]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
mark all block comments that need format preserving so that
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #ifdef OPENSSL_NO_EC2M
117 #include <openssl/ec.h>
118 #endif
119 #include <openssl/ocsp.h>
120 #include <openssl/rand.h>
121 #include "ssl_locl.h"
122
123 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
124
125 #ifndef OPENSSL_NO_TLSEXT
126 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
127 const unsigned char *sess_id, int sesslen,
128 SSL_SESSION **psess);
129 static int ssl_check_clienthello_tlsext_early(SSL *s);
130 int ssl_check_serverhello_tlsext(SSL *s);
131 #endif
132
133 SSL3_ENC_METHOD TLSv1_enc_data={
134 tls1_enc,
135 tls1_mac,
136 tls1_setup_key_block,
137 tls1_generate_master_secret,
138 tls1_change_cipher_state,
139 tls1_final_finish_mac,
140 TLS1_FINISH_MAC_LENGTH,
141 tls1_cert_verify_mac,
142 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
143 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
144 tls1_alert_code,
145 tls1_export_keying_material,
146 0,
147 SSL3_HM_HEADER_LENGTH,
148 ssl3_set_handshake_header,
149 ssl3_handshake_write
150 };
151
152 SSL3_ENC_METHOD TLSv1_1_enc_data={
153 tls1_enc,
154 tls1_mac,
155 tls1_setup_key_block,
156 tls1_generate_master_secret,
157 tls1_change_cipher_state,
158 tls1_final_finish_mac,
159 TLS1_FINISH_MAC_LENGTH,
160 tls1_cert_verify_mac,
161 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
162 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
163 tls1_alert_code,
164 tls1_export_keying_material,
165 SSL_ENC_FLAG_EXPLICIT_IV,
166 SSL3_HM_HEADER_LENGTH,
167 ssl3_set_handshake_header,
168 ssl3_handshake_write
169 };
170
171 SSL3_ENC_METHOD TLSv1_2_enc_data={
172 tls1_enc,
173 tls1_mac,
174 tls1_setup_key_block,
175 tls1_generate_master_secret,
176 tls1_change_cipher_state,
177 tls1_final_finish_mac,
178 TLS1_FINISH_MAC_LENGTH,
179 tls1_cert_verify_mac,
180 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
181 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
182 tls1_alert_code,
183 tls1_export_keying_material,
184 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
185 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
186 SSL3_HM_HEADER_LENGTH,
187 ssl3_set_handshake_header,
188 ssl3_handshake_write
189 };
190
191 long tls1_default_timeout(void)
192 {
193 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
194 * is way too long for http, the cache would over fill */
195 return(60*60*2);
196 }
197
198 int tls1_new(SSL *s)
199 {
200 if (!ssl3_new(s)) return(0);
201 s->method->ssl_clear(s);
202 return(1);
203 }
204
205 void tls1_free(SSL *s)
206 {
207 #ifndef OPENSSL_NO_TLSEXT
208 if (s->tlsext_session_ticket)
209 {
210 OPENSSL_free(s->tlsext_session_ticket);
211 }
212 #endif /* OPENSSL_NO_TLSEXT */
213 ssl3_free(s);
214 }
215
216 void tls1_clear(SSL *s)
217 {
218 ssl3_clear(s);
219 s->version = s->method->version;
220 }
221
222 #ifndef OPENSSL_NO_EC
223
224 static int nid_list[] =
225 {
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_sect193r1, /* sect193r1 (4) */
230 NID_sect193r2, /* sect193r2 (5) */
231 NID_sect233k1, /* sect233k1 (6) */
232 NID_sect233r1, /* sect233r1 (7) */
233 NID_sect239k1, /* sect239k1 (8) */
234 NID_sect283k1, /* sect283k1 (9) */
235 NID_sect283r1, /* sect283r1 (10) */
236 NID_sect409k1, /* sect409k1 (11) */
237 NID_sect409r1, /* sect409r1 (12) */
238 NID_sect571k1, /* sect571k1 (13) */
239 NID_sect571r1, /* sect571r1 (14) */
240 NID_secp160k1, /* secp160k1 (15) */
241 NID_secp160r1, /* secp160r1 (16) */
242 NID_secp160r2, /* secp160r2 (17) */
243 NID_secp192k1, /* secp192k1 (18) */
244 NID_X9_62_prime192v1, /* secp192r1 (19) */
245 NID_secp224k1, /* secp224k1 (20) */
246 NID_secp224r1, /* secp224r1 (21) */
247 NID_secp256k1, /* secp256k1 (22) */
248 NID_X9_62_prime256v1, /* secp256r1 (23) */
249 NID_secp384r1, /* secp384r1 (24) */
250 NID_secp521r1, /* secp521r1 (25) */
251 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
252 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
253 NID_brainpoolP512r1 /* brainpool512r1 (28) */
254 };
255
256
257 static const unsigned char ecformats_default[] =
258 {
259 TLSEXT_ECPOINTFORMAT_uncompressed,
260 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
262 };
263
264 static const unsigned char eccurves_default[] =
265 {
266 #ifndef OPENSSL_NO_EC2M
267 0,14, /* sect571r1 (14) */
268 0,13, /* sect571k1 (13) */
269 #endif
270 0,25, /* secp521r1 (25) */
271 0,28, /* brainpool512r1 (28) */
272 #ifndef OPENSSL_NO_EC2M
273 0,11, /* sect409k1 (11) */
274 0,12, /* sect409r1 (12) */
275 #endif
276 0,27, /* brainpoolP384r1 (27) */
277 0,24, /* secp384r1 (24) */
278 #ifndef OPENSSL_NO_EC2M
279 0,9, /* sect283k1 (9) */
280 0,10, /* sect283r1 (10) */
281 #endif
282 0,26, /* brainpoolP256r1 (26) */
283 0,22, /* secp256k1 (22) */
284 0,23, /* secp256r1 (23) */
285 #ifndef OPENSSL_NO_EC2M
286 0,8, /* sect239k1 (8) */
287 0,6, /* sect233k1 (6) */
288 0,7, /* sect233r1 (7) */
289 #endif
290 0,20, /* secp224k1 (20) */
291 0,21, /* secp224r1 (21) */
292 #ifndef OPENSSL_NO_EC2M
293 0,4, /* sect193r1 (4) */
294 0,5, /* sect193r2 (5) */
295 #endif
296 0,18, /* secp192k1 (18) */
297 0,19, /* secp192r1 (19) */
298 #ifndef OPENSSL_NO_EC2M
299 0,1, /* sect163k1 (1) */
300 0,2, /* sect163r1 (2) */
301 0,3, /* sect163r2 (3) */
302 #endif
303 0,15, /* secp160k1 (15) */
304 0,16, /* secp160r1 (16) */
305 0,17, /* secp160r2 (17) */
306 };
307
308 static const unsigned char suiteb_curves[] =
309 {
310 0, TLSEXT_curve_P_256,
311 0, TLSEXT_curve_P_384
312 };
313
314 #ifdef OPENSSL_FIPS
315 /* Brainpool not allowed in FIPS mode */
316 static const unsigned char fips_curves_default[] =
317 {
318 #ifndef OPENSSL_NO_EC2M
319 0,14, /* sect571r1 (14) */
320 0,13, /* sect571k1 (13) */
321 #endif
322 0,25, /* secp521r1 (25) */
323 #ifndef OPENSSL_NO_EC2M
324 0,11, /* sect409k1 (11) */
325 0,12, /* sect409r1 (12) */
326 #endif
327 0,24, /* secp384r1 (24) */
328 #ifndef OPENSSL_NO_EC2M
329 0,9, /* sect283k1 (9) */
330 0,10, /* sect283r1 (10) */
331 #endif
332 0,22, /* secp256k1 (22) */
333 0,23, /* secp256r1 (23) */
334 #ifndef OPENSSL_NO_EC2M
335 0,8, /* sect239k1 (8) */
336 0,6, /* sect233k1 (6) */
337 0,7, /* sect233r1 (7) */
338 #endif
339 0,20, /* secp224k1 (20) */
340 0,21, /* secp224r1 (21) */
341 #ifndef OPENSSL_NO_EC2M
342 0,4, /* sect193r1 (4) */
343 0,5, /* sect193r2 (5) */
344 #endif
345 0,18, /* secp192k1 (18) */
346 0,19, /* secp192r1 (19) */
347 #ifndef OPENSSL_NO_EC2M
348 0,1, /* sect163k1 (1) */
349 0,2, /* sect163r1 (2) */
350 0,3, /* sect163r2 (3) */
351 #endif
352 0,15, /* secp160k1 (15) */
353 0,16, /* secp160r1 (16) */
354 0,17, /* secp160r2 (17) */
355 };
356 #endif
357
358 int tls1_ec_curve_id2nid(int curve_id)
359 {
360 /* ECC curves from RFC 4492 and RFC 7027 */
361 if ((curve_id < 1) || ((unsigned int)curve_id >
362 sizeof(nid_list)/sizeof(nid_list[0])))
363 return 0;
364 return nid_list[curve_id-1];
365 }
366
367 int tls1_ec_nid2curve_id(int nid)
368 {
369 /* ECC curves from RFC 4492 and RFC 7027 */
370 switch (nid)
371 {
372 case NID_sect163k1: /* sect163k1 (1) */
373 return 1;
374 case NID_sect163r1: /* sect163r1 (2) */
375 return 2;
376 case NID_sect163r2: /* sect163r2 (3) */
377 return 3;
378 case NID_sect193r1: /* sect193r1 (4) */
379 return 4;
380 case NID_sect193r2: /* sect193r2 (5) */
381 return 5;
382 case NID_sect233k1: /* sect233k1 (6) */
383 return 6;
384 case NID_sect233r1: /* sect233r1 (7) */
385 return 7;
386 case NID_sect239k1: /* sect239k1 (8) */
387 return 8;
388 case NID_sect283k1: /* sect283k1 (9) */
389 return 9;
390 case NID_sect283r1: /* sect283r1 (10) */
391 return 10;
392 case NID_sect409k1: /* sect409k1 (11) */
393 return 11;
394 case NID_sect409r1: /* sect409r1 (12) */
395 return 12;
396 case NID_sect571k1: /* sect571k1 (13) */
397 return 13;
398 case NID_sect571r1: /* sect571r1 (14) */
399 return 14;
400 case NID_secp160k1: /* secp160k1 (15) */
401 return 15;
402 case NID_secp160r1: /* secp160r1 (16) */
403 return 16;
404 case NID_secp160r2: /* secp160r2 (17) */
405 return 17;
406 case NID_secp192k1: /* secp192k1 (18) */
407 return 18;
408 case NID_X9_62_prime192v1: /* secp192r1 (19) */
409 return 19;
410 case NID_secp224k1: /* secp224k1 (20) */
411 return 20;
412 case NID_secp224r1: /* secp224r1 (21) */
413 return 21;
414 case NID_secp256k1: /* secp256k1 (22) */
415 return 22;
416 case NID_X9_62_prime256v1: /* secp256r1 (23) */
417 return 23;
418 case NID_secp384r1: /* secp384r1 (24) */
419 return 24;
420 case NID_secp521r1: /* secp521r1 (25) */
421 return 25;
422 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
423 return 26;
424 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
425 return 27;
426 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
427 return 28;
428 default:
429 return 0;
430 }
431 }
432 /*
433 * Get curves list, if "sess" is set return client curves otherwise
434 * preferred list.
435 * Sets |num_curves| to the number of curves in the list, i.e.,
436 * the length of |pcurves| is 2 * num_curves.
437 * Returns 1 on success and 0 if the client curves list has invalid format.
438 * The latter indicates an internal error: we should not be accepting such
439 * lists in the first place.
440 * TODO(emilia): we should really be storing the curves list in explicitly
441 * parsed form instead. (However, this would affect binary compatibility
442 * so cannot happen in the 1.0.x series.)
443 */
444 static int tls1_get_curvelist(SSL *s, int sess,
445 const unsigned char **pcurves,
446 size_t *num_curves)
447 {
448 size_t pcurveslen = 0;
449 if (sess)
450 {
451 *pcurves = s->session->tlsext_ellipticcurvelist;
452 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
453 }
454 else
455 {
456 /* For Suite B mode only include P-256, P-384 */
457 switch (tls1_suiteb(s))
458 {
459 case SSL_CERT_FLAG_SUITEB_128_LOS:
460 *pcurves = suiteb_curves;
461 pcurveslen = sizeof(suiteb_curves);
462 break;
463
464 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
465 *pcurves = suiteb_curves;
466 pcurveslen = 2;
467 break;
468
469 case SSL_CERT_FLAG_SUITEB_192_LOS:
470 *pcurves = suiteb_curves + 2;
471 pcurveslen = 2;
472 break;
473 default:
474 *pcurves = s->tlsext_ellipticcurvelist;
475 pcurveslen = s->tlsext_ellipticcurvelist_length;
476 }
477 if (!*pcurves)
478 {
479 #ifdef OPENSSL_FIPS
480 if (FIPS_mode())
481 {
482 *pcurves = fips_curves_default;
483 *pcurveslen = sizeof(fips_curves_default);
484 }
485 else
486 #endif
487 {
488 *pcurves = eccurves_default;
489 pcurveslen = sizeof(eccurves_default);
490 }
491 }
492 }
493 /* We do not allow odd length arrays to enter the system. */
494 if (pcurveslen & 1)
495 {
496 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
497 *num_curves = 0;
498 return 0;
499 }
500 else
501 {
502 *num_curves = pcurveslen / 2;
503 return 1;
504 }
505 }
506 /* Check a curve is one of our preferences */
507 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
508 {
509 const unsigned char *curves;
510 size_t num_curves, i;
511 unsigned int suiteb_flags = tls1_suiteb(s);
512 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
513 return 0;
514 /* Check curve matches Suite B preferences */
515 if (suiteb_flags)
516 {
517 unsigned long cid = s->s3->tmp.new_cipher->id;
518 if (p[1])
519 return 0;
520 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
521 {
522 if (p[2] != TLSEXT_curve_P_256)
523 return 0;
524 }
525 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
526 {
527 if (p[2] != TLSEXT_curve_P_384)
528 return 0;
529 }
530 else /* Should never happen */
531 return 0;
532 }
533 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
534 return 0;
535 for (i = 0; i < num_curves; i++, curves += 2)
536 {
537 if (p[1] == curves[0] && p[2] == curves[1])
538 return 1;
539 }
540 return 0;
541 }
542
543 /*-
544 * Return |nmatch|th shared curve or NID_undef if there is no match.
545 * For nmatch == -1, return number of matches
546 * For nmatch == -2, return the NID of the curve to use for
547 * an EC tmp key, or NID_undef if there is no match.
548 */
549 int tls1_shared_curve(SSL *s, int nmatch)
550 {
551 const unsigned char *pref, *supp;
552 size_t num_pref, num_supp, i, j;
553 int k;
554 /* Can't do anything on client side */
555 if (s->server == 0)
556 return -1;
557 if (nmatch == -2)
558 {
559 if (tls1_suiteb(s))
560 {
561 /* For Suite B ciphersuite determines curve: we
562 * already know these are acceptable due to previous
563 * checks.
564 */
565 unsigned long cid = s->s3->tmp.new_cipher->id;
566 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
567 return NID_X9_62_prime256v1; /* P-256 */
568 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
569 return NID_secp384r1; /* P-384 */
570 /* Should never happen */
571 return NID_undef;
572 }
573 /* If not Suite B just return first preference shared curve */
574 nmatch = 0;
575 }
576 /*
577 * Avoid truncation. tls1_get_curvelist takes an int
578 * but s->options is a long...
579 */
580 if (!tls1_get_curvelist(s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
581 &supp, &num_supp))
582 /* In practice, NID_undef == 0 but let's be precise. */
583 return nmatch == -1 ? 0 : NID_undef;
584 if(!tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
585 &pref, &num_pref))
586 return nmatch == -1 ? 0 : NID_undef;
587 k = 0;
588 for (i = 0; i < num_pref; i++, pref+=2)
589 {
590 const unsigned char *tsupp = supp;
591 for (j = 0; j < num_supp; j++, tsupp+=2)
592 {
593 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
594 {
595 if (nmatch == k)
596 {
597 int id = (pref[0] << 8) | pref[1];
598 return tls1_ec_curve_id2nid(id);
599 }
600 k++;
601 }
602 }
603 }
604 if (nmatch == -1)
605 return k;
606 /* Out of range (nmatch > k). */
607 return NID_undef;
608 }
609
610 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
611 int *curves, size_t ncurves)
612 {
613 unsigned char *clist, *p;
614 size_t i;
615 /* Bitmap of curves included to detect duplicates: only works
616 * while curve ids < 32
617 */
618 unsigned long dup_list = 0;
619 #ifdef OPENSSL_NO_EC2M
620 EC_GROUP *curve;
621 #endif
622
623 clist = OPENSSL_malloc(ncurves * 2);
624 if (!clist)
625 return 0;
626 for (i = 0, p = clist; i < ncurves; i++)
627 {
628 unsigned long idmask;
629 int id;
630 id = tls1_ec_nid2curve_id(curves[i]);
631 #ifdef OPENSSL_FIPS
632 /* NB: 25 is last curve ID supported by FIPS module */
633 if (FIPS_mode() && id > 25)
634 {
635 OPENSSL_free(clist);
636 return 0;
637 }
638 #endif
639 #ifdef OPENSSL_NO_EC2M
640 curve = EC_GROUP_new_by_curve_name(curves[i]);
641 if(!curve ||
642 EC_METHOD_get_field_type(EC_GROUP_method_of(curve))
643 == NID_X9_62_characteristic_two_field)
644 {
645 if(curve) EC_GROUP_free(curve);
646 OPENSSL_free(clist);
647 return 0;
648 }
649 else
650 EC_GROUP_free(curve);
651 #endif
652 idmask = 1L << id;
653 if (!id || (dup_list & idmask))
654 {
655 OPENSSL_free(clist);
656 return 0;
657 }
658 dup_list |= idmask;
659 s2n(id, p);
660 }
661 if (*pext)
662 OPENSSL_free(*pext);
663 *pext = clist;
664 *pextlen = ncurves * 2;
665 return 1;
666 }
667
668 #define MAX_CURVELIST 28
669
670 typedef struct
671 {
672 size_t nidcnt;
673 int nid_arr[MAX_CURVELIST];
674 } nid_cb_st;
675
676 static int nid_cb(const char *elem, int len, void *arg)
677 {
678 nid_cb_st *narg = arg;
679 size_t i;
680 int nid;
681 char etmp[20];
682 if (narg->nidcnt == MAX_CURVELIST)
683 return 0;
684 if (len > (int)(sizeof(etmp) - 1))
685 return 0;
686 memcpy(etmp, elem, len);
687 etmp[len] = 0;
688 nid = EC_curve_nist2nid(etmp);
689 if (nid == NID_undef)
690 nid = OBJ_sn2nid(etmp);
691 if (nid == NID_undef)
692 nid = OBJ_ln2nid(etmp);
693 if (nid == NID_undef)
694 return 0;
695 for (i = 0; i < narg->nidcnt; i++)
696 if (narg->nid_arr[i] == nid)
697 return 0;
698 narg->nid_arr[narg->nidcnt++] = nid;
699 return 1;
700 }
701 /* Set curves based on a colon separate list */
702 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
703 const char *str)
704 {
705 nid_cb_st ncb;
706 ncb.nidcnt = 0;
707 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
708 return 0;
709 if (pext == NULL)
710 return 1;
711 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
712 }
713 /* For an EC key set TLS id and required compression based on parameters */
714 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
715 EC_KEY *ec)
716 {
717 int is_prime, id;
718 const EC_GROUP *grp;
719 const EC_METHOD *meth;
720 if (!ec)
721 return 0;
722 /* Determine if it is a prime field */
723 grp = EC_KEY_get0_group(ec);
724 if (!grp)
725 return 0;
726 meth = EC_GROUP_method_of(grp);
727 if (!meth)
728 return 0;
729 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
730 is_prime = 1;
731 else
732 is_prime = 0;
733 /* Determine curve ID */
734 id = EC_GROUP_get_curve_name(grp);
735 id = tls1_ec_nid2curve_id(id);
736 /* If we have an ID set it, otherwise set arbitrary explicit curve */
737 if (id)
738 {
739 curve_id[0] = 0;
740 curve_id[1] = (unsigned char)id;
741 }
742 else
743 {
744 curve_id[0] = 0xff;
745 if (is_prime)
746 curve_id[1] = 0x01;
747 else
748 curve_id[1] = 0x02;
749 }
750 if (comp_id)
751 {
752 if (EC_KEY_get0_public_key(ec) == NULL)
753 return 0;
754 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
755 {
756 if (is_prime)
757 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
758 else
759 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
760 }
761 else
762 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
763 }
764 return 1;
765 }
766 /* Check an EC key is compatible with extensions */
767 static int tls1_check_ec_key(SSL *s,
768 unsigned char *curve_id, unsigned char *comp_id)
769 {
770 const unsigned char *pformats, *pcurves;
771 size_t num_formats, num_curves, i;
772 int j;
773 /* If point formats extension present check it, otherwise everything
774 * is supported (see RFC4492).
775 */
776 if (comp_id && s->session->tlsext_ecpointformatlist)
777 {
778 pformats = s->session->tlsext_ecpointformatlist;
779 num_formats = s->session->tlsext_ecpointformatlist_length;
780 for (i = 0; i < num_formats; i++, pformats++)
781 {
782 if (*comp_id == *pformats)
783 break;
784 }
785 if (i == num_formats)
786 return 0;
787 }
788 if (!curve_id)
789 return 1;
790 /* Check curve is consistent with client and server preferences */
791 for (j = 0; j <= 1; j++)
792 {
793 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
794 return 0;
795 for (i = 0; i < num_curves; i++, pcurves += 2)
796 {
797 if (pcurves[0] == curve_id[0] &&
798 pcurves[1] == curve_id[1])
799 break;
800 }
801 if (i == num_curves)
802 return 0;
803 /* For clients can only check sent curve list */
804 if (!s->server)
805 return 1;
806 }
807 return 1;
808 }
809
810 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
811 size_t *num_formats)
812 {
813 /* If we have a custom point format list use it otherwise
814 * use default */
815 if (s->tlsext_ecpointformatlist)
816 {
817 *pformats = s->tlsext_ecpointformatlist;
818 *num_formats = s->tlsext_ecpointformatlist_length;
819 }
820 else
821 {
822 *pformats = ecformats_default;
823 /* For Suite B we don't support char2 fields */
824 if (tls1_suiteb(s))
825 *num_formats = sizeof(ecformats_default) - 1;
826 else
827 *num_formats = sizeof(ecformats_default);
828 }
829 }
830
831 /* Check cert parameters compatible with extensions: currently just checks
832 * EC certificates have compatible curves and compression.
833 */
834 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
835 {
836 unsigned char comp_id, curve_id[2];
837 EVP_PKEY *pkey;
838 int rv;
839 pkey = X509_get_pubkey(x);
840 if (!pkey)
841 return 0;
842 /* If not EC nothing to do */
843 if (pkey->type != EVP_PKEY_EC)
844 {
845 EVP_PKEY_free(pkey);
846 return 1;
847 }
848 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
849 EVP_PKEY_free(pkey);
850 if (!rv)
851 return 0;
852 /* Can't check curve_id for client certs as we don't have a
853 * supported curves extension.
854 */
855 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
856 if (!rv)
857 return 0;
858 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
859 * SHA384+P-384, adjust digest if necessary.
860 */
861 if (set_ee_md && tls1_suiteb(s))
862 {
863 int check_md;
864 size_t i;
865 CERT *c = s->cert;
866 if (curve_id[0])
867 return 0;
868 /* Check to see we have necessary signing algorithm */
869 if (curve_id[1] == TLSEXT_curve_P_256)
870 check_md = NID_ecdsa_with_SHA256;
871 else if (curve_id[1] == TLSEXT_curve_P_384)
872 check_md = NID_ecdsa_with_SHA384;
873 else
874 return 0; /* Should never happen */
875 for (i = 0; i < c->shared_sigalgslen; i++)
876 if (check_md == c->shared_sigalgs[i].signandhash_nid)
877 break;
878 if (i == c->shared_sigalgslen)
879 return 0;
880 if (set_ee_md == 2)
881 {
882 if (check_md == NID_ecdsa_with_SHA256)
883 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
884 else
885 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
886 }
887 }
888 return rv;
889 }
890 #ifndef OPENSSL_NO_ECDH
891 /* Check EC temporary key is compatible with client extensions */
892 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
893 {
894 unsigned char curve_id[2];
895 EC_KEY *ec = s->cert->ecdh_tmp;
896 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
897 /* Allow any curve: not just those peer supports */
898 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
899 return 1;
900 #endif
901 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
902 * no other curves permitted.
903 */
904 if (tls1_suiteb(s))
905 {
906 /* Curve to check determined by ciphersuite */
907 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
908 curve_id[1] = TLSEXT_curve_P_256;
909 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
910 curve_id[1] = TLSEXT_curve_P_384;
911 else
912 return 0;
913 curve_id[0] = 0;
914 /* Check this curve is acceptable */
915 if (!tls1_check_ec_key(s, curve_id, NULL))
916 return 0;
917 /* If auto or setting curve from callback assume OK */
918 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
919 return 1;
920 /* Otherwise check curve is acceptable */
921 else
922 {
923 unsigned char curve_tmp[2];
924 if (!ec)
925 return 0;
926 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
927 return 0;
928 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
929 return 1;
930 return 0;
931 }
932
933 }
934 if (s->cert->ecdh_tmp_auto)
935 {
936 /* Need a shared curve */
937 if (tls1_shared_curve(s, 0))
938 return 1;
939 else return 0;
940 }
941 if (!ec)
942 {
943 if (s->cert->ecdh_tmp_cb)
944 return 1;
945 else
946 return 0;
947 }
948 if (!tls1_set_ec_id(curve_id, NULL, ec))
949 return 0;
950 /* Set this to allow use of invalid curves for testing */
951 #if 0
952 return 1;
953 #else
954 return tls1_check_ec_key(s, curve_id, NULL);
955 #endif
956 }
957 #endif /* OPENSSL_NO_ECDH */
958
959 #else
960
961 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
962 {
963 return 1;
964 }
965
966 #endif /* OPENSSL_NO_EC */
967
968 #ifndef OPENSSL_NO_TLSEXT
969
970 /* List of supported signature algorithms and hashes. Should make this
971 * customisable at some point, for now include everything we support.
972 */
973
974 #ifdef OPENSSL_NO_RSA
975 #define tlsext_sigalg_rsa(md) /* */
976 #else
977 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
978 #endif
979
980 #ifdef OPENSSL_NO_DSA
981 #define tlsext_sigalg_dsa(md) /* */
982 #else
983 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
984 #endif
985
986 #ifdef OPENSSL_NO_ECDSA
987 #define tlsext_sigalg_ecdsa(md) /* */
988 #else
989 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
990 #endif
991
992 #define tlsext_sigalg(md) \
993 tlsext_sigalg_rsa(md) \
994 tlsext_sigalg_dsa(md) \
995 tlsext_sigalg_ecdsa(md)
996
997 static unsigned char tls12_sigalgs[] = {
998 #ifndef OPENSSL_NO_SHA512
999 tlsext_sigalg(TLSEXT_hash_sha512)
1000 tlsext_sigalg(TLSEXT_hash_sha384)
1001 #endif
1002 #ifndef OPENSSL_NO_SHA256
1003 tlsext_sigalg(TLSEXT_hash_sha256)
1004 tlsext_sigalg(TLSEXT_hash_sha224)
1005 #endif
1006 #ifndef OPENSSL_NO_SHA
1007 tlsext_sigalg(TLSEXT_hash_sha1)
1008 #endif
1009 };
1010 #ifndef OPENSSL_NO_ECDSA
1011 static unsigned char suiteb_sigalgs[] = {
1012 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1013 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1014 };
1015 #endif
1016 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1017 {
1018 /* If Suite B mode use Suite B sigalgs only, ignore any other
1019 * preferences.
1020 */
1021 #ifndef OPENSSL_NO_EC
1022 switch (tls1_suiteb(s))
1023 {
1024 case SSL_CERT_FLAG_SUITEB_128_LOS:
1025 *psigs = suiteb_sigalgs;
1026 return sizeof(suiteb_sigalgs);
1027
1028 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1029 *psigs = suiteb_sigalgs;
1030 return 2;
1031
1032 case SSL_CERT_FLAG_SUITEB_192_LOS:
1033 *psigs = suiteb_sigalgs + 2;
1034 return 2;
1035 }
1036 #endif
1037 /* If server use client authentication sigalgs if not NULL */
1038 if (s->server && s->cert->client_sigalgs)
1039 {
1040 *psigs = s->cert->client_sigalgs;
1041 return s->cert->client_sigalgslen;
1042 }
1043 else if (s->cert->conf_sigalgs)
1044 {
1045 *psigs = s->cert->conf_sigalgs;
1046 return s->cert->conf_sigalgslen;
1047 }
1048 else
1049 {
1050 *psigs = tls12_sigalgs;
1051 return sizeof(tls12_sigalgs);
1052 }
1053 }
1054 /* Check signature algorithm is consistent with sent supported signature
1055 * algorithms and if so return relevant digest.
1056 */
1057 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1058 const unsigned char *sig, EVP_PKEY *pkey)
1059 {
1060 const unsigned char *sent_sigs;
1061 size_t sent_sigslen, i;
1062 int sigalg = tls12_get_sigid(pkey);
1063 /* Should never happen */
1064 if (sigalg == -1)
1065 return -1;
1066 /* Check key type is consistent with signature */
1067 if (sigalg != (int)sig[1])
1068 {
1069 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1070 return 0;
1071 }
1072 #ifndef OPENSSL_NO_EC
1073 if (pkey->type == EVP_PKEY_EC)
1074 {
1075 unsigned char curve_id[2], comp_id;
1076 /* Check compression and curve matches extensions */
1077 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1078 return 0;
1079 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
1080 {
1081 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
1082 return 0;
1083 }
1084 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1085 if (tls1_suiteb(s))
1086 {
1087 if (curve_id[0])
1088 return 0;
1089 if (curve_id[1] == TLSEXT_curve_P_256)
1090 {
1091 if (sig[0] != TLSEXT_hash_sha256)
1092 {
1093 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1094 SSL_R_ILLEGAL_SUITEB_DIGEST);
1095 return 0;
1096 }
1097 }
1098 else if (curve_id[1] == TLSEXT_curve_P_384)
1099 {
1100 if (sig[0] != TLSEXT_hash_sha384)
1101 {
1102 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1103 SSL_R_ILLEGAL_SUITEB_DIGEST);
1104 return 0;
1105 }
1106 }
1107 else
1108 return 0;
1109 }
1110 }
1111 else if (tls1_suiteb(s))
1112 return 0;
1113 #endif
1114
1115 /* Check signature matches a type we sent */
1116 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1117 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1118 {
1119 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1120 break;
1121 }
1122 /* Allow fallback to SHA1 if not strict mode */
1123 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1124 {
1125 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1126 return 0;
1127 }
1128 *pmd = tls12_get_hash(sig[0]);
1129 if (*pmd == NULL)
1130 {
1131 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1132 return 0;
1133 }
1134 /* Store the digest used so applications can retrieve it if they
1135 * wish.
1136 */
1137 if (s->session && s->session->sess_cert)
1138 s->session->sess_cert->peer_key->digest = *pmd;
1139 return 1;
1140 }
1141 /* Get a mask of disabled algorithms: an algorithm is disabled
1142 * if it isn't supported or doesn't appear in supported signature
1143 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1144 * session and not global settings.
1145 *
1146 */
1147 void ssl_set_client_disabled(SSL *s)
1148 {
1149 CERT *c = s->cert;
1150 const unsigned char *sigalgs;
1151 size_t i, sigalgslen;
1152 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1153 c->mask_a = 0;
1154 c->mask_k = 0;
1155 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1156 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1157 c->mask_ssl = SSL_TLSV1_2;
1158 else
1159 c->mask_ssl = 0;
1160 /* Now go through all signature algorithms seeing if we support
1161 * any for RSA, DSA, ECDSA. Do this for all versions not just
1162 * TLS 1.2.
1163 */
1164 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1165 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1166 {
1167 switch(sigalgs[1])
1168 {
1169 #ifndef OPENSSL_NO_RSA
1170 case TLSEXT_signature_rsa:
1171 have_rsa = 1;
1172 break;
1173 #endif
1174 #ifndef OPENSSL_NO_DSA
1175 case TLSEXT_signature_dsa:
1176 have_dsa = 1;
1177 break;
1178 #endif
1179 #ifndef OPENSSL_NO_ECDSA
1180 case TLSEXT_signature_ecdsa:
1181 have_ecdsa = 1;
1182 break;
1183 #endif
1184 }
1185 }
1186 /* Disable auth and static DH if we don't include any appropriate
1187 * signature algorithms.
1188 */
1189 if (!have_rsa)
1190 {
1191 c->mask_a |= SSL_aRSA;
1192 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1193 }
1194 if (!have_dsa)
1195 {
1196 c->mask_a |= SSL_aDSS;
1197 c->mask_k |= SSL_kDHd;
1198 }
1199 if (!have_ecdsa)
1200 {
1201 c->mask_a |= SSL_aECDSA;
1202 c->mask_k |= SSL_kECDHe;
1203 }
1204 #ifndef OPENSSL_NO_KRB5
1205 if (!kssl_tgt_is_available(s->kssl_ctx))
1206 {
1207 c->mask_a |= SSL_aKRB5;
1208 c->mask_k |= SSL_kKRB5;
1209 }
1210 #endif
1211 #ifndef OPENSSL_NO_PSK
1212 /* with PSK there must be client callback set */
1213 if (!s->psk_client_callback)
1214 {
1215 c->mask_a |= SSL_aPSK;
1216 c->mask_k |= SSL_kPSK;
1217 }
1218 #endif /* OPENSSL_NO_PSK */
1219 #ifndef OPENSSL_NO_SRP
1220 if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
1221 {
1222 c->mask_a |= SSL_aSRP;
1223 c->mask_k |= SSL_kSRP;
1224 }
1225 #endif
1226 c->valid = 1;
1227 }
1228
1229 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1230 {
1231 int extdatalen=0;
1232 unsigned char *orig = buf;
1233 unsigned char *ret = buf;
1234 #ifndef OPENSSL_NO_EC
1235 /* See if we support any ECC ciphersuites */
1236 int using_ecc = 0;
1237 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1238 {
1239 int i;
1240 unsigned long alg_k, alg_a;
1241 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1242
1243 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1244 {
1245 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1246
1247 alg_k = c->algorithm_mkey;
1248 alg_a = c->algorithm_auth;
1249 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1250 || (alg_a & SSL_aECDSA)))
1251 {
1252 using_ecc = 1;
1253 break;
1254 }
1255 }
1256 }
1257 #endif
1258
1259 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1260 if (s->client_version == SSL3_VERSION
1261 && !s->s3->send_connection_binding)
1262 return orig;
1263
1264 ret+=2;
1265
1266 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1267
1268 if (s->tlsext_hostname != NULL)
1269 {
1270 /* Add TLS extension servername to the Client Hello message */
1271 unsigned long size_str;
1272 long lenmax;
1273
1274 /*-
1275 * check for enough space.
1276 * 4 for the servername type and entension length
1277 * 2 for servernamelist length
1278 * 1 for the hostname type
1279 * 2 for hostname length
1280 * + hostname length
1281 */
1282
1283 if ((lenmax = limit - ret - 9) < 0
1284 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1285 return NULL;
1286
1287 /* extension type and length */
1288 s2n(TLSEXT_TYPE_server_name,ret);
1289 s2n(size_str+5,ret);
1290
1291 /* length of servername list */
1292 s2n(size_str+3,ret);
1293
1294 /* hostname type, length and hostname */
1295 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1296 s2n(size_str,ret);
1297 memcpy(ret, s->tlsext_hostname, size_str);
1298 ret+=size_str;
1299 }
1300
1301 /* Add RI if renegotiating */
1302 if (s->renegotiate)
1303 {
1304 int el;
1305
1306 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1307 {
1308 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1309 return NULL;
1310 }
1311
1312 if((limit - ret - 4 - el) < 0) return NULL;
1313
1314 s2n(TLSEXT_TYPE_renegotiate,ret);
1315 s2n(el,ret);
1316
1317 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1318 {
1319 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1320 return NULL;
1321 }
1322
1323 ret += el;
1324 }
1325
1326 #ifndef OPENSSL_NO_SRP
1327 /* Add SRP username if there is one */
1328 if (s->srp_ctx.login != NULL)
1329 { /* Add TLS extension SRP username to the Client Hello message */
1330
1331 int login_len = strlen(s->srp_ctx.login);
1332 if (login_len > 255 || login_len == 0)
1333 {
1334 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1335 return NULL;
1336 }
1337
1338 /*-
1339 * check for enough space.
1340 * 4 for the srp type type and entension length
1341 * 1 for the srp user identity
1342 * + srp user identity length
1343 */
1344 if ((limit - ret - 5 - login_len) < 0) return NULL;
1345
1346 /* fill in the extension */
1347 s2n(TLSEXT_TYPE_srp,ret);
1348 s2n(login_len+1,ret);
1349 (*ret++) = (unsigned char) login_len;
1350 memcpy(ret, s->srp_ctx.login, login_len);
1351 ret+=login_len;
1352 }
1353 #endif
1354
1355 #ifndef OPENSSL_NO_EC
1356 if (using_ecc)
1357 {
1358 /* Add TLS extension ECPointFormats to the ClientHello message */
1359 long lenmax;
1360 const unsigned char *pcurves, *pformats;
1361 size_t num_curves, num_formats, curves_list_len;
1362
1363 tls1_get_formatlist(s, &pformats, &num_formats);
1364
1365 if ((lenmax = limit - ret - 5) < 0) return NULL;
1366 if (num_formats > (size_t)lenmax) return NULL;
1367 if (num_formats > 255)
1368 {
1369 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1370 return NULL;
1371 }
1372
1373 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1374 /* The point format list has 1-byte length. */
1375 s2n(num_formats + 1,ret);
1376 *(ret++) = (unsigned char)num_formats ;
1377 memcpy(ret, pformats, num_formats);
1378 ret+=num_formats;
1379
1380 /* Add TLS extension EllipticCurves to the ClientHello message */
1381 pcurves = s->tlsext_ellipticcurvelist;
1382 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1383 return NULL;
1384
1385 if ((lenmax = limit - ret - 6) < 0) return NULL;
1386 if (num_curves > (size_t)lenmax / 2) return NULL;
1387 if (num_curves > 65532 / 2)
1388 {
1389 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1390 return NULL;
1391 }
1392 curves_list_len = 2*num_curves;
1393 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1394 s2n(curves_list_len + 2, ret);
1395 s2n(curves_list_len, ret);
1396 memcpy(ret, pcurves, curves_list_len);
1397 ret+=curves_list_len;
1398 }
1399 #endif /* OPENSSL_NO_EC */
1400
1401 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1402 {
1403 int ticklen;
1404 if (!s->new_session && s->session && s->session->tlsext_tick)
1405 ticklen = s->session->tlsext_ticklen;
1406 else if (s->session && s->tlsext_session_ticket &&
1407 s->tlsext_session_ticket->data)
1408 {
1409 ticklen = s->tlsext_session_ticket->length;
1410 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1411 if (!s->session->tlsext_tick)
1412 return NULL;
1413 memcpy(s->session->tlsext_tick,
1414 s->tlsext_session_ticket->data,
1415 ticklen);
1416 s->session->tlsext_ticklen = ticklen;
1417 }
1418 else
1419 ticklen = 0;
1420 if (ticklen == 0 && s->tlsext_session_ticket &&
1421 s->tlsext_session_ticket->data == NULL)
1422 goto skip_ext;
1423 /* Check for enough room 2 for extension type, 2 for len
1424 * rest for ticket
1425 */
1426 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1427 s2n(TLSEXT_TYPE_session_ticket,ret);
1428 s2n(ticklen,ret);
1429 if (ticklen)
1430 {
1431 memcpy(ret, s->session->tlsext_tick, ticklen);
1432 ret += ticklen;
1433 }
1434 }
1435 skip_ext:
1436
1437 if (SSL_USE_SIGALGS(s))
1438 {
1439 size_t salglen;
1440 const unsigned char *salg;
1441 salglen = tls12_get_psigalgs(s, &salg);
1442 if ((size_t)(limit - ret) < salglen + 6)
1443 return NULL;
1444 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1445 s2n(salglen + 2, ret);
1446 s2n(salglen, ret);
1447 memcpy(ret, salg, salglen);
1448 ret += salglen;
1449 }
1450
1451 #ifdef TLSEXT_TYPE_opaque_prf_input
1452 if (s->s3->client_opaque_prf_input != NULL)
1453 {
1454 size_t col = s->s3->client_opaque_prf_input_len;
1455
1456 if ((long)(limit - ret - 6 - col < 0))
1457 return NULL;
1458 if (col > 0xFFFD) /* can't happen */
1459 return NULL;
1460
1461 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1462 s2n(col + 2, ret);
1463 s2n(col, ret);
1464 memcpy(ret, s->s3->client_opaque_prf_input, col);
1465 ret += col;
1466 }
1467 #endif
1468
1469 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1470 {
1471 int i;
1472 long extlen, idlen, itmp;
1473 OCSP_RESPID *id;
1474
1475 idlen = 0;
1476 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1477 {
1478 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1479 itmp = i2d_OCSP_RESPID(id, NULL);
1480 if (itmp <= 0)
1481 return NULL;
1482 idlen += itmp + 2;
1483 }
1484
1485 if (s->tlsext_ocsp_exts)
1486 {
1487 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1488 if (extlen < 0)
1489 return NULL;
1490 }
1491 else
1492 extlen = 0;
1493
1494 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1495 s2n(TLSEXT_TYPE_status_request, ret);
1496 if (extlen + idlen > 0xFFF0)
1497 return NULL;
1498 s2n(extlen + idlen + 5, ret);
1499 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1500 s2n(idlen, ret);
1501 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1502 {
1503 /* save position of id len */
1504 unsigned char *q = ret;
1505 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1506 /* skip over id len */
1507 ret += 2;
1508 itmp = i2d_OCSP_RESPID(id, &ret);
1509 /* write id len */
1510 s2n(itmp, q);
1511 }
1512 s2n(extlen, ret);
1513 if (extlen > 0)
1514 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1515 }
1516
1517 #ifndef OPENSSL_NO_HEARTBEATS
1518 /* Add Heartbeat extension */
1519 if ((limit - ret - 4 - 1) < 0)
1520 return NULL;
1521 s2n(TLSEXT_TYPE_heartbeat,ret);
1522 s2n(1,ret);
1523 /*-
1524 * Set mode:
1525 * 1: peer may send requests
1526 * 2: peer not allowed to send requests
1527 */
1528 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1529 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1530 else
1531 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1532 #endif
1533
1534 #ifndef OPENSSL_NO_NEXTPROTONEG
1535 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1536 {
1537 /* The client advertises an emtpy extension to indicate its
1538 * support for Next Protocol Negotiation */
1539 if (limit - ret - 4 < 0)
1540 return NULL;
1541 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1542 s2n(0,ret);
1543 }
1544 #endif
1545
1546 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1547 {
1548 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1549 return NULL;
1550 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1551 s2n(2 + s->alpn_client_proto_list_len,ret);
1552 s2n(s->alpn_client_proto_list_len,ret);
1553 memcpy(ret, s->alpn_client_proto_list,
1554 s->alpn_client_proto_list_len);
1555 ret += s->alpn_client_proto_list_len;
1556 }
1557
1558 #ifndef OPENSSL_NO_SRTP
1559 if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
1560 {
1561 int el;
1562
1563 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1564
1565 if((limit - ret - 4 - el) < 0) return NULL;
1566
1567 s2n(TLSEXT_TYPE_use_srtp,ret);
1568 s2n(el,ret);
1569
1570 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1571 {
1572 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1573 return NULL;
1574 }
1575 ret += el;
1576 }
1577 #endif
1578 custom_ext_init(&s->cert->cli_ext);
1579 /* Add custom TLS Extensions to ClientHello */
1580 if (!custom_ext_add(s, 0, &ret, limit, al))
1581 return NULL;
1582
1583 /* Add padding to workaround bugs in F5 terminators.
1584 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1585 *
1586 * NB: because this code works out the length of all existing
1587 * extensions it MUST always appear last.
1588 */
1589 if (s->options & SSL_OP_TLSEXT_PADDING)
1590 {
1591 int hlen = ret - (unsigned char *)s->init_buf->data;
1592 /* The code in s23_clnt.c to build ClientHello messages
1593 * includes the 5-byte record header in the buffer, while
1594 * the code in s3_clnt.c does not.
1595 */
1596 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1597 hlen -= 5;
1598 if (hlen > 0xff && hlen < 0x200)
1599 {
1600 hlen = 0x200 - hlen;
1601 if (hlen >= 4)
1602 hlen -= 4;
1603 else
1604 hlen = 0;
1605
1606 s2n(TLSEXT_TYPE_padding, ret);
1607 s2n(hlen, ret);
1608 memset(ret, 0, hlen);
1609 ret += hlen;
1610 }
1611 }
1612
1613 if ((extdatalen = ret-orig-2)== 0)
1614 return orig;
1615
1616 s2n(extdatalen, orig);
1617 return ret;
1618 }
1619
1620 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1621 {
1622 int extdatalen=0;
1623 unsigned char *orig = buf;
1624 unsigned char *ret = buf;
1625 #ifndef OPENSSL_NO_NEXTPROTONEG
1626 int next_proto_neg_seen;
1627 #endif
1628 #ifndef OPENSSL_NO_EC
1629 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1630 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1631 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1632 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1633 #endif
1634 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1635 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1636 return orig;
1637
1638 ret+=2;
1639 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1640
1641 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1642 {
1643 if ((long)(limit - ret - 4) < 0) return NULL;
1644
1645 s2n(TLSEXT_TYPE_server_name,ret);
1646 s2n(0,ret);
1647 }
1648
1649 if(s->s3->send_connection_binding)
1650 {
1651 int el;
1652
1653 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1654 {
1655 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1656 return NULL;
1657 }
1658
1659 if((limit - ret - 4 - el) < 0) return NULL;
1660
1661 s2n(TLSEXT_TYPE_renegotiate,ret);
1662 s2n(el,ret);
1663
1664 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1665 {
1666 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1667 return NULL;
1668 }
1669
1670 ret += el;
1671 }
1672
1673 #ifndef OPENSSL_NO_EC
1674 if (using_ecc)
1675 {
1676 const unsigned char *plist;
1677 size_t plistlen;
1678 /* Add TLS extension ECPointFormats to the ServerHello message */
1679 long lenmax;
1680
1681 tls1_get_formatlist(s, &plist, &plistlen);
1682
1683 if ((lenmax = limit - ret - 5) < 0) return NULL;
1684 if (plistlen > (size_t)lenmax) return NULL;
1685 if (plistlen > 255)
1686 {
1687 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1688 return NULL;
1689 }
1690
1691 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1692 s2n(plistlen + 1,ret);
1693 *(ret++) = (unsigned char) plistlen;
1694 memcpy(ret, plist, plistlen);
1695 ret+=plistlen;
1696
1697 }
1698 /* Currently the server should not respond with a SupportedCurves extension */
1699 #endif /* OPENSSL_NO_EC */
1700
1701 if (s->tlsext_ticket_expected
1702 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1703 {
1704 if ((long)(limit - ret - 4) < 0) return NULL;
1705 s2n(TLSEXT_TYPE_session_ticket,ret);
1706 s2n(0,ret);
1707 }
1708
1709 if (s->tlsext_status_expected)
1710 {
1711 if ((long)(limit - ret - 4) < 0) return NULL;
1712 s2n(TLSEXT_TYPE_status_request,ret);
1713 s2n(0,ret);
1714 }
1715
1716 #ifdef TLSEXT_TYPE_opaque_prf_input
1717 if (s->s3->server_opaque_prf_input != NULL)
1718 {
1719 size_t sol = s->s3->server_opaque_prf_input_len;
1720
1721 if ((long)(limit - ret - 6 - sol) < 0)
1722 return NULL;
1723 if (sol > 0xFFFD) /* can't happen */
1724 return NULL;
1725
1726 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1727 s2n(sol + 2, ret);
1728 s2n(sol, ret);
1729 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1730 ret += sol;
1731 }
1732 #endif
1733
1734 #ifndef OPENSSL_NO_SRTP
1735 if(SSL_IS_DTLS(s) && s->srtp_profile)
1736 {
1737 int el;
1738
1739 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1740
1741 if((limit - ret - 4 - el) < 0) return NULL;
1742
1743 s2n(TLSEXT_TYPE_use_srtp,ret);
1744 s2n(el,ret);
1745
1746 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1747 {
1748 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1749 return NULL;
1750 }
1751 ret+=el;
1752 }
1753 #endif
1754
1755 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1756 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1757 { const unsigned char cryptopro_ext[36] = {
1758 0xfd, 0xe8, /*65000*/
1759 0x00, 0x20, /*32 bytes length*/
1760 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1761 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1762 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1763 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1764 if (limit-ret<36) return NULL;
1765 memcpy(ret,cryptopro_ext,36);
1766 ret+=36;
1767
1768 }
1769
1770 #ifndef OPENSSL_NO_HEARTBEATS
1771 /* Add Heartbeat extension if we've received one */
1772 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1773 {
1774 if ((limit - ret - 4 - 1) < 0)
1775 return NULL;
1776 s2n(TLSEXT_TYPE_heartbeat,ret);
1777 s2n(1,ret);
1778 /*-
1779 * Set mode:
1780 * 1: peer may send requests
1781 * 2: peer not allowed to send requests
1782 */
1783 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1784 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1785 else
1786 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1787
1788 }
1789 #endif
1790
1791 #ifndef OPENSSL_NO_NEXTPROTONEG
1792 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1793 s->s3->next_proto_neg_seen = 0;
1794 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1795 {
1796 const unsigned char *npa;
1797 unsigned int npalen;
1798 int r;
1799
1800 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1801 if (r == SSL_TLSEXT_ERR_OK)
1802 {
1803 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1804 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1805 s2n(npalen,ret);
1806 memcpy(ret, npa, npalen);
1807 ret += npalen;
1808 s->s3->next_proto_neg_seen = 1;
1809 }
1810 }
1811 #endif
1812 if (!custom_ext_add(s, 1, &ret, limit, al))
1813 return NULL;
1814
1815 if (s->s3->alpn_selected)
1816 {
1817 const unsigned char *selected = s->s3->alpn_selected;
1818 unsigned len = s->s3->alpn_selected_len;
1819
1820 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1821 return NULL;
1822 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1823 s2n(3 + len,ret);
1824 s2n(1 + len,ret);
1825 *ret++ = len;
1826 memcpy(ret, selected, len);
1827 ret += len;
1828 }
1829
1830 if ((extdatalen = ret-orig-2)== 0)
1831 return orig;
1832
1833 s2n(extdatalen, orig);
1834 return ret;
1835 }
1836
1837 #ifndef OPENSSL_NO_EC
1838 /*-
1839 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1840 * SecureTransport using the TLS extension block in |d|, of length |n|.
1841 * Safari, since 10.6, sends exactly these extensions, in this order:
1842 * SNI,
1843 * elliptic_curves
1844 * ec_point_formats
1845 *
1846 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1847 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1848 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1849 * 10.8..10.8.3 (which don't work).
1850 */
1851 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1852 unsigned short type, size;
1853 static const unsigned char kSafariExtensionsBlock[] = {
1854 0x00, 0x0a, /* elliptic_curves extension */
1855 0x00, 0x08, /* 8 bytes */
1856 0x00, 0x06, /* 6 bytes of curve ids */
1857 0x00, 0x17, /* P-256 */
1858 0x00, 0x18, /* P-384 */
1859 0x00, 0x19, /* P-521 */
1860
1861 0x00, 0x0b, /* ec_point_formats */
1862 0x00, 0x02, /* 2 bytes */
1863 0x01, /* 1 point format */
1864 0x00, /* uncompressed */
1865 };
1866
1867 /* The following is only present in TLS 1.2 */
1868 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1869 0x00, 0x0d, /* signature_algorithms */
1870 0x00, 0x0c, /* 12 bytes */
1871 0x00, 0x0a, /* 10 bytes */
1872 0x05, 0x01, /* SHA-384/RSA */
1873 0x04, 0x01, /* SHA-256/RSA */
1874 0x02, 0x01, /* SHA-1/RSA */
1875 0x04, 0x03, /* SHA-256/ECDSA */
1876 0x02, 0x03, /* SHA-1/ECDSA */
1877 };
1878
1879 if (data >= (d+n-2))
1880 return;
1881 data += 2;
1882
1883 if (data > (d+n-4))
1884 return;
1885 n2s(data,type);
1886 n2s(data,size);
1887
1888 if (type != TLSEXT_TYPE_server_name)
1889 return;
1890
1891 if (data+size > d+n)
1892 return;
1893 data += size;
1894
1895 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1896 {
1897 const size_t len1 = sizeof(kSafariExtensionsBlock);
1898 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1899
1900 if (data + len1 + len2 != d+n)
1901 return;
1902 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1903 return;
1904 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1905 return;
1906 }
1907 else
1908 {
1909 const size_t len = sizeof(kSafariExtensionsBlock);
1910
1911 if (data + len != d+n)
1912 return;
1913 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1914 return;
1915 }
1916
1917 s->s3->is_probably_safari = 1;
1918 }
1919 #endif /* !OPENSSL_NO_EC */
1920
1921 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1922 * ClientHello.
1923 * data: the contents of the extension, not including the type and length.
1924 * data_len: the number of bytes in |data|
1925 * al: a pointer to the alert value to send in the event of a non-zero
1926 * return.
1927 *
1928 * returns: 0 on success. */
1929 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1930 unsigned data_len, int *al)
1931 {
1932 unsigned i;
1933 unsigned proto_len;
1934 const unsigned char *selected;
1935 unsigned char selected_len;
1936 int r;
1937
1938 if (s->ctx->alpn_select_cb == NULL)
1939 return 0;
1940
1941 if (data_len < 2)
1942 goto parse_error;
1943
1944 /* data should contain a uint16 length followed by a series of 8-bit,
1945 * length-prefixed strings. */
1946 i = ((unsigned) data[0]) << 8 |
1947 ((unsigned) data[1]);
1948 data_len -= 2;
1949 data += 2;
1950 if (data_len != i)
1951 goto parse_error;
1952
1953 if (data_len < 2)
1954 goto parse_error;
1955
1956 for (i = 0; i < data_len;)
1957 {
1958 proto_len = data[i];
1959 i++;
1960
1961 if (proto_len == 0)
1962 goto parse_error;
1963
1964 if (i + proto_len < i || i + proto_len > data_len)
1965 goto parse_error;
1966
1967 i += proto_len;
1968 }
1969
1970 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1971 s->ctx->alpn_select_cb_arg);
1972 if (r == SSL_TLSEXT_ERR_OK) {
1973 if (s->s3->alpn_selected)
1974 OPENSSL_free(s->s3->alpn_selected);
1975 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1976 if (!s->s3->alpn_selected)
1977 {
1978 *al = SSL_AD_INTERNAL_ERROR;
1979 return -1;
1980 }
1981 memcpy(s->s3->alpn_selected, selected, selected_len);
1982 s->s3->alpn_selected_len = selected_len;
1983 }
1984 return 0;
1985
1986 parse_error:
1987 *al = SSL_AD_DECODE_ERROR;
1988 return -1;
1989 }
1990
1991 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1992 {
1993 unsigned short type;
1994 unsigned short size;
1995 unsigned short len;
1996 unsigned char *data = *p;
1997 int renegotiate_seen = 0;
1998
1999 s->servername_done = 0;
2000 s->tlsext_status_type = -1;
2001 #ifndef OPENSSL_NO_NEXTPROTONEG
2002 s->s3->next_proto_neg_seen = 0;
2003 #endif
2004
2005 if (s->s3->alpn_selected)
2006 {
2007 OPENSSL_free(s->s3->alpn_selected);
2008 s->s3->alpn_selected = NULL;
2009 }
2010
2011 #ifndef OPENSSL_NO_HEARTBEATS
2012 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2013 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2014 #endif
2015
2016 #ifndef OPENSSL_NO_EC
2017 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2018 ssl_check_for_safari(s, data, d, n);
2019 #endif /* !OPENSSL_NO_EC */
2020
2021 /* Clear any signature algorithms extension received */
2022 if (s->cert->peer_sigalgs)
2023 {
2024 OPENSSL_free(s->cert->peer_sigalgs);
2025 s->cert->peer_sigalgs = NULL;
2026 }
2027
2028 #ifndef OPENSSL_NO_SRP
2029 if (s->srp_ctx.login != NULL)
2030 {
2031 OPENSSL_free(s->srp_ctx.login);
2032 s->srp_ctx.login = NULL;
2033 }
2034 #endif
2035
2036 s->srtp_profile = NULL;
2037
2038 if (data >= (d+n-2))
2039 goto ri_check;
2040 n2s(data,len);
2041
2042 if (data > (d+n-len))
2043 goto ri_check;
2044
2045 while (data <= (d+n-4))
2046 {
2047 n2s(data,type);
2048 n2s(data,size);
2049
2050 if (data+size > (d+n))
2051 goto ri_check;
2052 #if 0
2053 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2054 #endif
2055 if (s->tlsext_debug_cb)
2056 s->tlsext_debug_cb(s, 0, type, data, size,
2057 s->tlsext_debug_arg);
2058 /*-
2059 * The servername extension is treated as follows:
2060 *
2061 * - Only the hostname type is supported with a maximum length of 255.
2062 * - The servername is rejected if too long or if it contains zeros,
2063 * in which case an fatal alert is generated.
2064 * - The servername field is maintained together with the session cache.
2065 * - When a session is resumed, the servername call back invoked in order
2066 * to allow the application to position itself to the right context.
2067 * - The servername is acknowledged if it is new for a session or when
2068 * it is identical to a previously used for the same session.
2069 * Applications can control the behaviour. They can at any time
2070 * set a 'desirable' servername for a new SSL object. This can be the
2071 * case for example with HTTPS when a Host: header field is received and
2072 * a renegotiation is requested. In this case, a possible servername
2073 * presented in the new client hello is only acknowledged if it matches
2074 * the value of the Host: field.
2075 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2076 * if they provide for changing an explicit servername context for the
2077 * session, i.e. when the session has been established with a servername
2078 * extension.
2079 * - On session reconnect, the servername extension may be absent.
2080 *
2081 */
2082
2083 if (type == TLSEXT_TYPE_server_name)
2084 {
2085 unsigned char *sdata;
2086 int servname_type;
2087 int dsize;
2088
2089 if (size < 2)
2090 {
2091 *al = SSL_AD_DECODE_ERROR;
2092 return 0;
2093 }
2094 n2s(data,dsize);
2095 size -= 2;
2096 if (dsize > size )
2097 {
2098 *al = SSL_AD_DECODE_ERROR;
2099 return 0;
2100 }
2101
2102 sdata = data;
2103 while (dsize > 3)
2104 {
2105 servname_type = *(sdata++);
2106 n2s(sdata,len);
2107 dsize -= 3;
2108
2109 if (len > dsize)
2110 {
2111 *al = SSL_AD_DECODE_ERROR;
2112 return 0;
2113 }
2114 if (s->servername_done == 0)
2115 switch (servname_type)
2116 {
2117 case TLSEXT_NAMETYPE_host_name:
2118 if (!s->hit)
2119 {
2120 if(s->session->tlsext_hostname)
2121 {
2122 *al = SSL_AD_DECODE_ERROR;
2123 return 0;
2124 }
2125 if (len > TLSEXT_MAXLEN_host_name)
2126 {
2127 *al = TLS1_AD_UNRECOGNIZED_NAME;
2128 return 0;
2129 }
2130 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2131 {
2132 *al = TLS1_AD_INTERNAL_ERROR;
2133 return 0;
2134 }
2135 memcpy(s->session->tlsext_hostname, sdata, len);
2136 s->session->tlsext_hostname[len]='\0';
2137 if (strlen(s->session->tlsext_hostname) != len) {
2138 OPENSSL_free(s->session->tlsext_hostname);
2139 s->session->tlsext_hostname = NULL;
2140 *al = TLS1_AD_UNRECOGNIZED_NAME;
2141 return 0;
2142 }
2143 s->servername_done = 1;
2144
2145 }
2146 else
2147 s->servername_done = s->session->tlsext_hostname
2148 && strlen(s->session->tlsext_hostname) == len
2149 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2150
2151 break;
2152
2153 default:
2154 break;
2155 }
2156
2157 dsize -= len;
2158 }
2159 if (dsize != 0)
2160 {
2161 *al = SSL_AD_DECODE_ERROR;
2162 return 0;
2163 }
2164
2165 }
2166 #ifndef OPENSSL_NO_SRP
2167 else if (type == TLSEXT_TYPE_srp)
2168 {
2169 if (size <= 0 || ((len = data[0])) != (size -1))
2170 {
2171 *al = SSL_AD_DECODE_ERROR;
2172 return 0;
2173 }
2174 if (s->srp_ctx.login != NULL)
2175 {
2176 *al = SSL_AD_DECODE_ERROR;
2177 return 0;
2178 }
2179 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2180 return -1;
2181 memcpy(s->srp_ctx.login, &data[1], len);
2182 s->srp_ctx.login[len]='\0';
2183
2184 if (strlen(s->srp_ctx.login) != len)
2185 {
2186 *al = SSL_AD_DECODE_ERROR;
2187 return 0;
2188 }
2189 }
2190 #endif
2191
2192 #ifndef OPENSSL_NO_EC
2193 else if (type == TLSEXT_TYPE_ec_point_formats)
2194 {
2195 unsigned char *sdata = data;
2196 int ecpointformatlist_length = *(sdata++);
2197
2198 if (ecpointformatlist_length != size - 1 ||
2199 ecpointformatlist_length < 1)
2200 {
2201 *al = TLS1_AD_DECODE_ERROR;
2202 return 0;
2203 }
2204 if (!s->hit)
2205 {
2206 if(s->session->tlsext_ecpointformatlist)
2207 {
2208 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2209 s->session->tlsext_ecpointformatlist = NULL;
2210 }
2211 s->session->tlsext_ecpointformatlist_length = 0;
2212 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2213 {
2214 *al = TLS1_AD_INTERNAL_ERROR;
2215 return 0;
2216 }
2217 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2218 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2219 }
2220 #if 0
2221 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2222 sdata = s->session->tlsext_ecpointformatlist;
2223 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2224 fprintf(stderr,"%i ",*(sdata++));
2225 fprintf(stderr,"\n");
2226 #endif
2227 }
2228 else if (type == TLSEXT_TYPE_elliptic_curves)
2229 {
2230 unsigned char *sdata = data;
2231 int ellipticcurvelist_length = (*(sdata++) << 8);
2232 ellipticcurvelist_length += (*(sdata++));
2233
2234 if (ellipticcurvelist_length != size - 2 ||
2235 ellipticcurvelist_length < 1 ||
2236 /* Each NamedCurve is 2 bytes. */
2237 ellipticcurvelist_length & 1)
2238 {
2239 *al = TLS1_AD_DECODE_ERROR;
2240 return 0;
2241 }
2242 if (!s->hit)
2243 {
2244 if(s->session->tlsext_ellipticcurvelist)
2245 {
2246 *al = TLS1_AD_DECODE_ERROR;
2247 return 0;
2248 }
2249 s->session->tlsext_ellipticcurvelist_length = 0;
2250 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2251 {
2252 *al = TLS1_AD_INTERNAL_ERROR;
2253 return 0;
2254 }
2255 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2256 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2257 }
2258 #if 0
2259 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2260 sdata = s->session->tlsext_ellipticcurvelist;
2261 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2262 fprintf(stderr,"%i ",*(sdata++));
2263 fprintf(stderr,"\n");
2264 #endif
2265 }
2266 #endif /* OPENSSL_NO_EC */
2267 #ifdef TLSEXT_TYPE_opaque_prf_input
2268 else if (type == TLSEXT_TYPE_opaque_prf_input)
2269 {
2270 unsigned char *sdata = data;
2271
2272 if (size < 2)
2273 {
2274 *al = SSL_AD_DECODE_ERROR;
2275 return 0;
2276 }
2277 n2s(sdata, s->s3->client_opaque_prf_input_len);
2278 if (s->s3->client_opaque_prf_input_len != size - 2)
2279 {
2280 *al = SSL_AD_DECODE_ERROR;
2281 return 0;
2282 }
2283
2284 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2285 OPENSSL_free(s->s3->client_opaque_prf_input);
2286 if (s->s3->client_opaque_prf_input_len == 0)
2287 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2288 else
2289 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2290 if (s->s3->client_opaque_prf_input == NULL)
2291 {
2292 *al = TLS1_AD_INTERNAL_ERROR;
2293 return 0;
2294 }
2295 }
2296 #endif
2297 else if (type == TLSEXT_TYPE_session_ticket)
2298 {
2299 if (s->tls_session_ticket_ext_cb &&
2300 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2301 {
2302 *al = TLS1_AD_INTERNAL_ERROR;
2303 return 0;
2304 }
2305 }
2306 else if (type == TLSEXT_TYPE_renegotiate)
2307 {
2308 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2309 return 0;
2310 renegotiate_seen = 1;
2311 }
2312 else if (type == TLSEXT_TYPE_signature_algorithms)
2313 {
2314 int dsize;
2315 if (s->cert->peer_sigalgs || size < 2)
2316 {
2317 *al = SSL_AD_DECODE_ERROR;
2318 return 0;
2319 }
2320 n2s(data,dsize);
2321 size -= 2;
2322 if (dsize != size || dsize & 1 || !dsize)
2323 {
2324 *al = SSL_AD_DECODE_ERROR;
2325 return 0;
2326 }
2327 if (!tls1_save_sigalgs(s, data, dsize))
2328 {
2329 *al = SSL_AD_DECODE_ERROR;
2330 return 0;
2331 }
2332 }
2333 else if (type == TLSEXT_TYPE_status_request)
2334 {
2335
2336 if (size < 5)
2337 {
2338 *al = SSL_AD_DECODE_ERROR;
2339 return 0;
2340 }
2341
2342 s->tlsext_status_type = *data++;
2343 size--;
2344 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2345 {
2346 const unsigned char *sdata;
2347 int dsize;
2348 /* Read in responder_id_list */
2349 n2s(data,dsize);
2350 size -= 2;
2351 if (dsize > size )
2352 {
2353 *al = SSL_AD_DECODE_ERROR;
2354 return 0;
2355 }
2356 while (dsize > 0)
2357 {
2358 OCSP_RESPID *id;
2359 int idsize;
2360 if (dsize < 4)
2361 {
2362 *al = SSL_AD_DECODE_ERROR;
2363 return 0;
2364 }
2365 n2s(data, idsize);
2366 dsize -= 2 + idsize;
2367 size -= 2 + idsize;
2368 if (dsize < 0)
2369 {
2370 *al = SSL_AD_DECODE_ERROR;
2371 return 0;
2372 }
2373 sdata = data;
2374 data += idsize;
2375 id = d2i_OCSP_RESPID(NULL,
2376 &sdata, idsize);
2377 if (!id)
2378 {
2379 *al = SSL_AD_DECODE_ERROR;
2380 return 0;
2381 }
2382 if (data != sdata)
2383 {
2384 OCSP_RESPID_free(id);
2385 *al = SSL_AD_DECODE_ERROR;
2386 return 0;
2387 }
2388 if (!s->tlsext_ocsp_ids
2389 && !(s->tlsext_ocsp_ids =
2390 sk_OCSP_RESPID_new_null()))
2391 {
2392 OCSP_RESPID_free(id);
2393 *al = SSL_AD_INTERNAL_ERROR;
2394 return 0;
2395 }
2396 if (!sk_OCSP_RESPID_push(
2397 s->tlsext_ocsp_ids, id))
2398 {
2399 OCSP_RESPID_free(id);
2400 *al = SSL_AD_INTERNAL_ERROR;
2401 return 0;
2402 }
2403 }
2404
2405 /* Read in request_extensions */
2406 if (size < 2)
2407 {
2408 *al = SSL_AD_DECODE_ERROR;
2409 return 0;
2410 }
2411 n2s(data,dsize);
2412 size -= 2;
2413 if (dsize != size)
2414 {
2415 *al = SSL_AD_DECODE_ERROR;
2416 return 0;
2417 }
2418 sdata = data;
2419 if (dsize > 0)
2420 {
2421 if (s->tlsext_ocsp_exts)
2422 {
2423 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2424 X509_EXTENSION_free);
2425 }
2426
2427 s->tlsext_ocsp_exts =
2428 d2i_X509_EXTENSIONS(NULL,
2429 &sdata, dsize);
2430 if (!s->tlsext_ocsp_exts
2431 || (data + dsize != sdata))
2432 {
2433 *al = SSL_AD_DECODE_ERROR;
2434 return 0;
2435 }
2436 }
2437 }
2438 /* We don't know what to do with any other type
2439 * so ignore it.
2440 */
2441 else
2442 s->tlsext_status_type = -1;
2443 }
2444 #ifndef OPENSSL_NO_HEARTBEATS
2445 else if (type == TLSEXT_TYPE_heartbeat)
2446 {
2447 switch(data[0])
2448 {
2449 case 0x01: /* Client allows us to send HB requests */
2450 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2451 break;
2452 case 0x02: /* Client doesn't accept HB requests */
2453 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2454 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2455 break;
2456 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2457 return 0;
2458 }
2459 }
2460 #endif
2461 #ifndef OPENSSL_NO_NEXTPROTONEG
2462 else if (type == TLSEXT_TYPE_next_proto_neg &&
2463 s->s3->tmp.finish_md_len == 0 &&
2464 s->s3->alpn_selected == NULL)
2465 {
2466 /*-
2467 * We shouldn't accept this extension on a
2468 * renegotiation.
2469 *
2470 * s->new_session will be set on renegotiation, but we
2471 * probably shouldn't rely that it couldn't be set on
2472 * the initial renegotation too in certain cases (when
2473 * there's some other reason to disallow resuming an
2474 * earlier session -- the current code won't be doing
2475 * anything like that, but this might change).
2476 *
2477 * A valid sign that there's been a previous handshake
2478 * in this connection is if s->s3->tmp.finish_md_len >
2479 * 0. (We are talking about a check that will happen
2480 * in the Hello protocol round, well before a new
2481 * Finished message could have been computed.)
2482 */
2483 s->s3->next_proto_neg_seen = 1;
2484 }
2485 #endif
2486
2487 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2488 s->ctx->alpn_select_cb &&
2489 s->s3->tmp.finish_md_len == 0)
2490 {
2491 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2492 return 0;
2493 #ifndef OPENSSL_NO_NEXTPROTONEG
2494 /* ALPN takes precedence over NPN. */
2495 s->s3->next_proto_neg_seen = 0;
2496 #endif
2497 }
2498
2499 /* session ticket processed earlier */
2500 #ifndef OPENSSL_NO_SRTP
2501 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2502 && type == TLSEXT_TYPE_use_srtp)
2503 {
2504 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2505 al))
2506 return 0;
2507 }
2508 #endif
2509
2510 data+=size;
2511 }
2512
2513 *p = data;
2514
2515 ri_check:
2516
2517 /* Need RI if renegotiating */
2518
2519 if (!renegotiate_seen && s->renegotiate &&
2520 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2521 {
2522 *al = SSL_AD_HANDSHAKE_FAILURE;
2523 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2524 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2525 return 0;
2526 }
2527
2528 return 1;
2529 }
2530
2531 /*
2532 * Parse any custom extensions found. "data" is the start of the extension data
2533 * and "limit" is the end of the record. TODO: add strict syntax checking.
2534 */
2535
2536 static int ssl_scan_clienthello_custom_tlsext(SSL *s, const unsigned char *data, const unsigned char *limit, int *al)
2537 {
2538 unsigned short type, size, len;
2539 /* If resumed session or no custom extensions nothing to do */
2540 if (s->hit || s->cert->srv_ext.meths_count == 0)
2541 return 1;
2542
2543 if (data >= limit - 2)
2544 return 1;
2545 n2s(data, len);
2546
2547 if (data > limit - len)
2548 return 1;
2549
2550 while (data <= limit - 4)
2551 {
2552 n2s(data, type);
2553 n2s(data, size);
2554
2555 if (data+size > limit)
2556 return 1;
2557 if (custom_ext_parse(s, 1 /* server */, type, data, size, al) <= 0)
2558 return 0;
2559
2560 data+=size;
2561 }
2562
2563 return 1;
2564 }
2565
2566 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2567 {
2568 int al = -1;
2569 unsigned char *ptmp = *p;
2570 /*
2571 * Internally supported extensions are parsed first so SNI can be handled
2572 * before custom extensions. An application processing SNI will typically
2573 * switch the parent context using SSL_set_SSL_CTX and custom extensions
2574 * need to be handled by the new SSL_CTX structure.
2575 */
2576 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2577 {
2578 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2579 return 0;
2580 }
2581
2582 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2583 {
2584 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2585 return 0;
2586 }
2587
2588 custom_ext_init(&s->cert->srv_ext);
2589 if (ssl_scan_clienthello_custom_tlsext(s, ptmp, d + n, &al) <= 0)
2590 {
2591 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2592 return 0;
2593 }
2594
2595 return 1;
2596 }
2597
2598 #ifndef OPENSSL_NO_NEXTPROTONEG
2599 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2600 * elements of zero length are allowed and the set of elements must exactly fill
2601 * the length of the block. */
2602 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2603 {
2604 unsigned int off = 0;
2605
2606 while (off < len)
2607 {
2608 if (d[off] == 0)
2609 return 0;
2610 off += d[off];
2611 off++;
2612 }
2613
2614 return off == len;
2615 }
2616 #endif
2617
2618 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2619 {
2620 unsigned short length;
2621 unsigned short type;
2622 unsigned short size;
2623 unsigned char *data = *p;
2624 int tlsext_servername = 0;
2625 int renegotiate_seen = 0;
2626
2627 #ifndef OPENSSL_NO_NEXTPROTONEG
2628 s->s3->next_proto_neg_seen = 0;
2629 #endif
2630 s->tlsext_ticket_expected = 0;
2631
2632 if (s->s3->alpn_selected)
2633 {
2634 OPENSSL_free(s->s3->alpn_selected);
2635 s->s3->alpn_selected = NULL;
2636 }
2637
2638 #ifndef OPENSSL_NO_HEARTBEATS
2639 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2640 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2641 #endif
2642
2643 if (data >= (d+n-2))
2644 goto ri_check;
2645
2646 n2s(data,length);
2647 if (data+length != d+n)
2648 {
2649 *al = SSL_AD_DECODE_ERROR;
2650 return 0;
2651 }
2652
2653 while(data <= (d+n-4))
2654 {
2655 n2s(data,type);
2656 n2s(data,size);
2657
2658 if (data+size > (d+n))
2659 goto ri_check;
2660
2661 if (s->tlsext_debug_cb)
2662 s->tlsext_debug_cb(s, 1, type, data, size,
2663 s->tlsext_debug_arg);
2664
2665 if (type == TLSEXT_TYPE_server_name)
2666 {
2667 if (s->tlsext_hostname == NULL || size > 0)
2668 {
2669 *al = TLS1_AD_UNRECOGNIZED_NAME;
2670 return 0;
2671 }
2672 tlsext_servername = 1;
2673 }
2674
2675 #ifndef OPENSSL_NO_EC
2676 else if (type == TLSEXT_TYPE_ec_point_formats)
2677 {
2678 unsigned char *sdata = data;
2679 int ecpointformatlist_length = *(sdata++);
2680
2681 if (ecpointformatlist_length != size - 1)
2682 {
2683 *al = TLS1_AD_DECODE_ERROR;
2684 return 0;
2685 }
2686 if (!s->hit)
2687 {
2688 s->session->tlsext_ecpointformatlist_length = 0;
2689 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2690 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2691 {
2692 *al = TLS1_AD_INTERNAL_ERROR;
2693 return 0;
2694 }
2695 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2696 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2697 }
2698 #if 0
2699 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2700 sdata = s->session->tlsext_ecpointformatlist;
2701 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2702 fprintf(stderr,"%i ",*(sdata++));
2703 fprintf(stderr,"\n");
2704 #endif
2705 }
2706 #endif /* OPENSSL_NO_EC */
2707
2708 else if (type == TLSEXT_TYPE_session_ticket)
2709 {
2710 if (s->tls_session_ticket_ext_cb &&
2711 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2712 {
2713 *al = TLS1_AD_INTERNAL_ERROR;
2714 return 0;
2715 }
2716 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2717 || (size > 0))
2718 {
2719 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2720 return 0;
2721 }
2722 s->tlsext_ticket_expected = 1;
2723 }
2724 #ifdef TLSEXT_TYPE_opaque_prf_input
2725 else if (type == TLSEXT_TYPE_opaque_prf_input)
2726 {
2727 unsigned char *sdata = data;
2728
2729 if (size < 2)
2730 {
2731 *al = SSL_AD_DECODE_ERROR;
2732 return 0;
2733 }
2734 n2s(sdata, s->s3->server_opaque_prf_input_len);
2735 if (s->s3->server_opaque_prf_input_len != size - 2)
2736 {
2737 *al = SSL_AD_DECODE_ERROR;
2738 return 0;
2739 }
2740
2741 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2742 OPENSSL_free(s->s3->server_opaque_prf_input);
2743 if (s->s3->server_opaque_prf_input_len == 0)
2744 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2745 else
2746 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2747
2748 if (s->s3->server_opaque_prf_input == NULL)
2749 {
2750 *al = TLS1_AD_INTERNAL_ERROR;
2751 return 0;
2752 }
2753 }
2754 #endif
2755 else if (type == TLSEXT_TYPE_status_request)
2756 {
2757 /* MUST be empty and only sent if we've requested
2758 * a status request message.
2759 */
2760 if ((s->tlsext_status_type == -1) || (size > 0))
2761 {
2762 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2763 return 0;
2764 }
2765 /* Set flag to expect CertificateStatus message */
2766 s->tlsext_status_expected = 1;
2767 }
2768 #ifndef OPENSSL_NO_NEXTPROTONEG
2769 else if (type == TLSEXT_TYPE_next_proto_neg &&
2770 s->s3->tmp.finish_md_len == 0)
2771 {
2772 unsigned char *selected;
2773 unsigned char selected_len;
2774
2775 /* We must have requested it. */
2776 if (s->ctx->next_proto_select_cb == NULL)
2777 {
2778 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2779 return 0;
2780 }
2781 /* The data must be valid */
2782 if (!ssl_next_proto_validate(data, size))
2783 {
2784 *al = TLS1_AD_DECODE_ERROR;
2785 return 0;
2786 }
2787 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2788 {
2789 *al = TLS1_AD_INTERNAL_ERROR;
2790 return 0;
2791 }
2792 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2793 if (!s->next_proto_negotiated)
2794 {
2795 *al = TLS1_AD_INTERNAL_ERROR;
2796 return 0;
2797 }
2798 memcpy(s->next_proto_negotiated, selected, selected_len);
2799 s->next_proto_negotiated_len = selected_len;
2800 s->s3->next_proto_neg_seen = 1;
2801 }
2802 #endif
2803
2804 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2805 {
2806 unsigned len;
2807
2808 /* We must have requested it. */
2809 if (s->alpn_client_proto_list == NULL)
2810 {
2811 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2812 return 0;
2813 }
2814 if (size < 4)
2815 {
2816 *al = TLS1_AD_DECODE_ERROR;
2817 return 0;
2818 }
2819 /*-
2820 * The extension data consists of:
2821 * uint16 list_length
2822 * uint8 proto_length;
2823 * uint8 proto[proto_length];
2824 */
2825 len = data[0];
2826 len <<= 8;
2827 len |= data[1];
2828 if (len != (unsigned) size - 2)
2829 {
2830 *al = TLS1_AD_DECODE_ERROR;
2831 return 0;
2832 }
2833 len = data[2];
2834 if (len != (unsigned) size - 3)
2835 {
2836 *al = TLS1_AD_DECODE_ERROR;
2837 return 0;
2838 }
2839 if (s->s3->alpn_selected)
2840 OPENSSL_free(s->s3->alpn_selected);
2841 s->s3->alpn_selected = OPENSSL_malloc(len);
2842 if (!s->s3->alpn_selected)
2843 {
2844 *al = TLS1_AD_INTERNAL_ERROR;
2845 return 0;
2846 }
2847 memcpy(s->s3->alpn_selected, data + 3, len);
2848 s->s3->alpn_selected_len = len;
2849 }
2850
2851 else if (type == TLSEXT_TYPE_renegotiate)
2852 {
2853 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2854 return 0;
2855 renegotiate_seen = 1;
2856 }
2857 #ifndef OPENSSL_NO_HEARTBEATS
2858 else if (type == TLSEXT_TYPE_heartbeat)
2859 {
2860 switch(data[0])
2861 {
2862 case 0x01: /* Server allows us to send HB requests */
2863 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2864 break;
2865 case 0x02: /* Server doesn't accept HB requests */
2866 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2867 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2868 break;
2869 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2870 return 0;
2871 }
2872 }
2873 #endif
2874 #ifndef OPENSSL_NO_SRTP
2875 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
2876 {
2877 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2878 al))
2879 return 0;
2880 }
2881 #endif
2882 /* If this extension type was not otherwise handled, but
2883 * matches a custom_cli_ext_record, then send it to the c
2884 * callback */
2885 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2886 return 0;
2887
2888 data += size;
2889 }
2890
2891 if (data != d+n)
2892 {
2893 *al = SSL_AD_DECODE_ERROR;
2894 return 0;
2895 }
2896
2897 if (!s->hit && tlsext_servername == 1)
2898 {
2899 if (s->tlsext_hostname)
2900 {
2901 if (s->session->tlsext_hostname == NULL)
2902 {
2903 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2904 if (!s->session->tlsext_hostname)
2905 {
2906 *al = SSL_AD_UNRECOGNIZED_NAME;
2907 return 0;
2908 }
2909 }
2910 else
2911 {
2912 *al = SSL_AD_DECODE_ERROR;
2913 return 0;
2914 }
2915 }
2916 }
2917
2918 *p = data;
2919
2920 ri_check:
2921
2922 /* Determine if we need to see RI. Strictly speaking if we want to
2923 * avoid an attack we should *always* see RI even on initial server
2924 * hello because the client doesn't see any renegotiation during an
2925 * attack. However this would mean we could not connect to any server
2926 * which doesn't support RI so for the immediate future tolerate RI
2927 * absence on initial connect only.
2928 */
2929 if (!renegotiate_seen
2930 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2931 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2932 {
2933 *al = SSL_AD_HANDSHAKE_FAILURE;
2934 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2935 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2936 return 0;
2937 }
2938
2939 return 1;
2940 }
2941
2942
2943 int ssl_prepare_clienthello_tlsext(SSL *s)
2944 {
2945
2946 #ifdef TLSEXT_TYPE_opaque_prf_input
2947 {
2948 int r = 1;
2949
2950 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2951 {
2952 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2953 if (!r)
2954 return -1;
2955 }
2956
2957 if (s->tlsext_opaque_prf_input != NULL)
2958 {
2959 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2960 OPENSSL_free(s->s3->client_opaque_prf_input);
2961
2962 if (s->tlsext_opaque_prf_input_len == 0)
2963 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2964 else
2965 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2966 if (s->s3->client_opaque_prf_input == NULL)
2967 {
2968 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2969 return -1;
2970 }
2971 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2972 }
2973
2974 if (r == 2)
2975 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2976 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2977 }
2978 #endif
2979
2980 return 1;
2981 }
2982
2983 int ssl_prepare_serverhello_tlsext(SSL *s)
2984 {
2985 return 1;
2986 }
2987
2988 static int ssl_check_clienthello_tlsext_early(SSL *s)
2989 {
2990 int ret=SSL_TLSEXT_ERR_NOACK;
2991 int al = SSL_AD_UNRECOGNIZED_NAME;
2992
2993 #ifndef OPENSSL_NO_EC
2994 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2995 * ssl3_choose_cipher in s3_lib.c.
2996 */
2997 /* The handling of the EllipticCurves extension is done elsewhere, namely in
2998 * ssl3_choose_cipher in s3_lib.c.
2999 */
3000 #endif
3001
3002 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3003 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3004 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3005 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3006
3007 #ifdef TLSEXT_TYPE_opaque_prf_input
3008 {
3009 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3010 * but we might be sending an alert in response to the client hello,
3011 * so this has to happen here in
3012 * ssl_check_clienthello_tlsext_early(). */
3013
3014 int r = 1;
3015
3016 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3017 {
3018 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3019 if (!r)
3020 {
3021 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3022 al = SSL_AD_INTERNAL_ERROR;
3023 goto err;
3024 }
3025 }
3026
3027 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3028 OPENSSL_free(s->s3->server_opaque_prf_input);
3029 s->s3->server_opaque_prf_input = NULL;
3030
3031 if (s->tlsext_opaque_prf_input != NULL)
3032 {
3033 if (s->s3->client_opaque_prf_input != NULL &&
3034 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3035 {
3036 /* can only use this extension if we have a server opaque PRF input
3037 * of the same length as the client opaque PRF input! */
3038
3039 if (s->tlsext_opaque_prf_input_len == 0)
3040 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3041 else
3042 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3043 if (s->s3->server_opaque_prf_input == NULL)
3044 {
3045 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3046 al = SSL_AD_INTERNAL_ERROR;
3047 goto err;
3048 }
3049 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3050 }
3051 }
3052
3053 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3054 {
3055 /* The callback wants to enforce use of the extension,
3056 * but we can't do that with the client opaque PRF input;
3057 * abort the handshake.
3058 */
3059 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3060 al = SSL_AD_HANDSHAKE_FAILURE;
3061 }
3062 }
3063
3064 err:
3065 #endif
3066 switch (ret)
3067 {
3068 case SSL_TLSEXT_ERR_ALERT_FATAL:
3069 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3070 return -1;
3071
3072 case SSL_TLSEXT_ERR_ALERT_WARNING:
3073 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3074 return 1;
3075
3076 case SSL_TLSEXT_ERR_NOACK:
3077 s->servername_done=0;
3078 default:
3079 return 1;
3080 }
3081 }
3082
3083 int tls1_set_server_sigalgs(SSL *s)
3084 {
3085 int al;
3086 size_t i;
3087 /* Clear any shared sigtnature algorithms */
3088 if (s->cert->shared_sigalgs)
3089 {
3090 OPENSSL_free(s->cert->shared_sigalgs);
3091 s->cert->shared_sigalgs = NULL;
3092 }
3093 /* Clear certificate digests and validity flags */
3094 for (i = 0; i < SSL_PKEY_NUM; i++)
3095 {
3096 s->cert->pkeys[i].digest = NULL;
3097 s->cert->pkeys[i].valid_flags = 0;
3098 }
3099
3100 /* If sigalgs received process it. */
3101 if (s->cert->peer_sigalgs)
3102 {
3103 if (!tls1_process_sigalgs(s))
3104 {
3105 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3106 ERR_R_MALLOC_FAILURE);
3107 al = SSL_AD_INTERNAL_ERROR;
3108 goto err;
3109 }
3110 /* Fatal error is no shared signature algorithms */
3111 if (!s->cert->shared_sigalgs)
3112 {
3113 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3114 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3115 al = SSL_AD_ILLEGAL_PARAMETER;
3116 goto err;
3117 }
3118 }
3119 else
3120 ssl_cert_set_default_md(s->cert);
3121 return 1;
3122 err:
3123 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3124 return 0;
3125 }
3126
3127 int ssl_check_clienthello_tlsext_late(SSL *s)
3128 {
3129 int ret = SSL_TLSEXT_ERR_OK;
3130 int al;
3131
3132 /* If status request then ask callback what to do.
3133 * Note: this must be called after servername callbacks in case
3134 * the certificate has changed, and must be called after the cipher
3135 * has been chosen because this may influence which certificate is sent
3136 */
3137 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3138 {
3139 int r;
3140 CERT_PKEY *certpkey;
3141 certpkey = ssl_get_server_send_pkey(s);
3142 /* If no certificate can't return certificate status */
3143 if (certpkey == NULL)
3144 {
3145 s->tlsext_status_expected = 0;
3146 return 1;
3147 }
3148 /* Set current certificate to one we will use so
3149 * SSL_get_certificate et al can pick it up.
3150 */
3151 s->cert->key = certpkey;
3152 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3153 switch (r)
3154 {
3155 /* We don't want to send a status request response */
3156 case SSL_TLSEXT_ERR_NOACK:
3157 s->tlsext_status_expected = 0;
3158 break;
3159 /* status request response should be sent */
3160 case SSL_TLSEXT_ERR_OK:
3161 if (s->tlsext_ocsp_resp)
3162 s->tlsext_status_expected = 1;
3163 else
3164 s->tlsext_status_expected = 0;
3165 break;
3166 /* something bad happened */
3167 case SSL_TLSEXT_ERR_ALERT_FATAL:
3168 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3169 al = SSL_AD_INTERNAL_ERROR;
3170 goto err;
3171 }
3172 }
3173 else
3174 s->tlsext_status_expected = 0;
3175
3176 err:
3177 switch (ret)
3178 {
3179 case SSL_TLSEXT_ERR_ALERT_FATAL:
3180 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3181 return -1;
3182
3183 case SSL_TLSEXT_ERR_ALERT_WARNING:
3184 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3185 return 1;
3186
3187 default:
3188 return 1;
3189 }
3190 }
3191
3192 int ssl_check_serverhello_tlsext(SSL *s)
3193 {
3194 int ret=SSL_TLSEXT_ERR_NOACK;
3195 int al = SSL_AD_UNRECOGNIZED_NAME;
3196
3197 #ifndef OPENSSL_NO_EC
3198 /* If we are client and using an elliptic curve cryptography cipher
3199 * suite, then if server returns an EC point formats lists extension
3200 * it must contain uncompressed.
3201 */
3202 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3203 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3204 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3205 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3206 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3207 {
3208 /* we are using an ECC cipher */
3209 size_t i;
3210 unsigned char *list;
3211 int found_uncompressed = 0;
3212 list = s->session->tlsext_ecpointformatlist;
3213 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3214 {
3215 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3216 {
3217 found_uncompressed = 1;
3218 break;
3219 }
3220 }
3221 if (!found_uncompressed)
3222 {
3223 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3224 return -1;
3225 }
3226 }
3227 ret = SSL_TLSEXT_ERR_OK;
3228 #endif /* OPENSSL_NO_EC */
3229
3230 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3231 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3232 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3233 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3234
3235 #ifdef TLSEXT_TYPE_opaque_prf_input
3236 if (s->s3->server_opaque_prf_input_len > 0)
3237 {
3238 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3239 * So first verify that we really have a value from the server too. */
3240
3241 if (s->s3->server_opaque_prf_input == NULL)
3242 {
3243 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3244 al = SSL_AD_HANDSHAKE_FAILURE;
3245 }
3246
3247 /* Anytime the server *has* sent an opaque PRF input, we need to check
3248 * that we have a client opaque PRF input of the same size. */
3249 if (s->s3->client_opaque_prf_input == NULL ||
3250 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3251 {
3252 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3253 al = SSL_AD_ILLEGAL_PARAMETER;
3254 }
3255 }
3256 #endif
3257
3258 /* If we've requested certificate status and we wont get one
3259 * tell the callback
3260 */
3261 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3262 && s->ctx && s->ctx->tlsext_status_cb)
3263 {
3264 int r;
3265 /* Set resp to NULL, resplen to -1 so callback knows
3266 * there is no response.
3267 */
3268 if (s->tlsext_ocsp_resp)
3269 {
3270 OPENSSL_free(s->tlsext_ocsp_resp);
3271 s->tlsext_ocsp_resp = NULL;
3272 }
3273 s->tlsext_ocsp_resplen = -1;
3274 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3275 if (r == 0)
3276 {
3277 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3278 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3279 }
3280 if (r < 0)
3281 {
3282 al = SSL_AD_INTERNAL_ERROR;
3283 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3284 }
3285 }
3286
3287 switch (ret)
3288 {
3289 case SSL_TLSEXT_ERR_ALERT_FATAL:
3290 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3291 return -1;
3292
3293 case SSL_TLSEXT_ERR_ALERT_WARNING:
3294 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3295 return 1;
3296
3297 case SSL_TLSEXT_ERR_NOACK:
3298 s->servername_done=0;
3299 default:
3300 return 1;
3301 }
3302 }
3303
3304 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3305 {
3306 int al = -1;
3307 if (s->version < SSL3_VERSION)
3308 return 1;
3309 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3310 {
3311 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3312 return 0;
3313 }
3314
3315 if (ssl_check_serverhello_tlsext(s) <= 0)
3316 {
3317 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3318 return 0;
3319 }
3320 return 1;
3321 }
3322
3323 /*-
3324 * Since the server cache lookup is done early on in the processing of the
3325 * ClientHello, and other operations depend on the result, we need to handle
3326 * any TLS session ticket extension at the same time.
3327 *
3328 * session_id: points at the session ID in the ClientHello. This code will
3329 * read past the end of this in order to parse out the session ticket
3330 * extension, if any.
3331 * len: the length of the session ID.
3332 * limit: a pointer to the first byte after the ClientHello.
3333 * ret: (output) on return, if a ticket was decrypted, then this is set to
3334 * point to the resulting session.
3335 *
3336 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3337 * ciphersuite, in which case we have no use for session tickets and one will
3338 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3339 *
3340 * Returns:
3341 * -1: fatal error, either from parsing or decrypting the ticket.
3342 * 0: no ticket was found (or was ignored, based on settings).
3343 * 1: a zero length extension was found, indicating that the client supports
3344 * session tickets but doesn't currently have one to offer.
3345 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3346 * couldn't be decrypted because of a non-fatal error.
3347 * 3: a ticket was successfully decrypted and *ret was set.
3348 *
3349 * Side effects:
3350 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3351 * a new session ticket to the client because the client indicated support
3352 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3353 * a session ticket or we couldn't use the one it gave us, or if
3354 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3355 * Otherwise, s->tlsext_ticket_expected is set to 0.
3356 */
3357 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3358 const unsigned char *limit, SSL_SESSION **ret)
3359 {
3360 /* Point after session ID in client hello */
3361 const unsigned char *p = session_id + len;
3362 unsigned short i;
3363
3364 *ret = NULL;
3365 s->tlsext_ticket_expected = 0;
3366
3367 /* If tickets disabled behave as if no ticket present
3368 * to permit stateful resumption.
3369 */
3370 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3371 return 0;
3372 if ((s->version <= SSL3_VERSION) || !limit)
3373 return 0;
3374 if (p >= limit)
3375 return -1;
3376 /* Skip past DTLS cookie */
3377 if (SSL_IS_DTLS(s))
3378 {
3379 i = *(p++);
3380 p+= i;
3381 if (p >= limit)
3382 return -1;
3383 }
3384 /* Skip past cipher list */
3385 n2s(p, i);
3386 p+= i;
3387 if (p >= limit)
3388 return -1;
3389 /* Skip past compression algorithm list */
3390 i = *(p++);
3391 p += i;
3392 if (p > limit)
3393 return -1;
3394 /* Now at start of extensions */
3395 if ((p + 2) >= limit)
3396 return 0;
3397 n2s(p, i);
3398 while ((p + 4) <= limit)
3399 {
3400 unsigned short type, size;
3401 n2s(p, type);
3402 n2s(p, size);
3403 if (p + size > limit)
3404 return 0;
3405 if (type == TLSEXT_TYPE_session_ticket)
3406 {
3407 int r;
3408 if (size == 0)
3409 {
3410 /* The client will accept a ticket but doesn't
3411 * currently have one. */
3412 s->tlsext_ticket_expected = 1;
3413 return 1;
3414 }
3415 if (s->tls_session_secret_cb)
3416 {
3417 /* Indicate that the ticket couldn't be
3418 * decrypted rather than generating the session
3419 * from ticket now, trigger abbreviated
3420 * handshake based on external mechanism to
3421 * calculate the master secret later. */
3422 return 2;
3423 }
3424 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3425 switch (r)
3426 {
3427 case 2: /* ticket couldn't be decrypted */
3428 s->tlsext_ticket_expected = 1;
3429 return 2;
3430 case 3: /* ticket was decrypted */
3431 return r;
3432 case 4: /* ticket decrypted but need to renew */
3433 s->tlsext_ticket_expected = 1;
3434 return 3;
3435 default: /* fatal error */
3436 return -1;
3437 }
3438 }
3439 p += size;
3440 }
3441 return 0;
3442 }
3443
3444 /*-
3445 * tls_decrypt_ticket attempts to decrypt a session ticket.
3446 *
3447 * etick: points to the body of the session ticket extension.
3448 * eticklen: the length of the session tickets extenion.
3449 * sess_id: points at the session ID.
3450 * sesslen: the length of the session ID.
3451 * psess: (output) on return, if a ticket was decrypted, then this is set to
3452 * point to the resulting session.
3453 *
3454 * Returns:
3455 * -1: fatal error, either from parsing or decrypting the ticket.
3456 * 2: the ticket couldn't be decrypted.
3457 * 3: a ticket was successfully decrypted and *psess was set.
3458 * 4: same as 3, but the ticket needs to be renewed.
3459 */
3460 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3461 const unsigned char *sess_id, int sesslen,
3462 SSL_SESSION **psess)
3463 {
3464 SSL_SESSION *sess;
3465 unsigned char *sdec;
3466 const unsigned char *p;
3467 int slen, mlen, renew_ticket = 0;
3468 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3469 HMAC_CTX hctx;
3470 EVP_CIPHER_CTX ctx;
3471 SSL_CTX *tctx = s->initial_ctx;
3472 /* Need at least keyname + iv + some encrypted data */
3473 if (eticklen < 48)
3474 return 2;
3475 /* Initialize session ticket encryption and HMAC contexts */
3476 HMAC_CTX_init(&hctx);
3477 EVP_CIPHER_CTX_init(&ctx);
3478 if (tctx->tlsext_ticket_key_cb)
3479 {
3480 unsigned char *nctick = (unsigned char *)etick;
3481 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3482 &ctx, &hctx, 0);
3483 if (rv < 0)
3484 return -1;
3485 if (rv == 0)
3486 return 2;
3487 if (rv == 2)
3488 renew_ticket = 1;
3489 }
3490 else
3491 {
3492 /* Check key name matches */
3493 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3494 return 2;
3495 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3496 tlsext_tick_md(), NULL);
3497 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3498 tctx->tlsext_tick_aes_key, etick + 16);
3499 }
3500 /* Attempt to process session ticket, first conduct sanity and
3501 * integrity checks on ticket.
3502 */
3503 mlen = HMAC_size(&hctx);
3504 if (mlen < 0)
3505 {
3506 EVP_CIPHER_CTX_cleanup(&ctx);
3507 return -1;
3508 }
3509 eticklen -= mlen;
3510 /* Check HMAC of encrypted ticket */
3511 HMAC_Update(&hctx, etick, eticklen);
3512 HMAC_Final(&hctx, tick_hmac, NULL);
3513 HMAC_CTX_cleanup(&hctx);
3514 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3515 {
3516 EVP_CIPHER_CTX_cleanup(&ctx);
3517 return 2;
3518 }
3519 /* Attempt to decrypt session data */
3520 /* Move p after IV to start of encrypted ticket, update length */
3521 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3522 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3523 sdec = OPENSSL_malloc(eticklen);
3524 if (!sdec)
3525 {
3526 EVP_CIPHER_CTX_cleanup(&ctx);
3527 return -1;
3528 }
3529 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3530 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3531 {
3532 EVP_CIPHER_CTX_cleanup(&ctx);
3533 OPENSSL_free(sdec);
3534 return 2;
3535 }
3536 slen += mlen;
3537 EVP_CIPHER_CTX_cleanup(&ctx);
3538 p = sdec;
3539
3540 sess = d2i_SSL_SESSION(NULL, &p, slen);
3541 OPENSSL_free(sdec);
3542 if (sess)
3543 {
3544 /* The session ID, if non-empty, is used by some clients to
3545 * detect that the ticket has been accepted. So we copy it to
3546 * the session structure. If it is empty set length to zero
3547 * as required by standard.
3548 */
3549 if (sesslen)
3550 memcpy(sess->session_id, sess_id, sesslen);
3551 sess->session_id_length = sesslen;
3552 *psess = sess;
3553 if (renew_ticket)
3554 return 4;
3555 else
3556 return 3;
3557 }
3558 ERR_clear_error();
3559 /* For session parse failure, indicate that we need to send a new
3560 * ticket. */
3561 return 2;
3562 }
3563
3564 /* Tables to translate from NIDs to TLS v1.2 ids */
3565
3566 typedef struct
3567 {
3568 int nid;
3569 int id;
3570 } tls12_lookup;
3571
3572 static tls12_lookup tls12_md[] = {
3573 {NID_md5, TLSEXT_hash_md5},
3574 {NID_sha1, TLSEXT_hash_sha1},
3575 {NID_sha224, TLSEXT_hash_sha224},
3576 {NID_sha256, TLSEXT_hash_sha256},
3577 {NID_sha384, TLSEXT_hash_sha384},
3578 {NID_sha512, TLSEXT_hash_sha512}
3579 };
3580
3581 static tls12_lookup tls12_sig[] = {
3582 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3583 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3584 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3585 };
3586
3587 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3588 {
3589 size_t i;
3590 for (i = 0; i < tlen; i++)
3591 {
3592 if (table[i].nid == nid)
3593 return table[i].id;
3594 }
3595 return -1;
3596 }
3597
3598 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3599 {
3600 size_t i;
3601 for (i = 0; i < tlen; i++)
3602 {
3603 if ((table[i].id) == id)
3604 return table[i].nid;
3605 }
3606 return NID_undef;
3607 }
3608
3609 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3610 {
3611 int sig_id, md_id;
3612 if (!md)
3613 return 0;
3614 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3615 sizeof(tls12_md)/sizeof(tls12_lookup));
3616 if (md_id == -1)
3617 return 0;
3618 sig_id = tls12_get_sigid(pk);
3619 if (sig_id == -1)
3620 return 0;
3621 p[0] = (unsigned char)md_id;
3622 p[1] = (unsigned char)sig_id;
3623 return 1;
3624 }
3625
3626 int tls12_get_sigid(const EVP_PKEY *pk)
3627 {
3628 return tls12_find_id(pk->type, tls12_sig,
3629 sizeof(tls12_sig)/sizeof(tls12_lookup));
3630 }
3631
3632 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3633 {
3634 switch(hash_alg)
3635 {
3636 #ifndef OPENSSL_NO_MD5
3637 case TLSEXT_hash_md5:
3638 #ifdef OPENSSL_FIPS
3639 if (FIPS_mode())
3640 return NULL;
3641 #endif
3642 return EVP_md5();
3643 #endif
3644 #ifndef OPENSSL_NO_SHA
3645 case TLSEXT_hash_sha1:
3646 return EVP_sha1();
3647 #endif
3648 #ifndef OPENSSL_NO_SHA256
3649 case TLSEXT_hash_sha224:
3650 return EVP_sha224();
3651
3652 case TLSEXT_hash_sha256:
3653 return EVP_sha256();
3654 #endif
3655 #ifndef OPENSSL_NO_SHA512
3656 case TLSEXT_hash_sha384:
3657 return EVP_sha384();
3658
3659 case TLSEXT_hash_sha512:
3660 return EVP_sha512();
3661 #endif
3662 default:
3663 return NULL;
3664
3665 }
3666 }
3667
3668 static int tls12_get_pkey_idx(unsigned char sig_alg)
3669 {
3670 switch(sig_alg)
3671 {
3672 #ifndef OPENSSL_NO_RSA
3673 case TLSEXT_signature_rsa:
3674 return SSL_PKEY_RSA_SIGN;
3675 #endif
3676 #ifndef OPENSSL_NO_DSA
3677 case TLSEXT_signature_dsa:
3678 return SSL_PKEY_DSA_SIGN;
3679 #endif
3680 #ifndef OPENSSL_NO_ECDSA
3681 case TLSEXT_signature_ecdsa:
3682 return SSL_PKEY_ECC;
3683 #endif
3684 }
3685 return -1;
3686 }
3687
3688 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3689 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3690 int *psignhash_nid, const unsigned char *data)
3691 {
3692 int sign_nid = 0, hash_nid = 0;
3693 if (!phash_nid && !psign_nid && !psignhash_nid)
3694 return;
3695 if (phash_nid || psignhash_nid)
3696 {
3697 hash_nid = tls12_find_nid(data[0], tls12_md,
3698 sizeof(tls12_md)/sizeof(tls12_lookup));
3699 if (phash_nid)
3700 *phash_nid = hash_nid;
3701 }
3702 if (psign_nid || psignhash_nid)
3703 {
3704 sign_nid = tls12_find_nid(data[1], tls12_sig,
3705 sizeof(tls12_sig)/sizeof(tls12_lookup));
3706 if (psign_nid)
3707 *psign_nid = sign_nid;
3708 }
3709 if (psignhash_nid)
3710 {
3711 if (sign_nid && hash_nid)
3712 OBJ_find_sigid_by_algs(psignhash_nid,
3713 hash_nid, sign_nid);
3714 else
3715 *psignhash_nid = NID_undef;
3716 }
3717 }
3718 /* Given preference and allowed sigalgs set shared sigalgs */
3719 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3720 const unsigned char *pref, size_t preflen,
3721 const unsigned char *allow, size_t allowlen)
3722 {
3723 const unsigned char *ptmp, *atmp;
3724 size_t i, j, nmatch = 0;
3725 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3726 {
3727 /* Skip disabled hashes or signature algorithms */
3728 if (tls12_get_hash(ptmp[0]) == NULL)
3729 continue;
3730 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3731 continue;
3732 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3733 {
3734 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3735 {
3736 nmatch++;
3737 if (shsig)
3738 {
3739 shsig->rhash = ptmp[0];
3740 shsig->rsign = ptmp[1];
3741 tls1_lookup_sigalg(&shsig->hash_nid,
3742 &shsig->sign_nid,
3743 &shsig->signandhash_nid,
3744 ptmp);
3745 shsig++;
3746 }
3747 break;
3748 }
3749 }
3750 }
3751 return nmatch;
3752 }
3753
3754 /* Set shared signature algorithms for SSL structures */
3755 static int tls1_set_shared_sigalgs(SSL *s)
3756 {
3757 const unsigned char *pref, *allow, *conf;
3758 size_t preflen, allowlen, conflen;
3759 size_t nmatch;
3760 TLS_SIGALGS *salgs = NULL;
3761 CERT *c = s->cert;
3762 unsigned int is_suiteb = tls1_suiteb(s);
3763 if (c->shared_sigalgs)
3764 {
3765 OPENSSL_free(c->shared_sigalgs);
3766 c->shared_sigalgs = NULL;
3767 }
3768 /* If client use client signature algorithms if not NULL */
3769 if (!s->server && c->client_sigalgs && !is_suiteb)
3770 {
3771 conf = c->client_sigalgs;
3772 conflen = c->client_sigalgslen;
3773 }
3774 else if (c->conf_sigalgs && !is_suiteb)
3775 {
3776 conf = c->conf_sigalgs;
3777 conflen = c->conf_sigalgslen;
3778 }
3779 else
3780 conflen = tls12_get_psigalgs(s, &conf);
3781 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3782 {
3783 pref = conf;
3784 preflen = conflen;
3785 allow = c->peer_sigalgs;
3786 allowlen = c->peer_sigalgslen;
3787 }
3788 else
3789 {
3790 allow = conf;
3791 allowlen = conflen;
3792 pref = c->peer_sigalgs;
3793 preflen = c->peer_sigalgslen;
3794 }
3795 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3796 if (!nmatch)
3797 return 1;
3798 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3799 if (!salgs)
3800 return 0;
3801 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3802 c->shared_sigalgs = salgs;
3803 c->shared_sigalgslen = nmatch;
3804 return 1;
3805 }
3806
3807
3808 /* Set preferred digest for each key type */
3809
3810 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3811 {
3812 CERT *c = s->cert;
3813 /* Extension ignored for inappropriate versions */
3814 if (!SSL_USE_SIGALGS(s))
3815 return 1;
3816 /* Should never happen */
3817 if (!c)
3818 return 0;
3819
3820 if (c->peer_sigalgs)
3821 OPENSSL_free(c->peer_sigalgs);
3822 c->peer_sigalgs = OPENSSL_malloc(dsize);
3823 if (!c->peer_sigalgs)
3824 return 0;
3825 c->peer_sigalgslen = dsize;
3826 memcpy(c->peer_sigalgs, data, dsize);
3827 return 1;
3828 }
3829
3830 int tls1_process_sigalgs(SSL *s)
3831 {
3832 int idx;
3833 size_t i;
3834 const EVP_MD *md;
3835 CERT *c = s->cert;
3836 TLS_SIGALGS *sigptr;
3837 if (!tls1_set_shared_sigalgs(s))
3838 return 0;
3839
3840 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3841 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3842 {
3843 /* Use first set signature preference to force message
3844 * digest, ignoring any peer preferences.
3845 */
3846 const unsigned char *sigs = NULL;
3847 if (s->server)
3848 sigs = c->conf_sigalgs;
3849 else
3850 sigs = c->client_sigalgs;
3851 if (sigs)
3852 {
3853 idx = tls12_get_pkey_idx(sigs[1]);
3854 md = tls12_get_hash(sigs[0]);
3855 c->pkeys[idx].digest = md;
3856 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3857 if (idx == SSL_PKEY_RSA_SIGN)
3858 {
3859 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3860 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3861 }
3862 }
3863 }
3864 #endif
3865
3866 for (i = 0, sigptr = c->shared_sigalgs;
3867 i < c->shared_sigalgslen; i++, sigptr++)
3868 {
3869 idx = tls12_get_pkey_idx(sigptr->rsign);
3870 if (idx > 0 && c->pkeys[idx].digest == NULL)
3871 {
3872 md = tls12_get_hash(sigptr->rhash);
3873 c->pkeys[idx].digest = md;
3874 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3875 if (idx == SSL_PKEY_RSA_SIGN)
3876 {
3877 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3878 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3879 }
3880 }
3881
3882 }
3883 /* In strict mode leave unset digests as NULL to indicate we can't
3884 * use the certificate for signing.
3885 */
3886 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3887 {
3888 /* Set any remaining keys to default values. NOTE: if alg is
3889 * not supported it stays as NULL.
3890 */
3891 #ifndef OPENSSL_NO_DSA
3892 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3893 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3894 #endif
3895 #ifndef OPENSSL_NO_RSA
3896 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3897 {
3898 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3899 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3900 }
3901 #endif
3902 #ifndef OPENSSL_NO_ECDSA
3903 if (!c->pkeys[SSL_PKEY_ECC].digest)
3904 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3905 #endif
3906 }
3907 return 1;
3908 }
3909
3910
3911 int SSL_get_sigalgs(SSL *s, int idx,
3912 int *psign, int *phash, int *psignhash,
3913 unsigned char *rsig, unsigned char *rhash)
3914 {
3915 const unsigned char *psig = s->cert->peer_sigalgs;
3916 if (psig == NULL)
3917 return 0;
3918 if (idx >= 0)
3919 {
3920 idx <<= 1;
3921 if (idx >= (int)s->cert->peer_sigalgslen)
3922 return 0;
3923 psig += idx;
3924 if (rhash)
3925 *rhash = psig[0];
3926 if (rsig)
3927 *rsig = psig[1];
3928 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3929 }
3930 return s->cert->peer_sigalgslen / 2;
3931 }
3932
3933 int SSL_get_shared_sigalgs(SSL *s, int idx,
3934 int *psign, int *phash, int *psignhash,
3935 unsigned char *rsig, unsigned char *rhash)
3936 {
3937 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3938 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3939 return 0;
3940 shsigalgs += idx;
3941 if (phash)
3942 *phash = shsigalgs->hash_nid;
3943 if (psign)
3944 *psign = shsigalgs->sign_nid;
3945 if (psignhash)
3946 *psignhash = shsigalgs->signandhash_nid;
3947 if (rsig)
3948 *rsig = shsigalgs->rsign;
3949 if (rhash)
3950 *rhash = shsigalgs->rhash;
3951 return s->cert->shared_sigalgslen;
3952 }
3953
3954
3955 #ifndef OPENSSL_NO_HEARTBEATS
3956 int
3957 tls1_process_heartbeat(SSL *s)
3958 {
3959 unsigned char *p = &s->s3->rrec.data[0], *pl;
3960 unsigned short hbtype;
3961 unsigned int payload;
3962 unsigned int padding = 16; /* Use minimum padding */
3963
3964 if (s->msg_callback)
3965 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3966 &s->s3->rrec.data[0], s->s3->rrec.length,
3967 s, s->msg_callback_arg);
3968
3969 /* Read type and payload length first */
3970 if (1 + 2 + 16 > s->s3->rrec.length)
3971 return 0; /* silently discard */
3972 hbtype = *p++;
3973 n2s(p, payload);
3974 if (1 + 2 + payload + 16 > s->s3->rrec.length)
3975 return 0; /* silently discard per RFC 6520 sec. 4 */
3976 pl = p;
3977
3978 if (hbtype == TLS1_HB_REQUEST)
3979 {
3980 unsigned char *buffer, *bp;
3981 int r;
3982
3983 /* Allocate memory for the response, size is 1 bytes
3984 * message type, plus 2 bytes payload length, plus
3985 * payload, plus padding
3986 */
3987 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3988 bp = buffer;
3989
3990 /* Enter response type, length and copy payload */
3991 *bp++ = TLS1_HB_RESPONSE;
3992 s2n(payload, bp);
3993 memcpy(bp, pl, payload);
3994 bp += payload;
3995 /* Random padding */
3996 RAND_pseudo_bytes(bp, padding);
3997
3998 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3999
4000 if (r >= 0 && s->msg_callback)
4001 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4002 buffer, 3 + payload + padding,
4003 s, s->msg_callback_arg);
4004
4005 OPENSSL_free(buffer);
4006
4007 if (r < 0)
4008 return r;
4009 }
4010 else if (hbtype == TLS1_HB_RESPONSE)
4011 {
4012 unsigned int seq;
4013
4014 /* We only send sequence numbers (2 bytes unsigned int),
4015 * and 16 random bytes, so we just try to read the
4016 * sequence number */
4017 n2s(pl, seq);
4018
4019 if (payload == 18 && seq == s->tlsext_hb_seq)
4020 {
4021 s->tlsext_hb_seq++;
4022 s->tlsext_hb_pending = 0;
4023 }
4024 }
4025
4026 return 0;
4027 }
4028
4029 int
4030 tls1_heartbeat(SSL *s)
4031 {
4032 unsigned char *buf, *p;
4033 int ret;
4034 unsigned int payload = 18; /* Sequence number + random bytes */
4035 unsigned int padding = 16; /* Use minimum padding */
4036
4037 /* Only send if peer supports and accepts HB requests... */
4038 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4039 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4040 {
4041 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4042 return -1;
4043 }
4044
4045 /* ...and there is none in flight yet... */
4046 if (s->tlsext_hb_pending)
4047 {
4048 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
4049 return -1;
4050 }
4051
4052 /* ...and no handshake in progress. */
4053 if (SSL_in_init(s) || s->in_handshake)
4054 {
4055 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
4056 return -1;
4057 }
4058
4059 /* Check if padding is too long, payload and padding
4060 * must not exceed 2^14 - 3 = 16381 bytes in total.
4061 */
4062 OPENSSL_assert(payload + padding <= 16381);
4063
4064 /*-
4065 * Create HeartBeat message, we just use a sequence number
4066 * as payload to distuingish different messages and add
4067 * some random stuff.
4068 * - Message Type, 1 byte
4069 * - Payload Length, 2 bytes (unsigned int)
4070 * - Payload, the sequence number (2 bytes uint)
4071 * - Payload, random bytes (16 bytes uint)
4072 * - Padding
4073 */
4074 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4075 p = buf;
4076 /* Message Type */
4077 *p++ = TLS1_HB_REQUEST;
4078 /* Payload length (18 bytes here) */
4079 s2n(payload, p);
4080 /* Sequence number */
4081 s2n(s->tlsext_hb_seq, p);
4082 /* 16 random bytes */
4083 RAND_pseudo_bytes(p, 16);
4084 p += 16;
4085 /* Random padding */
4086 RAND_pseudo_bytes(p, padding);
4087
4088 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4089 if (ret >= 0)
4090 {
4091 if (s->msg_callback)
4092 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4093 buf, 3 + payload + padding,
4094 s, s->msg_callback_arg);
4095
4096 s->tlsext_hb_pending = 1;
4097 }
4098
4099 OPENSSL_free(buf);
4100
4101 return ret;
4102 }
4103 #endif
4104
4105 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4106
4107 typedef struct
4108 {
4109 size_t sigalgcnt;
4110 int sigalgs[MAX_SIGALGLEN];
4111 } sig_cb_st;
4112
4113 static int sig_cb(const char *elem, int len, void *arg)
4114 {
4115 sig_cb_st *sarg = arg;
4116 size_t i;
4117 char etmp[20], *p;
4118 int sig_alg, hash_alg;
4119 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4120 return 0;
4121 if (len > (int)(sizeof(etmp) - 1))
4122 return 0;
4123 memcpy(etmp, elem, len);
4124 etmp[len] = 0;
4125 p = strchr(etmp, '+');
4126 if (!p)
4127 return 0;
4128 *p = 0;
4129 p++;
4130 if (!*p)
4131 return 0;
4132
4133 if (!strcmp(etmp, "RSA"))
4134 sig_alg = EVP_PKEY_RSA;
4135 else if (!strcmp(etmp, "DSA"))
4136 sig_alg = EVP_PKEY_DSA;
4137 else if (!strcmp(etmp, "ECDSA"))
4138 sig_alg = EVP_PKEY_EC;
4139 else return 0;
4140
4141 hash_alg = OBJ_sn2nid(p);
4142 if (hash_alg == NID_undef)
4143 hash_alg = OBJ_ln2nid(p);
4144 if (hash_alg == NID_undef)
4145 return 0;
4146
4147 for (i = 0; i < sarg->sigalgcnt; i+=2)
4148 {
4149 if (sarg->sigalgs[i] == sig_alg
4150 && sarg->sigalgs[i + 1] == hash_alg)
4151 return 0;
4152 }
4153 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4154 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4155 return 1;
4156 }
4157
4158 /* Set suppored signature algorithms based on a colon separated list
4159 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4160 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4161 {
4162 sig_cb_st sig;
4163 sig.sigalgcnt = 0;
4164 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4165 return 0;
4166 if (c == NULL)
4167 return 1;
4168 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4169 }
4170
4171 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4172 {
4173 unsigned char *sigalgs, *sptr;
4174 int rhash, rsign;
4175 size_t i;
4176 if (salglen & 1)
4177 return 0;
4178 sigalgs = OPENSSL_malloc(salglen);
4179 if (sigalgs == NULL)
4180 return 0;
4181 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4182 {
4183 rhash = tls12_find_id(*psig_nids++, tls12_md,
4184 sizeof(tls12_md)/sizeof(tls12_lookup));
4185 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4186 sizeof(tls12_sig)/sizeof(tls12_lookup));
4187
4188 if (rhash == -1 || rsign == -1)
4189 goto err;
4190 *sptr++ = rhash;
4191 *sptr++ = rsign;
4192 }
4193
4194 if (client)
4195 {
4196 if (c->client_sigalgs)
4197 OPENSSL_free(c->client_sigalgs);
4198 c->client_sigalgs = sigalgs;
4199 c->client_sigalgslen = salglen;
4200 }
4201 else
4202 {
4203 if (c->conf_sigalgs)
4204 OPENSSL_free(c->conf_sigalgs);
4205 c->conf_sigalgs = sigalgs;
4206 c->conf_sigalgslen = salglen;
4207 }
4208
4209 return 1;
4210
4211 err:
4212 OPENSSL_free(sigalgs);
4213 return 0;
4214 }
4215
4216 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4217 {
4218 int sig_nid;
4219 size_t i;
4220 if (default_nid == -1)
4221 return 1;
4222 sig_nid = X509_get_signature_nid(x);
4223 if (default_nid)
4224 return sig_nid == default_nid ? 1 : 0;
4225 for (i = 0; i < c->shared_sigalgslen; i++)
4226 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4227 return 1;
4228 return 0;
4229 }
4230 /* Check to see if a certificate issuer name matches list of CA names */
4231 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4232 {
4233 X509_NAME *nm;
4234 int i;
4235 nm = X509_get_issuer_name(x);
4236 for (i = 0; i < sk_X509_NAME_num(names); i++)
4237 {
4238 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4239 return 1;
4240 }
4241 return 0;
4242 }
4243
4244 /* Check certificate chain is consistent with TLS extensions and is
4245 * usable by server. This servers two purposes: it allows users to
4246 * check chains before passing them to the server and it allows the
4247 * server to check chains before attempting to use them.
4248 */
4249
4250 /* Flags which need to be set for a certificate when stict mode not set */
4251
4252 #define CERT_PKEY_VALID_FLAGS \
4253 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4254 /* Strict mode flags */
4255 #define CERT_PKEY_STRICT_FLAGS \
4256 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4257 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4258
4259 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4260 int idx)
4261 {
4262 int i;
4263 int rv = 0;
4264 int check_flags = 0, strict_mode;
4265 CERT_PKEY *cpk = NULL;
4266 CERT *c = s->cert;
4267 unsigned int suiteb_flags = tls1_suiteb(s);
4268 /* idx == -1 means checking server chains */
4269 if (idx != -1)
4270 {
4271 /* idx == -2 means checking client certificate chains */
4272 if (idx == -2)
4273 {
4274 cpk = c->key;
4275 idx = cpk - c->pkeys;
4276 }
4277 else
4278 cpk = c->pkeys + idx;
4279 x = cpk->x509;
4280 pk = cpk->privatekey;
4281 chain = cpk->chain;
4282 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4283 /* If no cert or key, forget it */
4284 if (!x || !pk)
4285 goto end;
4286 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4287 /* Allow any certificate to pass test */
4288 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4289 {
4290 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4291 cpk->valid_flags = rv;
4292 return rv;
4293 }
4294 #endif
4295 }
4296 else
4297 {
4298 if (!x || !pk)
4299 goto end;
4300 idx = ssl_cert_type(x, pk);
4301 if (idx == -1)
4302 goto end;
4303 cpk = c->pkeys + idx;
4304 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4305 check_flags = CERT_PKEY_STRICT_FLAGS;
4306 else
4307 check_flags = CERT_PKEY_VALID_FLAGS;
4308 strict_mode = 1;
4309 }
4310
4311 if (suiteb_flags)
4312 {
4313 int ok;
4314 if (check_flags)
4315 check_flags |= CERT_PKEY_SUITEB;
4316 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4317 if (ok == X509_V_OK)
4318 rv |= CERT_PKEY_SUITEB;
4319 else if (!check_flags)
4320 goto end;
4321 }
4322
4323 /* Check all signature algorithms are consistent with
4324 * signature algorithms extension if TLS 1.2 or later
4325 * and strict mode.
4326 */
4327 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4328 {
4329 int default_nid;
4330 unsigned char rsign = 0;
4331 if (c->peer_sigalgs)
4332 default_nid = 0;
4333 /* If no sigalgs extension use defaults from RFC5246 */
4334 else
4335 {
4336 switch(idx)
4337 {
4338 case SSL_PKEY_RSA_ENC:
4339 case SSL_PKEY_RSA_SIGN:
4340 case SSL_PKEY_DH_RSA:
4341 rsign = TLSEXT_signature_rsa;
4342 default_nid = NID_sha1WithRSAEncryption;
4343 break;
4344
4345 case SSL_PKEY_DSA_SIGN:
4346 case SSL_PKEY_DH_DSA:
4347 rsign = TLSEXT_signature_dsa;
4348 default_nid = NID_dsaWithSHA1;
4349 break;
4350
4351 case SSL_PKEY_ECC:
4352 rsign = TLSEXT_signature_ecdsa;
4353 default_nid = NID_ecdsa_with_SHA1;
4354 break;
4355
4356 default:
4357 default_nid = -1;
4358 break;
4359 }
4360 }
4361 /* If peer sent no signature algorithms extension and we
4362 * have set preferred signature algorithms check we support
4363 * sha1.
4364 */
4365 if (default_nid > 0 && c->conf_sigalgs)
4366 {
4367 size_t j;
4368 const unsigned char *p = c->conf_sigalgs;
4369 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4370 {
4371 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4372 break;
4373 }
4374 if (j == c->conf_sigalgslen)
4375 {
4376 if (check_flags)
4377 goto skip_sigs;
4378 else
4379 goto end;
4380 }
4381 }
4382 /* Check signature algorithm of each cert in chain */
4383 if (!tls1_check_sig_alg(c, x, default_nid))
4384 {
4385 if (!check_flags) goto end;
4386 }
4387 else
4388 rv |= CERT_PKEY_EE_SIGNATURE;
4389 rv |= CERT_PKEY_CA_SIGNATURE;
4390 for (i = 0; i < sk_X509_num(chain); i++)
4391 {
4392 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4393 default_nid))
4394 {
4395 if (check_flags)
4396 {
4397 rv &= ~CERT_PKEY_CA_SIGNATURE;
4398 break;
4399 }
4400 else
4401 goto end;
4402 }
4403 }
4404 }
4405 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4406 else if(check_flags)
4407 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4408 skip_sigs:
4409 /* Check cert parameters are consistent */
4410 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4411 rv |= CERT_PKEY_EE_PARAM;
4412 else if (!check_flags)
4413 goto end;
4414 if (!s->server)
4415 rv |= CERT_PKEY_CA_PARAM;
4416 /* In strict mode check rest of chain too */
4417 else if (strict_mode)
4418 {
4419 rv |= CERT_PKEY_CA_PARAM;
4420 for (i = 0; i < sk_X509_num(chain); i++)
4421 {
4422 X509 *ca = sk_X509_value(chain, i);
4423 if (!tls1_check_cert_param(s, ca, 0))
4424 {
4425 if (check_flags)
4426 {
4427 rv &= ~CERT_PKEY_CA_PARAM;
4428 break;
4429 }
4430 else
4431 goto end;
4432 }
4433 }
4434 }
4435 if (!s->server && strict_mode)
4436 {
4437 STACK_OF(X509_NAME) *ca_dn;
4438 int check_type = 0;
4439 switch (pk->type)
4440 {
4441 case EVP_PKEY_RSA:
4442 check_type = TLS_CT_RSA_SIGN;
4443 break;
4444 case EVP_PKEY_DSA:
4445 check_type = TLS_CT_DSS_SIGN;
4446 break;
4447 case EVP_PKEY_EC:
4448 check_type = TLS_CT_ECDSA_SIGN;
4449 break;
4450 case EVP_PKEY_DH:
4451 case EVP_PKEY_DHX:
4452 {
4453 int cert_type = X509_certificate_type(x, pk);
4454 if (cert_type & EVP_PKS_RSA)
4455 check_type = TLS_CT_RSA_FIXED_DH;
4456 if (cert_type & EVP_PKS_DSA)
4457 check_type = TLS_CT_DSS_FIXED_DH;
4458 }
4459 }
4460 if (check_type)
4461 {
4462 const unsigned char *ctypes;
4463 int ctypelen;
4464 if (c->ctypes)
4465 {
4466 ctypes = c->ctypes;
4467 ctypelen = (int)c->ctype_num;
4468 }
4469 else
4470 {
4471 ctypes = (unsigned char *)s->s3->tmp.ctype;
4472 ctypelen = s->s3->tmp.ctype_num;
4473 }
4474 for (i = 0; i < ctypelen; i++)
4475 {
4476 if (ctypes[i] == check_type)
4477 {
4478 rv |= CERT_PKEY_CERT_TYPE;
4479 break;
4480 }
4481 }
4482 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4483 goto end;
4484 }
4485 else
4486 rv |= CERT_PKEY_CERT_TYPE;
4487
4488
4489 ca_dn = s->s3->tmp.ca_names;
4490
4491 if (!sk_X509_NAME_num(ca_dn))
4492 rv |= CERT_PKEY_ISSUER_NAME;
4493
4494 if (!(rv & CERT_PKEY_ISSUER_NAME))
4495 {
4496 if (ssl_check_ca_name(ca_dn, x))
4497 rv |= CERT_PKEY_ISSUER_NAME;
4498 }
4499 if (!(rv & CERT_PKEY_ISSUER_NAME))
4500 {
4501 for (i = 0; i < sk_X509_num(chain); i++)
4502 {
4503 X509 *xtmp = sk_X509_value(chain, i);
4504 if (ssl_check_ca_name(ca_dn, xtmp))
4505 {
4506 rv |= CERT_PKEY_ISSUER_NAME;
4507 break;
4508 }
4509 }
4510 }
4511 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4512 goto end;
4513 }
4514 else
4515 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4516
4517 if (!check_flags || (rv & check_flags) == check_flags)
4518 rv |= CERT_PKEY_VALID;
4519
4520 end:
4521
4522 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4523 {
4524 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4525 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4526 else if (cpk->digest)
4527 rv |= CERT_PKEY_SIGN;
4528 }
4529 else
4530 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4531
4532 /* When checking a CERT_PKEY structure all flags are irrelevant
4533 * if the chain is invalid.
4534 */
4535 if (!check_flags)
4536 {
4537 if (rv & CERT_PKEY_VALID)
4538 cpk->valid_flags = rv;
4539 else
4540 {
4541 /* Preserve explicit sign flag, clear rest */
4542 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4543 return 0;
4544 }
4545 }
4546 return rv;
4547 }
4548
4549 /* Set validity of certificates in an SSL structure */
4550 void tls1_set_cert_validity(SSL *s)
4551 {
4552 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4553 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4554 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4555 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4556 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4557 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4558 }
4559 /* User level utiity function to check a chain is suitable */
4560 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4561 {
4562 return tls1_check_chain(s, x, pk, chain, -1);
4563 }
4564
4565 #endif
A mirror of the official openssl repository