3064 SSL_SESSION *sess;
3065 unsigned char *sdec;
3066 const unsigned char *p;
3067 int slen, mlen, renew_ticket = 0;
3068 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3069 HMAC_CTX hctx;
3070 EVP_CIPHER_CTX ctx;
3071 SSL_CTX *tctx = s->initial_ctx;
3072 /* Need at least keyname + iv + some encrypted data */
3073 if (eticklen < 48)
3074 return 2;
3075 /* Initialize session ticket encryption and HMAC contexts */
3076 HMAC_CTX_init(&hctx);
3077 EVP_CIPHER_CTX_init(&ctx);
3078 if (tctx->tlsext_ticket_key_cb) {
3079 unsigned char *nctick = (unsigned char *)etick;
3080 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3081 &ctx, &hctx, 0);
3082 if (rv < 0)
3083 return -1;
3084 if (rv == 0)
3085 return 2;
3086 if (rv == 2)
3087 renew_ticket = 1;
3088 } else {
3089 /* Check key name matches */
3090 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3091 return 2;
3092 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
474e469b 3093 EVP_sha256(), NULL);
0f113f3e
MC		 3094 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3095 tctx->tlsext_tick_aes_key, etick + 16);
3096 }
3097 /*
3098 * Attempt to process session ticket, first conduct sanity and integrity
3099 * checks on ticket.
3100 */
3101 mlen = HMAC_size(&hctx);
3102 if (mlen < 0) {
3103 EVP_CIPHER_CTX_cleanup(&ctx);
3104 return -1;
3105 }
3106 eticklen -= mlen;
3107 /* Check HMAC of encrypted ticket */
3108 HMAC_Update(&hctx, etick, eticklen);
3109 HMAC_Final(&hctx, tick_hmac, NULL);
3110 HMAC_CTX_cleanup(&hctx);
3111 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3112 EVP_CIPHER_CTX_cleanup(&ctx);
3113 return 2;
3114 }
3115 /* Attempt to decrypt session data */
3116 /* Move p after IV to start of encrypted ticket, update length */
3117 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3118 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3119 sdec = OPENSSL_malloc(eticklen);
3120 if (!sdec) {
3121 EVP_CIPHER_CTX_cleanup(&ctx);
3122 return -1;
3123 }
3124 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3125 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3126 EVP_CIPHER_CTX_cleanup(&ctx);
3127 OPENSSL_free(sdec);
3128 return 2;
3129 }
3130 slen += mlen;
3131 EVP_CIPHER_CTX_cleanup(&ctx);
3132 p = sdec;
3133
3134 sess = d2i_SSL_SESSION(NULL, &p, slen);
3135 OPENSSL_free(sdec);
3136 if (sess) {
3137 /*
3138 * The session ID, if non-empty, is used by some clients to detect
3139 * that the ticket has been accepted. So we copy it to the session
3140 * structure. If it is empty set length to zero as required by
3141 * standard.
3142 */
3143 if (sesslen)
3144 memcpy(sess->session_id, sess_id, sesslen);
3145 sess->session_id_length = sesslen;
3146 *psess = sess;
3147 if (renew_ticket)
3148 return 4;
3149 else
3150 return 3;
3151 }
3152 ERR_clear_error();
3153 /*
3154 * For session parse failure, indicate that we need to send a new ticket.
3155 */
3156 return 2;
3157}
6434abbf 3158
6b7be581
DSH		 3159/* Tables to translate from NIDs to TLS v1.2 ids */
3160
0f113f3e
MC		 3161typedef struct {
3162 int nid;
3163 int id;
3164} tls12_lookup;
6b7be581 3165
d97ed219 3166static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3167 {NID_md5, TLSEXT_hash_md5},
3168 {NID_sha1, TLSEXT_hash_sha1},
3169 {NID_sha224, TLSEXT_hash_sha224},
3170 {NID_sha256, TLSEXT_hash_sha256},
3171 {NID_sha384, TLSEXT_hash_sha384},
3172 {NID_sha512, TLSEXT_hash_sha512}
6b7be581
DSH		 3173};
3174
d97ed219 3175static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3176 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3177 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3178 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
6b7be581
DSH		 3179};
3180
d97ed219 3181static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3182{
3183 size_t i;
3184 for (i = 0; i < tlen; i++) {
3185 if (table[i].nid == nid)
3186 return table[i].id;
3187 }
3188 return -1;
3189}
e7f8ff43 3190
d97ed219 3191static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3192{
3193 size_t i;
3194 for (i = 0; i < tlen; i++) {
3195 if ((table[i].id) == id)
3196 return table[i].nid;
3197 }
3198 return NID_undef;
3199}
3200
3201int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3202 const EVP_MD *md)
3203{
3204 int sig_id, md_id;
3205 if (!md)
3206 return 0;
b6eb9827 3207 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3208 if (md_id == -1)
3209 return 0;
3210 sig_id = tls12_get_sigid(pk);
3211 if (sig_id == -1)
3212 return 0;
3213 p[0] = (unsigned char)md_id;
3214 p[1] = (unsigned char)sig_id;
3215 return 1;
3216}
6b7be581 3217
a2f9200f 3218int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3219{
b6eb9827 3220 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3221}
3222
3223typedef struct {
3224 int nid;
3225 int secbits;
3226 const EVP_MD *(*mfunc) (void);
3227} tls12_hash_info;
b362ccab
DSH		 3228
3229static const tls12_hash_info tls12_md_info[] = {
0f113f3e
MC		 3230# ifdef OPENSSL_NO_MD5
3231 {NID_md5, 64, 0},
3232# else
3233 {NID_md5, 64, EVP_md5},
3234# endif
0f113f3e 3235 {NID_sha1, 80, EVP_sha1},
0f113f3e
MC		 3236 {NID_sha224, 112, EVP_sha224},
3237 {NID_sha256, 128, EVP_sha256},
0f113f3e
MC		 3238 {NID_sha384, 192, EVP_sha384},
3239 {NID_sha512, 256, EVP_sha512}
b362ccab 3240};
a2f9200f 3241
b362ccab 3242static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e
MC		 3243{
3244 if (hash_alg == 0)
3245 return NULL;
b6eb9827 3246 if (hash_alg > OSSL_NELEM(tls12_md_info))
0f113f3e
MC		 3247 return NULL;
3248 return tls12_md_info + hash_alg - 1;
3249}
a2f9200f 3250
b362ccab 3251const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3252{
3253 const tls12_hash_info *inf;
3254 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3255 return NULL;
3256 inf = tls12_get_hash_info(hash_alg);
3257 if (!inf || !inf->mfunc)
3258 return NULL;
3259 return inf->mfunc();
3260}
a2f9200f 3261
4453cd8c 3262static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3263{
3264 switch (sig_alg) {
3265# ifndef OPENSSL_NO_RSA
3266 case TLSEXT_signature_rsa:
3267 return SSL_PKEY_RSA_SIGN;
3268# endif
3269# ifndef OPENSSL_NO_DSA
3270 case TLSEXT_signature_dsa:
3271 return SSL_PKEY_DSA_SIGN;
3272# endif
10bf4fc2 3273# ifndef OPENSSL_NO_EC
0f113f3e
MC		 3274 case TLSEXT_signature_ecdsa:
3275 return SSL_PKEY_ECC;
3276# endif
3277 }
3278 return -1;
3279}
4453cd8c
DSH		 3280
3281/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3282static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3283 int *psignhash_nid, const unsigned char *data)
3284{
3285 int sign_nid = 0, hash_nid = 0;
3286 if (!phash_nid && !psign_nid && !psignhash_nid)
3287 return;
3288 if (phash_nid || psignhash_nid) {
b6eb9827 3289 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3290 if (phash_nid)
3291 *phash_nid = hash_nid;
3292 }
3293 if (psign_nid || psignhash_nid) {
b6eb9827 3294 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3295 if (psign_nid)
3296 *psign_nid = sign_nid;
3297 }
3298 if (psignhash_nid) {
3299 if (sign_nid && hash_nid)
3300 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3301 else
3302 *psignhash_nid = NID_undef;
3303 }
3304}
3305
b362ccab
DSH		 3306/* Check to see if a signature algorithm is allowed */
3307static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3308{
3309 /* See if we have an entry in the hash table and it is enabled */
3310 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3311 if (!hinf || !hinf->mfunc)
3312 return 0;
3313 /* See if public key algorithm allowed */
3314 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3315 return 0;
3316 /* Finally see if security callback allows it */
3317 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3318}
3319
3320/*
3321 * Get a mask of disabled public key algorithms based on supported signature
3322 * algorithms. For example if no signature algorithm supports RSA then RSA is
3323 * disabled.
b362ccab
DSH		 3324 */
3325
3326void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
0f113f3e
MC		 3327{
3328 const unsigned char *sigalgs;
3329 size_t i, sigalgslen;
3330 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3331 /*
3332 * Now go through all signature algorithms seeing if we support any for
3333 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3334 * down calls to security callback only check if we have to.
3335 */
3336 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3337 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3338 switch (sigalgs[1]) {
3339# ifndef OPENSSL_NO_RSA
3340 case TLSEXT_signature_rsa:
3341 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3342 have_rsa = 1;
3343 break;
3344# endif
3345# ifndef OPENSSL_NO_DSA
3346 case TLSEXT_signature_dsa:
3347 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3348 have_dsa = 1;
3349 break;
3350# endif
10bf4fc2 3351# ifndef OPENSSL_NO_EC
0f113f3e
MC		 3352 case TLSEXT_signature_ecdsa:
3353 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3354 have_ecdsa = 1;
3355 break;
3356# endif
3357 }
3358 }
3359 if (!have_rsa)
3360 *pmask_a |= SSL_aRSA;
3361 if (!have_dsa)
3362 *pmask_a |= SSL_aDSS;
3363 if (!have_ecdsa)
3364 *pmask_a |= SSL_aECDSA;
3365}
b362ccab
DSH		 3366
3367size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3368 const unsigned char *psig, size_t psiglen)
3369{
3370 unsigned char *tmpout = out;
3371 size_t i;
3372 for (i = 0; i < psiglen; i += 2, psig += 2) {
3373 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3374 *tmpout++ = psig[0];
3375 *tmpout++ = psig[1];
3376 }
3377 }
3378 return tmpout - out;
3379}
b362ccab 3380
4453cd8c 3381/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3382static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3383 const unsigned char *pref, size_t preflen,
3384 const unsigned char *allow, size_t allowlen)
3385{
3386 const unsigned char *ptmp, *atmp;
3387 size_t i, j, nmatch = 0;
3388 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3389 /* Skip disabled hashes or signature algorithms */
3390 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3391 continue;
3392 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3393 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3394 nmatch++;
3395 if (shsig) {
3396 shsig->rhash = ptmp[0];
3397 shsig->rsign = ptmp[1];
3398 tls1_lookup_sigalg(&shsig->hash_nid,
3399 &shsig->sign_nid,
3400 &shsig->signandhash_nid, ptmp);
3401 shsig++;
3402 }
3403 break;
3404 }
3405 }
3406 }
3407 return nmatch;
3408}
4453cd8c
DSH		 3409
3410/* Set shared signature algorithms for SSL structures */
3411static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3412{
3413 const unsigned char *pref, *allow, *conf;
3414 size_t preflen, allowlen, conflen;
3415 size_t nmatch;
3416 TLS_SIGALGS *salgs = NULL;
3417 CERT *c = s->cert;
3418 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3419
3420 OPENSSL_free(c->shared_sigalgs);
3421 c->shared_sigalgs = NULL;
3422 c->shared_sigalgslen = 0;
0f113f3e
MC		 3423 /* If client use client signature algorithms if not NULL */
3424 if (!s->server && c->client_sigalgs && !is_suiteb) {
3425 conf = c->client_sigalgs;
3426 conflen = c->client_sigalgslen;
3427 } else if (c->conf_sigalgs && !is_suiteb) {
3428 conf = c->conf_sigalgs;
3429 conflen = c->conf_sigalgslen;
3430 } else
3431 conflen = tls12_get_psigalgs(s, &conf);
3432 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3433 pref = conf;
3434 preflen = conflen;
76106e60
DSH		 3435 allow = s->s3->tmp.peer_sigalgs;
3436 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3437 } else {
3438 allow = conf;
3439 allowlen = conflen;
76106e60
DSH		 3440 pref = s->s3->tmp.peer_sigalgs;
3441 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3442 }
3443 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3444 if (nmatch) {
3445 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3446 if (!salgs)
3447 return 0;
3448 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3449 } else {
3450 salgs = NULL;
3451 }
0f113f3e
MC		 3452 c->shared_sigalgs = salgs;
3453 c->shared_sigalgslen = nmatch;
3454 return 1;
3455}
4453cd8c 3456
6b7be581
DSH		 3457/* Set preferred digest for each key type */
3458
c800c27a 3459int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3460{
3461 CERT *c = s->cert;
3462 /* Extension ignored for inappropriate versions */
3463 if (!SSL_USE_SIGALGS(s))
3464 return 1;
3465 /* Should never happen */
3466 if (!c)
3467 return 0;
3468
76106e60
DSH		 3469 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3470 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3471 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3472 return 0;
76106e60
DSH		 3473 s->s3->tmp.peer_sigalgslen = dsize;
3474 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3475 return 1;
3476}
6b7be581 3477
c800c27a 3478int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3479{
3480 int idx;
3481 size_t i;
3482 const EVP_MD *md;
d376e57d 3483 const EVP_MD **pmd = s->s3->tmp.md;
6383d316 3484 int *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3485 CERT *c = s->cert;
3486 TLS_SIGALGS *sigptr;
3487 if (!tls1_set_shared_sigalgs(s))
3488 return 0;
3489
3490# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3491 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3492 /*
3493 * Use first set signature preference to force message digest,
3494 * ignoring any peer preferences.
3495 */
3496 const unsigned char *sigs = NULL;
3497 if (s->server)
3498 sigs = c->conf_sigalgs;
3499 else
3500 sigs = c->client_sigalgs;
3501 if (sigs) {
3502 idx = tls12_get_pkey_idx(sigs[1]);
3503 md = tls12_get_hash(sigs[0]);
d376e57d 3504 pmd[idx] = md;
6383d316 3505 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3506 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3507 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3508 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3509 }
3510 }
3511 }
3512# endif
3513
3514 for (i = 0, sigptr = c->shared_sigalgs;
3515 i < c->shared_sigalgslen; i++, sigptr++) {
3516 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3517 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3518 md = tls12_get_hash(sigptr->rhash);
d376e57d 3519 pmd[idx] = md;
6383d316 3520 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3521 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3522 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3523 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3524 }
3525 }
6b7be581 3526
0f113f3e
MC		 3527 }
3528 /*
3529 * In strict mode leave unset digests as NULL to indicate we can't use
3530 * the certificate for signing.
3531 */
3532 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3533 /*
3534 * Set any remaining keys to default values. NOTE: if alg is not
3535 * supported it stays as NULL.
3536 */
3537# ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3538 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3539 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
0f113f3e
MC		 3540# endif
3541# ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3542 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3543 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3544 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e
MC		 3545 }
3546# endif
10bf4fc2 3547# ifndef OPENSSL_NO_EC
d376e57d
DSH		 3548 if (pmd[SSL_PKEY_ECC] == NULL)
3549 pmd[SSL_PKEY_ECC] = EVP_sha1();
0f113f3e
MC		 3550# endif
3551 }
3552 return 1;
3553}
4817504d 3554
e7f8ff43 3555int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3556 int *psign, int *phash, int *psignhash,
3557 unsigned char *rsig, unsigned char *rhash)
3558{
76106e60 3559 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3560 if (psig == NULL)
3561 return 0;
3562 if (idx >= 0) {
3563 idx <<= 1;
76106e60 3564 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3565 return 0;
3566 psig += idx;
3567 if (rhash)
3568 *rhash = psig[0];
3569 if (rsig)
3570 *rsig = psig[1];
3571 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3572 }
76106e60 3573 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3574}
4453cd8c
DSH		 3575
3576int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3577 int *psign, int *phash, int *psignhash,
3578 unsigned char *rsig, unsigned char *rhash)
3579{
3580 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3581 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3582 return 0;
3583 shsigalgs += idx;
3584 if (phash)
3585 *phash = shsigalgs->hash_nid;
3586 if (psign)
3587 *psign = shsigalgs->sign_nid;
3588 if (psignhash)
3589 *psignhash = shsigalgs->signandhash_nid;
3590 if (rsig)
3591 *rsig = shsigalgs->rsign;
3592 if (rhash)
3593 *rhash = shsigalgs->rhash;
3594 return s->cert->shared_sigalgslen;
3595}
3596
3597# ifndef OPENSSL_NO_HEARTBEATS
2c60ed04 3598int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
0f113f3e 3599{
2c60ed04 3600 unsigned char *pl;
0f113f3e
MC		 3601 unsigned short hbtype;
3602 unsigned int payload;
3603 unsigned int padding = 16; /* Use minimum padding */
3604
3605 if (s->msg_callback)
3606 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
258f8721 3607 p, length,
0f113f3e
MC		 3608 s, s->msg_callback_arg);
3609
3610 /* Read type and payload length first */
258f8721 3611 if (1 + 2 + 16 > length)
0f113f3e
MC		 3612 return 0; /* silently discard */
3613 hbtype = *p++;
3614 n2s(p, payload);
258f8721 3615 if (1 + 2 + payload + 16 > length)
0f113f3e
MC		 3616 return 0; /* silently discard per RFC 6520 sec. 4 */
3617 pl = p;
3618
3619 if (hbtype == TLS1_HB_REQUEST) {
3620 unsigned char *buffer, *bp;
3621 int r;
3622
3623 /*
3624 * Allocate memory for the response, size is 1 bytes message type,
3625 * plus 2 bytes payload length, plus payload, plus padding
3626 */
3627 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3628 if (buffer == NULL) {
3629 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3630 return -1;
3631 }
3632 bp = buffer;
3633
3634 /* Enter response type, length and copy payload */
3635 *bp++ = TLS1_HB_RESPONSE;
3636 s2n(payload, bp);
3637 memcpy(bp, pl, payload);
3638 bp += payload;
3639 /* Random padding */
266483d2
MC		 3640 if (RAND_bytes(bp, padding) <= 0) {
3641 OPENSSL_free(buffer);
3642 return -1;
3643 }
0f113f3e
MC		 3644
3645 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3646 3 + payload + padding);
3647
3648 if (r >= 0 && s->msg_callback)
3649 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3650 buffer, 3 + payload + padding,
3651 s, s->msg_callback_arg);
3652
3653 OPENSSL_free(buffer);
3654
3655 if (r < 0)
3656 return r;
3657 } else if (hbtype == TLS1_HB_RESPONSE) {
3658 unsigned int seq;
3659
3660 /*
3661 * We only send sequence numbers (2 bytes unsigned int), and 16
3662 * random bytes, so we just try to read the sequence number
3663 */
3664 n2s(pl, seq);
3665
3666 if (payload == 18 && seq == s->tlsext_hb_seq) {
3667 s->tlsext_hb_seq++;
3668 s->tlsext_hb_pending = 0;
3669 }
3670 }
3671
3672 return 0;
3673}
0f229cce 3674
0f113f3e
MC		 3675int tls1_heartbeat(SSL *s)
3676{
3677 unsigned char *buf, *p;
266483d2 3678 int ret = -1;
0f113f3e
MC		 3679 unsigned int payload = 18; /* Sequence number + random bytes */
3680 unsigned int padding = 16; /* Use minimum padding */
3681
3682 /* Only send if peer supports and accepts HB requests... */
3683 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3684 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3685 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3686 return -1;
3687 }
3688
3689 /* ...and there is none in flight yet... */
3690 if (s->tlsext_hb_pending) {
3691 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3692 return -1;
3693 }
3694
3695 /* ...and no handshake in progress. */
3696 if (SSL_in_init(s) || s->in_handshake) {
3697 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3698 return -1;
3699 }
3700
3701 /*
3702 * Check if padding is too long, payload and padding must not exceed 2^14
3703 * - 3 = 16381 bytes in total.
3704 */
3705 OPENSSL_assert(payload + padding <= 16381);
3706
50e735f9
MC		 3707 /*-
3708 * Create HeartBeat message, we just use a sequence number
3709 * as payload to distuingish different messages and add
3710 * some random stuff.
3711 * - Message Type, 1 byte
3712 * - Payload Length, 2 bytes (unsigned int)
3713 * - Payload, the sequence number (2 bytes uint)
3714 * - Payload, random bytes (16 bytes uint)
3715 * - Padding
3716 */
0f113f3e
MC		 3717 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3718 if (buf == NULL) {
3719 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3720 return -1;
3721 }
3722 p = buf;
3723 /* Message Type */
3724 *p++ = TLS1_HB_REQUEST;
3725 /* Payload length (18 bytes here) */
3726 s2n(payload, p);
3727 /* Sequence number */
3728 s2n(s->tlsext_hb_seq, p);
3729 /* 16 random bytes */
266483d2
MC		 3730 if (RAND_bytes(p, 16) <= 0) {
3731 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3732 goto err;
3733 }
0f113f3e
MC		 3734 p += 16;
3735 /* Random padding */
266483d2
MC		 3736 if (RAND_bytes(p, padding) <= 0) {
3737 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3738 goto err;
3739 }
0f113f3e
MC		 3740
3741 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3742 if (ret >= 0) {
3743 if (s->msg_callback)
3744 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3745 buf, 3 + payload + padding,
3746 s, s->msg_callback_arg);
3747
3748 s->tlsext_hb_pending = 1;
3749 }
3750
266483d2 3751 err:
0f113f3e 3752 OPENSSL_free(buf);
0f113f3e
MC		 3753 return ret;
3754}
3755# endif
3756
3757# define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3758
0f113f3e
MC		 3759typedef struct {
3760 size_t sigalgcnt;
3761 int sigalgs[MAX_SIGALGLEN];
3762} sig_cb_st;
0f229cce
DSH		 3763
3764static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3765{
3766 sig_cb_st *sarg = arg;
3767 size_t i;
3768 char etmp[20], *p;
3769 int sig_alg, hash_alg;
2747d73c
KR		 3770 if (elem == NULL)
3771 return 0;
0f113f3e
MC		 3772 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3773 return 0;
3774 if (len > (int)(sizeof(etmp) - 1))
3775 return 0;
3776 memcpy(etmp, elem, len);
3777 etmp[len] = 0;
3778 p = strchr(etmp, '+');
3779 if (!p)
3780 return 0;
3781 *p = 0;
3782 p++;
3783 if (!*p)
3784 return 0;
3785
86885c28 3786 if (strcmp(etmp, "RSA") == 0)
0f113f3e 3787 sig_alg = EVP_PKEY_RSA;
86885c28 3788 else if (strcmp(etmp, "DSA") == 0)
0f113f3e 3789 sig_alg = EVP_PKEY_DSA;
86885c28 3790 else if (strcmp(etmp, "ECDSA") == 0)
0f113f3e
MC		 3791 sig_alg = EVP_PKEY_EC;
3792 else
3793 return 0;
3794
3795 hash_alg = OBJ_sn2nid(p);
3796 if (hash_alg == NID_undef)
3797 hash_alg = OBJ_ln2nid(p);
3798 if (hash_alg == NID_undef)
3799 return 0;
3800
3801 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3802 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3803 return 0;
3804 }
3805 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3806 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3807 return 1;
3808}
3809
3810/*
3811 * Set suppored signature algorithms based on a colon separated list of the
3812 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3813 */
3dbc46df 3814int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3815{
3816 sig_cb_st sig;
3817 sig.sigalgcnt = 0;
3818 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3819 return 0;
3820 if (c == NULL)
3821 return 1;
3822 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3823}
3824
3825int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3826 int client)
3827{
3828 unsigned char *sigalgs, *sptr;
3829 int rhash, rsign;
3830 size_t i;
3831 if (salglen & 1)
3832 return 0;
3833 sigalgs = OPENSSL_malloc(salglen);
3834 if (sigalgs == NULL)
3835 return 0;
3836 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3837 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3838 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3839
3840 if (rhash == -1 || rsign == -1)
3841 goto err;
3842 *sptr++ = rhash;
3843 *sptr++ = rsign;
3844 }
3845
3846 if (client) {
b548a1f1 3847 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3848 c->client_sigalgs = sigalgs;
3849 c->client_sigalgslen = salglen;
3850 } else {
b548a1f1 3851 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3852 c->conf_sigalgs = sigalgs;
3853 c->conf_sigalgslen = salglen;
3854 }
3855
3856 return 1;
3857
3858 err:
3859 OPENSSL_free(sigalgs);
3860 return 0;
3861}
4453cd8c 3862
d61ff83b 3863static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3864{
3865 int sig_nid;
3866 size_t i;
3867 if (default_nid == -1)
3868 return 1;
3869 sig_nid = X509_get_signature_nid(x);
3870 if (default_nid)
3871 return sig_nid == default_nid ? 1 : 0;
3872 for (i = 0; i < c->shared_sigalgslen; i++)
3873 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3874 return 1;
3875 return 0;
3876}
3877
6dbb6219
DSH		 3878/* Check to see if a certificate issuer name matches list of CA names */
3879static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3880{
3881 X509_NAME *nm;
3882 int i;
3883 nm = X509_get_issuer_name(x);
3884 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3885 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3886 return 1;
3887 }
3888 return 0;
3889}
3890
3891/*
3892 * Check certificate chain is consistent with TLS extensions and is usable by
3893 * server. This servers two purposes: it allows users to check chains before
3894 * passing them to the server and it allows the server to check chains before
3895 * attempting to use them.
d61ff83b 3896 */
6dbb6219
DSH		 3897
3898/* Flags which need to be set for a certificate when stict mode not set */
3899
0f113f3e
MC		 3900# define CERT_PKEY_VALID_FLAGS \
3901 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3902/* Strict mode flags */
0f113f3e
MC		 3903# define CERT_PKEY_STRICT_FLAGS \
3904 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3905 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3906
d61ff83b 3907int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3908 int idx)
3909{
3910 int i;
3911 int rv = 0;
3912 int check_flags = 0, strict_mode;
3913 CERT_PKEY *cpk = NULL;
3914 CERT *c = s->cert;
6383d316 3915 int *pvalid;
0f113f3e
MC		 3916 unsigned int suiteb_flags = tls1_suiteb(s);
3917 /* idx == -1 means checking server chains */
3918 if (idx != -1) {
3919 /* idx == -2 means checking client certificate chains */
3920 if (idx == -2) {
3921 cpk = c->key;
3922 idx = cpk - c->pkeys;
3923 } else
3924 cpk = c->pkeys + idx;
6383d316 3925 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3926 x = cpk->x509;
3927 pk = cpk->privatekey;
3928 chain = cpk->chain;
3929 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3930 /* If no cert or key, forget it */
3931 if (!x || !pk)
3932 goto end;
3933# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3934 /* Allow any certificate to pass test */
3935 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3936 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3937 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3938 *pvalid = rv;
0f113f3e
MC		 3939 return rv;
3940 }
3941# endif
3942 } else {
3943 if (!x || !pk)
d813f9eb 3944 return 0;
0f113f3e
MC		 3945 idx = ssl_cert_type(x, pk);
3946 if (idx == -1)
d813f9eb 3947 return 0;
0f113f3e 3948 cpk = c->pkeys + idx;
6383d316
DSH		 3949 pvalid = s->s3->tmp.valid_flags + idx;
3950
0f113f3e
MC		 3951 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3952 check_flags = CERT_PKEY_STRICT_FLAGS;
3953 else
3954 check_flags = CERT_PKEY_VALID_FLAGS;
3955 strict_mode = 1;
3956 }
3957
3958 if (suiteb_flags) {
3959 int ok;
3960 if (check_flags)
3961 check_flags |= CERT_PKEY_SUITEB;
3962 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3963 if (ok == X509_V_OK)
3964 rv |= CERT_PKEY_SUITEB;
3965 else if (!check_flags)
3966 goto end;
3967 }
3968
3969 /*
3970 * Check all signature algorithms are consistent with signature
3971 * algorithms extension if TLS 1.2 or later and strict mode.
3972 */
3973 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3974 int default_nid;
3975 unsigned char rsign = 0;
76106e60 3976 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3977 default_nid = 0;
3978 /* If no sigalgs extension use defaults from RFC5246 */
3979 else {
3980 switch (idx) {
3981 case SSL_PKEY_RSA_ENC:
3982 case SSL_PKEY_RSA_SIGN:
3983 case SSL_PKEY_DH_RSA:
3984 rsign = TLSEXT_signature_rsa;
3985 default_nid = NID_sha1WithRSAEncryption;
3986 break;
3987
3988 case SSL_PKEY_DSA_SIGN:
3989 case SSL_PKEY_DH_DSA:
3990 rsign = TLSEXT_signature_dsa;
3991 default_nid = NID_dsaWithSHA1;
3992 break;
3993
3994 case SSL_PKEY_ECC:
3995 rsign = TLSEXT_signature_ecdsa;
3996 default_nid = NID_ecdsa_with_SHA1;
3997 break;
3998
3999 default:
4000 default_nid = -1;
4001 break;
4002 }
4003 }
4004 /*
4005 * If peer sent no signature algorithms extension and we have set
4006 * preferred signature algorithms check we support sha1.
4007 */
4008 if (default_nid > 0 && c->conf_sigalgs) {
4009 size_t j;
4010 const unsigned char *p = c->conf_sigalgs;
4011 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4012 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4013 break;
4014 }
4015 if (j == c->conf_sigalgslen) {
4016 if (check_flags)
4017 goto skip_sigs;
4018 else
4019 goto end;
4020 }
4021 }
4022 /* Check signature algorithm of each cert in chain */
4023 if (!tls1_check_sig_alg(c, x, default_nid)) {
4024 if (!check_flags)
4025 goto end;
4026 } else
4027 rv |= CERT_PKEY_EE_SIGNATURE;
4028 rv |= CERT_PKEY_CA_SIGNATURE;
4029 for (i = 0; i < sk_X509_num(chain); i++) {
4030 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4031 if (check_flags) {
4032 rv &= ~CERT_PKEY_CA_SIGNATURE;
4033 break;
4034 } else
4035 goto end;
4036 }
4037 }
4038 }
4039 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4040 else if (check_flags)
4041 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4042 skip_sigs:
4043 /* Check cert parameters are consistent */
4044 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4045 rv |= CERT_PKEY_EE_PARAM;
4046 else if (!check_flags)
4047 goto end;
4048 if (!s->server)
4049 rv |= CERT_PKEY_CA_PARAM;
4050 /* In strict mode check rest of chain too */
4051 else if (strict_mode) {
4052 rv |= CERT_PKEY_CA_PARAM;
4053 for (i = 0; i < sk_X509_num(chain); i++) {
4054 X509 *ca = sk_X509_value(chain, i);
4055 if (!tls1_check_cert_param(s, ca, 0)) {
4056 if (check_flags) {
4057 rv &= ~CERT_PKEY_CA_PARAM;
4058 break;
4059 } else
4060 goto end;
4061 }
4062 }
4063 }
4064 if (!s->server && strict_mode) {
4065 STACK_OF(X509_NAME) *ca_dn;
4066 int check_type = 0;
4067 switch (pk->type) {
4068 case EVP_PKEY_RSA:
4069 check_type = TLS_CT_RSA_SIGN;
4070 break;
4071 case EVP_PKEY_DSA:
4072 check_type = TLS_CT_DSS_SIGN;
4073 break;
4074 case EVP_PKEY_EC:
4075 check_type = TLS_CT_ECDSA_SIGN;
4076 break;
4077 case EVP_PKEY_DH:
4078 case EVP_PKEY_DHX:
4079 {
4080 int cert_type = X509_certificate_type(x, pk);
4081 if (cert_type & EVP_PKS_RSA)
4082 check_type = TLS_CT_RSA_FIXED_DH;
4083 if (cert_type & EVP_PKS_DSA)
4084 check_type = TLS_CT_DSS_FIXED_DH;
4085 }
4086 }
4087 if (check_type) {
4088 const unsigned char *ctypes;
4089 int ctypelen;
4090 if (c->ctypes) {
4091 ctypes = c->ctypes;
4092 ctypelen = (int)c->ctype_num;
4093 } else {
4094 ctypes = (unsigned char *)s->s3->tmp.ctype;
4095 ctypelen = s->s3->tmp.ctype_num;
4096 }
4097 for (i = 0; i < ctypelen; i++) {
4098 if (ctypes[i] == check_type) {
4099 rv |= CERT_PKEY_CERT_TYPE;
4100 break;
4101 }
4102 }
4103 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4104 goto end;
4105 } else
4106 rv |= CERT_PKEY_CERT_TYPE;
4107
4108 ca_dn = s->s3->tmp.ca_names;
4109
4110 if (!sk_X509_NAME_num(ca_dn))
4111 rv |= CERT_PKEY_ISSUER_NAME;
4112
4113 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4114 if (ssl_check_ca_name(ca_dn, x))
4115 rv |= CERT_PKEY_ISSUER_NAME;
4116 }
4117 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4118 for (i = 0; i < sk_X509_num(chain); i++) {
4119 X509 *xtmp = sk_X509_value(chain, i);
4120 if (ssl_check_ca_name(ca_dn, xtmp)) {
4121 rv |= CERT_PKEY_ISSUER_NAME;
4122 break;
4123 }
4124 }
4125 }
4126 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4127 goto end;
4128 } else
4129 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4130
4131 if (!check_flags || (rv & check_flags) == check_flags)
4132 rv |= CERT_PKEY_VALID;
4133
4134 end:
4135
4136 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4137 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4138 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4139 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4140 rv |= CERT_PKEY_SIGN;
4141 } else
4142 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4143
4144 /*
4145 * When checking a CERT_PKEY structure all flags are irrelevant if the
4146 * chain is invalid.
4147 */
4148 if (!check_flags) {
4149 if (rv & CERT_PKEY_VALID)
6383d316 4150 *pvalid = rv;
0f113f3e
MC		 4151 else {
4152 /* Preserve explicit sign flag, clear rest */
6383d316 4153 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4154 return 0;
4155 }
4156 }
4157 return rv;
4158}
d61ff83b
DSH		 4159
4160/* Set validity of certificates in an SSL structure */
4161void tls1_set_cert_validity(SSL *s)
0f113f3e 4162{
17dd65e6
MC		 4163 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4164 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4165 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4166 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4167 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4168 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
0f113f3e
MC		 4169}
4170
18d71588
DSH		 4171/* User level utiity function to check a chain is suitable */
4172int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4173{
4174 return tls1_check_chain(s, x, pk, chain, -1);
4175}
d61ff83b 4176
4453cd8c 4177#endif
09599b52
DSH		 4178
4179#ifndef OPENSSL_NO_DH
4180DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4181{
4182 int dh_secbits = 80;
4183 if (s->cert->dh_tmp_auto == 2)
4184 return DH_get_1024_160();
4185 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
4186 if (s->s3->tmp.new_cipher->strength_bits == 256)
4187 dh_secbits = 128;
4188 else
4189 dh_secbits = 80;
4190 } else {
4191 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4192 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4193 }
4194
4195 if (dh_secbits >= 128) {
4196 DH *dhp = DH_new();
4197 if (!dhp)
4198 return NULL;
4199 dhp->g = BN_new();
4200 if (dhp->g)
4201 BN_set_word(dhp->g, 2);
4202 if (dh_secbits >= 192)
4203 dhp->p = get_rfc3526_prime_8192(NULL);
4204 else
4205 dhp->p = get_rfc3526_prime_3072(NULL);
4206 if (!dhp->p || !dhp->g) {
4207 DH_free(dhp);
4208 return NULL;
4209 }
4210 return dhp;
4211 }
4212 if (dh_secbits >= 112)
4213 return DH_get_2048_224();
4214 return DH_get_1024_160();
4215}
09599b52 4216#endif
b362ccab
DSH		 4217
4218static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4219{
4220 int secbits;
4221 EVP_PKEY *pkey = X509_get_pubkey(x);
4222 if (pkey) {
4223 secbits = EVP_PKEY_security_bits(pkey);
4224 EVP_PKEY_free(pkey);
4225 } else
4226 secbits = -1;
4227 if (s)
4228 return ssl_security(s, op, secbits, 0, x);
4229 else
4230 return ssl_ctx_security(ctx, op, secbits, 0, x);
4231}
b362ccab
DSH		 4232
4233static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4234{
4235 /* Lookup signature algorithm digest */
4236 int secbits = -1, md_nid = NID_undef, sig_nid;
4237 sig_nid = X509_get_signature_nid(x);
4238 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4239 const EVP_MD *md;
4240 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4241 secbits = EVP_MD_size(md) * 4;
4242 }
4243 if (s)
4244 return ssl_security(s, op, secbits, md_nid, x);
4245 else
4246 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4247}
b362ccab
DSH		 4248
4249int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4250{
4251 if (vfy)
4252 vfy = SSL_SECOP_PEER;
4253 if (is_ee) {
4254 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4255 return SSL_R_EE_KEY_TOO_SMALL;
4256 } else {
4257 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4258 return SSL_R_CA_KEY_TOO_SMALL;
4259 }
4260 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4261 return SSL_R_CA_MD_TOO_WEAK;
4262 return 1;
4263}
4264
4265/*
4266 * Check security of a chain, if sk includes the end entity certificate then
4267 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4268 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4269 */
4270
4271int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4272{
4273 int rv, start_idx, i;
4274 if (x == NULL) {
4275 x = sk_X509_value(sk, 0);
4276 start_idx = 1;
4277 } else
4278 start_idx = 0;
4279
4280 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4281 if (rv != 1)
4282 return rv;
4283
4284 for (i = start_idx; i < sk_X509_num(sk); i++) {
4285 x = sk_X509_value(sk, i);
4286 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4287 if (rv != 1)
4288 return rv;
4289 }
4290 return 1;
4291}
Mirror of https://github.com/openssl/openssl.git