2
0

t1_lib.c 146 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559
  1. /* ssl/t1_lib.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include <openssl/objects.h>
  113. #include <openssl/evp.h>
  114. #include <openssl/hmac.h>
  115. #ifndef OPENSSL_NO_EC
  116. #ifdef OPENSSL_NO_EC2M
  117. # include <openssl/ec.h>
  118. #endif
  119. #endif
  120. #include <openssl/ocsp.h>
  121. #include <openssl/rand.h>
  122. #include "ssl_locl.h"
  123. const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
  124. #ifndef OPENSSL_NO_TLSEXT
  125. static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
  126. const unsigned char *sess_id, int sesslen,
  127. SSL_SESSION **psess);
  128. static int ssl_check_clienthello_tlsext_early(SSL *s);
  129. int ssl_check_serverhello_tlsext(SSL *s);
  130. #endif
  131. #define CHECKLEN(curr, val, limit) \
  132. (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
  133. SSL3_ENC_METHOD TLSv1_enc_data = {
  134. tls1_enc,
  135. tls1_mac,
  136. tls1_setup_key_block,
  137. tls1_generate_master_secret,
  138. tls1_change_cipher_state,
  139. tls1_final_finish_mac,
  140. TLS1_FINISH_MAC_LENGTH,
  141. tls1_cert_verify_mac,
  142. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  143. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  144. tls1_alert_code,
  145. tls1_export_keying_material,
  146. 0,
  147. SSL3_HM_HEADER_LENGTH,
  148. ssl3_set_handshake_header,
  149. ssl3_handshake_write
  150. };
  151. SSL3_ENC_METHOD TLSv1_1_enc_data = {
  152. tls1_enc,
  153. tls1_mac,
  154. tls1_setup_key_block,
  155. tls1_generate_master_secret,
  156. tls1_change_cipher_state,
  157. tls1_final_finish_mac,
  158. TLS1_FINISH_MAC_LENGTH,
  159. tls1_cert_verify_mac,
  160. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  161. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  162. tls1_alert_code,
  163. tls1_export_keying_material,
  164. SSL_ENC_FLAG_EXPLICIT_IV,
  165. SSL3_HM_HEADER_LENGTH,
  166. ssl3_set_handshake_header,
  167. ssl3_handshake_write
  168. };
  169. SSL3_ENC_METHOD TLSv1_2_enc_data = {
  170. tls1_enc,
  171. tls1_mac,
  172. tls1_setup_key_block,
  173. tls1_generate_master_secret,
  174. tls1_change_cipher_state,
  175. tls1_final_finish_mac,
  176. TLS1_FINISH_MAC_LENGTH,
  177. tls1_cert_verify_mac,
  178. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  179. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  180. tls1_alert_code,
  181. tls1_export_keying_material,
  182. SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
  183. | SSL_ENC_FLAG_TLS1_2_CIPHERS,
  184. SSL3_HM_HEADER_LENGTH,
  185. ssl3_set_handshake_header,
  186. ssl3_handshake_write
  187. };
  188. long tls1_default_timeout(void)
  189. {
  190. /*
  191. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  192. * http, the cache would over fill
  193. */
  194. return (60 * 60 * 2);
  195. }
  196. int tls1_new(SSL *s)
  197. {
  198. if (!ssl3_new(s))
  199. return (0);
  200. s->method->ssl_clear(s);
  201. return (1);
  202. }
  203. void tls1_free(SSL *s)
  204. {
  205. #ifndef OPENSSL_NO_TLSEXT
  206. if (s->tlsext_session_ticket) {
  207. OPENSSL_free(s->tlsext_session_ticket);
  208. }
  209. #endif /* OPENSSL_NO_TLSEXT */
  210. ssl3_free(s);
  211. }
  212. void tls1_clear(SSL *s)
  213. {
  214. ssl3_clear(s);
  215. s->version = s->method->version;
  216. }
  217. #ifndef OPENSSL_NO_EC
  218. static int nid_list[] = {
  219. NID_sect163k1, /* sect163k1 (1) */
  220. NID_sect163r1, /* sect163r1 (2) */
  221. NID_sect163r2, /* sect163r2 (3) */
  222. NID_sect193r1, /* sect193r1 (4) */
  223. NID_sect193r2, /* sect193r2 (5) */
  224. NID_sect233k1, /* sect233k1 (6) */
  225. NID_sect233r1, /* sect233r1 (7) */
  226. NID_sect239k1, /* sect239k1 (8) */
  227. NID_sect283k1, /* sect283k1 (9) */
  228. NID_sect283r1, /* sect283r1 (10) */
  229. NID_sect409k1, /* sect409k1 (11) */
  230. NID_sect409r1, /* sect409r1 (12) */
  231. NID_sect571k1, /* sect571k1 (13) */
  232. NID_sect571r1, /* sect571r1 (14) */
  233. NID_secp160k1, /* secp160k1 (15) */
  234. NID_secp160r1, /* secp160r1 (16) */
  235. NID_secp160r2, /* secp160r2 (17) */
  236. NID_secp192k1, /* secp192k1 (18) */
  237. NID_X9_62_prime192v1, /* secp192r1 (19) */
  238. NID_secp224k1, /* secp224k1 (20) */
  239. NID_secp224r1, /* secp224r1 (21) */
  240. NID_secp256k1, /* secp256k1 (22) */
  241. NID_X9_62_prime256v1, /* secp256r1 (23) */
  242. NID_secp384r1, /* secp384r1 (24) */
  243. NID_secp521r1, /* secp521r1 (25) */
  244. NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
  245. NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
  246. NID_brainpoolP512r1 /* brainpool512r1 (28) */
  247. };
  248. static const unsigned char ecformats_default[] = {
  249. TLSEXT_ECPOINTFORMAT_uncompressed,
  250. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
  251. TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  252. };
  253. /* The client's default curves / the server's 'auto' curves. */
  254. static const unsigned char eccurves_auto[] = {
  255. /* Prefer P-256 which has the fastest and most secure implementations. */
  256. 0, 23, /* secp256r1 (23) */
  257. /* Other >= 256-bit prime curves. */
  258. 0, 25, /* secp521r1 (25) */
  259. 0, 28, /* brainpool512r1 (28) */
  260. 0, 27, /* brainpoolP384r1 (27) */
  261. 0, 24, /* secp384r1 (24) */
  262. 0, 26, /* brainpoolP256r1 (26) */
  263. 0, 22, /* secp256k1 (22) */
  264. # ifndef OPENSSL_NO_EC2M
  265. /* >= 256-bit binary curves. */
  266. 0, 14, /* sect571r1 (14) */
  267. 0, 13, /* sect571k1 (13) */
  268. 0, 11, /* sect409k1 (11) */
  269. 0, 12, /* sect409r1 (12) */
  270. 0, 9, /* sect283k1 (9) */
  271. 0, 10, /* sect283r1 (10) */
  272. # endif
  273. };
  274. static const unsigned char eccurves_all[] = {
  275. /* Prefer P-256 which has the fastest and most secure implementations. */
  276. 0, 23, /* secp256r1 (23) */
  277. /* Other >= 256-bit prime curves. */
  278. 0, 25, /* secp521r1 (25) */
  279. 0, 28, /* brainpool512r1 (28) */
  280. 0, 27, /* brainpoolP384r1 (27) */
  281. 0, 24, /* secp384r1 (24) */
  282. 0, 26, /* brainpoolP256r1 (26) */
  283. 0, 22, /* secp256k1 (22) */
  284. # ifndef OPENSSL_NO_EC2M
  285. /* >= 256-bit binary curves. */
  286. 0, 14, /* sect571r1 (14) */
  287. 0, 13, /* sect571k1 (13) */
  288. 0, 11, /* sect409k1 (11) */
  289. 0, 12, /* sect409r1 (12) */
  290. 0, 9, /* sect283k1 (9) */
  291. 0, 10, /* sect283r1 (10) */
  292. # endif
  293. /*
  294. * Remaining curves disabled by default but still permitted if set
  295. * via an explicit callback or parameters.
  296. */
  297. 0, 20, /* secp224k1 (20) */
  298. 0, 21, /* secp224r1 (21) */
  299. 0, 18, /* secp192k1 (18) */
  300. 0, 19, /* secp192r1 (19) */
  301. 0, 15, /* secp160k1 (15) */
  302. 0, 16, /* secp160r1 (16) */
  303. 0, 17, /* secp160r2 (17) */
  304. # ifndef OPENSSL_NO_EC2M
  305. 0, 8, /* sect239k1 (8) */
  306. 0, 6, /* sect233k1 (6) */
  307. 0, 7, /* sect233r1 (7) */
  308. 0, 4, /* sect193r1 (4) */
  309. 0, 5, /* sect193r2 (5) */
  310. 0, 1, /* sect163k1 (1) */
  311. 0, 2, /* sect163r1 (2) */
  312. 0, 3, /* sect163r2 (3) */
  313. # endif
  314. };
  315. static const unsigned char suiteb_curves[] = {
  316. 0, TLSEXT_curve_P_256,
  317. 0, TLSEXT_curve_P_384
  318. };
  319. # ifdef OPENSSL_FIPS
  320. /* Brainpool not allowed in FIPS mode */
  321. static const unsigned char fips_curves_default[] = {
  322. # ifndef OPENSSL_NO_EC2M
  323. 0, 14, /* sect571r1 (14) */
  324. 0, 13, /* sect571k1 (13) */
  325. # endif
  326. 0, 25, /* secp521r1 (25) */
  327. # ifndef OPENSSL_NO_EC2M
  328. 0, 11, /* sect409k1 (11) */
  329. 0, 12, /* sect409r1 (12) */
  330. # endif
  331. 0, 24, /* secp384r1 (24) */
  332. # ifndef OPENSSL_NO_EC2M
  333. 0, 9, /* sect283k1 (9) */
  334. 0, 10, /* sect283r1 (10) */
  335. # endif
  336. 0, 22, /* secp256k1 (22) */
  337. 0, 23, /* secp256r1 (23) */
  338. # ifndef OPENSSL_NO_EC2M
  339. 0, 8, /* sect239k1 (8) */
  340. 0, 6, /* sect233k1 (6) */
  341. 0, 7, /* sect233r1 (7) */
  342. # endif
  343. 0, 20, /* secp224k1 (20) */
  344. 0, 21, /* secp224r1 (21) */
  345. # ifndef OPENSSL_NO_EC2M
  346. 0, 4, /* sect193r1 (4) */
  347. 0, 5, /* sect193r2 (5) */
  348. # endif
  349. 0, 18, /* secp192k1 (18) */
  350. 0, 19, /* secp192r1 (19) */
  351. # ifndef OPENSSL_NO_EC2M
  352. 0, 1, /* sect163k1 (1) */
  353. 0, 2, /* sect163r1 (2) */
  354. 0, 3, /* sect163r2 (3) */
  355. # endif
  356. 0, 15, /* secp160k1 (15) */
  357. 0, 16, /* secp160r1 (16) */
  358. 0, 17, /* secp160r2 (17) */
  359. };
  360. # endif
  361. int tls1_ec_curve_id2nid(int curve_id)
  362. {
  363. /* ECC curves from RFC 4492 and RFC 7027 */
  364. if ((curve_id < 1) || ((unsigned int)curve_id >
  365. sizeof(nid_list) / sizeof(nid_list[0])))
  366. return 0;
  367. return nid_list[curve_id - 1];
  368. }
  369. int tls1_ec_nid2curve_id(int nid)
  370. {
  371. /* ECC curves from RFC 4492 and RFC 7027 */
  372. switch (nid) {
  373. case NID_sect163k1: /* sect163k1 (1) */
  374. return 1;
  375. case NID_sect163r1: /* sect163r1 (2) */
  376. return 2;
  377. case NID_sect163r2: /* sect163r2 (3) */
  378. return 3;
  379. case NID_sect193r1: /* sect193r1 (4) */
  380. return 4;
  381. case NID_sect193r2: /* sect193r2 (5) */
  382. return 5;
  383. case NID_sect233k1: /* sect233k1 (6) */
  384. return 6;
  385. case NID_sect233r1: /* sect233r1 (7) */
  386. return 7;
  387. case NID_sect239k1: /* sect239k1 (8) */
  388. return 8;
  389. case NID_sect283k1: /* sect283k1 (9) */
  390. return 9;
  391. case NID_sect283r1: /* sect283r1 (10) */
  392. return 10;
  393. case NID_sect409k1: /* sect409k1 (11) */
  394. return 11;
  395. case NID_sect409r1: /* sect409r1 (12) */
  396. return 12;
  397. case NID_sect571k1: /* sect571k1 (13) */
  398. return 13;
  399. case NID_sect571r1: /* sect571r1 (14) */
  400. return 14;
  401. case NID_secp160k1: /* secp160k1 (15) */
  402. return 15;
  403. case NID_secp160r1: /* secp160r1 (16) */
  404. return 16;
  405. case NID_secp160r2: /* secp160r2 (17) */
  406. return 17;
  407. case NID_secp192k1: /* secp192k1 (18) */
  408. return 18;
  409. case NID_X9_62_prime192v1: /* secp192r1 (19) */
  410. return 19;
  411. case NID_secp224k1: /* secp224k1 (20) */
  412. return 20;
  413. case NID_secp224r1: /* secp224r1 (21) */
  414. return 21;
  415. case NID_secp256k1: /* secp256k1 (22) */
  416. return 22;
  417. case NID_X9_62_prime256v1: /* secp256r1 (23) */
  418. return 23;
  419. case NID_secp384r1: /* secp384r1 (24) */
  420. return 24;
  421. case NID_secp521r1: /* secp521r1 (25) */
  422. return 25;
  423. case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
  424. return 26;
  425. case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
  426. return 27;
  427. case NID_brainpoolP512r1: /* brainpool512r1 (28) */
  428. return 28;
  429. default:
  430. return 0;
  431. }
  432. }
  433. /*
  434. * Get curves list, if "sess" is set return client curves otherwise
  435. * preferred list.
  436. * Sets |num_curves| to the number of curves in the list, i.e.,
  437. * the length of |pcurves| is 2 * num_curves.
  438. * Returns 1 on success and 0 if the client curves list has invalid format.
  439. * The latter indicates an internal error: we should not be accepting such
  440. * lists in the first place.
  441. * TODO(emilia): we should really be storing the curves list in explicitly
  442. * parsed form instead. (However, this would affect binary compatibility
  443. * so cannot happen in the 1.0.x series.)
  444. */
  445. static int tls1_get_curvelist(SSL *s, int sess,
  446. const unsigned char **pcurves,
  447. size_t *num_curves)
  448. {
  449. size_t pcurveslen = 0;
  450. if (sess) {
  451. *pcurves = s->session->tlsext_ellipticcurvelist;
  452. pcurveslen = s->session->tlsext_ellipticcurvelist_length;
  453. } else {
  454. /* For Suite B mode only include P-256, P-384 */
  455. switch (tls1_suiteb(s)) {
  456. case SSL_CERT_FLAG_SUITEB_128_LOS:
  457. *pcurves = suiteb_curves;
  458. pcurveslen = sizeof(suiteb_curves);
  459. break;
  460. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  461. *pcurves = suiteb_curves;
  462. pcurveslen = 2;
  463. break;
  464. case SSL_CERT_FLAG_SUITEB_192_LOS:
  465. *pcurves = suiteb_curves + 2;
  466. pcurveslen = 2;
  467. break;
  468. default:
  469. *pcurves = s->tlsext_ellipticcurvelist;
  470. pcurveslen = s->tlsext_ellipticcurvelist_length;
  471. }
  472. if (!*pcurves) {
  473. # ifdef OPENSSL_FIPS
  474. if (FIPS_mode()) {
  475. *pcurves = fips_curves_default;
  476. pcurveslen = sizeof(fips_curves_default);
  477. } else
  478. # endif
  479. {
  480. if (!s->server || s->cert->ecdh_tmp_auto) {
  481. *pcurves = eccurves_auto;
  482. pcurveslen = sizeof(eccurves_auto);
  483. } else {
  484. *pcurves = eccurves_all;
  485. pcurveslen = sizeof(eccurves_all);
  486. }
  487. }
  488. }
  489. }
  490. /* We do not allow odd length arrays to enter the system. */
  491. if (pcurveslen & 1) {
  492. SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
  493. *num_curves = 0;
  494. return 0;
  495. } else {
  496. *num_curves = pcurveslen / 2;
  497. return 1;
  498. }
  499. }
  500. /* Check a curve is one of our preferences */
  501. int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
  502. {
  503. const unsigned char *curves;
  504. size_t num_curves, i;
  505. unsigned int suiteb_flags = tls1_suiteb(s);
  506. if (len != 3 || p[0] != NAMED_CURVE_TYPE)
  507. return 0;
  508. /* Check curve matches Suite B preferences */
  509. if (suiteb_flags) {
  510. unsigned long cid = s->s3->tmp.new_cipher->id;
  511. if (p[1])
  512. return 0;
  513. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
  514. if (p[2] != TLSEXT_curve_P_256)
  515. return 0;
  516. } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
  517. if (p[2] != TLSEXT_curve_P_384)
  518. return 0;
  519. } else /* Should never happen */
  520. return 0;
  521. }
  522. if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
  523. return 0;
  524. for (i = 0; i < num_curves; i++, curves += 2) {
  525. if (p[1] == curves[0] && p[2] == curves[1])
  526. return 1;
  527. }
  528. return 0;
  529. }
  530. /*-
  531. * Return |nmatch|th shared curve or NID_undef if there is no match.
  532. * For nmatch == -1, return number of matches
  533. * For nmatch == -2, return the NID of the curve to use for
  534. * an EC tmp key, or NID_undef if there is no match.
  535. */
  536. int tls1_shared_curve(SSL *s, int nmatch)
  537. {
  538. const unsigned char *pref, *supp;
  539. size_t num_pref, num_supp, i, j;
  540. int k;
  541. /* Can't do anything on client side */
  542. if (s->server == 0)
  543. return -1;
  544. if (nmatch == -2) {
  545. if (tls1_suiteb(s)) {
  546. /*
  547. * For Suite B ciphersuite determines curve: we already know
  548. * these are acceptable due to previous checks.
  549. */
  550. unsigned long cid = s->s3->tmp.new_cipher->id;
  551. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  552. return NID_X9_62_prime256v1; /* P-256 */
  553. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  554. return NID_secp384r1; /* P-384 */
  555. /* Should never happen */
  556. return NID_undef;
  557. }
  558. /* If not Suite B just return first preference shared curve */
  559. nmatch = 0;
  560. }
  561. /*
  562. * Avoid truncation. tls1_get_curvelist takes an int
  563. * but s->options is a long...
  564. */
  565. if (!tls1_get_curvelist
  566. (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
  567. &num_supp))
  568. /* In practice, NID_undef == 0 but let's be precise. */
  569. return nmatch == -1 ? 0 : NID_undef;
  570. if (!tls1_get_curvelist
  571. (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
  572. &num_pref))
  573. return nmatch == -1 ? 0 : NID_undef;
  574. /*
  575. * If the client didn't send the elliptic_curves extension all of them
  576. * are allowed.
  577. */
  578. if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
  579. supp = eccurves_all;
  580. num_supp = sizeof(eccurves_all) / 2;
  581. } else if (num_pref == 0 &&
  582. (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
  583. pref = eccurves_all;
  584. num_pref = sizeof(eccurves_all) / 2;
  585. }
  586. k = 0;
  587. for (i = 0; i < num_pref; i++, pref += 2) {
  588. const unsigned char *tsupp = supp;
  589. for (j = 0; j < num_supp; j++, tsupp += 2) {
  590. if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
  591. if (nmatch == k) {
  592. int id = (pref[0] << 8) | pref[1];
  593. return tls1_ec_curve_id2nid(id);
  594. }
  595. k++;
  596. }
  597. }
  598. }
  599. if (nmatch == -1)
  600. return k;
  601. /* Out of range (nmatch > k). */
  602. return NID_undef;
  603. }
  604. int tls1_set_curves(unsigned char **pext, size_t *pextlen,
  605. int *curves, size_t ncurves)
  606. {
  607. unsigned char *clist, *p;
  608. size_t i;
  609. /*
  610. * Bitmap of curves included to detect duplicates: only works while curve
  611. * ids < 32
  612. */
  613. unsigned long dup_list = 0;
  614. # ifdef OPENSSL_NO_EC2M
  615. EC_GROUP *curve;
  616. # endif
  617. clist = OPENSSL_malloc(ncurves * 2);
  618. if (!clist)
  619. return 0;
  620. for (i = 0, p = clist; i < ncurves; i++) {
  621. unsigned long idmask;
  622. int id;
  623. id = tls1_ec_nid2curve_id(curves[i]);
  624. # ifdef OPENSSL_FIPS
  625. /* NB: 25 is last curve ID supported by FIPS module */
  626. if (FIPS_mode() && id > 25) {
  627. OPENSSL_free(clist);
  628. return 0;
  629. }
  630. # endif
  631. # ifdef OPENSSL_NO_EC2M
  632. curve = EC_GROUP_new_by_curve_name(curves[i]);
  633. if (!curve || EC_METHOD_get_field_type(EC_GROUP_method_of(curve))
  634. == NID_X9_62_characteristic_two_field) {
  635. if (curve)
  636. EC_GROUP_free(curve);
  637. OPENSSL_free(clist);
  638. return 0;
  639. } else
  640. EC_GROUP_free(curve);
  641. # endif
  642. idmask = 1L << id;
  643. if (!id || (dup_list & idmask)) {
  644. OPENSSL_free(clist);
  645. return 0;
  646. }
  647. dup_list |= idmask;
  648. s2n(id, p);
  649. }
  650. if (*pext)
  651. OPENSSL_free(*pext);
  652. *pext = clist;
  653. *pextlen = ncurves * 2;
  654. return 1;
  655. }
  656. # define MAX_CURVELIST 28
  657. typedef struct {
  658. size_t nidcnt;
  659. int nid_arr[MAX_CURVELIST];
  660. } nid_cb_st;
  661. static int nid_cb(const char *elem, int len, void *arg)
  662. {
  663. nid_cb_st *narg = arg;
  664. size_t i;
  665. int nid;
  666. char etmp[20];
  667. if (elem == NULL)
  668. return 0;
  669. if (narg->nidcnt == MAX_CURVELIST)
  670. return 0;
  671. if (len > (int)(sizeof(etmp) - 1))
  672. return 0;
  673. memcpy(etmp, elem, len);
  674. etmp[len] = 0;
  675. nid = EC_curve_nist2nid(etmp);
  676. if (nid == NID_undef)
  677. nid = OBJ_sn2nid(etmp);
  678. if (nid == NID_undef)
  679. nid = OBJ_ln2nid(etmp);
  680. if (nid == NID_undef)
  681. return 0;
  682. for (i = 0; i < narg->nidcnt; i++)
  683. if (narg->nid_arr[i] == nid)
  684. return 0;
  685. narg->nid_arr[narg->nidcnt++] = nid;
  686. return 1;
  687. }
  688. /* Set curves based on a colon separate list */
  689. int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
  690. const char *str)
  691. {
  692. nid_cb_st ncb;
  693. ncb.nidcnt = 0;
  694. if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
  695. return 0;
  696. if (pext == NULL)
  697. return 1;
  698. return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
  699. }
  700. /* For an EC key set TLS id and required compression based on parameters */
  701. static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
  702. EC_KEY *ec)
  703. {
  704. int is_prime, id;
  705. const EC_GROUP *grp;
  706. const EC_METHOD *meth;
  707. if (!ec)
  708. return 0;
  709. /* Determine if it is a prime field */
  710. grp = EC_KEY_get0_group(ec);
  711. if (!grp)
  712. return 0;
  713. meth = EC_GROUP_method_of(grp);
  714. if (!meth)
  715. return 0;
  716. if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
  717. is_prime = 1;
  718. else
  719. is_prime = 0;
  720. /* Determine curve ID */
  721. id = EC_GROUP_get_curve_name(grp);
  722. id = tls1_ec_nid2curve_id(id);
  723. /* If we have an ID set it, otherwise set arbitrary explicit curve */
  724. if (id) {
  725. curve_id[0] = 0;
  726. curve_id[1] = (unsigned char)id;
  727. } else {
  728. curve_id[0] = 0xff;
  729. if (is_prime)
  730. curve_id[1] = 0x01;
  731. else
  732. curve_id[1] = 0x02;
  733. }
  734. if (comp_id) {
  735. if (EC_KEY_get0_public_key(ec) == NULL)
  736. return 0;
  737. if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
  738. if (is_prime)
  739. *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  740. else
  741. *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  742. } else
  743. *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
  744. }
  745. return 1;
  746. }
  747. /* Check an EC key is compatible with extensions */
  748. static int tls1_check_ec_key(SSL *s,
  749. unsigned char *curve_id, unsigned char *comp_id)
  750. {
  751. const unsigned char *pformats, *pcurves;
  752. size_t num_formats, num_curves, i;
  753. int j;
  754. /*
  755. * If point formats extension present check it, otherwise everything is
  756. * supported (see RFC4492).
  757. */
  758. if (comp_id && s->session->tlsext_ecpointformatlist) {
  759. pformats = s->session->tlsext_ecpointformatlist;
  760. num_formats = s->session->tlsext_ecpointformatlist_length;
  761. for (i = 0; i < num_formats; i++, pformats++) {
  762. if (*comp_id == *pformats)
  763. break;
  764. }
  765. if (i == num_formats)
  766. return 0;
  767. }
  768. if (!curve_id)
  769. return 1;
  770. /* Check curve is consistent with client and server preferences */
  771. for (j = 0; j <= 1; j++) {
  772. if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
  773. return 0;
  774. if (j == 1 && num_curves == 0) {
  775. /*
  776. * If we've not received any curves then skip this check.
  777. * RFC 4492 does not require the supported elliptic curves extension
  778. * so if it is not sent we can just choose any curve.
  779. * It is invalid to send an empty list in the elliptic curves
  780. * extension, so num_curves == 0 always means no extension.
  781. */
  782. break;
  783. }
  784. for (i = 0; i < num_curves; i++, pcurves += 2) {
  785. if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
  786. break;
  787. }
  788. if (i == num_curves)
  789. return 0;
  790. /* For clients can only check sent curve list */
  791. if (!s->server)
  792. return 1;
  793. }
  794. return 1;
  795. }
  796. static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
  797. size_t *num_formats)
  798. {
  799. /*
  800. * If we have a custom point format list use it otherwise use default
  801. */
  802. if (s->tlsext_ecpointformatlist) {
  803. *pformats = s->tlsext_ecpointformatlist;
  804. *num_formats = s->tlsext_ecpointformatlist_length;
  805. } else {
  806. *pformats = ecformats_default;
  807. /* For Suite B we don't support char2 fields */
  808. if (tls1_suiteb(s))
  809. *num_formats = sizeof(ecformats_default) - 1;
  810. else
  811. *num_formats = sizeof(ecformats_default);
  812. }
  813. }
  814. /*
  815. * Check cert parameters compatible with extensions: currently just checks EC
  816. * certificates have compatible curves and compression.
  817. */
  818. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  819. {
  820. unsigned char comp_id, curve_id[2];
  821. EVP_PKEY *pkey;
  822. int rv;
  823. pkey = X509_get_pubkey(x);
  824. if (!pkey)
  825. return 0;
  826. /* If not EC nothing to do */
  827. if (pkey->type != EVP_PKEY_EC) {
  828. EVP_PKEY_free(pkey);
  829. return 1;
  830. }
  831. rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
  832. EVP_PKEY_free(pkey);
  833. if (!rv)
  834. return 0;
  835. /*
  836. * Can't check curve_id for client certs as we don't have a supported
  837. * curves extension.
  838. */
  839. rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
  840. if (!rv)
  841. return 0;
  842. /*
  843. * Special case for suite B. We *MUST* sign using SHA256+P-256 or
  844. * SHA384+P-384, adjust digest if necessary.
  845. */
  846. if (set_ee_md && tls1_suiteb(s)) {
  847. int check_md;
  848. size_t i;
  849. CERT *c = s->cert;
  850. if (curve_id[0])
  851. return 0;
  852. /* Check to see we have necessary signing algorithm */
  853. if (curve_id[1] == TLSEXT_curve_P_256)
  854. check_md = NID_ecdsa_with_SHA256;
  855. else if (curve_id[1] == TLSEXT_curve_P_384)
  856. check_md = NID_ecdsa_with_SHA384;
  857. else
  858. return 0; /* Should never happen */
  859. for (i = 0; i < c->shared_sigalgslen; i++)
  860. if (check_md == c->shared_sigalgs[i].signandhash_nid)
  861. break;
  862. if (i == c->shared_sigalgslen)
  863. return 0;
  864. if (set_ee_md == 2) {
  865. if (check_md == NID_ecdsa_with_SHA256)
  866. c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
  867. else
  868. c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
  869. }
  870. }
  871. return rv;
  872. }
  873. # ifndef OPENSSL_NO_ECDH
  874. /* Check EC temporary key is compatible with client extensions */
  875. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  876. {
  877. unsigned char curve_id[2];
  878. EC_KEY *ec = s->cert->ecdh_tmp;
  879. # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  880. /* Allow any curve: not just those peer supports */
  881. if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
  882. return 1;
  883. # endif
  884. /*
  885. * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
  886. * curves permitted.
  887. */
  888. if (tls1_suiteb(s)) {
  889. /* Curve to check determined by ciphersuite */
  890. if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
  891. curve_id[1] = TLSEXT_curve_P_256;
  892. else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
  893. curve_id[1] = TLSEXT_curve_P_384;
  894. else
  895. return 0;
  896. curve_id[0] = 0;
  897. /* Check this curve is acceptable */
  898. if (!tls1_check_ec_key(s, curve_id, NULL))
  899. return 0;
  900. /* If auto or setting curve from callback assume OK */
  901. if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
  902. return 1;
  903. /* Otherwise check curve is acceptable */
  904. else {
  905. unsigned char curve_tmp[2];
  906. if (!ec)
  907. return 0;
  908. if (!tls1_set_ec_id(curve_tmp, NULL, ec))
  909. return 0;
  910. if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
  911. return 1;
  912. return 0;
  913. }
  914. }
  915. if (s->cert->ecdh_tmp_auto) {
  916. /* Need a shared curve */
  917. if (tls1_shared_curve(s, 0))
  918. return 1;
  919. else
  920. return 0;
  921. }
  922. if (!ec) {
  923. if (s->cert->ecdh_tmp_cb)
  924. return 1;
  925. else
  926. return 0;
  927. }
  928. if (!tls1_set_ec_id(curve_id, NULL, ec))
  929. return 0;
  930. /* Set this to allow use of invalid curves for testing */
  931. # if 0
  932. return 1;
  933. # else
  934. return tls1_check_ec_key(s, curve_id, NULL);
  935. # endif
  936. }
  937. # endif /* OPENSSL_NO_ECDH */
  938. #else
  939. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  940. {
  941. return 1;
  942. }
  943. #endif /* OPENSSL_NO_EC */
  944. #ifndef OPENSSL_NO_TLSEXT
  945. /*
  946. * List of supported signature algorithms and hashes. Should make this
  947. * customisable at some point, for now include everything we support.
  948. */
  949. # ifdef OPENSSL_NO_RSA
  950. # define tlsext_sigalg_rsa(md) /* */
  951. # else
  952. # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
  953. # endif
  954. # ifdef OPENSSL_NO_DSA
  955. # define tlsext_sigalg_dsa(md) /* */
  956. # else
  957. # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
  958. # endif
  959. # ifdef OPENSSL_NO_ECDSA
  960. # define tlsext_sigalg_ecdsa(md)
  961. /* */
  962. # else
  963. # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
  964. # endif
  965. # define tlsext_sigalg(md) \
  966. tlsext_sigalg_rsa(md) \
  967. tlsext_sigalg_dsa(md) \
  968. tlsext_sigalg_ecdsa(md)
  969. static unsigned char tls12_sigalgs[] = {
  970. # ifndef OPENSSL_NO_SHA512
  971. tlsext_sigalg(TLSEXT_hash_sha512)
  972. tlsext_sigalg(TLSEXT_hash_sha384)
  973. # endif
  974. # ifndef OPENSSL_NO_SHA256
  975. tlsext_sigalg(TLSEXT_hash_sha256)
  976. tlsext_sigalg(TLSEXT_hash_sha224)
  977. # endif
  978. # ifndef OPENSSL_NO_SHA
  979. tlsext_sigalg(TLSEXT_hash_sha1)
  980. # endif
  981. };
  982. # ifndef OPENSSL_NO_ECDSA
  983. static unsigned char suiteb_sigalgs[] = {
  984. tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
  985. tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
  986. };
  987. # endif
  988. size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
  989. {
  990. /*
  991. * If Suite B mode use Suite B sigalgs only, ignore any other
  992. * preferences.
  993. */
  994. # ifndef OPENSSL_NO_EC
  995. switch (tls1_suiteb(s)) {
  996. case SSL_CERT_FLAG_SUITEB_128_LOS:
  997. *psigs = suiteb_sigalgs;
  998. return sizeof(suiteb_sigalgs);
  999. case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
  1000. *psigs = suiteb_sigalgs;
  1001. return 2;
  1002. case SSL_CERT_FLAG_SUITEB_192_LOS:
  1003. *psigs = suiteb_sigalgs + 2;
  1004. return 2;
  1005. }
  1006. # endif
  1007. /* If server use client authentication sigalgs if not NULL */
  1008. if (s->server == sent && s->cert->client_sigalgs) {
  1009. *psigs = s->cert->client_sigalgs;
  1010. return s->cert->client_sigalgslen;
  1011. } else if (s->cert->conf_sigalgs) {
  1012. *psigs = s->cert->conf_sigalgs;
  1013. return s->cert->conf_sigalgslen;
  1014. } else {
  1015. *psigs = tls12_sigalgs;
  1016. return sizeof(tls12_sigalgs);
  1017. }
  1018. }
  1019. /*
  1020. * Check signature algorithm is consistent with sent supported signature
  1021. * algorithms and if so return relevant digest.
  1022. */
  1023. int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
  1024. const unsigned char *sig, EVP_PKEY *pkey)
  1025. {
  1026. const unsigned char *sent_sigs;
  1027. size_t sent_sigslen, i;
  1028. int sigalg = tls12_get_sigid(pkey);
  1029. /* Should never happen */
  1030. if (sigalg == -1)
  1031. return -1;
  1032. /* Check key type is consistent with signature */
  1033. if (sigalg != (int)sig[1]) {
  1034. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
  1035. return 0;
  1036. }
  1037. # ifndef OPENSSL_NO_EC
  1038. if (pkey->type == EVP_PKEY_EC) {
  1039. unsigned char curve_id[2], comp_id;
  1040. /* Check compression and curve matches extensions */
  1041. if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
  1042. return 0;
  1043. if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
  1044. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
  1045. return 0;
  1046. }
  1047. /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
  1048. if (tls1_suiteb(s)) {
  1049. if (curve_id[0])
  1050. return 0;
  1051. if (curve_id[1] == TLSEXT_curve_P_256) {
  1052. if (sig[0] != TLSEXT_hash_sha256) {
  1053. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
  1054. SSL_R_ILLEGAL_SUITEB_DIGEST);
  1055. return 0;
  1056. }
  1057. } else if (curve_id[1] == TLSEXT_curve_P_384) {
  1058. if (sig[0] != TLSEXT_hash_sha384) {
  1059. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
  1060. SSL_R_ILLEGAL_SUITEB_DIGEST);
  1061. return 0;
  1062. }
  1063. } else
  1064. return 0;
  1065. }
  1066. } else if (tls1_suiteb(s))
  1067. return 0;
  1068. # endif
  1069. /* Check signature matches a type we sent */
  1070. sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
  1071. for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
  1072. if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
  1073. break;
  1074. }
  1075. /* Allow fallback to SHA1 if not strict mode */
  1076. if (i == sent_sigslen
  1077. && (sig[0] != TLSEXT_hash_sha1
  1078. || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  1079. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
  1080. return 0;
  1081. }
  1082. *pmd = tls12_get_hash(sig[0]);
  1083. if (*pmd == NULL) {
  1084. SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
  1085. return 0;
  1086. }
  1087. /*
  1088. * Store the digest used so applications can retrieve it if they wish.
  1089. */
  1090. if (s->session && s->session->sess_cert)
  1091. s->session->sess_cert->peer_key->digest = *pmd;
  1092. return 1;
  1093. }
  1094. /*
  1095. * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
  1096. * supported or doesn't appear in supported signature algorithms. Unlike
  1097. * ssl_cipher_get_disabled this applies to a specific session and not global
  1098. * settings.
  1099. */
  1100. void ssl_set_client_disabled(SSL *s)
  1101. {
  1102. CERT *c = s->cert;
  1103. const unsigned char *sigalgs;
  1104. size_t i, sigalgslen;
  1105. int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
  1106. c->mask_a = 0;
  1107. c->mask_k = 0;
  1108. /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
  1109. if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
  1110. c->mask_ssl = SSL_TLSV1_2;
  1111. else
  1112. c->mask_ssl = 0;
  1113. /*
  1114. * Now go through all signature algorithms seeing if we support any for
  1115. * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
  1116. */
  1117. sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
  1118. for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
  1119. switch (sigalgs[1]) {
  1120. # ifndef OPENSSL_NO_RSA
  1121. case TLSEXT_signature_rsa:
  1122. have_rsa = 1;
  1123. break;
  1124. # endif
  1125. # ifndef OPENSSL_NO_DSA
  1126. case TLSEXT_signature_dsa:
  1127. have_dsa = 1;
  1128. break;
  1129. # endif
  1130. # ifndef OPENSSL_NO_ECDSA
  1131. case TLSEXT_signature_ecdsa:
  1132. have_ecdsa = 1;
  1133. break;
  1134. # endif
  1135. }
  1136. }
  1137. /*
  1138. * Disable auth and static DH if we don't include any appropriate
  1139. * signature algorithms.
  1140. */
  1141. if (!have_rsa) {
  1142. c->mask_a |= SSL_aRSA;
  1143. c->mask_k |= SSL_kDHr | SSL_kECDHr;
  1144. }
  1145. if (!have_dsa) {
  1146. c->mask_a |= SSL_aDSS;
  1147. c->mask_k |= SSL_kDHd;
  1148. }
  1149. if (!have_ecdsa) {
  1150. c->mask_a |= SSL_aECDSA;
  1151. c->mask_k |= SSL_kECDHe;
  1152. }
  1153. # ifndef OPENSSL_NO_KRB5
  1154. if (!kssl_tgt_is_available(s->kssl_ctx)) {
  1155. c->mask_a |= SSL_aKRB5;
  1156. c->mask_k |= SSL_kKRB5;
  1157. }
  1158. # endif
  1159. # ifndef OPENSSL_NO_PSK
  1160. /* with PSK there must be client callback set */
  1161. if (!s->psk_client_callback) {
  1162. c->mask_a |= SSL_aPSK;
  1163. c->mask_k |= SSL_kPSK;
  1164. }
  1165. # endif /* OPENSSL_NO_PSK */
  1166. # ifndef OPENSSL_NO_SRP
  1167. if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
  1168. c->mask_a |= SSL_aSRP;
  1169. c->mask_k |= SSL_kSRP;
  1170. }
  1171. # endif
  1172. c->valid = 1;
  1173. }
  1174. unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
  1175. unsigned char *limit, int *al)
  1176. {
  1177. int extdatalen = 0;
  1178. unsigned char *orig = buf;
  1179. unsigned char *ret = buf;
  1180. # ifndef OPENSSL_NO_EC
  1181. /* See if we support any ECC ciphersuites */
  1182. int using_ecc = 0;
  1183. if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
  1184. int i;
  1185. unsigned long alg_k, alg_a;
  1186. STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
  1187. for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
  1188. SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  1189. alg_k = c->algorithm_mkey;
  1190. alg_a = c->algorithm_auth;
  1191. if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)
  1192. || (alg_a & SSL_aECDSA))) {
  1193. using_ecc = 1;
  1194. break;
  1195. }
  1196. }
  1197. }
  1198. # endif
  1199. /* don't add extensions for SSLv3 unless doing secure renegotiation */
  1200. if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
  1201. return orig;
  1202. ret += 2;
  1203. if (ret >= limit)
  1204. return NULL; /* this really never occurs, but ... */
  1205. if (s->tlsext_hostname != NULL) {
  1206. /* Add TLS extension servername to the Client Hello message */
  1207. size_t size_str;
  1208. /*-
  1209. * check for enough space.
  1210. * 4 for the servername type and entension length
  1211. * 2 for servernamelist length
  1212. * 1 for the hostname type
  1213. * 2 for hostname length
  1214. * + hostname length
  1215. */
  1216. size_str = strlen(s->tlsext_hostname);
  1217. if (CHECKLEN(ret, 9 + size_str, limit))
  1218. return NULL;
  1219. /* extension type and length */
  1220. s2n(TLSEXT_TYPE_server_name, ret);
  1221. s2n(size_str + 5, ret);
  1222. /* length of servername list */
  1223. s2n(size_str + 3, ret);
  1224. /* hostname type, length and hostname */
  1225. *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
  1226. s2n(size_str, ret);
  1227. memcpy(ret, s->tlsext_hostname, size_str);
  1228. ret += size_str;
  1229. }
  1230. /* Add RI if renegotiating */
  1231. if (s->renegotiate) {
  1232. int el;
  1233. if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
  1234. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1235. return NULL;
  1236. }
  1237. if ((limit - ret - 4 - el) < 0)
  1238. return NULL;
  1239. s2n(TLSEXT_TYPE_renegotiate, ret);
  1240. s2n(el, ret);
  1241. if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
  1242. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1243. return NULL;
  1244. }
  1245. ret += el;
  1246. }
  1247. # ifndef OPENSSL_NO_SRP
  1248. /* Add SRP username if there is one */
  1249. if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
  1250. * Client Hello message */
  1251. size_t login_len = strlen(s->srp_ctx.login);
  1252. if (login_len > 255 || login_len == 0) {
  1253. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1254. return NULL;
  1255. }
  1256. /*-
  1257. * check for enough space.
  1258. * 4 for the srp type type and entension length
  1259. * 1 for the srp user identity
  1260. * + srp user identity length
  1261. */
  1262. if (CHECKLEN(ret, 5 + login_len, limit))
  1263. return NULL;
  1264. /* fill in the extension */
  1265. s2n(TLSEXT_TYPE_srp, ret);
  1266. s2n(login_len + 1, ret);
  1267. (*ret++) = (unsigned char)login_len;
  1268. memcpy(ret, s->srp_ctx.login, login_len);
  1269. ret += login_len;
  1270. }
  1271. # endif
  1272. # ifndef OPENSSL_NO_EC
  1273. if (using_ecc) {
  1274. /*
  1275. * Add TLS extension ECPointFormats to the ClientHello message
  1276. */
  1277. const unsigned char *pcurves, *pformats;
  1278. size_t num_curves, num_formats, curves_list_len;
  1279. tls1_get_formatlist(s, &pformats, &num_formats);
  1280. if (num_formats > 255) {
  1281. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1282. return NULL;
  1283. }
  1284. /*-
  1285. * check for enough space.
  1286. * 4 bytes for the ec point formats type and extension length
  1287. * 1 byte for the length of the formats
  1288. * + formats length
  1289. */
  1290. if (CHECKLEN(ret, 5 + num_formats, limit))
  1291. return NULL;
  1292. s2n(TLSEXT_TYPE_ec_point_formats, ret);
  1293. /* The point format list has 1-byte length. */
  1294. s2n(num_formats + 1, ret);
  1295. *(ret++) = (unsigned char)num_formats;
  1296. memcpy(ret, pformats, num_formats);
  1297. ret += num_formats;
  1298. /*
  1299. * Add TLS extension EllipticCurves to the ClientHello message
  1300. */
  1301. pcurves = s->tlsext_ellipticcurvelist;
  1302. if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
  1303. return NULL;
  1304. if (num_curves > 65532 / 2) {
  1305. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1306. return NULL;
  1307. }
  1308. curves_list_len = 2 * num_curves;
  1309. /*-
  1310. * check for enough space.
  1311. * 4 bytes for the ec curves type and extension length
  1312. * 2 bytes for the curve list length
  1313. * + curve list length
  1314. */
  1315. if (CHECKLEN(ret, 6 + curves_list_len, limit))
  1316. return NULL;
  1317. s2n(TLSEXT_TYPE_elliptic_curves, ret);
  1318. s2n(curves_list_len + 2, ret);
  1319. s2n(curves_list_len, ret);
  1320. memcpy(ret, pcurves, curves_list_len);
  1321. ret += curves_list_len;
  1322. }
  1323. # endif /* OPENSSL_NO_EC */
  1324. if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
  1325. size_t ticklen;
  1326. if (!s->new_session && s->session && s->session->tlsext_tick)
  1327. ticklen = s->session->tlsext_ticklen;
  1328. else if (s->session && s->tlsext_session_ticket &&
  1329. s->tlsext_session_ticket->data) {
  1330. ticklen = s->tlsext_session_ticket->length;
  1331. s->session->tlsext_tick = OPENSSL_malloc(ticklen);
  1332. if (!s->session->tlsext_tick)
  1333. return NULL;
  1334. memcpy(s->session->tlsext_tick,
  1335. s->tlsext_session_ticket->data, ticklen);
  1336. s->session->tlsext_ticklen = ticklen;
  1337. } else
  1338. ticklen = 0;
  1339. if (ticklen == 0 && s->tlsext_session_ticket &&
  1340. s->tlsext_session_ticket->data == NULL)
  1341. goto skip_ext;
  1342. /*
  1343. * Check for enough room 2 for extension type, 2 for len rest for
  1344. * ticket
  1345. */
  1346. if (CHECKLEN(ret, 4 + ticklen, limit))
  1347. return NULL;
  1348. s2n(TLSEXT_TYPE_session_ticket, ret);
  1349. s2n(ticklen, ret);
  1350. if (ticklen > 0) {
  1351. memcpy(ret, s->session->tlsext_tick, ticklen);
  1352. ret += ticklen;
  1353. }
  1354. }
  1355. skip_ext:
  1356. if (SSL_CLIENT_USE_SIGALGS(s)) {
  1357. size_t salglen;
  1358. const unsigned char *salg;
  1359. salglen = tls12_get_psigalgs(s, 1, &salg);
  1360. /*-
  1361. * check for enough space.
  1362. * 4 bytes for the sigalgs type and extension length
  1363. * 2 bytes for the sigalg list length
  1364. * + sigalg list length
  1365. */
  1366. if (CHECKLEN(ret, salglen + 6, limit))
  1367. return NULL;
  1368. s2n(TLSEXT_TYPE_signature_algorithms, ret);
  1369. s2n(salglen + 2, ret);
  1370. s2n(salglen, ret);
  1371. memcpy(ret, salg, salglen);
  1372. ret += salglen;
  1373. }
  1374. # ifdef TLSEXT_TYPE_opaque_prf_input
  1375. if (s->s3->client_opaque_prf_input != NULL) {
  1376. size_t col = s->s3->client_opaque_prf_input_len;
  1377. if ((long)(limit - ret - 6 - col < 0))
  1378. return NULL;
  1379. if (col > 0xFFFD) /* can't happen */
  1380. return NULL;
  1381. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  1382. s2n(col + 2, ret);
  1383. s2n(col, ret);
  1384. memcpy(ret, s->s3->client_opaque_prf_input, col);
  1385. ret += col;
  1386. }
  1387. # endif
  1388. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
  1389. int i;
  1390. size_t extlen, idlen;
  1391. int lentmp;
  1392. OCSP_RESPID *id;
  1393. idlen = 0;
  1394. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
  1395. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  1396. lentmp = i2d_OCSP_RESPID(id, NULL);
  1397. if (lentmp <= 0)
  1398. return NULL;
  1399. idlen += (size_t)lentmp + 2;
  1400. }
  1401. if (s->tlsext_ocsp_exts) {
  1402. lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
  1403. if (lentmp < 0)
  1404. return NULL;
  1405. extlen = (size_t)lentmp;
  1406. } else
  1407. extlen = 0;
  1408. if (extlen + idlen > 0xFFF0)
  1409. return NULL;
  1410. /*
  1411. * 2 bytes for status request type
  1412. * 2 bytes for status request len
  1413. * 1 byte for OCSP request type
  1414. * 2 bytes for length of ids
  1415. * 2 bytes for length of extensions
  1416. * + length of ids
  1417. * + length of extensions
  1418. */
  1419. if (CHECKLEN(ret, 9 + idlen + extlen, limit))
  1420. return NULL;
  1421. s2n(TLSEXT_TYPE_status_request, ret);
  1422. s2n(extlen + idlen + 5, ret);
  1423. *(ret++) = TLSEXT_STATUSTYPE_ocsp;
  1424. s2n(idlen, ret);
  1425. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
  1426. /* save position of id len */
  1427. unsigned char *q = ret;
  1428. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  1429. /* skip over id len */
  1430. ret += 2;
  1431. lentmp = i2d_OCSP_RESPID(id, &ret);
  1432. /* write id len */
  1433. s2n(lentmp, q);
  1434. }
  1435. s2n(extlen, ret);
  1436. if (extlen > 0)
  1437. i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
  1438. }
  1439. # ifndef OPENSSL_NO_HEARTBEATS
  1440. /* Add Heartbeat extension */
  1441. /*-
  1442. * check for enough space.
  1443. * 4 bytes for the heartbeat ext type and extension length
  1444. * 1 byte for the mode
  1445. */
  1446. if (CHECKLEN(ret, 5, limit))
  1447. return NULL;
  1448. s2n(TLSEXT_TYPE_heartbeat, ret);
  1449. s2n(1, ret);
  1450. /*-
  1451. * Set mode:
  1452. * 1: peer may send requests
  1453. * 2: peer not allowed to send requests
  1454. */
  1455. if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
  1456. *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
  1457. else
  1458. *(ret++) = SSL_TLSEXT_HB_ENABLED;
  1459. # endif
  1460. # ifndef OPENSSL_NO_NEXTPROTONEG
  1461. if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
  1462. /*
  1463. * The client advertises an emtpy extension to indicate its support
  1464. * for Next Protocol Negotiation
  1465. */
  1466. /*-
  1467. * check for enough space.
  1468. * 4 bytes for the NPN ext type and extension length
  1469. */
  1470. if (CHECKLEN(ret, 4, limit))
  1471. return NULL;
  1472. s2n(TLSEXT_TYPE_next_proto_neg, ret);
  1473. s2n(0, ret);
  1474. }
  1475. # endif
  1476. if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
  1477. /*-
  1478. * check for enough space.
  1479. * 4 bytes for the ALPN type and extension length
  1480. * 2 bytes for the ALPN protocol list length
  1481. * + ALPN protocol list length
  1482. */
  1483. if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
  1484. return NULL;
  1485. s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
  1486. s2n(2 + s->alpn_client_proto_list_len, ret);
  1487. s2n(s->alpn_client_proto_list_len, ret);
  1488. memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
  1489. ret += s->alpn_client_proto_list_len;
  1490. s->cert->alpn_sent = 1;
  1491. }
  1492. # ifndef OPENSSL_NO_SRTP
  1493. if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
  1494. int el;
  1495. ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
  1496. /*-
  1497. * check for enough space.
  1498. * 4 bytes for the SRTP type and extension length
  1499. * + SRTP profiles length
  1500. */
  1501. if (CHECKLEN(ret, 4 + el, limit))
  1502. return NULL;
  1503. s2n(TLSEXT_TYPE_use_srtp, ret);
  1504. s2n(el, ret);
  1505. if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
  1506. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1507. return NULL;
  1508. }
  1509. ret += el;
  1510. }
  1511. # endif
  1512. custom_ext_init(&s->cert->cli_ext);
  1513. /* Add custom TLS Extensions to ClientHello */
  1514. if (!custom_ext_add(s, 0, &ret, limit, al))
  1515. return NULL;
  1516. /*
  1517. * Add padding to workaround bugs in F5 terminators. See
  1518. * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
  1519. * code works out the length of all existing extensions it MUST always
  1520. * appear last.
  1521. */
  1522. if (s->options & SSL_OP_TLSEXT_PADDING) {
  1523. int hlen = ret - (unsigned char *)s->init_buf->data;
  1524. /*
  1525. * The code in s23_clnt.c to build ClientHello messages includes the
  1526. * 5-byte record header in the buffer, while the code in s3_clnt.c
  1527. * does not.
  1528. */
  1529. if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
  1530. hlen -= 5;
  1531. if (hlen > 0xff && hlen < 0x200) {
  1532. hlen = 0x200 - hlen;
  1533. if (hlen >= 4)
  1534. hlen -= 4;
  1535. else
  1536. hlen = 0;
  1537. /*-
  1538. * check for enough space. Strictly speaking we know we've already
  1539. * got enough space because to get here the message size is < 0x200,
  1540. * but we know that we've allocated far more than that in the buffer
  1541. * - but for consistency and robustness we're going to check anyway.
  1542. *
  1543. * 4 bytes for the padding type and extension length
  1544. * + padding length
  1545. */
  1546. if (CHECKLEN(ret, 4 + hlen, limit))
  1547. return NULL;
  1548. s2n(TLSEXT_TYPE_padding, ret);
  1549. s2n(hlen, ret);
  1550. memset(ret, 0, hlen);
  1551. ret += hlen;
  1552. }
  1553. }
  1554. if ((extdatalen = ret - orig - 2) == 0)
  1555. return orig;
  1556. s2n(extdatalen, orig);
  1557. return ret;
  1558. }
  1559. unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
  1560. unsigned char *limit, int *al)
  1561. {
  1562. int extdatalen = 0;
  1563. unsigned char *orig = buf;
  1564. unsigned char *ret = buf;
  1565. # ifndef OPENSSL_NO_NEXTPROTONEG
  1566. int next_proto_neg_seen;
  1567. # endif
  1568. # ifndef OPENSSL_NO_EC
  1569. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1570. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1571. int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
  1572. || (alg_a & SSL_aECDSA);
  1573. using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
  1574. # endif
  1575. /*
  1576. * don't add extensions for SSLv3, unless doing secure renegotiation
  1577. */
  1578. if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
  1579. return orig;
  1580. ret += 2;
  1581. if (ret >= limit)
  1582. return NULL; /* this really never occurs, but ... */
  1583. if (!s->hit && s->servername_done == 1
  1584. && s->session->tlsext_hostname != NULL) {
  1585. if ((long)(limit - ret - 4) < 0)
  1586. return NULL;
  1587. s2n(TLSEXT_TYPE_server_name, ret);
  1588. s2n(0, ret);
  1589. }
  1590. if (s->s3->send_connection_binding) {
  1591. int el;
  1592. if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
  1593. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1594. return NULL;
  1595. }
  1596. /*-
  1597. * check for enough space.
  1598. * 4 bytes for the reneg type and extension length
  1599. * + reneg data length
  1600. */
  1601. if (CHECKLEN(ret, 4 + el, limit))
  1602. return NULL;
  1603. s2n(TLSEXT_TYPE_renegotiate, ret);
  1604. s2n(el, ret);
  1605. if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
  1606. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1607. return NULL;
  1608. }
  1609. ret += el;
  1610. }
  1611. # ifndef OPENSSL_NO_EC
  1612. if (using_ecc) {
  1613. const unsigned char *plist;
  1614. size_t plistlen;
  1615. /*
  1616. * Add TLS extension ECPointFormats to the ServerHello message
  1617. */
  1618. tls1_get_formatlist(s, &plist, &plistlen);
  1619. if (plistlen > 255) {
  1620. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1621. return NULL;
  1622. }
  1623. /*-
  1624. * check for enough space.
  1625. * 4 bytes for the ec points format type and extension length
  1626. * 1 byte for the points format list length
  1627. * + length of points format list
  1628. */
  1629. if (CHECKLEN(ret, 5 + plistlen, limit))
  1630. return NULL;
  1631. s2n(TLSEXT_TYPE_ec_point_formats, ret);
  1632. s2n(plistlen + 1, ret);
  1633. *(ret++) = (unsigned char)plistlen;
  1634. memcpy(ret, plist, plistlen);
  1635. ret += plistlen;
  1636. }
  1637. /*
  1638. * Currently the server should not respond with a SupportedCurves
  1639. * extension
  1640. */
  1641. # endif /* OPENSSL_NO_EC */
  1642. if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
  1643. /*-
  1644. * check for enough space.
  1645. * 4 bytes for the Ticket type and extension length
  1646. */
  1647. if (CHECKLEN(ret, 4, limit))
  1648. return NULL;
  1649. s2n(TLSEXT_TYPE_session_ticket, ret);
  1650. s2n(0, ret);
  1651. } else {
  1652. /* if we don't add the above TLSEXT, we can't add a session ticket later */
  1653. s->tlsext_ticket_expected = 0;
  1654. }
  1655. if (s->tlsext_status_expected) {
  1656. /*-
  1657. * check for enough space.
  1658. * 4 bytes for the Status request type and extension length
  1659. */
  1660. if (CHECKLEN(ret, 4, limit))
  1661. return NULL;
  1662. s2n(TLSEXT_TYPE_status_request, ret);
  1663. s2n(0, ret);
  1664. }
  1665. # ifdef TLSEXT_TYPE_opaque_prf_input
  1666. if (s->s3->server_opaque_prf_input != NULL) {
  1667. size_t sol = s->s3->server_opaque_prf_input_len;
  1668. if ((long)(limit - ret - 6 - sol) < 0)
  1669. return NULL;
  1670. if (sol > 0xFFFD) /* can't happen */
  1671. return NULL;
  1672. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  1673. s2n(sol + 2, ret);
  1674. s2n(sol, ret);
  1675. memcpy(ret, s->s3->server_opaque_prf_input, sol);
  1676. ret += sol;
  1677. }
  1678. # endif
  1679. # ifndef OPENSSL_NO_SRTP
  1680. if (SSL_IS_DTLS(s) && s->srtp_profile) {
  1681. int el;
  1682. ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
  1683. /*-
  1684. * check for enough space.
  1685. * 4 bytes for the SRTP profiles type and extension length
  1686. * + length of the SRTP profiles list
  1687. */
  1688. if (CHECKLEN(ret, 4 + el, limit))
  1689. return NULL;
  1690. s2n(TLSEXT_TYPE_use_srtp, ret);
  1691. s2n(el, ret);
  1692. if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
  1693. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  1694. return NULL;
  1695. }
  1696. ret += el;
  1697. }
  1698. # endif
  1699. if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
  1700. || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
  1701. && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
  1702. const unsigned char cryptopro_ext[36] = {
  1703. 0xfd, 0xe8, /* 65000 */
  1704. 0x00, 0x20, /* 32 bytes length */
  1705. 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
  1706. 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
  1707. 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
  1708. 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
  1709. };
  1710. /* check for enough space. */
  1711. if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
  1712. return NULL;
  1713. memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
  1714. ret += sizeof(cryptopro_ext);
  1715. }
  1716. # ifndef OPENSSL_NO_HEARTBEATS
  1717. /* Add Heartbeat extension if we've received one */
  1718. if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
  1719. /*-
  1720. * check for enough space.
  1721. * 4 bytes for the Heartbeat type and extension length
  1722. * 1 byte for the mode
  1723. */
  1724. if (CHECKLEN(ret, 5, limit))
  1725. return NULL;
  1726. s2n(TLSEXT_TYPE_heartbeat, ret);
  1727. s2n(1, ret);
  1728. /*-
  1729. * Set mode:
  1730. * 1: peer may send requests
  1731. * 2: peer not allowed to send requests
  1732. */
  1733. if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
  1734. *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
  1735. else
  1736. *(ret++) = SSL_TLSEXT_HB_ENABLED;
  1737. }
  1738. # endif
  1739. # ifndef OPENSSL_NO_NEXTPROTONEG
  1740. next_proto_neg_seen = s->s3->next_proto_neg_seen;
  1741. s->s3->next_proto_neg_seen = 0;
  1742. if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
  1743. const unsigned char *npa;
  1744. unsigned int npalen;
  1745. int r;
  1746. r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
  1747. s->
  1748. ctx->next_protos_advertised_cb_arg);
  1749. if (r == SSL_TLSEXT_ERR_OK) {
  1750. /*-
  1751. * check for enough space.
  1752. * 4 bytes for the NPN type and extension length
  1753. * + length of protocols list
  1754. */
  1755. if (CHECKLEN(ret, 4 + npalen, limit))
  1756. return NULL;
  1757. s2n(TLSEXT_TYPE_next_proto_neg, ret);
  1758. s2n(npalen, ret);
  1759. memcpy(ret, npa, npalen);
  1760. ret += npalen;
  1761. s->s3->next_proto_neg_seen = 1;
  1762. }
  1763. }
  1764. # endif
  1765. if (!custom_ext_add(s, 1, &ret, limit, al))
  1766. return NULL;
  1767. if (s->s3->alpn_selected) {
  1768. const unsigned char *selected = s->s3->alpn_selected;
  1769. size_t len = s->s3->alpn_selected_len;
  1770. /*-
  1771. * check for enough space.
  1772. * 4 bytes for the ALPN type and extension length
  1773. * 2 bytes for ALPN data length
  1774. * 1 byte for selected protocol length
  1775. * + length of the selected protocol
  1776. */
  1777. if (CHECKLEN(ret, 7 + len, limit))
  1778. return NULL;
  1779. s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
  1780. s2n(3 + len, ret);
  1781. s2n(1 + len, ret);
  1782. *ret++ = len;
  1783. memcpy(ret, selected, len);
  1784. ret += len;
  1785. }
  1786. if ((extdatalen = ret - orig - 2) == 0)
  1787. return orig;
  1788. s2n(extdatalen, orig);
  1789. return ret;
  1790. }
  1791. # ifndef OPENSSL_NO_EC
  1792. /*-
  1793. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1794. * SecureTransport using the TLS extension block in |d|, of length |n|.
  1795. * Safari, since 10.6, sends exactly these extensions, in this order:
  1796. * SNI,
  1797. * elliptic_curves
  1798. * ec_point_formats
  1799. *
  1800. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1801. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1802. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1803. * 10.8..10.8.3 (which don't work).
  1804. */
  1805. static void ssl_check_for_safari(SSL *s, const unsigned char *data,
  1806. const unsigned char *limit)
  1807. {
  1808. unsigned short type, size;
  1809. static const unsigned char kSafariExtensionsBlock[] = {
  1810. 0x00, 0x0a, /* elliptic_curves extension */
  1811. 0x00, 0x08, /* 8 bytes */
  1812. 0x00, 0x06, /* 6 bytes of curve ids */
  1813. 0x00, 0x17, /* P-256 */
  1814. 0x00, 0x18, /* P-384 */
  1815. 0x00, 0x19, /* P-521 */
  1816. 0x00, 0x0b, /* ec_point_formats */
  1817. 0x00, 0x02, /* 2 bytes */
  1818. 0x01, /* 1 point format */
  1819. 0x00, /* uncompressed */
  1820. };
  1821. /* The following is only present in TLS 1.2 */
  1822. static const unsigned char kSafariTLS12ExtensionsBlock[] = {
  1823. 0x00, 0x0d, /* signature_algorithms */
  1824. 0x00, 0x0c, /* 12 bytes */
  1825. 0x00, 0x0a, /* 10 bytes */
  1826. 0x05, 0x01, /* SHA-384/RSA */
  1827. 0x04, 0x01, /* SHA-256/RSA */
  1828. 0x02, 0x01, /* SHA-1/RSA */
  1829. 0x04, 0x03, /* SHA-256/ECDSA */
  1830. 0x02, 0x03, /* SHA-1/ECDSA */
  1831. };
  1832. if (limit - data <= 2)
  1833. return;
  1834. data += 2;
  1835. if (limit - data < 4)
  1836. return;
  1837. n2s(data, type);
  1838. n2s(data, size);
  1839. if (type != TLSEXT_TYPE_server_name)
  1840. return;
  1841. if (limit - data < size)
  1842. return;
  1843. data += size;
  1844. if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
  1845. const size_t len1 = sizeof(kSafariExtensionsBlock);
  1846. const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
  1847. if (limit - data != (int)(len1 + len2))
  1848. return;
  1849. if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
  1850. return;
  1851. if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
  1852. return;
  1853. } else {
  1854. const size_t len = sizeof(kSafariExtensionsBlock);
  1855. if (limit - data != (int)(len))
  1856. return;
  1857. if (memcmp(data, kSafariExtensionsBlock, len) != 0)
  1858. return;
  1859. }
  1860. s->s3->is_probably_safari = 1;
  1861. }
  1862. # endif /* !OPENSSL_NO_EC */
  1863. /*
  1864. * tls1_alpn_handle_client_hello is called to save the ALPN extension in a
  1865. * ClientHello. data: the contents of the extension, not including the type
  1866. * and length. data_len: the number of bytes in |data| al: a pointer to the
  1867. * alert value to send in the event of a non-zero return. returns: 0 on
  1868. * success.
  1869. */
  1870. static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
  1871. unsigned data_len, int *al)
  1872. {
  1873. unsigned i;
  1874. unsigned proto_len;
  1875. if (data_len < 2)
  1876. goto parse_error;
  1877. /*
  1878. * data should contain a uint16 length followed by a series of 8-bit,
  1879. * length-prefixed strings.
  1880. */
  1881. i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
  1882. data_len -= 2;
  1883. data += 2;
  1884. if (data_len != i)
  1885. goto parse_error;
  1886. if (data_len < 2)
  1887. goto parse_error;
  1888. for (i = 0; i < data_len;) {
  1889. proto_len = data[i];
  1890. i++;
  1891. if (proto_len == 0)
  1892. goto parse_error;
  1893. if (i + proto_len < i || i + proto_len > data_len)
  1894. goto parse_error;
  1895. i += proto_len;
  1896. }
  1897. if (s->cert->alpn_proposed != NULL)
  1898. OPENSSL_free(s->cert->alpn_proposed);
  1899. s->cert->alpn_proposed = OPENSSL_malloc(data_len);
  1900. if (s->cert->alpn_proposed == NULL) {
  1901. *al = SSL_AD_INTERNAL_ERROR;
  1902. return -1;
  1903. }
  1904. memcpy(s->cert->alpn_proposed, data, data_len);
  1905. s->cert->alpn_proposed_len = data_len;
  1906. return 0;
  1907. parse_error:
  1908. *al = SSL_AD_DECODE_ERROR;
  1909. return -1;
  1910. }
  1911. /*
  1912. * Process the ALPN extension in a ClientHello.
  1913. * al: a pointer to the alert value to send in the event of a failure.
  1914. * returns 1 on success, 0 on failure: al set only on failure
  1915. */
  1916. static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
  1917. {
  1918. const unsigned char *selected = NULL;
  1919. unsigned char selected_len = 0;
  1920. if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) {
  1921. int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
  1922. s->cert->alpn_proposed,
  1923. s->cert->alpn_proposed_len,
  1924. s->ctx->alpn_select_cb_arg);
  1925. if (r == SSL_TLSEXT_ERR_OK) {
  1926. OPENSSL_free(s->s3->alpn_selected);
  1927. s->s3->alpn_selected = OPENSSL_malloc(selected_len);
  1928. if (s->s3->alpn_selected == NULL) {
  1929. *al = SSL_AD_INTERNAL_ERROR;
  1930. return 0;
  1931. }
  1932. memcpy(s->s3->alpn_selected, selected, selected_len);
  1933. s->s3->alpn_selected_len = selected_len;
  1934. # ifndef OPENSSL_NO_NEXTPROTONEG
  1935. /* ALPN takes precedence over NPN. */
  1936. s->s3->next_proto_neg_seen = 0;
  1937. # endif
  1938. }
  1939. }
  1940. return 1;
  1941. }
  1942. static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  1943. unsigned char *limit, int *al)
  1944. {
  1945. unsigned short type;
  1946. unsigned short size;
  1947. unsigned short len;
  1948. unsigned char *data = *p;
  1949. int renegotiate_seen = 0;
  1950. s->servername_done = 0;
  1951. s->tlsext_status_type = -1;
  1952. # ifndef OPENSSL_NO_NEXTPROTONEG
  1953. s->s3->next_proto_neg_seen = 0;
  1954. # endif
  1955. if (s->s3->alpn_selected) {
  1956. OPENSSL_free(s->s3->alpn_selected);
  1957. s->s3->alpn_selected = NULL;
  1958. }
  1959. s->s3->alpn_selected_len = 0;
  1960. if (s->cert->alpn_proposed) {
  1961. OPENSSL_free(s->cert->alpn_proposed);
  1962. s->cert->alpn_proposed = NULL;
  1963. }
  1964. s->cert->alpn_proposed_len = 0;
  1965. # ifndef OPENSSL_NO_HEARTBEATS
  1966. s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
  1967. SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
  1968. # endif
  1969. # ifndef OPENSSL_NO_EC
  1970. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1971. ssl_check_for_safari(s, data, limit);
  1972. # endif /* !OPENSSL_NO_EC */
  1973. /* Clear any signature algorithms extension received */
  1974. if (s->cert->peer_sigalgs) {
  1975. OPENSSL_free(s->cert->peer_sigalgs);
  1976. s->cert->peer_sigalgs = NULL;
  1977. }
  1978. # ifndef OPENSSL_NO_SRP
  1979. if (s->srp_ctx.login != NULL) {
  1980. OPENSSL_free(s->srp_ctx.login);
  1981. s->srp_ctx.login = NULL;
  1982. }
  1983. # endif
  1984. s->srtp_profile = NULL;
  1985. if (data == limit)
  1986. goto ri_check;
  1987. if (limit - data < 2)
  1988. goto err;
  1989. n2s(data, len);
  1990. if (limit - data != len)
  1991. goto err;
  1992. while (limit - data >= 4) {
  1993. n2s(data, type);
  1994. n2s(data, size);
  1995. if (limit - data < size)
  1996. goto err;
  1997. # if 0
  1998. fprintf(stderr, "Received extension type %d size %d\n", type, size);
  1999. # endif
  2000. if (s->tlsext_debug_cb)
  2001. s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
  2002. /*-
  2003. * The servername extension is treated as follows:
  2004. *
  2005. * - Only the hostname type is supported with a maximum length of 255.
  2006. * - The servername is rejected if too long or if it contains zeros,
  2007. * in which case an fatal alert is generated.
  2008. * - The servername field is maintained together with the session cache.
  2009. * - When a session is resumed, the servername call back invoked in order
  2010. * to allow the application to position itself to the right context.
  2011. * - The servername is acknowledged if it is new for a session or when
  2012. * it is identical to a previously used for the same session.
  2013. * Applications can control the behaviour. They can at any time
  2014. * set a 'desirable' servername for a new SSL object. This can be the
  2015. * case for example with HTTPS when a Host: header field is received and
  2016. * a renegotiation is requested. In this case, a possible servername
  2017. * presented in the new client hello is only acknowledged if it matches
  2018. * the value of the Host: field.
  2019. * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  2020. * if they provide for changing an explicit servername context for the
  2021. * session, i.e. when the session has been established with a servername
  2022. * extension.
  2023. * - On session reconnect, the servername extension may be absent.
  2024. *
  2025. */
  2026. if (type == TLSEXT_TYPE_server_name) {
  2027. unsigned char *sdata;
  2028. int servname_type;
  2029. int dsize;
  2030. if (size < 2)
  2031. goto err;
  2032. n2s(data, dsize);
  2033. size -= 2;
  2034. if (dsize > size)
  2035. goto err;
  2036. sdata = data;
  2037. while (dsize > 3) {
  2038. servname_type = *(sdata++);
  2039. n2s(sdata, len);
  2040. dsize -= 3;
  2041. if (len > dsize)
  2042. goto err;
  2043. if (s->servername_done == 0)
  2044. switch (servname_type) {
  2045. case TLSEXT_NAMETYPE_host_name:
  2046. if (!s->hit) {
  2047. if (s->session->tlsext_hostname)
  2048. goto err;
  2049. if (len > TLSEXT_MAXLEN_host_name) {
  2050. *al = TLS1_AD_UNRECOGNIZED_NAME;
  2051. return 0;
  2052. }
  2053. if ((s->session->tlsext_hostname =
  2054. OPENSSL_malloc(len + 1)) == NULL) {
  2055. *al = TLS1_AD_INTERNAL_ERROR;
  2056. return 0;
  2057. }
  2058. memcpy(s->session->tlsext_hostname, sdata, len);
  2059. s->session->tlsext_hostname[len] = '\0';
  2060. if (strlen(s->session->tlsext_hostname) != len) {
  2061. OPENSSL_free(s->session->tlsext_hostname);
  2062. s->session->tlsext_hostname = NULL;
  2063. *al = TLS1_AD_UNRECOGNIZED_NAME;
  2064. return 0;
  2065. }
  2066. s->servername_done = 1;
  2067. } else
  2068. s->servername_done = s->session->tlsext_hostname
  2069. && strlen(s->session->tlsext_hostname) == len
  2070. && strncmp(s->session->tlsext_hostname,
  2071. (char *)sdata, len) == 0;
  2072. break;
  2073. default:
  2074. break;
  2075. }
  2076. dsize -= len;
  2077. }
  2078. if (dsize != 0)
  2079. goto err;
  2080. }
  2081. # ifndef OPENSSL_NO_SRP
  2082. else if (type == TLSEXT_TYPE_srp) {
  2083. if (size == 0 || ((len = data[0])) != (size - 1))
  2084. goto err;
  2085. if (s->srp_ctx.login != NULL)
  2086. goto err;
  2087. if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
  2088. return -1;
  2089. memcpy(s->srp_ctx.login, &data[1], len);
  2090. s->srp_ctx.login[len] = '\0';
  2091. if (strlen(s->srp_ctx.login) != len)
  2092. goto err;
  2093. }
  2094. # endif
  2095. # ifndef OPENSSL_NO_EC
  2096. else if (type == TLSEXT_TYPE_ec_point_formats) {
  2097. unsigned char *sdata = data;
  2098. int ecpointformatlist_length = *(sdata++);
  2099. if (ecpointformatlist_length != size - 1 ||
  2100. ecpointformatlist_length < 1)
  2101. goto err;
  2102. if (!s->hit) {
  2103. if (s->session->tlsext_ecpointformatlist) {
  2104. OPENSSL_free(s->session->tlsext_ecpointformatlist);
  2105. s->session->tlsext_ecpointformatlist = NULL;
  2106. }
  2107. s->session->tlsext_ecpointformatlist_length = 0;
  2108. if ((s->session->tlsext_ecpointformatlist =
  2109. OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
  2110. *al = TLS1_AD_INTERNAL_ERROR;
  2111. return 0;
  2112. }
  2113. s->session->tlsext_ecpointformatlist_length =
  2114. ecpointformatlist_length;
  2115. memcpy(s->session->tlsext_ecpointformatlist, sdata,
  2116. ecpointformatlist_length);
  2117. }
  2118. # if 0
  2119. fprintf(stderr,
  2120. "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
  2121. s->session->tlsext_ecpointformatlist_length);
  2122. sdata = s->session->tlsext_ecpointformatlist;
  2123. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  2124. fprintf(stderr, "%i ", *(sdata++));
  2125. fprintf(stderr, "\n");
  2126. # endif
  2127. } else if (type == TLSEXT_TYPE_elliptic_curves) {
  2128. unsigned char *sdata = data;
  2129. int ellipticcurvelist_length = (*(sdata++) << 8);
  2130. ellipticcurvelist_length += (*(sdata++));
  2131. if (ellipticcurvelist_length != size - 2 ||
  2132. ellipticcurvelist_length < 1 ||
  2133. /* Each NamedCurve is 2 bytes. */
  2134. ellipticcurvelist_length & 1)
  2135. goto err;
  2136. if (!s->hit) {
  2137. if (s->session->tlsext_ellipticcurvelist)
  2138. goto err;
  2139. s->session->tlsext_ellipticcurvelist_length = 0;
  2140. if ((s->session->tlsext_ellipticcurvelist =
  2141. OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
  2142. *al = TLS1_AD_INTERNAL_ERROR;
  2143. return 0;
  2144. }
  2145. s->session->tlsext_ellipticcurvelist_length =
  2146. ellipticcurvelist_length;
  2147. memcpy(s->session->tlsext_ellipticcurvelist, sdata,
  2148. ellipticcurvelist_length);
  2149. }
  2150. # if 0
  2151. fprintf(stderr,
  2152. "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
  2153. s->session->tlsext_ellipticcurvelist_length);
  2154. sdata = s->session->tlsext_ellipticcurvelist;
  2155. for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
  2156. fprintf(stderr, "%i ", *(sdata++));
  2157. fprintf(stderr, "\n");
  2158. # endif
  2159. }
  2160. # endif /* OPENSSL_NO_EC */
  2161. # ifdef TLSEXT_TYPE_opaque_prf_input
  2162. else if (type == TLSEXT_TYPE_opaque_prf_input) {
  2163. unsigned char *sdata = data;
  2164. if (size < 2) {
  2165. *al = SSL_AD_DECODE_ERROR;
  2166. return 0;
  2167. }
  2168. n2s(sdata, s->s3->client_opaque_prf_input_len);
  2169. if (s->s3->client_opaque_prf_input_len != size - 2) {
  2170. *al = SSL_AD_DECODE_ERROR;
  2171. return 0;
  2172. }
  2173. if (s->s3->client_opaque_prf_input != NULL) {
  2174. /* shouldn't really happen */
  2175. OPENSSL_free(s->s3->client_opaque_prf_input);
  2176. }
  2177. /* dummy byte just to get non-NULL */
  2178. if (s->s3->client_opaque_prf_input_len == 0)
  2179. s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
  2180. else
  2181. s->s3->client_opaque_prf_input =
  2182. BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
  2183. if (s->s3->client_opaque_prf_input == NULL) {
  2184. *al = TLS1_AD_INTERNAL_ERROR;
  2185. return 0;
  2186. }
  2187. }
  2188. # endif
  2189. else if (type == TLSEXT_TYPE_session_ticket) {
  2190. if (s->tls_session_ticket_ext_cb &&
  2191. !s->tls_session_ticket_ext_cb(s, data, size,
  2192. s->tls_session_ticket_ext_cb_arg))
  2193. {
  2194. *al = TLS1_AD_INTERNAL_ERROR;
  2195. return 0;
  2196. }
  2197. } else if (type == TLSEXT_TYPE_renegotiate) {
  2198. if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
  2199. return 0;
  2200. renegotiate_seen = 1;
  2201. } else if (type == TLSEXT_TYPE_signature_algorithms) {
  2202. int dsize;
  2203. if (s->cert->peer_sigalgs || size < 2)
  2204. goto err;
  2205. n2s(data, dsize);
  2206. size -= 2;
  2207. if (dsize != size || dsize & 1 || !dsize)
  2208. goto err;
  2209. if (!tls1_save_sigalgs(s, data, dsize))
  2210. goto err;
  2211. } else if (type == TLSEXT_TYPE_status_request) {
  2212. if (size < 5)
  2213. goto err;
  2214. s->tlsext_status_type = *data++;
  2215. size--;
  2216. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
  2217. const unsigned char *sdata;
  2218. int dsize;
  2219. /* Read in responder_id_list */
  2220. n2s(data, dsize);
  2221. size -= 2;
  2222. if (dsize > size)
  2223. goto err;
  2224. /*
  2225. * We remove any OCSP_RESPIDs from a previous handshake
  2226. * to prevent unbounded memory growth - CVE-2016-6304
  2227. */
  2228. sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
  2229. OCSP_RESPID_free);
  2230. if (dsize > 0) {
  2231. s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
  2232. if (s->tlsext_ocsp_ids == NULL) {
  2233. *al = SSL_AD_INTERNAL_ERROR;
  2234. return 0;
  2235. }
  2236. } else {
  2237. s->tlsext_ocsp_ids = NULL;
  2238. }
  2239. while (dsize > 0) {
  2240. OCSP_RESPID *id;
  2241. int idsize;
  2242. if (dsize < 4)
  2243. goto err;
  2244. n2s(data, idsize);
  2245. dsize -= 2 + idsize;
  2246. size -= 2 + idsize;
  2247. if (dsize < 0)
  2248. goto err;
  2249. sdata = data;
  2250. data += idsize;
  2251. id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
  2252. if (!id)
  2253. goto err;
  2254. if (data != sdata) {
  2255. OCSP_RESPID_free(id);
  2256. goto err;
  2257. }
  2258. if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
  2259. OCSP_RESPID_free(id);
  2260. *al = SSL_AD_INTERNAL_ERROR;
  2261. return 0;
  2262. }
  2263. }
  2264. /* Read in request_extensions */
  2265. if (size < 2)
  2266. goto err;
  2267. n2s(data, dsize);
  2268. size -= 2;
  2269. if (dsize != size)
  2270. goto err;
  2271. sdata = data;
  2272. if (dsize > 0) {
  2273. if (s->tlsext_ocsp_exts) {
  2274. sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
  2275. X509_EXTENSION_free);
  2276. }
  2277. s->tlsext_ocsp_exts =
  2278. d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
  2279. if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
  2280. goto err;
  2281. }
  2282. }
  2283. /*
  2284. * We don't know what to do with any other type * so ignore it.
  2285. */
  2286. else
  2287. s->tlsext_status_type = -1;
  2288. }
  2289. # ifndef OPENSSL_NO_HEARTBEATS
  2290. else if (type == TLSEXT_TYPE_heartbeat) {
  2291. switch (data[0]) {
  2292. case 0x01: /* Client allows us to send HB requests */
  2293. s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
  2294. break;
  2295. case 0x02: /* Client doesn't accept HB requests */
  2296. s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
  2297. s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
  2298. break;
  2299. default:
  2300. *al = SSL_AD_ILLEGAL_PARAMETER;
  2301. return 0;
  2302. }
  2303. }
  2304. # endif
  2305. # ifndef OPENSSL_NO_NEXTPROTONEG
  2306. else if (type == TLSEXT_TYPE_next_proto_neg &&
  2307. s->s3->tmp.finish_md_len == 0) {
  2308. /*-
  2309. * We shouldn't accept this extension on a
  2310. * renegotiation.
  2311. *
  2312. * s->new_session will be set on renegotiation, but we
  2313. * probably shouldn't rely that it couldn't be set on
  2314. * the initial renegotation too in certain cases (when
  2315. * there's some other reason to disallow resuming an
  2316. * earlier session -- the current code won't be doing
  2317. * anything like that, but this might change).
  2318. *
  2319. * A valid sign that there's been a previous handshake
  2320. * in this connection is if s->s3->tmp.finish_md_len >
  2321. * 0. (We are talking about a check that will happen
  2322. * in the Hello protocol round, well before a new
  2323. * Finished message could have been computed.)
  2324. */
  2325. s->s3->next_proto_neg_seen = 1;
  2326. }
  2327. # endif
  2328. else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
  2329. s->s3->tmp.finish_md_len == 0) {
  2330. if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
  2331. return 0;
  2332. }
  2333. /* session ticket processed earlier */
  2334. # ifndef OPENSSL_NO_SRTP
  2335. else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
  2336. && type == TLSEXT_TYPE_use_srtp) {
  2337. if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
  2338. return 0;
  2339. }
  2340. # endif
  2341. data += size;
  2342. }
  2343. /* Spurious data on the end */
  2344. if (data != limit)
  2345. goto err;
  2346. *p = data;
  2347. ri_check:
  2348. /* Need RI if renegotiating */
  2349. if (!renegotiate_seen && s->renegotiate &&
  2350. !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
  2351. *al = SSL_AD_HANDSHAKE_FAILURE;
  2352. SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
  2353. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  2354. return 0;
  2355. }
  2356. return 1;
  2357. err:
  2358. *al = SSL_AD_DECODE_ERROR;
  2359. return 0;
  2360. }
  2361. /*
  2362. * Parse any custom extensions found. "data" is the start of the extension data
  2363. * and "limit" is the end of the record. TODO: add strict syntax checking.
  2364. */
  2365. static int ssl_scan_clienthello_custom_tlsext(SSL *s,
  2366. const unsigned char *data,
  2367. const unsigned char *limit,
  2368. int *al)
  2369. {
  2370. unsigned short type, size, len;
  2371. /* If resumed session or no custom extensions nothing to do */
  2372. if (s->hit || s->cert->srv_ext.meths_count == 0)
  2373. return 1;
  2374. if (limit - data <= 2)
  2375. return 1;
  2376. n2s(data, len);
  2377. if (limit - data < len)
  2378. return 1;
  2379. while (limit - data >= 4) {
  2380. n2s(data, type);
  2381. n2s(data, size);
  2382. if (limit - data < size)
  2383. return 1;
  2384. if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
  2385. return 0;
  2386. data += size;
  2387. }
  2388. return 1;
  2389. }
  2390. int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
  2391. unsigned char *limit)
  2392. {
  2393. int al = -1;
  2394. unsigned char *ptmp = *p;
  2395. /*
  2396. * Internally supported extensions are parsed first so SNI can be handled
  2397. * before custom extensions. An application processing SNI will typically
  2398. * switch the parent context using SSL_set_SSL_CTX and custom extensions
  2399. * need to be handled by the new SSL_CTX structure.
  2400. */
  2401. if (ssl_scan_clienthello_tlsext(s, p, limit, &al) <= 0) {
  2402. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2403. return 0;
  2404. }
  2405. if (ssl_check_clienthello_tlsext_early(s) <= 0) {
  2406. SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
  2407. return 0;
  2408. }
  2409. custom_ext_init(&s->cert->srv_ext);
  2410. if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
  2411. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2412. return 0;
  2413. }
  2414. return 1;
  2415. }
  2416. # ifndef OPENSSL_NO_NEXTPROTONEG
  2417. /*
  2418. * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  2419. * elements of zero length are allowed and the set of elements must exactly
  2420. * fill the length of the block.
  2421. */
  2422. static char ssl_next_proto_validate(unsigned char *d, unsigned len)
  2423. {
  2424. unsigned int off = 0;
  2425. while (off < len) {
  2426. if (d[off] == 0)
  2427. return 0;
  2428. off += d[off];
  2429. off++;
  2430. }
  2431. return off == len;
  2432. }
  2433. # endif
  2434. static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
  2435. unsigned char *d, int n, int *al)
  2436. {
  2437. unsigned short length;
  2438. unsigned short type;
  2439. unsigned short size;
  2440. unsigned char *data = *p;
  2441. int tlsext_servername = 0;
  2442. int renegotiate_seen = 0;
  2443. # ifndef OPENSSL_NO_NEXTPROTONEG
  2444. s->s3->next_proto_neg_seen = 0;
  2445. # endif
  2446. s->tlsext_ticket_expected = 0;
  2447. if (s->s3->alpn_selected) {
  2448. OPENSSL_free(s->s3->alpn_selected);
  2449. s->s3->alpn_selected = NULL;
  2450. }
  2451. # ifndef OPENSSL_NO_HEARTBEATS
  2452. s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
  2453. SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
  2454. # endif
  2455. if ((d + n) - data <= 2)
  2456. goto ri_check;
  2457. n2s(data, length);
  2458. if ((d + n) - data != length) {
  2459. *al = SSL_AD_DECODE_ERROR;
  2460. return 0;
  2461. }
  2462. while ((d + n) - data >= 4) {
  2463. n2s(data, type);
  2464. n2s(data, size);
  2465. if ((d + n) - data < size)
  2466. goto ri_check;
  2467. if (s->tlsext_debug_cb)
  2468. s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
  2469. if (type == TLSEXT_TYPE_server_name) {
  2470. if (s->tlsext_hostname == NULL || size > 0) {
  2471. *al = TLS1_AD_UNRECOGNIZED_NAME;
  2472. return 0;
  2473. }
  2474. tlsext_servername = 1;
  2475. }
  2476. # ifndef OPENSSL_NO_EC
  2477. else if (type == TLSEXT_TYPE_ec_point_formats) {
  2478. unsigned char *sdata = data;
  2479. int ecpointformatlist_length = *(sdata++);
  2480. if (ecpointformatlist_length != size - 1) {
  2481. *al = TLS1_AD_DECODE_ERROR;
  2482. return 0;
  2483. }
  2484. if (!s->hit) {
  2485. s->session->tlsext_ecpointformatlist_length = 0;
  2486. if (s->session->tlsext_ecpointformatlist != NULL)
  2487. OPENSSL_free(s->session->tlsext_ecpointformatlist);
  2488. if ((s->session->tlsext_ecpointformatlist =
  2489. OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
  2490. *al = TLS1_AD_INTERNAL_ERROR;
  2491. return 0;
  2492. }
  2493. s->session->tlsext_ecpointformatlist_length =
  2494. ecpointformatlist_length;
  2495. memcpy(s->session->tlsext_ecpointformatlist, sdata,
  2496. ecpointformatlist_length);
  2497. }
  2498. # if 0
  2499. fprintf(stderr,
  2500. "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
  2501. sdata = s->session->tlsext_ecpointformatlist;
  2502. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  2503. fprintf(stderr, "%i ", *(sdata++));
  2504. fprintf(stderr, "\n");
  2505. # endif
  2506. }
  2507. # endif /* OPENSSL_NO_EC */
  2508. else if (type == TLSEXT_TYPE_session_ticket) {
  2509. if (s->tls_session_ticket_ext_cb &&
  2510. !s->tls_session_ticket_ext_cb(s, data, size,
  2511. s->tls_session_ticket_ext_cb_arg))
  2512. {
  2513. *al = TLS1_AD_INTERNAL_ERROR;
  2514. return 0;
  2515. }
  2516. if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
  2517. || (size > 0)) {
  2518. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  2519. return 0;
  2520. }
  2521. s->tlsext_ticket_expected = 1;
  2522. }
  2523. # ifdef TLSEXT_TYPE_opaque_prf_input
  2524. else if (type == TLSEXT_TYPE_opaque_prf_input) {
  2525. unsigned char *sdata = data;
  2526. if (size < 2) {
  2527. *al = SSL_AD_DECODE_ERROR;
  2528. return 0;
  2529. }
  2530. n2s(sdata, s->s3->server_opaque_prf_input_len);
  2531. if (s->s3->server_opaque_prf_input_len != size - 2) {
  2532. *al = SSL_AD_DECODE_ERROR;
  2533. return 0;
  2534. }
  2535. if (s->s3->server_opaque_prf_input != NULL) {
  2536. /* shouldn't really happen */
  2537. OPENSSL_free(s->s3->server_opaque_prf_input);
  2538. }
  2539. if (s->s3->server_opaque_prf_input_len == 0) {
  2540. /* dummy byte just to get non-NULL */
  2541. s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
  2542. } else {
  2543. s->s3->server_opaque_prf_input =
  2544. BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
  2545. }
  2546. if (s->s3->server_opaque_prf_input == NULL) {
  2547. *al = TLS1_AD_INTERNAL_ERROR;
  2548. return 0;
  2549. }
  2550. }
  2551. # endif
  2552. else if (type == TLSEXT_TYPE_status_request) {
  2553. /*
  2554. * MUST be empty and only sent if we've requested a status
  2555. * request message.
  2556. */
  2557. if ((s->tlsext_status_type == -1) || (size > 0)) {
  2558. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  2559. return 0;
  2560. }
  2561. /* Set flag to expect CertificateStatus message */
  2562. s->tlsext_status_expected = 1;
  2563. }
  2564. # ifndef OPENSSL_NO_NEXTPROTONEG
  2565. else if (type == TLSEXT_TYPE_next_proto_neg &&
  2566. s->s3->tmp.finish_md_len == 0) {
  2567. unsigned char *selected;
  2568. unsigned char selected_len;
  2569. /* We must have requested it. */
  2570. if (s->ctx->next_proto_select_cb == NULL) {
  2571. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  2572. return 0;
  2573. }
  2574. /* The data must be valid */
  2575. if (!ssl_next_proto_validate(data, size)) {
  2576. *al = TLS1_AD_DECODE_ERROR;
  2577. return 0;
  2578. }
  2579. if (s->
  2580. ctx->next_proto_select_cb(s, &selected, &selected_len, data,
  2581. size,
  2582. s->ctx->next_proto_select_cb_arg) !=
  2583. SSL_TLSEXT_ERR_OK) {
  2584. *al = TLS1_AD_INTERNAL_ERROR;
  2585. return 0;
  2586. }
  2587. /*
  2588. * Could be non-NULL if server has sent multiple NPN extensions in
  2589. * a single Serverhello
  2590. */
  2591. OPENSSL_free(s->next_proto_negotiated);
  2592. s->next_proto_negotiated = OPENSSL_malloc(selected_len);
  2593. if (!s->next_proto_negotiated) {
  2594. *al = TLS1_AD_INTERNAL_ERROR;
  2595. return 0;
  2596. }
  2597. memcpy(s->next_proto_negotiated, selected, selected_len);
  2598. s->next_proto_negotiated_len = selected_len;
  2599. s->s3->next_proto_neg_seen = 1;
  2600. }
  2601. # endif
  2602. else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
  2603. unsigned len;
  2604. /* We must have requested it. */
  2605. if (!s->cert->alpn_sent) {
  2606. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  2607. return 0;
  2608. }
  2609. if (size < 4) {
  2610. *al = TLS1_AD_DECODE_ERROR;
  2611. return 0;
  2612. }
  2613. /*-
  2614. * The extension data consists of:
  2615. * uint16 list_length
  2616. * uint8 proto_length;
  2617. * uint8 proto[proto_length];
  2618. */
  2619. len = data[0];
  2620. len <<= 8;
  2621. len |= data[1];
  2622. if (len != (unsigned)size - 2) {
  2623. *al = TLS1_AD_DECODE_ERROR;
  2624. return 0;
  2625. }
  2626. len = data[2];
  2627. if (len != (unsigned)size - 3) {
  2628. *al = TLS1_AD_DECODE_ERROR;
  2629. return 0;
  2630. }
  2631. if (s->s3->alpn_selected)
  2632. OPENSSL_free(s->s3->alpn_selected);
  2633. s->s3->alpn_selected = OPENSSL_malloc(len);
  2634. if (!s->s3->alpn_selected) {
  2635. *al = TLS1_AD_INTERNAL_ERROR;
  2636. return 0;
  2637. }
  2638. memcpy(s->s3->alpn_selected, data + 3, len);
  2639. s->s3->alpn_selected_len = len;
  2640. }
  2641. else if (type == TLSEXT_TYPE_renegotiate) {
  2642. if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
  2643. return 0;
  2644. renegotiate_seen = 1;
  2645. }
  2646. # ifndef OPENSSL_NO_HEARTBEATS
  2647. else if (type == TLSEXT_TYPE_heartbeat) {
  2648. switch (data[0]) {
  2649. case 0x01: /* Server allows us to send HB requests */
  2650. s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
  2651. break;
  2652. case 0x02: /* Server doesn't accept HB requests */
  2653. s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
  2654. s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
  2655. break;
  2656. default:
  2657. *al = SSL_AD_ILLEGAL_PARAMETER;
  2658. return 0;
  2659. }
  2660. }
  2661. # endif
  2662. # ifndef OPENSSL_NO_SRTP
  2663. else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
  2664. if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
  2665. return 0;
  2666. }
  2667. # endif
  2668. /*
  2669. * If this extension type was not otherwise handled, but matches a
  2670. * custom_cli_ext_record, then send it to the c callback
  2671. */
  2672. else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
  2673. return 0;
  2674. data += size;
  2675. }
  2676. if (data != d + n) {
  2677. *al = SSL_AD_DECODE_ERROR;
  2678. return 0;
  2679. }
  2680. if (!s->hit && tlsext_servername == 1) {
  2681. if (s->tlsext_hostname) {
  2682. if (s->session->tlsext_hostname == NULL) {
  2683. s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  2684. if (!s->session->tlsext_hostname) {
  2685. *al = SSL_AD_UNRECOGNIZED_NAME;
  2686. return 0;
  2687. }
  2688. } else {
  2689. *al = SSL_AD_DECODE_ERROR;
  2690. return 0;
  2691. }
  2692. }
  2693. }
  2694. *p = data;
  2695. ri_check:
  2696. /*
  2697. * Determine if we need to see RI. Strictly speaking if we want to avoid
  2698. * an attack we should *always* see RI even on initial server hello
  2699. * because the client doesn't see any renegotiation during an attack.
  2700. * However this would mean we could not connect to any server which
  2701. * doesn't support RI so for the immediate future tolerate RI absence on
  2702. * initial connect only.
  2703. */
  2704. if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  2705. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
  2706. *al = SSL_AD_HANDSHAKE_FAILURE;
  2707. SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
  2708. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  2709. return 0;
  2710. }
  2711. return 1;
  2712. }
  2713. int ssl_prepare_clienthello_tlsext(SSL *s)
  2714. {
  2715. # ifdef TLSEXT_TYPE_opaque_prf_input
  2716. {
  2717. int r = 1;
  2718. if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
  2719. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
  2720. s->
  2721. ctx->tlsext_opaque_prf_input_callback_arg);
  2722. if (!r)
  2723. return -1;
  2724. }
  2725. if (s->tlsext_opaque_prf_input != NULL) {
  2726. if (s->s3->client_opaque_prf_input != NULL) {
  2727. /* shouldn't really happen */
  2728. OPENSSL_free(s->s3->client_opaque_prf_input);
  2729. }
  2730. if (s->tlsext_opaque_prf_input_len == 0) {
  2731. /* dummy byte just to get non-NULL */
  2732. s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
  2733. } else {
  2734. s->s3->client_opaque_prf_input =
  2735. BUF_memdup(s->tlsext_opaque_prf_input,
  2736. s->tlsext_opaque_prf_input_len);
  2737. }
  2738. if (s->s3->client_opaque_prf_input == NULL) {
  2739. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
  2740. ERR_R_MALLOC_FAILURE);
  2741. return -1;
  2742. }
  2743. s->s3->client_opaque_prf_input_len =
  2744. s->tlsext_opaque_prf_input_len;
  2745. }
  2746. if (r == 2)
  2747. /*
  2748. * at callback's request, insist on receiving an appropriate
  2749. * server opaque PRF input
  2750. */
  2751. s->s3->server_opaque_prf_input_len =
  2752. s->tlsext_opaque_prf_input_len;
  2753. }
  2754. # endif
  2755. s->cert->alpn_sent = 0;
  2756. return 1;
  2757. }
  2758. int ssl_prepare_serverhello_tlsext(SSL *s)
  2759. {
  2760. return 1;
  2761. }
  2762. static int ssl_check_clienthello_tlsext_early(SSL *s)
  2763. {
  2764. int ret = SSL_TLSEXT_ERR_NOACK;
  2765. int al = SSL_AD_UNRECOGNIZED_NAME;
  2766. # ifndef OPENSSL_NO_EC
  2767. /*
  2768. * The handling of the ECPointFormats extension is done elsewhere, namely
  2769. * in ssl3_choose_cipher in s3_lib.c.
  2770. */
  2771. /*
  2772. * The handling of the EllipticCurves extension is done elsewhere, namely
  2773. * in ssl3_choose_cipher in s3_lib.c.
  2774. */
  2775. # endif
  2776. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  2777. ret =
  2778. s->ctx->tlsext_servername_callback(s, &al,
  2779. s->ctx->tlsext_servername_arg);
  2780. else if (s->initial_ctx != NULL
  2781. && s->initial_ctx->tlsext_servername_callback != 0)
  2782. ret =
  2783. s->initial_ctx->tlsext_servername_callback(s, &al,
  2784. s->
  2785. initial_ctx->tlsext_servername_arg);
  2786. # ifdef TLSEXT_TYPE_opaque_prf_input
  2787. {
  2788. /*
  2789. * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
  2790. * might be sending an alert in response to the client hello, so this
  2791. * has to happen here in ssl_check_clienthello_tlsext_early().
  2792. */
  2793. int r = 1;
  2794. if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
  2795. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
  2796. s->
  2797. ctx->tlsext_opaque_prf_input_callback_arg);
  2798. if (!r) {
  2799. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  2800. al = SSL_AD_INTERNAL_ERROR;
  2801. goto err;
  2802. }
  2803. }
  2804. if (s->s3->server_opaque_prf_input != NULL) {
  2805. /* shouldn't really happen */
  2806. OPENSSL_free(s->s3->server_opaque_prf_input);
  2807. }
  2808. s->s3->server_opaque_prf_input = NULL;
  2809. if (s->tlsext_opaque_prf_input != NULL) {
  2810. if (s->s3->client_opaque_prf_input != NULL &&
  2811. s->s3->client_opaque_prf_input_len ==
  2812. s->tlsext_opaque_prf_input_len) {
  2813. /*
  2814. * can only use this extension if we have a server opaque PRF
  2815. * input of the same length as the client opaque PRF input!
  2816. */
  2817. if (s->tlsext_opaque_prf_input_len == 0) {
  2818. /* dummy byte just to get non-NULL */
  2819. s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
  2820. } else {
  2821. s->s3->server_opaque_prf_input =
  2822. BUF_memdup(s->tlsext_opaque_prf_input,
  2823. s->tlsext_opaque_prf_input_len);
  2824. }
  2825. if (s->s3->server_opaque_prf_input == NULL) {
  2826. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  2827. al = SSL_AD_INTERNAL_ERROR;
  2828. goto err;
  2829. }
  2830. s->s3->server_opaque_prf_input_len =
  2831. s->tlsext_opaque_prf_input_len;
  2832. }
  2833. }
  2834. if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
  2835. /*
  2836. * The callback wants to enforce use of the extension, but we
  2837. * can't do that with the client opaque PRF input; abort the
  2838. * handshake.
  2839. */
  2840. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  2841. al = SSL_AD_HANDSHAKE_FAILURE;
  2842. }
  2843. }
  2844. err:
  2845. # endif
  2846. switch (ret) {
  2847. case SSL_TLSEXT_ERR_ALERT_FATAL:
  2848. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2849. return -1;
  2850. case SSL_TLSEXT_ERR_ALERT_WARNING:
  2851. ssl3_send_alert(s, SSL3_AL_WARNING, al);
  2852. return 1;
  2853. case SSL_TLSEXT_ERR_NOACK:
  2854. s->servername_done = 0;
  2855. default:
  2856. return 1;
  2857. }
  2858. }
  2859. int tls1_set_server_sigalgs(SSL *s)
  2860. {
  2861. int al;
  2862. size_t i;
  2863. /* Clear any shared sigtnature algorithms */
  2864. if (s->cert->shared_sigalgs) {
  2865. OPENSSL_free(s->cert->shared_sigalgs);
  2866. s->cert->shared_sigalgs = NULL;
  2867. s->cert->shared_sigalgslen = 0;
  2868. }
  2869. /* Clear certificate digests and validity flags */
  2870. for (i = 0; i < SSL_PKEY_NUM; i++) {
  2871. s->cert->pkeys[i].digest = NULL;
  2872. s->cert->pkeys[i].valid_flags = 0;
  2873. }
  2874. /* If sigalgs received process it. */
  2875. if (s->cert->peer_sigalgs) {
  2876. if (!tls1_process_sigalgs(s)) {
  2877. SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
  2878. al = SSL_AD_INTERNAL_ERROR;
  2879. goto err;
  2880. }
  2881. /* Fatal error is no shared signature algorithms */
  2882. if (!s->cert->shared_sigalgs) {
  2883. SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
  2884. SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
  2885. al = SSL_AD_ILLEGAL_PARAMETER;
  2886. goto err;
  2887. }
  2888. } else
  2889. ssl_cert_set_default_md(s->cert);
  2890. return 1;
  2891. err:
  2892. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2893. return 0;
  2894. }
  2895. /*
  2896. * Upon success, returns 1.
  2897. * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
  2898. */
  2899. int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
  2900. {
  2901. /*
  2902. * If status request then ask callback what to do. Note: this must be
  2903. * called after servername callbacks in case the certificate has changed,
  2904. * and must be called after the cipher has been chosen because this may
  2905. * influence which certificate is sent
  2906. */
  2907. if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
  2908. int ret;
  2909. CERT_PKEY *certpkey;
  2910. certpkey = ssl_get_server_send_pkey(s);
  2911. /* If no certificate can't return certificate status */
  2912. if (certpkey != NULL) {
  2913. /*
  2914. * Set current certificate to one we will use so SSL_get_certificate
  2915. * et al can pick it up.
  2916. */
  2917. s->cert->key = certpkey;
  2918. ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  2919. switch (ret) {
  2920. /* We don't want to send a status request response */
  2921. case SSL_TLSEXT_ERR_NOACK:
  2922. s->tlsext_status_expected = 0;
  2923. break;
  2924. /* status request response should be sent */
  2925. case SSL_TLSEXT_ERR_OK:
  2926. if (s->tlsext_ocsp_resp)
  2927. s->tlsext_status_expected = 1;
  2928. break;
  2929. /* something bad happened */
  2930. case SSL_TLSEXT_ERR_ALERT_FATAL:
  2931. default:
  2932. *al = SSL_AD_INTERNAL_ERROR;
  2933. return 0;
  2934. }
  2935. }
  2936. }
  2937. if (!tls1_alpn_handle_client_hello_late(s, al)) {
  2938. return 0;
  2939. }
  2940. return 1;
  2941. }
  2942. int ssl_check_serverhello_tlsext(SSL *s)
  2943. {
  2944. int ret = SSL_TLSEXT_ERR_NOACK;
  2945. int al = SSL_AD_UNRECOGNIZED_NAME;
  2946. # ifndef OPENSSL_NO_EC
  2947. /*
  2948. * If we are client and using an elliptic curve cryptography cipher
  2949. * suite, then if server returns an EC point formats lists extension it
  2950. * must contain uncompressed.
  2951. */
  2952. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  2953. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  2954. if ((s->tlsext_ecpointformatlist != NULL)
  2955. && (s->tlsext_ecpointformatlist_length > 0)
  2956. && (s->session->tlsext_ecpointformatlist != NULL)
  2957. && (s->session->tlsext_ecpointformatlist_length > 0)
  2958. && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
  2959. || (alg_a & SSL_aECDSA))) {
  2960. /* we are using an ECC cipher */
  2961. size_t i;
  2962. unsigned char *list;
  2963. int found_uncompressed = 0;
  2964. list = s->session->tlsext_ecpointformatlist;
  2965. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
  2966. if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
  2967. found_uncompressed = 1;
  2968. break;
  2969. }
  2970. }
  2971. if (!found_uncompressed) {
  2972. SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
  2973. SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  2974. return -1;
  2975. }
  2976. }
  2977. ret = SSL_TLSEXT_ERR_OK;
  2978. # endif /* OPENSSL_NO_EC */
  2979. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  2980. ret =
  2981. s->ctx->tlsext_servername_callback(s, &al,
  2982. s->ctx->tlsext_servername_arg);
  2983. else if (s->initial_ctx != NULL
  2984. && s->initial_ctx->tlsext_servername_callback != 0)
  2985. ret =
  2986. s->initial_ctx->tlsext_servername_callback(s, &al,
  2987. s->
  2988. initial_ctx->tlsext_servername_arg);
  2989. # ifdef TLSEXT_TYPE_opaque_prf_input
  2990. if (s->s3->server_opaque_prf_input_len > 0) {
  2991. /*
  2992. * This case may indicate that we, as a client, want to insist on
  2993. * using opaque PRF inputs. So first verify that we really have a
  2994. * value from the server too.
  2995. */
  2996. if (s->s3->server_opaque_prf_input == NULL) {
  2997. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  2998. al = SSL_AD_HANDSHAKE_FAILURE;
  2999. }
  3000. /*
  3001. * Anytime the server *has* sent an opaque PRF input, we need to
  3002. * check that we have a client opaque PRF input of the same size.
  3003. */
  3004. if (s->s3->client_opaque_prf_input == NULL ||
  3005. s->s3->client_opaque_prf_input_len !=
  3006. s->s3->server_opaque_prf_input_len) {
  3007. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  3008. al = SSL_AD_ILLEGAL_PARAMETER;
  3009. }
  3010. }
  3011. # endif
  3012. OPENSSL_free(s->tlsext_ocsp_resp);
  3013. s->tlsext_ocsp_resp = NULL;
  3014. s->tlsext_ocsp_resplen = -1;
  3015. /*
  3016. * If we've requested certificate status and we wont get one tell the
  3017. * callback
  3018. */
  3019. if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
  3020. && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) {
  3021. int r;
  3022. /*
  3023. * Call callback with resp == NULL and resplen == -1 so callback
  3024. * knows there is no response
  3025. */
  3026. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  3027. if (r == 0) {
  3028. al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
  3029. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  3030. }
  3031. if (r < 0) {
  3032. al = SSL_AD_INTERNAL_ERROR;
  3033. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  3034. }
  3035. }
  3036. switch (ret) {
  3037. case SSL_TLSEXT_ERR_ALERT_FATAL:
  3038. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  3039. return -1;
  3040. case SSL_TLSEXT_ERR_ALERT_WARNING:
  3041. ssl3_send_alert(s, SSL3_AL_WARNING, al);
  3042. return 1;
  3043. case SSL_TLSEXT_ERR_NOACK:
  3044. s->servername_done = 0;
  3045. default:
  3046. return 1;
  3047. }
  3048. }
  3049. int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  3050. int n)
  3051. {
  3052. int al = -1;
  3053. if (s->version < SSL3_VERSION)
  3054. return 1;
  3055. if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
  3056. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  3057. return 0;
  3058. }
  3059. if (ssl_check_serverhello_tlsext(s) <= 0) {
  3060. SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
  3061. return 0;
  3062. }
  3063. return 1;
  3064. }
  3065. /*-
  3066. * Since the server cache lookup is done early on in the processing of the
  3067. * ClientHello, and other operations depend on the result, we need to handle
  3068. * any TLS session ticket extension at the same time.
  3069. *
  3070. * session_id: points at the session ID in the ClientHello. This code will
  3071. * read past the end of this in order to parse out the session ticket
  3072. * extension, if any.
  3073. * len: the length of the session ID.
  3074. * limit: a pointer to the first byte after the ClientHello.
  3075. * ret: (output) on return, if a ticket was decrypted, then this is set to
  3076. * point to the resulting session.
  3077. *
  3078. * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
  3079. * ciphersuite, in which case we have no use for session tickets and one will
  3080. * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
  3081. *
  3082. * Returns:
  3083. * -1: fatal error, either from parsing or decrypting the ticket.
  3084. * 0: no ticket was found (or was ignored, based on settings).
  3085. * 1: a zero length extension was found, indicating that the client supports
  3086. * session tickets but doesn't currently have one to offer.
  3087. * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
  3088. * couldn't be decrypted because of a non-fatal error.
  3089. * 3: a ticket was successfully decrypted and *ret was set.
  3090. *
  3091. * Side effects:
  3092. * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
  3093. * a new session ticket to the client because the client indicated support
  3094. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  3095. * a session ticket or we couldn't use the one it gave us, or if
  3096. * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
  3097. * Otherwise, s->tlsext_ticket_expected is set to 0.
  3098. */
  3099. int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
  3100. const unsigned char *limit, SSL_SESSION **ret)
  3101. {
  3102. /* Point after session ID in client hello */
  3103. const unsigned char *p = session_id + len;
  3104. unsigned short i;
  3105. *ret = NULL;
  3106. s->tlsext_ticket_expected = 0;
  3107. /*
  3108. * If tickets disabled behave as if no ticket present to permit stateful
  3109. * resumption.
  3110. */
  3111. if (SSL_get_options(s) & SSL_OP_NO_TICKET)
  3112. return 0;
  3113. if ((s->version <= SSL3_VERSION) || !limit)
  3114. return 0;
  3115. if (p >= limit)
  3116. return -1;
  3117. /* Skip past DTLS cookie */
  3118. if (SSL_IS_DTLS(s)) {
  3119. i = *(p++);
  3120. if (limit - p <= i)
  3121. return -1;
  3122. p += i;
  3123. }
  3124. /* Skip past cipher list */
  3125. n2s(p, i);
  3126. if (limit - p <= i)
  3127. return -1;
  3128. p += i;
  3129. /* Skip past compression algorithm list */
  3130. i = *(p++);
  3131. if (limit - p < i)
  3132. return -1;
  3133. p += i;
  3134. /* Now at start of extensions */
  3135. if (limit - p <= 2)
  3136. return 0;
  3137. n2s(p, i);
  3138. while (limit - p >= 4) {
  3139. unsigned short type, size;
  3140. n2s(p, type);
  3141. n2s(p, size);
  3142. if (limit - p < size)
  3143. return 0;
  3144. if (type == TLSEXT_TYPE_session_ticket) {
  3145. int r;
  3146. if (size == 0) {
  3147. /*
  3148. * The client will accept a ticket but doesn't currently have
  3149. * one.
  3150. */
  3151. s->tlsext_ticket_expected = 1;
  3152. return 1;
  3153. }
  3154. if (s->tls_session_secret_cb) {
  3155. /*
  3156. * Indicate that the ticket couldn't be decrypted rather than
  3157. * generating the session from ticket now, trigger
  3158. * abbreviated handshake based on external mechanism to
  3159. * calculate the master secret later.
  3160. */
  3161. return 2;
  3162. }
  3163. r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
  3164. switch (r) {
  3165. case 2: /* ticket couldn't be decrypted */
  3166. s->tlsext_ticket_expected = 1;
  3167. return 2;
  3168. case 3: /* ticket was decrypted */
  3169. return r;
  3170. case 4: /* ticket decrypted but need to renew */
  3171. s->tlsext_ticket_expected = 1;
  3172. return 3;
  3173. default: /* fatal error */
  3174. return -1;
  3175. }
  3176. }
  3177. p += size;
  3178. }
  3179. return 0;
  3180. }
  3181. /*-
  3182. * tls_decrypt_ticket attempts to decrypt a session ticket.
  3183. *
  3184. * etick: points to the body of the session ticket extension.
  3185. * eticklen: the length of the session tickets extenion.
  3186. * sess_id: points at the session ID.
  3187. * sesslen: the length of the session ID.
  3188. * psess: (output) on return, if a ticket was decrypted, then this is set to
  3189. * point to the resulting session.
  3190. *
  3191. * Returns:
  3192. * -1: fatal error, either from parsing or decrypting the ticket.
  3193. * 2: the ticket couldn't be decrypted.
  3194. * 3: a ticket was successfully decrypted and *psess was set.
  3195. * 4: same as 3, but the ticket needs to be renewed.
  3196. */
  3197. static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  3198. int eticklen, const unsigned char *sess_id,
  3199. int sesslen, SSL_SESSION **psess)
  3200. {
  3201. SSL_SESSION *sess;
  3202. unsigned char *sdec;
  3203. const unsigned char *p;
  3204. int slen, mlen, renew_ticket = 0;
  3205. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  3206. HMAC_CTX hctx;
  3207. EVP_CIPHER_CTX ctx;
  3208. SSL_CTX *tctx = s->initial_ctx;
  3209. /* Initialize session ticket encryption and HMAC contexts */
  3210. HMAC_CTX_init(&hctx);
  3211. EVP_CIPHER_CTX_init(&ctx);
  3212. if (tctx->tlsext_ticket_key_cb) {
  3213. unsigned char *nctick = (unsigned char *)etick;
  3214. int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
  3215. &ctx, &hctx, 0);
  3216. if (rv < 0)
  3217. return -1;
  3218. if (rv == 0)
  3219. return 2;
  3220. if (rv == 2)
  3221. renew_ticket = 1;
  3222. } else {
  3223. /* Check key name matches */
  3224. if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
  3225. return 2;
  3226. if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  3227. tlsext_tick_md(), NULL) <= 0
  3228. || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  3229. tctx->tlsext_tick_aes_key,
  3230. etick + 16) <= 0) {
  3231. goto err;
  3232. }
  3233. }
  3234. /*
  3235. * Attempt to process session ticket, first conduct sanity and integrity
  3236. * checks on ticket.
  3237. */
  3238. mlen = HMAC_size(&hctx);
  3239. if (mlen < 0) {
  3240. goto err;
  3241. }
  3242. /* Sanity check ticket length: must exceed keyname + IV + HMAC */
  3243. if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
  3244. HMAC_CTX_cleanup(&hctx);
  3245. EVP_CIPHER_CTX_cleanup(&ctx);
  3246. return 2;
  3247. }
  3248. eticklen -= mlen;
  3249. /* Check HMAC of encrypted ticket */
  3250. if (HMAC_Update(&hctx, etick, eticklen) <= 0
  3251. || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
  3252. goto err;
  3253. }
  3254. HMAC_CTX_cleanup(&hctx);
  3255. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  3256. EVP_CIPHER_CTX_cleanup(&ctx);
  3257. return 2;
  3258. }
  3259. /* Attempt to decrypt session data */
  3260. /* Move p after IV to start of encrypted ticket, update length */
  3261. p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  3262. eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  3263. sdec = OPENSSL_malloc(eticklen);
  3264. if (sdec == NULL
  3265. || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
  3266. EVP_CIPHER_CTX_cleanup(&ctx);
  3267. OPENSSL_free(sdec);
  3268. return -1;
  3269. }
  3270. if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
  3271. EVP_CIPHER_CTX_cleanup(&ctx);
  3272. OPENSSL_free(sdec);
  3273. return 2;
  3274. }
  3275. slen += mlen;
  3276. EVP_CIPHER_CTX_cleanup(&ctx);
  3277. p = sdec;
  3278. sess = d2i_SSL_SESSION(NULL, &p, slen);
  3279. slen -= p - sdec;
  3280. OPENSSL_free(sdec);
  3281. if (sess) {
  3282. /* Some additional consistency checks */
  3283. if (slen != 0 || sess->session_id_length != 0) {
  3284. SSL_SESSION_free(sess);
  3285. return 2;
  3286. }
  3287. /*
  3288. * The session ID, if non-empty, is used by some clients to detect
  3289. * that the ticket has been accepted. So we copy it to the session
  3290. * structure. If it is empty set length to zero as required by
  3291. * standard.
  3292. */
  3293. if (sesslen)
  3294. memcpy(sess->session_id, sess_id, sesslen);
  3295. sess->session_id_length = sesslen;
  3296. *psess = sess;
  3297. if (renew_ticket)
  3298. return 4;
  3299. else
  3300. return 3;
  3301. }
  3302. ERR_clear_error();
  3303. /*
  3304. * For session parse failure, indicate that we need to send a new ticket.
  3305. */
  3306. return 2;
  3307. err:
  3308. EVP_CIPHER_CTX_cleanup(&ctx);
  3309. HMAC_CTX_cleanup(&hctx);
  3310. return -1;
  3311. }
  3312. /* Tables to translate from NIDs to TLS v1.2 ids */
  3313. typedef struct {
  3314. int nid;
  3315. int id;
  3316. } tls12_lookup;
  3317. static tls12_lookup tls12_md[] = {
  3318. {NID_md5, TLSEXT_hash_md5},
  3319. {NID_sha1, TLSEXT_hash_sha1},
  3320. {NID_sha224, TLSEXT_hash_sha224},
  3321. {NID_sha256, TLSEXT_hash_sha256},
  3322. {NID_sha384, TLSEXT_hash_sha384},
  3323. {NID_sha512, TLSEXT_hash_sha512}
  3324. };
  3325. static tls12_lookup tls12_sig[] = {
  3326. {EVP_PKEY_RSA, TLSEXT_signature_rsa},
  3327. {EVP_PKEY_DSA, TLSEXT_signature_dsa},
  3328. {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
  3329. };
  3330. static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
  3331. {
  3332. size_t i;
  3333. for (i = 0; i < tlen; i++) {
  3334. if (table[i].nid == nid)
  3335. return table[i].id;
  3336. }
  3337. return -1;
  3338. }
  3339. static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
  3340. {
  3341. size_t i;
  3342. for (i = 0; i < tlen; i++) {
  3343. if ((table[i].id) == id)
  3344. return table[i].nid;
  3345. }
  3346. return NID_undef;
  3347. }
  3348. int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
  3349. const EVP_MD *md)
  3350. {
  3351. int sig_id, md_id;
  3352. if (!md)
  3353. return 0;
  3354. md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
  3355. sizeof(tls12_md) / sizeof(tls12_lookup));
  3356. if (md_id == -1)
  3357. return 0;
  3358. sig_id = tls12_get_sigid(pk);
  3359. if (sig_id == -1)
  3360. return 0;
  3361. p[0] = (unsigned char)md_id;
  3362. p[1] = (unsigned char)sig_id;
  3363. return 1;
  3364. }
  3365. int tls12_get_sigid(const EVP_PKEY *pk)
  3366. {
  3367. return tls12_find_id(pk->type, tls12_sig,
  3368. sizeof(tls12_sig) / sizeof(tls12_lookup));
  3369. }
  3370. const EVP_MD *tls12_get_hash(unsigned char hash_alg)
  3371. {
  3372. switch (hash_alg) {
  3373. # ifndef OPENSSL_NO_MD5
  3374. case TLSEXT_hash_md5:
  3375. # ifdef OPENSSL_FIPS
  3376. if (FIPS_mode())
  3377. return NULL;
  3378. # endif
  3379. return EVP_md5();
  3380. # endif
  3381. # ifndef OPENSSL_NO_SHA
  3382. case TLSEXT_hash_sha1:
  3383. return EVP_sha1();
  3384. # endif
  3385. # ifndef OPENSSL_NO_SHA256
  3386. case TLSEXT_hash_sha224:
  3387. return EVP_sha224();
  3388. case TLSEXT_hash_sha256:
  3389. return EVP_sha256();
  3390. # endif
  3391. # ifndef OPENSSL_NO_SHA512
  3392. case TLSEXT_hash_sha384:
  3393. return EVP_sha384();
  3394. case TLSEXT_hash_sha512:
  3395. return EVP_sha512();
  3396. # endif
  3397. default:
  3398. return NULL;
  3399. }
  3400. }
  3401. static int tls12_get_pkey_idx(unsigned char sig_alg)
  3402. {
  3403. switch (sig_alg) {
  3404. # ifndef OPENSSL_NO_RSA
  3405. case TLSEXT_signature_rsa:
  3406. return SSL_PKEY_RSA_SIGN;
  3407. # endif
  3408. # ifndef OPENSSL_NO_DSA
  3409. case TLSEXT_signature_dsa:
  3410. return SSL_PKEY_DSA_SIGN;
  3411. # endif
  3412. # ifndef OPENSSL_NO_ECDSA
  3413. case TLSEXT_signature_ecdsa:
  3414. return SSL_PKEY_ECC;
  3415. # endif
  3416. }
  3417. return -1;
  3418. }
  3419. /* Convert TLS 1.2 signature algorithm extension values into NIDs */
  3420. static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
  3421. int *psignhash_nid, const unsigned char *data)
  3422. {
  3423. int sign_nid = NID_undef, hash_nid = NID_undef;
  3424. if (!phash_nid && !psign_nid && !psignhash_nid)
  3425. return;
  3426. if (phash_nid || psignhash_nid) {
  3427. hash_nid = tls12_find_nid(data[0], tls12_md,
  3428. sizeof(tls12_md) / sizeof(tls12_lookup));
  3429. if (phash_nid)
  3430. *phash_nid = hash_nid;
  3431. }
  3432. if (psign_nid || psignhash_nid) {
  3433. sign_nid = tls12_find_nid(data[1], tls12_sig,
  3434. sizeof(tls12_sig) / sizeof(tls12_lookup));
  3435. if (psign_nid)
  3436. *psign_nid = sign_nid;
  3437. }
  3438. if (psignhash_nid) {
  3439. if (sign_nid == NID_undef || hash_nid == NID_undef
  3440. || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
  3441. sign_nid) <= 0)
  3442. *psignhash_nid = NID_undef;
  3443. }
  3444. }
  3445. /* Given preference and allowed sigalgs set shared sigalgs */
  3446. static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
  3447. const unsigned char *pref, size_t preflen,
  3448. const unsigned char *allow,
  3449. size_t allowlen)
  3450. {
  3451. const unsigned char *ptmp, *atmp;
  3452. size_t i, j, nmatch = 0;
  3453. for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
  3454. /* Skip disabled hashes or signature algorithms */
  3455. if (tls12_get_hash(ptmp[0]) == NULL)
  3456. continue;
  3457. if (tls12_get_pkey_idx(ptmp[1]) == -1)
  3458. continue;
  3459. for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
  3460. if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
  3461. nmatch++;
  3462. if (shsig) {
  3463. shsig->rhash = ptmp[0];
  3464. shsig->rsign = ptmp[1];
  3465. tls1_lookup_sigalg(&shsig->hash_nid,
  3466. &shsig->sign_nid,
  3467. &shsig->signandhash_nid, ptmp);
  3468. shsig++;
  3469. }
  3470. break;
  3471. }
  3472. }
  3473. }
  3474. return nmatch;
  3475. }
  3476. /* Set shared signature algorithms for SSL structures */
  3477. static int tls1_set_shared_sigalgs(SSL *s)
  3478. {
  3479. const unsigned char *pref, *allow, *conf;
  3480. size_t preflen, allowlen, conflen;
  3481. size_t nmatch;
  3482. TLS_SIGALGS *salgs = NULL;
  3483. CERT *c = s->cert;
  3484. unsigned int is_suiteb = tls1_suiteb(s);
  3485. if (c->shared_sigalgs) {
  3486. OPENSSL_free(c->shared_sigalgs);
  3487. c->shared_sigalgs = NULL;
  3488. c->shared_sigalgslen = 0;
  3489. }
  3490. /* If client use client signature algorithms if not NULL */
  3491. if (!s->server && c->client_sigalgs && !is_suiteb) {
  3492. conf = c->client_sigalgs;
  3493. conflen = c->client_sigalgslen;
  3494. } else if (c->conf_sigalgs && !is_suiteb) {
  3495. conf = c->conf_sigalgs;
  3496. conflen = c->conf_sigalgslen;
  3497. } else
  3498. conflen = tls12_get_psigalgs(s, 0, &conf);
  3499. if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
  3500. pref = conf;
  3501. preflen = conflen;
  3502. allow = c->peer_sigalgs;
  3503. allowlen = c->peer_sigalgslen;
  3504. } else {
  3505. allow = conf;
  3506. allowlen = conflen;
  3507. pref = c->peer_sigalgs;
  3508. preflen = c->peer_sigalgslen;
  3509. }
  3510. nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
  3511. if (nmatch) {
  3512. salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
  3513. if (!salgs)
  3514. return 0;
  3515. nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
  3516. } else {
  3517. salgs = NULL;
  3518. }
  3519. c->shared_sigalgs = salgs;
  3520. c->shared_sigalgslen = nmatch;
  3521. return 1;
  3522. }
  3523. /* Set preferred digest for each key type */
  3524. int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
  3525. {
  3526. CERT *c = s->cert;
  3527. /* Extension ignored for inappropriate versions */
  3528. if (!SSL_USE_SIGALGS(s))
  3529. return 1;
  3530. /* Should never happen */
  3531. if (!c)
  3532. return 0;
  3533. if (c->peer_sigalgs)
  3534. OPENSSL_free(c->peer_sigalgs);
  3535. c->peer_sigalgs = OPENSSL_malloc(dsize);
  3536. if (!c->peer_sigalgs)
  3537. return 0;
  3538. c->peer_sigalgslen = dsize;
  3539. memcpy(c->peer_sigalgs, data, dsize);
  3540. return 1;
  3541. }
  3542. int tls1_process_sigalgs(SSL *s)
  3543. {
  3544. int idx;
  3545. size_t i;
  3546. const EVP_MD *md;
  3547. CERT *c = s->cert;
  3548. TLS_SIGALGS *sigptr;
  3549. if (!tls1_set_shared_sigalgs(s))
  3550. return 0;
  3551. # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  3552. if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
  3553. /*
  3554. * Use first set signature preference to force message digest,
  3555. * ignoring any peer preferences.
  3556. */
  3557. const unsigned char *sigs = NULL;
  3558. if (s->server)
  3559. sigs = c->conf_sigalgs;
  3560. else
  3561. sigs = c->client_sigalgs;
  3562. if (sigs) {
  3563. idx = tls12_get_pkey_idx(sigs[1]);
  3564. md = tls12_get_hash(sigs[0]);
  3565. c->pkeys[idx].digest = md;
  3566. c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
  3567. if (idx == SSL_PKEY_RSA_SIGN) {
  3568. c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
  3569. CERT_PKEY_EXPLICIT_SIGN;
  3570. c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
  3571. }
  3572. }
  3573. }
  3574. # endif
  3575. for (i = 0, sigptr = c->shared_sigalgs;
  3576. i < c->shared_sigalgslen; i++, sigptr++) {
  3577. idx = tls12_get_pkey_idx(sigptr->rsign);
  3578. if (idx > 0 && c->pkeys[idx].digest == NULL) {
  3579. md = tls12_get_hash(sigptr->rhash);
  3580. c->pkeys[idx].digest = md;
  3581. c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
  3582. if (idx == SSL_PKEY_RSA_SIGN) {
  3583. c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
  3584. CERT_PKEY_EXPLICIT_SIGN;
  3585. c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
  3586. }
  3587. }
  3588. }
  3589. /*
  3590. * In strict mode leave unset digests as NULL to indicate we can't use
  3591. * the certificate for signing.
  3592. */
  3593. if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
  3594. /*
  3595. * Set any remaining keys to default values. NOTE: if alg is not
  3596. * supported it stays as NULL.
  3597. */
  3598. # ifndef OPENSSL_NO_DSA
  3599. if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
  3600. c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
  3601. # endif
  3602. # ifndef OPENSSL_NO_RSA
  3603. if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
  3604. c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  3605. c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  3606. }
  3607. # endif
  3608. # ifndef OPENSSL_NO_ECDSA
  3609. if (!c->pkeys[SSL_PKEY_ECC].digest)
  3610. c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
  3611. # endif
  3612. }
  3613. return 1;
  3614. }
  3615. int SSL_get_sigalgs(SSL *s, int idx,
  3616. int *psign, int *phash, int *psignhash,
  3617. unsigned char *rsig, unsigned char *rhash)
  3618. {
  3619. const unsigned char *psig = s->cert->peer_sigalgs;
  3620. if (psig == NULL)
  3621. return 0;
  3622. if (idx >= 0) {
  3623. idx <<= 1;
  3624. if (idx >= (int)s->cert->peer_sigalgslen)
  3625. return 0;
  3626. psig += idx;
  3627. if (rhash)
  3628. *rhash = psig[0];
  3629. if (rsig)
  3630. *rsig = psig[1];
  3631. tls1_lookup_sigalg(phash, psign, psignhash, psig);
  3632. }
  3633. return s->cert->peer_sigalgslen / 2;
  3634. }
  3635. int SSL_get_shared_sigalgs(SSL *s, int idx,
  3636. int *psign, int *phash, int *psignhash,
  3637. unsigned char *rsig, unsigned char *rhash)
  3638. {
  3639. TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
  3640. if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
  3641. return 0;
  3642. shsigalgs += idx;
  3643. if (phash)
  3644. *phash = shsigalgs->hash_nid;
  3645. if (psign)
  3646. *psign = shsigalgs->sign_nid;
  3647. if (psignhash)
  3648. *psignhash = shsigalgs->signandhash_nid;
  3649. if (rsig)
  3650. *rsig = shsigalgs->rsign;
  3651. if (rhash)
  3652. *rhash = shsigalgs->rhash;
  3653. return s->cert->shared_sigalgslen;
  3654. }
  3655. # ifndef OPENSSL_NO_HEARTBEATS
  3656. int tls1_process_heartbeat(SSL *s)
  3657. {
  3658. unsigned char *p = &s->s3->rrec.data[0], *pl;
  3659. unsigned short hbtype;
  3660. unsigned int payload;
  3661. unsigned int padding = 16; /* Use minimum padding */
  3662. if (s->msg_callback)
  3663. s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
  3664. &s->s3->rrec.data[0], s->s3->rrec.length,
  3665. s, s->msg_callback_arg);
  3666. /* Read type and payload length first */
  3667. if (1 + 2 + 16 > s->s3->rrec.length)
  3668. return 0; /* silently discard */
  3669. hbtype = *p++;
  3670. n2s(p, payload);
  3671. if (1 + 2 + payload + 16 > s->s3->rrec.length)
  3672. return 0; /* silently discard per RFC 6520 sec. 4 */
  3673. pl = p;
  3674. if (hbtype == TLS1_HB_REQUEST) {
  3675. unsigned char *buffer, *bp;
  3676. int r;
  3677. /*
  3678. * Allocate memory for the response, size is 1 bytes message type,
  3679. * plus 2 bytes payload length, plus payload, plus padding
  3680. */
  3681. buffer = OPENSSL_malloc(1 + 2 + payload + padding);
  3682. if (buffer == NULL)
  3683. return -1;
  3684. bp = buffer;
  3685. /* Enter response type, length and copy payload */
  3686. *bp++ = TLS1_HB_RESPONSE;
  3687. s2n(payload, bp);
  3688. memcpy(bp, pl, payload);
  3689. bp += payload;
  3690. /* Random padding */
  3691. if (RAND_bytes(bp, padding) <= 0) {
  3692. OPENSSL_free(buffer);
  3693. return -1;
  3694. }
  3695. r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
  3696. 3 + payload + padding);
  3697. if (r >= 0 && s->msg_callback)
  3698. s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
  3699. buffer, 3 + payload + padding,
  3700. s, s->msg_callback_arg);
  3701. OPENSSL_free(buffer);
  3702. if (r < 0)
  3703. return r;
  3704. } else if (hbtype == TLS1_HB_RESPONSE) {
  3705. unsigned int seq;
  3706. /*
  3707. * We only send sequence numbers (2 bytes unsigned int), and 16
  3708. * random bytes, so we just try to read the sequence number
  3709. */
  3710. n2s(pl, seq);
  3711. if (payload == 18 && seq == s->tlsext_hb_seq) {
  3712. s->tlsext_hb_seq++;
  3713. s->tlsext_hb_pending = 0;
  3714. }
  3715. }
  3716. return 0;
  3717. }
  3718. int tls1_heartbeat(SSL *s)
  3719. {
  3720. unsigned char *buf, *p;
  3721. int ret = -1;
  3722. unsigned int payload = 18; /* Sequence number + random bytes */
  3723. unsigned int padding = 16; /* Use minimum padding */
  3724. /* Only send if peer supports and accepts HB requests... */
  3725. if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
  3726. s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
  3727. SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
  3728. return -1;
  3729. }
  3730. /* ...and there is none in flight yet... */
  3731. if (s->tlsext_hb_pending) {
  3732. SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
  3733. return -1;
  3734. }
  3735. /* ...and no handshake in progress. */
  3736. if (SSL_in_init(s) || s->in_handshake) {
  3737. SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
  3738. return -1;
  3739. }
  3740. /*
  3741. * Check if padding is too long, payload and padding must not exceed 2^14
  3742. * - 3 = 16381 bytes in total.
  3743. */
  3744. OPENSSL_assert(payload + padding <= 16381);
  3745. /*-
  3746. * Create HeartBeat message, we just use a sequence number
  3747. * as payload to distuingish different messages and add
  3748. * some random stuff.
  3749. * - Message Type, 1 byte
  3750. * - Payload Length, 2 bytes (unsigned int)
  3751. * - Payload, the sequence number (2 bytes uint)
  3752. * - Payload, random bytes (16 bytes uint)
  3753. * - Padding
  3754. */
  3755. buf = OPENSSL_malloc(1 + 2 + payload + padding);
  3756. if (buf == NULL)
  3757. return -1;
  3758. p = buf;
  3759. /* Message Type */
  3760. *p++ = TLS1_HB_REQUEST;
  3761. /* Payload length (18 bytes here) */
  3762. s2n(payload, p);
  3763. /* Sequence number */
  3764. s2n(s->tlsext_hb_seq, p);
  3765. /* 16 random bytes */
  3766. if (RAND_bytes(p, 16) <= 0) {
  3767. SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
  3768. goto err;
  3769. }
  3770. p += 16;
  3771. /* Random padding */
  3772. if (RAND_bytes(p, padding) <= 0) {
  3773. SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
  3774. goto err;
  3775. }
  3776. ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
  3777. if (ret >= 0) {
  3778. if (s->msg_callback)
  3779. s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
  3780. buf, 3 + payload + padding,
  3781. s, s->msg_callback_arg);
  3782. s->tlsext_hb_pending = 1;
  3783. }
  3784. err:
  3785. OPENSSL_free(buf);
  3786. return ret;
  3787. }
  3788. # endif
  3789. # define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
  3790. typedef struct {
  3791. size_t sigalgcnt;
  3792. int sigalgs[MAX_SIGALGLEN];
  3793. } sig_cb_st;
  3794. static int sig_cb(const char *elem, int len, void *arg)
  3795. {
  3796. sig_cb_st *sarg = arg;
  3797. size_t i;
  3798. char etmp[20], *p;
  3799. int sig_alg, hash_alg;
  3800. if (elem == NULL)
  3801. return 0;
  3802. if (sarg->sigalgcnt == MAX_SIGALGLEN)
  3803. return 0;
  3804. if (len > (int)(sizeof(etmp) - 1))
  3805. return 0;
  3806. memcpy(etmp, elem, len);
  3807. etmp[len] = 0;
  3808. p = strchr(etmp, '+');
  3809. if (!p)
  3810. return 0;
  3811. *p = 0;
  3812. p++;
  3813. if (!*p)
  3814. return 0;
  3815. if (!strcmp(etmp, "RSA"))
  3816. sig_alg = EVP_PKEY_RSA;
  3817. else if (!strcmp(etmp, "DSA"))
  3818. sig_alg = EVP_PKEY_DSA;
  3819. else if (!strcmp(etmp, "ECDSA"))
  3820. sig_alg = EVP_PKEY_EC;
  3821. else
  3822. return 0;
  3823. hash_alg = OBJ_sn2nid(p);
  3824. if (hash_alg == NID_undef)
  3825. hash_alg = OBJ_ln2nid(p);
  3826. if (hash_alg == NID_undef)
  3827. return 0;
  3828. for (i = 0; i < sarg->sigalgcnt; i += 2) {
  3829. if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
  3830. return 0;
  3831. }
  3832. sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
  3833. sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
  3834. return 1;
  3835. }
  3836. /*
  3837. * Set suppored signature algorithms based on a colon separated list of the
  3838. * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  3839. */
  3840. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
  3841. {
  3842. sig_cb_st sig;
  3843. sig.sigalgcnt = 0;
  3844. if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
  3845. return 0;
  3846. if (c == NULL)
  3847. return 1;
  3848. return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
  3849. }
  3850. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
  3851. int client)
  3852. {
  3853. unsigned char *sigalgs, *sptr;
  3854. int rhash, rsign;
  3855. size_t i;
  3856. if (salglen & 1)
  3857. return 0;
  3858. sigalgs = OPENSSL_malloc(salglen);
  3859. if (sigalgs == NULL)
  3860. return 0;
  3861. for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
  3862. rhash = tls12_find_id(*psig_nids++, tls12_md,
  3863. sizeof(tls12_md) / sizeof(tls12_lookup));
  3864. rsign = tls12_find_id(*psig_nids++, tls12_sig,
  3865. sizeof(tls12_sig) / sizeof(tls12_lookup));
  3866. if (rhash == -1 || rsign == -1)
  3867. goto err;
  3868. *sptr++ = rhash;
  3869. *sptr++ = rsign;
  3870. }
  3871. if (client) {
  3872. if (c->client_sigalgs)
  3873. OPENSSL_free(c->client_sigalgs);
  3874. c->client_sigalgs = sigalgs;
  3875. c->client_sigalgslen = salglen;
  3876. } else {
  3877. if (c->conf_sigalgs)
  3878. OPENSSL_free(c->conf_sigalgs);
  3879. c->conf_sigalgs = sigalgs;
  3880. c->conf_sigalgslen = salglen;
  3881. }
  3882. return 1;
  3883. err:
  3884. OPENSSL_free(sigalgs);
  3885. return 0;
  3886. }
  3887. static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
  3888. {
  3889. int sig_nid;
  3890. size_t i;
  3891. if (default_nid == -1)
  3892. return 1;
  3893. sig_nid = X509_get_signature_nid(x);
  3894. if (default_nid)
  3895. return sig_nid == default_nid ? 1 : 0;
  3896. for (i = 0; i < c->shared_sigalgslen; i++)
  3897. if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
  3898. return 1;
  3899. return 0;
  3900. }
  3901. /* Check to see if a certificate issuer name matches list of CA names */
  3902. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
  3903. {
  3904. X509_NAME *nm;
  3905. int i;
  3906. nm = X509_get_issuer_name(x);
  3907. for (i = 0; i < sk_X509_NAME_num(names); i++) {
  3908. if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
  3909. return 1;
  3910. }
  3911. return 0;
  3912. }
  3913. /*
  3914. * Check certificate chain is consistent with TLS extensions and is usable by
  3915. * server. This servers two purposes: it allows users to check chains before
  3916. * passing them to the server and it allows the server to check chains before
  3917. * attempting to use them.
  3918. */
  3919. /* Flags which need to be set for a certificate when stict mode not set */
  3920. # define CERT_PKEY_VALID_FLAGS \
  3921. (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
  3922. /* Strict mode flags */
  3923. # define CERT_PKEY_STRICT_FLAGS \
  3924. (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
  3925. | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
  3926. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  3927. int idx)
  3928. {
  3929. int i;
  3930. int rv = 0;
  3931. int check_flags = 0, strict_mode;
  3932. CERT_PKEY *cpk = NULL;
  3933. CERT *c = s->cert;
  3934. unsigned int suiteb_flags = tls1_suiteb(s);
  3935. /* idx == -1 means checking server chains */
  3936. if (idx != -1) {
  3937. /* idx == -2 means checking client certificate chains */
  3938. if (idx == -2) {
  3939. cpk = c->key;
  3940. idx = cpk - c->pkeys;
  3941. } else
  3942. cpk = c->pkeys + idx;
  3943. x = cpk->x509;
  3944. pk = cpk->privatekey;
  3945. chain = cpk->chain;
  3946. strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
  3947. /* If no cert or key, forget it */
  3948. if (!x || !pk)
  3949. goto end;
  3950. # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  3951. /* Allow any certificate to pass test */
  3952. if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
  3953. rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
  3954. CERT_PKEY_VALID | CERT_PKEY_SIGN;
  3955. cpk->valid_flags = rv;
  3956. return rv;
  3957. }
  3958. # endif
  3959. } else {
  3960. if (!x || !pk)
  3961. return 0;
  3962. idx = ssl_cert_type(x, pk);
  3963. if (idx == -1)
  3964. return 0;
  3965. cpk = c->pkeys + idx;
  3966. if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
  3967. check_flags = CERT_PKEY_STRICT_FLAGS;
  3968. else
  3969. check_flags = CERT_PKEY_VALID_FLAGS;
  3970. strict_mode = 1;
  3971. }
  3972. if (suiteb_flags) {
  3973. int ok;
  3974. if (check_flags)
  3975. check_flags |= CERT_PKEY_SUITEB;
  3976. ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
  3977. if (ok == X509_V_OK)
  3978. rv |= CERT_PKEY_SUITEB;
  3979. else if (!check_flags)
  3980. goto end;
  3981. }
  3982. /*
  3983. * Check all signature algorithms are consistent with signature
  3984. * algorithms extension if TLS 1.2 or later and strict mode.
  3985. */
  3986. if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
  3987. int default_nid;
  3988. unsigned char rsign = 0;
  3989. if (c->peer_sigalgs)
  3990. default_nid = 0;
  3991. /* If no sigalgs extension use defaults from RFC5246 */
  3992. else {
  3993. switch (idx) {
  3994. case SSL_PKEY_RSA_ENC:
  3995. case SSL_PKEY_RSA_SIGN:
  3996. case SSL_PKEY_DH_RSA:
  3997. rsign = TLSEXT_signature_rsa;
  3998. default_nid = NID_sha1WithRSAEncryption;
  3999. break;
  4000. case SSL_PKEY_DSA_SIGN:
  4001. case SSL_PKEY_DH_DSA:
  4002. rsign = TLSEXT_signature_dsa;
  4003. default_nid = NID_dsaWithSHA1;
  4004. break;
  4005. case SSL_PKEY_ECC:
  4006. rsign = TLSEXT_signature_ecdsa;
  4007. default_nid = NID_ecdsa_with_SHA1;
  4008. break;
  4009. default:
  4010. default_nid = -1;
  4011. break;
  4012. }
  4013. }
  4014. /*
  4015. * If peer sent no signature algorithms extension and we have set
  4016. * preferred signature algorithms check we support sha1.
  4017. */
  4018. if (default_nid > 0 && c->conf_sigalgs) {
  4019. size_t j;
  4020. const unsigned char *p = c->conf_sigalgs;
  4021. for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
  4022. if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
  4023. break;
  4024. }
  4025. if (j == c->conf_sigalgslen) {
  4026. if (check_flags)
  4027. goto skip_sigs;
  4028. else
  4029. goto end;
  4030. }
  4031. }
  4032. /* Check signature algorithm of each cert in chain */
  4033. if (!tls1_check_sig_alg(c, x, default_nid)) {
  4034. if (!check_flags)
  4035. goto end;
  4036. } else
  4037. rv |= CERT_PKEY_EE_SIGNATURE;
  4038. rv |= CERT_PKEY_CA_SIGNATURE;
  4039. for (i = 0; i < sk_X509_num(chain); i++) {
  4040. if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
  4041. if (check_flags) {
  4042. rv &= ~CERT_PKEY_CA_SIGNATURE;
  4043. break;
  4044. } else
  4045. goto end;
  4046. }
  4047. }
  4048. }
  4049. /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
  4050. else if (check_flags)
  4051. rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
  4052. skip_sigs:
  4053. /* Check cert parameters are consistent */
  4054. if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
  4055. rv |= CERT_PKEY_EE_PARAM;
  4056. else if (!check_flags)
  4057. goto end;
  4058. if (!s->server)
  4059. rv |= CERT_PKEY_CA_PARAM;
  4060. /* In strict mode check rest of chain too */
  4061. else if (strict_mode) {
  4062. rv |= CERT_PKEY_CA_PARAM;
  4063. for (i = 0; i < sk_X509_num(chain); i++) {
  4064. X509 *ca = sk_X509_value(chain, i);
  4065. if (!tls1_check_cert_param(s, ca, 0)) {
  4066. if (check_flags) {
  4067. rv &= ~CERT_PKEY_CA_PARAM;
  4068. break;
  4069. } else
  4070. goto end;
  4071. }
  4072. }
  4073. }
  4074. if (!s->server && strict_mode) {
  4075. STACK_OF(X509_NAME) *ca_dn;
  4076. int check_type = 0;
  4077. switch (pk->type) {
  4078. case EVP_PKEY_RSA:
  4079. check_type = TLS_CT_RSA_SIGN;
  4080. break;
  4081. case EVP_PKEY_DSA:
  4082. check_type = TLS_CT_DSS_SIGN;
  4083. break;
  4084. case EVP_PKEY_EC:
  4085. check_type = TLS_CT_ECDSA_SIGN;
  4086. break;
  4087. case EVP_PKEY_DH:
  4088. case EVP_PKEY_DHX:
  4089. {
  4090. int cert_type = X509_certificate_type(x, pk);
  4091. if (cert_type & EVP_PKS_RSA)
  4092. check_type = TLS_CT_RSA_FIXED_DH;
  4093. if (cert_type & EVP_PKS_DSA)
  4094. check_type = TLS_CT_DSS_FIXED_DH;
  4095. }
  4096. }
  4097. if (check_type) {
  4098. const unsigned char *ctypes;
  4099. int ctypelen;
  4100. if (c->ctypes) {
  4101. ctypes = c->ctypes;
  4102. ctypelen = (int)c->ctype_num;
  4103. } else {
  4104. ctypes = (unsigned char *)s->s3->tmp.ctype;
  4105. ctypelen = s->s3->tmp.ctype_num;
  4106. }
  4107. for (i = 0; i < ctypelen; i++) {
  4108. if (ctypes[i] == check_type) {
  4109. rv |= CERT_PKEY_CERT_TYPE;
  4110. break;
  4111. }
  4112. }
  4113. if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
  4114. goto end;
  4115. } else
  4116. rv |= CERT_PKEY_CERT_TYPE;
  4117. ca_dn = s->s3->tmp.ca_names;
  4118. if (!sk_X509_NAME_num(ca_dn))
  4119. rv |= CERT_PKEY_ISSUER_NAME;
  4120. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  4121. if (ssl_check_ca_name(ca_dn, x))
  4122. rv |= CERT_PKEY_ISSUER_NAME;
  4123. }
  4124. if (!(rv & CERT_PKEY_ISSUER_NAME)) {
  4125. for (i = 0; i < sk_X509_num(chain); i++) {
  4126. X509 *xtmp = sk_X509_value(chain, i);
  4127. if (ssl_check_ca_name(ca_dn, xtmp)) {
  4128. rv |= CERT_PKEY_ISSUER_NAME;
  4129. break;
  4130. }
  4131. }
  4132. }
  4133. if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
  4134. goto end;
  4135. } else
  4136. rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
  4137. if (!check_flags || (rv & check_flags) == check_flags)
  4138. rv |= CERT_PKEY_VALID;
  4139. end:
  4140. if (TLS1_get_version(s) >= TLS1_2_VERSION) {
  4141. if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
  4142. rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
  4143. else if (cpk->digest)
  4144. rv |= CERT_PKEY_SIGN;
  4145. } else
  4146. rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
  4147. /*
  4148. * When checking a CERT_PKEY structure all flags are irrelevant if the
  4149. * chain is invalid.
  4150. */
  4151. if (!check_flags) {
  4152. if (rv & CERT_PKEY_VALID)
  4153. cpk->valid_flags = rv;
  4154. else {
  4155. /* Preserve explicit sign flag, clear rest */
  4156. cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
  4157. return 0;
  4158. }
  4159. }
  4160. return rv;
  4161. }
  4162. /* Set validity of certificates in an SSL structure */
  4163. void tls1_set_cert_validity(SSL *s)
  4164. {
  4165. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
  4166. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
  4167. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
  4168. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
  4169. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
  4170. tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
  4171. }
  4172. /* User level utiity function to check a chain is suitable */
  4173. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  4174. {
  4175. return tls1_check_chain(s, x, pk, chain, -1);
  4176. }
  4177. #endif