• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 				const unsigned char *sess_id, int sesslen,
125 				SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 	tls1_enc,
130 	tls1_mac,
131 	tls1_setup_key_block,
132 	tls1_generate_master_secret,
133 	tls1_change_cipher_state,
134 	tls1_final_finish_mac,
135 	TLS1_FINISH_MAC_LENGTH,
136 	tls1_cert_verify_mac,
137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 	tls1_alert_code,
140 	tls1_export_keying_material,
141 	};
142 
tls1_default_timeout(void)143 long tls1_default_timeout(void)
144 	{
145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 	 * is way too long for http, the cache would over fill */
147 	return(60*60*2);
148 	}
149 
tls1_new(SSL * s)150 int tls1_new(SSL *s)
151 	{
152 	if (!ssl3_new(s)) return(0);
153 	s->method->ssl_clear(s);
154 	return(1);
155 	}
156 
tls1_free(SSL * s)157 void tls1_free(SSL *s)
158 	{
159 #ifndef OPENSSL_NO_TLSEXT
160 	if (s->tlsext_session_ticket)
161 		{
162 		OPENSSL_free(s->tlsext_session_ticket);
163 		}
164 #endif /* OPENSSL_NO_TLSEXT */
165 	ssl3_free(s);
166 	}
167 
tls1_clear(SSL * s)168 void tls1_clear(SSL *s)
169 	{
170 	ssl3_clear(s);
171 	s->version = s->method->version;
172 	}
173 
174 #ifndef OPENSSL_NO_EC
175 
176 static int nid_list[] =
177 	{
178 		NID_sect163k1, /* sect163k1 (1) */
179 		NID_sect163r1, /* sect163r1 (2) */
180 		NID_sect163r2, /* sect163r2 (3) */
181 		NID_sect193r1, /* sect193r1 (4) */
182 		NID_sect193r2, /* sect193r2 (5) */
183 		NID_sect233k1, /* sect233k1 (6) */
184 		NID_sect233r1, /* sect233r1 (7) */
185 		NID_sect239k1, /* sect239k1 (8) */
186 		NID_sect283k1, /* sect283k1 (9) */
187 		NID_sect283r1, /* sect283r1 (10) */
188 		NID_sect409k1, /* sect409k1 (11) */
189 		NID_sect409r1, /* sect409r1 (12) */
190 		NID_sect571k1, /* sect571k1 (13) */
191 		NID_sect571r1, /* sect571r1 (14) */
192 		NID_secp160k1, /* secp160k1 (15) */
193 		NID_secp160r1, /* secp160r1 (16) */
194 		NID_secp160r2, /* secp160r2 (17) */
195 		NID_secp192k1, /* secp192k1 (18) */
196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
197 		NID_secp224k1, /* secp224k1 (20) */
198 		NID_secp224r1, /* secp224r1 (21) */
199 		NID_secp256k1, /* secp256k1 (22) */
200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
201 		NID_secp384r1, /* secp384r1 (24) */
202 		NID_secp521r1  /* secp521r1 (25) */
203 	};
204 
205 static int pref_list[] =
206 	{
207 		NID_sect571r1, /* sect571r1 (14) */
208 		NID_sect571k1, /* sect571k1 (13) */
209 		NID_secp521r1, /* secp521r1 (25) */
210 		NID_sect409k1, /* sect409k1 (11) */
211 		NID_sect409r1, /* sect409r1 (12) */
212 		NID_secp384r1, /* secp384r1 (24) */
213 		NID_sect283k1, /* sect283k1 (9) */
214 		NID_sect283r1, /* sect283r1 (10) */
215 		NID_secp256k1, /* secp256k1 (22) */
216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
217 		NID_sect239k1, /* sect239k1 (8) */
218 		NID_sect233k1, /* sect233k1 (6) */
219 		NID_sect233r1, /* sect233r1 (7) */
220 		NID_secp224k1, /* secp224k1 (20) */
221 		NID_secp224r1, /* secp224r1 (21) */
222 		NID_sect193r1, /* sect193r1 (4) */
223 		NID_sect193r2, /* sect193r2 (5) */
224 		NID_secp192k1, /* secp192k1 (18) */
225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
226 		NID_sect163k1, /* sect163k1 (1) */
227 		NID_sect163r1, /* sect163r1 (2) */
228 		NID_sect163r2, /* sect163r2 (3) */
229 		NID_secp160k1, /* secp160k1 (15) */
230 		NID_secp160r1, /* secp160r1 (16) */
231 		NID_secp160r2, /* secp160r2 (17) */
232 	};
233 
tls1_ec_curve_id2nid(int curve_id)234 int tls1_ec_curve_id2nid(int curve_id)
235 	{
236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 	if ((curve_id < 1) || ((unsigned int)curve_id >
238 				sizeof(nid_list)/sizeof(nid_list[0])))
239 		return 0;
240 	return nid_list[curve_id-1];
241 	}
242 
tls1_ec_nid2curve_id(int nid)243 int tls1_ec_nid2curve_id(int nid)
244 	{
245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 	switch (nid)
247 		{
248 	case NID_sect163k1: /* sect163k1 (1) */
249 		return 1;
250 	case NID_sect163r1: /* sect163r1 (2) */
251 		return 2;
252 	case NID_sect163r2: /* sect163r2 (3) */
253 		return 3;
254 	case NID_sect193r1: /* sect193r1 (4) */
255 		return 4;
256 	case NID_sect193r2: /* sect193r2 (5) */
257 		return 5;
258 	case NID_sect233k1: /* sect233k1 (6) */
259 		return 6;
260 	case NID_sect233r1: /* sect233r1 (7) */
261 		return 7;
262 	case NID_sect239k1: /* sect239k1 (8) */
263 		return 8;
264 	case NID_sect283k1: /* sect283k1 (9) */
265 		return 9;
266 	case NID_sect283r1: /* sect283r1 (10) */
267 		return 10;
268 	case NID_sect409k1: /* sect409k1 (11) */
269 		return 11;
270 	case NID_sect409r1: /* sect409r1 (12) */
271 		return 12;
272 	case NID_sect571k1: /* sect571k1 (13) */
273 		return 13;
274 	case NID_sect571r1: /* sect571r1 (14) */
275 		return 14;
276 	case NID_secp160k1: /* secp160k1 (15) */
277 		return 15;
278 	case NID_secp160r1: /* secp160r1 (16) */
279 		return 16;
280 	case NID_secp160r2: /* secp160r2 (17) */
281 		return 17;
282 	case NID_secp192k1: /* secp192k1 (18) */
283 		return 18;
284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 		return 19;
286 	case NID_secp224k1: /* secp224k1 (20) */
287 		return 20;
288 	case NID_secp224r1: /* secp224r1 (21) */
289 		return 21;
290 	case NID_secp256k1: /* secp256k1 (22) */
291 		return 22;
292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 		return 23;
294 	case NID_secp384r1: /* secp384r1 (24) */
295 		return 24;
296 	case NID_secp521r1:  /* secp521r1 (25) */
297 		return 25;
298 	default:
299 		return 0;
300 		}
301 	}
302 #endif /* OPENSSL_NO_EC */
303 
304 #ifndef OPENSSL_NO_TLSEXT
305 
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309 
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315 
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321 
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327 
328 #define tlsext_sigalg(md) \
329 		tlsext_sigalg_rsa(md) \
330 		tlsext_sigalg_dsa(md) \
331 		tlsext_sigalg_ecdsa(md)
332 
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 	tlsext_sigalg(TLSEXT_hash_sha512)
336 	tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 	tlsext_sigalg(TLSEXT_hash_sha256)
340 	tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 	tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346 	tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349 
tls12_get_req_sig_algs(SSL * s,unsigned char * p)350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 	{
352 	size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354 	/* If FIPS mode don't include MD5 which is last */
355 	if (FIPS_mode())
356 		slen -= 2;
357 #endif
358 	if (p)
359 		memcpy(p, tls12_sigalgs, slen);
360 	return (int)slen;
361 	}
362 
ssl_add_clienthello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 	{
365 	int extdatalen=0;
366 	unsigned char *ret = p;
367 
368 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
369 	if (s->client_version == SSL3_VERSION
370 					&& !s->s3->send_connection_binding)
371 		return p;
372 
373 	ret+=2;
374 
375 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
376 
377  	if (s->tlsext_hostname != NULL)
378 		{
379 		/* Add TLS extension servername to the Client Hello message */
380 		unsigned long size_str;
381 		long lenmax;
382 
383 		/* check for enough space.
384 		   4 for the servername type and entension length
385 		   2 for servernamelist length
386 		   1 for the hostname type
387 		   2 for hostname length
388 		   + hostname length
389 		*/
390 
391 		if ((lenmax = limit - ret - 9) < 0
392 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 			return NULL;
394 
395 		/* extension type and length */
396 		s2n(TLSEXT_TYPE_server_name,ret);
397 		s2n(size_str+5,ret);
398 
399 		/* length of servername list */
400 		s2n(size_str+3,ret);
401 
402 		/* hostname type, length and hostname */
403 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404 		s2n(size_str,ret);
405 		memcpy(ret, s->tlsext_hostname, size_str);
406 		ret+=size_str;
407 		}
408 
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413 
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419 
420           if((limit - p - 4 - el) < 0) return NULL;
421 
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424 
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430 
431           ret += el;
432         }
433 
434 #ifndef OPENSSL_NO_SRP
435 	/* Add SRP username if there is one */
436 	if (s->srp_ctx.login != NULL)
437 		{ /* Add TLS extension SRP username to the Client Hello message */
438 
439 		int login_len = strlen(s->srp_ctx.login);
440 		if (login_len > 255 || login_len == 0)
441 			{
442 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 			return NULL;
444 			}
445 
446 		/* check for enough space.
447 		   4 for the srp type type and entension length
448 		   1 for the srp user identity
449 		   + srp user identity length
450 		*/
451 		if ((limit - ret - 5 - login_len) < 0) return NULL;
452 
453 		/* fill in the extension */
454 		s2n(TLSEXT_TYPE_srp,ret);
455 		s2n(login_len+1,ret);
456 		(*ret++) = (unsigned char) login_len;
457 		memcpy(ret, s->srp_ctx.login, login_len);
458 		ret+=login_len;
459 		}
460 #endif
461 
462 #ifndef OPENSSL_NO_EC
463 	if (s->tlsext_ecpointformatlist != NULL &&
464 	    s->version != DTLS1_VERSION)
465 		{
466 		/* Add TLS extension ECPointFormats to the ClientHello message */
467 		long lenmax;
468 
469 		if ((lenmax = limit - ret - 5) < 0) return NULL;
470 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 		if (s->tlsext_ecpointformatlist_length > 255)
472 			{
473 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474 			return NULL;
475 			}
476 
477 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 		ret+=s->tlsext_ecpointformatlist_length;
482 		}
483 	if (s->tlsext_ellipticcurvelist != NULL &&
484 	    s->version != DTLS1_VERSION)
485 		{
486 		/* Add TLS extension EllipticCurves to the ClientHello message */
487 		long lenmax;
488 
489 		if ((lenmax = limit - ret - 6) < 0) return NULL;
490 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491 		if (s->tlsext_ellipticcurvelist_length > 65532)
492 			{
493 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494 			return NULL;
495 			}
496 
497 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
498 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499 
500 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501 		 * elliptic_curve_list, but the examples use two bytes.
502 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503 		 * resolves this to two bytes.
504 		 */
505 		s2n(s->tlsext_ellipticcurvelist_length, ret);
506 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507 		ret+=s->tlsext_ellipticcurvelist_length;
508 		}
509 #endif /* OPENSSL_NO_EC */
510 
511 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512 		{
513 		int ticklen;
514 		if (!s->new_session && s->session && s->session->tlsext_tick)
515 			ticklen = s->session->tlsext_ticklen;
516 		else if (s->session && s->tlsext_session_ticket &&
517 			 s->tlsext_session_ticket->data)
518 			{
519 			ticklen = s->tlsext_session_ticket->length;
520 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521 			if (!s->session->tlsext_tick)
522 				return NULL;
523 			memcpy(s->session->tlsext_tick,
524 			       s->tlsext_session_ticket->data,
525 			       ticklen);
526 			s->session->tlsext_ticklen = ticklen;
527 			}
528 		else
529 			ticklen = 0;
530 		if (ticklen == 0 && s->tlsext_session_ticket &&
531 		    s->tlsext_session_ticket->data == NULL)
532 			goto skip_ext;
533 		/* Check for enough room 2 for extension type, 2 for len
534  		 * rest for ticket
535   		 */
536 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537 		s2n(TLSEXT_TYPE_session_ticket,ret);
538 		s2n(ticklen,ret);
539 		if (ticklen)
540 			{
541 			memcpy(ret, s->session->tlsext_tick, ticklen);
542 			ret += ticklen;
543 			}
544 		}
545 		skip_ext:
546 
547 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 		{
549 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 			return NULL;
551 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 		s2n(sizeof(tls12_sigalgs) + 2, ret);
553 		s2n(sizeof(tls12_sigalgs), ret);
554 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 		ret += sizeof(tls12_sigalgs);
556 		}
557 
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559 	if (s->s3->client_opaque_prf_input != NULL &&
560 	    s->version != DTLS1_VERSION)
561 		{
562 		size_t col = s->s3->client_opaque_prf_input_len;
563 
564 		if ((long)(limit - ret - 6 - col < 0))
565 			return NULL;
566 		if (col > 0xFFFD) /* can't happen */
567 			return NULL;
568 
569 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
570 		s2n(col + 2, ret);
571 		s2n(col, ret);
572 		memcpy(ret, s->s3->client_opaque_prf_input, col);
573 		ret += col;
574 		}
575 #endif
576 
577 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578 	    s->version != DTLS1_VERSION)
579 		{
580 		int i;
581 		long extlen, idlen, itmp;
582 		OCSP_RESPID *id;
583 
584 		idlen = 0;
585 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586 			{
587 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588 			itmp = i2d_OCSP_RESPID(id, NULL);
589 			if (itmp <= 0)
590 				return NULL;
591 			idlen += itmp + 2;
592 			}
593 
594 		if (s->tlsext_ocsp_exts)
595 			{
596 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 			if (extlen < 0)
598 				return NULL;
599 			}
600 		else
601 			extlen = 0;
602 
603 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604 		s2n(TLSEXT_TYPE_status_request, ret);
605 		if (extlen + idlen > 0xFFF0)
606 			return NULL;
607 		s2n(extlen + idlen + 5, ret);
608 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
609 		s2n(idlen, ret);
610 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611 			{
612 			/* save position of id len */
613 			unsigned char *q = ret;
614 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615 			/* skip over id len */
616 			ret += 2;
617 			itmp = i2d_OCSP_RESPID(id, &ret);
618 			/* write id len */
619 			s2n(itmp, q);
620 			}
621 		s2n(extlen, ret);
622 		if (extlen > 0)
623 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624 		}
625 
626 #ifndef OPENSSL_NO_HEARTBEATS
627 	/* Add Heartbeat extension */
628 	s2n(TLSEXT_TYPE_heartbeat,ret);
629 	s2n(1,ret);
630 	/* Set mode:
631 	 * 1: peer may send requests
632 	 * 2: peer not allowed to send requests
633 	 */
634 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 	else
637 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639 
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 		{
643 		/* The client advertises an emtpy extension to indicate its
644 		 * support for Next Protocol Negotiation */
645 		if (limit - ret - 4 < 0)
646 			return NULL;
647 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 		s2n(0,ret);
649 		}
650 #endif
651 
652         if(SSL_get_srtp_profiles(s))
653                 {
654                 int el;
655 
656                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657 
658                 if((limit - p - 4 - el) < 0) return NULL;
659 
660                 s2n(TLSEXT_TYPE_use_srtp,ret);
661                 s2n(el,ret);
662 
663                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664 			{
665 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666 			return NULL;
667 			}
668                 ret += el;
669                 }
670 
671 	if ((extdatalen = ret-p-2)== 0)
672 		return p;
673 
674 	s2n(extdatalen,p);
675 	return ret;
676 	}
677 
ssl_add_serverhello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)678 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
679 	{
680 	int extdatalen=0;
681 	unsigned char *ret = p;
682 #ifndef OPENSSL_NO_NEXTPROTONEG
683 	int next_proto_neg_seen;
684 #endif
685 
686 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
687 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
688 		return p;
689 
690 	ret+=2;
691 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
692 
693 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
694 		{
695 		if ((long)(limit - ret - 4) < 0) return NULL;
696 
697 		s2n(TLSEXT_TYPE_server_name,ret);
698 		s2n(0,ret);
699 		}
700 
701 	if(s->s3->send_connection_binding)
702         {
703           int el;
704 
705           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
706               {
707               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
708               return NULL;
709               }
710 
711           if((limit - p - 4 - el) < 0) return NULL;
712 
713           s2n(TLSEXT_TYPE_renegotiate,ret);
714           s2n(el,ret);
715 
716           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
717               {
718               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
719               return NULL;
720               }
721 
722           ret += el;
723         }
724 
725 #ifndef OPENSSL_NO_EC
726 	if (s->tlsext_ecpointformatlist != NULL &&
727 	    s->version != DTLS1_VERSION)
728 		{
729 		/* Add TLS extension ECPointFormats to the ServerHello message */
730 		long lenmax;
731 
732 		if ((lenmax = limit - ret - 5) < 0) return NULL;
733 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
734 		if (s->tlsext_ecpointformatlist_length > 255)
735 			{
736 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
737 			return NULL;
738 			}
739 
740 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
741 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
742 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
743 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
744 		ret+=s->tlsext_ecpointformatlist_length;
745 
746 		}
747 	/* Currently the server should not respond with a SupportedCurves extension */
748 #endif /* OPENSSL_NO_EC */
749 
750 	if (s->tlsext_ticket_expected
751 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
752 		{
753 		if ((long)(limit - ret - 4) < 0) return NULL;
754 		s2n(TLSEXT_TYPE_session_ticket,ret);
755 		s2n(0,ret);
756 		}
757 
758 	if (s->tlsext_status_expected)
759 		{
760 		if ((long)(limit - ret - 4) < 0) return NULL;
761 		s2n(TLSEXT_TYPE_status_request,ret);
762 		s2n(0,ret);
763 		}
764 
765 #ifdef TLSEXT_TYPE_opaque_prf_input
766 	if (s->s3->server_opaque_prf_input != NULL &&
767 	    s->version != DTLS1_VERSION)
768 		{
769 		size_t sol = s->s3->server_opaque_prf_input_len;
770 
771 		if ((long)(limit - ret - 6 - sol) < 0)
772 			return NULL;
773 		if (sol > 0xFFFD) /* can't happen */
774 			return NULL;
775 
776 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
777 		s2n(sol + 2, ret);
778 		s2n(sol, ret);
779 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
780 		ret += sol;
781 		}
782 #endif
783 
784         if(s->srtp_profile)
785                 {
786                 int el;
787 
788                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789 
790                 if((limit - p - 4 - el) < 0) return NULL;
791 
792                 s2n(TLSEXT_TYPE_use_srtp,ret);
793                 s2n(el,ret);
794 
795                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796 			{
797 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798 			return NULL;
799 			}
800                 ret+=el;
801                 }
802 
803 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
804 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
805 		{ const unsigned char cryptopro_ext[36] = {
806 			0xfd, 0xe8, /*65000*/
807 			0x00, 0x20, /*32 bytes length*/
808 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
809 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
810 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
811 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
812 			if (limit-ret<36) return NULL;
813 			memcpy(ret,cryptopro_ext,36);
814 			ret+=36;
815 
816 		}
817 
818 #ifndef OPENSSL_NO_HEARTBEATS
819 	/* Add Heartbeat extension if we've received one */
820 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821 		{
822 		s2n(TLSEXT_TYPE_heartbeat,ret);
823 		s2n(1,ret);
824 		/* Set mode:
825 		 * 1: peer may send requests
826 		 * 2: peer not allowed to send requests
827 		 */
828 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830 		else
831 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
832 
833 		}
834 #endif
835 
836 #ifndef OPENSSL_NO_NEXTPROTONEG
837 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
838 	s->s3->next_proto_neg_seen = 0;
839 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840 		{
841 		const unsigned char *npa;
842 		unsigned int npalen;
843 		int r;
844 
845 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846 		if (r == SSL_TLSEXT_ERR_OK)
847 			{
848 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
850 			s2n(npalen,ret);
851 			memcpy(ret, npa, npalen);
852 			ret += npalen;
853 			s->s3->next_proto_neg_seen = 1;
854 			}
855 		}
856 #endif
857 
858 	if ((extdatalen = ret-p-2)== 0)
859 		return p;
860 
861 	s2n(extdatalen,p);
862 	return ret;
863 	}
864 
ssl_parse_clienthello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)865 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866 	{
867 	unsigned short type;
868 	unsigned short size;
869 	unsigned short len;
870 	unsigned char *data = *p;
871 	int renegotiate_seen = 0;
872 	int sigalg_seen = 0;
873 
874 	s->servername_done = 0;
875 	s->tlsext_status_type = -1;
876 #ifndef OPENSSL_NO_NEXTPROTONEG
877 	s->s3->next_proto_neg_seen = 0;
878 #endif
879 
880 #ifndef OPENSSL_NO_HEARTBEATS
881 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883 #endif
884 
885 	if (data >= (d+n-2))
886 		goto ri_check;
887 	n2s(data,len);
888 
889 	if (data > (d+n-len))
890 		goto ri_check;
891 
892 	while (data <= (d+n-4))
893 		{
894 		n2s(data,type);
895 		n2s(data,size);
896 
897 		if (data+size > (d+n))
898 	   		goto ri_check;
899 #if 0
900 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
901 #endif
902 		if (s->tlsext_debug_cb)
903 			s->tlsext_debug_cb(s, 0, type, data, size,
904 						s->tlsext_debug_arg);
905 /* The servername extension is treated as follows:
906 
907    - Only the hostname type is supported with a maximum length of 255.
908    - The servername is rejected if too long or if it contains zeros,
909      in which case an fatal alert is generated.
910    - The servername field is maintained together with the session cache.
911    - When a session is resumed, the servername call back invoked in order
912      to allow the application to position itself to the right context.
913    - The servername is acknowledged if it is new for a session or when
914      it is identical to a previously used for the same session.
915      Applications can control the behaviour.  They can at any time
916      set a 'desirable' servername for a new SSL object. This can be the
917      case for example with HTTPS when a Host: header field is received and
918      a renegotiation is requested. In this case, a possible servername
919      presented in the new client hello is only acknowledged if it matches
920      the value of the Host: field.
921    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
922      if they provide for changing an explicit servername context for the session,
923      i.e. when the session has been established with a servername extension.
924    - On session reconnect, the servername extension may be absent.
925 
926 */
927 
928 		if (type == TLSEXT_TYPE_server_name)
929 			{
930 			unsigned char *sdata;
931 			int servname_type;
932 			int dsize;
933 
934 			if (size < 2)
935 				{
936 				*al = SSL_AD_DECODE_ERROR;
937 				return 0;
938 				}
939 			n2s(data,dsize);
940 			size -= 2;
941 			if (dsize > size  )
942 				{
943 				*al = SSL_AD_DECODE_ERROR;
944 				return 0;
945 				}
946 
947 			sdata = data;
948 			while (dsize > 3)
949 				{
950 	 			servname_type = *(sdata++);
951 				n2s(sdata,len);
952 				dsize -= 3;
953 
954 				if (len > dsize)
955 					{
956 					*al = SSL_AD_DECODE_ERROR;
957 					return 0;
958 					}
959 				if (s->servername_done == 0)
960 				switch (servname_type)
961 					{
962 				case TLSEXT_NAMETYPE_host_name:
963 					if (!s->hit)
964 						{
965 						if(s->session->tlsext_hostname)
966 							{
967 							*al = SSL_AD_DECODE_ERROR;
968 							return 0;
969 							}
970 						if (len > TLSEXT_MAXLEN_host_name)
971 							{
972 							*al = TLS1_AD_UNRECOGNIZED_NAME;
973 							return 0;
974 							}
975 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
976 							{
977 							*al = TLS1_AD_INTERNAL_ERROR;
978 							return 0;
979 							}
980 						memcpy(s->session->tlsext_hostname, sdata, len);
981 						s->session->tlsext_hostname[len]='\0';
982 						if (strlen(s->session->tlsext_hostname) != len) {
983 							OPENSSL_free(s->session->tlsext_hostname);
984 							s->session->tlsext_hostname = NULL;
985 							*al = TLS1_AD_UNRECOGNIZED_NAME;
986 							return 0;
987 						}
988 						s->servername_done = 1;
989 
990 						}
991 					else
992 						s->servername_done = s->session->tlsext_hostname
993 							&& strlen(s->session->tlsext_hostname) == len
994 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
995 
996 					break;
997 
998 				default:
999 					break;
1000 					}
1001 
1002 				dsize -= len;
1003 				}
1004 			if (dsize != 0)
1005 				{
1006 				*al = SSL_AD_DECODE_ERROR;
1007 				return 0;
1008 				}
1009 
1010 			}
1011 #ifndef OPENSSL_NO_SRP
1012 		else if (type == TLSEXT_TYPE_srp)
1013 			{
1014 			if (size <= 0 || ((len = data[0])) != (size -1))
1015 				{
1016 				*al = SSL_AD_DECODE_ERROR;
1017 				return 0;
1018 				}
1019 			if (s->srp_ctx.login != NULL)
1020 				{
1021 				*al = SSL_AD_DECODE_ERROR;
1022 				return 0;
1023 				}
1024 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025 				return -1;
1026 			memcpy(s->srp_ctx.login, &data[1], len);
1027 			s->srp_ctx.login[len]='\0';
1028 
1029 			if (strlen(s->srp_ctx.login) != len)
1030 				{
1031 				*al = SSL_AD_DECODE_ERROR;
1032 				return 0;
1033 				}
1034 			}
1035 #endif
1036 
1037 #ifndef OPENSSL_NO_EC
1038 		else if (type == TLSEXT_TYPE_ec_point_formats &&
1039 	             s->version != DTLS1_VERSION)
1040 			{
1041 			unsigned char *sdata = data;
1042 			int ecpointformatlist_length = *(sdata++);
1043 
1044 			if (ecpointformatlist_length != size - 1)
1045 				{
1046 				*al = TLS1_AD_DECODE_ERROR;
1047 				return 0;
1048 				}
1049 			if (!s->hit)
1050 				{
1051 				if(s->session->tlsext_ecpointformatlist)
1052 					{
1053 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1054 					s->session->tlsext_ecpointformatlist = NULL;
1055 					}
1056 				s->session->tlsext_ecpointformatlist_length = 0;
1057 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1058 					{
1059 					*al = TLS1_AD_INTERNAL_ERROR;
1060 					return 0;
1061 					}
1062 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1063 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1064 				}
1065 #if 0
1066 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1067 			sdata = s->session->tlsext_ecpointformatlist;
1068 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1069 				fprintf(stderr,"%i ",*(sdata++));
1070 			fprintf(stderr,"\n");
1071 #endif
1072 			}
1073 		else if (type == TLSEXT_TYPE_elliptic_curves &&
1074 	             s->version != DTLS1_VERSION)
1075 			{
1076 			unsigned char *sdata = data;
1077 			int ellipticcurvelist_length = (*(sdata++) << 8);
1078 			ellipticcurvelist_length += (*(sdata++));
1079 
1080 			if (ellipticcurvelist_length != size - 2)
1081 				{
1082 				*al = TLS1_AD_DECODE_ERROR;
1083 				return 0;
1084 				}
1085 			if (!s->hit)
1086 				{
1087 				if(s->session->tlsext_ellipticcurvelist)
1088 					{
1089 					*al = TLS1_AD_DECODE_ERROR;
1090 					return 0;
1091 					}
1092 				s->session->tlsext_ellipticcurvelist_length = 0;
1093 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1094 					{
1095 					*al = TLS1_AD_INTERNAL_ERROR;
1096 					return 0;
1097 					}
1098 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1099 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1100 				}
1101 #if 0
1102 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1103 			sdata = s->session->tlsext_ellipticcurvelist;
1104 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1105 				fprintf(stderr,"%i ",*(sdata++));
1106 			fprintf(stderr,"\n");
1107 #endif
1108 			}
1109 #endif /* OPENSSL_NO_EC */
1110 #ifdef TLSEXT_TYPE_opaque_prf_input
1111 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1112 	             s->version != DTLS1_VERSION)
1113 			{
1114 			unsigned char *sdata = data;
1115 
1116 			if (size < 2)
1117 				{
1118 				*al = SSL_AD_DECODE_ERROR;
1119 				return 0;
1120 				}
1121 			n2s(sdata, s->s3->client_opaque_prf_input_len);
1122 			if (s->s3->client_opaque_prf_input_len != size - 2)
1123 				{
1124 				*al = SSL_AD_DECODE_ERROR;
1125 				return 0;
1126 				}
1127 
1128 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1129 				OPENSSL_free(s->s3->client_opaque_prf_input);
1130 			if (s->s3->client_opaque_prf_input_len == 0)
1131 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1132 			else
1133 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1134 			if (s->s3->client_opaque_prf_input == NULL)
1135 				{
1136 				*al = TLS1_AD_INTERNAL_ERROR;
1137 				return 0;
1138 				}
1139 			}
1140 #endif
1141 		else if (type == TLSEXT_TYPE_session_ticket)
1142 			{
1143 			if (s->tls_session_ticket_ext_cb &&
1144 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1145 				{
1146 				*al = TLS1_AD_INTERNAL_ERROR;
1147 				return 0;
1148 				}
1149 			}
1150 		else if (type == TLSEXT_TYPE_renegotiate)
1151 			{
1152 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1153 				return 0;
1154 			renegotiate_seen = 1;
1155 			}
1156 		else if (type == TLSEXT_TYPE_signature_algorithms)
1157 			{
1158 			int dsize;
1159 			if (sigalg_seen || size < 2)
1160 				{
1161 				*al = SSL_AD_DECODE_ERROR;
1162 				return 0;
1163 				}
1164 			sigalg_seen = 1;
1165 			n2s(data,dsize);
1166 			size -= 2;
1167 			if (dsize != size || dsize & 1)
1168 				{
1169 				*al = SSL_AD_DECODE_ERROR;
1170 				return 0;
1171 				}
1172 			if (!tls1_process_sigalgs(s, data, dsize))
1173 				{
1174 				*al = SSL_AD_DECODE_ERROR;
1175 				return 0;
1176 				}
1177 			}
1178 		else if (type == TLSEXT_TYPE_status_request &&
1179 		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1180 			{
1181 
1182 			if (size < 5)
1183 				{
1184 				*al = SSL_AD_DECODE_ERROR;
1185 				return 0;
1186 				}
1187 
1188 			s->tlsext_status_type = *data++;
1189 			size--;
1190 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1191 				{
1192 				const unsigned char *sdata;
1193 				int dsize;
1194 				/* Read in responder_id_list */
1195 				n2s(data,dsize);
1196 				size -= 2;
1197 				if (dsize > size  )
1198 					{
1199 					*al = SSL_AD_DECODE_ERROR;
1200 					return 0;
1201 					}
1202 				while (dsize > 0)
1203 					{
1204 					OCSP_RESPID *id;
1205 					int idsize;
1206 					if (dsize < 4)
1207 						{
1208 						*al = SSL_AD_DECODE_ERROR;
1209 						return 0;
1210 						}
1211 					n2s(data, idsize);
1212 					dsize -= 2 + idsize;
1213 					size -= 2 + idsize;
1214 					if (dsize < 0)
1215 						{
1216 						*al = SSL_AD_DECODE_ERROR;
1217 						return 0;
1218 						}
1219 					sdata = data;
1220 					data += idsize;
1221 					id = d2i_OCSP_RESPID(NULL,
1222 								&sdata, idsize);
1223 					if (!id)
1224 						{
1225 						*al = SSL_AD_DECODE_ERROR;
1226 						return 0;
1227 						}
1228 					if (data != sdata)
1229 						{
1230 						OCSP_RESPID_free(id);
1231 						*al = SSL_AD_DECODE_ERROR;
1232 						return 0;
1233 						}
1234 					if (!s->tlsext_ocsp_ids
1235 						&& !(s->tlsext_ocsp_ids =
1236 						sk_OCSP_RESPID_new_null()))
1237 						{
1238 						OCSP_RESPID_free(id);
1239 						*al = SSL_AD_INTERNAL_ERROR;
1240 						return 0;
1241 						}
1242 					if (!sk_OCSP_RESPID_push(
1243 							s->tlsext_ocsp_ids, id))
1244 						{
1245 						OCSP_RESPID_free(id);
1246 						*al = SSL_AD_INTERNAL_ERROR;
1247 						return 0;
1248 						}
1249 					}
1250 
1251 				/* Read in request_extensions */
1252 				if (size < 2)
1253 					{
1254 					*al = SSL_AD_DECODE_ERROR;
1255 					return 0;
1256 					}
1257 				n2s(data,dsize);
1258 				size -= 2;
1259 				if (dsize != size)
1260 					{
1261 					*al = SSL_AD_DECODE_ERROR;
1262 					return 0;
1263 					}
1264 				sdata = data;
1265 				if (dsize > 0)
1266 					{
1267 					if (s->tlsext_ocsp_exts)
1268 						{
1269 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1270 									   X509_EXTENSION_free);
1271 						}
1272 
1273 					s->tlsext_ocsp_exts =
1274 						d2i_X509_EXTENSIONS(NULL,
1275 							&sdata, dsize);
1276 					if (!s->tlsext_ocsp_exts
1277 						|| (data + dsize != sdata))
1278 						{
1279 						*al = SSL_AD_DECODE_ERROR;
1280 						return 0;
1281 						}
1282 					}
1283 				}
1284 				/* We don't know what to do with any other type
1285  			 	* so ignore it.
1286  			 	*/
1287 				else
1288 					s->tlsext_status_type = -1;
1289 			}
1290 #ifndef OPENSSL_NO_HEARTBEATS
1291 		else if (type == TLSEXT_TYPE_heartbeat)
1292 			{
1293 			switch(data[0])
1294 				{
1295 				case 0x01:	/* Client allows us to send HB requests */
1296 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297 							break;
1298 				case 0x02:	/* Client doesn't accept HB requests */
1299 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301 							break;
1302 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1303 							return 0;
1304 				}
1305 			}
1306 #endif
1307 #ifndef OPENSSL_NO_NEXTPROTONEG
1308 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1309 			 s->s3->tmp.finish_md_len == 0)
1310 			{
1311 			/* We shouldn't accept this extension on a
1312 			 * renegotiation.
1313 			 *
1314 			 * s->new_session will be set on renegotiation, but we
1315 			 * probably shouldn't rely that it couldn't be set on
1316 			 * the initial renegotation too in certain cases (when
1317 			 * there's some other reason to disallow resuming an
1318 			 * earlier session -- the current code won't be doing
1319 			 * anything like that, but this might change).
1320 
1321 			 * A valid sign that there's been a previous handshake
1322 			 * in this connection is if s->s3->tmp.finish_md_len >
1323 			 * 0.  (We are talking about a check that will happen
1324 			 * in the Hello protocol round, well before a new
1325 			 * Finished message could have been computed.) */
1326 			s->s3->next_proto_neg_seen = 1;
1327 			}
1328 #endif
1329 
1330 		/* session ticket processed earlier */
1331 		else if (type == TLSEXT_TYPE_use_srtp)
1332                         {
1333 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 							      al))
1335 				return 0;
1336                         }
1337 
1338 		data+=size;
1339 		}
1340 
1341 	*p = data;
1342 
1343 	ri_check:
1344 
1345 	/* Need RI if renegotiating */
1346 
1347 	if (!renegotiate_seen && s->renegotiate &&
1348 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1349 		{
1350 		*al = SSL_AD_HANDSHAKE_FAILURE;
1351 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1352 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1353 		return 0;
1354 		}
1355 
1356 	return 1;
1357 	}
1358 
1359 #ifndef OPENSSL_NO_NEXTPROTONEG
1360 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361  * elements of zero length are allowed and the set of elements must exactly fill
1362  * the length of the block. */
ssl_next_proto_validate(unsigned char * d,unsigned len)1363 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1364 	{
1365 	unsigned int off = 0;
1366 
1367 	while (off < len)
1368 		{
1369 		if (d[off] == 0)
1370 			return 0;
1371 		off += d[off];
1372 		off++;
1373 		}
1374 
1375 	return off == len;
1376 	}
1377 #endif
1378 
ssl_parse_serverhello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)1379 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1380 	{
1381 	unsigned short length;
1382 	unsigned short type;
1383 	unsigned short size;
1384 	unsigned char *data = *p;
1385 	int tlsext_servername = 0;
1386 	int renegotiate_seen = 0;
1387 
1388 #ifndef OPENSSL_NO_NEXTPROTONEG
1389 	s->s3->next_proto_neg_seen = 0;
1390 #endif
1391 
1392 #ifndef OPENSSL_NO_HEARTBEATS
1393 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395 #endif
1396 
1397 	if (data >= (d+n-2))
1398 		goto ri_check;
1399 
1400 	n2s(data,length);
1401 	if (data+length != d+n)
1402 		{
1403 		*al = SSL_AD_DECODE_ERROR;
1404 		return 0;
1405 		}
1406 
1407 	while(data <= (d+n-4))
1408 		{
1409 		n2s(data,type);
1410 		n2s(data,size);
1411 
1412 		if (data+size > (d+n))
1413 	   		goto ri_check;
1414 
1415 		if (s->tlsext_debug_cb)
1416 			s->tlsext_debug_cb(s, 1, type, data, size,
1417 						s->tlsext_debug_arg);
1418 
1419 		if (type == TLSEXT_TYPE_server_name)
1420 			{
1421 			if (s->tlsext_hostname == NULL || size > 0)
1422 				{
1423 				*al = TLS1_AD_UNRECOGNIZED_NAME;
1424 				return 0;
1425 				}
1426 			tlsext_servername = 1;
1427 			}
1428 
1429 #ifndef OPENSSL_NO_EC
1430 		else if (type == TLSEXT_TYPE_ec_point_formats &&
1431 	             s->version != DTLS1_VERSION)
1432 			{
1433 			unsigned char *sdata = data;
1434 			int ecpointformatlist_length = *(sdata++);
1435 
1436 			if (ecpointformatlist_length != size - 1)
1437 				{
1438 				*al = TLS1_AD_DECODE_ERROR;
1439 				return 0;
1440 				}
1441 			s->session->tlsext_ecpointformatlist_length = 0;
1442 			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1443 			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1444 				{
1445 				*al = TLS1_AD_INTERNAL_ERROR;
1446 				return 0;
1447 				}
1448 			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1449 			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1450 #if 0
1451 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1452 			sdata = s->session->tlsext_ecpointformatlist;
1453 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1454 				fprintf(stderr,"%i ",*(sdata++));
1455 			fprintf(stderr,"\n");
1456 #endif
1457 			}
1458 #endif /* OPENSSL_NO_EC */
1459 
1460 		else if (type == TLSEXT_TYPE_session_ticket)
1461 			{
1462 			if (s->tls_session_ticket_ext_cb &&
1463 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1464 				{
1465 				*al = TLS1_AD_INTERNAL_ERROR;
1466 				return 0;
1467 				}
1468 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1469 				|| (size > 0))
1470 				{
1471 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1472 				return 0;
1473 				}
1474 			s->tlsext_ticket_expected = 1;
1475 			}
1476 #ifdef TLSEXT_TYPE_opaque_prf_input
1477 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1478 	             s->version != DTLS1_VERSION)
1479 			{
1480 			unsigned char *sdata = data;
1481 
1482 			if (size < 2)
1483 				{
1484 				*al = SSL_AD_DECODE_ERROR;
1485 				return 0;
1486 				}
1487 			n2s(sdata, s->s3->server_opaque_prf_input_len);
1488 			if (s->s3->server_opaque_prf_input_len != size - 2)
1489 				{
1490 				*al = SSL_AD_DECODE_ERROR;
1491 				return 0;
1492 				}
1493 
1494 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1495 				OPENSSL_free(s->s3->server_opaque_prf_input);
1496 			if (s->s3->server_opaque_prf_input_len == 0)
1497 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1498 			else
1499 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1500 
1501 			if (s->s3->server_opaque_prf_input == NULL)
1502 				{
1503 				*al = TLS1_AD_INTERNAL_ERROR;
1504 				return 0;
1505 				}
1506 			}
1507 #endif
1508 		else if (type == TLSEXT_TYPE_status_request &&
1509 		         s->version != DTLS1_VERSION)
1510 			{
1511 			/* MUST be empty and only sent if we've requested
1512 			 * a status request message.
1513 			 */
1514 			if ((s->tlsext_status_type == -1) || (size > 0))
1515 				{
1516 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1517 				return 0;
1518 				}
1519 			/* Set flag to expect CertificateStatus message */
1520 			s->tlsext_status_expected = 1;
1521 			}
1522 #ifndef OPENSSL_NO_NEXTPROTONEG
1523 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1524 			 s->s3->tmp.finish_md_len == 0)
1525 			{
1526 			unsigned char *selected;
1527 			unsigned char selected_len;
1528 
1529 			/* We must have requested it. */
1530 			if ((s->ctx->next_proto_select_cb == NULL))
1531 				{
1532 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 				return 0;
1534 				}
1535 			/* The data must be valid */
1536 			if (!ssl_next_proto_validate(data, size))
1537 				{
1538 				*al = TLS1_AD_DECODE_ERROR;
1539 				return 0;
1540 				}
1541 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542 				{
1543 				*al = TLS1_AD_INTERNAL_ERROR;
1544 				return 0;
1545 				}
1546 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547 			if (!s->next_proto_negotiated)
1548 				{
1549 				*al = TLS1_AD_INTERNAL_ERROR;
1550 				return 0;
1551 				}
1552 			memcpy(s->next_proto_negotiated, selected, selected_len);
1553 			s->next_proto_negotiated_len = selected_len;
1554 			s->s3->next_proto_neg_seen = 1;
1555 			}
1556 #endif
1557 		else if (type == TLSEXT_TYPE_renegotiate)
1558 			{
1559 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1560 				return 0;
1561 			renegotiate_seen = 1;
1562 			}
1563 #ifndef OPENSSL_NO_HEARTBEATS
1564 		else if (type == TLSEXT_TYPE_heartbeat)
1565 			{
1566 			switch(data[0])
1567 				{
1568 				case 0x01:	/* Server allows us to send HB requests */
1569 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570 							break;
1571 				case 0x02:	/* Server doesn't accept HB requests */
1572 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574 							break;
1575 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1576 							return 0;
1577 				}
1578 			}
1579 #endif
1580 		else if (type == TLSEXT_TYPE_use_srtp)
1581                         {
1582                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 							      al))
1584                                 return 0;
1585                         }
1586 
1587 		data+=size;
1588 		}
1589 
1590 	if (data != d+n)
1591 		{
1592 		*al = SSL_AD_DECODE_ERROR;
1593 		return 0;
1594 		}
1595 
1596 	if (!s->hit && tlsext_servername == 1)
1597 		{
1598  		if (s->tlsext_hostname)
1599 			{
1600 			if (s->session->tlsext_hostname == NULL)
1601 				{
1602 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1603 				if (!s->session->tlsext_hostname)
1604 					{
1605 					*al = SSL_AD_UNRECOGNIZED_NAME;
1606 					return 0;
1607 					}
1608 				}
1609 			else
1610 				{
1611 				*al = SSL_AD_DECODE_ERROR;
1612 				return 0;
1613 				}
1614 			}
1615 		}
1616 
1617 	*p = data;
1618 
1619 	ri_check:
1620 
1621 	/* Determine if we need to see RI. Strictly speaking if we want to
1622 	 * avoid an attack we should *always* see RI even on initial server
1623 	 * hello because the client doesn't see any renegotiation during an
1624 	 * attack. However this would mean we could not connect to any server
1625 	 * which doesn't support RI so for the immediate future tolerate RI
1626 	 * absence on initial connect only.
1627 	 */
1628 	if (!renegotiate_seen
1629 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1630 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1631 		{
1632 		*al = SSL_AD_HANDSHAKE_FAILURE;
1633 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1634 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1635 		return 0;
1636 		}
1637 
1638 	return 1;
1639 	}
1640 
1641 
ssl_prepare_clienthello_tlsext(SSL * s)1642 int ssl_prepare_clienthello_tlsext(SSL *s)
1643 	{
1644 #ifndef OPENSSL_NO_EC
1645 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1646 	 * and elliptic curves we support.
1647 	 */
1648 	int using_ecc = 0;
1649 	int i;
1650 	unsigned char *j;
1651 	unsigned long alg_k, alg_a;
1652 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1653 
1654 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1655 		{
1656 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1657 
1658 		alg_k = c->algorithm_mkey;
1659 		alg_a = c->algorithm_auth;
1660 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1661 			{
1662 			using_ecc = 1;
1663 			break;
1664 			}
1665 		}
1666 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1667 	if (using_ecc)
1668 		{
1669 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1670 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1671 			{
1672 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1673 			return -1;
1674 			}
1675 		s->tlsext_ecpointformatlist_length = 3;
1676 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1677 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1678 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1679 
1680 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1681 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1682 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1683 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1684 			{
1685 			s->tlsext_ellipticcurvelist_length = 0;
1686 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1687 			return -1;
1688 			}
1689 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1690 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1691 			{
1692 			int id = tls1_ec_nid2curve_id(pref_list[i]);
1693 			s2n(id,j);
1694 			}
1695 		}
1696 #endif /* OPENSSL_NO_EC */
1697 
1698 #ifdef TLSEXT_TYPE_opaque_prf_input
1699  	{
1700 		int r = 1;
1701 
1702 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1703 			{
1704 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1705 			if (!r)
1706 				return -1;
1707 			}
1708 
1709 		if (s->tlsext_opaque_prf_input != NULL)
1710 			{
1711 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1712 				OPENSSL_free(s->s3->client_opaque_prf_input);
1713 
1714 			if (s->tlsext_opaque_prf_input_len == 0)
1715 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1716 			else
1717 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1718 			if (s->s3->client_opaque_prf_input == NULL)
1719 				{
1720 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1721 				return -1;
1722 				}
1723 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1724 			}
1725 
1726 		if (r == 2)
1727 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1728 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1729 	}
1730 #endif
1731 
1732 	return 1;
1733 	}
1734 
ssl_prepare_serverhello_tlsext(SSL * s)1735 int ssl_prepare_serverhello_tlsext(SSL *s)
1736 	{
1737 #ifndef OPENSSL_NO_EC
1738 	/* If we are server and using an ECC cipher suite, send the point formats we support
1739 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1740 	 * supposed to send an EllipticCurves extension.
1741 	 */
1742 
1743 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1744 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1745 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1746 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1747 
1748 	if (using_ecc)
1749 		{
1750 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1751 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1752 			{
1753 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1754 			return -1;
1755 			}
1756 		s->tlsext_ecpointformatlist_length = 3;
1757 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1758 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1759 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1760 		}
1761 #endif /* OPENSSL_NO_EC */
1762 
1763 	return 1;
1764 	}
1765 
ssl_check_clienthello_tlsext(SSL * s)1766 int ssl_check_clienthello_tlsext(SSL *s)
1767 	{
1768 	int ret=SSL_TLSEXT_ERR_NOACK;
1769 	int al = SSL_AD_UNRECOGNIZED_NAME;
1770 
1771 #ifndef OPENSSL_NO_EC
1772 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1773 	 * ssl3_choose_cipher in s3_lib.c.
1774 	 */
1775 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1776 	 * ssl3_choose_cipher in s3_lib.c.
1777 	 */
1778 #endif
1779 
1780 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1781 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1782 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1783 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1784 
1785 	/* If status request then ask callback what to do.
1786  	 * Note: this must be called after servername callbacks in case
1787  	 * the certificate has changed.
1788  	 */
1789 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790 		{
1791 		int r;
1792 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793 		switch (r)
1794 			{
1795 			/* We don't want to send a status request response */
1796 			case SSL_TLSEXT_ERR_NOACK:
1797 				s->tlsext_status_expected = 0;
1798 				break;
1799 			/* status request response should be sent */
1800 			case SSL_TLSEXT_ERR_OK:
1801 				if (s->tlsext_ocsp_resp)
1802 					s->tlsext_status_expected = 1;
1803 				else
1804 					s->tlsext_status_expected = 0;
1805 				break;
1806 			/* something bad happened */
1807 			case SSL_TLSEXT_ERR_ALERT_FATAL:
1808 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809 				al = SSL_AD_INTERNAL_ERROR;
1810 				goto err;
1811 			}
1812 		}
1813 	else
1814 		s->tlsext_status_expected = 0;
1815 
1816 #ifdef TLSEXT_TYPE_opaque_prf_input
1817  	{
1818 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1819 		 * but we might be sending an alert in response to the client hello,
1820 		 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1821 
1822 		int r = 1;
1823 
1824 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1825 			{
1826 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1827 			if (!r)
1828 				{
1829 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1830 				al = SSL_AD_INTERNAL_ERROR;
1831 				goto err;
1832 				}
1833 			}
1834 
1835 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1836 			OPENSSL_free(s->s3->server_opaque_prf_input);
1837 		s->s3->server_opaque_prf_input = NULL;
1838 
1839 		if (s->tlsext_opaque_prf_input != NULL)
1840 			{
1841 			if (s->s3->client_opaque_prf_input != NULL &&
1842 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1843 				{
1844 				/* can only use this extension if we have a server opaque PRF input
1845 				 * of the same length as the client opaque PRF input! */
1846 
1847 				if (s->tlsext_opaque_prf_input_len == 0)
1848 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1849 				else
1850 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1851 				if (s->s3->server_opaque_prf_input == NULL)
1852 					{
1853 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1854 					al = SSL_AD_INTERNAL_ERROR;
1855 					goto err;
1856 					}
1857 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1858 				}
1859 			}
1860 
1861 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1862 			{
1863 			/* The callback wants to enforce use of the extension,
1864 			 * but we can't do that with the client opaque PRF input;
1865 			 * abort the handshake.
1866 			 */
1867 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1868 			al = SSL_AD_HANDSHAKE_FAILURE;
1869 			}
1870 	}
1871 
1872 #endif
1873  err:
1874 	switch (ret)
1875 		{
1876 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1877 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1878 			return -1;
1879 
1880 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1881 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1882 			return 1;
1883 
1884 		case SSL_TLSEXT_ERR_NOACK:
1885 			s->servername_done=0;
1886 			default:
1887 		return 1;
1888 		}
1889 	}
1890 
ssl_check_serverhello_tlsext(SSL * s)1891 int ssl_check_serverhello_tlsext(SSL *s)
1892 	{
1893 	int ret=SSL_TLSEXT_ERR_NOACK;
1894 	int al = SSL_AD_UNRECOGNIZED_NAME;
1895 
1896 #ifndef OPENSSL_NO_EC
1897 	/* If we are client and using an elliptic curve cryptography cipher
1898 	 * suite, then if server returns an EC point formats lists extension
1899 	 * it must contain uncompressed.
1900 	 */
1901 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1902 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1903 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1904 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1905 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1906 		{
1907 		/* we are using an ECC cipher */
1908 		size_t i;
1909 		unsigned char *list;
1910 		int found_uncompressed = 0;
1911 		list = s->session->tlsext_ecpointformatlist;
1912 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1913 			{
1914 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1915 				{
1916 				found_uncompressed = 1;
1917 				break;
1918 				}
1919 			}
1920 		if (!found_uncompressed)
1921 			{
1922 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1923 			return -1;
1924 			}
1925 		}
1926 	ret = SSL_TLSEXT_ERR_OK;
1927 #endif /* OPENSSL_NO_EC */
1928 
1929 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1930 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1931 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1932 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1933 
1934 #ifdef TLSEXT_TYPE_opaque_prf_input
1935 	if (s->s3->server_opaque_prf_input_len > 0)
1936 		{
1937 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1938 		 * So first verify that we really have a value from the server too. */
1939 
1940 		if (s->s3->server_opaque_prf_input == NULL)
1941 			{
1942 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1943 			al = SSL_AD_HANDSHAKE_FAILURE;
1944 			}
1945 
1946 		/* Anytime the server *has* sent an opaque PRF input, we need to check
1947 		 * that we have a client opaque PRF input of the same size. */
1948 		if (s->s3->client_opaque_prf_input == NULL ||
1949 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1950 			{
1951 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1952 			al = SSL_AD_ILLEGAL_PARAMETER;
1953 			}
1954 		}
1955 #endif
1956 
1957 	/* If we've requested certificate status and we wont get one
1958  	 * tell the callback
1959  	 */
1960 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1961 			&& s->ctx && s->ctx->tlsext_status_cb)
1962 		{
1963 		int r;
1964 		/* Set resp to NULL, resplen to -1 so callback knows
1965  		 * there is no response.
1966  		 */
1967 		if (s->tlsext_ocsp_resp)
1968 			{
1969 			OPENSSL_free(s->tlsext_ocsp_resp);
1970 			s->tlsext_ocsp_resp = NULL;
1971 			}
1972 		s->tlsext_ocsp_resplen = -1;
1973 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1974 		if (r == 0)
1975 			{
1976 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1977 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1978 			}
1979 		if (r < 0)
1980 			{
1981 			al = SSL_AD_INTERNAL_ERROR;
1982 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1983 			}
1984 		}
1985 
1986 	switch (ret)
1987 		{
1988 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1989 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1990 			return -1;
1991 
1992 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1993 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1994 			return 1;
1995 
1996 		case SSL_TLSEXT_ERR_NOACK:
1997 			s->servername_done=0;
1998 			default:
1999 		return 1;
2000 		}
2001 	}
2002 
2003 /* Since the server cache lookup is done early on in the processing of the
2004  * ClientHello, and other operations depend on the result, we need to handle
2005  * any TLS session ticket extension at the same time.
2006  *
2007  *   session_id: points at the session ID in the ClientHello. This code will
2008  *       read past the end of this in order to parse out the session ticket
2009  *       extension, if any.
2010  *   len: the length of the session ID.
2011  *   limit: a pointer to the first byte after the ClientHello.
2012  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2013  *       point to the resulting session.
2014  *
2015  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016  * ciphersuite, in which case we have no use for session tickets and one will
2017  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018  *
2019  * Returns:
2020  *   -1: fatal error, either from parsing or decrypting the ticket.
2021  *    0: no ticket was found (or was ignored, based on settings).
2022  *    1: a zero length extension was found, indicating that the client supports
2023  *       session tickets but doesn't currently have one to offer.
2024  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025  *       couldn't be decrypted because of a non-fatal error.
2026  *    3: a ticket was successfully decrypted and *ret was set.
2027  *
2028  * Side effects:
2029  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030  *   a new session ticket to the client because the client indicated support
2031  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032  *   a session ticket or we couldn't use the one it gave us, or if
2033  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2035  */
tls1_process_ticket(SSL * s,unsigned char * session_id,int len,const unsigned char * limit,SSL_SESSION ** ret)2036 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2037 			const unsigned char *limit, SSL_SESSION **ret)
2038 	{
2039 	/* Point after session ID in client hello */
2040 	const unsigned char *p = session_id + len;
2041 	unsigned short i;
2042 
2043 	*ret = NULL;
2044 	s->tlsext_ticket_expected = 0;
2045 
2046 	/* If tickets disabled behave as if no ticket present
2047 	 * to permit stateful resumption.
2048 	 */
2049 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2050 		return 0;
2051 	if ((s->version <= SSL3_VERSION) || !limit)
2052 		return 0;
2053 	if (p >= limit)
2054 		return -1;
2055 	/* Skip past DTLS cookie */
2056 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2057 		{
2058 		i = *(p++);
2059 		p+= i;
2060 		if (p >= limit)
2061 			return -1;
2062 		}
2063 	/* Skip past cipher list */
2064 	n2s(p, i);
2065 	p+= i;
2066 	if (p >= limit)
2067 		return -1;
2068 	/* Skip past compression algorithm list */
2069 	i = *(p++);
2070 	p += i;
2071 	if (p > limit)
2072 		return -1;
2073 	/* Now at start of extensions */
2074 	if ((p + 2) >= limit)
2075 		return 0;
2076 	n2s(p, i);
2077 	while ((p + 4) <= limit)
2078 		{
2079 		unsigned short type, size;
2080 		n2s(p, type);
2081 		n2s(p, size);
2082 		if (p + size > limit)
2083 			return 0;
2084 		if (type == TLSEXT_TYPE_session_ticket)
2085 			{
2086 			int r;
2087 			if (size == 0)
2088 				{
2089 				/* The client will accept a ticket but doesn't
2090 				 * currently have one. */
2091 				s->tlsext_ticket_expected = 1;
2092 				return 1;
2093 				}
2094 			if (s->tls_session_secret_cb)
2095 				{
2096 				/* Indicate that the ticket couldn't be
2097 				 * decrypted rather than generating the session
2098 				 * from ticket now, trigger abbreviated
2099 				 * handshake based on external mechanism to
2100 				 * calculate the master secret later. */
2101 				return 2;
2102 				}
2103 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104 			switch (r)
2105 				{
2106 				case 2: /* ticket couldn't be decrypted */
2107 					s->tlsext_ticket_expected = 1;
2108 					return 2;
2109 				case 3: /* ticket was decrypted */
2110 					return r;
2111 				case 4: /* ticket decrypted but need to renew */
2112 					s->tlsext_ticket_expected = 1;
2113 					return 3;
2114 				default: /* fatal error */
2115 					return -1;
2116 				}
2117 			}
2118 		p += size;
2119 		}
2120 	return 0;
2121 	}
2122 
2123 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2124  *
2125  *   etick: points to the body of the session ticket extension.
2126  *   eticklen: the length of the session tickets extenion.
2127  *   sess_id: points at the session ID.
2128  *   sesslen: the length of the session ID.
2129  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2130  *       point to the resulting session.
2131  *
2132  * Returns:
2133  *   -1: fatal error, either from parsing or decrypting the ticket.
2134  *    2: the ticket couldn't be decrypted.
2135  *    3: a ticket was successfully decrypted and *psess was set.
2136  *    4: same as 3, but the ticket needs to be renewed.
2137  */
tls_decrypt_ticket(SSL * s,const unsigned char * etick,int eticklen,const unsigned char * sess_id,int sesslen,SSL_SESSION ** psess)2138 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2139 				const unsigned char *sess_id, int sesslen,
2140 				SSL_SESSION **psess)
2141 	{
2142 	SSL_SESSION *sess;
2143 	unsigned char *sdec;
2144 	const unsigned char *p;
2145 	int slen, mlen, renew_ticket = 0;
2146 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2147 	HMAC_CTX hctx;
2148 	EVP_CIPHER_CTX ctx;
2149 	SSL_CTX *tctx = s->initial_ctx;
2150 	/* Need at least keyname + iv + some encrypted data */
2151 	if (eticklen < 48)
2152 		return 2;
2153 	/* Initialize session ticket encryption and HMAC contexts */
2154 	HMAC_CTX_init(&hctx);
2155 	EVP_CIPHER_CTX_init(&ctx);
2156 	if (tctx->tlsext_ticket_key_cb)
2157 		{
2158 		unsigned char *nctick = (unsigned char *)etick;
2159 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2160 							&ctx, &hctx, 0);
2161 		if (rv < 0)
2162 			return -1;
2163 		if (rv == 0)
2164 			return 2;
2165 		if (rv == 2)
2166 			renew_ticket = 1;
2167 		}
2168 	else
2169 		{
2170 		/* Check key name matches */
2171 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2172 			return 2;
2173 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2174 					tlsext_tick_md(), NULL);
2175 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2176 				tctx->tlsext_tick_aes_key, etick + 16);
2177 		}
2178 	/* Attempt to process session ticket, first conduct sanity and
2179 	 * integrity checks on ticket.
2180 	 */
2181 	mlen = HMAC_size(&hctx);
2182 	if (mlen < 0)
2183 		{
2184 		EVP_CIPHER_CTX_cleanup(&ctx);
2185 		return -1;
2186 		}
2187 	eticklen -= mlen;
2188 	/* Check HMAC of encrypted ticket */
2189 	HMAC_Update(&hctx, etick, eticklen);
2190 	HMAC_Final(&hctx, tick_hmac, NULL);
2191 	HMAC_CTX_cleanup(&hctx);
2192 	if (memcmp(tick_hmac, etick + eticklen, mlen))
2193 		return 2;
2194 	/* Attempt to decrypt session data */
2195 	/* Move p after IV to start of encrypted ticket, update length */
2196 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2197 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2198 	sdec = OPENSSL_malloc(eticklen);
2199 	if (!sdec)
2200 		{
2201 		EVP_CIPHER_CTX_cleanup(&ctx);
2202 		return -1;
2203 		}
2204 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2205 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2206 		return 2;
2207 	slen += mlen;
2208 	EVP_CIPHER_CTX_cleanup(&ctx);
2209 	p = sdec;
2210 
2211 	sess = d2i_SSL_SESSION(NULL, &p, slen);
2212 	OPENSSL_free(sdec);
2213 	if (sess)
2214 		{
2215 		/* The session ID, if non-empty, is used by some clients to
2216 		 * detect that the ticket has been accepted. So we copy it to
2217 		 * the session structure. If it is empty set length to zero
2218 		 * as required by standard.
2219 		 */
2220 		if (sesslen)
2221 			memcpy(sess->session_id, sess_id, sesslen);
2222 		sess->session_id_length = sesslen;
2223 		*psess = sess;
2224 		if (renew_ticket)
2225 			return 4;
2226 		else
2227 			return 3;
2228 		}
2229         ERR_clear_error();
2230 	/* For session parse failure, indicate that we need to send a new
2231 	 * ticket. */
2232 	return 2;
2233 	}
2234 
2235 /* Tables to translate from NIDs to TLS v1.2 ids */
2236 
2237 typedef struct
2238 	{
2239 	int nid;
2240 	int id;
2241 	} tls12_lookup;
2242 
2243 static tls12_lookup tls12_md[] = {
2244 #ifndef OPENSSL_NO_MD5
2245 	{NID_md5, TLSEXT_hash_md5},
2246 #endif
2247 #ifndef OPENSSL_NO_SHA
2248 	{NID_sha1, TLSEXT_hash_sha1},
2249 #endif
2250 #ifndef OPENSSL_NO_SHA256
2251 	{NID_sha224, TLSEXT_hash_sha224},
2252 	{NID_sha256, TLSEXT_hash_sha256},
2253 #endif
2254 #ifndef OPENSSL_NO_SHA512
2255 	{NID_sha384, TLSEXT_hash_sha384},
2256 	{NID_sha512, TLSEXT_hash_sha512}
2257 #endif
2258 };
2259 
2260 static tls12_lookup tls12_sig[] = {
2261 #ifndef OPENSSL_NO_RSA
2262 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2263 #endif
2264 #ifndef OPENSSL_NO_DSA
2265 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2266 #endif
2267 #ifndef OPENSSL_NO_ECDSA
2268 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2269 #endif
2270 };
2271 
tls12_find_id(int nid,tls12_lookup * table,size_t tlen)2272 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 	{
2274 	size_t i;
2275 	for (i = 0; i < tlen; i++)
2276 		{
2277 		if (table[i].nid == nid)
2278 			return table[i].id;
2279 		}
2280 	return -1;
2281 	}
2282 #if 0
2283 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2284 	{
2285 	size_t i;
2286 	for (i = 0; i < tlen; i++)
2287 		{
2288 		if (table[i].id == id)
2289 			return table[i].nid;
2290 		}
2291 	return -1;
2292 	}
2293 #endif
2294 
tls12_get_sigandhash(unsigned char * p,const EVP_PKEY * pk,const EVP_MD * md)2295 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2296 	{
2297 	int sig_id, md_id;
2298 	if (!md)
2299 		return 0;
2300 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2301 				sizeof(tls12_md)/sizeof(tls12_lookup));
2302 	if (md_id == -1)
2303 		return 0;
2304 	sig_id = tls12_get_sigid(pk);
2305 	if (sig_id == -1)
2306 		return 0;
2307 	p[0] = (unsigned char)md_id;
2308 	p[1] = (unsigned char)sig_id;
2309 	return 1;
2310 	}
2311 
tls12_get_sigid(const EVP_PKEY * pk)2312 int tls12_get_sigid(const EVP_PKEY *pk)
2313 	{
2314 	return tls12_find_id(pk->type, tls12_sig,
2315 				sizeof(tls12_sig)/sizeof(tls12_lookup));
2316 	}
2317 
tls12_get_hash(unsigned char hash_alg)2318 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 	{
2320 	switch(hash_alg)
2321 		{
2322 #ifndef OPENSSL_NO_MD5
2323 		case TLSEXT_hash_md5:
2324 #ifdef OPENSSL_FIPS
2325 		if (FIPS_mode())
2326 			return NULL;
2327 #endif
2328 		return EVP_md5();
2329 #endif
2330 #ifndef OPENSSL_NO_SHA
2331 		case TLSEXT_hash_sha1:
2332 		return EVP_sha1();
2333 #endif
2334 #ifndef OPENSSL_NO_SHA256
2335 		case TLSEXT_hash_sha224:
2336 		return EVP_sha224();
2337 
2338 		case TLSEXT_hash_sha256:
2339 		return EVP_sha256();
2340 #endif
2341 #ifndef OPENSSL_NO_SHA512
2342 		case TLSEXT_hash_sha384:
2343 		return EVP_sha384();
2344 
2345 		case TLSEXT_hash_sha512:
2346 		return EVP_sha512();
2347 #endif
2348 		default:
2349 		return NULL;
2350 
2351 		}
2352 	}
2353 
2354 /* Set preferred digest for each key type */
2355 
tls1_process_sigalgs(SSL * s,const unsigned char * data,int dsize)2356 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2357 	{
2358 	int i, idx;
2359 	const EVP_MD *md;
2360 	CERT *c = s->cert;
2361 	/* Extension ignored for TLS versions below 1.2 */
2362 	if (TLS1_get_version(s) < TLS1_2_VERSION)
2363 		return 1;
2364 	/* Should never happen */
2365 	if (!c)
2366 		return 0;
2367 
2368 	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2369 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2370 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2371 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2372 
2373 	for (i = 0; i < dsize; i += 2)
2374 		{
2375 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2376 
2377 		switch(sig_alg)
2378 			{
2379 #ifndef OPENSSL_NO_RSA
2380 			case TLSEXT_signature_rsa:
2381 			idx = SSL_PKEY_RSA_SIGN;
2382 			break;
2383 #endif
2384 #ifndef OPENSSL_NO_DSA
2385 			case TLSEXT_signature_dsa:
2386 			idx = SSL_PKEY_DSA_SIGN;
2387 			break;
2388 #endif
2389 #ifndef OPENSSL_NO_ECDSA
2390 			case TLSEXT_signature_ecdsa:
2391 			idx = SSL_PKEY_ECC;
2392 			break;
2393 #endif
2394 			default:
2395 			continue;
2396 			}
2397 
2398 		if (c->pkeys[idx].digest == NULL)
2399 			{
2400 			md = tls12_get_hash(hash_alg);
2401 			if (md)
2402 				{
2403 				c->pkeys[idx].digest = md;
2404 				if (idx == SSL_PKEY_RSA_SIGN)
2405 					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2406 				}
2407 			}
2408 
2409 		}
2410 
2411 
2412 	/* Set any remaining keys to default values. NOTE: if alg is not
2413 	 * supported it stays as NULL.
2414 	 */
2415 #ifndef OPENSSL_NO_DSA
2416 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2418 #endif
2419 #ifndef OPENSSL_NO_RSA
2420 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2421 		{
2422 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2423 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2424 		}
2425 #endif
2426 #ifndef OPENSSL_NO_ECDSA
2427 	if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 		c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2429 #endif
2430 	return 1;
2431 	}
2432 
2433 #endif
2434 
2435 #ifndef OPENSSL_NO_HEARTBEATS
2436 int
tls1_process_heartbeat(SSL * s)2437 tls1_process_heartbeat(SSL *s)
2438 	{
2439 	unsigned char *p = &s->s3->rrec.data[0], *pl;
2440 	unsigned short hbtype;
2441 	unsigned int payload;
2442 	unsigned int padding = 16; /* Use minimum padding */
2443 
2444 	/* Read type and payload length first */
2445 	hbtype = *p++;
2446 	n2s(p, payload);
2447 	pl = p;
2448 
2449 	if (s->msg_callback)
2450 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 			&s->s3->rrec.data[0], s->s3->rrec.length,
2452 			s, s->msg_callback_arg);
2453 
2454 	if (hbtype == TLS1_HB_REQUEST)
2455 		{
2456 		unsigned char *buffer, *bp;
2457 		int r;
2458 
2459 		/* Allocate memory for the response, size is 1 bytes
2460 		 * message type, plus 2 bytes payload length, plus
2461 		 * payload, plus padding
2462 		 */
2463 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2464 		bp = buffer;
2465 
2466 		/* Enter response type, length and copy payload */
2467 		*bp++ = TLS1_HB_RESPONSE;
2468 		s2n(payload, bp);
2469 		memcpy(bp, pl, payload);
2470 		bp += payload;
2471 		/* Random padding */
2472 		RAND_pseudo_bytes(bp, padding);
2473 
2474 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2475 
2476 		if (r >= 0 && s->msg_callback)
2477 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2478 				buffer, 3 + payload + padding,
2479 				s, s->msg_callback_arg);
2480 
2481 		OPENSSL_free(buffer);
2482 
2483 		if (r < 0)
2484 			return r;
2485 		}
2486 	else if (hbtype == TLS1_HB_RESPONSE)
2487 		{
2488 		unsigned int seq;
2489 
2490 		/* We only send sequence numbers (2 bytes unsigned int),
2491 		 * and 16 random bytes, so we just try to read the
2492 		 * sequence number */
2493 		n2s(pl, seq);
2494 
2495 		if (payload == 18 && seq == s->tlsext_hb_seq)
2496 			{
2497 			s->tlsext_hb_seq++;
2498 			s->tlsext_hb_pending = 0;
2499 			}
2500 		}
2501 
2502 	return 0;
2503 	}
2504 
2505 int
tls1_heartbeat(SSL * s)2506 tls1_heartbeat(SSL *s)
2507 	{
2508 	unsigned char *buf, *p;
2509 	int ret;
2510 	unsigned int payload = 18; /* Sequence number + random bytes */
2511 	unsigned int padding = 16; /* Use minimum padding */
2512 
2513 	/* Only send if peer supports and accepts HB requests... */
2514 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2515 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2516 		{
2517 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2518 		return -1;
2519 		}
2520 
2521 	/* ...and there is none in flight yet... */
2522 	if (s->tlsext_hb_pending)
2523 		{
2524 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2525 		return -1;
2526 		}
2527 
2528 	/* ...and no handshake in progress. */
2529 	if (SSL_in_init(s) || s->in_handshake)
2530 		{
2531 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2532 		return -1;
2533 		}
2534 
2535 	/* Check if padding is too long, payload and padding
2536 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2537 	 */
2538 	OPENSSL_assert(payload + padding <= 16381);
2539 
2540 	/* Create HeartBeat message, we just use a sequence number
2541 	 * as payload to distuingish different messages and add
2542 	 * some random stuff.
2543 	 *  - Message Type, 1 byte
2544 	 *  - Payload Length, 2 bytes (unsigned int)
2545 	 *  - Payload, the sequence number (2 bytes uint)
2546 	 *  - Payload, random bytes (16 bytes uint)
2547 	 *  - Padding
2548 	 */
2549 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2550 	p = buf;
2551 	/* Message Type */
2552 	*p++ = TLS1_HB_REQUEST;
2553 	/* Payload length (18 bytes here) */
2554 	s2n(payload, p);
2555 	/* Sequence number */
2556 	s2n(s->tlsext_hb_seq, p);
2557 	/* 16 random bytes */
2558 	RAND_pseudo_bytes(p, 16);
2559 	p += 16;
2560 	/* Random padding */
2561 	RAND_pseudo_bytes(p, padding);
2562 
2563 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2564 	if (ret >= 0)
2565 		{
2566 		if (s->msg_callback)
2567 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2568 				buf, 3 + payload + padding,
2569 				s, s->msg_callback_arg);
2570 
2571 		s->tlsext_hb_pending = 1;
2572 		}
2573 
2574 	OPENSSL_free(buf);
2575 
2576 	return ret;
2577 	}
2578 #endif
2579