Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 95c29f3cd1f6c08c6c0927868683392eea727ccb / . / ssl / t1_lib.c
blob: 644d70b663571dd4f6405973e04ce56b54e0c6c3 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame^]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
110#include <assert.h>
111
112#include <openssl/evp.h>
113#include <openssl/hmac.h>
114#include <openssl/mem.h>
115#include <openssl/obj.h>
116#include <openssl/rand.h>
117
118#include "ssl_locl.h"
119#ifndef OPENSSL_NO_TLSEXT
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
121 const unsigned char *sess_id, int sesslen,
122 SSL_SESSION **psess);
123static int ssl_check_clienthello_tlsext_early(SSL *s);
124int ssl_check_serverhello_tlsext(SSL *s);
125#endif
126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
201#ifndef OPENSSL_NO_TLSEXT
202 if (s->tlsext_session_ticket)
203 {
204 OPENSSL_free(s->tlsext_session_ticket);
205 }
206#endif /* OPENSSL_NO_TLSEXT */
207 ssl3_free(s);
208 }
209
210void tls1_clear(SSL *s)
211 {
212 ssl3_clear(s);
213 s->version = s->method->version;
214 }
215
216#ifndef OPENSSL_NO_EC
217
218static int nid_list[] =
219 {
220 NID_sect163k1, /* sect163k1 (1) */
221 NID_sect163r1, /* sect163r1 (2) */
222 NID_sect163r2, /* sect163r2 (3) */
223 NID_sect193r1, /* sect193r1 (4) */
224 NID_sect193r2, /* sect193r2 (5) */
225 NID_sect233k1, /* sect233k1 (6) */
226 NID_sect233r1, /* sect233r1 (7) */
227 NID_sect239k1, /* sect239k1 (8) */
228 NID_sect283k1, /* sect283k1 (9) */
229 NID_sect283r1, /* sect283r1 (10) */
230 NID_sect409k1, /* sect409k1 (11) */
231 NID_sect409r1, /* sect409r1 (12) */
232 NID_sect571k1, /* sect571k1 (13) */
233 NID_sect571r1, /* sect571r1 (14) */
234 NID_secp160k1, /* secp160k1 (15) */
235 NID_secp160r1, /* secp160r1 (16) */
236 NID_secp160r2, /* secp160r2 (17) */
237 NID_secp192k1, /* secp192k1 (18) */
238 NID_X9_62_prime192v1, /* secp192r1 (19) */
239 NID_secp224k1, /* secp224k1 (20) */
240 NID_secp224r1, /* secp224r1 (21) */
241 NID_secp256k1, /* secp256k1 (22) */
242 NID_X9_62_prime256v1, /* secp256r1 (23) */
243 NID_secp384r1, /* secp384r1 (24) */
244 NID_secp521r1, /* secp521r1 (25) */
245 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
246 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
247 NID_brainpoolP512r1 /* brainpool512r1 (28) */
248 };
249
250
251static const unsigned char ecformats_default[] =
252 {
253 TLSEXT_ECPOINTFORMAT_uncompressed,
254 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
255 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
256 };
257
258static const unsigned char eccurves_default[] =
259 {
260 0,14, /* sect571r1 (14) */
261 0,13, /* sect571k1 (13) */
262 0,25, /* secp521r1 (25) */
263 0,28, /* brainpool512r1 (28) */
264 0,11, /* sect409k1 (11) */
265 0,12, /* sect409r1 (12) */
266 0,27, /* brainpoolP384r1 (27) */
267 0,24, /* secp384r1 (24) */
268 0,9, /* sect283k1 (9) */
269 0,10, /* sect283r1 (10) */
270 0,26, /* brainpoolP256r1 (26) */
271 0,22, /* secp256k1 (22) */
272 0,23, /* secp256r1 (23) */
273 0,8, /* sect239k1 (8) */
274 0,6, /* sect233k1 (6) */
275 0,7, /* sect233r1 (7) */
276 0,20, /* secp224k1 (20) */
277 0,21, /* secp224r1 (21) */
278 0,4, /* sect193r1 (4) */
279 0,5, /* sect193r2 (5) */
280 0,18, /* secp192k1 (18) */
281 0,19, /* secp192r1 (19) */
282 0,1, /* sect163k1 (1) */
283 0,2, /* sect163r1 (2) */
284 0,3, /* sect163r2 (3) */
285 0,15, /* secp160k1 (15) */
286 0,16, /* secp160r1 (16) */
287 0,17, /* secp160r2 (17) */
288 };
289
290static const unsigned char suiteb_curves[] =
291 {
292 0, TLSEXT_curve_P_256,
293 0, TLSEXT_curve_P_384
294 };
295
296int tls1_ec_curve_id2nid(int curve_id)
297 {
298 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
299 if ((curve_id < 1) || ((unsigned int)curve_id >
300 sizeof(nid_list)/sizeof(nid_list[0])))
301 return 0;
302 return nid_list[curve_id-1];
303 }
304
305int tls1_ec_nid2curve_id(int nid)
306 {
307 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
308 switch (nid)
309 {
310 case NID_sect163k1: /* sect163k1 (1) */
311 return 1;
312 case NID_sect163r1: /* sect163r1 (2) */
313 return 2;
314 case NID_sect163r2: /* sect163r2 (3) */
315 return 3;
316 case NID_sect193r1: /* sect193r1 (4) */
317 return 4;
318 case NID_sect193r2: /* sect193r2 (5) */
319 return 5;
320 case NID_sect233k1: /* sect233k1 (6) */
321 return 6;
322 case NID_sect233r1: /* sect233r1 (7) */
323 return 7;
324 case NID_sect239k1: /* sect239k1 (8) */
325 return 8;
326 case NID_sect283k1: /* sect283k1 (9) */
327 return 9;
328 case NID_sect283r1: /* sect283r1 (10) */
329 return 10;
330 case NID_sect409k1: /* sect409k1 (11) */
331 return 11;
332 case NID_sect409r1: /* sect409r1 (12) */
333 return 12;
334 case NID_sect571k1: /* sect571k1 (13) */
335 return 13;
336 case NID_sect571r1: /* sect571r1 (14) */
337 return 14;
338 case NID_secp160k1: /* secp160k1 (15) */
339 return 15;
340 case NID_secp160r1: /* secp160r1 (16) */
341 return 16;
342 case NID_secp160r2: /* secp160r2 (17) */
343 return 17;
344 case NID_secp192k1: /* secp192k1 (18) */
345 return 18;
346 case NID_X9_62_prime192v1: /* secp192r1 (19) */
347 return 19;
348 case NID_secp224k1: /* secp224k1 (20) */
349 return 20;
350 case NID_secp224r1: /* secp224r1 (21) */
351 return 21;
352 case NID_secp256k1: /* secp256k1 (22) */
353 return 22;
354 case NID_X9_62_prime256v1: /* secp256r1 (23) */
355 return 23;
356 case NID_secp384r1: /* secp384r1 (24) */
357 return 24;
358 case NID_secp521r1: /* secp521r1 (25) */
359 return 25;
360 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
361 return 26;
362 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
363 return 27;
364 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
365 return 28;
366 default:
367 return 0;
368 }
369 }
370/* Get curves list, if "sess" is set return client curves otherwise
371 * preferred list
372 */
373static void tls1_get_curvelist(SSL *s, int sess,
374 const unsigned char **pcurves,
375 size_t *pcurveslen)
376 {
377 if (sess)
378 {
379 *pcurves = s->session->tlsext_ellipticcurvelist;
380 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
381 return;
382 }
383 /* For Suite B mode only include P-256, P-384 */
384 switch (tls1_suiteb(s))
385 {
386 case SSL_CERT_FLAG_SUITEB_128_LOS:
387 *pcurves = suiteb_curves;
388 *pcurveslen = sizeof(suiteb_curves);
389 break;
390
391 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
392 *pcurves = suiteb_curves;
393 *pcurveslen = 2;
394 break;
395
396 case SSL_CERT_FLAG_SUITEB_192_LOS:
397 *pcurves = suiteb_curves + 2;
398 *pcurveslen = 2;
399 break;
400 default:
401 *pcurves = s->tlsext_ellipticcurvelist;
402 *pcurveslen = s->tlsext_ellipticcurvelist_length;
403 }
404 if (!*pcurves)
405 {
406 *pcurves = eccurves_default;
407 *pcurveslen = sizeof(eccurves_default);
408 }
409 }
410/* Check a curve is one of our preferences */
411int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
412 {
413 const unsigned char *curves;
414 size_t curveslen, i;
415 unsigned int suiteb_flags = tls1_suiteb(s);
416 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
417 return 0;
418 /* Check curve matches Suite B preferences */
419 if (suiteb_flags)
420 {
421 unsigned long cid = s->s3->tmp.new_cipher->id;
422 if (p[1])
423 return 0;
424 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
425 {
426 if (p[2] != TLSEXT_curve_P_256)
427 return 0;
428 }
429 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
430 {
431 if (p[2] != TLSEXT_curve_P_384)
432 return 0;
433 }
434 else /* Should never happen */
435 return 0;
436 }
437 tls1_get_curvelist(s, 0, &curves, &curveslen);
438 for (i = 0; i < curveslen; i += 2, curves += 2)
439 {
440 if (p[1] == curves[0] && p[2] == curves[1])
441 return 1;
442 }
443 return 0;
444 }
445
446/* Return nth shared curve. If nmatch == -1 return number of
447 * matches. For nmatch == -2 return the NID of the curve to use for
448 * an EC tmp key.
449 */
450
451int tls1_shared_curve(SSL *s, int nmatch)
452 {
453 const unsigned char *pref, *supp;
454 size_t preflen, supplen, i, j;
455 int k;
456 /* Can't do anything on client side */
457 if (s->server == 0)
458 return -1;
459 if (nmatch == -2)
460 {
461 if (tls1_suiteb(s))
462 {
463 /* For Suite B ciphersuite determines curve: we
464 * already know these are acceptable due to previous
465 * checks.
466 */
467 unsigned long cid = s->s3->tmp.new_cipher->id;
468 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
469 return NID_X9_62_prime256v1; /* P-256 */
470 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
471 return NID_secp384r1; /* P-384 */
472 /* Should never happen */
473 return NID_undef;
474 }
475 /* If not Suite B just return first preference shared curve */
476 nmatch = 0;
477 }
478 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
479 &supp, &supplen);
480 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
481 &pref, &preflen);
482 preflen /= 2;
483 supplen /= 2;
484 k = 0;
485 for (i = 0; i < preflen; i++, pref+=2)
486 {
487 const unsigned char *tsupp = supp;
488 for (j = 0; j < supplen; j++, tsupp+=2)
489 {
490 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
491 {
492 if (nmatch == k)
493 {
494 int id = (pref[0] << 8) | pref[1];
495 return tls1_ec_curve_id2nid(id);
496 }
497 k++;
498 }
499 }
500 }
501 if (nmatch == -1)
502 return k;
503 return 0;
504 }
505
506int tls1_set_curves(unsigned char **pext, size_t *pextlen,
507 int *curves, size_t ncurves)
508 {
509 unsigned char *clist, *p;
510 size_t i;
511 /* Bitmap of curves included to detect duplicates: only works
512 * while curve ids < 32
513 */
514 unsigned long dup_list = 0;
515 clist = OPENSSL_malloc(ncurves * 2);
516 if (!clist)
517 return 0;
518 for (i = 0, p = clist; i < ncurves; i++)
519 {
520 unsigned long idmask;
521 int id;
522 id = tls1_ec_nid2curve_id(curves[i]);
523 idmask = 1L << id;
524 if (!id || (dup_list & idmask))
525 {
526 OPENSSL_free(clist);
527 return 0;
528 }
529 dup_list |= idmask;
530 s2n(id, p);
531 }
532 if (*pext)
533 OPENSSL_free(*pext);
534 *pext = clist;
535 *pextlen = ncurves * 2;
536 return 1;
537 }
538
539/* TODO(fork): remove */
540#if 0
541#define MAX_CURVELIST 28
542
543typedef struct
544 {
545 size_t nidcnt;
546 int nid_arr[MAX_CURVELIST];
547 } nid_cb_st;
548
549static int nid_cb(const char *elem, int len, void *arg)
550 {
551 nid_cb_st *narg = arg;
552 size_t i;
553 int nid;
554 char etmp[20];
555 if (narg->nidcnt == MAX_CURVELIST)
556 return 0;
557 if (len > (int)(sizeof(etmp) - 1))
558 return 0;
559 memcpy(etmp, elem, len);
560 etmp[len] = 0;
561 nid = EC_curve_nist2nid(etmp);
562 if (nid == NID_undef)
563 nid = OBJ_sn2nid(etmp);
564 if (nid == NID_undef)
565 nid = OBJ_ln2nid(etmp);
566 if (nid == NID_undef)
567 return 0;
568 for (i = 0; i < narg->nidcnt; i++)
569 if (narg->nid_arr[i] == nid)
570 return 0;
571 narg->nid_arr[narg->nidcnt++] = nid;
572 return 1;
573 }
574/* Set curves based on a colon separate list */
575int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
576 const char *str)
577 {
578 nid_cb_st ncb;
579 ncb.nidcnt = 0;
580 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
581 return 0;
582 if (pext == NULL)
583 return 1;
584 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
585 }
586#endif
587
588/* For an EC key set TLS id and required compression based on parameters */
589static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
590 EC_KEY *ec)
591 {
592 int is_prime = 1, id;
593 const EC_GROUP *grp;
594 if (!ec)
595 return 0;
596
597 /* TODO(fork): remove. All curves are prime now. */
598 grp = EC_KEY_get0_group(ec);
599 if (!grp)
600 return 0;
601#if 0
602 /* Determine if it is a prime field */
603 meth = EC_GROUP_method_of(grp);
604 if (!meth)
605 return 0;
606 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
607 is_prime = 1;
608 else
609 is_prime = 0;
610#endif
611
612 /* Determine curve ID */
613 id = EC_GROUP_get_curve_name(grp);
614 id = tls1_ec_nid2curve_id(id);
615 /* If we have an ID set it, otherwise set arbitrary explicit curve */
616 if (id)
617 {
618 curve_id[0] = 0;
619 curve_id[1] = (unsigned char)id;
620 }
621 else
622 {
623 curve_id[0] = 0xff;
624 if (is_prime)
625 curve_id[1] = 0x01;
626 else
627 curve_id[1] = 0x02;
628 }
629 if (comp_id)
630 {
631 if (EC_KEY_get0_public_key(ec) == NULL)
632 return 0;
633 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
634 {
635 if (is_prime)
636 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
637 else
638 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
639 }
640 else
641 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
642 }
643 return 1;
644 }
645/* Check an EC key is compatible with extensions */
646static int tls1_check_ec_key(SSL *s,
647 unsigned char *curve_id, unsigned char *comp_id)
648 {
649 const unsigned char *p;
650 size_t plen, i;
651 int j;
652 /* If point formats extension present check it, otherwise everything
653 * is supported (see RFC4492).
654 */
655 if (comp_id && s->session->tlsext_ecpointformatlist)
656 {
657 p = s->session->tlsext_ecpointformatlist;
658 plen = s->session->tlsext_ecpointformatlist_length;
659 for (i = 0; i < plen; i++, p++)
660 {
661 if (*comp_id == *p)
662 break;
663 }
664 if (i == plen)
665 return 0;
666 }
667 if (!curve_id)
668 return 1;
669 /* Check curve is consistent with client and server preferences */
670 for (j = 0; j <= 1; j++)
671 {
672 tls1_get_curvelist(s, j, &p, &plen);
673 for (i = 0; i < plen; i+=2, p+=2)
674 {
675 if (p[0] == curve_id[0] && p[1] == curve_id[1])
676 break;
677 }
678 if (i == plen)
679 return 0;
680 /* For clients can only check sent curve list */
681 if (!s->server)
682 return 1;
683 }
684 return 1;
685 }
686
687static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
688 size_t *pformatslen)
689 {
690 /* If we have a custom point format list use it otherwise
691 * use default */
692 if (s->tlsext_ecpointformatlist)
693 {
694 *pformats = s->tlsext_ecpointformatlist;
695 *pformatslen = s->tlsext_ecpointformatlist_length;
696 }
697 else
698 {
699 *pformats = ecformats_default;
700 /* For Suite B we don't support char2 fields */
701 if (tls1_suiteb(s))
702 *pformatslen = sizeof(ecformats_default) - 1;
703 else
704 *pformatslen = sizeof(ecformats_default);
705 }
706 }
707
708/* Check cert parameters compatible with extensions: currently just checks
709 * EC certificates have compatible curves and compression.
710 */
711static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
712 {
713 unsigned char comp_id, curve_id[2];
714 EVP_PKEY *pkey;
715 int rv;
716 pkey = X509_get_pubkey(x);
717 if (!pkey)
718 return 0;
719 /* If not EC nothing to do */
720 if (pkey->type != EVP_PKEY_EC)
721 {
722 EVP_PKEY_free(pkey);
723 return 1;
724 }
725 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
726 EVP_PKEY_free(pkey);
727 if (!rv)
728 return 0;
729 /* Can't check curve_id for client certs as we don't have a
730 * supported curves extension.
731 */
732 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
733 if (!rv)
734 return 0;
735 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
736 * SHA384+P-384, adjust digest if necessary.
737 */
738 if (set_ee_md && tls1_suiteb(s))
739 {
740 int check_md;
741 size_t i;
742 CERT *c = s->cert;
743 if (curve_id[0])
744 return 0;
745 /* Check to see we have necessary signing algorithm */
746 if (curve_id[1] == TLSEXT_curve_P_256)
747 check_md = NID_ecdsa_with_SHA256;
748 else if (curve_id[1] == TLSEXT_curve_P_384)
749 check_md = NID_ecdsa_with_SHA384;
750 else
751 return 0; /* Should never happen */
752 for (i = 0; i < c->shared_sigalgslen; i++)
753 if (check_md == c->shared_sigalgs[i].signandhash_nid)
754 break;
755 if (i == c->shared_sigalgslen)
756 return 0;
757 if (set_ee_md == 2)
758 {
759 if (check_md == NID_ecdsa_with_SHA256)
760 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
761 else
762 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
763 }
764 }
765 return rv;
766 }
767/* Check EC temporary key is compatible with client extensions */
768int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
769 {
770 unsigned char curve_id[2];
771 EC_KEY *ec = s->cert->ecdh_tmp;
772#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
773 /* Allow any curve: not just those peer supports */
774 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
775 return 1;
776#endif
777 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
778 * no other curves permitted.
779 */
780 if (tls1_suiteb(s))
781 {
782 /* Curve to check determined by ciphersuite */
783 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
784 curve_id[1] = TLSEXT_curve_P_256;
785 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
786 curve_id[1] = TLSEXT_curve_P_384;
787 else
788 return 0;
789 curve_id[0] = 0;
790 /* Check this curve is acceptable */
791 if (!tls1_check_ec_key(s, curve_id, NULL))
792 return 0;
793 /* If auto or setting curve from callback assume OK */
794 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
795 return 1;
796 /* Otherwise check curve is acceptable */
797 else
798 {
799 unsigned char curve_tmp[2];
800 if (!ec)
801 return 0;
802 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
803 return 0;
804 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
805 return 1;
806 return 0;
807 }
808
809 }
810 if (s->cert->ecdh_tmp_auto)
811 {
812 /* Need a shared curve */
813 if (tls1_shared_curve(s, 0))
814 return 1;
815 else return 0;
816 }
817 if (!ec)
818 {
819 if (s->cert->ecdh_tmp_cb)
820 return 1;
821 else
822 return 0;
823 }
824 if (!tls1_set_ec_id(curve_id, NULL, ec))
825 return 0;
826/* Set this to allow use of invalid curves for testing */
827#if 0
828 return 1;
829#else
830 return tls1_check_ec_key(s, curve_id, NULL);
831#endif
832 }
833
834#else
835
836static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
837 {
838 return 1;
839 }
840
841#endif /* OPENSSL_NO_EC */
842
843#ifndef OPENSSL_NO_TLSEXT
844
845/* List of supported signature algorithms and hashes. Should make this
846 * customisable at some point, for now include everything we support.
847 */
848
849#ifdef OPENSSL_NO_RSA
850#define tlsext_sigalg_rsa(md) /* */
851#else
852#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
853#endif
854
855#ifdef OPENSSL_NO_DSA
856#define tlsext_sigalg_dsa(md) /* */
857#else
858#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
859#endif
860
861#ifdef OPENSSL_NO_ECDSA
862#define tlsext_sigalg_ecdsa(md) /* */
863#else
864#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
865#endif
866
867#define tlsext_sigalg(md) \
868 tlsext_sigalg_rsa(md) \
869 tlsext_sigalg_dsa(md) \
870 tlsext_sigalg_ecdsa(md)
871
872static unsigned char tls12_sigalgs[] = {
873#ifndef OPENSSL_NO_SHA512
874 tlsext_sigalg(TLSEXT_hash_sha512)
875 tlsext_sigalg(TLSEXT_hash_sha384)
876#endif
877#ifndef OPENSSL_NO_SHA256
878 tlsext_sigalg(TLSEXT_hash_sha256)
879 tlsext_sigalg(TLSEXT_hash_sha224)
880#endif
881#ifndef OPENSSL_NO_SHA
882 tlsext_sigalg(TLSEXT_hash_sha1)
883#endif
884};
885#ifndef OPENSSL_NO_ECDSA
886static unsigned char suiteb_sigalgs[] = {
887 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
888 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
889};
890#endif
891size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
892 {
893 /* If Suite B mode use Suite B sigalgs only, ignore any other
894 * preferences.
895 */
896#ifndef OPENSSL_NO_EC
897 switch (tls1_suiteb(s))
898 {
899 case SSL_CERT_FLAG_SUITEB_128_LOS:
900 *psigs = suiteb_sigalgs;
901 return sizeof(suiteb_sigalgs);
902
903 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
904 *psigs = suiteb_sigalgs;
905 return 2;
906
907 case SSL_CERT_FLAG_SUITEB_192_LOS:
908 *psigs = suiteb_sigalgs + 2;
909 return 2;
910 }
911#endif
912 /* If server use client authentication sigalgs if not NULL */
913 if (s->server && s->cert->client_sigalgs)
914 {
915 *psigs = s->cert->client_sigalgs;
916 return s->cert->client_sigalgslen;
917 }
918 else if (s->cert->conf_sigalgs)
919 {
920 *psigs = s->cert->conf_sigalgs;
921 return s->cert->conf_sigalgslen;
922 }
923 else
924 {
925 *psigs = tls12_sigalgs;
926 return sizeof(tls12_sigalgs);
927 }
928 }
929/* Check signature algorithm is consistent with sent supported signature
930 * algorithms and if so return relevant digest.
931 */
932int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
933 const unsigned char *sig, EVP_PKEY *pkey)
934 {
935 const unsigned char *sent_sigs;
936 size_t sent_sigslen, i;
937 int sigalg = tls12_get_sigid(pkey);
938 /* Should never happen */
939 if (sigalg == -1)
940 return -1;
941 /* Check key type is consistent with signature */
942 if (sigalg != (int)sig[1])
943 {
944 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
945 return 0;
946 }
947#ifndef OPENSSL_NO_EC
948 if (pkey->type == EVP_PKEY_EC)
949 {
950 unsigned char curve_id[2], comp_id;
951 /* Check compression and curve matches extensions */
952 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
953 return 0;
954 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
955 {
956 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
957 return 0;
958 }
959 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
960 if (tls1_suiteb(s))
961 {
962 if (curve_id[0])
963 return 0;
964 if (curve_id[1] == TLSEXT_curve_P_256)
965 {
966 if (sig[0] != TLSEXT_hash_sha256)
967 {
968 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
969 return 0;
970 }
971 }
972 else if (curve_id[1] == TLSEXT_curve_P_384)
973 {
974 if (sig[0] != TLSEXT_hash_sha384)
975 {
976 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
977 return 0;
978 }
979 }
980 else
981 return 0;
982 }
983 }
984 else if (tls1_suiteb(s))
985 return 0;
986#endif
987
988 /* Check signature matches a type we sent */
989 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
990 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
991 {
992 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
993 break;
994 }
995 /* Allow fallback to SHA1 if not strict mode */
996 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
997 {
998 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
999 return 0;
1000 }
1001 *pmd = tls12_get_hash(sig[0]);
1002 if (*pmd == NULL)
1003 {
1004 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1005 return 0;
1006 }
1007 /* Store the digest used so applications can retrieve it if they
1008 * wish.
1009 */
1010 if (s->session && s->session->sess_cert)
1011 s->session->sess_cert->peer_key->digest = *pmd;
1012 return 1;
1013 }
1014/* Get a mask of disabled algorithms: an algorithm is disabled
1015 * if it isn't supported or doesn't appear in supported signature
1016 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1017 * session and not global settings.
1018 *
1019 */
1020void ssl_set_client_disabled(SSL *s)
1021 {
1022 CERT *c = s->cert;
1023 const unsigned char *sigalgs;
1024 size_t i, sigalgslen;
1025 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1026 c->mask_a = 0;
1027 c->mask_k = 0;
1028 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1029 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1030 c->mask_ssl = SSL_TLSV1_2;
1031 else
1032 c->mask_ssl = 0;
1033 /* Now go through all signature algorithms seeing if we support
1034 * any for RSA, DSA, ECDSA. Do this for all versions not just
1035 * TLS 1.2.
1036 */
1037 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1038 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1039 {
1040 switch(sigalgs[1])
1041 {
1042#ifndef OPENSSL_NO_RSA
1043 case TLSEXT_signature_rsa:
1044 have_rsa = 1;
1045 break;
1046#endif
1047#ifndef OPENSSL_NO_DSA
1048 case TLSEXT_signature_dsa:
1049 have_dsa = 1;
1050 break;
1051#endif
1052#ifndef OPENSSL_NO_ECDSA
1053 case TLSEXT_signature_ecdsa:
1054 have_ecdsa = 1;
1055 break;
1056#endif
1057 }
1058 }
1059 /* Disable auth and static DH if we don't include any appropriate
1060 * signature algorithms.
1061 */
1062 if (!have_rsa)
1063 {
1064 c->mask_a |= SSL_aRSA;
1065 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1066 }
1067 if (!have_dsa)
1068 {
1069 c->mask_a |= SSL_aDSS;
1070 c->mask_k |= SSL_kDHd;
1071 }
1072 if (!have_ecdsa)
1073 {
1074 c->mask_a |= SSL_aECDSA;
1075 c->mask_k |= SSL_kECDHe;
1076 }
1077#ifndef OPENSSL_NO_PSK
1078 /* with PSK there must be client callback set */
1079 if (!s->psk_client_callback)
1080 {
1081 c->mask_a |= SSL_aPSK;
1082 c->mask_k |= SSL_kPSK;
1083 }
1084#endif /* OPENSSL_NO_PSK */
1085 c->valid = 1;
1086 }
1087
1088/* byte_compare is a compare function for qsort(3) that compares bytes. */
1089static int byte_compare(const void *in_a, const void *in_b)
1090 {
1091 unsigned char a = *((const unsigned char*) in_a);
1092 unsigned char b = *((const unsigned char*) in_b);
1093
1094 if (a > b)
1095 return 1;
1096 else if (a < b)
1097 return -1;
1098 return 0;
1099}
1100
1101unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1102 {
1103 int extdatalen=0;
1104 unsigned char *ret = p;
1105#ifndef OPENSSL_NO_EC
1106 /* See if we support any ECC ciphersuites */
1107 int using_ecc = 0;
1108 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1109 {
1110 int i;
1111 unsigned long alg_k, alg_a;
1112 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1113
1114 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1115 {
1116 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1117
1118 alg_k = c->algorithm_mkey;
1119 alg_a = c->algorithm_auth;
1120 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1121 || (alg_a & SSL_aECDSA)))
1122 {
1123 using_ecc = 1;
1124 break;
1125 }
1126 }
1127 }
1128#endif
1129
1130 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1131 if (s->client_version == SSL3_VERSION
1132 && !s->s3->send_connection_binding)
1133 return p;
1134
1135 ret+=2;
1136
1137 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1138
1139 if (s->tlsext_hostname != NULL)
1140 {
1141 /* Add TLS extension servername to the Client Hello message */
1142 unsigned long size_str;
1143 long lenmax;
1144
1145 /* check for enough space.
1146 4 for the servername type and entension length
1147 2 for servernamelist length
1148 1 for the hostname type
1149 2 for hostname length
1150 + hostname length
1151 */
1152
1153 if ((lenmax = limit - ret - 9) < 0
1154 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1155 return NULL;
1156
1157 /* extension type and length */
1158 s2n(TLSEXT_TYPE_server_name,ret);
1159 s2n(size_str+5,ret);
1160
1161 /* length of servername list */
1162 s2n(size_str+3,ret);
1163
1164 /* hostname type, length and hostname */
1165 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1166 s2n(size_str,ret);
1167 memcpy(ret, s->tlsext_hostname, size_str);
1168 ret+=size_str;
1169 }
1170
1171 /* Add RI if renegotiating */
1172 if (s->renegotiate)
1173 {
1174 int el;
1175
1176 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1177 {
1178 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1179 return NULL;
1180 }
1181
1182 if((limit - p - 4 - el) < 0) return NULL;
1183
1184 s2n(TLSEXT_TYPE_renegotiate,ret);
1185 s2n(el,ret);
1186
1187 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1188 {
1189 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1190 return NULL;
1191 }
1192
1193 ret += el;
1194 }
1195
1196
1197#ifndef OPENSSL_NO_EC
1198 if (using_ecc)
1199 {
1200 /* Add TLS extension ECPointFormats to the ClientHello message */
1201 long lenmax;
1202 const unsigned char *plist;
1203 size_t plistlen;
1204
1205 tls1_get_formatlist(s, &plist, &plistlen);
1206
1207 if ((lenmax = limit - ret - 5) < 0) return NULL;
1208 if (plistlen > (size_t)lenmax) return NULL;
1209 if (plistlen > 255)
1210 {
1211 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1212 return NULL;
1213 }
1214
1215 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1216 s2n(plistlen + 1,ret);
1217 *(ret++) = (unsigned char)plistlen ;
1218 memcpy(ret, plist, plistlen);
1219 ret+=plistlen;
1220
1221 /* Add TLS extension EllipticCurves to the ClientHello message */
1222 plist = s->tlsext_ellipticcurvelist;
1223 tls1_get_curvelist(s, 0, &plist, &plistlen);
1224
1225 if ((lenmax = limit - ret - 6) < 0) return NULL;
1226 if (plistlen > (size_t)lenmax) return NULL;
1227 if (plistlen > 65532)
1228 {
1229 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1230 return NULL;
1231 }
1232
1233 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1234 s2n(plistlen + 2, ret);
1235
1236 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1237 * elliptic_curve_list, but the examples use two bytes.
1238 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1239 * resolves this to two bytes.
1240 */
1241 s2n(plistlen, ret);
1242 memcpy(ret, plist, plistlen);
1243 ret+=plistlen;
1244 }
1245#endif /* OPENSSL_NO_EC */
1246
1247 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1248 {
1249 int ticklen;
1250 if (!s->new_session && s->session && s->session->tlsext_tick)
1251 ticklen = s->session->tlsext_ticklen;
1252 else if (s->session && s->tlsext_session_ticket &&
1253 s->tlsext_session_ticket->data)
1254 {
1255 ticklen = s->tlsext_session_ticket->length;
1256 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1257 if (!s->session->tlsext_tick)
1258 return NULL;
1259 memcpy(s->session->tlsext_tick,
1260 s->tlsext_session_ticket->data,
1261 ticklen);
1262 s->session->tlsext_ticklen = ticklen;
1263 }
1264 else
1265 ticklen = 0;
1266 if (ticklen == 0 && s->tlsext_session_ticket &&
1267 s->tlsext_session_ticket->data == NULL)
1268 goto skip_ext;
1269 /* Check for enough room 2 for extension type, 2 for len
1270 * rest for ticket
1271 */
1272 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1273 s2n(TLSEXT_TYPE_session_ticket,ret);
1274 s2n(ticklen,ret);
1275 if (ticklen)
1276 {
1277 memcpy(ret, s->session->tlsext_tick, ticklen);
1278 ret += ticklen;
1279 }
1280 }
1281 skip_ext:
1282
1283 if (SSL_USE_SIGALGS(s))
1284 {
1285 size_t salglen;
1286 const unsigned char *salg;
1287 salglen = tls12_get_psigalgs(s, &salg);
1288 if ((size_t)(limit - ret) < salglen + 6)
1289 return NULL;
1290 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1291 s2n(salglen + 2, ret);
1292 s2n(salglen, ret);
1293 memcpy(ret, salg, salglen);
1294 ret += salglen;
1295 }
1296
1297#ifdef TLSEXT_TYPE_opaque_prf_input
1298 if (s->s3->client_opaque_prf_input != NULL)
1299 {
1300 size_t col = s->s3->client_opaque_prf_input_len;
1301
1302 if ((long)(limit - ret - 6 - col < 0))
1303 return NULL;
1304 if (col > 0xFFFD) /* can't happen */
1305 return NULL;
1306
1307 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1308 s2n(col + 2, ret);
1309 s2n(col, ret);
1310 memcpy(ret, s->s3->client_opaque_prf_input, col);
1311 ret += col;
1312 }
1313#endif
1314
1315 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1316#if 0
1317 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1318 {
1319 int i;
1320 long extlen, idlen, itmp;
1321 OCSP_RESPID *id;
1322
1323 idlen = 0;
1324 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1325 {
1326 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1327 itmp = i2d_OCSP_RESPID(id, NULL);
1328 if (itmp <= 0)
1329 return NULL;
1330 idlen += itmp + 2;
1331 }
1332
1333 if (s->tlsext_ocsp_exts)
1334 {
1335 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1336 if (extlen < 0)
1337 return NULL;
1338 }
1339 else
1340 extlen = 0;
1341
1342 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1343 s2n(TLSEXT_TYPE_status_request, ret);
1344 if (extlen + idlen > 0xFFF0)
1345 return NULL;
1346 s2n(extlen + idlen + 5, ret);
1347 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1348 s2n(idlen, ret);
1349 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1350 {
1351 /* save position of id len */
1352 unsigned char *q = ret;
1353 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1354 /* skip over id len */
1355 ret += 2;
1356 itmp = i2d_OCSP_RESPID(id, &ret);
1357 /* write id len */
1358 s2n(itmp, q);
1359 }
1360 s2n(extlen, ret);
1361 if (extlen > 0)
1362 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1363 }
1364#endif
1365
1366#ifndef OPENSSL_NO_HEARTBEATS
1367 /* Add Heartbeat extension */
1368 s2n(TLSEXT_TYPE_heartbeat,ret);
1369 s2n(1,ret);
1370 /* Set mode:
1371 * 1: peer may send requests
1372 * 2: peer not allowed to send requests
1373 */
1374 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1375 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1376 else
1377 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1378#endif
1379
1380#ifndef OPENSSL_NO_NEXTPROTONEG
1381 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1382 {
1383 /* The client advertises an emtpy extension to indicate its
1384 * support for Next Protocol Negotiation */
1385 if (limit - ret - 4 < 0)
1386 return NULL;
1387 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1388 s2n(0,ret);
1389 }
1390#endif
1391
1392 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1393 {
1394 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1395 return NULL;
1396 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1397 s2n(2 + s->alpn_client_proto_list_len,ret);
1398 s2n(s->alpn_client_proto_list_len,ret);
1399 memcpy(ret, s->alpn_client_proto_list,
1400 s->alpn_client_proto_list_len);
1401 ret += s->alpn_client_proto_list_len;
1402 }
1403
1404 if(SSL_get_srtp_profiles(s))
1405 {
1406 int el;
1407
1408 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1409
1410 if((limit - p - 4 - el) < 0) return NULL;
1411
1412 s2n(TLSEXT_TYPE_use_srtp,ret);
1413 s2n(el,ret);
1414
1415 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1416 {
1417 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1418 return NULL;
1419 }
1420 ret += el;
1421 }
1422
1423 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1424 /* 2 bytes for extension type */
1425 /* 2 bytes for extension length */
1426 /* 1 byte for the list length */
1427 /* 1 byte for the list (we only support audit proofs) */
1428 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1429 {
1430 const unsigned short ext_len = 2;
1431 const unsigned char list_len = 1;
1432
1433 if (limit < ret + 6)
1434 return NULL;
1435
1436 s2n(TLSEXT_TYPE_server_authz, ret);
1437 /* Extension length: 2 bytes */
1438 s2n(ext_len, ret);
1439 *(ret++) = list_len;
1440 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1441 }
1442
1443 /* Add custom TLS Extensions to ClientHello */
1444 if (s->ctx->custom_cli_ext_records_count)
1445 {
1446 size_t i;
1447 custom_cli_ext_record* record;
1448
1449 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1450 {
1451 const unsigned char* out = NULL;
1452 unsigned short outlen = 0;
1453
1454 record = &s->ctx->custom_cli_ext_records[i];
1455 /* NULL callback sends empty extension */
1456 /* -1 from callback omits extension */
1457 if (record->fn1)
1458 {
1459 int cb_retval = 0;
1460 cb_retval = record->fn1(s, record->ext_type,
1461 &out, &outlen,
1462 record->arg);
1463 if (cb_retval == 0)
1464 return NULL; /* error */
1465 if (cb_retval == -1)
1466 continue; /* skip this extension */
1467 }
1468 if (limit < ret + 4 + outlen)
1469 return NULL;
1470 s2n(record->ext_type, ret);
1471 s2n(outlen, ret);
1472 memcpy(ret, out, outlen);
1473 ret += outlen;
1474 }
1475 }
1476
1477#ifdef TLSEXT_TYPE_padding
1478 /* Add padding to workaround bugs in F5 terminators.
1479 * See https://tools.ietf.org/html/draft-agl-tls-padding-02
1480 *
1481 * NB: because this code works out the length of all existing
1482 * extensions it MUST always appear last.
1483 */
1484 {
1485 int hlen = ret - (unsigned char *)s->init_buf->data;
1486 /* The code in s23_clnt.c to build ClientHello messages includes the
1487 * 5-byte record header in the buffer, while the code in s3_clnt.c does
1488 * not. */
1489 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1490 hlen -= 5;
1491 if (hlen > 0xff && hlen < 0x200)
1492 {
1493 hlen = 0x200 - hlen;
1494 if (hlen >= 4)
1495 hlen -= 4;
1496 else
1497 hlen = 0;
1498
1499 s2n(TLSEXT_TYPE_padding, ret);
1500 s2n(hlen, ret);
1501 memset(ret, 0, hlen);
1502 ret += hlen;
1503 }
1504#endif
1505
1506 if ((extdatalen = ret-p-2) == 0)
1507 return p;
1508
1509 s2n(extdatalen,p);
1510 return ret;
1511 }
1512
1513unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1514 {
1515 int extdatalen=0;
1516 unsigned char *ret = p;
1517#ifndef OPENSSL_NO_NEXTPROTONEG
1518 int next_proto_neg_seen;
1519#endif
1520#ifndef OPENSSL_NO_EC
1521 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1522 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1523 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1524 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1525#endif
1526 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1527 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1528 return p;
1529
1530 ret+=2;
1531 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1532
1533 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1534 {
1535 if ((long)(limit - ret - 4) < 0) return NULL;
1536
1537 s2n(TLSEXT_TYPE_server_name,ret);
1538 s2n(0,ret);
1539 }
1540
1541 if(s->s3->send_connection_binding)
1542 {
1543 int el;
1544
1545 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1546 {
1547 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1548 return NULL;
1549 }
1550
1551 if((limit - p - 4 - el) < 0) return NULL;
1552
1553 s2n(TLSEXT_TYPE_renegotiate,ret);
1554 s2n(el,ret);
1555
1556 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1557 {
1558 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1559 return NULL;
1560 }
1561
1562 ret += el;
1563 }
1564
1565#ifndef OPENSSL_NO_EC
1566 if (using_ecc)
1567 {
1568 const unsigned char *plist;
1569 size_t plistlen;
1570 /* Add TLS extension ECPointFormats to the ServerHello message */
1571 long lenmax;
1572
1573 tls1_get_formatlist(s, &plist, &plistlen);
1574
1575 if ((lenmax = limit - ret - 5) < 0) return NULL;
1576 if (plistlen > (size_t)lenmax) return NULL;
1577 if (plistlen > 255)
1578 {
1579 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1580 return NULL;
1581 }
1582
1583 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1584 s2n(plistlen + 1,ret);
1585 *(ret++) = (unsigned char) plistlen;
1586 memcpy(ret, plist, plistlen);
1587 ret+=plistlen;
1588
1589 }
1590 /* Currently the server should not respond with a SupportedCurves extension */
1591#endif /* OPENSSL_NO_EC */
1592
1593 if (s->tlsext_ticket_expected
1594 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1595 {
1596 if ((long)(limit - ret - 4) < 0) return NULL;
1597 s2n(TLSEXT_TYPE_session_ticket,ret);
1598 s2n(0,ret);
1599 }
1600
1601 if (s->tlsext_status_expected)
1602 {
1603 if ((long)(limit - ret - 4) < 0) return NULL;
1604 s2n(TLSEXT_TYPE_status_request,ret);
1605 s2n(0,ret);
1606 }
1607
1608#ifdef TLSEXT_TYPE_opaque_prf_input
1609 if (s->s3->server_opaque_prf_input != NULL)
1610 {
1611 size_t sol = s->s3->server_opaque_prf_input_len;
1612
1613 if ((long)(limit - ret - 6 - sol) < 0)
1614 return NULL;
1615 if (sol > 0xFFFD) /* can't happen */
1616 return NULL;
1617
1618 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1619 s2n(sol + 2, ret);
1620 s2n(sol, ret);
1621 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1622 ret += sol;
1623 }
1624#endif
1625
1626 if(s->srtp_profile)
1627 {
1628 int el;
1629
1630 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1631
1632 if((limit - p - 4 - el) < 0) return NULL;
1633
1634 s2n(TLSEXT_TYPE_use_srtp,ret);
1635 s2n(el,ret);
1636
1637 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1638 {
1639 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1640 return NULL;
1641 }
1642 ret+=el;
1643 }
1644
1645 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1646 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1647 { const unsigned char cryptopro_ext[36] = {
1648 0xfd, 0xe8, /*65000*/
1649 0x00, 0x20, /*32 bytes length*/
1650 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1651 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1652 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1653 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1654 if (limit-ret<36) return NULL;
1655 memcpy(ret,cryptopro_ext,36);
1656 ret+=36;
1657
1658 }
1659
1660#ifndef OPENSSL_NO_HEARTBEATS
1661 /* Add Heartbeat extension if we've received one */
1662 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1663 {
1664 s2n(TLSEXT_TYPE_heartbeat,ret);
1665 s2n(1,ret);
1666 /* Set mode:
1667 * 1: peer may send requests
1668 * 2: peer not allowed to send requests
1669 */
1670 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1671 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1672 else
1673 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1674
1675 }
1676#endif
1677
1678#ifndef OPENSSL_NO_NEXTPROTONEG
1679 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1680 s->s3->next_proto_neg_seen = 0;
1681 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1682 {
1683 const unsigned char *npa;
1684 unsigned int npalen;
1685 int r;
1686
1687 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1688 if (r == SSL_TLSEXT_ERR_OK)
1689 {
1690 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1691 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1692 s2n(npalen,ret);
1693 memcpy(ret, npa, npalen);
1694 ret += npalen;
1695 s->s3->next_proto_neg_seen = 1;
1696 }
1697 }
1698#endif
1699
1700 /* If the client supports authz then see whether we have any to offer
1701 * to it. */
1702 if (s->s3->tlsext_authz_client_types_len)
1703 {
1704 size_t authz_length;
1705 /* By now we already know the new cipher, so we can look ahead
1706 * to see whether the cert we are going to send
1707 * has any authz data attached to it. */
1708 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1709 const unsigned char* const orig_authz = authz;
1710 size_t i;
1711 unsigned authz_count = 0;
1712
1713 /* The authz data contains a number of the following structures:
1714 * uint8_t authz_type
1715 * uint16_t length
1716 * uint8_t data[length]
1717 *
1718 * First we walk over it to find the number of authz elements. */
1719 for (i = 0; i < authz_length; i++)
1720 {
1721 unsigned short length;
1722 unsigned char type;
1723
1724 type = *(authz++);
1725 if (memchr(s->s3->tlsext_authz_client_types,
1726 type,
1727 s->s3->tlsext_authz_client_types_len) != NULL)
1728 authz_count++;
1729
1730 n2s(authz, length);
1731 /* n2s increments authz by 2 */
1732 i += 2;
1733 authz += length;
1734 i += length;
1735 }
1736
1737 if (authz_count)
1738 {
1739 /* Add TLS extension server_authz to the ServerHello message
1740 * 2 bytes for extension type
1741 * 2 bytes for extension length
1742 * 1 byte for the list length
1743 * n bytes for the list */
1744 const unsigned short ext_len = 1 + authz_count;
1745
1746 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1747 s2n(TLSEXT_TYPE_server_authz, ret);
1748 s2n(ext_len, ret);
1749 *(ret++) = authz_count;
1750 s->s3->tlsext_authz_promised_to_client = 1;
1751 }
1752
1753 authz = orig_authz;
1754 for (i = 0; i < authz_length; i++)
1755 {
1756 unsigned short length;
1757 unsigned char type;
1758
1759 authz_count++;
1760 type = *(authz++);
1761 if (memchr(s->s3->tlsext_authz_client_types,
1762 type,
1763 s->s3->tlsext_authz_client_types_len) != NULL)
1764 *(ret++) = type;
1765 n2s(authz, length);
1766 /* n2s increments authz by 2 */
1767 i += 2;
1768 authz += length;
1769 i += length;
1770 }
1771 }
1772
1773 /* If custom types were sent in ClientHello, add ServerHello responses */
1774 if (s->s3->tlsext_custom_types_count)
1775 {
1776 size_t i;
1777
1778 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1779 {
1780 size_t j;
1781 custom_srv_ext_record *record;
1782
1783 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1784 {
1785 record = &s->ctx->custom_srv_ext_records[j];
1786 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1787 {
1788 const unsigned char *out = NULL;
1789 unsigned short outlen = 0;
1790 int cb_retval = 0;
1791
1792 /* NULL callback or -1 omits extension */
1793 if (!record->fn2)
1794 break;
1795 cb_retval = record->fn2(s, record->ext_type,
1796 &out, &outlen,
1797 record->arg);
1798 if (cb_retval == 0)
1799 return NULL; /* error */
1800 if (cb_retval == -1)
1801 break; /* skip this extension */
1802 if (limit < ret + 4 + outlen)
1803 return NULL;
1804 s2n(record->ext_type, ret);
1805 s2n(outlen, ret);
1806 memcpy(ret, out, outlen);
1807 ret += outlen;
1808 break;
1809 }
1810 }
1811 }
1812 }
1813
1814 if (s->s3->alpn_selected)
1815 {
1816 const unsigned char *selected = s->s3->alpn_selected;
1817 unsigned len = s->s3->alpn_selected_len;
1818
1819 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1820 return NULL;
1821 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1822 s2n(3 + len,ret);
1823 s2n(1 + len,ret);
1824 *ret++ = len;
1825 memcpy(ret, selected, len);
1826 ret += len;
1827 }
1828
1829 if ((extdatalen = ret-p-2)== 0)
1830 return p;
1831
1832 s2n(extdatalen,p);
1833 return ret;
1834 }
1835
1836#ifndef OPENSSL_NO_EC
1837/* ssl_check_for_safari attempts to fingerprint Safari using OS X
1838 * SecureTransport using the TLS extension block in |d|, of length |n|.
1839 * Safari, since 10.6, sends exactly these extensions, in this order:
1840 * SNI,
1841 * elliptic_curves
1842 * ec_point_formats
1843 *
1844 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1845 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1846 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1847 * 10.8..10.8.3 (which don't work).
1848 */
1849static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1850 unsigned short type, size;
1851 static const unsigned char kSafariExtensionsBlock[] = {
1852 0x00, 0x0a, /* elliptic_curves extension */
1853 0x00, 0x08, /* 8 bytes */
1854 0x00, 0x06, /* 6 bytes of curve ids */
1855 0x00, 0x17, /* P-256 */
1856 0x00, 0x18, /* P-384 */
1857 0x00, 0x19, /* P-521 */
1858
1859 0x00, 0x0b, /* ec_point_formats */
1860 0x00, 0x02, /* 2 bytes */
1861 0x01, /* 1 point format */
1862 0x00, /* uncompressed */
1863 };
1864
1865 /* The following is only present in TLS 1.2 */
1866 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1867 0x00, 0x0d, /* signature_algorithms */
1868 0x00, 0x0c, /* 12 bytes */
1869 0x00, 0x0a, /* 10 bytes */
1870 0x05, 0x01, /* SHA-384/RSA */
1871 0x04, 0x01, /* SHA-256/RSA */
1872 0x02, 0x01, /* SHA-1/RSA */
1873 0x04, 0x03, /* SHA-256/ECDSA */
1874 0x02, 0x03, /* SHA-1/ECDSA */
1875 };
1876
1877 if (data >= (d+n-2))
1878 return;
1879 data += 2;
1880
1881 if (data > (d+n-4))
1882 return;
1883 n2s(data,type);
1884 n2s(data,size);
1885
1886 if (type != TLSEXT_TYPE_server_name)
1887 return;
1888
1889 if (data+size > d+n)
1890 return;
1891 data += size;
1892
1893 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1894 {
1895 const size_t len1 = sizeof(kSafariExtensionsBlock);
1896 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1897
1898 if (data + len1 + len2 != d+n)
1899 return;
1900 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1901 return;
1902 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1903 return;
1904 }
1905 else
1906 {
1907 const size_t len = sizeof(kSafariExtensionsBlock);
1908
1909 if (data + len != d+n)
1910 return;
1911 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1912 return;
1913 }
1914
1915 s->s3->is_probably_safari = 1;
1916}
1917#endif /* !OPENSSL_NO_EC */
1918
1919/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1920 * ClientHello.
1921 * data: the contents of the extension, not including the type and length.
1922 * data_len: the number of bytes in |data|
1923 * al: a pointer to the alert value to send in the event of a non-zero
1924 * return.
1925 *
1926 * returns: 0 on success. */
1927static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1928 unsigned data_len, int *al)
1929 {
1930 unsigned i;
1931 unsigned proto_len;
1932 const unsigned char *selected;
1933 unsigned char selected_len;
1934 int r;
1935
1936 if (s->ctx->alpn_select_cb == NULL)
1937 return 0;
1938
1939 if (data_len < 2)
1940 goto parse_error;
1941
1942 /* data should contain a uint16 length followed by a series of 8-bit,
1943 * length-prefixed strings. */
1944 i = ((unsigned) data[0]) << 8 |
1945 ((unsigned) data[1]);
1946 data_len -= 2;
1947 data += 2;
1948 if (data_len != i)
1949 goto parse_error;
1950
1951 if (data_len < 2)
1952 goto parse_error;
1953
1954 for (i = 0; i < data_len;)
1955 {
1956 proto_len = data[i];
1957 i++;
1958
1959 if (proto_len == 0)
1960 goto parse_error;
1961
1962 if (i + proto_len < i || i + proto_len > data_len)
1963 goto parse_error;
1964
1965 i += proto_len;
1966 }
1967
1968 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1969 s->ctx->alpn_select_cb_arg);
1970 if (r == SSL_TLSEXT_ERR_OK) {
1971 if (s->s3->alpn_selected)
1972 OPENSSL_free(s->s3->alpn_selected);
1973 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1974 if (!s->s3->alpn_selected)
1975 {
1976 *al = SSL_AD_INTERNAL_ERROR;
1977 return -1;
1978 }
1979 memcpy(s->s3->alpn_selected, selected, selected_len);
1980 s->s3->alpn_selected_len = selected_len;
1981 }
1982 return 0;
1983
1984parse_error:
1985 *al = SSL_AD_DECODE_ERROR;
1986 return -1;
1987 }
1988
1989static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1990 {
1991 unsigned short type;
1992 unsigned short size;
1993 unsigned short len;
1994 unsigned char *data = *p;
1995 int renegotiate_seen = 0;
1996 size_t i;
1997
1998 s->servername_done = 0;
1999 s->tlsext_status_type = -1;
2000#ifndef OPENSSL_NO_NEXTPROTONEG
2001 s->s3->next_proto_neg_seen = 0;
2002#endif
2003
2004 /* Clear observed custom extensions */
2005 s->s3->tlsext_custom_types_count = 0;
2006 if (s->s3->tlsext_custom_types != NULL)
2007 {
2008 OPENSSL_free(s->s3->tlsext_custom_types);
2009 s->s3->tlsext_custom_types = NULL;
2010 }
2011
2012 if (s->s3->alpn_selected)
2013 {
2014 OPENSSL_free(s->s3->alpn_selected);
2015 s->s3->alpn_selected = NULL;
2016 }
2017
2018#ifndef OPENSSL_NO_HEARTBEATS
2019 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2020 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2021#endif
2022
2023#ifndef OPENSSL_NO_EC
2024 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2025 ssl_check_for_safari(s, data, d, n);
2026#endif /* !OPENSSL_NO_EC */
2027
2028 /* Clear any signature algorithms extension received */
2029 if (s->cert->peer_sigalgs)
2030 {
2031 OPENSSL_free(s->cert->peer_sigalgs);
2032 s->cert->peer_sigalgs = NULL;
2033 }
2034 /* Clear any shared sigtnature algorithms */
2035 if (s->cert->shared_sigalgs)
2036 {
2037 OPENSSL_free(s->cert->shared_sigalgs);
2038 s->cert->shared_sigalgs = NULL;
2039 }
2040 /* Clear certificate digests and validity flags */
2041 for (i = 0; i < SSL_PKEY_NUM; i++)
2042 {
2043 s->cert->pkeys[i].digest = NULL;
2044 s->cert->pkeys[i].valid_flags = 0;
2045 }
2046
2047 if (data >= (d+n-2))
2048 goto ri_check;
2049 n2s(data,len);
2050
2051 if (data > (d+n-len))
2052 goto ri_check;
2053
2054 while (data <= (d+n-4))
2055 {
2056 n2s(data,type);
2057 n2s(data,size);
2058
2059 if (data+size > (d+n))
2060 goto ri_check;
2061#if 0
2062 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2063#endif
2064 if (s->tlsext_debug_cb)
2065 s->tlsext_debug_cb(s, 0, type, data, size,
2066 s->tlsext_debug_arg);
2067/* The servername extension is treated as follows:
2068
2069 - Only the hostname type is supported with a maximum length of 255.
2070 - The servername is rejected if too long or if it contains zeros,
2071 in which case an fatal alert is generated.
2072 - The servername field is maintained together with the session cache.
2073 - When a session is resumed, the servername call back invoked in order
2074 to allow the application to position itself to the right context.
2075 - The servername is acknowledged if it is new for a session or when
2076 it is identical to a previously used for the same session.
2077 Applications can control the behaviour. They can at any time
2078 set a 'desirable' servername for a new SSL object. This can be the
2079 case for example with HTTPS when a Host: header field is received and
2080 a renegotiation is requested. In this case, a possible servername
2081 presented in the new client hello is only acknowledged if it matches
2082 the value of the Host: field.
2083 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2084 if they provide for changing an explicit servername context for the session,
2085 i.e. when the session has been established with a servername extension.
2086 - On session reconnect, the servername extension may be absent.
2087
2088*/
2089
2090 if (type == TLSEXT_TYPE_server_name)
2091 {
2092 unsigned char *sdata;
2093 int servname_type;
2094 int dsize;
2095
2096 if (size < 2)
2097 {
2098 *al = SSL_AD_DECODE_ERROR;
2099 return 0;
2100 }
2101 n2s(data,dsize);
2102 size -= 2;
2103 if (dsize > size )
2104 {
2105 *al = SSL_AD_DECODE_ERROR;
2106 return 0;
2107 }
2108
2109 sdata = data;
2110 while (dsize > 3)
2111 {
2112 servname_type = *(sdata++);
2113 n2s(sdata,len);
2114 dsize -= 3;
2115
2116 if (len > dsize)
2117 {
2118 *al = SSL_AD_DECODE_ERROR;
2119 return 0;
2120 }
2121 if (s->servername_done == 0)
2122 switch (servname_type)
2123 {
2124 case TLSEXT_NAMETYPE_host_name:
2125 if (!s->hit)
2126 {
2127 if(s->session->tlsext_hostname)
2128 {
2129 *al = SSL_AD_DECODE_ERROR;
2130 return 0;
2131 }
2132 if (len > TLSEXT_MAXLEN_host_name)
2133 {
2134 *al = TLS1_AD_UNRECOGNIZED_NAME;
2135 return 0;
2136 }
2137 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2138 {
2139 *al = TLS1_AD_INTERNAL_ERROR;
2140 return 0;
2141 }
2142 memcpy(s->session->tlsext_hostname, sdata, len);
2143 s->session->tlsext_hostname[len]='\0';
2144 if (strlen(s->session->tlsext_hostname) != len) {
2145 OPENSSL_free(s->session->tlsext_hostname);
2146 s->session->tlsext_hostname = NULL;
2147 *al = TLS1_AD_UNRECOGNIZED_NAME;
2148 return 0;
2149 }
2150 s->servername_done = 1;
2151
2152 }
2153 else
2154 s->servername_done = s->session->tlsext_hostname
2155 && strlen(s->session->tlsext_hostname) == len
2156 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2157
2158 break;
2159
2160 default:
2161 break;
2162 }
2163
2164 dsize -= len;
2165 }
2166 if (dsize != 0)
2167 {
2168 *al = SSL_AD_DECODE_ERROR;
2169 return 0;
2170 }
2171
2172 }
2173
2174#ifndef OPENSSL_NO_EC
2175 else if (type == TLSEXT_TYPE_ec_point_formats)
2176 {
2177 unsigned char *sdata = data;
2178 int ecpointformatlist_length = *(sdata++);
2179
2180 if (ecpointformatlist_length != size - 1 ||
2181 ecpointformatlist_length < 1)
2182 {
2183 *al = TLS1_AD_DECODE_ERROR;
2184 return 0;
2185 }
2186 if (!s->hit)
2187 {
2188 if(s->session->tlsext_ecpointformatlist)
2189 {
2190 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2191 s->session->tlsext_ecpointformatlist = NULL;
2192 }
2193 s->session->tlsext_ecpointformatlist_length = 0;
2194 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2195 {
2196 *al = TLS1_AD_INTERNAL_ERROR;
2197 return 0;
2198 }
2199 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2200 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2201 }
2202#if 0
2203 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2204 sdata = s->session->tlsext_ecpointformatlist;
2205 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2206 fprintf(stderr,"%i ",*(sdata++));
2207 fprintf(stderr,"\n");
2208#endif
2209 }
2210 else if (type == TLSEXT_TYPE_elliptic_curves)
2211 {
2212 unsigned char *sdata = data;
2213 int ellipticcurvelist_length = (*(sdata++) << 8);
2214 ellipticcurvelist_length += (*(sdata++));
2215
2216 if (ellipticcurvelist_length != size - 2 ||
2217 ellipticcurvelist_length < 1)
2218 {
2219 *al = TLS1_AD_DECODE_ERROR;
2220 return 0;
2221 }
2222 if (!s->hit)
2223 {
2224 if(s->session->tlsext_ellipticcurvelist)
2225 {
2226 *al = TLS1_AD_DECODE_ERROR;
2227 return 0;
2228 }
2229 s->session->tlsext_ellipticcurvelist_length = 0;
2230 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2231 {
2232 *al = TLS1_AD_INTERNAL_ERROR;
2233 return 0;
2234 }
2235 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2236 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2237 }
2238#if 0
2239 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2240 sdata = s->session->tlsext_ellipticcurvelist;
2241 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2242 fprintf(stderr,"%i ",*(sdata++));
2243 fprintf(stderr,"\n");
2244#endif
2245 }
2246#endif /* OPENSSL_NO_EC */
2247#ifdef TLSEXT_TYPE_opaque_prf_input
2248 else if (type == TLSEXT_TYPE_opaque_prf_input)
2249 {
2250 unsigned char *sdata = data;
2251
2252 if (size < 2)
2253 {
2254 *al = SSL_AD_DECODE_ERROR;
2255 return 0;
2256 }
2257 n2s(sdata, s->s3->client_opaque_prf_input_len);
2258 if (s->s3->client_opaque_prf_input_len != size - 2)
2259 {
2260 *al = SSL_AD_DECODE_ERROR;
2261 return 0;
2262 }
2263
2264 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2265 OPENSSL_free(s->s3->client_opaque_prf_input);
2266 if (s->s3->client_opaque_prf_input_len == 0)
2267 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2268 else
2269 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2270 if (s->s3->client_opaque_prf_input == NULL)
2271 {
2272 *al = TLS1_AD_INTERNAL_ERROR;
2273 return 0;
2274 }
2275 }
2276#endif
2277 else if (type == TLSEXT_TYPE_session_ticket)
2278 {
2279 if (s->tls_session_ticket_ext_cb &&
2280 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2281 {
2282 *al = TLS1_AD_INTERNAL_ERROR;
2283 return 0;
2284 }
2285 }
2286 else if (type == TLSEXT_TYPE_renegotiate)
2287 {
2288 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2289 return 0;
2290 renegotiate_seen = 1;
2291 }
2292 else if (type == TLSEXT_TYPE_signature_algorithms)
2293 {
2294 int dsize;
2295 if (s->cert->peer_sigalgs || size < 2)
2296 {
2297 *al = SSL_AD_DECODE_ERROR;
2298 return 0;
2299 }
2300 n2s(data,dsize);
2301 size -= 2;
2302 if (dsize != size || dsize & 1 || !dsize)
2303 {
2304 *al = SSL_AD_DECODE_ERROR;
2305 return 0;
2306 }
2307 if (!tls1_process_sigalgs(s, data, dsize))
2308 {
2309 *al = SSL_AD_DECODE_ERROR;
2310 return 0;
2311 }
2312 /* If sigalgs received and no shared algorithms fatal
2313 * error.
2314 */
2315 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2316 {
2317 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2318 *al = SSL_AD_ILLEGAL_PARAMETER;
2319 return 0;
2320 }
2321 }
2322
2323 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2324#if 0
2325 else if (type == TLSEXT_TYPE_status_request)
2326 {
2327
2328 if (size < 5)
2329 {
2330 *al = SSL_AD_DECODE_ERROR;
2331 return 0;
2332 }
2333
2334 s->tlsext_status_type = *data++;
2335 size--;
2336 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2337 {
2338 const unsigned char *sdata;
2339 int dsize;
2340 /* Read in responder_id_list */
2341 n2s(data,dsize);
2342 size -= 2;
2343 if (dsize > size )
2344 {
2345 *al = SSL_AD_DECODE_ERROR;
2346 return 0;
2347 }
2348 while (dsize > 0)
2349 {
2350 OCSP_RESPID *id;
2351 int idsize;
2352 if (dsize < 4)
2353 {
2354 *al = SSL_AD_DECODE_ERROR;
2355 return 0;
2356 }
2357 n2s(data, idsize);
2358 dsize -= 2 + idsize;
2359 size -= 2 + idsize;
2360 if (dsize < 0)
2361 {
2362 *al = SSL_AD_DECODE_ERROR;
2363 return 0;
2364 }
2365 sdata = data;
2366 data += idsize;
2367 id = d2i_OCSP_RESPID(NULL,
2368 &sdata, idsize);
2369 if (!id)
2370 {
2371 *al = SSL_AD_DECODE_ERROR;
2372 return 0;
2373 }
2374 if (data != sdata)
2375 {
2376 OCSP_RESPID_free(id);
2377 *al = SSL_AD_DECODE_ERROR;
2378 return 0;
2379 }
2380 if (!s->tlsext_ocsp_ids
2381 && !(s->tlsext_ocsp_ids =
2382 sk_OCSP_RESPID_new_null()))
2383 {
2384 OCSP_RESPID_free(id);
2385 *al = SSL_AD_INTERNAL_ERROR;
2386 return 0;
2387 }
2388 if (!sk_OCSP_RESPID_push(
2389 s->tlsext_ocsp_ids, id))
2390 {
2391 OCSP_RESPID_free(id);
2392 *al = SSL_AD_INTERNAL_ERROR;
2393 return 0;
2394 }
2395 }
2396
2397 /* Read in request_extensions */
2398 if (size < 2)
2399 {
2400 *al = SSL_AD_DECODE_ERROR;
2401 return 0;
2402 }
2403 n2s(data,dsize);
2404 size -= 2;
2405 if (dsize != size)
2406 {
2407 *al = SSL_AD_DECODE_ERROR;
2408 return 0;
2409 }
2410 sdata = data;
2411 if (dsize > 0)
2412 {
2413 if (s->tlsext_ocsp_exts)
2414 {
2415 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2416 X509_EXTENSION_free);
2417 }
2418
2419 s->tlsext_ocsp_exts =
2420 d2i_X509_EXTENSIONS(NULL,
2421 &sdata, dsize);
2422 if (!s->tlsext_ocsp_exts
2423 || (data + dsize != sdata))
2424 {
2425 *al = SSL_AD_DECODE_ERROR;
2426 return 0;
2427 }
2428 }
2429 }
2430 /* We don't know what to do with any other type
2431 * so ignore it.
2432 */
2433 else
2434 s->tlsext_status_type = -1;
2435 }
2436#endif
2437
2438#ifndef OPENSSL_NO_HEARTBEATS
2439 else if (type == TLSEXT_TYPE_heartbeat)
2440 {
2441 switch(data[0])
2442 {
2443 case 0x01: /* Client allows us to send HB requests */
2444 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2445 break;
2446 case 0x02: /* Client doesn't accept HB requests */
2447 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2448 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2449 break;
2450 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2451 return 0;
2452 }
2453 }
2454#endif
2455#ifndef OPENSSL_NO_NEXTPROTONEG
2456 else if (type == TLSEXT_TYPE_next_proto_neg &&
2457 s->s3->tmp.finish_md_len == 0 &&
2458 s->s3->alpn_selected == NULL)
2459 {
2460 /* We shouldn't accept this extension on a
2461 * renegotiation.
2462 *
2463 * s->new_session will be set on renegotiation, but we
2464 * probably shouldn't rely that it couldn't be set on
2465 * the initial renegotation too in certain cases (when
2466 * there's some other reason to disallow resuming an
2467 * earlier session -- the current code won't be doing
2468 * anything like that, but this might change).
2469
2470 * A valid sign that there's been a previous handshake
2471 * in this connection is if s->s3->tmp.finish_md_len >
2472 * 0. (We are talking about a check that will happen
2473 * in the Hello protocol round, well before a new
2474 * Finished message could have been computed.) */
2475 s->s3->next_proto_neg_seen = 1;
2476 }
2477#endif
2478
2479 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2480 s->ctx->alpn_select_cb &&
2481 s->s3->tmp.finish_md_len == 0)
2482 {
2483 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2484 return 0;
2485#ifndef OPENSSL_NO_NEXTPROTONEG
2486 /* ALPN takes precedence over NPN. */
2487 s->s3->next_proto_neg_seen = 0;
2488#endif
2489 }
2490
2491 /* session ticket processed earlier */
2492 else if (type == TLSEXT_TYPE_use_srtp)
2493 {
2494 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2495 al))
2496 return 0;
2497 }
2498
2499 else if (type == TLSEXT_TYPE_server_authz)
2500 {
2501 unsigned char *sdata = data;
2502 unsigned char server_authz_dataformatlist_length;
2503
2504 if (size == 0)
2505 {
2506 *al = TLS1_AD_DECODE_ERROR;
2507 return 0;
2508 }
2509
2510 server_authz_dataformatlist_length = *(sdata++);
2511
2512 if (server_authz_dataformatlist_length != size - 1)
2513 {
2514 *al = TLS1_AD_DECODE_ERROR;
2515 return 0;
2516 }
2517
2518 /* Successful session resumption uses the same authz
2519 * information as the original session so we ignore this
2520 * in the case of a session resumption. */
2521 if (!s->hit)
2522 {
2523 if (s->s3->tlsext_authz_client_types != NULL)
2524 OPENSSL_free(s->s3->tlsext_authz_client_types);
2525 s->s3->tlsext_authz_client_types =
2526 OPENSSL_malloc(server_authz_dataformatlist_length);
2527 if (!s->s3->tlsext_authz_client_types)
2528 {
2529 *al = TLS1_AD_INTERNAL_ERROR;
2530 return 0;
2531 }
2532
2533 s->s3->tlsext_authz_client_types_len =
2534 server_authz_dataformatlist_length;
2535 memcpy(s->s3->tlsext_authz_client_types,
2536 sdata,
2537 server_authz_dataformatlist_length);
2538
2539 /* Sort the types in order to check for duplicates. */
2540 qsort(s->s3->tlsext_authz_client_types,
2541 server_authz_dataformatlist_length,
2542 1 /* element size */,
2543 byte_compare);
2544
2545 for (i = 0; i < server_authz_dataformatlist_length; i++)
2546 {
2547 if (i > 0 &&
2548 s->s3->tlsext_authz_client_types[i] ==
2549 s->s3->tlsext_authz_client_types[i-1])
2550 {
2551 *al = TLS1_AD_DECODE_ERROR;
2552 return 0;
2553 }
2554 }
2555 }
2556 }
2557
2558 /* If this ClientHello extension was unhandled and this is
2559 * a nonresumed connection, check whether the extension is a
2560 * custom TLS Extension (has a custom_srv_ext_record), and if
2561 * so call the callback and record the extension number so that
2562 * an appropriate ServerHello may be later returned.
2563 */
2564 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2565 {
2566 custom_srv_ext_record *record;
2567
2568 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2569 {
2570 record = &s->ctx->custom_srv_ext_records[i];
2571 if (type == record->ext_type)
2572 {
2573 size_t j;
2574
2575 /* Error on duplicate TLS Extensions */
2576 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2577 {
2578 if (type == s->s3->tlsext_custom_types[j])
2579 {
2580 *al = TLS1_AD_DECODE_ERROR;
2581 return 0;
2582 }
2583 }
2584
2585 /* NULL callback still notes the extension */
2586 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2587 return 0;
2588
2589 /* Add the (non-duplicated) entry */
2590 s->s3->tlsext_custom_types_count++;
2591 s->s3->tlsext_custom_types = OPENSSL_realloc(
2592 s->s3->tlsext_custom_types,
2593 s->s3->tlsext_custom_types_count * 2);
2594 if (s->s3->tlsext_custom_types == NULL)
2595 {
2596 s->s3->tlsext_custom_types = 0;
2597 *al = TLS1_AD_INTERNAL_ERROR;
2598 return 0;
2599 }
2600 s->s3->tlsext_custom_types[
2601 s->s3->tlsext_custom_types_count - 1] = type;
2602 }
2603 }
2604 }
2605
2606 data+=size;
2607 }
2608
2609 *p = data;
2610
2611 ri_check:
2612
2613 /* Need RI if renegotiating */
2614
2615 if (!renegotiate_seen && s->renegotiate &&
2616 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2617 {
2618 *al = SSL_AD_HANDSHAKE_FAILURE;
2619 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2620 return 0;
2621 }
2622 /* If no signature algorithms extension set default values */
2623 if (!s->cert->peer_sigalgs)
2624 ssl_cert_set_default_md(s->cert);
2625
2626 return 1;
2627 }
2628
2629int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2630 {
2631 int al = -1;
2632 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2633 {
2634 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2635 return 0;
2636 }
2637
2638 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2639 {
2640 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
2641 return 0;
2642 }
2643 return 1;
2644}
2645
2646#ifndef OPENSSL_NO_NEXTPROTONEG
2647/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2648 * elements of zero length are allowed and the set of elements must exactly fill
2649 * the length of the block. */
2650static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2651 {
2652 unsigned int off = 0;
2653
2654 while (off < len)
2655 {
2656 if (d[off] == 0)
2657 return 0;
2658 off += d[off];
2659 off++;
2660 }
2661
2662 return off == len;
2663 }
2664#endif
2665
2666static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2667 {
2668 unsigned short length;
2669 unsigned short type;
2670 unsigned short size;
2671 unsigned char *data = *p;
2672 int tlsext_servername = 0;
2673 int renegotiate_seen = 0;
2674
2675#ifndef OPENSSL_NO_NEXTPROTONEG
2676 s->s3->next_proto_neg_seen = 0;
2677#endif
2678
2679 if (s->s3->alpn_selected)
2680 {
2681 OPENSSL_free(s->s3->alpn_selected);
2682 s->s3->alpn_selected = NULL;
2683 }
2684
2685#ifndef OPENSSL_NO_HEARTBEATS
2686 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2687 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2688#endif
2689
2690 if (data >= (d+n-2))
2691 goto ri_check;
2692
2693 n2s(data,length);
2694 if (data+length != d+n)
2695 {
2696 *al = SSL_AD_DECODE_ERROR;
2697 return 0;
2698 }
2699
2700 while(data <= (d+n-4))
2701 {
2702 n2s(data,type);
2703 n2s(data,size);
2704
2705 if (data+size > (d+n))
2706 goto ri_check;
2707
2708 if (s->tlsext_debug_cb)
2709 s->tlsext_debug_cb(s, 1, type, data, size,
2710 s->tlsext_debug_arg);
2711
2712 if (type == TLSEXT_TYPE_server_name)
2713 {
2714 if (s->tlsext_hostname == NULL || size > 0)
2715 {
2716 *al = TLS1_AD_UNRECOGNIZED_NAME;
2717 return 0;
2718 }
2719 tlsext_servername = 1;
2720 }
2721
2722#ifndef OPENSSL_NO_EC
2723 else if (type == TLSEXT_TYPE_ec_point_formats)
2724 {
2725 unsigned char *sdata = data;
2726 int ecpointformatlist_length = *(sdata++);
2727
2728 if (ecpointformatlist_length != size - 1)
2729 {
2730 *al = TLS1_AD_DECODE_ERROR;
2731 return 0;
2732 }
2733 s->session->tlsext_ecpointformatlist_length = 0;
2734 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2735 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2736 {
2737 *al = TLS1_AD_INTERNAL_ERROR;
2738 return 0;
2739 }
2740 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2741 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2742#if 0
2743 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2744 sdata = s->session->tlsext_ecpointformatlist;
2745 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2746 fprintf(stderr,"%i ",*(sdata++));
2747 fprintf(stderr,"\n");
2748#endif
2749 }
2750#endif /* OPENSSL_NO_EC */
2751
2752 else if (type == TLSEXT_TYPE_session_ticket)
2753 {
2754 if (s->tls_session_ticket_ext_cb &&
2755 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2756 {
2757 *al = TLS1_AD_INTERNAL_ERROR;
2758 return 0;
2759 }
2760 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2761 || (size > 0))
2762 {
2763 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2764 return 0;
2765 }
2766 s->tlsext_ticket_expected = 1;
2767 }
2768#ifdef TLSEXT_TYPE_opaque_prf_input
2769 else if (type == TLSEXT_TYPE_opaque_prf_input)
2770 {
2771 unsigned char *sdata = data;
2772
2773 if (size < 2)
2774 {
2775 *al = SSL_AD_DECODE_ERROR;
2776 return 0;
2777 }
2778 n2s(sdata, s->s3->server_opaque_prf_input_len);
2779 if (s->s3->server_opaque_prf_input_len != size - 2)
2780 {
2781 *al = SSL_AD_DECODE_ERROR;
2782 return 0;
2783 }
2784
2785 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2786 OPENSSL_free(s->s3->server_opaque_prf_input);
2787 if (s->s3->server_opaque_prf_input_len == 0)
2788 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2789 else
2790 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2791
2792 if (s->s3->server_opaque_prf_input == NULL)
2793 {
2794 *al = TLS1_AD_INTERNAL_ERROR;
2795 return 0;
2796 }
2797 }
2798#endif
2799 else if (type == TLSEXT_TYPE_status_request)
2800 {
2801 /* MUST be empty and only sent if we've requested
2802 * a status request message.
2803 */
2804 if ((s->tlsext_status_type == -1) || (size > 0))
2805 {
2806 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2807 return 0;
2808 }
2809 /* Set flag to expect CertificateStatus message */
2810 s->tlsext_status_expected = 1;
2811 }
2812#ifndef OPENSSL_NO_NEXTPROTONEG
2813 else if (type == TLSEXT_TYPE_next_proto_neg &&
2814 s->s3->tmp.finish_md_len == 0)
2815 {
2816 unsigned char *selected;
2817 unsigned char selected_len;
2818
2819 /* We must have requested it. */
2820 if (s->ctx->next_proto_select_cb == NULL)
2821 {
2822 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2823 return 0;
2824 }
2825 /* The data must be valid */
2826 if (!ssl_next_proto_validate(data, size))
2827 {
2828 *al = TLS1_AD_DECODE_ERROR;
2829 return 0;
2830 }
2831 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2832 {
2833 *al = TLS1_AD_INTERNAL_ERROR;
2834 return 0;
2835 }
2836 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2837 if (!s->next_proto_negotiated)
2838 {
2839 *al = TLS1_AD_INTERNAL_ERROR;
2840 return 0;
2841 }
2842 memcpy(s->next_proto_negotiated, selected, selected_len);
2843 s->next_proto_negotiated_len = selected_len;
2844 s->s3->next_proto_neg_seen = 1;
2845 }
2846#endif
2847
2848 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2849 {
2850 unsigned len;
2851
2852 /* We must have requested it. */
2853 if (s->alpn_client_proto_list == NULL)
2854 {
2855 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2856 return 0;
2857 }
2858 if (size < 4)
2859 {
2860 *al = TLS1_AD_DECODE_ERROR;
2861 return 0;
2862 }
2863 /* The extension data consists of:
2864 * uint16 list_length
2865 * uint8 proto_length;
2866 * uint8 proto[proto_length]; */
2867 len = data[0];
2868 len <<= 8;
2869 len |= data[1];
2870 if (len != (unsigned) size - 2)
2871 {
2872 *al = TLS1_AD_DECODE_ERROR;
2873 return 0;
2874 }
2875 len = data[2];
2876 if (len != (unsigned) size - 3)
2877 {
2878 *al = TLS1_AD_DECODE_ERROR;
2879 return 0;
2880 }
2881 if (s->s3->alpn_selected)
2882 OPENSSL_free(s->s3->alpn_selected);
2883 s->s3->alpn_selected = OPENSSL_malloc(len);
2884 if (!s->s3->alpn_selected)
2885 {
2886 *al = TLS1_AD_INTERNAL_ERROR;
2887 return 0;
2888 }
2889 memcpy(s->s3->alpn_selected, data + 3, len);
2890 s->s3->alpn_selected_len = len;
2891 }
2892
2893 else if (type == TLSEXT_TYPE_renegotiate)
2894 {
2895 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2896 return 0;
2897 renegotiate_seen = 1;
2898 }
2899#ifndef OPENSSL_NO_HEARTBEATS
2900 else if (type == TLSEXT_TYPE_heartbeat)
2901 {
2902 switch(data[0])
2903 {
2904 case 0x01: /* Server allows us to send HB requests */
2905 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2906 break;
2907 case 0x02: /* Server doesn't accept HB requests */
2908 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2909 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2910 break;
2911 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2912 return 0;
2913 }
2914 }
2915#endif
2916 else if (type == TLSEXT_TYPE_use_srtp)
2917 {
2918 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2919 al))
2920 return 0;
2921 }
2922
2923 else if (type == TLSEXT_TYPE_server_authz)
2924 {
2925 /* We only support audit proofs. It's an error to send
2926 * an authz hello extension if the client
2927 * didn't request a proof. */
2928 unsigned char *sdata = data;
2929 unsigned char server_authz_dataformatlist_length;
2930
2931 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2932 {
2933 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2934 return 0;
2935 }
2936
2937 if (!size)
2938 {
2939 *al = TLS1_AD_DECODE_ERROR;
2940 return 0;
2941 }
2942
2943 server_authz_dataformatlist_length = *(sdata++);
2944 if (server_authz_dataformatlist_length != size - 1)
2945 {
2946 *al = TLS1_AD_DECODE_ERROR;
2947 return 0;
2948 }
2949
2950 /* We only support audit proofs, so a legal ServerHello
2951 * authz list contains exactly one entry. */
2952 if (server_authz_dataformatlist_length != 1 ||
2953 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2954 {
2955 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2956 return 0;
2957 }
2958
2959 s->s3->tlsext_authz_server_promised = 1;
2960 }
2961
2962 /* If this extension type was not otherwise handled, but
2963 * matches a custom_cli_ext_record, then send it to the c
2964 * callback */
2965 else if (s->ctx->custom_cli_ext_records_count)
2966 {
2967 size_t i;
2968 custom_cli_ext_record* record;
2969
2970 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2971 {
2972 record = &s->ctx->custom_cli_ext_records[i];
2973 if (record->ext_type == type)
2974 {
2975 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2976 return 0;
2977 break;
2978 }
2979 }
2980 }
2981
2982 data += size;
2983 }
2984
2985 if (data != d+n)
2986 {
2987 *al = SSL_AD_DECODE_ERROR;
2988 return 0;
2989 }
2990
2991 if (!s->hit && tlsext_servername == 1)
2992 {
2993 if (s->tlsext_hostname)
2994 {
2995 if (s->session->tlsext_hostname == NULL)
2996 {
2997 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2998 if (!s->session->tlsext_hostname)
2999 {
3000 *al = SSL_AD_UNRECOGNIZED_NAME;
3001 return 0;
3002 }
3003 }
3004 else
3005 {
3006 *al = SSL_AD_DECODE_ERROR;
3007 return 0;
3008 }
3009 }
3010 }
3011
3012 *p = data;
3013
3014 ri_check:
3015
3016 /* Determine if we need to see RI. Strictly speaking if we want to
3017 * avoid an attack we should *always* see RI even on initial server
3018 * hello because the client doesn't see any renegotiation during an
3019 * attack. However this would mean we could not connect to any server
3020 * which doesn't support RI so for the immediate future tolerate RI
3021 * absence on initial connect only.
3022 */
3023 if (!renegotiate_seen
3024 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
3025 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
3026 {
3027 *al = SSL_AD_HANDSHAKE_FAILURE;
3028 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
3029 return 0;
3030 }
3031
3032 return 1;
3033 }
3034
3035
3036int ssl_prepare_clienthello_tlsext(SSL *s)
3037 {
3038
3039#ifdef TLSEXT_TYPE_opaque_prf_input
3040 {
3041 int r = 1;
3042
3043 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3044 {
3045 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3046 if (!r)
3047 return -1;
3048 }
3049
3050 if (s->tlsext_opaque_prf_input != NULL)
3051 {
3052 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
3053 OPENSSL_free(s->s3->client_opaque_prf_input);
3054
3055 if (s->tlsext_opaque_prf_input_len == 0)
3056 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3057 else
3058 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3059 if (s->s3->client_opaque_prf_input == NULL)
3060 {
3061 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_MALLOC_FAILURE);
3062 return -1;
3063 }
3064 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3065 }
3066
3067 if (r == 2)
3068 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
3069 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3070 }
3071#endif
3072
3073 return 1;
3074 }
3075
3076int ssl_prepare_serverhello_tlsext(SSL *s)
3077 {
3078 return 1;
3079 }
3080
3081static int ssl_check_clienthello_tlsext_early(SSL *s)
3082 {
3083 int ret=SSL_TLSEXT_ERR_NOACK;
3084 int al = SSL_AD_UNRECOGNIZED_NAME;
3085
3086#ifndef OPENSSL_NO_EC
3087 /* The handling of the ECPointFormats extension is done elsewhere, namely in
3088 * ssl3_choose_cipher in s3_lib.c.
3089 */
3090 /* The handling of the EllipticCurves extension is done elsewhere, namely in
3091 * ssl3_choose_cipher in s3_lib.c.
3092 */
3093#endif
3094
3095 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3096 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3097 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3098 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3099
3100#ifdef TLSEXT_TYPE_opaque_prf_input
3101 {
3102 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3103 * but we might be sending an alert in response to the client hello,
3104 * so this has to happen here in
3105 * ssl_check_clienthello_tlsext_early(). */
3106
3107 int r = 1;
3108
3109 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3110 {
3111 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3112 if (!r)
3113 {
3114 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3115 al = SSL_AD_INTERNAL_ERROR;
3116 goto err;
3117 }
3118 }
3119
3120 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3121 OPENSSL_free(s->s3->server_opaque_prf_input);
3122 s->s3->server_opaque_prf_input = NULL;
3123
3124 if (s->tlsext_opaque_prf_input != NULL)
3125 {
3126 if (s->s3->client_opaque_prf_input != NULL &&
3127 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3128 {
3129 /* can only use this extension if we have a server opaque PRF input
3130 * of the same length as the client opaque PRF input! */
3131
3132 if (s->tlsext_opaque_prf_input_len == 0)
3133 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3134 else
3135 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3136 if (s->s3->server_opaque_prf_input == NULL)
3137 {
3138 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3139 al = SSL_AD_INTERNAL_ERROR;
3140 goto err;
3141 }
3142 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3143 }
3144 }
3145
3146 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3147 {
3148 /* The callback wants to enforce use of the extension,
3149 * but we can't do that with the client opaque PRF input;
3150 * abort the handshake.
3151 */
3152 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3153 al = SSL_AD_HANDSHAKE_FAILURE;
3154 }
3155 }
3156
3157 err:
3158#endif
3159 switch (ret)
3160 {
3161 case SSL_TLSEXT_ERR_ALERT_FATAL:
3162 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3163 return -1;
3164
3165 case SSL_TLSEXT_ERR_ALERT_WARNING:
3166 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3167 return 1;
3168
3169 case SSL_TLSEXT_ERR_NOACK:
3170 s->servername_done=0;
3171 default:
3172 return 1;
3173 }
3174 }
3175
3176int ssl_check_clienthello_tlsext_late(SSL *s)
3177 {
3178 int ret = SSL_TLSEXT_ERR_OK;
3179 int al;
3180
3181 /* If status request then ask callback what to do.
3182 * Note: this must be called after servername callbacks in case
3183 * the certificate has changed, and must be called after the cipher
3184 * has been chosen because this may influence which certificate is sent
3185 */
3186 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3187 {
3188 int r;
3189 CERT_PKEY *certpkey;
3190 certpkey = ssl_get_server_send_pkey(s);
3191 /* If no certificate can't return certificate status */
3192 if (certpkey == NULL)
3193 {
3194 s->tlsext_status_expected = 0;
3195 return 1;
3196 }
3197 /* Set current certificate to one we will use so
3198 * SSL_get_certificate et al can pick it up.
3199 */
3200 s->cert->key = certpkey;
3201 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3202 switch (r)
3203 {
3204 /* We don't want to send a status request response */
3205 case SSL_TLSEXT_ERR_NOACK:
3206 s->tlsext_status_expected = 0;
3207 break;
3208 /* status request response should be sent */
3209 case SSL_TLSEXT_ERR_OK:
3210 if (s->tlsext_ocsp_resp)
3211 s->tlsext_status_expected = 1;
3212 else
3213 s->tlsext_status_expected = 0;
3214 break;
3215 /* something bad happened */
3216 case SSL_TLSEXT_ERR_ALERT_FATAL:
3217 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3218 al = SSL_AD_INTERNAL_ERROR;
3219 goto err;
3220 }
3221 }
3222 else
3223 s->tlsext_status_expected = 0;
3224
3225 err:
3226 switch (ret)
3227 {
3228 case SSL_TLSEXT_ERR_ALERT_FATAL:
3229 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3230 return -1;
3231
3232 case SSL_TLSEXT_ERR_ALERT_WARNING:
3233 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3234 return 1;
3235
3236 default:
3237 return 1;
3238 }
3239 }
3240
3241int ssl_check_serverhello_tlsext(SSL *s)
3242 {
3243 int ret=SSL_TLSEXT_ERR_NOACK;
3244 int al = SSL_AD_UNRECOGNIZED_NAME;
3245
3246#ifndef OPENSSL_NO_EC
3247 /* If we are client and using an elliptic curve cryptography cipher
3248 * suite, then if server returns an EC point formats lists extension
3249 * it must contain uncompressed.
3250 */
3251 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3252 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3253 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3254 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3255 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3256 {
3257 /* we are using an ECC cipher */
3258 size_t i;
3259 unsigned char *list;
3260 int found_uncompressed = 0;
3261 list = s->session->tlsext_ecpointformatlist;
3262 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3263 {
3264 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3265 {
3266 found_uncompressed = 1;
3267 break;
3268 }
3269 }
3270 if (!found_uncompressed)
3271 {
3272 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3273 return -1;
3274 }
3275 }
3276 ret = SSL_TLSEXT_ERR_OK;
3277#endif /* OPENSSL_NO_EC */
3278
3279 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3280 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3281 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3282 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3283
3284#ifdef TLSEXT_TYPE_opaque_prf_input
3285 if (s->s3->server_opaque_prf_input_len > 0)
3286 {
3287 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3288 * So first verify that we really have a value from the server too. */
3289
3290 if (s->s3->server_opaque_prf_input == NULL)
3291 {
3292 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3293 al = SSL_AD_HANDSHAKE_FAILURE;
3294 }
3295
3296 /* Anytime the server *has* sent an opaque PRF input, we need to check
3297 * that we have a client opaque PRF input of the same size. */
3298 if (s->s3->client_opaque_prf_input == NULL ||
3299 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3300 {
3301 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3302 al = SSL_AD_ILLEGAL_PARAMETER;
3303 }
3304 }
3305#endif
3306
3307 /* If we've requested certificate status and we wont get one
3308 * tell the callback
3309 */
3310 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3311 && s->ctx && s->ctx->tlsext_status_cb)
3312 {
3313 int r;
3314 /* Set resp to NULL, resplen to -1 so callback knows
3315 * there is no response.
3316 */
3317 if (s->tlsext_ocsp_resp)
3318 {
3319 OPENSSL_free(s->tlsext_ocsp_resp);
3320 s->tlsext_ocsp_resp = NULL;
3321 }
3322 s->tlsext_ocsp_resplen = -1;
3323 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3324 if (r == 0)
3325 {
3326 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3327 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3328 }
3329 if (r < 0)
3330 {
3331 al = SSL_AD_INTERNAL_ERROR;
3332 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3333 }
3334 }
3335
3336 switch (ret)
3337 {
3338 case SSL_TLSEXT_ERR_ALERT_FATAL:
3339 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3340 return -1;
3341
3342 case SSL_TLSEXT_ERR_ALERT_WARNING:
3343 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3344 return 1;
3345
3346 case SSL_TLSEXT_ERR_NOACK:
3347 s->servername_done=0;
3348 default:
3349 return 1;
3350 }
3351 }
3352
3353int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3354 {
3355 int al = -1;
3356 if (s->version < SSL3_VERSION)
3357 return 1;
3358 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3359 {
3360 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3361 return 0;
3362 }
3363
3364 if (ssl_check_serverhello_tlsext(s) <= 0)
3365 {
3366 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
3367 return 0;
3368 }
3369 return 1;
3370}
3371
3372/* Since the server cache lookup is done early on in the processing of the
3373 * ClientHello, and other operations depend on the result, we need to handle
3374 * any TLS session ticket extension at the same time.
3375 *
3376 * session_id: points at the session ID in the ClientHello. This code will
3377 * read past the end of this in order to parse out the session ticket
3378 * extension, if any.
3379 * len: the length of the session ID.
3380 * limit: a pointer to the first byte after the ClientHello.
3381 * ret: (output) on return, if a ticket was decrypted, then this is set to
3382 * point to the resulting session.
3383 *
3384 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3385 * ciphersuite, in which case we have no use for session tickets and one will
3386 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3387 *
3388 * Returns:
3389 * -1: fatal error, either from parsing or decrypting the ticket.
3390 * 0: no ticket was found (or was ignored, based on settings).
3391 * 1: a zero length extension was found, indicating that the client supports
3392 * session tickets but doesn't currently have one to offer.
3393 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3394 * couldn't be decrypted because of a non-fatal error.
3395 * 3: a ticket was successfully decrypted and *ret was set.
3396 *
3397 * Side effects:
3398 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3399 * a new session ticket to the client because the client indicated support
3400 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3401 * a session ticket or we couldn't use the one it gave us, or if
3402 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3403 * Otherwise, s->tlsext_ticket_expected is set to 0.
3404 */
3405int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3406 const unsigned char *limit, SSL_SESSION **ret)
3407 {
3408 /* Point after session ID in client hello */
3409 const unsigned char *p = session_id + len;
3410 unsigned short i;
3411
3412 *ret = NULL;
3413 s->tlsext_ticket_expected = 0;
3414
3415 /* If tickets disabled behave as if no ticket present
3416 * to permit stateful resumption.
3417 */
3418 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3419 return 0;
3420 if ((s->version <= SSL3_VERSION) || !limit)
3421 return 0;
3422 if (p >= limit)
3423 return -1;
3424 /* Skip past DTLS cookie */
3425 if (SSL_IS_DTLS(s))
3426 {
3427 i = *(p++);
3428 p+= i;
3429 if (p >= limit)
3430 return -1;
3431 }
3432 /* Skip past cipher list */
3433 n2s(p, i);
3434 p+= i;
3435 if (p >= limit)
3436 return -1;
3437 /* Skip past compression algorithm list */
3438 i = *(p++);
3439 p += i;
3440 if (p > limit)
3441 return -1;
3442 /* Now at start of extensions */
3443 if ((p + 2) >= limit)
3444 return 0;
3445 n2s(p, i);
3446 while ((p + 4) <= limit)
3447 {
3448 unsigned short type, size;
3449 n2s(p, type);
3450 n2s(p, size);
3451 if (p + size > limit)
3452 return 0;
3453 if (type == TLSEXT_TYPE_session_ticket)
3454 {
3455 int r;
3456 if (size == 0)
3457 {
3458 /* The client will accept a ticket but doesn't
3459 * currently have one. */
3460 s->tlsext_ticket_expected = 1;
3461 return 1;
3462 }
3463 if (s->tls_session_secret_cb)
3464 {
3465 /* Indicate that the ticket couldn't be
3466 * decrypted rather than generating the session
3467 * from ticket now, trigger abbreviated
3468 * handshake based on external mechanism to
3469 * calculate the master secret later. */
3470 return 2;
3471 }
3472 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3473 switch (r)
3474 {
3475 case 2: /* ticket couldn't be decrypted */
3476 s->tlsext_ticket_expected = 1;
3477 return 2;
3478 case 3: /* ticket was decrypted */
3479 return r;
3480 case 4: /* ticket decrypted but need to renew */
3481 s->tlsext_ticket_expected = 1;
3482 return 3;
3483 default: /* fatal error */
3484 return -1;
3485 }
3486 }
3487 p += size;
3488 }
3489 return 0;
3490 }
3491
3492/* tls_decrypt_ticket attempts to decrypt a session ticket.
3493 *
3494 * etick: points to the body of the session ticket extension.
3495 * eticklen: the length of the session tickets extenion.
3496 * sess_id: points at the session ID.
3497 * sesslen: the length of the session ID.
3498 * psess: (output) on return, if a ticket was decrypted, then this is set to
3499 * point to the resulting session.
3500 *
3501 * Returns:
3502 * -1: fatal error, either from parsing or decrypting the ticket.
3503 * 2: the ticket couldn't be decrypted.
3504 * 3: a ticket was successfully decrypted and *psess was set.
3505 * 4: same as 3, but the ticket needs to be renewed.
3506 */
3507static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3508 const unsigned char *sess_id, int sesslen,
3509 SSL_SESSION **psess)
3510 {
3511 SSL_SESSION *sess;
3512 unsigned char *sdec;
3513 const unsigned char *p;
3514 int slen, mlen, renew_ticket = 0;
3515 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3516 HMAC_CTX hctx;
3517 EVP_CIPHER_CTX ctx;
3518 SSL_CTX *tctx = s->initial_ctx;
3519 /* Need at least keyname + iv + some encrypted data */
3520 if (eticklen < 48)
3521 return 2;
3522 /* Initialize session ticket encryption and HMAC contexts */
3523 HMAC_CTX_init(&hctx);
3524 EVP_CIPHER_CTX_init(&ctx);
3525 if (tctx->tlsext_ticket_key_cb)
3526 {
3527 unsigned char *nctick = (unsigned char *)etick;
3528 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3529 &ctx, &hctx, 0);
3530 if (rv < 0)
3531 return -1;
3532 if (rv == 0)
3533 return 2;
3534 if (rv == 2)
3535 renew_ticket = 1;
3536 }
3537 else
3538 {
3539 /* Check key name matches */
3540 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3541 return 2;
3542 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3543 tlsext_tick_md(), NULL);
3544 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3545 tctx->tlsext_tick_aes_key, etick + 16);
3546 }
3547 /* Attempt to process session ticket, first conduct sanity and
3548 * integrity checks on ticket.
3549 */
3550 mlen = HMAC_size(&hctx);
3551 if (mlen < 0)
3552 {
3553 EVP_CIPHER_CTX_cleanup(&ctx);
3554 return -1;
3555 }
3556 eticklen -= mlen;
3557 /* Check HMAC of encrypted ticket */
3558 HMAC_Update(&hctx, etick, eticklen);
3559 HMAC_Final(&hctx, tick_hmac, NULL);
3560 HMAC_CTX_cleanup(&hctx);
3561 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3562 return 2;
3563 /* Attempt to decrypt session data */
3564 /* Move p after IV to start of encrypted ticket, update length */
3565 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3566 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3567 sdec = OPENSSL_malloc(eticklen);
3568 if (!sdec)
3569 {
3570 EVP_CIPHER_CTX_cleanup(&ctx);
3571 return -1;
3572 }
3573 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3574 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
3575 return 2;
3576 slen += mlen;
3577 EVP_CIPHER_CTX_cleanup(&ctx);
3578 p = sdec;
3579
3580 sess = d2i_SSL_SESSION(NULL, &p, slen);
3581 OPENSSL_free(sdec);
3582 if (sess)
3583 {
3584 /* The session ID, if non-empty, is used by some clients to
3585 * detect that the ticket has been accepted. So we copy it to
3586 * the session structure. If it is empty set length to zero
3587 * as required by standard.
3588 */
3589 if (sesslen)
3590 memcpy(sess->session_id, sess_id, sesslen);
3591 sess->session_id_length = sesslen;
3592 *psess = sess;
3593 if (renew_ticket)
3594 return 4;
3595 else
3596 return 3;
3597 }
3598 ERR_clear_error();
3599 /* For session parse failure, indicate that we need to send a new
3600 * ticket. */
3601 return 2;
3602 }
3603
3604/* Tables to translate from NIDs to TLS v1.2 ids */
3605
3606typedef struct
3607 {
3608 int nid;
3609 int id;
3610 } tls12_lookup;
3611
3612static tls12_lookup tls12_md[] = {
3613 {NID_md5, TLSEXT_hash_md5},
3614 {NID_sha1, TLSEXT_hash_sha1},
3615 {NID_sha224, TLSEXT_hash_sha224},
3616 {NID_sha256, TLSEXT_hash_sha256},
3617 {NID_sha384, TLSEXT_hash_sha384},
3618 {NID_sha512, TLSEXT_hash_sha512}
3619};
3620
3621static tls12_lookup tls12_sig[] = {
3622 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3623 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3624 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3625};
3626
3627static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3628 {
3629 size_t i;
3630 for (i = 0; i < tlen; i++)
3631 {
3632 if (table[i].nid == nid)
3633 return table[i].id;
3634 }
3635 return -1;
3636 }
3637
3638static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3639 {
3640 size_t i;
3641 for (i = 0; i < tlen; i++)
3642 {
3643 if ((table[i].id) == id)
3644 return table[i].nid;
3645 }
3646 return NID_undef;
3647 }
3648
3649int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3650 {
3651 int sig_id, md_id;
3652 if (!md)
3653 return 0;
3654 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3655 sizeof(tls12_md)/sizeof(tls12_lookup));
3656 if (md_id == -1)
3657 return 0;
3658 sig_id = tls12_get_sigid(pk);
3659 if (sig_id == -1)
3660 return 0;
3661 p[0] = (unsigned char)md_id;
3662 p[1] = (unsigned char)sig_id;
3663 return 1;
3664 }
3665
3666int tls12_get_sigid(const EVP_PKEY *pk)
3667 {
3668 return tls12_find_id(pk->type, tls12_sig,
3669 sizeof(tls12_sig)/sizeof(tls12_lookup));
3670 }
3671
3672const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3673 {
3674 switch(hash_alg)
3675 {
3676#ifndef OPENSSL_NO_MD5
3677 case TLSEXT_hash_md5:
3678#ifdef OPENSSL_FIPS
3679 if (FIPS_mode())
3680 return NULL;
3681#endif
3682 return EVP_md5();
3683#endif
3684#ifndef OPENSSL_NO_SHA
3685 case TLSEXT_hash_sha1:
3686 return EVP_sha1();
3687#endif
3688#ifndef OPENSSL_NO_SHA256
3689 case TLSEXT_hash_sha224:
3690 return EVP_sha224();
3691
3692 case TLSEXT_hash_sha256:
3693 return EVP_sha256();
3694#endif
3695#ifndef OPENSSL_NO_SHA512
3696 case TLSEXT_hash_sha384:
3697 return EVP_sha384();
3698
3699 case TLSEXT_hash_sha512:
3700 return EVP_sha512();
3701#endif
3702 default:
3703 return NULL;
3704
3705 }
3706 }
3707
3708static int tls12_get_pkey_idx(unsigned char sig_alg)
3709 {
3710 switch(sig_alg)
3711 {
3712#ifndef OPENSSL_NO_RSA
3713 case TLSEXT_signature_rsa:
3714 return SSL_PKEY_RSA_SIGN;
3715#endif
3716#ifndef OPENSSL_NO_DSA
3717 case TLSEXT_signature_dsa:
3718 return SSL_PKEY_DSA_SIGN;
3719#endif
3720#ifndef OPENSSL_NO_ECDSA
3721 case TLSEXT_signature_ecdsa:
3722 return SSL_PKEY_ECC;
3723#endif
3724 }
3725 return -1;
3726 }
3727
3728/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3729static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3730 int *psignhash_nid, const unsigned char *data)
3731 {
3732 int sign_nid = 0, hash_nid = 0;
3733 if (!phash_nid && !psign_nid && !psignhash_nid)
3734 return;
3735 if (phash_nid || psignhash_nid)
3736 {
3737 hash_nid = tls12_find_nid(data[0], tls12_md,
3738 sizeof(tls12_md)/sizeof(tls12_lookup));
3739 if (phash_nid)
3740 *phash_nid = hash_nid;
3741 }
3742 if (psign_nid || psignhash_nid)
3743 {
3744 sign_nid = tls12_find_nid(data[1], tls12_sig,
3745 sizeof(tls12_sig)/sizeof(tls12_lookup));
3746 if (psign_nid)
3747 *psign_nid = sign_nid;
3748 }
3749 if (psignhash_nid)
3750 {
3751 if (sign_nid && hash_nid)
3752 OBJ_find_sigid_by_algs(psignhash_nid,
3753 hash_nid, sign_nid);
3754 else
3755 *psignhash_nid = NID_undef;
3756 }
3757 }
3758/* Given preference and allowed sigalgs set shared sigalgs */
3759static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3760 const unsigned char *pref, size_t preflen,
3761 const unsigned char *allow, size_t allowlen)
3762 {
3763 const unsigned char *ptmp, *atmp;
3764 size_t i, j, nmatch = 0;
3765 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3766 {
3767 /* Skip disabled hashes or signature algorithms */
3768 if (tls12_get_hash(ptmp[0]) == NULL)
3769 continue;
3770 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3771 continue;
3772 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3773 {
3774 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3775 {
3776 nmatch++;
3777 if (shsig)
3778 {
3779 shsig->rhash = ptmp[0];
3780 shsig->rsign = ptmp[1];
3781 tls1_lookup_sigalg(&shsig->hash_nid,
3782 &shsig->sign_nid,
3783 &shsig->signandhash_nid,
3784 ptmp);
3785 shsig++;
3786 }
3787 break;
3788 }
3789 }
3790 }
3791 return nmatch;
3792 }
3793
3794/* Set shared signature algorithms for SSL structures */
3795static int tls1_set_shared_sigalgs(SSL *s)
3796 {
3797 const unsigned char *pref, *allow, *conf;
3798 size_t preflen, allowlen, conflen;
3799 size_t nmatch;
3800 TLS_SIGALGS *salgs = NULL;
3801 CERT *c = s->cert;
3802 unsigned int is_suiteb = tls1_suiteb(s);
3803 /* If client use client signature algorithms if not NULL */
3804 if (!s->server && c->client_sigalgs && !is_suiteb)
3805 {
3806 conf = c->client_sigalgs;
3807 conflen = c->client_sigalgslen;
3808 }
3809 else if (c->conf_sigalgs && !is_suiteb)
3810 {
3811 conf = c->conf_sigalgs;
3812 conflen = c->conf_sigalgslen;
3813 }
3814 else
3815 conflen = tls12_get_psigalgs(s, &conf);
3816 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3817 {
3818 pref = conf;
3819 preflen = conflen;
3820 allow = c->peer_sigalgs;
3821 allowlen = c->peer_sigalgslen;
3822 }
3823 else
3824 {
3825 allow = conf;
3826 allowlen = conflen;
3827 pref = c->peer_sigalgs;
3828 preflen = c->peer_sigalgslen;
3829 }
3830 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3831 if (!nmatch)
3832 return 1;
3833 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3834 if (!salgs)
3835 return 0;
3836 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3837 c->shared_sigalgs = salgs;
3838 c->shared_sigalgslen = nmatch;
3839 return 1;
3840 }
3841
3842
3843/* Set preferred digest for each key type */
3844
3845int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3846 {
3847 int idx;
3848 size_t i;
3849 const EVP_MD *md;
3850 CERT *c = s->cert;
3851 TLS_SIGALGS *sigptr;
3852 /* Extension ignored for inappropriate versions */
3853 if (!SSL_USE_SIGALGS(s))
3854 return 1;
3855 /* Should never happen */
3856 if (!c)
3857 return 0;
3858
3859 c->peer_sigalgs = OPENSSL_malloc(dsize);
3860 if (!c->peer_sigalgs)
3861 return 0;
3862 c->peer_sigalgslen = dsize;
3863 memcpy(c->peer_sigalgs, data, dsize);
3864
3865 tls1_set_shared_sigalgs(s);
3866
3867#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3868 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3869 {
3870 /* Use first set signature preference to force message
3871 * digest, ignoring any peer preferences.
3872 */
3873 const unsigned char *sigs = NULL;
3874 if (s->server)
3875 sigs = c->conf_sigalgs;
3876 else
3877 sigs = c->client_sigalgs;
3878 if (sigs)
3879 {
3880 idx = tls12_get_pkey_idx(sigs[1]);
3881 md = tls12_get_hash(sigs[0]);
3882 c->pkeys[idx].digest = md;
3883 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3884 if (idx == SSL_PKEY_RSA_SIGN)
3885 {
3886 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3887 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3888 }
3889 }
3890 }
3891#endif
3892
3893 for (i = 0, sigptr = c->shared_sigalgs;
3894 i < c->shared_sigalgslen; i++, sigptr++)
3895 {
3896 idx = tls12_get_pkey_idx(sigptr->rsign);
3897 if (idx > 0 && c->pkeys[idx].digest == NULL)
3898 {
3899 md = tls12_get_hash(sigptr->rhash);
3900 c->pkeys[idx].digest = md;
3901 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3902 if (idx == SSL_PKEY_RSA_SIGN)
3903 {
3904 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3905 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3906 }
3907 }
3908
3909 }
3910 /* In strict mode leave unset digests as NULL to indicate we can't
3911 * use the certificate for signing.
3912 */
3913 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3914 {
3915 /* Set any remaining keys to default values. NOTE: if alg is
3916 * not supported it stays as NULL.
3917 */
3918#ifndef OPENSSL_NO_DSA
3919 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3920 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3921#endif
3922#ifndef OPENSSL_NO_RSA
3923 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3924 {
3925 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3926 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3927 }
3928#endif
3929#ifndef OPENSSL_NO_ECDSA
3930 if (!c->pkeys[SSL_PKEY_ECC].digest)
3931 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3932#endif
3933 }
3934 return 1;
3935 }
3936
3937
3938int SSL_get_sigalgs(SSL *s, int idx,
3939 int *psign, int *phash, int *psignhash,
3940 unsigned char *rsig, unsigned char *rhash)
3941 {
3942 const unsigned char *psig = s->cert->peer_sigalgs;
3943 if (psig == NULL)
3944 return 0;
3945 if (idx >= 0)
3946 {
3947 idx <<= 1;
3948 if (idx >= (int)s->cert->peer_sigalgslen)
3949 return 0;
3950 psig += idx;
3951 if (rhash)
3952 *rhash = psig[0];
3953 if (rsig)
3954 *rsig = psig[1];
3955 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3956 }
3957 return s->cert->peer_sigalgslen / 2;
3958 }
3959
3960int SSL_get_shared_sigalgs(SSL *s, int idx,
3961 int *psign, int *phash, int *psignhash,
3962 unsigned char *rsig, unsigned char *rhash)
3963 {
3964 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3965 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3966 return 0;
3967 shsigalgs += idx;
3968 if (phash)
3969 *phash = shsigalgs->hash_nid;
3970 if (psign)
3971 *psign = shsigalgs->sign_nid;
3972 if (psignhash)
3973 *psignhash = shsigalgs->signandhash_nid;
3974 if (rsig)
3975 *rsig = shsigalgs->rsign;
3976 if (rhash)
3977 *rhash = shsigalgs->rhash;
3978 return s->cert->shared_sigalgslen;
3979 }
3980
3981
3982#ifndef OPENSSL_NO_HEARTBEATS
3983int
3984tls1_process_heartbeat(SSL *s)
3985 {
3986 unsigned char *p = &s->s3->rrec.data[0], *pl;
3987 unsigned short hbtype;
3988 unsigned int payload;
3989 unsigned int padding = 16; /* Use minimum padding */
3990
3991 /* Read type and payload length first */
3992 hbtype = *p++;
3993 n2s(p, payload);
3994 pl = p;
3995
3996 if (s->msg_callback)
3997 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3998 &s->s3->rrec.data[0], s->s3->rrec.length,
3999 s, s->msg_callback_arg);
4000
4001 if (hbtype == TLS1_HB_REQUEST)
4002 {
4003 unsigned char *buffer, *bp;
4004 int r;
4005
4006 /* Allocate memory for the response, size is 1 bytes
4007 * message type, plus 2 bytes payload length, plus
4008 * payload, plus padding
4009 */
4010 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
4011 bp = buffer;
4012
4013 /* Enter response type, length and copy payload */
4014 *bp++ = TLS1_HB_RESPONSE;
4015 s2n(payload, bp);
4016 memcpy(bp, pl, payload);
4017 bp += payload;
4018 /* Random padding */
4019 RAND_pseudo_bytes(bp, padding);
4020
4021 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
4022
4023 if (r >= 0 && s->msg_callback)
4024 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4025 buffer, 3 + payload + padding,
4026 s, s->msg_callback_arg);
4027
4028 OPENSSL_free(buffer);
4029
4030 if (r < 0)
4031 return r;
4032 }
4033 else if (hbtype == TLS1_HB_RESPONSE)
4034 {
4035 unsigned int seq;
4036
4037 /* We only send sequence numbers (2 bytes unsigned int),
4038 * and 16 random bytes, so we just try to read the
4039 * sequence number */
4040 n2s(pl, seq);
4041
4042 if (payload == 18 && seq == s->tlsext_hb_seq)
4043 {
4044 s->tlsext_hb_seq++;
4045 s->tlsext_hb_pending = 0;
4046 }
4047 }
4048
4049 return 0;
4050 }
4051
4052int
4053tls1_heartbeat(SSL *s)
4054 {
4055 unsigned char *buf, *p;
4056 int ret;
4057 unsigned int payload = 18; /* Sequence number + random bytes */
4058 unsigned int padding = 16; /* Use minimum padding */
4059
4060 /* Only send if peer supports and accepts HB requests... */
4061 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4062 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4063 {
4064 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4065 return -1;
4066 }
4067
4068 /* ...and there is none in flight yet... */
4069 if (s->tlsext_hb_pending)
4070 {
4071 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PENDING);
4072 return -1;
4073 }
4074
4075 /* ...and no handshake in progress. */
4076 if (SSL_in_init(s) || s->in_handshake)
4077 {
4078 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNEXPECTED_MESSAGE);
4079 return -1;
4080 }
4081
4082 /* Check if padding is too long, payload and padding
4083 * must not exceed 2^14 - 3 = 16381 bytes in total.
4084 */
4085 assert(payload + padding <= 16381);
4086
4087 /* Create HeartBeat message, we just use a sequence number
4088 * as payload to distuingish different messages and add
4089 * some random stuff.
4090 * - Message Type, 1 byte
4091 * - Payload Length, 2 bytes (unsigned int)
4092 * - Payload, the sequence number (2 bytes uint)
4093 * - Payload, random bytes (16 bytes uint)
4094 * - Padding
4095 */
4096 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4097 p = buf;
4098 /* Message Type */
4099 *p++ = TLS1_HB_REQUEST;
4100 /* Payload length (18 bytes here) */
4101 s2n(payload, p);
4102 /* Sequence number */
4103 s2n(s->tlsext_hb_seq, p);
4104 /* 16 random bytes */
4105 RAND_pseudo_bytes(p, 16);
4106 p += 16;
4107 /* Random padding */
4108 RAND_pseudo_bytes(p, padding);
4109
4110 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4111 if (ret >= 0)
4112 {
4113 if (s->msg_callback)
4114 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4115 buf, 3 + payload + padding,
4116 s, s->msg_callback_arg);
4117
4118 s->tlsext_hb_pending = 1;
4119 }
4120
4121 OPENSSL_free(buf);
4122
4123 return ret;
4124 }
4125#endif
4126
4127/* TODO(fork): remove */
4128#if 0
4129#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4130
4131typedef struct
4132 {
4133 size_t sigalgcnt;
4134 int sigalgs[MAX_SIGALGLEN];
4135 } sig_cb_st;
4136
4137static int sig_cb(const char *elem, int len, void *arg)
4138 {
4139 sig_cb_st *sarg = arg;
4140 size_t i;
4141 char etmp[20], *p;
4142 int sig_alg, hash_alg;
4143 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4144 return 0;
4145 if (len > (int)(sizeof(etmp) - 1))
4146 return 0;
4147 memcpy(etmp, elem, len);
4148 etmp[len] = 0;
4149 p = strchr(etmp, '+');
4150 if (!p)
4151 return 0;
4152 *p = 0;
4153 p++;
4154 if (!*p)
4155 return 0;
4156
4157 if (!strcmp(etmp, "RSA"))
4158 sig_alg = EVP_PKEY_RSA;
4159 else if (!strcmp(etmp, "DSA"))
4160 sig_alg = EVP_PKEY_DSA;
4161 else if (!strcmp(etmp, "ECDSA"))
4162 sig_alg = EVP_PKEY_EC;
4163 else return 0;
4164
4165 hash_alg = OBJ_sn2nid(p);
4166 if (hash_alg == NID_undef)
4167 hash_alg = OBJ_ln2nid(p);
4168 if (hash_alg == NID_undef)
4169 return 0;
4170
4171 for (i = 0; i < sarg->sigalgcnt; i+=2)
4172 {
4173 if (sarg->sigalgs[i] == sig_alg
4174 && sarg->sigalgs[i + 1] == hash_alg)
4175 return 0;
4176 }
4177 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4178 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4179 return 1;
4180 }
4181
4182/* Set suppored signature algorithms based on a colon separated list
4183 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4184int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4185 {
4186 sig_cb_st sig;
4187 sig.sigalgcnt = 0;
4188 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4189 return 0;
4190 if (c == NULL)
4191 return 1;
4192 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4193 }
4194#endif
4195
4196int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4197 {
4198 unsigned char *sigalgs, *sptr;
4199 int rhash, rsign;
4200 size_t i;
4201 if (salglen & 1)
4202 return 0;
4203 sigalgs = OPENSSL_malloc(salglen);
4204 if (sigalgs == NULL)
4205 return 0;
4206 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4207 {
4208 rhash = tls12_find_id(*psig_nids++, tls12_md,
4209 sizeof(tls12_md)/sizeof(tls12_lookup));
4210 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4211 sizeof(tls12_sig)/sizeof(tls12_lookup));
4212
4213 if (rhash == -1 || rsign == -1)
4214 goto err;
4215 *sptr++ = rhash;
4216 *sptr++ = rsign;
4217 }
4218
4219 if (client)
4220 {
4221 if (c->client_sigalgs)
4222 OPENSSL_free(c->client_sigalgs);
4223 c->client_sigalgs = sigalgs;
4224 c->client_sigalgslen = salglen;
4225 }
4226 else
4227 {
4228 if (c->conf_sigalgs)
4229 OPENSSL_free(c->conf_sigalgs);
4230 c->conf_sigalgs = sigalgs;
4231 c->conf_sigalgslen = salglen;
4232 }
4233
4234 return 1;
4235
4236 err:
4237 OPENSSL_free(sigalgs);
4238 return 0;
4239 }
4240
4241static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4242 {
4243 int sig_nid;
4244 size_t i;
4245 if (default_nid == -1)
4246 return 1;
4247 sig_nid = X509_get_signature_nid(x);
4248 if (default_nid)
4249 return sig_nid == default_nid ? 1 : 0;
4250 for (i = 0; i < c->shared_sigalgslen; i++)
4251 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4252 return 1;
4253 return 0;
4254 }
4255/* Check to see if a certificate issuer name matches list of CA names */
4256static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4257 {
4258 X509_NAME *nm;
4259 int i;
4260 nm = X509_get_issuer_name(x);
4261 for (i = 0; i < sk_X509_NAME_num(names); i++)
4262 {
4263 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4264 return 1;
4265 }
4266 return 0;
4267 }
4268
4269/* Check certificate chain is consistent with TLS extensions and is
4270 * usable by server. This servers two purposes: it allows users to
4271 * check chains before passing them to the server and it allows the
4272 * server to check chains before attempting to use them.
4273 */
4274
4275/* Flags which need to be set for a certificate when stict mode not set */
4276
4277#define CERT_PKEY_VALID_FLAGS \
4278 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4279/* Strict mode flags */
4280#define CERT_PKEY_STRICT_FLAGS \
4281 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4282 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4283
4284int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4285 int idx)
4286 {
4287 int i;
4288 int rv = 0;
4289 int check_flags = 0, strict_mode;
4290 CERT_PKEY *cpk = NULL;
4291 CERT *c = s->cert;
4292 unsigned int suiteb_flags = tls1_suiteb(s);
4293 /* idx == -1 means checking server chains */
4294 if (idx != -1)
4295 {
4296 /* idx == -2 means checking client certificate chains */
4297 if (idx == -2)
4298 {
4299 cpk = c->key;
4300 idx = cpk - c->pkeys;
4301 }
4302 else
4303 cpk = c->pkeys + idx;
4304 x = cpk->x509;
4305 pk = cpk->privatekey;
4306 chain = cpk->chain;
4307 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4308 /* If no cert or key, forget it */
4309 if (!x || !pk)
4310 goto end;
4311#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4312 /* Allow any certificate to pass test */
4313 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4314 {
4315 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4316 cpk->valid_flags = rv;
4317 return rv;
4318 }
4319#endif
4320 }
4321 else
4322 {
4323 if (!x || !pk)
4324 goto end;
4325 idx = ssl_cert_type(x, pk);
4326 if (idx == -1)
4327 goto end;
4328 cpk = c->pkeys + idx;
4329 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4330 check_flags = CERT_PKEY_STRICT_FLAGS;
4331 else
4332 check_flags = CERT_PKEY_VALID_FLAGS;
4333 strict_mode = 1;
4334 }
4335
4336 if (suiteb_flags)
4337 {
4338 int ok;
4339 if (check_flags)
4340 check_flags |= CERT_PKEY_SUITEB;
4341 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4342 if (ok != X509_V_OK)
4343 {
4344 if (check_flags)
4345 rv |= CERT_PKEY_SUITEB;
4346 else
4347 goto end;
4348 }
4349 }
4350
4351 /* Check all signature algorithms are consistent with
4352 * signature algorithms extension if TLS 1.2 or later
4353 * and strict mode.
4354 */
4355 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4356 {
4357 int default_nid;
4358 unsigned char rsign = 0;
4359 if (c->peer_sigalgs)
4360 default_nid = 0;
4361 /* If no sigalgs extension use defaults from RFC5246 */
4362 else
4363 {
4364 switch(idx)
4365 {
4366 case SSL_PKEY_RSA_ENC:
4367 case SSL_PKEY_RSA_SIGN:
4368 case SSL_PKEY_DH_RSA:
4369 rsign = TLSEXT_signature_rsa;
4370 default_nid = NID_sha1WithRSAEncryption;
4371 break;
4372
4373 case SSL_PKEY_DSA_SIGN:
4374 case SSL_PKEY_DH_DSA:
4375 rsign = TLSEXT_signature_dsa;
4376 default_nid = NID_dsaWithSHA1;
4377 break;
4378
4379 case SSL_PKEY_ECC:
4380 rsign = TLSEXT_signature_ecdsa;
4381 default_nid = NID_ecdsa_with_SHA1;
4382 break;
4383
4384 default:
4385 default_nid = -1;
4386 break;
4387 }
4388 }
4389 /* If peer sent no signature algorithms extension and we
4390 * have set preferred signature algorithms check we support
4391 * sha1.
4392 */
4393 if (default_nid > 0 && c->conf_sigalgs)
4394 {
4395 size_t j;
4396 const unsigned char *p = c->conf_sigalgs;
4397 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4398 {
4399 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4400 break;
4401 }
4402 if (j == c->conf_sigalgslen)
4403 {
4404 if (check_flags)
4405 goto skip_sigs;
4406 else
4407 goto end;
4408 }
4409 }
4410 /* Check signature algorithm of each cert in chain */
4411 if (!tls1_check_sig_alg(c, x, default_nid))
4412 {
4413 if (!check_flags) goto end;
4414 }
4415 else
4416 rv |= CERT_PKEY_EE_SIGNATURE;
4417 rv |= CERT_PKEY_CA_SIGNATURE;
4418 for (i = 0; i < sk_X509_num(chain); i++)
4419 {
4420 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4421 default_nid))
4422 {
4423 if (check_flags)
4424 {
4425 rv &= ~CERT_PKEY_CA_SIGNATURE;
4426 break;
4427 }
4428 else
4429 goto end;
4430 }
4431 }
4432 }
4433 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4434 else if(check_flags)
4435 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4436 skip_sigs:
4437 /* Check cert parameters are consistent */
4438 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4439 rv |= CERT_PKEY_EE_PARAM;
4440 else if (!check_flags)
4441 goto end;
4442 if (!s->server)
4443 rv |= CERT_PKEY_CA_PARAM;
4444 /* In strict mode check rest of chain too */
4445 else if (strict_mode)
4446 {
4447 rv |= CERT_PKEY_CA_PARAM;
4448 for (i = 0; i < sk_X509_num(chain); i++)
4449 {
4450 X509 *ca = sk_X509_value(chain, i);
4451 if (!tls1_check_cert_param(s, ca, 0))
4452 {
4453 if (check_flags)
4454 {
4455 rv &= ~CERT_PKEY_CA_PARAM;
4456 break;
4457 }
4458 else
4459 goto end;
4460 }
4461 }
4462 }
4463 if (!s->server && strict_mode)
4464 {
4465 STACK_OF(X509_NAME) *ca_dn;
4466 int check_type = 0;
4467 switch (pk->type)
4468 {
4469 case EVP_PKEY_RSA:
4470 check_type = TLS_CT_RSA_SIGN;
4471 break;
4472 case EVP_PKEY_DSA:
4473 check_type = TLS_CT_DSS_SIGN;
4474 break;
4475 case EVP_PKEY_EC:
4476 check_type = TLS_CT_ECDSA_SIGN;
4477 break;
4478 case EVP_PKEY_DH:
4479 case EVP_PKEY_DHX:
4480 {
4481 int cert_type = X509_certificate_type(x, pk);
4482 if (cert_type & EVP_PKS_RSA)
4483 check_type = TLS_CT_RSA_FIXED_DH;
4484 if (cert_type & EVP_PKS_DSA)
4485 check_type = TLS_CT_DSS_FIXED_DH;
4486 }
4487 }
4488 if (check_type)
4489 {
4490 const unsigned char *ctypes;
4491 int ctypelen;
4492 if (c->ctypes)
4493 {
4494 ctypes = c->ctypes;
4495 ctypelen = (int)c->ctype_num;
4496 }
4497 else
4498 {
4499 ctypes = (unsigned char *)s->s3->tmp.ctype;
4500 ctypelen = s->s3->tmp.ctype_num;
4501 }
4502 for (i = 0; i < ctypelen; i++)
4503 {
4504 if (ctypes[i] == check_type)
4505 {
4506 rv |= CERT_PKEY_CERT_TYPE;
4507 break;
4508 }
4509 }
4510 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4511 goto end;
4512 }
4513 else
4514 rv |= CERT_PKEY_CERT_TYPE;
4515
4516
4517 ca_dn = s->s3->tmp.ca_names;
4518
4519 if (!sk_X509_NAME_num(ca_dn))
4520 rv |= CERT_PKEY_ISSUER_NAME;
4521
4522 if (!(rv & CERT_PKEY_ISSUER_NAME))
4523 {
4524 if (ssl_check_ca_name(ca_dn, x))
4525 rv |= CERT_PKEY_ISSUER_NAME;
4526 }
4527 if (!(rv & CERT_PKEY_ISSUER_NAME))
4528 {
4529 for (i = 0; i < sk_X509_num(chain); i++)
4530 {
4531 X509 *xtmp = sk_X509_value(chain, i);
4532 if (ssl_check_ca_name(ca_dn, xtmp))
4533 {
4534 rv |= CERT_PKEY_ISSUER_NAME;
4535 break;
4536 }
4537 }
4538 }
4539 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4540 goto end;
4541 }
4542 else
4543 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4544
4545 if (!check_flags || (rv & check_flags) == check_flags)
4546 rv |= CERT_PKEY_VALID;
4547
4548 end:
4549
4550 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4551 {
4552 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4553 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4554 else if (cpk->digest)
4555 rv |= CERT_PKEY_SIGN;
4556 }
4557 else
4558 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4559
4560 /* When checking a CERT_PKEY structure all flags are irrelevant
4561 * if the chain is invalid.
4562 */
4563 if (!check_flags)
4564 {
4565 if (rv & CERT_PKEY_VALID)
4566 cpk->valid_flags = rv;
4567 else
4568 {
4569 /* Preserve explicit sign flag, clear rest */
4570 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4571 return 0;
4572 }
4573 }
4574 return rv;
4575 }
4576
4577/* Set validity of certificates in an SSL structure */
4578void tls1_set_cert_validity(SSL *s)
4579 {
4580 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4581 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4582 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4583 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4584 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4585 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4586 }
4587/* User level utiity function to check a chain is suitable */
4588int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4589 {
4590 return tls1_check_chain(s, x, pk, chain, -1);
4591 }
4592
4593#endif