]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
80-test_pkcs12.t: skip the test on Windows with non-Greek locale.
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
f1fd4544 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
f1fd4544 8 */
58964a49
RE		 9
10#include <stdio.h>
aa474d1f 11#include <stdlib.h>
ec577822 12#include <openssl/objects.h>
6434abbf
DSH		 13#include <openssl/evp.h>
14#include <openssl/hmac.h>
67c8e7f4 15#include <openssl/ocsp.h>
5951e840
MC		 16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
3c27208f
RS		 18#include <openssl/dh.h>
19#include <openssl/bn.h>
58964a49 20#include "ssl_locl.h"
3c27208f 21#include <openssl/ct.h>
58964a49 22
6434abbf 23static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
0f113f3e
MC		 24 const unsigned char *sess_id, int sesslen,
25 SSL_SESSION **psess);
2daceb03 26static int ssl_check_clienthello_tlsext_early(SSL *s);
aa474d1f 27static int ssl_check_serverhello_tlsext(SSL *s);
6434abbf 28
0f113f3e
MC		 29SSL3_ENC_METHOD const TLSv1_enc_data = {
30 tls1_enc,
31 tls1_mac,
32 tls1_setup_key_block,
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
36 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 37 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
38 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
39 tls1_alert_code,
40 tls1_export_keying_material,
41 0,
42 SSL3_HM_HEADER_LENGTH,
43 ssl3_set_handshake_header,
44 ssl3_handshake_write
45};
46
47SSL3_ENC_METHOD const TLSv1_1_enc_data = {
48 tls1_enc,
49 tls1_mac,
50 tls1_setup_key_block,
51 tls1_generate_master_secret,
52 tls1_change_cipher_state,
53 tls1_final_finish_mac,
54 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 55 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
56 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
57 tls1_alert_code,
58 tls1_export_keying_material,
59 SSL_ENC_FLAG_EXPLICIT_IV,
60 SSL3_HM_HEADER_LENGTH,
61 ssl3_set_handshake_header,
62 ssl3_handshake_write
63};
64
65SSL3_ENC_METHOD const TLSv1_2_enc_data = {
66 tls1_enc,
67 tls1_mac,
68 tls1_setup_key_block,
69 tls1_generate_master_secret,
70 tls1_change_cipher_state,
71 tls1_final_finish_mac,
72 TLS1_FINISH_MAC_LENGTH,
0f113f3e
MC		 73 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
74 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
75 tls1_alert_code,
76 tls1_export_keying_material,
77 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
78 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
79 SSL3_HM_HEADER_LENGTH,
80 ssl3_set_handshake_header,
81 ssl3_handshake_write
82};
58964a49 83
f3b656b2 84long tls1_default_timeout(void)
0f113f3e
MC		 85{
86 /*
87 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
88 * http, the cache would over fill
89 */
90 return (60 * 60 * 2);
91}
58964a49 92
6b691a5c 93int tls1_new(SSL *s)
0f113f3e
MC		 94{
95 if (!ssl3_new(s))
96 return (0);
97 s->method->ssl_clear(s);
98 return (1);
99}
58964a49 100
6b691a5c 101void tls1_free(SSL *s)
0f113f3e 102{
b548a1f1 103 OPENSSL_free(s->tlsext_session_ticket);
0f113f3e
MC		 104 ssl3_free(s);
105}
58964a49 106
6b691a5c 107void tls1_clear(SSL *s)
0f113f3e
MC		 108{
109 ssl3_clear(s);
4fa52141
VD		 110 if (s->method->version == TLS_ANY_VERSION)
111 s->version = TLS_MAX_VERSION;
112 else
113 s->version = s->method->version;
0f113f3e 114}
58964a49 115
525de5d3 116#ifndef OPENSSL_NO_EC
eda3766b 117
0f113f3e
MC		 118typedef struct {
119 int nid; /* Curve NID */
120 int secbits; /* Bits of security (from SP800-57) */
121 unsigned int flags; /* Flags: currently just field type */
122} tls_curve_info;
123
2dc1aeed
DSH		 124/*
125 * Table of curve information.
ddb4c047 126 * Do not delete entries or reorder this array! It is used as a lookup
2dc1aeed
DSH		 127 * table: the index of each entry is one less than the TLS curve id.
128 */
0f113f3e
MC		 129static const tls_curve_info nid_list[] = {
130 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
131 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
132 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
133 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
134 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
135 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
136 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
137 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
138 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
139 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
140 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
141 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
142 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
143 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
144 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
145 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
146 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
147 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
148 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
149 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
150 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
151 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
152 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
153 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
154 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
155 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
156 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
157 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
ec24630a 158 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
0f113f3e
MC		 159};
160
161static const unsigned char ecformats_default[] = {
162 TLSEXT_ECPOINTFORMAT_uncompressed,
163 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
164 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
165};
166
fe6ef247
KR		 167/* The default curves */
168static const unsigned char eccurves_default[] = {
1db3107a 169 0, 29, /* X25519 (29) */
de57d237 170 0, 23, /* secp256r1 (23) */
0f113f3e 171 0, 25, /* secp521r1 (25) */
0f113f3e 172 0, 24, /* secp384r1 (24) */
de57d237
EK		 173};
174
175static const unsigned char eccurves_all[] = {
1db3107a 176 0, 29, /* X25519 (29) */
de57d237 177 0, 23, /* secp256r1 (23) */
de57d237 178 0, 25, /* secp521r1 (25) */
de57d237 179 0, 24, /* secp384r1 (24) */
0f113f3e 180 0, 26, /* brainpoolP256r1 (26) */
ddb4c047
RS		 181 0, 27, /* brainpoolP384r1 (27) */
182 0, 28, /* brainpool512r1 (28) */
183
184 /*
185 * Remaining curves disabled by default but still permitted if set
186 * via an explicit callback or parameters.
187 */
0f113f3e 188 0, 22, /* secp256k1 (22) */
de57d237
EK		 189 0, 14, /* sect571r1 (14) */
190 0, 13, /* sect571k1 (13) */
191 0, 11, /* sect409k1 (11) */
192 0, 12, /* sect409r1 (12) */
193 0, 9, /* sect283k1 (9) */
194 0, 10, /* sect283r1 (10) */
de57d237
EK		 195 0, 20, /* secp224k1 (20) */
196 0, 21, /* secp224r1 (21) */
197 0, 18, /* secp192k1 (18) */
198 0, 19, /* secp192r1 (19) */
199 0, 15, /* secp160k1 (15) */
200 0, 16, /* secp160r1 (16) */
201 0, 17, /* secp160r2 (17) */
0f113f3e
MC		 202 0, 8, /* sect239k1 (8) */
203 0, 6, /* sect233k1 (6) */
204 0, 7, /* sect233r1 (7) */
0f113f3e
MC		 205 0, 4, /* sect193r1 (4) */
206 0, 5, /* sect193r2 (5) */
0f113f3e
MC		 207 0, 1, /* sect163k1 (1) */
208 0, 2, /* sect163r1 (2) */
209 0, 3, /* sect163r2 (3) */
0f113f3e
MC		 210};
211
212static const unsigned char suiteb_curves[] = {
213 0, TLSEXT_curve_P_256,
214 0, TLSEXT_curve_P_384
215};
2ea80354 216
ec24630a 217int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
0f113f3e 218{
ec24630a 219 const tls_curve_info *cinfo;
0f113f3e 220 /* ECC curves from RFC 4492 and RFC 7027 */
b6eb9827 221 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
0f113f3e 222 return 0;
ec24630a
DSH		 223 cinfo = nid_list + curve_id - 1;
224 if (pflags)
225 *pflags = cinfo->flags;
226 return cinfo->nid;
0f113f3e 227}
525de5d3
DSH		 228
229int tls1_ec_nid2curve_id(int nid)
0f113f3e 230{
2fa2d15a
DSH		 231 size_t i;
232 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
233 if (nid_list[i].nid == nid)
234 return i + 1;
0f113f3e 235 }
2fa2d15a 236 return 0;
0f113f3e
MC		 237}
238
740580c2
EK		 239/*
240 * Get curves list, if "sess" is set return client curves otherwise
241 * preferred list.
242 * Sets |num_curves| to the number of curves in the list, i.e.,
243 * the length of |pcurves| is 2 * num_curves.
244 * Returns 1 on success and 0 if the client curves list has invalid format.
245 * The latter indicates an internal error: we should not be accepting such
246 * lists in the first place.
247 * TODO(emilia): we should really be storing the curves list in explicitly
248 * parsed form instead. (However, this would affect binary compatibility
249 * so cannot happen in the 1.0.x series.)
fd2b65ce 250 */
740580c2 251static int tls1_get_curvelist(SSL *s, int sess,
a230b26e 252 const unsigned char **pcurves, size_t *num_curves)
0f113f3e
MC		 253{
254 size_t pcurveslen = 0;
255 if (sess) {
256 *pcurves = s->session->tlsext_ellipticcurvelist;
257 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
258 } else {
259 /* For Suite B mode only include P-256, P-384 */
260 switch (tls1_suiteb(s)) {
261 case SSL_CERT_FLAG_SUITEB_128_LOS:
262 *pcurves = suiteb_curves;
263 pcurveslen = sizeof(suiteb_curves);
264 break;
265
266 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
267 *pcurves = suiteb_curves;
268 pcurveslen = 2;
269 break;
270
271 case SSL_CERT_FLAG_SUITEB_192_LOS:
272 *pcurves = suiteb_curves + 2;
273 pcurveslen = 2;
274 break;
275 default:
276 *pcurves = s->tlsext_ellipticcurvelist;
277 pcurveslen = s->tlsext_ellipticcurvelist_length;
278 }
279 if (!*pcurves) {
fe6ef247
KR		 280 *pcurves = eccurves_default;
281 pcurveslen = sizeof(eccurves_default);
0f113f3e
MC		 282 }
283 }
284
285 /* We do not allow odd length arrays to enter the system. */
286 if (pcurveslen & 1) {
287 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
288 *num_curves = 0;
289 return 0;
290 } else {
291 *num_curves = pcurveslen / 2;
292 return 1;
293 }
294}
b362ccab
DSH		 295
296/* See if curve is allowed by security callback */
297static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
0f113f3e
MC		 298{
299 const tls_curve_info *cinfo;
300 if (curve[0])
301 return 1;
b6eb9827 302 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
0f113f3e
MC		 303 return 0;
304 cinfo = &nid_list[curve[1] - 1];
305# ifdef OPENSSL_NO_EC2M
306 if (cinfo->flags & TLS_CURVE_CHAR2)
307 return 0;
308# endif
309 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
310}
b362ccab 311
d18b716d
DSH		 312/* Check a curve is one of our preferences */
313int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
0f113f3e
MC		 314{
315 const unsigned char *curves;
316 size_t num_curves, i;
317 unsigned int suiteb_flags = tls1_suiteb(s);
318 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
319 return 0;
320 /* Check curve matches Suite B preferences */
321 if (suiteb_flags) {
322 unsigned long cid = s->s3->tmp.new_cipher->id;
323 if (p[1])
324 return 0;
325 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
326 if (p[2] != TLSEXT_curve_P_256)
327 return 0;
328 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
329 if (p[2] != TLSEXT_curve_P_384)
330 return 0;
331 } else /* Should never happen */
332 return 0;
333 }
334 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
335 return 0;
336 for (i = 0; i < num_curves; i++, curves += 2) {
337 if (p[1] == curves[0] && p[2] == curves[1])
338 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
339 }
340 return 0;
341}
d0595f17 342
1d97c843 343/*-
6977e8ee
KR		 344 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
345 * if there is no match.
346 * For nmatch == -1, return number of matches
376e2ca3
EK		 347 * For nmatch == -2, return the NID of the curve to use for
348 * an EC tmp key, or NID_undef if there is no match.
d0595f17 349 */
a4352630 350int tls1_shared_curve(SSL *s, int nmatch)
0f113f3e
MC		 351{
352 const unsigned char *pref, *supp;
353 size_t num_pref, num_supp, i, j;
354 int k;
355 /* Can't do anything on client side */
356 if (s->server == 0)
357 return -1;
358 if (nmatch == -2) {
359 if (tls1_suiteb(s)) {
360 /*
361 * For Suite B ciphersuite determines curve: we already know
362 * these are acceptable due to previous checks.
363 */
364 unsigned long cid = s->s3->tmp.new_cipher->id;
365 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
366 return NID_X9_62_prime256v1; /* P-256 */
367 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
368 return NID_secp384r1; /* P-384 */
369 /* Should never happen */
370 return NID_undef;
371 }
372 /* If not Suite B just return first preference shared curve */
373 nmatch = 0;
374 }
375 /*
376 * Avoid truncation. tls1_get_curvelist takes an int
377 * but s->options is a long...
378 */
379 if (!tls1_get_curvelist
380 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
381 &num_supp))
382 /* In practice, NID_undef == 0 but let's be precise. */
383 return nmatch == -1 ? 0 : NID_undef;
384 if (!tls1_get_curvelist
a230b26e 385 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
0f113f3e 386 return nmatch == -1 ? 0 : NID_undef;
3c06513f
KR		 387
388 /*
389 * If the client didn't send the elliptic_curves extension all of them
390 * are allowed.
391 */
392 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
393 supp = eccurves_all;
394 num_supp = sizeof(eccurves_all) / 2;
395 } else if (num_pref == 0 &&
a230b26e 396 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
3c06513f
KR		 397 pref = eccurves_all;
398 num_pref = sizeof(eccurves_all) / 2;
399 }
400
0f113f3e
MC		 401 k = 0;
402 for (i = 0; i < num_pref; i++, pref += 2) {
403 const unsigned char *tsupp = supp;
404 for (j = 0; j < num_supp; j++, tsupp += 2) {
405 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
406 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
407 continue;
408 if (nmatch == k) {
409 int id = (pref[0] << 8) | pref[1];
ec24630a 410 return tls1_ec_curve_id2nid(id, NULL);
0f113f3e
MC		 411 }
412 k++;
413 }
414 }
415 }
416 if (nmatch == -1)
417 return k;
418 /* Out of range (nmatch > k). */
419 return NID_undef;
420}
d0595f17
DSH		 421
422int tls1_set_curves(unsigned char **pext, size_t *pextlen,
0f113f3e
MC		 423 int *curves, size_t ncurves)
424{
425 unsigned char *clist, *p;
426 size_t i;
427 /*
428 * Bitmap of curves included to detect duplicates: only works while curve
429 * ids < 32
430 */
431 unsigned long dup_list = 0;
432 clist = OPENSSL_malloc(ncurves * 2);
a71edf3b 433 if (clist == NULL)
0f113f3e
MC		 434 return 0;
435 for (i = 0, p = clist; i < ncurves; i++) {
436 unsigned long idmask;
437 int id;
438 id = tls1_ec_nid2curve_id(curves[i]);
439 idmask = 1L << id;
440 if (!id || (dup_list & idmask)) {
441 OPENSSL_free(clist);
442 return 0;
443 }
444 dup_list |= idmask;
445 s2n(id, p);
446 }
b548a1f1 447 OPENSSL_free(*pext);
0f113f3e
MC		 448 *pext = clist;
449 *pextlen = ncurves * 2;
450 return 1;
451}
452
453# define MAX_CURVELIST 28
454
455typedef struct {
456 size_t nidcnt;
457 int nid_arr[MAX_CURVELIST];
458} nid_cb_st;
d0595f17
DSH		 459
460static int nid_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 461{
462 nid_cb_st *narg = arg;
463 size_t i;
464 int nid;
465 char etmp[20];
2747d73c
KR		 466 if (elem == NULL)
467 return 0;
0f113f3e
MC		 468 if (narg->nidcnt == MAX_CURVELIST)
469 return 0;
470 if (len > (int)(sizeof(etmp) - 1))
471 return 0;
472 memcpy(etmp, elem, len);
473 etmp[len] = 0;
474 nid = EC_curve_nist2nid(etmp);
475 if (nid == NID_undef)
476 nid = OBJ_sn2nid(etmp);
477 if (nid == NID_undef)
478 nid = OBJ_ln2nid(etmp);
479 if (nid == NID_undef)
480 return 0;
481 for (i = 0; i < narg->nidcnt; i++)
482 if (narg->nid_arr[i] == nid)
483 return 0;
484 narg->nid_arr[narg->nidcnt++] = nid;
485 return 1;
486}
487
d0595f17 488/* Set curves based on a colon separate list */
a230b26e 489int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
0f113f3e
MC		 490{
491 nid_cb_st ncb;
492 ncb.nidcnt = 0;
493 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
494 return 0;
495 if (pext == NULL)
496 return 1;
497 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
498}
499
fd2b65ce
DSH		 500/* For an EC key set TLS id and required compression based on parameters */
501static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
0f113f3e
MC		 502 EC_KEY *ec)
503{
2235b7f2 504 int id;
0f113f3e 505 const EC_GROUP *grp;
0f113f3e
MC		 506 if (!ec)
507 return 0;
508 /* Determine if it is a prime field */
509 grp = EC_KEY_get0_group(ec);
510 if (!grp)
511 return 0;
0f113f3e
MC		 512 /* Determine curve ID */
513 id = EC_GROUP_get_curve_name(grp);
514 id = tls1_ec_nid2curve_id(id);
2235b7f2
DSH		 515 /* If no id return error: we don't support arbitrary explicit curves */
516 if (id == 0)
517 return 0;
518 curve_id[0] = 0;
519 curve_id[1] = (unsigned char)id;
0f113f3e
MC		 520 if (comp_id) {
521 if (EC_KEY_get0_public_key(ec) == NULL)
522 return 0;
2235b7f2
DSH		 523 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
524 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
525 } else {
526 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
0f113f3e
MC		 527 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
528 else
529 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2235b7f2 530 }
0f113f3e
MC		 531 }
532 return 1;
533}
534
fd2b65ce
DSH		 535/* Check an EC key is compatible with extensions */
536static int tls1_check_ec_key(SSL *s,
0f113f3e
MC		 537 unsigned char *curve_id, unsigned char *comp_id)
538{
539 const unsigned char *pformats, *pcurves;
540 size_t num_formats, num_curves, i;
541 int j;
542 /*
543 * If point formats extension present check it, otherwise everything is
544 * supported (see RFC4492).
545 */
546 if (comp_id && s->session->tlsext_ecpointformatlist) {
547 pformats = s->session->tlsext_ecpointformatlist;
548 num_formats = s->session->tlsext_ecpointformatlist_length;
549 for (i = 0; i < num_formats; i++, pformats++) {
550 if (*comp_id == *pformats)
551 break;
552 }
553 if (i == num_formats)
554 return 0;
555 }
556 if (!curve_id)
557 return 1;
558 /* Check curve is consistent with client and server preferences */
559 for (j = 0; j <= 1; j++) {
560 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
561 return 0;
b79d2410
MC		 562 if (j == 1 && num_curves == 0) {
563 /*
564 * If we've not received any curves then skip this check.
565 * RFC 4492 does not require the supported elliptic curves extension
566 * so if it is not sent we can just choose any curve.
567 * It is invalid to send an empty list in the elliptic curves
568 * extension, so num_curves == 0 always means no extension.
569 */
570 break;
571 }
0f113f3e
MC		 572 for (i = 0; i < num_curves; i++, pcurves += 2) {
573 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
574 break;
575 }
576 if (i == num_curves)
577 return 0;
578 /* For clients can only check sent curve list */
579 if (!s->server)
580 break;
581 }
582 return 1;
583}
d61ff83b 584
5087afa1 585static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
0f113f3e
MC		 586 size_t *num_formats)
587{
588 /*
589 * If we have a custom point format list use it otherwise use default
590 */
591 if (s->tlsext_ecpointformatlist) {
592 *pformats = s->tlsext_ecpointformatlist;
593 *num_formats = s->tlsext_ecpointformatlist_length;
594 } else {
595 *pformats = ecformats_default;
596 /* For Suite B we don't support char2 fields */
597 if (tls1_suiteb(s))
598 *num_formats = sizeof(ecformats_default) - 1;
599 else
600 *num_formats = sizeof(ecformats_default);
601 }
602}
603
604/*
605 * Check cert parameters compatible with extensions: currently just checks EC
606 * certificates have compatible curves and compression.
d61ff83b 607 */
2ea80354 608static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 609{
610 unsigned char comp_id, curve_id[2];
611 EVP_PKEY *pkey;
612 int rv;
8382fd3a 613 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 614 if (!pkey)
615 return 0;
616 /* If not EC nothing to do */
3aeb9348 617 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
0f113f3e 618 return 1;
3aeb9348 619 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
0f113f3e
MC		 620 if (!rv)
621 return 0;
622 /*
623 * Can't check curve_id for client certs as we don't have a supported
624 * curves extension.
625 */
626 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
627 if (!rv)
628 return 0;
629 /*
630 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
631 * SHA384+P-384, adjust digest if necessary.
632 */
633 if (set_ee_md && tls1_suiteb(s)) {
634 int check_md;
635 size_t i;
636 CERT *c = s->cert;
637 if (curve_id[0])
638 return 0;
639 /* Check to see we have necessary signing algorithm */
640 if (curve_id[1] == TLSEXT_curve_P_256)
641 check_md = NID_ecdsa_with_SHA256;
642 else if (curve_id[1] == TLSEXT_curve_P_384)
643 check_md = NID_ecdsa_with_SHA384;
644 else
645 return 0; /* Should never happen */
646 for (i = 0; i < c->shared_sigalgslen; i++)
647 if (check_md == c->shared_sigalgs[i].signandhash_nid)
648 break;
649 if (i == c->shared_sigalgslen)
650 return 0;
651 if (set_ee_md == 2) {
652 if (check_md == NID_ecdsa_with_SHA256)
d376e57d 653 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
0f113f3e 654 else
d376e57d 655 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
0f113f3e
MC		 656 }
657 }
658 return rv;
659}
660
10bf4fc2 661# ifndef OPENSSL_NO_EC
6977e8ee 662/*
8483a003 663 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
6977e8ee
KR		 664 * @s: SSL connection
665 * @cid: Cipher ID we're considering using
666 *
667 * Checks that the kECDHE cipher suite we're considering using
668 * is compatible with the client extensions.
669 *
670 * Returns 0 when the cipher can't be used or 1 when it can.
671 */
2ea80354 672int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
0f113f3e 673{
0f113f3e
MC		 674 /*
675 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
676 * curves permitted.
677 */
678 if (tls1_suiteb(s)) {
6977e8ee 679 unsigned char curve_id[2];
0f113f3e
MC		 680 /* Curve to check determined by ciphersuite */
681 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
682 curve_id[1] = TLSEXT_curve_P_256;
683 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
684 curve_id[1] = TLSEXT_curve_P_384;
685 else
686 return 0;
687 curve_id[0] = 0;
688 /* Check this curve is acceptable */
689 if (!tls1_check_ec_key(s, curve_id, NULL))
690 return 0;
fe6ef247 691 return 1;
0f113f3e 692 }
fe6ef247
KR		 693 /* Need a shared curve */
694 if (tls1_shared_curve(s, 0))
695 return 1;
6977e8ee 696 return 0;
0f113f3e 697}
10bf4fc2 698# endif /* OPENSSL_NO_EC */
d0595f17 699
14536c8c
DSH		 700#else
701
702static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
0f113f3e
MC		 703{
704 return 1;
705}
14536c8c 706
0f113f3e 707#endif /* OPENSSL_NO_EC */
f1fd4544 708
0f113f3e
MC		 709/*
710 * List of supported signature algorithms and hashes. Should make this
fc101f88
DSH		 711 * customisable at some point, for now include everything we support.
712 */
713
e481f9b9 714#ifdef OPENSSL_NO_RSA
a230b26e 715# define tlsext_sigalg_rsa(md) /* */
e481f9b9
MC		 716#else
717# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
718#endif
0f113f3e 719
e481f9b9 720#ifdef OPENSSL_NO_DSA
a230b26e 721# define tlsext_sigalg_dsa(md) /* */
e481f9b9
MC		 722#else
723# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
724#endif
0f113f3e 725
e481f9b9 726#ifdef OPENSSL_NO_EC
a230b26e 727# define tlsext_sigalg_ecdsa(md)/* */
e481f9b9
MC		 728#else
729# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
730#endif
0f113f3e 731
e481f9b9 732#define tlsext_sigalg(md) \
0f113f3e
MC		 733 tlsext_sigalg_rsa(md) \
734 tlsext_sigalg_dsa(md) \
735 tlsext_sigalg_ecdsa(md)
fc101f88 736
d97ed219 737static const unsigned char tls12_sigalgs[] = {
0f113f3e
MC		 738 tlsext_sigalg(TLSEXT_hash_sha512)
739 tlsext_sigalg(TLSEXT_hash_sha384)
0f113f3e
MC		 740 tlsext_sigalg(TLSEXT_hash_sha256)
741 tlsext_sigalg(TLSEXT_hash_sha224)
0f113f3e 742 tlsext_sigalg(TLSEXT_hash_sha1)
e44380a9
DB		 743#ifndef OPENSSL_NO_GOST
744 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
a230b26e
EK		 745 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
746 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
e44380a9 747#endif
fc101f88 748};
0f113f3e 749
e481f9b9 750#ifndef OPENSSL_NO_EC
d97ed219 751static const unsigned char suiteb_sigalgs[] = {
0f113f3e
MC		 752 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
753 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
2ea80354 754};
e481f9b9 755#endif
b7bfe69b 756size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
0f113f3e
MC		 757{
758 /*
759 * If Suite B mode use Suite B sigalgs only, ignore any other
760 * preferences.
761 */
e481f9b9 762#ifndef OPENSSL_NO_EC
0f113f3e
MC		 763 switch (tls1_suiteb(s)) {
764 case SSL_CERT_FLAG_SUITEB_128_LOS:
765 *psigs = suiteb_sigalgs;
766 return sizeof(suiteb_sigalgs);
767
768 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
769 *psigs = suiteb_sigalgs;
770 return 2;
771
772 case SSL_CERT_FLAG_SUITEB_192_LOS:
773 *psigs = suiteb_sigalgs + 2;
774 return 2;
775 }
e481f9b9 776#endif
0f113f3e
MC		 777 /* If server use client authentication sigalgs if not NULL */
778 if (s->server && s->cert->client_sigalgs) {
779 *psigs = s->cert->client_sigalgs;
780 return s->cert->client_sigalgslen;
781 } else if (s->cert->conf_sigalgs) {
782 *psigs = s->cert->conf_sigalgs;
783 return s->cert->conf_sigalgslen;
784 } else {
785 *psigs = tls12_sigalgs;
786 return sizeof(tls12_sigalgs);
787 }
788}
789
790/*
791 * Check signature algorithm is consistent with sent supported signature
ec4a50b3
DSH		 792 * algorithms and if so return relevant digest.
793 */
794int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
0f113f3e
MC		 795 const unsigned char *sig, EVP_PKEY *pkey)
796{
797 const unsigned char *sent_sigs;
798 size_t sent_sigslen, i;
799 int sigalg = tls12_get_sigid(pkey);
800 /* Should never happen */
801 if (sigalg == -1)
802 return -1;
803 /* Check key type is consistent with signature */
804 if (sigalg != (int)sig[1]) {
805 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
806 return 0;
807 }
e481f9b9 808#ifndef OPENSSL_NO_EC
3aeb9348 809 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
0f113f3e
MC		 810 unsigned char curve_id[2], comp_id;
811 /* Check compression and curve matches extensions */
3aeb9348 812 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
0f113f3e
MC		 813 return 0;
814 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
815 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
816 return 0;
817 }
818 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
819 if (tls1_suiteb(s)) {
820 if (curve_id[0])
821 return 0;
822 if (curve_id[1] == TLSEXT_curve_P_256) {
823 if (sig[0] != TLSEXT_hash_sha256) {
824 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
825 SSL_R_ILLEGAL_SUITEB_DIGEST);
826 return 0;
827 }
828 } else if (curve_id[1] == TLSEXT_curve_P_384) {
829 if (sig[0] != TLSEXT_hash_sha384) {
830 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
831 SSL_R_ILLEGAL_SUITEB_DIGEST);
832 return 0;
833 }
834 } else
835 return 0;
836 }
837 } else if (tls1_suiteb(s))
838 return 0;
e481f9b9 839#endif
0f113f3e
MC		 840
841 /* Check signature matches a type we sent */
842 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
843 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
844 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
845 break;
846 }
847 /* Allow fallback to SHA1 if not strict mode */
848 if (i == sent_sigslen
849 && (sig[0] != TLSEXT_hash_sha1
850 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
851 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
852 return 0;
853 }
854 *pmd = tls12_get_hash(sig[0]);
855 if (*pmd == NULL) {
856 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
857 return 0;
858 }
859 /* Make sure security callback allows algorithm */
860 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
a230b26e 861 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
0f113f3e
MC		 862 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
863 return 0;
864 }
865 /*
866 * Store the digest used so applications can retrieve it if they wish.
867 */
d376e57d 868 s->s3->tmp.peer_md = *pmd;
0f113f3e
MC		 869 return 1;
870}
2ea80354 871
0f113f3e 872/*
3eb2aff4
KR		 873 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
874 * supported, doesn't appear in supported signature algorithms, isn't supported
875 * by the enabled protocol versions or by the security level.
876 *
877 * This function should only be used for checking which ciphers are supported
878 * by the client.
879 *
880 * Call ssl_cipher_disabled() to check that it's enabled or not.
b7bfe69b
DSH		 881 */
882void ssl_set_client_disabled(SSL *s)
0f113f3e 883{
4d69f9e6
DSH		 884 s->s3->tmp.mask_a = 0;
885 s->s3->tmp.mask_k = 0;
4d69f9e6 886 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
3eb2aff4 887 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
a230b26e 888#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 889 /* with PSK there must be client callback set */
890 if (!s->psk_client_callback) {
4d69f9e6 891 s->s3->tmp.mask_a |= SSL_aPSK;
fe5eef3a 892 s->s3->tmp.mask_k |= SSL_PSK;
0f113f3e 893 }
a230b26e 894#endif /* OPENSSL_NO_PSK */
e481f9b9 895#ifndef OPENSSL_NO_SRP
0f113f3e 896 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
4d69f9e6
DSH		 897 s->s3->tmp.mask_a |= SSL_aSRP;
898 s->s3->tmp.mask_k |= SSL_kSRP;
0f113f3e 899 }
e481f9b9 900#endif
0f113f3e 901}
fc101f88 902
3eb2aff4
KR		 903/*
904 * ssl_cipher_disabled - check that a cipher is disabled or not
905 * @s: SSL connection that you want to use the cipher on
906 * @c: cipher to check
907 * @op: Security check that you want to do
908 *
909 * Returns 1 when it's disabled, 0 when enabled.
910 */
b362ccab 911int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
0f113f3e 912{
3eb2aff4 913 if (c->algorithm_mkey & s->s3->tmp.mask_k
4d69f9e6 914 || c->algorithm_auth & s->s3->tmp.mask_a)
0f113f3e 915 return 1;
3eb2aff4
KR		 916 if (s->s3->tmp.max_ver == 0)
917 return 1;
918 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
a230b26e 919 || (c->max_tls < s->s3->tmp.min_ver)))
3eb2aff4
KR		 920 return 1;
921 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
a230b26e 922 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
3eb2aff4
KR		 923 return 1;
924
0f113f3e
MC		 925 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
926}
b362ccab
DSH		 927
928static int tls_use_ticket(SSL *s)
0f113f3e
MC		 929{
930 if (s->options & SSL_OP_NO_TICKET)
931 return 0;
932 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
933}
ed3883d2 934
a230b26e
EK		 935static int compare_uint(const void *p1, const void *p2)
936{
aa474d1f
EK		 937 unsigned int u1 = *((const unsigned int *)p1);
938 unsigned int u2 = *((const unsigned int *)p2);
939 if (u1 < u2)
940 return -1;
941 else if (u1 > u2)
942 return 1;
943 else
944 return 0;
945}
946
947/*
948 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
949 * more than one extension of the same type in a ClientHello or ServerHello.
950 * This function does an initial scan over the extensions block to filter those
951 * out. It returns 1 if all extensions are unique, and 0 if the extensions
952 * contain duplicates, could not be successfully parsed, or an internal error
953 * occurred.
954 */
a230b26e
EK		 955static int tls1_check_duplicate_extensions(const PACKET *packet)
956{
aa474d1f
EK		 957 PACKET extensions = *packet;
958 size_t num_extensions = 0, i = 0;
959 unsigned int *extension_types = NULL;
960 int ret = 0;
961
962 /* First pass: count the extensions. */
963 while (PACKET_remaining(&extensions) > 0) {
964 unsigned int type;
965 PACKET extension;
966 if (!PACKET_get_net_2(&extensions, &type) ||
967 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
968 goto done;
969 }
970 num_extensions++;
971 }
972
973 if (num_extensions <= 1)
974 return 1;
975
976 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
977 if (extension_types == NULL) {
978 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
979 goto done;
980 }
981
982 /* Second pass: gather the extension types. */
983 extensions = *packet;
984 for (i = 0; i < num_extensions; i++) {
985 PACKET extension;
986 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
987 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
988 /* This should not happen. */
989 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
990 goto done;
991 }
992 }
993
994 if (PACKET_remaining(&extensions) != 0) {
995 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
996 goto done;
997 }
998 /* Sort the extensions and make sure there are no duplicates. */
999 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1000 for (i = 1; i < num_extensions; i++) {
1001 if (extension_types[i - 1] == extension_types[i])
1002 goto done;
1003 }
1004 ret = 1;
1005 done:
1006 OPENSSL_free(extension_types);
1007 return ret;
1008}
1009
0f113f3e
MC		 1010unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1011 unsigned char *limit, int *al)
1012{
1013 int extdatalen = 0;
1014 unsigned char *orig = buf;
1015 unsigned char *ret = buf;
e481f9b9 1016#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1017 /* See if we support any ECC ciphersuites */
1018 int using_ecc = 0;
1019 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1020 int i;
1021 unsigned long alg_k, alg_a;
1022 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1023
1024 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
4a640fb6 1025 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
0f113f3e
MC		 1026
1027 alg_k = c->algorithm_mkey;
1028 alg_a = c->algorithm_auth;
ce0c1f2b 1029 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
a230b26e 1030 || (alg_a & SSL_aECDSA)) {
0f113f3e
MC		 1031 using_ecc = 1;
1032 break;
1033 }
1034 }
1035 }
e481f9b9 1036#endif
ed3883d2 1037
0f113f3e 1038 ret += 2;
6434abbf 1039
0f113f3e
MC		 1040 if (ret >= limit)
1041 return NULL; /* this really never occurs, but ... */
5a3d8eeb 1042
0f113f3e
MC		 1043 /* Add RI if renegotiating */
1044 if (s->renegotiate) {
1045 int el;
5a3d8eeb 1046
0f113f3e
MC		 1047 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1048 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1049 return NULL;
1050 }
5a3d8eeb 1051
0f113f3e
MC		 1052 if ((limit - ret - 4 - el) < 0)
1053 return NULL;
5a3d8eeb 1054
0f113f3e
MC		 1055 s2n(TLSEXT_TYPE_renegotiate, ret);
1056 s2n(el, ret);
5a3d8eeb 1057
0f113f3e
MC		 1058 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1059 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1060 return NULL;
5a3d8eeb 1061 }
edc032b5 1062
0f113f3e
MC		 1063 ret += el;
1064 }
1065 /* Only add RI for SSLv3 */
1066 if (s->client_version == SSL3_VERSION)
1067 goto done;
1068
1069 if (s->tlsext_hostname != NULL) {
1070 /* Add TLS extension servername to the Client Hello message */
1071 unsigned long size_str;
1072 long lenmax;
1073
50e735f9
MC		 1074 /*-
1075 * check for enough space.
8483a003 1076 * 4 for the servername type and extension length
50e735f9
MC		 1077 * 2 for servernamelist length
1078 * 1 for the hostname type
1079 * 2 for hostname length
1080 * + hostname length
1081 */
0f113f3e
MC		 1082
1083 if ((lenmax = limit - ret - 9) < 0
a230b26e 1084 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
0f113f3e
MC		 1085 return NULL;
1086
1087 /* extension type and length */
1088 s2n(TLSEXT_TYPE_server_name, ret);
1089 s2n(size_str + 5, ret);
1090
1091 /* length of servername list */
1092 s2n(size_str + 3, ret);
1093
1094 /* hostname type, length and hostname */
1095 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1096 s2n(size_str, ret);
1097 memcpy(ret, s->tlsext_hostname, size_str);
1098 ret += size_str;
1099 }
e481f9b9 1100#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1101 /* Add SRP username if there is one */
1102 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1103 * Client Hello message */
1104
1105 int login_len = strlen(s->srp_ctx.login);
1106 if (login_len > 255 || login_len == 0) {
1107 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1108 return NULL;
1109 }
761772d7 1110
50e735f9
MC		 1111 /*-
1112 * check for enough space.
8483a003 1113 * 4 for the srp type type and extension length
50e735f9
MC		 1114 * 1 for the srp user identity
1115 * + srp user identity length
1116 */
0f113f3e
MC		 1117 if ((limit - ret - 5 - login_len) < 0)
1118 return NULL;
1119
1120 /* fill in the extension */
1121 s2n(TLSEXT_TYPE_srp, ret);
1122 s2n(login_len + 1, ret);
1123 (*ret++) = (unsigned char)login_len;
1124 memcpy(ret, s->srp_ctx.login, login_len);
1125 ret += login_len;
1126 }
e481f9b9 1127#endif
0f113f3e 1128
e481f9b9 1129#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1130 if (using_ecc) {
1131 /*
1132 * Add TLS extension ECPointFormats to the ClientHello message
1133 */
1134 long lenmax;
1135 const unsigned char *pcurves, *pformats;
1136 size_t num_curves, num_formats, curves_list_len;
1137 size_t i;
1138 unsigned char *etmp;
1139
1140 tls1_get_formatlist(s, &pformats, &num_formats);
1141
1142 if ((lenmax = limit - ret - 5) < 0)
1143 return NULL;
1144 if (num_formats > (size_t)lenmax)
1145 return NULL;
1146 if (num_formats > 255) {
1147 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1148 return NULL;
1149 }
4817504d 1150
0f113f3e
MC		 1151 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1152 /* The point format list has 1-byte length. */
1153 s2n(num_formats + 1, ret);
1154 *(ret++) = (unsigned char)num_formats;
1155 memcpy(ret, pformats, num_formats);
1156 ret += num_formats;
1157
1158 /*
1159 * Add TLS extension EllipticCurves to the ClientHello message
1160 */
1161 pcurves = s->tlsext_ellipticcurvelist;
1162 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1163 return NULL;
1164
1165 if ((lenmax = limit - ret - 6) < 0)
1166 return NULL;
1167 if (num_curves > (size_t)lenmax / 2)
1168 return NULL;
1169 if (num_curves > 65532 / 2) {
1170 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1171 return NULL;
1172 }
ee2ffc27 1173
0f113f3e
MC		 1174 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1175 etmp = ret + 4;
1176 /* Copy curve ID if supported */
1177 for (i = 0; i < num_curves; i++, pcurves += 2) {
1178 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1179 *etmp++ = pcurves[0];
1180 *etmp++ = pcurves[1];
1181 }
1182 }
01f2f18f 1183
0f113f3e
MC		 1184 curves_list_len = etmp - ret - 4;
1185
1186 s2n(curves_list_len + 2, ret);
1187 s2n(curves_list_len, ret);
1188 ret += curves_list_len;
1189 }
a230b26e 1190#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1191
1192 if (tls_use_ticket(s)) {
1193 int ticklen;
1194 if (!s->new_session && s->session && s->session->tlsext_tick)
1195 ticklen = s->session->tlsext_ticklen;
1196 else if (s->session && s->tlsext_session_ticket &&
1197 s->tlsext_session_ticket->data) {
1198 ticklen = s->tlsext_session_ticket->length;
1199 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
a71edf3b 1200 if (s->session->tlsext_tick == NULL)
0f113f3e
MC		 1201 return NULL;
1202 memcpy(s->session->tlsext_tick,
1203 s->tlsext_session_ticket->data, ticklen);
1204 s->session->tlsext_ticklen = ticklen;
1205 } else
1206 ticklen = 0;
1207 if (ticklen == 0 && s->tlsext_session_ticket &&
1208 s->tlsext_session_ticket->data == NULL)
1209 goto skip_ext;
1210 /*
1211 * Check for enough room 2 for extension type, 2 for len rest for
1212 * ticket
1213 */
1214 if ((long)(limit - ret - 4 - ticklen) < 0)
1215 return NULL;
1216 s2n(TLSEXT_TYPE_session_ticket, ret);
1217 s2n(ticklen, ret);
1218 if (ticklen) {
1219 memcpy(ret, s->session->tlsext_tick, ticklen);
1220 ret += ticklen;
1221 }
1222 }
1223 skip_ext:
1224
f7aa3185 1225 if (SSL_CLIENT_USE_SIGALGS(s)) {
0f113f3e
MC		 1226 size_t salglen;
1227 const unsigned char *salg;
1228 unsigned char *etmp;
1229 salglen = tls12_get_psigalgs(s, &salg);
1230 if ((size_t)(limit - ret) < salglen + 6)
1231 return NULL;
1232 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1233 etmp = ret;
1234 /* Skip over lengths for now */
1235 ret += 4;
1236 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1237 /* Fill in lengths */
1238 s2n(salglen + 2, etmp);
1239 s2n(salglen, etmp);
1240 ret += salglen;
1241 }
3e41ac35 1242#ifndef OPENSSL_NO_OCSP
0f113f3e
MC		 1243 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1244 int i;
1245 long extlen, idlen, itmp;
1246 OCSP_RESPID *id;
1247
1248 idlen = 0;
1249 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1250 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1251 itmp = i2d_OCSP_RESPID(id, NULL);
1252 if (itmp <= 0)
1253 return NULL;
1254 idlen += itmp + 2;
860c3dd1
DSH		 1255 }
1256
0f113f3e
MC		 1257 if (s->tlsext_ocsp_exts) {
1258 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1259 if (extlen < 0)
1260 return NULL;
1261 } else
1262 extlen = 0;
1263
1264 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1265 return NULL;
1266 s2n(TLSEXT_TYPE_status_request, ret);
1267 if (extlen + idlen > 0xFFF0)
1268 return NULL;
1269 s2n(extlen + idlen + 5, ret);
1270 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1271 s2n(idlen, ret);
1272 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1273 /* save position of id len */
1274 unsigned char *q = ret;
1275 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1276 /* skip over id len */
1277 ret += 2;
1278 itmp = i2d_OCSP_RESPID(id, &ret);
1279 /* write id len */
1280 s2n(itmp, q);
1281 }
1282 s2n(extlen, ret);
1283 if (extlen > 0)
1284 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1285 }
3e41ac35 1286#endif
e481f9b9 1287#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1288 if (SSL_IS_DTLS(s)) {
1289 /* Add Heartbeat extension */
1290 if ((limit - ret - 4 - 1) < 0)
1291 return NULL;
1292 s2n(TLSEXT_TYPE_heartbeat, ret);
1293 s2n(1, ret);
1294 /*-
1295 * Set mode:
1296 * 1: peer may send requests
1297 * 2: peer not allowed to send requests
1298 */
1299 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1300 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1301 else
1302 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1303 }
e481f9b9 1304#endif
0f113f3e 1305
e481f9b9 1306#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1307 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1308 /*
8483a003 1309 * The client advertises an empty extension to indicate its support
0f113f3e
MC		 1310 * for Next Protocol Negotiation
1311 */
1312 if (limit - ret - 4 < 0)
1313 return NULL;
1314 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1315 s2n(0, ret);
1316 }
e481f9b9 1317#endif
0f113f3e 1318
817cd0d5
TS		 1319 /*
1320 * finish_md_len is non-zero during a renegotiation, so
1321 * this avoids sending ALPN during the renegotiation
1322 * (see longer comment below)
1323 */
0f113f3e
MC		 1324 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1325 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1326 return NULL;
1327 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1328 s2n(2 + s->alpn_client_proto_list_len, ret);
1329 s2n(s->alpn_client_proto_list_len, ret);
1330 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1331 ret += s->alpn_client_proto_list_len;
817cd0d5 1332 s->s3->alpn_sent = 1;
0f113f3e 1333 }
e481f9b9 1334#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1335 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1336 int el;
1337
69f68237
MC		 1338 /* Returns 0 on success!! */
1339 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1340 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1341 return NULL;
1342 }
0f113f3e
MC		 1343
1344 if ((limit - ret - 4 - el) < 0)
1345 return NULL;
1346
1347 s2n(TLSEXT_TYPE_use_srtp, ret);
1348 s2n(el, ret);
1349
1350 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1351 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1352 return NULL;
1353 }
1354 ret += el;
1355 }
e481f9b9 1356#endif
0f113f3e
MC		 1357 custom_ext_init(&s->cert->cli_ext);
1358 /* Add custom TLS Extensions to ClientHello */
1359 if (!custom_ext_add(s, 0, &ret, limit, al))
1360 return NULL;
0f113f3e
MC		 1361 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1362 s2n(0, ret);
ed29e82a
RP		 1363#ifndef OPENSSL_NO_CT
1364 if (s->ct_validation_callback != NULL) {
1365 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
1366 s2n(0, ret);
1367 }
e481f9b9 1368#endif
ddc06b35
DSH		 1369 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1370 s2n(0, ret);
0f113f3e
MC		 1371
1372 /*
1373 * Add padding to workaround bugs in F5 terminators. See
1374 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1375 * code works out the length of all existing extensions it MUST always
1376 * appear last.
1377 */
1378 if (s->options & SSL_OP_TLSEXT_PADDING) {
1379 int hlen = ret - (unsigned char *)s->init_buf->data;
a3680c8f 1380
0f113f3e
MC		 1381 if (hlen > 0xff && hlen < 0x200) {
1382 hlen = 0x200 - hlen;
1383 if (hlen >= 4)
1384 hlen -= 4;
1385 else
1386 hlen = 0;
1387
1388 s2n(TLSEXT_TYPE_padding, ret);
1389 s2n(hlen, ret);
1390 memset(ret, 0, hlen);
1391 ret += hlen;
1392 }
1393 }
5a3d8eeb 1394
0f113f3e 1395 done:
5a3d8eeb 1396
0f113f3e
MC		 1397 if ((extdatalen = ret - orig - 2) == 0)
1398 return orig;
5a3d8eeb 1399
0f113f3e
MC		 1400 s2n(extdatalen, orig);
1401 return ret;
1402}
333f926d 1403
0f113f3e
MC		 1404unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1405 unsigned char *limit, int *al)
1406{
1407 int extdatalen = 0;
1408 unsigned char *orig = buf;
1409 unsigned char *ret = buf;
e481f9b9 1410#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1411 int next_proto_neg_seen;
e481f9b9
MC		 1412#endif
1413#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1414 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1415 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ce0c1f2b 1416 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
0f113f3e 1417 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
e481f9b9 1418#endif
0f113f3e
MC		 1419
1420 ret += 2;
1421 if (ret >= limit)
1422 return NULL; /* this really never occurs, but ... */
1423
1424 if (s->s3->send_connection_binding) {
1425 int el;
1426
1427 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1428 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1429 return NULL;
1430 }
333f926d 1431
0f113f3e
MC		 1432 if ((limit - ret - 4 - el) < 0)
1433 return NULL;
333f926d 1434
0f113f3e
MC		 1435 s2n(TLSEXT_TYPE_renegotiate, ret);
1436 s2n(el, ret);
333f926d 1437
0f113f3e
MC		 1438 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1439 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1440 return NULL;
1441 }
333f926d 1442
0f113f3e
MC		 1443 ret += el;
1444 }
1445
1446 /* Only add RI for SSLv3 */
1447 if (s->version == SSL3_VERSION)
1448 goto done;
1449
1450 if (!s->hit && s->servername_done == 1
1451 && s->session->tlsext_hostname != NULL) {
1452 if ((long)(limit - ret - 4) < 0)
1453 return NULL;
1454
1455 s2n(TLSEXT_TYPE_server_name, ret);
1456 s2n(0, ret);
1457 }
e481f9b9 1458#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1459 if (using_ecc) {
1460 const unsigned char *plist;
1461 size_t plistlen;
1462 /*
1463 * Add TLS extension ECPointFormats to the ServerHello message
1464 */
1465 long lenmax;
1466
1467 tls1_get_formatlist(s, &plist, &plistlen);
1468
1469 if ((lenmax = limit - ret - 5) < 0)
1470 return NULL;
1471 if (plistlen > (size_t)lenmax)
1472 return NULL;
1473 if (plistlen > 255) {
1474 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1475 return NULL;
1476 }
4817504d 1477
0f113f3e
MC		 1478 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1479 s2n(plistlen + 1, ret);
1480 *(ret++) = (unsigned char)plistlen;
1481 memcpy(ret, plist, plistlen);
1482 ret += plistlen;
1483
1484 }
1485 /*
1486 * Currently the server should not respond with a SupportedCurves
1487 * extension
1488 */
a230b26e 1489#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 1490
1491 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1492 if ((long)(limit - ret - 4) < 0)
1493 return NULL;
1494 s2n(TLSEXT_TYPE_session_ticket, ret);
1495 s2n(0, ret);
5c753de6 1496 } else {
a230b26e
EK		 1497 /*
1498 * if we don't add the above TLSEXT, we can't add a session ticket
1499 * later
1500 */
5c753de6 1501 s->tlsext_ticket_expected = 0;
0f113f3e
MC		 1502 }
1503
1504 if (s->tlsext_status_expected) {
1505 if ((long)(limit - ret - 4) < 0)
1506 return NULL;
1507 s2n(TLSEXT_TYPE_status_request, ret);
1508 s2n(0, ret);
1509 }
e481f9b9 1510#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 1511 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1512 int el;
1513
69f68237 1514 /* Returns 0 on success!! */
61986d32 1515 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
69f68237
MC		 1516 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1517 return NULL;
1518 }
0f113f3e
MC		 1519 if ((limit - ret - 4 - el) < 0)
1520 return NULL;
1521
1522 s2n(TLSEXT_TYPE_use_srtp, ret);
1523 s2n(el, ret);
1524
1525 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1526 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1527 return NULL;
1528 }
1529 ret += el;
1530 }
e481f9b9 1531#endif
0f113f3e
MC		 1532
1533 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1534 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1535 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1536 const unsigned char cryptopro_ext[36] = {
1537 0xfd, 0xe8, /* 65000 */
1538 0x00, 0x20, /* 32 bytes length */
1539 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1540 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1541 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1542 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1543 };
1544 if (limit - ret < 36)
1545 return NULL;
1546 memcpy(ret, cryptopro_ext, 36);
1547 ret += 36;
1548
1549 }
e481f9b9 1550#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e 1551 /* Add Heartbeat extension if we've received one */
22e3dcb7 1552 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
0f113f3e
MC		 1553 if ((limit - ret - 4 - 1) < 0)
1554 return NULL;
1555 s2n(TLSEXT_TYPE_heartbeat, ret);
1556 s2n(1, ret);
50e735f9
MC		 1557 /*-
1558 * Set mode:
1559 * 1: peer may send requests
1560 * 2: peer not allowed to send requests
1561 */
22e3dcb7
RS		 1562 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1563 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e 1564 else
22e3dcb7 1565 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 1566
1567 }
e481f9b9 1568#endif
0f113f3e 1569
e481f9b9 1570#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1571 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1572 s->s3->next_proto_neg_seen = 0;
1573 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1574 const unsigned char *npa;
1575 unsigned int npalen;
1576 int r;
1577
1578 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1579 s->
1580 ctx->next_protos_advertised_cb_arg);
1581 if (r == SSL_TLSEXT_ERR_OK) {
1582 if ((long)(limit - ret - 4 - npalen) < 0)
1583 return NULL;
1584 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1585 s2n(npalen, ret);
1586 memcpy(ret, npa, npalen);
1587 ret += npalen;
1588 s->s3->next_proto_neg_seen = 1;
1589 }
1590 }
e481f9b9 1591#endif
0f113f3e
MC		 1592 if (!custom_ext_add(s, 1, &ret, limit, al))
1593 return NULL;
0f113f3e
MC		 1594 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1595 /*
1596 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1597 * for other cases too.
1598 */
1599 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
e44380a9
DB		 1600 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1601 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1602 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
0f113f3e
MC		 1603 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1604 else {
1605 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1606 s2n(0, ret);
1607 }
1608 }
e7f0d921 1609 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
ddc06b35
DSH		 1610 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1611 s2n(0, ret);
1612 }
0f113f3e 1613
817cd0d5 1614 if (s->s3->alpn_selected != NULL) {
0f113f3e 1615 const unsigned char *selected = s->s3->alpn_selected;
817cd0d5 1616 unsigned int len = s->s3->alpn_selected_len;
0f113f3e
MC		 1617
1618 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1619 return NULL;
1620 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1621 s2n(3 + len, ret);
1622 s2n(1 + len, ret);
1623 *ret++ = len;
1624 memcpy(ret, selected, len);
1625 ret += len;
1626 }
1627
1628 done:
1629
1630 if ((extdatalen = ret - orig - 2) == 0)
1631 return orig;
1632
1633 s2n(extdatalen, orig);
1634 return ret;
1635}
a398f821 1636
0f113f3e 1637/*
817cd0d5 1638 * Save the ALPN extension in a ClientHello.
06217867
EK		 1639 * pkt: the contents of the ALPN extension, not including type and length.
1640 * al: a pointer to the alert value to send in the event of a failure.
1641 * returns: 1 on success, 0 on error.
0f113f3e 1642 */
9ceb2426 1643static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
0f113f3e 1644{
06217867 1645 PACKET protocol_list, save_protocol_list, protocol;
0f113f3e 1646
06217867 1647 *al = SSL_AD_DECODE_ERROR;
0f113f3e 1648
06217867
EK		 1649 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1650 || PACKET_remaining(&protocol_list) < 2) {
1651 return 0;
1652 }
0f113f3e 1653
06217867 1654 save_protocol_list = protocol_list;
9ceb2426 1655 do {
06217867
EK		 1656 /* Protocol names can't be empty. */
1657 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1658 || PACKET_remaining(&protocol) == 0) {
1659 return 0;
1660 }
1661 } while (PACKET_remaining(&protocol_list) != 0);
1662
817cd0d5 1663 if (!PACKET_memdup(&save_protocol_list,
a230b26e 1664 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
817cd0d5
TS		 1665 *al = TLS1_AD_INTERNAL_ERROR;
1666 return 0;
1667 }
1668
1669 return 1;
1670}
1671
1672/*
1673 * Process the ALPN extension in a ClientHello.
817cd0d5 1674 * al: a pointer to the alert value to send in the event of a failure.
70c22888 1675 * returns 1 on success, 0 on error.
817cd0d5 1676 */
70c22888 1677static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
817cd0d5
TS		 1678{
1679 const unsigned char *selected = NULL;
1680 unsigned char selected_len = 0;
1681
1682 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1683 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1684 s->s3->alpn_proposed,
1685 s->s3->alpn_proposed_len,
1686 s->ctx->alpn_select_cb_arg);
0f113f3e 1687
817cd0d5
TS		 1688 if (r == SSL_TLSEXT_ERR_OK) {
1689 OPENSSL_free(s->s3->alpn_selected);
1690 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1691 if (s->s3->alpn_selected == NULL) {
1692 *al = SSL_AD_INTERNAL_ERROR;
817cd0d5
TS		 1693 return 0;
1694 }
1695 s->s3->alpn_selected_len = selected_len;
0351baae
TS		 1696#ifndef OPENSSL_NO_NEXTPROTONEG
1697 /* ALPN takes precedence over NPN. */
1698 s->s3->next_proto_neg_seen = 0;
1699#endif
817cd0d5
TS		 1700 } else {
1701 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
06217867 1702 return 0;
0f113f3e 1703 }
0f113f3e 1704 }
0f113f3e 1705
06217867 1706 return 1;
0f113f3e 1707}
6f017a8f 1708
e481f9b9 1709#ifndef OPENSSL_NO_EC
1d97c843
TH		 1710/*-
1711 * ssl_check_for_safari attempts to fingerprint Safari using OS X
06217867 1712 * SecureTransport using the TLS extension block in |pkt|.
dece3209
RS		 1713 * Safari, since 10.6, sends exactly these extensions, in this order:
1714 * SNI,
1715 * elliptic_curves
1716 * ec_point_formats
1717 *
1718 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1719 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1720 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1721 * 10.8..10.8.3 (which don't work).
1722 */
68a16628 1723static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
0f113f3e 1724{
06217867
EK		 1725 unsigned int type;
1726 PACKET sni, tmppkt;
1727 size_t ext_len;
9ceb2426 1728
0f113f3e
MC		 1729 static const unsigned char kSafariExtensionsBlock[] = {
1730 0x00, 0x0a, /* elliptic_curves extension */
1731 0x00, 0x08, /* 8 bytes */
1732 0x00, 0x06, /* 6 bytes of curve ids */
1733 0x00, 0x17, /* P-256 */
1734 0x00, 0x18, /* P-384 */
1735 0x00, 0x19, /* P-521 */
1736
1737 0x00, 0x0b, /* ec_point_formats */
1738 0x00, 0x02, /* 2 bytes */
1739 0x01, /* 1 point format */
1740 0x00, /* uncompressed */
06217867 1741 /* The following is only present in TLS 1.2 */
0f113f3e
MC		 1742 0x00, 0x0d, /* signature_algorithms */
1743 0x00, 0x0c, /* 12 bytes */
1744 0x00, 0x0a, /* 10 bytes */
1745 0x05, 0x01, /* SHA-384/RSA */
1746 0x04, 0x01, /* SHA-256/RSA */
1747 0x02, 0x01, /* SHA-1/RSA */
1748 0x04, 0x03, /* SHA-256/ECDSA */
1749 0x02, 0x03, /* SHA-1/ECDSA */
1750 };
1751
06217867
EK		 1752 /* Length of the common prefix (first two extensions). */
1753 static const size_t kSafariCommonExtensionsLength = 18;
1754
68a16628
MC		 1755 tmppkt = *pkt;
1756
1757 if (!PACKET_forward(&tmppkt, 2)
06217867
EK		 1758 || !PACKET_get_net_2(&tmppkt, &type)
1759 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
0f113f3e 1760 return;
06217867 1761 }
0f113f3e
MC		 1762
1763 if (type != TLSEXT_TYPE_server_name)
1764 return;
1765
06217867
EK		 1766 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1767 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
0f113f3e 1768
06217867
EK		 1769 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1770 ext_len);
dece3209 1771}
a230b26e 1772#endif /* !OPENSSL_NO_EC */
0f113f3e 1773
06217867
EK		 1774/*
1775 * Parse ClientHello extensions and stash extension info in various parts of
1776 * the SSL object. Verify that there are no duplicate extensions.
1777 *
1778 * Behaviour upon resumption is extension-specific. If the extension has no
1779 * effect during resumption, it is parsed (to verify its format) but otherwise
1780 * ignored.
1781 *
1782 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1783 * Upon failure, sets |al| to the appropriate alert.
1784 */
9ceb2426 1785static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 1786{
9ceb2426 1787 unsigned int type;
0f113f3e 1788 int renegotiate_seen = 0;
06217867 1789 PACKET extensions;
0f113f3e 1790
06217867 1791 *al = SSL_AD_DECODE_ERROR;
0f113f3e
MC		 1792 s->servername_done = 0;
1793 s->tlsext_status_type = -1;
e481f9b9 1794#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 1795 s->s3->next_proto_neg_seen = 0;
e481f9b9 1796#endif
0f113f3e 1797
b548a1f1
RS		 1798 OPENSSL_free(s->s3->alpn_selected);
1799 s->s3->alpn_selected = NULL;
0351baae
TS		 1800 s->s3->alpn_selected_len = 0;
1801 OPENSSL_free(s->s3->alpn_proposed);
1802 s->s3->alpn_proposed = NULL;
1803 s->s3->alpn_proposed_len = 0;
e481f9b9 1804#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 1805 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1806 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 1807#endif
0f113f3e 1808
e481f9b9 1809#ifndef OPENSSL_NO_EC
0f113f3e 1810 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
9ceb2426 1811 ssl_check_for_safari(s, pkt);
a230b26e 1812#endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 1813
1814 /* Clear any signature algorithms extension received */
76106e60
DSH		 1815 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1816 s->s3->tmp.peer_sigalgs = NULL;
0f113f3e 1817 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 1818
e481f9b9 1819#ifndef OPENSSL_NO_SRP
b548a1f1
RS		 1820 OPENSSL_free(s->srp_ctx.login);
1821 s->srp_ctx.login = NULL;
e481f9b9 1822#endif
0f113f3e
MC		 1823
1824 s->srtp_profile = NULL;
1825
9ceb2426 1826 if (PACKET_remaining(pkt) == 0)
1ae3fdbe
AL		 1827 goto ri_check;
1828
06217867
EK		 1829 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1830 return 0;
aa474d1f 1831
06217867
EK		 1832 if (!tls1_check_duplicate_extensions(&extensions))
1833 return 0;
0f113f3e 1834
06217867
EK		 1835 /*
1836 * We parse all extensions to ensure the ClientHello is well-formed but,
1837 * unless an extension specifies otherwise, we ignore extensions upon
1838 * resumption.
1839 */
1840 while (PACKET_get_net_2(&extensions, &type)) {
1841 PACKET extension;
1842 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1843 return 0;
9ceb2426 1844
0f113f3e 1845 if (s->tlsext_debug_cb)
06217867
EK		 1846 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1847 PACKET_remaining(&extension),
1848 s->tlsext_debug_arg);
9ceb2426 1849
0f113f3e 1850 if (type == TLSEXT_TYPE_renegotiate) {
06217867 1851 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
0f113f3e
MC		 1852 return 0;
1853 renegotiate_seen = 1;
1854 } else if (s->version == SSL3_VERSION) {
1855 }
1d97c843
TH		 1856/*-
1857 * The servername extension is treated as follows:
1858 *
1859 * - Only the hostname type is supported with a maximum length of 255.
1860 * - The servername is rejected if too long or if it contains zeros,
1861 * in which case an fatal alert is generated.
1862 * - The servername field is maintained together with the session cache.
1863 * - When a session is resumed, the servername call back invoked in order
0f113f3e
MC		 1864 * to allow the application to position itself to the right context.
1865 * - The servername is acknowledged if it is new for a session or when
1866 * it is identical to a previously used for the same session.
1d97c843
TH		 1867 * Applications can control the behaviour. They can at any time
1868 * set a 'desirable' servername for a new SSL object. This can be the
1869 * case for example with HTTPS when a Host: header field is received and
1870 * a renegotiation is requested. In this case, a possible servername
1871 * presented in the new client hello is only acknowledged if it matches
0f113f3e 1872 * the value of the Host: field.
1d97c843 1873 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
0f113f3e
MC		 1874 * if they provide for changing an explicit servername context for the
1875 * session, i.e. when the session has been established with a servername
1876 * extension.
1877 * - On session reconnect, the servername extension may be absent.
1d97c843 1878 *
0f113f3e 1879 */
ed3883d2 1880
0f113f3e 1881 else if (type == TLSEXT_TYPE_server_name) {
9ceb2426 1882 unsigned int servname_type;
06217867
EK		 1883 PACKET sni, hostname;
1884
1885 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1886 /* ServerNameList must be at least 1 byte long. */
1887 || PACKET_remaining(&sni) == 0) {
1888 return 0;
0f113f3e 1889 }
6f017a8f 1890
06217867
EK		 1891 /*
1892 * Although the server_name extension was intended to be
1893 * extensible to new name types, RFC 4366 defined the
8483a003 1894 * syntax inextensibility and OpenSSL 1.0.x parses it as
06217867
EK		 1895 * such.
1896 * RFC 6066 corrected the mistake but adding new name types
1897 * is nevertheless no longer feasible, so act as if no other
1898 * SNI types can exist, to simplify parsing.
1899 *
1900 * Also note that the RFC permits only one SNI value per type,
1901 * i.e., we can only have a single hostname.
1902 */
1903 if (!PACKET_get_1(&sni, &servname_type)
1904 || servname_type != TLSEXT_NAMETYPE_host_name
1905 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1906 return 0;
1907 }
1908
1909 if (!s->hit) {
1910 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1911 *al = TLS1_AD_UNRECOGNIZED_NAME;
1912 return 0;
1913 }
1914
1915 if (PACKET_contains_zero_byte(&hostname)) {
1916 *al = TLS1_AD_UNRECOGNIZED_NAME;
1917 return 0;
1918 }
1919
1920 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1921 *al = TLS1_AD_INTERNAL_ERROR;
1922 return 0;
1923 }
1924
1925 s->servername_done = 1;
1926 } else {
1927 /*
1928 * TODO(openssl-team): if the SNI doesn't match, we MUST
1929 * fall back to a full handshake.
1930 */
1931 s->servername_done = s->session->tlsext_hostname
1932 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1933 strlen(s->session->tlsext_hostname));
1934 }
0f113f3e 1935 }
e481f9b9 1936#ifndef OPENSSL_NO_SRP
0f113f3e 1937 else if (type == TLSEXT_TYPE_srp) {
06217867
EK		 1938 PACKET srp_I;
1939
1940 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
1941 return 0;
1942
1943 if (PACKET_contains_zero_byte(&srp_I))
1944 return 0;
1945
1946 /*
1947 * TODO(openssl-team): currently, we re-authenticate the user
1948 * upon resumption. Instead, we MUST ignore the login.
1949 */
1950 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
1951 *al = TLS1_AD_INTERNAL_ERROR;
1952 return 0;
1953 }
0f113f3e 1954 }
e481f9b9 1955#endif
0f113f3e 1956
e481f9b9 1957#ifndef OPENSSL_NO_EC
0f113f3e 1958 else if (type == TLSEXT_TYPE_ec_point_formats) {
06217867 1959 PACKET ec_point_format_list;
0f113f3e 1960
a230b26e 1961 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
06217867
EK		 1962 || PACKET_remaining(&ec_point_format_list) == 0) {
1963 return 0;
1964 }
9ceb2426 1965
0f113f3e 1966 if (!s->hit) {
06217867
EK		 1967 if (!PACKET_memdup(&ec_point_format_list,
1968 &s->session->tlsext_ecpointformatlist,
a230b26e
EK		 1969 &s->
1970 session->tlsext_ecpointformatlist_length)) {
0f113f3e
MC		 1971 *al = TLS1_AD_INTERNAL_ERROR;
1972 return 0;
1973 }
0f113f3e 1974 }
0f113f3e 1975 } else if (type == TLSEXT_TYPE_elliptic_curves) {
06217867 1976 PACKET elliptic_curve_list;
0f113f3e 1977
06217867 1978 /* Each NamedCurve is 2 bytes and we must have at least 1. */
a230b26e 1979 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
06217867
EK		 1980 || PACKET_remaining(&elliptic_curve_list) == 0
1981 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
1982 return 0;
1983 }
54e3ad00 1984
0f113f3e 1985 if (!s->hit) {
06217867
EK		 1986 if (!PACKET_memdup(&elliptic_curve_list,
1987 &s->session->tlsext_ellipticcurvelist,
a230b26e
EK		 1988 &s->
1989 session->tlsext_ellipticcurvelist_length)) {
0f113f3e
MC		 1990 *al = TLS1_AD_INTERNAL_ERROR;
1991 return 0;
1992 }
0f113f3e 1993 }
0f113f3e 1994 }
a230b26e 1995#endif /* OPENSSL_NO_EC */
0f113f3e 1996 else if (type == TLSEXT_TYPE_session_ticket) {
06217867
EK		 1997 if (s->tls_session_ticket_ext_cb &&
1998 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
1999 PACKET_remaining(&extension),
a230b26e
EK		 2000 s->tls_session_ticket_ext_cb_arg))
2001 {
0f113f3e
MC		 2002 *al = TLS1_AD_INTERNAL_ERROR;
2003 return 0;
2004 }
2005 } else if (type == TLSEXT_TYPE_signature_algorithms) {
06217867
EK		 2006 PACKET supported_sig_algs;
2007
2008 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2009 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2010 || PACKET_remaining(&supported_sig_algs) == 0) {
2011 return 0;
2012 }
2013
a230b26e 2014 if (!s->hit) {
06217867
EK		 2015 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2016 PACKET_remaining(&supported_sig_algs))) {
2017 return 0;
2018 }
9ceb2426 2019 }
0f113f3e 2020 } else if (type == TLSEXT_TYPE_status_request) {
06217867
EK		 2021 if (!PACKET_get_1(&extension,
2022 (unsigned int *)&s->tlsext_status_type)) {
2023 return 0;
2024 }
3e41ac35 2025#ifndef OPENSSL_NO_OCSP
0f113f3e 2026 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
3e41ac35 2027 const unsigned char *ext_data;
06217867 2028 PACKET responder_id_list, exts;
a230b26e
EK		 2029 if (!PACKET_get_length_prefixed_2
2030 (&extension, &responder_id_list))
06217867
EK		 2031 return 0;
2032
2033 while (PACKET_remaining(&responder_id_list) > 0) {
0f113f3e 2034 OCSP_RESPID *id;
06217867
EK		 2035 PACKET responder_id;
2036 const unsigned char *id_data;
9ceb2426 2037
06217867
EK		 2038 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2039 &responder_id)
2040 || PACKET_remaining(&responder_id) == 0) {
2041 return 0;
9ceb2426 2042 }
06217867
EK		 2043
2044 if (s->tlsext_ocsp_ids == NULL
2045 && (s->tlsext_ocsp_ids =
2046 sk_OCSP_RESPID_new_null()) == NULL) {
2047 *al = SSL_AD_INTERNAL_ERROR;
2048 return 0;
0f113f3e 2049 }
06217867
EK		 2050
2051 id_data = PACKET_data(&responder_id);
2052 id = d2i_OCSP_RESPID(NULL, &id_data,
2053 PACKET_remaining(&responder_id));
2054 if (id == NULL)
2055 return 0;
2056
2057 if (id_data != PACKET_end(&responder_id)) {
0f113f3e 2058 OCSP_RESPID_free(id);
0f113f3e
MC		 2059 return 0;
2060 }
06217867 2061
0f113f3e
MC		 2062 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2063 OCSP_RESPID_free(id);
2064 *al = SSL_AD_INTERNAL_ERROR;
2065 return 0;
2066 }
2067 }
4817504d 2068
0f113f3e 2069 /* Read in request_extensions */
06217867
EK		 2070 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2071 return 0;
2072
2073 if (PACKET_remaining(&exts) > 0) {
2074 ext_data = PACKET_data(&exts);
222561fe
RS		 2075 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2076 X509_EXTENSION_free);
0f113f3e 2077 s->tlsext_ocsp_exts =
06217867
EK		 2078 d2i_X509_EXTENSIONS(NULL, &ext_data,
2079 PACKET_remaining(&exts));
2080 if (s->tlsext_ocsp_exts == NULL
2081 || ext_data != PACKET_end(&exts)) {
2082 return 0;
2083 }
0f113f3e 2084 }
3e41ac35
MC		 2085 } else
2086#endif
2087 {
2088 /*
2089 * We don't know what to do with any other type so ignore it.
2090 */
0f113f3e 2091 s->tlsext_status_type = -1;
06217867 2092 }
0f113f3e 2093 }
e481f9b9 2094#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2095 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
9ceb2426
MC		 2096 unsigned int hbtype;
2097
06217867 2098 if (!PACKET_get_1(&extension, &hbtype)
a230b26e 2099 || PACKET_remaining(&extension)) {
9ceb2426
MC		 2100 *al = SSL_AD_DECODE_ERROR;
2101 return 0;
2102 }
2103 switch (hbtype) {
0f113f3e 2104 case 0x01: /* Client allows us to send HB requests */
22e3dcb7 2105 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2106 break;
2107 case 0x02: /* Client doesn't accept HB requests */
22e3dcb7
RS		 2108 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2109 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2110 break;
2111 default:
2112 *al = SSL_AD_ILLEGAL_PARAMETER;
2113 return 0;
2114 }
2115 }
e481f9b9
MC		 2116#endif
2117#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2118 else if (type == TLSEXT_TYPE_next_proto_neg &&
0351baae 2119 s->s3->tmp.finish_md_len == 0) {
50e735f9
MC		 2120 /*-
2121 * We shouldn't accept this extension on a
2122 * renegotiation.
2123 *
2124 * s->new_session will be set on renegotiation, but we
2125 * probably shouldn't rely that it couldn't be set on
8483a003 2126 * the initial renegotiation too in certain cases (when
50e735f9
MC		 2127 * there's some other reason to disallow resuming an
2128 * earlier session -- the current code won't be doing
2129 * anything like that, but this might change).
2130 *
2131 * A valid sign that there's been a previous handshake
2132 * in this connection is if s->s3->tmp.finish_md_len >
2133 * 0. (We are talking about a check that will happen
2134 * in the Hello protocol round, well before a new
2135 * Finished message could have been computed.)
2136 */
0f113f3e
MC		 2137 s->s3->next_proto_neg_seen = 1;
2138 }
e481f9b9 2139#endif
0f113f3e
MC		 2140
2141 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
06217867
EK		 2142 s->s3->tmp.finish_md_len == 0) {
2143 if (!tls1_alpn_handle_client_hello(s, &extension, al))
0f113f3e 2144 return 0;
0f113f3e 2145 }
5e3ff62c 2146
0f113f3e 2147 /* session ticket processed earlier */
e481f9b9 2148#ifndef OPENSSL_NO_SRTP
0f113f3e
MC		 2149 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2150 && type == TLSEXT_TYPE_use_srtp) {
06217867 2151 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
0f113f3e
MC		 2152 return 0;
2153 }
e481f9b9 2154#endif
0f113f3e
MC		 2155 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2156 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
e7f0d921
DSH		 2157 /*
2158 * Note: extended master secret extension handled in
2159 * tls_check_serverhello_tlsext_early()
2160 */
2161
0f113f3e
MC		 2162 /*
2163 * If this ClientHello extension was unhandled and this is a
2164 * nonresumed connection, check whether the extension is a custom
2165 * TLS Extension (has a custom_srv_ext_record), and if so call the
2166 * callback and record the extension number so that an appropriate
2167 * ServerHello may be later returned.
2168 */
2169 else if (!s->hit) {
06217867
EK		 2170 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2171 PACKET_remaining(&extension), al) <= 0)
0f113f3e
MC		 2172 return 0;
2173 }
0f113f3e 2174 }
6f017a8f 2175
06217867 2176 if (PACKET_remaining(pkt) != 0) {
a230b26e
EK		 2177 /*
2178 * tls1_check_duplicate_extensions should ensure this never happens.
2179 */
06217867
EK		 2180 *al = SSL_AD_INTERNAL_ERROR;
2181 return 0;
2182 }
54e3ad00 2183
0f113f3e 2184 ri_check:
ed3883d2 2185
0f113f3e
MC		 2186 /* Need RI if renegotiating */
2187
2188 if (!renegotiate_seen && s->renegotiate &&
2189 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2190 *al = SSL_AD_HANDSHAKE_FAILURE;
2191 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2192 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2193 return 0;
2194 }
2195
06217867
EK		 2196 /*
2197 * This function currently has no state to clean up, so it returns directly.
2198 * If parsing fails at any point, the function returns early.
2199 * The SSL object may be left with partial data from extensions, but it must
2200 * then no longer be used, and clearing it up will free the leftovers.
2201 */
0f113f3e
MC		 2202 return 1;
2203}
2204
9ceb2426 2205int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2206{
2207 int al = -1;
2208 custom_ext_init(&s->cert->srv_ext);
9ceb2426 2209 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2210 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2211 return 0;
2212 }
0f113f3e
MC		 2213 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2214 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2215 return 0;
2216 }
2217 return 1;
2218}
2219
e481f9b9 2220#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2221/*
2222 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2223 * elements of zero length are allowed and the set of elements must exactly
2224 * fill the length of the block.
2225 */
50932c4a 2226static char ssl_next_proto_validate(PACKET *pkt)
0f113f3e 2227{
b04f9479 2228 PACKET tmp_protocol;
0f113f3e 2229
50932c4a 2230 while (PACKET_remaining(pkt)) {
b04f9479 2231 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
a230b26e 2232 || PACKET_remaining(&tmp_protocol) == 0)
0f113f3e 2233 return 0;
0f113f3e
MC		 2234 }
2235
50932c4a 2236 return 1;
0f113f3e 2237}
e481f9b9 2238#endif
0f113f3e 2239
50932c4a 2240static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
0f113f3e 2241{
50932c4a 2242 unsigned int length, type, size;
0f113f3e
MC		 2243 int tlsext_servername = 0;
2244 int renegotiate_seen = 0;
2245
e481f9b9 2246#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2247 s->s3->next_proto_neg_seen = 0;
e481f9b9 2248#endif
0f113f3e
MC		 2249 s->tlsext_ticket_expected = 0;
2250
b548a1f1
RS		 2251 OPENSSL_free(s->s3->alpn_selected);
2252 s->s3->alpn_selected = NULL;
e481f9b9 2253#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7
RS		 2254 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2255 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
e481f9b9 2256#endif
0f113f3e 2257
0f113f3e 2258 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
0f113f3e 2259
e7f0d921
DSH		 2260 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2261
50932c4a 2262 if (!PACKET_get_net_2(pkt, &length))
0f113f3e
MC		 2263 goto ri_check;
2264
50932c4a 2265 if (PACKET_remaining(pkt) != length) {
0f113f3e
MC		 2266 *al = SSL_AD_DECODE_ERROR;
2267 return 0;
2268 }
2269
aa474d1f
EK		 2270 if (!tls1_check_duplicate_extensions(pkt)) {
2271 *al = SSL_AD_DECODE_ERROR;
2272 return 0;
2273 }
2274
50932c4a 2275 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
b6981744 2276 const unsigned char *data;
50932c4a 2277 PACKET spkt;
0f113f3e 2278
50932c4a 2279 if (!PACKET_get_sub_packet(pkt, &spkt, size)
a230b26e 2280 || !PACKET_peek_bytes(&spkt, &data, size))
0f113f3e
MC		 2281 goto ri_check;
2282
2283 if (s->tlsext_debug_cb)
2284 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2285
2286 if (type == TLSEXT_TYPE_renegotiate) {
50932c4a 2287 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
0f113f3e
MC		 2288 return 0;
2289 renegotiate_seen = 1;
2290 } else if (s->version == SSL3_VERSION) {
2291 } else if (type == TLSEXT_TYPE_server_name) {
2292 if (s->tlsext_hostname == NULL || size > 0) {
2293 *al = TLS1_AD_UNRECOGNIZED_NAME;
2294 return 0;
2295 }
2296 tlsext_servername = 1;
2297 }
e481f9b9 2298#ifndef OPENSSL_NO_EC
0f113f3e 2299 else if (type == TLSEXT_TYPE_ec_point_formats) {
50932c4a
MC		 2300 unsigned int ecpointformatlist_length;
2301 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
a230b26e 2302 || ecpointformatlist_length != size - 1) {
0f113f3e
MC		 2303 *al = TLS1_AD_DECODE_ERROR;
2304 return 0;
2305 }
2306 if (!s->hit) {
2307 s->session->tlsext_ecpointformatlist_length = 0;
b548a1f1 2308 OPENSSL_free(s->session->tlsext_ecpointformatlist);
0f113f3e
MC		 2309 if ((s->session->tlsext_ecpointformatlist =
2310 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2311 *al = TLS1_AD_INTERNAL_ERROR;
2312 return 0;
2313 }
2314 s->session->tlsext_ecpointformatlist_length =
2315 ecpointformatlist_length;
50932c4a
MC		 2316 if (!PACKET_copy_bytes(&spkt,
2317 s->session->tlsext_ecpointformatlist,
2318 ecpointformatlist_length)) {
2319 *al = TLS1_AD_DECODE_ERROR;
2320 return 0;
2321 }
2322
0f113f3e 2323 }
0f113f3e 2324 }
a230b26e 2325#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2326
2327 else if (type == TLSEXT_TYPE_session_ticket) {
2328 if (s->tls_session_ticket_ext_cb &&
2329 !s->tls_session_ticket_ext_cb(s, data, size,
2330 s->tls_session_ticket_ext_cb_arg))
2331 {
2332 *al = TLS1_AD_INTERNAL_ERROR;
2333 return 0;
2334 }
2335 if (!tls_use_ticket(s) || (size > 0)) {
2336 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2337 return 0;
2338 }
2339 s->tlsext_ticket_expected = 1;
a230b26e 2340 } else if (type == TLSEXT_TYPE_status_request) {
0f113f3e
MC		 2341 /*
2342 * MUST be empty and only sent if we've requested a status
2343 * request message.
2344 */
2345 if ((s->tlsext_status_type == -1) || (size > 0)) {
2346 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2347 return 0;
2348 }
2349 /* Set flag to expect CertificateStatus message */
2350 s->tlsext_status_expected = 1;
2351 }
ed29e82a
RP		 2352#ifndef OPENSSL_NO_CT
2353 /*
2354 * Only take it if we asked for it - i.e if there is no CT validation
2355 * callback set, then a custom extension MAY be processing it, so we
2356 * need to let control continue to flow to that.
2357 */
2358 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2359 s->ct_validation_callback != NULL) {
2360 /* Simply copy it off for later processing */
2361 if (s->tlsext_scts != NULL) {
2362 OPENSSL_free(s->tlsext_scts);
2363 s->tlsext_scts = NULL;
2364 }
2365 s->tlsext_scts_len = size;
2366 if (size > 0) {
2367 s->tlsext_scts = OPENSSL_malloc(size);
2368 if (s->tlsext_scts == NULL) {
2369 *al = TLS1_AD_INTERNAL_ERROR;
2370 return 0;
2371 }
2372 memcpy(s->tlsext_scts, data, size);
2373 }
2374 }
2375#endif
e481f9b9 2376#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2377 else if (type == TLSEXT_TYPE_next_proto_neg &&
2378 s->s3->tmp.finish_md_len == 0) {
2379 unsigned char *selected;
2380 unsigned char selected_len;
0f113f3e
MC		 2381 /* We must have requested it. */
2382 if (s->ctx->next_proto_select_cb == NULL) {
2383 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2384 return 0;
2385 }
2386 /* The data must be valid */
50932c4a 2387 if (!ssl_next_proto_validate(&spkt)) {
0f113f3e
MC		 2388 *al = TLS1_AD_DECODE_ERROR;
2389 return 0;
2390 }
a230b26e
EK		 2391 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2392 size,
2393 s->
2394 ctx->next_proto_select_cb_arg) !=
0f113f3e
MC		 2395 SSL_TLSEXT_ERR_OK) {
2396 *al = TLS1_AD_INTERNAL_ERROR;
2397 return 0;
2398 }
2399 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
a71edf3b 2400 if (s->next_proto_negotiated == NULL) {
0f113f3e
MC		 2401 *al = TLS1_AD_INTERNAL_ERROR;
2402 return 0;
2403 }
2404 memcpy(s->next_proto_negotiated, selected, selected_len);
2405 s->next_proto_negotiated_len = selected_len;
2406 s->s3->next_proto_neg_seen = 1;
2407 }
e481f9b9 2408#endif
0f113f3e
MC		 2409
2410 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2411 unsigned len;
0f113f3e 2412 /* We must have requested it. */
817cd0d5 2413 if (!s->s3->alpn_sent) {
0f113f3e
MC		 2414 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2415 return 0;
2416 }
50e735f9
MC		 2417 /*-
2418 * The extension data consists of:
2419 * uint16 list_length
2420 * uint8 proto_length;
2421 * uint8 proto[proto_length];
2422 */
50932c4a 2423 if (!PACKET_get_net_2(&spkt, &len)
a230b26e
EK		 2424 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2425 || PACKET_remaining(&spkt) != len) {
0f113f3e
MC		 2426 *al = TLS1_AD_DECODE_ERROR;
2427 return 0;
2428 }
b548a1f1 2429 OPENSSL_free(s->s3->alpn_selected);
0f113f3e 2430 s->s3->alpn_selected = OPENSSL_malloc(len);
a71edf3b 2431 if (s->s3->alpn_selected == NULL) {
0f113f3e
MC		 2432 *al = TLS1_AD_INTERNAL_ERROR;
2433 return 0;
2434 }
50932c4a
MC		 2435 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2436 *al = TLS1_AD_DECODE_ERROR;
2437 return 0;
2438 }
0f113f3e
MC		 2439 s->s3->alpn_selected_len = len;
2440 }
e481f9b9 2441#ifndef OPENSSL_NO_HEARTBEATS
22e3dcb7 2442 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
50932c4a
MC		 2443 unsigned int hbtype;
2444 if (!PACKET_get_1(&spkt, &hbtype)) {
2445 *al = SSL_AD_DECODE_ERROR;
2446 return 0;
2447 }
2448 switch (hbtype) {
0f113f3e 2449 case 0x01: /* Server allows us to send HB requests */
22e3dcb7 2450 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
0f113f3e
MC		 2451 break;
2452 case 0x02: /* Server doesn't accept HB requests */
22e3dcb7
RS		 2453 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2454 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
0f113f3e
MC		 2455 break;
2456 default:
2457 *al = SSL_AD_ILLEGAL_PARAMETER;
2458 return 0;
2459 }
2460 }
e481f9b9
MC		 2461#endif
2462#ifndef OPENSSL_NO_SRTP
0f113f3e 2463 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
50932c4a 2464 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
0f113f3e
MC		 2465 return 0;
2466 }
e481f9b9 2467#endif
0f113f3e
MC		 2468 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2469 /* Ignore if inappropriate ciphersuite */
2470 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2471 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2472 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
a230b26e 2473 } else if (type == TLSEXT_TYPE_extended_master_secret) {
e7f0d921 2474 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
ddc06b35
DSH		 2475 if (!s->hit)
2476 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2477 }
0f113f3e
MC		 2478 /*
2479 * If this extension type was not otherwise handled, but matches a
2480 * custom_cli_ext_record, then send it to the c callback
2481 */
2482 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2483 return 0;
0f113f3e
MC		 2484 }
2485
50932c4a 2486 if (PACKET_remaining(pkt) != 0) {
0f113f3e
MC		 2487 *al = SSL_AD_DECODE_ERROR;
2488 return 0;
2489 }
2490
2491 if (!s->hit && tlsext_servername == 1) {
2492 if (s->tlsext_hostname) {
2493 if (s->session->tlsext_hostname == NULL) {
a230b26e
EK		 2494 s->session->tlsext_hostname =
2495 OPENSSL_strdup(s->tlsext_hostname);
0f113f3e
MC		 2496 if (!s->session->tlsext_hostname) {
2497 *al = SSL_AD_UNRECOGNIZED_NAME;
2498 return 0;
2499 }
2500 } else {
2501 *al = SSL_AD_DECODE_ERROR;
2502 return 0;
2503 }
2504 }
2505 }
2506
0f113f3e
MC		 2507 ri_check:
2508
2509 /*
2510 * Determine if we need to see RI. Strictly speaking if we want to avoid
2511 * an attack we should *always* see RI even on initial server hello
2512 * because the client doesn't see any renegotiation during an attack.
2513 * However this would mean we could not connect to any server which
e7653f3b 2514 * doesn't support RI so for the immediate future tolerate RI absence
0f113f3e
MC		 2515 */
2516 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2517 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2518 *al = SSL_AD_HANDSHAKE_FAILURE;
2519 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2520 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2521 return 0;
2522 }
2523
e7f0d921
DSH		 2524 if (s->hit) {
2525 /*
2526 * Check extended master secret extension is consistent with
2527 * original session.
2528 */
2529 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2530 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2531 *al = SSL_AD_HANDSHAKE_FAILURE;
2532 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2533 return 0;
a230b26e 2534 }
e7f0d921
DSH		 2535 }
2536
0f113f3e
MC		 2537 return 1;
2538}
b2172f4f 2539
36ca4ba6 2540int ssl_prepare_clienthello_tlsext(SSL *s)
0f113f3e 2541{
817cd0d5 2542 s->s3->alpn_sent = 0;
0f113f3e
MC		 2543 return 1;
2544}
36ca4ba6
BM		 2545
2546int ssl_prepare_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2547{
2548 return 1;
2549}
36ca4ba6 2550
2daceb03 2551static int ssl_check_clienthello_tlsext_early(SSL *s)
0f113f3e
MC		 2552{
2553 int ret = SSL_TLSEXT_ERR_NOACK;
2554 int al = SSL_AD_UNRECOGNIZED_NAME;
2555
e481f9b9 2556#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2557 /*
2558 * The handling of the ECPointFormats extension is done elsewhere, namely
2559 * in ssl3_choose_cipher in s3_lib.c.
2560 */
2561 /*
2562 * The handling of the EllipticCurves extension is done elsewhere, namely
2563 * in ssl3_choose_cipher in s3_lib.c.
2564 */
e481f9b9 2565#endif
0f113f3e
MC		 2566
2567 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2568 ret =
2569 s->ctx->tlsext_servername_callback(s, &al,
2570 s->ctx->tlsext_servername_arg);
2571 else if (s->initial_ctx != NULL
2572 && s->initial_ctx->tlsext_servername_callback != 0)
2573 ret =
2574 s->initial_ctx->tlsext_servername_callback(s, &al,
2575 s->
2576 initial_ctx->tlsext_servername_arg);
2577
0f113f3e
MC		 2578 switch (ret) {
2579 case SSL_TLSEXT_ERR_ALERT_FATAL:
2580 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2581 return -1;
2582
2583 case SSL_TLSEXT_ERR_ALERT_WARNING:
2584 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2585 return 1;
2586
2587 case SSL_TLSEXT_ERR_NOACK:
2588 s->servername_done = 0;
2589 default:
2590 return 1;
2591 }
2592}
a230b26e 2593
d376e57d 2594/* Initialise digests to default values */
a0f63828 2595void ssl_set_default_md(SSL *s)
d376e57d
DSH		 2596{
2597 const EVP_MD **pmd = s->s3->tmp.md;
2598#ifndef OPENSSL_NO_DSA
152fbc28 2599 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d
DSH		 2600#endif
2601#ifndef OPENSSL_NO_RSA
d18d31a1 2602 if (SSL_USE_SIGALGS(s))
152fbc28 2603 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
d18d31a1 2604 else
152fbc28 2605 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
d18d31a1 2606 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
d376e57d
DSH		 2607#endif
2608#ifndef OPENSSL_NO_EC
152fbc28 2609 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
d376e57d 2610#endif
e44380a9 2611#ifndef OPENSSL_NO_GOST
152fbc28
DSH		 2612 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2613 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2614 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
e44380a9 2615#endif
d376e57d 2616}
f1fd4544 2617
e469af8d 2618int tls1_set_server_sigalgs(SSL *s)
0f113f3e
MC		 2619{
2620 int al;
2621 size_t i;
8483a003
F		 2622
2623 /* Clear any shared signature algorithms */
b548a1f1
RS		 2624 OPENSSL_free(s->cert->shared_sigalgs);
2625 s->cert->shared_sigalgs = NULL;
2626 s->cert->shared_sigalgslen = 0;
0f113f3e
MC		 2627 /* Clear certificate digests and validity flags */
2628 for (i = 0; i < SSL_PKEY_NUM; i++) {
d376e57d 2629 s->s3->tmp.md[i] = NULL;
6383d316 2630 s->s3->tmp.valid_flags[i] = 0;
0f113f3e
MC		 2631 }
2632
2633 /* If sigalgs received process it. */
76106e60 2634 if (s->s3->tmp.peer_sigalgs) {
0f113f3e
MC		 2635 if (!tls1_process_sigalgs(s)) {
2636 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2637 al = SSL_AD_INTERNAL_ERROR;
2638 goto err;
2639 }
2640 /* Fatal error is no shared signature algorithms */
2641 if (!s->cert->shared_sigalgs) {
2642 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
f430ba31 2643 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
0f113f3e
MC		 2644 al = SSL_AD_ILLEGAL_PARAMETER;
2645 goto err;
2646 }
d376e57d
DSH		 2647 } else {
2648 ssl_set_default_md(s);
2649 }
0f113f3e
MC		 2650 return 1;
2651 err:
2652 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2653 return 0;
2654}
e469af8d 2655
70c22888
EK		 2656/*
2657 * Upon success, returns 1.
2658 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2659 */
2660int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
0f113f3e 2661{
70c22888 2662 s->tlsext_status_expected = 0;
0f113f3e
MC		 2663
2664 /*
2665 * If status request then ask callback what to do. Note: this must be
2666 * called after servername callbacks in case the certificate has changed,
2667 * and must be called after the cipher has been chosen because this may
2668 * influence which certificate is sent
2669 */
2670 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
70c22888 2671 int ret;
0f113f3e
MC		 2672 CERT_PKEY *certpkey;
2673 certpkey = ssl_get_server_send_pkey(s);
2674 /* If no certificate can't return certificate status */
70c22888
EK		 2675 if (certpkey != NULL) {
2676 /*
2677 * Set current certificate to one we will use so SSL_get_certificate
2678 * et al can pick it up.
2679 */
2680 s->cert->key = certpkey;
2681 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2682 switch (ret) {
2683 /* We don't want to send a status request response */
2684 case SSL_TLSEXT_ERR_NOACK:
0f113f3e 2685 s->tlsext_status_expected = 0;
70c22888
EK		 2686 break;
2687 /* status request response should be sent */
2688 case SSL_TLSEXT_ERR_OK:
2689 if (s->tlsext_ocsp_resp)
2690 s->tlsext_status_expected = 1;
2691 break;
2692 /* something bad happened */
2693 case SSL_TLSEXT_ERR_ALERT_FATAL:
2694 default:
2695 *al = SSL_AD_INTERNAL_ERROR;
2696 return 0;
2697 }
0f113f3e 2698 }
817cd0d5
TS		 2699 }
2700
70c22888
EK		 2701 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2702 return 0;
0f113f3e 2703 }
70c22888
EK		 2704
2705 return 1;
0f113f3e 2706}
2daceb03 2707
36ca4ba6 2708int ssl_check_serverhello_tlsext(SSL *s)
0f113f3e
MC		 2709{
2710 int ret = SSL_TLSEXT_ERR_NOACK;
2711 int al = SSL_AD_UNRECOGNIZED_NAME;
2712
e481f9b9 2713#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2714 /*
2715 * If we are client and using an elliptic curve cryptography cipher
2716 * suite, then if server returns an EC point formats lists extension it
2717 * must contain uncompressed.
2718 */
2719 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2720 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2721 if ((s->tlsext_ecpointformatlist != NULL)
2722 && (s->tlsext_ecpointformatlist_length > 0)
2723 && (s->session->tlsext_ecpointformatlist != NULL)
2724 && (s->session->tlsext_ecpointformatlist_length > 0)
ce0c1f2b 2725 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
0f113f3e
MC		 2726 /* we are using an ECC cipher */
2727 size_t i;
2728 unsigned char *list;
2729 int found_uncompressed = 0;
2730 list = s->session->tlsext_ecpointformatlist;
2731 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2732 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2733 found_uncompressed = 1;
2734 break;
2735 }
2736 }
2737 if (!found_uncompressed) {
2738 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2739 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2740 return -1;
2741 }
2742 }
2743 ret = SSL_TLSEXT_ERR_OK;
a230b26e 2744#endif /* OPENSSL_NO_EC */
0f113f3e
MC		 2745
2746 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2747 ret =
2748 s->ctx->tlsext_servername_callback(s, &al,
2749 s->ctx->tlsext_servername_arg);
2750 else if (s->initial_ctx != NULL
2751 && s->initial_ctx->tlsext_servername_callback != 0)
2752 ret =
2753 s->initial_ctx->tlsext_servername_callback(s, &al,
2754 s->
2755 initial_ctx->tlsext_servername_arg);
2756
b1931d43
MC		 2757 /*
2758 * Ensure we get sensible values passed to tlsext_status_cb in the event
2759 * that we don't receive a status message
2760 */
bb1aaab4
MC		 2761 OPENSSL_free(s->tlsext_ocsp_resp);
2762 s->tlsext_ocsp_resp = NULL;
2763 s->tlsext_ocsp_resplen = -1;
0f113f3e
MC		 2764
2765 switch (ret) {
2766 case SSL_TLSEXT_ERR_ALERT_FATAL:
2767 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2768 return -1;
2769
2770 case SSL_TLSEXT_ERR_ALERT_WARNING:
2771 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2772 return 1;
2773
2774 case SSL_TLSEXT_ERR_NOACK:
2775 s->servername_done = 0;
2776 default:
2777 return 1;
2778 }
2779}
761772d7 2780
50932c4a 2781int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
0f113f3e
MC		 2782{
2783 int al = -1;
2784 if (s->version < SSL3_VERSION)
2785 return 1;
50932c4a 2786 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
0f113f3e
MC		 2787 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2788 return 0;
2789 }
2790
2791 if (ssl_check_serverhello_tlsext(s) <= 0) {
2792 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2793 return 0;
2794 }
2795 return 1;
09e4e4b9
DSH		 2796}
2797
1d97c843
TH		 2798/*-
2799 * Since the server cache lookup is done early on in the processing of the
e7f0d921
DSH		 2800 * ClientHello and other operations depend on the result some extensions
2801 * need to be handled at the same time.
2802 *
2803 * Two extensions are currently handled, session ticket and extended master
2804 * secret.
c519e89f 2805 *
b3e2272c
EK		 2806 * session_id: ClientHello session ID.
2807 * ext: ClientHello extensions (including length prefix)
c519e89f
BM		 2808 * ret: (output) on return, if a ticket was decrypted, then this is set to
2809 * point to the resulting session.
2810 *
2811 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2812 * ciphersuite, in which case we have no use for session tickets and one will
2813 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2814 *
2815 * Returns:
2816 * -1: fatal error, either from parsing or decrypting the ticket.
2817 * 0: no ticket was found (or was ignored, based on settings).
2818 * 1: a zero length extension was found, indicating that the client supports
2819 * session tickets but doesn't currently have one to offer.
2820 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2821 * couldn't be decrypted because of a non-fatal error.
2822 * 3: a ticket was successfully decrypted and *ret was set.
2823 *
2824 * Side effects:
2825 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2826 * a new session ticket to the client because the client indicated support
2827 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2828 * a session ticket or we couldn't use the one it gave us, or if
2829 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2830 * Otherwise, s->tlsext_ticket_expected is set to 0.
e7f0d921
DSH		 2831 *
2832 * For extended master secret flag is set if the extension is present.
2833 *
6434abbf 2834 */
e7f0d921
DSH		 2835int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2836 const PACKET *session_id,
2837 SSL_SESSION **ret)
0f113f3e 2838{
9ceb2426 2839 unsigned int i;
b3e2272c 2840 PACKET local_ext = *ext;
9ceb2426 2841 int retv = -1;
0f113f3e 2842
e7f0d921
DSH		 2843 int have_ticket = 0;
2844 int use_ticket = tls_use_ticket(s);
2845
0f113f3e
MC		 2846 *ret = NULL;
2847 s->tlsext_ticket_expected = 0;
e7f0d921 2848 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
0f113f3e
MC		 2849
2850 /*
2851 * If tickets disabled behave as if no ticket present to permit stateful
2852 * resumption.
2853 */
9ceb2426 2854 if ((s->version <= SSL3_VERSION))
0f113f3e 2855 return 0;
9ceb2426 2856
b3e2272c 2857 if (!PACKET_get_net_2(&local_ext, &i)) {
9ceb2426
MC		 2858 retv = 0;
2859 goto end;
2860 }
b3e2272c 2861 while (PACKET_remaining(&local_ext) >= 4) {
9ceb2426
MC		 2862 unsigned int type, size;
2863
b3e2272c 2864 if (!PACKET_get_net_2(&local_ext, &type)
a230b26e 2865 || !PACKET_get_net_2(&local_ext, &size)) {
9ceb2426
MC		 2866 /* Shouldn't ever happen */
2867 retv = -1;
2868 goto end;
2869 }
b3e2272c 2870 if (PACKET_remaining(&local_ext) < size) {
9ceb2426
MC		 2871 retv = 0;
2872 goto end;
2873 }
e7f0d921 2874 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
0f113f3e 2875 int r;
b6981744 2876 const unsigned char *etick;
9ceb2426 2877
e7f0d921
DSH		 2878 /* Duplicate extension */
2879 if (have_ticket != 0) {
2880 retv = -1;
2881 goto end;
2882 }
2883 have_ticket = 1;
2884
0f113f3e
MC		 2885 if (size == 0) {
2886 /*
2887 * The client will accept a ticket but doesn't currently have
2888 * one.
2889 */
2890 s->tlsext_ticket_expected = 1;
9ceb2426 2891 retv = 1;
e7f0d921 2892 continue;
0f113f3e
MC		 2893 }
2894 if (s->tls_session_secret_cb) {
2895 /*
2896 * Indicate that the ticket couldn't be decrypted rather than
2897 * generating the session from ticket now, trigger
2898 * abbreviated handshake based on external mechanism to
2899 * calculate the master secret later.
2900 */
9ceb2426 2901 retv = 2;
e7f0d921 2902 continue;
9ceb2426 2903 }
b3e2272c 2904 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
9ceb2426
MC		 2905 /* Shouldn't ever happen */
2906 retv = -1;
2907 goto end;
0f113f3e 2908 }
b3e2272c
EK		 2909 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2910 PACKET_remaining(session_id), ret);
0f113f3e
MC		 2911 switch (r) {
2912 case 2: /* ticket couldn't be decrypted */
2913 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2914 retv = 2;
2915 break;
0f113f3e 2916 case 3: /* ticket was decrypted */
9ceb2426
MC		 2917 retv = r;
2918 break;
0f113f3e
MC		 2919 case 4: /* ticket decrypted but need to renew */
2920 s->tlsext_ticket_expected = 1;
9ceb2426
MC		 2921 retv = 3;
2922 break;
0f113f3e 2923 default: /* fatal error */
9ceb2426
MC		 2924 retv = -1;
2925 break;
0f113f3e 2926 }
e7f0d921 2927 continue;
c83eda8c 2928 } else {
e7f0d921
DSH		 2929 if (type == TLSEXT_TYPE_extended_master_secret)
2930 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
b3e2272c 2931 if (!PACKET_forward(&local_ext, size)) {
c83eda8c
MC		 2932 retv = -1;
2933 goto end;
2934 }
0f113f3e 2935 }
0f113f3e 2936 }
e7f0d921
DSH		 2937 if (have_ticket == 0)
2938 retv = 0;
a230b26e 2939 end:
9ceb2426 2940 return retv;
0f113f3e 2941}
6434abbf 2942
1d97c843
TH		 2943/*-
2944 * tls_decrypt_ticket attempts to decrypt a session ticket.
c519e89f
BM		 2945 *
2946 * etick: points to the body of the session ticket extension.
8483a003 2947 * eticklen: the length of the session tickets extension.
c519e89f
BM		 2948 * sess_id: points at the session ID.
2949 * sesslen: the length of the session ID.
2950 * psess: (output) on return, if a ticket was decrypted, then this is set to
2951 * point to the resulting session.
2952 *
2953 * Returns:
bf7c6817 2954 * -2: fatal error, malloc failure.
c519e89f
BM		 2955 * -1: fatal error, either from parsing or decrypting the ticket.
2956 * 2: the ticket couldn't be decrypted.
2957 * 3: a ticket was successfully decrypted and *psess was set.
2958 * 4: same as 3, but the ticket needs to be renewed.
2959 */
0f113f3e
MC		 2960static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2961 int eticklen, const unsigned char *sess_id,
2962 int sesslen, SSL_SESSION **psess)
2963{
2964 SSL_SESSION *sess;
2965 unsigned char *sdec;
2966 const unsigned char *p;
35b1a433 2967 int slen, mlen, renew_ticket = 0, ret = -1;
0f113f3e 2968 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
bf7c6817 2969 HMAC_CTX *hctx = NULL;
846ec07d 2970 EVP_CIPHER_CTX *ctx;
0f113f3e
MC		 2971 SSL_CTX *tctx = s->initial_ctx;
2972 /* Need at least keyname + iv + some encrypted data */
2973 if (eticklen < 48)
2974 return 2;
2975 /* Initialize session ticket encryption and HMAC contexts */
bf7c6817
RL		 2976 hctx = HMAC_CTX_new();
2977 if (hctx == NULL)
2978 return -2;
846ec07d 2979 ctx = EVP_CIPHER_CTX_new();
35b1a433
MC		 2980 if (ctx == NULL) {
2981 ret = -2;
2982 goto err;
2983 }
0f113f3e
MC		 2984 if (tctx->tlsext_ticket_key_cb) {
2985 unsigned char *nctick = (unsigned char *)etick;
2986 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
846ec07d 2987 ctx, hctx, 0);
0f113f3e 2988 if (rv < 0)
35b1a433
MC		 2989 goto err;
2990 if (rv == 0) {
2991 ret = 2;
2992 goto err;
2993 }
0f113f3e
MC		 2994 if (rv == 2)
2995 renew_ticket = 1;
2996 } else {
2997 /* Check key name matches */
4e2e1ec9
TS		 2998 if (memcmp(etick, tctx->tlsext_tick_key_name,
2999 sizeof(tctx->tlsext_tick_key_name)) != 0) {
35b1a433
MC		 3000 ret = 2;
3001 goto err;
3002 }
4e2e1ec9
TS		 3003 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3004 sizeof(tctx->tlsext_tick_hmac_key),
5f3d93e4 3005 EVP_sha256(), NULL) <= 0
a230b26e
EK		 3006 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3007 tctx->tlsext_tick_aes_key,
3008 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3009 0) {
5f3d93e4 3010 goto err;
a230b26e 3011 }
0f113f3e
MC		 3012 }
3013 /*
3014 * Attempt to process session ticket, first conduct sanity and integrity
3015 * checks on ticket.
3016 */
bf7c6817 3017 mlen = HMAC_size(hctx);
0f113f3e 3018 if (mlen < 0) {
5f3d93e4 3019 goto err;
0f113f3e
MC		 3020 }
3021 eticklen -= mlen;
3022 /* Check HMAC of encrypted ticket */
bf7c6817 3023 if (HMAC_Update(hctx, etick, eticklen) <= 0
a230b26e 3024 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
5f3d93e4
MC		 3025 goto err;
3026 }
bf7c6817 3027 HMAC_CTX_free(hctx);
0f113f3e 3028 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
846ec07d 3029 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3030 return 2;
3031 }
3032 /* Attempt to decrypt session data */
3033 /* Move p after IV to start of encrypted ticket, update length */
846ec07d
RL		 3034 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3035 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
0f113f3e 3036 sdec = OPENSSL_malloc(eticklen);
a230b26e 3037 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
846ec07d 3038 EVP_CIPHER_CTX_free(ctx);
d1247df2 3039 OPENSSL_free(sdec);
0f113f3e
MC		 3040 return -1;
3041 }
846ec07d
RL		 3042 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3043 EVP_CIPHER_CTX_free(ctx);
0f113f3e
MC		 3044 OPENSSL_free(sdec);
3045 return 2;
3046 }
3047 slen += mlen;
846ec07d
RL		 3048 EVP_CIPHER_CTX_free(ctx);
3049 ctx = NULL;
0f113f3e
MC		 3050 p = sdec;
3051
3052 sess = d2i_SSL_SESSION(NULL, &p, slen);
3053 OPENSSL_free(sdec);
3054 if (sess) {
3055 /*
3056 * The session ID, if non-empty, is used by some clients to detect
3057 * that the ticket has been accepted. So we copy it to the session
3058 * structure. If it is empty set length to zero as required by
3059 * standard.
3060 */
3061 if (sesslen)
3062 memcpy(sess->session_id, sess_id, sesslen);
3063 sess->session_id_length = sesslen;
3064 *psess = sess;
3065 if (renew_ticket)
3066 return 4;
3067 else
3068 return 3;
3069 }
3070 ERR_clear_error();
3071 /*
3072 * For session parse failure, indicate that we need to send a new ticket.
3073 */
3074 return 2;
a230b26e 3075 err:
846ec07d 3076 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3077 HMAC_CTX_free(hctx);
35b1a433 3078 return ret;
0f113f3e 3079}
6434abbf 3080
6b7be581
DSH		 3081/* Tables to translate from NIDs to TLS v1.2 ids */
3082
0f113f3e
MC		 3083typedef struct {
3084 int nid;
3085 int id;
3086} tls12_lookup;
6b7be581 3087
d97ed219 3088static const tls12_lookup tls12_md[] = {
0f113f3e
MC		 3089 {NID_md5, TLSEXT_hash_md5},
3090 {NID_sha1, TLSEXT_hash_sha1},
3091 {NID_sha224, TLSEXT_hash_sha224},
3092 {NID_sha256, TLSEXT_hash_sha256},
3093 {NID_sha384, TLSEXT_hash_sha384},
e44380a9
DB		 3094 {NID_sha512, TLSEXT_hash_sha512},
3095 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3096 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3097 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
6b7be581
DSH		 3098};
3099
d97ed219 3100static const tls12_lookup tls12_sig[] = {
0f113f3e
MC		 3101 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3102 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
e44380a9
DB		 3103 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3104 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3105 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3106 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
6b7be581
DSH		 3107};
3108
d97ed219 3109static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3110{
3111 size_t i;
3112 for (i = 0; i < tlen; i++) {
3113 if (table[i].nid == nid)
3114 return table[i].id;
3115 }
3116 return -1;
3117}
e7f8ff43 3118
d97ed219 3119static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
0f113f3e
MC		 3120{
3121 size_t i;
3122 for (i = 0; i < tlen; i++) {
3123 if ((table[i].id) == id)
3124 return table[i].nid;
3125 }
3126 return NID_undef;
3127}
3128
a230b26e 3129int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
0f113f3e
MC		 3130{
3131 int sig_id, md_id;
3132 if (!md)
3133 return 0;
b6eb9827 3134 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3135 if (md_id == -1)
3136 return 0;
3137 sig_id = tls12_get_sigid(pk);
3138 if (sig_id == -1)
3139 return 0;
3140 p[0] = (unsigned char)md_id;
3141 p[1] = (unsigned char)sig_id;
3142 return 1;
3143}
6b7be581 3144
a2f9200f 3145int tls12_get_sigid(const EVP_PKEY *pk)
0f113f3e 3146{
3aeb9348 3147 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3148}
3149
3150typedef struct {
3151 int nid;
3152 int secbits;
7afd2312 3153 int md_idx;
e44380a9 3154 unsigned char tlsext_hash;
0f113f3e 3155} tls12_hash_info;
b362ccab
DSH		 3156
3157static const tls12_hash_info tls12_md_info[] = {
7afd2312
DSH		 3158 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3159 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3160 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3161 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3162 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3163 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
a230b26e
EK		 3164 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3165 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3166 TLSEXT_hash_gostr34112012_256},
3167 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3168 TLSEXT_hash_gostr34112012_512},
b362ccab 3169};
a2f9200f 3170
b362ccab 3171static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
0f113f3e 3172{
e44380a9 3173 unsigned int i;
0f113f3e
MC		 3174 if (hash_alg == 0)
3175 return NULL;
e44380a9 3176
a230b26e 3177 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
e44380a9
DB		 3178 if (tls12_md_info[i].tlsext_hash == hash_alg)
3179 return tls12_md_info + i;
3180 }
3181
3182 return NULL;
0f113f3e 3183}
a2f9200f 3184
b362ccab 3185const EVP_MD *tls12_get_hash(unsigned char hash_alg)
0f113f3e
MC		 3186{
3187 const tls12_hash_info *inf;
3188 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3189 return NULL;
3190 inf = tls12_get_hash_info(hash_alg);
7afd2312 3191 if (!inf)
0f113f3e 3192 return NULL;
7afd2312 3193 return ssl_md(inf->md_idx);
0f113f3e 3194}
a2f9200f 3195
4453cd8c 3196static int tls12_get_pkey_idx(unsigned char sig_alg)
0f113f3e
MC		 3197{
3198 switch (sig_alg) {
e481f9b9 3199#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3200 case TLSEXT_signature_rsa:
3201 return SSL_PKEY_RSA_SIGN;
e481f9b9
MC		 3202#endif
3203#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3204 case TLSEXT_signature_dsa:
3205 return SSL_PKEY_DSA_SIGN;
e481f9b9
MC		 3206#endif
3207#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3208 case TLSEXT_signature_ecdsa:
3209 return SSL_PKEY_ECC;
e481f9b9 3210#endif
a230b26e 3211#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3212 case TLSEXT_signature_gostr34102001:
3213 return SSL_PKEY_GOST01;
3214
3215 case TLSEXT_signature_gostr34102012_256:
3216 return SSL_PKEY_GOST12_256;
3217
3218 case TLSEXT_signature_gostr34102012_512:
3219 return SSL_PKEY_GOST12_512;
a230b26e 3220#endif
0f113f3e
MC		 3221 }
3222 return -1;
3223}
4453cd8c
DSH		 3224
3225/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3226static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
0f113f3e
MC		 3227 int *psignhash_nid, const unsigned char *data)
3228{
330dcb09 3229 int sign_nid = NID_undef, hash_nid = NID_undef;
0f113f3e
MC		 3230 if (!phash_nid && !psign_nid && !psignhash_nid)
3231 return;
3232 if (phash_nid || psignhash_nid) {
b6eb9827 3233 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
0f113f3e
MC		 3234 if (phash_nid)
3235 *phash_nid = hash_nid;
3236 }
3237 if (psign_nid || psignhash_nid) {
b6eb9827 3238 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3239 if (psign_nid)
3240 *psign_nid = sign_nid;
3241 }
3242 if (psignhash_nid) {
330dcb09 3243 if (sign_nid == NID_undef || hash_nid == NID_undef
a230b26e 3244 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
0f113f3e
MC		 3245 *psignhash_nid = NID_undef;
3246 }
3247}
3248
b362ccab
DSH		 3249/* Check to see if a signature algorithm is allowed */
3250static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
0f113f3e
MC		 3251{
3252 /* See if we have an entry in the hash table and it is enabled */
3253 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
7afd2312 3254 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
0f113f3e
MC		 3255 return 0;
3256 /* See if public key algorithm allowed */
3257 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3258 return 0;
3259 /* Finally see if security callback allows it */
3260 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3261}
3262
3263/*
3264 * Get a mask of disabled public key algorithms based on supported signature
3265 * algorithms. For example if no signature algorithm supports RSA then RSA is
3266 * disabled.
b362ccab
DSH		 3267 */
3268
90d9e49a 3269void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
0f113f3e
MC		 3270{
3271 const unsigned char *sigalgs;
3272 size_t i, sigalgslen;
3273 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3274 /*
3275 * Now go through all signature algorithms seeing if we support any for
3276 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3277 * down calls to security callback only check if we have to.
3278 */
3279 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3280 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3281 switch (sigalgs[1]) {
e481f9b9 3282#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 3283 case TLSEXT_signature_rsa:
3284 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3285 have_rsa = 1;
3286 break;
e481f9b9
MC		 3287#endif
3288#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3289 case TLSEXT_signature_dsa:
3290 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3291 have_dsa = 1;
3292 break;
e481f9b9
MC		 3293#endif
3294#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3295 case TLSEXT_signature_ecdsa:
3296 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3297 have_ecdsa = 1;
3298 break;
e481f9b9 3299#endif
0f113f3e
MC		 3300 }
3301 }
3302 if (!have_rsa)
3303 *pmask_a |= SSL_aRSA;
3304 if (!have_dsa)
3305 *pmask_a |= SSL_aDSS;
3306 if (!have_ecdsa)
3307 *pmask_a |= SSL_aECDSA;
3308}
b362ccab
DSH		 3309
3310size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
0f113f3e
MC		 3311 const unsigned char *psig, size_t psiglen)
3312{
3313 unsigned char *tmpout = out;
3314 size_t i;
3315 for (i = 0; i < psiglen; i += 2, psig += 2) {
3316 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3317 *tmpout++ = psig[0];
3318 *tmpout++ = psig[1];
3319 }
3320 }
3321 return tmpout - out;
3322}
b362ccab 3323
4453cd8c 3324/* Given preference and allowed sigalgs set shared sigalgs */
b362ccab 3325static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
0f113f3e
MC		 3326 const unsigned char *pref, size_t preflen,
3327 const unsigned char *allow, size_t allowlen)
3328{
3329 const unsigned char *ptmp, *atmp;
3330 size_t i, j, nmatch = 0;
3331 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3332 /* Skip disabled hashes or signature algorithms */
3333 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3334 continue;
3335 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3336 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3337 nmatch++;
3338 if (shsig) {
3339 shsig->rhash = ptmp[0];
3340 shsig->rsign = ptmp[1];
3341 tls1_lookup_sigalg(&shsig->hash_nid,
3342 &shsig->sign_nid,
3343 &shsig->signandhash_nid, ptmp);
3344 shsig++;
3345 }
3346 break;
3347 }
3348 }
3349 }
3350 return nmatch;
3351}
4453cd8c
DSH		 3352
3353/* Set shared signature algorithms for SSL structures */
3354static int tls1_set_shared_sigalgs(SSL *s)
0f113f3e
MC		 3355{
3356 const unsigned char *pref, *allow, *conf;
3357 size_t preflen, allowlen, conflen;
3358 size_t nmatch;
3359 TLS_SIGALGS *salgs = NULL;
3360 CERT *c = s->cert;
3361 unsigned int is_suiteb = tls1_suiteb(s);
b548a1f1
RS		 3362
3363 OPENSSL_free(c->shared_sigalgs);
3364 c->shared_sigalgs = NULL;
3365 c->shared_sigalgslen = 0;
0f113f3e
MC		 3366 /* If client use client signature algorithms if not NULL */
3367 if (!s->server && c->client_sigalgs && !is_suiteb) {
3368 conf = c->client_sigalgs;
3369 conflen = c->client_sigalgslen;
3370 } else if (c->conf_sigalgs && !is_suiteb) {
3371 conf = c->conf_sigalgs;
3372 conflen = c->conf_sigalgslen;
3373 } else
3374 conflen = tls12_get_psigalgs(s, &conf);
3375 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3376 pref = conf;
3377 preflen = conflen;
76106e60
DSH		 3378 allow = s->s3->tmp.peer_sigalgs;
3379 allowlen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3380 } else {
3381 allow = conf;
3382 allowlen = conflen;
76106e60
DSH		 3383 pref = s->s3->tmp.peer_sigalgs;
3384 preflen = s->s3->tmp.peer_sigalgslen;
0f113f3e
MC		 3385 }
3386 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
34e3edbf
DSH		 3387 if (nmatch) {
3388 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
a71edf3b 3389 if (salgs == NULL)
34e3edbf
DSH		 3390 return 0;
3391 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3392 } else {
3393 salgs = NULL;
3394 }
0f113f3e
MC		 3395 c->shared_sigalgs = salgs;
3396 c->shared_sigalgslen = nmatch;
3397 return 1;
3398}
4453cd8c 3399
6b7be581
DSH		 3400/* Set preferred digest for each key type */
3401
c800c27a 3402int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
0f113f3e
MC		 3403{
3404 CERT *c = s->cert;
3405 /* Extension ignored for inappropriate versions */
3406 if (!SSL_USE_SIGALGS(s))
3407 return 1;
3408 /* Should never happen */
3409 if (!c)
3410 return 0;
3411
76106e60
DSH		 3412 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3413 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3414 if (s->s3->tmp.peer_sigalgs == NULL)
0f113f3e 3415 return 0;
76106e60
DSH		 3416 s->s3->tmp.peer_sigalgslen = dsize;
3417 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
0f113f3e
MC		 3418 return 1;
3419}
6b7be581 3420
c800c27a 3421int tls1_process_sigalgs(SSL *s)
0f113f3e
MC		 3422{
3423 int idx;
3424 size_t i;
3425 const EVP_MD *md;
d376e57d 3426 const EVP_MD **pmd = s->s3->tmp.md;
f7d53487 3427 uint32_t *pvalid = s->s3->tmp.valid_flags;
0f113f3e
MC		 3428 CERT *c = s->cert;
3429 TLS_SIGALGS *sigptr;
3430 if (!tls1_set_shared_sigalgs(s))
3431 return 0;
3432
0f113f3e
MC		 3433 for (i = 0, sigptr = c->shared_sigalgs;
3434 i < c->shared_sigalgslen; i++, sigptr++) {
3435 idx = tls12_get_pkey_idx(sigptr->rsign);
d376e57d 3436 if (idx > 0 && pmd[idx] == NULL) {
0f113f3e 3437 md = tls12_get_hash(sigptr->rhash);
d376e57d 3438 pmd[idx] = md;
6383d316 3439 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
0f113f3e 3440 if (idx == SSL_PKEY_RSA_SIGN) {
6383d316 3441 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
d376e57d 3442 pmd[SSL_PKEY_RSA_ENC] = md;
0f113f3e
MC		 3443 }
3444 }
6b7be581 3445
0f113f3e
MC		 3446 }
3447 /*
3448 * In strict mode leave unset digests as NULL to indicate we can't use
3449 * the certificate for signing.
3450 */
3451 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3452 /*
3453 * Set any remaining keys to default values. NOTE: if alg is not
3454 * supported it stays as NULL.
3455 */
e481f9b9 3456#ifndef OPENSSL_NO_DSA
d376e57d
DSH		 3457 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3458 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
e481f9b9
MC		 3459#endif
3460#ifndef OPENSSL_NO_RSA
d376e57d
DSH		 3461 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3462 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3463 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
0f113f3e 3464 }
e481f9b9
MC		 3465#endif
3466#ifndef OPENSSL_NO_EC
d376e57d
DSH		 3467 if (pmd[SSL_PKEY_ECC] == NULL)
3468 pmd[SSL_PKEY_ECC] = EVP_sha1();
e481f9b9 3469#endif
a230b26e 3470#ifndef OPENSSL_NO_GOST
e44380a9
DB		 3471 if (pmd[SSL_PKEY_GOST01] == NULL)
3472 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3473 if (pmd[SSL_PKEY_GOST12_256] == NULL)
a230b26e
EK		 3474 pmd[SSL_PKEY_GOST12_256] =
3475 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
e44380a9 3476 if (pmd[SSL_PKEY_GOST12_512] == NULL)
a230b26e
EK		 3477 pmd[SSL_PKEY_GOST12_512] =
3478 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3479#endif
0f113f3e
MC		 3480 }
3481 return 1;
3482}
4817504d 3483
e7f8ff43 3484int SSL_get_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3485 int *psign, int *phash, int *psignhash,
3486 unsigned char *rsig, unsigned char *rhash)
3487{
76106e60 3488 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
0f113f3e
MC		 3489 if (psig == NULL)
3490 return 0;
3491 if (idx >= 0) {
3492 idx <<= 1;
76106e60 3493 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
0f113f3e
MC		 3494 return 0;
3495 psig += idx;
3496 if (rhash)
3497 *rhash = psig[0];
3498 if (rsig)
3499 *rsig = psig[1];
3500 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3501 }
76106e60 3502 return s->s3->tmp.peer_sigalgslen / 2;
0f113f3e 3503}
4453cd8c
DSH		 3504
3505int SSL_get_shared_sigalgs(SSL *s, int idx,
0f113f3e
MC		 3506 int *psign, int *phash, int *psignhash,
3507 unsigned char *rsig, unsigned char *rhash)
3508{
3509 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3510 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3511 return 0;
3512 shsigalgs += idx;
3513 if (phash)
3514 *phash = shsigalgs->hash_nid;
3515 if (psign)
3516 *psign = shsigalgs->sign_nid;
3517 if (psignhash)
3518 *psignhash = shsigalgs->signandhash_nid;
3519 if (rsig)
3520 *rsig = shsigalgs->rsign;
3521 if (rhash)
3522 *rhash = shsigalgs->rhash;
3523 return s->cert->shared_sigalgslen;
3524}
3525
e481f9b9 3526#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
0f229cce 3527
0f113f3e
MC		 3528typedef struct {
3529 size_t sigalgcnt;
3530 int sigalgs[MAX_SIGALGLEN];
3531} sig_cb_st;
0f229cce 3532
431f458d
DSH		 3533static void get_sigorhash(int *psig, int *phash, const char *str)
3534{
3535 if (strcmp(str, "RSA") == 0) {
3536 *psig = EVP_PKEY_RSA;
3537 } else if (strcmp(str, "DSA") == 0) {
3538 *psig = EVP_PKEY_DSA;
3539 } else if (strcmp(str, "ECDSA") == 0) {
3540 *psig = EVP_PKEY_EC;
3541 } else {
3542 *phash = OBJ_sn2nid(str);
3543 if (*phash == NID_undef)
3544 *phash = OBJ_ln2nid(str);
3545 }
3546}
3547
0f229cce 3548static int sig_cb(const char *elem, int len, void *arg)
0f113f3e
MC		 3549{
3550 sig_cb_st *sarg = arg;
3551 size_t i;
3552 char etmp[20], *p;
431f458d 3553 int sig_alg = NID_undef, hash_alg = NID_undef;
2747d73c
KR		 3554 if (elem == NULL)
3555 return 0;
0f113f3e
MC		 3556 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3557 return 0;
3558 if (len > (int)(sizeof(etmp) - 1))
3559 return 0;
3560 memcpy(etmp, elem, len);
3561 etmp[len] = 0;
3562 p = strchr(etmp, '+');
3563 if (!p)
3564 return 0;
3565 *p = 0;
3566 p++;
3567 if (!*p)
3568 return 0;
3569
431f458d
DSH		 3570 get_sigorhash(&sig_alg, &hash_alg, etmp);
3571 get_sigorhash(&sig_alg, &hash_alg, p);
0f113f3e 3572
431f458d 3573 if (sig_alg == NID_undef || hash_alg == NID_undef)
0f113f3e
MC		 3574 return 0;
3575
3576 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3577 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3578 return 0;
3579 }
3580 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3581 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3582 return 1;
3583}
3584
3585/*
9d22666e 3586 * Set supported signature algorithms based on a colon separated list of the
0f113f3e
MC		 3587 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3588 */
3dbc46df 3589int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
0f113f3e
MC		 3590{
3591 sig_cb_st sig;
3592 sig.sigalgcnt = 0;
3593 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3594 return 0;
3595 if (c == NULL)
3596 return 1;
3597 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3598}
3599
a230b26e 3600int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
0f113f3e
MC		 3601{
3602 unsigned char *sigalgs, *sptr;
3603 int rhash, rsign;
3604 size_t i;
3605 if (salglen & 1)
3606 return 0;
3607 sigalgs = OPENSSL_malloc(salglen);
3608 if (sigalgs == NULL)
3609 return 0;
3610 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
b6eb9827
DSH		 3611 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3612 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
0f113f3e
MC		 3613
3614 if (rhash == -1 || rsign == -1)
3615 goto err;
3616 *sptr++ = rhash;
3617 *sptr++ = rsign;
3618 }
3619
3620 if (client) {
b548a1f1 3621 OPENSSL_free(c->client_sigalgs);
0f113f3e
MC		 3622 c->client_sigalgs = sigalgs;
3623 c->client_sigalgslen = salglen;
3624 } else {
b548a1f1 3625 OPENSSL_free(c->conf_sigalgs);
0f113f3e
MC		 3626 c->conf_sigalgs = sigalgs;
3627 c->conf_sigalgslen = salglen;
3628 }
3629
3630 return 1;
3631
3632 err:
3633 OPENSSL_free(sigalgs);
3634 return 0;
3635}
4453cd8c 3636
d61ff83b 3637static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
0f113f3e
MC		 3638{
3639 int sig_nid;
3640 size_t i;
3641 if (default_nid == -1)
3642 return 1;
3643 sig_nid = X509_get_signature_nid(x);
3644 if (default_nid)
3645 return sig_nid == default_nid ? 1 : 0;
3646 for (i = 0; i < c->shared_sigalgslen; i++)
3647 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3648 return 1;
3649 return 0;
3650}
3651
6dbb6219
DSH		 3652/* Check to see if a certificate issuer name matches list of CA names */
3653static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
0f113f3e
MC		 3654{
3655 X509_NAME *nm;
3656 int i;
3657 nm = X509_get_issuer_name(x);
3658 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3659 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3660 return 1;
3661 }
3662 return 0;
3663}
3664
3665/*
3666 * Check certificate chain is consistent with TLS extensions and is usable by
3667 * server. This servers two purposes: it allows users to check chains before
3668 * passing them to the server and it allows the server to check chains before
3669 * attempting to use them.
d61ff83b 3670 */
6dbb6219
DSH		 3671
3672/* Flags which need to be set for a certificate when stict mode not set */
3673
e481f9b9 3674#define CERT_PKEY_VALID_FLAGS \
0f113f3e 3675 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
6dbb6219 3676/* Strict mode flags */
e481f9b9 3677#define CERT_PKEY_STRICT_FLAGS \
0f113f3e
MC		 3678 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3679 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
6dbb6219 3680
d61ff83b 3681int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
0f113f3e
MC		 3682 int idx)
3683{
3684 int i;
3685 int rv = 0;
3686 int check_flags = 0, strict_mode;
3687 CERT_PKEY *cpk = NULL;
3688 CERT *c = s->cert;
f7d53487 3689 uint32_t *pvalid;
0f113f3e
MC		 3690 unsigned int suiteb_flags = tls1_suiteb(s);
3691 /* idx == -1 means checking server chains */
3692 if (idx != -1) {
3693 /* idx == -2 means checking client certificate chains */
3694 if (idx == -2) {
3695 cpk = c->key;
3696 idx = cpk - c->pkeys;
3697 } else
3698 cpk = c->pkeys + idx;
6383d316 3699 pvalid = s->s3->tmp.valid_flags + idx;
0f113f3e
MC		 3700 x = cpk->x509;
3701 pk = cpk->privatekey;
3702 chain = cpk->chain;
3703 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3704 /* If no cert or key, forget it */
3705 if (!x || !pk)
3706 goto end;
0f113f3e
MC		 3707 } else {
3708 if (!x || !pk)
d813f9eb 3709 return 0;
0f113f3e
MC		 3710 idx = ssl_cert_type(x, pk);
3711 if (idx == -1)
d813f9eb 3712 return 0;
6383d316
DSH		 3713 pvalid = s->s3->tmp.valid_flags + idx;
3714
0f113f3e
MC		 3715 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3716 check_flags = CERT_PKEY_STRICT_FLAGS;
3717 else
3718 check_flags = CERT_PKEY_VALID_FLAGS;
3719 strict_mode = 1;
3720 }
3721
3722 if (suiteb_flags) {
3723 int ok;
3724 if (check_flags)
3725 check_flags |= CERT_PKEY_SUITEB;
3726 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3727 if (ok == X509_V_OK)
3728 rv |= CERT_PKEY_SUITEB;
3729 else if (!check_flags)
3730 goto end;
3731 }
3732
3733 /*
3734 * Check all signature algorithms are consistent with signature
3735 * algorithms extension if TLS 1.2 or later and strict mode.
3736 */
3737 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3738 int default_nid;
3739 unsigned char rsign = 0;
76106e60 3740 if (s->s3->tmp.peer_sigalgs)
0f113f3e
MC		 3741 default_nid = 0;
3742 /* If no sigalgs extension use defaults from RFC5246 */
3743 else {
3744 switch (idx) {
3745 case SSL_PKEY_RSA_ENC:
3746 case SSL_PKEY_RSA_SIGN:
0f113f3e
MC		 3747 rsign = TLSEXT_signature_rsa;
3748 default_nid = NID_sha1WithRSAEncryption;
3749 break;
3750
3751 case SSL_PKEY_DSA_SIGN:
0f113f3e
MC		 3752 rsign = TLSEXT_signature_dsa;
3753 default_nid = NID_dsaWithSHA1;
3754 break;
3755
3756 case SSL_PKEY_ECC:
3757 rsign = TLSEXT_signature_ecdsa;
3758 default_nid = NID_ecdsa_with_SHA1;
3759 break;
3760
e44380a9
DB		 3761 case SSL_PKEY_GOST01:
3762 rsign = TLSEXT_signature_gostr34102001;
3763 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3764 break;
3765
3766 case SSL_PKEY_GOST12_256:
3767 rsign = TLSEXT_signature_gostr34102012_256;
3768 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3769 break;
3770
3771 case SSL_PKEY_GOST12_512:
3772 rsign = TLSEXT_signature_gostr34102012_512;
3773 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3774 break;
3775
0f113f3e
MC		 3776 default:
3777 default_nid = -1;
3778 break;
3779 }
3780 }
3781 /*
3782 * If peer sent no signature algorithms extension and we have set
3783 * preferred signature algorithms check we support sha1.
3784 */
3785 if (default_nid > 0 && c->conf_sigalgs) {
3786 size_t j;
3787 const unsigned char *p = c->conf_sigalgs;
3788 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3789 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3790 break;
3791 }
3792 if (j == c->conf_sigalgslen) {
3793 if (check_flags)
3794 goto skip_sigs;
3795 else
3796 goto end;
3797 }
3798 }
3799 /* Check signature algorithm of each cert in chain */
3800 if (!tls1_check_sig_alg(c, x, default_nid)) {
3801 if (!check_flags)
3802 goto end;
3803 } else
3804 rv |= CERT_PKEY_EE_SIGNATURE;
3805 rv |= CERT_PKEY_CA_SIGNATURE;
3806 for (i = 0; i < sk_X509_num(chain); i++) {
3807 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3808 if (check_flags) {
3809 rv &= ~CERT_PKEY_CA_SIGNATURE;
3810 break;
3811 } else
3812 goto end;
3813 }
3814 }
3815 }
3816 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3817 else if (check_flags)
3818 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3819 skip_sigs:
3820 /* Check cert parameters are consistent */
3821 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3822 rv |= CERT_PKEY_EE_PARAM;
3823 else if (!check_flags)
3824 goto end;
3825 if (!s->server)
3826 rv |= CERT_PKEY_CA_PARAM;
3827 /* In strict mode check rest of chain too */
3828 else if (strict_mode) {
3829 rv |= CERT_PKEY_CA_PARAM;
3830 for (i = 0; i < sk_X509_num(chain); i++) {
3831 X509 *ca = sk_X509_value(chain, i);
3832 if (!tls1_check_cert_param(s, ca, 0)) {
3833 if (check_flags) {
3834 rv &= ~CERT_PKEY_CA_PARAM;
3835 break;
3836 } else
3837 goto end;
3838 }
3839 }
3840 }
3841 if (!s->server && strict_mode) {
3842 STACK_OF(X509_NAME) *ca_dn;
3843 int check_type = 0;
3aeb9348 3844 switch (EVP_PKEY_id(pk)) {
0f113f3e
MC		 3845 case EVP_PKEY_RSA:
3846 check_type = TLS_CT_RSA_SIGN;
3847 break;
3848 case EVP_PKEY_DSA:
3849 check_type = TLS_CT_DSS_SIGN;
3850 break;
3851 case EVP_PKEY_EC:
3852 check_type = TLS_CT_ECDSA_SIGN;
3853 break;
0f113f3e
MC		 3854 }
3855 if (check_type) {
3856 const unsigned char *ctypes;
3857 int ctypelen;
3858 if (c->ctypes) {
3859 ctypes = c->ctypes;
3860 ctypelen = (int)c->ctype_num;
3861 } else {
3862 ctypes = (unsigned char *)s->s3->tmp.ctype;
3863 ctypelen = s->s3->tmp.ctype_num;
3864 }
3865 for (i = 0; i < ctypelen; i++) {
3866 if (ctypes[i] == check_type) {
3867 rv |= CERT_PKEY_CERT_TYPE;
3868 break;
3869 }
3870 }
3871 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3872 goto end;
3873 } else
3874 rv |= CERT_PKEY_CERT_TYPE;
3875
3876 ca_dn = s->s3->tmp.ca_names;
3877
3878 if (!sk_X509_NAME_num(ca_dn))
3879 rv |= CERT_PKEY_ISSUER_NAME;
3880
3881 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3882 if (ssl_check_ca_name(ca_dn, x))
3883 rv |= CERT_PKEY_ISSUER_NAME;
3884 }
3885 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3886 for (i = 0; i < sk_X509_num(chain); i++) {
3887 X509 *xtmp = sk_X509_value(chain, i);
3888 if (ssl_check_ca_name(ca_dn, xtmp)) {
3889 rv |= CERT_PKEY_ISSUER_NAME;
3890 break;
3891 }
3892 }
3893 }
3894 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3895 goto end;
3896 } else
3897 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3898
3899 if (!check_flags || (rv & check_flags) == check_flags)
3900 rv |= CERT_PKEY_VALID;
3901
3902 end:
3903
3904 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
6383d316 3905 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
0f113f3e 3906 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
d376e57d 3907 else if (s->s3->tmp.md[idx] != NULL)
0f113f3e
MC		 3908 rv |= CERT_PKEY_SIGN;
3909 } else
3910 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3911
3912 /*
3913 * When checking a CERT_PKEY structure all flags are irrelevant if the
3914 * chain is invalid.
3915 */
3916 if (!check_flags) {
3917 if (rv & CERT_PKEY_VALID)
6383d316 3918 *pvalid = rv;
0f113f3e
MC		 3919 else {
3920 /* Preserve explicit sign flag, clear rest */
6383d316 3921 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
0f113f3e
MC		 3922 return 0;
3923 }
3924 }
3925 return rv;
3926}
d61ff83b
DSH		 3927
3928/* Set validity of certificates in an SSL structure */
3929void tls1_set_cert_validity(SSL *s)
0f113f3e 3930{
17dd65e6
MC		 3931 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3932 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3933 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
17dd65e6 3934 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
e44380a9
DB		 3935 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3936 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3937 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
0f113f3e
MC		 3938}
3939
18d71588
DSH		 3940/* User level utiity function to check a chain is suitable */
3941int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
0f113f3e
MC		 3942{
3943 return tls1_check_chain(s, x, pk, chain, -1);
3944}
d61ff83b 3945
09599b52
DSH		 3946#ifndef OPENSSL_NO_DH
3947DH *ssl_get_auto_dh(SSL *s)
0f113f3e
MC		 3948{
3949 int dh_secbits = 80;
3950 if (s->cert->dh_tmp_auto == 2)
3951 return DH_get_1024_160();
adc5506a 3952 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
0f113f3e
MC		 3953 if (s->s3->tmp.new_cipher->strength_bits == 256)
3954 dh_secbits = 128;
3955 else
3956 dh_secbits = 80;
3957 } else {
3958 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3959 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3960 }
3961
3962 if (dh_secbits >= 128) {
3963 DH *dhp = DH_new();
0aeddcfa 3964 BIGNUM *p, *g;
a71edf3b 3965 if (dhp == NULL)
0f113f3e 3966 return NULL;
0aeddcfa
MC		 3967 g = BN_new();
3968 if (g != NULL)
3969 BN_set_word(g, 2);
0f113f3e 3970 if (dh_secbits >= 192)
9021a5df 3971 p = BN_get_rfc3526_prime_8192(NULL);
0f113f3e 3972 else
9021a5df 3973 p = BN_get_rfc3526_prime_3072(NULL);
0aeddcfa 3974 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
0f113f3e 3975 DH_free(dhp);
0aeddcfa
MC		 3976 BN_free(p);
3977 BN_free(g);
0f113f3e
MC		 3978 return NULL;
3979 }
3980 return dhp;
3981 }
3982 if (dh_secbits >= 112)
3983 return DH_get_2048_224();
3984 return DH_get_1024_160();
3985}
09599b52 3986#endif
b362ccab
DSH		 3987
3988static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e 3989{
72245f34 3990 int secbits = -1;
8382fd3a 3991 EVP_PKEY *pkey = X509_get0_pubkey(x);
0f113f3e 3992 if (pkey) {
72245f34
DSH		 3993 /*
3994 * If no parameters this will return -1 and fail using the default
3995 * security callback for any non-zero security level. This will
3996 * reject keys which omit parameters but this only affects DSA and
3997 * omission of parameters is never (?) done in practice.
3998 */
0f113f3e 3999 secbits = EVP_PKEY_security_bits(pkey);
72245f34 4000 }
0f113f3e
MC		 4001 if (s)
4002 return ssl_security(s, op, secbits, 0, x);
4003 else
4004 return ssl_ctx_security(ctx, op, secbits, 0, x);
4005}
b362ccab
DSH		 4006
4007static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
0f113f3e
MC		 4008{
4009 /* Lookup signature algorithm digest */
4010 int secbits = -1, md_nid = NID_undef, sig_nid;
221c7b55
DSH		 4011 /* Don't check signature if self signed */
4012 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4013 return 1;
0f113f3e
MC		 4014 sig_nid = X509_get_signature_nid(x);
4015 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4016 const EVP_MD *md;
4017 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4018 secbits = EVP_MD_size(md) * 4;
4019 }
4020 if (s)
4021 return ssl_security(s, op, secbits, md_nid, x);
4022 else
4023 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4024}
b362ccab
DSH		 4025
4026int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
0f113f3e
MC		 4027{
4028 if (vfy)
4029 vfy = SSL_SECOP_PEER;
4030 if (is_ee) {
4031 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4032 return SSL_R_EE_KEY_TOO_SMALL;
4033 } else {
4034 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4035 return SSL_R_CA_KEY_TOO_SMALL;
4036 }
4037 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4038 return SSL_R_CA_MD_TOO_WEAK;
4039 return 1;
4040}
4041
4042/*
4043 * Check security of a chain, if sk includes the end entity certificate then
4044 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4045 * one to the peer. Return values: 1 if ok otherwise error code to use
b362ccab
DSH		 4046 */
4047
4048int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
0f113f3e
MC		 4049{
4050 int rv, start_idx, i;
4051 if (x == NULL) {
4052 x = sk_X509_value(sk, 0);
4053 start_idx = 1;
4054 } else
4055 start_idx = 0;
4056
4057 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4058 if (rv != 1)
4059 return rv;
4060
4061 for (i = start_idx; i < sk_X509_num(sk); i++) {
4062 x = sk_X509_value(sk, i);
4063 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4064 if (rv != 1)
4065 return rv;
4066 }
4067 return 1;
4068}
A mirror of the official openssl repository