]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
constify PACKET
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110
111 #include <stdio.h>
112 #include <openssl/objects.h>
113 #include <openssl/evp.h>
114 #include <openssl/hmac.h>
115 #include <openssl/ocsp.h>
116 #include <openssl/rand.h>
117 #ifndef OPENSSL_NO_DH
118 # include <openssl/dh.h>
119 # include <openssl/bn.h>
120 #endif
121 #include "ssl_locl.h"
122
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128
129 SSL3_ENC_METHOD const TLSv1_enc_data = {
130 tls1_enc,
131 tls1_mac,
132 tls1_setup_key_block,
133 tls1_generate_master_secret,
134 tls1_change_cipher_state,
135 tls1_final_finish_mac,
136 TLS1_FINISH_MAC_LENGTH,
137 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
140 tls1_export_keying_material,
141 0,
142 SSL3_HM_HEADER_LENGTH,
143 ssl3_set_handshake_header,
144 ssl3_handshake_write
145 };
146
147 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
148 tls1_enc,
149 tls1_mac,
150 tls1_setup_key_block,
151 tls1_generate_master_secret,
152 tls1_change_cipher_state,
153 tls1_final_finish_mac,
154 TLS1_FINISH_MAC_LENGTH,
155 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
174 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
175 tls1_alert_code,
176 tls1_export_keying_material,
177 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
178 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 SSL3_HM_HEADER_LENGTH,
180 ssl3_set_handshake_header,
181 ssl3_handshake_write
182 };
183
184 long tls1_default_timeout(void)
185 {
186 /*
187 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
188 * http, the cache would over fill
189 */
190 return (60 * 60 * 2);
191 }
192
193 int tls1_new(SSL *s)
194 {
195 if (!ssl3_new(s))
196 return (0);
197 s->method->ssl_clear(s);
198 return (1);
199 }
200
201 void tls1_free(SSL *s)
202 {
203 OPENSSL_free(s->tlsext_session_ticket);
204 ssl3_free(s);
205 }
206
207 void tls1_clear(SSL *s)
208 {
209 ssl3_clear(s);
210 if (s->method->version == TLS_ANY_VERSION)
211 s->version = TLS_MAX_VERSION;
212 else
213 s->version = s->method->version;
214 }
215
216 #ifndef OPENSSL_NO_EC
217
218 typedef struct {
219 int nid; /* Curve NID */
220 int secbits; /* Bits of security (from SP800-57) */
221 unsigned int flags; /* Flags: currently just field type */
222 } tls_curve_info;
223
224 # define TLS_CURVE_CHAR2 0x1
225 # define TLS_CURVE_PRIME 0x0
226
227 static const tls_curve_info nid_list[] = {
228 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
229 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
230 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
231 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
232 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
233 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
234 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
235 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
236 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
237 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
238 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
239 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
240 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
241 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
242 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
243 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
244 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
245 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
246 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
247 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
248 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
249 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
250 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
251 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
252 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
253 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
254 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
255 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
256 };
257
258 static const unsigned char ecformats_default[] = {
259 TLSEXT_ECPOINTFORMAT_uncompressed,
260 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
262 };
263
264 /* The default curves */
265 static const unsigned char eccurves_default[] = {
266 /* Prefer P-256 which has the fastest and most secure implementations. */
267 0, 23, /* secp256r1 (23) */
268 /* Other >= 256-bit prime curves. */
269 0, 25, /* secp521r1 (25) */
270 0, 28, /* brainpool512r1 (28) */
271 0, 27, /* brainpoolP384r1 (27) */
272 0, 24, /* secp384r1 (24) */
273 0, 26, /* brainpoolP256r1 (26) */
274 0, 22, /* secp256k1 (22) */
275 /* >= 256-bit binary curves. */
276 0, 14, /* sect571r1 (14) */
277 0, 13, /* sect571k1 (13) */
278 0, 11, /* sect409k1 (11) */
279 0, 12, /* sect409r1 (12) */
280 0, 9, /* sect283k1 (9) */
281 0, 10, /* sect283r1 (10) */
282 };
283
284 static const unsigned char eccurves_all[] = {
285 /* Prefer P-256 which has the fastest and most secure implementations. */
286 0, 23, /* secp256r1 (23) */
287 /* Other >= 256-bit prime curves. */
288 0, 25, /* secp521r1 (25) */
289 0, 28, /* brainpool512r1 (28) */
290 0, 27, /* brainpoolP384r1 (27) */
291 0, 24, /* secp384r1 (24) */
292 0, 26, /* brainpoolP256r1 (26) */
293 0, 22, /* secp256k1 (22) */
294 /* >= 256-bit binary curves. */
295 0, 14, /* sect571r1 (14) */
296 0, 13, /* sect571k1 (13) */
297 0, 11, /* sect409k1 (11) */
298 0, 12, /* sect409r1 (12) */
299 0, 9, /* sect283k1 (9) */
300 0, 10, /* sect283r1 (10) */
301 /*
302 * Remaining curves disabled by default but still permitted if set
303 * via an explicit callback or parameters.
304 */
305 0, 20, /* secp224k1 (20) */
306 0, 21, /* secp224r1 (21) */
307 0, 18, /* secp192k1 (18) */
308 0, 19, /* secp192r1 (19) */
309 0, 15, /* secp160k1 (15) */
310 0, 16, /* secp160r1 (16) */
311 0, 17, /* secp160r2 (17) */
312 0, 8, /* sect239k1 (8) */
313 0, 6, /* sect233k1 (6) */
314 0, 7, /* sect233r1 (7) */
315 0, 4, /* sect193r1 (4) */
316 0, 5, /* sect193r2 (5) */
317 0, 1, /* sect163k1 (1) */
318 0, 2, /* sect163r1 (2) */
319 0, 3, /* sect163r2 (3) */
320 };
321
322
323 static const unsigned char suiteb_curves[] = {
324 0, TLSEXT_curve_P_256,
325 0, TLSEXT_curve_P_384
326 };
327
328 int tls1_ec_curve_id2nid(int curve_id)
329 {
330 /* ECC curves from RFC 4492 and RFC 7027 */
331 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
332 return 0;
333 return nid_list[curve_id - 1].nid;
334 }
335
336 int tls1_ec_nid2curve_id(int nid)
337 {
338 /* ECC curves from RFC 4492 and RFC 7027 */
339 switch (nid) {
340 case NID_sect163k1: /* sect163k1 (1) */
341 return 1;
342 case NID_sect163r1: /* sect163r1 (2) */
343 return 2;
344 case NID_sect163r2: /* sect163r2 (3) */
345 return 3;
346 case NID_sect193r1: /* sect193r1 (4) */
347 return 4;
348 case NID_sect193r2: /* sect193r2 (5) */
349 return 5;
350 case NID_sect233k1: /* sect233k1 (6) */
351 return 6;
352 case NID_sect233r1: /* sect233r1 (7) */
353 return 7;
354 case NID_sect239k1: /* sect239k1 (8) */
355 return 8;
356 case NID_sect283k1: /* sect283k1 (9) */
357 return 9;
358 case NID_sect283r1: /* sect283r1 (10) */
359 return 10;
360 case NID_sect409k1: /* sect409k1 (11) */
361 return 11;
362 case NID_sect409r1: /* sect409r1 (12) */
363 return 12;
364 case NID_sect571k1: /* sect571k1 (13) */
365 return 13;
366 case NID_sect571r1: /* sect571r1 (14) */
367 return 14;
368 case NID_secp160k1: /* secp160k1 (15) */
369 return 15;
370 case NID_secp160r1: /* secp160r1 (16) */
371 return 16;
372 case NID_secp160r2: /* secp160r2 (17) */
373 return 17;
374 case NID_secp192k1: /* secp192k1 (18) */
375 return 18;
376 case NID_X9_62_prime192v1: /* secp192r1 (19) */
377 return 19;
378 case NID_secp224k1: /* secp224k1 (20) */
379 return 20;
380 case NID_secp224r1: /* secp224r1 (21) */
381 return 21;
382 case NID_secp256k1: /* secp256k1 (22) */
383 return 22;
384 case NID_X9_62_prime256v1: /* secp256r1 (23) */
385 return 23;
386 case NID_secp384r1: /* secp384r1 (24) */
387 return 24;
388 case NID_secp521r1: /* secp521r1 (25) */
389 return 25;
390 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
391 return 26;
392 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
393 return 27;
394 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
395 return 28;
396 default:
397 return 0;
398 }
399 }
400
401 /*
402 * Get curves list, if "sess" is set return client curves otherwise
403 * preferred list.
404 * Sets |num_curves| to the number of curves in the list, i.e.,
405 * the length of |pcurves| is 2 * num_curves.
406 * Returns 1 on success and 0 if the client curves list has invalid format.
407 * The latter indicates an internal error: we should not be accepting such
408 * lists in the first place.
409 * TODO(emilia): we should really be storing the curves list in explicitly
410 * parsed form instead. (However, this would affect binary compatibility
411 * so cannot happen in the 1.0.x series.)
412 */
413 static int tls1_get_curvelist(SSL *s, int sess,
414 const unsigned char **pcurves,
415 size_t *num_curves)
416 {
417 size_t pcurveslen = 0;
418 if (sess) {
419 *pcurves = s->session->tlsext_ellipticcurvelist;
420 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
421 } else {
422 /* For Suite B mode only include P-256, P-384 */
423 switch (tls1_suiteb(s)) {
424 case SSL_CERT_FLAG_SUITEB_128_LOS:
425 *pcurves = suiteb_curves;
426 pcurveslen = sizeof(suiteb_curves);
427 break;
428
429 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
430 *pcurves = suiteb_curves;
431 pcurveslen = 2;
432 break;
433
434 case SSL_CERT_FLAG_SUITEB_192_LOS:
435 *pcurves = suiteb_curves + 2;
436 pcurveslen = 2;
437 break;
438 default:
439 *pcurves = s->tlsext_ellipticcurvelist;
440 pcurveslen = s->tlsext_ellipticcurvelist_length;
441 }
442 if (!*pcurves) {
443 *pcurves = eccurves_default;
444 pcurveslen = sizeof(eccurves_default);
445 }
446 }
447
448 /* We do not allow odd length arrays to enter the system. */
449 if (pcurveslen & 1) {
450 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
451 *num_curves = 0;
452 return 0;
453 } else {
454 *num_curves = pcurveslen / 2;
455 return 1;
456 }
457 }
458
459 /* See if curve is allowed by security callback */
460 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
461 {
462 const tls_curve_info *cinfo;
463 if (curve[0])
464 return 1;
465 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
466 return 0;
467 cinfo = &nid_list[curve[1] - 1];
468 # ifdef OPENSSL_NO_EC2M
469 if (cinfo->flags & TLS_CURVE_CHAR2)
470 return 0;
471 # endif
472 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
473 }
474
475 /* Check a curve is one of our preferences */
476 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
477 {
478 const unsigned char *curves;
479 size_t num_curves, i;
480 unsigned int suiteb_flags = tls1_suiteb(s);
481 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
482 return 0;
483 /* Check curve matches Suite B preferences */
484 if (suiteb_flags) {
485 unsigned long cid = s->s3->tmp.new_cipher->id;
486 if (p[1])
487 return 0;
488 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
489 if (p[2] != TLSEXT_curve_P_256)
490 return 0;
491 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
492 if (p[2] != TLSEXT_curve_P_384)
493 return 0;
494 } else /* Should never happen */
495 return 0;
496 }
497 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
498 return 0;
499 for (i = 0; i < num_curves; i++, curves += 2) {
500 if (p[1] == curves[0] && p[2] == curves[1])
501 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
502 }
503 return 0;
504 }
505
506 /*-
507 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
508 * if there is no match.
509 * For nmatch == -1, return number of matches
510 * For nmatch == -2, return the NID of the curve to use for
511 * an EC tmp key, or NID_undef if there is no match.
512 */
513 int tls1_shared_curve(SSL *s, int nmatch)
514 {
515 const unsigned char *pref, *supp;
516 size_t num_pref, num_supp, i, j;
517 int k;
518 /* Can't do anything on client side */
519 if (s->server == 0)
520 return -1;
521 if (nmatch == -2) {
522 if (tls1_suiteb(s)) {
523 /*
524 * For Suite B ciphersuite determines curve: we already know
525 * these are acceptable due to previous checks.
526 */
527 unsigned long cid = s->s3->tmp.new_cipher->id;
528 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
529 return NID_X9_62_prime256v1; /* P-256 */
530 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
531 return NID_secp384r1; /* P-384 */
532 /* Should never happen */
533 return NID_undef;
534 }
535 /* If not Suite B just return first preference shared curve */
536 nmatch = 0;
537 }
538 /*
539 * Avoid truncation. tls1_get_curvelist takes an int
540 * but s->options is a long...
541 */
542 if (!tls1_get_curvelist
543 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
544 &num_supp))
545 /* In practice, NID_undef == 0 but let's be precise. */
546 return nmatch == -1 ? 0 : NID_undef;
547 if (!tls1_get_curvelist
548 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
549 &num_pref))
550 return nmatch == -1 ? 0 : NID_undef;
551
552 /*
553 * If the client didn't send the elliptic_curves extension all of them
554 * are allowed.
555 */
556 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
557 supp = eccurves_all;
558 num_supp = sizeof(eccurves_all) / 2;
559 } else if (num_pref == 0 &&
560 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
561 pref = eccurves_all;
562 num_pref = sizeof(eccurves_all) / 2;
563 }
564
565 k = 0;
566 for (i = 0; i < num_pref; i++, pref += 2) {
567 const unsigned char *tsupp = supp;
568 for (j = 0; j < num_supp; j++, tsupp += 2) {
569 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
570 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
571 continue;
572 if (nmatch == k) {
573 int id = (pref[0] << 8) | pref[1];
574 return tls1_ec_curve_id2nid(id);
575 }
576 k++;
577 }
578 }
579 }
580 if (nmatch == -1)
581 return k;
582 /* Out of range (nmatch > k). */
583 return NID_undef;
584 }
585
586 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
587 int *curves, size_t ncurves)
588 {
589 unsigned char *clist, *p;
590 size_t i;
591 /*
592 * Bitmap of curves included to detect duplicates: only works while curve
593 * ids < 32
594 */
595 unsigned long dup_list = 0;
596 clist = OPENSSL_malloc(ncurves * 2);
597 if (clist == NULL)
598 return 0;
599 for (i = 0, p = clist; i < ncurves; i++) {
600 unsigned long idmask;
601 int id;
602 id = tls1_ec_nid2curve_id(curves[i]);
603 idmask = 1L << id;
604 if (!id || (dup_list & idmask)) {
605 OPENSSL_free(clist);
606 return 0;
607 }
608 dup_list |= idmask;
609 s2n(id, p);
610 }
611 OPENSSL_free(*pext);
612 *pext = clist;
613 *pextlen = ncurves * 2;
614 return 1;
615 }
616
617 # define MAX_CURVELIST 28
618
619 typedef struct {
620 size_t nidcnt;
621 int nid_arr[MAX_CURVELIST];
622 } nid_cb_st;
623
624 static int nid_cb(const char *elem, int len, void *arg)
625 {
626 nid_cb_st *narg = arg;
627 size_t i;
628 int nid;
629 char etmp[20];
630 if (elem == NULL)
631 return 0;
632 if (narg->nidcnt == MAX_CURVELIST)
633 return 0;
634 if (len > (int)(sizeof(etmp) - 1))
635 return 0;
636 memcpy(etmp, elem, len);
637 etmp[len] = 0;
638 nid = EC_curve_nist2nid(etmp);
639 if (nid == NID_undef)
640 nid = OBJ_sn2nid(etmp);
641 if (nid == NID_undef)
642 nid = OBJ_ln2nid(etmp);
643 if (nid == NID_undef)
644 return 0;
645 for (i = 0; i < narg->nidcnt; i++)
646 if (narg->nid_arr[i] == nid)
647 return 0;
648 narg->nid_arr[narg->nidcnt++] = nid;
649 return 1;
650 }
651
652 /* Set curves based on a colon separate list */
653 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
654 const char *str)
655 {
656 nid_cb_st ncb;
657 ncb.nidcnt = 0;
658 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
659 return 0;
660 if (pext == NULL)
661 return 1;
662 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
663 }
664
665 /* For an EC key set TLS id and required compression based on parameters */
666 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
667 EC_KEY *ec)
668 {
669 int is_prime, id;
670 const EC_GROUP *grp;
671 const EC_METHOD *meth;
672 if (!ec)
673 return 0;
674 /* Determine if it is a prime field */
675 grp = EC_KEY_get0_group(ec);
676 if (!grp)
677 return 0;
678 meth = EC_GROUP_method_of(grp);
679 if (!meth)
680 return 0;
681 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
682 is_prime = 1;
683 else
684 is_prime = 0;
685 /* Determine curve ID */
686 id = EC_GROUP_get_curve_name(grp);
687 id = tls1_ec_nid2curve_id(id);
688 /* If we have an ID set it, otherwise set arbitrary explicit curve */
689 if (id) {
690 curve_id[0] = 0;
691 curve_id[1] = (unsigned char)id;
692 } else {
693 curve_id[0] = 0xff;
694 if (is_prime)
695 curve_id[1] = 0x01;
696 else
697 curve_id[1] = 0x02;
698 }
699 if (comp_id) {
700 if (EC_KEY_get0_public_key(ec) == NULL)
701 return 0;
702 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
703 if (is_prime)
704 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
705 else
706 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
707 } else
708 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
709 }
710 return 1;
711 }
712
713 /* Check an EC key is compatible with extensions */
714 static int tls1_check_ec_key(SSL *s,
715 unsigned char *curve_id, unsigned char *comp_id)
716 {
717 const unsigned char *pformats, *pcurves;
718 size_t num_formats, num_curves, i;
719 int j;
720 /*
721 * If point formats extension present check it, otherwise everything is
722 * supported (see RFC4492).
723 */
724 if (comp_id && s->session->tlsext_ecpointformatlist) {
725 pformats = s->session->tlsext_ecpointformatlist;
726 num_formats = s->session->tlsext_ecpointformatlist_length;
727 for (i = 0; i < num_formats; i++, pformats++) {
728 if (*comp_id == *pformats)
729 break;
730 }
731 if (i == num_formats)
732 return 0;
733 }
734 if (!curve_id)
735 return 1;
736 /* Check curve is consistent with client and server preferences */
737 for (j = 0; j <= 1; j++) {
738 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
739 return 0;
740 if (j == 1 && num_curves == 0) {
741 /*
742 * If we've not received any curves then skip this check.
743 * RFC 4492 does not require the supported elliptic curves extension
744 * so if it is not sent we can just choose any curve.
745 * It is invalid to send an empty list in the elliptic curves
746 * extension, so num_curves == 0 always means no extension.
747 */
748 break;
749 }
750 for (i = 0; i < num_curves; i++, pcurves += 2) {
751 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
752 break;
753 }
754 if (i == num_curves)
755 return 0;
756 /* For clients can only check sent curve list */
757 if (!s->server)
758 break;
759 }
760 return 1;
761 }
762
763 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
764 size_t *num_formats)
765 {
766 /*
767 * If we have a custom point format list use it otherwise use default
768 */
769 if (s->tlsext_ecpointformatlist) {
770 *pformats = s->tlsext_ecpointformatlist;
771 *num_formats = s->tlsext_ecpointformatlist_length;
772 } else {
773 *pformats = ecformats_default;
774 /* For Suite B we don't support char2 fields */
775 if (tls1_suiteb(s))
776 *num_formats = sizeof(ecformats_default) - 1;
777 else
778 *num_formats = sizeof(ecformats_default);
779 }
780 }
781
782 /*
783 * Check cert parameters compatible with extensions: currently just checks EC
784 * certificates have compatible curves and compression.
785 */
786 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
787 {
788 unsigned char comp_id, curve_id[2];
789 EVP_PKEY *pkey;
790 int rv;
791 pkey = X509_get0_pubkey(x);
792 if (!pkey)
793 return 0;
794 /* If not EC nothing to do */
795 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
796 return 1;
797 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
798 if (!rv)
799 return 0;
800 /*
801 * Can't check curve_id for client certs as we don't have a supported
802 * curves extension.
803 */
804 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
805 if (!rv)
806 return 0;
807 /*
808 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
809 * SHA384+P-384, adjust digest if necessary.
810 */
811 if (set_ee_md && tls1_suiteb(s)) {
812 int check_md;
813 size_t i;
814 CERT *c = s->cert;
815 if (curve_id[0])
816 return 0;
817 /* Check to see we have necessary signing algorithm */
818 if (curve_id[1] == TLSEXT_curve_P_256)
819 check_md = NID_ecdsa_with_SHA256;
820 else if (curve_id[1] == TLSEXT_curve_P_384)
821 check_md = NID_ecdsa_with_SHA384;
822 else
823 return 0; /* Should never happen */
824 for (i = 0; i < c->shared_sigalgslen; i++)
825 if (check_md == c->shared_sigalgs[i].signandhash_nid)
826 break;
827 if (i == c->shared_sigalgslen)
828 return 0;
829 if (set_ee_md == 2) {
830 if (check_md == NID_ecdsa_with_SHA256)
831 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
832 else
833 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
834 }
835 }
836 return rv;
837 }
838
839 # ifndef OPENSSL_NO_EC
840 /*
841 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
842 * @s: SSL connection
843 * @cid: Cipher ID we're considering using
844 *
845 * Checks that the kECDHE cipher suite we're considering using
846 * is compatible with the client extensions.
847 *
848 * Returns 0 when the cipher can't be used or 1 when it can.
849 */
850 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
851 {
852 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
853 /* Allow any curve: not just those peer supports */
854 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
855 return 1;
856 # endif
857 /*
858 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
859 * curves permitted.
860 */
861 if (tls1_suiteb(s)) {
862 unsigned char curve_id[2];
863 /* Curve to check determined by ciphersuite */
864 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
865 curve_id[1] = TLSEXT_curve_P_256;
866 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
867 curve_id[1] = TLSEXT_curve_P_384;
868 else
869 return 0;
870 curve_id[0] = 0;
871 /* Check this curve is acceptable */
872 if (!tls1_check_ec_key(s, curve_id, NULL))
873 return 0;
874 return 1;
875 }
876 /* Need a shared curve */
877 if (tls1_shared_curve(s, 0))
878 return 1;
879 return 0;
880 }
881 # endif /* OPENSSL_NO_EC */
882
883 #else
884
885 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
886 {
887 return 1;
888 }
889
890 #endif /* OPENSSL_NO_EC */
891
892 /*
893 * List of supported signature algorithms and hashes. Should make this
894 * customisable at some point, for now include everything we support.
895 */
896
897 #ifdef OPENSSL_NO_RSA
898 # define tlsext_sigalg_rsa(md) /* */
899 #else
900 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
901 #endif
902
903 #ifdef OPENSSL_NO_DSA
904 # define tlsext_sigalg_dsa(md) /* */
905 #else
906 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
907 #endif
908
909 #ifdef OPENSSL_NO_EC
910 # define tlsext_sigalg_ecdsa(md) /* */
911 #else
912 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
913 #endif
914
915 #define tlsext_sigalg(md) \
916 tlsext_sigalg_rsa(md) \
917 tlsext_sigalg_dsa(md) \
918 tlsext_sigalg_ecdsa(md)
919
920 static const unsigned char tls12_sigalgs[] = {
921 tlsext_sigalg(TLSEXT_hash_sha512)
922 tlsext_sigalg(TLSEXT_hash_sha384)
923 tlsext_sigalg(TLSEXT_hash_sha256)
924 tlsext_sigalg(TLSEXT_hash_sha224)
925 tlsext_sigalg(TLSEXT_hash_sha1)
926 #ifndef OPENSSL_NO_GOST
927 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
928 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
929 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
930 #endif
931 };
932
933 #ifndef OPENSSL_NO_EC
934 static const unsigned char suiteb_sigalgs[] = {
935 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
936 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
937 };
938 #endif
939 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
940 {
941 /*
942 * If Suite B mode use Suite B sigalgs only, ignore any other
943 * preferences.
944 */
945 #ifndef OPENSSL_NO_EC
946 switch (tls1_suiteb(s)) {
947 case SSL_CERT_FLAG_SUITEB_128_LOS:
948 *psigs = suiteb_sigalgs;
949 return sizeof(suiteb_sigalgs);
950
951 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
952 *psigs = suiteb_sigalgs;
953 return 2;
954
955 case SSL_CERT_FLAG_SUITEB_192_LOS:
956 *psigs = suiteb_sigalgs + 2;
957 return 2;
958 }
959 #endif
960 /* If server use client authentication sigalgs if not NULL */
961 if (s->server && s->cert->client_sigalgs) {
962 *psigs = s->cert->client_sigalgs;
963 return s->cert->client_sigalgslen;
964 } else if (s->cert->conf_sigalgs) {
965 *psigs = s->cert->conf_sigalgs;
966 return s->cert->conf_sigalgslen;
967 } else {
968 *psigs = tls12_sigalgs;
969 return sizeof(tls12_sigalgs);
970 }
971 }
972
973 /*
974 * Check signature algorithm is consistent with sent supported signature
975 * algorithms and if so return relevant digest.
976 */
977 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
978 const unsigned char *sig, EVP_PKEY *pkey)
979 {
980 const unsigned char *sent_sigs;
981 size_t sent_sigslen, i;
982 int sigalg = tls12_get_sigid(pkey);
983 /* Should never happen */
984 if (sigalg == -1)
985 return -1;
986 /* Check key type is consistent with signature */
987 if (sigalg != (int)sig[1]) {
988 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
989 return 0;
990 }
991 #ifndef OPENSSL_NO_EC
992 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
993 unsigned char curve_id[2], comp_id;
994 /* Check compression and curve matches extensions */
995 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
996 return 0;
997 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
998 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
999 return 0;
1000 }
1001 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1002 if (tls1_suiteb(s)) {
1003 if (curve_id[0])
1004 return 0;
1005 if (curve_id[1] == TLSEXT_curve_P_256) {
1006 if (sig[0] != TLSEXT_hash_sha256) {
1007 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1008 SSL_R_ILLEGAL_SUITEB_DIGEST);
1009 return 0;
1010 }
1011 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1012 if (sig[0] != TLSEXT_hash_sha384) {
1013 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1014 SSL_R_ILLEGAL_SUITEB_DIGEST);
1015 return 0;
1016 }
1017 } else
1018 return 0;
1019 }
1020 } else if (tls1_suiteb(s))
1021 return 0;
1022 #endif
1023
1024 /* Check signature matches a type we sent */
1025 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1026 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1027 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1028 break;
1029 }
1030 /* Allow fallback to SHA1 if not strict mode */
1031 if (i == sent_sigslen
1032 && (sig[0] != TLSEXT_hash_sha1
1033 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1034 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1035 return 0;
1036 }
1037 *pmd = tls12_get_hash(sig[0]);
1038 if (*pmd == NULL) {
1039 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1040 return 0;
1041 }
1042 /* Make sure security callback allows algorithm */
1043 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1044 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1045 (void *)sig)) {
1046 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1047 return 0;
1048 }
1049 /*
1050 * Store the digest used so applications can retrieve it if they wish.
1051 */
1052 s->s3->tmp.peer_md = *pmd;
1053 return 1;
1054 }
1055
1056 /*
1057 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1058 * supported or doesn't appear in supported signature algorithms. Unlike
1059 * ssl_cipher_get_disabled this applies to a specific session and not global
1060 * settings.
1061 */
1062 void ssl_set_client_disabled(SSL *s)
1063 {
1064 s->s3->tmp.mask_a = 0;
1065 s->s3->tmp.mask_k = 0;
1066 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1067 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1068 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
1069 else
1070 s->s3->tmp.mask_ssl = 0;
1071 /* Disable TLS 1.0 ciphers if using SSL v3 */
1072 if (s->client_version == SSL3_VERSION)
1073 s->s3->tmp.mask_ssl |= SSL_TLSV1;
1074 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1075 /*
1076 * Disable static DH if we don't include any appropriate signature
1077 * algorithms.
1078 */
1079 if (s->s3->tmp.mask_a & SSL_aRSA)
1080 s->s3->tmp.mask_k |= SSL_kECDHr;
1081 if (s->s3->tmp.mask_a & SSL_aECDSA)
1082 s->s3->tmp.mask_k |= SSL_kECDHe;
1083 # ifndef OPENSSL_NO_PSK
1084 /* with PSK there must be client callback set */
1085 if (!s->psk_client_callback) {
1086 s->s3->tmp.mask_a |= SSL_aPSK;
1087 s->s3->tmp.mask_k |= SSL_PSK;
1088 }
1089 #endif /* OPENSSL_NO_PSK */
1090 #ifndef OPENSSL_NO_SRP
1091 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1092 s->s3->tmp.mask_a |= SSL_aSRP;
1093 s->s3->tmp.mask_k |= SSL_kSRP;
1094 }
1095 #endif
1096 }
1097
1098 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1099 {
1100 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1101 || c->algorithm_mkey & s->s3->tmp.mask_k
1102 || c->algorithm_auth & s->s3->tmp.mask_a)
1103 return 1;
1104 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1105 }
1106
1107 static int tls_use_ticket(SSL *s)
1108 {
1109 if (s->options & SSL_OP_NO_TICKET)
1110 return 0;
1111 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1112 }
1113
1114 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1115 unsigned char *limit, int *al)
1116 {
1117 int extdatalen = 0;
1118 unsigned char *orig = buf;
1119 unsigned char *ret = buf;
1120 #ifndef OPENSSL_NO_EC
1121 /* See if we support any ECC ciphersuites */
1122 int using_ecc = 0;
1123 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1124 int i;
1125 unsigned long alg_k, alg_a;
1126 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1127
1128 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1129 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1130
1131 alg_k = c->algorithm_mkey;
1132 alg_a = c->algorithm_auth;
1133 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
1134 || (alg_a & SSL_aECDSA))) {
1135 using_ecc = 1;
1136 break;
1137 }
1138 }
1139 }
1140 #endif
1141
1142 ret += 2;
1143
1144 if (ret >= limit)
1145 return NULL; /* this really never occurs, but ... */
1146
1147 /* Add RI if renegotiating */
1148 if (s->renegotiate) {
1149 int el;
1150
1151 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1152 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1153 return NULL;
1154 }
1155
1156 if ((limit - ret - 4 - el) < 0)
1157 return NULL;
1158
1159 s2n(TLSEXT_TYPE_renegotiate, ret);
1160 s2n(el, ret);
1161
1162 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1163 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1164 return NULL;
1165 }
1166
1167 ret += el;
1168 }
1169 /* Only add RI for SSLv3 */
1170 if (s->client_version == SSL3_VERSION)
1171 goto done;
1172
1173 if (s->tlsext_hostname != NULL) {
1174 /* Add TLS extension servername to the Client Hello message */
1175 unsigned long size_str;
1176 long lenmax;
1177
1178 /*-
1179 * check for enough space.
1180 * 4 for the servername type and entension length
1181 * 2 for servernamelist length
1182 * 1 for the hostname type
1183 * 2 for hostname length
1184 * + hostname length
1185 */
1186
1187 if ((lenmax = limit - ret - 9) < 0
1188 || (size_str =
1189 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1190 return NULL;
1191
1192 /* extension type and length */
1193 s2n(TLSEXT_TYPE_server_name, ret);
1194 s2n(size_str + 5, ret);
1195
1196 /* length of servername list */
1197 s2n(size_str + 3, ret);
1198
1199 /* hostname type, length and hostname */
1200 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1201 s2n(size_str, ret);
1202 memcpy(ret, s->tlsext_hostname, size_str);
1203 ret += size_str;
1204 }
1205 #ifndef OPENSSL_NO_SRP
1206 /* Add SRP username if there is one */
1207 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1208 * Client Hello message */
1209
1210 int login_len = strlen(s->srp_ctx.login);
1211 if (login_len > 255 || login_len == 0) {
1212 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1213 return NULL;
1214 }
1215
1216 /*-
1217 * check for enough space.
1218 * 4 for the srp type type and entension length
1219 * 1 for the srp user identity
1220 * + srp user identity length
1221 */
1222 if ((limit - ret - 5 - login_len) < 0)
1223 return NULL;
1224
1225 /* fill in the extension */
1226 s2n(TLSEXT_TYPE_srp, ret);
1227 s2n(login_len + 1, ret);
1228 (*ret++) = (unsigned char)login_len;
1229 memcpy(ret, s->srp_ctx.login, login_len);
1230 ret += login_len;
1231 }
1232 #endif
1233
1234 #ifndef OPENSSL_NO_EC
1235 if (using_ecc) {
1236 /*
1237 * Add TLS extension ECPointFormats to the ClientHello message
1238 */
1239 long lenmax;
1240 const unsigned char *pcurves, *pformats;
1241 size_t num_curves, num_formats, curves_list_len;
1242 size_t i;
1243 unsigned char *etmp;
1244
1245 tls1_get_formatlist(s, &pformats, &num_formats);
1246
1247 if ((lenmax = limit - ret - 5) < 0)
1248 return NULL;
1249 if (num_formats > (size_t)lenmax)
1250 return NULL;
1251 if (num_formats > 255) {
1252 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1253 return NULL;
1254 }
1255
1256 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1257 /* The point format list has 1-byte length. */
1258 s2n(num_formats + 1, ret);
1259 *(ret++) = (unsigned char)num_formats;
1260 memcpy(ret, pformats, num_formats);
1261 ret += num_formats;
1262
1263 /*
1264 * Add TLS extension EllipticCurves to the ClientHello message
1265 */
1266 pcurves = s->tlsext_ellipticcurvelist;
1267 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1268 return NULL;
1269
1270 if ((lenmax = limit - ret - 6) < 0)
1271 return NULL;
1272 if (num_curves > (size_t)lenmax / 2)
1273 return NULL;
1274 if (num_curves > 65532 / 2) {
1275 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1276 return NULL;
1277 }
1278
1279 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1280 etmp = ret + 4;
1281 /* Copy curve ID if supported */
1282 for (i = 0; i < num_curves; i++, pcurves += 2) {
1283 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1284 *etmp++ = pcurves[0];
1285 *etmp++ = pcurves[1];
1286 }
1287 }
1288
1289 curves_list_len = etmp - ret - 4;
1290
1291 s2n(curves_list_len + 2, ret);
1292 s2n(curves_list_len, ret);
1293 ret += curves_list_len;
1294 }
1295 #endif /* OPENSSL_NO_EC */
1296
1297 if (tls_use_ticket(s)) {
1298 int ticklen;
1299 if (!s->new_session && s->session && s->session->tlsext_tick)
1300 ticklen = s->session->tlsext_ticklen;
1301 else if (s->session && s->tlsext_session_ticket &&
1302 s->tlsext_session_ticket->data) {
1303 ticklen = s->tlsext_session_ticket->length;
1304 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1305 if (s->session->tlsext_tick == NULL)
1306 return NULL;
1307 memcpy(s->session->tlsext_tick,
1308 s->tlsext_session_ticket->data, ticklen);
1309 s->session->tlsext_ticklen = ticklen;
1310 } else
1311 ticklen = 0;
1312 if (ticklen == 0 && s->tlsext_session_ticket &&
1313 s->tlsext_session_ticket->data == NULL)
1314 goto skip_ext;
1315 /*
1316 * Check for enough room 2 for extension type, 2 for len rest for
1317 * ticket
1318 */
1319 if ((long)(limit - ret - 4 - ticklen) < 0)
1320 return NULL;
1321 s2n(TLSEXT_TYPE_session_ticket, ret);
1322 s2n(ticklen, ret);
1323 if (ticklen) {
1324 memcpy(ret, s->session->tlsext_tick, ticklen);
1325 ret += ticklen;
1326 }
1327 }
1328 skip_ext:
1329
1330 if (SSL_USE_SIGALGS(s)) {
1331 size_t salglen;
1332 const unsigned char *salg;
1333 unsigned char *etmp;
1334 salglen = tls12_get_psigalgs(s, &salg);
1335 if ((size_t)(limit - ret) < salglen + 6)
1336 return NULL;
1337 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1338 etmp = ret;
1339 /* Skip over lengths for now */
1340 ret += 4;
1341 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1342 /* Fill in lengths */
1343 s2n(salglen + 2, etmp);
1344 s2n(salglen, etmp);
1345 ret += salglen;
1346 }
1347
1348 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1349 int i;
1350 long extlen, idlen, itmp;
1351 OCSP_RESPID *id;
1352
1353 idlen = 0;
1354 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1355 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1356 itmp = i2d_OCSP_RESPID(id, NULL);
1357 if (itmp <= 0)
1358 return NULL;
1359 idlen += itmp + 2;
1360 }
1361
1362 if (s->tlsext_ocsp_exts) {
1363 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1364 if (extlen < 0)
1365 return NULL;
1366 } else
1367 extlen = 0;
1368
1369 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1370 return NULL;
1371 s2n(TLSEXT_TYPE_status_request, ret);
1372 if (extlen + idlen > 0xFFF0)
1373 return NULL;
1374 s2n(extlen + idlen + 5, ret);
1375 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1376 s2n(idlen, ret);
1377 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1378 /* save position of id len */
1379 unsigned char *q = ret;
1380 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1381 /* skip over id len */
1382 ret += 2;
1383 itmp = i2d_OCSP_RESPID(id, &ret);
1384 /* write id len */
1385 s2n(itmp, q);
1386 }
1387 s2n(extlen, ret);
1388 if (extlen > 0)
1389 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1390 }
1391 #ifndef OPENSSL_NO_HEARTBEATS
1392 /* Add Heartbeat extension */
1393 if ((limit - ret - 4 - 1) < 0)
1394 return NULL;
1395 s2n(TLSEXT_TYPE_heartbeat, ret);
1396 s2n(1, ret);
1397 /*-
1398 * Set mode:
1399 * 1: peer may send requests
1400 * 2: peer not allowed to send requests
1401 */
1402 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1403 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1404 else
1405 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1406 #endif
1407
1408 #ifndef OPENSSL_NO_NEXTPROTONEG
1409 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1410 /*
1411 * The client advertises an emtpy extension to indicate its support
1412 * for Next Protocol Negotiation
1413 */
1414 if (limit - ret - 4 < 0)
1415 return NULL;
1416 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1417 s2n(0, ret);
1418 }
1419 #endif
1420
1421 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1422 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1423 return NULL;
1424 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1425 s2n(2 + s->alpn_client_proto_list_len, ret);
1426 s2n(s->alpn_client_proto_list_len, ret);
1427 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1428 ret += s->alpn_client_proto_list_len;
1429 }
1430 #ifndef OPENSSL_NO_SRTP
1431 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1432 int el;
1433
1434 /* Returns 0 on success!! */
1435 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1436 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1437 return NULL;
1438 }
1439
1440 if ((limit - ret - 4 - el) < 0)
1441 return NULL;
1442
1443 s2n(TLSEXT_TYPE_use_srtp, ret);
1444 s2n(el, ret);
1445
1446 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1447 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1448 return NULL;
1449 }
1450 ret += el;
1451 }
1452 #endif
1453 custom_ext_init(&s->cert->cli_ext);
1454 /* Add custom TLS Extensions to ClientHello */
1455 if (!custom_ext_add(s, 0, &ret, limit, al))
1456 return NULL;
1457 #ifdef TLSEXT_TYPE_encrypt_then_mac
1458 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1459 s2n(0, ret);
1460 #endif
1461 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1462 s2n(0, ret);
1463
1464 /*
1465 * Add padding to workaround bugs in F5 terminators. See
1466 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1467 * code works out the length of all existing extensions it MUST always
1468 * appear last.
1469 */
1470 if (s->options & SSL_OP_TLSEXT_PADDING) {
1471 int hlen = ret - (unsigned char *)s->init_buf->data;
1472
1473 if (hlen > 0xff && hlen < 0x200) {
1474 hlen = 0x200 - hlen;
1475 if (hlen >= 4)
1476 hlen -= 4;
1477 else
1478 hlen = 0;
1479
1480 s2n(TLSEXT_TYPE_padding, ret);
1481 s2n(hlen, ret);
1482 memset(ret, 0, hlen);
1483 ret += hlen;
1484 }
1485 }
1486
1487 done:
1488
1489 if ((extdatalen = ret - orig - 2) == 0)
1490 return orig;
1491
1492 s2n(extdatalen, orig);
1493 return ret;
1494 }
1495
1496 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1497 unsigned char *limit, int *al)
1498 {
1499 int extdatalen = 0;
1500 unsigned char *orig = buf;
1501 unsigned char *ret = buf;
1502 #ifndef OPENSSL_NO_NEXTPROTONEG
1503 int next_proto_neg_seen;
1504 #endif
1505 #ifndef OPENSSL_NO_EC
1506 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1507 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1508 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1509 || (alg_a & SSL_aECDSA);
1510 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1511 #endif
1512
1513 ret += 2;
1514 if (ret >= limit)
1515 return NULL; /* this really never occurs, but ... */
1516
1517 if (s->s3->send_connection_binding) {
1518 int el;
1519
1520 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1521 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1522 return NULL;
1523 }
1524
1525 if ((limit - ret - 4 - el) < 0)
1526 return NULL;
1527
1528 s2n(TLSEXT_TYPE_renegotiate, ret);
1529 s2n(el, ret);
1530
1531 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1532 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1533 return NULL;
1534 }
1535
1536 ret += el;
1537 }
1538
1539 /* Only add RI for SSLv3 */
1540 if (s->version == SSL3_VERSION)
1541 goto done;
1542
1543 if (!s->hit && s->servername_done == 1
1544 && s->session->tlsext_hostname != NULL) {
1545 if ((long)(limit - ret - 4) < 0)
1546 return NULL;
1547
1548 s2n(TLSEXT_TYPE_server_name, ret);
1549 s2n(0, ret);
1550 }
1551 #ifndef OPENSSL_NO_EC
1552 if (using_ecc) {
1553 const unsigned char *plist;
1554 size_t plistlen;
1555 /*
1556 * Add TLS extension ECPointFormats to the ServerHello message
1557 */
1558 long lenmax;
1559
1560 tls1_get_formatlist(s, &plist, &plistlen);
1561
1562 if ((lenmax = limit - ret - 5) < 0)
1563 return NULL;
1564 if (plistlen > (size_t)lenmax)
1565 return NULL;
1566 if (plistlen > 255) {
1567 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1568 return NULL;
1569 }
1570
1571 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1572 s2n(plistlen + 1, ret);
1573 *(ret++) = (unsigned char)plistlen;
1574 memcpy(ret, plist, plistlen);
1575 ret += plistlen;
1576
1577 }
1578 /*
1579 * Currently the server should not respond with a SupportedCurves
1580 * extension
1581 */
1582 #endif /* OPENSSL_NO_EC */
1583
1584 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1585 if ((long)(limit - ret - 4) < 0)
1586 return NULL;
1587 s2n(TLSEXT_TYPE_session_ticket, ret);
1588 s2n(0, ret);
1589 }
1590
1591 if (s->tlsext_status_expected) {
1592 if ((long)(limit - ret - 4) < 0)
1593 return NULL;
1594 s2n(TLSEXT_TYPE_status_request, ret);
1595 s2n(0, ret);
1596 }
1597
1598 #ifndef OPENSSL_NO_SRTP
1599 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1600 int el;
1601
1602 /* Returns 0 on success!! */
1603 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
1604 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1605 return NULL;
1606 }
1607 if ((limit - ret - 4 - el) < 0)
1608 return NULL;
1609
1610 s2n(TLSEXT_TYPE_use_srtp, ret);
1611 s2n(el, ret);
1612
1613 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1614 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1615 return NULL;
1616 }
1617 ret += el;
1618 }
1619 #endif
1620
1621 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1622 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1623 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1624 const unsigned char cryptopro_ext[36] = {
1625 0xfd, 0xe8, /* 65000 */
1626 0x00, 0x20, /* 32 bytes length */
1627 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1628 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1629 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1630 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1631 };
1632 if (limit - ret < 36)
1633 return NULL;
1634 memcpy(ret, cryptopro_ext, 36);
1635 ret += 36;
1636
1637 }
1638 #ifndef OPENSSL_NO_HEARTBEATS
1639 /* Add Heartbeat extension if we've received one */
1640 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1641 if ((limit - ret - 4 - 1) < 0)
1642 return NULL;
1643 s2n(TLSEXT_TYPE_heartbeat, ret);
1644 s2n(1, ret);
1645 /*-
1646 * Set mode:
1647 * 1: peer may send requests
1648 * 2: peer not allowed to send requests
1649 */
1650 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1651 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1652 else
1653 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1654
1655 }
1656 #endif
1657
1658 #ifndef OPENSSL_NO_NEXTPROTONEG
1659 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1660 s->s3->next_proto_neg_seen = 0;
1661 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1662 const unsigned char *npa;
1663 unsigned int npalen;
1664 int r;
1665
1666 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1667 s->
1668 ctx->next_protos_advertised_cb_arg);
1669 if (r == SSL_TLSEXT_ERR_OK) {
1670 if ((long)(limit - ret - 4 - npalen) < 0)
1671 return NULL;
1672 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1673 s2n(npalen, ret);
1674 memcpy(ret, npa, npalen);
1675 ret += npalen;
1676 s->s3->next_proto_neg_seen = 1;
1677 }
1678 }
1679 #endif
1680 if (!custom_ext_add(s, 1, &ret, limit, al))
1681 return NULL;
1682 #ifdef TLSEXT_TYPE_encrypt_then_mac
1683 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1684 /*
1685 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1686 * for other cases too.
1687 */
1688 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1689 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1690 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1691 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1692 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1693 else {
1694 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1695 s2n(0, ret);
1696 }
1697 }
1698 #endif
1699 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1700 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1701 s2n(0, ret);
1702 }
1703
1704 if (s->s3->alpn_selected) {
1705 const unsigned char *selected = s->s3->alpn_selected;
1706 unsigned len = s->s3->alpn_selected_len;
1707
1708 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1709 return NULL;
1710 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1711 s2n(3 + len, ret);
1712 s2n(1 + len, ret);
1713 *ret++ = len;
1714 memcpy(ret, selected, len);
1715 ret += len;
1716 }
1717
1718 done:
1719
1720 if ((extdatalen = ret - orig - 2) == 0)
1721 return orig;
1722
1723 s2n(extdatalen, orig);
1724 return ret;
1725 }
1726
1727 /*
1728 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1729 * ClientHello. data: the contents of the extension, not including the type
1730 * and length. data_len: the number of bytes in |data| al: a pointer to the
1731 * alert value to send in the event of a non-zero return. returns: 0 on
1732 * success.
1733 */
1734 static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1735 {
1736 unsigned int data_len;
1737 unsigned int proto_len;
1738 const unsigned char *selected;
1739 const unsigned char *data;
1740 unsigned char selected_len;
1741 int r;
1742
1743 if (s->ctx->alpn_select_cb == NULL)
1744 return 0;
1745
1746 /*
1747 * data should contain a uint16 length followed by a series of 8-bit,
1748 * length-prefixed strings.
1749 */
1750 if (!PACKET_get_net_2(pkt, &data_len)
1751 || PACKET_remaining(pkt) != data_len
1752 || !PACKET_peek_bytes(pkt, &data, data_len))
1753 goto parse_error;
1754
1755 do {
1756 if (!PACKET_get_1(pkt, &proto_len)
1757 || proto_len == 0
1758 || !PACKET_forward(pkt, proto_len))
1759 goto parse_error;
1760 } while (PACKET_remaining(pkt));
1761
1762 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1763 s->ctx->alpn_select_cb_arg);
1764 if (r == SSL_TLSEXT_ERR_OK) {
1765 OPENSSL_free(s->s3->alpn_selected);
1766 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1767 if (s->s3->alpn_selected == NULL) {
1768 *al = SSL_AD_INTERNAL_ERROR;
1769 return -1;
1770 }
1771 memcpy(s->s3->alpn_selected, selected, selected_len);
1772 s->s3->alpn_selected_len = selected_len;
1773 }
1774 return 0;
1775
1776 parse_error:
1777 *al = SSL_AD_DECODE_ERROR;
1778 return -1;
1779 }
1780
1781 #ifndef OPENSSL_NO_EC
1782 /*-
1783 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1784 * SecureTransport using the TLS extension block in |d|, of length |n|.
1785 * Safari, since 10.6, sends exactly these extensions, in this order:
1786 * SNI,
1787 * elliptic_curves
1788 * ec_point_formats
1789 *
1790 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1791 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1792 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1793 * 10.8..10.8.3 (which don't work).
1794 */
1795 static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1796 {
1797 unsigned int type, size;
1798 const unsigned char *eblock1, *eblock2;
1799 PACKET tmppkt;
1800
1801 static const unsigned char kSafariExtensionsBlock[] = {
1802 0x00, 0x0a, /* elliptic_curves extension */
1803 0x00, 0x08, /* 8 bytes */
1804 0x00, 0x06, /* 6 bytes of curve ids */
1805 0x00, 0x17, /* P-256 */
1806 0x00, 0x18, /* P-384 */
1807 0x00, 0x19, /* P-521 */
1808
1809 0x00, 0x0b, /* ec_point_formats */
1810 0x00, 0x02, /* 2 bytes */
1811 0x01, /* 1 point format */
1812 0x00, /* uncompressed */
1813 };
1814
1815 /* The following is only present in TLS 1.2 */
1816 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1817 0x00, 0x0d, /* signature_algorithms */
1818 0x00, 0x0c, /* 12 bytes */
1819 0x00, 0x0a, /* 10 bytes */
1820 0x05, 0x01, /* SHA-384/RSA */
1821 0x04, 0x01, /* SHA-256/RSA */
1822 0x02, 0x01, /* SHA-1/RSA */
1823 0x04, 0x03, /* SHA-256/ECDSA */
1824 0x02, 0x03, /* SHA-1/ECDSA */
1825 };
1826
1827 tmppkt = *pkt;
1828
1829 if (!PACKET_forward(&tmppkt, 2)
1830 || !PACKET_get_net_2(&tmppkt, &type)
1831 || !PACKET_get_net_2(&tmppkt, &size)
1832 || !PACKET_forward(&tmppkt, size))
1833 return;
1834
1835 if (type != TLSEXT_TYPE_server_name)
1836 return;
1837
1838 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1839 const size_t len1 = sizeof(kSafariExtensionsBlock);
1840 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1841
1842 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1843 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1844 || PACKET_remaining(&tmppkt))
1845 return;
1846 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
1847 return;
1848 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
1849 return;
1850 } else {
1851 const size_t len = sizeof(kSafariExtensionsBlock);
1852
1853 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1854 || PACKET_remaining(&tmppkt))
1855 return;
1856 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
1857 return;
1858 }
1859
1860 s->s3->is_probably_safari = 1;
1861 }
1862 #endif /* !OPENSSL_NO_EC */
1863
1864 static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1865 {
1866 unsigned int type;
1867 unsigned int size;
1868 unsigned int len;
1869 const unsigned char *data;
1870 int renegotiate_seen = 0;
1871
1872 s->servername_done = 0;
1873 s->tlsext_status_type = -1;
1874 #ifndef OPENSSL_NO_NEXTPROTONEG
1875 s->s3->next_proto_neg_seen = 0;
1876 #endif
1877
1878 OPENSSL_free(s->s3->alpn_selected);
1879 s->s3->alpn_selected = NULL;
1880 #ifndef OPENSSL_NO_HEARTBEATS
1881 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1883 #endif
1884
1885 #ifndef OPENSSL_NO_EC
1886 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1887 ssl_check_for_safari(s, pkt);
1888 # endif /* !OPENSSL_NO_EC */
1889
1890 /* Clear any signature algorithms extension received */
1891 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1892 s->s3->tmp.peer_sigalgs = NULL;
1893 #ifdef TLSEXT_TYPE_encrypt_then_mac
1894 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1895 #endif
1896
1897 #ifndef OPENSSL_NO_SRP
1898 OPENSSL_free(s->srp_ctx.login);
1899 s->srp_ctx.login = NULL;
1900 #endif
1901
1902 s->srtp_profile = NULL;
1903
1904 if (PACKET_remaining(pkt) == 0)
1905 goto ri_check;
1906
1907 if (!PACKET_get_net_2(pkt, &len))
1908 goto err;
1909
1910 if (PACKET_remaining(pkt) != len)
1911 goto err;
1912
1913 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1914 PACKET subpkt;
1915
1916 if (!PACKET_peek_bytes(pkt, &data, size))
1917 goto err;
1918
1919 if (s->tlsext_debug_cb)
1920 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1921
1922 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1923 goto err;
1924
1925 if (type == TLSEXT_TYPE_renegotiate) {
1926 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
1927 return 0;
1928 renegotiate_seen = 1;
1929 } else if (s->version == SSL3_VERSION) {
1930 }
1931 /*-
1932 * The servername extension is treated as follows:
1933 *
1934 * - Only the hostname type is supported with a maximum length of 255.
1935 * - The servername is rejected if too long or if it contains zeros,
1936 * in which case an fatal alert is generated.
1937 * - The servername field is maintained together with the session cache.
1938 * - When a session is resumed, the servername call back invoked in order
1939 * to allow the application to position itself to the right context.
1940 * - The servername is acknowledged if it is new for a session or when
1941 * it is identical to a previously used for the same session.
1942 * Applications can control the behaviour. They can at any time
1943 * set a 'desirable' servername for a new SSL object. This can be the
1944 * case for example with HTTPS when a Host: header field is received and
1945 * a renegotiation is requested. In this case, a possible servername
1946 * presented in the new client hello is only acknowledged if it matches
1947 * the value of the Host: field.
1948 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1949 * if they provide for changing an explicit servername context for the
1950 * session, i.e. when the session has been established with a servername
1951 * extension.
1952 * - On session reconnect, the servername extension may be absent.
1953 *
1954 */
1955
1956 else if (type == TLSEXT_TYPE_server_name) {
1957 const unsigned char *sdata;
1958 unsigned int servname_type;
1959 unsigned int dsize;
1960 PACKET ssubpkt;
1961
1962 if (!PACKET_get_net_2(&subpkt, &dsize)
1963 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
1964 goto err;
1965
1966 while (PACKET_remaining(&ssubpkt) > 3) {
1967 if (!PACKET_get_1(&ssubpkt, &servname_type)
1968 || !PACKET_get_net_2(&ssubpkt, &len)
1969 || PACKET_remaining(&ssubpkt) < len)
1970 goto err;
1971
1972 if (s->servername_done == 0)
1973 switch (servname_type) {
1974 case TLSEXT_NAMETYPE_host_name:
1975 if (!s->hit) {
1976 if (s->session->tlsext_hostname)
1977 goto err;
1978
1979 if (len > TLSEXT_MAXLEN_host_name) {
1980 *al = TLS1_AD_UNRECOGNIZED_NAME;
1981 return 0;
1982 }
1983 if ((s->session->tlsext_hostname =
1984 OPENSSL_malloc(len + 1)) == NULL) {
1985 *al = TLS1_AD_INTERNAL_ERROR;
1986 return 0;
1987 }
1988 if (!PACKET_copy_bytes(&ssubpkt,
1989 (unsigned char *)s->session
1990 ->tlsext_hostname,
1991 len)) {
1992 *al = SSL_AD_DECODE_ERROR;
1993 return 0;
1994 }
1995 s->session->tlsext_hostname[len] = '\0';
1996 if (strlen(s->session->tlsext_hostname) != len) {
1997 OPENSSL_free(s->session->tlsext_hostname);
1998 s->session->tlsext_hostname = NULL;
1999 *al = TLS1_AD_UNRECOGNIZED_NAME;
2000 return 0;
2001 }
2002 s->servername_done = 1;
2003
2004 } else {
2005 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2006 *al = SSL_AD_DECODE_ERROR;
2007 return 0;
2008 }
2009 s->servername_done = s->session->tlsext_hostname
2010 && strlen(s->session->tlsext_hostname) == len
2011 && strncmp(s->session->tlsext_hostname,
2012 (char *)sdata, len) == 0;
2013 }
2014
2015 break;
2016
2017 default:
2018 break;
2019 }
2020 }
2021 /* We shouldn't have any bytes left */
2022 if (PACKET_remaining(&ssubpkt) != 0)
2023 goto err;
2024
2025 }
2026 #ifndef OPENSSL_NO_SRP
2027 else if (type == TLSEXT_TYPE_srp) {
2028 if (!PACKET_get_1(&subpkt, &len)
2029 || s->srp_ctx.login != NULL)
2030 goto err;
2031
2032 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2033 return -1;
2034 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2035 len))
2036 goto err;
2037 s->srp_ctx.login[len] = '\0';
2038
2039 if (strlen(s->srp_ctx.login) != len
2040 || PACKET_remaining(&subpkt))
2041 goto err;
2042 }
2043 #endif
2044
2045 #ifndef OPENSSL_NO_EC
2046 else if (type == TLSEXT_TYPE_ec_point_formats) {
2047 unsigned int ecpointformatlist_length;
2048
2049 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2050 || ecpointformatlist_length == 0)
2051 goto err;
2052
2053 if (!s->hit) {
2054 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2055 s->session->tlsext_ecpointformatlist = NULL;
2056 s->session->tlsext_ecpointformatlist_length = 0;
2057 if ((s->session->tlsext_ecpointformatlist =
2058 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2059 *al = TLS1_AD_INTERNAL_ERROR;
2060 return 0;
2061 }
2062 s->session->tlsext_ecpointformatlist_length =
2063 ecpointformatlist_length;
2064 if (!PACKET_copy_bytes(&subpkt,
2065 s->session->tlsext_ecpointformatlist,
2066 ecpointformatlist_length))
2067 goto err;
2068 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2069 goto err;
2070 }
2071 /* We should have consumed all the bytes by now */
2072 if (PACKET_remaining(&subpkt)) {
2073 *al = TLS1_AD_DECODE_ERROR;
2074 return 0;
2075 }
2076 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2077 unsigned int ellipticcurvelist_length;
2078
2079 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2080 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2081 || ellipticcurvelist_length == 0
2082 || (ellipticcurvelist_length & 1) != 0)
2083 goto err;
2084
2085 if (!s->hit) {
2086 if (s->session->tlsext_ellipticcurvelist)
2087 goto err;
2088
2089 s->session->tlsext_ellipticcurvelist_length = 0;
2090 if ((s->session->tlsext_ellipticcurvelist =
2091 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2092 *al = TLS1_AD_INTERNAL_ERROR;
2093 return 0;
2094 }
2095 s->session->tlsext_ellipticcurvelist_length =
2096 ellipticcurvelist_length;
2097 if (!PACKET_copy_bytes(&subpkt,
2098 s->session->tlsext_ellipticcurvelist,
2099 ellipticcurvelist_length))
2100 goto err;
2101 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2102 goto err;
2103 }
2104 /* We should have consumed all the bytes by now */
2105 if (PACKET_remaining(&subpkt)) {
2106 goto err;
2107 }
2108 }
2109 #endif /* OPENSSL_NO_EC */
2110 else if (type == TLSEXT_TYPE_session_ticket) {
2111 if (!PACKET_forward(&subpkt, size)
2112 || (s->tls_session_ticket_ext_cb &&
2113 !s->tls_session_ticket_ext_cb(s, data, size,
2114 s->tls_session_ticket_ext_cb_arg))) {
2115 *al = TLS1_AD_INTERNAL_ERROR;
2116 return 0;
2117 }
2118 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2119 unsigned int dsize;
2120
2121 if (s->s3->tmp.peer_sigalgs
2122 || !PACKET_get_net_2(&subpkt, &dsize)
2123 || (dsize & 1) != 0
2124 || (dsize == 0)
2125 || !PACKET_get_bytes(&subpkt, &data, dsize)
2126 || PACKET_remaining(&subpkt) != 0
2127 || !tls1_save_sigalgs(s, data, dsize)) {
2128 goto err;
2129 }
2130 } else if (type == TLSEXT_TYPE_status_request) {
2131 PACKET ssubpkt;
2132
2133 if (!PACKET_get_1(&subpkt,
2134 (unsigned int *)&s->tlsext_status_type))
2135 goto err;
2136
2137 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2138 const unsigned char *sdata;
2139 unsigned int dsize;
2140 /* Read in responder_id_list */
2141 if (!PACKET_get_net_2(&subpkt, &dsize)
2142 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
2143 goto err;
2144
2145 while (PACKET_remaining(&ssubpkt)) {
2146 OCSP_RESPID *id;
2147 unsigned int idsize;
2148
2149 if (PACKET_remaining(&ssubpkt) < 4
2150 || !PACKET_get_net_2(&ssubpkt, &idsize)
2151 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
2152 goto err;
2153 }
2154 sdata = data;
2155 data += idsize;
2156 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2157 if (!id)
2158 goto err;
2159 if (data != sdata) {
2160 OCSP_RESPID_free(id);
2161 goto err;
2162 }
2163 if (!s->tlsext_ocsp_ids
2164 && !(s->tlsext_ocsp_ids =
2165 sk_OCSP_RESPID_new_null())) {
2166 OCSP_RESPID_free(id);
2167 *al = SSL_AD_INTERNAL_ERROR;
2168 return 0;
2169 }
2170 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2171 OCSP_RESPID_free(id);
2172 *al = SSL_AD_INTERNAL_ERROR;
2173 return 0;
2174 }
2175 }
2176
2177 /* Read in request_extensions */
2178 if (!PACKET_get_net_2(&subpkt, &dsize)
2179 || !PACKET_get_bytes(&subpkt, &data, dsize)
2180 || PACKET_remaining(&subpkt)) {
2181 goto err;
2182 }
2183 sdata = data;
2184 if (dsize > 0) {
2185 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2186 X509_EXTENSION_free);
2187 s->tlsext_ocsp_exts =
2188 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2189 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2190 goto err;
2191 }
2192 }
2193 /*
2194 * We don't know what to do with any other type * so ignore it.
2195 */
2196 else
2197 s->tlsext_status_type = -1;
2198 }
2199 #ifndef OPENSSL_NO_HEARTBEATS
2200 else if (type == TLSEXT_TYPE_heartbeat) {
2201 unsigned int hbtype;
2202
2203 if (!PACKET_get_1(&subpkt, &hbtype)
2204 || PACKET_remaining(&subpkt)) {
2205 *al = SSL_AD_DECODE_ERROR;
2206 return 0;
2207 }
2208 switch (hbtype) {
2209 case 0x01: /* Client allows us to send HB requests */
2210 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2211 break;
2212 case 0x02: /* Client doesn't accept HB requests */
2213 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2214 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2215 break;
2216 default:
2217 *al = SSL_AD_ILLEGAL_PARAMETER;
2218 return 0;
2219 }
2220 }
2221 #endif
2222 #ifndef OPENSSL_NO_NEXTPROTONEG
2223 else if (type == TLSEXT_TYPE_next_proto_neg &&
2224 s->s3->tmp.finish_md_len == 0 &&
2225 s->s3->alpn_selected == NULL) {
2226 /*-
2227 * We shouldn't accept this extension on a
2228 * renegotiation.
2229 *
2230 * s->new_session will be set on renegotiation, but we
2231 * probably shouldn't rely that it couldn't be set on
2232 * the initial renegotation too in certain cases (when
2233 * there's some other reason to disallow resuming an
2234 * earlier session -- the current code won't be doing
2235 * anything like that, but this might change).
2236 *
2237 * A valid sign that there's been a previous handshake
2238 * in this connection is if s->s3->tmp.finish_md_len >
2239 * 0. (We are talking about a check that will happen
2240 * in the Hello protocol round, well before a new
2241 * Finished message could have been computed.)
2242 */
2243 s->s3->next_proto_neg_seen = 1;
2244 }
2245 #endif
2246
2247 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2248 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2249 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
2250 return 0;
2251 #ifndef OPENSSL_NO_NEXTPROTONEG
2252 /* ALPN takes precedence over NPN. */
2253 s->s3->next_proto_neg_seen = 0;
2254 #endif
2255 }
2256
2257 /* session ticket processed earlier */
2258 #ifndef OPENSSL_NO_SRTP
2259 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2260 && type == TLSEXT_TYPE_use_srtp) {
2261 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
2262 return 0;
2263 }
2264 #endif
2265 #ifdef TLSEXT_TYPE_encrypt_then_mac
2266 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2267 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2268 #endif
2269 /*
2270 * Note: extended master secret extension handled in
2271 * tls_check_serverhello_tlsext_early()
2272 */
2273
2274 /*
2275 * If this ClientHello extension was unhandled and this is a
2276 * nonresumed connection, check whether the extension is a custom
2277 * TLS Extension (has a custom_srv_ext_record), and if so call the
2278 * callback and record the extension number so that an appropriate
2279 * ServerHello may be later returned.
2280 */
2281 else if (!s->hit) {
2282 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2283 return 0;
2284 }
2285 }
2286
2287 /* Spurious data on the end */
2288 if (PACKET_remaining(pkt) != 0)
2289 goto err;
2290
2291 ri_check:
2292
2293 /* Need RI if renegotiating */
2294
2295 if (!renegotiate_seen && s->renegotiate &&
2296 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2297 *al = SSL_AD_HANDSHAKE_FAILURE;
2298 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2299 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2300 return 0;
2301 }
2302
2303 return 1;
2304 err:
2305 *al = SSL_AD_DECODE_ERROR;
2306 return 0;
2307 }
2308
2309 int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2310 {
2311 int al = -1;
2312 custom_ext_init(&s->cert->srv_ext);
2313 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2314 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2315 return 0;
2316 }
2317
2318 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2319 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2320 return 0;
2321 }
2322 return 1;
2323 }
2324
2325 #ifndef OPENSSL_NO_NEXTPROTONEG
2326 /*
2327 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2328 * elements of zero length are allowed and the set of elements must exactly
2329 * fill the length of the block.
2330 */
2331 static char ssl_next_proto_validate(PACKET *pkt)
2332 {
2333 unsigned int len;
2334
2335 while (PACKET_remaining(pkt)) {
2336 if (!PACKET_get_1(pkt, &len)
2337 || !PACKET_forward(pkt, len))
2338 return 0;
2339 }
2340
2341 return 1;
2342 }
2343 #endif
2344
2345 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2346 {
2347 unsigned int length, type, size;
2348 int tlsext_servername = 0;
2349 int renegotiate_seen = 0;
2350
2351 #ifndef OPENSSL_NO_NEXTPROTONEG
2352 s->s3->next_proto_neg_seen = 0;
2353 #endif
2354 s->tlsext_ticket_expected = 0;
2355
2356 OPENSSL_free(s->s3->alpn_selected);
2357 s->s3->alpn_selected = NULL;
2358 #ifndef OPENSSL_NO_HEARTBEATS
2359 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2360 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2361 #endif
2362
2363 #ifdef TLSEXT_TYPE_encrypt_then_mac
2364 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2365 #endif
2366
2367 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2368
2369 if (!PACKET_get_net_2(pkt, &length))
2370 goto ri_check;
2371
2372 if (PACKET_remaining(pkt) != length) {
2373 *al = SSL_AD_DECODE_ERROR;
2374 return 0;
2375 }
2376
2377 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2378 const unsigned char *data;
2379 PACKET spkt;
2380
2381 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2382 || !PACKET_peek_bytes(&spkt, &data, size))
2383 goto ri_check;
2384
2385 if (s->tlsext_debug_cb)
2386 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2387
2388 if (type == TLSEXT_TYPE_renegotiate) {
2389 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2390 return 0;
2391 renegotiate_seen = 1;
2392 } else if (s->version == SSL3_VERSION) {
2393 } else if (type == TLSEXT_TYPE_server_name) {
2394 if (s->tlsext_hostname == NULL || size > 0) {
2395 *al = TLS1_AD_UNRECOGNIZED_NAME;
2396 return 0;
2397 }
2398 tlsext_servername = 1;
2399 }
2400 #ifndef OPENSSL_NO_EC
2401 else if (type == TLSEXT_TYPE_ec_point_formats) {
2402 unsigned int ecpointformatlist_length;
2403 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2404 || ecpointformatlist_length != size - 1) {
2405 *al = TLS1_AD_DECODE_ERROR;
2406 return 0;
2407 }
2408 if (!s->hit) {
2409 s->session->tlsext_ecpointformatlist_length = 0;
2410 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2411 if ((s->session->tlsext_ecpointformatlist =
2412 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2413 *al = TLS1_AD_INTERNAL_ERROR;
2414 return 0;
2415 }
2416 s->session->tlsext_ecpointformatlist_length =
2417 ecpointformatlist_length;
2418 if (!PACKET_copy_bytes(&spkt,
2419 s->session->tlsext_ecpointformatlist,
2420 ecpointformatlist_length)) {
2421 *al = TLS1_AD_DECODE_ERROR;
2422 return 0;
2423 }
2424
2425 }
2426 }
2427 #endif /* OPENSSL_NO_EC */
2428
2429 else if (type == TLSEXT_TYPE_session_ticket) {
2430 if (s->tls_session_ticket_ext_cb &&
2431 !s->tls_session_ticket_ext_cb(s, data, size,
2432 s->tls_session_ticket_ext_cb_arg))
2433 {
2434 *al = TLS1_AD_INTERNAL_ERROR;
2435 return 0;
2436 }
2437 if (!tls_use_ticket(s) || (size > 0)) {
2438 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2439 return 0;
2440 }
2441 s->tlsext_ticket_expected = 1;
2442 }
2443 else if (type == TLSEXT_TYPE_status_request) {
2444 /*
2445 * MUST be empty and only sent if we've requested a status
2446 * request message.
2447 */
2448 if ((s->tlsext_status_type == -1) || (size > 0)) {
2449 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2450 return 0;
2451 }
2452 /* Set flag to expect CertificateStatus message */
2453 s->tlsext_status_expected = 1;
2454 }
2455 #ifndef OPENSSL_NO_NEXTPROTONEG
2456 else if (type == TLSEXT_TYPE_next_proto_neg &&
2457 s->s3->tmp.finish_md_len == 0) {
2458 unsigned char *selected;
2459 unsigned char selected_len;
2460 /* We must have requested it. */
2461 if (s->ctx->next_proto_select_cb == NULL) {
2462 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2463 return 0;
2464 }
2465 /* The data must be valid */
2466 if (!ssl_next_proto_validate(&spkt)) {
2467 *al = TLS1_AD_DECODE_ERROR;
2468 return 0;
2469 }
2470 if (s->
2471 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2472 size,
2473 s->ctx->next_proto_select_cb_arg) !=
2474 SSL_TLSEXT_ERR_OK) {
2475 *al = TLS1_AD_INTERNAL_ERROR;
2476 return 0;
2477 }
2478 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2479 if (s->next_proto_negotiated == NULL) {
2480 *al = TLS1_AD_INTERNAL_ERROR;
2481 return 0;
2482 }
2483 memcpy(s->next_proto_negotiated, selected, selected_len);
2484 s->next_proto_negotiated_len = selected_len;
2485 s->s3->next_proto_neg_seen = 1;
2486 }
2487 #endif
2488
2489 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2490 unsigned len;
2491 /* We must have requested it. */
2492 if (s->alpn_client_proto_list == NULL) {
2493 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2494 return 0;
2495 }
2496 /*-
2497 * The extension data consists of:
2498 * uint16 list_length
2499 * uint8 proto_length;
2500 * uint8 proto[proto_length];
2501 */
2502 if (!PACKET_get_net_2(&spkt, &len)
2503 || PACKET_remaining(&spkt) != len
2504 || !PACKET_get_1(&spkt, &len)
2505 || PACKET_remaining(&spkt) != len) {
2506 *al = TLS1_AD_DECODE_ERROR;
2507 return 0;
2508 }
2509 OPENSSL_free(s->s3->alpn_selected);
2510 s->s3->alpn_selected = OPENSSL_malloc(len);
2511 if (s->s3->alpn_selected == NULL) {
2512 *al = TLS1_AD_INTERNAL_ERROR;
2513 return 0;
2514 }
2515 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2516 *al = TLS1_AD_DECODE_ERROR;
2517 return 0;
2518 }
2519 s->s3->alpn_selected_len = len;
2520 }
2521 #ifndef OPENSSL_NO_HEARTBEATS
2522 else if (type == TLSEXT_TYPE_heartbeat) {
2523 unsigned int hbtype;
2524 if (!PACKET_get_1(&spkt, &hbtype)) {
2525 *al = SSL_AD_DECODE_ERROR;
2526 return 0;
2527 }
2528 switch (hbtype) {
2529 case 0x01: /* Server allows us to send HB requests */
2530 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2531 break;
2532 case 0x02: /* Server doesn't accept HB requests */
2533 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2534 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2535 break;
2536 default:
2537 *al = SSL_AD_ILLEGAL_PARAMETER;
2538 return 0;
2539 }
2540 }
2541 #endif
2542 #ifndef OPENSSL_NO_SRTP
2543 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2544 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2545 return 0;
2546 }
2547 #endif
2548 #ifdef TLSEXT_TYPE_encrypt_then_mac
2549 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2550 /* Ignore if inappropriate ciphersuite */
2551 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2552 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2553 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2554 }
2555 #endif
2556 else if (type == TLSEXT_TYPE_extended_master_secret) {
2557 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2558 if (!s->hit)
2559 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2560 }
2561 /*
2562 * If this extension type was not otherwise handled, but matches a
2563 * custom_cli_ext_record, then send it to the c callback
2564 */
2565 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2566 return 0;
2567 }
2568
2569 if (PACKET_remaining(pkt) != 0) {
2570 *al = SSL_AD_DECODE_ERROR;
2571 return 0;
2572 }
2573
2574 if (!s->hit && tlsext_servername == 1) {
2575 if (s->tlsext_hostname) {
2576 if (s->session->tlsext_hostname == NULL) {
2577 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
2578 if (!s->session->tlsext_hostname) {
2579 *al = SSL_AD_UNRECOGNIZED_NAME;
2580 return 0;
2581 }
2582 } else {
2583 *al = SSL_AD_DECODE_ERROR;
2584 return 0;
2585 }
2586 }
2587 }
2588
2589 ri_check:
2590
2591 /*
2592 * Determine if we need to see RI. Strictly speaking if we want to avoid
2593 * an attack we should *always* see RI even on initial server hello
2594 * because the client doesn't see any renegotiation during an attack.
2595 * However this would mean we could not connect to any server which
2596 * doesn't support RI so for the immediate future tolerate RI absence on
2597 * initial connect only.
2598 */
2599 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2600 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2601 *al = SSL_AD_HANDSHAKE_FAILURE;
2602 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2603 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2604 return 0;
2605 }
2606
2607 if (s->hit) {
2608 /*
2609 * Check extended master secret extension is consistent with
2610 * original session.
2611 */
2612 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2613 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2614 *al = SSL_AD_HANDSHAKE_FAILURE;
2615 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2616 return 0;
2617 }
2618 }
2619
2620 return 1;
2621 }
2622
2623 int ssl_prepare_clienthello_tlsext(SSL *s)
2624 {
2625
2626 return 1;
2627 }
2628
2629 int ssl_prepare_serverhello_tlsext(SSL *s)
2630 {
2631 return 1;
2632 }
2633
2634 static int ssl_check_clienthello_tlsext_early(SSL *s)
2635 {
2636 int ret = SSL_TLSEXT_ERR_NOACK;
2637 int al = SSL_AD_UNRECOGNIZED_NAME;
2638
2639 #ifndef OPENSSL_NO_EC
2640 /*
2641 * The handling of the ECPointFormats extension is done elsewhere, namely
2642 * in ssl3_choose_cipher in s3_lib.c.
2643 */
2644 /*
2645 * The handling of the EllipticCurves extension is done elsewhere, namely
2646 * in ssl3_choose_cipher in s3_lib.c.
2647 */
2648 #endif
2649
2650 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2651 ret =
2652 s->ctx->tlsext_servername_callback(s, &al,
2653 s->ctx->tlsext_servername_arg);
2654 else if (s->initial_ctx != NULL
2655 && s->initial_ctx->tlsext_servername_callback != 0)
2656 ret =
2657 s->initial_ctx->tlsext_servername_callback(s, &al,
2658 s->
2659 initial_ctx->tlsext_servername_arg);
2660
2661 switch (ret) {
2662 case SSL_TLSEXT_ERR_ALERT_FATAL:
2663 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2664 return -1;
2665
2666 case SSL_TLSEXT_ERR_ALERT_WARNING:
2667 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2668 return 1;
2669
2670 case SSL_TLSEXT_ERR_NOACK:
2671 s->servername_done = 0;
2672 default:
2673 return 1;
2674 }
2675 }
2676 /* Initialise digests to default values */
2677 void ssl_set_default_md(SSL *s)
2678 {
2679 const EVP_MD **pmd = s->s3->tmp.md;
2680 #ifndef OPENSSL_NO_DSA
2681 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2682 #endif
2683 #ifndef OPENSSL_NO_RSA
2684 if (SSL_USE_SIGALGS(s))
2685 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2686 else
2687 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2688 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2689 #endif
2690 #ifndef OPENSSL_NO_EC
2691 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2692 #endif
2693 #ifndef OPENSSL_NO_GOST
2694 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2695 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2696 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2697 #endif
2698 }
2699
2700 int tls1_set_server_sigalgs(SSL *s)
2701 {
2702 int al;
2703 size_t i;
2704 /* Clear any shared sigtnature algorithms */
2705 OPENSSL_free(s->cert->shared_sigalgs);
2706 s->cert->shared_sigalgs = NULL;
2707 s->cert->shared_sigalgslen = 0;
2708 /* Clear certificate digests and validity flags */
2709 for (i = 0; i < SSL_PKEY_NUM; i++) {
2710 s->s3->tmp.md[i] = NULL;
2711 s->s3->tmp.valid_flags[i] = 0;
2712 }
2713
2714 /* If sigalgs received process it. */
2715 if (s->s3->tmp.peer_sigalgs) {
2716 if (!tls1_process_sigalgs(s)) {
2717 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2718 al = SSL_AD_INTERNAL_ERROR;
2719 goto err;
2720 }
2721 /* Fatal error is no shared signature algorithms */
2722 if (!s->cert->shared_sigalgs) {
2723 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2724 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2725 al = SSL_AD_ILLEGAL_PARAMETER;
2726 goto err;
2727 }
2728 } else {
2729 ssl_set_default_md(s);
2730 }
2731 return 1;
2732 err:
2733 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2734 return 0;
2735 }
2736
2737 int ssl_check_clienthello_tlsext_late(SSL *s)
2738 {
2739 int ret = SSL_TLSEXT_ERR_OK;
2740 int al = SSL_AD_INTERNAL_ERROR;
2741
2742 /*
2743 * If status request then ask callback what to do. Note: this must be
2744 * called after servername callbacks in case the certificate has changed,
2745 * and must be called after the cipher has been chosen because this may
2746 * influence which certificate is sent
2747 */
2748 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2749 int r;
2750 CERT_PKEY *certpkey;
2751 certpkey = ssl_get_server_send_pkey(s);
2752 /* If no certificate can't return certificate status */
2753 if (certpkey == NULL) {
2754 s->tlsext_status_expected = 0;
2755 return 1;
2756 }
2757 /*
2758 * Set current certificate to one we will use so SSL_get_certificate
2759 * et al can pick it up.
2760 */
2761 s->cert->key = certpkey;
2762 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2763 switch (r) {
2764 /* We don't want to send a status request response */
2765 case SSL_TLSEXT_ERR_NOACK:
2766 s->tlsext_status_expected = 0;
2767 break;
2768 /* status request response should be sent */
2769 case SSL_TLSEXT_ERR_OK:
2770 if (s->tlsext_ocsp_resp)
2771 s->tlsext_status_expected = 1;
2772 else
2773 s->tlsext_status_expected = 0;
2774 break;
2775 /* something bad happened */
2776 case SSL_TLSEXT_ERR_ALERT_FATAL:
2777 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2778 al = SSL_AD_INTERNAL_ERROR;
2779 goto err;
2780 }
2781 } else
2782 s->tlsext_status_expected = 0;
2783
2784 err:
2785 switch (ret) {
2786 case SSL_TLSEXT_ERR_ALERT_FATAL:
2787 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2788 return -1;
2789
2790 case SSL_TLSEXT_ERR_ALERT_WARNING:
2791 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2792 return 1;
2793
2794 default:
2795 return 1;
2796 }
2797 }
2798
2799 int ssl_check_serverhello_tlsext(SSL *s)
2800 {
2801 int ret = SSL_TLSEXT_ERR_NOACK;
2802 int al = SSL_AD_UNRECOGNIZED_NAME;
2803
2804 #ifndef OPENSSL_NO_EC
2805 /*
2806 * If we are client and using an elliptic curve cryptography cipher
2807 * suite, then if server returns an EC point formats lists extension it
2808 * must contain uncompressed.
2809 */
2810 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2811 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2812 if ((s->tlsext_ecpointformatlist != NULL)
2813 && (s->tlsext_ecpointformatlist_length > 0)
2814 && (s->session->tlsext_ecpointformatlist != NULL)
2815 && (s->session->tlsext_ecpointformatlist_length > 0)
2816 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2817 || (alg_a & SSL_aECDSA))) {
2818 /* we are using an ECC cipher */
2819 size_t i;
2820 unsigned char *list;
2821 int found_uncompressed = 0;
2822 list = s->session->tlsext_ecpointformatlist;
2823 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2824 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2825 found_uncompressed = 1;
2826 break;
2827 }
2828 }
2829 if (!found_uncompressed) {
2830 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2831 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2832 return -1;
2833 }
2834 }
2835 ret = SSL_TLSEXT_ERR_OK;
2836 #endif /* OPENSSL_NO_EC */
2837
2838 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2839 ret =
2840 s->ctx->tlsext_servername_callback(s, &al,
2841 s->ctx->tlsext_servername_arg);
2842 else if (s->initial_ctx != NULL
2843 && s->initial_ctx->tlsext_servername_callback != 0)
2844 ret =
2845 s->initial_ctx->tlsext_servername_callback(s, &al,
2846 s->
2847 initial_ctx->tlsext_servername_arg);
2848
2849 /*
2850 * Ensure we get sensible values passed to tlsext_status_cb in the event
2851 * that we don't receive a status message
2852 */
2853 OPENSSL_free(s->tlsext_ocsp_resp);
2854 s->tlsext_ocsp_resp = NULL;
2855 s->tlsext_ocsp_resplen = -1;
2856
2857 switch (ret) {
2858 case SSL_TLSEXT_ERR_ALERT_FATAL:
2859 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2860 return -1;
2861
2862 case SSL_TLSEXT_ERR_ALERT_WARNING:
2863 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2864 return 1;
2865
2866 case SSL_TLSEXT_ERR_NOACK:
2867 s->servername_done = 0;
2868 default:
2869 return 1;
2870 }
2871 }
2872
2873 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2874 {
2875 int al = -1;
2876 if (s->version < SSL3_VERSION)
2877 return 1;
2878 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2879 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2880 return 0;
2881 }
2882
2883 if (ssl_check_serverhello_tlsext(s) <= 0) {
2884 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2885 return 0;
2886 }
2887 return 1;
2888 }
2889
2890 /*-
2891 * Since the server cache lookup is done early on in the processing of the
2892 * ClientHello and other operations depend on the result some extensions
2893 * need to be handled at the same time.
2894 *
2895 * Two extensions are currently handled, session ticket and extended master
2896 * secret.
2897 *
2898 * session_id: ClientHello session ID.
2899 * ext: ClientHello extensions (including length prefix)
2900 * ret: (output) on return, if a ticket was decrypted, then this is set to
2901 * point to the resulting session.
2902 *
2903 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2904 * ciphersuite, in which case we have no use for session tickets and one will
2905 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2906 *
2907 * Returns:
2908 * -1: fatal error, either from parsing or decrypting the ticket.
2909 * 0: no ticket was found (or was ignored, based on settings).
2910 * 1: a zero length extension was found, indicating that the client supports
2911 * session tickets but doesn't currently have one to offer.
2912 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2913 * couldn't be decrypted because of a non-fatal error.
2914 * 3: a ticket was successfully decrypted and *ret was set.
2915 *
2916 * Side effects:
2917 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2918 * a new session ticket to the client because the client indicated support
2919 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2920 * a session ticket or we couldn't use the one it gave us, or if
2921 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2922 * Otherwise, s->tlsext_ticket_expected is set to 0.
2923 *
2924 * For extended master secret flag is set if the extension is present.
2925 *
2926 */
2927 int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2928 const PACKET *session_id,
2929 SSL_SESSION **ret)
2930 {
2931 unsigned int i;
2932 PACKET local_ext = *ext;
2933 int retv = -1;
2934
2935 int have_ticket = 0;
2936 int use_ticket = tls_use_ticket(s);
2937
2938 *ret = NULL;
2939 s->tlsext_ticket_expected = 0;
2940 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2941
2942 /*
2943 * If tickets disabled behave as if no ticket present to permit stateful
2944 * resumption.
2945 */
2946 if ((s->version <= SSL3_VERSION))
2947 return 0;
2948
2949 if (!PACKET_get_net_2(&local_ext, &i)) {
2950 retv = 0;
2951 goto end;
2952 }
2953 while (PACKET_remaining(&local_ext) >= 4) {
2954 unsigned int type, size;
2955
2956 if (!PACKET_get_net_2(&local_ext, &type)
2957 || !PACKET_get_net_2(&local_ext, &size)) {
2958 /* Shouldn't ever happen */
2959 retv = -1;
2960 goto end;
2961 }
2962 if (PACKET_remaining(&local_ext) < size) {
2963 retv = 0;
2964 goto end;
2965 }
2966 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
2967 int r;
2968 const unsigned char *etick;
2969
2970 /* Duplicate extension */
2971 if (have_ticket != 0) {
2972 retv = -1;
2973 goto end;
2974 }
2975 have_ticket = 1;
2976
2977 if (size == 0) {
2978 /*
2979 * The client will accept a ticket but doesn't currently have
2980 * one.
2981 */
2982 s->tlsext_ticket_expected = 1;
2983 retv = 1;
2984 continue;
2985 }
2986 if (s->tls_session_secret_cb) {
2987 /*
2988 * Indicate that the ticket couldn't be decrypted rather than
2989 * generating the session from ticket now, trigger
2990 * abbreviated handshake based on external mechanism to
2991 * calculate the master secret later.
2992 */
2993 retv = 2;
2994 continue;
2995 }
2996 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
2997 /* Shouldn't ever happen */
2998 retv = -1;
2999 goto end;
3000 }
3001 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3002 PACKET_remaining(session_id), ret);
3003 switch (r) {
3004 case 2: /* ticket couldn't be decrypted */
3005 s->tlsext_ticket_expected = 1;
3006 retv = 2;
3007 break;
3008 case 3: /* ticket was decrypted */
3009 retv = r;
3010 break;
3011 case 4: /* ticket decrypted but need to renew */
3012 s->tlsext_ticket_expected = 1;
3013 retv = 3;
3014 break;
3015 default: /* fatal error */
3016 retv = -1;
3017 break;
3018 }
3019 continue;
3020 } else {
3021 if (type == TLSEXT_TYPE_extended_master_secret)
3022 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
3023 if (!PACKET_forward(&local_ext, size)) {
3024 retv = -1;
3025 goto end;
3026 }
3027 }
3028 }
3029 if (have_ticket == 0)
3030 retv = 0;
3031 end:
3032 return retv;
3033 }
3034
3035 /*-
3036 * tls_decrypt_ticket attempts to decrypt a session ticket.
3037 *
3038 * etick: points to the body of the session ticket extension.
3039 * eticklen: the length of the session tickets extenion.
3040 * sess_id: points at the session ID.
3041 * sesslen: the length of the session ID.
3042 * psess: (output) on return, if a ticket was decrypted, then this is set to
3043 * point to the resulting session.
3044 *
3045 * Returns:
3046 * -2: fatal error, malloc failure.
3047 * -1: fatal error, either from parsing or decrypting the ticket.
3048 * 2: the ticket couldn't be decrypted.
3049 * 3: a ticket was successfully decrypted and *psess was set.
3050 * 4: same as 3, but the ticket needs to be renewed.
3051 */
3052 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3053 int eticklen, const unsigned char *sess_id,
3054 int sesslen, SSL_SESSION **psess)
3055 {
3056 SSL_SESSION *sess;
3057 unsigned char *sdec;
3058 const unsigned char *p;
3059 int slen, mlen, renew_ticket = 0;
3060 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3061 HMAC_CTX *hctx = NULL;
3062 EVP_CIPHER_CTX *ctx;
3063 SSL_CTX *tctx = s->initial_ctx;
3064 /* Need at least keyname + iv + some encrypted data */
3065 if (eticklen < 48)
3066 return 2;
3067 /* Initialize session ticket encryption and HMAC contexts */
3068 hctx = HMAC_CTX_new();
3069 if (hctx == NULL)
3070 return -2;
3071 ctx = EVP_CIPHER_CTX_new();
3072 if (tctx->tlsext_ticket_key_cb) {
3073 unsigned char *nctick = (unsigned char *)etick;
3074 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3075 ctx, hctx, 0);
3076 if (rv < 0)
3077 return -1;
3078 if (rv == 0)
3079 return 2;
3080 if (rv == 2)
3081 renew_ticket = 1;
3082 } else {
3083 /* Check key name matches */
3084 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3085 return 2;
3086 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
3087 EVP_sha256(), NULL) <= 0
3088 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
3089 tctx->tlsext_tick_aes_key,
3090 etick + 16) <= 0) {
3091 goto err;
3092 }
3093 }
3094 /*
3095 * Attempt to process session ticket, first conduct sanity and integrity
3096 * checks on ticket.
3097 */
3098 mlen = HMAC_size(hctx);
3099 if (mlen < 0) {
3100 goto err;
3101 }
3102 eticklen -= mlen;
3103 /* Check HMAC of encrypted ticket */
3104 if (HMAC_Update(hctx, etick, eticklen) <= 0
3105 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3106 goto err;
3107 }
3108 HMAC_CTX_free(hctx);
3109 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3110 EVP_CIPHER_CTX_free(ctx);
3111 return 2;
3112 }
3113 /* Attempt to decrypt session data */
3114 /* Move p after IV to start of encrypted ticket, update length */
3115 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3116 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
3117 sdec = OPENSSL_malloc(eticklen);
3118 if (sdec == NULL
3119 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3120 EVP_CIPHER_CTX_free(ctx);
3121 return -1;
3122 }
3123 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3124 EVP_CIPHER_CTX_free(ctx);
3125 OPENSSL_free(sdec);
3126 return 2;
3127 }
3128 slen += mlen;
3129 EVP_CIPHER_CTX_free(ctx);
3130 ctx = NULL;
3131 p = sdec;
3132
3133 sess = d2i_SSL_SESSION(NULL, &p, slen);
3134 OPENSSL_free(sdec);
3135 if (sess) {
3136 /*
3137 * The session ID, if non-empty, is used by some clients to detect
3138 * that the ticket has been accepted. So we copy it to the session
3139 * structure. If it is empty set length to zero as required by
3140 * standard.
3141 */
3142 if (sesslen)
3143 memcpy(sess->session_id, sess_id, sesslen);
3144 sess->session_id_length = sesslen;
3145 *psess = sess;
3146 if (renew_ticket)
3147 return 4;
3148 else
3149 return 3;
3150 }
3151 ERR_clear_error();
3152 /*
3153 * For session parse failure, indicate that we need to send a new ticket.
3154 */
3155 return 2;
3156 err:
3157 EVP_CIPHER_CTX_free(ctx);
3158 HMAC_CTX_free(hctx);
3159 return -1;
3160 }
3161
3162 /* Tables to translate from NIDs to TLS v1.2 ids */
3163
3164 typedef struct {
3165 int nid;
3166 int id;
3167 } tls12_lookup;
3168
3169 static const tls12_lookup tls12_md[] = {
3170 {NID_md5, TLSEXT_hash_md5},
3171 {NID_sha1, TLSEXT_hash_sha1},
3172 {NID_sha224, TLSEXT_hash_sha224},
3173 {NID_sha256, TLSEXT_hash_sha256},
3174 {NID_sha384, TLSEXT_hash_sha384},
3175 {NID_sha512, TLSEXT_hash_sha512},
3176 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3177 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3178 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3179 };
3180
3181 static const tls12_lookup tls12_sig[] = {
3182 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3183 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3184 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3185 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3186 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3187 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3188 };
3189
3190 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3191 {
3192 size_t i;
3193 for (i = 0; i < tlen; i++) {
3194 if (table[i].nid == nid)
3195 return table[i].id;
3196 }
3197 return -1;
3198 }
3199
3200 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3201 {
3202 size_t i;
3203 for (i = 0; i < tlen; i++) {
3204 if ((table[i].id) == id)
3205 return table[i].nid;
3206 }
3207 return NID_undef;
3208 }
3209
3210 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3211 const EVP_MD *md)
3212 {
3213 int sig_id, md_id;
3214 if (!md)
3215 return 0;
3216 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3217 if (md_id == -1)
3218 return 0;
3219 sig_id = tls12_get_sigid(pk);
3220 if (sig_id == -1)
3221 return 0;
3222 p[0] = (unsigned char)md_id;
3223 p[1] = (unsigned char)sig_id;
3224 return 1;
3225 }
3226
3227 int tls12_get_sigid(const EVP_PKEY *pk)
3228 {
3229 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3230 }
3231
3232 typedef struct {
3233 int nid;
3234 int secbits;
3235 int md_idx;
3236 unsigned char tlsext_hash;
3237 } tls12_hash_info;
3238
3239 static const tls12_hash_info tls12_md_info[] = {
3240 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3241 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3242 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3243 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3244 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3245 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3246 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3247 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3248 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
3249 };
3250
3251 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3252 {
3253 unsigned int i;
3254 if (hash_alg == 0)
3255 return NULL;
3256
3257 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3258 {
3259 if (tls12_md_info[i].tlsext_hash == hash_alg)
3260 return tls12_md_info + i;
3261 }
3262
3263 return NULL;
3264 }
3265
3266 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3267 {
3268 const tls12_hash_info *inf;
3269 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3270 return NULL;
3271 inf = tls12_get_hash_info(hash_alg);
3272 if (!inf)
3273 return NULL;
3274 return ssl_md(inf->md_idx);
3275 }
3276
3277 static int tls12_get_pkey_idx(unsigned char sig_alg)
3278 {
3279 switch (sig_alg) {
3280 #ifndef OPENSSL_NO_RSA
3281 case TLSEXT_signature_rsa:
3282 return SSL_PKEY_RSA_SIGN;
3283 #endif
3284 #ifndef OPENSSL_NO_DSA
3285 case TLSEXT_signature_dsa:
3286 return SSL_PKEY_DSA_SIGN;
3287 #endif
3288 #ifndef OPENSSL_NO_EC
3289 case TLSEXT_signature_ecdsa:
3290 return SSL_PKEY_ECC;
3291 #endif
3292 # ifndef OPENSSL_NO_GOST
3293 case TLSEXT_signature_gostr34102001:
3294 return SSL_PKEY_GOST01;
3295
3296 case TLSEXT_signature_gostr34102012_256:
3297 return SSL_PKEY_GOST12_256;
3298
3299 case TLSEXT_signature_gostr34102012_512:
3300 return SSL_PKEY_GOST12_512;
3301 # endif
3302 }
3303 return -1;
3304 }
3305
3306 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3307 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3308 int *psignhash_nid, const unsigned char *data)
3309 {
3310 int sign_nid = NID_undef, hash_nid = NID_undef;
3311 if (!phash_nid && !psign_nid && !psignhash_nid)
3312 return;
3313 if (phash_nid || psignhash_nid) {
3314 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3315 if (phash_nid)
3316 *phash_nid = hash_nid;
3317 }
3318 if (psign_nid || psignhash_nid) {
3319 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3320 if (psign_nid)
3321 *psign_nid = sign_nid;
3322 }
3323 if (psignhash_nid) {
3324 if (sign_nid == NID_undef || hash_nid == NID_undef
3325 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3326 sign_nid) <= 0)
3327 *psignhash_nid = NID_undef;
3328 }
3329 }
3330
3331 /* Check to see if a signature algorithm is allowed */
3332 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3333 {
3334 /* See if we have an entry in the hash table and it is enabled */
3335 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3336 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3337 return 0;
3338 /* See if public key algorithm allowed */
3339 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3340 return 0;
3341 /* Finally see if security callback allows it */
3342 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3343 }
3344
3345 /*
3346 * Get a mask of disabled public key algorithms based on supported signature
3347 * algorithms. For example if no signature algorithm supports RSA then RSA is
3348 * disabled.
3349 */
3350
3351 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3352 {
3353 const unsigned char *sigalgs;
3354 size_t i, sigalgslen;
3355 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3356 /*
3357 * Now go through all signature algorithms seeing if we support any for
3358 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3359 * down calls to security callback only check if we have to.
3360 */
3361 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3362 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3363 switch (sigalgs[1]) {
3364 #ifndef OPENSSL_NO_RSA
3365 case TLSEXT_signature_rsa:
3366 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3367 have_rsa = 1;
3368 break;
3369 #endif
3370 #ifndef OPENSSL_NO_DSA
3371 case TLSEXT_signature_dsa:
3372 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3373 have_dsa = 1;
3374 break;
3375 #endif
3376 #ifndef OPENSSL_NO_EC
3377 case TLSEXT_signature_ecdsa:
3378 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3379 have_ecdsa = 1;
3380 break;
3381 #endif
3382 }
3383 }
3384 if (!have_rsa)
3385 *pmask_a |= SSL_aRSA;
3386 if (!have_dsa)
3387 *pmask_a |= SSL_aDSS;
3388 if (!have_ecdsa)
3389 *pmask_a |= SSL_aECDSA;
3390 }
3391
3392 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3393 const unsigned char *psig, size_t psiglen)
3394 {
3395 unsigned char *tmpout = out;
3396 size_t i;
3397 for (i = 0; i < psiglen; i += 2, psig += 2) {
3398 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3399 *tmpout++ = psig[0];
3400 *tmpout++ = psig[1];
3401 }
3402 }
3403 return tmpout - out;
3404 }
3405
3406 /* Given preference and allowed sigalgs set shared sigalgs */
3407 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3408 const unsigned char *pref, size_t preflen,
3409 const unsigned char *allow, size_t allowlen)
3410 {
3411 const unsigned char *ptmp, *atmp;
3412 size_t i, j, nmatch = 0;
3413 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3414 /* Skip disabled hashes or signature algorithms */
3415 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3416 continue;
3417 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3418 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3419 nmatch++;
3420 if (shsig) {
3421 shsig->rhash = ptmp[0];
3422 shsig->rsign = ptmp[1];
3423 tls1_lookup_sigalg(&shsig->hash_nid,
3424 &shsig->sign_nid,
3425 &shsig->signandhash_nid, ptmp);
3426 shsig++;
3427 }
3428 break;
3429 }
3430 }
3431 }
3432 return nmatch;
3433 }
3434
3435 /* Set shared signature algorithms for SSL structures */
3436 static int tls1_set_shared_sigalgs(SSL *s)
3437 {
3438 const unsigned char *pref, *allow, *conf;
3439 size_t preflen, allowlen, conflen;
3440 size_t nmatch;
3441 TLS_SIGALGS *salgs = NULL;
3442 CERT *c = s->cert;
3443 unsigned int is_suiteb = tls1_suiteb(s);
3444
3445 OPENSSL_free(c->shared_sigalgs);
3446 c->shared_sigalgs = NULL;
3447 c->shared_sigalgslen = 0;
3448 /* If client use client signature algorithms if not NULL */
3449 if (!s->server && c->client_sigalgs && !is_suiteb) {
3450 conf = c->client_sigalgs;
3451 conflen = c->client_sigalgslen;
3452 } else if (c->conf_sigalgs && !is_suiteb) {
3453 conf = c->conf_sigalgs;
3454 conflen = c->conf_sigalgslen;
3455 } else
3456 conflen = tls12_get_psigalgs(s, &conf);
3457 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3458 pref = conf;
3459 preflen = conflen;
3460 allow = s->s3->tmp.peer_sigalgs;
3461 allowlen = s->s3->tmp.peer_sigalgslen;
3462 } else {
3463 allow = conf;
3464 allowlen = conflen;
3465 pref = s->s3->tmp.peer_sigalgs;
3466 preflen = s->s3->tmp.peer_sigalgslen;
3467 }
3468 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3469 if (nmatch) {
3470 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3471 if (salgs == NULL)
3472 return 0;
3473 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3474 } else {
3475 salgs = NULL;
3476 }
3477 c->shared_sigalgs = salgs;
3478 c->shared_sigalgslen = nmatch;
3479 return 1;
3480 }
3481
3482 /* Set preferred digest for each key type */
3483
3484 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3485 {
3486 CERT *c = s->cert;
3487 /* Extension ignored for inappropriate versions */
3488 if (!SSL_USE_SIGALGS(s))
3489 return 1;
3490 /* Should never happen */
3491 if (!c)
3492 return 0;
3493
3494 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3495 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3496 if (s->s3->tmp.peer_sigalgs == NULL)
3497 return 0;
3498 s->s3->tmp.peer_sigalgslen = dsize;
3499 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3500 return 1;
3501 }
3502
3503 int tls1_process_sigalgs(SSL *s)
3504 {
3505 int idx;
3506 size_t i;
3507 const EVP_MD *md;
3508 const EVP_MD **pmd = s->s3->tmp.md;
3509 uint32_t *pvalid = s->s3->tmp.valid_flags;
3510 CERT *c = s->cert;
3511 TLS_SIGALGS *sigptr;
3512 if (!tls1_set_shared_sigalgs(s))
3513 return 0;
3514
3515 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3516 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3517 /*
3518 * Use first set signature preference to force message digest,
3519 * ignoring any peer preferences.
3520 */
3521 const unsigned char *sigs = NULL;
3522 if (s->server)
3523 sigs = c->conf_sigalgs;
3524 else
3525 sigs = c->client_sigalgs;
3526 if (sigs) {
3527 idx = tls12_get_pkey_idx(sigs[1]);
3528 md = tls12_get_hash(sigs[0]);
3529 pmd[idx] = md;
3530 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3531 if (idx == SSL_PKEY_RSA_SIGN) {
3532 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3533 pmd[SSL_PKEY_RSA_ENC] = md;
3534 }
3535 }
3536 }
3537 #endif
3538
3539 for (i = 0, sigptr = c->shared_sigalgs;
3540 i < c->shared_sigalgslen; i++, sigptr++) {
3541 idx = tls12_get_pkey_idx(sigptr->rsign);
3542 if (idx > 0 && pmd[idx] == NULL) {
3543 md = tls12_get_hash(sigptr->rhash);
3544 pmd[idx] = md;
3545 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3546 if (idx == SSL_PKEY_RSA_SIGN) {
3547 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3548 pmd[SSL_PKEY_RSA_ENC] = md;
3549 }
3550 }
3551
3552 }
3553 /*
3554 * In strict mode leave unset digests as NULL to indicate we can't use
3555 * the certificate for signing.
3556 */
3557 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3558 /*
3559 * Set any remaining keys to default values. NOTE: if alg is not
3560 * supported it stays as NULL.
3561 */
3562 #ifndef OPENSSL_NO_DSA
3563 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3564 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3565 #endif
3566 #ifndef OPENSSL_NO_RSA
3567 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3568 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3569 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3570 }
3571 #endif
3572 #ifndef OPENSSL_NO_EC
3573 if (pmd[SSL_PKEY_ECC] == NULL)
3574 pmd[SSL_PKEY_ECC] = EVP_sha1();
3575 #endif
3576 # ifndef OPENSSL_NO_GOST
3577 if (pmd[SSL_PKEY_GOST01] == NULL)
3578 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3579 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3580 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3581 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3582 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3583 # endif
3584 }
3585 return 1;
3586 }
3587
3588 int SSL_get_sigalgs(SSL *s, int idx,
3589 int *psign, int *phash, int *psignhash,
3590 unsigned char *rsig, unsigned char *rhash)
3591 {
3592 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3593 if (psig == NULL)
3594 return 0;
3595 if (idx >= 0) {
3596 idx <<= 1;
3597 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3598 return 0;
3599 psig += idx;
3600 if (rhash)
3601 *rhash = psig[0];
3602 if (rsig)
3603 *rsig = psig[1];
3604 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3605 }
3606 return s->s3->tmp.peer_sigalgslen / 2;
3607 }
3608
3609 int SSL_get_shared_sigalgs(SSL *s, int idx,
3610 int *psign, int *phash, int *psignhash,
3611 unsigned char *rsig, unsigned char *rhash)
3612 {
3613 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3614 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3615 return 0;
3616 shsigalgs += idx;
3617 if (phash)
3618 *phash = shsigalgs->hash_nid;
3619 if (psign)
3620 *psign = shsigalgs->sign_nid;
3621 if (psignhash)
3622 *psignhash = shsigalgs->signandhash_nid;
3623 if (rsig)
3624 *rsig = shsigalgs->rsign;
3625 if (rhash)
3626 *rhash = shsigalgs->rhash;
3627 return s->cert->shared_sigalgslen;
3628 }
3629
3630 #ifndef OPENSSL_NO_HEARTBEATS
3631 int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
3632 {
3633 unsigned char *pl;
3634 unsigned short hbtype;
3635 unsigned int payload;
3636 unsigned int padding = 16; /* Use minimum padding */
3637
3638 if (s->msg_callback)
3639 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3640 p, length,
3641 s, s->msg_callback_arg);
3642
3643 /* Read type and payload length first */
3644 if (1 + 2 + 16 > length)
3645 return 0; /* silently discard */
3646 hbtype = *p++;
3647 n2s(p, payload);
3648 if (1 + 2 + payload + 16 > length)
3649 return 0; /* silently discard per RFC 6520 sec. 4 */
3650 pl = p;
3651
3652 if (hbtype == TLS1_HB_REQUEST) {
3653 unsigned char *buffer, *bp;
3654 int r;
3655
3656 /*
3657 * Allocate memory for the response, size is 1 bytes message type,
3658 * plus 2 bytes payload length, plus payload, plus padding
3659 */
3660 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3661 if (buffer == NULL) {
3662 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3663 return -1;
3664 }
3665 bp = buffer;
3666
3667 /* Enter response type, length and copy payload */
3668 *bp++ = TLS1_HB_RESPONSE;
3669 s2n(payload, bp);
3670 memcpy(bp, pl, payload);
3671 bp += payload;
3672 /* Random padding */
3673 if (RAND_bytes(bp, padding) <= 0) {
3674 OPENSSL_free(buffer);
3675 return -1;
3676 }
3677
3678 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3679 3 + payload + padding);
3680
3681 if (r >= 0 && s->msg_callback)
3682 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3683 buffer, 3 + payload + padding,
3684 s, s->msg_callback_arg);
3685
3686 OPENSSL_free(buffer);
3687
3688 if (r < 0)
3689 return r;
3690 } else if (hbtype == TLS1_HB_RESPONSE) {
3691 unsigned int seq;
3692
3693 /*
3694 * We only send sequence numbers (2 bytes unsigned int), and 16
3695 * random bytes, so we just try to read the sequence number
3696 */
3697 n2s(pl, seq);
3698
3699 if (payload == 18 && seq == s->tlsext_hb_seq) {
3700 s->tlsext_hb_seq++;
3701 s->tlsext_hb_pending = 0;
3702 }
3703 }
3704
3705 return 0;
3706 }
3707
3708 int tls1_heartbeat(SSL *s)
3709 {
3710 unsigned char *buf, *p;
3711 int ret = -1;
3712 unsigned int payload = 18; /* Sequence number + random bytes */
3713 unsigned int padding = 16; /* Use minimum padding */
3714
3715 /* Only send if peer supports and accepts HB requests... */
3716 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3717 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3718 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3719 return -1;
3720 }
3721
3722 /* ...and there is none in flight yet... */
3723 if (s->tlsext_hb_pending) {
3724 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3725 return -1;
3726 }
3727
3728 /* ...and no handshake in progress. */
3729 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
3730 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3731 return -1;
3732 }
3733
3734 /*-
3735 * Create HeartBeat message, we just use a sequence number
3736 * as payload to distuingish different messages and add
3737 * some random stuff.
3738 * - Message Type, 1 byte
3739 * - Payload Length, 2 bytes (unsigned int)
3740 * - Payload, the sequence number (2 bytes uint)
3741 * - Payload, random bytes (16 bytes uint)
3742 * - Padding
3743 */
3744 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3745 if (buf == NULL) {
3746 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3747 return -1;
3748 }
3749 p = buf;
3750 /* Message Type */
3751 *p++ = TLS1_HB_REQUEST;
3752 /* Payload length (18 bytes here) */
3753 s2n(payload, p);
3754 /* Sequence number */
3755 s2n(s->tlsext_hb_seq, p);
3756 /* 16 random bytes */
3757 if (RAND_bytes(p, 16) <= 0) {
3758 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3759 goto err;
3760 }
3761 p += 16;
3762 /* Random padding */
3763 if (RAND_bytes(p, padding) <= 0) {
3764 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3765 goto err;
3766 }
3767
3768 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3769 if (ret >= 0) {
3770 if (s->msg_callback)
3771 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3772 buf, 3 + payload + padding,
3773 s, s->msg_callback_arg);
3774
3775 s->tlsext_hb_pending = 1;
3776 }
3777
3778 err:
3779 OPENSSL_free(buf);
3780 return ret;
3781 }
3782 #endif
3783
3784 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3785
3786 typedef struct {
3787 size_t sigalgcnt;
3788 int sigalgs[MAX_SIGALGLEN];
3789 } sig_cb_st;
3790
3791 static void get_sigorhash(int *psig, int *phash, const char *str)
3792 {
3793 if (strcmp(str, "RSA") == 0) {
3794 *psig = EVP_PKEY_RSA;
3795 } else if (strcmp(str, "DSA") == 0) {
3796 *psig = EVP_PKEY_DSA;
3797 } else if (strcmp(str, "ECDSA") == 0) {
3798 *psig = EVP_PKEY_EC;
3799 } else {
3800 *phash = OBJ_sn2nid(str);
3801 if (*phash == NID_undef)
3802 *phash = OBJ_ln2nid(str);
3803 }
3804 }
3805
3806 static int sig_cb(const char *elem, int len, void *arg)
3807 {
3808 sig_cb_st *sarg = arg;
3809 size_t i;
3810 char etmp[20], *p;
3811 int sig_alg = NID_undef, hash_alg = NID_undef;
3812 if (elem == NULL)
3813 return 0;
3814 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3815 return 0;
3816 if (len > (int)(sizeof(etmp) - 1))
3817 return 0;
3818 memcpy(etmp, elem, len);
3819 etmp[len] = 0;
3820 p = strchr(etmp, '+');
3821 if (!p)
3822 return 0;
3823 *p = 0;
3824 p++;
3825 if (!*p)
3826 return 0;
3827
3828 get_sigorhash(&sig_alg, &hash_alg, etmp);
3829 get_sigorhash(&sig_alg, &hash_alg, p);
3830
3831 if (sig_alg == NID_undef || hash_alg == NID_undef)
3832 return 0;
3833
3834 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3835 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3836 return 0;
3837 }
3838 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3839 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3840 return 1;
3841 }
3842
3843 /*
3844 * Set suppored signature algorithms based on a colon separated list of the
3845 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3846 */
3847 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3848 {
3849 sig_cb_st sig;
3850 sig.sigalgcnt = 0;
3851 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3852 return 0;
3853 if (c == NULL)
3854 return 1;
3855 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3856 }
3857
3858 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3859 int client)
3860 {
3861 unsigned char *sigalgs, *sptr;
3862 int rhash, rsign;
3863 size_t i;
3864 if (salglen & 1)
3865 return 0;
3866 sigalgs = OPENSSL_malloc(salglen);
3867 if (sigalgs == NULL)
3868 return 0;
3869 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3870 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3871 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3872
3873 if (rhash == -1 || rsign == -1)
3874 goto err;
3875 *sptr++ = rhash;
3876 *sptr++ = rsign;
3877 }
3878
3879 if (client) {
3880 OPENSSL_free(c->client_sigalgs);
3881 c->client_sigalgs = sigalgs;
3882 c->client_sigalgslen = salglen;
3883 } else {
3884 OPENSSL_free(c->conf_sigalgs);
3885 c->conf_sigalgs = sigalgs;
3886 c->conf_sigalgslen = salglen;
3887 }
3888
3889 return 1;
3890
3891 err:
3892 OPENSSL_free(sigalgs);
3893 return 0;
3894 }
3895
3896 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3897 {
3898 int sig_nid;
3899 size_t i;
3900 if (default_nid == -1)
3901 return 1;
3902 sig_nid = X509_get_signature_nid(x);
3903 if (default_nid)
3904 return sig_nid == default_nid ? 1 : 0;
3905 for (i = 0; i < c->shared_sigalgslen; i++)
3906 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3907 return 1;
3908 return 0;
3909 }
3910
3911 /* Check to see if a certificate issuer name matches list of CA names */
3912 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3913 {
3914 X509_NAME *nm;
3915 int i;
3916 nm = X509_get_issuer_name(x);
3917 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3918 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3919 return 1;
3920 }
3921 return 0;
3922 }
3923
3924 /*
3925 * Check certificate chain is consistent with TLS extensions and is usable by
3926 * server. This servers two purposes: it allows users to check chains before
3927 * passing them to the server and it allows the server to check chains before
3928 * attempting to use them.
3929 */
3930
3931 /* Flags which need to be set for a certificate when stict mode not set */
3932
3933 #define CERT_PKEY_VALID_FLAGS \
3934 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3935 /* Strict mode flags */
3936 #define CERT_PKEY_STRICT_FLAGS \
3937 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3938 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3939
3940 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3941 int idx)
3942 {
3943 int i;
3944 int rv = 0;
3945 int check_flags = 0, strict_mode;
3946 CERT_PKEY *cpk = NULL;
3947 CERT *c = s->cert;
3948 uint32_t *pvalid;
3949 unsigned int suiteb_flags = tls1_suiteb(s);
3950 /* idx == -1 means checking server chains */
3951 if (idx != -1) {
3952 /* idx == -2 means checking client certificate chains */
3953 if (idx == -2) {
3954 cpk = c->key;
3955 idx = cpk - c->pkeys;
3956 } else
3957 cpk = c->pkeys + idx;
3958 pvalid = s->s3->tmp.valid_flags + idx;
3959 x = cpk->x509;
3960 pk = cpk->privatekey;
3961 chain = cpk->chain;
3962 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3963 /* If no cert or key, forget it */
3964 if (!x || !pk)
3965 goto end;
3966 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3967 /* Allow any certificate to pass test */
3968 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3969 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3970 CERT_PKEY_VALID | CERT_PKEY_SIGN;
3971 *pvalid = rv;
3972 return rv;
3973 }
3974 #endif
3975 } else {
3976 if (!x || !pk)
3977 return 0;
3978 idx = ssl_cert_type(x, pk);
3979 if (idx == -1)
3980 return 0;
3981 pvalid = s->s3->tmp.valid_flags + idx;
3982
3983 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3984 check_flags = CERT_PKEY_STRICT_FLAGS;
3985 else
3986 check_flags = CERT_PKEY_VALID_FLAGS;
3987 strict_mode = 1;
3988 }
3989
3990 if (suiteb_flags) {
3991 int ok;
3992 if (check_flags)
3993 check_flags |= CERT_PKEY_SUITEB;
3994 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3995 if (ok == X509_V_OK)
3996 rv |= CERT_PKEY_SUITEB;
3997 else if (!check_flags)
3998 goto end;
3999 }
4000
4001 /*
4002 * Check all signature algorithms are consistent with signature
4003 * algorithms extension if TLS 1.2 or later and strict mode.
4004 */
4005 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4006 int default_nid;
4007 unsigned char rsign = 0;
4008 if (s->s3->tmp.peer_sigalgs)
4009 default_nid = 0;
4010 /* If no sigalgs extension use defaults from RFC5246 */
4011 else {
4012 switch (idx) {
4013 case SSL_PKEY_RSA_ENC:
4014 case SSL_PKEY_RSA_SIGN:
4015 rsign = TLSEXT_signature_rsa;
4016 default_nid = NID_sha1WithRSAEncryption;
4017 break;
4018
4019 case SSL_PKEY_DSA_SIGN:
4020 rsign = TLSEXT_signature_dsa;
4021 default_nid = NID_dsaWithSHA1;
4022 break;
4023
4024 case SSL_PKEY_ECC:
4025 rsign = TLSEXT_signature_ecdsa;
4026 default_nid = NID_ecdsa_with_SHA1;
4027 break;
4028
4029 case SSL_PKEY_GOST01:
4030 rsign = TLSEXT_signature_gostr34102001;
4031 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4032 break;
4033
4034 case SSL_PKEY_GOST12_256:
4035 rsign = TLSEXT_signature_gostr34102012_256;
4036 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4037 break;
4038
4039 case SSL_PKEY_GOST12_512:
4040 rsign = TLSEXT_signature_gostr34102012_512;
4041 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4042 break;
4043
4044 default:
4045 default_nid = -1;
4046 break;
4047 }
4048 }
4049 /*
4050 * If peer sent no signature algorithms extension and we have set
4051 * preferred signature algorithms check we support sha1.
4052 */
4053 if (default_nid > 0 && c->conf_sigalgs) {
4054 size_t j;
4055 const unsigned char *p = c->conf_sigalgs;
4056 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4057 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4058 break;
4059 }
4060 if (j == c->conf_sigalgslen) {
4061 if (check_flags)
4062 goto skip_sigs;
4063 else
4064 goto end;
4065 }
4066 }
4067 /* Check signature algorithm of each cert in chain */
4068 if (!tls1_check_sig_alg(c, x, default_nid)) {
4069 if (!check_flags)
4070 goto end;
4071 } else
4072 rv |= CERT_PKEY_EE_SIGNATURE;
4073 rv |= CERT_PKEY_CA_SIGNATURE;
4074 for (i = 0; i < sk_X509_num(chain); i++) {
4075 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4076 if (check_flags) {
4077 rv &= ~CERT_PKEY_CA_SIGNATURE;
4078 break;
4079 } else
4080 goto end;
4081 }
4082 }
4083 }
4084 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4085 else if (check_flags)
4086 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4087 skip_sigs:
4088 /* Check cert parameters are consistent */
4089 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4090 rv |= CERT_PKEY_EE_PARAM;
4091 else if (!check_flags)
4092 goto end;
4093 if (!s->server)
4094 rv |= CERT_PKEY_CA_PARAM;
4095 /* In strict mode check rest of chain too */
4096 else if (strict_mode) {
4097 rv |= CERT_PKEY_CA_PARAM;
4098 for (i = 0; i < sk_X509_num(chain); i++) {
4099 X509 *ca = sk_X509_value(chain, i);
4100 if (!tls1_check_cert_param(s, ca, 0)) {
4101 if (check_flags) {
4102 rv &= ~CERT_PKEY_CA_PARAM;
4103 break;
4104 } else
4105 goto end;
4106 }
4107 }
4108 }
4109 if (!s->server && strict_mode) {
4110 STACK_OF(X509_NAME) *ca_dn;
4111 int check_type = 0;
4112 switch (EVP_PKEY_id(pk)) {
4113 case EVP_PKEY_RSA:
4114 check_type = TLS_CT_RSA_SIGN;
4115 break;
4116 case EVP_PKEY_DSA:
4117 check_type = TLS_CT_DSS_SIGN;
4118 break;
4119 case EVP_PKEY_EC:
4120 check_type = TLS_CT_ECDSA_SIGN;
4121 break;
4122 }
4123 if (check_type) {
4124 const unsigned char *ctypes;
4125 int ctypelen;
4126 if (c->ctypes) {
4127 ctypes = c->ctypes;
4128 ctypelen = (int)c->ctype_num;
4129 } else {
4130 ctypes = (unsigned char *)s->s3->tmp.ctype;
4131 ctypelen = s->s3->tmp.ctype_num;
4132 }
4133 for (i = 0; i < ctypelen; i++) {
4134 if (ctypes[i] == check_type) {
4135 rv |= CERT_PKEY_CERT_TYPE;
4136 break;
4137 }
4138 }
4139 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4140 goto end;
4141 } else
4142 rv |= CERT_PKEY_CERT_TYPE;
4143
4144 ca_dn = s->s3->tmp.ca_names;
4145
4146 if (!sk_X509_NAME_num(ca_dn))
4147 rv |= CERT_PKEY_ISSUER_NAME;
4148
4149 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4150 if (ssl_check_ca_name(ca_dn, x))
4151 rv |= CERT_PKEY_ISSUER_NAME;
4152 }
4153 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4154 for (i = 0; i < sk_X509_num(chain); i++) {
4155 X509 *xtmp = sk_X509_value(chain, i);
4156 if (ssl_check_ca_name(ca_dn, xtmp)) {
4157 rv |= CERT_PKEY_ISSUER_NAME;
4158 break;
4159 }
4160 }
4161 }
4162 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4163 goto end;
4164 } else
4165 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4166
4167 if (!check_flags || (rv & check_flags) == check_flags)
4168 rv |= CERT_PKEY_VALID;
4169
4170 end:
4171
4172 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4173 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
4174 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4175 else if (s->s3->tmp.md[idx] != NULL)
4176 rv |= CERT_PKEY_SIGN;
4177 } else
4178 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4179
4180 /*
4181 * When checking a CERT_PKEY structure all flags are irrelevant if the
4182 * chain is invalid.
4183 */
4184 if (!check_flags) {
4185 if (rv & CERT_PKEY_VALID)
4186 *pvalid = rv;
4187 else {
4188 /* Preserve explicit sign flag, clear rest */
4189 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
4190 return 0;
4191 }
4192 }
4193 return rv;
4194 }
4195
4196 /* Set validity of certificates in an SSL structure */
4197 void tls1_set_cert_validity(SSL *s)
4198 {
4199 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4200 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4201 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4202 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4203 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4204 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4205 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
4206 }
4207
4208 /* User level utiity function to check a chain is suitable */
4209 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4210 {
4211 return tls1_check_chain(s, x, pk, chain, -1);
4212 }
4213
4214
4215 #ifndef OPENSSL_NO_DH
4216 DH *ssl_get_auto_dh(SSL *s)
4217 {
4218 int dh_secbits = 80;
4219 if (s->cert->dh_tmp_auto == 2)
4220 return DH_get_1024_160();
4221 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
4222 if (s->s3->tmp.new_cipher->strength_bits == 256)
4223 dh_secbits = 128;
4224 else
4225 dh_secbits = 80;
4226 } else {
4227 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4228 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4229 }
4230
4231 if (dh_secbits >= 128) {
4232 DH *dhp = DH_new();
4233 if (dhp == NULL)
4234 return NULL;
4235 dhp->g = BN_new();
4236 if (dhp->g != NULL)
4237 BN_set_word(dhp->g, 2);
4238 if (dh_secbits >= 192)
4239 dhp->p = get_rfc3526_prime_8192(NULL);
4240 else
4241 dhp->p = get_rfc3526_prime_3072(NULL);
4242 if (dhp->p == NULL || dhp->g == NULL) {
4243 DH_free(dhp);
4244 return NULL;
4245 }
4246 return dhp;
4247 }
4248 if (dh_secbits >= 112)
4249 return DH_get_2048_224();
4250 return DH_get_1024_160();
4251 }
4252 #endif
4253
4254 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4255 {
4256 int secbits = -1;
4257 EVP_PKEY *pkey = X509_get0_pubkey(x);
4258 if (pkey) {
4259 /*
4260 * If no parameters this will return -1 and fail using the default
4261 * security callback for any non-zero security level. This will
4262 * reject keys which omit parameters but this only affects DSA and
4263 * omission of parameters is never (?) done in practice.
4264 */
4265 secbits = EVP_PKEY_security_bits(pkey);
4266 }
4267 if (s)
4268 return ssl_security(s, op, secbits, 0, x);
4269 else
4270 return ssl_ctx_security(ctx, op, secbits, 0, x);
4271 }
4272
4273 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4274 {
4275 /* Lookup signature algorithm digest */
4276 int secbits = -1, md_nid = NID_undef, sig_nid;
4277 sig_nid = X509_get_signature_nid(x);
4278 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4279 const EVP_MD *md;
4280 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4281 secbits = EVP_MD_size(md) * 4;
4282 }
4283 if (s)
4284 return ssl_security(s, op, secbits, md_nid, x);
4285 else
4286 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4287 }
4288
4289 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4290 {
4291 if (vfy)
4292 vfy = SSL_SECOP_PEER;
4293 if (is_ee) {
4294 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4295 return SSL_R_EE_KEY_TOO_SMALL;
4296 } else {
4297 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4298 return SSL_R_CA_KEY_TOO_SMALL;
4299 }
4300 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4301 return SSL_R_CA_MD_TOO_WEAK;
4302 return 1;
4303 }
4304
4305 /*
4306 * Check security of a chain, if sk includes the end entity certificate then
4307 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4308 * one to the peer. Return values: 1 if ok otherwise error code to use
4309 */
4310
4311 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4312 {
4313 int rv, start_idx, i;
4314 if (x == NULL) {
4315 x = sk_X509_value(sk, 0);
4316 start_idx = 1;
4317 } else
4318 start_idx = 0;
4319
4320 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4321 if (rv != 1)
4322 return rv;
4323
4324 for (i = start_idx; i < sk_X509_num(sk); i++) {
4325 x = sk_X509_value(sk, i);
4326 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4327 if (rv != 1)
4328 return rv;
4329 }
4330 return 1;
4331 }
A mirror of the official openssl repository