projects / dragonfly.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update LibreSSL from version 2.4.2 => 2.4.3
[dragonfly.git] / crypto / libressl / ssl / t1_lib.c
1 /* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120 #include "bytestring.h"
121
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123     const unsigned char *sess_id, int sesslen,
124     SSL_SESSION **psess);
125
126 SSL3_ENC_METHOD TLSv1_enc_data = {
127         .enc = tls1_enc,
128         .mac = tls1_mac,
129         .setup_key_block = tls1_setup_key_block,
130         .generate_master_secret = tls1_generate_master_secret,
131         .change_cipher_state = tls1_change_cipher_state,
132         .final_finish_mac = tls1_final_finish_mac,
133         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134         .cert_verify_mac = tls1_cert_verify_mac,
135         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139         .alert_value = tls1_alert_code,
140         .export_keying_material = tls1_export_keying_material,
141         .enc_flags = 0,
142 };
143
144 SSL3_ENC_METHOD TLSv1_1_enc_data = {
145         .enc = tls1_enc,
146         .mac = tls1_mac,
147         .setup_key_block = tls1_setup_key_block,
148         .generate_master_secret = tls1_generate_master_secret,
149         .change_cipher_state = tls1_change_cipher_state,
150         .final_finish_mac = tls1_final_finish_mac,
151         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152         .cert_verify_mac = tls1_cert_verify_mac,
153         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157         .alert_value = tls1_alert_code,
158         .export_keying_material = tls1_export_keying_material,
159         .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
160 };
161
162 SSL3_ENC_METHOD TLSv1_2_enc_data = {
163         .enc = tls1_enc,
164         .mac = tls1_mac,
165         .setup_key_block = tls1_setup_key_block,
166         .generate_master_secret = tls1_generate_master_secret,
167         .change_cipher_state = tls1_change_cipher_state,
168         .final_finish_mac = tls1_final_finish_mac,
169         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170         .cert_verify_mac = tls1_cert_verify_mac,
171         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175         .alert_value = tls1_alert_code,
176         .export_keying_material = tls1_export_keying_material,
177         .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178             SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 };
180
181 long
182 tls1_default_timeout(void)
183 {
184         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185          * is way too long for http, the cache would over fill */
186         return (60 * 60 * 2);
187 }
188
189 int
190 tls1_new(SSL *s)
191 {
192         if (!ssl3_new(s))
193                 return (0);
194         s->method->ssl_clear(s);
195         return (1);
196 }
197
198 void
199 tls1_free(SSL *s)
200 {
201         if (s == NULL)
202                 return;
203
204         free(s->tlsext_session_ticket);
205         ssl3_free(s);
206 }
207
208 void
209 tls1_clear(SSL *s)
210 {
211         ssl3_clear(s);
212         s->version = s->method->version;
213 }
214
215
216 static int nid_list[] = {
217         NID_sect163k1,          /* sect163k1 (1) */
218         NID_sect163r1,          /* sect163r1 (2) */
219         NID_sect163r2,          /* sect163r2 (3) */
220         NID_sect193r1,          /* sect193r1 (4) */
221         NID_sect193r2,          /* sect193r2 (5) */
222         NID_sect233k1,          /* sect233k1 (6) */
223         NID_sect233r1,          /* sect233r1 (7) */
224         NID_sect239k1,          /* sect239k1 (8) */
225         NID_sect283k1,          /* sect283k1 (9) */
226         NID_sect283r1,          /* sect283r1 (10) */
227         NID_sect409k1,          /* sect409k1 (11) */
228         NID_sect409r1,          /* sect409r1 (12) */
229         NID_sect571k1,          /* sect571k1 (13) */
230         NID_sect571r1,          /* sect571r1 (14) */
231         NID_secp160k1,          /* secp160k1 (15) */
232         NID_secp160r1,          /* secp160r1 (16) */
233         NID_secp160r2,          /* secp160r2 (17) */
234         NID_secp192k1,          /* secp192k1 (18) */
235         NID_X9_62_prime192v1,   /* secp192r1 (19) */
236         NID_secp224k1,          /* secp224k1 (20) */
237         NID_secp224r1,          /* secp224r1 (21) */
238         NID_secp256k1,          /* secp256k1 (22) */
239         NID_X9_62_prime256v1,   /* secp256r1 (23) */
240         NID_secp384r1,          /* secp384r1 (24) */
241         NID_secp521r1,          /* secp521r1 (25) */
242         NID_brainpoolP256r1,    /* brainpoolP256r1 (26) */
243         NID_brainpoolP384r1,    /* brainpoolP384r1 (27) */
244         NID_brainpoolP512r1     /* brainpoolP512r1 (28) */
245 };
246
247 static const uint8_t ecformats_default[] = {
248         TLSEXT_ECPOINTFORMAT_uncompressed,
249         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
251 };
252
253 static const uint16_t eccurves_default[] = {
254         14,                     /* sect571r1 (14) */
255         13,                     /* sect571k1 (13) */
256         25,                     /* secp521r1 (25) */
257         28,                     /* brainpool512r1 (28) */
258         11,                     /* sect409k1 (11) */
259         12,                     /* sect409r1 (12) */
260         27,                     /* brainpoolP384r1 (27) */
261         24,                     /* secp384r1 (24) */
262         9,                      /* sect283k1 (9) */
263         10,                     /* sect283r1 (10) */
264         26,                     /* brainpoolP256r1 (26) */
265         22,                     /* secp256k1 (22) */
266         23,                     /* secp256r1 (23) */
267         8,                      /* sect239k1 (8) */
268         6,                      /* sect233k1 (6) */
269         7,                      /* sect233r1 (7) */
270         20,                     /* secp224k1 (20) */
271         21,                     /* secp224r1 (21) */
272         4,                      /* sect193r1 (4) */
273         5,                      /* sect193r2 (5) */
274         18,                     /* secp192k1 (18) */
275         19,                     /* secp192r1 (19) */
276         1,                      /* sect163k1 (1) */
277         2,                      /* sect163r1 (2) */
278         3,                      /* sect163r2 (3) */
279         15,                     /* secp160k1 (15) */
280         16,                     /* secp160r1 (16) */
281         17,                     /* secp160r2 (17) */
282 };
283
284 int
285 tls1_ec_curve_id2nid(uint16_t curve_id)
286 {
287         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288         if ((curve_id < 1) ||
289             ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
290                 return 0;
291         return nid_list[curve_id - 1];
292 }
293
294 uint16_t
295 tls1_ec_nid2curve_id(int nid)
296 {
297         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
298         switch (nid) {
299         case NID_sect163k1: /* sect163k1 (1) */
300                 return 1;
301         case NID_sect163r1: /* sect163r1 (2) */
302                 return 2;
303         case NID_sect163r2: /* sect163r2 (3) */
304                 return 3;
305         case NID_sect193r1: /* sect193r1 (4) */
306                 return 4;
307         case NID_sect193r2: /* sect193r2 (5) */
308                 return 5;
309         case NID_sect233k1: /* sect233k1 (6) */
310                 return 6;
311         case NID_sect233r1: /* sect233r1 (7) */
312                 return 7;
313         case NID_sect239k1: /* sect239k1 (8) */
314                 return 8;
315         case NID_sect283k1: /* sect283k1 (9) */
316                 return 9;
317         case NID_sect283r1: /* sect283r1 (10) */
318                 return 10;
319         case NID_sect409k1: /* sect409k1 (11) */
320                 return 11;
321         case NID_sect409r1: /* sect409r1 (12) */
322                 return 12;
323         case NID_sect571k1: /* sect571k1 (13) */
324                 return 13;
325         case NID_sect571r1: /* sect571r1 (14) */
326                 return 14;
327         case NID_secp160k1: /* secp160k1 (15) */
328                 return 15;
329         case NID_secp160r1: /* secp160r1 (16) */
330                 return 16;
331         case NID_secp160r2: /* secp160r2 (17) */
332                 return 17;
333         case NID_secp192k1: /* secp192k1 (18) */
334                 return 18;
335         case NID_X9_62_prime192v1: /* secp192r1 (19) */
336                 return 19;
337         case NID_secp224k1: /* secp224k1 (20) */
338                 return 20;
339         case NID_secp224r1: /* secp224r1 (21) */
340                 return 21;
341         case NID_secp256k1: /* secp256k1 (22) */
342                 return 22;
343         case NID_X9_62_prime256v1: /* secp256r1 (23) */
344                 return 23;
345         case NID_secp384r1: /* secp384r1 (24) */
346                 return 24;
347         case NID_secp521r1: /* secp521r1 (25) */
348                 return 25;
349         case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
350                 return 26;
351         case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
352                 return 27;
353         case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
354                 return 28;
355         default:
356                 return 0;
357         }
358 }
359
360 /*
361  * Return the appropriate format list. If client_formats is non-zero, return
362  * the client/session formats. Otherwise return the custom format list if one
363  * exists, or the default formats if a custom list has not been specified.
364  */
365 static void
366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
367     size_t *pformatslen)
368 {
369         if (client_formats != 0) {
370                 *pformats = s->session->tlsext_ecpointformatlist;
371                 *pformatslen = s->session->tlsext_ecpointformatlist_length;
372                 return;
373         }
374
375         *pformats = s->tlsext_ecpointformatlist;
376         *pformatslen = s->tlsext_ecpointformatlist_length;
377         if (*pformats == NULL) {
378                 *pformats = ecformats_default;
379                 *pformatslen = sizeof(ecformats_default);
380         }
381 }
382
383 /*
384  * Return the appropriate curve list. If client_curves is non-zero, return
385  * the client/session curves. Otherwise return the custom curve list if one
386  * exists, or the default curves if a custom list has not been specified.
387  */
388 static void
389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
390     size_t *pcurveslen)
391 {
392         if (client_curves != 0) {
393                 *pcurves = s->session->tlsext_ellipticcurvelist;
394                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
395                 return;
396         }
397
398         *pcurves = s->tlsext_ellipticcurvelist;
399         *pcurveslen = s->tlsext_ellipticcurvelist_length;
400         if (*pcurves == NULL) {
401                 *pcurves = eccurves_default;
402                 *pcurveslen = sizeof(eccurves_default) / 2;
403         }
404 }
405
406 /* Check that a curve is one of our preferences. */
407 int
408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
409 {
410         CBS cbs;
411         const uint16_t *curves;
412         size_t curveslen, i;
413         uint8_t type;
414         uint16_t cid;
415
416         CBS_init(&cbs, p, len);
417
418         /* Only named curves are supported. */
419         if (CBS_len(&cbs) != 3 ||
420             !CBS_get_u8(&cbs, &type) ||
421             type != NAMED_CURVE_TYPE ||
422             !CBS_get_u16(&cbs, &cid))
423                 return (0);
424
425         tls1_get_curvelist(s, 0, &curves, &curveslen);
426
427         for (i = 0; i < curveslen; i++) {
428                 if (curves[i] == cid)
429                         return (1);
430         }
431         return (0);
432 }
433
434 int
435 tls1_get_shared_curve(SSL *s)
436 {
437         size_t preflen, supplen, i, j;
438         const uint16_t *pref, *supp;
439         unsigned long server_pref;
440
441         /* Cannot do anything on the client side. */
442         if (s->server == 0)
443                 return (NID_undef);
444
445         /* Return first preference shared curve. */
446         server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447         tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448         tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
449
450         for (i = 0; i < preflen; i++) {
451                 for (j = 0; j < supplen; j++) {
452                         if (pref[i] == supp[j])
453                                 return (tls1_ec_curve_id2nid(pref[i]));
454                 }
455         }
456         return (NID_undef);
457 }
458
459 /* For an EC key set TLS ID and required compression based on parameters. */
460 static int
461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
462 {
463         const EC_GROUP *grp;
464         const EC_METHOD *meth;
465         int is_prime = 0;
466         int nid, id;
467
468         if (ec == NULL)
469                 return (0);
470
471         /* Determine if it is a prime field. */
472         if ((grp = EC_KEY_get0_group(ec)) == NULL)
473                 return (0);
474         if ((meth = EC_GROUP_method_of(grp)) == NULL)
475                 return (0);
476         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
477                 is_prime = 1;
478
479         /* Determine curve ID. */
480         nid = EC_GROUP_get_curve_name(grp);
481         id = tls1_ec_nid2curve_id(nid);
482
483         /* If we have an ID set it, otherwise set arbitrary explicit curve. */
484         if (id != 0)
485                 *curve_id = id;
486         else
487                 *curve_id = is_prime ? 0xff01 : 0xff02;
488
489         /* Specify the compression identifier. */
490         if (comp_id != NULL) {
491                 if (EC_KEY_get0_public_key(ec) == NULL)
492                         return (0);
493
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495                         *comp_id = is_prime ?
496                             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497                             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
498                 } else {
499                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
500                 }
501         }
502         return (1);
503 }
504
505 /* Check that an EC key is compatible with extensions. */
506 static int
507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
508 {
509         size_t curveslen, formatslen, i;
510         const uint16_t *curves;
511         const uint8_t *formats;
512
513         /*
514          * Check point formats extension if present, otherwise everything
515          * is supported (see RFC4492).
516          */
517         tls1_get_formatlist(s, 1, &formats, &formatslen);
518         if (comp_id != NULL && formats != NULL) {
519                 for (i = 0; i < formatslen; i++) {
520                         if (formats[i] == *comp_id)
521                                 break;
522                 }
523                 if (i == formatslen)
524                         return (0);
525         }
526
527         /*
528          * Check curve list if present, otherwise everything is supported.
529          */
530         tls1_get_curvelist(s, 1, &curves, &curveslen);
531         if (curve_id != NULL && curves != NULL) {
532                 for (i = 0; i < curveslen; i++) {
533                         if (curves[i] == *curve_id)
534                                 break;
535                 }
536                 if (i == curveslen)
537                         return (0);
538         }
539
540         return (1);
541 }
542
543 /* Check EC server key is compatible with client extensions. */
544 int
545 tls1_check_ec_server_key(SSL *s)
546 {
547         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
548         uint16_t curve_id;
549         uint8_t comp_id;
550         EVP_PKEY *pkey;
551         int rv;
552
553         if (cpk->x509 == NULL || cpk->privatekey == NULL)
554                 return (0);
555         if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
556                 return (0);
557         rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
558         EVP_PKEY_free(pkey);
559         if (rv != 1)
560                 return (0);
561
562         return tls1_check_ec_key(s, &curve_id, &comp_id);
563 }
564
565 /* Check EC temporary key is compatible with client extensions. */
566 int
567 tls1_check_ec_tmp_key(SSL *s)
568 {
569         EC_KEY *ec = s->cert->ecdh_tmp;
570         uint16_t curve_id;
571
572         if (s->cert->ecdh_tmp_auto != 0) {
573                 /* Need a shared curve. */
574                 if (tls1_get_shared_curve(s) != NID_undef)
575                         return (1);
576                 return (0);
577         }
578
579         if (ec == NULL) {
580                 if (s->cert->ecdh_tmp_cb != NULL)
581                         return (1);
582                 return (0);
583         }
584         if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
585                 return (0);
586
587         return tls1_check_ec_key(s, &curve_id, NULL);
588 }
589
590 /*
591  * List of supported signature algorithms and hashes. Should make this
592  * customisable at some point, for now include everything we support.
593  */
594
595 static unsigned char tls12_sigalgs[] = {
596         TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597         TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598         TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599 #ifndef OPENSSL_NO_GOST
600         TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
601 #endif
602
603         TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604         TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605         TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
606
607         TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608         TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609         TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
610
611 #ifndef OPENSSL_NO_GOST
612         TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613         TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
614 #endif
615
616         TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617         TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618         TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
619
620         TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621         TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622         TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
623 };
624
625 int
626 tls12_get_req_sig_algs(SSL *s, unsigned char *p)
627 {
628         size_t slen = sizeof(tls12_sigalgs);
629
630         if (p)
631                 memcpy(p, tls12_sigalgs, slen);
632         return (int)slen;
633 }
634
635 unsigned char *
636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
637 {
638         int extdatalen = 0;
639         unsigned char *ret = p;
640         int using_ecc = 0;
641
642         /* See if we support any ECC ciphersuites. */
643         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645                 unsigned long alg_k, alg_a;
646                 int i;
647
648                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
650
651                         alg_k = c->algorithm_mkey;
652                         alg_a = c->algorithm_auth;
653
654                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655                             (alg_a & SSL_aECDSA))) {
656                                 using_ecc = 1;
657                                 break;
658                         }
659                 }
660         }
661
662         ret += 2;
663
664         if (ret >= limit)
665                 return NULL; /* this really never occurs, but ... */
666
667         if (s->tlsext_hostname != NULL) {
668                 /* Add TLS extension servername to the Client Hello message */
669                 size_t size_str, lenmax;
670
671                 /* check for enough space.
672                    4 for the servername type and extension length
673                    2 for servernamelist length
674                    1 for the hostname type
675                    2 for hostname length
676                    + hostname length
677                 */
678
679                 if ((size_t)(limit - ret) < 9)
680                         return NULL;
681
682                 lenmax = limit - ret - 9;
683                 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
684                         return NULL;
685
686                 /* extension type and length */
687                 s2n(TLSEXT_TYPE_server_name, ret);
688
689                 s2n(size_str + 5, ret);
690
691                 /* length of servername list */
692                 s2n(size_str + 3, ret);
693
694                 /* hostname type, length and hostname */
695                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
696                 s2n(size_str, ret);
697                 memcpy(ret, s->tlsext_hostname, size_str);
698                 ret += size_str;
699         }
700
701         /* Add RI if renegotiating */
702         if (s->renegotiate) {
703                 int el;
704
705                 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
706                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
707                             ERR_R_INTERNAL_ERROR);
708                         return NULL;
709                 }
710
711                 if ((size_t)(limit - ret) < 4 + el)
712                         return NULL;
713
714                 s2n(TLSEXT_TYPE_renegotiate, ret);
715                 s2n(el, ret);
716
717                 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
718                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
719                             ERR_R_INTERNAL_ERROR);
720                         return NULL;
721                 }
722
723                 ret += el;
724         }
725
726         if (using_ecc) {
727                 size_t curveslen, formatslen, lenmax;
728                 const uint16_t *curves;
729                 const uint8_t *formats;
730                 int i;
731
732                 /*
733                  * Add TLS extension ECPointFormats to the ClientHello message.
734                  */
735                 tls1_get_formatlist(s, 0, &formats, &formatslen);
736
737                 if ((size_t)(limit - ret) < 5)
738                         return NULL;
739
740                 lenmax = limit - ret - 5;
741                 if (formatslen > lenmax)
742                         return NULL;
743                 if (formatslen > 255) {
744                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
745                             ERR_R_INTERNAL_ERROR);
746                         return NULL;
747                 }
748
749                 s2n(TLSEXT_TYPE_ec_point_formats, ret);
750                 s2n(formatslen + 1, ret);
751                 *(ret++) = (unsigned char)formatslen;
752                 memcpy(ret, formats, formatslen);
753                 ret += formatslen;
754
755                 /*
756                  * Add TLS extension EllipticCurves to the ClientHello message.
757                  */
758                 tls1_get_curvelist(s, 0, &curves, &curveslen);
759
760                 if ((size_t)(limit - ret) < 6)
761                         return NULL;
762
763                 lenmax = limit - ret - 6;
764                 if (curveslen > lenmax)
765                         return NULL;
766                 if (curveslen > 65532) {
767                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
768                             ERR_R_INTERNAL_ERROR);
769                         return NULL;
770                 }
771
772                 s2n(TLSEXT_TYPE_elliptic_curves, ret);
773                 s2n((curveslen * 2) + 2, ret);
774
775                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776                  * elliptic_curve_list, but the examples use two bytes.
777                  * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778                  * resolves this to two bytes.
779                  */
780                 s2n(curveslen * 2, ret);
781                 for (i = 0; i < curveslen; i++)
782                         s2n(curves[i], ret);
783         }
784
785         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
786                 int ticklen;
787                 if (!s->new_session && s->session && s->session->tlsext_tick)
788                         ticklen = s->session->tlsext_ticklen;
789                 else if (s->session && s->tlsext_session_ticket &&
790                     s->tlsext_session_ticket->data) {
791                         ticklen = s->tlsext_session_ticket->length;
792                         s->session->tlsext_tick = malloc(ticklen);
793                         if (!s->session->tlsext_tick)
794                                 return NULL;
795                         memcpy(s->session->tlsext_tick,
796                             s->tlsext_session_ticket->data, ticklen);
797                         s->session->tlsext_ticklen = ticklen;
798                 } else
799                         ticklen = 0;
800                 if (ticklen == 0 && s->tlsext_session_ticket &&
801                     s->tlsext_session_ticket->data == NULL)
802                         goto skip_ext;
803                 /* Check for enough room 2 for extension type, 2 for len
804                  * rest for ticket
805                  */
806                 if ((size_t)(limit - ret) < 4 + ticklen)
807                         return NULL;
808                 s2n(TLSEXT_TYPE_session_ticket, ret);
809
810                 s2n(ticklen, ret);
811                 if (ticklen) {
812                         memcpy(ret, s->session->tlsext_tick, ticklen);
813                         ret += ticklen;
814                 }
815         }
816 skip_ext:
817
818         if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
819                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
820                         return NULL;
821
822                 s2n(TLSEXT_TYPE_signature_algorithms, ret);
823                 s2n(sizeof(tls12_sigalgs) + 2, ret);
824                 s2n(sizeof(tls12_sigalgs), ret);
825                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
826                 ret += sizeof(tls12_sigalgs);
827         }
828
829         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
830             s->version != DTLS1_VERSION) {
831                 int i;
832                 long extlen, idlen, itmp;
833                 OCSP_RESPID *id;
834
835                 idlen = 0;
836                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
837                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
838                         itmp = i2d_OCSP_RESPID(id, NULL);
839                         if (itmp <= 0)
840                                 return NULL;
841                         idlen += itmp + 2;
842                 }
843
844                 if (s->tlsext_ocsp_exts) {
845                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
846                         if (extlen < 0)
847                                 return NULL;
848                 } else
849                         extlen = 0;
850
851                 if ((size_t)(limit - ret) < 7 + extlen + idlen)
852                         return NULL;
853                 s2n(TLSEXT_TYPE_status_request, ret);
854                 if (extlen + idlen > 0xFFF0)
855                         return NULL;
856                 s2n(extlen + idlen + 5, ret);
857                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
858                 s2n(idlen, ret);
859                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
860                         /* save position of id len */
861                         unsigned char *q = ret;
862                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
863                         /* skip over id len */
864                         ret += 2;
865                         itmp = i2d_OCSP_RESPID(id, &ret);
866                         /* write id len */
867                         s2n(itmp, q);
868                 }
869                 s2n(extlen, ret);
870                 if (extlen > 0)
871                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
872         }
873
874         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
875                 /* The client advertises an emtpy extension to indicate its
876                  * support for Next Protocol Negotiation */
877                 if ((size_t)(limit - ret) < 4)
878                         return NULL;
879                 s2n(TLSEXT_TYPE_next_proto_neg, ret);
880                 s2n(0, ret);
881         }
882
883         if (s->alpn_client_proto_list != NULL &&
884             s->s3->tmp.finish_md_len == 0) {
885                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
886                         return (NULL);
887                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
888                 s2n(2 + s->alpn_client_proto_list_len, ret);
889                 s2n(s->alpn_client_proto_list_len, ret);
890                 memcpy(ret, s->alpn_client_proto_list,
891                     s->alpn_client_proto_list_len);
892                 ret += s->alpn_client_proto_list_len;
893         }
894
895 #ifndef OPENSSL_NO_SRTP
896         if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
897                 int el;
898
899                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
900
901                 if ((size_t)(limit - ret) < 4 + el)
902                         return NULL;
903
904                 s2n(TLSEXT_TYPE_use_srtp, ret);
905                 s2n(el, ret);
906
907                 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
908                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
909                             ERR_R_INTERNAL_ERROR);
910                         return NULL;
911                 }
912                 ret += el;
913         }
914 #endif
915
916         /*
917          * Add padding to workaround bugs in F5 terminators.
918          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
919          *
920          * Note that this seems to trigger issues with IronPort SMTP
921          * appliances.
922          *
923          * NB: because this code works out the length of all existing
924          * extensions it MUST always appear last.
925          */
926         if (s->options & SSL_OP_TLSEXT_PADDING) {
927                 int hlen = ret - (unsigned char *)s->init_buf->data;
928
929                 /*
930                  * The code in s23_clnt.c to build ClientHello messages
931                  * includes the 5-byte record header in the buffer, while the
932                  * code in s3_clnt.c does not.
933                  */
934                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
935                         hlen -= 5;
936                 if (hlen > 0xff && hlen < 0x200) {
937                         hlen = 0x200 - hlen;
938                         if (hlen >= 4)
939                                 hlen -= 4;
940                         else
941                                 hlen = 0;
942
943                         s2n(TLSEXT_TYPE_padding, ret);
944                         s2n(hlen, ret);
945                         memset(ret, 0, hlen);
946                         ret += hlen;
947                 }
948         }
949
950         if ((extdatalen = ret - p - 2) == 0)
951                 return p;
952
953         s2n(extdatalen, p);
954         return ret;
955 }
956
957 unsigned char *
958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
959 {
960         int using_ecc, extdatalen = 0;
961         unsigned long alg_a, alg_k;
962         unsigned char *ret = p;
963         int next_proto_neg_seen;
964
965         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
966         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
967         using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
968             alg_a & SSL_aECDSA) &&
969             s->session->tlsext_ecpointformatlist != NULL;
970
971         ret += 2;
972         if (ret >= limit)
973                 return NULL; /* this really never occurs, but ... */
974
975         if (!s->hit && s->servername_done == 1 &&
976             s->session->tlsext_hostname != NULL) {
977                 if ((size_t)(limit - ret) < 4)
978                         return NULL;
979
980                 s2n(TLSEXT_TYPE_server_name, ret);
981                 s2n(0, ret);
982         }
983
984         if (s->s3->send_connection_binding) {
985                 int el;
986
987                 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
988                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
989                             ERR_R_INTERNAL_ERROR);
990                         return NULL;
991                 }
992
993                 if ((size_t)(limit - ret) < 4 + el)
994                         return NULL;
995
996                 s2n(TLSEXT_TYPE_renegotiate, ret);
997                 s2n(el, ret);
998
999                 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1000                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1001                             ERR_R_INTERNAL_ERROR);
1002                         return NULL;
1003                 }
1004
1005                 ret += el;
1006         }
1007
1008         if (using_ecc && s->version != DTLS1_VERSION) {
1009                 const unsigned char *formats;
1010                 size_t formatslen, lenmax;
1011
1012                 /*
1013                  * Add TLS extension ECPointFormats to the ServerHello message.
1014                  */
1015                 tls1_get_formatlist(s, 0, &formats, &formatslen);
1016
1017                 if ((size_t)(limit - ret) < 5)
1018                         return NULL;
1019
1020                 lenmax = limit - ret - 5;
1021                 if (formatslen > lenmax)
1022                         return NULL;
1023                 if (formatslen > 255) {
1024                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1025                             ERR_R_INTERNAL_ERROR);
1026                         return NULL;
1027                 }
1028
1029                 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1030                 s2n(formatslen + 1, ret);
1031                 *(ret++) = (unsigned char)formatslen;
1032                 memcpy(ret, formats, formatslen);
1033                 ret += formatslen;
1034         }
1035
1036         /*
1037          * Currently the server should not respond with a SupportedCurves
1038          * extension.
1039          */
1040
1041         if (s->tlsext_ticket_expected &&
1042             !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1043                 if ((size_t)(limit - ret) < 4)
1044                         return NULL;
1045
1046                 s2n(TLSEXT_TYPE_session_ticket, ret);
1047                 s2n(0, ret);
1048         }
1049
1050         if (s->tlsext_status_expected) {
1051                 if ((size_t)(limit - ret) < 4)
1052                         return NULL;
1053
1054                 s2n(TLSEXT_TYPE_status_request, ret);
1055                 s2n(0, ret);
1056         }
1057
1058 #ifndef OPENSSL_NO_SRTP
1059         if (SSL_IS_DTLS(s) && s->srtp_profile) {
1060                 int el;
1061
1062                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1063
1064                 if ((size_t)(limit - ret) < 4 + el)
1065                         return NULL;
1066
1067                 s2n(TLSEXT_TYPE_use_srtp, ret);
1068                 s2n(el, ret);
1069
1070                 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1071                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1072                             ERR_R_INTERNAL_ERROR);
1073                         return NULL;
1074                 }
1075                 ret += el;
1076         }
1077 #endif
1078
1079         if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1080             (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1081             (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1082                 static const unsigned char cryptopro_ext[36] = {
1083                         0xfd, 0xe8, /*65000*/
1084                         0x00, 0x20, /*32 bytes length*/
1085                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086                         0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1089                 };
1090                 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1091                         return NULL;
1092                 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1093                 ret += sizeof(cryptopro_ext);
1094         }
1095
1096         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1097         s->s3->next_proto_neg_seen = 0;
1098         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1099                 const unsigned char *npa;
1100                 unsigned int npalen;
1101                 int r;
1102
1103                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1104                     s->ctx->next_protos_advertised_cb_arg);
1105                 if (r == SSL_TLSEXT_ERR_OK) {
1106                         if ((size_t)(limit - ret) < 4 + npalen)
1107                                 return NULL;
1108                         s2n(TLSEXT_TYPE_next_proto_neg, ret);
1109                         s2n(npalen, ret);
1110                         memcpy(ret, npa, npalen);
1111                         ret += npalen;
1112                         s->s3->next_proto_neg_seen = 1;
1113                 }
1114         }
1115
1116         if (s->s3->alpn_selected != NULL) {
1117                 const unsigned char *selected = s->s3->alpn_selected;
1118                 unsigned int len = s->s3->alpn_selected_len;
1119
1120                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1121                         return (NULL);
1122                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1123                 s2n(3 + len, ret);
1124                 s2n(1 + len, ret);
1125                 *ret++ = len;
1126                 memcpy(ret, selected, len);
1127                 ret += len;
1128         }
1129
1130         if ((extdatalen = ret - p - 2) == 0)
1131                 return p;
1132
1133         s2n(extdatalen, p);
1134         return ret;
1135 }
1136
1137 /*
1138  * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1139  * ClientHello.
1140  *   data: the contents of the extension, not including the type and length.
1141  *   data_len: the number of bytes in data.
1142  *   al: a pointer to the alert value to send in the event of a non-zero
1143  *       return.
1144  *   returns: 1 on success.
1145  */
1146 static int
1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1148     unsigned int data_len, int *al)
1149 {
1150         CBS cbs, proto_name_list, alpn;
1151         const unsigned char *selected;
1152         unsigned char selected_len;
1153         int r;
1154
1155         if (s->ctx->alpn_select_cb == NULL)
1156                 return (1);
1157
1158         if (data_len < 2)
1159                 goto parse_error;
1160
1161         CBS_init(&cbs, data, data_len);
1162
1163         /*
1164          * data should contain a uint16 length followed by a series of 8-bit,
1165          * length-prefixed strings.
1166          */
1167         if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1168             CBS_len(&alpn) < 2 ||
1169             CBS_len(&cbs) != 0)
1170                 goto parse_error;
1171
1172         /* Validate data before sending to callback. */
1173         CBS_dup(&alpn, &proto_name_list);
1174         while (CBS_len(&proto_name_list) > 0) {
1175                 CBS proto_name;
1176
1177                 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1178                     CBS_len(&proto_name) == 0)
1179                         goto parse_error;
1180         }
1181
1182         r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1183             CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1184         if (r == SSL_TLSEXT_ERR_OK) {
1185                 free(s->s3->alpn_selected);
1186                 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1187                         *al = SSL_AD_INTERNAL_ERROR;
1188                         return (-1);
1189                 }
1190                 memcpy(s->s3->alpn_selected, selected, selected_len);
1191                 s->s3->alpn_selected_len = selected_len;
1192         }
1193
1194         return (1);
1195
1196 parse_error:
1197         *al = SSL_AD_DECODE_ERROR;
1198         return (0);
1199 }
1200
1201 int
1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1203     int n, int *al)
1204 {
1205         unsigned short type;
1206         unsigned short size;
1207         unsigned short len;
1208         unsigned char *data = *p;
1209         int renegotiate_seen = 0;
1210         int sigalg_seen = 0;
1211
1212         s->servername_done = 0;
1213         s->tlsext_status_type = -1;
1214         s->s3->next_proto_neg_seen = 0;
1215         free(s->s3->alpn_selected);
1216         s->s3->alpn_selected = NULL;
1217
1218         if (data >= (d + n - 2))
1219                 goto ri_check;
1220         n2s(data, len);
1221
1222         if (data > (d + n - len))
1223                 goto ri_check;
1224
1225         while (data <= (d + n - 4)) {
1226                 n2s(data, type);
1227                 n2s(data, size);
1228
1229                 if (data + size > (d + n))
1230                         goto ri_check;
1231                 if (s->tlsext_debug_cb)
1232                         s->tlsext_debug_cb(s, 0, type, data, size,
1233                             s->tlsext_debug_arg);
1234 /* The servername extension is treated as follows:
1235
1236    - Only the hostname type is supported with a maximum length of 255.
1237    - The servername is rejected if too long or if it contains zeros,
1238      in which case an fatal alert is generated.
1239    - The servername field is maintained together with the session cache.
1240    - When a session is resumed, the servername call back invoked in order
1241      to allow the application to position itself to the right context.
1242    - The servername is acknowledged if it is new for a session or when
1243      it is identical to a previously used for the same session.
1244      Applications can control the behaviour.  They can at any time
1245      set a 'desirable' servername for a new SSL object. This can be the
1246      case for example with HTTPS when a Host: header field is received and
1247      a renegotiation is requested. In this case, a possible servername
1248      presented in the new client hello is only acknowledged if it matches
1249      the value of the Host: field.
1250    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251      if they provide for changing an explicit servername context for the session,
1252      i.e. when the session has been established with a servername extension.
1253    - On session reconnect, the servername extension may be absent.
1254
1255 */
1256
1257                 if (type == TLSEXT_TYPE_server_name) {
1258                         unsigned char *sdata;
1259                         int servname_type;
1260                         int dsize;
1261
1262                         if (size < 2) {
1263                                 *al = SSL_AD_DECODE_ERROR;
1264                                 return 0;
1265                         }
1266                         n2s(data, dsize);
1267
1268                         size -= 2;
1269                         if (dsize > size) {
1270                                 *al = SSL_AD_DECODE_ERROR;
1271                                 return 0;
1272                         }
1273
1274                         sdata = data;
1275                         while (dsize > 3) {
1276                                 servname_type = *(sdata++);
1277
1278                                 n2s(sdata, len);
1279                                 dsize -= 3;
1280
1281                                 if (len > dsize) {
1282                                         *al = SSL_AD_DECODE_ERROR;
1283                                         return 0;
1284                                 }
1285                                 if (s->servername_done == 0)
1286                                         switch (servname_type) {
1287                                         case TLSEXT_NAMETYPE_host_name:
1288                                                 if (!s->hit) {
1289                                                         if (s->session->tlsext_hostname) {
1290                                                                 *al = SSL_AD_DECODE_ERROR;
1291                                                                 return 0;
1292                                                         }
1293                                                         if (len > TLSEXT_MAXLEN_host_name) {
1294                                                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1295                                                                 return 0;
1296                                                         }
1297                                                         if ((s->session->tlsext_hostname =
1298                                                             malloc(len + 1)) == NULL) {
1299                                                                 *al = TLS1_AD_INTERNAL_ERROR;
1300                                                                 return 0;
1301                                                         }
1302                                                         memcpy(s->session->tlsext_hostname, sdata, len);
1303                                                         s->session->tlsext_hostname[len] = '\0';
1304                                                         if (strlen(s->session->tlsext_hostname) != len) {
1305                                                                 free(s->session->tlsext_hostname);
1306                                                                 s->session->tlsext_hostname = NULL;
1307                                                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1308                                                                 return 0;
1309                                                         }
1310                                                         s->servername_done = 1;
1311
1312
1313                                                 } else {
1314                                                         s->servername_done = s->session->tlsext_hostname &&
1315                                                             strlen(s->session->tlsext_hostname) == len &&
1316                                                             strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1317                                                 }
1318                                                 break;
1319
1320                                         default:
1321                                                 break;
1322                                         }
1323
1324                                 dsize -= len;
1325                         }
1326                         if (dsize != 0) {
1327                                 *al = SSL_AD_DECODE_ERROR;
1328                                 return 0;
1329                         }
1330
1331                 }
1332
1333                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1334                     s->version != DTLS1_VERSION) {
1335                         unsigned char *sdata = data;
1336                         size_t formatslen;
1337                         uint8_t *formats;
1338
1339                         if (size < 1) {
1340                                 *al = TLS1_AD_DECODE_ERROR;
1341                                 return 0;
1342                         }
1343                         formatslen = *(sdata++);
1344                         if (formatslen != size - 1) {
1345                                 *al = TLS1_AD_DECODE_ERROR;
1346                                 return 0;
1347                         }
1348
1349                         if (!s->hit) {
1350                                 free(s->session->tlsext_ecpointformatlist);
1351                                 s->session->tlsext_ecpointformatlist = NULL;
1352                                 s->session->tlsext_ecpointformatlist_length = 0;
1353
1354                                 if ((formats = reallocarray(NULL, formatslen,
1355                                     sizeof(uint8_t))) == NULL) {
1356                                         *al = TLS1_AD_INTERNAL_ERROR;
1357                                         return 0;
1358                                 }
1359                                 memcpy(formats, sdata, formatslen);
1360                                 s->session->tlsext_ecpointformatlist = formats;
1361                                 s->session->tlsext_ecpointformatlist_length =
1362                                     formatslen;
1363                         }
1364                 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1365                     s->version != DTLS1_VERSION) {
1366                         unsigned char *sdata = data;
1367                         size_t curveslen, i;
1368                         uint16_t *curves;
1369
1370                         if (size < 2) {
1371                                 *al = TLS1_AD_DECODE_ERROR;
1372                                 return 0;
1373                         }
1374                         n2s(sdata, curveslen);
1375                         if (curveslen != size - 2 || curveslen % 2 != 0) {
1376                                 *al = TLS1_AD_DECODE_ERROR;
1377                                 return 0;
1378                         }
1379                         curveslen /= 2;
1380
1381                         if (!s->hit) {
1382                                 if (s->session->tlsext_ellipticcurvelist) {
1383                                         *al = TLS1_AD_DECODE_ERROR;
1384                                         return 0;
1385                                 }
1386                                 s->session->tlsext_ellipticcurvelist_length = 0;
1387                                 if ((curves = reallocarray(NULL, curveslen,
1388                                     sizeof(uint16_t))) == NULL) {
1389                                         *al = TLS1_AD_INTERNAL_ERROR;
1390                                         return 0;
1391                                 }
1392                                 for (i = 0; i < curveslen; i++)
1393                                         n2s(sdata, curves[i]);
1394                                 s->session->tlsext_ellipticcurvelist = curves;
1395                                 s->session->tlsext_ellipticcurvelist_length = curveslen;
1396                         }
1397                 }
1398                 else if (type == TLSEXT_TYPE_session_ticket) {
1399                         if (s->tls_session_ticket_ext_cb &&
1400                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1401                                 *al = TLS1_AD_INTERNAL_ERROR;
1402                                 return 0;
1403                         }
1404                 } else if (type == TLSEXT_TYPE_renegotiate) {
1405                         if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1406                                 return 0;
1407                         renegotiate_seen = 1;
1408                 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1409                         int dsize;
1410                         if (sigalg_seen || size < 2) {
1411                                 *al = SSL_AD_DECODE_ERROR;
1412                                 return 0;
1413                         }
1414                         sigalg_seen = 1;
1415                         n2s(data, dsize);
1416                         size -= 2;
1417                         if (dsize != size || dsize & 1) {
1418                                 *al = SSL_AD_DECODE_ERROR;
1419                                 return 0;
1420                         }
1421                         if (!tls1_process_sigalgs(s, data, dsize)) {
1422                                 *al = SSL_AD_DECODE_ERROR;
1423                                 return 0;
1424                         }
1425                 } else if (type == TLSEXT_TYPE_status_request &&
1426                     s->version != DTLS1_VERSION) {
1427
1428                         if (size < 5) {
1429                                 *al = SSL_AD_DECODE_ERROR;
1430                                 return 0;
1431                         }
1432
1433                         s->tlsext_status_type = *data++;
1434                         size--;
1435                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1436                                 const unsigned char *sdata;
1437                                 int dsize;
1438                                 /* Read in responder_id_list */
1439                                 n2s(data, dsize);
1440                                 size -= 2;
1441                                 if (dsize > size) {
1442                                         *al = SSL_AD_DECODE_ERROR;
1443                                         return 0;
1444                                 }
1445
1446                                 /*
1447                                  * We remove any OCSP_RESPIDs from a
1448                                  * previous handshake to prevent
1449                                  * unbounded memory growth.
1450                                  */
1451                                 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
1452                                     OCSP_RESPID_free);
1453                                 s->tlsext_ocsp_ids = NULL;
1454                                 if (dsize > 0) {
1455                                         s->tlsext_ocsp_ids =
1456                                             sk_OCSP_RESPID_new_null();
1457                                         if (s->tlsext_ocsp_ids == NULL) {
1458                                                 *al = SSL_AD_INTERNAL_ERROR;
1459                                                 return 0;
1460                                         }
1461                                 }
1462
1463                                 while (dsize > 0) {
1464                                         OCSP_RESPID *id;
1465                                         int idsize;
1466                                         if (dsize < 4) {
1467                                                 *al = SSL_AD_DECODE_ERROR;
1468                                                 return 0;
1469                                         }
1470                                         n2s(data, idsize);
1471                                         dsize -= 2 + idsize;
1472                                         size -= 2 + idsize;
1473                                         if (dsize < 0) {
1474                                                 *al = SSL_AD_DECODE_ERROR;
1475                                                 return 0;
1476                                         }
1477                                         sdata = data;
1478                                         data += idsize;
1479                                         id = d2i_OCSP_RESPID(NULL,
1480                                             &sdata, idsize);
1481                                         if (!id) {
1482                                                 *al = SSL_AD_DECODE_ERROR;
1483                                                 return 0;
1484                                         }
1485                                         if (data != sdata) {
1486                                                 OCSP_RESPID_free(id);
1487                                                 *al = SSL_AD_DECODE_ERROR;
1488                                                 return 0;
1489                                         }
1490                                         if (!sk_OCSP_RESPID_push(
1491                                             s->tlsext_ocsp_ids, id)) {
1492                                                 OCSP_RESPID_free(id);
1493                                                 *al = SSL_AD_INTERNAL_ERROR;
1494                                                 return 0;
1495                                         }
1496                                 }
1497
1498                                 /* Read in request_extensions */
1499                                 if (size < 2) {
1500                                         *al = SSL_AD_DECODE_ERROR;
1501                                         return 0;
1502                                 }
1503                                 n2s(data, dsize);
1504                                 size -= 2;
1505                                 if (dsize != size) {
1506                                         *al = SSL_AD_DECODE_ERROR;
1507                                         return 0;
1508                                 }
1509                                 sdata = data;
1510                                 if (dsize > 0) {
1511                                         if (s->tlsext_ocsp_exts) {
1512                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1513                                                     X509_EXTENSION_free);
1514                                         }
1515
1516                                         s->tlsext_ocsp_exts =
1517                                             d2i_X509_EXTENSIONS(NULL,
1518                                             &sdata, dsize);
1519                                         if (!s->tlsext_ocsp_exts ||
1520                                                     (data + dsize != sdata)) {
1521                                                 *al = SSL_AD_DECODE_ERROR;
1522                                                 return 0;
1523                                         }
1524                                 }
1525                         } else {
1526                                 /* We don't know what to do with any other type
1527                                 * so ignore it.
1528                                 */
1529                                 s->tlsext_status_type = -1;
1530                         }
1531                 }
1532                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1533                     s->s3->tmp.finish_md_len == 0 &&
1534                     s->s3->alpn_selected == NULL) {
1535                         /* We shouldn't accept this extension on a
1536                          * renegotiation.
1537                          *
1538                          * s->new_session will be set on renegotiation, but we
1539                          * probably shouldn't rely that it couldn't be set on
1540                          * the initial renegotation too in certain cases (when
1541                          * there's some other reason to disallow resuming an
1542                          * earlier session -- the current code won't be doing
1543                          * anything like that, but this might change).
1544
1545                          * A valid sign that there's been a previous handshake
1546                          * in this connection is if s->s3->tmp.finish_md_len >
1547                          * 0.  (We are talking about a check that will happen
1548                          * in the Hello protocol round, well before a new
1549                          * Finished message could have been computed.) */
1550                         s->s3->next_proto_neg_seen = 1;
1551                 }
1552                 else if (type ==
1553                     TLSEXT_TYPE_application_layer_protocol_negotiation &&
1554                     s->ctx->alpn_select_cb != NULL &&
1555                     s->s3->tmp.finish_md_len == 0) {
1556                         if (tls1_alpn_handle_client_hello(s, data,
1557                             size, al) != 1)
1558                                 return (0);
1559                         /* ALPN takes precedence over NPN. */
1560                         s->s3->next_proto_neg_seen = 0;
1561                 }
1562
1563                 /* session ticket processed earlier */
1564 #ifndef OPENSSL_NO_SRTP
1565                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1566                         if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1567                                 return 0;
1568                 }
1569 #endif
1570
1571                 data += size;
1572         }
1573
1574         *p = data;
1575
1576 ri_check:
1577
1578         /* Need RI if renegotiating */
1579
1580         if (!renegotiate_seen && s->renegotiate) {
1581                 *al = SSL_AD_HANDSHAKE_FAILURE;
1582                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1583                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1584                 return 0;
1585         }
1586
1587         return 1;
1588 }
1589
1590 /*
1591  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1592  * elements of zero length are allowed and the set of elements must exactly fill
1593  * the length of the block.
1594  */
1595 static char
1596 ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1597 {
1598         CBS npn, value;
1599
1600         CBS_init(&npn, d, len);
1601         while (CBS_len(&npn) > 0) {
1602                 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1603                     CBS_len(&value) == 0)
1604                         return 0;
1605         }
1606         return 1;
1607 }
1608
1609 int
1610 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1611     int n, int *al)
1612 {
1613         unsigned short length;
1614         unsigned short type;
1615         unsigned short size;
1616         unsigned char *data = *p;
1617         int tlsext_servername = 0;
1618         int renegotiate_seen = 0;
1619
1620         s->s3->next_proto_neg_seen = 0;
1621         free(s->s3->alpn_selected);
1622         s->s3->alpn_selected = NULL;
1623
1624         if (data >= (d + n - 2))
1625                 goto ri_check;
1626
1627         n2s(data, length);
1628         if (data + length != d + n) {
1629                 *al = SSL_AD_DECODE_ERROR;
1630                 return 0;
1631         }
1632
1633         while (data <= (d + n - 4)) {
1634                 n2s(data, type);
1635                 n2s(data, size);
1636
1637                 if (data + size > (d + n))
1638                         goto ri_check;
1639
1640                 if (s->tlsext_debug_cb)
1641                         s->tlsext_debug_cb(s, 1, type, data, size,
1642                             s->tlsext_debug_arg);
1643
1644                 if (type == TLSEXT_TYPE_server_name) {
1645                         if (s->tlsext_hostname == NULL || size > 0) {
1646                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1647                                 return 0;
1648                         }
1649                         tlsext_servername = 1;
1650
1651                 }
1652                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1653                     s->version != DTLS1_VERSION) {
1654                         unsigned char *sdata = data;
1655                         size_t formatslen;
1656                         uint8_t *formats;
1657
1658                         if (size < 1) {
1659                                 *al = TLS1_AD_DECODE_ERROR;
1660                                 return 0;
1661                         }
1662                         formatslen = *(sdata++);
1663                         if (formatslen != size - 1) {
1664                                 *al = TLS1_AD_DECODE_ERROR;
1665                                 return 0;
1666                         }
1667
1668                         if (!s->hit) {
1669                                 free(s->session->tlsext_ecpointformatlist);
1670                                 s->session->tlsext_ecpointformatlist = NULL;
1671                                 s->session->tlsext_ecpointformatlist_length = 0;
1672
1673                                 if ((formats = reallocarray(NULL, formatslen,
1674                                     sizeof(uint8_t))) == NULL) {
1675                                         *al = TLS1_AD_INTERNAL_ERROR;
1676                                         return 0;
1677                                 }
1678                                 memcpy(formats, sdata, formatslen);
1679                                 s->session->tlsext_ecpointformatlist = formats;
1680                                 s->session->tlsext_ecpointformatlist_length =
1681                                     formatslen;
1682                         }
1683                 }
1684                 else if (type == TLSEXT_TYPE_session_ticket) {
1685                         if (s->tls_session_ticket_ext_cb &&
1686                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1687                                 *al = TLS1_AD_INTERNAL_ERROR;
1688                                 return 0;
1689                         }
1690                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1691                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1692                                 return 0;
1693                         }
1694                         s->tlsext_ticket_expected = 1;
1695                 }
1696                 else if (type == TLSEXT_TYPE_status_request &&
1697                     s->version != DTLS1_VERSION) {
1698                         /* MUST be empty and only sent if we've requested
1699                          * a status request message.
1700                          */
1701                         if ((s->tlsext_status_type == -1) || (size > 0)) {
1702                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1703                                 return 0;
1704                         }
1705                         /* Set flag to expect CertificateStatus message */
1706                         s->tlsext_status_expected = 1;
1707                 }
1708                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1709                     s->s3->tmp.finish_md_len == 0) {
1710                         unsigned char *selected;
1711                         unsigned char selected_len;
1712
1713                         /* We must have requested it. */
1714                         if (s->ctx->next_proto_select_cb == NULL) {
1715                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1716                                 return 0;
1717                         }
1718                         /* The data must be valid */
1719                         if (!ssl_next_proto_validate(data, size)) {
1720                                 *al = TLS1_AD_DECODE_ERROR;
1721                                 return 0;
1722                         }
1723                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1724                                 *al = TLS1_AD_INTERNAL_ERROR;
1725                                 return 0;
1726                         }
1727                         s->next_proto_negotiated = malloc(selected_len);
1728                         if (!s->next_proto_negotiated) {
1729                                 *al = TLS1_AD_INTERNAL_ERROR;
1730                                 return 0;
1731                         }
1732                         memcpy(s->next_proto_negotiated, selected, selected_len);
1733                         s->next_proto_negotiated_len = selected_len;
1734                         s->s3->next_proto_neg_seen = 1;
1735                 }
1736                 else if (type ==
1737                     TLSEXT_TYPE_application_layer_protocol_negotiation) {
1738                         unsigned int len;
1739
1740                         /* We must have requested it. */
1741                         if (s->alpn_client_proto_list == NULL) {
1742                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1743                                 return 0;
1744                         }
1745                         if (size < 4) {
1746                                 *al = TLS1_AD_DECODE_ERROR;
1747                                 return (0);
1748                         }
1749
1750                         /* The extension data consists of:
1751                          *   uint16 list_length
1752                          *   uint8 proto_length;
1753                          *   uint8 proto[proto_length]; */
1754                         len = ((unsigned int)data[0]) << 8 |
1755                             ((unsigned int)data[1]);
1756                         if (len != (unsigned int)size - 2) {
1757                                 *al = TLS1_AD_DECODE_ERROR;
1758                                 return (0);
1759                         }
1760                         len = data[2];
1761                         if (len != (unsigned int)size - 3) {
1762                                 *al = TLS1_AD_DECODE_ERROR;
1763                                 return (0);
1764                         }
1765                         free(s->s3->alpn_selected);
1766                         s->s3->alpn_selected = malloc(len);
1767                         if (s->s3->alpn_selected == NULL) {
1768                                 *al = TLS1_AD_INTERNAL_ERROR;
1769                                 return (0);
1770                         }
1771                         memcpy(s->s3->alpn_selected, data + 3, len);
1772                         s->s3->alpn_selected_len = len;
1773
1774                 } else if (type == TLSEXT_TYPE_renegotiate) {
1775                         if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1776                                 return 0;
1777                         renegotiate_seen = 1;
1778                 }
1779 #ifndef OPENSSL_NO_SRTP
1780                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1781                         if (ssl_parse_serverhello_use_srtp_ext(s, data,
1782                             size, al))
1783                                 return 0;
1784                 }
1785 #endif
1786
1787                 data += size;
1788
1789         }
1790
1791         if (data != d + n) {
1792                 *al = SSL_AD_DECODE_ERROR;
1793                 return 0;
1794         }
1795
1796         if (!s->hit && tlsext_servername == 1) {
1797                 if (s->tlsext_hostname) {
1798                         if (s->session->tlsext_hostname == NULL) {
1799                                 s->session->tlsext_hostname =
1800                                     strdup(s->tlsext_hostname);
1801
1802                                 if (!s->session->tlsext_hostname) {
1803                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1804                                         return 0;
1805                                 }
1806                         } else {
1807                                 *al = SSL_AD_DECODE_ERROR;
1808                                 return 0;
1809                         }
1810                 }
1811         }
1812
1813         *p = data;
1814
1815 ri_check:
1816
1817         /* Determine if we need to see RI. Strictly speaking if we want to
1818          * avoid an attack we should *always* see RI even on initial server
1819          * hello because the client doesn't see any renegotiation during an
1820          * attack. However this would mean we could not connect to any server
1821          * which doesn't support RI so for the immediate future tolerate RI
1822          * absence on initial connect only.
1823          */
1824         if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1825                 *al = SSL_AD_HANDSHAKE_FAILURE;
1826                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1827                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1828                 return 0;
1829         }
1830
1831         return 1;
1832 }
1833
1834 int
1835 ssl_check_clienthello_tlsext_early(SSL *s)
1836 {
1837         int ret = SSL_TLSEXT_ERR_NOACK;
1838         int al = SSL_AD_UNRECOGNIZED_NAME;
1839
1840         /* The handling of the ECPointFormats extension is done elsewhere, namely in
1841          * ssl3_choose_cipher in s3_lib.c.
1842          */
1843         /* The handling of the EllipticCurves extension is done elsewhere, namely in
1844          * ssl3_choose_cipher in s3_lib.c.
1845          */
1846
1847         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1848                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1849         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1850                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1851
1852         switch (ret) {
1853         case SSL_TLSEXT_ERR_ALERT_FATAL:
1854                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1855                 return -1;
1856         case SSL_TLSEXT_ERR_ALERT_WARNING:
1857                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1858                 return 1;
1859         case SSL_TLSEXT_ERR_NOACK:
1860                 s->servername_done = 0;
1861         default:
1862                 return 1;
1863         }
1864 }
1865
1866 int
1867 ssl_check_clienthello_tlsext_late(SSL *s)
1868 {
1869         int ret = SSL_TLSEXT_ERR_OK;
1870         int al = 0;     /* XXX gcc3 */
1871
1872         /* If status request then ask callback what to do.
1873          * Note: this must be called after servername callbacks in case
1874          * the certificate has changed, and must be called after the cipher
1875          * has been chosen because this may influence which certificate is sent
1876          */
1877         if ((s->tlsext_status_type != -1) &&
1878             s->ctx && s->ctx->tlsext_status_cb) {
1879                 int r;
1880                 CERT_PKEY *certpkey;
1881                 certpkey = ssl_get_server_send_pkey(s);
1882                 /* If no certificate can't return certificate status */
1883                 if (certpkey == NULL) {
1884                         s->tlsext_status_expected = 0;
1885                         return 1;
1886                 }
1887                 /* Set current certificate to one we will use so
1888                  * SSL_get_certificate et al can pick it up.
1889                  */
1890                 s->cert->key = certpkey;
1891                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1892                 switch (r) {
1893                         /* We don't want to send a status request response */
1894                 case SSL_TLSEXT_ERR_NOACK:
1895                         s->tlsext_status_expected = 0;
1896                         break;
1897                         /* status request response should be sent */
1898                 case SSL_TLSEXT_ERR_OK:
1899                         if (s->tlsext_ocsp_resp)
1900                                 s->tlsext_status_expected = 1;
1901                         else
1902                                 s->tlsext_status_expected = 0;
1903                         break;
1904                         /* something bad happened */
1905                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1906                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1907                         al = SSL_AD_INTERNAL_ERROR;
1908                         goto err;
1909                 }
1910         } else
1911                 s->tlsext_status_expected = 0;
1912
1913 err:
1914         switch (ret) {
1915         case SSL_TLSEXT_ERR_ALERT_FATAL:
1916                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1917                 return -1;
1918         case SSL_TLSEXT_ERR_ALERT_WARNING:
1919                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1920                 return 1;
1921         default:
1922                 return 1;
1923         }
1924 }
1925
1926 int
1927 ssl_check_serverhello_tlsext(SSL *s)
1928 {
1929         int ret = SSL_TLSEXT_ERR_NOACK;
1930         int al = SSL_AD_UNRECOGNIZED_NAME;
1931
1932         /* If we are client and using an elliptic curve cryptography cipher
1933          * suite, then if server returns an EC point formats lists extension
1934          * it must contain uncompressed.
1935          */
1936         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1937         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1938         if ((s->tlsext_ecpointformatlist != NULL) &&
1939             (s->tlsext_ecpointformatlist_length > 0) &&
1940             (s->session->tlsext_ecpointformatlist != NULL) &&
1941             (s->session->tlsext_ecpointformatlist_length > 0) &&
1942             ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1943                 /* we are using an ECC cipher */
1944                 size_t i;
1945                 unsigned char *list;
1946                 int found_uncompressed = 0;
1947                 list = s->session->tlsext_ecpointformatlist;
1948                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1949                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1950                                 found_uncompressed = 1;
1951                                 break;
1952                         }
1953                 }
1954                 if (!found_uncompressed) {
1955                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1956                         return -1;
1957                 }
1958         }
1959         ret = SSL_TLSEXT_ERR_OK;
1960
1961         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1962                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1963         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1964                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1965
1966         /* If we've requested certificate status and we wont get one
1967          * tell the callback
1968          */
1969         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1970             s->ctx && s->ctx->tlsext_status_cb) {
1971                 int r;
1972                 /* Set resp to NULL, resplen to -1 so callback knows
1973                  * there is no response.
1974                  */
1975                 free(s->tlsext_ocsp_resp);
1976                 s->tlsext_ocsp_resp = NULL;
1977                 s->tlsext_ocsp_resplen = -1;
1978                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1979                 if (r == 0) {
1980                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1981                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1982                 }
1983                 if (r < 0) {
1984                         al = SSL_AD_INTERNAL_ERROR;
1985                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1986                 }
1987         }
1988
1989         switch (ret) {
1990         case SSL_TLSEXT_ERR_ALERT_FATAL:
1991                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1992
1993                 return -1;
1994         case SSL_TLSEXT_ERR_ALERT_WARNING:
1995                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1996
1997                 return 1;
1998         case SSL_TLSEXT_ERR_NOACK:
1999                 s->servername_done = 0;
2000         default:
2001                 return 1;
2002         }
2003 }
2004
2005 /* Since the server cache lookup is done early on in the processing of the
2006  * ClientHello, and other operations depend on the result, we need to handle
2007  * any TLS session ticket extension at the same time.
2008  *
2009  *   session_id: points at the session ID in the ClientHello. This code will
2010  *       read past the end of this in order to parse out the session ticket
2011  *       extension, if any.
2012  *   len: the length of the session ID.
2013  *   limit: a pointer to the first byte after the ClientHello.
2014  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2015  *       point to the resulting session.
2016  *
2017  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2018  * ciphersuite, in which case we have no use for session tickets and one will
2019  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2020  *
2021  * Returns:
2022  *   -1: fatal error, either from parsing or decrypting the ticket.
2023  *    0: no ticket was found (or was ignored, based on settings).
2024  *    1: a zero length extension was found, indicating that the client supports
2025  *       session tickets but doesn't currently have one to offer.
2026  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2027  *       couldn't be decrypted because of a non-fatal error.
2028  *    3: a ticket was successfully decrypted and *ret was set.
2029  *
2030  * Side effects:
2031  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2032  *   a new session ticket to the client because the client indicated support
2033  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2034  *   a session ticket or we couldn't use the one it gave us, or if
2035  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2036  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2037  */
2038 int
2039 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2040     const unsigned char *limit, SSL_SESSION **ret)
2041 {
2042         /* Point after session ID in client hello */
2043         CBS session_id, cookie, cipher_list, compress_algo, extensions;
2044
2045         *ret = NULL;
2046         s->tlsext_ticket_expected = 0;
2047
2048         /* If tickets disabled behave as if no ticket present
2049          * to permit stateful resumption.
2050          */
2051         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2052                 return 0;
2053         if (!limit)
2054                 return 0;
2055
2056         if (limit < session)
2057                 return -1;
2058
2059         CBS_init(&session_id, session, limit - session);
2060
2061         /* Skip past the session id */
2062         if (!CBS_skip(&session_id, session_len))
2063                 return -1;
2064
2065         /* Skip past DTLS cookie */
2066         if (SSL_IS_DTLS(s)) {
2067                 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2068                         return -1;
2069         }
2070
2071         /* Skip past cipher list */
2072         if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2073                 return -1;
2074
2075         /* Skip past compression algorithm list */
2076         if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2077                 return -1;
2078
2079         /* Now at start of extensions */
2080         if (CBS_len(&session_id) == 0)
2081                 return 0;
2082         if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2083                 return -1;
2084
2085         while (CBS_len(&extensions) > 0) {
2086                 CBS ext_data;
2087                 uint16_t ext_type;
2088
2089                 if (!CBS_get_u16(&extensions, &ext_type) ||
2090                     !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2091                         return -1;
2092
2093                 if (ext_type == TLSEXT_TYPE_session_ticket) {
2094                         int r;
2095                         if (CBS_len(&ext_data) == 0) {
2096                                 /* The client will accept a ticket but doesn't
2097                                  * currently have one. */
2098                                 s->tlsext_ticket_expected = 1;
2099                                 return 1;
2100                         }
2101                         if (s->tls_session_secret_cb) {
2102                                 /* Indicate that the ticket couldn't be
2103                                  * decrypted rather than generating the session
2104                                  * from ticket now, trigger abbreviated
2105                                  * handshake based on external mechanism to
2106                                  * calculate the master secret later. */
2107                                 return 2;
2108                         }
2109
2110                         r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2111                             CBS_len(&ext_data), session, session_len, ret);
2112
2113                         switch (r) {
2114                         case 2: /* ticket couldn't be decrypted */
2115                                 s->tlsext_ticket_expected = 1;
2116                                 return 2;
2117                         case 3: /* ticket was decrypted */
2118                                 return r;
2119                         case 4: /* ticket decrypted but need to renew */
2120                                 s->tlsext_ticket_expected = 1;
2121                                 return 3;
2122                         default: /* fatal error */
2123                                 return -1;
2124                         }
2125                 }
2126         }
2127         return 0;
2128 }
2129
2130 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2131  *
2132  *   etick: points to the body of the session ticket extension.
2133  *   eticklen: the length of the session tickets extenion.
2134  *   sess_id: points at the session ID.
2135  *   sesslen: the length of the session ID.
2136  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2137  *       point to the resulting session.
2138  *
2139  * Returns:
2140  *   -1: fatal error, either from parsing or decrypting the ticket.
2141  *    2: the ticket couldn't be decrypted.
2142  *    3: a ticket was successfully decrypted and *psess was set.
2143  *    4: same as 3, but the ticket needs to be renewed.
2144  */
2145 static int
2146 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2147     const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2148 {
2149         SSL_SESSION *sess;
2150         unsigned char *sdec;
2151         const unsigned char *p;
2152         int slen, mlen, renew_ticket = 0;
2153         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2154         HMAC_CTX hctx;
2155         EVP_CIPHER_CTX ctx;
2156         SSL_CTX *tctx = s->initial_ctx;
2157         /* Need at least keyname + iv + some encrypted data */
2158         if (eticklen < 48)
2159                 return 2;
2160         /* Initialize session ticket encryption and HMAC contexts */
2161         HMAC_CTX_init(&hctx);
2162         EVP_CIPHER_CTX_init(&ctx);
2163         if (tctx->tlsext_ticket_key_cb) {
2164                 unsigned char *nctick = (unsigned char *)etick;
2165                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2166                     &ctx, &hctx, 0);
2167                 if (rv < 0) {
2168                         EVP_CIPHER_CTX_cleanup(&ctx);
2169                         return -1;
2170                 }
2171                 if (rv == 0) {
2172                         EVP_CIPHER_CTX_cleanup(&ctx);
2173                         return 2;
2174                 }
2175                 if (rv == 2)
2176                         renew_ticket = 1;
2177         } else {
2178                 /* Check key name matches */
2179                 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2180                         return 2;
2181                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2182                     tlsext_tick_md(), NULL);
2183                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2184                     tctx->tlsext_tick_aes_key, etick + 16);
2185         }
2186         /* Attempt to process session ticket, first conduct sanity and
2187          * integrity checks on ticket.
2188          */
2189         mlen = HMAC_size(&hctx);
2190         if (mlen < 0) {
2191                 EVP_CIPHER_CTX_cleanup(&ctx);
2192                 return -1;
2193         }
2194         eticklen -= mlen;
2195         /* Check HMAC of encrypted ticket */
2196         HMAC_Update(&hctx, etick, eticklen);
2197         HMAC_Final(&hctx, tick_hmac, NULL);
2198         HMAC_CTX_cleanup(&hctx);
2199         if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2200                 EVP_CIPHER_CTX_cleanup(&ctx);
2201                 return 2;
2202         }
2203         /* Attempt to decrypt session data */
2204         /* Move p after IV to start of encrypted ticket, update length */
2205         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2206         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2207         sdec = malloc(eticklen);
2208         if (!sdec) {
2209                 EVP_CIPHER_CTX_cleanup(&ctx);
2210                 return -1;
2211         }
2212         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2213         if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2214                 free(sdec);
2215                 EVP_CIPHER_CTX_cleanup(&ctx);
2216                 return 2;
2217         }
2218         slen += mlen;
2219         EVP_CIPHER_CTX_cleanup(&ctx);
2220         p = sdec;
2221
2222         sess = d2i_SSL_SESSION(NULL, &p, slen);
2223         free(sdec);
2224         if (sess) {
2225                 /* The session ID, if non-empty, is used by some clients to
2226                  * detect that the ticket has been accepted. So we copy it to
2227                  * the session structure. If it is empty set length to zero
2228                  * as required by standard.
2229                  */
2230                 if (sesslen)
2231                         memcpy(sess->session_id, sess_id, sesslen);
2232                 sess->session_id_length = sesslen;
2233                 *psess = sess;
2234                 if (renew_ticket)
2235                         return 4;
2236                 else
2237                         return 3;
2238         }
2239         ERR_clear_error();
2240         /* For session parse failure, indicate that we need to send a new
2241          * ticket. */
2242         return 2;
2243 }
2244
2245 /* Tables to translate from NIDs to TLS v1.2 ids */
2246
2247 typedef struct {
2248         int nid;
2249         int id;
2250 } tls12_lookup;
2251
2252 static tls12_lookup tls12_md[] = {
2253         {NID_md5, TLSEXT_hash_md5},
2254         {NID_sha1, TLSEXT_hash_sha1},
2255         {NID_sha224, TLSEXT_hash_sha224},
2256         {NID_sha256, TLSEXT_hash_sha256},
2257         {NID_sha384, TLSEXT_hash_sha384},
2258         {NID_sha512, TLSEXT_hash_sha512},
2259         {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2260         {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2261         {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2262 };
2263
2264 static tls12_lookup tls12_sig[] = {
2265         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2266         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2267         {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2268         {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2269 };
2270
2271 static int
2272 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 {
2274         size_t i;
2275         for (i = 0; i < tlen; i++) {
2276                 if (table[i].nid == nid)
2277                         return table[i].id;
2278         }
2279         return -1;
2280 }
2281
2282 int
2283 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2284 {
2285         int sig_id, md_id;
2286         if (!md)
2287                 return 0;
2288         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2289             sizeof(tls12_md) / sizeof(tls12_lookup));
2290         if (md_id == -1)
2291                 return 0;
2292         sig_id = tls12_get_sigid(pk);
2293         if (sig_id == -1)
2294                 return 0;
2295         p[0] = (unsigned char)md_id;
2296         p[1] = (unsigned char)sig_id;
2297         return 1;
2298 }
2299
2300 int
2301 tls12_get_sigid(const EVP_PKEY *pk)
2302 {
2303         return tls12_find_id(pk->type, tls12_sig,
2304             sizeof(tls12_sig) / sizeof(tls12_lookup));
2305 }
2306
2307 const EVP_MD *
2308 tls12_get_hash(unsigned char hash_alg)
2309 {
2310         switch (hash_alg) {
2311         case TLSEXT_hash_sha1:
2312                 return EVP_sha1();
2313         case TLSEXT_hash_sha224:
2314                 return EVP_sha224();
2315         case TLSEXT_hash_sha256:
2316                 return EVP_sha256();
2317         case TLSEXT_hash_sha384:
2318                 return EVP_sha384();
2319         case TLSEXT_hash_sha512:
2320                 return EVP_sha512();
2321 #ifndef OPENSSL_NO_GOST
2322         case TLSEXT_hash_gost94:
2323                 return EVP_gostr341194();
2324         case TLSEXT_hash_streebog_256:
2325                 return EVP_streebog256();
2326         case TLSEXT_hash_streebog_512:
2327                 return EVP_streebog512();
2328 #endif
2329         default:
2330                 return NULL;
2331         }
2332 }
2333
2334 /* Set preferred digest for each key type */
2335
2336 int
2337 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2338 {
2339         int idx;
2340         const EVP_MD *md;
2341         CERT *c = s->cert;
2342         CBS cbs;
2343
2344         /* Extension ignored for inappropriate versions */
2345         if (!SSL_USE_SIGALGS(s))
2346                 return 1;
2347
2348         /* Should never happen */
2349         if (!c || dsize < 0)
2350                 return 0;
2351
2352         CBS_init(&cbs, data, dsize);
2353
2354         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2355         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2356         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2357         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2358         c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2359
2360         while (CBS_len(&cbs) > 0) {
2361                 uint8_t hash_alg, sig_alg;
2362
2363                 if (!CBS_get_u8(&cbs, &hash_alg) ||
2364                     !CBS_get_u8(&cbs, &sig_alg)) {
2365                         /* Should never happen */
2366                         return 0;
2367                 }
2368
2369                 switch (sig_alg) {
2370                 case TLSEXT_signature_rsa:
2371                         idx = SSL_PKEY_RSA_SIGN;
2372                         break;
2373                 case TLSEXT_signature_dsa:
2374                         idx = SSL_PKEY_DSA_SIGN;
2375                         break;
2376                 case TLSEXT_signature_ecdsa:
2377                         idx = SSL_PKEY_ECC;
2378                         break;
2379                 case TLSEXT_signature_gostr01:
2380                 case TLSEXT_signature_gostr12_256:
2381                 case TLSEXT_signature_gostr12_512:
2382                         idx = SSL_PKEY_GOST01;
2383                         break;
2384                 default:
2385                         continue;
2386                 }
2387
2388                 if (c->pkeys[idx].digest == NULL) {
2389                         md = tls12_get_hash(hash_alg);
2390                         if (md) {
2391                                 c->pkeys[idx].digest = md;
2392                                 if (idx == SSL_PKEY_RSA_SIGN)
2393                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2394                         }
2395                 }
2396
2397         }
2398
2399         /* Set any remaining keys to default values. NOTE: if alg is not
2400          * supported it stays as NULL.
2401          */
2402         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2403                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2404         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2405                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2406                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2407         }
2408         if (!c->pkeys[SSL_PKEY_ECC].digest)
2409                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2410 #ifndef OPENSSL_NO_GOST
2411         if (!c->pkeys[SSL_PKEY_GOST01].digest)
2412                 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
2413 #endif
2414         return 1;
2415 }
DragonFly Project Source