]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Implement tls13_change_cipher_state()
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
f1fd4544 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
f1fd4544 8 */
58964a49
RE		 9
10#include <stdio.h>
aa474d1f 11#include <stdlib.h>
ec577822 12#include <openssl/objects.h>
6434abbf
DSH		 13#include <openssl/evp.h>
14#include <openssl/hmac.h>
67c8e7f4 15#include <openssl/ocsp.h>
5951e840
MC		 16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
3c27208f
RS		 18#include <openssl/dh.h>
19#include <openssl/bn.h>
58964a49 20#include "ssl_locl.h"
3c27208f 21#include <openssl/ct.h>
58964a49 22
d736bc1a 23static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, size_t ticklen,
ec60ccc1 24 const unsigned char *sess_id, size_t sesslen,
0f113f3e 25 SSL_SESSION **psess);
2daceb03 26static int ssl_check_clienthello_tlsext_early(SSL *s);
aa474d1f 27static int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 28
0f113f3e
MC		 29SSL3_ENC_METHOD const TLSv1_enc_data = {
30 tls1_enc,
31 tls1_mac,
32 tls1_setup_key_block,
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
0f113f3e
MC		 36 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
37 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
38 tls1_alert_code,
39 tls1_export_keying_material,
40 0,
a29fa98c 41 ssl3_set_handshake_header,
2c7b4dbc 42 tls_close_construct_packet,
0f113f3e
MC		 43 ssl3_handshake_write
44};
45
46SSL3_ENC_METHOD const TLSv1_1_enc_data = {
47 tls1_enc,
48 tls1_mac,
49 tls1_setup_key_block,
50 tls1_generate_master_secret,
51 tls1_change_cipher_state,
52 tls1_final_finish_mac,
0f113f3e
MC		 53 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
54 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
55 tls1_alert_code,
56 tls1_export_keying_material,
57 SSL_ENC_FLAG_EXPLICIT_IV,
a29fa98c 58 ssl3_set_handshake_header,
2c7b4dbc 59 tls_close_construct_packet,
0f113f3e
MC		 60 ssl3_handshake_write
61};
62
63SSL3_ENC_METHOD const TLSv1_2_enc_data = {
64 tls1_enc,
65 tls1_mac,
66 tls1_setup_key_block,
67 tls1_generate_master_secret,
68 tls1_change_cipher_state,
69 tls1_final_finish_mac,
0f113f3e
MC		 70 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
71 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
72 tls1_alert_code,
73 tls1_export_keying_material,
74 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
75 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
a29fa98c 76 ssl3_set_handshake_header,
2c7b4dbc 77 tls_close_construct_packet,
0f113f3e
MC		 78 ssl3_handshake_write
79};
58964a49 80
582a17d6
MC		 81SSL3_ENC_METHOD const TLSv1_3_enc_data = {
82 tls1_enc,
83 tls1_mac,
84 tls1_setup_key_block,
85 tls1_generate_master_secret,
86 tls1_change_cipher_state,
87 tls1_final_finish_mac,
582a17d6
MC		 88 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
89 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
90 tls1_alert_code,
91 tls1_export_keying_material,
92 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
93 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
582a17d6
MC		 94 ssl3_set_handshake_header,
95 tls_close_construct_packet,
96 ssl3_handshake_write
97};
98
f3b656b2 99long tls1_default_timeout(void)
0f113f3e
MC		 100{
101 /*
102 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
103 * http, the cache would over fill
104 */
105 return (60 * 60 * 2);
106}
58964a49 107
6b691a5c 108int tls1_new(SSL *s)
0f113f3e
MC		 109{
110 if (!ssl3_new(s))
111 return (0);
112 s->method->ssl_clear(s);
113 return (1);
114}
58964a49 115
6b691a5c 116void tls1_free(SSL *s)
0f113f3e 117{
b548a1f1 118 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 119 ssl3_free(s);
120}
58964a49 121
6b691a5c 122void tls1_clear(SSL *s)
0f113f3e
MC		 123{
124 ssl3_clear(s);
4fa52141
VD		 125 if (s->method->version == TLS_ANY_VERSION)
126 s->version = TLS_MAX_VERSION;
127 else
128 s->version = s->method->version;
0f113f3e 129}
58964a49 130
525de5d3 131#ifndef OPENSSL_NO_EC
eda3766b 132
0f113f3e
MC		 133typedef struct {
134 int nid; /* Curve NID */
135 int secbits; /* Bits of security (from SP800-57) */
136 unsigned int flags; /* Flags: currently just field type */
137} tls_curve_info;
138
2dc1aeed
DSH		 139/*
140 * Table of curve information.
ddb4c047 141 * Do not delete entries or reorder this array! It is used as a lookup
2dc1aeed
DSH		 142 * table: the index of each entry is one less than the TLS curve id.
143 */
0f113f3e
MC		 144static const tls_curve_info nid_list[] = {
145 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
146 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
147 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
148 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
149 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
150 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
151 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
152 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
153 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
154 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
155 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
156 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
157 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
158 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
159 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
160 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
161 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
162 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
163 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
164 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
165 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
166 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
167 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
168 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
169 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
170 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
171 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
172 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
ec24630a 173 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
0f113f3e
MC		 174};
175
176static const unsigned char ecformats_default[] = {
177 TLSEXT_ECPOINTFORMAT_uncompressed,
178 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
179 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
180};
181
fe6ef247
KR		 182/* The default curves */
183static const unsigned char eccurves_default[] = {
1db3107a 184 0, 29, /* X25519 (29) */
de57d237 185 0, 23, /* secp256r1 (23) */
0f113f3e 186 0, 25, /* secp521r1 (25) */
0f113f3e 187 0, 24, /* secp384r1 (24) */
de57d237
EK		 188};
189
190static const unsigned char eccurves_all[] = {
1db3107a 191 0, 29, /* X25519 (29) */
de57d237 192 0, 23, /* secp256r1 (23) */
de57d237 193 0, 25, /* secp521r1 (25) */
de57d237 194 0, 24, /* secp384r1 (24) */
0f113f3e 195 0, 26, /* brainpoolP256r1 (26) */
ddb4c047
RS		 196 0, 27, /* brainpoolP384r1 (27) */
197 0, 28, /* brainpool512r1 (28) */
198
199 /*
200 * Remaining curves disabled by default but still permitted if set
201 * via an explicit callback or parameters.
202 */
0f113f3e 203 0, 22, /* secp256k1 (22) */
de57d237
EK		 204 0, 14, /* sect571r1 (14) */
205 0, 13, /* sect571k1 (13) */
206 0, 11, /* sect409k1 (11) */
207 0, 12, /* sect409r1 (12) */
208 0, 9, /* sect283k1 (9) */
209 0, 10, /* sect283r1 (10) */
de57d237
EK		 210 0, 20, /* secp224k1 (20) */
211 0, 21, /* secp224r1 (21) */
212 0, 18, /* secp192k1 (18) */
213 0, 19, /* secp192r1 (19) */
214 0, 15, /* secp160k1 (15) */
215 0, 16, /* secp160r1 (16) */
216 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 217 0, 8, /* sect239k1 (8) */
218 0, 6, /* sect233k1 (6) */
219 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 220 0, 4, /* sect193r1 (4) */
221 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 222 0, 1, /* sect163k1 (1) */
223 0, 2, /* sect163r1 (2) */
224 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 225};
226
227static const unsigned char suiteb_curves[] = {
228 0, TLSEXT_curve_P_256,
229 0, TLSEXT_curve_P_384
230};
2ea80354 231
ec24630a 232int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
0f113f3e 233{
ec24630a 234 const tls_curve_info *cinfo;
0f113f3e 235 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 236 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e 237 return 0;
ec24630a
DSH		 238 cinfo = nid_list + curve_id - 1;
239 if (pflags)
240 *pflags = cinfo->flags;
241 return cinfo->nid;
0f113f3e 242}
525de5d3
DSH		 243
244int tls1_ec_nid2curve_id(int nid)
0f113f3e 245{
2fa2d15a
DSH		 246 size_t i;
247 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
248 if (nid_list[i].nid == nid)
348240c6 249 return (int)(i + 1);
0f113f3e 250 }
2fa2d15a 251 return 0;
0f113f3e
MC		 252}
253
740580c2
EK		 254/*
255 * Get curves list, if "sess" is set return client curves otherwise
256 * preferred list.
257 * Sets |num_curves| to the number of curves in the list, i.e.,
258 * the length of |pcurves| is 2 * num_curves.
259 * Returns 1 on success and 0 if the client curves list has invalid format.
260 * The latter indicates an internal error: we should not be accepting such
261 * lists in the first place.
262 * TODO(emilia): we should really be storing the curves list in explicitly
263 * parsed form instead. (However, this would affect binary compatibility
264 * so cannot happen in the 1.0.x series.)
fd2b65ce 265 */
740580c2 266static int tls1_get_curvelist(SSL *s, int sess,
a230b26e 267 const unsigned char **pcurves, size_t *num_curves)
0f113f3e
MC		 268{
269 size_t pcurveslen = 0;
270 if (sess) {
de4d764e
MC		 271 *pcurves = s->session->tlsext_supportedgroupslist;
272 pcurveslen = s->session->tlsext_supportedgroupslist_length;
0f113f3e
MC		 273 } else {
274 /* For Suite B mode only include P-256, P-384 */
275 switch (tls1_suiteb(s)) {
276 case SSL_CERT_FLAG_SUITEB_128_LOS:
277 *pcurves = suiteb_curves;
278 pcurveslen = sizeof(suiteb_curves);
279 break;
280
281 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
282 *pcurves = suiteb_curves;
283 pcurveslen = 2;
284 break;
285
286 case SSL_CERT_FLAG_SUITEB_192_LOS:
287 *pcurves = suiteb_curves + 2;
288 pcurveslen = 2;
289 break;
290 default:
de4d764e
MC		 291 *pcurves = s->tlsext_supportedgroupslist;
292 pcurveslen = s->tlsext_supportedgroupslist_length;
0f113f3e
MC		 293 }
294 if (!*pcurves) {
fe6ef247
KR		 295 *pcurves = eccurves_default;
296 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 297 }
298 }
299
300 /* We do not allow odd length arrays to enter the system. */
301 if (pcurveslen & 1) {
302 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
303 *num_curves = 0;
304 return 0;
305 } else {
306 *num_curves = pcurveslen / 2;
307 return 1;
308 }
309}
b362ccab
DSH		 310
311/* See if curve is allowed by security callback */
312static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 313{
314 const tls_curve_info *cinfo;
315 if (curve[0])
316 return 1;
b6eb9827 317 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 318 return 0;
319 cinfo = &nid_list[curve[1] - 1];
320# ifdef OPENSSL_NO_EC2M
321 if (cinfo->flags & TLS_CURVE_CHAR2)
322 return 0;
323# endif
324 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
325}
b362ccab 326
d18b716d
DSH		 327/* Check a curve is one of our preferences */
328int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 329{
330 const unsigned char *curves;
331 size_t num_curves, i;
332 unsigned int suiteb_flags = tls1_suiteb(s);
333 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
334 return 0;
335 /* Check curve matches Suite B preferences */
336 if (suiteb_flags) {
337 unsigned long cid = s->s3->tmp.new_cipher->id;
338 if (p[1])
339 return 0;
340 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
341 if (p[2] != TLSEXT_curve_P_256)
342 return 0;
343 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
344 if (p[2] != TLSEXT_curve_P_384)
345 return 0;
346 } else /* Should never happen */
347 return 0;
348 }
349 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
350 return 0;
351 for (i = 0; i < num_curves; i++, curves += 2) {
352 if (p[1] == curves[0] && p[2] == curves[1])
353 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
354 }
355 return 0;
356}
d0595f17 357
1d97c843 358/*-
de4d764e 359 * For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef
6977e8ee
KR		 360 * if there is no match.
361 * For nmatch == -1, return number of matches
de4d764e 362 * For nmatch == -2, return the NID of the group to use for
376e2ca3 363 * an EC tmp key, or NID_undef if there is no match.
d0595f17 364 */
de4d764e 365int tls1_shared_group(SSL *s, int nmatch)
0f113f3e
MC		 366{
367 const unsigned char *pref, *supp;
368 size_t num_pref, num_supp, i, j;
369 int k;
370 /* Can't do anything on client side */
371 if (s->server == 0)
372 return -1;
373 if (nmatch == -2) {
374 if (tls1_suiteb(s)) {
375 /*
376 * For Suite B ciphersuite determines curve: we already know
377 * these are acceptable due to previous checks.
378 */
379 unsigned long cid = s->s3->tmp.new_cipher->id;
380 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
381 return NID_X9_62_prime256v1; /* P-256 */
382 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
383 return NID_secp384r1; /* P-384 */
384 /* Should never happen */
385 return NID_undef;
386 }
387 /* If not Suite B just return first preference shared curve */
388 nmatch = 0;
389 }
390 /*
391 * Avoid truncation. tls1_get_curvelist takes an int
392 * but s->options is a long...
393 */
394 if (!tls1_get_curvelist
395 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
396 &num_supp))
397 /* In practice, NID_undef == 0 but let's be precise. */
398 return nmatch == -1 ? 0 : NID_undef;
399 if (!tls1_get_curvelist
a230b26e 400 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
0f113f3e 401 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 402
403 /*
404 * If the client didn't send the elliptic_curves extension all of them
405 * are allowed.
406 */
407 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
408 supp = eccurves_all;
409 num_supp = sizeof(eccurves_all) / 2;
410 } else if (num_pref == 0 &&
a230b26e 411 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
3c06513f
KR		 412 pref = eccurves_all;
413 num_pref = sizeof(eccurves_all) / 2;
414 }
415
0f113f3e
MC		 416 k = 0;
417 for (i = 0; i < num_pref; i++, pref += 2) {
418 const unsigned char *tsupp = supp;
419 for (j = 0; j < num_supp; j++, tsupp += 2) {
420 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
421 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
422 continue;
423 if (nmatch == k) {
424 int id = (pref[0] << 8) | pref[1];
ec24630a 425 return tls1_ec_curve_id2nid(id, NULL);
0f113f3e
MC		 426 }
427 k++;
428 }
429 }
430 }
431 if (nmatch == -1)
432 return k;
433 /* Out of range (nmatch > k). */
434 return NID_undef;
435}
d0595f17 436
de4d764e
MC		 437int tls1_set_groups(unsigned char **pext, size_t *pextlen,
438 int *groups, size_t ngroups)
0f113f3e 439{
de4d764e 440 unsigned char *glist, *p;
0f113f3e
MC		 441 size_t i;
442 /*
de4d764e 443 * Bitmap of groups included to detect duplicates: only works while group
0f113f3e
MC		 444 * ids < 32
445 */
446 unsigned long dup_list = 0;
de4d764e
MC		 447 glist = OPENSSL_malloc(ngroups * 2);
448 if (glist == NULL)
0f113f3e 449 return 0;
de4d764e 450 for (i = 0, p = glist; i < ngroups; i++) {
0f113f3e
MC		 451 unsigned long idmask;
452 int id;
de4d764e
MC		 453 /* TODO(TLS1.3): Convert for DH groups */
454 id = tls1_ec_nid2curve_id(groups[i]);
0f113f3e
MC		 455 idmask = 1L << id;
456 if (!id || (dup_list & idmask)) {
de4d764e 457 OPENSSL_free(glist);
0f113f3e
MC		 458 return 0;
459 }
460 dup_list |= idmask;
461 s2n(id, p);
462 }
b548a1f1 463 OPENSSL_free(*pext);
de4d764e
MC		 464 *pext = glist;
465 *pextlen = ngroups * 2;
0f113f3e
MC		 466 return 1;
467}
468
469# define MAX_CURVELIST 28
470
471typedef struct {
472 size_t nidcnt;
473 int nid_arr[MAX_CURVELIST];
474} nid_cb_st;
d0595f17
DSH		 475
476static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 477{
478 nid_cb_st *narg = arg;
479 size_t i;
480 int nid;
481 char etmp[20];
2747d73c
KR		 482 if (elem == NULL)
483 return 0;
0f113f3e
MC		 484 if (narg->nidcnt == MAX_CURVELIST)
485 return 0;
486 if (len > (int)(sizeof(etmp) - 1))
487 return 0;
488 memcpy(etmp, elem, len);
489 etmp[len] = 0;
490 nid = EC_curve_nist2nid(etmp);
491 if (nid == NID_undef)
492 nid = OBJ_sn2nid(etmp);
493 if (nid == NID_undef)
494 nid = OBJ_ln2nid(etmp);
495 if (nid == NID_undef)
496 return 0;
497 for (i = 0; i < narg->nidcnt; i++)
498 if (narg->nid_arr[i] == nid)
499 return 0;
500 narg->nid_arr[narg->nidcnt++] = nid;
501 return 1;
502}
503
de4d764e
MC		 504/* Set groups based on a colon separate list */
505int tls1_set_groups_list(unsigned char **pext, size_t *pextlen, const char *str)
0f113f3e
MC		 506{
507 nid_cb_st ncb;
508 ncb.nidcnt = 0;
509 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
510 return 0;
511 if (pext == NULL)
512 return 1;
de4d764e 513 return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
0f113f3e
MC		 514}
515
fd2b65ce
DSH		 516/* For an EC key set TLS id and required compression based on parameters */
517static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 518 EC_KEY *ec)
519{
2235b7f2 520 int id;
0f113f3e 521 const EC_GROUP *grp;
0f113f3e
MC		 522 if (!ec)
523 return 0;
524 /* Determine if it is a prime field */
525 grp = EC_KEY_get0_group(ec);
526 if (!grp)
527 return 0;
0f113f3e
MC		 528 /* Determine curve ID */
529 id = EC_GROUP_get_curve_name(grp);
530 id = tls1_ec_nid2curve_id(id);
2235b7f2
DSH		 531 /* If no id return error: we don't support arbitrary explicit curves */
532 if (id == 0)
533 return 0;
534 curve_id[0] = 0;
535 curve_id[1] = (unsigned char)id;
0f113f3e
MC		 536 if (comp_id) {
537 if (EC_KEY_get0_public_key(ec) == NULL)
538 return 0;
2235b7f2
DSH		 539 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
540 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
541 } else {
542 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
0f113f3e
MC		 543 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
544 else
545 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2235b7f2 546 }
0f113f3e
MC		 547 }
548 return 1;
549}
550
fd2b65ce
DSH		 551/* Check an EC key is compatible with extensions */
552static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 553 unsigned char *curve_id, unsigned char *comp_id)
554{
555 const unsigned char *pformats, *pcurves;
556 size_t num_formats, num_curves, i;
557 int j;
558 /*
559 * If point formats extension present check it, otherwise everything is
560 * supported (see RFC4492).
561 */
562 if (comp_id && s->session->tlsext_ecpointformatlist) {
563 pformats = s->session->tlsext_ecpointformatlist;
564 num_formats = s->session->tlsext_ecpointformatlist_length;
565 for (i = 0; i < num_formats; i++, pformats++) {
566 if (*comp_id == *pformats)
567 break;
568 }
569 if (i == num_formats)
570 return 0;
571 }
572 if (!curve_id)
573 return 1;
574 /* Check curve is consistent with client and server preferences */
575 for (j = 0; j <= 1; j++) {
576 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
577 return 0;
b79d2410
MC		 578 if (j == 1 && num_curves == 0) {
579 /*
580 * If we've not received any curves then skip this check.
581 * RFC 4492 does not require the supported elliptic curves extension
582 * so if it is not sent we can just choose any curve.
583 * It is invalid to send an empty list in the elliptic curves
584 * extension, so num_curves == 0 always means no extension.
585 */
586 break;
587 }
0f113f3e
MC		 588 for (i = 0; i < num_curves; i++, pcurves += 2) {
589 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
590 break;
591 }
592 if (i == num_curves)
593 return 0;
594 /* For clients can only check sent curve list */
595 if (!s->server)
596 break;
597 }
598 return 1;
599}
d61ff83b 600
5087afa1 601static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 602 size_t *num_formats)
603{
604 /*
605 * If we have a custom point format list use it otherwise use default
606 */
607 if (s->tlsext_ecpointformatlist) {
608 *pformats = s->tlsext_ecpointformatlist;
609 *num_formats = s->tlsext_ecpointformatlist_length;
610 } else {
611 *pformats = ecformats_default;
612 /* For Suite B we don't support char2 fields */
613 if (tls1_suiteb(s))
614 *num_formats = sizeof(ecformats_default) - 1;
615 else
616 *num_formats = sizeof(ecformats_default);
617 }
618}
619
620/*
621 * Check cert parameters compatible with extensions: currently just checks EC
622 * certificates have compatible curves and compression.
d61ff83b 623 */
2ea80354 624static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 625{
626 unsigned char comp_id, curve_id[2];
627 EVP_PKEY *pkey;
628 int rv;
8382fd3a 629 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 630 if (!pkey)
631 return 0;
632 /* If not EC nothing to do */
3aeb9348 633 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 634 return 1;
3aeb9348 635 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 636 if (!rv)
637 return 0;
638 /*
639 * Can't check curve_id for client certs as we don't have a supported
640 * curves extension.
641 */
642 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
643 if (!rv)
644 return 0;
645 /*
646 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
647 * SHA384+P-384, adjust digest if necessary.
648 */
649 if (set_ee_md && tls1_suiteb(s)) {
650 int check_md;
651 size_t i;
652 CERT *c = s->cert;
653 if (curve_id[0])
654 return 0;
655 /* Check to see we have necessary signing algorithm */
656 if (curve_id[1] == TLSEXT_curve_P_256)
657 check_md = NID_ecdsa_with_SHA256;
658 else if (curve_id[1] == TLSEXT_curve_P_384)
659 check_md = NID_ecdsa_with_SHA384;
660 else
661 return 0; /* Should never happen */
662 for (i = 0; i < c->shared_sigalgslen; i++)
663 if (check_md == c->shared_sigalgs[i].signandhash_nid)
664 break;
665 if (i == c->shared_sigalgslen)
666 return 0;
667 if (set_ee_md == 2) {
668 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 669 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 670 else
d376e57d 671 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 672 }
673 }
674 return rv;
675}
676
10bf4fc2 677# ifndef OPENSSL_NO_EC
6977e8ee 678/*
8483a003 679 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
6977e8ee
KR		 680 * @s: SSL connection
681 * @cid: Cipher ID we're considering using
682 *
683 * Checks that the kECDHE cipher suite we're considering using
684 * is compatible with the client extensions.
685 *
686 * Returns 0 when the cipher can't be used or 1 when it can.
687 */
2ea80354 688int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 689{
0f113f3e
MC		 690 /*
691 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
692 * curves permitted.
693 */
694 if (tls1_suiteb(s)) {
6977e8ee 695 unsigned char curve_id[2];
0f113f3e
MC		 696 /* Curve to check determined by ciphersuite */
697 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
698 curve_id[1] = TLSEXT_curve_P_256;
699 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
700 curve_id[1] = TLSEXT_curve_P_384;
701 else
702 return 0;
703 curve_id[0] = 0;
704 /* Check this curve is acceptable */
705 if (!tls1_check_ec_key(s, curve_id, NULL))
706 return 0;
fe6ef247 707 return 1;
0f113f3e 708 }
fe6ef247 709 /* Need a shared curve */
de4d764e 710 if (tls1_shared_group(s, 0))
fe6ef247 711 return 1;
6977e8ee 712 return 0;
0f113f3e 713}
10bf4fc2 714# endif /* OPENSSL_NO_EC */
d0595f17 715
14536c8c
DSH		 716#else
717
718static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 719{
720 return 1;
721}
14536c8c 722
0f113f3e 723#endif /* OPENSSL_NO_EC */
f1fd4544 724
0f113f3e
MC		 725/*
726 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 727 * customisable at some point, for now include everything we support.
728 */
729
e481f9b9 730#ifdef OPENSSL_NO_RSA
a230b26e 731# define tlsext_sigalg_rsa(md) /* */
e481f9b9
MC		 732#else
733# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
734#endif
0f113f3e 735
e481f9b9 736#ifdef OPENSSL_NO_DSA
a230b26e 737# define tlsext_sigalg_dsa(md) /* */
e481f9b9
MC		 738#else
739# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
740#endif
0f113f3e 741
e481f9b9 742#ifdef OPENSSL_NO_EC
a230b26e 743# define tlsext_sigalg_ecdsa(md)/* */
e481f9b9
MC		 744#else
745# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
746#endif
0f113f3e 747
e481f9b9 748#define tlsext_sigalg(md) \
0f113f3e
MC		 749 tlsext_sigalg_rsa(md) \
750 tlsext_sigalg_dsa(md) \
751 tlsext_sigalg_ecdsa(md)
fc101f88 752
d97ed219 753static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 754 tlsext_sigalg(TLSEXT_hash_sha512)
755 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 756 tlsext_sigalg(TLSEXT_hash_sha256)
757 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 758 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 759#ifndef OPENSSL_NO_GOST
760 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
a230b26e
EK		 761 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
762 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
e44380a9 763#endif
fc101f88 764};
0f113f3e 765
e481f9b9 766#ifndef OPENSSL_NO_EC
d97ed219 767static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 768 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
769 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 770};
e481f9b9 771#endif
b7bfe69b 772size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 773{
774 /*
775 * If Suite B mode use Suite B sigalgs only, ignore any other
776 * preferences.
777 */
e481f9b9 778#ifndef OPENSSL_NO_EC
0f113f3e
MC		 779 switch (tls1_suiteb(s)) {
780 case SSL_CERT_FLAG_SUITEB_128_LOS:
781 *psigs = suiteb_sigalgs;
782 return sizeof(suiteb_sigalgs);
783
784 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
785 *psigs = suiteb_sigalgs;
786 return 2;
787
788 case SSL_CERT_FLAG_SUITEB_192_LOS:
789 *psigs = suiteb_sigalgs + 2;
790 return 2;
791 }
e481f9b9 792#endif
0f113f3e
MC		 793 /* If server use client authentication sigalgs if not NULL */
794 if (s->server && s->cert->client_sigalgs) {
795 *psigs = s->cert->client_sigalgs;
796 return s->cert->client_sigalgslen;
797 } else if (s->cert->conf_sigalgs) {
798 *psigs = s->cert->conf_sigalgs;
799 return s->cert->conf_sigalgslen;
800 } else {
801 *psigs = tls12_sigalgs;
802 return sizeof(tls12_sigalgs);
803 }
804}
805
806/*
807 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 808 * algorithms and if so return relevant digest.
809 */
810int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 811 const unsigned char *sig, EVP_PKEY *pkey)
812{
813 const unsigned char *sent_sigs;
814 size_t sent_sigslen, i;
815 int sigalg = tls12_get_sigid(pkey);
816 /* Should never happen */
817 if (sigalg == -1)
818 return -1;
819 /* Check key type is consistent with signature */
820 if (sigalg != (int)sig[1]) {
821 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
822 return 0;
823 }
e481f9b9 824#ifndef OPENSSL_NO_EC
3aeb9348 825 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 826 unsigned char curve_id[2], comp_id;
827 /* Check compression and curve matches extensions */
3aeb9348 828 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 829 return 0;
830 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
831 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
832 return 0;
833 }
834 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
835 if (tls1_suiteb(s)) {
836 if (curve_id[0])
837 return 0;
838 if (curve_id[1] == TLSEXT_curve_P_256) {
839 if (sig[0] != TLSEXT_hash_sha256) {
840 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
841 SSL_R_ILLEGAL_SUITEB_DIGEST);
842 return 0;
843 }
844 } else if (curve_id[1] == TLSEXT_curve_P_384) {
845 if (sig[0] != TLSEXT_hash_sha384) {
846 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
847 SSL_R_ILLEGAL_SUITEB_DIGEST);
848 return 0;
849 }
850 } else
851 return 0;
852 }
853 } else if (tls1_suiteb(s))
854 return 0;
e481f9b9 855#endif
0f113f3e
MC		 856
857 /* Check signature matches a type we sent */
858 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
859 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
860 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
861 break;
862 }
863 /* Allow fallback to SHA1 if not strict mode */
864 if (i == sent_sigslen
865 && (sig[0] != TLSEXT_hash_sha1
866 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
867 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
868 return 0;
869 }
870 *pmd = tls12_get_hash(sig[0]);
871 if (*pmd == NULL) {
872 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
873 return 0;
874 }
875 /* Make sure security callback allows algorithm */
876 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
a230b26e 877 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
0f113f3e
MC		 878 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
879 return 0;
880 }
881 /*
882 * Store the digest used so applications can retrieve it if they wish.
883 */
d376e57d 884 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 885 return 1;
886}
2ea80354 887
0f113f3e 888/*
3eb2aff4
KR		 889 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
890 * supported, doesn't appear in supported signature algorithms, isn't supported
891 * by the enabled protocol versions or by the security level.
892 *
893 * This function should only be used for checking which ciphers are supported
894 * by the client.
895 *
896 * Call ssl_cipher_disabled() to check that it's enabled or not.
b7bfe69b
DSH		 897 */
898void ssl_set_client_disabled(SSL *s)
0f113f3e 899{
4d69f9e6
DSH		 900 s->s3->tmp.mask_a = 0;
901 s->s3->tmp.mask_k = 0;
4d69f9e6 902 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
3eb2aff4 903 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
a230b26e 904#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 905 /* with PSK there must be client callback set */
906 if (!s->psk_client_callback) {
4d69f9e6 907 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 908 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 909 }
a230b26e 910#endif /* OPENSSL_NO_PSK */
e481f9b9 911#ifndef OPENSSL_NO_SRP
0f113f3e 912 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 913 s->s3->tmp.mask_a |= SSL_aSRP;
914 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 915 }
e481f9b9 916#endif
0f113f3e 917}
fc101f88 918
3eb2aff4
KR		 919/*
920 * ssl_cipher_disabled - check that a cipher is disabled or not
921 * @s: SSL connection that you want to use the cipher on
922 * @c: cipher to check
923 * @op: Security check that you want to do
924 *
925 * Returns 1 when it's disabled, 0 when enabled.
926 */
b362ccab 927int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 928{
3eb2aff4 929 if (c->algorithm_mkey & s->s3->tmp.mask_k
4d69f9e6 930 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e 931 return 1;
3eb2aff4
KR		 932 if (s->s3->tmp.max_ver == 0)
933 return 1;
934 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
a230b26e 935 || (c->max_tls < s->s3->tmp.min_ver)))
3eb2aff4
KR		 936 return 1;
937 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
a230b26e 938 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
3eb2aff4
KR		 939 return 1;
940
0f113f3e
MC		 941 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
942}
b362ccab
DSH		 943
944static int tls_use_ticket(SSL *s)
0f113f3e 945{
9362c93e 946 if (s->options & SSL_OP_NO_TICKET || SSL_IS_TLS13(s))
0f113f3e
MC		 947 return 0;
948 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
949}
ed3883d2 950
a230b26e
EK		 951static int compare_uint(const void *p1, const void *p2)
952{
aa474d1f
EK		 953 unsigned int u1 = *((const unsigned int *)p1);
954 unsigned int u2 = *((const unsigned int *)p2);
955 if (u1 < u2)
956 return -1;
957 else if (u1 > u2)
958 return 1;
959 else
960 return 0;
961}
962
963/*
964 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
965 * more than one extension of the same type in a ClientHello or ServerHello.
966 * This function does an initial scan over the extensions block to filter those
967 * out. It returns 1 if all extensions are unique, and 0 if the extensions
968 * contain duplicates, could not be successfully parsed, or an internal error
969 * occurred.
970 */
a230b26e
EK		 971static int tls1_check_duplicate_extensions(const PACKET *packet)
972{
aa474d1f
EK		 973 PACKET extensions = *packet;
974 size_t num_extensions = 0, i = 0;
975 unsigned int *extension_types = NULL;
976 int ret = 0;
977
978 /* First pass: count the extensions. */
979 while (PACKET_remaining(&extensions) > 0) {
980 unsigned int type;
981 PACKET extension;
982 if (!PACKET_get_net_2(&extensions, &type) ||
983 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
984 goto done;
985 }
986 num_extensions++;
987 }
988
989 if (num_extensions <= 1)
990 return 1;
991
992 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
993 if (extension_types == NULL) {
994 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
995 goto done;
996 }
997
998 /* Second pass: gather the extension types. */
999 extensions = *packet;
1000 for (i = 0; i < num_extensions; i++) {
1001 PACKET extension;
1002 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1003 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1004 /* This should not happen. */
1005 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1006 goto done;
1007 }
1008 }
1009
1010 if (PACKET_remaining(&extensions) != 0) {
1011 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1012 goto done;
1013 }
1014 /* Sort the extensions and make sure there are no duplicates. */
1015 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1016 for (i = 1; i < num_extensions; i++) {
1017 if (extension_types[i - 1] == extension_types[i])
1018 goto done;
1019 }
1020 ret = 1;
1021 done:
1022 OPENSSL_free(extension_types);
1023 return ret;
1024}
1025
ae2f7b37 1026int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1027{
e481f9b9 1028#ifndef OPENSSL_NO_EC
d2c27a28
MC		 1029 const unsigned char *pcurves = NULL;
1030 size_t num_curves = 0;
0f113f3e 1031 int using_ecc = 0;
d2c27a28
MC		 1032
1033 /* See if we support any ECC ciphersuites */
1034 if ((s->version >= TLS1_VERSION && s->version <= TLS1_2_VERSION)
1035 || SSL_IS_DTLS(s)) {
0f113f3e
MC		 1036 int i;
1037 unsigned long alg_k, alg_a;
1038 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1039
1040 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1041 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1042
1043 alg_k = c->algorithm_mkey;
1044 alg_a = c->algorithm_auth;
ce0c1f2b 1045 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
a230b26e 1046 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1047 using_ecc = 1;
1048 break;
1049 }
1050 }
94ed2c67 1051 } else if (SSL_IS_TLS13(s)) {
d2c27a28
MC		 1052 /*
1053 * TODO(TLS1.3): We always use ECC for TLSv1.3 at the moment. This will
1054 * change if we implement DH key shares
1055 */
1056 using_ecc = 1;
1057 }
1058#else
94ed2c67 1059 if (SSL_IS_TLS13(s)) {
d2c27a28
MC		 1060 /* Shouldn't happen! */
1061 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1062 return 0;
0f113f3e 1063 }
e481f9b9 1064#endif
ed3883d2 1065
0f113f3e
MC		 1066 /* Add RI if renegotiating */
1067 if (s->renegotiate) {
08029dfa 1068 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
2f97192c
MC		 1069 || !WPACKET_start_sub_packet_u16(pkt)
1070 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
1071 s->s3->previous_client_finished_len)
1072 || !WPACKET_close(pkt)) {
0f113f3e 1073 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1074 return 0;
5a3d8eeb 1075 }
0f113f3e
MC		 1076 }
1077 /* Only add RI for SSLv3 */
1078 if (s->client_version == SSL3_VERSION)
1079 goto done;
1080
1081 if (s->tlsext_hostname != NULL) {
1082 /* Add TLS extension servername to the Client Hello message */
08029dfa 1083 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
2c7b4dbc 1084 /* Sub-packet for server_name extension */
de451856 1085 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1086 /* Sub-packet for servername list (always 1 hostname)*/
de451856 1087 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1088 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
b2b3024e
MC		 1089 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
1090 strlen(s->tlsext_hostname))
0217dd19
MC		 1091 || !WPACKET_close(pkt)
1092 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1093 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1094 return 0;
1095 }
0f113f3e 1096 }
e481f9b9 1097#ifndef OPENSSL_NO_SRP
0f113f3e 1098 /* Add SRP username if there is one */
2c7b4dbc 1099 if (s->srp_ctx.login != NULL) {
08029dfa 1100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
2c7b4dbc 1101 /* Sub-packet for SRP extension */
de451856
MC		 1102 || !WPACKET_start_sub_packet_u16(pkt)
1103 || !WPACKET_start_sub_packet_u8(pkt)
2c7b4dbc 1104 /* login must not be zero...internal error if so */
de451856 1105 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
0217dd19 1106 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
2c7b4dbc 1107 strlen(s->srp_ctx.login))
0217dd19
MC		 1108 || !WPACKET_close(pkt)
1109 || !WPACKET_close(pkt)) {
0f113f3e 1110 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1111 return 0;
0f113f3e 1112 }
0f113f3e 1113 }
e481f9b9 1114#endif
0f113f3e 1115
e481f9b9 1116#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1117 if (using_ecc) {
1118 /*
1119 * Add TLS extension ECPointFormats to the ClientHello message
1120 */
d2c27a28
MC		 1121 const unsigned char *pformats, *pcurvestmp;
1122 size_t num_formats;
0f113f3e 1123 size_t i;
0f113f3e
MC		 1124
1125 tls1_get_formatlist(s, &pformats, &num_formats);
1126
08029dfa 1127 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
2c7b4dbc 1128 /* Sub-packet for formats extension */
de451856 1129 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e 1130 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
0217dd19 1131 || !WPACKET_close(pkt)) {
0f113f3e 1132 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1133 return 0;
0f113f3e 1134 }
4817504d 1135
0f113f3e 1136 /*
de4d764e 1137 * Add TLS extension supported_groups to the ClientHello message
0f113f3e 1138 */
de4d764e
MC		 1139 /* TODO(TLS1.3): Add support for DHE groups */
1140 pcurves = s->tlsext_supportedgroupslist;
2c7b4dbc 1141 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
0f113f3e 1142 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1143 return 0;
0f113f3e 1144 }
d2c27a28 1145 pcurvestmp = pcurves;
ee2ffc27 1146
de4d764e
MC		 1147 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1148 /* Sub-packet for supported_groups extension */
de451856
MC		 1149 || !WPACKET_start_sub_packet_u16(pkt)
1150 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1151 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1152 return 0;
1153 }
0f113f3e 1154 /* Copy curve ID if supported */
d2c27a28 1155 for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
0f113f3e 1156 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
d2c27a28
MC		 1157 if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
1158 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
2c7b4dbc
MC		 1159 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1160 ERR_R_INTERNAL_ERROR);
1161 return 0;
1162 }
0f113f3e
MC		 1163 }
1164 }
0217dd19 1165 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1166 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1167 return 0;
1168 }
0f113f3e 1169 }
a230b26e 1170#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1171
1172 if (tls_use_ticket(s)) {
348240c6 1173 size_t ticklen;
0f113f3e
MC		 1174 if (!s->new_session && s->session && s->session->tlsext_tick)
1175 ticklen = s->session->tlsext_ticklen;
1176 else if (s->session && s->tlsext_session_ticket &&
1177 s->tlsext_session_ticket->data) {
1178 ticklen = s->tlsext_session_ticket->length;
1179 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2c7b4dbc
MC		 1180 if (s->session->tlsext_tick == NULL) {
1181 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1182 return 0;
1183 }
0f113f3e
MC		 1184 memcpy(s->session->tlsext_tick,
1185 s->tlsext_session_ticket->data, ticklen);
1186 s->session->tlsext_ticklen = ticklen;
1187 } else
1188 ticklen = 0;
1189 if (ticklen == 0 && s->tlsext_session_ticket &&
1190 s->tlsext_session_ticket->data == NULL)
1191 goto skip_ext;
2c7b4dbc 1192
08029dfa 1193 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
b2b3024e
MC		 1194 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick,
1195 ticklen)) {
2c7b4dbc
MC		 1196 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1197 return 0;
0f113f3e
MC		 1198 }
1199 }
1200 skip_ext:
1201
f7aa3185 1202 if (SSL_CLIENT_USE_SIGALGS(s)) {
0f113f3e
MC		 1203 size_t salglen;
1204 const unsigned char *salg;
2c7b4dbc 1205
0f113f3e 1206 salglen = tls12_get_psigalgs(s, &salg);
2c7b4dbc 1207
08029dfa 1208 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
2c7b4dbc 1209 /* Sub-packet for sig-algs extension */
de451856 1210 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1211 /* Sub-packet for the actual list */
de451856 1212 || !WPACKET_start_sub_packet_u16(pkt)
0217dd19
MC		 1213 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
1214 || !WPACKET_close(pkt)
1215 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1216 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1217 return 0;
1218 }
0f113f3e 1219 }
3e41ac35 1220#ifndef OPENSSL_NO_OCSP
0f113f3e
MC		 1221 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1222 int i;
0f113f3e 1223
08029dfa 1224 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
2c7b4dbc 1225 /* Sub-packet for status request extension */
de451856 1226 || !WPACKET_start_sub_packet_u16(pkt)
08029dfa 1227 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
2c7b4dbc 1228 /* Sub-packet for the ids */
de451856 1229 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1230 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1231 return 0;
1232 }
0f113f3e 1233 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
2c7b4dbc
MC		 1234 unsigned char *idbytes;
1235 int idlen;
1236 OCSP_RESPID *id;
2c7b4dbc 1237
0f113f3e 1238 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
2c7b4dbc
MC		 1239 idlen = i2d_OCSP_RESPID(id, NULL);
1240 if (idlen <= 0
1241 /* Sub-packet for an individual id */
dd8710dc 1242 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
b2b3024e 1243 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
2c7b4dbc
MC		 1244 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1245 return 0;
1246 }
1247 }
0217dd19 1248 if (!WPACKET_close(pkt)
de451856 1249 || !WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc
MC		 1250 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1251 return 0;
860c3dd1 1252 }
0f113f3e 1253 if (s->tlsext_ocsp_exts) {
2c7b4dbc
MC		 1254 unsigned char *extbytes;
1255 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
0f113f3e 1256
2c7b4dbc
MC		 1257 if (extlen < 0) {
1258 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1259 return 0;
1260 }
0217dd19 1261 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
2c7b4dbc
MC		 1262 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
1263 != extlen) {
1264 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1265 return 0;
1266 }
1267 }
0217dd19 1268 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1269 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1270 return 0;
0f113f3e 1271 }
0f113f3e 1272 }
3e41ac35 1273#endif
0f113f3e 1274
e481f9b9 1275#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1276 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1277 /*
8483a003 1278 * The client advertises an empty extension to indicate its support
0f113f3e
MC		 1279 * for Next Protocol Negotiation
1280 */
08029dfa
MC		 1281 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1282 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1283 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1284 return 0;
1285 }
0f113f3e 1286 }
e481f9b9 1287#endif
0f113f3e 1288
817cd0d5
TS		 1289 /*
1290 * finish_md_len is non-zero during a renegotiation, so
1291 * this avoids sending ALPN during the renegotiation
1292 * (see longer comment below)
1293 */
0f113f3e 1294 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
08029dfa
MC		 1295 if (!WPACKET_put_bytes_u16(pkt,
1296 TLSEXT_TYPE_application_layer_protocol_negotiation)
2c7b4dbc 1297 /* Sub-packet ALPN extension */
de451856 1298 || !WPACKET_start_sub_packet_u16(pkt)
b2b3024e
MC		 1299 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
1300 s->alpn_client_proto_list_len)
0217dd19 1301 || !WPACKET_close(pkt)) {
2c7b4dbc
MC		 1302 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1303 return 0;
1304 }
817cd0d5 1305 s->s3->alpn_sent = 1;
0f113f3e 1306 }
e481f9b9 1307#ifndef OPENSSL_NO_SRTP
0f113f3e 1308 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
7facdbd6 1309 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
2c7b4dbc
MC		 1310 SRTP_PROTECTION_PROFILE *prof;
1311 int i, ct;
2c7b4dbc 1312
08029dfa 1313 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
2c7b4dbc 1314 /* Sub-packet for SRTP extension */
de451856 1315 || !WPACKET_start_sub_packet_u16(pkt)
2c7b4dbc 1316 /* Sub-packet for the protection profile list */
de451856 1317 || !WPACKET_start_sub_packet_u16(pkt)) {
69f68237 1318 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1319 return 0;
69f68237 1320 }
2c7b4dbc
MC		 1321 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
1322 for (i = 0; i < ct; i++) {
1323 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
08029dfa 1324 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
2c7b4dbc
MC		 1325 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1326 return 0;
1327 }
1328 }
7facdbd6
MC		 1329 if (!WPACKET_close(pkt)
1330 /* Add an empty use_mki value */
1331 || !WPACKET_put_bytes_u8(pkt, 0)
1332 || !WPACKET_close(pkt)) {
0f113f3e 1333 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2c7b4dbc 1334 return 0;
0f113f3e 1335 }
0f113f3e 1336 }
e481f9b9 1337#endif
0f113f3e
MC		 1338 custom_ext_init(&s->cert->cli_ext);
1339 /* Add custom TLS Extensions to ClientHello */
2c7b4dbc
MC		 1340 if (!custom_ext_add(s, 0, pkt, al)) {
1341 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1342 return 0;
1343 }
1344
cde6145b
DW		 1345 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1346 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
08029dfa 1347 || !WPACKET_put_bytes_u16(pkt, 0)) {
cde6145b
DW		 1348 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1349 return 0;
1350 }
2c7b4dbc
MC		 1351 }
1352
ed29e82a
RP		 1353#ifndef OPENSSL_NO_CT
1354 if (s->ct_validation_callback != NULL) {
08029dfa
MC		 1355 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
1356 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1357 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1358 return 0;
1359 }
ed29e82a 1360 }
e481f9b9 1361#endif
2c7b4dbc 1362
08029dfa
MC		 1363 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1364 || !WPACKET_put_bytes_u16(pkt, 0)) {
2c7b4dbc
MC		 1365 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1366 return 0;
1367 }
0f113f3e 1368
d2c27a28 1369 /* TLS1.3 specific extensions */
f2342b7a 1370 if (SSL_IS_TLS13(s)) {
b5b253b1 1371 int min_version, max_version, reason, currv;
d2c27a28
MC		 1372 size_t i, sharessent = 0;
1373
1374 /* TODO(TLS1.3): Should we add this extension for versions < TLS1.3? */
1375 /* supported_versions extension */
b5b253b1
MC		 1376 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1377 || !WPACKET_start_sub_packet_u16(pkt)
1378 || !WPACKET_start_sub_packet_u8(pkt)) {
1379 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1380 return 0;
1381 }
1382 reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
1383 if (reason != 0) {
1384 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, reason);
1385 return 0;
1386 }
f2342b7a
MC		 1387 /*
1388 * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
1389 * we should include versions <TLS1.2. For the moment we do. To be
1390 * reviewed later.
1391 */
b5b253b1
MC		 1392 for (currv = max_version; currv >= min_version; currv--) {
1393 /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1394 if (currv == TLS1_3_VERSION) {
1395 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
1396 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1397 ERR_R_INTERNAL_ERROR);
1398 return 0;
1399 }
1400 } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1401 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1402 return 0;
1403 }
1404 }
1405 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1406 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1407 return 0;
1408 }
d2c27a28
MC		 1409
1410
1411 /* key_share extension */
1412 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1413 /* Extension data sub-packet */
1414 || !WPACKET_start_sub_packet_u16(pkt)
1415 /* KeyShare list sub-packet */
1416 || !WPACKET_start_sub_packet_u16(pkt)) {
1417 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1418 return 0;
1419 }
1420
1421 /*
1422 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
1423 * now, just send one
1424 */
1425 for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) {
94ed2c67
MC		 1426 unsigned char *encodedPoint = NULL;
1427 unsigned int curve_id = 0;
1428 EVP_PKEY *key_share_key = NULL;
1429 size_t encodedlen;
1430
1431 if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
1432 continue;
1433
1434 if (s->s3->tmp.pkey != NULL) {
1435 /* Shouldn't happen! */
1436 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1437 ERR_R_INTERNAL_ERROR);
1438 return 0;
1439 }
d2c27a28 1440
94ed2c67
MC		 1441 /* Generate a key for this key_share */
1442 curve_id = (pcurves[0] << 8) | pcurves[1];
1443 key_share_key = ssl_generate_pkey_curve(curve_id);
1444 if (key_share_key == NULL) {
1445 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
1446 return 0;
1447 }
d2c27a28 1448
94ed2c67
MC		 1449 /* Encode the public key. */
1450 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
1451 &encodedPoint);
1452 if (encodedlen == 0) {
1453 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EC_LIB);
1454 EVP_PKEY_free(key_share_key);
1455 return 0;
1456 }
d2c27a28 1457
94ed2c67
MC		 1458 /* Create KeyShareEntry */
1459 if (!WPACKET_put_bytes_u16(pkt, curve_id)
1460 || !WPACKET_sub_memcpy_u16(pkt, encodedPoint, encodedlen)) {
1461 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1462 ERR_R_INTERNAL_ERROR);
1463 EVP_PKEY_free(key_share_key);
d2c27a28 1464 OPENSSL_free(encodedPoint);
94ed2c67 1465 return 0;
d2c27a28 1466 }
94ed2c67
MC		 1467
1468 /*
1469 * TODO(TLS1.3): When changing to send more than one key_share we're
1470 * going to need to be able to save more than one EVP_PKEY. For now
1471 * we reuse the existing tmp.pkey
1472 */
1473 s->s3->group_id = curve_id;
1474 s->s3->tmp.pkey = key_share_key;
1475 sharessent++;
1476 OPENSSL_free(encodedPoint);
d2c27a28
MC		 1477 }
1478 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1479 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1480 return 0;
1481 }
b5b253b1
MC		 1482 }
1483
0f113f3e
MC		 1484 /*
1485 * Add padding to workaround bugs in F5 terminators. See
1486 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1487 * code works out the length of all existing extensions it MUST always
1488 * appear last.
1489 */
1490 if (s->options & SSL_OP_TLSEXT_PADDING) {
2c7b4dbc
MC		 1491 unsigned char *padbytes;
1492 size_t hlen;
1493
ae2f7b37 1494 if (!WPACKET_get_total_written(pkt, &hlen)) {
2c7b4dbc
MC		 1495 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1496 return 0;
1497 }
a3680c8f 1498
0f113f3e
MC		 1499 if (hlen > 0xff && hlen < 0x200) {
1500 hlen = 0x200 - hlen;
1501 if (hlen >= 4)
1502 hlen -= 4;
1503 else
1504 hlen = 0;
1505
08029dfa 1506 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
b2b3024e 1507 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
2c7b4dbc
MC		 1508 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1509 return 0;
1510 }
1511 memset(padbytes, 0, hlen);
0f113f3e
MC		 1512 }
1513 }
5a3d8eeb 1514
0f113f3e 1515 done:
2c7b4dbc 1516 return 1;
0f113f3e 1517}
333f926d 1518
94ed2c67
MC		 1519/*
1520 * Add the key_share extension.
1521 *
1522 * Returns 1 on success or 0 on failure.
1523 */
1524static int add_client_key_share_ext(SSL *s, WPACKET *pkt, int *al)
1525{
1526 unsigned char *encodedPoint;
1527 size_t encoded_pt_len = 0;
1528 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1529
1530 if (ckey == NULL) {
1531 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1532 return 0;
1533 }
1534
1535 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1536 || !WPACKET_start_sub_packet_u16(pkt)
1537 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1538 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1539 return 0;
1540 }
1541
1542 skey = ssl_generate_pkey(ckey);
1543
1544 /* Generate encoding of server key */
1545 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1546 if (encoded_pt_len == 0) {
1547 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_EC_LIB);
1548 EVP_PKEY_free(skey);
1549 return 0;
1550 }
1551
1552 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1553 || !WPACKET_close(pkt)) {
1554 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1555 EVP_PKEY_free(skey);
1556 OPENSSL_free(encodedPoint);
1557 return 0;
1558 }
1559 OPENSSL_free(encodedPoint);
1560
1561 /* This causes the crypto state to be updated based on the derived keys */
1562 s->s3->tmp.pkey = skey;
1563 if (ssl_derive(s, skey, ckey, 1) == 0) {
1564 *al = SSL_AD_INTERNAL_ERROR;
1565 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1566 return 0;
1567 }
1568
1569 return 1;
1570}
1571
8157d44b 1572int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
0f113f3e 1573{
e481f9b9 1574#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1575 int next_proto_neg_seen;
e481f9b9
MC		 1576#endif
1577#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1578 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1579 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1580 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1581 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1582#endif
0f113f3e 1583
8157d44b
MC		 1584 if (!WPACKET_start_sub_packet_u16(pkt)
1585 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)) {
1586 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1587 return 0;
1588 }
333f926d 1589
8157d44b
MC		 1590 if (s->s3->send_connection_binding &&
1591 !ssl_add_serverhello_renegotiate_ext(s, pkt)) {
1592 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1593 return 0;
0f113f3e
MC		 1594 }
1595
1596 /* Only add RI for SSLv3 */
1597 if (s->version == SSL3_VERSION)
1598 goto done;
1599
1600 if (!s->hit && s->servername_done == 1
8157d44b
MC		 1601 && s->session->tlsext_hostname != NULL) {
1602 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1603 || !WPACKET_put_bytes_u16(pkt, 0)) {
1604 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1605 return 0;
1606 }
0f113f3e 1607 }
e481f9b9 1608#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1609 if (using_ecc) {
1610 const unsigned char *plist;
1611 size_t plistlen;
1612 /*
1613 * Add TLS extension ECPointFormats to the ServerHello message
1614 */
0f113f3e
MC		 1615 tls1_get_formatlist(s, &plist, &plistlen);
1616
8157d44b
MC		 1617 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1618 || !WPACKET_start_sub_packet_u16(pkt)
1619 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1620 || !WPACKET_close(pkt)) {
0f113f3e 1621 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1622 return 0;
0f113f3e 1623 }
0f113f3e
MC		 1624 }
1625 /*
1626 * Currently the server should not respond with a SupportedCurves
1627 * extension
1628 */
a230b26e 1629#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1630
1631 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
8157d44b
MC		 1632 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1633 || !WPACKET_put_bytes_u16(pkt, 0)) {
1634 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1635 return 0;
1636 }
5c753de6 1637 } else {
a230b26e
EK		 1638 /*
1639 * if we don't add the above TLSEXT, we can't add a session ticket
1640 * later
1641 */
5c753de6 1642 s->tlsext_ticket_expected = 0;
0f113f3e
MC		 1643 }
1644
1645 if (s->tlsext_status_expected) {
8157d44b
MC		 1646 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1647 || !WPACKET_put_bytes_u16(pkt, 0)) {
1648 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1649 return 0;
1650 }
0f113f3e 1651 }
e481f9b9 1652#ifndef OPENSSL_NO_SRTP
0f113f3e 1653 if (SSL_IS_DTLS(s) && s->srtp_profile) {
8157d44b
MC		 1654 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1655 || !WPACKET_start_sub_packet_u16(pkt)
1656 || !WPACKET_put_bytes_u16(pkt, 2)
1657 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1658 || !WPACKET_put_bytes_u8(pkt, 0)
1659 || !WPACKET_close(pkt)) {
0f113f3e 1660 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
8157d44b 1661 return 0;
0f113f3e 1662 }
0f113f3e 1663 }
e481f9b9 1664#endif
0f113f3e
MC		 1665
1666 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1667 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1668 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1669 const unsigned char cryptopro_ext[36] = {
1670 0xfd, 0xe8, /* 65000 */
1671 0x00, 0x20, /* 32 bytes length */
1672 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1673 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1674 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1675 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1676 };
8157d44b
MC		 1677 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1678 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1679 return 0;
1680 }
0f113f3e 1681 }
0f113f3e 1682
e481f9b9 1683#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1684 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1685 s->s3->next_proto_neg_seen = 0;
1686 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1687 const unsigned char *npa;
1688 unsigned int npalen;
1689 int r;
1690
1691 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1692 s->
1693 ctx->next_protos_advertised_cb_arg);
1694 if (r == SSL_TLSEXT_ERR_OK) {
8157d44b
MC		 1695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1696 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1697 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1698 return 0;
1699 }
0f113f3e
MC		 1700 s->s3->next_proto_neg_seen = 1;
1701 }
1702 }
e481f9b9 1703#endif
bcec3358 1704
94ed2c67
MC		 1705 if (SSL_IS_TLS13(s) && !s->hit && !add_client_key_share_ext(s, pkt, al))
1706 return 0;
bcec3358 1707
8157d44b
MC		 1708 if (!custom_ext_add(s, 1, pkt, al)) {
1709 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1710 return 0;
1711 }
1712
0f113f3e
MC		 1713 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1714 /*
1715 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1716 * for other cases too.
1717 */
1718 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1719 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1720 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1721 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1722 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1723 else {
8157d44b
MC		 1724 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1725 || !WPACKET_put_bytes_u16(pkt, 0)) {
1726 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1727 return 0;
1728 }
0f113f3e
MC		 1729 }
1730 }
e7f0d921 1731 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
8157d44b
MC		 1732 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1733 || !WPACKET_put_bytes_u16(pkt, 0)) {
1734 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1735 return 0;
1736 }
ddc06b35 1737 }
0f113f3e 1738
817cd0d5 1739 if (s->s3->alpn_selected != NULL) {
8157d44b
MC		 1740 if (!WPACKET_put_bytes_u16(pkt,
1741 TLSEXT_TYPE_application_layer_protocol_negotiation)
1742 || !WPACKET_start_sub_packet_u16(pkt)
1743 || !WPACKET_start_sub_packet_u16(pkt)
1744 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1745 s->s3->alpn_selected_len)
1746 || !WPACKET_close(pkt)
1747 || !WPACKET_close(pkt)) {
1748 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1749 return 0;
1750 }
0f113f3e
MC		 1751 }
1752
1753 done:
8157d44b
MC		 1754 if (!WPACKET_close(pkt)) {
1755 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1756 return 0;
1757 }
1758 return 1;
0f113f3e 1759}
a398f821 1760
0f113f3e 1761/*
817cd0d5 1762 * Save the ALPN extension in a ClientHello.
06217867
EK		 1763 * pkt: the contents of the ALPN extension, not including type and length.
1764 * al: a pointer to the alert value to send in the event of a failure.
1765 * returns: 1 on success, 0 on error.
0f113f3e 1766 */
9ceb2426 1767static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1768{
06217867 1769 PACKET protocol_list, save_protocol_list, protocol;
0f113f3e 1770
06217867 1771 *al = SSL_AD_DECODE_ERROR;
0f113f3e 1772
06217867
EK		 1773 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1774 || PACKET_remaining(&protocol_list) < 2) {
1775 return 0;
1776 }
0f113f3e 1777
06217867 1778 save_protocol_list = protocol_list;
9ceb2426 1779 do {
06217867
EK		 1780 /* Protocol names can't be empty. */
1781 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1782 || PACKET_remaining(&protocol) == 0) {
1783 return 0;
1784 }
1785 } while (PACKET_remaining(&protocol_list) != 0);
1786
817cd0d5 1787 if (!PACKET_memdup(&save_protocol_list,
a230b26e 1788 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
817cd0d5
TS		 1789 *al = TLS1_AD_INTERNAL_ERROR;
1790 return 0;
1791 }
1792
1793 return 1;
1794}
1795
1796/*
1797 * Process the ALPN extension in a ClientHello.
817cd0d5 1798 * al: a pointer to the alert value to send in the event of a failure.
70c22888 1799 * returns 1 on success, 0 on error.
817cd0d5 1800 */
70c22888 1801static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
817cd0d5
TS		 1802{
1803 const unsigned char *selected = NULL;
1804 unsigned char selected_len = 0;
1805
1806 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1807 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1808 s->s3->alpn_proposed,
348240c6 1809 (unsigned int)s->s3->alpn_proposed_len,
817cd0d5 1810 s->ctx->alpn_select_cb_arg);
0f113f3e 1811
817cd0d5
TS		 1812 if (r == SSL_TLSEXT_ERR_OK) {
1813 OPENSSL_free(s->s3->alpn_selected);
1814 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1815 if (s->s3->alpn_selected == NULL) {
1816 *al = SSL_AD_INTERNAL_ERROR;
817cd0d5
TS		 1817 return 0;
1818 }
1819 s->s3->alpn_selected_len = selected_len;
0351baae
TS		 1820#ifndef OPENSSL_NO_NEXTPROTONEG
1821 /* ALPN takes precedence over NPN. */
1822 s->s3->next_proto_neg_seen = 0;
1823#endif
817cd0d5
TS		 1824 } else {
1825 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
06217867 1826 return 0;
0f113f3e 1827 }
0f113f3e 1828 }
0f113f3e 1829
06217867 1830 return 1;
0f113f3e 1831}
6f017a8f 1832
e481f9b9 1833#ifndef OPENSSL_NO_EC
1d97c843
TH		 1834/*-
1835 * ssl_check_for_safari attempts to fingerprint Safari using OS X
3d33f3bb 1836 * SecureTransport using the TLS extension block in |hello|.
dece3209
RS		 1837 * Safari, since 10.6, sends exactly these extensions, in this order:
1838 * SNI,
1839 * elliptic_curves
1840 * ec_point_formats
1841 *
1842 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1843 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1844 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1845 * 10.8..10.8.3 (which don't work).
1846 */
902aca09 1847static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
0f113f3e 1848{
06217867
EK		 1849 unsigned int type;
1850 PACKET sni, tmppkt;
1851 size_t ext_len;
9ceb2426 1852
0f113f3e
MC		 1853 static const unsigned char kSafariExtensionsBlock[] = {
1854 0x00, 0x0a, /* elliptic_curves extension */
1855 0x00, 0x08, /* 8 bytes */
1856 0x00, 0x06, /* 6 bytes of curve ids */
1857 0x00, 0x17, /* P-256 */
1858 0x00, 0x18, /* P-384 */
1859 0x00, 0x19, /* P-521 */
1860
1861 0x00, 0x0b, /* ec_point_formats */
1862 0x00, 0x02, /* 2 bytes */
1863 0x01, /* 1 point format */
1864 0x00, /* uncompressed */
06217867 1865 /* The following is only present in TLS 1.2 */
0f113f3e
MC		 1866 0x00, 0x0d, /* signature_algorithms */
1867 0x00, 0x0c, /* 12 bytes */
1868 0x00, 0x0a, /* 10 bytes */
1869 0x05, 0x01, /* SHA-384/RSA */
1870 0x04, 0x01, /* SHA-256/RSA */
1871 0x02, 0x01, /* SHA-1/RSA */
1872 0x04, 0x03, /* SHA-256/ECDSA */
1873 0x02, 0x03, /* SHA-1/ECDSA */
1874 };
1875
06217867
EK		 1876 /* Length of the common prefix (first two extensions). */
1877 static const size_t kSafariCommonExtensionsLength = 18;
1878
1ab3836b 1879 tmppkt = hello->extensions;
68a16628
MC		 1880
1881 if (!PACKET_forward(&tmppkt, 2)
06217867
EK		 1882 || !PACKET_get_net_2(&tmppkt, &type)
1883 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
0f113f3e 1884 return;
06217867 1885 }
0f113f3e
MC		 1886
1887 if (type != TLSEXT_TYPE_server_name)
1888 return;
1889
06217867
EK		 1890 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1891 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
0f113f3e 1892
06217867
EK		 1893 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1894 ext_len);
dece3209 1895}
a230b26e 1896#endif /* !OPENSSL_NO_EC */
0f113f3e 1897
ef7daaf9
MC		 1898
1899/*
1900 * Process the supported_groups extension if present. Returns success if the
1901 * extension is absent, or if it has been successfully processed.
1902 *
94ed2c67 1903 * Returns 1 on success or 0 on failure
ef7daaf9
MC		 1904 */
1905static int tls_process_supported_groups(SSL *s, CLIENTHELLO_MSG *hello)
1906{
1907#ifndef OPENSSL_NO_EC
1908 PACKET supported_groups_list;
1909 RAW_EXTENSION *suppgroups = tls_get_extension_by_type(hello->pre_proc_exts,
1910 hello->num_extensions,
1911 TLSEXT_TYPE_supported_groups);
1912
1913 if (suppgroups == NULL)
1914 return 1;
1915
1916 /* Each group is 2 bytes and we must have at least 1. */
1917 if (!PACKET_as_length_prefixed_2(&suppgroups->data,
1918 &supported_groups_list)
1919 || PACKET_remaining(&supported_groups_list) == 0
1920 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
1921 return 0;
1922 }
1923
1924 if (!s->hit
1925 && !PACKET_memdup(&supported_groups_list,
1926 &s->session->tlsext_supportedgroupslist,
1927 &s->session->tlsext_supportedgroupslist_length)) {
1928 return 0;
1929 }
1930#endif
1931 return 1;
1932}
1933
1934/*
1935 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
1936 * and |checkallow| is 1 then additionally check if the group is allowed to be
94ed2c67
MC		 1937 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
1938 * 1) or 0 otherwise.
ef7daaf9
MC		 1939 */
1940static int check_in_list(SSL *s, unsigned int group_id,
1941 const unsigned char *groups, size_t num_groups,
1942 int checkallow)
1943{
1944 size_t i;
1945
1946 if (groups == NULL || num_groups == 0)
1947 return 0;
1948
1949 for (i = 0; i < num_groups; i++, groups += 2) {
1950 unsigned int share_id = (groups[0] << 8) | (groups[1]);
94ed2c67 1951
ef7daaf9
MC		 1952 if (group_id == share_id
1953 && (!checkallow || tls_curve_allowed(s, groups,
1954 SSL_SECOP_CURVE_CHECK))) {
1955 break;
1956 }
1957 }
1958
94ed2c67
MC		 1959 /* If i == num_groups then not in the list */
1960 return i < num_groups;
1961}
1962
1963/*
1964 * Process a key_share extension received in the ClientHello. |pkt| contains
1965 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
1966 * If a failure occurs then |*al| is set to an appropriate alert value.
1967 */
1968static int process_key_share_ext(SSL *s, PACKET *pkt, int *al)
1969{
1970 unsigned int group_id;
1971 PACKET key_share_list, encoded_pt;
9a519880
MC		 1972 const unsigned char *clntcurves, *srvrcurves;
1973 size_t clnt_num_curves, srvr_num_curves;
94ed2c67
MC		 1974 int group_nid, found = 0;
1975 unsigned int curve_flags;
1976
1977 /* Sanity check */
1978 if (s->s3->peer_tmp != NULL) {
1979 *al = SSL_AD_INTERNAL_ERROR;
1980 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
ef7daaf9
MC		 1981 return 0;
1982 }
1983
94ed2c67
MC		 1984 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
1985 *al = SSL_AD_HANDSHAKE_FAILURE;
1986 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
1987 SSL_R_LENGTH_MISMATCH);
1988 return 0;
1989 }
1990
9a519880
MC		 1991 /* Get our list of supported curves */
1992 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
1993 *al = SSL_AD_INTERNAL_ERROR;
1994 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
1995 ERR_R_INTERNAL_ERROR);
1996 return 0;
1997 }
1998
1999 /* Get the clients list of supported curves */
2000 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
2001 *al = SSL_AD_INTERNAL_ERROR;
2002 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
2003 ERR_R_INTERNAL_ERROR);
2004 return 0;
2005 }
2006
94ed2c67
MC		 2007 while (PACKET_remaining(&key_share_list) > 0) {
2008 if (!PACKET_get_net_2(&key_share_list, &group_id)
2009 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
2010 || PACKET_remaining(&encoded_pt) == 0) {
2011 *al = SSL_AD_HANDSHAKE_FAILURE;
2012 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
2013 SSL_R_LENGTH_MISMATCH);
2014 return 0;
2015 }
2016
2017 /*
2018 * If we already found a suitable key_share we loop through the
2019 * rest to verify the structure, but don't process them.
2020 */
2021 if (found)
2022 continue;
2023
2024 /* Check if this share is in supported_groups sent from client */
9a519880 2025 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
94ed2c67
MC		 2026 *al = SSL_AD_HANDSHAKE_FAILURE;
2027 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
2028 SSL_R_BAD_KEY_SHARE);
2029 return 0;
2030 }
2031
2032 /* Check if this share is for a group we can use */
9a519880 2033 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
94ed2c67
MC		 2034 /* Share not suitable */
2035 continue;
2036 }
2037
2038 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
2039
2040 if (group_nid == 0) {
2041 *al = SSL_AD_INTERNAL_ERROR;
2042 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT,
2043 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
2044 return 0;
2045 }
2046
2047 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
2048 /* Can happen for some curves, e.g. X25519 */
2049 EVP_PKEY *key = EVP_PKEY_new();
2050
2051 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
2052 *al = SSL_AD_INTERNAL_ERROR;
2053 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT, ERR_R_EVP_LIB);
2054 EVP_PKEY_free(key);
2055 return 0;
2056 }
2057 s->s3->peer_tmp = key;
2058 } else {
2059 /* Set up EVP_PKEY with named curve as parameters */
2060 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
2061 if (pctx == NULL
2062 || EVP_PKEY_paramgen_init(pctx) <= 0
2063 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
2064 group_nid) <= 0
2065 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
2066 *al = SSL_AD_INTERNAL_ERROR;
2067 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT, ERR_R_EVP_LIB);
2068 EVP_PKEY_CTX_free(pctx);
2069 return 0;
2070 }
2071 EVP_PKEY_CTX_free(pctx);
2072 pctx = NULL;
2073 }
2074 s->s3->group_id = group_id;
2075
2076 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
2077 PACKET_data(&encoded_pt),
2078 PACKET_remaining(&encoded_pt))) {
2079 *al = SSL_AD_DECODE_ERROR;
2080 SSLerr(SSL_F_PROCESS_KEY_SHARE_EXT, SSL_R_BAD_ECPOINT);
2081 return 0;
2082 }
2083
2084 found = 1;
2085 }
2086
ef7daaf9
MC		 2087 return 1;
2088}
2089
06217867 2090/*
64386324
MC		 2091 * Loop through all remaining ClientHello extensions that we collected earlier
2092 * and haven't already processed. For each one parse it and update the SSL
2093 * object as required.
06217867
EK		 2094 *
2095 * Behaviour upon resumption is extension-specific. If the extension has no
2096 * effect during resumption, it is parsed (to verify its format) but otherwise
2097 * ignored.
2098 *
64386324 2099 * Returns 1 on success and 0 on failure.
06217867
EK		 2100 * Upon failure, sets |al| to the appropriate alert.
2101 */
1ab3836b 2102static int ssl_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al)
0f113f3e 2103{
1ab3836b 2104 size_t loop;
0f113f3e
MC		 2105 int renegotiate_seen = 0;
2106
06217867 2107 *al = SSL_AD_DECODE_ERROR;
0f113f3e
MC		 2108 s->servername_done = 0;
2109 s->tlsext_status_type = -1;
e481f9b9 2110#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2111 s->s3->next_proto_neg_seen = 0;
e481f9b9 2112#endif
0f113f3e 2113
b548a1f1
RS		 2114 OPENSSL_free(s->s3->alpn_selected);
2115 s->s3->alpn_selected = NULL;
0351baae
TS		 2116 s->s3->alpn_selected_len = 0;
2117 OPENSSL_free(s->s3->alpn_proposed);
2118 s->s3->alpn_proposed = NULL;
2119 s->s3->alpn_proposed_len = 0;
0f113f3e 2120
e481f9b9 2121#ifndef OPENSSL_NO_EC
0f113f3e 2122 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1ab3836b 2123 ssl_check_for_safari(s, hello);
a230b26e 2124#endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 2125
2126 /* Clear any signature algorithms extension received */
76106e60
DSH		 2127 OPENSSL_free(s->s3->tmp.peer_sigalgs);
2128 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e 2129 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 2130
e481f9b9 2131#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 2132 OPENSSL_free(s->srp_ctx.login);
2133 s->srp_ctx.login = NULL;
e481f9b9 2134#endif
0f113f3e
MC		 2135
2136 s->srtp_profile = NULL;
2137
ef7daaf9
MC		 2138 /*
2139 * We process the supported_groups extension first so that is done before
2140 * we get to key_share which needs to use the information in it.
2141 */
2142 if (!tls_process_supported_groups(s, hello)) {
2143 *al = TLS1_AD_INTERNAL_ERROR;
2144 return 0;
2145 }
2146
06217867
EK		 2147 /*
2148 * We parse all extensions to ensure the ClientHello is well-formed but,
2149 * unless an extension specifies otherwise, we ignore extensions upon
2150 * resumption.
2151 */
1ab3836b 2152 for (loop = 0; loop < hello->num_extensions; loop++) {
b1b4b543
MC		 2153 RAW_EXTENSION *currext = &hello->pre_proc_exts[loop];
2154
0f113f3e 2155 if (s->tlsext_debug_cb)
b1b4b543
MC		 2156 s->tlsext_debug_cb(s, 0, currext->type,
2157 PACKET_data(&currext->data),
2158 PACKET_remaining(&currext->data),
06217867 2159 s->tlsext_debug_arg);
9ceb2426 2160
b1b4b543 2161 if (currext->type == TLSEXT_TYPE_renegotiate) {
1ab3836b 2162 if (!ssl_parse_clienthello_renegotiate_ext(s,
b1b4b543 2163 &currext->data, al))
0f113f3e
MC		 2164 return 0;
2165 renegotiate_seen = 1;
2166 } else if (s->version == SSL3_VERSION) {
2167 }
1d97c843
TH		 2168/*-
2169 * The servername extension is treated as follows:
2170 *
2171 * - Only the hostname type is supported with a maximum length of 255.
2172 * - The servername is rejected if too long or if it contains zeros,
2173 * in which case an fatal alert is generated.
2174 * - The servername field is maintained together with the session cache.
2175 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 2176 * to allow the application to position itself to the right context.
2177 * - The servername is acknowledged if it is new for a session or when
2178 * it is identical to a previously used for the same session.
1d97c843
TH		 2179 * Applications can control the behaviour. They can at any time
2180 * set a 'desirable' servername for a new SSL object. This can be the
2181 * case for example with HTTPS when a Host: header field is received and
2182 * a renegotiation is requested. In this case, a possible servername
2183 * presented in the new client hello is only acknowledged if it matches
0f113f3e 2184 * the value of the Host: field.
1d97c843 2185 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 2186 * if they provide for changing an explicit servername context for the
2187 * session, i.e. when the session has been established with a servername
2188 * extension.
2189 * - On session reconnect, the servername extension may be absent.
1d97c843 2190 *
0f113f3e 2191 */
ed3883d2 2192
b1b4b543 2193 else if (currext->type == TLSEXT_TYPE_server_name) {
9ceb2426 2194 unsigned int servname_type;
06217867
EK		 2195 PACKET sni, hostname;
2196
b1b4b543 2197 if (!PACKET_as_length_prefixed_2(&currext->data, &sni)
06217867
EK		 2198 /* ServerNameList must be at least 1 byte long. */
2199 || PACKET_remaining(&sni) == 0) {
2200 return 0;
0f113f3e 2201 }
6f017a8f 2202
06217867
EK		 2203 /*
2204 * Although the server_name extension was intended to be
2205 * extensible to new name types, RFC 4366 defined the
8483a003 2206 * syntax inextensibility and OpenSSL 1.0.x parses it as
06217867
EK		 2207 * such.
2208 * RFC 6066 corrected the mistake but adding new name types
2209 * is nevertheless no longer feasible, so act as if no other
2210 * SNI types can exist, to simplify parsing.
2211 *
2212 * Also note that the RFC permits only one SNI value per type,
2213 * i.e., we can only have a single hostname.
2214 */
2215 if (!PACKET_get_1(&sni, &servname_type)
2216 || servname_type != TLSEXT_NAMETYPE_host_name
2217 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
2218 return 0;
2219 }
2220
2221 if (!s->hit) {
2222 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
2223 *al = TLS1_AD_UNRECOGNIZED_NAME;
2224 return 0;
2225 }
2226
2227 if (PACKET_contains_zero_byte(&hostname)) {
2228 *al = TLS1_AD_UNRECOGNIZED_NAME;
2229 return 0;
2230 }
2231
2232 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
2233 *al = TLS1_AD_INTERNAL_ERROR;
2234 return 0;
2235 }
2236
2237 s->servername_done = 1;
2238 } else {
2239 /*
2240 * TODO(openssl-team): if the SNI doesn't match, we MUST
2241 * fall back to a full handshake.
2242 */
2243 s->servername_done = s->session->tlsext_hostname
2244 && PACKET_equal(&hostname, s->session->tlsext_hostname,
2245 strlen(s->session->tlsext_hostname));
2246 }
0f113f3e 2247 }
e481f9b9 2248#ifndef OPENSSL_NO_SRP
b1b4b543 2249 else if (currext->type == TLSEXT_TYPE_srp) {
06217867
EK		 2250 PACKET srp_I;
2251
b1b4b543 2252 if (!PACKET_as_length_prefixed_1(&currext->data, &srp_I))
06217867
EK		 2253 return 0;
2254
2255 if (PACKET_contains_zero_byte(&srp_I))
2256 return 0;
2257
2258 /*
2259 * TODO(openssl-team): currently, we re-authenticate the user
2260 * upon resumption. Instead, we MUST ignore the login.
2261 */
2262 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2263 *al = TLS1_AD_INTERNAL_ERROR;
2264 return 0;
2265 }
0f113f3e 2266 }
e481f9b9 2267#endif
0f113f3e 2268
e481f9b9 2269#ifndef OPENSSL_NO_EC
b1b4b543 2270 else if (currext->type == TLSEXT_TYPE_ec_point_formats) {
06217867 2271 PACKET ec_point_format_list;
0f113f3e 2272
b1b4b543 2273 if (!PACKET_as_length_prefixed_1(&currext->data,
1ab3836b 2274 &ec_point_format_list)
06217867
EK		 2275 || PACKET_remaining(&ec_point_format_list) == 0) {
2276 return 0;
2277 }
9ceb2426 2278
0f113f3e 2279 if (!s->hit) {
06217867
EK		 2280 if (!PACKET_memdup(&ec_point_format_list,
2281 &s->session->tlsext_ecpointformatlist,
a230b26e
EK		 2282 &s->
2283 session->tlsext_ecpointformatlist_length)) {
0f113f3e
MC		 2284 *al = TLS1_AD_INTERNAL_ERROR;
2285 return 0;
2286 }
0f113f3e 2287 }
0f113f3e 2288 }
a230b26e 2289#endif /* OPENSSL_NO_EC */
9362c93e
MC		 2290 else if (currext->type == TLSEXT_TYPE_session_ticket
2291 && !SSL_IS_TLS13(s)) {
06217867 2292 if (s->tls_session_ticket_ext_cb &&
1ab3836b 2293 !s->tls_session_ticket_ext_cb(s,
b1b4b543
MC		 2294 PACKET_data(&currext->data),
2295 PACKET_remaining(&currext->data),
1ab3836b 2296 s->tls_session_ticket_ext_cb_arg)) {
0f113f3e
MC		 2297 *al = TLS1_AD_INTERNAL_ERROR;
2298 return 0;
2299 }
b1b4b543 2300 } else if (currext->type == TLSEXT_TYPE_signature_algorithms) {
06217867
EK		 2301 PACKET supported_sig_algs;
2302
b1b4b543 2303 if (!PACKET_as_length_prefixed_2(&currext->data,
1ab3836b 2304 &supported_sig_algs)
06217867
EK		 2305 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2306 || PACKET_remaining(&supported_sig_algs) == 0) {
2307 return 0;
2308 }
2309
a230b26e 2310 if (!s->hit) {
06217867
EK		 2311 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2312 PACKET_remaining(&supported_sig_algs))) {
2313 return 0;
2314 }
9ceb2426 2315 }
b1b4b543
MC		 2316 } else if (currext->type == TLSEXT_TYPE_status_request) {
2317 if (!PACKET_get_1(&currext->data,
06217867
EK		 2318 (unsigned int *)&s->tlsext_status_type)) {
2319 return 0;
2320 }
3e41ac35 2321#ifndef OPENSSL_NO_OCSP
0f113f3e 2322 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
3e41ac35 2323 const unsigned char *ext_data;
06217867 2324 PACKET responder_id_list, exts;
a230b26e 2325 if (!PACKET_get_length_prefixed_2
b1b4b543 2326 (&currext->data, &responder_id_list))
06217867
EK		 2327 return 0;
2328
e408c09b
MC		 2329 /*
2330 * We remove any OCSP_RESPIDs from a previous handshake
2331 * to prevent unbounded memory growth - CVE-2016-6304
2332 */
2333 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2334 OCSP_RESPID_free);
2335 if (PACKET_remaining(&responder_id_list) > 0) {
2336 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2337 if (s->tlsext_ocsp_ids == NULL) {
2338 *al = SSL_AD_INTERNAL_ERROR;
2339 return 0;
2340 }
2341 } else {
2342 s->tlsext_ocsp_ids = NULL;
2343 }
2344
06217867 2345 while (PACKET_remaining(&responder_id_list) > 0) {
0f113f3e 2346 OCSP_RESPID *id;
06217867
EK		 2347 PACKET responder_id;
2348 const unsigned char *id_data;
9ceb2426 2349
06217867
EK		 2350 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2351 &responder_id)
2352 || PACKET_remaining(&responder_id) == 0) {
2353 return 0;
9ceb2426 2354 }
06217867 2355
06217867 2356 id_data = PACKET_data(&responder_id);
348240c6 2357 /* TODO(size_t): Convert d2i_* to size_t */
06217867 2358 id = d2i_OCSP_RESPID(NULL, &id_data,
348240c6 2359 (int)PACKET_remaining(&responder_id));
06217867
EK		 2360 if (id == NULL)
2361 return 0;
2362
2363 if (id_data != PACKET_end(&responder_id)) {
0f113f3e 2364 OCSP_RESPID_free(id);
0f113f3e
MC		 2365 return 0;
2366 }
06217867 2367
0f113f3e
MC		 2368 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2369 OCSP_RESPID_free(id);
2370 *al = SSL_AD_INTERNAL_ERROR;
2371 return 0;
2372 }
2373 }
4817504d 2374
0f113f3e 2375 /* Read in request_extensions */
1ab3836b 2376 if (!PACKET_as_length_prefixed_2(
b1b4b543 2377 &currext->data, &exts))
06217867
EK		 2378 return 0;
2379
2380 if (PACKET_remaining(&exts) > 0) {
2381 ext_data = PACKET_data(&exts);
222561fe
RS		 2382 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2383 X509_EXTENSION_free);
0f113f3e 2384 s->tlsext_ocsp_exts =
06217867 2385 d2i_X509_EXTENSIONS(NULL, &ext_data,
348240c6 2386 (int)PACKET_remaining(&exts));
06217867
EK		 2387 if (s->tlsext_ocsp_exts == NULL
2388 || ext_data != PACKET_end(&exts)) {
2389 return 0;
2390 }
0f113f3e 2391 }
3e41ac35
MC		 2392 } else
2393#endif
2394 {
2395 /*
2396 * We don't know what to do with any other type so ignore it.
2397 */
0f113f3e 2398 s->tlsext_status_type = -1;
06217867 2399 }
0f113f3e 2400 }
e481f9b9 2401#ifndef OPENSSL_NO_NEXTPROTONEG
b1b4b543 2402 else if (currext->type == TLSEXT_TYPE_next_proto_neg
1ab3836b 2403 && s->s3->tmp.finish_md_len == 0) {
50e735f9
MC		 2404 /*-
2405 * We shouldn't accept this extension on a
2406 * renegotiation.
2407 *
2408 * s->new_session will be set on renegotiation, but we
2409 * probably shouldn't rely that it couldn't be set on
8483a003 2410 * the initial renegotiation too in certain cases (when
50e735f9
MC		 2411 * there's some other reason to disallow resuming an
2412 * earlier session -- the current code won't be doing
2413 * anything like that, but this might change).
2414 *
2415 * A valid sign that there's been a previous handshake
2416 * in this connection is if s->s3->tmp.finish_md_len >
2417 * 0. (We are talking about a check that will happen
2418 * in the Hello protocol round, well before a new
2419 * Finished message could have been computed.)
2420 */
0f113f3e
MC		 2421 s->s3->next_proto_neg_seen = 1;
2422 }
e481f9b9 2423#endif
0f113f3e 2424
b1b4b543 2425 else if (currext->type
1ab3836b
MC		 2426 == TLSEXT_TYPE_application_layer_protocol_negotiation
2427 && s->s3->tmp.finish_md_len == 0) {
2428 if (!tls1_alpn_handle_client_hello(s,
b1b4b543 2429 &currext->data, al))
0f113f3e 2430 return 0;
0f113f3e 2431 }
5e3ff62c 2432
0f113f3e 2433 /* session ticket processed earlier */
e481f9b9 2434#ifndef OPENSSL_NO_SRTP
0f113f3e 2435 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
b1b4b543 2436 && currext->type == TLSEXT_TYPE_use_srtp) {
1ab3836b 2437 if (ssl_parse_clienthello_use_srtp_ext(s,
b1b4b543 2438 &currext->data, al))
0f113f3e
MC		 2439 return 0;
2440 }
e481f9b9 2441#endif
b1b4b543 2442 else if (currext->type == TLSEXT_TYPE_encrypt_then_mac
b1834ad7 2443 && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
0f113f3e 2444 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
b1834ad7 2445 } else if (currext->type == TLSEXT_TYPE_key_share
94ed2c67
MC		 2446 && SSL_IS_TLS13(s) && !s->hit
2447 && !process_key_share_ext(s, &currext->data, al)) {
2448 return 0;
b1834ad7 2449 }
e7f0d921
DSH		 2450 /*
2451 * Note: extended master secret extension handled in
1ab3836b 2452 * tls_check_client_ems_support()
e7f0d921
DSH		 2453 */
2454
0f113f3e
MC		 2455 /*
2456 * If this ClientHello extension was unhandled and this is a
2457 * nonresumed connection, check whether the extension is a custom
2458 * TLS Extension (has a custom_srv_ext_record), and if so call the
2459 * callback and record the extension number so that an appropriate
2460 * ServerHello may be later returned.
2461 */
2462 else if (!s->hit) {
b1b4b543
MC		 2463 if (custom_ext_parse(s, 1, currext->type,
2464 PACKET_data(&currext->data),
2465 PACKET_remaining(&currext->data), al) <= 0)
0f113f3e
MC		 2466 return 0;
2467 }
0f113f3e 2468 }
6f017a8f 2469
0f113f3e
MC		 2470 /* Need RI if renegotiating */
2471
2472 if (!renegotiate_seen && s->renegotiate &&
2473 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2474 *al = SSL_AD_HANDSHAKE_FAILURE;
2475 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2476 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2477 return 0;
2478 }
2479
06217867
EK		 2480 /*
2481 * This function currently has no state to clean up, so it returns directly.
2482 * If parsing fails at any point, the function returns early.
2483 * The SSL object may be left with partial data from extensions, but it must
2484 * then no longer be used, and clearing it up will free the leftovers.
2485 */
0f113f3e
MC		 2486 return 1;
2487}
2488
1ab3836b 2489int ssl_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello)
0f113f3e
MC		 2490{
2491 int al = -1;
2492 custom_ext_init(&s->cert->srv_ext);
1ab3836b 2493 if (ssl_scan_clienthello_tlsext(s, hello, &al) <= 0) {
0f113f3e
MC		 2494 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2495 return 0;
2496 }
0f113f3e
MC		 2497 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2498 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2499 return 0;
2500 }
2501 return 1;
2502}
2503
e481f9b9 2504#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2505/*
2506 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2507 * elements of zero length are allowed and the set of elements must exactly
2508 * fill the length of the block.
2509 */
50932c4a 2510static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2511{
b04f9479 2512 PACKET tmp_protocol;
0f113f3e 2513
50932c4a 2514 while (PACKET_remaining(pkt)) {
b04f9479 2515 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
a230b26e 2516 || PACKET_remaining(&tmp_protocol) == 0)
0f113f3e 2517 return 0;
0f113f3e
MC		 2518 }
2519
50932c4a 2520 return 1;
0f113f3e 2521}
e481f9b9 2522#endif
0f113f3e 2523
50932c4a 2524static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2525{
50932c4a 2526 unsigned int length, type, size;
0f113f3e
MC		 2527 int tlsext_servername = 0;
2528 int renegotiate_seen = 0;
2529
e481f9b9 2530#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2531 s->s3->next_proto_neg_seen = 0;
e481f9b9 2532#endif
0f113f3e
MC		 2533 s->tlsext_ticket_expected = 0;
2534
b548a1f1
RS		 2535 OPENSSL_free(s->s3->alpn_selected);
2536 s->s3->alpn_selected = NULL;
0f113f3e 2537
0f113f3e 2538 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 2539
e7f0d921
DSH		 2540 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2541
50932c4a 2542 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2543 goto ri_check;
2544
50932c4a 2545 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2546 *al = SSL_AD_DECODE_ERROR;
2547 return 0;
2548 }
2549
aa474d1f
EK		 2550 if (!tls1_check_duplicate_extensions(pkt)) {
2551 *al = SSL_AD_DECODE_ERROR;
2552 return 0;
2553 }
2554
50932c4a 2555 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2556 const unsigned char *data;
50932c4a 2557 PACKET spkt;
0f113f3e 2558
50932c4a 2559 if (!PACKET_get_sub_packet(pkt, &spkt, size)
a230b26e 2560 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2561 goto ri_check;
2562
2563 if (s->tlsext_debug_cb)
2564 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2565
2566 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2567 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2568 return 0;
2569 renegotiate_seen = 1;
2570 } else if (s->version == SSL3_VERSION) {
2571 } else if (type == TLSEXT_TYPE_server_name) {
2572 if (s->tlsext_hostname == NULL || size > 0) {
2573 *al = TLS1_AD_UNRECOGNIZED_NAME;
2574 return 0;
2575 }
2576 tlsext_servername = 1;
2577 }
e481f9b9 2578#ifndef OPENSSL_NO_EC
0f113f3e 2579 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2580 unsigned int ecpointformatlist_length;
2581 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
a230b26e 2582 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2583 *al = TLS1_AD_DECODE_ERROR;
2584 return 0;
2585 }
2586 if (!s->hit) {
2587 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2588 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2589 if ((s->session->tlsext_ecpointformatlist =
2590 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2591 *al = TLS1_AD_INTERNAL_ERROR;
2592 return 0;
2593 }
2594 s->session->tlsext_ecpointformatlist_length =
2595 ecpointformatlist_length;
50932c4a
MC		 2596 if (!PACKET_copy_bytes(&spkt,
2597 s->session->tlsext_ecpointformatlist,
2598 ecpointformatlist_length)) {
2599 *al = TLS1_AD_DECODE_ERROR;
2600 return 0;
2601 }
2602
0f113f3e 2603 }
0f113f3e 2604 }
a230b26e 2605#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2606
2607 else if (type == TLSEXT_TYPE_session_ticket) {
2608 if (s->tls_session_ticket_ext_cb &&
2609 !s->tls_session_ticket_ext_cb(s, data, size,
2610 s->tls_session_ticket_ext_cb_arg))
2611 {
2612 *al = TLS1_AD_INTERNAL_ERROR;
2613 return 0;
2614 }
2615 if (!tls_use_ticket(s) || (size > 0)) {
2616 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2617 return 0;
2618 }
2619 s->tlsext_ticket_expected = 1;
a230b26e 2620 } else if (type == TLSEXT_TYPE_status_request) {
0f113f3e
MC		 2621 /*
2622 * MUST be empty and only sent if we've requested a status
2623 * request message.
2624 */
2625 if ((s->tlsext_status_type == -1) || (size > 0)) {
2626 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2627 return 0;
2628 }
2629 /* Set flag to expect CertificateStatus message */
2630 s->tlsext_status_expected = 1;
2631 }
ed29e82a
RP		 2632#ifndef OPENSSL_NO_CT
2633 /*
2634 * Only take it if we asked for it - i.e if there is no CT validation
2635 * callback set, then a custom extension MAY be processing it, so we
2636 * need to let control continue to flow to that.
2637 */
2638 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2639 s->ct_validation_callback != NULL) {
2640 /* Simply copy it off for later processing */
2641 if (s->tlsext_scts != NULL) {
2642 OPENSSL_free(s->tlsext_scts);
2643 s->tlsext_scts = NULL;
2644 }
2645 s->tlsext_scts_len = size;
2646 if (size > 0) {
2647 s->tlsext_scts = OPENSSL_malloc(size);
2648 if (s->tlsext_scts == NULL) {
2649 *al = TLS1_AD_INTERNAL_ERROR;
2650 return 0;
2651 }
2652 memcpy(s->tlsext_scts, data, size);
2653 }
2654 }
2655#endif
e481f9b9 2656#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2657 else if (type == TLSEXT_TYPE_next_proto_neg &&
2658 s->s3->tmp.finish_md_len == 0) {
2659 unsigned char *selected;
2660 unsigned char selected_len;
0f113f3e
MC		 2661 /* We must have requested it. */
2662 if (s->ctx->next_proto_select_cb == NULL) {
2663 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2664 return 0;
2665 }
2666 /* The data must be valid */
50932c4a 2667 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2668 *al = TLS1_AD_DECODE_ERROR;
2669 return 0;
2670 }
a230b26e
EK		 2671 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2672 size,
2673 s->
2674 ctx->next_proto_select_cb_arg) !=
0f113f3e
MC		 2675 SSL_TLSEXT_ERR_OK) {
2676 *al = TLS1_AD_INTERNAL_ERROR;
2677 return 0;
2678 }
c31dbed7
MC		 2679 /*
2680 * Could be non-NULL if server has sent multiple NPN extensions in
2681 * a single Serverhello
2682 */
2683 OPENSSL_free(s->next_proto_negotiated);
0f113f3e 2684 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2685 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2686 *al = TLS1_AD_INTERNAL_ERROR;
2687 return 0;
2688 }
2689 memcpy(s->next_proto_negotiated, selected, selected_len);
2690 s->next_proto_negotiated_len = selected_len;
2691 s->s3->next_proto_neg_seen = 1;
2692 }
e481f9b9 2693#endif
0f113f3e
MC		 2694
2695 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2696 unsigned len;
0f113f3e 2697 /* We must have requested it. */
817cd0d5 2698 if (!s->s3->alpn_sent) {
0f113f3e
MC		 2699 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2700 return 0;
2701 }
50e735f9
MC		 2702 /*-
2703 * The extension data consists of:
2704 * uint16 list_length
2705 * uint8 proto_length;
2706 * uint8 proto[proto_length];
2707 */
50932c4a 2708 if (!PACKET_get_net_2(&spkt, &len)
a230b26e
EK		 2709 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2710 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2711 *al = TLS1_AD_DECODE_ERROR;
2712 return 0;
2713 }
b548a1f1 2714 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2715 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2716 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2717 *al = TLS1_AD_INTERNAL_ERROR;
2718 return 0;
2719 }
50932c4a
MC		 2720 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2721 *al = TLS1_AD_DECODE_ERROR;
2722 return 0;
2723 }
0f113f3e
MC		 2724 s->s3->alpn_selected_len = len;
2725 }
e481f9b9 2726#ifndef OPENSSL_NO_SRTP
0f113f3e 2727 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2728 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2729 return 0;
2730 }
e481f9b9 2731#endif
0f113f3e
MC		 2732 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2733 /* Ignore if inappropriate ciphersuite */
cde6145b
DW		 2734 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2735 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
0f113f3e
MC		 2736 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2737 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f1e51ea 2738 } else if (type == TLSEXT_TYPE_extended_master_secret &&
94ed2c67 2739 (SSL_IS_DTLS(s) || !SSL_IS_TLS13(s))) {
e7f0d921 2740 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2741 if (!s->hit)
2742 s->session->flags |= SSL_SESS_FLAG_EXTMS;
d7c42d71 2743 } else if (type == TLSEXT_TYPE_key_share
94ed2c67 2744 && SSL_IS_TLS13(s)) {
d7c42d71
MC		 2745 unsigned int group_id;
2746 PACKET encoded_pt;
2747 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
2748
2749 /* Sanity check */
2750 if (ckey == NULL) {
2751 *al = SSL_AD_INTERNAL_ERROR;
2752 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2753 return 0;
2754 }
2755
2756 if (!PACKET_get_net_2(&spkt, &group_id)) {
2757 *al = SSL_AD_HANDSHAKE_FAILURE;
2758 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2759 SSL_R_LENGTH_MISMATCH);
2760 return 0;
2761 }
2762
2763 if (group_id != s->s3->group_id) {
2764 /*
2765 * This isn't for the group that we sent in the original
2766 * key_share!
2767 */
2768 *al = SSL_AD_HANDSHAKE_FAILURE;
2769 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2770 SSL_R_BAD_KEY_SHARE);
2771 return 0;
2772 }
2773
323f212a
MC		 2774 if (!PACKET_as_length_prefixed_2(&spkt, &encoded_pt)
2775 || PACKET_remaining(&encoded_pt) == 0) {
d7c42d71
MC		 2776 *al = SSL_AD_DECODE_ERROR;
2777 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2778 SSL_R_LENGTH_MISMATCH);
2779 return 0;
2780 }
2781
94ed2c67 2782 skey = ssl_generate_pkey(ckey);
d7c42d71
MC		 2783 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
2784 PACKET_remaining(&encoded_pt))) {
2785 *al = SSL_AD_DECODE_ERROR;
2786 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_BAD_ECPOINT);
2787 return 0;
2788 }
2789
0f1e51ea
MC		 2790 if (ssl_derive(s, ckey, skey, 1) == 0) {
2791 *al = SSL_AD_INTERNAL_ERROR;
2792 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2793 EVP_PKEY_free(skey);
2794 return 0;
2795 }
d7c42d71 2796 EVP_PKEY_free(skey);
0f113f3e
MC		 2797 /*
2798 * If this extension type was not otherwise handled, but matches a
2799 * custom_cli_ext_record, then send it to the c callback
2800 */
d7c42d71 2801 } else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
0f113f3e 2802 return 0;
0f113f3e
MC		 2803 }
2804
50932c4a 2805 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2806 *al = SSL_AD_DECODE_ERROR;
2807 return 0;
2808 }
2809
2810 if (!s->hit && tlsext_servername == 1) {
2811 if (s->tlsext_hostname) {
2812 if (s->session->tlsext_hostname == NULL) {
a230b26e
EK		 2813 s->session->tlsext_hostname =
2814 OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2815 if (!s->session->tlsext_hostname) {
2816 *al = SSL_AD_UNRECOGNIZED_NAME;
2817 return 0;
2818 }
2819 } else {
2820 *al = SSL_AD_DECODE_ERROR;
2821 return 0;
2822 }
2823 }
2824 }
2825
0f113f3e
MC		 2826 ri_check:
2827
2828 /*
2829 * Determine if we need to see RI. Strictly speaking if we want to avoid
2830 * an attack we should *always* see RI even on initial server hello
2831 * because the client doesn't see any renegotiation during an attack.
2832 * However this would mean we could not connect to any server which
e7653f3b 2833 * doesn't support RI so for the immediate future tolerate RI absence
0f113f3e
MC		 2834 */
2835 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2836 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2837 *al = SSL_AD_HANDSHAKE_FAILURE;
2838 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2839 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2840 return 0;
2841 }
2842
e7f0d921
DSH		 2843 if (s->hit) {
2844 /*
2845 * Check extended master secret extension is consistent with
2846 * original session.
2847 */
2848 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2849 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2850 *al = SSL_AD_HANDSHAKE_FAILURE;
2851 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2852 return 0;
a230b26e 2853 }
e7f0d921
DSH		 2854 }
2855
0f113f3e
MC		 2856 return 1;
2857}
b2172f4f 2858
36ca4ba6 2859int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e 2860{
817cd0d5 2861 s->s3->alpn_sent = 0;
0f113f3e
MC		 2862 return 1;
2863}
36ca4ba6
BM		 2864
2865int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2866{
2867 return 1;
2868}
36ca4ba6 2869
2daceb03 2870static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2871{
2872 int ret = SSL_TLSEXT_ERR_NOACK;
2873 int al = SSL_AD_UNRECOGNIZED_NAME;
2874
e481f9b9 2875#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2876 /*
2877 * The handling of the ECPointFormats extension is done elsewhere, namely
2878 * in ssl3_choose_cipher in s3_lib.c.
2879 */
2880 /*
2881 * The handling of the EllipticCurves extension is done elsewhere, namely
2882 * in ssl3_choose_cipher in s3_lib.c.
2883 */
e481f9b9 2884#endif
0f113f3e
MC		 2885
2886 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2887 ret =
2888 s->ctx->tlsext_servername_callback(s, &al,
2889 s->ctx->tlsext_servername_arg);
2890 else if (s->initial_ctx != NULL
2891 && s->initial_ctx->tlsext_servername_callback != 0)
2892 ret =
2893 s->initial_ctx->tlsext_servername_callback(s, &al,
2894 s->
2895 initial_ctx->tlsext_servername_arg);
2896
0f113f3e
MC		 2897 switch (ret) {
2898 case SSL_TLSEXT_ERR_ALERT_FATAL:
2899 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2900 return -1;
2901
2902 case SSL_TLSEXT_ERR_ALERT_WARNING:
2903 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2904 return 1;
2905
2906 case SSL_TLSEXT_ERR_NOACK:
2907 s->servername_done = 0;
2908 default:
2909 return 1;
2910 }
2911}
a230b26e 2912
d376e57d 2913/* Initialise digests to default values */
a0f63828 2914void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2915{
2916 const EVP_MD **pmd = s->s3->tmp.md;
2917#ifndef OPENSSL_NO_DSA
152fbc28 2918 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2919#endif
2920#ifndef OPENSSL_NO_RSA
d18d31a1 2921 if (SSL_USE_SIGALGS(s))
152fbc28 2922 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2923 else
152fbc28 2924 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2925 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2926#endif
2927#ifndef OPENSSL_NO_EC
152fbc28 2928 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2929#endif
e44380a9 2930#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2931 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2932 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2933 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2934#endif
d376e57d 2935}
f1fd4544 2936
e469af8d 2937int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2938{
2939 int al;
2940 size_t i;
8483a003
F		 2941
2942 /* Clear any shared signature algorithms */
b548a1f1
RS		 2943 OPENSSL_free(s->cert->shared_sigalgs);
2944 s->cert->shared_sigalgs = NULL;
2945 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2946 /* Clear certificate digests and validity flags */
2947 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2948 s->s3->tmp.md[i] = NULL;
6383d316 2949 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2950 }
2951
2952 /* If sigalgs received process it. */
76106e60 2953 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2954 if (!tls1_process_sigalgs(s)) {
2955 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2956 al = SSL_AD_INTERNAL_ERROR;
2957 goto err;
2958 }
2959 /* Fatal error is no shared signature algorithms */
2960 if (!s->cert->shared_sigalgs) {
2961 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
f430ba31 2962 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
0f113f3e
MC		 2963 al = SSL_AD_ILLEGAL_PARAMETER;
2964 goto err;
2965 }
d376e57d
DSH		 2966 } else {
2967 ssl_set_default_md(s);
2968 }
0f113f3e
MC		 2969 return 1;
2970 err:
2971 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2972 return 0;
2973}
e469af8d 2974
70c22888
EK		 2975/*
2976 * Upon success, returns 1.
2977 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2978 */
2979int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
0f113f3e 2980{
70c22888 2981 s->tlsext_status_expected = 0;
0f113f3e
MC		 2982
2983 /*
2984 * If status request then ask callback what to do. Note: this must be
2985 * called after servername callbacks in case the certificate has changed,
2986 * and must be called after the cipher has been chosen because this may
2987 * influence which certificate is sent
2988 */
2989 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
70c22888 2990 int ret;
0f113f3e
MC		 2991 CERT_PKEY *certpkey;
2992 certpkey = ssl_get_server_send_pkey(s);
2993 /* If no certificate can't return certificate status */
70c22888
EK		 2994 if (certpkey != NULL) {
2995 /*
2996 * Set current certificate to one we will use so SSL_get_certificate
2997 * et al can pick it up.
2998 */
2999 s->cert->key = certpkey;
3000 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3001 switch (ret) {
3002 /* We don't want to send a status request response */
3003 case SSL_TLSEXT_ERR_NOACK:
0f113f3e 3004 s->tlsext_status_expected = 0;
70c22888
EK		 3005 break;
3006 /* status request response should be sent */
3007 case SSL_TLSEXT_ERR_OK:
3008 if (s->tlsext_ocsp_resp)
3009 s->tlsext_status_expected = 1;
3010 break;
3011 /* something bad happened */
3012 case SSL_TLSEXT_ERR_ALERT_FATAL:
3013 default:
3014 *al = SSL_AD_INTERNAL_ERROR;
3015 return 0;
3016 }
0f113f3e 3017 }
817cd0d5
TS		 3018 }
3019
70c22888
EK		 3020 if (!tls1_alpn_handle_client_hello_late(s, al)) {
3021 return 0;
0f113f3e 3022 }
70c22888
EK		 3023
3024 return 1;
0f113f3e 3025}
2daceb03 3026
36ca4ba6 3027int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 3028{
3029 int ret = SSL_TLSEXT_ERR_NOACK;
3030 int al = SSL_AD_UNRECOGNIZED_NAME;
3031
e481f9b9 3032#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3033 /*
3034 * If we are client and using an elliptic curve cryptography cipher
3035 * suite, then if server returns an EC point formats lists extension it
3036 * must contain uncompressed.
3037 */
3038 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3039 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3040 if ((s->tlsext_ecpointformatlist != NULL)
3041 && (s->tlsext_ecpointformatlist_length > 0)
3042 && (s->session->tlsext_ecpointformatlist != NULL)
3043 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 3044 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 3045 /* we are using an ECC cipher */
3046 size_t i;
3047 unsigned char *list;
3048 int found_uncompressed = 0;
3049 list = s->session->tlsext_ecpointformatlist;
3050 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3051 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3052 found_uncompressed = 1;
3053 break;
3054 }
3055 }
3056 if (!found_uncompressed) {
3057 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3058 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3059 return -1;
3060 }
3061 }
3062 ret = SSL_TLSEXT_ERR_OK;
a230b26e 3063#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 3064
3065 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3066 ret =
3067 s->ctx->tlsext_servername_callback(s, &al,
3068 s->ctx->tlsext_servername_arg);
3069 else if (s->initial_ctx != NULL
3070 && s->initial_ctx->tlsext_servername_callback != 0)
3071 ret =
3072 s->initial_ctx->tlsext_servername_callback(s, &al,
3073 s->
3074 initial_ctx->tlsext_servername_arg);
3075
b1931d43
MC		 3076 /*
3077 * Ensure we get sensible values passed to tlsext_status_cb in the event
3078 * that we don't receive a status message
3079 */
bb1aaab4
MC		 3080 OPENSSL_free(s->tlsext_ocsp_resp);
3081 s->tlsext_ocsp_resp = NULL;
8b0e934a 3082 s->tlsext_ocsp_resplen = 0;
0f113f3e
MC		 3083
3084 switch (ret) {
3085 case SSL_TLSEXT_ERR_ALERT_FATAL:
3086 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3087 return -1;
3088
3089 case SSL_TLSEXT_ERR_ALERT_WARNING:
3090 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3091 return 1;
3092
3093 case SSL_TLSEXT_ERR_NOACK:
3094 s->servername_done = 0;
3095 default:
3096 return 1;
3097 }
3098}
761772d7 3099
50932c4a 3100int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 3101{
3102 int al = -1;
3103 if (s->version < SSL3_VERSION)
3104 return 1;
50932c4a 3105 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 3106 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3107 return 0;
3108 }
3109
3110 if (ssl_check_serverhello_tlsext(s) <= 0) {
3111 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3112 return 0;
3113 }
3114 return 1;
09e4e4b9
DSH		 3115}
3116
64386324
MC		 3117/*
3118 * Given a list of extensions that we collected earlier, find one of a given
3119 * type and return it.
3120 *
3121 * |exts| is the set of extensions previously collected.
3122 * |numexts| is the number of extensions that we have.
3123 * |type| the type of the extension that we are looking for.
3124 *
3125 * Returns a pointer to the found RAW_EXTENSION data, or NULL if not found.
3126 */
cd998837
MC		 3127RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
3128 unsigned int type)
1ab3836b
MC		 3129{
3130 size_t loop;
3131
3132 for (loop = 0; loop < numexts; loop++) {
3133 if (exts[loop].type == type)
3134 return &exts[loop];
3135 }
3136
3137 return NULL;
3138}
3139
1d97c843 3140/*-
1ab3836b 3141 * Gets the ticket information supplied by the client if any.
e7f0d921 3142 *
1ab3836b 3143 * hello: The parsed ClientHello data
c519e89f
BM		 3144 * ret: (output) on return, if a ticket was decrypted, then this is set to
3145 * point to the resulting session.
3146 *
3147 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3148 * ciphersuite, in which case we have no use for session tickets and one will
3149 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3150 *
3151 * Returns:
3152 * -1: fatal error, either from parsing or decrypting the ticket.
3153 * 0: no ticket was found (or was ignored, based on settings).
3154 * 1: a zero length extension was found, indicating that the client supports
3155 * session tickets but doesn't currently have one to offer.
3156 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3157 * couldn't be decrypted because of a non-fatal error.
3158 * 3: a ticket was successfully decrypted and *ret was set.
3159 *
3160 * Side effects:
3161 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3162 * a new session ticket to the client because the client indicated support
3163 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3164 * a session ticket or we couldn't use the one it gave us, or if
3165 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3166 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 3167 */
1ab3836b
MC		 3168int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
3169 SSL_SESSION **ret)
0f113f3e 3170{
1ab3836b
MC		 3171 int retv;
3172 const unsigned char *etick;
3173 size_t size;
3174 RAW_EXTENSION *ticketext;
e7f0d921 3175
0f113f3e
MC		 3176 *ret = NULL;
3177 s->tlsext_ticket_expected = 0;
3178
3179 /*
9362c93e
MC		 3180 * If tickets disabled or not supported by the protocol version
3181 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
0f113f3e
MC		 3182 * resumption.
3183 */
1ab3836b 3184 if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
0f113f3e 3185 return 0;
9ceb2426 3186
cd998837
MC		 3187 ticketext = tls_get_extension_by_type(hello->pre_proc_exts,
3188 hello->num_extensions,
3189 TLSEXT_TYPE_session_ticket);
1ab3836b
MC		 3190 if (ticketext == NULL)
3191 return 0;
3192
3193 size = PACKET_remaining(&ticketext->data);
3194 if (size == 0) {
3195 /*
3196 * The client will accept a ticket but doesn't currently have
3197 * one.
3198 */
3199 s->tlsext_ticket_expected = 1;
3200 return 1;
9ceb2426 3201 }
1ab3836b
MC		 3202 if (s->tls_session_secret_cb) {
3203 /*
3204 * Indicate that the ticket couldn't be decrypted rather than
3205 * generating the session from ticket now, trigger
3206 * abbreviated handshake based on external mechanism to
3207 * calculate the master secret later.
3208 */
3209 return 2;
3210 }
3211 if (!PACKET_get_bytes(&ticketext->data, &etick, size)) {
3212 /* Shouldn't ever happen */
3213 return -1;
3214 }
3215 retv = tls_decrypt_ticket(s, etick, size, hello->session_id,
3216 hello->session_id_len, ret);
3217 switch (retv) {
3218 case 2: /* ticket couldn't be decrypted */
3219 s->tlsext_ticket_expected = 1;
3220 return 2;
9ceb2426 3221
1ab3836b
MC		 3222 case 3: /* ticket was decrypted */
3223 return 3;
9ceb2426 3224
1ab3836b
MC		 3225 case 4: /* ticket decrypted but need to renew */
3226 s->tlsext_ticket_expected = 1;
3227 return 3;
e7f0d921 3228
1ab3836b
MC		 3229 default: /* fatal error */
3230 return -1;
0f113f3e 3231 }
1ab3836b
MC		 3232}
3233
3234/*
de7d61d5 3235 * Sets the extended master secret flag if the extension is present in the
0f1e51ea 3236 * ClientHello and we can support it
de7d61d5
MC		 3237 * Returns:
3238 * 1 on success
3239 * 0 on error
1ab3836b 3240 */
902aca09 3241int tls_check_client_ems_support(SSL *s, const CLIENTHELLO_MSG *hello)
1ab3836b
MC		 3242{
3243 RAW_EXTENSION *emsext;
3244
3245 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
3246
0f1e51ea
MC		 3247 if (!SSL_IS_DTLS(s) && (s->version < TLS1_VERSION
3248 || s->version > TLS1_2_VERSION))
1ab3836b
MC		 3249 return 1;
3250
cd998837
MC		 3251 emsext = tls_get_extension_by_type(hello->pre_proc_exts,
3252 hello->num_extensions,
3253 TLSEXT_TYPE_extended_master_secret);
1ab3836b
MC		 3254
3255 /*
3256 * No extensions is a success - we have successfully discovered that the
3257 * client doesn't support EMS.
3258 */
3259 if (emsext == NULL)
3260 return 1;
3261
3262 /* The extensions must always be empty */
3263 if (PACKET_remaining(&emsext->data) != 0)
3264 return 0;
3265
3266 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
3267
3268 return 1;
0f113f3e 3269}
6434abbf 3270
1d97c843
TH		 3271/*-
3272 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3273 *
3274 * etick: points to the body of the session ticket extension.
8483a003 3275 * eticklen: the length of the session tickets extension.
c519e89f
BM		 3276 * sess_id: points at the session ID.
3277 * sesslen: the length of the session ID.
3278 * psess: (output) on return, if a ticket was decrypted, then this is set to
3279 * point to the resulting session.
3280 *
3281 * Returns:
bf7c6817 3282 * -2: fatal error, malloc failure.
c519e89f
BM		 3283 * -1: fatal error, either from parsing or decrypting the ticket.
3284 * 2: the ticket couldn't be decrypted.
3285 * 3: a ticket was successfully decrypted and *psess was set.
3286 * 4: same as 3, but the ticket needs to be renewed.
3287 */
0f113f3e 3288static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
d736bc1a 3289 size_t eticklen, const unsigned char *sess_id,
ec60ccc1 3290 size_t sesslen, SSL_SESSION **psess)
0f113f3e
MC		 3291{
3292 SSL_SESSION *sess;
3293 unsigned char *sdec;
3294 const unsigned char *p;
348240c6
MC		 3295 int slen, renew_ticket = 0, ret = -1, declen;
3296 size_t mlen;
0f113f3e 3297 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3298 HMAC_CTX *hctx = NULL;
846ec07d 3299 EVP_CIPHER_CTX *ctx;
0f113f3e 3300 SSL_CTX *tctx = s->initial_ctx;
e97763c9 3301
0f113f3e 3302 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3303 hctx = HMAC_CTX_new();
3304 if (hctx == NULL)
3305 return -2;
846ec07d 3306 ctx = EVP_CIPHER_CTX_new();
35b1a433
MC		 3307 if (ctx == NULL) {
3308 ret = -2;
3309 goto err;
3310 }
0f113f3e
MC		 3311 if (tctx->tlsext_ticket_key_cb) {
3312 unsigned char *nctick = (unsigned char *)etick;
3313 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 3314 ctx, hctx, 0);
0f113f3e 3315 if (rv < 0)
35b1a433
MC		 3316 goto err;
3317 if (rv == 0) {
3318 ret = 2;
3319 goto err;
3320 }
0f113f3e
MC		 3321 if (rv == 2)
3322 renew_ticket = 1;
3323 } else {
3324 /* Check key name matches */
4e2e1ec9
TS		 3325 if (memcmp(etick, tctx->tlsext_tick_key_name,
3326 sizeof(tctx->tlsext_tick_key_name)) != 0) {
35b1a433
MC		 3327 ret = 2;
3328 goto err;
3329 }
4e2e1ec9
TS		 3330 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3331 sizeof(tctx->tlsext_tick_hmac_key),
5f3d93e4 3332 EVP_sha256(), NULL) <= 0
a230b26e
EK		 3333 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3334 tctx->tlsext_tick_aes_key,
3335 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3336 0) {
5f3d93e4 3337 goto err;
a230b26e 3338 }
0f113f3e
MC		 3339 }
3340 /*
3341 * Attempt to process session ticket, first conduct sanity and integrity
3342 * checks on ticket.
3343 */
bf7c6817 3344 mlen = HMAC_size(hctx);
348240c6 3345 if (mlen == 0) {
5f3d93e4 3346 goto err;
0f113f3e 3347 }
e97763c9
DSH		 3348 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3349 if (eticklen <=
348240c6 3350 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
e97763c9
DSH		 3351 ret = 2;
3352 goto err;
3353 }
0f113f3e
MC		 3354 eticklen -= mlen;
3355 /* Check HMAC of encrypted ticket */
bf7c6817 3356 if (HMAC_Update(hctx, etick, eticklen) <= 0
a230b26e 3357 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3358 goto err;
3359 }
bf7c6817 3360 HMAC_CTX_free(hctx);
0f113f3e 3361 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3362 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3363 return 2;
3364 }
3365 /* Attempt to decrypt session data */
3366 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3367 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3368 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3369 sdec = OPENSSL_malloc(eticklen);
348240c6
MC		 3370 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
3371 (int)eticklen) <= 0) {
846ec07d 3372 EVP_CIPHER_CTX_free(ctx);
d1247df2 3373 OPENSSL_free(sdec);
0f113f3e
MC		 3374 return -1;
3375 }
348240c6 3376 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
846ec07d 3377 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3378 OPENSSL_free(sdec);
3379 return 2;
3380 }
348240c6 3381 slen += declen;
846ec07d
RL		 3382 EVP_CIPHER_CTX_free(ctx);
3383 ctx = NULL;
0f113f3e
MC		 3384 p = sdec;
3385
3386 sess = d2i_SSL_SESSION(NULL, &p, slen);
3387 OPENSSL_free(sdec);
3388 if (sess) {
3389 /*
3390 * The session ID, if non-empty, is used by some clients to detect
3391 * that the ticket has been accepted. So we copy it to the session
3392 * structure. If it is empty set length to zero as required by
3393 * standard.
3394 */
3395 if (sesslen)
3396 memcpy(sess->session_id, sess_id, sesslen);
3397 sess->session_id_length = sesslen;
3398 *psess = sess;
3399 if (renew_ticket)
3400 return 4;
3401 else
3402 return 3;
3403 }
3404 ERR_clear_error();
3405 /*
3406 * For session parse failure, indicate that we need to send a new ticket.
3407 */
3408 return 2;
a230b26e 3409 err:
846ec07d 3410 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3411 HMAC_CTX_free(hctx);
35b1a433 3412 return ret;
0f113f3e 3413}
6434abbf 3414
6b7be581
DSH		 3415/* Tables to translate from NIDs to TLS v1.2 ids */
3416
0f113f3e
MC		 3417typedef struct {
3418 int nid;
3419 int id;
3420} tls12_lookup;
6b7be581 3421
d97ed219 3422static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3423 {NID_md5, TLSEXT_hash_md5},
3424 {NID_sha1, TLSEXT_hash_sha1},
3425 {NID_sha224, TLSEXT_hash_sha224},
3426 {NID_sha256, TLSEXT_hash_sha256},
3427 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3428 {NID_sha512, TLSEXT_hash_sha512},
3429 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3430 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3431 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3432};
3433
d97ed219 3434static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3435 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3436 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3437 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3438 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3439 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3440 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3441};
3442
d97ed219 3443static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3444{
3445 size_t i;
3446 for (i = 0; i < tlen; i++) {
3447 if (table[i].nid == nid)
3448 return table[i].id;
3449 }
3450 return -1;
3451}
e7f8ff43 3452
d97ed219 3453static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3454{
3455 size_t i;
3456 for (i = 0; i < tlen; i++) {
3457 if ((table[i].id) == id)
3458 return table[i].nid;
3459 }
3460 return NID_undef;
3461}
3462
6400f338
MC		 3463int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
3464{
3465 int sig_id, md_id;
418a18a2
MC		 3466
3467 if (md == NULL)
6400f338
MC		 3468 return 0;
3469 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3470 if (md_id == -1)
3471 return 0;
3472 sig_id = tls12_get_sigid(pk);
3473 if (sig_id == -1)
3474 return 0;
08029dfa 3475 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
6400f338
MC		 3476 return 0;
3477
3478 return 1;
3479}
3480
a2f9200f 3481int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3482{
3aeb9348 3483 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3484}
3485
3486typedef struct {
3487 int nid;
3488 int secbits;
7afd2312 3489 int md_idx;
e44380a9 3490 unsigned char tlsext_hash;
0f113f3e 3491} tls12_hash_info;
b362ccab
DSH		 3492
3493static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3494 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3495 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3496 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3497 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3498 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3499 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
a230b26e
EK		 3500 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3501 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3502 TLSEXT_hash_gostr34112012_256},
3503 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3504 TLSEXT_hash_gostr34112012_512},
b362ccab 3505};
a2f9200f 3506
b362ccab 3507static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3508{
e44380a9 3509 unsigned int i;
0f113f3e
MC		 3510 if (hash_alg == 0)
3511 return NULL;
e44380a9 3512
a230b26e 3513 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
e44380a9
DB		 3514 if (tls12_md_info[i].tlsext_hash == hash_alg)
3515 return tls12_md_info + i;
3516 }
3517
3518 return NULL;
0f113f3e 3519}
a2f9200f 3520
b362ccab 3521const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3522{
3523 const tls12_hash_info *inf;
3524 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3525 return NULL;
3526 inf = tls12_get_hash_info(hash_alg);
7afd2312 3527 if (!inf)
0f113f3e 3528 return NULL;
7afd2312 3529 return ssl_md(inf->md_idx);
0f113f3e 3530}
a2f9200f 3531
4453cd8c 3532static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3533{
3534 switch (sig_alg) {
e481f9b9 3535#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3536 case TLSEXT_signature_rsa:
3537 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3538#endif
3539#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3540 case TLSEXT_signature_dsa:
3541 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3542#endif
3543#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3544 case TLSEXT_signature_ecdsa:
3545 return SSL_PKEY_ECC;
e481f9b9 3546#endif
a230b26e 3547#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3548 case TLSEXT_signature_gostr34102001:
3549 return SSL_PKEY_GOST01;
3550
3551 case TLSEXT_signature_gostr34102012_256:
3552 return SSL_PKEY_GOST12_256;
3553
3554 case TLSEXT_signature_gostr34102012_512:
3555 return SSL_PKEY_GOST12_512;
a230b26e 3556#endif
0f113f3e
MC		 3557 }
3558 return -1;
3559}
4453cd8c
DSH		 3560
3561/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3562static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3563 int *psignhash_nid, const unsigned char *data)
3564{
330dcb09 3565 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3566 if (!phash_nid && !psign_nid && !psignhash_nid)
3567 return;
3568 if (phash_nid || psignhash_nid) {
b6eb9827 3569 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3570 if (phash_nid)
3571 *phash_nid = hash_nid;
3572 }
3573 if (psign_nid || psignhash_nid) {
b6eb9827 3574 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3575 if (psign_nid)
3576 *psign_nid = sign_nid;
3577 }
3578 if (psignhash_nid) {
330dcb09 3579 if (sign_nid == NID_undef || hash_nid == NID_undef
a230b26e 3580 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
0f113f3e
MC		 3581 *psignhash_nid = NID_undef;
3582 }
3583}
3584
b362ccab
DSH		 3585/* Check to see if a signature algorithm is allowed */
3586static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3587{
3588 /* See if we have an entry in the hash table and it is enabled */
3589 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3590 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3591 return 0;
3592 /* See if public key algorithm allowed */
3593 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3594 return 0;
3595 /* Finally see if security callback allows it */
3596 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3597}
3598
3599/*
3600 * Get a mask of disabled public key algorithms based on supported signature
3601 * algorithms. For example if no signature algorithm supports RSA then RSA is
3602 * disabled.
b362ccab
DSH		 3603 */
3604
90d9e49a 3605void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3606{
3607 const unsigned char *sigalgs;
3608 size_t i, sigalgslen;
3609 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3610 /*
3611 * Now go through all signature algorithms seeing if we support any for
3612 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3613 * down calls to security callback only check if we have to.
3614 */
3615 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3616 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3617 switch (sigalgs[1]) {
e481f9b9 3618#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3619 case TLSEXT_signature_rsa:
3620 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3621 have_rsa = 1;
3622 break;
e481f9b9
MC		 3623#endif
3624#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3625 case TLSEXT_signature_dsa:
3626 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3627 have_dsa = 1;
3628 break;
e481f9b9
MC		 3629#endif
3630#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3631 case TLSEXT_signature_ecdsa:
3632 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3633 have_ecdsa = 1;
3634 break;
e481f9b9 3635#endif
0f113f3e
MC		 3636 }
3637 }
3638 if (!have_rsa)
3639 *pmask_a |= SSL_aRSA;
3640 if (!have_dsa)
3641 *pmask_a |= SSL_aDSS;
3642 if (!have_ecdsa)
3643 *pmask_a |= SSL_aECDSA;
3644}
b362ccab 3645
ae2f7b37 3646int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
2c7b4dbc
MC		 3647 const unsigned char *psig, size_t psiglen)
3648{
3649 size_t i;
c0f9e23c 3650
2c7b4dbc
MC		 3651 for (i = 0; i < psiglen; i += 2, psig += 2) {
3652 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
08029dfa
MC		 3653 if (!WPACKET_put_bytes_u8(pkt, psig[0])
3654 || !WPACKET_put_bytes_u8(pkt, psig[1]))
2c7b4dbc
MC		 3655 return 0;
3656 }
3657 }
3658 return 1;
3659}
3660
4453cd8c 3661/* Given preference and allowed sigalgs set shared sigalgs */
348240c6
MC		 3662static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3663 const unsigned char *pref, size_t preflen,
3664 const unsigned char *allow, size_t allowlen)
0f113f3e
MC		 3665{
3666 const unsigned char *ptmp, *atmp;
3667 size_t i, j, nmatch = 0;
3668 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3669 /* Skip disabled hashes or signature algorithms */
3670 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3671 continue;
3672 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3673 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3674 nmatch++;
3675 if (shsig) {
3676 shsig->rhash = ptmp[0];
3677 shsig->rsign = ptmp[1];
3678 tls1_lookup_sigalg(&shsig->hash_nid,
3679 &shsig->sign_nid,
3680 &shsig->signandhash_nid, ptmp);
3681 shsig++;
3682 }
3683 break;
3684 }
3685 }
3686 }
3687 return nmatch;
3688}
4453cd8c
DSH		 3689
3690/* Set shared signature algorithms for SSL structures */
3691static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3692{
3693 const unsigned char *pref, *allow, *conf;
3694 size_t preflen, allowlen, conflen;
3695 size_t nmatch;
3696 TLS_SIGALGS *salgs = NULL;
3697 CERT *c = s->cert;
3698 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3699
3700 OPENSSL_free(c->shared_sigalgs);
3701 c->shared_sigalgs = NULL;
3702 c->shared_sigalgslen = 0;
0f113f3e
MC		 3703 /* If client use client signature algorithms if not NULL */
3704 if (!s->server && c->client_sigalgs && !is_suiteb) {
3705 conf = c->client_sigalgs;
3706 conflen = c->client_sigalgslen;
3707 } else if (c->conf_sigalgs && !is_suiteb) {
3708 conf = c->conf_sigalgs;
3709 conflen = c->conf_sigalgslen;
3710 } else
3711 conflen = tls12_get_psigalgs(s, &conf);
3712 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3713 pref = conf;
3714 preflen = conflen;
76106e60
DSH		 3715 allow = s->s3->tmp.peer_sigalgs;
3716 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3717 } else {
3718 allow = conf;
3719 allowlen = conflen;
76106e60
DSH		 3720 pref = s->s3->tmp.peer_sigalgs;
3721 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3722 }
3723 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3724 if (nmatch) {
3725 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3726 if (salgs == NULL)
34e3edbf
DSH		 3727 return 0;
3728 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3729 } else {
3730 salgs = NULL;
3731 }
0f113f3e
MC		 3732 c->shared_sigalgs = salgs;
3733 c->shared_sigalgslen = nmatch;
3734 return 1;
3735}
4453cd8c 3736
6b7be581
DSH		 3737/* Set preferred digest for each key type */
3738
d736bc1a 3739int tls1_save_sigalgs(SSL *s, const unsigned char *data, size_t dsize)
0f113f3e
MC		 3740{
3741 CERT *c = s->cert;
3742 /* Extension ignored for inappropriate versions */
3743 if (!SSL_USE_SIGALGS(s))
3744 return 1;
3745 /* Should never happen */
3746 if (!c)
3747 return 0;
3748
76106e60
DSH		 3749 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3750 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3751 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3752 return 0;
76106e60
DSH		 3753 s->s3->tmp.peer_sigalgslen = dsize;
3754 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3755 return 1;
3756}
6b7be581 3757
c800c27a 3758int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3759{
3760 int idx;
3761 size_t i;
3762 const EVP_MD *md;
d376e57d 3763 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3764 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3765 CERT *c = s->cert;
3766 TLS_SIGALGS *sigptr;
3767 if (!tls1_set_shared_sigalgs(s))
3768 return 0;
3769
0f113f3e
MC		 3770 for (i = 0, sigptr = c->shared_sigalgs;
3771 i < c->shared_sigalgslen; i++, sigptr++) {
3772 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3773 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3774 md = tls12_get_hash(sigptr->rhash);
d376e57d 3775 pmd[idx] = md;
6383d316 3776 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3777 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3778 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3779 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3780 }
3781 }
6b7be581 3782
0f113f3e
MC		 3783 }
3784 /*
3785 * In strict mode leave unset digests as NULL to indicate we can't use
3786 * the certificate for signing.
3787 */
3788 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3789 /*
3790 * Set any remaining keys to default values. NOTE: if alg is not
3791 * supported it stays as NULL.
3792 */
e481f9b9 3793#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3794 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3795 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3796#endif
3797#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3798 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3799 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3800 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3801 }
e481f9b9
MC		 3802#endif
3803#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3804 if (pmd[SSL_PKEY_ECC] == NULL)
3805 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3806#endif
a230b26e 3807#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3808 if (pmd[SSL_PKEY_GOST01] == NULL)
3809 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3810 if (pmd[SSL_PKEY_GOST12_256] == NULL)
a230b26e
EK		 3811 pmd[SSL_PKEY_GOST12_256] =
3812 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
e44380a9 3813 if (pmd[SSL_PKEY_GOST12_512] == NULL)
a230b26e
EK		 3814 pmd[SSL_PKEY_GOST12_512] =
3815 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3816#endif
0f113f3e
MC		 3817 }
3818 return 1;
3819}
4817504d 3820
e7f8ff43 3821int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3822 int *psign, int *phash, int *psignhash,
3823 unsigned char *rsig, unsigned char *rhash)
3824{
76106e60 3825 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
348240c6
MC		 3826 size_t numsigalgs = s->s3->tmp.peer_sigalgslen / 2;
3827 if (psig == NULL || numsigalgs > INT_MAX)
0f113f3e
MC		 3828 return 0;
3829 if (idx >= 0) {
3830 idx <<= 1;
76106e60 3831 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3832 return 0;
3833 psig += idx;
3834 if (rhash)
3835 *rhash = psig[0];
3836 if (rsig)
3837 *rsig = psig[1];
3838 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3839 }
348240c6 3840 return (int)numsigalgs;
0f113f3e 3841}
4453cd8c
DSH		 3842
3843int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3844 int *psign, int *phash, int *psignhash,
3845 unsigned char *rsig, unsigned char *rhash)
3846{
3847 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
348240c6
MC		 3848 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen
3849 || s->cert->shared_sigalgslen > INT_MAX)
0f113f3e
MC		 3850 return 0;
3851 shsigalgs += idx;
3852 if (phash)
3853 *phash = shsigalgs->hash_nid;
3854 if (psign)
3855 *psign = shsigalgs->sign_nid;
3856 if (psignhash)
3857 *psignhash = shsigalgs->signandhash_nid;
3858 if (rsig)
3859 *rsig = shsigalgs->rsign;
3860 if (rhash)
3861 *rhash = shsigalgs->rhash;
348240c6 3862 return (int)s->cert->shared_sigalgslen;
0f113f3e
MC		 3863}
3864
e481f9b9 3865#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3866
0f113f3e
MC		 3867typedef struct {
3868 size_t sigalgcnt;
3869 int sigalgs[MAX_SIGALGLEN];
3870} sig_cb_st;
0f229cce 3871
431f458d
DSH		 3872static void get_sigorhash(int *psig, int *phash, const char *str)
3873{
3874 if (strcmp(str, "RSA") == 0) {
3875 *psig = EVP_PKEY_RSA;
3876 } else if (strcmp(str, "DSA") == 0) {
3877 *psig = EVP_PKEY_DSA;
3878 } else if (strcmp(str, "ECDSA") == 0) {
3879 *psig = EVP_PKEY_EC;
3880 } else {
3881 *phash = OBJ_sn2nid(str);
3882 if (*phash == NID_undef)
3883 *phash = OBJ_ln2nid(str);
3884 }
3885}
3886
0f229cce 3887static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3888{
3889 sig_cb_st *sarg = arg;
3890 size_t i;
3891 char etmp[20], *p;
431f458d 3892 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3893 if (elem == NULL)
3894 return 0;
0f113f3e
MC		 3895 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3896 return 0;
3897 if (len > (int)(sizeof(etmp) - 1))
3898 return 0;
3899 memcpy(etmp, elem, len);
3900 etmp[len] = 0;
3901 p = strchr(etmp, '+');
3902 if (!p)
3903 return 0;
3904 *p = 0;
3905 p++;
3906 if (!*p)
3907 return 0;
3908
431f458d
DSH		 3909 get_sigorhash(&sig_alg, &hash_alg, etmp);
3910 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3911
431f458d 3912 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3913 return 0;
3914
3915 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3916 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3917 return 0;
3918 }
3919 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3920 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3921 return 1;
3922}
3923
3924/*
9d22666e 3925 * Set supported signature algorithms based on a colon separated list of the
0f113f3e
MC		 3926 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3927 */
3dbc46df 3928int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3929{
3930 sig_cb_st sig;
3931 sig.sigalgcnt = 0;
3932 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3933 return 0;
3934 if (c == NULL)
3935 return 1;
3936 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3937}
3938
a230b26e 3939int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f113f3e
MC		 3940{
3941 unsigned char *sigalgs, *sptr;
3942 int rhash, rsign;
3943 size_t i;
3944 if (salglen & 1)
3945 return 0;
3946 sigalgs = OPENSSL_malloc(salglen);
3947 if (sigalgs == NULL)
3948 return 0;
3949 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3950 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3951 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3952
3953 if (rhash == -1 || rsign == -1)
3954 goto err;
3955 *sptr++ = rhash;
3956 *sptr++ = rsign;
3957 }
3958
3959 if (client) {
b548a1f1 3960 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3961 c->client_sigalgs = sigalgs;
3962 c->client_sigalgslen = salglen;
3963 } else {
b548a1f1 3964 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3965 c->conf_sigalgs = sigalgs;
3966 c->conf_sigalgslen = salglen;
3967 }
3968
3969 return 1;
3970
3971 err:
3972 OPENSSL_free(sigalgs);
3973 return 0;
3974}
4453cd8c 3975
d61ff83b 3976static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3977{
3978 int sig_nid;
3979 size_t i;
3980 if (default_nid == -1)
3981 return 1;
3982 sig_nid = X509_get_signature_nid(x);
3983 if (default_nid)
3984 return sig_nid == default_nid ? 1 : 0;
3985 for (i = 0; i < c->shared_sigalgslen; i++)
3986 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3987 return 1;
3988 return 0;
3989}
3990
6dbb6219
DSH		 3991/* Check to see if a certificate issuer name matches list of CA names */
3992static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3993{
3994 X509_NAME *nm;
3995 int i;
3996 nm = X509_get_issuer_name(x);
3997 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3998 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3999 return 1;
4000 }
4001 return 0;
4002}
4003
4004/*
4005 * Check certificate chain is consistent with TLS extensions and is usable by
4006 * server. This servers two purposes: it allows users to check chains before
4007 * passing them to the server and it allows the server to check chains before
4008 * attempting to use them.
d61ff83b 4009 */
6dbb6219
DSH		 4010
4011/* Flags which need to be set for a certificate when stict mode not set */
4012
e481f9b9 4013#define CERT_PKEY_VALID_FLAGS \
0f113f3e 4014 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 4015/* Strict mode flags */
e481f9b9 4016#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 4017 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4018 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 4019
d61ff83b 4020int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 4021 int idx)
4022{
4023 int i;
4024 int rv = 0;
4025 int check_flags = 0, strict_mode;
4026 CERT_PKEY *cpk = NULL;
4027 CERT *c = s->cert;
f7d53487 4028 uint32_t *pvalid;
0f113f3e
MC		 4029 unsigned int suiteb_flags = tls1_suiteb(s);
4030 /* idx == -1 means checking server chains */
4031 if (idx != -1) {
4032 /* idx == -2 means checking client certificate chains */
4033 if (idx == -2) {
4034 cpk = c->key;
348240c6 4035 idx = (int)(cpk - c->pkeys);
0f113f3e
MC		 4036 } else
4037 cpk = c->pkeys + idx;
6383d316 4038 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 4039 x = cpk->x509;
4040 pk = cpk->privatekey;
4041 chain = cpk->chain;
4042 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4043 /* If no cert or key, forget it */
4044 if (!x || !pk)
4045 goto end;
0f113f3e
MC		 4046 } else {
4047 if (!x || !pk)
d813f9eb 4048 return 0;
0f113f3e
MC		 4049 idx = ssl_cert_type(x, pk);
4050 if (idx == -1)
d813f9eb 4051 return 0;
6383d316
DSH		 4052 pvalid = s->s3->tmp.valid_flags + idx;
4053
0f113f3e
MC		 4054 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4055 check_flags = CERT_PKEY_STRICT_FLAGS;
4056 else
4057 check_flags = CERT_PKEY_VALID_FLAGS;
4058 strict_mode = 1;
4059 }
4060
4061 if (suiteb_flags) {
4062 int ok;
4063 if (check_flags)
4064 check_flags |= CERT_PKEY_SUITEB;
4065 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4066 if (ok == X509_V_OK)
4067 rv |= CERT_PKEY_SUITEB;
4068 else if (!check_flags)
4069 goto end;
4070 }
4071
4072 /*
4073 * Check all signature algorithms are consistent with signature
4074 * algorithms extension if TLS 1.2 or later and strict mode.
4075 */
4076 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4077 int default_nid;
4078 unsigned char rsign = 0;
76106e60 4079 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 4080 default_nid = 0;
4081 /* If no sigalgs extension use defaults from RFC5246 */
4082 else {
4083 switch (idx) {
4084 case SSL_PKEY_RSA_ENC:
4085 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 4086 rsign = TLSEXT_signature_rsa;
4087 default_nid = NID_sha1WithRSAEncryption;
4088 break;
4089
4090 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 4091 rsign = TLSEXT_signature_dsa;
4092 default_nid = NID_dsaWithSHA1;
4093 break;
4094
4095 case SSL_PKEY_ECC:
4096 rsign = TLSEXT_signature_ecdsa;
4097 default_nid = NID_ecdsa_with_SHA1;
4098 break;
4099
e44380a9
DB		 4100 case SSL_PKEY_GOST01:
4101 rsign = TLSEXT_signature_gostr34102001;
4102 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4103 break;
4104
4105 case SSL_PKEY_GOST12_256:
4106 rsign = TLSEXT_signature_gostr34102012_256;
4107 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4108 break;
4109
4110 case SSL_PKEY_GOST12_512:
4111 rsign = TLSEXT_signature_gostr34102012_512;
4112 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4113 break;
4114
0f113f3e
MC		 4115 default:
4116 default_nid = -1;
4117 break;
4118 }
4119 }
4120 /*
4121 * If peer sent no signature algorithms extension and we have set
4122 * preferred signature algorithms check we support sha1.
4123 */
4124 if (default_nid > 0 && c->conf_sigalgs) {
4125 size_t j;
4126 const unsigned char *p = c->conf_sigalgs;
4127 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4128 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4129 break;
4130 }
4131 if (j == c->conf_sigalgslen) {
4132 if (check_flags)
4133 goto skip_sigs;
4134 else
4135 goto end;
4136 }
4137 }
4138 /* Check signature algorithm of each cert in chain */
4139 if (!tls1_check_sig_alg(c, x, default_nid)) {
4140 if (!check_flags)
4141 goto end;
4142 } else
4143 rv |= CERT_PKEY_EE_SIGNATURE;
4144 rv |= CERT_PKEY_CA_SIGNATURE;
4145 for (i = 0; i < sk_X509_num(chain); i++) {
4146 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4147 if (check_flags) {
4148 rv &= ~CERT_PKEY_CA_SIGNATURE;
4149 break;
4150 } else
4151 goto end;
4152 }
4153 }
4154 }
4155 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4156 else if (check_flags)
4157 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4158 skip_sigs:
4159 /* Check cert parameters are consistent */
4160 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4161 rv |= CERT_PKEY_EE_PARAM;
4162 else if (!check_flags)
4163 goto end;
4164 if (!s->server)
4165 rv |= CERT_PKEY_CA_PARAM;
4166 /* In strict mode check rest of chain too */
4167 else if (strict_mode) {
4168 rv |= CERT_PKEY_CA_PARAM;
4169 for (i = 0; i < sk_X509_num(chain); i++) {
4170 X509 *ca = sk_X509_value(chain, i);
4171 if (!tls1_check_cert_param(s, ca, 0)) {
4172 if (check_flags) {
4173 rv &= ~CERT_PKEY_CA_PARAM;
4174 break;
4175 } else
4176 goto end;
4177 }
4178 }
4179 }
4180 if (!s->server && strict_mode) {
4181 STACK_OF(X509_NAME) *ca_dn;
4182 int check_type = 0;
3aeb9348 4183 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 4184 case EVP_PKEY_RSA:
4185 check_type = TLS_CT_RSA_SIGN;
4186 break;
4187 case EVP_PKEY_DSA:
4188 check_type = TLS_CT_DSS_SIGN;
4189 break;
4190 case EVP_PKEY_EC:
4191 check_type = TLS_CT_ECDSA_SIGN;
4192 break;
0f113f3e
MC		 4193 }
4194 if (check_type) {
4195 const unsigned char *ctypes;
4196 int ctypelen;
4197 if (c->ctypes) {
4198 ctypes = c->ctypes;
4199 ctypelen = (int)c->ctype_num;
4200 } else {
4201 ctypes = (unsigned char *)s->s3->tmp.ctype;
4202 ctypelen = s->s3->tmp.ctype_num;
4203 }
4204 for (i = 0; i < ctypelen; i++) {
4205 if (ctypes[i] == check_type) {
4206 rv |= CERT_PKEY_CERT_TYPE;
4207 break;
4208 }
4209 }
4210 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4211 goto end;
4212 } else
4213 rv |= CERT_PKEY_CERT_TYPE;
4214
4215 ca_dn = s->s3->tmp.ca_names;
4216
4217 if (!sk_X509_NAME_num(ca_dn))
4218 rv |= CERT_PKEY_ISSUER_NAME;
4219
4220 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4221 if (ssl_check_ca_name(ca_dn, x))
4222 rv |= CERT_PKEY_ISSUER_NAME;
4223 }
4224 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4225 for (i = 0; i < sk_X509_num(chain); i++) {
4226 X509 *xtmp = sk_X509_value(chain, i);
4227 if (ssl_check_ca_name(ca_dn, xtmp)) {
4228 rv |= CERT_PKEY_ISSUER_NAME;
4229 break;
4230 }
4231 }
4232 }
4233 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4234 goto end;
4235 } else
4236 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4237
4238 if (!check_flags || (rv & check_flags) == check_flags)
4239 rv |= CERT_PKEY_VALID;
4240
4241 end:
4242
4243 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4244 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4245 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4246 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4247 rv |= CERT_PKEY_SIGN;
4248 } else
4249 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4250
4251 /*
4252 * When checking a CERT_PKEY structure all flags are irrelevant if the
4253 * chain is invalid.
4254 */
4255 if (!check_flags) {
4256 if (rv & CERT_PKEY_VALID)
6383d316 4257 *pvalid = rv;
0f113f3e
MC		 4258 else {
4259 /* Preserve explicit sign flag, clear rest */
6383d316 4260 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4261 return 0;
4262 }
4263 }
4264 return rv;
4265}
d61ff83b
DSH		 4266
4267/* Set validity of certificates in an SSL structure */
4268void tls1_set_cert_validity(SSL *s)
0f113f3e 4269{
17dd65e6
MC		 4270 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4271 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4272 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 4273 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4274 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4275 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4276 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4277}
4278
18d71588
DSH		 4279/* User level utiity function to check a chain is suitable */
4280int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4281{
4282 return tls1_check_chain(s, x, pk, chain, -1);
4283}
d61ff83b 4284
09599b52
DSH		 4285#ifndef OPENSSL_NO_DH
4286DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4287{
4288 int dh_secbits = 80;
4289 if (s->cert->dh_tmp_auto == 2)
4290 return DH_get_1024_160();
adc5506a 4291 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4292 if (s->s3->tmp.new_cipher->strength_bits == 256)
4293 dh_secbits = 128;
4294 else
4295 dh_secbits = 80;
4296 } else {
4297 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4298 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4299 }
4300
4301 if (dh_secbits >= 128) {
4302 DH *dhp = DH_new();
0aeddcfa 4303 BIGNUM *p, *g;
a71edf3b 4304 if (dhp == NULL)
0f113f3e 4305 return NULL;
0aeddcfa
MC		 4306 g = BN_new();
4307 if (g != NULL)
4308 BN_set_word(g, 2);
0f113f3e 4309 if (dh_secbits >= 192)
9021a5df 4310 p = BN_get_rfc3526_prime_8192(NULL);
0f113f3e 4311 else
9021a5df 4312 p = BN_get_rfc3526_prime_3072(NULL);
0aeddcfa 4313 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
0f113f3e 4314 DH_free(dhp);
0aeddcfa
MC		 4315 BN_free(p);
4316 BN_free(g);
0f113f3e
MC		 4317 return NULL;
4318 }
4319 return dhp;
4320 }
4321 if (dh_secbits >= 112)
4322 return DH_get_2048_224();
4323 return DH_get_1024_160();
4324}
09599b52 4325#endif
b362ccab
DSH		 4326
4327static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4328{
72245f34 4329 int secbits = -1;
8382fd3a 4330 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4331 if (pkey) {
72245f34
DSH		 4332 /*
4333 * If no parameters this will return -1 and fail using the default
4334 * security callback for any non-zero security level. This will
4335 * reject keys which omit parameters but this only affects DSA and
4336 * omission of parameters is never (?) done in practice.
4337 */
0f113f3e 4338 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4339 }
0f113f3e
MC		 4340 if (s)
4341 return ssl_security(s, op, secbits, 0, x);
4342 else
4343 return ssl_ctx_security(ctx, op, secbits, 0, x);
4344}
b362ccab
DSH		 4345
4346static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4347{
4348 /* Lookup signature algorithm digest */
4349 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4350 /* Don't check signature if self signed */
4351 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4352 return 1;
0f113f3e
MC		 4353 sig_nid = X509_get_signature_nid(x);
4354 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4355 const EVP_MD *md;
4356 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4357 secbits = EVP_MD_size(md) * 4;
4358 }
4359 if (s)
4360 return ssl_security(s, op, secbits, md_nid, x);
4361 else
4362 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4363}
b362ccab
DSH		 4364
4365int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4366{
4367 if (vfy)
4368 vfy = SSL_SECOP_PEER;
4369 if (is_ee) {
4370 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4371 return SSL_R_EE_KEY_TOO_SMALL;
4372 } else {
4373 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4374 return SSL_R_CA_KEY_TOO_SMALL;
4375 }
4376 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4377 return SSL_R_CA_MD_TOO_WEAK;
4378 return 1;
4379}
4380
4381/*
4382 * Check security of a chain, if sk includes the end entity certificate then
4383 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4384 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4385 */
4386
4387int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4388{
4389 int rv, start_idx, i;
4390 if (x == NULL) {
4391 x = sk_X509_value(sk, 0);
4392 start_idx = 1;
4393 } else
4394 start_idx = 0;
4395
4396 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4397 if (rv != 1)
4398 return rv;
4399
4400 for (i = start_idx; i < sk_X509_num(sk); i++) {
4401 x = sk_X509_value(sk, i);
4402 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4403 if (rv != 1)
4404 return rv;
4405 }
4406 return 1;
4407}
A mirror of the official openssl repository