kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
255 Cometimentos
12 Ramos
38 MiB
 
 
 
 
 
 
Árvore: 019c3cc64a
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de '019c3cc64a'
${ noResults }
boringssl/ssl/t1_lib.c

3840 linhas
99 KiB
Em bruto Responsabilidade Histórico 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  * 

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  * 

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  * 

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from 

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  * 

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  * 

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer. 

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <stdio.h>

  110. #include <stdlib.h>

  111. #include <assert.h>

  112. 

  113. #include <openssl/bytestring.h>

  114. #include <openssl/evp.h>

  115. #include <openssl/hmac.h>

  116. #include <openssl/mem.h>

  117. #include <openssl/obj.h>

  118. #include <openssl/rand.h>

  119. 

  120. #include "ssl_locl.h"

  121. static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,

  122. 				const unsigned char *sess_id, int sesslen,

  123. 				SSL_SESSION **psess);

  124. static int ssl_check_clienthello_tlsext_early(SSL *s);

  125. int ssl_check_serverhello_tlsext(SSL *s);

  126. 

  127. SSL3_ENC_METHOD TLSv1_enc_data={

  128. 	tls1_enc,

  129. 	tls1_mac,

  130. 	tls1_setup_key_block,

  131. 	tls1_generate_master_secret,

  132. 	tls1_change_cipher_state,

  133. 	tls1_final_finish_mac,

  134. 	TLS1_FINISH_MAC_LENGTH,

  135. 	tls1_cert_verify_mac,

  136. 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,

  137. 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,

  138. 	tls1_alert_code,

  139. 	tls1_export_keying_material,

  140. 	0,

  141. 	SSL3_HM_HEADER_LENGTH,

  142. 	ssl3_set_handshake_header,

  143. 	ssl3_handshake_write

  144. 	};

  145. 

  146. SSL3_ENC_METHOD TLSv1_1_enc_data={

  147. 	tls1_enc,

  148. 	tls1_mac,

  149. 	tls1_setup_key_block,

  150. 	tls1_generate_master_secret,

  151. 	tls1_change_cipher_state,

  152. 	tls1_final_finish_mac,

  153. 	TLS1_FINISH_MAC_LENGTH,

  154. 	tls1_cert_verify_mac,

  155. 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,

  156. 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,

  157. 	tls1_alert_code,

  158. 	tls1_export_keying_material,

  159. 	SSL_ENC_FLAG_EXPLICIT_IV,

  160. 	SSL3_HM_HEADER_LENGTH,

  161. 	ssl3_set_handshake_header,

  162. 	ssl3_handshake_write

  163. 	};

  164. 

  165. SSL3_ENC_METHOD TLSv1_2_enc_data={

  166. 	tls1_enc,

  167. 	tls1_mac,

  168. 	tls1_setup_key_block,

  169. 	tls1_generate_master_secret,

  170. 	tls1_change_cipher_state,

  171. 	tls1_final_finish_mac,

  172. 	TLS1_FINISH_MAC_LENGTH,

  173. 	tls1_cert_verify_mac,

  174. 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,

  175. 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,

  176. 	tls1_alert_code,

  177. 	tls1_export_keying_material,

  178. 	SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF

  179. 		|SSL_ENC_FLAG_TLS1_2_CIPHERS,

  180. 	SSL3_HM_HEADER_LENGTH,

  181. 	ssl3_set_handshake_header,

  182. 	ssl3_handshake_write

  183. 	};

  184. 

  185. long tls1_default_timeout(void)

  186. 	{

  187. 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec

  188. 	 * is way too long for http, the cache would over fill */

  189. 	return(60*60*2);

  190. 	}

  191. 

  192. int tls1_new(SSL *s)

  193. 	{

  194. 	if (!ssl3_new(s)) return(0);

  195. 	s->method->ssl_clear(s);

  196. 	return(1);

  197. 	}

  198. 

  199. void tls1_free(SSL *s)

  200. 	{

  201. 	if (s->tlsext_session_ticket)

  202. 		{

  203. 		OPENSSL_free(s->tlsext_session_ticket);

  204. 		}

  205. 	ssl3_free(s);

  206. 	}

  207. 

  208. void tls1_clear(SSL *s)

  209. 	{

  210. 	ssl3_clear(s);

  211. 	s->version = s->method->version;

  212. 	}

  213. 

  214. static int compare_uint16_t(const void *p1, const void *p2)

  215. 	{

  216. 	uint16_t u1 = *((const uint16_t*)p1);

  217. 	uint16_t u2 = *((const uint16_t*)p2);

  218. 	if (u1 < u2)

  219. 		{

  220. 		return -1;

  221. 		}

  222. 	else if (u1 > u2)

  223. 		{

  224. 		return 1;

  225. 		}

  226. 	else

  227. 		{

  228. 		return 0;

  229. 		}

  230. 	}

  231. 

  232. /* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be more

  233.  * than one extension of the same type in a ClientHello or ServerHello. This

  234.  * function does an initial scan over the extensions block to filter those

  235.  * out. */

  236. static int tls1_check_duplicate_extensions(const CBS *cbs)

  237. 	{

  238. 	CBS extensions = *cbs;

  239. 	size_t num_extensions = 0, i = 0;

  240. 	uint16_t *extension_types = NULL;

  241. 	int ret = 0;

  242. 

  243. 	/* First pass: count the extensions. */

  244. 	while (CBS_len(&extensions) > 0)

  245. 		{

  246. 		uint16_t type;

  247. 		CBS extension;

  248. 

  249. 		if (!CBS_get_u16(&extensions, &type) ||

  250. 			!CBS_get_u16_length_prefixed(&extensions, &extension))

  251. 			{

  252. 			goto done;

  253. 			}

  254. 

  255. 		num_extensions++;

  256. 		}

  257. 

  258. 	extension_types = (uint16_t*)OPENSSL_malloc(sizeof(uint16_t) * num_extensions);

  259. 	if (extension_types == NULL)

  260. 		{

  261. 		OPENSSL_PUT_ERROR(SSL, tls1_check_duplicate_extensions, ERR_R_MALLOC_FAILURE);

  262. 		goto done;

  263. 		}

  264. 

  265. 	/* Second pass: gather the extension types. */

  266. 	extensions = *cbs;

  267. 	for (i = 0; i < num_extensions; i++)

  268. 		{

  269. 		CBS extension;

  270. 

  271. 		if (!CBS_get_u16(&extensions, &extension_types[i]) ||

  272. 			!CBS_get_u16_length_prefixed(&extensions, &extension))

  273. 			{

  274. 			/* This should not happen. */

  275. 			goto done;

  276. 			}

  277. 		}

  278. 	assert(CBS_len(&extensions) == 0);

  279. 

  280. 	/* Sort the extensions and make sure there are no duplicates. */

  281. 	qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);

  282. 	for (i = 1; i < num_extensions; i++)

  283. 		{

  284. 		if (extension_types[i-1] == extension_types[i])

  285. 			{

  286. 			goto done;

  287. 			}

  288. 		}

  289. 

  290. 	ret = 1;

  291. done:

  292. 	if (extension_types)

  293. 		OPENSSL_free(extension_types);

  294. 	return ret;

  295. 	}

  296. 

  297. char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)

  298. 	{

  299. 	CBS client_hello, session_id, cipher_suites, compression_methods, extensions;

  300. 

  301. 	CBS_init(&client_hello, ctx->client_hello, ctx->client_hello_len);

  302. 

  303. 	/* Skip client version. */

  304. 	if (!CBS_skip(&client_hello, 2))

  305. 		return 0;

  306. 

  307. 	/* Skip client nonce. */

  308. 	if (!CBS_skip(&client_hello, 32))

  309. 		return 0;

  310. 

  311. 	/* Extract session_id. */

  312. 	if (!CBS_get_u8_length_prefixed(&client_hello, &session_id))

  313. 		return 0;

  314. 	ctx->session_id = CBS_data(&session_id);

  315. 	ctx->session_id_len = CBS_len(&session_id);

  316. 

  317. 	/* Skip past DTLS cookie */

  318. 	if (ctx->ssl->version == DTLS1_VERSION || ctx->ssl->version == DTLS1_BAD_VER)

  319. 		{

  320. 		CBS cookie;

  321. 

  322. 		if (!CBS_get_u8_length_prefixed(&client_hello, &cookie))

  323. 			return 0;

  324. 		}

  325. 

  326. 	/* Extract cipher_suites. */

  327. 	if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||

  328. 		CBS_len(&cipher_suites) < 2 ||

  329. 		(CBS_len(&cipher_suites) & 1) != 0)

  330. 		return 0;

  331. 	ctx->cipher_suites = CBS_data(&cipher_suites);

  332. 	ctx->cipher_suites_len = CBS_len(&cipher_suites);

  333. 

  334. 	/* Extract compression_methods. */

  335. 	if (!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||

  336. 		CBS_len(&compression_methods) < 1)

  337. 		return 0;

  338. 	ctx->compression_methods = CBS_data(&compression_methods);

  339. 	ctx->compression_methods_len = CBS_len(&compression_methods);

  340. 

  341. 	/* If the ClientHello ends here then it's valid, but doesn't have any

  342. 	 * extensions. (E.g. SSLv3.) */

  343. 	if (CBS_len(&client_hello) == 0)

  344. 		{

  345. 		ctx->extensions = NULL;

  346. 		ctx->extensions_len = 0;

  347. 		return 1;

  348. 		}

  349. 

  350. 	/* Extract extensions and check it is valid. */

  351. 	if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||

  352. 		!tls1_check_duplicate_extensions(&extensions) ||

  353. 		CBS_len(&client_hello) != 0)

  354. 		return 0;

  355. 	ctx->extensions = CBS_data(&extensions);

  356. 	ctx->extensions_len = CBS_len(&extensions);

  357. 

  358. 	return 1;

  359. 	}

  360. 

  361. char

  362. SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,

  363. 				     uint16_t extension_type,

  364. 				     const unsigned char **out_data,

  365. 				     size_t *out_len)

  366. 	{

  367. 	CBS extensions;

  368. 

  369. 	CBS_init(&extensions, ctx->extensions, ctx->extensions_len);

  370. 

  371. 	while (CBS_len(&extensions) != 0)

  372. 		{

  373. 		uint16_t type;

  374. 		CBS extension;

  375. 

  376. 		/* Decode the next extension. */

  377. 		if (!CBS_get_u16(&extensions, &type) ||

  378. 			!CBS_get_u16_length_prefixed(&extensions, &extension))

  379. 			return 0;

  380. 

  381. 		if (type == extension_type)

  382. 			{

  383. 			*out_data = CBS_data(&extension);

  384. 			*out_len = CBS_len(&extension);

  385. 			return 1;

  386. 			}

  387. 		}

  388. 

  389. 	return 0;

  390. 	}

  391. 

  392. #ifndef OPENSSL_NO_EC

  393. 

  394. static int nid_list[] =

  395. 	{

  396. 		NID_sect163k1, /* sect163k1 (1) */

  397. 		NID_sect163r1, /* sect163r1 (2) */

  398. 		NID_sect163r2, /* sect163r2 (3) */

  399. 		NID_sect193r1, /* sect193r1 (4) */ 

  400. 		NID_sect193r2, /* sect193r2 (5) */ 

  401. 		NID_sect233k1, /* sect233k1 (6) */

  402. 		NID_sect233r1, /* sect233r1 (7) */ 

  403. 		NID_sect239k1, /* sect239k1 (8) */ 

  404. 		NID_sect283k1, /* sect283k1 (9) */

  405. 		NID_sect283r1, /* sect283r1 (10) */ 

  406. 		NID_sect409k1, /* sect409k1 (11) */ 

  407. 		NID_sect409r1, /* sect409r1 (12) */

  408. 		NID_sect571k1, /* sect571k1 (13) */ 

  409. 		NID_sect571r1, /* sect571r1 (14) */ 

  410. 		NID_secp160k1, /* secp160k1 (15) */

  411. 		NID_secp160r1, /* secp160r1 (16) */ 

  412. 		NID_secp160r2, /* secp160r2 (17) */ 

  413. 		NID_secp192k1, /* secp192k1 (18) */

  414. 		NID_X9_62_prime192v1, /* secp192r1 (19) */ 

  415. 		NID_secp224k1, /* secp224k1 (20) */ 

  416. 		NID_secp224r1, /* secp224r1 (21) */

  417. 		NID_secp256k1, /* secp256k1 (22) */ 

  418. 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 

  419. 		NID_secp384r1, /* secp384r1 (24) */

  420. 		NID_secp521r1,  /* secp521r1 (25) */	

  421. 		NID_brainpoolP256r1,  /* brainpoolP256r1 (26) */	

  422. 		NID_brainpoolP384r1,  /* brainpoolP384r1 (27) */	

  423. 		NID_brainpoolP512r1  /* brainpool512r1 (28) */	

  424. 	};

  425. 

  426. static const uint8_t ecformats_default[] =

  427. 	{

  428. 	TLSEXT_ECPOINTFORMAT_uncompressed,

  429. 	};

  430. 

  431. static const uint16_t eccurves_default[] =

  432. 	{

  433. 		23, /* secp256r1 (23) */

  434. 		24, /* secp384r1 (24) */

  435. 		25, /* secp521r1 (25) */

  436. 	};

  437. 

  438. static const uint16_t suiteb_curves[] =

  439. 	{

  440. 		TLSEXT_curve_P_256,

  441. 		TLSEXT_curve_P_384,

  442. 	};

  443. 

  444. int tls1_ec_curve_id2nid(uint16_t curve_id)

  445. 	{

  446. 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */

  447. 	if (curve_id < 1 || curve_id > sizeof(nid_list)/sizeof(nid_list[0]))

  448. 		return OBJ_undef;

  449. 	return nid_list[curve_id-1];

  450. 	}

  451. 

  452. uint16_t tls1_ec_nid2curve_id(int nid)

  453. 	{

  454. 	size_t i;

  455. 	for (i = 0; i < sizeof(nid_list)/sizeof(nid_list[0]); i++)

  456. 		{

  457. 		/* nid_list[i] stores the NID corresponding to curve ID i+1. */

  458. 		if (nid == nid_list[i])

  459. 			return i + 1;

  460. 		}

  461. 	/* Use 0 for non-existent curve ID. Note: this assumes that curve ID 0

  462. 	 * will never be allocated. */

  463. 	return 0;

  464. 	}

  465. 

  466. /* tls1_get_curvelist sets |*out_curve_ids| and |*out_curve_ids_len| to the list

  467.  * of allowed curve IDs. If |get_client_curves| is non-zero, return the client

  468.  * curve list. Otherwise, return the preferred list. */

  469. static void tls1_get_curvelist(SSL *s, int get_client_curves,

  470. 	const uint16_t **out_curve_ids, size_t *out_curve_ids_len)

  471. 	{

  472. 	if (get_client_curves)

  473. 		{

  474. 		*out_curve_ids = s->session->tlsext_ellipticcurvelist;

  475. 		*out_curve_ids_len = s->session->tlsext_ellipticcurvelist_length;

  476. 		return;

  477. 		}

  478. 	/* For Suite B mode only include P-256, P-384 */

  479. 	switch (tls1_suiteb(s))

  480. 		{

  481. 	case SSL_CERT_FLAG_SUITEB_128_LOS:

  482. 		*out_curve_ids = suiteb_curves;

  483. 		*out_curve_ids_len = sizeof(suiteb_curves);

  484. 		break;

  485. 

  486. 	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:

  487. 		*out_curve_ids = suiteb_curves;

  488. 		*out_curve_ids_len = 1;

  489. 		break;

  490. 

  491. 	case SSL_CERT_FLAG_SUITEB_192_LOS:

  492. 		*out_curve_ids = suiteb_curves + 1;

  493. 		*out_curve_ids_len = 1;

  494. 		break;

  495. 	default:

  496. 		*out_curve_ids = s->tlsext_ellipticcurvelist;

  497. 		*out_curve_ids_len = s->tlsext_ellipticcurvelist_length;

  498. 		}

  499. 	if (!*out_curve_ids)

  500. 		{

  501. 		*out_curve_ids = eccurves_default;

  502. 		*out_curve_ids_len = sizeof(eccurves_default);

  503. 		}

  504. 	}

  505. 

  506. int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id)

  507. 	{

  508. 	uint8_t curve_type;

  509. 	uint16_t curve_id;

  510. 	const uint16_t *curves;

  511. 	size_t curves_len, i;

  512. 

  513. 	/* Only support named curves. */

  514. 	if (!CBS_get_u8(cbs, &curve_type) ||

  515. 		curve_type != NAMED_CURVE_TYPE ||

  516. 		!CBS_get_u16(cbs, &curve_id))

  517. 		return 0;

  518. 

  519. 	/* Check curve matches Suite B preferences */

  520. 	if (tls1_suiteb(s))

  521. 		{

  522. 		unsigned long cid = s->s3->tmp.new_cipher->id;

  523. 		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

  524. 			{

  525. 			if (curve_id != TLSEXT_curve_P_256)

  526. 				return 0;

  527. 			}

  528. 		else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)

  529. 			{

  530. 			if (curve_id != TLSEXT_curve_P_384)

  531. 				return 0;

  532. 			}

  533. 		else	/* Should never happen */

  534. 			return 0;

  535. 		}

  536. 	tls1_get_curvelist(s, 0, &curves, &curves_len);

  537. 	for (i = 0; i < curves_len; i++)

  538. 		{

  539. 		if (curve_id == curves[i])

  540. 			{

  541. 			*out_curve_id = curve_id;

  542. 			return 1;

  543. 			}

  544. 		}

  545. 	return 0;

  546. 	}

  547. 

  548. int tls1_get_shared_curve(SSL *s)

  549. 	{

  550. 	const uint16_t *pref, *supp;

  551. 	size_t preflen, supplen, i, j;

  552. 

  553. 	/* Can't do anything on client side */

  554. 	if (s->server == 0)

  555. 		return NID_undef;

  556. 

  557. 	if (tls1_suiteb(s))

  558. 		{

  559. 		/* For Suite B ciphersuite determines curve: we

  560. 		 * already know these are acceptable due to previous

  561. 		 * checks.

  562. 		 */

  563. 		unsigned long cid = s->s3->tmp.new_cipher->id;

  564. 		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

  565. 			return NID_X9_62_prime256v1; /* P-256 */

  566. 		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)

  567. 			return NID_secp384r1; /* P-384 */

  568. 		/* Should never happen */

  569. 		return NID_undef;

  570. 		}

  571. 

  572. 	/* If not Suite B just return first preference shared curve */

  573. 	tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),

  574. 				&supp, &supplen);

  575. 	tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),

  576. 				&pref, &preflen);

  577. 	for (i = 0; i < preflen; i++)

  578. 		{

  579. 		for (j = 0; j < supplen; j++)

  580. 			{

  581. 			if (pref[i] == supp[j])

  582. 				return tls1_ec_curve_id2nid(pref[i]);

  583. 			}

  584. 		}

  585. 	return NID_undef;

  586. 	}

  587. 

  588. /* NOTE: tls1_ec_curve_id2nid and tls1_set_curves assume that

  589.  *

  590.  * (a) 0 is not a valid curve ID.

  591.  *

  592.  * (b) The largest curve ID is 31.

  593.  *

  594.  * Those implementations must be revised before adding support for curve IDs

  595.  * that break these assumptions. */

  596. OPENSSL_COMPILE_ASSERT(

  597. 	(sizeof(nid_list) / sizeof(nid_list[0])) < 32, small_curve_ids);

  598. 

  599. int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,

  600. 	const int *curves, size_t ncurves)

  601. 	{

  602. 	uint16_t *curve_ids;

  603. 	size_t i;

  604. 	/* Bitmap of curves included to detect duplicates: only works

  605. 	 * while curve ids < 32 

  606. 	 */

  607. 	uint32_t dup_list = 0;

  608. 	curve_ids = (uint16_t*)OPENSSL_malloc(ncurves * sizeof(uint16_t));

  609. 	if (!curve_ids)

  610. 		return 0;

  611. 	for (i = 0; i < ncurves; i++)

  612. 		{

  613. 		uint32_t idmask;

  614. 		uint16_t id;

  615. 		id = tls1_ec_nid2curve_id(curves[i]);

  616. 		idmask = ((uint32_t)1) << id;

  617. 		if (!id || (dup_list & idmask))

  618. 			{

  619. 			OPENSSL_free(curve_ids);

  620. 			return 0;

  621. 			}

  622. 		dup_list |= idmask;

  623. 		curve_ids[i] = id;

  624. 		}

  625. 	if (*out_curve_ids)

  626. 		OPENSSL_free(*out_curve_ids);

  627. 	*out_curve_ids = curve_ids;

  628. 	*out_curve_ids_len = ncurves;

  629. 	return 1;

  630. 	}

  631. 

  632. /* tls1_curve_params_from_ec_key sets |*out_curve_id| and |*out_comp_id| to the

  633.  * TLS curve ID and point format, respectively, for |ec|. It returns one on

  634.  * success and zero on failure. */

  635. static int tls1_curve_params_from_ec_key(uint16_t *out_curve_id, uint8_t *out_comp_id, EC_KEY *ec)

  636. 	{

  637. 	int nid;

  638. 	uint16_t id;

  639. 	const EC_GROUP *grp;

  640. 	if (!ec)

  641. 		return 0;

  642. 

  643. 	grp = EC_KEY_get0_group(ec);

  644. 	if (!grp)

  645. 		return 0;

  646. 

  647. 	/* Determine curve ID */

  648. 	nid = EC_GROUP_get_curve_name(grp);

  649. 	id = tls1_ec_nid2curve_id(nid);

  650. 	if (!id)

  651. 		return 0;

  652. 

  653. 	/* Set the named curve ID. Arbitrary explicit curves are not

  654. 	 * supported. */

  655. 	*out_curve_id = id;

  656. 

  657. 	if (out_comp_id)

  658. 		{

  659.         	if (EC_KEY_get0_public_key(ec) == NULL)

  660. 			return 0;

  661. 		if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)

  662. 			*out_comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;

  663. 		else

  664. 			*out_comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;

  665. 		}

  666. 	return 1;

  667. 	}

  668. 

  669. /* Check an EC key is compatible with extensions */

  670. static int tls1_check_ec_key(SSL *s,

  671. 	const uint16_t *curve_id, const uint8_t *comp_id)

  672. 	{

  673. 	const uint16_t *curves;

  674. 	size_t curves_len, i;

  675. 	int j;

  676. 	/* If point formats extension present check it, otherwise everything

  677. 	 * is supported (see RFC4492).

  678. 	 */

  679. 	if (comp_id && s->session->tlsext_ecpointformatlist)

  680. 		{

  681. 		uint8_t *p = s->session->tlsext_ecpointformatlist;

  682. 		size_t plen = s->session->tlsext_ecpointformatlist_length;

  683. 		for (i = 0; i < plen; i++)

  684. 			{

  685. 			if (*comp_id == p[i])

  686. 				break;

  687. 			}

  688. 		if (i == plen)

  689. 			return 0;

  690. 		}

  691. 	if (!curve_id)

  692. 		return 1;

  693. 	/* Check curve is consistent with client and server preferences */

  694. 	for (j = 0; j <= 1; j++)

  695. 		{

  696. 		tls1_get_curvelist(s, j, &curves, &curves_len);

  697. 		for (i = 0; i < curves_len; i++)

  698. 			{

  699. 			if (curves[i] == *curve_id)

  700. 				break;

  701. 			}

  702. 		if (i == curves_len)

  703. 			return 0;

  704. 		/* For clients can only check sent curve list */

  705. 		if (!s->server)

  706. 			return 1;

  707. 		}

  708. 	return 1;

  709. 	}

  710. 

  711. static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,

  712. 					size_t *pformatslen)

  713. 	{

  714. 	/* If we have a custom point format list use it otherwise

  715. 	 * use default */

  716. 	if (s->tlsext_ecpointformatlist)

  717. 		{

  718. 		*pformats = s->tlsext_ecpointformatlist;

  719. 		*pformatslen = s->tlsext_ecpointformatlist_length;

  720. 		}

  721. 	else

  722. 		{

  723. 		*pformats = ecformats_default;

  724. 		/* For Suite B we don't support char2 fields */

  725. 		if (tls1_suiteb(s))

  726. 			*pformatslen = sizeof(ecformats_default) - 1;

  727. 		else

  728. 			*pformatslen = sizeof(ecformats_default);

  729. 		}

  730. 	}

  731. 

  732. /* Check cert parameters compatible with extensions: currently just checks

  733.  * EC certificates have compatible curves and compression.

  734.  */

  735. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)

  736. 	{

  737. 	uint8_t comp_id;

  738. 	uint16_t curve_id;

  739. 	EVP_PKEY *pkey;

  740. 	int rv;

  741. 	pkey = X509_get_pubkey(x);

  742. 	if (!pkey)

  743. 		return 0;

  744. 	/* If not EC nothing to do */

  745. 	if (pkey->type != EVP_PKEY_EC)

  746. 		{

  747. 		EVP_PKEY_free(pkey);

  748. 		return 1;

  749. 		}

  750. 	rv = tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec);

  751. 	EVP_PKEY_free(pkey);

  752. 	if (!rv)

  753. 		return 0;

  754. 	/* Can't check curve_id for client certs as we don't have a

  755. 	 * supported curves extension.

  756. 	 */

  757. 	rv = tls1_check_ec_key(s, s->server ? &curve_id : NULL, &comp_id);

  758. 	if (!rv)

  759. 		return 0;

  760. 	/* Special case for suite B. We *MUST* sign using SHA256+P-256 or

  761. 	 * SHA384+P-384, adjust digest if necessary.

  762. 	 */

  763. 	if (set_ee_md && tls1_suiteb(s))

  764. 		{

  765. 		int check_md;

  766. 		size_t i;

  767. 		CERT *c = s->cert;

  768. 		/* Check to see we have necessary signing algorithm */

  769. 		if (curve_id == TLSEXT_curve_P_256)

  770. 			check_md = NID_ecdsa_with_SHA256;

  771. 		else if (curve_id == TLSEXT_curve_P_384)

  772. 			check_md = NID_ecdsa_with_SHA384;

  773. 		else

  774. 			return 0; /* Should never happen */

  775. 		for (i = 0; i < c->shared_sigalgslen; i++)

  776. 			if (check_md == c->shared_sigalgs[i].signandhash_nid)

  777. 				break;

  778. 		if (i == c->shared_sigalgslen)

  779. 			return 0;

  780. 		if (set_ee_md == 2)

  781. 			{

  782. 			if (check_md == NID_ecdsa_with_SHA256)

  783. 				c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();

  784. 			else

  785. 				c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();

  786. 			}

  787. 		}

  788. 	return rv;

  789. 	}

  790. /* Check EC temporary key is compatible with client extensions */

  791. int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)

  792. 	{

  793. 	uint16_t curve_id;

  794. 	EC_KEY *ec = s->cert->ecdh_tmp;

  795. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

  796. 	/* Allow any curve: not just those peer supports */

  797. 	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)

  798. 		return 1;

  799. #endif

  800. 	/* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,

  801. 	 * no other curves permitted.

  802. 	 */

  803. 	if (tls1_suiteb(s))

  804. 		{

  805. 		/* Curve to check determined by ciphersuite */

  806. 		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

  807. 			curve_id = TLSEXT_curve_P_256;

  808. 		else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)

  809. 			curve_id = TLSEXT_curve_P_384;

  810. 		else

  811. 			return 0;

  812. 		/* Check this curve is acceptable */

  813. 		if (!tls1_check_ec_key(s, &curve_id, NULL))

  814. 			return 0;

  815. 		/* If auto or setting curve from callback assume OK */

  816. 		if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)

  817. 			return 1;

  818. 		/* Otherwise check curve is acceptable */

  819. 		else 

  820. 			{

  821. 			uint16_t curve_tmp;

  822. 			if (!ec)

  823. 				return 0;

  824. 			if (!tls1_curve_params_from_ec_key(&curve_tmp, NULL, ec))

  825. 				return 0;

  826. 			if (curve_tmp == curve_id)

  827. 				return 1;

  828. 			return 0;

  829. 			}

  830. 			

  831. 		}

  832. 	if (s->cert->ecdh_tmp_auto)

  833. 		{

  834. 		/* Need a shared curve */

  835. 		return tls1_get_shared_curve(s) != NID_undef;

  836. 		}

  837. 	if (!ec)

  838. 		{

  839. 		if (s->cert->ecdh_tmp_cb)

  840. 			return 1;

  841. 		else

  842. 			return 0;

  843. 		}

  844. 	if (!tls1_curve_params_from_ec_key(&curve_id, NULL, ec))

  845. 		return 0;

  846. /* Set this to allow use of invalid curves for testing */

  847. #if 0

  848. 	return 1;

  849. #else

  850. 	return tls1_check_ec_key(s, &curve_id, NULL);

  851. #endif

  852. 	}

  853. 

  854. #else

  855. 

  856. static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)

  857. 	{

  858. 	return 1;

  859. 	}

  860. 

  861. #endif /* OPENSSL_NO_EC */

  862. 

  863. 

  864. /* List of supported signature algorithms and hashes. Should make this

  865.  * customisable at some point, for now include everything we support.

  866.  */

  867. 

  868. #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,

  869. 

  870. #ifdef OPENSSL_NO_DSA

  871. #define tlsext_sigalg_dsa(md) /* */

  872. #else

  873. #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,

  874. #endif

  875. 

  876. #ifdef OPENSSL_NO_ECDSA

  877. #define tlsext_sigalg_ecdsa(md) /* */

  878. #else

  879. #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,

  880. #endif

  881. 

  882. #define tlsext_sigalg(md) \

  883. 		tlsext_sigalg_rsa(md) \

  884. 		tlsext_sigalg_dsa(md) \

  885. 		tlsext_sigalg_ecdsa(md)

  886. 

  887. static unsigned char tls12_sigalgs[] = {

  888. #ifndef OPENSSL_NO_SHA512

  889. 	tlsext_sigalg(TLSEXT_hash_sha512)

  890. 	tlsext_sigalg(TLSEXT_hash_sha384)

  891. #endif

  892. #ifndef OPENSSL_NO_SHA256

  893. 	tlsext_sigalg(TLSEXT_hash_sha256)

  894. 	tlsext_sigalg(TLSEXT_hash_sha224)

  895. #endif

  896. #ifndef OPENSSL_NO_SHA

  897. 	tlsext_sigalg(TLSEXT_hash_sha1)

  898. #endif

  899. };

  900. #ifndef OPENSSL_NO_ECDSA

  901. static unsigned char suiteb_sigalgs[] = {

  902. 	tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)

  903. 	tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)

  904. };

  905. #endif

  906. size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)

  907. 	{

  908. 	/* If Suite B mode use Suite B sigalgs only, ignore any other

  909. 	 * preferences.

  910. 	 */

  911. #ifndef OPENSSL_NO_EC

  912. 	switch (tls1_suiteb(s))

  913. 		{

  914. 	case SSL_CERT_FLAG_SUITEB_128_LOS:

  915. 		*psigs = suiteb_sigalgs;

  916. 		return sizeof(suiteb_sigalgs);

  917. 

  918. 	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:

  919. 		*psigs = suiteb_sigalgs;

  920. 		return 2;

  921. 

  922. 	case SSL_CERT_FLAG_SUITEB_192_LOS:

  923. 		*psigs = suiteb_sigalgs + 2;

  924. 		return 2;

  925. 		}

  926. #endif

  927. 	/* If server use client authentication sigalgs if not NULL */

  928. 	if (s->server && s->cert->client_sigalgs)

  929. 		{

  930. 		*psigs = s->cert->client_sigalgs;

  931. 		return s->cert->client_sigalgslen;

  932. 		}

  933. 	else if (s->cert->conf_sigalgs)

  934. 		{

  935. 		*psigs = s->cert->conf_sigalgs;

  936. 		return s->cert->conf_sigalgslen;

  937. 		}

  938. 	else

  939. 		{

  940. 		*psigs = tls12_sigalgs;

  941. 		return sizeof(tls12_sigalgs);

  942. 		}

  943. 	}

  944. 

  945. /* tls12_check_peer_sigalg parses a SignatureAndHashAlgorithm out of

  946.  * |cbs|. It checks it is consistent with |s|'s sent supported

  947.  * signature algorithms and, if so, writes the relevant digest into

  948.  * |*out_md| and returns 1. Otherwise it returns 0 and writes an alert

  949.  * into |*out_alert|.

  950.  */

  951. int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,

  952. 	SSL *s, CBS *cbs, EVP_PKEY *pkey)

  953. 	{

  954. 	const unsigned char *sent_sigs;

  955. 	size_t sent_sigslen, i;

  956. 	int sigalg = tls12_get_sigid(pkey);

  957. 	uint8_t hash, signature;

  958. 	/* Should never happen */

  959. 	if (sigalg == -1)

  960. 		{

  961. 		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, ERR_R_INTERNAL_ERROR);

  962. 		*out_alert = SSL_AD_INTERNAL_ERROR;

  963. 		return 0;

  964. 		}

  965. 	if (!CBS_get_u8(cbs, &hash) ||

  966. 		!CBS_get_u8(cbs, &signature))

  967. 		{

  968. 		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_DECODE_ERROR);

  969. 		*out_alert = SSL_AD_DECODE_ERROR;

  970. 		return 0;

  971. 		}

  972. 	/* Check key type is consistent with signature */

  973. 	if (sigalg != signature)

  974. 		{

  975. 		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);

  976. 		*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  977. 		return 0;

  978. 		}

  979. #ifndef OPENSSL_NO_EC

  980. 	if (pkey->type == EVP_PKEY_EC)

  981. 		{

  982. 		uint16_t curve_id;

  983. 		uint8_t comp_id;

  984. 		/* Check compression and curve matches extensions */

  985. 		if (!tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec))

  986. 			{

  987. 			*out_alert = SSL_AD_INTERNAL_ERROR;

  988. 			return 0;

  989. 			}

  990. 		if (!s->server && !tls1_check_ec_key(s, &curve_id, &comp_id))

  991. 			{

  992. 			OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);

  993. 			*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  994. 			return 0;

  995. 			}

  996. 		/* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */

  997. 		if (tls1_suiteb(s))

  998. 			{

  999. 			if (curve_id == TLSEXT_curve_P_256)

  1000. 				{

  1001. 				if (hash != TLSEXT_hash_sha256)

  1002. 					{

  1003. 					OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);

  1004. 					*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1005. 					return 0;

  1006. 					}

  1007. 				}

  1008. 			else if (curve_id == TLSEXT_curve_P_384)

  1009. 				{

  1010. 				if (hash != TLSEXT_hash_sha384)

  1011. 					{

  1012. 					OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);

  1013. 					*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1014. 					return 0;

  1015. 					}

  1016. 				}

  1017. 			else

  1018. 				{

  1019. 				*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1020. 				return 0;

  1021. 				}

  1022. 			}

  1023. 		}

  1024. 	else if (tls1_suiteb(s))

  1025. 		{

  1026. 		*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1027. 		return 0;

  1028. 		}

  1029. #endif

  1030. 

  1031. 	/* Check signature matches a type we sent */

  1032. 	sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);

  1033. 	for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)

  1034. 		{

  1035. 		if (hash == sent_sigs[0] && signature == sent_sigs[1])

  1036. 			break;

  1037. 		}

  1038. 	/* Allow fallback to SHA1 if not strict mode */

  1039. 	if (i == sent_sigslen && (hash != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))

  1040. 		{

  1041. 		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);

  1042. 		*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1043. 		return 0;

  1044. 		}

  1045. 	*out_md = tls12_get_hash(hash);

  1046. 	if (*out_md == NULL)

  1047. 		{

  1048. 		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);

  1049. 		*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  1050. 		return 0;

  1051. 		}

  1052. 	/* Store the digest used so applications can retrieve it if they

  1053. 	 * wish.

  1054. 	 */

  1055. 	if (s->session && s->session->sess_cert)

  1056. 		s->session->sess_cert->peer_key->digest = *out_md;

  1057. 	return 1;

  1058. 	}

  1059. /* Get a mask of disabled algorithms: an algorithm is disabled

  1060.  * if it isn't supported or doesn't appear in supported signature

  1061.  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific

  1062.  * session and not global settings.

  1063.  * 

  1064.  */

  1065. void ssl_set_client_disabled(SSL *s)

  1066. 	{

  1067. 	CERT *c = s->cert;

  1068. 	const unsigned char *sigalgs;

  1069. 	size_t i, sigalgslen;

  1070. 	int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;

  1071. 	c->mask_a = 0;

  1072. 	c->mask_k = 0;

  1073. 	/* Don't allow TLS 1.2 only ciphers if we don't suppport them */

  1074. 	if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))

  1075. 		c->mask_ssl = SSL_TLSV1_2;

  1076. 	else

  1077. 		c->mask_ssl = 0;

  1078. 	/* Now go through all signature algorithms seeing if we support

  1079. 	 * any for RSA, DSA, ECDSA. Do this for all versions not just

  1080. 	 * TLS 1.2.

  1081. 	 */

  1082. 	sigalgslen = tls12_get_psigalgs(s, &sigalgs);

  1083. 	for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)

  1084. 		{

  1085. 		switch(sigalgs[1])

  1086. 			{

  1087. 		case TLSEXT_signature_rsa:

  1088. 			have_rsa = 1;

  1089. 			break;

  1090. #ifndef OPENSSL_NO_DSA

  1091. 		case TLSEXT_signature_dsa:

  1092. 			have_dsa = 1;

  1093. 			break;

  1094. #endif

  1095. #ifndef OPENSSL_NO_ECDSA

  1096. 		case TLSEXT_signature_ecdsa:

  1097. 			have_ecdsa = 1;

  1098. 			break;

  1099. #endif

  1100. 			}

  1101. 		}

  1102. 	/* Disable auth and static DH if we don't include any appropriate

  1103. 	 * signature algorithms.

  1104. 	 */

  1105. 	if (!have_rsa)

  1106. 		{

  1107. 		c->mask_a |= SSL_aRSA;

  1108. 		c->mask_k |= SSL_kDHr|SSL_kECDHr;

  1109. 		}

  1110. 	if (!have_dsa)

  1111. 		{

  1112. 		c->mask_a |= SSL_aDSS;

  1113. 		c->mask_k |= SSL_kDHd;

  1114. 		}

  1115. 	if (!have_ecdsa)

  1116. 		{

  1117. 		c->mask_a |= SSL_aECDSA;

  1118. 		c->mask_k |= SSL_kECDHe;

  1119. 		}

  1120. #ifndef OPENSSL_NO_PSK

  1121. 	/* with PSK there must be client callback set */

  1122. 	if (!s->psk_client_callback)

  1123. 		{

  1124. 		c->mask_a |= SSL_aPSK;

  1125. 		c->mask_k |= SSL_kPSK;

  1126. 		}

  1127. #endif /* OPENSSL_NO_PSK */

  1128. 	c->valid = 1;

  1129. 	}

  1130. 

  1131. /* header_len is the length of the ClientHello header written so far, used to

  1132.  * compute padding. It does not include the record header. Pass 0 if no padding

  1133.  * is to be done. */

  1134. unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)

  1135. 	{

  1136. 	int extdatalen=0;

  1137. 	unsigned char *ret = buf;

  1138. 	unsigned char *orig = buf;

  1139. #ifndef OPENSSL_NO_EC

  1140. 	/* See if we support any ECC ciphersuites */

  1141. 	int using_ecc = 0;

  1142. 	if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))

  1143. 		{

  1144. 		int i;

  1145. 		unsigned long alg_k, alg_a;

  1146. 		STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);

  1147. 

  1148. 		for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)

  1149. 			{

  1150. 			SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

  1151. 

  1152. 			alg_k = c->algorithm_mkey;

  1153. 			alg_a = c->algorithm_auth;

  1154. 			if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)

  1155. 				|| (alg_a & SSL_aECDSA)))

  1156. 				{

  1157. 				using_ecc = 1;

  1158. 				break;

  1159. 				}

  1160. 			}

  1161. 		}

  1162. #endif

  1163. 

  1164. 	/* don't add extensions for SSLv3 unless doing secure renegotiation */

  1165. 	if (s->client_version == SSL3_VERSION

  1166. 					&& !s->s3->send_connection_binding)

  1167. 		return orig;

  1168. 

  1169. 	ret+=2;

  1170. 

  1171. 	if (ret>=limit) return NULL; /* this really never occurs, but ... */

  1172. 

  1173.  	if (s->tlsext_hostname != NULL)

  1174. 		{ 

  1175. 		/* Add TLS extension servername to the Client Hello message */

  1176. 		unsigned long size_str;

  1177. 		long lenmax; 

  1178. 

  1179. 		/* check for enough space.

  1180. 		   4 for the servername type and entension length

  1181. 		   2 for servernamelist length

  1182. 		   1 for the hostname type

  1183. 		   2 for hostname length

  1184. 		   + hostname length 

  1185. 		*/

  1186. 		   

  1187. 		if ((lenmax = limit - ret - 9) < 0 

  1188. 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 

  1189. 			return NULL;

  1190. 			

  1191. 		/* extension type and length */

  1192. 		s2n(TLSEXT_TYPE_server_name,ret); 

  1193. 		s2n(size_str+5,ret);

  1194. 		

  1195. 		/* length of servername list */

  1196. 		s2n(size_str+3,ret);

  1197. 	

  1198. 		/* hostname type, length and hostname */

  1199. 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;

  1200. 		s2n(size_str,ret);

  1201. 		memcpy(ret, s->tlsext_hostname, size_str);

  1202. 		ret+=size_str;

  1203. 		}

  1204. 

  1205.         /* Add RI if renegotiating */

  1206.         if (s->renegotiate)

  1207.           {

  1208.           int el;

  1209.           

  1210.           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))

  1211.               {

  1212.               OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);

  1213.               return NULL;

  1214.               }

  1215. 

  1216.           if((limit - ret - 4 - el) < 0) return NULL;

  1217.           

  1218.           s2n(TLSEXT_TYPE_renegotiate,ret);

  1219.           s2n(el,ret);

  1220. 

  1221.           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))

  1222.               {

  1223.               OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);

  1224.               return NULL;

  1225.               }

  1226. 

  1227.           ret += el;

  1228.         }

  1229. 

  1230. 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))

  1231. 		{

  1232. 		int ticklen;

  1233. 		if (!s->new_session && s->session && s->session->tlsext_tick)

  1234. 			ticklen = s->session->tlsext_ticklen;

  1235. 		else if (s->session && s->tlsext_session_ticket &&

  1236. 			 s->tlsext_session_ticket->data)

  1237. 			{

  1238. 			ticklen = s->tlsext_session_ticket->length;

  1239. 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);

  1240. 			if (!s->session->tlsext_tick)

  1241. 				return NULL;

  1242. 			memcpy(s->session->tlsext_tick,

  1243. 			       s->tlsext_session_ticket->data,

  1244. 			       ticklen);

  1245. 			s->session->tlsext_ticklen = ticklen;

  1246. 			}

  1247. 		else

  1248. 			ticklen = 0;

  1249. 		if (ticklen == 0 && s->tlsext_session_ticket &&

  1250. 		    s->tlsext_session_ticket->data == NULL)

  1251. 			goto skip_ext;

  1252. 		/* Check for enough room 2 for extension type, 2 for len

  1253.  		 * rest for ticket

  1254.   		 */

  1255. 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;

  1256. 		s2n(TLSEXT_TYPE_session_ticket,ret); 

  1257. 		s2n(ticklen,ret);

  1258. 		if (ticklen)

  1259. 			{

  1260. 			memcpy(ret, s->session->tlsext_tick, ticklen);

  1261. 			ret += ticklen;

  1262. 			}

  1263. 		}

  1264. 		skip_ext:

  1265. 

  1266. 	if (SSL_USE_SIGALGS(s))

  1267. 		{

  1268. 		size_t salglen;

  1269. 		const unsigned char *salg;

  1270. 		salglen = tls12_get_psigalgs(s, &salg);

  1271. 		if ((size_t)(limit - ret) < salglen + 6)

  1272. 			return NULL; 

  1273. 		s2n(TLSEXT_TYPE_signature_algorithms,ret);

  1274. 		s2n(salglen + 2, ret);

  1275. 		s2n(salglen, ret);

  1276. 		memcpy(ret, salg, salglen);

  1277. 		ret += salglen;

  1278. 		}

  1279. 

  1280.         /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */

  1281. #if 0

  1282. 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)

  1283. 		{

  1284. 		int i;

  1285. 		long extlen, idlen, itmp;

  1286. 		OCSP_RESPID *id;

  1287. 

  1288. 		idlen = 0;

  1289. 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)

  1290. 			{

  1291. 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);

  1292. 			itmp = i2d_OCSP_RESPID(id, NULL);

  1293. 			if (itmp <= 0)

  1294. 				return NULL;

  1295. 			idlen += itmp + 2;

  1296. 			}

  1297. 

  1298. 		if (s->tlsext_ocsp_exts)

  1299. 			{

  1300. 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);

  1301. 			if (extlen < 0)

  1302. 				return NULL;

  1303. 			}

  1304. 		else

  1305. 			extlen = 0;

  1306. 			

  1307. 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;

  1308. 		s2n(TLSEXT_TYPE_status_request, ret);

  1309. 		if (extlen + idlen > 0xFFF0)

  1310. 			return NULL;

  1311. 		s2n(extlen + idlen + 5, ret);

  1312. 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;

  1313. 		s2n(idlen, ret);

  1314. 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)

  1315. 			{

  1316. 			/* save position of id len */

  1317. 			unsigned char *q = ret;

  1318. 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);

  1319. 			/* skip over id len */

  1320. 			ret += 2;

  1321. 			itmp = i2d_OCSP_RESPID(id, &ret);

  1322. 			/* write id len */

  1323. 			s2n(itmp, q);

  1324. 			}

  1325. 		s2n(extlen, ret);

  1326. 		if (extlen > 0)

  1327. 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);

  1328. 		}

  1329. #endif

  1330. 

  1331. #ifndef OPENSSL_NO_NEXTPROTONEG

  1332. 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)

  1333. 		{

  1334. 		/* The client advertises an emtpy extension to indicate its

  1335. 		 * support for Next Protocol Negotiation */

  1336. 		if (limit - ret - 4 < 0)

  1337. 			return NULL;

  1338. 		s2n(TLSEXT_TYPE_next_proto_neg,ret);

  1339. 		s2n(0,ret);

  1340. 		}

  1341. #endif

  1342. 

  1343. 	if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)

  1344. 		{

  1345. 		if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)

  1346. 			return NULL;

  1347. 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);

  1348. 		s2n(2 + s->alpn_client_proto_list_len,ret);

  1349. 		s2n(s->alpn_client_proto_list_len,ret);

  1350. 		memcpy(ret, s->alpn_client_proto_list,

  1351. 		       s->alpn_client_proto_list_len);

  1352. 		ret += s->alpn_client_proto_list_len;

  1353. 		}

  1354. 

  1355. 	if (s->tlsext_channel_id_enabled)

  1356. 		{

  1357. 		/* The client advertises an emtpy extension to indicate its

  1358. 		 * support for Channel ID. */

  1359. 		if (limit - ret - 4 < 0)

  1360. 			return NULL;

  1361. 		if (s->ctx->tlsext_channel_id_enabled_new)

  1362. 			s2n(TLSEXT_TYPE_channel_id_new,ret);

  1363. 		else

  1364. 			s2n(TLSEXT_TYPE_channel_id,ret);

  1365. 		s2n(0,ret);

  1366. 		}

  1367. 

  1368.         if(SSL_get_srtp_profiles(s))

  1369.                 {

  1370.                 int el;

  1371. 

  1372.                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);

  1373.                 

  1374.                 if((limit - ret - 4 - el) < 0) return NULL;

  1375. 

  1376.                 s2n(TLSEXT_TYPE_use_srtp,ret);

  1377.                 s2n(el,ret);

  1378. 

  1379.                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))

  1380. 			{

  1381. 			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);

  1382. 			return NULL;

  1383. 			}

  1384.                 ret += el;

  1385.                 }

  1386. 

  1387. #ifndef OPENSSL_NO_EC

  1388. 	if (using_ecc)

  1389. 		{

  1390. 		/* Add TLS extension ECPointFormats to the ClientHello message */

  1391. 		long lenmax; 

  1392. 		const uint8_t *formats;

  1393. 		const uint16_t *curves;

  1394. 		size_t formats_len, curves_len, i;

  1395. 

  1396. 		tls1_get_formatlist(s, &formats, &formats_len);

  1397. 

  1398. 		if ((lenmax = limit - ret - 5) < 0) return NULL; 

  1399. 		if (formats_len > (size_t)lenmax) return NULL;

  1400. 		if (formats_len > 255)

  1401. 			{

  1402. 			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);

  1403. 			return NULL;

  1404. 			}

  1405. 		

  1406. 		s2n(TLSEXT_TYPE_ec_point_formats,ret);

  1407. 		s2n(formats_len + 1,ret);

  1408. 		*(ret++) = (unsigned char)formats_len;

  1409. 		memcpy(ret, formats, formats_len);

  1410. 		ret+=formats_len;

  1411. 

  1412. 		/* Add TLS extension EllipticCurves to the ClientHello message */

  1413. 		tls1_get_curvelist(s, 0, &curves, &curves_len);

  1414. 

  1415. 		if ((lenmax = limit - ret - 6) < 0) return NULL; 

  1416. 		if ((curves_len * 2) > (size_t)lenmax) return NULL;

  1417. 		if ((curves_len * 2) > 65532)

  1418. 			{

  1419. 			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);

  1420. 			return NULL;

  1421. 			}

  1422. 		

  1423. 		s2n(TLSEXT_TYPE_elliptic_curves,ret);

  1424. 		s2n((curves_len * 2) + 2, ret);

  1425. 

  1426. 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for

  1427. 		 * elliptic_curve_list, but the examples use two bytes.

  1428. 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html

  1429. 		 * resolves this to two bytes.

  1430. 		 */

  1431. 		s2n(curves_len * 2, ret);

  1432. 		for (i = 0; i < curves_len; i++)

  1433. 			{

  1434. 			s2n(curves[i], ret);

  1435. 			}

  1436. 		}

  1437. #endif /* OPENSSL_NO_EC */

  1438. 

  1439. #ifdef TLSEXT_TYPE_padding

  1440. 	/* Add padding to workaround bugs in F5 terminators.

  1441. 	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03

  1442. 	 *

  1443. 	 * NB: because this code works out the length of all existing

  1444. 	 * extensions it MUST always appear last. */

  1445. 	if (header_len > 0)

  1446. 		{

  1447. 		header_len += ret - orig;

  1448. 		if (header_len > 0xff && header_len < 0x200)

  1449. 			{

  1450. 			size_t padding_len = 0x200 - header_len;

  1451. 			/* Extensions take at least four bytes to encode. Always

  1452. 			 * include least one byte of data if including the

  1453. 			 * extension. WebSphere Application Server 7.0 is

  1454. 			 * intolerant to the last extension being zero-length. */

  1455. 			if (padding_len >= 4 + 1)

  1456. 				padding_len -= 4;

  1457. 			else

  1458. 				padding_len = 1;

  1459. 			if (limit - ret - 4 - (long)padding_len < 0)

  1460. 				return NULL;

  1461. 

  1462. 			s2n(TLSEXT_TYPE_padding, ret);

  1463. 			s2n(padding_len, ret);

  1464. 			memset(ret, 0, padding_len);

  1465. 			ret += padding_len;

  1466. 			}

  1467. 		}

  1468. #endif

  1469. 

  1470. 	if ((extdatalen = ret-orig-2)== 0)

  1471. 		return orig;

  1472. 

  1473. 	s2n(extdatalen, orig);

  1474. 	return ret;

  1475. 	}

  1476. 

  1477. unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)

  1478. 	{

  1479. 	int extdatalen=0;

  1480. 	unsigned char *orig = buf;

  1481. 	unsigned char *ret = buf;

  1482. #ifndef OPENSSL_NO_NEXTPROTONEG

  1483. 	int next_proto_neg_seen;

  1484. #endif

  1485. #ifndef OPENSSL_NO_EC

  1486. 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

  1487. 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;

  1488. 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);

  1489. 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);

  1490. #endif

  1491. 	/* don't add extensions for SSLv3, unless doing secure renegotiation */

  1492. 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)

  1493. 		return orig;

  1494. 	

  1495. 	ret+=2;

  1496. 	if (ret>=limit) return NULL; /* this really never occurs, but ... */

  1497. 

  1498. 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)

  1499. 		{ 

  1500. 		if ((long)(limit - ret - 4) < 0) return NULL; 

  1501. 

  1502. 		s2n(TLSEXT_TYPE_server_name,ret);

  1503. 		s2n(0,ret);

  1504. 		}

  1505. 

  1506. 	if(s->s3->send_connection_binding)

  1507.         {

  1508.           int el;

  1509.           

  1510.           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))

  1511.               {

  1512.               OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);

  1513.               return NULL;

  1514.               }

  1515. 

  1516.           if((limit - ret - 4 - el) < 0) return NULL;

  1517.           

  1518.           s2n(TLSEXT_TYPE_renegotiate,ret);

  1519.           s2n(el,ret);

  1520. 

  1521.           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))

  1522.               {

  1523.               OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);

  1524.               return NULL;

  1525.               }

  1526. 

  1527.           ret += el;

  1528.         }

  1529. 

  1530. #ifndef OPENSSL_NO_EC

  1531. 	if (using_ecc)

  1532. 		{

  1533. 		const unsigned char *plist;

  1534. 		size_t plistlen;

  1535. 		/* Add TLS extension ECPointFormats to the ServerHello message */

  1536. 		long lenmax; 

  1537. 

  1538. 		tls1_get_formatlist(s, &plist, &plistlen);

  1539. 

  1540. 		if ((lenmax = limit - ret - 5) < 0) return NULL; 

  1541. 		if (plistlen > (size_t)lenmax) return NULL;

  1542. 		if (plistlen > 255)

  1543. 			{

  1544. 			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);

  1545. 			return NULL;

  1546. 			}

  1547. 		

  1548. 		s2n(TLSEXT_TYPE_ec_point_formats,ret);

  1549. 		s2n(plistlen + 1,ret);

  1550. 		*(ret++) = (unsigned char) plistlen;

  1551. 		memcpy(ret, plist, plistlen);

  1552. 		ret+=plistlen;

  1553. 

  1554. 		}

  1555. 	/* Currently the server should not respond with a SupportedCurves extension */

  1556. #endif /* OPENSSL_NO_EC */

  1557. 

  1558. 	if (s->tlsext_ticket_expected

  1559. 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 

  1560. 		{ 

  1561. 		if ((long)(limit - ret - 4) < 0) return NULL; 

  1562. 		s2n(TLSEXT_TYPE_session_ticket,ret);

  1563. 		s2n(0,ret);

  1564. 		}

  1565. 

  1566. 	if (s->tlsext_status_expected)

  1567. 		{ 

  1568. 		if ((long)(limit - ret - 4) < 0) return NULL; 

  1569. 		s2n(TLSEXT_TYPE_status_request,ret);

  1570. 		s2n(0,ret);

  1571. 		}

  1572. 

  1573.         if(s->srtp_profile)

  1574.                 {

  1575.                 int el;

  1576. 

  1577.                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);

  1578.                 

  1579.                 if((limit - ret - 4 - el) < 0) return NULL;

  1580. 

  1581.                 s2n(TLSEXT_TYPE_use_srtp,ret);

  1582.                 s2n(el,ret);

  1583. 

  1584.                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))

  1585. 			{

  1586. 			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);

  1587. 			return NULL;

  1588. 			}

  1589.                 ret+=el;

  1590.                 }

  1591. 

  1592. #ifndef OPENSSL_NO_NEXTPROTONEG

  1593. 	next_proto_neg_seen = s->s3->next_proto_neg_seen;

  1594. 	s->s3->next_proto_neg_seen = 0;

  1595. 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)

  1596. 		{

  1597. 		const unsigned char *npa;

  1598. 		unsigned int npalen;

  1599. 		int r;

  1600. 

  1601. 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);

  1602. 		if (r == SSL_TLSEXT_ERR_OK)

  1603. 			{

  1604. 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;

  1605. 			s2n(TLSEXT_TYPE_next_proto_neg,ret);

  1606. 			s2n(npalen,ret);

  1607. 			memcpy(ret, npa, npalen);

  1608. 			ret += npalen;

  1609. 			s->s3->next_proto_neg_seen = 1;

  1610. 			}

  1611. 		}

  1612. #endif

  1613. 

  1614. 	if (s->s3->alpn_selected)

  1615. 		{

  1616. 		const uint8_t *selected = s->s3->alpn_selected;

  1617. 		size_t len = s->s3->alpn_selected_len;

  1618. 

  1619. 		if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)

  1620. 			return NULL;

  1621. 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);

  1622. 		s2n(3 + len,ret);

  1623. 		s2n(1 + len,ret);

  1624. 		*ret++ = len;

  1625. 		memcpy(ret, selected, len);

  1626. 		ret += len;

  1627. 		}

  1628. 

  1629. 	/* If the client advertised support for Channel ID, and we have it

  1630. 	 * enabled, then we want to echo it back. */

  1631. 	if (s->s3->tlsext_channel_id_valid)

  1632. 		{

  1633. 		if (limit - ret - 4 < 0)

  1634. 			return NULL;

  1635. 		if (s->s3->tlsext_channel_id_new)

  1636. 			s2n(TLSEXT_TYPE_channel_id_new,ret);

  1637. 		else

  1638. 			s2n(TLSEXT_TYPE_channel_id,ret);

  1639. 		s2n(0,ret);

  1640. 		}

  1641. 

  1642. 	if ((extdatalen = ret-orig-2) == 0)

  1643. 		return orig;

  1644. 

  1645. 	s2n(extdatalen, orig);

  1646. 	return ret;

  1647. 	}

  1648. 

  1649. /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a

  1650.  * ClientHello.

  1651.  *   cbs: the contents of the extension, not including the type and length.

  1652.  *   out_alert: a pointer to the alert value to send in the event of a zero

  1653.  *       return.

  1654.  *

  1655.  *   returns: 1 on success. */

  1656. static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert)

  1657. 	{

  1658. 	CBS protocol_name_list;

  1659. 	const unsigned char *selected;

  1660. 	unsigned char selected_len;

  1661. 	int r;

  1662. 

  1663. 	if (s->ctx->alpn_select_cb == NULL)

  1664. 		return 1;

  1665. 

  1666. 	if (!CBS_get_u16_length_prefixed(cbs, &protocol_name_list) ||

  1667. 		CBS_len(cbs) != 0 ||

  1668. 		CBS_len(&protocol_name_list) < 2)

  1669. 		goto parse_error;

  1670. 

  1671. 	/* Validate the protocol list. */

  1672. 	CBS protocol_name_list_copy = protocol_name_list;

  1673. 	while (CBS_len(&protocol_name_list_copy) > 0)

  1674. 		{

  1675. 		CBS protocol_name;

  1676. 

  1677. 		if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name))

  1678. 			goto parse_error;

  1679. 		}

  1680. 

  1681. 	r = s->ctx->alpn_select_cb(s, &selected, &selected_len,

  1682. 		CBS_data(&protocol_name_list), CBS_len(&protocol_name_list),

  1683. 		s->ctx->alpn_select_cb_arg);

  1684. 	if (r == SSL_TLSEXT_ERR_OK) {

  1685. 		if (s->s3->alpn_selected)

  1686. 			OPENSSL_free(s->s3->alpn_selected);

  1687. 		s->s3->alpn_selected = OPENSSL_malloc(selected_len);

  1688. 		if (!s->s3->alpn_selected)

  1689. 			{

  1690. 			*out_alert = SSL_AD_INTERNAL_ERROR;

  1691. 			return 0;

  1692. 			}

  1693. 		memcpy(s->s3->alpn_selected, selected, selected_len);

  1694. 		s->s3->alpn_selected_len = selected_len;

  1695. 	}

  1696. 	return 1;

  1697. 

  1698. parse_error:

  1699. 	*out_alert = SSL_AD_DECODE_ERROR;

  1700. 	return 0;

  1701. 	}

  1702. 

  1703. static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)

  1704. 	{	

  1705. 	int renegotiate_seen = 0;

  1706. 	CBS extensions;

  1707. 	size_t i;

  1708. 

  1709. 	s->servername_done = 0;

  1710. 	s->tlsext_status_type = -1;

  1711. #ifndef OPENSSL_NO_NEXTPROTONEG

  1712. 	s->s3->next_proto_neg_seen = 0;

  1713. #endif

  1714. 

  1715. 	if (s->s3->alpn_selected)

  1716. 		{

  1717. 		OPENSSL_free(s->s3->alpn_selected);

  1718. 		s->s3->alpn_selected = NULL;

  1719. 		}

  1720. 

  1721. 	/* Clear any signature algorithms extension received */

  1722. 	if (s->cert->peer_sigalgs)

  1723. 		{

  1724. 		OPENSSL_free(s->cert->peer_sigalgs);

  1725. 		s->cert->peer_sigalgs = NULL;

  1726. 		}

  1727. 	/* Clear any shared sigtnature algorithms */

  1728. 	if (s->cert->shared_sigalgs)

  1729. 		{

  1730. 		OPENSSL_free(s->cert->shared_sigalgs);

  1731. 		s->cert->shared_sigalgs = NULL;

  1732. 		}

  1733. 	/* Clear certificate digests and validity flags */

  1734. 	for (i = 0; i < SSL_PKEY_NUM; i++)

  1735. 		{

  1736. 		s->cert->pkeys[i].digest = NULL;

  1737. 		s->cert->pkeys[i].valid_flags = 0;

  1738. 		}

  1739. 

  1740. 	/* TODO(fork): we probably want OCSP stapling support, but this pulls in

  1741. 	 * a lot of code. */

  1742. #if 0

  1743. 	/* Clear OCSP state. */

  1744. 	s->tlsext_status_type = -1;

  1745. 	if (s->tlsext_ocsp_ids)

  1746. 		{

  1747. 		sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);

  1748. 		s->tlsext_ocsp_ids = NULL;

  1749. 		}

  1750. 	if (s->tlsext_ocsp_exts)

  1751. 		{

  1752. 		sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);

  1753. 		s->tlsext_ocsp_exts = NULL;

  1754. 		}

  1755. #endif

  1756. 

  1757. 	/* There may be no extensions. */

  1758. 	if (CBS_len(cbs) == 0)

  1759. 		{

  1760. 		goto ri_check;

  1761. 		}

  1762. 

  1763. 	/* Decode the extensions block and check it is valid. */

  1764. 	if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||

  1765. 		!tls1_check_duplicate_extensions(&extensions))

  1766. 		{

  1767. 		*out_alert = SSL_AD_DECODE_ERROR;

  1768. 		return 0;

  1769. 		}

  1770. 

  1771. 	while (CBS_len(&extensions) != 0)

  1772. 		{

  1773. 		uint16_t type;

  1774. 		CBS extension;

  1775. 

  1776. 		/* Decode the next extension. */

  1777. 		if (!CBS_get_u16(&extensions, &type) ||

  1778. 			!CBS_get_u16_length_prefixed(&extensions, &extension))

  1779. 			{

  1780. 			*out_alert = SSL_AD_DECODE_ERROR;

  1781. 			return 0;

  1782. 			}

  1783. 

  1784. 		if (s->tlsext_debug_cb)

  1785. 			{

  1786. 			s->tlsext_debug_cb(s, 0, type, (unsigned char*)CBS_data(&extension),

  1787. 				CBS_len(&extension), s->tlsext_debug_arg);

  1788. 			}

  1789. 

  1790. /* The servername extension is treated as follows:

  1791. 

  1792.    - Only the hostname type is supported with a maximum length of 255.

  1793.    - The servername is rejected if too long or if it contains zeros,

  1794.      in which case an fatal alert is generated.

  1795.    - The servername field is maintained together with the session cache.

  1796.    - When a session is resumed, the servername call back invoked in order

  1797.      to allow the application to position itself to the right context. 

  1798.    - The servername is acknowledged if it is new for a session or when 

  1799.      it is identical to a previously used for the same session. 

  1800.      Applications can control the behaviour.  They can at any time

  1801.      set a 'desirable' servername for a new SSL object. This can be the

  1802.      case for example with HTTPS when a Host: header field is received and

  1803.      a renegotiation is requested. In this case, a possible servername

  1804.      presented in the new client hello is only acknowledged if it matches

  1805.      the value of the Host: field. 

  1806.    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

  1807.      if they provide for changing an explicit servername context for the session,

  1808.      i.e. when the session has been established with a servername extension. 

  1809.    - On session reconnect, the servername extension may be absent. 

  1810. 

  1811. */      

  1812. 

  1813. 		if (type == TLSEXT_TYPE_server_name)

  1814. 			{

  1815. 			CBS server_name_list;

  1816. 

  1817. 			if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||

  1818. 				CBS_len(&server_name_list) < 1 ||

  1819. 				CBS_len(&extension) != 0)

  1820. 				{

  1821. 				*out_alert = SSL_AD_DECODE_ERROR;

  1822. 				return 0;

  1823. 				}

  1824. 

  1825. 			/* Decode each ServerName in the extension. */

  1826. 			while (CBS_len(&server_name_list) > 0)

  1827. 				{

  1828. 				uint8_t name_type;

  1829. 				CBS host_name;

  1830. 

  1831. 				/* Decode the NameType. */

  1832. 				if (!CBS_get_u8(&server_name_list, &name_type))

  1833. 					{

  1834. 					*out_alert = SSL_AD_DECODE_ERROR;

  1835. 					return 0;

  1836. 					}

  1837. 

  1838. 				/* Only host_name is supported. */

  1839. 				if (name_type != TLSEXT_NAMETYPE_host_name)

  1840. 					continue;

  1841. 

  1842. 				if (!s->hit)

  1843. 					{

  1844. 					if (s->session->tlsext_hostname)

  1845. 						{

  1846. 						/* The ServerNameList MUST NOT

  1847. 						   contain more than one name of

  1848. 						   the same name_type. */

  1849. 						*out_alert = SSL_AD_DECODE_ERROR;

  1850. 						return 0;

  1851. 						}

  1852. 

  1853. 					if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||

  1854. 						CBS_len(&host_name) < 1)

  1855. 						{

  1856. 						*out_alert = SSL_AD_DECODE_ERROR;

  1857. 						return 0;

  1858. 						}

  1859. 

  1860. 					if (CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||

  1861. 						CBS_contains_zero_byte(&host_name))

  1862. 						{

  1863. 						*out_alert = SSL_AD_UNRECOGNIZED_NAME;

  1864. 						return 0;

  1865. 						}

  1866. 

  1867. 					/* Copy the hostname as a string. */

  1868. 					if (!CBS_strdup(&host_name, &s->session->tlsext_hostname))

  1869. 						{

  1870. 						*out_alert = SSL_AD_INTERNAL_ERROR;

  1871. 						return 0;

  1872. 						}

  1873. 					s->servername_done = 1;

  1874. 					}

  1875. 				else

  1876. 					{

  1877. 					s->servername_done = s->session->tlsext_hostname

  1878. 						&& strlen(s->session->tlsext_hostname) == CBS_len(&host_name)

  1879. 						&& strncmp(s->session->tlsext_hostname,

  1880. 							(char *)CBS_data(&host_name), CBS_len(&host_name)) == 0;

  1881. 					}

  1882. 				}

  1883. 			}

  1884. 

  1885. #ifndef OPENSSL_NO_EC

  1886. 		else if (type == TLSEXT_TYPE_ec_point_formats)

  1887. 			{

  1888. 			CBS ec_point_format_list;

  1889. 

  1890. 			if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||

  1891. 				CBS_len(&extension) != 0)

  1892. 				{

  1893. 				*out_alert = SSL_AD_DECODE_ERROR;

  1894. 				return 0;

  1895. 				}

  1896. 

  1897. 			if (!s->hit)

  1898. 				{

  1899. 				if (!CBS_stow(&ec_point_format_list,

  1900. 						&s->session->tlsext_ecpointformatlist,

  1901. 						&s->session->tlsext_ecpointformatlist_length))

  1902. 					{

  1903. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  1904. 					return 0;

  1905. 					}

  1906. 				}

  1907. 			}

  1908. 		else if (type == TLSEXT_TYPE_elliptic_curves)

  1909. 			{

  1910. 			CBS elliptic_curve_list;

  1911. 			size_t i, num_curves;

  1912. 

  1913. 			if (!CBS_get_u16_length_prefixed(&extension, &elliptic_curve_list) ||

  1914. 				CBS_len(&elliptic_curve_list) == 0 ||

  1915. 				(CBS_len(&elliptic_curve_list) & 1) != 0 ||

  1916. 				CBS_len(&extension) != 0)

  1917. 				{

  1918. 				*out_alert = SSL_AD_DECODE_ERROR;

  1919. 				return 0;

  1920. 				}

  1921. 

  1922. 			if (!s->hit)

  1923. 				{

  1924. 				if (s->session->tlsext_ellipticcurvelist)

  1925. 					{

  1926. 					OPENSSL_free(s->session->tlsext_ellipticcurvelist);

  1927. 					s->session->tlsext_ellipticcurvelist_length = 0;

  1928. 					}

  1929. 				s->session->tlsext_ellipticcurvelist =

  1930. 					(uint16_t*)OPENSSL_malloc(CBS_len(&elliptic_curve_list));

  1931. 				if (s->session->tlsext_ellipticcurvelist == NULL)

  1932. 					{

  1933. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  1934. 					return 0;

  1935. 					}

  1936. 				num_curves = CBS_len(&elliptic_curve_list) / 2;

  1937. 				for (i = 0; i < num_curves; i++)

  1938. 					{

  1939. 					if (!CBS_get_u16(&elliptic_curve_list,

  1940. 							&s->session->tlsext_ellipticcurvelist[i]))

  1941. 						{

  1942. 						*out_alert = SSL_AD_INTERNAL_ERROR;

  1943. 						return 0;

  1944. 						}

  1945. 					}

  1946. 				if (CBS_len(&elliptic_curve_list) != 0)

  1947. 					{

  1948. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  1949. 					return 0;

  1950. 					}

  1951. 				s->session->tlsext_ellipticcurvelist_length = num_curves;

  1952. 				}

  1953. 			}

  1954. #endif /* OPENSSL_NO_EC */

  1955. 		else if (type == TLSEXT_TYPE_session_ticket)

  1956. 			{

  1957. 			if (s->tls_session_ticket_ext_cb &&

  1958. 				!s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension), s->tls_session_ticket_ext_cb_arg))

  1959. 				{

  1960. 				*out_alert = SSL_AD_INTERNAL_ERROR;

  1961. 				return 0;

  1962. 				}

  1963. 			}

  1964. 		else if (type == TLSEXT_TYPE_renegotiate)

  1965. 			{

  1966. 			if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, out_alert))

  1967. 				return 0;

  1968. 			renegotiate_seen = 1;

  1969. 			}

  1970. 		else if (type == TLSEXT_TYPE_signature_algorithms)

  1971. 			{

  1972. 			CBS supported_signature_algorithms;

  1973. 

  1974. 			if (!CBS_get_u16_length_prefixed(&extension, &supported_signature_algorithms) ||

  1975. 				CBS_len(&extension) != 0)

  1976. 				{

  1977. 				*out_alert = SSL_AD_DECODE_ERROR;

  1978. 				return 0;

  1979. 				}

  1980. 

  1981. 			/* Ensure the signature algorithms are non-empty. It

  1982. 			 * contains a list of SignatureAndHashAlgorithms

  1983. 			 * which are two bytes each. */

  1984. 			if (CBS_len(&supported_signature_algorithms) == 0 ||

  1985. 				(CBS_len(&supported_signature_algorithms) % 2) != 0)

  1986. 				{

  1987. 				*out_alert = SSL_AD_DECODE_ERROR;

  1988. 				return 0;

  1989. 				}

  1990. 

  1991. 			if (!tls1_process_sigalgs(s,

  1992. 					CBS_data(&supported_signature_algorithms),

  1993. 					CBS_len(&supported_signature_algorithms)))

  1994. 				{

  1995. 				*out_alert = SSL_AD_DECODE_ERROR;

  1996. 				return 0;

  1997. 				}

  1998. 			/* If sigalgs received and no shared algorithms fatal

  1999. 			 * error.

  2000. 			 */

  2001. 			if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)

  2002. 				{

  2003. 				OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);

  2004. 				*out_alert = SSL_AD_ILLEGAL_PARAMETER;

  2005. 				return 0;

  2006. 				}

  2007. 			}

  2008. 

  2009.                 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */

  2010. #if 0

  2011. 		else if (type == TLSEXT_TYPE_status_request)

  2012. 			{

  2013. 			uint8_t status_type;

  2014. 			CBS responder_id_list;

  2015. 			CBS request_extensions;

  2016. 

  2017. 			if (!CBS_get_u8(&extension, &status_type))

  2018. 				{

  2019. 				*out_alert = SSL_AD_DECODE_ERROR;

  2020. 				return 0;

  2021. 				}

  2022. 

  2023. 			/* Only OCSP is supported. */

  2024. 			if (status_type != TLSEXT_STATUSTYPE_ocsp)

  2025. 				continue;

  2026. 

  2027. 			s->tlsext_status_type = status_type;

  2028. 

  2029. 			/* Extension consists of a responder_id_list and

  2030. 			 * request_extensions. */

  2031. 			if (!CBS_get_u16_length_prefixed(&extension, &responder_id_list) ||

  2032. 				!CBS_get_u16_length_prefixed(&extension, &request_extensions) ||

  2033. 				CBS_len(&extension) != 0)

  2034. 				{

  2035. 				*out_alert = SSL_AD_DECODE_ERROR;

  2036. 				return 0;

  2037. 				}

  2038. 

  2039. 			if (CBS_len(&responder_id_list) > 0)

  2040. 				{

  2041. 				s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();

  2042. 				if (s->tlsext_ocsp_ids == NULL)

  2043. 					{

  2044. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  2045. 					return 0;

  2046. 					}

  2047. 				}

  2048. 

  2049. 			/* Parse out the responder IDs. */

  2050. 			while (CBS_len(&responder_id_list) > 0)

  2051. 				{

  2052. 				CBS responder_id;

  2053. 				OCSP_RESPID *id;

  2054. 				const uint8_t *data;

  2055. 

  2056. 				/* Each ResponderID must have size at least 1. */

  2057. 				if (!CBS_get_u16_length_prefixed(&responder_id_list, &responder_id) ||

  2058. 					CBS_len(&responder_id) < 1)

  2059. 					{

  2060. 					*out_alert = SSL_AD_DECODE_ERROR;

  2061. 					return 0;

  2062. 					}

  2063. 

  2064. 				/* TODO(fork): Add CBS versions of d2i_FOO_BAR. */

  2065. 				data = CBS_data(&responder_id);

  2066. 				id = d2i_OCSP_RESPID(NULL, &data, CBS_len(&responder_id));

  2067. 				if (!id)

  2068. 					{

  2069. 					*out_alert = SSL_AD_DECODE_ERROR;

  2070. 					return 0;

  2071. 					}

  2072. 				if (!CBS_skip(&responder_id, data - CBS_data(&responder_id)))

  2073. 					{

  2074. 					/* This should never happen. */

  2075. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  2076. 					OCSP_RESPID_free(id);

  2077. 					return 0;

  2078. 					}

  2079. 				if (CBS_len(&responder_id) != 0)

  2080. 					{

  2081. 					*out_alert = SSL_AD_DECODE_ERROR;

  2082. 					OCSP_RESPID_free(id);

  2083. 					return 0;

  2084. 					}

  2085. 

  2086. 				if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id))

  2087. 					{

  2088. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  2089. 					OCSP_RESPID_free(id);

  2090. 					return 0;

  2091. 					}

  2092. 				}

  2093. 

  2094. 			/* Parse out request_extensions. */

  2095. 			if (CBS_len(&request_extensions) > 0)

  2096. 				{

  2097. 				const uint8_t *data;

  2098. 

  2099. 				data = CBS_data(&request_extensions);

  2100. 				s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,

  2101. 					&data, CBS_len(&request_extensions));

  2102. 				if (s->tlsext_ocsp_exts == NULL)

  2103. 					{

  2104. 					*out_alert = SSL_AD_DECODE_ERROR;

  2105. 					return 0;

  2106. 					}

  2107. 				if (!CBS_skip(&request_extensions, data - CBS_data(&request_extensions)))

  2108. 					{

  2109. 					/* This should never happen. */

  2110. 					*out_alert = SSL_AD_INTERNAL_ERROR;

  2111. 					return 0;

  2112. 					}

  2113. 				if (CBS_len(&request_extensions) != 0)

  2114. 					{

  2115. 					*out_alert = SSL_AD_DECODE_ERROR;

  2116. 					return 0;

  2117. 					}

  2118. 				}

  2119. 			}

  2120. #endif

  2121. 

  2122. #ifndef OPENSSL_NO_NEXTPROTONEG

  2123. 		else if (type == TLSEXT_TYPE_next_proto_neg &&

  2124. 			 s->s3->tmp.finish_md_len == 0 &&

  2125. 			 s->s3->alpn_selected == NULL)

  2126. 			{

  2127. 			/* The extension must be empty. */

  2128. 			if (CBS_len(&extension) != 0)

  2129. 				{

  2130. 				*out_alert = SSL_AD_DECODE_ERROR;

  2131. 				return 0;

  2132. 				}

  2133. 

  2134. 			/* We shouldn't accept this extension on a

  2135. 			 * renegotiation.

  2136. 			 *

  2137. 			 * s->new_session will be set on renegotiation, but we

  2138. 			 * probably shouldn't rely that it couldn't be set on

  2139. 			 * the initial renegotation too in certain cases (when

  2140. 			 * there's some other reason to disallow resuming an

  2141. 			 * earlier session -- the current code won't be doing

  2142. 			 * anything like that, but this might change).

  2143. 

  2144. 			 * A valid sign that there's been a previous handshake

  2145. 			 * in this connection is if s->s3->tmp.finish_md_len >

  2146. 			 * 0.  (We are talking about a check that will happen

  2147. 			 * in the Hello protocol round, well before a new

  2148. 			 * Finished message could have been computed.) */

  2149. 			s->s3->next_proto_neg_seen = 1;

  2150. 			}

  2151. #endif

  2152. 

  2153. 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&

  2154. 			 s->ctx->alpn_select_cb &&

  2155. 			 s->s3->tmp.finish_md_len == 0)

  2156. 			{

  2157. 			if (!tls1_alpn_handle_client_hello(s, &extension, out_alert))

  2158. 				return 0;

  2159. #ifndef OPENSSL_NO_NEXTPROTONEG

  2160. 			/* ALPN takes precedence over NPN. */

  2161. 			s->s3->next_proto_neg_seen = 0;

  2162. #endif

  2163. 			}

  2164. 

  2165. 		else if (type == TLSEXT_TYPE_channel_id &&

  2166. 			 s->tlsext_channel_id_enabled)

  2167. 			{

  2168. 			/* The extension must be empty. */

  2169. 			if (CBS_len(&extension) != 0)

  2170. 				{

  2171. 				*out_alert = SSL_AD_DECODE_ERROR;

  2172. 				return 0;

  2173. 				}

  2174. 

  2175. 			s->s3->tlsext_channel_id_valid = 1;

  2176. 			}

  2177. 

  2178. 		else if (type == TLSEXT_TYPE_channel_id_new &&

  2179. 			 s->tlsext_channel_id_enabled)

  2180. 			{

  2181. 			/* The extension must be empty. */

  2182. 			if (CBS_len(&extension) != 0)

  2183. 				{

  2184. 				*out_alert = SSL_AD_DECODE_ERROR;

  2185. 				return 0;

  2186. 				}

  2187. 

  2188. 			s->s3->tlsext_channel_id_valid = 1;

  2189. 			s->s3->tlsext_channel_id_new = 1;

  2190. 			}

  2191. 

  2192. 

  2193. 		/* session ticket processed earlier */

  2194. 		else if (type == TLSEXT_TYPE_use_srtp)

  2195.                         {

  2196. 			if (!ssl_parse_clienthello_use_srtp_ext(s, &extension, out_alert))

  2197. 				return 0;

  2198.                         }

  2199. 		}

  2200. 

  2201. 	ri_check:

  2202. 

  2203. 	/* Need RI if renegotiating */

  2204. 

  2205. 	if (!renegotiate_seen && s->renegotiate &&

  2206. 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))

  2207. 		{

  2208. 		*out_alert = SSL_AD_HANDSHAKE_FAILURE;

  2209. 	 	OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

  2210. 		return 0;

  2211. 		}

  2212. 	/* If no signature algorithms extension set default values */

  2213. 	if (!s->cert->peer_sigalgs)

  2214. 		ssl_cert_set_default_md(s->cert);

  2215. 

  2216. 	return 1;

  2217. 	}

  2218. 

  2219. int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs)

  2220. 	{

  2221. 	int alert = -1;

  2222. 	if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0)

  2223. 		{

  2224. 		ssl3_send_alert(s, SSL3_AL_FATAL, alert);

  2225. 		return 0;

  2226. 		}

  2227. 

  2228. 	if (ssl_check_clienthello_tlsext_early(s) <= 0) 

  2229. 		{

  2230. 		OPENSSL_PUT_ERROR(SSL, ssl_parse_clienthello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);

  2231. 		return 0;

  2232. 		}

  2233. 	return 1;

  2234. 	}

  2235. 

  2236. #ifndef OPENSSL_NO_NEXTPROTONEG

  2237. /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No

  2238.  * elements of zero length are allowed and the set of elements must exactly fill

  2239.  * the length of the block. */

  2240. static char ssl_next_proto_validate(const CBS *cbs)

  2241. 	{

  2242. 	CBS copy = *cbs;

  2243. 

  2244. 	while (CBS_len(&copy) != 0)

  2245. 		{

  2246. 		CBS proto;

  2247. 		if (!CBS_get_u8_length_prefixed(&copy, &proto) ||

  2248. 			CBS_len(&proto) == 0)

  2249. 			{

  2250. 			return 0;

  2251. 			}

  2252. 		}

  2253. 	return 1;

  2254. 	}

  2255. #endif

  2256. 

  2257. static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)

  2258. 	{

  2259. 	int tlsext_servername = 0;

  2260. 	int renegotiate_seen = 0;

  2261. 	CBS extensions;

  2262. 

  2263. #ifndef OPENSSL_NO_NEXTPROTONEG

  2264. 	s->s3->next_proto_neg_seen = 0;

  2265. #endif

  2266. 

  2267.         s->tlsext_ticket_expected = 0;

  2268. 

  2269. 	if (s->s3->alpn_selected)

  2270. 		{

  2271. 		OPENSSL_free(s->s3->alpn_selected);

  2272. 		s->s3->alpn_selected = NULL;

  2273. 		}

  2274. 

  2275. 	/* There may be no extensions. */

  2276. 	if (CBS_len(cbs) == 0)

  2277. 		{

  2278. 		goto ri_check;

  2279. 		}

  2280. 

  2281. 	/* Decode the extensions block and check it is valid. */

  2282. 	if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||

  2283. 		!tls1_check_duplicate_extensions(&extensions))

  2284. 		{

  2285. 		*out_alert = SSL_AD_DECODE_ERROR;

  2286. 		return 0;

  2287. 		}

  2288. 

  2289. 	while (CBS_len(&extensions) != 0)

  2290. 		{

  2291. 		uint16_t type;

  2292. 		CBS extension;

  2293. 

  2294. 		/* Decode the next extension. */

  2295. 		if (!CBS_get_u16(&extensions, &type) ||

  2296. 			!CBS_get_u16_length_prefixed(&extensions, &extension))

  2297. 			{

  2298. 			*out_alert = SSL_AD_DECODE_ERROR;

  2299. 			return 0;

  2300. 			}

  2301. 

  2302. 		if (s->tlsext_debug_cb)

  2303. 			{

  2304. 			s->tlsext_debug_cb(s, 1, type, (unsigned char*)CBS_data(&extension),

  2305. 				CBS_len(&extension), s->tlsext_debug_arg);

  2306. 			}

  2307. 

  2308. 		if (type == TLSEXT_TYPE_server_name)

  2309. 			{

  2310. 			/* The extension must be empty. */

  2311. 			if (CBS_len(&extension) != 0)

  2312. 				{

  2313. 				*out_alert = SSL_AD_DECODE_ERROR;

  2314. 				return 0;

  2315. 				}

  2316. 			/* We must have sent it in ClientHello. */

  2317. 			if (s->tlsext_hostname == NULL)

  2318. 				{

  2319. 				*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  2320. 				return 0;

  2321. 				}

  2322. 			tlsext_servername = 1;

  2323. 			}

  2324. #ifndef OPENSSL_NO_EC

  2325. 		else if (type == TLSEXT_TYPE_ec_point_formats)

  2326. 			{

  2327. 			CBS ec_point_format_list;

  2328. 

  2329. 			if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||

  2330. 				CBS_len(&extension) != 0)

  2331. 				{

  2332. 				*out_alert = SSL_AD_DECODE_ERROR;

  2333. 				return 0;

  2334. 				}

  2335. 

  2336. 			if (!CBS_stow(&ec_point_format_list,

  2337. 					&s->session->tlsext_ecpointformatlist,

  2338. 					&s->session->tlsext_ecpointformatlist_length))

  2339. 				{

  2340. 				*out_alert = SSL_AD_INTERNAL_ERROR;

  2341. 				return 0;

  2342. 				}

  2343. 			}

  2344. #endif /* OPENSSL_NO_EC */

  2345. 		else if (type == TLSEXT_TYPE_session_ticket)

  2346. 			{

  2347. 			if (s->tls_session_ticket_ext_cb &&

  2348. 				!s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension),

  2349.                                         s->tls_session_ticket_ext_cb_arg))

  2350. 				{

  2351. 				*out_alert = SSL_AD_INTERNAL_ERROR;

  2352. 				return 0;

  2353. 				}

  2354. 

  2355. 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || CBS_len(&extension) > 0)

  2356. 				{

  2357. 				*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  2358. 				return 0;

  2359. 				}

  2360. 

  2361. 			s->tlsext_ticket_expected = 1;

  2362. 			}

  2363. 		else if (type == TLSEXT_TYPE_status_request)

  2364. 			{

  2365. 			/* The extension MUST be empty and may only sent if

  2366. 			 * we've requested a status request message. */

  2367. 			if (CBS_len(&extension) != 0)

  2368. 				{

  2369. 				*out_alert = SSL_AD_DECODE_ERROR;

  2370. 				return 0;

  2371. 				}

  2372. 			if (s->tlsext_status_type == -1)

  2373. 				{

  2374. 				*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  2375. 				return 0;

  2376. 				}

  2377. 			/* Set a flag to expect a CertificateStatus message */

  2378. 			s->tlsext_status_expected = 1;

  2379. 			}

  2380. #ifndef OPENSSL_NO_NEXTPROTONEG

  2381. 		else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) {

  2382. 		unsigned char *selected;

  2383. 		unsigned char selected_len;

  2384. 

  2385. 		/* We must have requested it. */

  2386. 		if (s->ctx->next_proto_select_cb == NULL)

  2387. 			{

  2388. 			*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  2389. 			return 0;

  2390. 			}

  2391. 

  2392. 		/* The data must be valid. */

  2393. 		if (!ssl_next_proto_validate(&extension))

  2394. 			{

  2395. 			*out_alert = SSL_AD_DECODE_ERROR;

  2396. 			return 0;

  2397. 			}

  2398. 

  2399. 		if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,

  2400. 				CBS_data(&extension), CBS_len(&extension),

  2401. 				s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)

  2402. 			{

  2403. 			*out_alert = SSL_AD_INTERNAL_ERROR;

  2404. 			return 0;

  2405. 			}

  2406. 

  2407. 		s->next_proto_negotiated = BUF_memdup(selected, selected_len);

  2408. 		if (s->next_proto_negotiated == NULL)

  2409. 			{

  2410. 			*out_alert = SSL_AD_INTERNAL_ERROR;

  2411. 			return 0;

  2412. 			}

  2413. 		s->next_proto_negotiated_len = selected_len;

  2414. 		s->s3->next_proto_neg_seen = 1;

  2415. 		}

  2416. #endif

  2417. 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)

  2418. 			{

  2419. 			CBS protocol_name_list, protocol_name;

  2420. 

  2421. 			/* We must have requested it. */

  2422. 			if (s->alpn_client_proto_list == NULL)

  2423. 				{

  2424. 				*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  2425. 				return 0;

  2426. 				}

  2427. 

  2428. 			/* The extension data consists of a ProtocolNameList

  2429. 			 * which must have exactly one ProtocolName. Each of

  2430. 			 * these is length-prefixed. */

  2431. 			if (!CBS_get_u16_length_prefixed(&extension, &protocol_name_list) ||

  2432. 				CBS_len(&extension) != 0 ||

  2433. 				!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||

  2434. 				CBS_len(&protocol_name_list) != 0)

  2435. 				{

  2436. 				*out_alert = SSL_AD_DECODE_ERROR;

  2437. 				return 0;

  2438. 				}

  2439. 

  2440. 			if (!CBS_stow(&protocol_name,

  2441. 					&s->s3->alpn_selected,

  2442. 					&s->s3->alpn_selected_len))

  2443. 				{

  2444. 				*out_alert = SSL_AD_INTERNAL_ERROR;

  2445. 				return 0;

  2446. 				}

  2447. 			}

  2448. 

  2449. 		else if (type == TLSEXT_TYPE_channel_id)

  2450. 			{

  2451. 			if (CBS_len(&extension) != 0)

  2452. 				{

  2453. 				*out_alert = SSL_AD_DECODE_ERROR;

  2454. 				return 0;

  2455. 				}

  2456. 			s->s3->tlsext_channel_id_valid = 1;

  2457. 			}

  2458. 		else if (type == TLSEXT_TYPE_channel_id_new)

  2459. 			{

  2460. 			if (CBS_len(&extension) != 0)

  2461. 				{

  2462. 				*out_alert = SSL_AD_DECODE_ERROR;

  2463. 				return 0;

  2464. 				}

  2465. 			s->s3->tlsext_channel_id_valid = 1;

  2466. 			s->s3->tlsext_channel_id_new = 1;

  2467. 			}

  2468. 

  2469. 		else if (type == TLSEXT_TYPE_renegotiate)

  2470. 			{

  2471. 			if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert))

  2472. 				return 0;

  2473. 			renegotiate_seen = 1;

  2474. 			}

  2475. 		else if (type == TLSEXT_TYPE_use_srtp)

  2476.                         {

  2477.                         if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert))

  2478.                                 return 0;

  2479.                         }

  2480. 		}

  2481. 

  2482. 	if (!s->hit && tlsext_servername == 1)

  2483. 		{

  2484.  		if (s->tlsext_hostname)

  2485. 			{

  2486. 			if (s->session->tlsext_hostname == NULL)

  2487. 				{

  2488. 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);	

  2489. 				if (!s->session->tlsext_hostname)

  2490. 					{

  2491. 					*out_alert = SSL_AD_UNRECOGNIZED_NAME;

  2492. 					return 0;

  2493. 					}

  2494. 				}

  2495. 			else 

  2496. 				{

  2497. 				*out_alert = SSL_AD_DECODE_ERROR;

  2498. 				return 0;

  2499. 				}

  2500. 			}

  2501. 		}

  2502. 

  2503. 	ri_check:

  2504. 

  2505. 	/* Determine if we need to see RI. Strictly speaking if we want to

  2506. 	 * avoid an attack we should *always* see RI even on initial server

  2507. 	 * hello because the client doesn't see any renegotiation during an

  2508. 	 * attack. However this would mean we could not connect to any server

  2509. 	 * which doesn't support RI so for the immediate future tolerate RI

  2510. 	 * absence on initial connect only.

  2511. 	 */

  2512. 	if (!renegotiate_seen

  2513. 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)

  2514. 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))

  2515. 		{

  2516. 		*out_alert = SSL_AD_HANDSHAKE_FAILURE;

  2517. 		OPENSSL_PUT_ERROR(SSL, ssl_scan_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

  2518. 		return 0;

  2519. 		}

  2520. 

  2521. 	return 1;

  2522. 	}

  2523. 

  2524. 

  2525. int ssl_prepare_clienthello_tlsext(SSL *s)

  2526. 	{

  2527. 	return 1;

  2528. 	}

  2529. 

  2530. int ssl_prepare_serverhello_tlsext(SSL *s)

  2531. 	{

  2532. 	return 1;

  2533. 	}

  2534. 

  2535. static int ssl_check_clienthello_tlsext_early(SSL *s)

  2536. 	{

  2537. 	int ret=SSL_TLSEXT_ERR_NOACK;

  2538. 	int al = SSL_AD_UNRECOGNIZED_NAME;

  2539. 

  2540. #ifndef OPENSSL_NO_EC

  2541. 	/* The handling of the ECPointFormats extension is done elsewhere, namely in 

  2542. 	 * ssl3_choose_cipher in s3_lib.c.

  2543. 	 */

  2544. 	/* The handling of the EllipticCurves extension is done elsewhere, namely in 

  2545. 	 * ssl3_choose_cipher in s3_lib.c.

  2546. 	 */

  2547. #endif

  2548. 

  2549. 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 

  2550. 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);

  2551. 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 		

  2552. 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

  2553. 

  2554. 	switch (ret)

  2555. 		{

  2556. 		case SSL_TLSEXT_ERR_ALERT_FATAL:

  2557. 			ssl3_send_alert(s,SSL3_AL_FATAL,al); 

  2558. 			return -1;

  2559. 

  2560. 		case SSL_TLSEXT_ERR_ALERT_WARNING:

  2561. 			ssl3_send_alert(s,SSL3_AL_WARNING,al);

  2562. 			return 1; 

  2563. 					

  2564. 		case SSL_TLSEXT_ERR_NOACK:

  2565. 			s->servername_done=0;

  2566. 			default:

  2567. 		return 1;

  2568. 		}

  2569. 	}

  2570. 

  2571. int ssl_check_clienthello_tlsext_late(SSL *s)

  2572. 	{

  2573. 	int ret = SSL_TLSEXT_ERR_OK;

  2574. 	int al;

  2575. 

  2576. 	/* If status request then ask callback what to do.

  2577.  	 * Note: this must be called after servername callbacks in case

  2578.  	 * the certificate has changed, and must be called after the cipher

  2579. 	 * has been chosen because this may influence which certificate is sent

  2580.  	 */

  2581. 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)

  2582. 		{

  2583. 		int r;

  2584. 		CERT_PKEY *certpkey;

  2585. 		certpkey = ssl_get_server_send_pkey(s);

  2586. 		/* If no certificate can't return certificate status */

  2587. 		if (certpkey == NULL)

  2588. 			{

  2589. 			s->tlsext_status_expected = 0;

  2590. 			return 1;

  2591. 			}

  2592. 		/* Set current certificate to one we will use so

  2593. 		 * SSL_get_certificate et al can pick it up.

  2594. 		 */

  2595. 		s->cert->key = certpkey;

  2596. 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);

  2597. 		switch (r)

  2598. 			{

  2599. 			/* We don't want to send a status request response */

  2600. 			case SSL_TLSEXT_ERR_NOACK:

  2601. 				s->tlsext_status_expected = 0;

  2602. 				break;

  2603. 			/* status request response should be sent */

  2604. 			case SSL_TLSEXT_ERR_OK:

  2605. 				if (s->tlsext_ocsp_resp)

  2606. 					s->tlsext_status_expected = 1;

  2607. 				else

  2608. 					s->tlsext_status_expected = 0;

  2609. 				break;

  2610. 			/* something bad happened */

  2611. 			case SSL_TLSEXT_ERR_ALERT_FATAL:

  2612. 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;

  2613. 				al = SSL_AD_INTERNAL_ERROR;

  2614. 				goto err;

  2615. 			}

  2616. 		}

  2617. 	else

  2618. 		s->tlsext_status_expected = 0;

  2619. 

  2620.  err:

  2621. 	switch (ret)

  2622. 		{

  2623. 		case SSL_TLSEXT_ERR_ALERT_FATAL:

  2624. 			ssl3_send_alert(s, SSL3_AL_FATAL, al);

  2625. 			return -1;

  2626. 

  2627. 		case SSL_TLSEXT_ERR_ALERT_WARNING:

  2628. 			ssl3_send_alert(s, SSL3_AL_WARNING, al);

  2629. 			return 1; 

  2630. 

  2631. 		default:

  2632. 			return 1;

  2633. 		}

  2634. 	}

  2635. 

  2636. int ssl_check_serverhello_tlsext(SSL *s)

  2637. 	{

  2638. 	int ret=SSL_TLSEXT_ERR_NOACK;

  2639. 	int al = SSL_AD_UNRECOGNIZED_NAME;

  2640. 

  2641. #ifndef OPENSSL_NO_EC

  2642. 	/* If we are client and using an elliptic curve cryptography cipher

  2643. 	 * suite, then if server returns an EC point formats lists extension

  2644. 	 * it must contain uncompressed.

  2645. 	 */

  2646. 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

  2647. 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;

  2648. 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 

  2649. 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 

  2650. 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))

  2651. 		{

  2652. 		/* we are using an ECC cipher */

  2653. 		size_t i;

  2654. 		unsigned char *list;

  2655. 		int found_uncompressed = 0;

  2656. 		list = s->session->tlsext_ecpointformatlist;

  2657. 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)

  2658. 			{

  2659. 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)

  2660. 				{

  2661. 				found_uncompressed = 1;

  2662. 				break;

  2663. 				}

  2664. 			}

  2665. 		if (!found_uncompressed)

  2666. 			{

  2667. 			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);

  2668. 			return -1;

  2669. 			}

  2670. 		}

  2671. 	ret = SSL_TLSEXT_ERR_OK;

  2672. #endif /* OPENSSL_NO_EC */

  2673. 

  2674. 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 

  2675. 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);

  2676. 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 		

  2677. 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

  2678. 

  2679. 	/* If we've requested certificate status and we wont get one

  2680.  	 * tell the callback

  2681.  	 */

  2682. 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)

  2683. 			&& s->ctx && s->ctx->tlsext_status_cb)

  2684. 		{

  2685. 		int r;

  2686. 		/* Set resp to NULL, resplen to -1 so callback knows

  2687.  		 * there is no response.

  2688.  		 */

  2689. 		if (s->tlsext_ocsp_resp)

  2690. 			{

  2691. 			OPENSSL_free(s->tlsext_ocsp_resp);

  2692. 			s->tlsext_ocsp_resp = NULL;

  2693. 			}

  2694. 		s->tlsext_ocsp_resplen = -1;

  2695. 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);

  2696. 		if (r == 0)

  2697. 			{

  2698. 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;

  2699. 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;

  2700. 			}

  2701. 		if (r < 0)

  2702. 			{

  2703. 			al = SSL_AD_INTERNAL_ERROR;

  2704. 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;

  2705. 			}

  2706. 		}

  2707. 

  2708. 	switch (ret)

  2709. 		{

  2710. 		case SSL_TLSEXT_ERR_ALERT_FATAL:

  2711. 			ssl3_send_alert(s,SSL3_AL_FATAL,al); 

  2712. 			return -1;

  2713. 

  2714. 		case SSL_TLSEXT_ERR_ALERT_WARNING:

  2715. 			ssl3_send_alert(s,SSL3_AL_WARNING,al);

  2716. 			return 1; 

  2717. 					

  2718. 		case SSL_TLSEXT_ERR_NOACK:

  2719. 			s->servername_done=0;

  2720. 			default:

  2721. 		return 1;

  2722. 		}

  2723. 	}

  2724. 

  2725. int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs)

  2726. 	{

  2727. 	int alert = -1;

  2728. 	if (s->version < SSL3_VERSION)

  2729. 		return 1;

  2730. 

  2731. 	if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0)

  2732. 		{

  2733. 		ssl3_send_alert(s, SSL3_AL_FATAL, alert);

  2734. 		return 0;

  2735. 		}

  2736. 

  2737. 	if (ssl_check_serverhello_tlsext(s) <= 0)

  2738. 		{

  2739. 		OPENSSL_PUT_ERROR(SSL, ssl_parse_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);

  2740. 		return 0;

  2741. 		}

  2742. 

  2743. 	return 1;

  2744. 	}

  2745. 

  2746. /* Since the server cache lookup is done early on in the processing of the

  2747.  * ClientHello, and other operations depend on the result, we need to handle

  2748.  * any TLS session ticket extension at the same time.

  2749.  *

  2750.  *   ctx: contains the early callback context, which is the result of a

  2751.  *       shallow parse of the ClientHello.

  2752.  *   ret: (output) on return, if a ticket was decrypted, then this is set to

  2753.  *       point to the resulting session.

  2754.  *

  2755.  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key

  2756.  * ciphersuite, in which case we have no use for session tickets and one will

  2757.  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.

  2758.  *

  2759.  * Returns:

  2760.  *   -1: fatal error, either from parsing or decrypting the ticket.

  2761.  *    0: no ticket was found (or was ignored, based on settings).

  2762.  *    1: a zero length extension was found, indicating that the client supports

  2763.  *       session tickets but doesn't currently have one to offer.

  2764.  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but

  2765.  *       couldn't be decrypted because of a non-fatal error.

  2766.  *    3: a ticket was successfully decrypted and *ret was set.

  2767.  *

  2768.  * Side effects:

  2769.  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue

  2770.  *   a new session ticket to the client because the client indicated support

  2771.  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have

  2772.  *   a session ticket or we couldn't use the one it gave us, or if

  2773.  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.

  2774.  *   Otherwise, s->tlsext_ticket_expected is set to 0.

  2775.  */

  2776. int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,

  2777. 			SSL_SESSION **ret)

  2778. 	{

  2779. 	*ret = NULL;

  2780. 	s->tlsext_ticket_expected = 0;

  2781. 	const unsigned char *data;

  2782. 	size_t len;

  2783. 	int r;

  2784. 

  2785. 	/* If tickets disabled behave as if no ticket present

  2786. 	 * to permit stateful resumption.

  2787. 	 */

  2788. 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)

  2789. 		return 0;

  2790. 	if ((s->version <= SSL3_VERSION) && !ctx->extensions)

  2791. 		return 0;

  2792. 	if (!SSL_early_callback_ctx_extension_get(

  2793. 		ctx, TLSEXT_TYPE_session_ticket, &data, &len))

  2794. 		{

  2795. 		return 0;

  2796. 		}

  2797. 	if (len == 0)

  2798. 		{

  2799. 		/* The client will accept a ticket but doesn't

  2800. 		 * currently have one. */

  2801. 		s->tlsext_ticket_expected = 1;

  2802. 		return 1;

  2803. 		}

  2804. 	if (s->tls_session_secret_cb)

  2805. 		{

  2806. 		/* Indicate that the ticket couldn't be

  2807. 		 * decrypted rather than generating the session

  2808. 		 * from ticket now, trigger abbreviated

  2809. 		 * handshake based on external mechanism to

  2810. 		 * calculate the master secret later. */

  2811. 		return 2;

  2812. 		}

  2813. 	r = tls_decrypt_ticket(s, data, len, ctx->session_id,

  2814. 			       ctx->session_id_len, ret);

  2815. 	switch (r)

  2816. 		{

  2817. 		case 2: /* ticket couldn't be decrypted */

  2818. 			s->tlsext_ticket_expected = 1;

  2819. 			return 2;

  2820. 		case 3: /* ticket was decrypted */

  2821. 			return r;

  2822. 		case 4: /* ticket decrypted but need to renew */

  2823. 			s->tlsext_ticket_expected = 1;

  2824. 			return 3;

  2825. 		default: /* fatal error */

  2826. 			return -1;

  2827. 		}

  2828. 	}

  2829. 

  2830. /* tls_decrypt_ticket attempts to decrypt a session ticket.

  2831.  *

  2832.  *   etick: points to the body of the session ticket extension.

  2833.  *   eticklen: the length of the session tickets extenion.

  2834.  *   sess_id: points at the session ID.

  2835.  *   sesslen: the length of the session ID.

  2836.  *   psess: (output) on return, if a ticket was decrypted, then this is set to

  2837.  *       point to the resulting session.

  2838.  *

  2839.  * Returns:

  2840.  *   -1: fatal error, either from parsing or decrypting the ticket.

  2841.  *    2: the ticket couldn't be decrypted.

  2842.  *    3: a ticket was successfully decrypted and *psess was set.

  2843.  *    4: same as 3, but the ticket needs to be renewed.

  2844.  */

  2845. static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,

  2846. 				const unsigned char *sess_id, int sesslen,

  2847. 				SSL_SESSION **psess)

  2848. 	{

  2849. 	SSL_SESSION *sess;

  2850. 	unsigned char *sdec;

  2851. 	const unsigned char *p;

  2852. 	int slen, mlen, renew_ticket = 0;

  2853. 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];

  2854. 	HMAC_CTX hctx;

  2855. 	EVP_CIPHER_CTX ctx;

  2856. 	SSL_CTX *tctx = s->initial_ctx;

  2857. 	/* Need at least keyname + iv + some encrypted data */

  2858. 	if (eticklen < 48)

  2859. 		return 2;

  2860. 	/* Initialize session ticket encryption and HMAC contexts */

  2861. 	HMAC_CTX_init(&hctx);

  2862. 	EVP_CIPHER_CTX_init(&ctx);

  2863. 	if (tctx->tlsext_ticket_key_cb)

  2864. 		{

  2865. 		unsigned char *nctick = (unsigned char *)etick;

  2866. 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,

  2867. 							&ctx, &hctx, 0);

  2868. 		if (rv < 0)

  2869. 			return -1;

  2870. 		if (rv == 0)

  2871. 			return 2;

  2872. 		if (rv == 2)

  2873. 			renew_ticket = 1;

  2874. 		}

  2875. 	else

  2876. 		{

  2877. 		/* Check key name matches */

  2878. 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))

  2879. 			return 2;

  2880. 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,

  2881. 					tlsext_tick_md(), NULL);

  2882. 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,

  2883. 				tctx->tlsext_tick_aes_key, etick + 16);

  2884. 		}

  2885. 	/* Attempt to process session ticket, first conduct sanity and

  2886. 	 * integrity checks on ticket.

  2887. 	 */

  2888. 	mlen = HMAC_size(&hctx);

  2889. 	if (mlen < 0)

  2890. 		{

  2891. 		EVP_CIPHER_CTX_cleanup(&ctx);

  2892. 		return -1;

  2893. 		}

  2894. 	eticklen -= mlen;

  2895. 	/* Check HMAC of encrypted ticket */

  2896. 	HMAC_Update(&hctx, etick, eticklen);

  2897. 	HMAC_Final(&hctx, tick_hmac, NULL);

  2898. 	HMAC_CTX_cleanup(&hctx);

  2899. 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))

  2900. 		return 2;

  2901. 	/* Attempt to decrypt session data */

  2902. 	/* Move p after IV to start of encrypted ticket, update length */

  2903. 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);

  2904. 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);

  2905. 	sdec = OPENSSL_malloc(eticklen);

  2906. 	if (!sdec)

  2907. 		{

  2908. 		EVP_CIPHER_CTX_cleanup(&ctx);

  2909. 		return -1;

  2910. 		}

  2911. 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);

  2912. 	if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)

  2913. 		return 2;

  2914. 	slen += mlen;

  2915. 	EVP_CIPHER_CTX_cleanup(&ctx);

  2916. 	p = sdec;

  2917. 

  2918. 	sess = d2i_SSL_SESSION(NULL, &p, slen);

  2919. 	OPENSSL_free(sdec);

  2920. 	if (sess)

  2921. 		{

  2922. 		/* The session ID, if non-empty, is used by some clients to

  2923. 		 * detect that the ticket has been accepted. So we copy it to

  2924. 		 * the session structure. If it is empty set length to zero

  2925. 		 * as required by standard.

  2926. 		 */

  2927. 		if (sesslen)

  2928. 			memcpy(sess->session_id, sess_id, sesslen);

  2929. 		sess->session_id_length = sesslen;

  2930. 		*psess = sess;

  2931. 		if (renew_ticket)

  2932. 			return 4;

  2933. 		else

  2934. 			return 3;

  2935. 		}

  2936.         ERR_clear_error();

  2937. 	/* For session parse failure, indicate that we need to send a new

  2938. 	 * ticket. */

  2939. 	return 2;

  2940. 	}

  2941. 

  2942. /* Tables to translate from NIDs to TLS v1.2 ids */

  2943. 

  2944. typedef struct 

  2945. 	{

  2946. 	int nid;

  2947. 	int id;

  2948. 	} tls12_lookup;

  2949. 

  2950. static tls12_lookup tls12_md[] = {

  2951. 	{NID_md5, TLSEXT_hash_md5},

  2952. 	{NID_sha1, TLSEXT_hash_sha1},

  2953. 	{NID_sha224, TLSEXT_hash_sha224},

  2954. 	{NID_sha256, TLSEXT_hash_sha256},

  2955. 	{NID_sha384, TLSEXT_hash_sha384},

  2956. 	{NID_sha512, TLSEXT_hash_sha512}

  2957. };

  2958. 

  2959. static tls12_lookup tls12_sig[] = {

  2960. 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},

  2961. 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},

  2962. 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}

  2963. };

  2964. 

  2965. static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)

  2966. 	{

  2967. 	size_t i;

  2968. 	for (i = 0; i < tlen; i++)

  2969. 		{

  2970. 		if (table[i].nid == nid)

  2971. 			return table[i].id;

  2972. 		}

  2973. 	return -1;

  2974. 	}

  2975. 

  2976. static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)

  2977. 	{

  2978. 	size_t i;

  2979. 	for (i = 0; i < tlen; i++)

  2980. 		{

  2981. 		if ((table[i].id) == id)

  2982. 			return table[i].nid;

  2983. 		}

  2984. 	return NID_undef;

  2985. 	}

  2986. 

  2987. int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)

  2988. 	{

  2989. 	int sig_id, md_id;

  2990. 	if (!md)

  2991. 		return 0;

  2992. 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,

  2993. 				sizeof(tls12_md)/sizeof(tls12_lookup));

  2994. 	if (md_id == -1)

  2995. 		return 0;

  2996. 	sig_id = tls12_get_sigid(pk);

  2997. 	if (sig_id == -1)

  2998. 		return 0;

  2999. 	p[0] = (unsigned char)md_id;

  3000. 	p[1] = (unsigned char)sig_id;

  3001. 	return 1;

  3002. 	}

  3003. 

  3004. int tls12_get_sigid(const EVP_PKEY *pk)

  3005. 	{

  3006. 	return tls12_find_id(pk->type, tls12_sig,

  3007. 				sizeof(tls12_sig)/sizeof(tls12_lookup));

  3008. 	}

  3009. 

  3010. const EVP_MD *tls12_get_hash(unsigned char hash_alg)

  3011. 	{

  3012. 	switch(hash_alg)

  3013. 		{

  3014. #ifndef OPENSSL_NO_MD5

  3015. 		case TLSEXT_hash_md5:

  3016. 		return EVP_md5();

  3017. #endif

  3018. #ifndef OPENSSL_NO_SHA

  3019. 		case TLSEXT_hash_sha1:

  3020. 		return EVP_sha1();

  3021. #endif

  3022. #ifndef OPENSSL_NO_SHA256

  3023. 		case TLSEXT_hash_sha224:

  3024. 		return EVP_sha224();

  3025. 

  3026. 		case TLSEXT_hash_sha256:

  3027. 		return EVP_sha256();

  3028. #endif

  3029. #ifndef OPENSSL_NO_SHA512

  3030. 		case TLSEXT_hash_sha384:

  3031. 		return EVP_sha384();

  3032. 

  3033. 		case TLSEXT_hash_sha512:

  3034. 		return EVP_sha512();

  3035. #endif

  3036. 		default:

  3037. 		return NULL;

  3038. 

  3039. 		}

  3040. 	}

  3041. 

  3042. static int tls12_get_pkey_idx(unsigned char sig_alg)

  3043. 	{

  3044. 	switch(sig_alg)

  3045. 		{

  3046. 	case TLSEXT_signature_rsa:

  3047. 		return SSL_PKEY_RSA_SIGN;

  3048. #ifndef OPENSSL_NO_DSA

  3049. 	case TLSEXT_signature_dsa:

  3050. 		return SSL_PKEY_DSA_SIGN;

  3051. #endif

  3052. #ifndef OPENSSL_NO_ECDSA

  3053. 	case TLSEXT_signature_ecdsa:

  3054. 		return SSL_PKEY_ECC;

  3055. #endif

  3056. 		}

  3057. 	return -1;

  3058. 	}

  3059. 

  3060. /* Convert TLS 1.2 signature algorithm extension values into NIDs */

  3061. static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,

  3062. 			int *psignhash_nid, const unsigned char *data)

  3063. 	{

  3064. 	int sign_nid = 0, hash_nid = 0;

  3065. 	if (!phash_nid && !psign_nid && !psignhash_nid)

  3066. 		return;

  3067. 	if (phash_nid || psignhash_nid)

  3068. 		{

  3069. 		hash_nid = tls12_find_nid(data[0], tls12_md,

  3070. 					sizeof(tls12_md)/sizeof(tls12_lookup));

  3071. 		if (phash_nid)

  3072. 			*phash_nid = hash_nid;

  3073. 		}

  3074. 	if (psign_nid || psignhash_nid)

  3075. 		{

  3076. 		sign_nid = tls12_find_nid(data[1], tls12_sig,

  3077. 					sizeof(tls12_sig)/sizeof(tls12_lookup));

  3078. 		if (psign_nid)

  3079. 			*psign_nid = sign_nid;

  3080. 		}

  3081. 	if (psignhash_nid)

  3082. 		{

  3083. 		if (sign_nid && hash_nid)

  3084. 			OBJ_find_sigid_by_algs(psignhash_nid,

  3085. 							hash_nid, sign_nid);

  3086. 		else

  3087. 			*psignhash_nid = NID_undef;

  3088. 		}

  3089. 	}

  3090. /* Given preference and allowed sigalgs set shared sigalgs */

  3091. static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,

  3092. 				const unsigned char *pref, size_t preflen,

  3093. 				const unsigned char *allow, size_t allowlen)

  3094. 	{

  3095. 	const unsigned char *ptmp, *atmp;

  3096. 	size_t i, j, nmatch = 0;

  3097. 	for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)

  3098. 		{

  3099. 		/* Skip disabled hashes or signature algorithms */

  3100. 		if (tls12_get_hash(ptmp[0]) == NULL)

  3101. 			continue;

  3102. 		if (tls12_get_pkey_idx(ptmp[1]) == -1)

  3103. 			continue;

  3104. 		for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)

  3105. 			{

  3106. 			if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])

  3107. 				{

  3108. 				nmatch++;

  3109. 				if (shsig)

  3110. 					{

  3111. 					shsig->rhash = ptmp[0];

  3112. 					shsig->rsign = ptmp[1];

  3113. 					tls1_lookup_sigalg(&shsig->hash_nid,

  3114. 						&shsig->sign_nid,

  3115. 						&shsig->signandhash_nid,

  3116. 						ptmp);

  3117. 					shsig++;

  3118. 					}

  3119. 				break;

  3120. 				}

  3121. 			}

  3122. 		}

  3123. 	return nmatch;

  3124. 	}

  3125. 

  3126. /* Set shared signature algorithms for SSL structures */

  3127. static int tls1_set_shared_sigalgs(SSL *s)

  3128. 	{

  3129. 	const unsigned char *pref, *allow, *conf;

  3130. 	size_t preflen, allowlen, conflen;

  3131. 	size_t nmatch;

  3132. 	TLS_SIGALGS *salgs = NULL;

  3133. 	CERT *c = s->cert;

  3134. 	unsigned int is_suiteb = tls1_suiteb(s);

  3135. 	if (c->shared_sigalgs)

  3136. 		{

  3137. 		OPENSSL_free(c->shared_sigalgs);

  3138. 		c->shared_sigalgs = NULL;

  3139. 		}

  3140. 	/* If client use client signature algorithms if not NULL */

  3141. 	if (!s->server && c->client_sigalgs && !is_suiteb)

  3142. 		{

  3143. 		conf = c->client_sigalgs;

  3144. 		conflen = c->client_sigalgslen;

  3145. 		}

  3146. 	else if (c->conf_sigalgs && !is_suiteb)

  3147. 		{

  3148. 		conf = c->conf_sigalgs;

  3149. 		conflen = c->conf_sigalgslen;

  3150. 		}

  3151. 	else

  3152. 		conflen = tls12_get_psigalgs(s, &conf);

  3153. 	if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)

  3154. 		{

  3155. 		pref = conf;

  3156. 		preflen = conflen;

  3157. 		allow = c->peer_sigalgs;

  3158. 		allowlen = c->peer_sigalgslen;

  3159. 		}

  3160. 	else

  3161. 		{

  3162. 		allow = conf;

  3163. 		allowlen = conflen;

  3164. 		pref = c->peer_sigalgs;

  3165. 		preflen = c->peer_sigalgslen;

  3166. 		}

  3167. 	nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);

  3168. 	if (!nmatch)

  3169. 		return 1;

  3170. 	salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));

  3171. 	if (!salgs)

  3172. 		return 0;

  3173. 	nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);

  3174. 	c->shared_sigalgs = salgs;

  3175. 	c->shared_sigalgslen = nmatch;

  3176. 	return 1;

  3177. 	}

  3178. 		

  3179. 

  3180. /* Set preferred digest for each key type */

  3181. 

  3182. int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)

  3183. 	{

  3184. 	int idx;

  3185. 	size_t i;

  3186. 	const EVP_MD *md;

  3187. 	CERT *c = s->cert;

  3188. 	TLS_SIGALGS *sigptr;

  3189. 	/* Extension ignored for inappropriate versions */

  3190. 	if (!SSL_USE_SIGALGS(s))

  3191. 		return 1;

  3192. 	/* Length must be even */

  3193. 	if (dsize % 2 != 0)

  3194. 		return 0;

  3195. 	/* Should never happen */

  3196. 	if (!c)

  3197. 		return 0;

  3198. 

  3199. 	if (c->peer_sigalgs)

  3200. 		OPENSSL_free(c->peer_sigalgs);

  3201. 	c->peer_sigalgs = OPENSSL_malloc(dsize);

  3202. 	if (!c->peer_sigalgs)

  3203. 		return 0;

  3204. 	c->peer_sigalgslen = dsize;

  3205. 	memcpy(c->peer_sigalgs, data, dsize);

  3206. 

  3207. 	tls1_set_shared_sigalgs(s);

  3208. 

  3209. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

  3210. 	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)

  3211. 		{

  3212. 		/* Use first set signature preference to force message

  3213. 		 * digest, ignoring any peer preferences.

  3214. 		 */

  3215. 		const unsigned char *sigs = NULL;

  3216. 		if (s->server)

  3217. 			sigs = c->conf_sigalgs;

  3218. 		else

  3219. 			sigs = c->client_sigalgs;

  3220. 		if (sigs)

  3221. 			{

  3222. 			idx = tls12_get_pkey_idx(sigs[1]);

  3223. 			md = tls12_get_hash(sigs[0]);

  3224. 			c->pkeys[idx].digest = md;

  3225. 			c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;

  3226. 			if (idx == SSL_PKEY_RSA_SIGN)

  3227. 				{

  3228. 				c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;

  3229. 				c->pkeys[SSL_PKEY_RSA_ENC].digest = md;

  3230. 				}

  3231. 			}

  3232. 		}

  3233. #endif

  3234. 

  3235. 	for (i = 0, sigptr = c->shared_sigalgs;

  3236. 			i < c->shared_sigalgslen; i++, sigptr++)

  3237. 		{

  3238. 		idx = tls12_get_pkey_idx(sigptr->rsign);

  3239. 		if (idx > 0 && c->pkeys[idx].digest == NULL)

  3240. 			{

  3241. 			md = tls12_get_hash(sigptr->rhash);

  3242. 			c->pkeys[idx].digest = md;

  3243. 			c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;

  3244. 			if (idx == SSL_PKEY_RSA_SIGN)

  3245. 				{

  3246. 				c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;

  3247. 				c->pkeys[SSL_PKEY_RSA_ENC].digest = md;

  3248. 				}

  3249. 			}

  3250. 

  3251. 		}

  3252. 	/* In strict mode leave unset digests as NULL to indicate we can't

  3253. 	 * use the certificate for signing.

  3254. 	 */

  3255. 	if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))

  3256. 		{

  3257. 		/* Set any remaining keys to default values. NOTE: if alg is

  3258. 		 * not supported it stays as NULL.

  3259. 	 	 */

  3260. #ifndef OPENSSL_NO_DSA

  3261. 		if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)

  3262. 			c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();

  3263. #endif

  3264. 		if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)

  3265. 			{

  3266. 			c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();

  3267. 			c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();

  3268. 			}

  3269. #ifndef OPENSSL_NO_ECDSA

  3270. 		if (!c->pkeys[SSL_PKEY_ECC].digest)

  3271. 			c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();

  3272. #endif

  3273. 		}

  3274. 	return 1;

  3275. 	}

  3276. 

  3277. 

  3278. int SSL_get_sigalgs(SSL *s, int idx,

  3279. 			int *psign, int *phash, int *psignhash,

  3280. 			unsigned char *rsig, unsigned char *rhash)

  3281. 	{

  3282. 	const unsigned char *psig = s->cert->peer_sigalgs;

  3283. 	if (psig == NULL)

  3284. 		return 0;

  3285. 	if (idx >= 0)

  3286. 		{

  3287. 		idx <<= 1;

  3288. 		if (idx >= (int)s->cert->peer_sigalgslen)

  3289. 			return 0;

  3290. 		psig += idx;

  3291. 		if (rhash)

  3292. 			*rhash = psig[0];

  3293. 		if (rsig)

  3294. 			*rsig = psig[1];

  3295. 		tls1_lookup_sigalg(phash, psign, psignhash, psig);

  3296. 		}

  3297. 	return s->cert->peer_sigalgslen / 2;

  3298. 	}

  3299. 

  3300. int SSL_get_shared_sigalgs(SSL *s, int idx,

  3301. 			int *psign, int *phash, int *psignhash,

  3302. 			unsigned char *rsig, unsigned char *rhash)

  3303. 	{

  3304. 	TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;

  3305. 	if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)

  3306. 		return 0;

  3307. 	shsigalgs += idx;

  3308. 	if (phash)

  3309. 		*phash = shsigalgs->hash_nid;

  3310. 	if (psign)

  3311. 		*psign = shsigalgs->sign_nid;

  3312. 	if (psignhash)

  3313. 		*psignhash = shsigalgs->signandhash_nid;

  3314. 	if (rsig)

  3315. 		*rsig = shsigalgs->rsign;

  3316. 	if (rhash)

  3317. 		*rhash = shsigalgs->rhash;

  3318. 	return s->cert->shared_sigalgslen;

  3319. 	}

  3320. 	

  3321. /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given

  3322.  * SSL connection and writes it to |md|. */

  3323. int

  3324. tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)

  3325. 	{

  3326. 	EVP_MD_CTX ctx;

  3327. 	unsigned char temp_digest[EVP_MAX_MD_SIZE];

  3328. 	unsigned temp_digest_len;

  3329. 	int i;

  3330. 	static const char kClientIDMagic[] = "TLS Channel ID signature";

  3331. 

  3332. 	if (s->s3->handshake_buffer)

  3333. 		if (!ssl3_digest_cached_records(s))

  3334. 			return 0;

  3335. 

  3336. 	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));

  3337. 

  3338. 	if (s->hit && s->s3->tlsext_channel_id_new)

  3339. 		{

  3340. 		static const char kResumptionMagic[] = "Resumption";

  3341. 		EVP_DigestUpdate(md, kResumptionMagic,

  3342. 				 sizeof(kResumptionMagic));

  3343. 		if (s->session->original_handshake_hash_len == 0)

  3344. 			return 0;

  3345. 		EVP_DigestUpdate(md, s->session->original_handshake_hash,

  3346. 				 s->session->original_handshake_hash_len);

  3347. 		}

  3348. 

  3349. 	EVP_MD_CTX_init(&ctx);

  3350. 	for (i = 0; i < SSL_MAX_DIGEST; i++)

  3351. 		{

  3352. 		if (s->s3->handshake_dgst[i] == NULL)

  3353. 			continue;

  3354. 		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);

  3355. 		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);

  3356. 		EVP_DigestUpdate(md, temp_digest, temp_digest_len);

  3357. 		}

  3358. 	EVP_MD_CTX_cleanup(&ctx);

  3359. 

  3360. 	return 1;

  3361. 	}

  3362. 

  3363. /* tls1_record_handshake_hashes_for_channel_id records the current handshake

  3364.  * hashes in |s->session| so that Channel ID resumptions can sign that data. */

  3365. int tls1_record_handshake_hashes_for_channel_id(SSL *s)

  3366. 	{

  3367. 	int digest_len;

  3368. 	/* This function should never be called for a resumed session because

  3369. 	 * the handshake hashes that we wish to record are for the original,

  3370. 	 * full handshake. */

  3371. 	if (s->hit)

  3372. 		return -1;

  3373. 	/* It only makes sense to call this function if Channel IDs have been

  3374. 	 * negotiated. */

  3375. 	if (!s->s3->tlsext_channel_id_new)

  3376. 		return -1;

  3377. 

  3378. 	digest_len = tls1_handshake_digest(

  3379. 		s, s->session->original_handshake_hash,

  3380. 		sizeof(s->session->original_handshake_hash));

  3381. 	if (digest_len < 0)

  3382. 		return -1;

  3383. 

  3384. 	s->session->original_handshake_hash_len = digest_len;

  3385. 

  3386. 	return 1;

  3387. 	}

  3388. 

  3389. /* TODO(fork): remove */

  3390. #if 0

  3391. #define MAX_SIGALGLEN	(TLSEXT_hash_num * TLSEXT_signature_num * 2)

  3392. 

  3393. typedef struct

  3394. 	{

  3395. 	size_t sigalgcnt;

  3396. 	int sigalgs[MAX_SIGALGLEN];

  3397. 	} sig_cb_st;

  3398. 

  3399. static int sig_cb(const char *elem, int len, void *arg)

  3400. 	{

  3401. 	sig_cb_st *sarg = arg;

  3402. 	size_t i;

  3403. 	char etmp[20], *p;

  3404. 	int sig_alg, hash_alg;

  3405. 	if (sarg->sigalgcnt == MAX_SIGALGLEN)

  3406. 		return 0;

  3407. 	if (len > (int)(sizeof(etmp) - 1))

  3408. 		return 0;

  3409. 	memcpy(etmp, elem, len);

  3410. 	etmp[len] = 0;

  3411. 	p = strchr(etmp, '+');

  3412. 	if (!p)

  3413. 		return 0;

  3414. 	*p = 0;

  3415. 	p++;

  3416. 	if (!*p)

  3417. 		return 0;

  3418. 

  3419. 	if (!strcmp(etmp, "RSA"))

  3420. 		sig_alg = EVP_PKEY_RSA;

  3421. 	else if (!strcmp(etmp, "DSA"))

  3422. 		sig_alg = EVP_PKEY_DSA;

  3423. 	else if (!strcmp(etmp, "ECDSA"))

  3424. 		sig_alg = EVP_PKEY_EC;

  3425. 	else return 0;

  3426. 

  3427. 	hash_alg = OBJ_sn2nid(p);

  3428. 	if (hash_alg == NID_undef)

  3429. 		hash_alg = OBJ_ln2nid(p);

  3430. 	if (hash_alg == NID_undef)

  3431. 		return 0;

  3432. 

  3433. 	for (i = 0; i < sarg->sigalgcnt; i+=2)

  3434. 		{

  3435. 		if (sarg->sigalgs[i] == sig_alg

  3436. 			&& sarg->sigalgs[i + 1] == hash_alg)

  3437. 			return 0;

  3438. 		}

  3439. 	sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;

  3440. 	sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;

  3441. 	return 1;

  3442. 	}

  3443. 

  3444. /* Set suppored signature algorithms based on a colon separated list

  3445.  * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */

  3446. int tls1_set_sigalgs_list(CERT *c, const char *str, int client)

  3447. 	{

  3448. 	sig_cb_st sig;

  3449. 	sig.sigalgcnt = 0;

  3450. 	if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))

  3451. 		return 0;

  3452. 	if (c == NULL)

  3453. 		return 1;

  3454. 	return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);

  3455. 	}

  3456. #endif

  3457. 

  3458. int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)

  3459. 	{

  3460. 	unsigned char *sigalgs, *sptr;

  3461. 	int rhash, rsign;

  3462. 	size_t i;

  3463. 	if (salglen & 1)

  3464. 		return 0;

  3465. 	sigalgs = OPENSSL_malloc(salglen);

  3466. 	if (sigalgs == NULL)

  3467. 		return 0;

  3468. 	for (i = 0, sptr = sigalgs; i < salglen; i+=2)

  3469. 		{

  3470. 		rhash = tls12_find_id(*psig_nids++, tls12_md,

  3471. 					sizeof(tls12_md)/sizeof(tls12_lookup));

  3472. 		rsign = tls12_find_id(*psig_nids++, tls12_sig,

  3473. 				sizeof(tls12_sig)/sizeof(tls12_lookup));

  3474. 

  3475. 		if (rhash == -1 || rsign == -1)

  3476. 			goto err;

  3477. 		*sptr++ = rhash;

  3478. 		*sptr++ = rsign;

  3479. 		}

  3480. 

  3481. 	if (client)

  3482. 		{

  3483. 		if (c->client_sigalgs)

  3484. 			OPENSSL_free(c->client_sigalgs);

  3485. 		c->client_sigalgs = sigalgs;

  3486. 		c->client_sigalgslen = salglen;

  3487. 		}

  3488. 	else

  3489. 		{

  3490. 		if (c->conf_sigalgs)

  3491. 			OPENSSL_free(c->conf_sigalgs);

  3492. 		c->conf_sigalgs = sigalgs;

  3493. 		c->conf_sigalgslen = salglen;

  3494. 		}

  3495. 

  3496. 	return 1;

  3497. 

  3498. 	err:

  3499. 	OPENSSL_free(sigalgs);

  3500. 	return 0;

  3501. 	}

  3502. 

  3503. static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)

  3504. 	{

  3505. 	int sig_nid;

  3506. 	size_t i;

  3507. 	if (default_nid == -1)

  3508. 		return 1;

  3509. 	sig_nid = X509_get_signature_nid(x);

  3510. 	if (default_nid)

  3511. 		return sig_nid == default_nid ? 1 : 0;

  3512. 	for (i = 0; i < c->shared_sigalgslen; i++)

  3513. 		if (sig_nid == c->shared_sigalgs[i].signandhash_nid)

  3514. 			return 1;

  3515. 	return 0;

  3516. 	}

  3517. /* Check to see if a certificate issuer name matches list of CA names */

  3518. static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)

  3519. 	{

  3520. 	X509_NAME *nm;

  3521. 	int i;

  3522. 	nm = X509_get_issuer_name(x);

  3523. 	for (i = 0; i < sk_X509_NAME_num(names); i++)

  3524. 		{

  3525. 		if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))

  3526. 			return 1;

  3527. 		}

  3528. 	return 0;

  3529. 	}

  3530. 

  3531. /* Check certificate chain is consistent with TLS extensions and is

  3532.  * usable by server. This servers two purposes: it allows users to 

  3533.  * check chains before passing them to the server and it allows the

  3534.  * server to check chains before attempting to use them.

  3535.  */

  3536. 

  3537. /* Flags which need to be set for a certificate when stict mode not set */

  3538. 

  3539. #define CERT_PKEY_VALID_FLAGS \

  3540. 	(CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)

  3541. /* Strict mode flags */

  3542. #define CERT_PKEY_STRICT_FLAGS \

  3543. 	 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \

  3544. 	 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)

  3545. 

  3546. int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,

  3547. 									int idx)

  3548. 	{

  3549. 	int i;

  3550. 	int rv = 0;

  3551. 	int check_flags = 0, strict_mode;

  3552. 	CERT_PKEY *cpk = NULL;

  3553. 	CERT *c = s->cert;

  3554. 	unsigned int suiteb_flags = tls1_suiteb(s);

  3555. 	/* idx == -1 means checking server chains */

  3556. 	if (idx != -1)

  3557. 		{

  3558. 		/* idx == -2 means checking client certificate chains */

  3559. 		if (idx == -2)

  3560. 			{

  3561. 			cpk = c->key;

  3562. 			idx = cpk - c->pkeys;

  3563. 			}

  3564. 		else

  3565. 			cpk = c->pkeys + idx;

  3566. 		x = cpk->x509;

  3567. 		pk = cpk->privatekey;

  3568. 		chain = cpk->chain;

  3569. 		strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;

  3570. 		/* If no cert or key, forget it */

  3571. 		if (!x || !pk)

  3572. 			goto end;

  3573. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

  3574. 		/* Allow any certificate to pass test */

  3575. 		if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)

  3576. 			{

  3577. 			rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;

  3578. 			cpk->valid_flags = rv;

  3579. 			return rv;

  3580. 			}

  3581. #endif

  3582. 		}

  3583. 	else

  3584. 		{

  3585. 		if (!x || !pk)

  3586. 			goto end;

  3587. 		idx = ssl_cert_type(x, pk);

  3588. 		if (idx == -1)

  3589. 			goto end;

  3590. 		cpk = c->pkeys + idx;

  3591. 		if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)

  3592. 			check_flags = CERT_PKEY_STRICT_FLAGS;

  3593. 		else

  3594. 			check_flags = CERT_PKEY_VALID_FLAGS;

  3595. 		strict_mode = 1;

  3596. 		}

  3597. 

  3598. 	if (suiteb_flags)

  3599. 		{

  3600. 		int ok;

  3601. 		if (check_flags)

  3602. 			check_flags |= CERT_PKEY_SUITEB;

  3603. 		ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);

  3604. 		if (ok != X509_V_OK)

  3605. 			{

  3606. 			if (check_flags)

  3607. 				rv |= CERT_PKEY_SUITEB;

  3608. 			else

  3609. 				goto end;

  3610. 			}

  3611. 		}

  3612. 

  3613. 	/* Check all signature algorithms are consistent with

  3614. 	 * signature algorithms extension if TLS 1.2 or later

  3615. 	 * and strict mode.

  3616. 	 */

  3617. 	if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)

  3618. 		{

  3619. 		int default_nid;

  3620. 		unsigned char rsign = 0;

  3621. 		if (c->peer_sigalgs)

  3622. 			default_nid = 0;

  3623. 		/* If no sigalgs extension use defaults from RFC5246 */

  3624. 		else

  3625. 			{

  3626. 			switch(idx)

  3627. 				{	

  3628. 			case SSL_PKEY_RSA_ENC:

  3629. 			case SSL_PKEY_RSA_SIGN:

  3630. 			case SSL_PKEY_DH_RSA:

  3631. 				rsign = TLSEXT_signature_rsa;

  3632. 				default_nid = NID_sha1WithRSAEncryption;

  3633. 				break;

  3634. 

  3635. 			case SSL_PKEY_DSA_SIGN:

  3636. 			case SSL_PKEY_DH_DSA:

  3637. 				rsign = TLSEXT_signature_dsa;

  3638. 				default_nid = NID_dsaWithSHA1;

  3639. 				break;

  3640. 

  3641. 			case SSL_PKEY_ECC:

  3642. 				rsign = TLSEXT_signature_ecdsa;

  3643. 				default_nid = NID_ecdsa_with_SHA1;

  3644. 				break;

  3645. 

  3646. 			default:

  3647. 				default_nid = -1;

  3648. 				break;

  3649. 				}

  3650. 			}

  3651. 		/* If peer sent no signature algorithms extension and we

  3652. 		 * have set preferred signature algorithms check we support

  3653. 		 * sha1.

  3654. 		 */

  3655. 		if (default_nid > 0 && c->conf_sigalgs)

  3656. 			{

  3657. 			size_t j;

  3658. 			const unsigned char *p = c->conf_sigalgs;

  3659. 			for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)

  3660. 				{

  3661. 				if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)

  3662. 					break;

  3663. 				}

  3664. 			if (j == c->conf_sigalgslen)

  3665. 				{

  3666. 				if (check_flags)

  3667. 					goto skip_sigs;

  3668. 				else

  3669. 					goto end;

  3670. 				}

  3671. 			}

  3672. 		/* Check signature algorithm of each cert in chain */

  3673. 		if (!tls1_check_sig_alg(c, x, default_nid))

  3674. 			{

  3675. 			if (!check_flags) goto end;

  3676. 			}

  3677. 		else

  3678. 			rv |= CERT_PKEY_EE_SIGNATURE;

  3679. 		rv |= CERT_PKEY_CA_SIGNATURE;

  3680. 		for (i = 0; i < sk_X509_num(chain); i++)

  3681. 			{

  3682. 			if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),

  3683. 							default_nid))

  3684. 				{

  3685. 				if (check_flags)

  3686. 					{

  3687. 					rv &= ~CERT_PKEY_CA_SIGNATURE;

  3688. 					break;

  3689. 					}

  3690. 				else

  3691. 					goto end;

  3692. 				}

  3693. 			}

  3694. 		}

  3695. 	/* Else not TLS 1.2, so mark EE and CA signing algorithms OK */

  3696. 	else if(check_flags)

  3697. 		rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;

  3698. 	skip_sigs:

  3699. 	/* Check cert parameters are consistent */

  3700. 	if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))

  3701. 		rv |= CERT_PKEY_EE_PARAM;

  3702. 	else if (!check_flags)

  3703. 		goto end;

  3704. 	if (!s->server)

  3705. 		rv |= CERT_PKEY_CA_PARAM;

  3706. 	/* In strict mode check rest of chain too */

  3707. 	else if (strict_mode)

  3708. 		{

  3709. 		rv |= CERT_PKEY_CA_PARAM;

  3710. 		for (i = 0; i < sk_X509_num(chain); i++)

  3711. 			{

  3712. 			X509 *ca = sk_X509_value(chain, i);

  3713. 			if (!tls1_check_cert_param(s, ca, 0))

  3714. 				{

  3715. 				if (check_flags)

  3716. 					{

  3717. 					rv &= ~CERT_PKEY_CA_PARAM;

  3718. 					break;

  3719. 					}

  3720. 				else

  3721. 					goto end;

  3722. 				}

  3723. 			}

  3724. 		}

  3725. 	if (!s->server && strict_mode)

  3726. 		{

  3727. 		STACK_OF(X509_NAME) *ca_dn;

  3728. 		uint8_t check_type = 0;

  3729. 		switch (pk->type)

  3730. 			{

  3731. 		case EVP_PKEY_RSA:

  3732. 			check_type = TLS_CT_RSA_SIGN;

  3733. 			break;

  3734. 		case EVP_PKEY_DSA:

  3735. 			check_type = TLS_CT_DSS_SIGN;

  3736. 			break;

  3737. 		case EVP_PKEY_EC:

  3738. 			check_type = TLS_CT_ECDSA_SIGN;

  3739. 			break;

  3740. 		case EVP_PKEY_DH:

  3741. 		case EVP_PKEY_DHX:

  3742. 				{

  3743. 				int cert_type = X509_certificate_type(x, pk);

  3744. 				if (cert_type & EVP_PKS_RSA)

  3745. 					check_type = TLS_CT_RSA_FIXED_DH;

  3746. 				if (cert_type & EVP_PKS_DSA)

  3747. 					check_type = TLS_CT_DSS_FIXED_DH;

  3748. 				}

  3749. 			}

  3750. 		if (check_type)

  3751. 			{

  3752. 			if (s->s3->tmp.certificate_types &&

  3753. 				memchr(s->s3->tmp.certificate_types, check_type, s->s3->tmp.num_certificate_types))

  3754. 				{

  3755. 					rv |= CERT_PKEY_CERT_TYPE;

  3756. 				}

  3757. 			if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)

  3758. 				goto end;

  3759. 			}

  3760. 		else

  3761. 			rv |= CERT_PKEY_CERT_TYPE;

  3762. 

  3763. 

  3764. 		ca_dn = s->s3->tmp.ca_names;

  3765. 

  3766. 		if (!sk_X509_NAME_num(ca_dn))

  3767. 			rv |= CERT_PKEY_ISSUER_NAME;

  3768. 

  3769. 		if (!(rv & CERT_PKEY_ISSUER_NAME))

  3770. 			{

  3771. 			if (ssl_check_ca_name(ca_dn, x))

  3772. 				rv |= CERT_PKEY_ISSUER_NAME;

  3773. 			}

  3774. 		if (!(rv & CERT_PKEY_ISSUER_NAME))

  3775. 			{

  3776. 			for (i = 0; i < sk_X509_num(chain); i++)

  3777. 				{

  3778. 				X509 *xtmp = sk_X509_value(chain, i);

  3779. 				if (ssl_check_ca_name(ca_dn, xtmp))

  3780. 					{

  3781. 					rv |= CERT_PKEY_ISSUER_NAME;

  3782. 					break;

  3783. 					}

  3784. 				}

  3785. 			}

  3786. 		if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))

  3787. 			goto end;

  3788. 		}

  3789. 	else

  3790. 		rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;

  3791. 

  3792. 	if (!check_flags || (rv & check_flags) == check_flags)

  3793. 		rv |= CERT_PKEY_VALID;

  3794. 

  3795. 	end:

  3796. 

  3797. 	if (TLS1_get_version(s) >= TLS1_2_VERSION)

  3798. 		{

  3799. 		if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)

  3800. 			rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;

  3801. 		else if (cpk->digest)

  3802. 			rv |= CERT_PKEY_SIGN;

  3803. 		}

  3804. 	else

  3805. 		rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;

  3806. 

  3807. 	/* When checking a CERT_PKEY structure all flags are irrelevant

  3808. 	 * if the chain is invalid.

  3809. 	 */

  3810. 	if (!check_flags)

  3811. 		{

  3812. 		if (rv & CERT_PKEY_VALID)

  3813. 			cpk->valid_flags = rv;

  3814. 		else

  3815. 			{

  3816. 			/* Preserve explicit sign flag, clear rest */

  3817. 			cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;

  3818. 			return 0;

  3819. 			}

  3820. 		}

  3821. 	return rv;

  3822. 	}

  3823. 

  3824. /* Set validity of certificates in an SSL structure */

  3825. void tls1_set_cert_validity(SSL *s)

  3826. 	{

  3827. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);

  3828. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);

  3829. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);

  3830. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);

  3831. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);

  3832. 	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);

  3833. 	}

  3834. /* User level utiity function to check a chain is suitable */

  3835. int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)

  3836. 	{

  3837. 	return tls1_check_chain(s, x, pk, chain, -1);

  3838. 	}