]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add explanation and warning to TLS id table.
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 7 *
58964a49
RE		 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 14 *
58964a49
RE		 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
0f113f3e 21 *
58964a49
RE		 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
0f113f3e 36 * 4. If you include any Windows specific code (or a derivative thereof) from
58964a49
RE		 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 39 *
58964a49
RE		 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
0f113f3e 51 *
58964a49
RE		 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
f1fd4544 57/* ====================================================================
52b8dad8 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
0f113f3e 65 * notice, this list of conditions and the following disclaimer.
f1fd4544
BM		 66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
58964a49
RE		 110
111#include <stdio.h>
ec577822 112#include <openssl/objects.h>
6434abbf
DSH		 113#include <openssl/evp.h>
114#include <openssl/hmac.h>
67c8e7f4 115#include <openssl/ocsp.h>
4817504d 116#include <openssl/rand.h>
09599b52 117#ifndef OPENSSL_NO_DH
0f113f3e
MC		 118# include <openssl/dh.h>
119# include <openssl/bn.h>
09599b52 120#endif
58964a49
RE		 121#include "ssl_locl.h"
122
6434abbf 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
2daceb03 126static int ssl_check_clienthello_tlsext_early(SSL *s);
09e4e4b9 127int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 128
0f113f3e
MC		 129SSL3_ENC_METHOD const TLSv1_enc_data = {
130 tls1_enc,
131 tls1_mac,
132 tls1_setup_key_block,
133 tls1_generate_master_secret,
134 tls1_change_cipher_state,
135 tls1_final_finish_mac,
136 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 137 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
140 tls1_export_keying_material,
141 0,
142 SSL3_HM_HEADER_LENGTH,
143 ssl3_set_handshake_header,
144 ssl3_handshake_write
145};
146
147SSL3_ENC_METHOD const TLSv1_1_enc_data = {
148 tls1_enc,
149 tls1_mac,
150 tls1_setup_key_block,
151 tls1_generate_master_secret,
152 tls1_change_cipher_state,
153 tls1_final_finish_mac,
154 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 155 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163};
164
165SSL3_ENC_METHOD const TLSv1_2_enc_data = {
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 173 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
174 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
175 tls1_alert_code,
176 tls1_export_keying_material,
177 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
178 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 SSL3_HM_HEADER_LENGTH,
180 ssl3_set_handshake_header,
181 ssl3_handshake_write
182};
58964a49 183
f3b656b2 184long tls1_default_timeout(void)
0f113f3e
MC		 185{
186 /*
187 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
188 * http, the cache would over fill
189 */
190 return (60 * 60 * 2);
191}
58964a49 192
6b691a5c 193int tls1_new(SSL *s)
0f113f3e
MC		 194{
195 if (!ssl3_new(s))
196 return (0);
197 s->method->ssl_clear(s);
198 return (1);
199}
58964a49 200
6b691a5c 201void tls1_free(SSL *s)
0f113f3e 202{
b548a1f1 203 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 204 ssl3_free(s);
205}
58964a49 206
6b691a5c 207void tls1_clear(SSL *s)
0f113f3e
MC		 208{
209 ssl3_clear(s);
4fa52141
VD		 210 if (s->method->version == TLS_ANY_VERSION)
211 s->version = TLS_MAX_VERSION;
212 else
213 s->version = s->method->version;
0f113f3e 214}
58964a49 215
525de5d3 216#ifndef OPENSSL_NO_EC
eda3766b 217
0f113f3e
MC		 218typedef struct {
219 int nid; /* Curve NID */
220 int secbits; /* Bits of security (from SP800-57) */
221 unsigned int flags; /* Flags: currently just field type */
222} tls_curve_info;
223
224# define TLS_CURVE_CHAR2 0x1
225# define TLS_CURVE_PRIME 0x0
226
2dc1aeed
DSH		 227/*
228 * Table of curve information.
229 * NB: do not delete entries or reorder this array. It is used as a lookup
230 * table: the index of each entry is one less than the TLS curve id.
231 */
232
0f113f3e
MC		 233static const tls_curve_info nid_list[] = {
234 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
235 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
236 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
237 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
238 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
239 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
240 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
241 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
242 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
243 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
244 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
245 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
246 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
247 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
248 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
249 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
250 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
251 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
252 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
253 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
254 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
255 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
256 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
257 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
258 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
259 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
260 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
261 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
262};
263
264static const unsigned char ecformats_default[] = {
265 TLSEXT_ECPOINTFORMAT_uncompressed,
266 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
267 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
268};
269
fe6ef247
KR		 270/* The default curves */
271static const unsigned char eccurves_default[] = {
de57d237
EK		 272 /* Prefer P-256 which has the fastest and most secure implementations. */
273 0, 23, /* secp256r1 (23) */
274 /* Other >= 256-bit prime curves. */
0f113f3e
MC		 275 0, 25, /* secp521r1 (25) */
276 0, 28, /* brainpool512r1 (28) */
0f113f3e
MC		 277 0, 27, /* brainpoolP384r1 (27) */
278 0, 24, /* secp384r1 (24) */
de57d237
EK		 279 0, 26, /* brainpoolP256r1 (26) */
280 0, 22, /* secp256k1 (22) */
281 /* >= 256-bit binary curves. */
282 0, 14, /* sect571r1 (14) */
283 0, 13, /* sect571k1 (13) */
284 0, 11, /* sect409k1 (11) */
285 0, 12, /* sect409r1 (12) */
0f113f3e
MC		 286 0, 9, /* sect283k1 (9) */
287 0, 10, /* sect283r1 (10) */
de57d237
EK		 288};
289
290static const unsigned char eccurves_all[] = {
291 /* Prefer P-256 which has the fastest and most secure implementations. */
292 0, 23, /* secp256r1 (23) */
293 /* Other >= 256-bit prime curves. */
294 0, 25, /* secp521r1 (25) */
295 0, 28, /* brainpool512r1 (28) */
296 0, 27, /* brainpoolP384r1 (27) */
297 0, 24, /* secp384r1 (24) */
0f113f3e
MC		 298 0, 26, /* brainpoolP256r1 (26) */
299 0, 22, /* secp256k1 (22) */
de57d237
EK		 300 /* >= 256-bit binary curves. */
301 0, 14, /* sect571r1 (14) */
302 0, 13, /* sect571k1 (13) */
303 0, 11, /* sect409k1 (11) */
304 0, 12, /* sect409r1 (12) */
305 0, 9, /* sect283k1 (9) */
306 0, 10, /* sect283r1 (10) */
307 /*
308 * Remaining curves disabled by default but still permitted if set
309 * via an explicit callback or parameters.
310 */
311 0, 20, /* secp224k1 (20) */
312 0, 21, /* secp224r1 (21) */
313 0, 18, /* secp192k1 (18) */
314 0, 19, /* secp192r1 (19) */
315 0, 15, /* secp160k1 (15) */
316 0, 16, /* secp160r1 (16) */
317 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 318 0, 8, /* sect239k1 (8) */
319 0, 6, /* sect233k1 (6) */
320 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 321 0, 4, /* sect193r1 (4) */
322 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 323 0, 1, /* sect163k1 (1) */
324 0, 2, /* sect163r1 (2) */
325 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 326};
327
de57d237 328
0f113f3e
MC		 329static const unsigned char suiteb_curves[] = {
330 0, TLSEXT_curve_P_256,
331 0, TLSEXT_curve_P_384
332};
2ea80354 333
525de5d3 334int tls1_ec_curve_id2nid(int curve_id)
0f113f3e
MC		 335{
336 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 337 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e
MC		 338 return 0;
339 return nid_list[curve_id - 1].nid;
340}
525de5d3
DSH		 341
342int tls1_ec_nid2curve_id(int nid)
0f113f3e
MC		 343{
344 /* ECC curves from RFC 4492 and RFC 7027 */
345 switch (nid) {
346 case NID_sect163k1: /* sect163k1 (1) */
347 return 1;
348 case NID_sect163r1: /* sect163r1 (2) */
349 return 2;
350 case NID_sect163r2: /* sect163r2 (3) */
351 return 3;
352 case NID_sect193r1: /* sect193r1 (4) */
353 return 4;
354 case NID_sect193r2: /* sect193r2 (5) */
355 return 5;
356 case NID_sect233k1: /* sect233k1 (6) */
357 return 6;
358 case NID_sect233r1: /* sect233r1 (7) */
359 return 7;
360 case NID_sect239k1: /* sect239k1 (8) */
361 return 8;
362 case NID_sect283k1: /* sect283k1 (9) */
363 return 9;
364 case NID_sect283r1: /* sect283r1 (10) */
365 return 10;
366 case NID_sect409k1: /* sect409k1 (11) */
367 return 11;
368 case NID_sect409r1: /* sect409r1 (12) */
369 return 12;
370 case NID_sect571k1: /* sect571k1 (13) */
371 return 13;
372 case NID_sect571r1: /* sect571r1 (14) */
373 return 14;
374 case NID_secp160k1: /* secp160k1 (15) */
375 return 15;
376 case NID_secp160r1: /* secp160r1 (16) */
377 return 16;
378 case NID_secp160r2: /* secp160r2 (17) */
379 return 17;
380 case NID_secp192k1: /* secp192k1 (18) */
381 return 18;
382 case NID_X9_62_prime192v1: /* secp192r1 (19) */
383 return 19;
384 case NID_secp224k1: /* secp224k1 (20) */
385 return 20;
386 case NID_secp224r1: /* secp224r1 (21) */
387 return 21;
388 case NID_secp256k1: /* secp256k1 (22) */
389 return 22;
390 case NID_X9_62_prime256v1: /* secp256r1 (23) */
391 return 23;
392 case NID_secp384r1: /* secp384r1 (24) */
393 return 24;
394 case NID_secp521r1: /* secp521r1 (25) */
395 return 25;
396 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
397 return 26;
398 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
399 return 27;
400 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
401 return 28;
402 default:
403 return 0;
404 }
405}
406
740580c2
EK		 407/*
408 * Get curves list, if "sess" is set return client curves otherwise
409 * preferred list.
410 * Sets |num_curves| to the number of curves in the list, i.e.,
411 * the length of |pcurves| is 2 * num_curves.
412 * Returns 1 on success and 0 if the client curves list has invalid format.
413 * The latter indicates an internal error: we should not be accepting such
414 * lists in the first place.
415 * TODO(emilia): we should really be storing the curves list in explicitly
416 * parsed form instead. (However, this would affect binary compatibility
417 * so cannot happen in the 1.0.x series.)
fd2b65ce 418 */
740580c2 419static int tls1_get_curvelist(SSL *s, int sess,
0f113f3e
MC		 420 const unsigned char **pcurves,
421 size_t *num_curves)
422{
423 size_t pcurveslen = 0;
424 if (sess) {
425 *pcurves = s->session->tlsext_ellipticcurvelist;
426 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
427 } else {
428 /* For Suite B mode only include P-256, P-384 */
429 switch (tls1_suiteb(s)) {
430 case SSL_CERT_FLAG_SUITEB_128_LOS:
431 *pcurves = suiteb_curves;
432 pcurveslen = sizeof(suiteb_curves);
433 break;
434
435 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
436 *pcurves = suiteb_curves;
437 pcurveslen = 2;
438 break;
439
440 case SSL_CERT_FLAG_SUITEB_192_LOS:
441 *pcurves = suiteb_curves + 2;
442 pcurveslen = 2;
443 break;
444 default:
445 *pcurves = s->tlsext_ellipticcurvelist;
446 pcurveslen = s->tlsext_ellipticcurvelist_length;
447 }
448 if (!*pcurves) {
fe6ef247
KR		 449 *pcurves = eccurves_default;
450 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 451 }
452 }
453
454 /* We do not allow odd length arrays to enter the system. */
455 if (pcurveslen & 1) {
456 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
457 *num_curves = 0;
458 return 0;
459 } else {
460 *num_curves = pcurveslen / 2;
461 return 1;
462 }
463}
b362ccab
DSH		 464
465/* See if curve is allowed by security callback */
466static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 467{
468 const tls_curve_info *cinfo;
469 if (curve[0])
470 return 1;
b6eb9827 471 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 472 return 0;
473 cinfo = &nid_list[curve[1] - 1];
474# ifdef OPENSSL_NO_EC2M
475 if (cinfo->flags & TLS_CURVE_CHAR2)
476 return 0;
477# endif
478 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
479}
b362ccab 480
d18b716d
DSH		 481/* Check a curve is one of our preferences */
482int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 483{
484 const unsigned char *curves;
485 size_t num_curves, i;
486 unsigned int suiteb_flags = tls1_suiteb(s);
487 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
488 return 0;
489 /* Check curve matches Suite B preferences */
490 if (suiteb_flags) {
491 unsigned long cid = s->s3->tmp.new_cipher->id;
492 if (p[1])
493 return 0;
494 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
495 if (p[2] != TLSEXT_curve_P_256)
496 return 0;
497 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
498 if (p[2] != TLSEXT_curve_P_384)
499 return 0;
500 } else /* Should never happen */
501 return 0;
502 }
503 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
504 return 0;
505 for (i = 0; i < num_curves; i++, curves += 2) {
506 if (p[1] == curves[0] && p[2] == curves[1])
507 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
508 }
509 return 0;
510}
d0595f17 511
1d97c843 512/*-
6977e8ee
KR		 513 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
514 * if there is no match.
515 * For nmatch == -1, return number of matches
376e2ca3
EK		 516 * For nmatch == -2, return the NID of the curve to use for
517 * an EC tmp key, or NID_undef if there is no match.
d0595f17 518 */
a4352630 519int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 520{
521 const unsigned char *pref, *supp;
522 size_t num_pref, num_supp, i, j;
523 int k;
524 /* Can't do anything on client side */
525 if (s->server == 0)
526 return -1;
527 if (nmatch == -2) {
528 if (tls1_suiteb(s)) {
529 /*
530 * For Suite B ciphersuite determines curve: we already know
531 * these are acceptable due to previous checks.
532 */
533 unsigned long cid = s->s3->tmp.new_cipher->id;
534 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
535 return NID_X9_62_prime256v1; /* P-256 */
536 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
537 return NID_secp384r1; /* P-384 */
538 /* Should never happen */
539 return NID_undef;
540 }
541 /* If not Suite B just return first preference shared curve */
542 nmatch = 0;
543 }
544 /*
545 * Avoid truncation. tls1_get_curvelist takes an int
546 * but s->options is a long...
547 */
548 if (!tls1_get_curvelist
549 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
550 &num_supp))
551 /* In practice, NID_undef == 0 but let's be precise. */
552 return nmatch == -1 ? 0 : NID_undef;
553 if (!tls1_get_curvelist
554 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
555 &num_pref))
556 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 557
558 /*
559 * If the client didn't send the elliptic_curves extension all of them
560 * are allowed.
561 */
562 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
563 supp = eccurves_all;
564 num_supp = sizeof(eccurves_all) / 2;
565 } else if (num_pref == 0 &&
566 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
567 pref = eccurves_all;
568 num_pref = sizeof(eccurves_all) / 2;
569 }
570
0f113f3e
MC		 571 k = 0;
572 for (i = 0; i < num_pref; i++, pref += 2) {
573 const unsigned char *tsupp = supp;
574 for (j = 0; j < num_supp; j++, tsupp += 2) {
575 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
576 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
577 continue;
578 if (nmatch == k) {
579 int id = (pref[0] << 8) | pref[1];
580 return tls1_ec_curve_id2nid(id);
581 }
582 k++;
583 }
584 }
585 }
586 if (nmatch == -1)
587 return k;
588 /* Out of range (nmatch > k). */
589 return NID_undef;
590}
d0595f17
DSH		 591
592int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 593 int *curves, size_t ncurves)
594{
595 unsigned char *clist, *p;
596 size_t i;
597 /*
598 * Bitmap of curves included to detect duplicates: only works while curve
599 * ids < 32
600 */
601 unsigned long dup_list = 0;
602 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 603 if (clist == NULL)
0f113f3e
MC		 604 return 0;
605 for (i = 0, p = clist; i < ncurves; i++) {
606 unsigned long idmask;
607 int id;
608 id = tls1_ec_nid2curve_id(curves[i]);
609 idmask = 1L << id;
610 if (!id || (dup_list & idmask)) {
611 OPENSSL_free(clist);
612 return 0;
613 }
614 dup_list |= idmask;
615 s2n(id, p);
616 }
b548a1f1 617 OPENSSL_free(*pext);
0f113f3e
MC		 618 *pext = clist;
619 *pextlen = ncurves * 2;
620 return 1;
621}
622
623# define MAX_CURVELIST 28
624
625typedef struct {
626 size_t nidcnt;
627 int nid_arr[MAX_CURVELIST];
628} nid_cb_st;
d0595f17
DSH		 629
630static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 631{
632 nid_cb_st *narg = arg;
633 size_t i;
634 int nid;
635 char etmp[20];
2747d73c
KR		 636 if (elem == NULL)
637 return 0;
0f113f3e
MC		 638 if (narg->nidcnt == MAX_CURVELIST)
639 return 0;
640 if (len > (int)(sizeof(etmp) - 1))
641 return 0;
642 memcpy(etmp, elem, len);
643 etmp[len] = 0;
644 nid = EC_curve_nist2nid(etmp);
645 if (nid == NID_undef)
646 nid = OBJ_sn2nid(etmp);
647 if (nid == NID_undef)
648 nid = OBJ_ln2nid(etmp);
649 if (nid == NID_undef)
650 return 0;
651 for (i = 0; i < narg->nidcnt; i++)
652 if (narg->nid_arr[i] == nid)
653 return 0;
654 narg->nid_arr[narg->nidcnt++] = nid;
655 return 1;
656}
657
d0595f17 658/* Set curves based on a colon separate list */
0f113f3e
MC		 659int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
660 const char *str)
661{
662 nid_cb_st ncb;
663 ncb.nidcnt = 0;
664 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
665 return 0;
666 if (pext == NULL)
667 return 1;
668 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
669}
670
fd2b65ce
DSH		 671/* For an EC key set TLS id and required compression based on parameters */
672static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 673 EC_KEY *ec)
674{
675 int is_prime, id;
676 const EC_GROUP *grp;
677 const EC_METHOD *meth;
678 if (!ec)
679 return 0;
680 /* Determine if it is a prime field */
681 grp = EC_KEY_get0_group(ec);
682 if (!grp)
683 return 0;
684 meth = EC_GROUP_method_of(grp);
685 if (!meth)
686 return 0;
687 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
688 is_prime = 1;
689 else
690 is_prime = 0;
691 /* Determine curve ID */
692 id = EC_GROUP_get_curve_name(grp);
693 id = tls1_ec_nid2curve_id(id);
694 /* If we have an ID set it, otherwise set arbitrary explicit curve */
695 if (id) {
696 curve_id[0] = 0;
697 curve_id[1] = (unsigned char)id;
698 } else {
699 curve_id[0] = 0xff;
700 if (is_prime)
701 curve_id[1] = 0x01;
702 else
703 curve_id[1] = 0x02;
704 }
705 if (comp_id) {
706 if (EC_KEY_get0_public_key(ec) == NULL)
707 return 0;
708 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
709 if (is_prime)
710 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
711 else
712 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
713 } else
714 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
715 }
716 return 1;
717}
718
fd2b65ce
DSH		 719/* Check an EC key is compatible with extensions */
720static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 721 unsigned char *curve_id, unsigned char *comp_id)
722{
723 const unsigned char *pformats, *pcurves;
724 size_t num_formats, num_curves, i;
725 int j;
726 /*
727 * If point formats extension present check it, otherwise everything is
728 * supported (see RFC4492).
729 */
730 if (comp_id && s->session->tlsext_ecpointformatlist) {
731 pformats = s->session->tlsext_ecpointformatlist;
732 num_formats = s->session->tlsext_ecpointformatlist_length;
733 for (i = 0; i < num_formats; i++, pformats++) {
734 if (*comp_id == *pformats)
735 break;
736 }
737 if (i == num_formats)
738 return 0;
739 }
740 if (!curve_id)
741 return 1;
742 /* Check curve is consistent with client and server preferences */
743 for (j = 0; j <= 1; j++) {
744 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
745 return 0;
b79d2410
MC		 746 if (j == 1 && num_curves == 0) {
747 /*
748 * If we've not received any curves then skip this check.
749 * RFC 4492 does not require the supported elliptic curves extension
750 * so if it is not sent we can just choose any curve.
751 * It is invalid to send an empty list in the elliptic curves
752 * extension, so num_curves == 0 always means no extension.
753 */
754 break;
755 }
0f113f3e
MC		 756 for (i = 0; i < num_curves; i++, pcurves += 2) {
757 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
758 break;
759 }
760 if (i == num_curves)
761 return 0;
762 /* For clients can only check sent curve list */
763 if (!s->server)
764 break;
765 }
766 return 1;
767}
d61ff83b 768
5087afa1 769static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 770 size_t *num_formats)
771{
772 /*
773 * If we have a custom point format list use it otherwise use default
774 */
775 if (s->tlsext_ecpointformatlist) {
776 *pformats = s->tlsext_ecpointformatlist;
777 *num_formats = s->tlsext_ecpointformatlist_length;
778 } else {
779 *pformats = ecformats_default;
780 /* For Suite B we don't support char2 fields */
781 if (tls1_suiteb(s))
782 *num_formats = sizeof(ecformats_default) - 1;
783 else
784 *num_formats = sizeof(ecformats_default);
785 }
786}
787
788/*
789 * Check cert parameters compatible with extensions: currently just checks EC
790 * certificates have compatible curves and compression.
d61ff83b 791 */
2ea80354 792static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 793{
794 unsigned char comp_id, curve_id[2];
795 EVP_PKEY *pkey;
796 int rv;
8382fd3a 797 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 798 if (!pkey)
799 return 0;
800 /* If not EC nothing to do */
3aeb9348 801 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 802 return 1;
3aeb9348 803 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 804 if (!rv)
805 return 0;
806 /*
807 * Can't check curve_id for client certs as we don't have a supported
808 * curves extension.
809 */
810 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
811 if (!rv)
812 return 0;
813 /*
814 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
815 * SHA384+P-384, adjust digest if necessary.
816 */
817 if (set_ee_md && tls1_suiteb(s)) {
818 int check_md;
819 size_t i;
820 CERT *c = s->cert;
821 if (curve_id[0])
822 return 0;
823 /* Check to see we have necessary signing algorithm */
824 if (curve_id[1] == TLSEXT_curve_P_256)
825 check_md = NID_ecdsa_with_SHA256;
826 else if (curve_id[1] == TLSEXT_curve_P_384)
827 check_md = NID_ecdsa_with_SHA384;
828 else
829 return 0; /* Should never happen */
830 for (i = 0; i < c->shared_sigalgslen; i++)
831 if (check_md == c->shared_sigalgs[i].signandhash_nid)
832 break;
833 if (i == c->shared_sigalgslen)
834 return 0;
835 if (set_ee_md == 2) {
836 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 837 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 838 else
d376e57d 839 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 840 }
841 }
842 return rv;
843}
844
10bf4fc2 845# ifndef OPENSSL_NO_EC
6977e8ee
KR		 846/*
847 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
848 * @s: SSL connection
849 * @cid: Cipher ID we're considering using
850 *
851 * Checks that the kECDHE cipher suite we're considering using
852 * is compatible with the client extensions.
853 *
854 * Returns 0 when the cipher can't be used or 1 when it can.
855 */
2ea80354 856int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 857{
0f113f3e
MC		 858# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
859 /* Allow any curve: not just those peer supports */
860 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
861 return 1;
862# endif
863 /*
864 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
865 * curves permitted.
866 */
867 if (tls1_suiteb(s)) {
6977e8ee 868 unsigned char curve_id[2];
0f113f3e
MC		 869 /* Curve to check determined by ciphersuite */
870 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
871 curve_id[1] = TLSEXT_curve_P_256;
872 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
873 curve_id[1] = TLSEXT_curve_P_384;
874 else
875 return 0;
876 curve_id[0] = 0;
877 /* Check this curve is acceptable */
878 if (!tls1_check_ec_key(s, curve_id, NULL))
879 return 0;
fe6ef247 880 return 1;
0f113f3e 881 }
fe6ef247
KR		 882 /* Need a shared curve */
883 if (tls1_shared_curve(s, 0))
884 return 1;
6977e8ee 885 return 0;
0f113f3e 886}
10bf4fc2 887# endif /* OPENSSL_NO_EC */
d0595f17 888
14536c8c
DSH		 889#else
890
891static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 892{
893 return 1;
894}
14536c8c 895
0f113f3e 896#endif /* OPENSSL_NO_EC */
f1fd4544 897
0f113f3e
MC		 898/*
899 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 900 * customisable at some point, for now include everything we support.
901 */
902
e481f9b9
MC		 903#ifdef OPENSSL_NO_RSA
904# define tlsext_sigalg_rsa(md) /* */
905#else
906# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
907#endif
0f113f3e 908
e481f9b9
MC		 909#ifdef OPENSSL_NO_DSA
910# define tlsext_sigalg_dsa(md) /* */
911#else
912# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
913#endif
0f113f3e 914
e481f9b9
MC		 915#ifdef OPENSSL_NO_EC
916# define tlsext_sigalg_ecdsa(md) /* */
917#else
918# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
919#endif
0f113f3e 920
e481f9b9 921#define tlsext_sigalg(md) \
0f113f3e
MC		 922 tlsext_sigalg_rsa(md) \
923 tlsext_sigalg_dsa(md) \
924 tlsext_sigalg_ecdsa(md)
fc101f88 925
d97ed219 926static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 927 tlsext_sigalg(TLSEXT_hash_sha512)
928 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 929 tlsext_sigalg(TLSEXT_hash_sha256)
930 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 931 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 932#ifndef OPENSSL_NO_GOST
933 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
934 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
935 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
936#endif
fc101f88 937};
0f113f3e 938
e481f9b9 939#ifndef OPENSSL_NO_EC
d97ed219 940static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 941 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
942 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 943};
e481f9b9 944#endif
b7bfe69b 945size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 946{
947 /*
948 * If Suite B mode use Suite B sigalgs only, ignore any other
949 * preferences.
950 */
e481f9b9 951#ifndef OPENSSL_NO_EC
0f113f3e
MC		 952 switch (tls1_suiteb(s)) {
953 case SSL_CERT_FLAG_SUITEB_128_LOS:
954 *psigs = suiteb_sigalgs;
955 return sizeof(suiteb_sigalgs);
956
957 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
958 *psigs = suiteb_sigalgs;
959 return 2;
960
961 case SSL_CERT_FLAG_SUITEB_192_LOS:
962 *psigs = suiteb_sigalgs + 2;
963 return 2;
964 }
e481f9b9 965#endif
0f113f3e
MC		 966 /* If server use client authentication sigalgs if not NULL */
967 if (s->server && s->cert->client_sigalgs) {
968 *psigs = s->cert->client_sigalgs;
969 return s->cert->client_sigalgslen;
970 } else if (s->cert->conf_sigalgs) {
971 *psigs = s->cert->conf_sigalgs;
972 return s->cert->conf_sigalgslen;
973 } else {
974 *psigs = tls12_sigalgs;
975 return sizeof(tls12_sigalgs);
976 }
977}
978
979/*
980 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 981 * algorithms and if so return relevant digest.
982 */
983int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 984 const unsigned char *sig, EVP_PKEY *pkey)
985{
986 const unsigned char *sent_sigs;
987 size_t sent_sigslen, i;
988 int sigalg = tls12_get_sigid(pkey);
989 /* Should never happen */
990 if (sigalg == -1)
991 return -1;
992 /* Check key type is consistent with signature */
993 if (sigalg != (int)sig[1]) {
994 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
995 return 0;
996 }
e481f9b9 997#ifndef OPENSSL_NO_EC
3aeb9348 998 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 999 unsigned char curve_id[2], comp_id;
1000 /* Check compression and curve matches extensions */
3aeb9348 1001 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 1002 return 0;
1003 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1004 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1005 return 0;
1006 }
1007 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1008 if (tls1_suiteb(s)) {
1009 if (curve_id[0])
1010 return 0;
1011 if (curve_id[1] == TLSEXT_curve_P_256) {
1012 if (sig[0] != TLSEXT_hash_sha256) {
1013 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1014 SSL_R_ILLEGAL_SUITEB_DIGEST);
1015 return 0;
1016 }
1017 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1018 if (sig[0] != TLSEXT_hash_sha384) {
1019 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1020 SSL_R_ILLEGAL_SUITEB_DIGEST);
1021 return 0;
1022 }
1023 } else
1024 return 0;
1025 }
1026 } else if (tls1_suiteb(s))
1027 return 0;
e481f9b9 1028#endif
0f113f3e
MC		 1029
1030 /* Check signature matches a type we sent */
1031 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1032 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1033 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1034 break;
1035 }
1036 /* Allow fallback to SHA1 if not strict mode */
1037 if (i == sent_sigslen
1038 && (sig[0] != TLSEXT_hash_sha1
1039 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1040 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1041 return 0;
1042 }
1043 *pmd = tls12_get_hash(sig[0]);
1044 if (*pmd == NULL) {
1045 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1046 return 0;
1047 }
1048 /* Make sure security callback allows algorithm */
1049 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1050 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1051 (void *)sig)) {
1052 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1053 return 0;
1054 }
1055 /*
1056 * Store the digest used so applications can retrieve it if they wish.
1057 */
d376e57d 1058 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 1059 return 1;
1060}
2ea80354 1061
0f113f3e
MC		 1062/*
1063 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1064 * supported or doesn't appear in supported signature algorithms. Unlike
1065 * ssl_cipher_get_disabled this applies to a specific session and not global
1066 * settings.
b7bfe69b
DSH		 1067 */
1068void ssl_set_client_disabled(SSL *s)
0f113f3e 1069{
4d69f9e6
DSH		 1070 s->s3->tmp.mask_a = 0;
1071 s->s3->tmp.mask_k = 0;
0f113f3e
MC		 1072 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1073 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
4d69f9e6 1074 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
0f113f3e 1075 else
4d69f9e6 1076 s->s3->tmp.mask_ssl = 0;
2b573382
DSH		 1077 /* Disable TLS 1.0 ciphers if using SSL v3 */
1078 if (s->client_version == SSL3_VERSION)
1079 s->s3->tmp.mask_ssl |= SSL_TLSV1;
4d69f9e6 1080 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 1081# ifndef OPENSSL_NO_PSK
1082 /* with PSK there must be client callback set */
1083 if (!s->psk_client_callback) {
4d69f9e6 1084 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 1085 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 1086 }
e481f9b9
MC		 1087#endif /* OPENSSL_NO_PSK */
1088#ifndef OPENSSL_NO_SRP
0f113f3e 1089 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 1090 s->s3->tmp.mask_a |= SSL_aSRP;
1091 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 1092 }
e481f9b9 1093#endif
0f113f3e 1094}
fc101f88 1095
b362ccab 1096int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 1097{
4d69f9e6
DSH		 1098 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1099 || c->algorithm_mkey & s->s3->tmp.mask_k
1100 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e
MC		 1101 return 1;
1102 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1103}
b362ccab
DSH		 1104
1105static int tls_use_ticket(SSL *s)
0f113f3e
MC		 1106{
1107 if (s->options & SSL_OP_NO_TICKET)
1108 return 0;
1109 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1110}
ed3883d2 1111
0f113f3e
MC		 1112unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1113 unsigned char *limit, int *al)
1114{
1115 int extdatalen = 0;
1116 unsigned char *orig = buf;
1117 unsigned char *ret = buf;
e481f9b9 1118#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1119 /* See if we support any ECC ciphersuites */
1120 int using_ecc = 0;
1121 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1122 int i;
1123 unsigned long alg_k, alg_a;
1124 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1125
1126 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1127 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1128
1129 alg_k = c->algorithm_mkey;
1130 alg_a = c->algorithm_auth;
ce0c1f2b
DSH		 1131 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1132 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1133 using_ecc = 1;
1134 break;
1135 }
1136 }
1137 }
e481f9b9 1138#endif
ed3883d2 1139
0f113f3e 1140 ret += 2;
6434abbf 1141
0f113f3e
MC		 1142 if (ret >= limit)
1143 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1144
0f113f3e
MC		 1145 /* Add RI if renegotiating */
1146 if (s->renegotiate) {
1147 int el;
5a3d8eeb 1148
0f113f3e
MC		 1149 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1150 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1151 return NULL;
1152 }
5a3d8eeb 1153
0f113f3e
MC		 1154 if ((limit - ret - 4 - el) < 0)
1155 return NULL;
5a3d8eeb 1156
0f113f3e
MC		 1157 s2n(TLSEXT_TYPE_renegotiate, ret);
1158 s2n(el, ret);
5a3d8eeb 1159
0f113f3e
MC		 1160 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1161 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1162 return NULL;
5a3d8eeb 1163 }
edc032b5 1164
0f113f3e
MC		 1165 ret += el;
1166 }
1167 /* Only add RI for SSLv3 */
1168 if (s->client_version == SSL3_VERSION)
1169 goto done;
1170
1171 if (s->tlsext_hostname != NULL) {
1172 /* Add TLS extension servername to the Client Hello message */
1173 unsigned long size_str;
1174 long lenmax;
1175
50e735f9
MC		 1176 /*-
1177 * check for enough space.
1178 * 4 for the servername type and entension length
1179 * 2 for servernamelist length
1180 * 1 for the hostname type
1181 * 2 for hostname length
1182 * + hostname length
1183 */
0f113f3e
MC		 1184
1185 if ((lenmax = limit - ret - 9) < 0
1186 || (size_str =
1187 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1188 return NULL;
1189
1190 /* extension type and length */
1191 s2n(TLSEXT_TYPE_server_name, ret);
1192 s2n(size_str + 5, ret);
1193
1194 /* length of servername list */
1195 s2n(size_str + 3, ret);
1196
1197 /* hostname type, length and hostname */
1198 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1199 s2n(size_str, ret);
1200 memcpy(ret, s->tlsext_hostname, size_str);
1201 ret += size_str;
1202 }
e481f9b9 1203#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1204 /* Add SRP username if there is one */
1205 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1206 * Client Hello message */
1207
1208 int login_len = strlen(s->srp_ctx.login);
1209 if (login_len > 255 || login_len == 0) {
1210 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1211 return NULL;
1212 }
761772d7 1213
50e735f9
MC		 1214 /*-
1215 * check for enough space.
1216 * 4 for the srp type type and entension length
1217 * 1 for the srp user identity
1218 * + srp user identity length
1219 */
0f113f3e
MC		 1220 if ((limit - ret - 5 - login_len) < 0)
1221 return NULL;
1222
1223 /* fill in the extension */
1224 s2n(TLSEXT_TYPE_srp, ret);
1225 s2n(login_len + 1, ret);
1226 (*ret++) = (unsigned char)login_len;
1227 memcpy(ret, s->srp_ctx.login, login_len);
1228 ret += login_len;
1229 }
e481f9b9 1230#endif
0f113f3e 1231
e481f9b9 1232#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1233 if (using_ecc) {
1234 /*
1235 * Add TLS extension ECPointFormats to the ClientHello message
1236 */
1237 long lenmax;
1238 const unsigned char *pcurves, *pformats;
1239 size_t num_curves, num_formats, curves_list_len;
1240 size_t i;
1241 unsigned char *etmp;
1242
1243 tls1_get_formatlist(s, &pformats, &num_formats);
1244
1245 if ((lenmax = limit - ret - 5) < 0)
1246 return NULL;
1247 if (num_formats > (size_t)lenmax)
1248 return NULL;
1249 if (num_formats > 255) {
1250 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1251 return NULL;
1252 }
4817504d 1253
0f113f3e
MC		 1254 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1255 /* The point format list has 1-byte length. */
1256 s2n(num_formats + 1, ret);
1257 *(ret++) = (unsigned char)num_formats;
1258 memcpy(ret, pformats, num_formats);
1259 ret += num_formats;
1260
1261 /*
1262 * Add TLS extension EllipticCurves to the ClientHello message
1263 */
1264 pcurves = s->tlsext_ellipticcurvelist;
1265 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1266 return NULL;
1267
1268 if ((lenmax = limit - ret - 6) < 0)
1269 return NULL;
1270 if (num_curves > (size_t)lenmax / 2)
1271 return NULL;
1272 if (num_curves > 65532 / 2) {
1273 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1274 return NULL;
1275 }
ee2ffc27 1276
0f113f3e
MC		 1277 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1278 etmp = ret + 4;
1279 /* Copy curve ID if supported */
1280 for (i = 0; i < num_curves; i++, pcurves += 2) {
1281 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1282 *etmp++ = pcurves[0];
1283 *etmp++ = pcurves[1];
1284 }
1285 }
01f2f18f 1286
0f113f3e
MC		 1287 curves_list_len = etmp - ret - 4;
1288
1289 s2n(curves_list_len + 2, ret);
1290 s2n(curves_list_len, ret);
1291 ret += curves_list_len;
1292 }
e481f9b9 1293#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1294
1295 if (tls_use_ticket(s)) {
1296 int ticklen;
1297 if (!s->new_session && s->session && s->session->tlsext_tick)
1298 ticklen = s->session->tlsext_ticklen;
1299 else if (s->session && s->tlsext_session_ticket &&
1300 s->tlsext_session_ticket->data) {
1301 ticklen = s->tlsext_session_ticket->length;
1302 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1303 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1304 return NULL;
1305 memcpy(s->session->tlsext_tick,
1306 s->tlsext_session_ticket->data, ticklen);
1307 s->session->tlsext_ticklen = ticklen;
1308 } else
1309 ticklen = 0;
1310 if (ticklen == 0 && s->tlsext_session_ticket &&
1311 s->tlsext_session_ticket->data == NULL)
1312 goto skip_ext;
1313 /*
1314 * Check for enough room 2 for extension type, 2 for len rest for
1315 * ticket
1316 */
1317 if ((long)(limit - ret - 4 - ticklen) < 0)
1318 return NULL;
1319 s2n(TLSEXT_TYPE_session_ticket, ret);
1320 s2n(ticklen, ret);
1321 if (ticklen) {
1322 memcpy(ret, s->session->tlsext_tick, ticklen);
1323 ret += ticklen;
1324 }
1325 }
1326 skip_ext:
1327
1328 if (SSL_USE_SIGALGS(s)) {
1329 size_t salglen;
1330 const unsigned char *salg;
1331 unsigned char *etmp;
1332 salglen = tls12_get_psigalgs(s, &salg);
1333 if ((size_t)(limit - ret) < salglen + 6)
1334 return NULL;
1335 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1336 etmp = ret;
1337 /* Skip over lengths for now */
1338 ret += 4;
1339 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1340 /* Fill in lengths */
1341 s2n(salglen + 2, etmp);
1342 s2n(salglen, etmp);
1343 ret += salglen;
1344 }
0f113f3e
MC		 1345
1346 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1347 int i;
1348 long extlen, idlen, itmp;
1349 OCSP_RESPID *id;
1350
1351 idlen = 0;
1352 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1353 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1354 itmp = i2d_OCSP_RESPID(id, NULL);
1355 if (itmp <= 0)
1356 return NULL;
1357 idlen += itmp + 2;
860c3dd1
DSH		 1358 }
1359
0f113f3e
MC		 1360 if (s->tlsext_ocsp_exts) {
1361 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1362 if (extlen < 0)
1363 return NULL;
1364 } else
1365 extlen = 0;
1366
1367 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1368 return NULL;
1369 s2n(TLSEXT_TYPE_status_request, ret);
1370 if (extlen + idlen > 0xFFF0)
1371 return NULL;
1372 s2n(extlen + idlen + 5, ret);
1373 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1374 s2n(idlen, ret);
1375 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1376 /* save position of id len */
1377 unsigned char *q = ret;
1378 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1379 /* skip over id len */
1380 ret += 2;
1381 itmp = i2d_OCSP_RESPID(id, &ret);
1382 /* write id len */
1383 s2n(itmp, q);
1384 }
1385 s2n(extlen, ret);
1386 if (extlen > 0)
1387 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1388 }
e481f9b9 1389#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1390 if (SSL_IS_DTLS(s)) {
1391 /* Add Heartbeat extension */
1392 if ((limit - ret - 4 - 1) < 0)
1393 return NULL;
1394 s2n(TLSEXT_TYPE_heartbeat, ret);
1395 s2n(1, ret);
1396 /*-
1397 * Set mode:
1398 * 1: peer may send requests
1399 * 2: peer not allowed to send requests
1400 */
1401 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1402 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1403 else
1404 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1405 }
e481f9b9 1406#endif
0f113f3e 1407
e481f9b9 1408#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1409 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1410 /*
1411 * The client advertises an emtpy extension to indicate its support
1412 * for Next Protocol Negotiation
1413 */
1414 if (limit - ret - 4 < 0)
1415 return NULL;
1416 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1417 s2n(0, ret);
1418 }
e481f9b9 1419#endif
0f113f3e
MC		 1420
1421 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1422 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1423 return NULL;
1424 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1425 s2n(2 + s->alpn_client_proto_list_len, ret);
1426 s2n(s->alpn_client_proto_list_len, ret);
1427 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1428 ret += s->alpn_client_proto_list_len;
1429 }
e481f9b9 1430#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1431 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1432 int el;
1433
69f68237
MC		 1434 /* Returns 0 on success!! */
1435 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1436 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1437 return NULL;
1438 }
0f113f3e
MC		 1439
1440 if ((limit - ret - 4 - el) < 0)
1441 return NULL;
1442
1443 s2n(TLSEXT_TYPE_use_srtp, ret);
1444 s2n(el, ret);
1445
1446 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1447 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1448 return NULL;
1449 }
1450 ret += el;
1451 }
e481f9b9 1452#endif
0f113f3e
MC		 1453 custom_ext_init(&s->cert->cli_ext);
1454 /* Add custom TLS Extensions to ClientHello */
1455 if (!custom_ext_add(s, 0, &ret, limit, al))
1456 return NULL;
e481f9b9 1457#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1458 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1459 s2n(0, ret);
e481f9b9 1460#endif
ddc06b35
DSH		 1461 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1462 s2n(0, ret);
0f113f3e
MC		 1463
1464 /*
1465 * Add padding to workaround bugs in F5 terminators. See
1466 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1467 * code works out the length of all existing extensions it MUST always
1468 * appear last.
1469 */
1470 if (s->options & SSL_OP_TLSEXT_PADDING) {
1471 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1472
0f113f3e
MC		 1473 if (hlen > 0xff && hlen < 0x200) {
1474 hlen = 0x200 - hlen;
1475 if (hlen >= 4)
1476 hlen -= 4;
1477 else
1478 hlen = 0;
1479
1480 s2n(TLSEXT_TYPE_padding, ret);
1481 s2n(hlen, ret);
1482 memset(ret, 0, hlen);
1483 ret += hlen;
1484 }
1485 }
5a3d8eeb 1486
0f113f3e 1487 done:
5a3d8eeb 1488
0f113f3e
MC		 1489 if ((extdatalen = ret - orig - 2) == 0)
1490 return orig;
5a3d8eeb 1491
0f113f3e
MC		 1492 s2n(extdatalen, orig);
1493 return ret;
1494}
333f926d 1495
0f113f3e
MC		 1496unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1497 unsigned char *limit, int *al)
1498{
1499 int extdatalen = 0;
1500 unsigned char *orig = buf;
1501 unsigned char *ret = buf;
e481f9b9 1502#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1503 int next_proto_neg_seen;
e481f9b9
MC		 1504#endif
1505#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1506 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1507 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1508 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1509 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1510#endif
0f113f3e
MC		 1511
1512 ret += 2;
1513 if (ret >= limit)
1514 return NULL; /* this really never occurs, but ... */
1515
1516 if (s->s3->send_connection_binding) {
1517 int el;
1518
1519 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1520 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1521 return NULL;
1522 }
333f926d 1523
0f113f3e
MC		 1524 if ((limit - ret - 4 - el) < 0)
1525 return NULL;
333f926d 1526
0f113f3e
MC		 1527 s2n(TLSEXT_TYPE_renegotiate, ret);
1528 s2n(el, ret);
333f926d 1529
0f113f3e
MC		 1530 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1531 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1532 return NULL;
1533 }
333f926d 1534
0f113f3e
MC		 1535 ret += el;
1536 }
1537
1538 /* Only add RI for SSLv3 */
1539 if (s->version == SSL3_VERSION)
1540 goto done;
1541
1542 if (!s->hit && s->servername_done == 1
1543 && s->session->tlsext_hostname != NULL) {
1544 if ((long)(limit - ret - 4) < 0)
1545 return NULL;
1546
1547 s2n(TLSEXT_TYPE_server_name, ret);
1548 s2n(0, ret);
1549 }
e481f9b9 1550#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1551 if (using_ecc) {
1552 const unsigned char *plist;
1553 size_t plistlen;
1554 /*
1555 * Add TLS extension ECPointFormats to the ServerHello message
1556 */
1557 long lenmax;
1558
1559 tls1_get_formatlist(s, &plist, &plistlen);
1560
1561 if ((lenmax = limit - ret - 5) < 0)
1562 return NULL;
1563 if (plistlen > (size_t)lenmax)
1564 return NULL;
1565 if (plistlen > 255) {
1566 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1567 return NULL;
1568 }
4817504d 1569
0f113f3e
MC		 1570 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1571 s2n(plistlen + 1, ret);
1572 *(ret++) = (unsigned char)plistlen;
1573 memcpy(ret, plist, plistlen);
1574 ret += plistlen;
1575
1576 }
1577 /*
1578 * Currently the server should not respond with a SupportedCurves
1579 * extension
1580 */
e481f9b9 1581#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1582
1583 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1584 if ((long)(limit - ret - 4) < 0)
1585 return NULL;
1586 s2n(TLSEXT_TYPE_session_ticket, ret);
1587 s2n(0, ret);
1588 }
1589
1590 if (s->tlsext_status_expected) {
1591 if ((long)(limit - ret - 4) < 0)
1592 return NULL;
1593 s2n(TLSEXT_TYPE_status_request, ret);
1594 s2n(0, ret);
1595 }
0f113f3e 1596
e481f9b9 1597#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1598 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1599 int el;
1600
69f68237 1601 /* Returns 0 on success!! */
61986d32 1602 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1603 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1604 return NULL;
1605 }
0f113f3e
MC		 1606 if ((limit - ret - 4 - el) < 0)
1607 return NULL;
1608
1609 s2n(TLSEXT_TYPE_use_srtp, ret);
1610 s2n(el, ret);
1611
1612 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1613 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1614 return NULL;
1615 }
1616 ret += el;
1617 }
e481f9b9 1618#endif
0f113f3e
MC		 1619
1620 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1621 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1622 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1623 const unsigned char cryptopro_ext[36] = {
1624 0xfd, 0xe8, /* 65000 */
1625 0x00, 0x20, /* 32 bytes length */
1626 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1627 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1628 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1629 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1630 };
1631 if (limit - ret < 36)
1632 return NULL;
1633 memcpy(ret, cryptopro_ext, 36);
1634 ret += 36;
1635
1636 }
e481f9b9 1637#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 1638 /* Add Heartbeat extension if we've received one */
22e3dcb7 1639 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
0f113f3e
MC		 1640 if ((limit - ret - 4 - 1) < 0)
1641 return NULL;
1642 s2n(TLSEXT_TYPE_heartbeat, ret);
1643 s2n(1, ret);
50e735f9
MC		 1644 /*-
1645 * Set mode:
1646 * 1: peer may send requests
1647 * 2: peer not allowed to send requests
1648 */
22e3dcb7
RS		 1649 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1650 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e 1651 else
22e3dcb7 1652 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 1653
1654 }
e481f9b9 1655#endif
0f113f3e 1656
e481f9b9 1657#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1658 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1659 s->s3->next_proto_neg_seen = 0;
1660 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1661 const unsigned char *npa;
1662 unsigned int npalen;
1663 int r;
1664
1665 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1666 s->
1667 ctx->next_protos_advertised_cb_arg);
1668 if (r == SSL_TLSEXT_ERR_OK) {
1669 if ((long)(limit - ret - 4 - npalen) < 0)
1670 return NULL;
1671 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1672 s2n(npalen, ret);
1673 memcpy(ret, npa, npalen);
1674 ret += npalen;
1675 s->s3->next_proto_neg_seen = 1;
1676 }
1677 }
e481f9b9 1678#endif
0f113f3e
MC		 1679 if (!custom_ext_add(s, 1, &ret, limit, al))
1680 return NULL;
e481f9b9 1681#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 1682 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1683 /*
1684 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1685 * for other cases too.
1686 */
1687 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1688 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1689 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1690 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1691 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1692 else {
1693 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1694 s2n(0, ret);
1695 }
1696 }
e481f9b9 1697#endif
e7f0d921 1698 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1699 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1700 s2n(0, ret);
1701 }
0f113f3e
MC		 1702
1703 if (s->s3->alpn_selected) {
1704 const unsigned char *selected = s->s3->alpn_selected;
1705 unsigned len = s->s3->alpn_selected_len;
1706
1707 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1708 return NULL;
1709 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1710 s2n(3 + len, ret);
1711 s2n(1 + len, ret);
1712 *ret++ = len;
1713 memcpy(ret, selected, len);
1714 ret += len;
1715 }
1716
1717 done:
1718
1719 if ((extdatalen = ret - orig - 2) == 0)
1720 return orig;
1721
1722 s2n(extdatalen, orig);
1723 return ret;
1724}
a398f821 1725
0f113f3e
MC		 1726/*
1727 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1728 * ClientHello. data: the contents of the extension, not including the type
1729 * and length. data_len: the number of bytes in |data| al: a pointer to the
1730 * alert value to send in the event of a non-zero return. returns: 0 on
1731 * success.
1732 */
9ceb2426 1733static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1734{
9ceb2426
MC		 1735 unsigned int data_len;
1736 unsigned int proto_len;
0f113f3e 1737 const unsigned char *selected;
b6981744 1738 const unsigned char *data;
0f113f3e
MC		 1739 unsigned char selected_len;
1740 int r;
1741
1742 if (s->ctx->alpn_select_cb == NULL)
1743 return 0;
1744
0f113f3e
MC		 1745 /*
1746 * data should contain a uint16 length followed by a series of 8-bit,
1747 * length-prefixed strings.
1748 */
9ceb2426
MC		 1749 if (!PACKET_get_net_2(pkt, &data_len)
1750 || PACKET_remaining(pkt) != data_len
1751 || !PACKET_peek_bytes(pkt, &data, data_len))
0f113f3e
MC		 1752 goto parse_error;
1753
9ceb2426
MC		 1754 do {
1755 if (!PACKET_get_1(pkt, &proto_len)
1756 || proto_len == 0
1757 || !PACKET_forward(pkt, proto_len))
0f113f3e 1758 goto parse_error;
9ceb2426 1759 } while (PACKET_remaining(pkt));
0f113f3e
MC		 1760
1761 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1762 s->ctx->alpn_select_cb_arg);
1763 if (r == SSL_TLSEXT_ERR_OK) {
b548a1f1 1764 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 1765 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
a71edf3b 1766 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 1767 *al = SSL_AD_INTERNAL_ERROR;
1768 return -1;
1769 }
1770 memcpy(s->s3->alpn_selected, selected, selected_len);
1771 s->s3->alpn_selected_len = selected_len;
1772 }
1773 return 0;
1774
1775 parse_error:
1776 *al = SSL_AD_DECODE_ERROR;
1777 return -1;
1778}
6f017a8f 1779
e481f9b9 1780#ifndef OPENSSL_NO_EC
1d97c843
TH		 1781/*-
1782 * ssl_check_for_safari attempts to fingerprint Safari using OS X
dece3209
RS		 1783 * SecureTransport using the TLS extension block in |d|, of length |n|.
1784 * Safari, since 10.6, sends exactly these extensions, in this order:
1785 * SNI,
1786 * elliptic_curves
1787 * ec_point_formats
1788 *
1789 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1790 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1791 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1792 * 10.8..10.8.3 (which don't work).
1793 */
68a16628 1794static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1795{
9ceb2426 1796 unsigned int type, size;
b6981744 1797 const unsigned char *eblock1, *eblock2;
68a16628 1798 PACKET tmppkt;
9ceb2426 1799
0f113f3e
MC		 1800 static const unsigned char kSafariExtensionsBlock[] = {
1801 0x00, 0x0a, /* elliptic_curves extension */
1802 0x00, 0x08, /* 8 bytes */
1803 0x00, 0x06, /* 6 bytes of curve ids */
1804 0x00, 0x17, /* P-256 */
1805 0x00, 0x18, /* P-384 */
1806 0x00, 0x19, /* P-521 */
1807
1808 0x00, 0x0b, /* ec_point_formats */
1809 0x00, 0x02, /* 2 bytes */
1810 0x01, /* 1 point format */
1811 0x00, /* uncompressed */
1812 };
1813
1814 /* The following is only present in TLS 1.2 */
1815 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1816 0x00, 0x0d, /* signature_algorithms */
1817 0x00, 0x0c, /* 12 bytes */
1818 0x00, 0x0a, /* 10 bytes */
1819 0x05, 0x01, /* SHA-384/RSA */
1820 0x04, 0x01, /* SHA-256/RSA */
1821 0x02, 0x01, /* SHA-1/RSA */
1822 0x04, 0x03, /* SHA-256/ECDSA */
1823 0x02, 0x03, /* SHA-1/ECDSA */
1824 };
1825
68a16628
MC		 1826 tmppkt = *pkt;
1827
1828 if (!PACKET_forward(&tmppkt, 2)
1829 || !PACKET_get_net_2(&tmppkt, &type)
1830 || !PACKET_get_net_2(&tmppkt, &size)
1831 || !PACKET_forward(&tmppkt, size))
0f113f3e 1832 return;
0f113f3e
MC		 1833
1834 if (type != TLSEXT_TYPE_server_name)
1835 return;
1836
0f113f3e
MC		 1837 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1838 const size_t len1 = sizeof(kSafariExtensionsBlock);
1839 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1840
68a16628
MC		 1841 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1842 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1843 || PACKET_remaining(&tmppkt))
0f113f3e 1844 return;
9ceb2426 1845 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
0f113f3e 1846 return;
9ceb2426 1847 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
0f113f3e
MC		 1848 return;
1849 } else {
1850 const size_t len = sizeof(kSafariExtensionsBlock);
1851
68a16628
MC		 1852 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1853 || PACKET_remaining(&tmppkt))
0f113f3e 1854 return;
9ceb2426 1855 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
0f113f3e
MC		 1856 return;
1857 }
1858
1859 s->s3->is_probably_safari = 1;
dece3209 1860}
e481f9b9 1861#endif /* !OPENSSL_NO_EC */
0f113f3e 1862
9ceb2426 1863static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1864{
9ceb2426
MC		 1865 unsigned int type;
1866 unsigned int size;
1867 unsigned int len;
b6981744 1868 const unsigned char *data;
0f113f3e
MC		 1869 int renegotiate_seen = 0;
1870
1871 s->servername_done = 0;
1872 s->tlsext_status_type = -1;
e481f9b9 1873#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1874 s->s3->next_proto_neg_seen = 0;
e481f9b9 1875#endif
0f113f3e 1876
b548a1f1
RS		 1877 OPENSSL_free(s->s3->alpn_selected);
1878 s->s3->alpn_selected = NULL;
e481f9b9 1879#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1880 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1881 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1882#endif
0f113f3e 1883
e481f9b9 1884#ifndef OPENSSL_NO_EC
0f113f3e 1885 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426
MC		 1886 ssl_check_for_safari(s, pkt);
1887# endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1888
1889 /* Clear any signature algorithms extension received */
76106e60
DSH		 1890 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1891 s->s3->tmp.peer_sigalgs = NULL;
e481f9b9 1892#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 1893 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 1894#endif
0f113f3e 1895
e481f9b9 1896#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1897 OPENSSL_free(s->srp_ctx.login);
1898 s->srp_ctx.login = NULL;
e481f9b9 1899#endif
0f113f3e
MC		 1900
1901 s->srtp_profile = NULL;
1902
9ceb2426 1903 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1904 goto ri_check;
1905
9ceb2426 1906 if (!PACKET_get_net_2(pkt, &len))
1ae3fdbe
AL		 1907 goto err;
1908
52a48f9e
AG		 1909 if (PACKET_remaining(pkt) != len)
1910 goto err;
1911
9ceb2426
MC		 1912 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1913 PACKET subpkt;
0f113f3e 1914
9ceb2426 1915 if (!PACKET_peek_bytes(pkt, &data, size))
54e3ad00 1916 goto err;
9ceb2426 1917
0f113f3e
MC		 1918 if (s->tlsext_debug_cb)
1919 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
9ceb2426
MC		 1920
1921 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1922 goto err;
1923
0f113f3e 1924 if (type == TLSEXT_TYPE_renegotiate) {
9ceb2426 1925 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
0f113f3e
MC		 1926 return 0;
1927 renegotiate_seen = 1;
1928 } else if (s->version == SSL3_VERSION) {
1929 }
1d97c843
TH		 1930/*-
1931 * The servername extension is treated as follows:
1932 *
1933 * - Only the hostname type is supported with a maximum length of 255.
1934 * - The servername is rejected if too long or if it contains zeros,
1935 * in which case an fatal alert is generated.
1936 * - The servername field is maintained together with the session cache.
1937 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1938 * to allow the application to position itself to the right context.
1939 * - The servername is acknowledged if it is new for a session or when
1940 * it is identical to a previously used for the same session.
1d97c843
TH		 1941 * Applications can control the behaviour. They can at any time
1942 * set a 'desirable' servername for a new SSL object. This can be the
1943 * case for example with HTTPS when a Host: header field is received and
1944 * a renegotiation is requested. In this case, a possible servername
1945 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1946 * the value of the Host: field.
1d97c843 1947 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1948 * if they provide for changing an explicit servername context for the
1949 * session, i.e. when the session has been established with a servername
1950 * extension.
1951 * - On session reconnect, the servername extension may be absent.
1d97c843 1952 *
0f113f3e 1953 */
ed3883d2 1954
0f113f3e 1955 else if (type == TLSEXT_TYPE_server_name) {
b6981744 1956 const unsigned char *sdata;
9ceb2426
MC		 1957 unsigned int servname_type;
1958 unsigned int dsize;
1959 PACKET ssubpkt;
0f113f3e 1960
9ceb2426
MC		 1961 if (!PACKET_get_net_2(&subpkt, &dsize)
1962 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 1963 goto err;
0f113f3e 1964
9ceb2426
MC		 1965 while (PACKET_remaining(&ssubpkt) > 3) {
1966 if (!PACKET_get_1(&ssubpkt, &servname_type)
1967 || !PACKET_get_net_2(&ssubpkt, &len)
1968 || PACKET_remaining(&ssubpkt) < len)
54e3ad00
MC		 1969 goto err;
1970
0f113f3e
MC		 1971 if (s->servername_done == 0)
1972 switch (servname_type) {
1973 case TLSEXT_NAMETYPE_host_name:
1974 if (!s->hit) {
54e3ad00
MC		 1975 if (s->session->tlsext_hostname)
1976 goto err;
1977
0f113f3e
MC		 1978 if (len > TLSEXT_MAXLEN_host_name) {
1979 *al = TLS1_AD_UNRECOGNIZED_NAME;
1980 return 0;
1981 }
1982 if ((s->session->tlsext_hostname =
1983 OPENSSL_malloc(len + 1)) == NULL) {
1984 *al = TLS1_AD_INTERNAL_ERROR;
1985 return 0;
1986 }
9ceb2426
MC		 1987 if (!PACKET_copy_bytes(&ssubpkt,
1988 (unsigned char *)s->session
1989 ->tlsext_hostname,
1990 len)) {
1991 *al = SSL_AD_DECODE_ERROR;
1992 return 0;
1993 }
0f113f3e
MC		 1994 s->session->tlsext_hostname[len] = '\0';
1995 if (strlen(s->session->tlsext_hostname) != len) {
1996 OPENSSL_free(s->session->tlsext_hostname);
1997 s->session->tlsext_hostname = NULL;
1998 *al = TLS1_AD_UNRECOGNIZED_NAME;
1999 return 0;
2000 }
2001 s->servername_done = 1;
761772d7 2002
9ceb2426
MC		 2003 } else {
2004 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2005 *al = SSL_AD_DECODE_ERROR;
2006 return 0;
2007 }
0f113f3e
MC		 2008 s->servername_done = s->session->tlsext_hostname
2009 && strlen(s->session->tlsext_hostname) == len
2010 && strncmp(s->session->tlsext_hostname,
2011 (char *)sdata, len) == 0;
9ceb2426 2012 }
b2284ed3 2013
0f113f3e 2014 break;
ee2ffc27 2015
0f113f3e
MC		 2016 default:
2017 break;
2018 }
0f113f3e 2019 }
9ceb2426 2020 /* We shouldn't have any bytes left */
bc6616a4 2021 if (PACKET_remaining(&ssubpkt) != 0)
54e3ad00 2022 goto err;
6f017a8f 2023
0f113f3e 2024 }
e481f9b9 2025#ifndef OPENSSL_NO_SRP
0f113f3e 2026 else if (type == TLSEXT_TYPE_srp) {
9ceb2426
MC		 2027 if (!PACKET_get_1(&subpkt, &len)
2028 || s->srp_ctx.login != NULL)
54e3ad00 2029 goto err;
9ceb2426 2030
0f113f3e
MC		 2031 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2032 return -1;
9ceb2426
MC		 2033 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2034 len))
2035 goto err;
0f113f3e
MC		 2036 s->srp_ctx.login[len] = '\0';
2037
9ceb2426
MC		 2038 if (strlen(s->srp_ctx.login) != len
2039 || PACKET_remaining(&subpkt))
54e3ad00 2040 goto err;
0f113f3e 2041 }
e481f9b9 2042#endif
0f113f3e 2043
e481f9b9 2044#ifndef OPENSSL_NO_EC
0f113f3e 2045 else if (type == TLSEXT_TYPE_ec_point_formats) {
9ceb2426 2046 unsigned int ecpointformatlist_length;
0f113f3e 2047
9ceb2426
MC		 2048 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2049 || ecpointformatlist_length == 0)
54e3ad00 2050 goto err;
9ceb2426 2051
0f113f3e 2052 if (!s->hit) {
b548a1f1
RS		 2053 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2054 s->session->tlsext_ecpointformatlist = NULL;
0f113f3e
MC		 2055 s->session->tlsext_ecpointformatlist_length = 0;
2056 if ((s->session->tlsext_ecpointformatlist =
2057 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2058 *al = TLS1_AD_INTERNAL_ERROR;
2059 return 0;
2060 }
2061 s->session->tlsext_ecpointformatlist_length =
2062 ecpointformatlist_length;
9ceb2426
MC		 2063 if (!PACKET_copy_bytes(&subpkt,
2064 s->session->tlsext_ecpointformatlist,
2065 ecpointformatlist_length))
2066 goto err;
2067 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2068 goto err;
2069 }
2070 /* We should have consumed all the bytes by now */
2071 if (PACKET_remaining(&subpkt)) {
2072 *al = TLS1_AD_DECODE_ERROR;
2073 return 0;
0f113f3e 2074 }
0f113f3e 2075 } else if (type == TLSEXT_TYPE_elliptic_curves) {
9ceb2426 2076 unsigned int ellipticcurvelist_length;
0f113f3e 2077
9ceb2426
MC		 2078 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2079 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2080 || ellipticcurvelist_length == 0
2081 || (ellipticcurvelist_length & 1) != 0)
2082 goto err;
54e3ad00 2083
0f113f3e 2084 if (!s->hit) {
54e3ad00
MC		 2085 if (s->session->tlsext_ellipticcurvelist)
2086 goto err;
2087
0f113f3e
MC		 2088 s->session->tlsext_ellipticcurvelist_length = 0;
2089 if ((s->session->tlsext_ellipticcurvelist =
2090 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2091 *al = TLS1_AD_INTERNAL_ERROR;
2092 return 0;
2093 }
2094 s->session->tlsext_ellipticcurvelist_length =
2095 ellipticcurvelist_length;
9ceb2426
MC		 2096 if (!PACKET_copy_bytes(&subpkt,
2097 s->session->tlsext_ellipticcurvelist,
2098 ellipticcurvelist_length))
2099 goto err;
2100 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2101 goto err;
2102 }
2103 /* We should have consumed all the bytes by now */
2104 if (PACKET_remaining(&subpkt)) {
2105 goto err;
0f113f3e 2106 }
0f113f3e 2107 }
e481f9b9 2108#endif /* OPENSSL_NO_EC */
0f113f3e 2109 else if (type == TLSEXT_TYPE_session_ticket) {
9ceb2426
MC		 2110 if (!PACKET_forward(&subpkt, size)
2111 || (s->tls_session_ticket_ext_cb &&
2112 !s->tls_session_ticket_ext_cb(s, data, size,
2113 s->tls_session_ticket_ext_cb_arg))) {
0f113f3e
MC		 2114 *al = TLS1_AD_INTERNAL_ERROR;
2115 return 0;
2116 }
2117 } else if (type == TLSEXT_TYPE_signature_algorithms) {
9ceb2426
MC		 2118 unsigned int dsize;
2119
2120 if (s->s3->tmp.peer_sigalgs
2121 || !PACKET_get_net_2(&subpkt, &dsize)
2122 || (dsize & 1) != 0
2123 || (dsize == 0)
2124 || !PACKET_get_bytes(&subpkt, &data, dsize)
bc6616a4 2125 || PACKET_remaining(&subpkt) != 0
9ceb2426 2126 || !tls1_save_sigalgs(s, data, dsize)) {
54e3ad00 2127 goto err;
9ceb2426 2128 }
0f113f3e 2129 } else if (type == TLSEXT_TYPE_status_request) {
9ceb2426 2130 PACKET ssubpkt;
0f113f3e 2131
9ceb2426
MC		 2132 if (!PACKET_get_1(&subpkt,
2133 (unsigned int *)&s->tlsext_status_type))
54e3ad00 2134 goto err;
0f113f3e 2135
0f113f3e
MC		 2136 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2137 const unsigned char *sdata;
9ceb2426 2138 unsigned int dsize;
0f113f3e 2139 /* Read in responder_id_list */
9ceb2426
MC		 2140 if (!PACKET_get_net_2(&subpkt, &dsize)
2141 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
54e3ad00 2142 goto err;
9ceb2426
MC		 2143
2144 while (PACKET_remaining(&ssubpkt)) {
0f113f3e 2145 OCSP_RESPID *id;
9ceb2426
MC		 2146 unsigned int idsize;
2147
2148 if (PACKET_remaining(&ssubpkt) < 4
2149 || !PACKET_get_net_2(&ssubpkt, &idsize)
2150 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
54e3ad00 2151 goto err;
9ceb2426 2152 }
0f113f3e
MC		 2153 sdata = data;
2154 data += idsize;
2155 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
54e3ad00
MC		 2156 if (!id)
2157 goto err;
0f113f3e
MC		 2158 if (data != sdata) {
2159 OCSP_RESPID_free(id);
54e3ad00 2160 goto err;
0f113f3e
MC		 2161 }
2162 if (!s->tlsext_ocsp_ids
2163 && !(s->tlsext_ocsp_ids =
2164 sk_OCSP_RESPID_new_null())) {
2165 OCSP_RESPID_free(id);
2166 *al = SSL_AD_INTERNAL_ERROR;
2167 return 0;
2168 }
2169 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2170 OCSP_RESPID_free(id);
2171 *al = SSL_AD_INTERNAL_ERROR;
2172 return 0;
2173 }
2174 }
4817504d 2175
0f113f3e 2176 /* Read in request_extensions */
9ceb2426
MC		 2177 if (!PACKET_get_net_2(&subpkt, &dsize)
2178 || !PACKET_get_bytes(&subpkt, &data, dsize)
2179 || PACKET_remaining(&subpkt)) {
54e3ad00 2180 goto err;
9ceb2426 2181 }
0f113f3e
MC		 2182 sdata = data;
2183 if (dsize > 0) {
222561fe
RS		 2184 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2185 X509_EXTENSION_free);
0f113f3e
MC		 2186 s->tlsext_ocsp_exts =
2187 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
54e3ad00
MC		 2188 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2189 goto err;
0f113f3e
MC		 2190 }
2191 }
2192 /*
2193 * We don't know what to do with any other type * so ignore it.
2194 */
2195 else
2196 s->tlsext_status_type = -1;
2197 }
e481f9b9 2198#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2199 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2200 unsigned int hbtype;
2201
2202 if (!PACKET_get_1(&subpkt, &hbtype)
2203 || PACKET_remaining(&subpkt)) {
2204 *al = SSL_AD_DECODE_ERROR;
2205 return 0;
2206 }
2207 switch (hbtype) {
0f113f3e 2208 case 0x01: /* Client allows us to send HB requests */
22e3dcb7 2209 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2210 break;
2211 case 0x02: /* Client doesn't accept HB requests */
22e3dcb7
RS		 2212 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2213 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2214 break;
2215 default:
2216 *al = SSL_AD_ILLEGAL_PARAMETER;
2217 return 0;
2218 }
2219 }
e481f9b9
MC		 2220#endif
2221#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2222 else if (type == TLSEXT_TYPE_next_proto_neg &&
2223 s->s3->tmp.finish_md_len == 0 &&
2224 s->s3->alpn_selected == NULL) {
50e735f9
MC		 2225 /*-
2226 * We shouldn't accept this extension on a
2227 * renegotiation.
2228 *
2229 * s->new_session will be set on renegotiation, but we
2230 * probably shouldn't rely that it couldn't be set on
2231 * the initial renegotation too in certain cases (when
2232 * there's some other reason to disallow resuming an
2233 * earlier session -- the current code won't be doing
2234 * anything like that, but this might change).
2235 *
2236 * A valid sign that there's been a previous handshake
2237 * in this connection is if s->s3->tmp.finish_md_len >
2238 * 0. (We are talking about a check that will happen
2239 * in the Hello protocol round, well before a new
2240 * Finished message could have been computed.)
2241 */
0f113f3e
MC		 2242 s->s3->next_proto_neg_seen = 1;
2243 }
e481f9b9 2244#endif
0f113f3e
MC		 2245
2246 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2247 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
9ceb2426 2248 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
0f113f3e 2249 return 0;
e481f9b9 2250#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2251 /* ALPN takes precedence over NPN. */
2252 s->s3->next_proto_neg_seen = 0;
e481f9b9 2253#endif
0f113f3e 2254 }
5e3ff62c 2255
0f113f3e 2256 /* session ticket processed earlier */
e481f9b9 2257#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2258 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2259 && type == TLSEXT_TYPE_use_srtp) {
9ceb2426 2260 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
0f113f3e
MC		 2261 return 0;
2262 }
e481f9b9
MC		 2263#endif
2264#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2265 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2266 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2267#endif
e7f0d921
DSH		 2268 /*
2269 * Note: extended master secret extension handled in
2270 * tls_check_serverhello_tlsext_early()
2271 */
2272
0f113f3e
MC		 2273 /*
2274 * If this ClientHello extension was unhandled and this is a
2275 * nonresumed connection, check whether the extension is a custom
2276 * TLS Extension (has a custom_srv_ext_record), and if so call the
2277 * callback and record the extension number so that an appropriate
2278 * ServerHello may be later returned.
2279 */
2280 else if (!s->hit) {
2281 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2282 return 0;
2283 }
0f113f3e 2284 }
6f017a8f 2285
54e3ad00 2286 /* Spurious data on the end */
9ceb2426 2287 if (PACKET_remaining(pkt) != 0)
54e3ad00
MC		 2288 goto err;
2289
0f113f3e 2290 ri_check:
ed3883d2 2291
0f113f3e
MC		 2292 /* Need RI if renegotiating */
2293
2294 if (!renegotiate_seen && s->renegotiate &&
2295 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2296 *al = SSL_AD_HANDSHAKE_FAILURE;
2297 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2298 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2299 return 0;
2300 }
2301
2302 return 1;
54e3ad00
MC		 2303err:
2304 *al = SSL_AD_DECODE_ERROR;
2305 return 0;
0f113f3e
MC		 2306}
2307
9ceb2426 2308int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2309{
2310 int al = -1;
2311 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2312 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2313 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2314 return 0;
2315 }
2316
2317 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2318 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2319 return 0;
2320 }
2321 return 1;
2322}
2323
e481f9b9 2324#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2325/*
2326 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2327 * elements of zero length are allowed and the set of elements must exactly
2328 * fill the length of the block.
2329 */
50932c4a 2330static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2331{
50932c4a 2332 unsigned int len;
0f113f3e 2333
50932c4a
MC		 2334 while (PACKET_remaining(pkt)) {
2335 if (!PACKET_get_1(pkt, &len)
2336 || !PACKET_forward(pkt, len))
0f113f3e 2337 return 0;
0f113f3e
MC		 2338 }
2339
50932c4a 2340 return 1;
0f113f3e 2341}
e481f9b9 2342#endif
0f113f3e 2343
50932c4a 2344static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2345{
50932c4a 2346 unsigned int length, type, size;
0f113f3e
MC		 2347 int tlsext_servername = 0;
2348 int renegotiate_seen = 0;
2349
e481f9b9 2350#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2351 s->s3->next_proto_neg_seen = 0;
e481f9b9 2352#endif
0f113f3e
MC		 2353 s->tlsext_ticket_expected = 0;
2354
b548a1f1
RS		 2355 OPENSSL_free(s->s3->alpn_selected);
2356 s->s3->alpn_selected = NULL;
e481f9b9 2357#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 2358 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2359 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2360#endif
0f113f3e 2361
e481f9b9 2362#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e 2363 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
e481f9b9 2364#endif
0f113f3e 2365
e7f0d921
DSH		 2366 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2367
50932c4a 2368 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2369 goto ri_check;
2370
50932c4a 2371 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2372 *al = SSL_AD_DECODE_ERROR;
2373 return 0;
2374 }
2375
50932c4a 2376 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2377 const unsigned char *data;
50932c4a 2378 PACKET spkt;
0f113f3e 2379
50932c4a
MC		 2380 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2381 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2382 goto ri_check;
2383
2384 if (s->tlsext_debug_cb)
2385 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2386
2387 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2388 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2389 return 0;
2390 renegotiate_seen = 1;
2391 } else if (s->version == SSL3_VERSION) {
2392 } else if (type == TLSEXT_TYPE_server_name) {
2393 if (s->tlsext_hostname == NULL || size > 0) {
2394 *al = TLS1_AD_UNRECOGNIZED_NAME;
2395 return 0;
2396 }
2397 tlsext_servername = 1;
2398 }
e481f9b9 2399#ifndef OPENSSL_NO_EC
0f113f3e 2400 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2401 unsigned int ecpointformatlist_length;
2402 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2403 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2404 *al = TLS1_AD_DECODE_ERROR;
2405 return 0;
2406 }
2407 if (!s->hit) {
2408 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2409 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2410 if ((s->session->tlsext_ecpointformatlist =
2411 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2412 *al = TLS1_AD_INTERNAL_ERROR;
2413 return 0;
2414 }
2415 s->session->tlsext_ecpointformatlist_length =
2416 ecpointformatlist_length;
50932c4a
MC		 2417 if (!PACKET_copy_bytes(&spkt,
2418 s->session->tlsext_ecpointformatlist,
2419 ecpointformatlist_length)) {
2420 *al = TLS1_AD_DECODE_ERROR;
2421 return 0;
2422 }
2423
0f113f3e 2424 }
0f113f3e 2425 }
e481f9b9 2426#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2427
2428 else if (type == TLSEXT_TYPE_session_ticket) {
2429 if (s->tls_session_ticket_ext_cb &&
2430 !s->tls_session_ticket_ext_cb(s, data, size,
2431 s->tls_session_ticket_ext_cb_arg))
2432 {
2433 *al = TLS1_AD_INTERNAL_ERROR;
2434 return 0;
2435 }
2436 if (!tls_use_ticket(s) || (size > 0)) {
2437 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2438 return 0;
2439 }
2440 s->tlsext_ticket_expected = 1;
2441 }
0f113f3e
MC		 2442 else if (type == TLSEXT_TYPE_status_request) {
2443 /*
2444 * MUST be empty and only sent if we've requested a status
2445 * request message.
2446 */
2447 if ((s->tlsext_status_type == -1) || (size > 0)) {
2448 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2449 return 0;
2450 }
2451 /* Set flag to expect CertificateStatus message */
2452 s->tlsext_status_expected = 1;
2453 }
e481f9b9 2454#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2455 else if (type == TLSEXT_TYPE_next_proto_neg &&
2456 s->s3->tmp.finish_md_len == 0) {
2457 unsigned char *selected;
2458 unsigned char selected_len;
0f113f3e
MC		 2459 /* We must have requested it. */
2460 if (s->ctx->next_proto_select_cb == NULL) {
2461 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2462 return 0;
2463 }
2464 /* The data must be valid */
50932c4a 2465 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2466 *al = TLS1_AD_DECODE_ERROR;
2467 return 0;
2468 }
2469 if (s->
2470 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2471 size,
2472 s->ctx->next_proto_select_cb_arg) !=
2473 SSL_TLSEXT_ERR_OK) {
2474 *al = TLS1_AD_INTERNAL_ERROR;
2475 return 0;
2476 }
2477 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2478 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2479 *al = TLS1_AD_INTERNAL_ERROR;
2480 return 0;
2481 }
2482 memcpy(s->next_proto_negotiated, selected, selected_len);
2483 s->next_proto_negotiated_len = selected_len;
2484 s->s3->next_proto_neg_seen = 1;
2485 }
e481f9b9 2486#endif
0f113f3e
MC		 2487
2488 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2489 unsigned len;
0f113f3e
MC		 2490 /* We must have requested it. */
2491 if (s->alpn_client_proto_list == NULL) {
2492 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2493 return 0;
2494 }
50e735f9
MC		 2495 /*-
2496 * The extension data consists of:
2497 * uint16 list_length
2498 * uint8 proto_length;
2499 * uint8 proto[proto_length];
2500 */
50932c4a
MC		 2501 if (!PACKET_get_net_2(&spkt, &len)
2502 || PACKET_remaining(&spkt) != len
2503 || !PACKET_get_1(&spkt, &len)
2504 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2505 *al = TLS1_AD_DECODE_ERROR;
2506 return 0;
2507 }
b548a1f1 2508 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2509 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2510 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2511 *al = TLS1_AD_INTERNAL_ERROR;
2512 return 0;
2513 }
50932c4a
MC		 2514 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2515 *al = TLS1_AD_DECODE_ERROR;
2516 return 0;
2517 }
0f113f3e
MC		 2518 s->s3->alpn_selected_len = len;
2519 }
e481f9b9 2520#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2521 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2522 unsigned int hbtype;
2523 if (!PACKET_get_1(&spkt, &hbtype)) {
2524 *al = SSL_AD_DECODE_ERROR;
2525 return 0;
2526 }
2527 switch (hbtype) {
0f113f3e 2528 case 0x01: /* Server allows us to send HB requests */
22e3dcb7 2529 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2530 break;
2531 case 0x02: /* Server doesn't accept HB requests */
22e3dcb7
RS		 2532 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2533 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2534 break;
2535 default:
2536 *al = SSL_AD_ILLEGAL_PARAMETER;
2537 return 0;
2538 }
2539 }
e481f9b9
MC		 2540#endif
2541#ifndef OPENSSL_NO_SRTP
0f113f3e 2542 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2543 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2544 return 0;
2545 }
e481f9b9
MC		 2546#endif
2547#ifdef TLSEXT_TYPE_encrypt_then_mac
0f113f3e
MC		 2548 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2549 /* Ignore if inappropriate ciphersuite */
2550 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2551 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2552 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2553 }
e481f9b9 2554#endif
ddc06b35 2555 else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2556 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2557 if (!s->hit)
2558 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2559 }
0f113f3e
MC		 2560 /*
2561 * If this extension type was not otherwise handled, but matches a
2562 * custom_cli_ext_record, then send it to the c callback
2563 */
2564 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2565 return 0;
0f113f3e
MC		 2566 }
2567
50932c4a 2568 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2569 *al = SSL_AD_DECODE_ERROR;
2570 return 0;
2571 }
2572
2573 if (!s->hit && tlsext_servername == 1) {
2574 if (s->tlsext_hostname) {
2575 if (s->session->tlsext_hostname == NULL) {
7644a9ae 2576 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2577 if (!s->session->tlsext_hostname) {
2578 *al = SSL_AD_UNRECOGNIZED_NAME;
2579 return 0;
2580 }
2581 } else {
2582 *al = SSL_AD_DECODE_ERROR;
2583 return 0;
2584 }
2585 }
2586 }
2587
0f113f3e
MC		 2588 ri_check:
2589
2590 /*
2591 * Determine if we need to see RI. Strictly speaking if we want to avoid
2592 * an attack we should *always* see RI even on initial server hello
2593 * because the client doesn't see any renegotiation during an attack.
2594 * However this would mean we could not connect to any server which
2595 * doesn't support RI so for the immediate future tolerate RI absence on
2596 * initial connect only.
2597 */
2598 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2599 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2600 *al = SSL_AD_HANDSHAKE_FAILURE;
2601 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2602 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2603 return 0;
2604 }
2605
e7f0d921
DSH		 2606 if (s->hit) {
2607 /*
2608 * Check extended master secret extension is consistent with
2609 * original session.
2610 */
2611 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2612 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2613 *al = SSL_AD_HANDSHAKE_FAILURE;
2614 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2615 return 0;
2616 }
2617 }
2618
0f113f3e
MC		 2619 return 1;
2620}
b2172f4f 2621
36ca4ba6 2622int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e
MC		 2623{
2624
0f113f3e
MC		 2625 return 1;
2626}
36ca4ba6
BM		 2627
2628int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2629{
2630 return 1;
2631}
36ca4ba6 2632
2daceb03 2633static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2634{
2635 int ret = SSL_TLSEXT_ERR_NOACK;
2636 int al = SSL_AD_UNRECOGNIZED_NAME;
2637
e481f9b9 2638#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2639 /*
2640 * The handling of the ECPointFormats extension is done elsewhere, namely
2641 * in ssl3_choose_cipher in s3_lib.c.
2642 */
2643 /*
2644 * The handling of the EllipticCurves extension is done elsewhere, namely
2645 * in ssl3_choose_cipher in s3_lib.c.
2646 */
e481f9b9 2647#endif
0f113f3e
MC		 2648
2649 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2650 ret =
2651 s->ctx->tlsext_servername_callback(s, &al,
2652 s->ctx->tlsext_servername_arg);
2653 else if (s->initial_ctx != NULL
2654 && s->initial_ctx->tlsext_servername_callback != 0)
2655 ret =
2656 s->initial_ctx->tlsext_servername_callback(s, &al,
2657 s->
2658 initial_ctx->tlsext_servername_arg);
2659
0f113f3e
MC		 2660 switch (ret) {
2661 case SSL_TLSEXT_ERR_ALERT_FATAL:
2662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2663 return -1;
2664
2665 case SSL_TLSEXT_ERR_ALERT_WARNING:
2666 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2667 return 1;
2668
2669 case SSL_TLSEXT_ERR_NOACK:
2670 s->servername_done = 0;
2671 default:
2672 return 1;
2673 }
2674}
d376e57d 2675/* Initialise digests to default values */
a0f63828 2676void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2677{
2678 const EVP_MD **pmd = s->s3->tmp.md;
2679#ifndef OPENSSL_NO_DSA
152fbc28 2680 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2681#endif
2682#ifndef OPENSSL_NO_RSA
d18d31a1 2683 if (SSL_USE_SIGALGS(s))
152fbc28 2684 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2685 else
152fbc28 2686 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2687 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2688#endif
2689#ifndef OPENSSL_NO_EC
152fbc28 2690 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2691#endif
e44380a9 2692#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2693 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2694 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2695 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2696#endif
d376e57d 2697}
f1fd4544 2698
e469af8d 2699int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2700{
2701 int al;
2702 size_t i;
2703 /* Clear any shared sigtnature algorithms */
b548a1f1
RS		 2704 OPENSSL_free(s->cert->shared_sigalgs);
2705 s->cert->shared_sigalgs = NULL;
2706 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2707 /* Clear certificate digests and validity flags */
2708 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2709 s->s3->tmp.md[i] = NULL;
6383d316 2710 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2711 }
2712
2713 /* If sigalgs received process it. */
76106e60 2714 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2715 if (!tls1_process_sigalgs(s)) {
2716 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2717 al = SSL_AD_INTERNAL_ERROR;
2718 goto err;
2719 }
2720 /* Fatal error is no shared signature algorithms */
2721 if (!s->cert->shared_sigalgs) {
2722 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2723 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2724 al = SSL_AD_ILLEGAL_PARAMETER;
2725 goto err;
2726 }
d376e57d
DSH		 2727 } else {
2728 ssl_set_default_md(s);
2729 }
0f113f3e
MC		 2730 return 1;
2731 err:
2732 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2733 return 0;
2734}
e469af8d 2735
2daceb03 2736int ssl_check_clienthello_tlsext_late(SSL *s)
0f113f3e
MC		 2737{
2738 int ret = SSL_TLSEXT_ERR_OK;
4c9b0a03 2739 int al = SSL_AD_INTERNAL_ERROR;
0f113f3e
MC		 2740
2741 /*
2742 * If status request then ask callback what to do. Note: this must be
2743 * called after servername callbacks in case the certificate has changed,
2744 * and must be called after the cipher has been chosen because this may
2745 * influence which certificate is sent
2746 */
2747 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2748 int r;
2749 CERT_PKEY *certpkey;
2750 certpkey = ssl_get_server_send_pkey(s);
2751 /* If no certificate can't return certificate status */
2752 if (certpkey == NULL) {
2753 s->tlsext_status_expected = 0;
2754 return 1;
2755 }
2756 /*
2757 * Set current certificate to one we will use so SSL_get_certificate
2758 * et al can pick it up.
2759 */
2760 s->cert->key = certpkey;
2761 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2762 switch (r) {
2763 /* We don't want to send a status request response */
2764 case SSL_TLSEXT_ERR_NOACK:
2765 s->tlsext_status_expected = 0;
2766 break;
2767 /* status request response should be sent */
2768 case SSL_TLSEXT_ERR_OK:
2769 if (s->tlsext_ocsp_resp)
2770 s->tlsext_status_expected = 1;
2771 else
2772 s->tlsext_status_expected = 0;
2773 break;
2774 /* something bad happened */
2775 case SSL_TLSEXT_ERR_ALERT_FATAL:
2776 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2777 al = SSL_AD_INTERNAL_ERROR;
2778 goto err;
2779 }
2780 } else
2781 s->tlsext_status_expected = 0;
2daceb03
BL		 2782
2783 err:
0f113f3e
MC		 2784 switch (ret) {
2785 case SSL_TLSEXT_ERR_ALERT_FATAL:
2786 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2787 return -1;
2788
2789 case SSL_TLSEXT_ERR_ALERT_WARNING:
2790 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2791 return 1;
2792
2793 default:
2794 return 1;
2795 }
2796}
2daceb03 2797
36ca4ba6 2798int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2799{
2800 int ret = SSL_TLSEXT_ERR_NOACK;
2801 int al = SSL_AD_UNRECOGNIZED_NAME;
2802
e481f9b9 2803#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2804 /*
2805 * If we are client and using an elliptic curve cryptography cipher
2806 * suite, then if server returns an EC point formats lists extension it
2807 * must contain uncompressed.
2808 */
2809 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2810 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2811 if ((s->tlsext_ecpointformatlist != NULL)
2812 && (s->tlsext_ecpointformatlist_length > 0)
2813 && (s->session->tlsext_ecpointformatlist != NULL)
2814 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 2815 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 2816 /* we are using an ECC cipher */
2817 size_t i;
2818 unsigned char *list;
2819 int found_uncompressed = 0;
2820 list = s->session->tlsext_ecpointformatlist;
2821 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2822 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2823 found_uncompressed = 1;
2824 break;
2825 }
2826 }
2827 if (!found_uncompressed) {
2828 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2829 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2830 return -1;
2831 }
2832 }
2833 ret = SSL_TLSEXT_ERR_OK;
e481f9b9 2834#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2835
2836 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2837 ret =
2838 s->ctx->tlsext_servername_callback(s, &al,
2839 s->ctx->tlsext_servername_arg);
2840 else if (s->initial_ctx != NULL
2841 && s->initial_ctx->tlsext_servername_callback != 0)
2842 ret =
2843 s->initial_ctx->tlsext_servername_callback(s, &al,
2844 s->
2845 initial_ctx->tlsext_servername_arg);
2846
b1931d43
MC		 2847 /*
2848 * Ensure we get sensible values passed to tlsext_status_cb in the event
2849 * that we don't receive a status message
2850 */
bb1aaab4
MC		 2851 OPENSSL_free(s->tlsext_ocsp_resp);
2852 s->tlsext_ocsp_resp = NULL;
2853 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2854
2855 switch (ret) {
2856 case SSL_TLSEXT_ERR_ALERT_FATAL:
2857 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2858 return -1;
2859
2860 case SSL_TLSEXT_ERR_ALERT_WARNING:
2861 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2862 return 1;
2863
2864 case SSL_TLSEXT_ERR_NOACK:
2865 s->servername_done = 0;
2866 default:
2867 return 1;
2868 }
2869}
761772d7 2870
50932c4a 2871int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2872{
2873 int al = -1;
2874 if (s->version < SSL3_VERSION)
2875 return 1;
50932c4a 2876 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2877 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2878 return 0;
2879 }
2880
2881 if (ssl_check_serverhello_tlsext(s) <= 0) {
2882 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2883 return 0;
2884 }
2885 return 1;
09e4e4b9
DSH		 2886}
2887
1d97c843
TH		 2888/*-
2889 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2890 * ClientHello and other operations depend on the result some extensions
2891 * need to be handled at the same time.
2892 *
2893 * Two extensions are currently handled, session ticket and extended master
2894 * secret.
c519e89f 2895 *
b3e2272c
EK		 2896 * session_id: ClientHello session ID.
2897 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2898 * ret: (output) on return, if a ticket was decrypted, then this is set to
2899 * point to the resulting session.
2900 *
2901 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2902 * ciphersuite, in which case we have no use for session tickets and one will
2903 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2904 *
2905 * Returns:
2906 * -1: fatal error, either from parsing or decrypting the ticket.
2907 * 0: no ticket was found (or was ignored, based on settings).
2908 * 1: a zero length extension was found, indicating that the client supports
2909 * session tickets but doesn't currently have one to offer.
2910 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2911 * couldn't be decrypted because of a non-fatal error.
2912 * 3: a ticket was successfully decrypted and *ret was set.
2913 *
2914 * Side effects:
2915 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2916 * a new session ticket to the client because the client indicated support
2917 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2918 * a session ticket or we couldn't use the one it gave us, or if
2919 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2920 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2921 *
2922 * For extended master secret flag is set if the extension is present.
2923 *
6434abbf 2924 */
e7f0d921
DSH		 2925int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2926 const PACKET *session_id,
2927 SSL_SESSION **ret)
0f113f3e 2928{
9ceb2426 2929 unsigned int i;
b3e2272c 2930 PACKET local_ext = *ext;
9ceb2426 2931 int retv = -1;
0f113f3e 2932
e7f0d921
DSH		 2933 int have_ticket = 0;
2934 int use_ticket = tls_use_ticket(s);
2935
0f113f3e
MC		 2936 *ret = NULL;
2937 s->tlsext_ticket_expected = 0;
e7f0d921 2938 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2939
2940 /*
2941 * If tickets disabled behave as if no ticket present to permit stateful
2942 * resumption.
2943 */
9ceb2426 2944 if ((s->version <= SSL3_VERSION))
0f113f3e 2945 return 0;
9ceb2426 2946
b3e2272c 2947 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2948 retv = 0;
2949 goto end;
2950 }
b3e2272c 2951 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2952 unsigned int type, size;
2953
b3e2272c
EK		 2954 if (!PACKET_get_net_2(&local_ext, &type)
2955 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2956 /* Shouldn't ever happen */
2957 retv = -1;
2958 goto end;
2959 }
b3e2272c 2960 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2961 retv = 0;
2962 goto end;
2963 }
e7f0d921 2964 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2965 int r;
b6981744 2966 const unsigned char *etick;
9ceb2426 2967
e7f0d921
DSH		 2968 /* Duplicate extension */
2969 if (have_ticket != 0) {
2970 retv = -1;
2971 goto end;
2972 }
2973 have_ticket = 1;
2974
0f113f3e
MC		 2975 if (size == 0) {
2976 /*
2977 * The client will accept a ticket but doesn't currently have
2978 * one.
2979 */
2980 s->tlsext_ticket_expected = 1;
9ceb2426 2981 retv = 1;
e7f0d921 2982 continue;
0f113f3e
MC		 2983 }
2984 if (s->tls_session_secret_cb) {
2985 /*
2986 * Indicate that the ticket couldn't be decrypted rather than
2987 * generating the session from ticket now, trigger
2988 * abbreviated handshake based on external mechanism to
2989 * calculate the master secret later.
2990 */
9ceb2426 2991 retv = 2;
e7f0d921 2992 continue;
9ceb2426 2993 }
b3e2272c 2994 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2995 /* Shouldn't ever happen */
2996 retv = -1;
2997 goto end;
0f113f3e 2998 }
b3e2272c
EK		 2999 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3000 PACKET_remaining(session_id), ret);
0f113f3e
MC		 3001 switch (r) {
3002 case 2: /* ticket couldn't be decrypted */
3003 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3004 retv = 2;
3005 break;
0f113f3e 3006 case 3: /* ticket was decrypted */
9ceb2426
MC		 3007 retv = r;
3008 break;
0f113f3e
MC		 3009 case 4: /* ticket decrypted but need to renew */
3010 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 3011 retv = 3;
3012 break;
0f113f3e 3013 default: /* fatal error */
9ceb2426
MC		 3014 retv = -1;
3015 break;
0f113f3e 3016 }
e7f0d921 3017 continue;
c83eda8c 3018 } else {
e7f0d921
DSH		 3019 if (type == TLSEXT_TYPE_extended_master_secret)
3020 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 3021 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 3022 retv = -1;
3023 goto end;
3024 }
0f113f3e 3025 }
0f113f3e 3026 }
e7f0d921
DSH		 3027 if (have_ticket == 0)
3028 retv = 0;
9ceb2426 3029end:
9ceb2426 3030 return retv;
0f113f3e 3031}
6434abbf 3032
1d97c843
TH		 3033/*-
3034 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 3035 *
3036 * etick: points to the body of the session ticket extension.
3037 * eticklen: the length of the session tickets extenion.
3038 * sess_id: points at the session ID.
3039 * sesslen: the length of the session ID.
3040 * psess: (output) on return, if a ticket was decrypted, then this is set to
3041 * point to the resulting session.
3042 *
3043 * Returns:
bf7c6817 3044 * -2: fatal error, malloc failure.
c519e89f
BM		 3045 * -1: fatal error, either from parsing or decrypting the ticket.
3046 * 2: the ticket couldn't be decrypted.
3047 * 3: a ticket was successfully decrypted and *psess was set.
3048 * 4: same as 3, but the ticket needs to be renewed.
3049 */
0f113f3e
MC		 3050static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3051 int eticklen, const unsigned char *sess_id,
3052 int sesslen, SSL_SESSION **psess)
3053{
3054 SSL_SESSION *sess;
3055 unsigned char *sdec;
3056 const unsigned char *p;
3057 int slen, mlen, renew_ticket = 0;
3058 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 3059 HMAC_CTX *hctx = NULL;
846ec07d 3060 EVP_CIPHER_CTX *ctx;
0f113f3e
MC		 3061 SSL_CTX *tctx = s->initial_ctx;
3062 /* Need at least keyname + iv + some encrypted data */
3063 if (eticklen < 48)
3064 return 2;
3065 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 3066 hctx = HMAC_CTX_new();
3067 if (hctx == NULL)
3068 return -2;
846ec07d 3069 ctx = EVP_CIPHER_CTX_new();
0f113f3e
MC		 3070 if (tctx->tlsext_ticket_key_cb) {
3071 unsigned char *nctick = (unsigned char *)etick;
3072 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 3073 ctx, hctx, 0);
0f113f3e
MC		 3074 if (rv < 0)
3075 return -1;
3076 if (rv == 0)
3077 return 2;
3078 if (rv == 2)
3079 renew_ticket = 1;
3080 } else {
3081 /* Check key name matches */
3082 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3083 return 2;
bf7c6817 3084 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
5f3d93e4 3085 EVP_sha256(), NULL) <= 0
846ec07d 3086 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
5f3d93e4
MC		 3087 tctx->tlsext_tick_aes_key,
3088 etick + 16) <= 0) {
3089 goto err;
3090 }
0f113f3e
MC		 3091 }
3092 /*
3093 * Attempt to process session ticket, first conduct sanity and integrity
3094 * checks on ticket.
3095 */
bf7c6817 3096 mlen = HMAC_size(hctx);
0f113f3e 3097 if (mlen < 0) {
5f3d93e4 3098 goto err;
0f113f3e
MC		 3099 }
3100 eticklen -= mlen;
3101 /* Check HMAC of encrypted ticket */
bf7c6817
RL		 3102 if (HMAC_Update(hctx, etick, eticklen) <= 0
3103 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3104 goto err;
3105 }
bf7c6817 3106 HMAC_CTX_free(hctx);
0f113f3e 3107 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3108 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3109 return 2;
3110 }
3111 /* Attempt to decrypt session data */
3112 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3113 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3114 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3115 sdec = OPENSSL_malloc(eticklen);
5f3d93e4 3116 if (sdec == NULL
846ec07d
RL		 3117 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3118 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3119 return -1;
3120 }
846ec07d
RL		 3121 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3122 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3123 OPENSSL_free(sdec);
3124 return 2;
3125 }
3126 slen += mlen;
846ec07d
RL		 3127 EVP_CIPHER_CTX_free(ctx);
3128 ctx = NULL;
0f113f3e
MC		 3129 p = sdec;
3130
3131 sess = d2i_SSL_SESSION(NULL, &p, slen);
3132 OPENSSL_free(sdec);
3133 if (sess) {
3134 /*
3135 * The session ID, if non-empty, is used by some clients to detect
3136 * that the ticket has been accepted. So we copy it to the session
3137 * structure. If it is empty set length to zero as required by
3138 * standard.
3139 */
3140 if (sesslen)
3141 memcpy(sess->session_id, sess_id, sesslen);
3142 sess->session_id_length = sesslen;
3143 *psess = sess;
3144 if (renew_ticket)
3145 return 4;
3146 else
3147 return 3;
3148 }
3149 ERR_clear_error();
3150 /*
3151 * For session parse failure, indicate that we need to send a new ticket.
3152 */
3153 return 2;
5f3d93e4 3154err:
846ec07d 3155 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3156 HMAC_CTX_free(hctx);
5f3d93e4 3157 return -1;
0f113f3e 3158}
6434abbf 3159
6b7be581
DSH		 3160/* Tables to translate from NIDs to TLS v1.2 ids */
3161
0f113f3e
MC		 3162typedef struct {
3163 int nid;
3164 int id;
3165} tls12_lookup;
6b7be581 3166
d97ed219 3167static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3168 {NID_md5, TLSEXT_hash_md5},
3169 {NID_sha1, TLSEXT_hash_sha1},
3170 {NID_sha224, TLSEXT_hash_sha224},
3171 {NID_sha256, TLSEXT_hash_sha256},
3172 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3173 {NID_sha512, TLSEXT_hash_sha512},
3174 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3175 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3176 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3177};
3178
d97ed219 3179static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3180 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3181 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3182 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3183 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3184 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3185 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3186};
3187
d97ed219 3188static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3189{
3190 size_t i;
3191 for (i = 0; i < tlen; i++) {
3192 if (table[i].nid == nid)
3193 return table[i].id;
3194 }
3195 return -1;
3196}
e7f8ff43 3197
d97ed219 3198static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3199{
3200 size_t i;
3201 for (i = 0; i < tlen; i++) {
3202 if ((table[i].id) == id)
3203 return table[i].nid;
3204 }
3205 return NID_undef;
3206}
3207
3208int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3209 const EVP_MD *md)
3210{
3211 int sig_id, md_id;
3212 if (!md)
3213 return 0;
b6eb9827 3214 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3215 if (md_id == -1)
3216 return 0;
3217 sig_id = tls12_get_sigid(pk);
3218 if (sig_id == -1)
3219 return 0;
3220 p[0] = (unsigned char)md_id;
3221 p[1] = (unsigned char)sig_id;
3222 return 1;
3223}
6b7be581 3224
a2f9200f 3225int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3226{
3aeb9348 3227 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3228}
3229
3230typedef struct {
3231 int nid;
3232 int secbits;
7afd2312 3233 int md_idx;
e44380a9 3234 unsigned char tlsext_hash;
0f113f3e 3235} tls12_hash_info;
b362ccab
DSH		 3236
3237static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3238 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3239 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3240 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3241 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3242 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3243 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3244 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3245 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3246 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
b362ccab 3247};
a2f9200f 3248
b362ccab 3249static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3250{
e44380a9 3251 unsigned int i;
0f113f3e
MC		 3252 if (hash_alg == 0)
3253 return NULL;
e44380a9
DB		 3254
3255 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3256 {
3257 if (tls12_md_info[i].tlsext_hash == hash_alg)
3258 return tls12_md_info + i;
3259 }
3260
3261 return NULL;
0f113f3e 3262}
a2f9200f 3263
b362ccab 3264const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3265{
3266 const tls12_hash_info *inf;
3267 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3268 return NULL;
3269 inf = tls12_get_hash_info(hash_alg);
7afd2312 3270 if (!inf)
0f113f3e 3271 return NULL;
7afd2312 3272 return ssl_md(inf->md_idx);
0f113f3e 3273}
a2f9200f 3274
4453cd8c 3275static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3276{
3277 switch (sig_alg) {
e481f9b9 3278#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3279 case TLSEXT_signature_rsa:
3280 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3281#endif
3282#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3283 case TLSEXT_signature_dsa:
3284 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3285#endif
3286#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3287 case TLSEXT_signature_ecdsa:
3288 return SSL_PKEY_ECC;
e481f9b9 3289#endif
e44380a9
DB		 3290# ifndef OPENSSL_NO_GOST
3291 case TLSEXT_signature_gostr34102001:
3292 return SSL_PKEY_GOST01;
3293
3294 case TLSEXT_signature_gostr34102012_256:
3295 return SSL_PKEY_GOST12_256;
3296
3297 case TLSEXT_signature_gostr34102012_512:
3298 return SSL_PKEY_GOST12_512;
3299# endif
0f113f3e
MC		 3300 }
3301 return -1;
3302}
4453cd8c
DSH		 3303
3304/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3305static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3306 int *psignhash_nid, const unsigned char *data)
3307{
330dcb09 3308 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3309 if (!phash_nid && !psign_nid && !psignhash_nid)
3310 return;
3311 if (phash_nid || psignhash_nid) {
b6eb9827 3312 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3313 if (phash_nid)
3314 *phash_nid = hash_nid;
3315 }
3316 if (psign_nid || psignhash_nid) {
b6eb9827 3317 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3318 if (psign_nid)
3319 *psign_nid = sign_nid;
3320 }
3321 if (psignhash_nid) {
330dcb09
MC		 3322 if (sign_nid == NID_undef || hash_nid == NID_undef
3323 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3324 sign_nid) <= 0)
0f113f3e
MC		 3325 *psignhash_nid = NID_undef;
3326 }
3327}
3328
b362ccab
DSH		 3329/* Check to see if a signature algorithm is allowed */
3330static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3331{
3332 /* See if we have an entry in the hash table and it is enabled */
3333 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3334 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3335 return 0;
3336 /* See if public key algorithm allowed */
3337 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3338 return 0;
3339 /* Finally see if security callback allows it */
3340 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3341}
3342
3343/*
3344 * Get a mask of disabled public key algorithms based on supported signature
3345 * algorithms. For example if no signature algorithm supports RSA then RSA is
3346 * disabled.
b362ccab
DSH		 3347 */
3348
90d9e49a 3349void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3350{
3351 const unsigned char *sigalgs;
3352 size_t i, sigalgslen;
3353 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3354 /*
3355 * Now go through all signature algorithms seeing if we support any for
3356 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3357 * down calls to security callback only check if we have to.
3358 */
3359 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3360 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3361 switch (sigalgs[1]) {
e481f9b9 3362#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3363 case TLSEXT_signature_rsa:
3364 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3365 have_rsa = 1;
3366 break;
e481f9b9
MC		 3367#endif
3368#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3369 case TLSEXT_signature_dsa:
3370 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3371 have_dsa = 1;
3372 break;
e481f9b9
MC		 3373#endif
3374#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3375 case TLSEXT_signature_ecdsa:
3376 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3377 have_ecdsa = 1;
3378 break;
e481f9b9 3379#endif
0f113f3e
MC		 3380 }
3381 }
3382 if (!have_rsa)
3383 *pmask_a |= SSL_aRSA;
3384 if (!have_dsa)
3385 *pmask_a |= SSL_aDSS;
3386 if (!have_ecdsa)
3387 *pmask_a |= SSL_aECDSA;
3388}
b362ccab
DSH		 3389
3390size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3391 const unsigned char *psig, size_t psiglen)
3392{
3393 unsigned char *tmpout = out;
3394 size_t i;
3395 for (i = 0; i < psiglen; i += 2, psig += 2) {
3396 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3397 *tmpout++ = psig[0];
3398 *tmpout++ = psig[1];
3399 }
3400 }
3401 return tmpout - out;
3402}
b362ccab 3403
4453cd8c 3404/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3405static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3406 const unsigned char *pref, size_t preflen,
3407 const unsigned char *allow, size_t allowlen)
3408{
3409 const unsigned char *ptmp, *atmp;
3410 size_t i, j, nmatch = 0;
3411 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3412 /* Skip disabled hashes or signature algorithms */
3413 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3414 continue;
3415 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3416 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3417 nmatch++;
3418 if (shsig) {
3419 shsig->rhash = ptmp[0];
3420 shsig->rsign = ptmp[1];
3421 tls1_lookup_sigalg(&shsig->hash_nid,
3422 &shsig->sign_nid,
3423 &shsig->signandhash_nid, ptmp);
3424 shsig++;
3425 }
3426 break;
3427 }
3428 }
3429 }
3430 return nmatch;
3431}
4453cd8c
DSH		 3432
3433/* Set shared signature algorithms for SSL structures */
3434static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3435{
3436 const unsigned char *pref, *allow, *conf;
3437 size_t preflen, allowlen, conflen;
3438 size_t nmatch;
3439 TLS_SIGALGS *salgs = NULL;
3440 CERT *c = s->cert;
3441 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3442
3443 OPENSSL_free(c->shared_sigalgs);
3444 c->shared_sigalgs = NULL;
3445 c->shared_sigalgslen = 0;
0f113f3e
MC		 3446 /* If client use client signature algorithms if not NULL */
3447 if (!s->server && c->client_sigalgs && !is_suiteb) {
3448 conf = c->client_sigalgs;
3449 conflen = c->client_sigalgslen;
3450 } else if (c->conf_sigalgs && !is_suiteb) {
3451 conf = c->conf_sigalgs;
3452 conflen = c->conf_sigalgslen;
3453 } else
3454 conflen = tls12_get_psigalgs(s, &conf);
3455 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3456 pref = conf;
3457 preflen = conflen;
76106e60
DSH		 3458 allow = s->s3->tmp.peer_sigalgs;
3459 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3460 } else {
3461 allow = conf;
3462 allowlen = conflen;
76106e60
DSH		 3463 pref = s->s3->tmp.peer_sigalgs;
3464 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3465 }
3466 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3467 if (nmatch) {
3468 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3469 if (salgs == NULL)
34e3edbf
DSH		 3470 return 0;
3471 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3472 } else {
3473 salgs = NULL;
3474 }
0f113f3e
MC		 3475 c->shared_sigalgs = salgs;
3476 c->shared_sigalgslen = nmatch;
3477 return 1;
3478}
4453cd8c 3479
6b7be581
DSH		 3480/* Set preferred digest for each key type */
3481
c800c27a 3482int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3483{
3484 CERT *c = s->cert;
3485 /* Extension ignored for inappropriate versions */
3486 if (!SSL_USE_SIGALGS(s))
3487 return 1;
3488 /* Should never happen */
3489 if (!c)
3490 return 0;
3491
76106e60
DSH		 3492 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3493 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3494 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3495 return 0;
76106e60
DSH		 3496 s->s3->tmp.peer_sigalgslen = dsize;
3497 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3498 return 1;
3499}
6b7be581 3500
c800c27a 3501int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3502{
3503 int idx;
3504 size_t i;
3505 const EVP_MD *md;
d376e57d 3506 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3507 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3508 CERT *c = s->cert;
3509 TLS_SIGALGS *sigptr;
3510 if (!tls1_set_shared_sigalgs(s))
3511 return 0;
3512
e481f9b9 3513#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3514 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3515 /*
3516 * Use first set signature preference to force message digest,
3517 * ignoring any peer preferences.
3518 */
3519 const unsigned char *sigs = NULL;
3520 if (s->server)
3521 sigs = c->conf_sigalgs;
3522 else
3523 sigs = c->client_sigalgs;
3524 if (sigs) {
3525 idx = tls12_get_pkey_idx(sigs[1]);
3526 md = tls12_get_hash(sigs[0]);
d376e57d 3527 pmd[idx] = md;
6383d316 3528 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3529 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3530 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3531 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3532 }
3533 }
3534 }
e481f9b9 3535#endif
0f113f3e
MC		 3536
3537 for (i = 0, sigptr = c->shared_sigalgs;
3538 i < c->shared_sigalgslen; i++, sigptr++) {
3539 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3540 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3541 md = tls12_get_hash(sigptr->rhash);
d376e57d 3542 pmd[idx] = md;
6383d316 3543 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3544 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3545 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3546 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3547 }
3548 }
6b7be581 3549
0f113f3e
MC		 3550 }
3551 /*
3552 * In strict mode leave unset digests as NULL to indicate we can't use
3553 * the certificate for signing.
3554 */
3555 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3556 /*
3557 * Set any remaining keys to default values. NOTE: if alg is not
3558 * supported it stays as NULL.
3559 */
e481f9b9 3560#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3561 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3562 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3563#endif
3564#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3565 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3566 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3567 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3568 }
e481f9b9
MC		 3569#endif
3570#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3571 if (pmd[SSL_PKEY_ECC] == NULL)
3572 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3573#endif
e44380a9
DB		 3574# ifndef OPENSSL_NO_GOST
3575 if (pmd[SSL_PKEY_GOST01] == NULL)
3576 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3577 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3578 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3579 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3580 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3581# endif
0f113f3e
MC		 3582 }
3583 return 1;
3584}
4817504d 3585
e7f8ff43 3586int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3587 int *psign, int *phash, int *psignhash,
3588 unsigned char *rsig, unsigned char *rhash)
3589{
76106e60 3590 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3591 if (psig == NULL)
3592 return 0;
3593 if (idx >= 0) {
3594 idx <<= 1;
76106e60 3595 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3596 return 0;
3597 psig += idx;
3598 if (rhash)
3599 *rhash = psig[0];
3600 if (rsig)
3601 *rsig = psig[1];
3602 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3603 }
76106e60 3604 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3605}
4453cd8c
DSH		 3606
3607int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3608 int *psign, int *phash, int *psignhash,
3609 unsigned char *rsig, unsigned char *rhash)
3610{
3611 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3612 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3613 return 0;
3614 shsigalgs += idx;
3615 if (phash)
3616 *phash = shsigalgs->hash_nid;
3617 if (psign)
3618 *psign = shsigalgs->sign_nid;
3619 if (psignhash)
3620 *psignhash = shsigalgs->signandhash_nid;
3621 if (rsig)
3622 *rsig = shsigalgs->rsign;
3623 if (rhash)
3624 *rhash = shsigalgs->rhash;
3625 return s->cert->shared_sigalgslen;
3626}
3627
e481f9b9 3628#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3629
0f113f3e
MC		 3630typedef struct {
3631 size_t sigalgcnt;
3632 int sigalgs[MAX_SIGALGLEN];
3633} sig_cb_st;
0f229cce 3634
431f458d
DSH		 3635static void get_sigorhash(int *psig, int *phash, const char *str)
3636{
3637 if (strcmp(str, "RSA") == 0) {
3638 *psig = EVP_PKEY_RSA;
3639 } else if (strcmp(str, "DSA") == 0) {
3640 *psig = EVP_PKEY_DSA;
3641 } else if (strcmp(str, "ECDSA") == 0) {
3642 *psig = EVP_PKEY_EC;
3643 } else {
3644 *phash = OBJ_sn2nid(str);
3645 if (*phash == NID_undef)
3646 *phash = OBJ_ln2nid(str);
3647 }
3648}
3649
0f229cce 3650static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3651{
3652 sig_cb_st *sarg = arg;
3653 size_t i;
3654 char etmp[20], *p;
431f458d 3655 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3656 if (elem == NULL)
3657 return 0;
0f113f3e
MC		 3658 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3659 return 0;
3660 if (len > (int)(sizeof(etmp) - 1))
3661 return 0;
3662 memcpy(etmp, elem, len);
3663 etmp[len] = 0;
3664 p = strchr(etmp, '+');
3665 if (!p)
3666 return 0;
3667 *p = 0;
3668 p++;
3669 if (!*p)
3670 return 0;
3671
431f458d
DSH		 3672 get_sigorhash(&sig_alg, &hash_alg, etmp);
3673 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3674
431f458d 3675 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3676 return 0;
3677
3678 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3679 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3680 return 0;
3681 }
3682 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3683 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3684 return 1;
3685}
3686
3687/*
3688 * Set suppored signature algorithms based on a colon separated list of the
3689 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3690 */
3dbc46df 3691int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3692{
3693 sig_cb_st sig;
3694 sig.sigalgcnt = 0;
3695 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3696 return 0;
3697 if (c == NULL)
3698 return 1;
3699 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3700}
3701
3702int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3703 int client)
3704{
3705 unsigned char *sigalgs, *sptr;
3706 int rhash, rsign;
3707 size_t i;
3708 if (salglen & 1)
3709 return 0;
3710 sigalgs = OPENSSL_malloc(salglen);
3711 if (sigalgs == NULL)
3712 return 0;
3713 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3714 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3715 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3716
3717 if (rhash == -1 || rsign == -1)
3718 goto err;
3719 *sptr++ = rhash;
3720 *sptr++ = rsign;
3721 }
3722
3723 if (client) {
b548a1f1 3724 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3725 c->client_sigalgs = sigalgs;
3726 c->client_sigalgslen = salglen;
3727 } else {
b548a1f1 3728 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3729 c->conf_sigalgs = sigalgs;
3730 c->conf_sigalgslen = salglen;
3731 }
3732
3733 return 1;
3734
3735 err:
3736 OPENSSL_free(sigalgs);
3737 return 0;
3738}
4453cd8c 3739
d61ff83b 3740static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3741{
3742 int sig_nid;
3743 size_t i;
3744 if (default_nid == -1)
3745 return 1;
3746 sig_nid = X509_get_signature_nid(x);
3747 if (default_nid)
3748 return sig_nid == default_nid ? 1 : 0;
3749 for (i = 0; i < c->shared_sigalgslen; i++)
3750 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3751 return 1;
3752 return 0;
3753}
3754
6dbb6219
DSH		 3755/* Check to see if a certificate issuer name matches list of CA names */
3756static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3757{
3758 X509_NAME *nm;
3759 int i;
3760 nm = X509_get_issuer_name(x);
3761 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3762 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3763 return 1;
3764 }
3765 return 0;
3766}
3767
3768/*
3769 * Check certificate chain is consistent with TLS extensions and is usable by
3770 * server. This servers two purposes: it allows users to check chains before
3771 * passing them to the server and it allows the server to check chains before
3772 * attempting to use them.
d61ff83b 3773 */
6dbb6219
DSH		 3774
3775/* Flags which need to be set for a certificate when stict mode not set */
3776
e481f9b9 3777#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3778 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3779/* Strict mode flags */
e481f9b9 3780#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3781 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3782 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3783
d61ff83b 3784int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3785 int idx)
3786{
3787 int i;
3788 int rv = 0;
3789 int check_flags = 0, strict_mode;
3790 CERT_PKEY *cpk = NULL;
3791 CERT *c = s->cert;
f7d53487 3792 uint32_t *pvalid;
0f113f3e
MC		 3793 unsigned int suiteb_flags = tls1_suiteb(s);
3794 /* idx == -1 means checking server chains */
3795 if (idx != -1) {
3796 /* idx == -2 means checking client certificate chains */
3797 if (idx == -2) {
3798 cpk = c->key;
3799 idx = cpk - c->pkeys;
3800 } else
3801 cpk = c->pkeys + idx;
6383d316 3802 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3803 x = cpk->x509;
3804 pk = cpk->privatekey;
3805 chain = cpk->chain;
3806 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3807 /* If no cert or key, forget it */
3808 if (!x || !pk)
3809 goto end;
e481f9b9 3810#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
0f113f3e
MC		 3811 /* Allow any certificate to pass test */
3812 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3813 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3814 CERT_PKEY_VALID | CERT_PKEY_SIGN;
6383d316 3815 *pvalid = rv;
0f113f3e
MC		 3816 return rv;
3817 }
e481f9b9 3818#endif
0f113f3e
MC		 3819 } else {
3820 if (!x || !pk)
d813f9eb 3821 return 0;
0f113f3e
MC		 3822 idx = ssl_cert_type(x, pk);
3823 if (idx == -1)
d813f9eb 3824 return 0;
6383d316
DSH		 3825 pvalid = s->s3->tmp.valid_flags + idx;
3826
0f113f3e
MC		 3827 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3828 check_flags = CERT_PKEY_STRICT_FLAGS;
3829 else
3830 check_flags = CERT_PKEY_VALID_FLAGS;
3831 strict_mode = 1;
3832 }
3833
3834 if (suiteb_flags) {
3835 int ok;
3836 if (check_flags)
3837 check_flags |= CERT_PKEY_SUITEB;
3838 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3839 if (ok == X509_V_OK)
3840 rv |= CERT_PKEY_SUITEB;
3841 else if (!check_flags)
3842 goto end;
3843 }
3844
3845 /*
3846 * Check all signature algorithms are consistent with signature
3847 * algorithms extension if TLS 1.2 or later and strict mode.
3848 */
3849 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3850 int default_nid;
3851 unsigned char rsign = 0;
76106e60 3852 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3853 default_nid = 0;
3854 /* If no sigalgs extension use defaults from RFC5246 */
3855 else {
3856 switch (idx) {
3857 case SSL_PKEY_RSA_ENC:
3858 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 3859 rsign = TLSEXT_signature_rsa;
3860 default_nid = NID_sha1WithRSAEncryption;
3861 break;
3862
3863 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 3864 rsign = TLSEXT_signature_dsa;
3865 default_nid = NID_dsaWithSHA1;
3866 break;
3867
3868 case SSL_PKEY_ECC:
3869 rsign = TLSEXT_signature_ecdsa;
3870 default_nid = NID_ecdsa_with_SHA1;
3871 break;
3872
e44380a9
DB		 3873 case SSL_PKEY_GOST01:
3874 rsign = TLSEXT_signature_gostr34102001;
3875 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3876 break;
3877
3878 case SSL_PKEY_GOST12_256:
3879 rsign = TLSEXT_signature_gostr34102012_256;
3880 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3881 break;
3882
3883 case SSL_PKEY_GOST12_512:
3884 rsign = TLSEXT_signature_gostr34102012_512;
3885 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3886 break;
3887
0f113f3e
MC		 3888 default:
3889 default_nid = -1;
3890 break;
3891 }
3892 }
3893 /*
3894 * If peer sent no signature algorithms extension and we have set
3895 * preferred signature algorithms check we support sha1.
3896 */
3897 if (default_nid > 0 && c->conf_sigalgs) {
3898 size_t j;
3899 const unsigned char *p = c->conf_sigalgs;
3900 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3901 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3902 break;
3903 }
3904 if (j == c->conf_sigalgslen) {
3905 if (check_flags)
3906 goto skip_sigs;
3907 else
3908 goto end;
3909 }
3910 }
3911 /* Check signature algorithm of each cert in chain */
3912 if (!tls1_check_sig_alg(c, x, default_nid)) {
3913 if (!check_flags)
3914 goto end;
3915 } else
3916 rv |= CERT_PKEY_EE_SIGNATURE;
3917 rv |= CERT_PKEY_CA_SIGNATURE;
3918 for (i = 0; i < sk_X509_num(chain); i++) {
3919 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3920 if (check_flags) {
3921 rv &= ~CERT_PKEY_CA_SIGNATURE;
3922 break;
3923 } else
3924 goto end;
3925 }
3926 }
3927 }
3928 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3929 else if (check_flags)
3930 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3931 skip_sigs:
3932 /* Check cert parameters are consistent */
3933 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3934 rv |= CERT_PKEY_EE_PARAM;
3935 else if (!check_flags)
3936 goto end;
3937 if (!s->server)
3938 rv |= CERT_PKEY_CA_PARAM;
3939 /* In strict mode check rest of chain too */
3940 else if (strict_mode) {
3941 rv |= CERT_PKEY_CA_PARAM;
3942 for (i = 0; i < sk_X509_num(chain); i++) {
3943 X509 *ca = sk_X509_value(chain, i);
3944 if (!tls1_check_cert_param(s, ca, 0)) {
3945 if (check_flags) {
3946 rv &= ~CERT_PKEY_CA_PARAM;
3947 break;
3948 } else
3949 goto end;
3950 }
3951 }
3952 }
3953 if (!s->server && strict_mode) {
3954 STACK_OF(X509_NAME) *ca_dn;
3955 int check_type = 0;
3aeb9348 3956 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 3957 case EVP_PKEY_RSA:
3958 check_type = TLS_CT_RSA_SIGN;
3959 break;
3960 case EVP_PKEY_DSA:
3961 check_type = TLS_CT_DSS_SIGN;
3962 break;
3963 case EVP_PKEY_EC:
3964 check_type = TLS_CT_ECDSA_SIGN;
3965 break;
0f113f3e
MC		 3966 }
3967 if (check_type) {
3968 const unsigned char *ctypes;
3969 int ctypelen;
3970 if (c->ctypes) {
3971 ctypes = c->ctypes;
3972 ctypelen = (int)c->ctype_num;
3973 } else {
3974 ctypes = (unsigned char *)s->s3->tmp.ctype;
3975 ctypelen = s->s3->tmp.ctype_num;
3976 }
3977 for (i = 0; i < ctypelen; i++) {
3978 if (ctypes[i] == check_type) {
3979 rv |= CERT_PKEY_CERT_TYPE;
3980 break;
3981 }
3982 }
3983 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3984 goto end;
3985 } else
3986 rv |= CERT_PKEY_CERT_TYPE;
3987
3988 ca_dn = s->s3->tmp.ca_names;
3989
3990 if (!sk_X509_NAME_num(ca_dn))
3991 rv |= CERT_PKEY_ISSUER_NAME;
3992
3993 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3994 if (ssl_check_ca_name(ca_dn, x))
3995 rv |= CERT_PKEY_ISSUER_NAME;
3996 }
3997 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3998 for (i = 0; i < sk_X509_num(chain); i++) {
3999 X509 *xtmp = sk_X509_value(chain, i);
4000 if (ssl_check_ca_name(ca_dn, xtmp)) {
4001 rv |= CERT_PKEY_ISSUER_NAME;
4002 break;
4003 }
4004 }
4005 }
4006 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4007 goto end;
4008 } else
4009 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4010
4011 if (!check_flags || (rv & check_flags) == check_flags)
4012 rv |= CERT_PKEY_VALID;
4013
4014 end:
4015
4016 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 4017 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 4018 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 4019 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 4020 rv |= CERT_PKEY_SIGN;
4021 } else
4022 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4023
4024 /*
4025 * When checking a CERT_PKEY structure all flags are irrelevant if the
4026 * chain is invalid.
4027 */
4028 if (!check_flags) {
4029 if (rv & CERT_PKEY_VALID)
6383d316 4030 *pvalid = rv;
0f113f3e
MC		 4031 else {
4032 /* Preserve explicit sign flag, clear rest */
6383d316 4033 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 4034 return 0;
4035 }
4036 }
4037 return rv;
4038}
d61ff83b
DSH		 4039
4040/* Set validity of certificates in an SSL structure */
4041void tls1_set_cert_validity(SSL *s)
0f113f3e 4042{
17dd65e6
MC		 4043 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4044 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4045 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 4046 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 4047 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4048 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4049 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 4050}
4051
18d71588
DSH		 4052/* User level utiity function to check a chain is suitable */
4053int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 4054{
4055 return tls1_check_chain(s, x, pk, chain, -1);
4056}
d61ff83b 4057
09599b52
DSH		 4058
4059#ifndef OPENSSL_NO_DH
4060DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 4061{
4062 int dh_secbits = 80;
4063 if (s->cert->dh_tmp_auto == 2)
4064 return DH_get_1024_160();
adc5506a 4065 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 4066 if (s->s3->tmp.new_cipher->strength_bits == 256)
4067 dh_secbits = 128;
4068 else
4069 dh_secbits = 80;
4070 } else {
4071 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4072 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4073 }
4074
4075 if (dh_secbits >= 128) {
4076 DH *dhp = DH_new();
a71edf3b 4077 if (dhp == NULL)
0f113f3e
MC		 4078 return NULL;
4079 dhp->g = BN_new();
a71edf3b 4080 if (dhp->g != NULL)
0f113f3e
MC		 4081 BN_set_word(dhp->g, 2);
4082 if (dh_secbits >= 192)
4083 dhp->p = get_rfc3526_prime_8192(NULL);
4084 else
4085 dhp->p = get_rfc3526_prime_3072(NULL);
a71edf3b 4086 if (dhp->p == NULL || dhp->g == NULL) {
0f113f3e
MC		 4087 DH_free(dhp);
4088 return NULL;
4089 }
4090 return dhp;
4091 }
4092 if (dh_secbits >= 112)
4093 return DH_get_2048_224();
4094 return DH_get_1024_160();
4095}
09599b52 4096#endif
b362ccab
DSH		 4097
4098static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 4099{
72245f34 4100 int secbits = -1;
8382fd3a 4101 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 4102 if (pkey) {
72245f34
DSH		 4103 /*
4104 * If no parameters this will return -1 and fail using the default
4105 * security callback for any non-zero security level. This will
4106 * reject keys which omit parameters but this only affects DSA and
4107 * omission of parameters is never (?) done in practice.
4108 */
0f113f3e 4109 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4110 }
0f113f3e
MC		 4111 if (s)
4112 return ssl_security(s, op, secbits, 0, x);
4113 else
4114 return ssl_ctx_security(ctx, op, secbits, 0, x);
4115}
b362ccab
DSH		 4116
4117static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4118{
4119 /* Lookup signature algorithm digest */
4120 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4121 /* Don't check signature if self signed */
4122 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4123 return 1;
0f113f3e
MC		 4124 sig_nid = X509_get_signature_nid(x);
4125 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4126 const EVP_MD *md;
4127 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4128 secbits = EVP_MD_size(md) * 4;
4129 }
4130 if (s)
4131 return ssl_security(s, op, secbits, md_nid, x);
4132 else
4133 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4134}
b362ccab
DSH		 4135
4136int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4137{
4138 if (vfy)
4139 vfy = SSL_SECOP_PEER;
4140 if (is_ee) {
4141 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4142 return SSL_R_EE_KEY_TOO_SMALL;
4143 } else {
4144 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4145 return SSL_R_CA_KEY_TOO_SMALL;
4146 }
4147 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4148 return SSL_R_CA_MD_TOO_WEAK;
4149 return 1;
4150}
4151
4152/*
4153 * Check security of a chain, if sk includes the end entity certificate then
4154 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4155 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4156 */
4157
4158int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4159{
4160 int rv, start_idx, i;
4161 if (x == NULL) {
4162 x = sk_X509_value(sk, 0);
4163 start_idx = 1;
4164 } else
4165 start_idx = 0;
4166
4167 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4168 if (rv != 1)
4169 return rv;
4170
4171 for (i = start_idx; i < sk_X509_num(sk); i++) {
4172 x = sk_X509_value(sk, i);
4173 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4174 if (rv != 1)
4175 return rv;
4176 }
4177 return 1;
4178}
A mirror of the official openssl repository