projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Output supported curves in preference order instead of numerically.
[openssl.git] / ssl / t1_lib.c
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3c6907f608faeef8ed2fd12d283baa1550311dbf..ac9931d7f2bd7b7c4876c8a7f2be701d21bb2779 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -166,10 +166,11 @@ void tls1_free(SSL *s)
 void tls1_clear(SSL *s)
        {
        ssl3_clear(s);
-       s->version=TLS1_VERSION;
+       s->version = s->method->version;
        }
 
 #ifndef OPENSSL_NO_EC
+
 static int nid_list[] =
        {
                NID_sect163k1, /* sect163k1 (1) */
@@ -198,7 +199,36 @@ static int nid_list[] =
                NID_secp384r1, /* secp384r1 (24) */
                NID_secp521r1  /* secp521r1 (25) */     
        };
-       
+
+static int pref_list[] =
+       {
+               NID_sect571r1, /* sect571r1 (14) */ 
+               NID_sect571k1, /* sect571k1 (13) */ 
+               NID_secp521r1, /* secp521r1 (25) */     
+               NID_sect409k1, /* sect409k1 (11) */ 
+               NID_sect409r1, /* sect409r1 (12) */
+               NID_secp384r1, /* secp384r1 (24) */
+               NID_sect283k1, /* sect283k1 (9) */
+               NID_sect283r1, /* sect283r1 (10) */ 
+               NID_secp256k1, /* secp256k1 (22) */ 
+               NID_X9_62_prime256v1, /* secp256r1 (23) */ 
+               NID_sect239k1, /* sect239k1 (8) */ 
+               NID_sect233k1, /* sect233k1 (6) */
+               NID_sect233r1, /* sect233r1 (7) */ 
+               NID_secp224k1, /* secp224k1 (20) */ 
+               NID_secp224r1, /* secp224r1 (21) */
+               NID_sect193r1, /* sect193r1 (4) */ 
+               NID_sect193r2, /* sect193r2 (5) */ 
+               NID_secp192k1, /* secp192k1 (18) */
+               NID_X9_62_prime192v1, /* secp192r1 (19) */ 
+               NID_sect163k1, /* sect163k1 (1) */
+               NID_sect163r1, /* sect163r1 (2) */
+               NID_sect163r2, /* sect163r2 (3) */
+               NID_secp160k1, /* secp160k1 (15) */
+               NID_secp160r1, /* secp160r1 (16) */ 
+               NID_secp160r2, /* secp160r2 (17) */ 
+       };
+
 int tls1_ec_curve_id2nid(int curve_id)
        {
        /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
@@ -270,11 +300,74 @@ int tls1_ec_nid2curve_id(int nid)
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
+
+/* List of supported signature algorithms and hashes. Should make this
+ * customisable at some point, for now include everything we support.
+ */
+
+#ifdef OPENSSL_NO_RSA
+#define tlsext_sigalg_rsa(md) /* */
+#else
+#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
+#endif
+
+#ifdef OPENSSL_NO_DSA
+#define tlsext_sigalg_dsa(md) /* */
+#else
+#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
+#endif
+
+#ifdef OPENSSL_NO_ECDSA
+#define tlsext_sigalg_ecdsa(md) /* */
+#else
+#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_dsa,
+#endif
+
+#define tlsext_sigalg(md) \
+               tlsext_sigalg_rsa(md) \
+               tlsext_sigalg_dsa(md) \
+               tlsext_sigalg_ecdsa(md)
+
+static unsigned char tls12_sigalgs[] = {
+#ifndef OPENSSL_NO_SHA512
+       tlsext_sigalg(TLSEXT_hash_sha512)
+       tlsext_sigalg(TLSEXT_hash_sha384)
+#endif
+#ifndef OPENSSL_NO_SHA256
+       tlsext_sigalg(TLSEXT_hash_sha256)
+       tlsext_sigalg(TLSEXT_hash_sha224)
+#endif
+#ifndef OPENSSL_NO_SHA
+       tlsext_sigalg(TLSEXT_hash_sha1)
+#endif
+#ifndef OPENSSL_NO_MD5
+       tlsext_sigalg_rsa(TLSEXT_hash_md5)
+#endif
+};
+
+int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+       {
+       size_t slen = sizeof(tls12_sigalgs);
+#ifdef OPENSSL_FIPS
+       /* If FIPS mode don't include MD5 which is last */
+       if (FIPS_mode())
+               slen -= 2;
+#endif
+       if (p)
+               memcpy(p, tls12_sigalgs, slen);
+       return (int)slen;
+       }
+
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        {
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3 unless doing secure renegotiation */
+       if (s->client_version == SSL3_VERSION
+                                       && !s->s3->send_connection_binding)
+               return p;
+
        ret+=2;
 
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -311,8 +404,58 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                ret+=size_str;
                }
 
+        /* Add RI if renegotiating */
+        if (s->renegotiate)
+          {
+          int el;
+          
+          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
+              {
+              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          if((limit - p - 4 - el) < 0) return NULL;
+          
+          s2n(TLSEXT_TYPE_renegotiate,ret);
+          s2n(el,ret);
+
+          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
+              {
+              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          ret += el;
+        }
+
+#ifndef OPENSSL_NO_SRP
+#define MIN(x,y) (((x)<(y))?(x):(y))
+       /* we add SRP username the first time only if we have one! */
+       if (s->srp_ctx.login != NULL)
+               {/* Add TLS extension SRP username to the Client Hello message */
+               int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
+               long lenmax; 
+
+               if ((lenmax = limit - ret - 5) < 0) return NULL; 
+               if (login_len > lenmax) return NULL;
+               if (login_len > 255)
+                       {
+                       SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+                       return NULL;
+                       }
+               s2n(TLSEXT_TYPE_srp,ret);
+               s2n(login_len+1,ret);
+
+               (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
+               memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
+               ret+=login_len;
+               }
+#endif
+
 #ifndef OPENSSL_NO_EC
-       if (s->tlsext_ecpointformatlist != NULL)
+       if (s->tlsext_ecpointformatlist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension ECPointFormats to the ClientHello message */
                long lenmax; 
@@ -331,7 +474,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
                ret+=s->tlsext_ecpointformatlist_length;
                }
-       if (s->tlsext_ellipticcurvelist != NULL)
+       if (s->tlsext_ellipticcurvelist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension EllipticCurves to the ClientHello message */
                long lenmax; 
@@ -361,7 +505,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
                {
                int ticklen;
-               if (s->session && s->session->tlsext_tick)
+               if (!s->new_session && s->session && s->session->tlsext_tick)
                        ticklen = s->session->tlsext_ticklen;
                else if (s->session && s->tlsext_session_ticket &&
                         s->tlsext_session_ticket->data)
@@ -394,8 +538,20 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
                skip_ext:
 
+       if (TLS1_get_version(s) >= TLS1_2_VERSION)
+               {
+               if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
+                       return NULL; 
+               s2n(TLSEXT_TYPE_signature_algorithms,ret);
+               s2n(sizeof(tls12_sigalgs) + 2, ret);
+               s2n(sizeof(tls12_sigalgs), ret);
+               memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
+               ret += sizeof(tls12_sigalgs);
+               }
+
 #ifdef TLSEXT_TYPE_opaque_prf_input
-       if (s->s3->client_opaque_prf_input != NULL)
+       if (s->s3->client_opaque_prf_input != NULL &&
+           s->version != DTLS1_VERSION)
                {
                size_t col = s->s3->client_opaque_prf_input_len;
                
@@ -412,7 +568,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
-       if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+       if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
+           s->version != DTLS1_VERSION)
                {
                int i;
                long extlen, idlen, itmp;
@@ -472,6 +629,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3, unless doing secure renegotiation */
+       if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+               return p;
+       
        ret+=2;
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
 
@@ -482,8 +643,34 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                s2n(TLSEXT_TYPE_server_name,ret);
                s2n(0,ret);
                }
+
+       if(s->s3->send_connection_binding)
+        {
+          int el;
+          
+          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
+              {
+              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          if((limit - p - 4 - el) < 0) return NULL;
+          
+          s2n(TLSEXT_TYPE_renegotiate,ret);
+          s2n(el,ret);
+
+          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
+              {
+              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          ret += el;
+        }
+
 #ifndef OPENSSL_NO_EC
-       if (s->tlsext_ecpointformatlist != NULL)
+       if (s->tlsext_ecpointformatlist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension ECPointFormats to the ServerHello message */
                long lenmax; 
@@ -522,7 +709,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
-       if (s->s3->server_opaque_prf_input != NULL)
+       if (s->s3->server_opaque_prf_input != NULL &&
+           s->version != DTLS1_VERSION)
                {
                size_t sol = s->s3->server_opaque_prf_input_len;
                
@@ -566,15 +754,18 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        unsigned short size;
        unsigned short len;
        unsigned char *data = *p;
+       int renegotiate_seen = 0;
+       int sigalg_seen = 0;
+
        s->servername_done = 0;
        s->tlsext_status_type = -1;
 
        if (data >= (d+n-2))
-               return 1;
+               goto ri_check;
        n2s(data,len);
 
        if (data > (d+n-len)) 
-               return 1;
+               goto ri_check;
 
        while (data <= (d+n-4))
                {
@@ -582,7 +773,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return 1;
+                       goto ri_check;
 #if 0
                fprintf(stderr,"Received extension type %d size %d\n",type,size);
 #endif
@@ -647,14 +838,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                switch (servname_type)
                                        {
                                case TLSEXT_NAMETYPE_host_name:
-                                       if (s->session->tlsext_hostname == NULL)
+                                       if (!s->hit)
                                                {
-                                               if (len > TLSEXT_MAXLEN_host_name || 
-                                                       ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+                                               if(s->session->tlsext_hostname)
+                                                       {
+                                                       *al = SSL_AD_DECODE_ERROR;
+                                                       return 0;
+                                                       }
+                                               if (len > TLSEXT_MAXLEN_host_name)
                                                        {
                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
                                                        return 0;
                                                        }
+                                               if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+                                                       {
+                                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                                       return 0;
+                                                       }
                                                memcpy(s->session->tlsext_hostname, sdata, len);
                                                s->session->tlsext_hostname[len]='\0';
                                                if (strlen(s->session->tlsext_hostname) != len) {
@@ -667,7 +867,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
                                                }
                                        else 
-                                               s->servername_done = strlen(s->session->tlsext_hostname) == len 
+                                               s->servername_done = s->session->tlsext_hostname
+                                                       && strlen(s->session->tlsext_hostname) == len 
                                                        && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
                                        
                                        break;
@@ -685,9 +886,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                }
 
                        }
+#ifndef OPENSSL_NO_SRP
+               else if (type == TLSEXT_TYPE_srp)
+                       {
+                       if (size > 0)
+                               {
+                               len = data[0];
+                               if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
+                                       return -1;
+                               memcpy(s->srp_ctx.login, &data[1], len);
+                               s->srp_ctx.login[len]='\0';  
+                               }
+                       }
+#endif
 
 #ifndef OPENSSL_NO_EC
-               else if (type == TLSEXT_TYPE_ec_point_formats)
+               else if (type == TLSEXT_TYPE_ec_point_formats &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
@@ -697,15 +912,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ecpointformatlist_length = 0;
-                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-                       if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ecpointformatlist)
+                                       {
+                                       OPENSSL_free(s->session->tlsext_ecpointformatlist);
+                                       s->session->tlsext_ecpointformatlist = NULL;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = 0;
+                               if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+                               memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                                }
-                       s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                       memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
                        sdata = s->session->tlsext_ecpointformatlist;
@@ -714,7 +936,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        fprintf(stderr,"\n");
 #endif
                        }
-               else if (type == TLSEXT_TYPE_elliptic_curves)
+               else if (type == TLSEXT_TYPE_elliptic_curves &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ellipticcurvelist_length = (*(sdata++) << 8);
@@ -725,15 +948,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ellipticcurvelist_length = 0;
-                       if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
-                       if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ellipticcurvelist)
+                                       {
+                                       *al = TLS1_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = 0;
+                               if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+                               memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                                }
-                       s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-                       memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
                        sdata = s->session->tlsext_ellipticcurvelist;
@@ -744,7 +974,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 #endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
-               else if (type == TLSEXT_TYPE_opaque_prf_input)
+               else if (type == TLSEXT_TYPE_opaque_prf_input &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
 
@@ -782,8 +1013,36 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                                }
                        }
-               else if (type == TLSEXT_TYPE_status_request
-                                               && s->ctx->tlsext_status_cb)
+               else if (type == TLSEXT_TYPE_renegotiate)
+                       {
+                       if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+                               return 0;
+                       renegotiate_seen = 1;
+                       }
+               else if (type == TLSEXT_TYPE_signature_algorithms)
+                       {
+                       int dsize;
+                       if (sigalg_seen || size < 2) 
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       sigalg_seen = 1;
+                       n2s(data,dsize);
+                       size -= 2;
+                       if (dsize != size || dsize & 1) 
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       if (!tls1_process_sigalgs(s, data, dsize))
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       }
+               else if (type == TLSEXT_TYPE_status_request &&
+                        s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
                        {
                
                        if (size < 5) 
@@ -817,6 +1076,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                                }
                                        n2s(data, idsize);
                                        dsize -= 2 + idsize;
+                                       size -= 2 + idsize;
                                        if (dsize < 0)
                                                {
                                                *al = SSL_AD_DECODE_ERROR;
@@ -855,9 +1115,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                        }
 
                                /* Read in request_extensions */
+                               if (size < 2)
+                                       {
+                                       *al = SSL_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
                                n2s(data,dsize);
                                size -= 2;
-                               if (dsize > size) 
+                               if (dsize != size)
                                        {
                                        *al = SSL_AD_DECODE_ERROR;
                                        return 0;
@@ -888,22 +1153,41 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                }
                                
        *p = data;
+
+       ri_check:
+
+       /* Need RI if renegotiating */
+
+       if (!renegotiate_seen && s->renegotiate &&
+               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               {
+               *al = SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
+                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+               return 0;
+               }
+
        return 1;
        }
 
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
+       unsigned short length;
        unsigned short type;
        unsigned short size;
-       unsigned short len;  
        unsigned char *data = *p;
-
        int tlsext_servername = 0;
+       int renegotiate_seen = 0;
 
        if (data >= (d+n-2))
-               return 1;
+               goto ri_check;
 
-       n2s(data,len);
+       n2s(data,length);
+       if (data+length != d+n)
+               {
+               *al = SSL_AD_DECODE_ERROR;
+               return 0;
+               }
 
        while(data <= (d+n-4))
                {
@@ -911,7 +1195,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return 1;
+                       goto ri_check;
 
                if (s->tlsext_debug_cb)
                        s->tlsext_debug_cb(s, 1, type, data, size,
@@ -928,7 +1212,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 
 #ifndef OPENSSL_NO_EC
-               else if (type == TLSEXT_TYPE_ec_point_formats)
+               else if (type == TLSEXT_TYPE_ec_point_formats &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
@@ -974,7 +1259,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        s->tlsext_ticket_expected = 1;
                        }
 #ifdef TLSEXT_TYPE_opaque_prf_input
-               else if (type == TLSEXT_TYPE_opaque_prf_input)
+               else if (type == TLSEXT_TYPE_opaque_prf_input &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
 
@@ -1004,7 +1290,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                }
                        }
 #endif
-               else if (type == TLSEXT_TYPE_status_request)
+               else if (type == TLSEXT_TYPE_status_request &&
+                        s->version != DTLS1_VERSION)
                        {
                        /* MUST be empty and only sent if we've requested
                         * a status request message.
@@ -1017,7 +1304,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        /* Set flag to expect CertificateStatus message */
                        s->tlsext_status_expected = 1;
                        }
-
+               else if (type == TLSEXT_TYPE_renegotiate)
+                       {
+                       if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+                               return 0;
+                       renegotiate_seen = 1;
+                       }
                data+=size;             
                }
 
@@ -1049,6 +1341,26 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                }
 
        *p = data;
+
+       ri_check:
+
+       /* Determine if we need to see RI. Strictly speaking if we want to
+        * avoid an attack we should *always* see RI even on initial server
+        * hello because the client doesn't see any renegotiation during an
+        * attack. However this would mean we could not connect to any server
+        * which doesn't support RI so for the immediate future tolerate RI
+        * absence on initial connect only.
+        */
+       if (!renegotiate_seen
+               && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
+               && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               {
+               *al = SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+               return 0;
+               }
+
        return 1;
        }
 
@@ -1077,7 +1389,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
                        break;
                        }
                }
-       using_ecc = using_ecc && (s->version == TLS1_VERSION);
+       using_ecc = using_ecc && (s->version >= TLS1_VERSION);
        if (using_ecc)
                {
                if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
@@ -1093,16 +1405,19 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
 
                /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
                if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
-               s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
+               s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
                if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
                        {
                        s->tlsext_ellipticcurvelist_length = 0;
                        SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
                        return -1;
                        }
-               for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
-                               sizeof(nid_list)/sizeof(nid_list[0]); i++)
-                       s2n(i,j);
+               for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
+                               sizeof(pref_list)/sizeof(pref_list[0]); i++)
+                       {
+                       int id = tls1_ec_nid2curve_id(pref_list[i]);
+                       s2n(id,j);
+                       }
                }
 #endif /* OPENSSL_NO_EC */
 
@@ -1305,23 +1620,20 @@ int ssl_check_serverhello_tlsext(SSL *s)
        int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
-       /* If we are client and using an elliptic curve cryptography cipher suite, then server
-        * must return a an EC point formats lists containing uncompressed.
+       /* If we are client and using an elliptic curve cryptography cipher
+        * suite, then if server returns an EC point formats lists extension
+        * it must contain uncompressed.
         */
        unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
        if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
+           (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
            ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
                {
                /* we are using an ECC cipher */
                size_t i;
                unsigned char *list;
                int found_uncompressed = 0;
-               if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
-                       {
-                       SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
-                       return -1;
-                       }
                list = s->session->tlsext_ecpointformatlist;
                for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
                        {
@@ -1436,6 +1748,14 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                return 1;
        if (p >= limit)
                return -1;
+       /* Skip past DTLS cookie */
+       if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
+               {
+               i = *(p++);
+               p+= i;
+               if (p >= limit)
+                       return -1;
+               }
        /* Skip past cipher list */
        n2s(p, i);
        p+= i;
@@ -1500,16 +1820,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        unsigned char tick_hmac[EVP_MAX_MD_SIZE];
        HMAC_CTX hctx;
        EVP_CIPHER_CTX ctx;
+       SSL_CTX *tctx = s->initial_ctx;
        /* Need at least keyname + iv + some encrypted data */
        if (eticklen < 48)
                goto tickerr;
        /* Initialize session ticket encryption and HMAC contexts */
        HMAC_CTX_init(&hctx);
        EVP_CIPHER_CTX_init(&ctx);
-       if (s->ctx->tlsext_ticket_key_cb)
+       if (tctx->tlsext_ticket_key_cb)
                {
                unsigned char *nctick = (unsigned char *)etick;
-               int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
+               int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
                                                        &ctx, &hctx, 0);
                if (rv < 0)
                        return -1;
@@ -1521,12 +1842,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        else
                {
                /* Check key name matches */
-               if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
+               if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
                        goto tickerr;
-               HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
+               HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
                                        tlsext_tick_md(), NULL);
                EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                               s->ctx->tlsext_tick_aes_key, etick + 16);
+                               tctx->tlsext_tick_aes_key, etick + 16);
                }
        /* Attempt to process session ticket, first conduct sanity and
         * integrity checks on ticket.
@@ -1585,4 +1906,200 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        return 0;
        }
 
+/* Tables to translate from NIDs to TLS v1.2 ids */
+
+typedef struct 
+       {
+       int nid;
+       int id;
+       } tls12_lookup;
+
+static tls12_lookup tls12_md[] = {
+#ifndef OPENSSL_NO_MD5
+       {NID_md5, TLSEXT_hash_md5},
+#endif
+#ifndef OPENSSL_NO_SHA
+       {NID_sha1, TLSEXT_hash_sha1},
+#endif
+#ifndef OPENSSL_NO_SHA256
+       {NID_sha224, TLSEXT_hash_sha224},
+       {NID_sha256, TLSEXT_hash_sha256},
+#endif
+#ifndef OPENSSL_NO_SHA512
+       {NID_sha384, TLSEXT_hash_sha384},
+       {NID_sha512, TLSEXT_hash_sha512}
+#endif
+};
+
+static tls12_lookup tls12_sig[] = {
+#ifndef OPENSSL_NO_RSA
+       {EVP_PKEY_RSA, TLSEXT_signature_rsa},
+#endif
+#ifndef OPENSSL_NO_RSA
+       {EVP_PKEY_DSA, TLSEXT_signature_dsa},
+#endif
+#ifndef OPENSSL_NO_ECDSA
+       {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
+#endif
+};
+
+static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
+       {
+       size_t i;
+       for (i = 0; i < tlen; i++)
+               {
+               if (table[i].nid == nid)
+                       return table[i].id;
+               }
+       return -1;
+       }
+#if 0
+static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
+       {
+       size_t i;
+       for (i = 0; i < tlen; i++)
+               {
+               if (table[i].id == id)
+                       return table[i].nid;
+               }
+       return -1;
+       }
+#endif
+
+int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
+       {
+       int sig_id, md_id;
+       md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
+                               sizeof(tls12_md)/sizeof(tls12_lookup));
+       if (md_id == -1)
+               return 0;
+       sig_id = tls12_get_sigid(pk);
+       if (sig_id == -1)
+               return 0;
+       p[0] = (unsigned char)md_id;
+       p[1] = (unsigned char)sig_id;
+       return 1;
+       }
+
+int tls12_get_sigid(const EVP_PKEY *pk)
+       {
+       return tls12_find_id(pk->type, tls12_sig,
+                               sizeof(tls12_sig)/sizeof(tls12_lookup));
+       }
+
+const EVP_MD *tls12_get_hash(unsigned char hash_alg)
+       {
+       switch(hash_alg)
+               {
+#ifndef OPENSSL_NO_MD5
+               case TLSEXT_hash_md5:
+#ifdef OPENSSL_FIPS
+               if (FIPS_mode())
+                       return NULL;
+#endif
+               return EVP_md5();
+#endif
+#ifndef OPENSSL_NO_SHA
+               case TLSEXT_hash_sha1:
+               return EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_SHA256
+               case TLSEXT_hash_sha224:
+               return EVP_sha224();
+
+               case TLSEXT_hash_sha256:
+               return EVP_sha256();
+#endif
+#ifndef OPENSSL_NO_SHA512
+               case TLSEXT_hash_sha384:
+               return EVP_sha384();
+
+               case TLSEXT_hash_sha512:
+               return EVP_sha512();
+#endif
+               default:
+               return NULL;
+
+               }
+       }
+
+/* Set preferred digest for each key type */
+
+int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
+       {
+       int i, idx;
+       const EVP_MD *md;
+       CERT *c = s->cert;
+       /* Extension ignored for TLS versions below 1.2 */
+       if (TLS1_get_version(s) < TLS1_2_VERSION)
+               return 1;
+       /* Should never happen */
+       if (!c)
+               return 0;
+
+       c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
+       c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
+       c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
+       c->pkeys[SSL_PKEY_ECC].digest = NULL;
+
+       for (i = 0; i < dsize; i += 2)
+               {
+               unsigned char hash_alg = data[i], sig_alg = data[i+1];
+
+               switch(sig_alg)
+                       {
+#ifndef OPENSSL_NO_RSA
+                       case TLSEXT_signature_rsa:
+                       idx = SSL_PKEY_RSA_SIGN;
+                       break;
+#endif
+#ifndef OPENSSL_NO_DSA
+                       case TLSEXT_signature_dsa:
+                       idx = SSL_PKEY_DSA_SIGN;
+                       break;
+#endif
+#ifndef OPENSSL_NO_ECDSA
+                       case TLSEXT_signature_ecdsa:
+                       idx = SSL_PKEY_ECC;
+                       break;
+#endif
+                       default:
+                       continue;
+                       }
+
+               if (c->pkeys[idx].digest == NULL)
+                       {
+                       md = tls12_get_hash(hash_alg);
+                       if (md)
+                               {
+                               c->pkeys[idx].digest = md;
+                               if (idx == SSL_PKEY_RSA_SIGN)
+                                       c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+                               }
+                       }
+
+               }
+
+
+       /* Set any remaining keys to default values. NOTE: if alg is not
+        * supported it stays as NULL.
+        */
+#ifndef OPENSSL_NO_DSA
+       if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
+               c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+#endif
+#ifndef OPENSSL_NO_RSA
+       if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
+               {
+               c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
+               c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+               }
+#endif
+#ifndef OPENSSL_NO_ECDSA
+       if (!c->pkeys[SSL_PKEY_ECC].digest)
+               c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+#endif
+       return 1;
+       }
+
 #endif
Unnamed repository; edit this file 'description' to name the repository.