195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * All rights reserved. 395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * This package is an SSL implementation written 595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * by Eric Young (eay@cryptsoft.com). 695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * The implementation was written so as to conform with Netscapes SSL. 795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * This library is free for commercial and non-commercial use as long as 995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the following conditions are aheared to. The following conditions 1095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * apply to all code found in this distribution, be it the RC4, RSA, 1195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * included with this distribution is covered by the same copyright terms 1395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 1595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Copyright remains Eric Young's, and as such any Copyright notices in 1695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the code are not to be removed. 1795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * If this package is used in a product, Eric Young should be given attribution 1895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * as the author of the parts of the library used. 
1995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * This can be in the form of a textual message at program startup or 2095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * in documentation (online or textual) provided with the package. 2195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 2295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Redistribution and use in source and binary forms, with or without 2395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * modification, are permitted provided that the following conditions 2495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * are met: 2595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 1. Redistributions of source code must retain the copyright 2695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * notice, this list of conditions and the following disclaimer. 2795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 2. Redistributions in binary form must reproduce the above copyright 2895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * notice, this list of conditions and the following disclaimer in the 2995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * documentation and/or other materials provided with the distribution. 3095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 3. All advertising materials mentioning features or use of this software 3195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * must display the following acknowledgement: 3295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * "This product includes cryptographic software written by 3395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Eric Young (eay@cryptsoft.com)" 3495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * The word 'cryptographic' can be left out if the rouines from the library 3595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * being used are not cryptographic related :-). 3695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 4. 
If you include any Windows specific code (or a derivative thereof) from 3795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the apps directory (application code) you must include an acknowledgement: 3895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 3995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 4095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 4995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * SUCH DAMAGE. 
5195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 5295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * The licence and distribution terms for any publically available version or 5395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * derivative of this code cannot be changed. i.e. this code cannot simply be 5495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * copied and put under another distribution licence 5595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * [including the GNU Public Licence.] 5695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 5795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* ==================================================================== 5895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 5995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 6095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Redistribution and use in source and binary forms, with or without 6195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * modification, are permitted provided that the following conditions 6295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * are met: 6395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 6495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 1. Redistributions of source code must retain the above copyright 6595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * notice, this list of conditions and the following disclaimer. 6695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 6795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 2. Redistributions in binary form must reproduce the above copyright 6895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * notice, this list of conditions and the following disclaimer in 6995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the documentation and/or other materials provided with the 7095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * distribution. 
7195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 7295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 3. All advertising materials mentioning features or use of this 7395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * software must display the following acknowledgment: 7495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * "This product includes software developed by the OpenSSL Project 7595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 7795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * endorse or promote products derived from this software without 7995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * prior written permission. For written permission, please contact 8095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * openssl-core@openssl.org. 8195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 8295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 5. Products derived from this software may not be called "OpenSSL" 8395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * nor may "OpenSSL" appear in their names without prior written 8495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * permission of the OpenSSL Project. 8595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 8695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 6. 
Redistributions of any form whatsoever must retain the following 8795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * acknowledgment: 8895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * "This product includes software developed by the OpenSSL Project 8995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 9195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 9995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * OF THE POSSIBILITY OF SUCH DAMAGE. 
10395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * ==================================================================== 10495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 10595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * This product includes cryptographic software written by Eric Young 10695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * (eay@cryptsoft.com). This product includes software written by Tim 10795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Hudson (tjh@cryptsoft.com). */ 10895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 10995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <stdio.h> 11035a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin#include <stdlib.h> 11195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <assert.h> 11295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 11303973096f416e694b676160ca481553bb44738ebDavid Benjamin#include <openssl/bytestring.h> 11495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <openssl/evp.h> 11595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <openssl/hmac.h> 11695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <openssl/mem.h> 11795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <openssl/obj.h> 11895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include <openssl/rand.h> 11995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 12095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#include "ssl_locl.h" 12195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleystatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 12295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *sess_id, int sesslen, 12395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley SSL_SESSION **psess); 1246c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjaminstatic int ssl_check_clienthello_tlsext(SSL *s); 1256c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjaminstatic int ssl_check_serverhello_tlsext(SSL *s); 

/* Method table used for TLS 1.0. Entries are positional. The slot that holds
 * SSL_ENC_FLAG_* bits in the TLS 1.1 and 1.2 tables is 0 here, so none of
 * those flags are set for this version. */
SSL3_ENC_METHOD TLSv1_enc_data = {
	tls1_enc,
	tls1_mac,
	tls1_setup_key_block,
	tls1_generate_master_secret,
	tls1_change_cipher_state,
	tls1_final_finish_mac,
	TLS1_FINISH_MAC_LENGTH,
	tls1_cert_verify_mac,
	TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
	TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
	tls1_alert_code,
	tls1_export_keying_material,
	0,
	SSL3_HM_HEADER_LENGTH,
	ssl3_set_handshake_header,
	ssl3_handshake_write
};

/* Method table used for TLS 1.1. Same callbacks as the TLS 1.0 table; the only
 * difference is that SSL_ENC_FLAG_EXPLICIT_IV is set. */
SSL3_ENC_METHOD TLSv1_1_enc_data = {
	tls1_enc,
	tls1_mac,
	tls1_setup_key_block,
	tls1_generate_master_secret,
	tls1_change_cipher_state,
	tls1_final_finish_mac,
	TLS1_FINISH_MAC_LENGTH,
	tls1_cert_verify_mac,
	TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
	TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
	tls1_alert_code,
	tls1_export_keying_material,
	SSL_ENC_FLAG_EXPLICIT_IV,
	SSL3_HM_HEADER_LENGTH,
	ssl3_set_handshake_header,
	ssl3_handshake_write
};

/* Method table used for TLS 1.2. Same callbacks again; the flags add
 * signature-algorithm negotiation, the SHA-256 PRF and the TLS 1.2-only
 * cipher suites on top of explicit IVs. */
SSL3_ENC_METHOD TLSv1_2_enc_data = {
	tls1_enc,
	tls1_mac,
	tls1_setup_key_block,
	tls1_generate_master_secret,
	tls1_change_cipher_state,
	tls1_final_finish_mac,
	TLS1_FINISH_MAC_LENGTH,
	tls1_cert_verify_mac,
	TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
	TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
	tls1_alert_code,
	tls1_export_keying_material,
	SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF |
		SSL_ENC_FLAG_TLS1_2_CIPHERS,
	SSL3_HM_HEADER_LENGTH,
	ssl3_set_handshake_header,
	ssl3_handshake_write
};

/* qsort() comparator ordering two uint16_t values ascending.
 * Returns -1, 0 or 1. Comparing rather than subtracting keeps the result
 * independent of integer promotion and truncation. */
static int compare_uint16_t(const void *p1, const void *p2)
{
	const uint16_t lhs = *(const uint16_t *)p1;
	const uint16_t rhs = *(const uint16_t *)p2;

	return (lhs > rhs) - (lhs < rhs);
}

/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, a ClientHello or
 * ServerHello may not carry more than one extension of the same type. This
 * function scans the extensions block up front and rejects such input.
 *
 * |cbs| is copied, never advanced, so the caller's view is left untouched.
 *
 * Returns 1 if the block parses cleanly as a sequence of
 * (u16 type, u16-length-prefixed body) entries with no repeated type, and 0
 * on a malformed block, a duplicate type, or allocation failure. An empty
 * block is accepted. */
static int tls1_check_duplicate_extensions(const CBS *cbs)
{
	CBS scan = *cbs;
	size_t count = 0;
	size_t idx;
	uint16_t *types = NULL;
	int ok = 0;

	/* First pass: count the extensions. Each entry consumes at least four
	 * bytes, so |count| is bounded by the length of the input. */
	while (CBS_len(&scan) > 0) {
		uint16_t type;
		CBS body;

		if (!CBS_get_u16(&scan, &type) ||
		    !CBS_get_u16_length_prefixed(&scan, &body)) {
			/* Truncated or malformed entry; nothing is allocated yet. */
			return 0;
		}
		count++;
	}

	/* No extensions means no duplicates, and avoids a zero-size allocation. */
	if (count == 0) {
		return 1;
	}

	types = (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * count);
	if (types == NULL) {
		OPENSSL_PUT_ERROR(SSL, tls1_check_duplicate_extensions, ERR_R_MALLOC_FAILURE);
		goto done;
	}

	/* Second pass: re-read the same bytes, recording each extension type. */
	scan = *cbs;
	for (idx = 0; idx < count; idx++) {
		CBS body;

		if (!CBS_get_u16(&scan, &types[idx]) ||
		    !CBS_get_u16_length_prefixed(&scan, &body)) {
			/* The first pass parsed this input, so this is not expected. */
			goto done;
		}
	}
	/* Internal invariant only: this check disappears when NDEBUG is defined,
	 * so it must not be treated as input validation. */
	assert(CBS_len(&scan) == 0);

	/* After sorting, any duplicate types end up adjacent. */
	qsort(types, count, sizeof(uint16_t), compare_uint16_t);
	for (idx = 1; idx < count; idx++) {
		if (types[idx] == types[idx - 1]) {
			goto done;
		}
	}

	ok = 1;

done:
	if (types != NULL) {
		OPENSSL_free(types);
	}
	return ok;
}

/* Parses the ClientHello in |ctx->client_hello| and fills in the session_id,
 * cipher_suites, compression_methods and extensions fields of |ctx|.
 *
 * The stored pointers come from CBS_data() on views of the ClientHello buffer;
 * nothing is copied, so they are only valid while that buffer is.
 *
 * Returns 1 on success and 0 if the message is malformed. On a 0 return some
 * fields of |ctx| may already have been written, so callers must not use them. */
char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)
{
	CBS hello, sid, suites, compression, exts;

	CBS_init(&hello, ctx->client_hello, ctx->client_hello_len);

	/* The client version (2 bytes) and client nonce (32 bytes) are skipped. */
	if (!CBS_skip(&hello, 2) || !CBS_skip(&hello, 32)) {
		return 0;
	}

	/* session_id: one-byte length prefix. */
	if (!CBS_get_u8_length_prefixed(&hello, &sid)) {
		return 0;
	}
	ctx->session_id = CBS_data(&sid);
	ctx->session_id_len = CBS_len(&sid);

	/* DTLS carries a cookie between session_id and cipher_suites; it is
	 * parsed for bounds and otherwise ignored. */
	if (SSL_IS_DTLS(ctx->ssl)) {
		CBS cookie;

		if (!CBS_get_u8_length_prefixed(&hello, &cookie)) {
			return 0;
		}
	}

	/* cipher_suites: non-empty and a whole number of 2-byte entries. */
	if (!CBS_get_u16_length_prefixed(&hello, &suites)) {
		return 0;
	}
	if (CBS_len(&suites) < 2 || (CBS_len(&suites) % 2) != 0) {
		return 0;
	}
	ctx->cipher_suites = CBS_data(&suites);
	ctx->cipher_suites_len = CBS_len(&suites);

	/* compression_methods: at least one entry is required. */
	if (!CBS_get_u8_length_prefixed(&hello, &compression)) {
		return 0;
	}
	if (CBS_len(&compression) < 1) {
		return 0;
	}
	ctx->compression_methods = CBS_data(&compression);
	ctx->compression_methods_len = CBS_len(&compression);

	/* A ClientHello that ends here is valid but has no extensions
	 * (e.g. SSLv3). */
	if (CBS_len(&hello) == 0) {
		ctx->extensions = NULL;
		ctx->extensions_len = 0;
		return 1;
	}

	/* The extensions block must parse, contain no duplicate types, and be
	 * the last thing in the message; trailing bytes are rejected. */
	if (!CBS_get_u16_length_prefixed(&hello, &exts) ||
	    !tls1_check_duplicate_extensions(&exts) ||
	    CBS_len(&hello) != 0) {
		return 0;
	}
	ctx->extensions = CBS_data(&exts);
	ctx->extensions_len = CBS_len(&exts);

	return 1;
}

/* Looks up the first extension of type |extension_type| in |ctx->extensions|.
 *
 * On a match, |*out_data| and |*out_len| describe the extension body and 1 is
 * returned. |*out_data| comes from CBS_data() on a view of |ctx->extensions|;
 * nothing is copied. Returns 0, leaving the outputs unwritten, if the
 * extension is absent or the block fails to parse. */
char
SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
				     uint16_t extension_type,
				     const unsigned char **out_data,
				     size_t *out_len)
{
	CBS remaining;

	CBS_init(&remaining, ctx->extensions, ctx->extensions_len);

	while (CBS_len(&remaining) > 0) {
		uint16_t type;
		CBS body;

		/* Decode the next (type, length-prefixed body) entry. */
		if (!CBS_get_u16(&remaining, &type) ||
		    !CBS_get_u16_length_prefixed(&remaining, &body)) {
			return 0;
		}

		if (type != extension_type) {
			continue;
		}

		*out_data = CBS_data(&body);
		*out_len = CBS_len(&body);
		return 1;
	}

	return 0;
}


static const int nid_list[] =
	{
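		NID_sect163k1, /* sect163k1 (1) */
		NID_sect163r1, /* sect163r1 (2) */
		NID_sect163r2, /* sect163r2 (3) */
		NID_sect193r1, /* sect193r1 (4) */
		NID_sect193r2, /* sect193r2 (5) */
		NID_sect233k1, /* sect233k1 (6) */
		NID_sect233r1, /* sect233r1 (7) */
		NID_sect239k1, /* sect239k1 (8) */
		NID_sect283k1, /* sect283k1 (9) */
		NID_sect283r1, /* sect283r1 (10) */
		NID_sect409k1, /* sect409k1 (11) */
		NID_sect409r1, /* sect409r1 (12) */
		NID_sect571k1, /* sect571k1 (13) */
		NID_sect571r1, /* sect571r1 (14) */
		NID_secp160k1, /* secp160k1 (15) */
		NID_secp160r1, /* secp160r1 (16) */
		NID_secp160r2, /* secp160r2 (17) */
		NID_secp192k1, /* secp192k1 (18) */
		NID_X9_62_prime192v1, /* secp192r1 (19) */
		NID_secp224k1, /* secp224k1 (20) */
		NID_secp224r1, /* secp224r1 (21) */
		NID_secp256k1, /* secp256k1 (22) */
		NID_X9_62_prime256v1, /* secp256r1 (23) */
		NID_secp384r1, /* secp384r1 (24) */
		NID_secp521r1,  /* secp521r1 (25) */
		NID_brainpoolP256r1,  /* brainpoolP256r1 (26) */
		NID_brainpoolP384r1,  /* brainpoolP384r1 (27) */
		NID_brainpoolP512r1  /* brainpoolP512r1 (28) */
	};

/* ecformats_default is the point format list used by tls1_get_formatlist when
 * no custom list is configured: uncompressed points only. */
static const uint8_t ecformats_default[] =
	{
	TLSEXT_ECPOINTFORMAT_uncompressed,
	};

/* eccurves_default is the curve ID list used by tls1_get_curvelist when no
 * list is configured on the SSL. Entries are TLS curve IDs, not NIDs. */
static const uint16_t eccurves_default[] =
	{
		23, /* secp256r1 (23) */
		24, /* secp384r1 (24) */
		25, /* secp521r1 (25) */
	};

/* tls1_ec_curve_id2nid returns the NID stored in |nid_list| for the TLS curve
 * ID |curve_id|, or NID_undef when |curve_id| is zero or larger than the
 * table. NID_undef is the sentinel the callers in this file test for. */
int tls1_ec_curve_id2nid(uint16_t curve_id)
	{
	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
	const size_t num_curves = sizeof(nid_list) / sizeof(nid_list[0]);

	/* The range check must come before the lookup: |curve_id| may be taken
	 * from a peer-supplied curve list (see tls1_get_shared_curve), so an
	 * unchecked value would index outside |nid_list|. */
	if (curve_id < 1 || curve_id > num_curves)
		return NID_undef;
	/* Curve IDs are 1-based, the table is 0-based. */
	return nid_list[curve_id - 1];
	}

/* tls1_ec_nid2curve_id returns the TLS curve ID whose |nid_list| entry equals
 * |nid|, or zero when |nid| is not in the table. */
uint16_t tls1_ec_nid2curve_id(int nid)
	{
	const size_t num_curves = sizeof(nid_list) / sizeof(nid_list[0]);
	size_t i;

	for (i = 0; i < num_curves; i++)
		{
		/* nid_list[i] stores the NID corresponding to curve ID i+1. */
		if (nid_list[i] == nid)
			return (uint16_t)(i + 1);
		}
	/* Use 0 for non-existent curve ID. Note: this assumes that curve ID 0
	 * will never be allocated. */
	return 0;
	}

/* tls1_get_curvelist sets |*out_curve_ids| and |*out_curve_ids_len| to the list
 * of allowed curve IDs. If |get_client_curves| is non-zero, return the client
 * curve list. Otherwise, return the preferred list.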
 */
static void tls1_get_curvelist(SSL *s, int get_client_curves,
	const uint16_t **out_curve_ids, size_t *out_curve_ids_len)
{
	const uint16_t *ids;
	size_t ids_len;

	if (get_client_curves) {
		/* The client's list is kept on the session. It is returned
		 * as stored, even when it is NULL. */
		ids = s->session->tlsext_ellipticcurvelist;
		ids_len = s->session->tlsext_ellipticcurvelist_length;
	} else {
		ids = s->tlsext_ellipticcurvelist;
		ids_len = s->tlsext_ellipticcurvelist_length;
		if (!ids) {
			/* Nothing configured on |s|: use the built-in list. */
			ids = eccurves_default;
			ids_len = sizeof(eccurves_default) / sizeof(eccurves_default[0]);
		}
	}

	*out_curve_ids = ids;
	*out_curve_ids_len = ids_len;
}

/* tls1_check_curve reads a curve type byte and a 16-bit curve ID from |cbs|.
 * It returns one and writes the ID to |*out_curve_id| only when the type is
 * NAMED_CURVE_TYPE and the ID appears in the preferred list of |s|. Otherwise
 * it returns zero and leaves |*out_curve_id| untouched. */
int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id)
{
	uint8_t param_type;
	uint16_t wire_id;
	const uint16_t *allowed;
	size_t allowed_len, idx;

	/* Only support named curves. */
	if (!CBS_get_u8(cbs, &param_type))
		return 0;
	if (param_type != NAMED_CURVE_TYPE)
		return 0;
	if (!CBS_get_u16(cbs, &wire_id))
		return 0;

	/* The parsed ID is accepted only if it is on our own list, so a value
	 * outside that list never reaches the caller. */
	tls1_get_curvelist(s, 0, &allowed, &allowed_len);
	for (idx = 0; idx < allowed_len; idx++) {
		if (allowed[idx] == wire_id) {
			*out_curve_id = wire_id;
			return 1;
		}
	}
	return 0;
}

/* tls1_get_shared_curve returns the NID of the first curve in the preference
 * list that also appears in the other side's list, or NID_undef when there is
 * none or when |s| is not a server. With SSL_OP_CIPHER_SERVER_PREFERENCE set
 * the preference order is that of |s|'s own list; otherwise it is the
 * client's. */
int tls1_get_shared_curve(SSL *s)
{
	const uint16_t *pref, *supp;
	size_t preflen, supplen, i, j;
	int server_pref;

	/* Can't do anything on client side */
	if (s->server == 0)
		return NID_undef;

	server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0;

	/* Return first preference shared curve */
	tls1_get_curvelist(s, server_pref, &supp, &supplen);
	tls1_get_curvelist(s, !server_pref, &pref, &preflen);
	for (i = 0; i < preflen; i++) {
		const uint16_t candidate = pref[i];

		for (j = 0; j < supplen; j++) {
			if (supp[j] == candidate)
				return tls1_ec_curve_id2nid(candidate);
		}
	}
	return NID_undef;
}

/* NOTE: tls1_ec_curve_id2nid and tls1_set_curves assume that
 *
 * (a) 0 is not a valid curve ID.
 *
 * (b) The largest curve ID is 31.
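 *
 * Those implementations must be revised before adding support for curve IDs
 * that break these assumptions. */
OPENSSL_COMPILE_ASSERT(
	(sizeof(nid_list) / sizeof(nid_list[0])) < 32, small_curve_ids);

/* tls1_set_curves converts the |ncurves| NIDs in |curves| to TLS curve IDs and
 * stores them in a newly allocated array. On success it frees any array
 * previously held in |*out_curve_ids|, stores the new array and its length in
 * |*out_curve_ids| and |*out_curve_ids_len|, and returns one. It returns zero,
 * leaving both outputs untouched, on allocation failure or when |curves|
 * contains an unknown NID or a duplicate. */
int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,
	const int *curves, size_t ncurves)
	{
	uint16_t *curve_ids;
	size_t i;
	/* Bitmap of curves included to detect duplicates: only works
	 * while curve ids < 32
	 */
	uint32_t dup_list = 0;

	/* A list longer than the table of known curves must contain an unknown
	 * NID or a duplicate, both of which are rejected below. Refusing it
	 * here keeps the allocation bounded and stops |ncurves| *
	 * sizeof(uint16_t) from wrapping to a buffer smaller than the loop
	 * would write. */
	if (ncurves > sizeof(nid_list) / sizeof(nid_list[0]))
		return 0;

	curve_ids = OPENSSL_malloc(ncurves * sizeof(uint16_t));
	if (!curve_ids)
		return 0;
	for (i = 0; i < ncurves; i++)
		{
		uint32_t idmask;
		uint16_t id;
		id = tls1_ec_nid2curve_id(curves[i]);
		/* |id| is at most the table size, which the compile-time
		 * assert above keeps below 32, so the shift is in range. */
		idmask = ((uint32_t)1) << id;
		if (!id || (dup_list & idmask))
			{
			OPENSSL_free(curve_ids);
			return 0;
			}
		dup_list |= idmask;
		curve_ids[i] = id;
		}
	/* Ownership of |curve_ids| passes to the caller's slot; the array it
	 * replaces is released here. */
	if (*out_curve_ids)
		OPENSSL_free(*out_curve_ids);
	*out_curve_ids = curve_ids;
	*out_curve_ids_len = ncurves;
	return 1;
	}

/* tls1_curve_params_from_ec_key sets |*out_curve_id| and |*out_comp_id| to the
 * TLS curve ID and point format, respectively, for |ec|. It returns one on
 * success and zero on failure.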
 */
static int tls1_curve_params_from_ec_key(uint16_t *out_curve_id, uint8_t *out_comp_id, EC_KEY *ec)
{
	const EC_GROUP *group;
	uint16_t curve_id;

	if (ec == NULL)
		return 0;

	group = EC_KEY_get0_group(ec);
	if (group == NULL)
		return 0;

	/* Determine curve ID */
	curve_id = tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group));
	if (curve_id == 0)
		return 0;

	/* Set the named curve ID. Arbitrary explicit curves are not
	 * supported. Note that |*out_curve_id| is written before the public
	 * key check below, so it is set even when that check fails. */
	*out_curve_id = curve_id;

	/* The point format is optional: callers pass NULL to skip it. */
	if (out_comp_id == NULL)
		return 1;

	if (EC_KEY_get0_public_key(ec) == NULL)
		return 0;

	*out_comp_id = (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
		? TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
		: TLSEXT_ECPOINTFORMAT_uncompressed;
	return 1;
}

/* Check an EC key is compatible with extensions. |comp_id| and |curve_id| may
 * each be NULL to skip the corresponding check. Returns one when every
 * requested check passes and zero otherwise. */
static int tls1_check_ec_key(SSL *s,
	const uint16_t *curve_id, const uint8_t *comp_id)
{
	const uint16_t *curves;
	size_t curves_len, i;
	int j, found;

	/* If point formats extension present check it, otherwise everything
	 * is supported (see RFC4492).
	 */
	if (comp_id && s->session->tlsext_ecpointformatlist) {
		const uint8_t *formats = s->session->tlsext_ecpointformatlist;
		const size_t formats_len = s->session->tlsext_ecpointformatlist_length;

		found = 0;
		for (i = 0; i < formats_len; i++) {
			if (formats[i] == *comp_id) {
				found = 1;
				break;
			}
		}
		if (!found)
			return 0;
	}

	if (!curve_id)
		return 1;

	/* Check curve is consistent with client and server preferences:
	 * pass 0 looks at the preferred list of |s|, pass 1 at the client
	 * list stored on the session. */
	for (j = 0; j <= 1; j++) {
		tls1_get_curvelist(s, j, &curves, &curves_len);

		found = 0;
		for (i = 0; i < curves_len; i++) {
			if (curves[i] == *curve_id) {
				found = 1;
				break;
			}
		}
		/* An empty list fails here, since nothing can match. */
		if (!found)
			return 0;

		/* For clients can only check sent curve list */
		if (!s->server)
			return 1;
	}
	return 1;
}

/* tls1_get_formatlist sets |*pformats| and |*pformatslen| to the point format
 * list of |s|, falling back to |ecformats_default| when none is set. */
static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
	size_t *pformatslen)
{
	/* If we have a custom point format list use it otherwise
	 * use default */
	if (!s->tlsext_ecpointformatlist) {
		*pformats = ecformats_default;
		/* One byte per entry, so sizeof is also the entry count. */
		*pformatslen = sizeof(ecformats_default);
		return;
	}

	*pformats = s->tlsext_ecpointformatlist;
	*pformatslen = s->tlsext_ecpointformatlist_length;
}

/* Check cert parameters compatible with extensions: currently just checks
 * EC certificates
have compatible curves and compression.
 * Returns one when |x| carries a non-EC key or a compatible EC key, and zero
 * when the public key cannot be read or is incompatible. |set_ee_md| is not
 * read by this function.
 */
static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
{
	uint16_t curve_id;
	uint8_t comp_id;
	int ok;
	EVP_PKEY *pkey = X509_get_pubkey(x);

	if (pkey == NULL)
		return 0;

	/* If not EC nothing to do */
	if (pkey->type != EVP_PKEY_EC) {
		EVP_PKEY_free(pkey);
		return 1;
	}

	/* Extract the parameters first so |pkey| can be released on every
	 * path before the compatibility check runs. */
	ok = tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec);
	EVP_PKEY_free(pkey);
	if (!ok)
		return 0;

	/* Can't check curve_id for client certs as we don't have a
	 * supported curves extension.
	 */
	if (s->server)
		return tls1_check_ec_key(s, &curve_id, &comp_id);
	return tls1_check_ec_key(s, NULL, &comp_id);
}

/* Check EC temporary key is compatible with client extensions. Returns one
 * when the temporary ECDH key of |s| (or, in auto mode, some shared curve) is
 * acceptable and zero otherwise. |cid| is not read by this function. */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{
	uint16_t curve_id;
	EC_KEY *ec = s->cert->ecdh_tmp;

#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
	/* Allow any curve: not just those peer supports. This skips the curve
	 * check entirely and is only compiled in for debug builds. */
	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
		return 1;
#endif

	if (s->cert->ecdh_tmp_auto) {
		/* Need a shared curve */
		return tls1_get_shared_curve(s) != NID_undef;
	}

	if (ec == NULL) {
		/* No fixed key: acceptable only if a callback is set. The
		 * callback's key is not checked here. */
		return s->cert->ecdh_tmp_cb ? 1 : 0;
	}

	if (!tls1_curve_params_from_ec_key(&curve_id, NULL, ec))
		return 0;

/* Set this to allow use of invalid curves for testing. It must stay 0 outside
 * of tests, since the other branch is the only curve check on this path. */
#if 0
	return 1;
#else
	return tls1_check_ec_key(s, &curve_id, NULL);
#endif
}



/* List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
 *
 * NOTE(review): the default list below still includes SHA-224 and SHA-1
 * pairs. SHA-1 is a legacy hash; confirm that peers still need it before
 * keeping it in the default list.
 */

#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,

#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,

#define tlsext_sigalg(md) \
		tlsext_sigalg_rsa(md) \
		tlsext_sigalg_ecdsa(md)

/* Each tlsext_sigalg() entry expands to two (hash, signature) byte pairs, one
 * for RSA and one for ECDSA. Entries run from SHA-512 down to SHA-1. */
static const uint8_t tls12_sigalgs[] = {
	tlsext_sigalg(TLSEXT_hash_sha512)
	tlsext_sigalg(TLSEXT_hash_sha384)
	tlsext_sigalg(TLSEXT_hash_sha256)
	tlsext_sigalg(TLSEXT_hash_sha224)
	tlsext_sigalg(TLSEXT_hash_sha1)
};

/* tls12_get_psigalgs sets |*psigs| to the signature algorithm list to use for
 * |s| and returns its length. The client-authentication list is used on a
 * server when set, then the configured list, then |tls12_sigalgs|. */
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
{
	/* If server use client authentication sigalgs if not NULL */
	if (s->server && s->cert->client_sigalgs) {
		*psigs = s->cert->client_sigalgs;
		return s->cert->client_sigalgslen;
	}

	if (s->cert->conf_sigalgs) {
		*psigs = s->cert->conf_sigalgs;
		return s->cert->conf_sigalgslen;
	}

	/* Built-in default; the length is in bytes, two per pair. */
	*psigs = tls12_sigalgs;
	return sizeof(tls12_sigalgs);
}

/* tls12_check_peer_sigalg parses a SignatureAndHashAlgorithm out of
 * |cbs|.
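It checks it is consistent with |s|'s sent supported
 * signature algorithms and, if so, writes the relevant digest into
 * |*out_md| and returns 1. Otherwise it returns 0 and writes an alert
 * into |*out_alert|.
 *
 * |pkey| is the peer key: its type, as mapped by tls12_get_sigid, must equal
 * the signature byte read from |cbs|. For EC keys the curve and point format
 * are also checked against our extensions, but only when |s| is a client.
 * On success the digest is additionally recorded on the session's peer key
 * when a session certificate is present.
 */
int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,
				SSL *s, CBS *cbs, EVP_PKEY *pkey)
	{
	const unsigned char *sent_sigs;
	size_t sent_sigslen, i;
	int sigalg = tls12_get_sigid(pkey);
	int found = 0;
	uint8_t hash, signature;

	/* Should never happen */
	if (sigalg == -1)
		{
		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, ERR_R_INTERNAL_ERROR);
		*out_alert = SSL_AD_INTERNAL_ERROR;
		return 0;
		}
	/* The pair is peer-controlled input: one hash byte, one signature byte. */
	if (!CBS_get_u8(cbs, &hash) ||
		!CBS_get_u8(cbs, &signature))
		{
		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_DECODE_ERROR);
		*out_alert = SSL_AD_DECODE_ERROR;
		return 0;
		}
	/* Check key type is consistent with signature */
	if (sigalg != signature)
		{
		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
		*out_alert = SSL_AD_ILLEGAL_PARAMETER;
		return 0;
		}
	if (pkey->type == EVP_PKEY_EC)
		{
		uint16_t curve_id;
		uint8_t comp_id;
		/* Check compression and curve matches extensions */
		if (!tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec))
			{
			*out_alert = SSL_AD_INTERNAL_ERROR;
			return 0;
			}
		/* Only a client compares the peer's curve with what it offered. */
		if (!s->server && !tls1_check_ec_key(s, &curve_id, &comp_id))
			{
			OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
			*out_alert = SSL_AD_ILLEGAL_PARAMETER;
			return 0;
			}
		}

	/* Check signature matches a type we sent. The list is a sequence of
	 * (hash, signature) byte pairs. Only complete pairs are read and the
	 * outcome is kept in |found|, so the result does not depend on the
	 * list length being even. */
	sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
	for (i = 0; i + 1 < sent_sigslen; i += 2)
		{
		if (hash == sent_sigs[i] && signature == sent_sigs[i + 1])
			{
			found = 1;
			break;
			}
		}
	/* Allow fallback to SHA1 if not strict mode.
	 * NOTE(review): outside strict mode this accepts a SHA-1 signature even
	 * when SHA-1 is absent from the list we advertised. A deployment that
	 * removes SHA-1 from its configured list should confirm it also sets
	 * SSL_CERT_FLAGS_CHECK_TLS_STRICT. */
	if (!found && (hash != TLSEXT_hash_sha1 ||
		(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)))
		{
		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
		*out_alert = SSL_AD_ILLEGAL_PARAMETER;
		return 0;
		}
	*out_md = tls12_get_hash(hash);
	if (*out_md == NULL)
		{
		OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
		*out_alert = SSL_AD_ILLEGAL_PARAMETER;
		return 0;
		}
	/* Store the digest used so applications can retrieve it if they
	 * wish.
	 */
	if (s->session && s->session->sess_cert)
		s->session->sess_cert->peer_key->digest = *out_md;
	return 1;
	}
/* Get a mask of disabled algorithms: an algorithm is disabled
 * if it isn't supported or doesn't appear in supported signature
 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
 * session and not global settings.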
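*/
/* ssl_set_client_disabled rebuilds |s->cert|'s |mask_a|, |mask_k| and
 * |mask_ssl| from scratch:
 *   - |mask_ssl| gets SSL_TLSV1_2 when SSL_CLIENT_USE_TLS1_2_CIPHERS(s) is
 *     false, otherwise 0;
 *   - RSA or ECDSA authentication is masked out when the applicable signature
 *     algorithm list (see tls12_get_psigalgs) has no entry for it;
 *   - PSK authentication and key exchange are masked out when no PSK client
 *     callback is installed.
 * It finishes by setting |s->cert->valid| to 1.
 */
void ssl_set_client_disabled(SSL *s)
	{
	CERT *c = s->cert;
	const unsigned char *sigalgs;
	size_t i, sigalgslen;
	int have_rsa = 0, have_ecdsa = 0;

	c->mask_a = 0;
	c->mask_k = 0;
	/* Don't allow TLS 1.2 only ciphers if we don't support them */
	if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
		c->mask_ssl = SSL_TLSV1_2;
	else
		c->mask_ssl = 0;
	/* Now go through all signature algorithms seeing if we support
	 * any for RSA or ECDSA. Do this for all versions not just
	 * TLS 1.2. Entries are (hash, signature) byte pairs; only complete
	 * pairs are read, so a stray trailing byte is never dereferenced.
	 */
	sigalgslen = tls12_get_psigalgs(s, &sigalgs);
	for (i = 0; i + 1 < sigalgslen; i += 2)
		{
		switch (sigalgs[i + 1])
			{
		case TLSEXT_signature_rsa:
			have_rsa = 1;
			break;
		case TLSEXT_signature_ecdsa:
			have_ecdsa = 1;
			break;
		default:
			/* Other signature types do not affect the masks. */
			break;
			}
		}
	/* Disable auth if we don't include any appropriate signature
	 * algorithms.
	 */
	if (!have_rsa)
		{
		c->mask_a |= SSL_aRSA;
		}
	if (!have_ecdsa)
		{
		c->mask_a |= SSL_aECDSA;
		}
	/* PSK needs a client callback; without one mask out both the PSK
	 * authentication and the PSK key exchange. */
	if (!s->psk_client_callback)
		{
		c->mask_a |= SSL_aPSK;
		c->mask_k |= SSL_kPSK;
		}
	/* presumably marks the masks as computed; confirm against CERT */
	c->valid = 1;
	}

/* header_len is the length of the ClientHello header written so far, used to
 * compute padding. It does not include the record header. Pass 0 if no padding
 * is to be done.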
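*/
/* ssl_add_clienthello_tlsext serialises the ClientHello extensions block for
 * |s| into the buffer starting at |buf|; |limit| marks the end of the space
 * that may be written. Two bytes are reserved at |buf| for the total
 * extensions length, which is filled in last.
 *
 * Returns a pointer just past the last byte written, |buf| itself when no
 * extensions are emitted (SSLv3 without secure renegotiation, or an empty
 * block), or NULL when an extension does not fit before |limit| or a helper
 * fails.
 *
 * Every extension checks the remaining space before it writes. The padding
 * extension must stay last because it is sized from everything written
 * before it.
 */
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
	{
	int extdatalen=0;
	unsigned char *ret = buf;
	unsigned char *orig = buf;
	/* See if we support any ECC ciphersuites */
	int using_ecc = 0;
	if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
		{
		int i;
		unsigned long alg_k, alg_a;
		STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);

		for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
			{
			const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

			alg_k = c->algorithm_mkey;
			alg_a = c->algorithm_auth;
			if ((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA))
				{
				using_ecc = 1;
				break;
				}
			}
		}

	/* don't add extensions for SSLv3 unless doing secure renegotiation */
	if (s->client_version == SSL3_VERSION
					&& !s->s3->send_connection_binding)
		return orig;

	/* Reserve the two-byte total length; it is written at the very end. */
	ret+=2;

	if (ret>=limit) return NULL; /* this really never occurs, but ... */

	if (s->tlsext_hostname != NULL)
		{
		/* Add TLS extension servername to the Client Hello message */
		unsigned long size_str;
		long lenmax;

		/* check for enough space.
		   4 for the servername type and extension length
		   2 for servernamelist length
		   1 for the hostname type
		   2 for hostname length
		   + hostname length
		*/

		if ((lenmax = limit - ret - 9) < 0
		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
			return NULL;

		/* NOTE(review): s2n stores 16 bits, so the lengths below rely
		 * on the space check above keeping |size_str| small; assumes
		 * the ClientHello buffer is well under 64 KiB. TODO confirm. */

		/* extension type and length */
		s2n(TLSEXT_TYPE_server_name,ret);
		s2n(size_str+5,ret);

		/* length of servername list */
		s2n(size_str+3,ret);

		/* hostname type, length and hostname */
		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
		s2n(size_str,ret);
		memcpy(ret, s->tlsext_hostname, size_str);
		ret+=size_str;
		}

	/* Add RI if renegotiating */
	if (s->renegotiate)
		{
		int el;

		/* First call (NULL buffer) only reports the length in |el|. */
		if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);

		if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		ret += el;
		}

	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
		{
		int ticklen;
		if (!s->new_session && s->session && s->session->tlsext_tick)
			ticklen = s->session->tlsext_ticklen;
		else if (s->session && s->tlsext_session_ticket &&
			 s->tlsext_session_ticket->data)
			{
			/* Copy the application-supplied ticket into the session. */
			s->session->tlsext_tick = BUF_memdup(
				s->tlsext_session_ticket->data,
				s->tlsext_session_ticket->length);
			if (!s->session->tlsext_tick)
				return NULL;
			ticklen = s->tlsext_session_ticket->length;
			s->session->tlsext_ticklen = ticklen;
			}
		else
			ticklen = 0;
		/* A ticket object with no data suppresses the extension. */
		if (ticklen == 0 && s->tlsext_session_ticket &&
		    s->tlsext_session_ticket->data == NULL)
			goto skip_ext;
		/* Check for enough room 2 for extension type, 2 for len
		 * rest for ticket
		 */
		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
		s2n(TLSEXT_TYPE_session_ticket,ret);
		s2n(ticklen,ret);
		if (ticklen)
			{
			memcpy(ret, s->session->tlsext_tick, ticklen);
			ret += ticklen;
			}
		}
		skip_ext:

	if (SSL_USE_SIGALGS(s))
		{
		size_t salglen;
		const unsigned char *salg;
		salglen = tls12_get_psigalgs(s, &salg);
		/* 2 type + 2 extension length + 2 list length + the list */
		if ((size_t)(limit - ret) < salglen + 6)
			return NULL;
		s2n(TLSEXT_TYPE_signature_algorithms,ret);
		s2n(salglen + 2, ret);
		s2n(salglen, ret);
		memcpy(ret, salg, salglen);
		ret += salglen;
		}

	if (s->ocsp_stapling_enabled)
		{
		/* The status_request extension is excessively extensible at
		 * every layer. On the client, only support requesting OCSP
		 * responses with an empty responder_id_list and no
		 * extensions. */
		if (limit - ret - 4 - 1 - 2 - 2 < 0) return NULL;

		s2n(TLSEXT_TYPE_status_request, ret);
		s2n(1 + 2 + 2, ret);
		/* status_type */
		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
		/* responder_id_list - empty */
		s2n(0, ret);
		/* request_extensions - empty */
		s2n(0, ret);
		}

	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
		{
		/* The client advertises an empty extension to indicate its
		 * support for Next Protocol Negotiation */
		if (limit - ret - 4 < 0)
			return NULL;
		s2n(TLSEXT_TYPE_next_proto_neg,ret);
		s2n(0,ret);
		}

	if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len)
		{
		/* The client advertises an empty extension to indicate its support for
		 * certificate timestamps. */
		if (limit - ret - 4 < 0)
			return NULL;
		s2n(TLSEXT_TYPE_certificate_timestamp,ret);
		s2n(0,ret);
		}

	if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
		{
		/* 2 type + 2 extension length + 2 list length + the list */
		if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
			return NULL;
		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
		s2n(2 + s->alpn_client_proto_list_len,ret);
		s2n(s->alpn_client_proto_list_len,ret);
		memcpy(ret, s->alpn_client_proto_list,
		       s->alpn_client_proto_list_len);
		ret += s->alpn_client_proto_list_len;
		}

	if (s->tlsext_channel_id_enabled)
		{
		/* The client advertises an empty extension to indicate its
		 * support for Channel ID. */
		if (limit - ret - 4 < 0)
			return NULL;
		if (s->ctx->tlsext_channel_id_enabled_new)
			{
			s2n(TLSEXT_TYPE_channel_id_new,ret);
			}
		else
			{
			s2n(TLSEXT_TYPE_channel_id,ret);
			}
		s2n(0,ret);
		}

	if(SSL_get_srtp_profiles(s))
		{
		int el = 0;

		/* Length query. Its result is checked like the write below and
		 * like the renegotiation extension above, so |el| is never
		 * used after a failed query. */
		if(!ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0))
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);

		if(!ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}
		ret += el;
		}

	if (using_ecc)
		{
		/* Add TLS extension ECPointFormats to the ClientHello message */
		long lenmax;
		const uint8_t *formats;
		const uint16_t *curves;
		size_t formats_len, curves_len, i;

		tls1_get_formatlist(s, &formats, &formats_len);

		if ((lenmax = limit - ret - 5) < 0) return NULL;
		if (formats_len > (size_t)lenmax) return NULL;
		/* The format list carries a one-byte length prefix. */
		if (formats_len > 255)
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		s2n(TLSEXT_TYPE_ec_point_formats,ret);
		s2n(formats_len + 1,ret);
		*(ret++) = (unsigned char)formats_len;
		memcpy(ret, formats, formats_len);
		ret+=formats_len;

		/* Add TLS extension EllipticCurves to the ClientHello message */
		tls1_get_curvelist(s, 0, &curves, &curves_len);

		if ((lenmax = limit - ret - 6) < 0) return NULL;
		if ((curves_len * 2) > (size_t)lenmax) return NULL;
		/* Each curve takes two bytes; list plus prefix must fit 16 bits. */
		if ((curves_len * 2) > 65532)
			{
			OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		s2n(TLSEXT_TYPE_elliptic_curves,ret);
		s2n((curves_len * 2) + 2, ret);

		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
		 * elliptic_curve_list, but the examples use two bytes.
		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
		 * resolves this to two bytes.
		 */
		s2n(curves_len * 2, ret);
		for (i = 0; i < curves_len; i++)
			{
			s2n(curves[i], ret);
			}
		}

#ifdef TLSEXT_TYPE_padding
	/* Add padding to workaround bugs in F5 terminators.
	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
	 *
	 * NB: because this code works out the length of all existing
	 * extensions it MUST always appear last. */
	if (header_len > 0)
		{
		header_len += ret - orig;
		/* Pad only when the ClientHello would be 0x100..0x1ff bytes. */
		if (header_len > 0xff && header_len < 0x200)
			{
			size_t padding_len = 0x200 - header_len;
			/* Extensions take at least four bytes to encode. Always
			 * include at least one byte of data if including the
			 * extension. WebSphere Application Server 7.0 is
			 * intolerant to the last extension being zero-length. */
			if (padding_len >= 4 + 1)
				padding_len -= 4;
			else
				padding_len = 1;
			if (limit - ret - 4 - (long)padding_len < 0)
				return NULL;

			s2n(TLSEXT_TYPE_padding, ret);
			s2n(padding_len, ret);
			memset(ret, 0, padding_len);
			ret += padding_len;
			}
		}
#endif

	/* Nothing beyond the reserved length bytes: emit no extensions block. */
	if ((extdatalen = ret-orig-2)== 0)
		return orig;

	/* Back-fill the total extensions length reserved at the start. */
	s2n(extdatalen, orig);
	return ret;
	}

unsigned char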
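*ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
{
	/* Serializes the ServerHello extensions block into [buf, limit).
	 *
	 * Two bytes are reserved at |buf| for the total extensions length. Each
	 * extension is then appended as a 16-bit type, a 16-bit length and its
	 * body, and the reserved length is filled in last.
	 *
	 * Returns the position after the last byte written, |buf| unchanged when
	 * no extension is emitted (including SSLv3 without secure renegotiation),
	 * or NULL when the buffer is too small or an extension cannot be
	 * encoded.
	 *
	 * Every write below is preceded by a check against |limit|; keep that
	 * pairing when adding an extension, and make sure a length fits the
	 * field it is written into before it is used for memcpy. */
	int extdatalen = 0;
	unsigned char *orig = buf;
	unsigned char *ret = buf;
	int next_proto_neg_seen;
	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
	/* ECPointFormats is sent only for an ECDHE or ECDSA cipher and only when
	 * the session holds a point format list. */
	int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA);
	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);

	/* don't add extensions for SSLv3, unless doing secure renegotiation */
	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
		return orig;

	/* Reserve the two-byte total length; it is written at the very end. */
	ret += 2;
	if (ret >= limit)
		return NULL; /* this really never occurs, but ... */

	/* Acknowledge SNI with an empty server_name extension; skipped when
	 * s->hit is set. */
	if (!s->hit && s->should_ack_sni && s->session->tlsext_hostname != NULL) {
		if ((long)(limit - ret - 4) < 0)
			return NULL;

		s2n(TLSEXT_TYPE_server_name, ret);
		s2n(0, ret);
	}

	if (s->s3->send_connection_binding) {
		int el;

		/* Sizing call: the value left in |el| is used as the extension
		 * length below. */
		if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}

		if ((limit - ret - 4 - el) < 0)
			return NULL;

		s2n(TLSEXT_TYPE_renegotiate, ret);
		s2n(el, ret);

		if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}

		ret += el;
	}

	if (using_ecc) {
		const unsigned char *plist;
		size_t plistlen;
		/* Add TLS extension ECPointFormats to the ServerHello message */
		long lenmax;

		tls1_get_formatlist(s, &plist, &plistlen);

		/* 5 = type (2) + extension length (2) + list length (1). */
		if ((lenmax = limit - ret - 5) < 0)
			return NULL;
		if (plistlen > (size_t)lenmax)
			return NULL;
		/* The list length is a single byte on the wire. */
		if (plistlen > 255) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}

		s2n(TLSEXT_TYPE_ec_point_formats, ret);
		s2n(plistlen + 1, ret);
		*(ret++) = (unsigned char)plistlen;
		memcpy(ret, plist, plistlen);
		ret += plistlen;
	}
	/* Currently the server should not respond with a SupportedCurves extension */

	if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
		if ((long)(limit - ret - 4) < 0)
			return NULL;
		s2n(TLSEXT_TYPE_session_ticket, ret);
		s2n(0, ret);
	}

	if (s->s3->tmp.certificate_status_expected) {
		if ((long)(limit - ret - 4) < 0)
			return NULL;
		s2n(TLSEXT_TYPE_status_request, ret);
		s2n(0, ret);
	}

	if (s->srtp_profile) {
		int el;

		/* Sizing call. Its result is now checked, as for the renegotiation
		 * extension above, so that |el| is never read uninitialised.
		 * NOTE(review): assumes the sizing call follows the same
		 * zero-on-failure convention as the second call below. */
		if (!ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}

		if ((limit - ret - 4 - el) < 0)
			return NULL;

		s2n(TLSEXT_TYPE_use_srtp, ret);
		s2n(el, ret);

		if (!ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}
		ret += el;
	}

	/* The flag is cleared here and set again only if the NPN extension is
	 * actually written. */
	next_proto_neg_seen = s->s3->next_proto_neg_seen;
	s->s3->next_proto_neg_seen = 0;
	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
		const unsigned char *npa;
		unsigned int npalen;
		int r;

		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
			s->ctx->next_protos_advertised_cb_arg);
		if (r == SSL_TLSEXT_ERR_OK) {
			/* The extension length is 16 bits on the wire. A longer
			 * list from the callback would be written with a
			 * truncated length while the full list is copied, so it
			 * is rejected instead. */
			if (npalen > 0xffff) {
				OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
				return NULL;
			}
			if ((limit - ret - 4 - (long)npalen) < 0)
				return NULL;
			s2n(TLSEXT_TYPE_next_proto_neg, ret);
			s2n(npalen, ret);
			memcpy(ret, npa, npalen);
			ret += npalen;
			s->s3->next_proto_neg_seen = 1;
		}
	}

	if (s->s3->alpn_selected) {
		const uint8_t *selected = s->s3->alpn_selected;
		size_t len = s->s3->alpn_selected_len;

		/* The protocol name carries a one-byte length prefix; refuse
		 * anything that would not fit rather than truncate the prefix. */
		if (len > 255) {
			OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
			return NULL;
		}
		/* type (2) + extension length (2) + list length (2) + name
		 * length (1) + name. */
		if ((limit - ret - 4 - 2 - 1 - (long)len) < 0)
			return NULL;
		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
		s2n(3 + len, ret);
		s2n(1 + len, ret);
		*ret++ = (unsigned char)len;
		memcpy(ret, selected, len);
		ret += len;
	}

	/* If the client advertised support for Channel ID, and we have it
	 * enabled, then we want to echo it back. */
	if (s->s3->tlsext_channel_id_valid) {
		if (limit - ret - 4 < 0)
			return NULL;
		if (s->s3->tlsext_channel_id_new) {
			s2n(TLSEXT_TYPE_channel_id_new, ret);
		} else {
			s2n(TLSEXT_TYPE_channel_id, ret);
		}
		s2n(0, ret);
	}

	/* Nothing was appended: drop the reserved length bytes as well. */
	if ((extdatalen = ret - orig - 2) == 0)
		return orig;

	s2n(extdatalen, orig);
	return ret;
}

/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
 * ClientHello.
 *   cbs: the contents of the extension, not including the type and length.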
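 *   out_alert: a pointer to the alert value to send in the event of a zero
 *       return.
 *
 *   returns: 1 on success. */
static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert)
{
	CBS protocol_name_list, protocol_name_list_copy;
	const unsigned char *selected;
	unsigned char selected_len;
	int r;

	/* Without a selection callback the extension is ignored. */
	if (s->ctx->alpn_select_cb == NULL)
		return 1;

	/* The extension body must be exactly one 16-bit length-prefixed list
	 * with no trailing bytes. The shortest acceptable list is two bytes: a
	 * length byte and a one-byte name. */
	if (!CBS_get_u16_length_prefixed(cbs, &protocol_name_list) ||
	    CBS_len(cbs) != 0 ||
	    CBS_len(&protocol_name_list) < 2)
		goto parse_error;

	/* Validate the protocol list. This is peer-supplied data, so every
	 * entry is checked before the application callback sees the list. The
	 * walk runs on a copy so the callback still receives the whole list. */
	protocol_name_list_copy = protocol_name_list;
	while (CBS_len(&protocol_name_list_copy) > 0) {
		CBS protocol_name;

		if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
		    /* RFC 7301: empty protocol names MUST NOT be included. */
		    CBS_len(&protocol_name) == 0)
			goto parse_error;
	}

	r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
		CBS_data(&protocol_name_list), CBS_len(&protocol_name_list),
		s->ctx->alpn_select_cb_arg);
	if (r == SSL_TLSEXT_ERR_OK) {
		/* Replace any earlier selection with a private copy of the
		 * callback's choice. */
		if (s->s3->alpn_selected)
			OPENSSL_free(s->s3->alpn_selected);
		s->s3->alpn_selected = BUF_memdup(selected, selected_len);
		if (!s->s3->alpn_selected) {
			/* Keep the stored length in step with the cleared
			 * pointer. */
			s->s3->alpn_selected_len = 0;
			*out_alert = SSL_AD_INTERNAL_ERROR;
			return 0;
		}
		s->s3->alpn_selected_len = selected_len;
	}
	return 1;

parse_error:
	*out_alert = SSL_AD_DECODE_ERROR;
	return 0;
}

static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
	{
	int renegotiate_seen = 0;
	CBS extensions;
	size_t i;

	s->should_ack_sni = 0;
	s->s3->next_proto_neg_seen = 0;
	s->s3->tmp.certificate_status_expected = 0;

	if (s->s3->alpn_selected)
		{
		OPENSSL_free(s->s3->alpn_selected);
		s->s3->alpn_selected = NULL;
		}

	/* Clear any signature algorithms extension received */
	if (s->cert->peer_sigalgs)
		{
		OPENSSL_free(s->cert->peer_sigalgs);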
143595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->cert->peer_sigalgs = NULL; 143695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 143795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Clear any shared sigtnature algorithms */ 143895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->cert->shared_sigalgs) 143995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 144095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley OPENSSL_free(s->cert->shared_sigalgs); 144195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->cert->shared_sigalgs = NULL; 144295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 144395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Clear certificate digests and validity flags */ 144495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (i = 0; i < SSL_PKEY_NUM; i++) 144595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 144695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->cert->pkeys[i].digest = NULL; 144795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->cert->pkeys[i].valid_flags = 0; 144895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 144995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1450dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* There may be no extensions. */ 1451dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (CBS_len(cbs) == 0) 1452dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 145395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley goto ri_check; 1454dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 145595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 145635a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin /* Decode the extensions block and check it is valid. 
*/ 145735a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin if (!CBS_get_u16_length_prefixed(cbs, &extensions) || 145835a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin !tls1_check_duplicate_extensions(&extensions)) 1459dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1460dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1461dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1462dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1463dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1464dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin while (CBS_len(&extensions) != 0) 146595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1466dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin uint16_t type; 1467dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS extension; 1468dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1469dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Decode the next extension. 
*/ 1470dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u16(&extensions, &type) || 1471dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin !CBS_get_u16_length_prefixed(&extensions, &extension)) 1472dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1473dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1474dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1475dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 147695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 147795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->tlsext_debug_cb) 1478dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1479dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin s->tlsext_debug_cb(s, 0, type, (unsigned char*)CBS_data(&extension), 1480dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&extension), s->tlsext_debug_arg); 1481dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1482dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 148395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* The servername extension is treated as follows: 148495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 148595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - Only the hostname type is supported with a maximum length of 255. 148695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - The servername is rejected if too long or if it contains zeros, 148795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley in which case an fatal alert is generated. 148895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - The servername field is maintained together with the session cache. 148995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - When a session is resumed, the servername call back invoked in order 149095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley to allow the application to position itself to the right context. 
149195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - The servername is acknowledged if it is new for a session or when 149295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley it is identical to a previously used for the same session. 149395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley Applications can control the behaviour. They can at any time 149495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley set a 'desirable' servername for a new SSL object. This can be the 149595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case for example with HTTPS when a Host: header field is received and 149695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley a renegotiation is requested. In this case, a possible servername 149795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley presented in the new client hello is only acknowledged if it matches 149895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley the value of the Host: field. 149995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 150095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if they provide for changing an explicit servername context for the session, 150195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley i.e. when the session has been established with a servername extension. 150295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley - On session reconnect, the servername extension may be absent. 
150395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 150495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley*/ 150595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 150695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (type == TLSEXT_TYPE_server_name) 150795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1508dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS server_name_list; 1509ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley char have_seen_host_name = 0; 1510dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1511dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) || 1512dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&server_name_list) < 1 || 1513dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&extension) != 0) 151495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1515dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 151695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 151795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 151895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1519dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Decode each ServerName in the extension. */ 1520dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin while (CBS_len(&server_name_list) > 0) 152195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1522dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin uint8_t name_type; 1523dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS host_name; 152495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1525dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Decode the NameType. 
*/ 1526dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u8(&server_name_list, &name_type)) 152795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1528dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 152995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 153095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1531dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1532dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Only host_name is supported. */ 1533dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (name_type != TLSEXT_NAMETYPE_host_name) 1534dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin continue; 1535dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1536ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley if (have_seen_host_name) 1537ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley { 1538ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley /* The ServerNameList MUST NOT contain 1539ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley * more than one name of the same 1540ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley * name_type. 
*/ 1541ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley *out_alert = SSL_AD_DECODE_ERROR; 1542ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley return 0; 1543ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley } 1544ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley 1545ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley have_seen_host_name = 1; 1546ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley 1547ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name) || 1548ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley CBS_len(&host_name) < 1) 1549ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley { 1550ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley *out_alert = SSL_AD_DECODE_ERROR; 1551ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley return 0; 1552ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley } 1553ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley 1554ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley if (CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 1555ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley CBS_contains_zero_byte(&host_name)) 1556ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley { 1557ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley *out_alert = SSL_AD_UNRECOGNIZED_NAME; 1558ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley return 0; 1559ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley } 1560ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley 1561dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!s->hit) 156295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1563ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley assert(s->session->tlsext_hostname == NULL); 1564dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (s->session->tlsext_hostname) 1565dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1566ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley /* This should be impossible. 
*/ 1567dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1568dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1569dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1570dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1571dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Copy the hostname as a string. */ 1572ed43958853bda3e1ef817dd7c46306f88cfedb08David Benjamin if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) 1573dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1574dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 1575dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 157695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1577ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley 1578ed8270a55c3845abbc85dfeed358597fef059ea9Adam Langley s->should_ack_sni = 1; 157995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 158095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 158195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 158295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 158395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_ec_point_formats) 158495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1585dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS ec_point_format_list; 158695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1587dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) || 1588dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&extension) != 0) 158995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1590dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 159195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 159295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1593dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 
159495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!s->hit) 159595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1596dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_stow(&ec_point_format_list, 1597dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin &s->session->tlsext_ecpointformatlist, 1598dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin &s->session->tlsext_ecpointformatlist_length)) 159995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1600dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 160195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 160295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 160395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 160495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 160595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_elliptic_curves) 160695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1607dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS elliptic_curve_list; 1608072334d943ef81d45f75d97cd722b46f1293f773David Benjamin size_t i, num_curves; 160995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1610dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u16_length_prefixed(&extension, &elliptic_curve_list) || 1611072334d943ef81d45f75d97cd722b46f1293f773David Benjamin CBS_len(&elliptic_curve_list) == 0 || 1612072334d943ef81d45f75d97cd722b46f1293f773David Benjamin (CBS_len(&elliptic_curve_list) & 1) != 0 || 1613dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&extension) != 0) 161495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1615dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 161695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 161795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1618dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 161995c29f3cd1f6c08c6c0927868683392eea727ccAdam 
Langley if (!s->hit) 162095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1621072334d943ef81d45f75d97cd722b46f1293f773David Benjamin if (s->session->tlsext_ellipticcurvelist) 1622072334d943ef81d45f75d97cd722b46f1293f773David Benjamin { 1623072334d943ef81d45f75d97cd722b46f1293f773David Benjamin OPENSSL_free(s->session->tlsext_ellipticcurvelist); 1624072334d943ef81d45f75d97cd722b46f1293f773David Benjamin s->session->tlsext_ellipticcurvelist_length = 0; 1625072334d943ef81d45f75d97cd722b46f1293f773David Benjamin } 1626072334d943ef81d45f75d97cd722b46f1293f773David Benjamin s->session->tlsext_ellipticcurvelist = 1627072334d943ef81d45f75d97cd722b46f1293f773David Benjamin (uint16_t*)OPENSSL_malloc(CBS_len(&elliptic_curve_list)); 1628072334d943ef81d45f75d97cd722b46f1293f773David Benjamin if (s->session->tlsext_ellipticcurvelist == NULL) 162995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1630dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 163195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 163295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1633072334d943ef81d45f75d97cd722b46f1293f773David Benjamin num_curves = CBS_len(&elliptic_curve_list) / 2; 1634072334d943ef81d45f75d97cd722b46f1293f773David Benjamin for (i = 0; i < num_curves; i++) 1635072334d943ef81d45f75d97cd722b46f1293f773David Benjamin { 1636072334d943ef81d45f75d97cd722b46f1293f773David Benjamin if (!CBS_get_u16(&elliptic_curve_list, 1637072334d943ef81d45f75d97cd722b46f1293f773David Benjamin &s->session->tlsext_ellipticcurvelist[i])) 1638072334d943ef81d45f75d97cd722b46f1293f773David Benjamin { 1639072334d943ef81d45f75d97cd722b46f1293f773David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 1640072334d943ef81d45f75d97cd722b46f1293f773David Benjamin return 0; 1641072334d943ef81d45f75d97cd722b46f1293f773David Benjamin } 1642072334d943ef81d45f75d97cd722b46f1293f773David Benjamin } 1643072334d943ef81d45f75d97cd722b46f1293f773David Benjamin if 
(CBS_len(&elliptic_curve_list) != 0) 1644072334d943ef81d45f75d97cd722b46f1293f773David Benjamin { 1645072334d943ef81d45f75d97cd722b46f1293f773David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 1646072334d943ef81d45f75d97cd722b46f1293f773David Benjamin return 0; 1647072334d943ef81d45f75d97cd722b46f1293f773David Benjamin } 1648072334d943ef81d45f75d97cd722b46f1293f773David Benjamin s->session->tlsext_ellipticcurvelist_length = num_curves; 164995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 165095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 165195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_session_ticket) 165295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 165395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->tls_session_ticket_ext_cb && 1654dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin !s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension), s->tls_session_ticket_ext_cb_arg)) 165595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1656dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 165795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 165895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 165995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 166095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_renegotiate) 166195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1662dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, out_alert)) 166395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 166495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley renegotiate_seen = 1; 166595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 166695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_signature_algorithms) 166795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 
1668dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS supported_signature_algorithms; 1669dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1670dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!CBS_get_u16_length_prefixed(&extension, &supported_signature_algorithms) || 1671dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin CBS_len(&extension) != 0) 167295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1673dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 167495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 167595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1676dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1677dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* Ensure the signature algorithms are non-empty. It 1678dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin * contains a list of SignatureAndHashAlgorithms 1679dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin * which are two bytes each. 
*/ 1680dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (CBS_len(&supported_signature_algorithms) == 0 || 1681dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin (CBS_len(&supported_signature_algorithms) % 2) != 0) 168295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1683dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 168495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 168595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 1686dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 1687cd9969434c2b2c347f1fb12623ee240ae01ac942David Benjamin if (!tls1_process_sigalgs(s, &supported_signature_algorithms)) 168895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1689dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 169095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 169195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 169295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* If sigalgs received and no shared algorithms fatal 169395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * error. 
169495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 169595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) 169695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 169795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); 1698dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_ILLEGAL_PARAMETER; 169995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 170095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 170195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 170295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 170395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_next_proto_neg && 170495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->tmp.finish_md_len == 0 && 170595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->alpn_selected == NULL) 170695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1707dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* The extension must be empty. */ 1708dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (CBS_len(&extension) != 0) 1709dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1710dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1711dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1712dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1713dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 171495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* We shouldn't accept this extension on a 171595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * renegotiation. 
171695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 171795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * s->new_session will be set on renegotiation, but we 171895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * probably shouldn't rely that it couldn't be set on 171995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the initial renegotation too in certain cases (when 172095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * there's some other reason to disallow resuming an 172195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * earlier session -- the current code won't be doing 172295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * anything like that, but this might change). 172395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 172495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * A valid sign that there's been a previous handshake 172595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * in this connection is if s->s3->tmp.finish_md_len > 172695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * 0. (We are talking about a check that will happen 172795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * in the Hello protocol round, well before a new 172895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * Finished message could have been computed.) 
*/ 172995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->next_proto_neg_seen = 1; 173095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 173195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 173295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && 173395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->ctx->alpn_select_cb && 173495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->tmp.finish_md_len == 0) 173595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1736dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!tls1_alpn_handle_client_hello(s, &extension, out_alert)) 173795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 173895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* ALPN takes precedence over NPN. */ 173995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->next_proto_neg_seen = 0; 174095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 174195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 17421258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley else if (type == TLSEXT_TYPE_channel_id && 17431258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->tlsext_channel_id_enabled) 1744dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1745dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* The extension must be empty. 
*/ 1746dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (CBS_len(&extension) != 0) 1747dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1748dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1749dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1750dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1751dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 17521258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_valid = 1; 1753dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 17541258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley 17551258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley else if (type == TLSEXT_TYPE_channel_id_new && 17561258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->tlsext_channel_id_enabled) 17571258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley { 1758dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin /* The extension must be empty. */ 1759dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (CBS_len(&extension) != 0) 1760dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin { 1761dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_DECODE_ERROR; 1762dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin return 0; 1763dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin } 1764dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin 17651258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_valid = 1; 17661258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_new = 1; 17671258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley } 17681258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley 17691258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley 177095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* session ticket processed earlier */ 177195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_use_srtp) 
177295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1773dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (!ssl_parse_clienthello_use_srtp_ext(s, &extension, out_alert)) 177495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 177595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 177695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 177795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 177895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley ri_check: 177995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 178095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Need RI if renegotiating */ 178195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 178295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!renegotiate_seen && s->renegotiate && 178395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 178495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1785dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin *out_alert = SSL_AD_HANDSHAKE_FAILURE; 1786172fc2c42716c45ea02626ca8a31703e4dd89b33David Benjamin OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 178795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 178895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 178995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* If no signature algorithms extension set default values */ 179095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!s->cert->peer_sigalgs) 179195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley ssl_cert_set_default_md(s->cert); 179295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 179395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 179495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 179595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 1796dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjaminint ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) 
179795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1798dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin int alert = -1; 1799dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0) 180095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 1801dc72ff75bd5795440a85f2a5841f0fe98ea37dd6David Benjamin ssl3_send_alert(s, SSL3_AL_FATAL, alert); 180295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 180395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 180495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 18056c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin if (ssl_check_clienthello_tlsext(s) <= 0) 180695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 18079d28c75774cbec7f3cd841e554b06d03fbf838ceDavid Benjamin OPENSSL_PUT_ERROR(SSL, ssl_parse_clienthello_tlsext, SSL_R_CLIENTHELLO_TLSEXT); 180895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 180995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 181095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 1811072334d943ef81d45f75d97cd722b46f1293f773David Benjamin } 181295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 181395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 181495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * elements of zero length are allowed and the set of elements must exactly fill 181595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * the length of the block. 
*/ 181603973096f416e694b676160ca481553bb44738ebDavid Benjaminstatic char ssl_next_proto_validate(const CBS *cbs) 181795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 181803973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS copy = *cbs; 181995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 182003973096f416e694b676160ca481553bb44738ebDavid Benjamin while (CBS_len(&copy) != 0) 182195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 182203973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS proto; 182303973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!CBS_get_u8_length_prefixed(&copy, &proto) || 182403973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_len(&proto) == 0) 182503973096f416e694b676160ca481553bb44738ebDavid Benjamin { 182695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 182703973096f416e694b676160ca481553bb44738ebDavid Benjamin } 182895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 182903973096f416e694b676160ca481553bb44738ebDavid Benjamin return 1; 183095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 183195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 183203973096f416e694b676160ca481553bb44738ebDavid Benjaminstatic int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) 183395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 183495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int tlsext_servername = 0; 183595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int renegotiate_seen = 0; 183603973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS extensions; 183795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 18386c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin /* TODO(davidben): Move all of these to some per-handshake state that 18396c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin * gets systematically reset on a new handshake; perhaps allocate it 18406c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin * fresh each time so it's not even kept around post-handshake.
*/ 184195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->next_proto_neg_seen = 0; 184295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 18436c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin s->tlsext_ticket_expected = 0; 18446c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin s->s3->tmp.certificate_status_expected = 0; 18456444287806d801b9a45baf1f6f02a0e3a16e144cDavid Benjamin 184695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->s3->alpn_selected) 184795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 184895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley OPENSSL_free(s->s3->alpn_selected); 184995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->s3->alpn_selected = NULL; 185095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 185195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 185203973096f416e694b676160ca481553bb44738ebDavid Benjamin /* There may be no extensions. */ 185303973096f416e694b676160ca481553bb44738ebDavid Benjamin if (CBS_len(cbs) == 0) 185403973096f416e694b676160ca481553bb44738ebDavid Benjamin { 185595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley goto ri_check; 185603973096f416e694b676160ca481553bb44738ebDavid Benjamin } 185795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 185835a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin /* Decode the extensions block and check it is valid. 
*/ 185935a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin if (!CBS_get_u16_length_prefixed(cbs, &extensions) || 186035a7a4492ddc6082e1b0e71252f35701f8aa848aDavid Benjamin !tls1_check_duplicate_extensions(&extensions)) 186195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 186203973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 186395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 186495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 186595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 186603973096f416e694b676160ca481553bb44738ebDavid Benjamin while (CBS_len(&extensions) != 0) 186795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 186803973096f416e694b676160ca481553bb44738ebDavid Benjamin uint16_t type; 186903973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS extension; 187095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 187103973096f416e694b676160ca481553bb44738ebDavid Benjamin /* Decode the next extension. */ 187203973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!CBS_get_u16(&extensions, &type) || 187303973096f416e694b676160ca481553bb44738ebDavid Benjamin !CBS_get_u16_length_prefixed(&extensions, &extension)) 187403973096f416e694b676160ca481553bb44738ebDavid Benjamin { 187503973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 187603973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 187703973096f416e694b676160ca481553bb44738ebDavid Benjamin } 187895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 187995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->tlsext_debug_cb) 188003973096f416e694b676160ca481553bb44738ebDavid Benjamin { 188103973096f416e694b676160ca481553bb44738ebDavid Benjamin s->tlsext_debug_cb(s, 1, type, (unsigned char*)CBS_data(&extension), 188203973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_len(&extension), s->tlsext_debug_arg); 188303973096f416e694b676160ca481553bb44738ebDavid Benjamin } 
188495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 188595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (type == TLSEXT_TYPE_server_name) 188695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 188703973096f416e694b676160ca481553bb44738ebDavid Benjamin /* The extension must be empty. */ 188803973096f416e694b676160ca481553bb44738ebDavid Benjamin if (CBS_len(&extension) != 0) 188995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 189003973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 189195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 189295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 189303973096f416e694b676160ca481553bb44738ebDavid Benjamin /* We must have sent it in ClientHello. */ 189403973096f416e694b676160ca481553bb44738ebDavid Benjamin if (s->tlsext_hostname == NULL) 189503973096f416e694b676160ca481553bb44738ebDavid Benjamin { 189603973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 189703973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 189803973096f416e694b676160ca481553bb44738ebDavid Benjamin } 189903973096f416e694b676160ca481553bb44738ebDavid Benjamin tlsext_servername = 1; 190095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 190195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_ec_point_formats) 190295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 190303973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS ec_point_format_list; 190495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 190503973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) || 190603973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_len(&extension) != 0) 190795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 190803973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 
190995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 191095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 191103973096f416e694b676160ca481553bb44738ebDavid Benjamin 19125ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley if (!s->hit) 191395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 19145ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley if (!CBS_stow(&ec_point_format_list, 19155ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley &s->session->tlsext_ecpointformatlist, 19165ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley &s->session->tlsext_ecpointformatlist_length)) 19175ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley { 19185ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley *out_alert = SSL_AD_INTERNAL_ERROR; 19195ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley return 0; 19205ba06a75324e33a8381556b98e52f5a3247227d0Adam Langley } 192195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 192295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 192395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_session_ticket) 192495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 192595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->tls_session_ticket_ext_cb && 192603973096f416e694b676160ca481553bb44738ebDavid Benjamin !s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension), 192703973096f416e694b676160ca481553bb44738ebDavid Benjamin s->tls_session_ticket_ext_cb_arg)) 192895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 192903973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 193095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 193195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 193203973096f416e694b676160ca481553bb44738ebDavid Benjamin 193303973096f416e694b676160ca481553bb44738ebDavid Benjamin if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || CBS_len(&extension) > 0) 193495c29f3cd1f6c08c6c0927868683392eea727ccAdam 
Langley { 193503973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 193695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 193795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 193803973096f416e694b676160ca481553bb44738ebDavid Benjamin 193995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->tlsext_ticket_expected = 1; 194095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 194195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_status_request) 194295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 194303973096f416e694b676160ca481553bb44738ebDavid Benjamin /* The extension MUST be empty and may only sent if 194403973096f416e694b676160ca481553bb44738ebDavid Benjamin * we've requested a status request message. */ 194503973096f416e694b676160ca481553bb44738ebDavid Benjamin if (CBS_len(&extension) != 0) 194695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 194703973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 194895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 194995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 19506c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin if (!s->ocsp_stapling_enabled) 195103973096f416e694b676160ca481553bb44738ebDavid Benjamin { 195203973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 195303973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 195403973096f416e694b676160ca481553bb44738ebDavid Benjamin } 195503973096f416e694b676160ca481553bb44738ebDavid Benjamin /* Set a flag to expect a CertificateStatus message */ 19566c7aed048ca0a335e02dfee10976c5dc8620783eDavid Benjamin s->s3->tmp.certificate_status_expected = 1; 195795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 195803973096f416e694b676160ca481553bb44738ebDavid Benjamin else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) { 
195903973096f416e694b676160ca481553bb44738ebDavid Benjamin unsigned char *selected; 196003973096f416e694b676160ca481553bb44738ebDavid Benjamin unsigned char selected_len; 196103973096f416e694b676160ca481553bb44738ebDavid Benjamin 196203973096f416e694b676160ca481553bb44738ebDavid Benjamin /* We must have requested it. */ 196303973096f416e694b676160ca481553bb44738ebDavid Benjamin if (s->ctx->next_proto_select_cb == NULL) 196495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 196503973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 196603973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 196703973096f416e694b676160ca481553bb44738ebDavid Benjamin } 196895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 196903973096f416e694b676160ca481553bb44738ebDavid Benjamin /* The data must be valid. */ 197003973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!ssl_next_proto_validate(&extension)) 197103973096f416e694b676160ca481553bb44738ebDavid Benjamin { 197203973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 197303973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 197495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 197595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 197603973096f416e694b676160ca481553bb44738ebDavid Benjamin if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, 197703973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_data(&extension), CBS_len(&extension), 197803973096f416e694b676160ca481553bb44738ebDavid Benjamin s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 197903973096f416e694b676160ca481553bb44738ebDavid Benjamin { 198003973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 198103973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 198203973096f416e694b676160ca481553bb44738ebDavid Benjamin } 198303973096f416e694b676160ca481553bb44738ebDavid Benjamin 
198403973096f416e694b676160ca481553bb44738ebDavid Benjamin s->next_proto_negotiated = BUF_memdup(selected, selected_len); 198503973096f416e694b676160ca481553bb44738ebDavid Benjamin if (s->next_proto_negotiated == NULL) 198603973096f416e694b676160ca481553bb44738ebDavid Benjamin { 198703973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 198803973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 198903973096f416e694b676160ca481553bb44738ebDavid Benjamin } 199003973096f416e694b676160ca481553bb44738ebDavid Benjamin s->next_proto_negotiated_len = selected_len; 199103973096f416e694b676160ca481553bb44738ebDavid Benjamin s->s3->next_proto_neg_seen = 1; 199203973096f416e694b676160ca481553bb44738ebDavid Benjamin } 199395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) 199495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 199503973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS protocol_name_list, protocol_name; 199695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 199795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* We must have requested it. */ 199895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->alpn_client_proto_list == NULL) 199995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 200003973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 200195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 200295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 200303973096f416e694b676160ca481553bb44738ebDavid Benjamin 200403973096f416e694b676160ca481553bb44738ebDavid Benjamin /* The extension data consists of a ProtocolNameList 200503973096f416e694b676160ca481553bb44738ebDavid Benjamin * which must have exactly one ProtocolName. Each of 200603973096f416e694b676160ca481553bb44738ebDavid Benjamin * these is length-prefixed. 
*/ 200703973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!CBS_get_u16_length_prefixed(&extension, &protocol_name_list) || 200803973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_len(&extension) != 0 || 200903973096f416e694b676160ca481553bb44738ebDavid Benjamin !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || 201003973096f416e694b676160ca481553bb44738ebDavid Benjamin CBS_len(&protocol_name_list) != 0) 201195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 201203973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 201395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 201495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 201503973096f416e694b676160ca481553bb44738ebDavid Benjamin 201603973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!CBS_stow(&protocol_name, 201703973096f416e694b676160ca481553bb44738ebDavid Benjamin &s->s3->alpn_selected, 201803973096f416e694b676160ca481553bb44738ebDavid Benjamin &s->s3->alpn_selected_len)) 201995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 202003973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_INTERNAL_ERROR; 202195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 202295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 202395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 202495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 20251258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley else if (type == TLSEXT_TYPE_channel_id) 202603973096f416e694b676160ca481553bb44738ebDavid Benjamin { 202703973096f416e694b676160ca481553bb44738ebDavid Benjamin if (CBS_len(&extension) != 0) 202803973096f416e694b676160ca481553bb44738ebDavid Benjamin { 202903973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 203003973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 203103973096f416e694b676160ca481553bb44738ebDavid Benjamin } 
20321258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_valid = 1; 203303973096f416e694b676160ca481553bb44738ebDavid Benjamin } 20341258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley else if (type == TLSEXT_TYPE_channel_id_new) 20351258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley { 203603973096f416e694b676160ca481553bb44738ebDavid Benjamin if (CBS_len(&extension) != 0) 203703973096f416e694b676160ca481553bb44738ebDavid Benjamin { 203803973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 203903973096f416e694b676160ca481553bb44738ebDavid Benjamin return 0; 204003973096f416e694b676160ca481553bb44738ebDavid Benjamin } 20411258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_valid = 1; 20421258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley s->s3->tlsext_channel_id_new = 1; 20431258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley } 20449169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland else if (type == TLSEXT_TYPE_certificate_timestamp) 20459169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland { 20469169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland if (CBS_len(&extension) == 0) 20479169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland { 20489169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland *out_alert = SSL_AD_DECODE_ERROR; 20499169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland return 0; 20509169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland } 20511258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley 20529169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland /* Session resumption uses the original session information. 
*/ 20539169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland if (!s->hit) 20549169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland { 20559169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland if (!CBS_stow(&extension, 20569169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland &s->session->tlsext_signed_cert_timestamp_list, 20579169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland &s->session->tlsext_signed_cert_timestamp_list_length)) 20589169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland { 20599169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland *out_alert = SSL_AD_INTERNAL_ERROR; 20609169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland return 0; 20619169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland } 20629169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland } 20639169c964589694a3dac5fecf6465806fb1f8b22bHÃ¥vard Molland } 206495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_renegotiate) 206595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 206603973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert)) 206795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 206895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley renegotiate_seen = 1; 206995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 207095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else if (type == TLSEXT_TYPE_use_srtp) 207195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 207203973096f416e694b676160ca481553bb44738ebDavid Benjamin if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert)) 207395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 207495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 207595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 207695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 207795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!s->hit && tlsext_servername == 1) 
207895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 207995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->tlsext_hostname) 208095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 208195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->session->tlsext_hostname == NULL) 208295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 208395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 208495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!s->session->tlsext_hostname) 208595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 208603973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_UNRECOGNIZED_NAME; 208795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 208895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 208995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 209095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else 209195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 209203973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_DECODE_ERROR; 209395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 209495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 209595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 209695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 209795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 209895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley ri_check: 209995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 210095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Determine if we need to see RI. Strictly speaking if we want to 210195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * avoid an attack we should *always* see RI even on initial server 210295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * hello because the client doesn't see any renegotiation during an 210395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * attack. 
However this would mean we could not connect to any server 210495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * which doesn't support RI so for the immediate future tolerate RI 210595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * absence on initial connect only. 210695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 210795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!renegotiate_seen 210895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 210995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 211095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 211103973096f416e694b676160ca481553bb44738ebDavid Benjamin *out_alert = SSL_AD_HANDSHAKE_FAILURE; 21129d28c75774cbec7f3cd841e554b06d03fbf838ceDavid Benjamin OPENSSL_PUT_ERROR(SSL, ssl_scan_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 211395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 211495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 211595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 211695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 211795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 211895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 211995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 212095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint ssl_prepare_clienthello_tlsext(SSL *s) 212195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 212295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 212395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 212495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 212595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint ssl_prepare_serverhello_tlsext(SSL *s) 212695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 212795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 212895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 
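/* ssl_check_clienthello_tlsext runs the application's server-name callback
 * once the ClientHello extensions have been parsed.
 *
 * The callback registered on s->ctx is preferred; s->initial_ctx is only
 * consulted when s->ctx has none. Without any callback the result is treated
 * as SSL_TLSEXT_ERR_NOACK.
 *
 * Returns -1 after sending a fatal alert when the callback requests one, and
 * 1 in every other case. */
static int ssl_check_clienthello_tlsext(SSL *s)
	{
	int ret = SSL_TLSEXT_ERR_NOACK;
	int al = SSL_AD_UNRECOGNIZED_NAME;

	/* The handling of the ECPointFormats extension is done elsewhere, namely in
	 * ssl3_choose_cipher in s3_lib.c.
	 */
	/* The handling of the EllipticCurves extension is done elsewhere, namely in
	 * ssl3_choose_cipher in s3_lib.c.
	 */

	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
		{
		ret = s->ctx->tlsext_servername_callback(s, &al,
			s->ctx->tlsext_servername_arg);
		}
	else if (s->initial_ctx != NULL &&
		s->initial_ctx->tlsext_servername_callback != 0)
		{
		ret = s->initial_ctx->tlsext_servername_callback(s, &al,
			s->initial_ctx->tlsext_servername_arg);
		}

	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL)
		{
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
		return -1;
		}

	if (ret == SSL_TLSEXT_ERR_ALERT_WARNING)
		{
		ssl3_send_alert(s, SSL3_AL_WARNING, al);
		}
	else if (ret == SSL_TLSEXT_ERR_NOACK)
		{
		/* The callback did not accept the name, so do not echo the
		 * extension back. */
		s->should_ack_sni = 0;
		}

	return 1;
	}

/* ssl_check_serverhello_tlsext validates the parsed ServerHello extensions on
 * the client side and then runs the server-name callback.
 *
 * Returns -1 when an ECC cipher suite was chosen and the server's EC point
 * format list omits the uncompressed format (an error is queued, no alert is
 * sent here), or after sending a fatal alert requested by the callback.
 * Returns 1 otherwise. */
static int ssl_check_serverhello_tlsext(SSL *s)
	{
	int ret;
	int al = SSL_AD_UNRECOGNIZED_NAME;

	/* If we are client and using an elliptic curve cryptography cipher
	 * suite, then if server returns an EC point formats lists extension
	 * it must contain uncompressed.
	 */
	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
	int ecc_suite = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA);
	int sent_formats = (s->tlsext_ecpointformatlist != NULL) &&
		(s->tlsext_ecpointformatlist_length > 0);
	int got_formats = (s->session->tlsext_ecpointformatlist != NULL) &&
		(s->session->tlsext_ecpointformatlist_length > 0);

	if (sent_formats && got_formats && ecc_suite)
		{
		/* we are using an ECC cipher */
		const unsigned char *list = s->session->tlsext_ecpointformatlist;
		size_t i;
		int found_uncompressed = 0;

		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
			{
			if (list[i] == TLSEXT_ECPOINTFORMAT_uncompressed)
				{
				found_uncompressed = 1;
				break;
				}
			}
		if (!found_uncompressed)
			{
			OPENSSL_PUT_ERROR(SSL, ssl_check_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
			return -1;
			}
		}

	ret = SSL_TLSEXT_ERR_OK;
	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
		{
		ret = s->ctx->tlsext_servername_callback(s, &al,
			s->ctx->tlsext_servername_arg);
		}
	else if (s->initial_ctx != NULL &&
		s->initial_ctx->tlsext_servername_callback != 0)
		{
		ret = s->initial_ctx->tlsext_servername_callback(s, &al,
			s->initial_ctx->tlsext_servername_arg);
		}

	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL)
		{
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
		return -1;
		}
	if (ret == SSL_TLSEXT_ERR_ALERT_WARNING)
		ssl3_send_alert(s, SSL3_AL_WARNING, al);

	return 1;
	}

/* ssl_parse_serverhello_tlsext parses the ServerHello extensions in |cbs| and
 * then validates them.
 *
 * Nothing is parsed when s->version is below SSL3_VERSION. A parse failure
 * sends the alert chosen by ssl_scan_serverhello_tlsext as a fatal alert; a
 * validation failure queues SSL_R_SERVERHELLO_TLSEXT.
 *
 * Returns 1 on success and 0 on failure. */
int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs)
	{
	int alert = -1;

	if (s->version < SSL3_VERSION)
		return 1;

	if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0)
		{
		ssl3_send_alert(s, SSL3_AL_FATAL, alert);
		return 0;
		}

	if (ssl_check_serverhello_tlsext(s) <= 0)
		{
		OPENSSL_PUT_ERROR(SSL, ssl_parse_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
		return 0;
		}

	return 1;
	}

/* Since the server cache lookup is done early on in the processing of the
 * ClientHello, and other operations depend on the result, we need to handle
 * any TLS session ticket extension at the same time.
 *
 *   ctx: contains the early callback context, which is the result of a
 *        shallow parse of the ClientHello.
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    0: no ticket was found (or was ignored, based on settings).
 *    1: a zero length extension was found, indicating that the client supports
 *       session tickets but doesn't currently have one to offer.
 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
 *       couldn't be decrypted because of a non-fatal error.
 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
 *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->tlsext_ticket_expected is set to 0.
 */
int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
			SSL_SESSION **ret)
	{
	const unsigned char *data;
	size_t len;
	int r;

	*ret = NULL;
	s->tlsext_ticket_expected = 0;

	/* If tickets disabled behave as if no ticket present
	 * to permit stateful resumption.
	 */
	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
		return 0;
	if ((s->version <= SSL3_VERSION) && !ctx->extensions)
		return 0;
	if (!SSL_early_callback_ctx_extension_get(
		ctx, TLSEXT_TYPE_session_ticket, &data, &len))
		{
		return 0;
		}

	if (len == 0)
		{
		/* The client will accept a ticket but doesn't
		 * currently have one. */
		s->tlsext_ticket_expected = 1;
		return 1;
		}

	if (s->tls_session_secret_cb)
		{
		/* Indicate that the ticket couldn't be
		 * decrypted rather than generating the session
		 * from ticket now, trigger abbreviated
		 * handshake based on external mechanism to
		 * calculate the master secret later. */
		return 2;
		}

	/* NOTE(review): |len| is a size_t but tls_decrypt_ticket takes an int.
	 * Presumably the extension body is bounded by its 16-bit length
	 * prefix, so the narrowing cannot overflow -- confirm against
	 * SSL_early_callback_ctx_extension_get. */
	r = tls_decrypt_ticket(s, data, len, ctx->session_id,
			       ctx->session_id_len, ret);
	switch (r)
		{
		case 2: /* ticket couldn't be decrypted */
			s->tlsext_ticket_expected = 1;
			return 2;
		case 3: /* ticket was decrypted */
			return r;
		case 4: /* ticket decrypted but need to renew */
			s->tlsext_ticket_expected = 1;
			return 3;
		default: /* fatal error */
			return -1;
		}
	}

/* tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extension.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * The ticket is read as: 16-byte key name, IV, ciphertext, MAC. The MAC is
 * verified over everything before it, in constant time, before any
 * decryption is attempted.
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket (this
 *       includes a failure to set up or run the HMAC or cipher).
 *    2: the ticket couldn't be decrypted (this includes a ticket that is too
 *       short for the IV and MAC lengths in use).
 *    3: a ticket was successfully decrypted and *psess was set.
 *    4: same as 3, but the ticket needs to be renewed.
 */
static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
				const unsigned char *sess_id, int sesslen,
				SSL_SESSION **psess)
	{
	SSL_SESSION *sess;
	unsigned char *sdec;
	const unsigned char *p;
	int slen, mlen, iv_len, renew_ticket = 0;
	int ret = -1;
	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
	HMAC_CTX hctx;
	EVP_CIPHER_CTX ctx;
	SSL_CTX *tctx = s->initial_ctx;

	/* Need at least keyname + iv + some encrypted data */
	if (eticklen < 48)
		return 2;

	/* Initialize session ticket encryption and HMAC contexts. From here on
	 * every exit goes through |done| so that both contexts are released on
	 * all paths, including the early failures. */
	HMAC_CTX_init(&hctx);
	EVP_CIPHER_CTX_init(&ctx);
	if (tctx->tlsext_ticket_key_cb)
		{
		unsigned char *nctick = (unsigned char *)etick;
		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
							&ctx, &hctx, 0);
		if (rv < 0)
			goto done;
		if (rv == 0)
			{
			ret = 2;
			goto done;
			}
		if (rv == 2)
			renew_ticket = 1;
		}
	else
		{
		/* Check key name matches */
		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
			{
			ret = 2;
			goto done;
			}
		if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
					tlsext_tick_md(), NULL) ||
			!EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
					tctx->tlsext_tick_aes_key, etick + 16))
			{
			goto done;
			}
		}

	/* Attempt to process session ticket, first conduct sanity and
	 * integrity checks on ticket.
	 */
	mlen = HMAC_size(&hctx);
	if (mlen < 0)
		goto done;
	iv_len = EVP_CIPHER_CTX_iv_length(&ctx);

	/* The MAC and IV lengths are only known now, and a ticket-key callback
	 * may have selected ones longer than the 48-byte pre-check assumes.
	 * Re-check the peer-supplied length against them so the subtractions
	 * below can never make eticklen zero or negative, which would let the
	 * HMAC and the MAC comparison read outside the extension. */
	if (eticklen <= 16 + iv_len + mlen)
		{
		ret = 2;
		goto done;
		}
	eticklen -= mlen;

	/* Check HMAC of encrypted ticket */
	if (!HMAC_Update(&hctx, etick, eticklen) ||
		!HMAC_Final(&hctx, tick_hmac, NULL))
		{
		goto done;
		}
	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
		{
		ret = 2;
		goto done;
		}

	/* Attempt to decrypt session data */
	/* Move p after IV to start of encrypted ticket, update length */
	p = etick + 16 + iv_len;
	eticklen -= 16 + iv_len;
	sdec = OPENSSL_malloc(eticklen);
	if (!sdec)
		goto done;

	/* A failed update is treated like a failed final block: the ticket is
	 * unusable but the handshake can continue with a fresh one. */
	if (EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0 ||
		EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
		{
		OPENSSL_free(sdec);
		ret = 2;
		goto done;
		}
	slen += mlen;
	p = sdec;

	sess = d2i_SSL_SESSION(NULL, &p, slen);
	OPENSSL_free(sdec);
	if (sess == NULL)
		{
		ERR_clear_error();
		/* For session parse failure, indicate that we need to send a new
		 * ticket. */
		ret = 2;
		goto done;
		}

	/* The session ID, if non-empty, is used by some clients to
	 * detect that the ticket has been accepted. So we copy it to
	 * the session structure. If it is empty set length to zero
	 * as required by standard.
	 */
	/* NOTE(review): sesslen is not bounded against the size of
	 * sess->session_id here; presumably the ClientHello parser already
	 * limits the session ID length -- confirm at the caller. */
	if (sesslen)
		memcpy(sess->session_id, sess_id, sesslen);
	sess->session_id_length = sesslen;
	*psess = sess;
	ret = renew_ticket ? 4 : 3;

done:
	HMAC_CTX_cleanup(&hctx);
	EVP_CIPHER_CTX_cleanup(&ctx);
	return ret;
	}

/* Tables to translate from NIDs to TLS v1.2 ids */

typedef struct
	{
	int nid;
	int id;
	} tls12_lookup;

static const tls12_lookup tls12_md[] = {
	{NID_md5, TLSEXT_hash_md5},
	{NID_sha1, TLSEXT_hash_sha1},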
245495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {NID_sha224, TLSEXT_hash_sha224}, 245595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {NID_sha256, TLSEXT_hash_sha256}, 245695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {NID_sha384, TLSEXT_hash_sha384}, 245795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {NID_sha512, TLSEXT_hash_sha512} 245895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley}; 245995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 2460cff6472442de2e65f95fa04893b12b1412118f60David Benjaminstatic const tls12_lookup tls12_sig[] = { 246195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 246295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 246395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley}; 246495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 2465cff6472442de2e65f95fa04893b12b1412118f60David Benjaminstatic int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) 246695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 246795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t i; 246895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (i = 0; i < tlen; i++) 246995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 247095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (table[i].nid == nid) 247195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return table[i].id; 247295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 247395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return -1; 247495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 247595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 2476cff6472442de2e65f95fa04893b12b1412118f60David Benjaminstatic int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen) 247795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 247895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t i; 247995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (i = 0; i < 
tlen; i++) 248095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 248195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if ((table[i].id) == id) 248295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return table[i].nid; 248395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 248495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return NID_undef; 248595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 248695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 248795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 248895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 248995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int sig_id, md_id; 249095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!md) 249195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 249295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 249395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sizeof(tls12_md)/sizeof(tls12_lookup)); 249495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (md_id == -1) 249595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 249695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sig_id = tls12_get_sigid(pk); 249795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (sig_id == -1) 249895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 249995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley p[0] = (unsigned char)md_id; 250095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley p[1] = (unsigned char)sig_id; 250195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 250295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 250395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 250495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint tls12_get_sigid(const EVP_PKEY *pk) 250595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 250695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 
return tls12_find_id(pk->type, tls12_sig, 250795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sizeof(tls12_sig)/sizeof(tls12_lookup)); 250895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 250995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 251095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyconst EVP_MD *tls12_get_hash(unsigned char hash_alg) 251195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 251295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley switch(hash_alg) 251395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 251495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_md5: 251595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_md5(); 251695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_sha1: 251795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_sha1(); 251895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_sha224: 251995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_sha224(); 252095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 252195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_sha256: 252295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_sha256(); 252395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_sha384: 252495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_sha384(); 252595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 252695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_hash_sha512: 252795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return EVP_sha512(); 252895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley default: 252995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return NULL; 253095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 253195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 253295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 253395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 
253495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleystatic int tls12_get_pkey_idx(unsigned char sig_alg) 253595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 253695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley switch(sig_alg) 253795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 253895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_signature_rsa: 253995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return SSL_PKEY_RSA_SIGN; 254095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley case TLSEXT_signature_ecdsa: 254195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return SSL_PKEY_ECC; 254295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 254395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return -1; 254495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 254595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 254695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* Convert TLS 1.2 signature algorithm extension values into NIDs */ 254795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleystatic void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, 254895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int *psignhash_nid, const unsigned char *data) 254995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 255095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int sign_nid = 0, hash_nid = 0; 255195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!phash_nid && !psign_nid && !psignhash_nid) 255295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return; 255395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (phash_nid || psignhash_nid) 255495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 255595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley hash_nid = tls12_find_nid(data[0], tls12_md, 255695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sizeof(tls12_md)/sizeof(tls12_lookup)); 255795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (phash_nid) 255895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 
*phash_nid = hash_nid; 255995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 256095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (psign_nid || psignhash_nid) 256195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 256295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sign_nid = tls12_find_nid(data[1], tls12_sig, 256395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sizeof(tls12_sig)/sizeof(tls12_lookup)); 256495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (psign_nid) 256595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *psign_nid = sign_nid; 256695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 256795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (psignhash_nid) 256895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 256995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (sign_nid && hash_nid) 257095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley OBJ_find_sigid_by_algs(psignhash_nid, 257195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley hash_nid, sign_nid); 257295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else 257395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *psignhash_nid = NID_undef; 257495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 257595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 257695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* Given preference and allowed sigalgs set shared sigalgs */ 257795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleystatic int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, 257895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *pref, size_t preflen, 257995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *allow, size_t allowlen) 258095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 258195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *ptmp, *atmp; 258295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t i, j, nmatch = 0; 258395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (i 
= 0, ptmp = pref; i < preflen; i+=2, ptmp+=2) 258495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 258595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Skip disabled hashes or signature algorithms */ 258695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (tls12_get_hash(ptmp[0]) == NULL) 258795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley continue; 258895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (tls12_get_pkey_idx(ptmp[1]) == -1) 258995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley continue; 259095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2) 259195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 259295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) 259395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 259495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley nmatch++; 259595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (shsig) 259695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 259795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley shsig->rhash = ptmp[0]; 259895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley shsig->rsign = ptmp[1]; 259995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley tls1_lookup_sigalg(&shsig->hash_nid, 260095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley &shsig->sign_nid, 260195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley &shsig->signandhash_nid, 260295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley ptmp); 260395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley shsig++; 260495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 260595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley break; 260695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 260795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 260895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 260995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return nmatch; 
261095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 261195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 261295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* Set shared signature algorithms for SSL structures */ 261395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleystatic int tls1_set_shared_sigalgs(SSL *s) 261495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 261595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *pref, *allow, *conf; 261695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t preflen, allowlen, conflen; 261795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t nmatch; 261895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley TLS_SIGALGS *salgs = NULL; 261995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley CERT *c = s->cert; 2620db4f9521b536d0f8d208610465fe9e1388e01bebAdam Langley if (c->shared_sigalgs) 2621db4f9521b536d0f8d208610465fe9e1388e01bebAdam Langley { 2622db4f9521b536d0f8d208610465fe9e1388e01bebAdam Langley OPENSSL_free(c->shared_sigalgs); 2623db4f9521b536d0f8d208610465fe9e1388e01bebAdam Langley c->shared_sigalgs = NULL; 2624db4f9521b536d0f8d208610465fe9e1388e01bebAdam Langley } 262595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* If client use client signature algorithms if not NULL */ 2626335d10d201a22598c2b2c379148c9a095b8ab175David Benjamin if (!s->server && c->client_sigalgs) 262795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 262895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley conf = c->client_sigalgs; 262995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley conflen = c->client_sigalgslen; 263095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 2631335d10d201a22598c2b2c379148c9a095b8ab175David Benjamin else if (c->conf_sigalgs) 263295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 263395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley conf = c->conf_sigalgs; 263495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley conflen = c->conf_sigalgslen; 
263595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 263695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else 263795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley conflen = tls12_get_psigalgs(s, &conf); 2638335d10d201a22598c2b2c379148c9a095b8ab175David Benjamin if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 263995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 264095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley pref = conf; 264195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley preflen = conflen; 264295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley allow = c->peer_sigalgs; 264395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley allowlen = c->peer_sigalgslen; 264495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 264595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else 264695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 264795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley allow = conf; 264895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley allowlen = conflen; 264995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley pref = c->peer_sigalgs; 265095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley preflen = c->peer_sigalgslen; 265195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 265295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); 265395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!nmatch) 265495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 265595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); 265695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!salgs) 265795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 265895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); 265995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->shared_sigalgs = salgs; 
266095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->shared_sigalgslen = nmatch; 266195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 266295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 266395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 266495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 266595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley/* Set preferred digest for each key type */ 266695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 2667cd9969434c2b2c347f1fb12623ee240ae01ac942David Benjaminint tls1_process_sigalgs(SSL *s, const CBS *sigalgs) 266895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 266995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int idx; 267095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley size_t i; 267195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const EVP_MD *md; 267295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley CERT *c = s->cert; 267395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley TLS_SIGALGS *sigptr; 2674cd9969434c2b2c347f1fb12623ee240ae01ac942David Benjamin 267595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Extension ignored for inappropriate versions */ 267695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!SSL_USE_SIGALGS(s)) 267795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 267831955f91dcdb1a30bc7fd560ee9054321fc514e9Alex Chernyakhovsky /* Length must be even */ 2679cd9969434c2b2c347f1fb12623ee240ae01ac942David Benjamin if (CBS_len(sigalgs) % 2 != 0) 268031955f91dcdb1a30bc7fd560ee9054321fc514e9Alex Chernyakhovsky return 0; 268195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Should never happen */ 268295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!c) 268395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 268495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 2685cd9969434c2b2c347f1fb12623ee240ae01ac942David Benjamin if (!CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen)) 
268695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 268795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 268895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley tls1_set_shared_sigalgs(s); 268995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 269095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL 269195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) 269295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 269395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Use first set signature preference to force message 269495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * digest, ignoring any peer preferences. 269595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 269695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *sigs = NULL; 269795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (s->server) 269895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sigs = c->conf_sigalgs; 269995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley else 270095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley sigs = c->client_sigalgs; 270195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (sigs) 270295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 270395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley idx = tls12_get_pkey_idx(sigs[1]); 270495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley md = tls12_get_hash(sigs[0]); 270595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[idx].digest = md; 270695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 270795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (idx == SSL_PKEY_RSA_SIGN) 270895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 270995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 271095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 
c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 271195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 271295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 271395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 271495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley#endif 271595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 271695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley for (i = 0, sigptr = c->shared_sigalgs; 271795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley i < c->shared_sigalgslen; i++, sigptr++) 271895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 271995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley idx = tls12_get_pkey_idx(sigptr->rsign); 272095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (idx > 0 && c->pkeys[idx].digest == NULL) 272195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 272295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley md = tls12_get_hash(sigptr->rhash); 272395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[idx].digest = md; 272495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 272595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (idx == SSL_PKEY_RSA_SIGN) 272695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 272795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 272895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 272995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 273095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 273195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 273295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 273395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* In strict mode leave unset digests as NULL to indicate we can't 273495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * use the certificate for signing. 
273595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 273695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) 273795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 273895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley /* Set any remaining keys to default values. NOTE: if alg is 273995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley * not supported it stays as NULL. 274095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley */ 274195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 274295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 274395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 274495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 274595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 274695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!c->pkeys[SSL_PKEY_ECC].digest) 274795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 274895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 274995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 1; 275095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 275195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 275295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 275395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint SSL_get_sigalgs(SSL *s, int idx, 275495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int *psign, int *phash, int *psignhash, 275595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley unsigned char *rsig, unsigned char *rhash) 275695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 275795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley const unsigned char *psig = s->cert->peer_sigalgs; 275895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (psig == NULL) 275995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 
0; 276095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (idx >= 0) 276195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 276295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley idx <<= 1; 276395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (idx >= (int)s->cert->peer_sigalgslen) 276495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 276595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley psig += idx; 276695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (rhash) 276795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *rhash = psig[0]; 276895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (rsig) 276995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *rsig = psig[1]; 277095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley tls1_lookup_sigalg(phash, psign, psignhash, psig); 277195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 277295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return s->cert->peer_sigalgslen / 2; 277395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 277495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 277595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langleyint SSL_get_shared_sigalgs(SSL *s, int idx, 277695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley int *psign, int *phash, int *psignhash, 277795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley unsigned char *rsig, unsigned char *rhash) 277895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley { 277995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; 278095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) 278195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return 0; 278295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley shsigalgs += idx; 278395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (phash) 278495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *phash = shsigalgs->hash_nid; 278595c29f3cd1f6c08c6c0927868683392eea727ccAdam 
Langley if (psign) 278695c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *psign = shsigalgs->sign_nid; 278795c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (psignhash) 278895c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *psignhash = shsigalgs->signandhash_nid; 278995c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (rsig) 279095c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *rsig = shsigalgs->rsign; 279195c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley if (rhash) 279295c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley *rhash = shsigalgs->rhash; 279395c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley return s->cert->shared_sigalgslen; 279495c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley } 279595c29f3cd1f6c08c6c0927868683392eea727ccAdam Langley 27961258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given 27971258b6a756674d63f172602d8041ccc0dffd03d1Adam Langley * SSL connection and writes it to |md|. 
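 */
/* Returns 1 on success and 0 on failure. On failure |md| may already have
 * absorbed part of the input, so the caller must not sign or compare a
 * digest produced from it.
 */
int
tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
	{
	EVP_MD_CTX ctx;
	unsigned char temp_digest[EVP_MAX_MD_SIZE];
	unsigned temp_digest_len;
	int i;
	int ok = 0;
	static const char kClientIDMagic[] = "TLS Channel ID signature";

	/* Fold any still-buffered handshake records into the running
	 * handshake digests before they are read below. */
	if (s->s3->handshake_buffer)
		if (!ssl3_digest_cached_records(s))
			return 0;

	/* sizeof (not strlen): the terminating NUL of the label is part of
	 * the hashed data. */
	if (!EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)))
		return 0;

	if (s->hit && s->s3->tlsext_channel_id_new)
		{
		static const char kResumptionMagic[] = "Resumption";
		if (!EVP_DigestUpdate(md, kResumptionMagic,
				      sizeof(kResumptionMagic)))
			return 0;
		/* A resumed session with no recorded original handshake hash
		 * cannot be bound to its full handshake: refuse rather than
		 * sign data that omits it. */
		if (s->session->original_handshake_hash_len == 0)
			return 0;
		if (!EVP_DigestUpdate(md, s->session->original_handshake_hash,
				      s->session->original_handshake_hash_len))
			return 0;
		}

	EVP_MD_CTX_init(&ctx);
	for (i = 0; i < SSL_MAX_DIGEST; i++)
		{
		if (s->s3->handshake_dgst[i] == NULL)
			continue;
		/* Finalise a copy so that s->s3->handshake_dgst[i] itself is
		 * not finalised here. A failure in any step must abort:
		 * otherwise |temp_digest| and |temp_digest_len| would be
		 * used without having been written. */
		if (!EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]) ||
		    !EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len) ||
		    !EVP_DigestUpdate(md, temp_digest, temp_digest_len))
			goto out;
		}
	ok = 1;

	out:
	EVP_MD_CTX_cleanup(&ctx);

	return ok;
	}

/* tls1_record_handshake_hashes_for_channel_id records the current handshake
 * hashes in |s->session| so that Channel ID resumptions can sign that data.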
 */
/* Returns 1 once the hash has been stored in |s->session| and -1 if the call
 * is not applicable or the digest could not be computed.
 */
int tls1_record_handshake_hashes_for_channel_id(SSL *s)
	{
	int hash_len;

	/* Two preconditions, checked in this order:
	 *  - the session must not be a resumption, because the hashes to
	 *    record are those of the original, full handshake;
	 *  - Channel IDs must have been negotiated, otherwise there is
	 *    nothing to record them for. */
	if (s->hit || !s->s3->tlsext_channel_id_new)
		return -1;

	/* The destination is the fixed-size array inside the session; its
	 * full size is passed as the output limit. */
	hash_len = tls1_handshake_digest(
		s,
		s->session->original_handshake_hash,
		sizeof(s->session->original_handshake_hash));
	if (hash_len < 0)
		return -1;

	s->session->original_handshake_hash_len = hash_len;
	return 1;
	}

/* tls1_set_sigalgs converts |salglen| NIDs in |psig_nids|, read as
 * consecutive (digest NID, signature NID) pairs, into the one-byte ids found
 * in |tls12_md| and |tls12_sig|, and installs the result on |c| as either the
 * client list (|client| non-zero) or the configured list. An odd |salglen|,
 * an allocation failure or any NID missing from the tables returns 0 and
 * leaves |c| unchanged; success returns 1 and frees the list it replaces.
 */
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
	{
	unsigned char *encoded;
	size_t pos;

	/* NIDs come in pairs, so an odd count is malformed. */
	if (salglen & 1)
		return 0;

	/* One output byte per input NID. */
	encoded = OPENSSL_malloc(salglen);
	if (encoded == NULL)
		return 0;

	for (pos = 0; pos < salglen; pos += 2)
		{
		int hash_id = tls12_find_id(psig_nids[pos], tls12_md,
					sizeof(tls12_md)/sizeof(tls12_lookup));
		int sign_id = tls12_find_id(psig_nids[pos + 1], tls12_sig,
					sizeof(tls12_sig)/sizeof(tls12_lookup));

		/* -1 marks a NID that has no entry in the table. */
		if (hash_id == -1 || sign_id == -1)
			{
			OPENSSL_free(encoded);
			return 0;
			}
		encoded[pos] = hash_id;
		encoded[pos + 1] = sign_id;
		}

	/* Ownership of |encoded| passes to |c| from here on. */
	if (!client)
		{
		if (c->conf_sigalgs)
			OPENSSL_free(c->conf_sigalgs);
		c->conf_sigalgs = encoded;
		c->conf_sigalgslen = salglen;
		}
	else
		{
		if (c->client_sigalgs)
			OPENSSL_free(c->client_sigalgs);
		c->client_sigalgs = encoded;
		c->client_sigalgslen = salglen;
		}

	return 1;
	}

/* tls1_check_sig_alg reports whether the signature algorithm of |x| is
 * acceptable. |default_nid| selects the rule: -1 accepts any certificate, a
 * non-zero value must equal the certificate's signature NID, and 0 requires
 * the NID to appear among |c->shared_sigalgs|. Returns 1 or 0.
 */
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
	{
	size_t idx;
	int cert_nid;

	if (default_nid == -1)
		return 1;

	cert_nid = X509_get_signature_nid(x);
	if (default_nid != 0)
		return cert_nid == default_nid;

	for (idx = 0; idx < c->shared_sigalgslen; idx++)
		{
		if (c->shared_sigalgs[idx].signandhash_nid == cert_nid)
			return 1;
		}
	return 0;
	}
/* Check to see if a certificate issuer name matches list of CA names.
 * Returns 1 if the issuer of |x| compares equal to any entry of |names|,
 * otherwise 0.
 */
static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
	{
	X509_NAME *issuer = X509_get_issuer_name(x);
	int pos = 0;

	while (pos < sk_X509_NAME_num(names))
		{
		/* X509_NAME_cmp returns 0 for equal names. */
		if (X509_NAME_cmp(issuer, sk_X509_NAME_value(names, pos)) == 0)
			return 1;
		pos++;
		}
	return 0;
	}

/* Check certificate chain is consistent with TLS extensions and is
 * usable by server.
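This serves two purposes: it allows users to
 * check chains before passing them to the server and it allows the
 * server to check chains before attempting to use them.
 */

/* Flags which need to be set for a certificate when strict mode not set */

#define CERT_PKEY_VALID_FLAGS \
	(CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
/* Strict mode flags */
#define CERT_PKEY_STRICT_FLAGS \
	 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
	 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)

/* tls1_check_chain returns a mask of CERT_PKEY_* flags describing which
 * checks the chain passed.
 *
 * |idx| selects what is checked:
 *   -1  the caller-supplied |x|, |pk| and |chain|; nothing is written back
 *       to |s->cert| and every check is evaluated so that the caller sees
 *       the individual flags (|check_flags| is non-zero in this mode);
 *   -2  the slot |s->cert->key| points at;
 *   otherwise the slot |s->cert->pkeys[idx]|.
 * For the slot modes |x|, |pk| and |chain| are taken from the slot, the
 * first failed check aborts, and the slot's |valid_flags| is updated; an
 * invalid chain returns 0.
 */
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
									int idx)
	{
	int i;
	int rv = 0;
	int check_flags = 0, strict_mode;
	CERT_PKEY *cpk = NULL;
	CERT *c = s->cert;
	/* idx == -1 means checking server chains */
	if (idx != -1)
		{
		/* idx == -2 means checking client certificate chains */
		if (idx == -2)
			{
			/* NOTE(review): |c->key| is dereferenced without a
			 * NULL check - confirm callers guarantee it is set. */
			cpk = c->key;
			idx = cpk - c->pkeys;
			}
		else
			cpk = c->pkeys + idx;
		x = cpk->x509;
		pk = cpk->privatekey;
		chain = cpk->chain;
		strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
		/* If no cert or key, forget it */
		if (!x || !pk)
			goto end;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
		/* Allow any certificate to pass test. This marks the slot
		 * fully valid without running a single check below, so the
		 * define is for protocol debugging only and must not be set
		 * in a production build. */
		if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
			{
			rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
			cpk->valid_flags = rv;
			return rv;
			}
#endif
		}
	else
		{
		/* |cpk| is still NULL on these two paths, and the code at
		 * |end| dereferences it, so return directly instead of
		 * jumping there. 0 is also what the invalid-chain path at
		 * |end| returns. */
		if (!x || !pk)
			return 0;
		idx = ssl_cert_type(x, pk);
		if (idx == -1)
			return 0;
		cpk = c->pkeys + idx;
		if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
			check_flags = CERT_PKEY_STRICT_FLAGS;
		else
			check_flags = CERT_PKEY_VALID_FLAGS;
		strict_mode = 1;
		}

	/* Check all signature algorithms are consistent with
	 * signature algorithms extension if TLS 1.2 or later
	 * and strict mode.
	 */
	if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
		{
		int default_nid;
		unsigned char rsign = 0;
		/* default_nid == 0 tells tls1_check_sig_alg to match against
		 * the shared signature algorithms instead of a fixed NID. */
		if (c->peer_sigalgs)
			default_nid = 0;
		/* If no sigalgs extension use defaults from RFC5246 */
		else
			{
			switch(idx)
				{
			case SSL_PKEY_RSA_ENC:
			case SSL_PKEY_RSA_SIGN:
				rsign = TLSEXT_signature_rsa;
				default_nid = NID_sha1WithRSAEncryption;
				break;

			case SSL_PKEY_ECC:
				rsign = TLSEXT_signature_ecdsa;
				default_nid = NID_ecdsa_with_SHA1;
				break;

			default:
				/* -1 makes tls1_check_sig_alg accept any
				 * signature algorithm. */
				default_nid = -1;
				break;
				}
			}
		/* If peer sent no signature algorithms extension and we
		 * have set preferred signature algorithms check we support
		 * sha1.
		 */
		if (default_nid > 0 && c->conf_sigalgs)
			{
			size_t j;
			const unsigned char *p = c->conf_sigalgs;
			/* |conf_sigalgs| is a list of (hash, signature) byte
			 * pairs. */
			for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
				{
				if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
					break;
				}
			if (j == c->conf_sigalgslen)
				{
				if (check_flags)
					goto skip_sigs;
				else
					goto end;
				}
			}
		/* Check signature algorithm of each cert in chain */
		if (!tls1_check_sig_alg(c, x, default_nid))
			{
			if (!check_flags) goto end;
			}
		else
			rv |= CERT_PKEY_EE_SIGNATURE;
		/* Assume the CA signatures are fine; the loop clears the flag
		 * again on the first mismatch. */
		rv |= CERT_PKEY_CA_SIGNATURE;
		for (i = 0; i < sk_X509_num(chain); i++)
			{
			if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
							default_nid))
				{
				if (check_flags)
					{
					rv &= ~CERT_PKEY_CA_SIGNATURE;
					break;
					}
				else
					goto end;
				}
			}
		}
	/* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
	else if(check_flags)
		rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
	skip_sigs:
	/* Check cert parameters are consistent */
	if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
		rv |= CERT_PKEY_EE_PARAM;
	else if (!check_flags)
		goto end;
	if (!s->server)
		rv |= CERT_PKEY_CA_PARAM;
	/* In strict mode check rest of chain too */
	else if (strict_mode)
		{
		rv |= CERT_PKEY_CA_PARAM;
		for (i = 0; i < sk_X509_num(chain); i++)
			{
			X509 *ca = sk_X509_value(chain, i);
			if (!tls1_check_cert_param(s, ca, 0))
				{
				if (check_flags)
					{
					rv &= ~CERT_PKEY_CA_PARAM;
					break;
					}
				else
					goto end;
				}
			}
		}
	/* Client side, strict mode: the key type must be one of the
	 * certificate types, and the chain must lead to one of the CA names,
	 * held in |s->s3->tmp|. */
	if (!s->server && strict_mode)
		{
		STACK_OF(X509_NAME) *ca_dn;
		uint8_t check_type = 0;
		switch (pk->type)
			{
		case EVP_PKEY_RSA:
			check_type = TLS_CT_RSA_SIGN;
			break;
		case EVP_PKEY_EC:
			check_type = TLS_CT_ECDSA_SIGN;
			break;
			}
		if (check_type)
			{
			if (s->s3->tmp.certificate_types &&
				memchr(s->s3->tmp.certificate_types, check_type, s->s3->tmp.num_certificate_types))
				{
				rv |= CERT_PKEY_CERT_TYPE;
				}
			if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
				goto end;
			}
		else
			/* Key types other than RSA and EC are not matched
			 * against the list and pass this check. */
			rv |= CERT_PKEY_CERT_TYPE;


		ca_dn = s->s3->tmp.ca_names;

		/* An empty CA name list places no restriction on the issuer. */
		if (!sk_X509_NAME_num(ca_dn))
			rv |= CERT_PKEY_ISSUER_NAME;

		if (!(rv & CERT_PKEY_ISSUER_NAME))
			{
			if (ssl_check_ca_name(ca_dn, x))
				rv |= CERT_PKEY_ISSUER_NAME;
			}
		if (!(rv & CERT_PKEY_ISSUER_NAME))
			{
			for (i = 0; i < sk_X509_num(chain); i++)
				{
				X509 *xtmp = sk_X509_value(chain, i);
				if (ssl_check_ca_name(ca_dn, xtmp))
					{
					rv |= CERT_PKEY_ISSUER_NAME;
					break;
					}
				}
			}
		if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
			goto end;
		}
	else
		rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;

	if (!check_flags || (rv & check_flags) == check_flags)
		rv |= CERT_PKEY_VALID;

	end:

	/* |cpk| is non-NULL on every path that reaches this label. */
	if (TLS1_get_version(s) >= TLS1_2_VERSION)
		{
		if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
			rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
		else if (cpk->digest)
			rv |= CERT_PKEY_SIGN;
		}
	else
		rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;

	/* When checking a CERT_PKEY structure all flags are irrelevant
	 * if the chain is invalid.
	 */
	if (!check_flags)
		{
		if (rv & CERT_PKEY_VALID)
			cpk->valid_flags = rv;
		else
			{
			/* Preserve explicit sign flag, clear rest */
			cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
			return 0;
			}
		}
	return rv;
	}

/* Set validity of certificates in an SSL structure: re-evaluates the RSA
 * encryption, RSA signing and ECC slots of |s->cert|. The results are kept in
 * each slot's |valid_flags|; the return values are not used.
 */
void tls1_set_cert_validity(SSL *s)
	{
	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
	tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
	}
/* User level utility function to check a chain is suitable. Returns the
 * CERT_PKEY_* flag mask computed by tls1_check_chain for the supplied
 * certificate, key and chain, or 0 if |x| or |pk| is NULL or the pair has no
 * recognised certificate type.
 */
int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
	{
	return tls1_check_chain(s, x, pk, chain, -1);
	}
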