1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <openssl/objects.h> 13 #include <openssl/evp.h> 14 #include <openssl/hmac.h> 15 #include <openssl/ocsp.h> 16 #include <openssl/conf.h> 17 #include <openssl/x509v3.h> 18 #include <openssl/dh.h> 19 #include <openssl/bn.h> 20 #include "ssl_locl.h" 21 #include <openssl/ct.h> 22 23 24 #define CHECKLEN(curr, val, limit) \ 25 (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val)) 26 27 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 28 const unsigned char *sess_id, int sesslen, 29 SSL_SESSION **psess); 30 static int ssl_check_clienthello_tlsext_early(SSL *s); 31 static int ssl_check_serverhello_tlsext(SSL *s); 32 33 SSL3_ENC_METHOD const TLSv1_enc_data = { 34 tls1_enc, 35 tls1_mac, 36 tls1_setup_key_block, 37 tls1_generate_master_secret, 38 tls1_change_cipher_state, 39 tls1_final_finish_mac, 40 TLS1_FINISH_MAC_LENGTH, 41 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 42 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 43 tls1_alert_code, 44 tls1_export_keying_material, 45 0, 46 SSL3_HM_HEADER_LENGTH, 47 ssl3_set_handshake_header, 48 ssl3_handshake_write 49 }; 50 51 SSL3_ENC_METHOD const TLSv1_1_enc_data = { 52 tls1_enc, 53 tls1_mac, 54 tls1_setup_key_block, 55 tls1_generate_master_secret, 56 tls1_change_cipher_state, 57 tls1_final_finish_mac, 58 TLS1_FINISH_MAC_LENGTH, 59 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 60 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 61 tls1_alert_code, 62 tls1_export_keying_material, 63 SSL_ENC_FLAG_EXPLICIT_IV, 64 SSL3_HM_HEADER_LENGTH, 65 ssl3_set_handshake_header, 66 ssl3_handshake_write 67 }; 68 69 SSL3_ENC_METHOD const TLSv1_2_enc_data = { 70 tls1_enc, 71 tls1_mac, 72 tls1_setup_key_block, 73 tls1_generate_master_secret, 74 tls1_change_cipher_state, 75 tls1_final_finish_mac, 76 TLS1_FINISH_MAC_LENGTH, 77 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 78 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 79 tls1_alert_code, 80 tls1_export_keying_material, 81 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 82 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 83 SSL3_HM_HEADER_LENGTH, 84 ssl3_set_handshake_header, 85 ssl3_handshake_write 86 }; 87 88 long tls1_default_timeout(void) 89 { 90 /* 91 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 92 * http, the cache would over fill 93 */ 94 return (60 * 60 * 2); 95 } 96 97 int tls1_new(SSL *s) 98 { 99 if (!ssl3_new(s)) 100 return (0); 101 s->method->ssl_clear(s); 102 return (1); 103 } 104 105 void tls1_free(SSL *s) 106 { 107 OPENSSL_free(s->tlsext_session_ticket); 108 ssl3_free(s); 109 } 110 111 void tls1_clear(SSL *s) 112 { 113 ssl3_clear(s); 114 if (s->method->version == TLS_ANY_VERSION) 115 s->version = TLS_MAX_VERSION; 116 else 117 s->version = s->method->version; 118 } 119 120 #ifndef OPENSSL_NO_EC 121 122 typedef struct { 123 int nid; /* Curve NID */ 124 int secbits; /* Bits of security (from SP800-57) */ 125 unsigned int flags; /* Flags: currently just field type */ 126 } tls_curve_info; 127 128 /* 129 * Table of curve information. 130 * Do not delete entries or reorder this array! It is used as a lookup 131 * table: the index of each entry is one less than the TLS curve id. 132 */ 133 static const tls_curve_info nid_list[] = { 134 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ 135 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ 136 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */ 137 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */ 138 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */ 139 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */ 140 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */ 141 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */ 142 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */ 143 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */ 144 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */ 145 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */ 146 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */ 147 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */ 148 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */ 149 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */ 150 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */ 151 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ 152 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ 153 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ 154 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ 155 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ 156 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ 157 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ 158 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ 159 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 160 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 161 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ 162 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ 163 }; 164 165 static const unsigned char ecformats_default[] = { 166 TLSEXT_ECPOINTFORMAT_uncompressed, 167 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 168 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 169 }; 170 171 /* The default curves */ 172 static const unsigned char eccurves_default[] = { 173 0, 29, /* X25519 (29) */ 174 0, 23, /* secp256r1 (23) */ 175 0, 25, /* secp521r1 (25) */ 176 0, 24, /* secp384r1 (24) */ 177 }; 178 179 static const unsigned char suiteb_curves[] = { 180 0, TLSEXT_curve_P_256, 181 0, TLSEXT_curve_P_384 182 }; 183 184 int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags) 185 { 186 const tls_curve_info *cinfo; 187 /* ECC curves from RFC 4492 and RFC 7027 */ 188 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list))) 189 return 0; 190 cinfo = nid_list + curve_id - 1; 191 if (pflags) 192 *pflags = cinfo->flags; 193 return cinfo->nid; 194 } 195 196 int tls1_ec_nid2curve_id(int nid) 197 { 198 size_t i; 199 for (i = 0; i < OSSL_NELEM(nid_list); i++) { 200 if (nid_list[i].nid == nid) 201 return i + 1; 202 } 203 return 0; 204 } 205 206 /* 207 * Get curves list, if "sess" is set return client curves otherwise 208 * preferred list. 209 * Sets |num_curves| to the number of curves in the list, i.e., 210 * the length of |pcurves| is 2 * num_curves. 211 * Returns 1 on success and 0 if the client curves list has invalid format. 212 * The latter indicates an internal error: we should not be accepting such 213 * lists in the first place. 214 * TODO(emilia): we should really be storing the curves list in explicitly 215 * parsed form instead. (However, this would affect binary compatibility 216 * so cannot happen in the 1.0.x series.) 217 */ 218 static int tls1_get_curvelist(SSL *s, int sess, 219 const unsigned char **pcurves, size_t *num_curves) 220 { 221 size_t pcurveslen = 0; 222 223 if (sess) { 224 *pcurves = s->session->tlsext_ellipticcurvelist; 225 pcurveslen = s->session->tlsext_ellipticcurvelist_length; 226 } else { 227 /* For Suite B mode only include P-256, P-384 */ 228 switch (tls1_suiteb(s)) { 229 case SSL_CERT_FLAG_SUITEB_128_LOS: 230 *pcurves = suiteb_curves; 231 pcurveslen = sizeof(suiteb_curves); 232 break; 233 234 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 235 *pcurves = suiteb_curves; 236 pcurveslen = 2; 237 break; 238 239 case SSL_CERT_FLAG_SUITEB_192_LOS: 240 *pcurves = suiteb_curves + 2; 241 pcurveslen = 2; 242 break; 243 default: 244 *pcurves = s->tlsext_ellipticcurvelist; 245 pcurveslen = s->tlsext_ellipticcurvelist_length; 246 } 247 if (!*pcurves) { 248 *pcurves = eccurves_default; 249 pcurveslen = sizeof(eccurves_default); 250 } 251 } 252 253 /* We do not allow odd length arrays to enter the system. */ 254 if (pcurveslen & 1) { 255 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR); 256 *num_curves = 0; 257 return 0; 258 } 259 *num_curves = pcurveslen / 2; 260 return 1; 261 } 262 263 /* See if curve is allowed by security callback */ 264 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) 265 { 266 const tls_curve_info *cinfo; 267 if (curve[0]) 268 return 1; 269 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list))) 270 return 0; 271 cinfo = &nid_list[curve[1] - 1]; 272 # ifdef OPENSSL_NO_EC2M 273 if (cinfo->flags & TLS_CURVE_CHAR2) 274 return 0; 275 # endif 276 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve); 277 } 278 279 /* Check a curve is one of our preferences */ 280 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 281 { 282 const unsigned char *curves; 283 size_t num_curves, i; 284 unsigned int suiteb_flags = tls1_suiteb(s); 285 if (len != 3 || p[0] != NAMED_CURVE_TYPE) 286 return 0; 287 /* Check curve matches Suite B preferences */ 288 if (suiteb_flags) { 289 unsigned long cid = s->s3->tmp.new_cipher->id; 290 if (p[1]) 291 return 0; 292 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 293 if (p[2] != TLSEXT_curve_P_256) 294 return 0; 295 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 296 if (p[2] != TLSEXT_curve_P_384) 297 return 0; 298 } else /* Should never happen */ 299 return 0; 300 } 301 if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) 302 return 0; 303 for (i = 0; i < num_curves; i++, curves += 2) { 304 if (p[1] == curves[0] && p[2] == curves[1]) 305 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK); 306 } 307 return 0; 308 } 309 310 /*- 311 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef 312 * if there is no match. 313 * For nmatch == -1, return number of matches 314 * For nmatch == -2, return the NID of the curve to use for 315 * an EC tmp key, or NID_undef if there is no match. 316 */ 317 int tls1_shared_curve(SSL *s, int nmatch) 318 { 319 const unsigned char *pref, *supp; 320 size_t num_pref, num_supp, i, j; 321 int k; 322 323 /* Can't do anything on client side */ 324 if (s->server == 0) 325 return -1; 326 if (nmatch == -2) { 327 if (tls1_suiteb(s)) { 328 /* 329 * For Suite B ciphersuite determines curve: we already know 330 * these are acceptable due to previous checks. 331 */ 332 unsigned long cid = s->s3->tmp.new_cipher->id; 333 334 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 335 return NID_X9_62_prime256v1; /* P-256 */ 336 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 337 return NID_secp384r1; /* P-384 */ 338 /* Should never happen */ 339 return NID_undef; 340 } 341 /* If not Suite B just return first preference shared curve */ 342 nmatch = 0; 343 } 344 /* 345 * Avoid truncation. tls1_get_curvelist takes an int 346 * but s->options is a long... 347 */ 348 if (!tls1_get_curvelist(s, 349 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, 350 &supp, &num_supp)) 351 /* In practice, NID_undef == 0 but let's be precise. */ 352 return nmatch == -1 ? 0 : NID_undef; 353 if (!tls1_get_curvelist(s, 354 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0, 355 &pref, &num_pref)) 356 return nmatch == -1 ? 0 : NID_undef; 357 358 for (k = 0, i = 0; i < num_pref; i++, pref += 2) { 359 const unsigned char *tsupp = supp; 360 361 for (j = 0; j < num_supp; j++, tsupp += 2) { 362 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { 363 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED)) 364 continue; 365 if (nmatch == k) { 366 int id = (pref[0] << 8) | pref[1]; 367 368 return tls1_ec_curve_id2nid(id, NULL); 369 } 370 k++; 371 } 372 } 373 } 374 if (nmatch == -1) 375 return k; 376 /* Out of range (nmatch > k). */ 377 return NID_undef; 378 } 379 380 int tls1_set_curves(unsigned char **pext, size_t *pextlen, 381 int *curves, size_t ncurves) 382 { 383 unsigned char *clist, *p; 384 size_t i; 385 /* 386 * Bitmap of curves included to detect duplicates: only works while curve 387 * ids < 32 388 */ 389 unsigned long dup_list = 0; 390 clist = OPENSSL_malloc(ncurves * 2); 391 if (clist == NULL) 392 return 0; 393 for (i = 0, p = clist; i < ncurves; i++) { 394 unsigned long idmask; 395 int id; 396 id = tls1_ec_nid2curve_id(curves[i]); 397 idmask = 1L << id; 398 if (!id || (dup_list & idmask)) { 399 OPENSSL_free(clist); 400 return 0; 401 } 402 dup_list |= idmask; 403 s2n(id, p); 404 } 405 OPENSSL_free(*pext); 406 *pext = clist; 407 *pextlen = ncurves * 2; 408 return 1; 409 } 410 411 # define MAX_CURVELIST 28 412 413 typedef struct { 414 size_t nidcnt; 415 int nid_arr[MAX_CURVELIST]; 416 } nid_cb_st; 417 418 static int nid_cb(const char *elem, int len, void *arg) 419 { 420 nid_cb_st *narg = arg; 421 size_t i; 422 int nid; 423 char etmp[20]; 424 if (elem == NULL) 425 return 0; 426 if (narg->nidcnt == MAX_CURVELIST) 427 return 0; 428 if (len > (int)(sizeof(etmp) - 1)) 429 return 0; 430 memcpy(etmp, elem, len); 431 etmp[len] = 0; 432 nid = EC_curve_nist2nid(etmp); 433 if (nid == NID_undef) 434 nid = OBJ_sn2nid(etmp); 435 if (nid == NID_undef) 436 nid = OBJ_ln2nid(etmp); 437 if (nid == NID_undef) 438 return 0; 439 for (i = 0; i < narg->nidcnt; i++) 440 if (narg->nid_arr[i] == nid) 441 return 0; 442 narg->nid_arr[narg->nidcnt++] = nid; 443 return 1; 444 } 445 446 /* Set curves based on a colon separate list */ 447 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str) 448 { 449 nid_cb_st ncb; 450 ncb.nidcnt = 0; 451 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb)) 452 return 0; 453 if (pext == NULL) 454 return 1; 455 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt); 456 } 457 458 /* For an EC key set TLS id and required compression based on parameters */ 459 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, 460 EC_KEY *ec) 461 { 462 int id; 463 const EC_GROUP *grp; 464 if (!ec) 465 return 0; 466 /* Determine if it is a prime field */ 467 grp = EC_KEY_get0_group(ec); 468 if (!grp) 469 return 0; 470 /* Determine curve ID */ 471 id = EC_GROUP_get_curve_name(grp); 472 id = tls1_ec_nid2curve_id(id); 473 /* If no id return error: we don't support arbitrary explicit curves */ 474 if (id == 0) 475 return 0; 476 curve_id[0] = 0; 477 curve_id[1] = (unsigned char)id; 478 if (comp_id) { 479 if (EC_KEY_get0_public_key(ec) == NULL) 480 return 0; 481 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { 482 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 483 } else { 484 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME) 485 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 486 else 487 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 488 } 489 } 490 return 1; 491 } 492 493 /* Check an EC key is compatible with extensions */ 494 static int tls1_check_ec_key(SSL *s, 495 unsigned char *curve_id, unsigned char *comp_id) 496 { 497 const unsigned char *pformats, *pcurves; 498 size_t num_formats, num_curves, i; 499 int j; 500 /* 501 * If point formats extension present check it, otherwise everything is 502 * supported (see RFC4492). 503 */ 504 if (comp_id && s->session->tlsext_ecpointformatlist) { 505 pformats = s->session->tlsext_ecpointformatlist; 506 num_formats = s->session->tlsext_ecpointformatlist_length; 507 for (i = 0; i < num_formats; i++, pformats++) { 508 if (*comp_id == *pformats) 509 break; 510 } 511 if (i == num_formats) 512 return 0; 513 } 514 if (!curve_id) 515 return 1; 516 /* Check curve is consistent with client and server preferences */ 517 for (j = 0; j <= 1; j++) { 518 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) 519 return 0; 520 if (j == 1 && num_curves == 0) { 521 /* 522 * If we've not received any curves then skip this check. 523 * RFC 4492 does not require the supported elliptic curves extension 524 * so if it is not sent we can just choose any curve. 525 * It is invalid to send an empty list in the elliptic curves 526 * extension, so num_curves == 0 always means no extension. 527 */ 528 break; 529 } 530 for (i = 0; i < num_curves; i++, pcurves += 2) { 531 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1]) 532 break; 533 } 534 if (i == num_curves) 535 return 0; 536 /* For clients can only check sent curve list */ 537 if (!s->server) 538 break; 539 } 540 return 1; 541 } 542 543 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 544 size_t *num_formats) 545 { 546 /* 547 * If we have a custom point format list use it otherwise use default 548 */ 549 if (s->tlsext_ecpointformatlist) { 550 *pformats = s->tlsext_ecpointformatlist; 551 *num_formats = s->tlsext_ecpointformatlist_length; 552 } else { 553 *pformats = ecformats_default; 554 /* For Suite B we don't support char2 fields */ 555 if (tls1_suiteb(s)) 556 *num_formats = sizeof(ecformats_default) - 1; 557 else 558 *num_formats = sizeof(ecformats_default); 559 } 560 } 561 562 /* 563 * Check cert parameters compatible with extensions: currently just checks EC 564 * certificates have compatible curves and compression. 565 */ 566 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) 567 { 568 unsigned char comp_id, curve_id[2]; 569 EVP_PKEY *pkey; 570 int rv; 571 pkey = X509_get0_pubkey(x); 572 if (!pkey) 573 return 0; 574 /* If not EC nothing to do */ 575 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) 576 return 1; 577 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)); 578 if (!rv) 579 return 0; 580 /* 581 * Can't check curve_id for client certs as we don't have a supported 582 * curves extension. 583 */ 584 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); 585 if (!rv) 586 return 0; 587 /* 588 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 589 * SHA384+P-384, adjust digest if necessary. 590 */ 591 if (set_ee_md && tls1_suiteb(s)) { 592 int check_md; 593 size_t i; 594 CERT *c = s->cert; 595 if (curve_id[0]) 596 return 0; 597 /* Check to see we have necessary signing algorithm */ 598 if (curve_id[1] == TLSEXT_curve_P_256) 599 check_md = NID_ecdsa_with_SHA256; 600 else if (curve_id[1] == TLSEXT_curve_P_384) 601 check_md = NID_ecdsa_with_SHA384; 602 else 603 return 0; /* Should never happen */ 604 for (i = 0; i < c->shared_sigalgslen; i++) 605 if (check_md == c->shared_sigalgs[i].signandhash_nid) 606 break; 607 if (i == c->shared_sigalgslen) 608 return 0; 609 if (set_ee_md == 2) { 610 if (check_md == NID_ecdsa_with_SHA256) 611 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256(); 612 else 613 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384(); 614 } 615 } 616 return rv; 617 } 618 619 # ifndef OPENSSL_NO_EC 620 /* 621 * tls1_check_ec_tmp_key - Check EC temporary key compatibility 622 * @s: SSL connection 623 * @cid: Cipher ID we're considering using 624 * 625 * Checks that the kECDHE cipher suite we're considering using 626 * is compatible with the client extensions. 627 * 628 * Returns 0 when the cipher can't be used or 1 when it can. 629 */ 630 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 631 { 632 /* 633 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 634 * curves permitted. 635 */ 636 if (tls1_suiteb(s)) { 637 unsigned char curve_id[2]; 638 /* Curve to check determined by ciphersuite */ 639 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 640 curve_id[1] = TLSEXT_curve_P_256; 641 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 642 curve_id[1] = TLSEXT_curve_P_384; 643 else 644 return 0; 645 curve_id[0] = 0; 646 /* Check this curve is acceptable */ 647 if (!tls1_check_ec_key(s, curve_id, NULL)) 648 return 0; 649 return 1; 650 } 651 /* Need a shared curve */ 652 if (tls1_shared_curve(s, 0)) 653 return 1; 654 return 0; 655 } 656 # endif /* OPENSSL_NO_EC */ 657 658 #else 659 660 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) 661 { 662 return 1; 663 } 664 665 #endif /* OPENSSL_NO_EC */ 666 667 /* 668 * List of supported signature algorithms and hashes. Should make this 669 * customisable at some point, for now include everything we support. 670 */ 671 672 #ifdef OPENSSL_NO_RSA 673 # define tlsext_sigalg_rsa(md) /* */ 674 #else 675 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 676 #endif 677 678 #ifdef OPENSSL_NO_DSA 679 # define tlsext_sigalg_dsa(md) /* */ 680 #else 681 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 682 #endif 683 684 #ifdef OPENSSL_NO_EC 685 # define tlsext_sigalg_ecdsa(md)/* */ 686 #else 687 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 688 #endif 689 690 #define tlsext_sigalg(md) \ 691 tlsext_sigalg_rsa(md) \ 692 tlsext_sigalg_dsa(md) \ 693 tlsext_sigalg_ecdsa(md) 694 695 static const unsigned char tls12_sigalgs[] = { 696 tlsext_sigalg(TLSEXT_hash_sha512) 697 tlsext_sigalg(TLSEXT_hash_sha384) 698 tlsext_sigalg(TLSEXT_hash_sha256) 699 tlsext_sigalg(TLSEXT_hash_sha224) 700 tlsext_sigalg(TLSEXT_hash_sha1) 701 #ifndef OPENSSL_NO_GOST 702 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001, 703 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256, 704 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512 705 #endif 706 }; 707 708 #ifndef OPENSSL_NO_EC 709 static const unsigned char suiteb_sigalgs[] = { 710 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) 711 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) 712 }; 713 #endif 714 size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) 715 { 716 /* 717 * If Suite B mode use Suite B sigalgs only, ignore any other 718 * preferences. 719 */ 720 #ifndef OPENSSL_NO_EC 721 switch (tls1_suiteb(s)) { 722 case SSL_CERT_FLAG_SUITEB_128_LOS: 723 *psigs = suiteb_sigalgs; 724 return sizeof(suiteb_sigalgs); 725 726 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 727 *psigs = suiteb_sigalgs; 728 return 2; 729 730 case SSL_CERT_FLAG_SUITEB_192_LOS: 731 *psigs = suiteb_sigalgs + 2; 732 return 2; 733 } 734 #endif 735 /* If server use client authentication sigalgs if not NULL */ 736 if (s->server == sent && s->cert->client_sigalgs) { 737 *psigs = s->cert->client_sigalgs; 738 return s->cert->client_sigalgslen; 739 } else if (s->cert->conf_sigalgs) { 740 *psigs = s->cert->conf_sigalgs; 741 return s->cert->conf_sigalgslen; 742 } else { 743 *psigs = tls12_sigalgs; 744 return sizeof(tls12_sigalgs); 745 } 746 } 747 748 /* 749 * Check signature algorithm is consistent with sent supported signature 750 * algorithms and if so return relevant digest. 751 */ 752 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, 753 const unsigned char *sig, EVP_PKEY *pkey) 754 { 755 const unsigned char *sent_sigs; 756 size_t sent_sigslen, i; 757 int sigalg = tls12_get_sigid(pkey); 758 /* Should never happen */ 759 if (sigalg == -1) 760 return -1; 761 /* Check key type is consistent with signature */ 762 if (sigalg != (int)sig[1]) { 763 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); 764 return 0; 765 } 766 #ifndef OPENSSL_NO_EC 767 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { 768 unsigned char curve_id[2], comp_id; 769 /* Check compression and curve matches extensions */ 770 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) 771 return 0; 772 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { 773 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); 774 return 0; 775 } 776 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */ 777 if (tls1_suiteb(s)) { 778 if (curve_id[0]) 779 return 0; 780 if (curve_id[1] == TLSEXT_curve_P_256) { 781 if (sig[0] != TLSEXT_hash_sha256) { 782 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, 783 SSL_R_ILLEGAL_SUITEB_DIGEST); 784 return 0; 785 } 786 } else if (curve_id[1] == TLSEXT_curve_P_384) { 787 if (sig[0] != TLSEXT_hash_sha384) { 788 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, 789 SSL_R_ILLEGAL_SUITEB_DIGEST); 790 return 0; 791 } 792 } else 793 return 0; 794 } 795 } else if (tls1_suiteb(s)) 796 return 0; 797 #endif 798 799 /* Check signature matches a type we sent */ 800 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); 801 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) { 802 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1]) 803 break; 804 } 805 /* Allow fallback to SHA1 if not strict mode */ 806 if (i == sent_sigslen 807 && (sig[0] != TLSEXT_hash_sha1 808 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 809 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); 810 return 0; 811 } 812 *pmd = tls12_get_hash(sig[0]); 813 if (*pmd == NULL) { 814 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST); 815 return 0; 816 } 817 /* Make sure security callback allows algorithm */ 818 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, 819 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) { 820 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); 821 return 0; 822 } 823 /* 824 * Store the digest used so applications can retrieve it if they wish. 825 */ 826 s->s3->tmp.peer_md = *pmd; 827 return 1; 828 } 829 830 /* 831 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't 832 * supported, doesn't appear in supported signature algorithms, isn't supported 833 * by the enabled protocol versions or by the security level. 834 * 835 * This function should only be used for checking which ciphers are supported 836 * by the client. 837 * 838 * Call ssl_cipher_disabled() to check that it's enabled or not. 839 */ 840 void ssl_set_client_disabled(SSL *s) 841 { 842 s->s3->tmp.mask_a = 0; 843 s->s3->tmp.mask_k = 0; 844 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); 845 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver); 846 #ifndef OPENSSL_NO_PSK 847 /* with PSK there must be client callback set */ 848 if (!s->psk_client_callback) { 849 s->s3->tmp.mask_a |= SSL_aPSK; 850 s->s3->tmp.mask_k |= SSL_PSK; 851 } 852 #endif /* OPENSSL_NO_PSK */ 853 #ifndef OPENSSL_NO_SRP 854 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 855 s->s3->tmp.mask_a |= SSL_aSRP; 856 s->s3->tmp.mask_k |= SSL_kSRP; 857 } 858 #endif 859 } 860 861 /* 862 * ssl_cipher_disabled - check that a cipher is disabled or not 863 * @s: SSL connection that you want to use the cipher on 864 * @c: cipher to check 865 * @op: Security check that you want to do 866 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 867 * 868 * Returns 1 when it's disabled, 0 when enabled. 869 */ 870 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe) 871 { 872 if (c->algorithm_mkey & s->s3->tmp.mask_k 873 || c->algorithm_auth & s->s3->tmp.mask_a) 874 return 1; 875 if (s->s3->tmp.max_ver == 0) 876 return 1; 877 if (!SSL_IS_DTLS(s)) { 878 int min_tls = c->min_tls; 879 880 /* 881 * For historical reasons we will allow ECHDE to be selected by a server 882 * in SSLv3 if we are a client 883 */ 884 if (min_tls == TLS1_VERSION && ecdhe 885 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) 886 min_tls = SSL3_VERSION; 887 888 if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver)) 889 return 1; 890 } 891 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver) 892 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver))) 893 return 1; 894 895 return !ssl_security(s, op, c->strength_bits, 0, (void *)c); 896 } 897 898 static int tls_use_ticket(SSL *s) 899 { 900 if (s->options & SSL_OP_NO_TICKET) 901 return 0; 902 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); 903 } 904 905 static int compare_uint(const void *p1, const void *p2) 906 { 907 unsigned int u1 = *((const unsigned int *)p1); 908 unsigned int u2 = *((const unsigned int *)p2); 909 if (u1 < u2) 910 return -1; 911 else if (u1 > u2) 912 return 1; 913 else 914 return 0; 915 } 916 917 /* 918 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be 919 * more than one extension of the same type in a ClientHello or ServerHello. 920 * This function does an initial scan over the extensions block to filter those 921 * out. It returns 1 if all extensions are unique, and 0 if the extensions 922 * contain duplicates, could not be successfully parsed, or an internal error 923 * occurred. 924 */ 925 static int tls1_check_duplicate_extensions(const PACKET *packet) 926 { 927 PACKET extensions = *packet; 928 size_t num_extensions = 0, i = 0; 929 unsigned int *extension_types = NULL; 930 int ret = 0; 931 932 /* First pass: count the extensions. */ 933 while (PACKET_remaining(&extensions) > 0) { 934 unsigned int type; 935 PACKET extension; 936 if (!PACKET_get_net_2(&extensions, &type) || 937 !PACKET_get_length_prefixed_2(&extensions, &extension)) { 938 goto done; 939 } 940 num_extensions++; 941 } 942 943 if (num_extensions <= 1) 944 return 1; 945 946 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions); 947 if (extension_types == NULL) { 948 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE); 949 goto done; 950 } 951 952 /* Second pass: gather the extension types. */ 953 extensions = *packet; 954 for (i = 0; i < num_extensions; i++) { 955 PACKET extension; 956 if (!PACKET_get_net_2(&extensions, &extension_types[i]) || 957 !PACKET_get_length_prefixed_2(&extensions, &extension)) { 958 /* This should not happen. */ 959 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR); 960 goto done; 961 } 962 } 963 964 if (PACKET_remaining(&extensions) != 0) { 965 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR); 966 goto done; 967 } 968 /* Sort the extensions and make sure there are no duplicates. */ 969 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint); 970 for (i = 1; i < num_extensions; i++) { 971 if (extension_types[i - 1] == extension_types[i]) 972 goto done; 973 } 974 ret = 1; 975 done: 976 OPENSSL_free(extension_types); 977 return ret; 978 } 979 980 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, 981 unsigned char *limit, int *al) 982 { 983 int extdatalen = 0; 984 unsigned char *orig = buf; 985 unsigned char *ret = buf; 986 #ifndef OPENSSL_NO_EC 987 /* See if we support any ECC ciphersuites */ 988 int using_ecc = 0; 989 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { 990 int i; 991 unsigned long alg_k, alg_a; 992 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 993 994 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 995 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 996 997 alg_k = c->algorithm_mkey; 998 alg_a = c->algorithm_auth; 999 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 1000 || (alg_a & SSL_aECDSA)) { 1001 using_ecc = 1; 1002 break; 1003 } 1004 } 1005 } 1006 #endif 1007 1008 ret += 2; 1009 1010 if (ret >= limit) 1011 return NULL; /* this really never occurs, but ... */ 1012 1013 /* Add RI if renegotiating */ 1014 if (s->renegotiate) { 1015 int el; 1016 1017 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 1018 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1019 return NULL; 1020 } 1021 1022 if (CHECKLEN(ret, 4 + el, limit)) 1023 return NULL; 1024 1025 s2n(TLSEXT_TYPE_renegotiate, ret); 1026 s2n(el, ret); 1027 1028 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 1029 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1030 return NULL; 1031 } 1032 1033 ret += el; 1034 } 1035 /* Only add RI for SSLv3 */ 1036 if (s->client_version == SSL3_VERSION) 1037 goto done; 1038 1039 if (s->tlsext_hostname != NULL) { 1040 /* Add TLS extension servername to the Client Hello message */ 1041 size_t size_str; 1042 1043 /*- 1044 * check for enough space. 1045 * 4 for the servername type and extension length 1046 * 2 for servernamelist length 1047 * 1 for the hostname type 1048 * 2 for hostname length 1049 * + hostname length 1050 */ 1051 size_str = strlen(s->tlsext_hostname); 1052 if (CHECKLEN(ret, 9 + size_str, limit)) 1053 return NULL; 1054 1055 /* extension type and length */ 1056 s2n(TLSEXT_TYPE_server_name, ret); 1057 s2n(size_str + 5, ret); 1058 1059 /* length of servername list */ 1060 s2n(size_str + 3, ret); 1061 1062 /* hostname type, length and hostname */ 1063 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 1064 s2n(size_str, ret); 1065 memcpy(ret, s->tlsext_hostname, size_str); 1066 ret += size_str; 1067 } 1068 #ifndef OPENSSL_NO_SRP 1069 /* Add SRP username if there is one */ 1070 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the 1071 * Client Hello message */ 1072 1073 size_t login_len = strlen(s->srp_ctx.login); 1074 if (login_len > 255 || login_len == 0) { 1075 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1076 return NULL; 1077 } 1078 1079 /*- 1080 * check for enough space. 1081 * 4 for the srp type type and extension length 1082 * 1 for the srp user identity 1083 * + srp user identity length 1084 */ 1085 if (CHECKLEN(ret, 5 + login_len, limit)) 1086 return NULL; 1087 1088 /* fill in the extension */ 1089 s2n(TLSEXT_TYPE_srp, ret); 1090 s2n(login_len + 1, ret); 1091 (*ret++) = (unsigned char)login_len; 1092 memcpy(ret, s->srp_ctx.login, login_len); 1093 ret += login_len; 1094 } 1095 #endif 1096 1097 #ifndef OPENSSL_NO_EC 1098 if (using_ecc) { 1099 /* 1100 * Add TLS extension ECPointFormats to the ClientHello message 1101 */ 1102 const unsigned char *pcurves, *pformats; 1103 size_t num_curves, num_formats, curves_list_len; 1104 size_t i; 1105 unsigned char *etmp; 1106 1107 tls1_get_formatlist(s, &pformats, &num_formats); 1108 1109 if (num_formats > 255) { 1110 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1111 return NULL; 1112 } 1113 /*- 1114 * check for enough space. 1115 * 4 bytes for the ec point formats type and extension length 1116 * 1 byte for the length of the formats 1117 * + formats length 1118 */ 1119 if (CHECKLEN(ret, 5 + num_formats, limit)) 1120 return NULL; 1121 1122 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1123 /* The point format list has 1-byte length. */ 1124 s2n(num_formats + 1, ret); 1125 *(ret++) = (unsigned char)num_formats; 1126 memcpy(ret, pformats, num_formats); 1127 ret += num_formats; 1128 1129 /* 1130 * Add TLS extension EllipticCurves to the ClientHello message 1131 */ 1132 pcurves = s->tlsext_ellipticcurvelist; 1133 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) 1134 return NULL; 1135 1136 if (num_curves > 65532 / 2) { 1137 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1138 return NULL; 1139 } 1140 /*- 1141 * check for enough space. 1142 * 4 bytes for the ec curves type and extension length 1143 * 2 bytes for the curve list length 1144 * + curve list length 1145 */ 1146 if (CHECKLEN(ret, 6 + (num_curves * 2), limit)) 1147 return NULL; 1148 1149 s2n(TLSEXT_TYPE_elliptic_curves, ret); 1150 etmp = ret + 4; 1151 /* Copy curve ID if supported */ 1152 for (i = 0; i < num_curves; i++, pcurves += 2) { 1153 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) { 1154 *etmp++ = pcurves[0]; 1155 *etmp++ = pcurves[1]; 1156 } 1157 } 1158 1159 curves_list_len = etmp - ret - 4; 1160 1161 s2n(curves_list_len + 2, ret); 1162 s2n(curves_list_len, ret); 1163 ret += curves_list_len; 1164 } 1165 #endif /* OPENSSL_NO_EC */ 1166 1167 if (tls_use_ticket(s)) { 1168 size_t ticklen; 1169 if (!s->new_session && s->session && s->session->tlsext_tick) 1170 ticklen = s->session->tlsext_ticklen; 1171 else if (s->session && s->tlsext_session_ticket && 1172 s->tlsext_session_ticket->data) { 1173 ticklen = s->tlsext_session_ticket->length; 1174 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1175 if (s->session->tlsext_tick == NULL) 1176 return NULL; 1177 memcpy(s->session->tlsext_tick, 1178 s->tlsext_session_ticket->data, ticklen); 1179 s->session->tlsext_ticklen = ticklen; 1180 } else 1181 ticklen = 0; 1182 if (ticklen == 0 && s->tlsext_session_ticket && 1183 s->tlsext_session_ticket->data == NULL) 1184 goto skip_ext; 1185 /* 1186 * Check for enough room 2 for extension type, 2 for len rest for 1187 * ticket 1188 */ 1189 if (CHECKLEN(ret, 4 + ticklen, limit)) 1190 return NULL; 1191 s2n(TLSEXT_TYPE_session_ticket, ret); 1192 s2n(ticklen, ret); 1193 if (ticklen > 0) { 1194 memcpy(ret, s->session->tlsext_tick, ticklen); 1195 ret += ticklen; 1196 } 1197 } 1198 skip_ext: 1199 1200 #ifndef OPENSSL_NO_OCSP 1201 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1202 int i; 1203 size_t extlen, idlen; 1204 int lentmp; 1205 OCSP_RESPID *id; 1206 1207 idlen = 0; 1208 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 1209 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 1210 lentmp = i2d_OCSP_RESPID(id, NULL); 1211 if (lentmp <= 0) 1212 return NULL; 1213 idlen += (size_t)lentmp + 2; 1214 } 1215 1216 if (s->tlsext_ocsp_exts) { 1217 lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 1218 if (lentmp < 0) 1219 return NULL; 1220 extlen = (size_t)lentmp; 1221 } else 1222 extlen = 0; 1223 1224 if (extlen + idlen > 0xFFF0) 1225 return NULL; 1226 /* 1227 * 2 bytes for status request type 1228 * 2 bytes for status request len 1229 * 1 byte for OCSP request type 1230 * 2 bytes for length of ids 1231 * 2 bytes for length of extensions 1232 * + length of ids 1233 * + length of extensions 1234 */ 1235 if (CHECKLEN(ret, 9 + idlen + extlen, limit)) 1236 return NULL; 1237 1238 s2n(TLSEXT_TYPE_status_request, ret); 1239 s2n(extlen + idlen + 5, ret); 1240 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 1241 s2n(idlen, ret); 1242 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 1243 /* save position of id len */ 1244 unsigned char *q = ret; 1245 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 1246 /* skip over id len */ 1247 ret += 2; 1248 lentmp = i2d_OCSP_RESPID(id, &ret); 1249 /* write id len */ 1250 s2n(lentmp, q); 1251 } 1252 s2n(extlen, ret); 1253 if (extlen > 0) 1254 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 1255 } 1256 #endif 1257 #ifndef OPENSSL_NO_HEARTBEATS 1258 if (SSL_IS_DTLS(s)) { 1259 /* Add Heartbeat extension */ 1260 1261 /*- 1262 * check for enough space. 1263 * 4 bytes for the heartbeat ext type and extension length 1264 * 1 byte for the mode 1265 */ 1266 if (CHECKLEN(ret, 5, limit)) 1267 return NULL; 1268 1269 s2n(TLSEXT_TYPE_heartbeat, ret); 1270 s2n(1, ret); 1271 /*- 1272 * Set mode: 1273 * 1: peer may send requests 1274 * 2: peer not allowed to send requests 1275 */ 1276 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) 1277 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; 1278 else 1279 *(ret++) = SSL_DTLSEXT_HB_ENABLED; 1280 } 1281 #endif 1282 1283 #ifndef OPENSSL_NO_NEXTPROTONEG 1284 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 1285 /* 1286 * The client advertises an empty extension to indicate its support 1287 * for Next Protocol Negotiation 1288 */ 1289 1290 /*- 1291 * check for enough space. 1292 * 4 bytes for the NPN ext type and extension length 1293 */ 1294 if (CHECKLEN(ret, 4, limit)) 1295 return NULL; 1296 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1297 s2n(0, ret); 1298 } 1299 #endif 1300 1301 /* 1302 * finish_md_len is non-zero during a renegotiation, so 1303 * this avoids sending ALPN during the renegotiation 1304 * (see longer comment below) 1305 */ 1306 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { 1307 /*- 1308 * check for enough space. 1309 * 4 bytes for the ALPN type and extension length 1310 * 2 bytes for the ALPN protocol list length 1311 * + ALPN protocol list length 1312 */ 1313 if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit)) 1314 return NULL; 1315 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1316 s2n(2 + s->alpn_client_proto_list_len, ret); 1317 s2n(s->alpn_client_proto_list_len, ret); 1318 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); 1319 ret += s->alpn_client_proto_list_len; 1320 s->s3->alpn_sent = 1; 1321 } 1322 #ifndef OPENSSL_NO_SRTP 1323 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 1324 int el; 1325 1326 /* Returns 0 on success!! */ 1327 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) { 1328 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1329 return NULL; 1330 } 1331 1332 /*- 1333 * check for enough space. 1334 * 4 bytes for the SRTP type and extension length 1335 * + SRTP profiles length 1336 */ 1337 if (CHECKLEN(ret, 4 + el, limit)) 1338 return NULL; 1339 1340 s2n(TLSEXT_TYPE_use_srtp, ret); 1341 s2n(el, ret); 1342 1343 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 1344 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1345 return NULL; 1346 } 1347 ret += el; 1348 } 1349 #endif 1350 custom_ext_init(&s->cert->cli_ext); 1351 /* Add custom TLS Extensions to ClientHello */ 1352 if (!custom_ext_add(s, 0, &ret, limit, al)) 1353 return NULL; 1354 /* 1355 * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just 1356 * silently failed to actually do it. It is fixed in 1.1.1 but to 1357 * ease the transition especially from 1.1.0b to 1.1.0c, we just 1358 * disable it in 1.1.0. 1359 * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set. 1360 */ 1361 if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) { 1362 /*- 1363 * check for enough space. 1364 * 4 bytes for the ETM type and extension length 1365 */ 1366 if (CHECKLEN(ret, 4, limit)) 1367 return NULL; 1368 s2n(TLSEXT_TYPE_encrypt_then_mac, ret); 1369 s2n(0, ret); 1370 } 1371 1372 #ifndef OPENSSL_NO_CT 1373 if (s->ct_validation_callback != NULL) { 1374 /*- 1375 * check for enough space. 1376 * 4 bytes for the SCT type and extension length 1377 */ 1378 if (CHECKLEN(ret, 4, limit)) 1379 return NULL; 1380 1381 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret); 1382 s2n(0, ret); 1383 } 1384 #endif 1385 1386 /*- 1387 * check for enough space. 1388 * 4 bytes for the EMS type and extension length 1389 */ 1390 if (CHECKLEN(ret, 4, limit)) 1391 return NULL; 1392 s2n(TLSEXT_TYPE_extended_master_secret, ret); 1393 s2n(0, ret); 1394 1395 /* 1396 * WebSphere application server can not handle having the 1397 * last extension be 0-length (e.g. EMS, EtM), so keep those 1398 * before SigAlgs 1399 */ 1400 if (SSL_CLIENT_USE_SIGALGS(s)) { 1401 size_t salglen; 1402 const unsigned char *salg; 1403 unsigned char *etmp; 1404 salglen = tls12_get_psigalgs(s, 1, &salg); 1405 1406 /*- 1407 * check for enough space. 1408 * 4 bytes for the sigalgs type and extension length 1409 * 2 bytes for the sigalg list length 1410 * + sigalg list length 1411 */ 1412 if (CHECKLEN(ret, salglen + 6, limit)) 1413 return NULL; 1414 s2n(TLSEXT_TYPE_signature_algorithms, ret); 1415 etmp = ret; 1416 /* Skip over lengths for now */ 1417 ret += 4; 1418 salglen = tls12_copy_sigalgs(s, ret, salg, salglen); 1419 /* Fill in lengths */ 1420 s2n(salglen + 2, etmp); 1421 s2n(salglen, etmp); 1422 ret += salglen; 1423 } 1424 1425 /* 1426 * Add padding to workaround bugs in F5 terminators. See 1427 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this 1428 * code works out the length of all existing extensions it MUST always 1429 * appear last. WebSphere 7.x/8.x is intolerant of empty extensions 1430 * being last, so minimum length of 1. 1431 */ 1432 if (s->options & SSL_OP_TLSEXT_PADDING) { 1433 int hlen = ret - (unsigned char *)s->init_buf->data; 1434 1435 if (hlen > 0xff && hlen < 0x200) { 1436 hlen = 0x200 - hlen; 1437 if (hlen >= 4) 1438 hlen -= 4; 1439 else 1440 hlen = 1; 1441 1442 /*- 1443 * check for enough space. Strictly speaking we know we've already 1444 * got enough space because to get here the message size is < 0x200, 1445 * but we know that we've allocated far more than that in the buffer 1446 * - but for consistency and robustness we're going to check anyway. 1447 * 1448 * 4 bytes for the padding type and extension length 1449 * + padding length 1450 */ 1451 if (CHECKLEN(ret, 4 + hlen, limit)) 1452 return NULL; 1453 s2n(TLSEXT_TYPE_padding, ret); 1454 s2n(hlen, ret); 1455 memset(ret, 0, hlen); 1456 ret += hlen; 1457 } 1458 } 1459 1460 done: 1461 1462 if ((extdatalen = ret - orig - 2) == 0) 1463 return orig; 1464 1465 s2n(extdatalen, orig); 1466 return ret; 1467 } 1468 1469 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, 1470 unsigned char *limit, int *al) 1471 { 1472 int extdatalen = 0; 1473 unsigned char *orig = buf; 1474 unsigned char *ret = buf; 1475 #ifndef OPENSSL_NO_NEXTPROTONEG 1476 int next_proto_neg_seen; 1477 #endif 1478 #ifndef OPENSSL_NO_EC 1479 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1480 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1481 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA); 1482 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1483 #endif 1484 1485 ret += 2; 1486 if (ret >= limit) 1487 return NULL; /* this really never occurs, but ... */ 1488 1489 if (s->s3->send_connection_binding) { 1490 int el; 1491 1492 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */ 1493 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 1494 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1495 return NULL; 1496 } 1497 1498 /*- 1499 * check for enough space. 1500 * 4 bytes for the reneg type and extension length 1501 * + reneg data length 1502 */ 1503 if (CHECKLEN(ret, 4 + el, limit)) 1504 return NULL; 1505 1506 s2n(TLSEXT_TYPE_renegotiate, ret); 1507 s2n(el, ret); 1508 1509 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1510 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1511 return NULL; 1512 } 1513 1514 ret += el; 1515 } 1516 1517 /* Only add RI for SSLv3 */ 1518 if (s->version == SSL3_VERSION) 1519 goto done; 1520 1521 if (!s->hit && s->servername_done == 1 1522 && s->session->tlsext_hostname != NULL) { 1523 /*- 1524 * check for enough space. 1525 * 4 bytes for the server name type and extension length 1526 */ 1527 if (CHECKLEN(ret, 4, limit)) 1528 return NULL; 1529 1530 s2n(TLSEXT_TYPE_server_name, ret); 1531 s2n(0, ret); 1532 } 1533 #ifndef OPENSSL_NO_EC 1534 if (using_ecc) { 1535 const unsigned char *plist; 1536 size_t plistlen; 1537 /* 1538 * Add TLS extension ECPointFormats to the ServerHello message 1539 */ 1540 1541 tls1_get_formatlist(s, &plist, &plistlen); 1542 1543 if (plistlen > 255) { 1544 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1545 return NULL; 1546 } 1547 1548 /*- 1549 * check for enough space. 1550 * 4 bytes for the ec points format type and extension length 1551 * 1 byte for the points format list length 1552 * + length of points format list 1553 */ 1554 if (CHECKLEN(ret, 5 + plistlen, limit)) 1555 return NULL; 1556 1557 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1558 s2n(plistlen + 1, ret); 1559 *(ret++) = (unsigned char)plistlen; 1560 memcpy(ret, plist, plistlen); 1561 ret += plistlen; 1562 1563 } 1564 /* 1565 * Currently the server should not respond with a SupportedCurves 1566 * extension 1567 */ 1568 #endif /* OPENSSL_NO_EC */ 1569 1570 if (s->tlsext_ticket_expected && tls_use_ticket(s)) { 1571 /*- 1572 * check for enough space. 1573 * 4 bytes for the Ticket type and extension length 1574 */ 1575 if (CHECKLEN(ret, 4, limit)) 1576 return NULL; 1577 s2n(TLSEXT_TYPE_session_ticket, ret); 1578 s2n(0, ret); 1579 } else { 1580 /* 1581 * if we don't add the above TLSEXT, we can't add a session ticket 1582 * later 1583 */ 1584 s->tlsext_ticket_expected = 0; 1585 } 1586 1587 if (s->tlsext_status_expected) { 1588 /*- 1589 * check for enough space. 1590 * 4 bytes for the Status request type and extension length 1591 */ 1592 if (CHECKLEN(ret, 4, limit)) 1593 return NULL; 1594 s2n(TLSEXT_TYPE_status_request, ret); 1595 s2n(0, ret); 1596 } 1597 #ifndef OPENSSL_NO_SRTP 1598 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1599 int el; 1600 1601 /* Returns 0 on success!! */ 1602 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { 1603 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1604 return NULL; 1605 } 1606 /*- 1607 * check for enough space. 1608 * 4 bytes for the SRTP profiles type and extension length 1609 * + length of the SRTP profiles list 1610 */ 1611 if (CHECKLEN(ret, 4 + el, limit)) 1612 return NULL; 1613 1614 s2n(TLSEXT_TYPE_use_srtp, ret); 1615 s2n(el, ret); 1616 1617 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1618 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1619 return NULL; 1620 } 1621 ret += el; 1622 } 1623 #endif 1624 1625 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 1626 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 1627 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1628 const unsigned char cryptopro_ext[36] = { 1629 0xfd, 0xe8, /* 65000 */ 1630 0x00, 0x20, /* 32 bytes length */ 1631 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1632 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1633 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1634 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1635 }; 1636 1637 /* check for enough space. */ 1638 if (CHECKLEN(ret, sizeof(cryptopro_ext), limit)) 1639 return NULL; 1640 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1641 ret += sizeof(cryptopro_ext); 1642 1643 } 1644 #ifndef OPENSSL_NO_HEARTBEATS 1645 /* Add Heartbeat extension if we've received one */ 1646 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) { 1647 /*- 1648 * check for enough space. 1649 * 4 bytes for the Heartbeat type and extension length 1650 * 1 byte for the mode 1651 */ 1652 if (CHECKLEN(ret, 5, limit)) 1653 return NULL; 1654 s2n(TLSEXT_TYPE_heartbeat, ret); 1655 s2n(1, ret); 1656 /*- 1657 * Set mode: 1658 * 1: peer may send requests 1659 * 2: peer not allowed to send requests 1660 */ 1661 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) 1662 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; 1663 else 1664 *(ret++) = SSL_DTLSEXT_HB_ENABLED; 1665 1666 } 1667 #endif 1668 1669 #ifndef OPENSSL_NO_NEXTPROTONEG 1670 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1671 s->s3->next_proto_neg_seen = 0; 1672 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1673 const unsigned char *npa; 1674 unsigned int npalen; 1675 int r; 1676 1677 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1678 s-> 1679 ctx->next_protos_advertised_cb_arg); 1680 if (r == SSL_TLSEXT_ERR_OK) { 1681 /*- 1682 * check for enough space. 1683 * 4 bytes for the NPN type and extension length 1684 * + length of protocols list 1685 */ 1686 if (CHECKLEN(ret, 4 + npalen, limit)) 1687 return NULL; 1688 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1689 s2n(npalen, ret); 1690 memcpy(ret, npa, npalen); 1691 ret += npalen; 1692 s->s3->next_proto_neg_seen = 1; 1693 } 1694 } 1695 #endif 1696 if (!custom_ext_add(s, 1, &ret, limit, al)) 1697 return NULL; 1698 if (s->tlsext_use_etm) { 1699 /* 1700 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable 1701 * for other cases too. 1702 */ 1703 if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD 1704 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4 1705 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT 1706 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) 1707 s->tlsext_use_etm = 0; 1708 else { 1709 /*- 1710 * check for enough space. 1711 * 4 bytes for the ETM type and extension length 1712 */ 1713 if (CHECKLEN(ret, 4, limit)) 1714 return NULL; 1715 s2n(TLSEXT_TYPE_encrypt_then_mac, ret); 1716 s2n(0, ret); 1717 } 1718 } 1719 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { 1720 /*- 1721 * check for enough space. 1722 * 4 bytes for the EMS type and extension length 1723 */ 1724 if (CHECKLEN(ret, 4, limit)) 1725 return NULL; 1726 s2n(TLSEXT_TYPE_extended_master_secret, ret); 1727 s2n(0, ret); 1728 } 1729 1730 if (s->s3->alpn_selected != NULL) { 1731 const unsigned char *selected = s->s3->alpn_selected; 1732 size_t len = s->s3->alpn_selected_len; 1733 1734 /*- 1735 * check for enough space. 1736 * 4 bytes for the ALPN type and extension length 1737 * 2 bytes for ALPN data length 1738 * 1 byte for selected protocol length 1739 * + length of the selected protocol 1740 */ 1741 if (CHECKLEN(ret, 7 + len, limit)) 1742 return NULL; 1743 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1744 s2n(3 + len, ret); 1745 s2n(1 + len, ret); 1746 *ret++ = len; 1747 memcpy(ret, selected, len); 1748 ret += len; 1749 } 1750 1751 done: 1752 1753 if ((extdatalen = ret - orig - 2) == 0) 1754 return orig; 1755 1756 s2n(extdatalen, orig); 1757 return ret; 1758 } 1759 1760 /* 1761 * Save the ALPN extension in a ClientHello. 1762 * pkt: the contents of the ALPN extension, not including type and length. 1763 * al: a pointer to the alert value to send in the event of a failure. 1764 * returns: 1 on success, 0 on error. 1765 */ 1766 static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al) 1767 { 1768 PACKET protocol_list, save_protocol_list, protocol; 1769 1770 *al = SSL_AD_DECODE_ERROR; 1771 1772 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) 1773 || PACKET_remaining(&protocol_list) < 2) { 1774 return 0; 1775 } 1776 1777 save_protocol_list = protocol_list; 1778 do { 1779 /* Protocol names can't be empty. */ 1780 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) 1781 || PACKET_remaining(&protocol) == 0) { 1782 return 0; 1783 } 1784 } while (PACKET_remaining(&protocol_list) != 0); 1785 1786 if (!PACKET_memdup(&save_protocol_list, 1787 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) { 1788 *al = TLS1_AD_INTERNAL_ERROR; 1789 return 0; 1790 } 1791 1792 return 1; 1793 } 1794 1795 /* 1796 * Process the ALPN extension in a ClientHello. 1797 * al: a pointer to the alert value to send in the event of a failure. 1798 * returns 1 on success, 0 on error. 1799 */ 1800 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al) 1801 { 1802 const unsigned char *selected = NULL; 1803 unsigned char selected_len = 0; 1804 1805 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { 1806 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1807 s->s3->alpn_proposed, 1808 s->s3->alpn_proposed_len, 1809 s->ctx->alpn_select_cb_arg); 1810 1811 if (r == SSL_TLSEXT_ERR_OK) { 1812 OPENSSL_free(s->s3->alpn_selected); 1813 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); 1814 if (s->s3->alpn_selected == NULL) { 1815 *al = SSL_AD_INTERNAL_ERROR; 1816 return 0; 1817 } 1818 s->s3->alpn_selected_len = selected_len; 1819 #ifndef OPENSSL_NO_NEXTPROTONEG 1820 /* ALPN takes precedence over NPN. */ 1821 s->s3->next_proto_neg_seen = 0; 1822 #endif 1823 } else if (r == SSL_TLSEXT_ERR_NOACK) { 1824 /* Behave as if no callback was present. */ 1825 return 1; 1826 } else { 1827 *al = SSL_AD_NO_APPLICATION_PROTOCOL; 1828 return 0; 1829 } 1830 } 1831 1832 return 1; 1833 } 1834 1835 #ifndef OPENSSL_NO_EC 1836 /*- 1837 * ssl_check_for_safari attempts to fingerprint Safari using OS X 1838 * SecureTransport using the TLS extension block in |pkt|. 1839 * Safari, since 10.6, sends exactly these extensions, in this order: 1840 * SNI, 1841 * elliptic_curves 1842 * ec_point_formats 1843 * 1844 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 1845 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 1846 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 1847 * 10.8..10.8.3 (which don't work). 1848 */ 1849 static void ssl_check_for_safari(SSL *s, const PACKET *pkt) 1850 { 1851 unsigned int type; 1852 PACKET sni, tmppkt; 1853 size_t ext_len; 1854 1855 static const unsigned char kSafariExtensionsBlock[] = { 1856 0x00, 0x0a, /* elliptic_curves extension */ 1857 0x00, 0x08, /* 8 bytes */ 1858 0x00, 0x06, /* 6 bytes of curve ids */ 1859 0x00, 0x17, /* P-256 */ 1860 0x00, 0x18, /* P-384 */ 1861 0x00, 0x19, /* P-521 */ 1862 1863 0x00, 0x0b, /* ec_point_formats */ 1864 0x00, 0x02, /* 2 bytes */ 1865 0x01, /* 1 point format */ 1866 0x00, /* uncompressed */ 1867 /* The following is only present in TLS 1.2 */ 1868 0x00, 0x0d, /* signature_algorithms */ 1869 0x00, 0x0c, /* 12 bytes */ 1870 0x00, 0x0a, /* 10 bytes */ 1871 0x05, 0x01, /* SHA-384/RSA */ 1872 0x04, 0x01, /* SHA-256/RSA */ 1873 0x02, 0x01, /* SHA-1/RSA */ 1874 0x04, 0x03, /* SHA-256/ECDSA */ 1875 0x02, 0x03, /* SHA-1/ECDSA */ 1876 }; 1877 1878 /* Length of the common prefix (first two extensions). */ 1879 static const size_t kSafariCommonExtensionsLength = 18; 1880 1881 tmppkt = *pkt; 1882 1883 if (!PACKET_forward(&tmppkt, 2) 1884 || !PACKET_get_net_2(&tmppkt, &type) 1885 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { 1886 return; 1887 } 1888 1889 if (type != TLSEXT_TYPE_server_name) 1890 return; 1891 1892 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? 1893 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; 1894 1895 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, 1896 ext_len); 1897 } 1898 #endif /* !OPENSSL_NO_EC */ 1899 1900 /* 1901 * Parse ClientHello extensions and stash extension info in various parts of 1902 * the SSL object. Verify that there are no duplicate extensions. 1903 * 1904 * Behaviour upon resumption is extension-specific. If the extension has no 1905 * effect during resumption, it is parsed (to verify its format) but otherwise 1906 * ignored. 1907 * 1908 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure. 1909 * Upon failure, sets |al| to the appropriate alert. 1910 */ 1911 static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) 1912 { 1913 unsigned int type; 1914 int renegotiate_seen = 0; 1915 PACKET extensions; 1916 1917 *al = SSL_AD_DECODE_ERROR; 1918 s->servername_done = 0; 1919 s->tlsext_status_type = -1; 1920 #ifndef OPENSSL_NO_NEXTPROTONEG 1921 s->s3->next_proto_neg_seen = 0; 1922 #endif 1923 1924 OPENSSL_free(s->s3->alpn_selected); 1925 s->s3->alpn_selected = NULL; 1926 s->s3->alpn_selected_len = 0; 1927 OPENSSL_free(s->s3->alpn_proposed); 1928 s->s3->alpn_proposed = NULL; 1929 s->s3->alpn_proposed_len = 0; 1930 #ifndef OPENSSL_NO_HEARTBEATS 1931 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | 1932 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); 1933 #endif 1934 1935 #ifndef OPENSSL_NO_EC 1936 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1937 ssl_check_for_safari(s, pkt); 1938 #endif /* !OPENSSL_NO_EC */ 1939 1940 /* Clear any signature algorithms extension received */ 1941 OPENSSL_free(s->s3->tmp.peer_sigalgs); 1942 s->s3->tmp.peer_sigalgs = NULL; 1943 s->tlsext_use_etm = 0; 1944 1945 #ifndef OPENSSL_NO_SRP 1946 OPENSSL_free(s->srp_ctx.login); 1947 s->srp_ctx.login = NULL; 1948 #endif 1949 1950 s->srtp_profile = NULL; 1951 1952 if (PACKET_remaining(pkt) == 0) 1953 goto ri_check; 1954 1955 if (!PACKET_as_length_prefixed_2(pkt, &extensions)) 1956 return 0; 1957 1958 if (!tls1_check_duplicate_extensions(&extensions)) 1959 return 0; 1960 1961 /* 1962 * We parse all extensions to ensure the ClientHello is well-formed but, 1963 * unless an extension specifies otherwise, we ignore extensions upon 1964 * resumption. 1965 */ 1966 while (PACKET_get_net_2(&extensions, &type)) { 1967 PACKET extension; 1968 if (!PACKET_get_length_prefixed_2(&extensions, &extension)) 1969 return 0; 1970 1971 if (s->tlsext_debug_cb) 1972 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension), 1973 PACKET_remaining(&extension), 1974 s->tlsext_debug_arg); 1975 1976 if (type == TLSEXT_TYPE_renegotiate) { 1977 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al)) 1978 return 0; 1979 renegotiate_seen = 1; 1980 } else if (s->version == SSL3_VERSION) { 1981 } 1982 /*- 1983 * The servername extension is treated as follows: 1984 * 1985 * - Only the hostname type is supported with a maximum length of 255. 1986 * - The servername is rejected if too long or if it contains zeros, 1987 * in which case an fatal alert is generated. 1988 * - The servername field is maintained together with the session cache. 1989 * - When a session is resumed, the servername call back invoked in order 1990 * to allow the application to position itself to the right context. 1991 * - The servername is acknowledged if it is new for a session or when 1992 * it is identical to a previously used for the same session. 1993 * Applications can control the behaviour. They can at any time 1994 * set a 'desirable' servername for a new SSL object. This can be the 1995 * case for example with HTTPS when a Host: header field is received and 1996 * a renegotiation is requested. In this case, a possible servername 1997 * presented in the new client hello is only acknowledged if it matches 1998 * the value of the Host: field. 1999 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 2000 * if they provide for changing an explicit servername context for the 2001 * session, i.e. when the session has been established with a servername 2002 * extension. 2003 * - On session reconnect, the servername extension may be absent. 2004 * 2005 */ 2006 2007 else if (type == TLSEXT_TYPE_server_name) { 2008 unsigned int servname_type; 2009 PACKET sni, hostname; 2010 2011 if (!PACKET_as_length_prefixed_2(&extension, &sni) 2012 /* ServerNameList must be at least 1 byte long. */ 2013 || PACKET_remaining(&sni) == 0) { 2014 return 0; 2015 } 2016 2017 /* 2018 * Although the server_name extension was intended to be 2019 * extensible to new name types, RFC 4366 defined the 2020 * syntax inextensibility and OpenSSL 1.0.x parses it as 2021 * such. 2022 * RFC 6066 corrected the mistake but adding new name types 2023 * is nevertheless no longer feasible, so act as if no other 2024 * SNI types can exist, to simplify parsing. 2025 * 2026 * Also note that the RFC permits only one SNI value per type, 2027 * i.e., we can only have a single hostname. 2028 */ 2029 if (!PACKET_get_1(&sni, &servname_type) 2030 || servname_type != TLSEXT_NAMETYPE_host_name 2031 || !PACKET_as_length_prefixed_2(&sni, &hostname)) { 2032 return 0; 2033 } 2034 2035 if (!s->hit) { 2036 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { 2037 *al = TLS1_AD_UNRECOGNIZED_NAME; 2038 return 0; 2039 } 2040 2041 if (PACKET_contains_zero_byte(&hostname)) { 2042 *al = TLS1_AD_UNRECOGNIZED_NAME; 2043 return 0; 2044 } 2045 2046 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) { 2047 *al = TLS1_AD_INTERNAL_ERROR; 2048 return 0; 2049 } 2050 2051 s->servername_done = 1; 2052 } else { 2053 /* 2054 * TODO(openssl-team): if the SNI doesn't match, we MUST 2055 * fall back to a full handshake. 2056 */ 2057 s->servername_done = s->session->tlsext_hostname 2058 && PACKET_equal(&hostname, s->session->tlsext_hostname, 2059 strlen(s->session->tlsext_hostname)); 2060 } 2061 } 2062 #ifndef OPENSSL_NO_SRP 2063 else if (type == TLSEXT_TYPE_srp) { 2064 PACKET srp_I; 2065 2066 if (!PACKET_as_length_prefixed_1(&extension, &srp_I)) 2067 return 0; 2068 2069 if (PACKET_contains_zero_byte(&srp_I)) 2070 return 0; 2071 2072 /* 2073 * TODO(openssl-team): currently, we re-authenticate the user 2074 * upon resumption. Instead, we MUST ignore the login. 2075 */ 2076 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { 2077 *al = TLS1_AD_INTERNAL_ERROR; 2078 return 0; 2079 } 2080 } 2081 #endif 2082 2083 #ifndef OPENSSL_NO_EC 2084 else if (type == TLSEXT_TYPE_ec_point_formats) { 2085 PACKET ec_point_format_list; 2086 2087 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list) 2088 || PACKET_remaining(&ec_point_format_list) == 0) { 2089 return 0; 2090 } 2091 2092 if (!s->hit) { 2093 if (!PACKET_memdup(&ec_point_format_list, 2094 &s->session->tlsext_ecpointformatlist, 2095 &s-> 2096 session->tlsext_ecpointformatlist_length)) { 2097 *al = TLS1_AD_INTERNAL_ERROR; 2098 return 0; 2099 } 2100 } 2101 } else if (type == TLSEXT_TYPE_elliptic_curves) { 2102 PACKET elliptic_curve_list; 2103 2104 /* Each NamedCurve is 2 bytes and we must have at least 1. */ 2105 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list) 2106 || PACKET_remaining(&elliptic_curve_list) == 0 2107 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) { 2108 return 0; 2109 } 2110 2111 if (!s->hit) { 2112 if (!PACKET_memdup(&elliptic_curve_list, 2113 &s->session->tlsext_ellipticcurvelist, 2114 &s-> 2115 session->tlsext_ellipticcurvelist_length)) { 2116 *al = TLS1_AD_INTERNAL_ERROR; 2117 return 0; 2118 } 2119 } 2120 } 2121 #endif /* OPENSSL_NO_EC */ 2122 else if (type == TLSEXT_TYPE_session_ticket) { 2123 if (s->tls_session_ticket_ext_cb && 2124 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension), 2125 PACKET_remaining(&extension), 2126 s->tls_session_ticket_ext_cb_arg)) 2127 { 2128 *al = TLS1_AD_INTERNAL_ERROR; 2129 return 0; 2130 } 2131 } else if (type == TLSEXT_TYPE_signature_algorithms) { 2132 PACKET supported_sig_algs; 2133 2134 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs) 2135 || (PACKET_remaining(&supported_sig_algs) % 2) != 0 2136 || PACKET_remaining(&supported_sig_algs) == 0) { 2137 return 0; 2138 } 2139 2140 if (!s->hit) { 2141 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs), 2142 PACKET_remaining(&supported_sig_algs))) { 2143 return 0; 2144 } 2145 } 2146 } else if (type == TLSEXT_TYPE_status_request) { 2147 if (!PACKET_get_1(&extension, 2148 (unsigned int *)&s->tlsext_status_type)) { 2149 return 0; 2150 } 2151 #ifndef OPENSSL_NO_OCSP 2152 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 2153 const unsigned char *ext_data; 2154 PACKET responder_id_list, exts; 2155 if (!PACKET_get_length_prefixed_2 2156 (&extension, &responder_id_list)) 2157 return 0; 2158 2159 /* 2160 * We remove any OCSP_RESPIDs from a previous handshake 2161 * to prevent unbounded memory growth - CVE-2016-6304 2162 */ 2163 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 2164 OCSP_RESPID_free); 2165 if (PACKET_remaining(&responder_id_list) > 0) { 2166 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 2167 if (s->tlsext_ocsp_ids == NULL) { 2168 *al = SSL_AD_INTERNAL_ERROR; 2169 return 0; 2170 } 2171 } else { 2172 s->tlsext_ocsp_ids = NULL; 2173 } 2174 2175 while (PACKET_remaining(&responder_id_list) > 0) { 2176 OCSP_RESPID *id; 2177 PACKET responder_id; 2178 const unsigned char *id_data; 2179 2180 if (!PACKET_get_length_prefixed_2(&responder_id_list, 2181 &responder_id) 2182 || PACKET_remaining(&responder_id) == 0) { 2183 return 0; 2184 } 2185 2186 id_data = PACKET_data(&responder_id); 2187 id = d2i_OCSP_RESPID(NULL, &id_data, 2188 PACKET_remaining(&responder_id)); 2189 if (id == NULL) 2190 return 0; 2191 2192 if (id_data != PACKET_end(&responder_id)) { 2193 OCSP_RESPID_free(id); 2194 return 0; 2195 } 2196 2197 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 2198 OCSP_RESPID_free(id); 2199 *al = SSL_AD_INTERNAL_ERROR; 2200 return 0; 2201 } 2202 } 2203 2204 /* Read in request_extensions */ 2205 if (!PACKET_as_length_prefixed_2(&extension, &exts)) 2206 return 0; 2207 2208 if (PACKET_remaining(&exts) > 0) { 2209 ext_data = PACKET_data(&exts); 2210 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 2211 X509_EXTENSION_free); 2212 s->tlsext_ocsp_exts = 2213 d2i_X509_EXTENSIONS(NULL, &ext_data, 2214 PACKET_remaining(&exts)); 2215 if (s->tlsext_ocsp_exts == NULL 2216 || ext_data != PACKET_end(&exts)) { 2217 return 0; 2218 } 2219 } 2220 } else 2221 #endif 2222 { 2223 /* 2224 * We don't know what to do with any other type so ignore it. 2225 */ 2226 s->tlsext_status_type = -1; 2227 } 2228 } 2229 #ifndef OPENSSL_NO_HEARTBEATS 2230 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { 2231 unsigned int hbtype; 2232 2233 if (!PACKET_get_1(&extension, &hbtype) 2234 || PACKET_remaining(&extension)) { 2235 *al = SSL_AD_DECODE_ERROR; 2236 return 0; 2237 } 2238 switch (hbtype) { 2239 case 0x01: /* Client allows us to send HB requests */ 2240 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; 2241 break; 2242 case 0x02: /* Client doesn't accept HB requests */ 2243 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; 2244 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; 2245 break; 2246 default: 2247 *al = SSL_AD_ILLEGAL_PARAMETER; 2248 return 0; 2249 } 2250 } 2251 #endif 2252 #ifndef OPENSSL_NO_NEXTPROTONEG 2253 else if (type == TLSEXT_TYPE_next_proto_neg && 2254 s->s3->tmp.finish_md_len == 0) { 2255 /*- 2256 * We shouldn't accept this extension on a 2257 * renegotiation. 2258 * 2259 * s->new_session will be set on renegotiation, but we 2260 * probably shouldn't rely that it couldn't be set on 2261 * the initial renegotiation too in certain cases (when 2262 * there's some other reason to disallow resuming an 2263 * earlier session -- the current code won't be doing 2264 * anything like that, but this might change). 2265 * 2266 * A valid sign that there's been a previous handshake 2267 * in this connection is if s->s3->tmp.finish_md_len > 2268 * 0. (We are talking about a check that will happen 2269 * in the Hello protocol round, well before a new 2270 * Finished message could have been computed.) 2271 */ 2272 s->s3->next_proto_neg_seen = 1; 2273 } 2274 #endif 2275 2276 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && 2277 s->s3->tmp.finish_md_len == 0) { 2278 if (!tls1_alpn_handle_client_hello(s, &extension, al)) 2279 return 0; 2280 } 2281 2282 /* session ticket processed earlier */ 2283 #ifndef OPENSSL_NO_SRTP 2284 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 2285 && type == TLSEXT_TYPE_use_srtp) { 2286 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al)) 2287 return 0; 2288 } 2289 #endif 2290 else if (type == TLSEXT_TYPE_encrypt_then_mac && 2291 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) 2292 s->tlsext_use_etm = 1; 2293 /* 2294 * Note: extended master secret extension handled in 2295 * tls_check_serverhello_tlsext_early() 2296 */ 2297 2298 /* 2299 * If this ClientHello extension was unhandled and this is a 2300 * nonresumed connection, check whether the extension is a custom 2301 * TLS Extension (has a custom_srv_ext_record), and if so call the 2302 * callback and record the extension number so that an appropriate 2303 * ServerHello may be later returned. 2304 */ 2305 else if (!s->hit) { 2306 if (custom_ext_parse(s, 1, type, PACKET_data(&extension), 2307 PACKET_remaining(&extension), al) <= 0) 2308 return 0; 2309 } 2310 } 2311 2312 if (PACKET_remaining(pkt) != 0) { 2313 /* 2314 * tls1_check_duplicate_extensions should ensure this never happens. 2315 */ 2316 *al = SSL_AD_INTERNAL_ERROR; 2317 return 0; 2318 } 2319 2320 ri_check: 2321 2322 /* Need RI if renegotiating */ 2323 2324 if (!renegotiate_seen && s->renegotiate && 2325 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 2326 *al = SSL_AD_HANDSHAKE_FAILURE; 2327 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 2328 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 2329 return 0; 2330 } 2331 2332 /* 2333 * This function currently has no state to clean up, so it returns directly. 2334 * If parsing fails at any point, the function returns early. 2335 * The SSL object may be left with partial data from extensions, but it must 2336 * then no longer be used, and clearing it up will free the leftovers. 2337 */ 2338 return 1; 2339 } 2340 2341 int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt) 2342 { 2343 int al = -1; 2344 custom_ext_init(&s->cert->srv_ext); 2345 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) { 2346 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2347 return 0; 2348 } 2349 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 2350 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT); 2351 return 0; 2352 } 2353 return 1; 2354 } 2355 2356 #ifndef OPENSSL_NO_NEXTPROTONEG 2357 /* 2358 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 2359 * elements of zero length are allowed and the set of elements must exactly 2360 * fill the length of the block. 2361 */ 2362 static char ssl_next_proto_validate(PACKET *pkt) 2363 { 2364 PACKET tmp_protocol; 2365 2366 while (PACKET_remaining(pkt)) { 2367 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 2368 || PACKET_remaining(&tmp_protocol) == 0) 2369 return 0; 2370 } 2371 2372 return 1; 2373 } 2374 #endif 2375 2376 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) 2377 { 2378 unsigned int length, type, size; 2379 int tlsext_servername = 0; 2380 int renegotiate_seen = 0; 2381 2382 #ifndef OPENSSL_NO_NEXTPROTONEG 2383 s->s3->next_proto_neg_seen = 0; 2384 #endif 2385 s->tlsext_ticket_expected = 0; 2386 2387 OPENSSL_free(s->s3->alpn_selected); 2388 s->s3->alpn_selected = NULL; 2389 #ifndef OPENSSL_NO_HEARTBEATS 2390 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | 2391 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); 2392 #endif 2393 2394 s->tlsext_use_etm = 0; 2395 2396 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; 2397 2398 if (!PACKET_get_net_2(pkt, &length)) 2399 goto ri_check; 2400 2401 if (PACKET_remaining(pkt) != length) { 2402 *al = SSL_AD_DECODE_ERROR; 2403 return 0; 2404 } 2405 2406 if (!tls1_check_duplicate_extensions(pkt)) { 2407 *al = SSL_AD_DECODE_ERROR; 2408 return 0; 2409 } 2410 2411 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) { 2412 const unsigned char *data; 2413 PACKET spkt; 2414 2415 if (!PACKET_get_sub_packet(pkt, &spkt, size) 2416 || !PACKET_peek_bytes(&spkt, &data, size)) 2417 goto ri_check; 2418 2419 if (s->tlsext_debug_cb) 2420 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 2421 2422 if (type == TLSEXT_TYPE_renegotiate) { 2423 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al)) 2424 return 0; 2425 renegotiate_seen = 1; 2426 } else if (s->version == SSL3_VERSION) { 2427 } else if (type == TLSEXT_TYPE_server_name) { 2428 if (s->tlsext_hostname == NULL || size > 0) { 2429 *al = TLS1_AD_UNRECOGNIZED_NAME; 2430 return 0; 2431 } 2432 tlsext_servername = 1; 2433 } 2434 #ifndef OPENSSL_NO_EC 2435 else if (type == TLSEXT_TYPE_ec_point_formats) { 2436 unsigned int ecpointformatlist_length; 2437 if (!PACKET_get_1(&spkt, &ecpointformatlist_length) 2438 || ecpointformatlist_length != size - 1) { 2439 *al = TLS1_AD_DECODE_ERROR; 2440 return 0; 2441 } 2442 if (!s->hit) { 2443 s->session->tlsext_ecpointformatlist_length = 0; 2444 OPENSSL_free(s->session->tlsext_ecpointformatlist); 2445 if ((s->session->tlsext_ecpointformatlist = 2446 OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 2447 *al = TLS1_AD_INTERNAL_ERROR; 2448 return 0; 2449 } 2450 s->session->tlsext_ecpointformatlist_length = 2451 ecpointformatlist_length; 2452 if (!PACKET_copy_bytes(&spkt, 2453 s->session->tlsext_ecpointformatlist, 2454 ecpointformatlist_length)) { 2455 *al = TLS1_AD_DECODE_ERROR; 2456 return 0; 2457 } 2458 2459 } 2460 } 2461 #endif /* OPENSSL_NO_EC */ 2462 2463 else if (type == TLSEXT_TYPE_session_ticket) { 2464 if (s->tls_session_ticket_ext_cb && 2465 !s->tls_session_ticket_ext_cb(s, data, size, 2466 s->tls_session_ticket_ext_cb_arg)) 2467 { 2468 *al = TLS1_AD_INTERNAL_ERROR; 2469 return 0; 2470 } 2471 if (!tls_use_ticket(s) || (size > 0)) { 2472 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2473 return 0; 2474 } 2475 s->tlsext_ticket_expected = 1; 2476 } else if (type == TLSEXT_TYPE_status_request) { 2477 /* 2478 * MUST be empty and only sent if we've requested a status 2479 * request message. 2480 */ 2481 if ((s->tlsext_status_type == -1) || (size > 0)) { 2482 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2483 return 0; 2484 } 2485 /* Set flag to expect CertificateStatus message */ 2486 s->tlsext_status_expected = 1; 2487 } 2488 #ifndef OPENSSL_NO_CT 2489 /* 2490 * Only take it if we asked for it - i.e if there is no CT validation 2491 * callback set, then a custom extension MAY be processing it, so we 2492 * need to let control continue to flow to that. 2493 */ 2494 else if (type == TLSEXT_TYPE_signed_certificate_timestamp && 2495 s->ct_validation_callback != NULL) { 2496 /* Simply copy it off for later processing */ 2497 if (s->tlsext_scts != NULL) { 2498 OPENSSL_free(s->tlsext_scts); 2499 s->tlsext_scts = NULL; 2500 } 2501 s->tlsext_scts_len = size; 2502 if (size > 0) { 2503 s->tlsext_scts = OPENSSL_malloc(size); 2504 if (s->tlsext_scts == NULL) { 2505 *al = TLS1_AD_INTERNAL_ERROR; 2506 return 0; 2507 } 2508 memcpy(s->tlsext_scts, data, size); 2509 } 2510 } 2511 #endif 2512 #ifndef OPENSSL_NO_NEXTPROTONEG 2513 else if (type == TLSEXT_TYPE_next_proto_neg && 2514 s->s3->tmp.finish_md_len == 0) { 2515 unsigned char *selected; 2516 unsigned char selected_len; 2517 /* We must have requested it. */ 2518 if (s->ctx->next_proto_select_cb == NULL) { 2519 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2520 return 0; 2521 } 2522 /* The data must be valid */ 2523 if (!ssl_next_proto_validate(&spkt)) { 2524 *al = TLS1_AD_DECODE_ERROR; 2525 return 0; 2526 } 2527 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, 2528 size, 2529 s-> 2530 ctx->next_proto_select_cb_arg) != 2531 SSL_TLSEXT_ERR_OK) { 2532 *al = TLS1_AD_INTERNAL_ERROR; 2533 return 0; 2534 } 2535 /* 2536 * Could be non-NULL if server has sent multiple NPN extensions in 2537 * a single Serverhello 2538 */ 2539 OPENSSL_free(s->next_proto_negotiated); 2540 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 2541 if (s->next_proto_negotiated == NULL) { 2542 *al = TLS1_AD_INTERNAL_ERROR; 2543 return 0; 2544 } 2545 memcpy(s->next_proto_negotiated, selected, selected_len); 2546 s->next_proto_negotiated_len = selected_len; 2547 s->s3->next_proto_neg_seen = 1; 2548 } 2549 #endif 2550 2551 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { 2552 unsigned len; 2553 /* We must have requested it. */ 2554 if (!s->s3->alpn_sent) { 2555 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2556 return 0; 2557 } 2558 /*- 2559 * The extension data consists of: 2560 * uint16 list_length 2561 * uint8 proto_length; 2562 * uint8 proto[proto_length]; 2563 */ 2564 if (!PACKET_get_net_2(&spkt, &len) 2565 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len) 2566 || PACKET_remaining(&spkt) != len) { 2567 *al = TLS1_AD_DECODE_ERROR; 2568 return 0; 2569 } 2570 OPENSSL_free(s->s3->alpn_selected); 2571 s->s3->alpn_selected = OPENSSL_malloc(len); 2572 if (s->s3->alpn_selected == NULL) { 2573 *al = TLS1_AD_INTERNAL_ERROR; 2574 return 0; 2575 } 2576 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) { 2577 *al = TLS1_AD_DECODE_ERROR; 2578 return 0; 2579 } 2580 s->s3->alpn_selected_len = len; 2581 } 2582 #ifndef OPENSSL_NO_HEARTBEATS 2583 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { 2584 unsigned int hbtype; 2585 if (!PACKET_get_1(&spkt, &hbtype)) { 2586 *al = SSL_AD_DECODE_ERROR; 2587 return 0; 2588 } 2589 switch (hbtype) { 2590 case 0x01: /* Server allows us to send HB requests */ 2591 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; 2592 break; 2593 case 0x02: /* Server doesn't accept HB requests */ 2594 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; 2595 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; 2596 break; 2597 default: 2598 *al = SSL_AD_ILLEGAL_PARAMETER; 2599 return 0; 2600 } 2601 } 2602 #endif 2603 #ifndef OPENSSL_NO_SRTP 2604 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 2605 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al)) 2606 return 0; 2607 } 2608 #endif 2609 else if (type == TLSEXT_TYPE_encrypt_then_mac) { 2610 /* Ignore if inappropriate ciphersuite */ 2611 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && 2612 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD 2613 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) 2614 s->tlsext_use_etm = 1; 2615 } else if (type == TLSEXT_TYPE_extended_master_secret) { 2616 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; 2617 if (!s->hit) 2618 s->session->flags |= SSL_SESS_FLAG_EXTMS; 2619 } 2620 /* 2621 * If this extension type was not otherwise handled, but matches a 2622 * custom_cli_ext_record, then send it to the c callback 2623 */ 2624 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) 2625 return 0; 2626 } 2627 2628 if (PACKET_remaining(pkt) != 0) { 2629 *al = SSL_AD_DECODE_ERROR; 2630 return 0; 2631 } 2632 2633 if (!s->hit && tlsext_servername == 1) { 2634 if (s->tlsext_hostname) { 2635 if (s->session->tlsext_hostname == NULL) { 2636 s->session->tlsext_hostname = 2637 OPENSSL_strdup(s->tlsext_hostname); 2638 if (!s->session->tlsext_hostname) { 2639 *al = SSL_AD_UNRECOGNIZED_NAME; 2640 return 0; 2641 } 2642 } else { 2643 *al = SSL_AD_DECODE_ERROR; 2644 return 0; 2645 } 2646 } 2647 } 2648 2649 ri_check: 2650 2651 /* 2652 * Determine if we need to see RI. Strictly speaking if we want to avoid 2653 * an attack we should *always* see RI even on initial server hello 2654 * because the client doesn't see any renegotiation during an attack. 2655 * However this would mean we could not connect to any server which 2656 * doesn't support RI so for the immediate future tolerate RI absence 2657 */ 2658 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 2659 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 2660 *al = SSL_AD_HANDSHAKE_FAILURE; 2661 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 2662 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 2663 return 0; 2664 } 2665 2666 if (s->hit) { 2667 /* 2668 * Check extended master secret extension is consistent with 2669 * original session. 2670 */ 2671 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != 2672 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { 2673 *al = SSL_AD_HANDSHAKE_FAILURE; 2674 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS); 2675 return 0; 2676 } 2677 } 2678 2679 return 1; 2680 } 2681 2682 int ssl_prepare_clienthello_tlsext(SSL *s) 2683 { 2684 s->s3->alpn_sent = 0; 2685 return 1; 2686 } 2687 2688 int ssl_prepare_serverhello_tlsext(SSL *s) 2689 { 2690 return 1; 2691 } 2692 2693 static int ssl_check_clienthello_tlsext_early(SSL *s) 2694 { 2695 int ret = SSL_TLSEXT_ERR_NOACK; 2696 int al = SSL_AD_UNRECOGNIZED_NAME; 2697 2698 #ifndef OPENSSL_NO_EC 2699 /* 2700 * The handling of the ECPointFormats extension is done elsewhere, namely 2701 * in ssl3_choose_cipher in s3_lib.c. 2702 */ 2703 /* 2704 * The handling of the EllipticCurves extension is done elsewhere, namely 2705 * in ssl3_choose_cipher in s3_lib.c. 2706 */ 2707 #endif 2708 2709 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2710 ret = 2711 s->ctx->tlsext_servername_callback(s, &al, 2712 s->ctx->tlsext_servername_arg); 2713 else if (s->session_ctx != NULL 2714 && s->session_ctx->tlsext_servername_callback != 0) 2715 ret = 2716 s->session_ctx->tlsext_servername_callback(s, &al, 2717 s-> 2718 session_ctx->tlsext_servername_arg); 2719 2720 switch (ret) { 2721 case SSL_TLSEXT_ERR_ALERT_FATAL: 2722 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2723 return -1; 2724 2725 case SSL_TLSEXT_ERR_ALERT_WARNING: 2726 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2727 return 1; 2728 2729 case SSL_TLSEXT_ERR_NOACK: 2730 s->servername_done = 0; 2731 /* fall thru */ 2732 default: 2733 return 1; 2734 } 2735 } 2736 2737 /* Initialise digests to default values */ 2738 void ssl_set_default_md(SSL *s) 2739 { 2740 const EVP_MD **pmd = s->s3->tmp.md; 2741 #ifndef OPENSSL_NO_DSA 2742 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX); 2743 #endif 2744 #ifndef OPENSSL_NO_RSA 2745 if (SSL_USE_SIGALGS(s)) 2746 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX); 2747 else 2748 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX); 2749 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN]; 2750 #endif 2751 #ifndef OPENSSL_NO_EC 2752 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX); 2753 #endif 2754 #ifndef OPENSSL_NO_GOST 2755 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX); 2756 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX); 2757 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX); 2758 #endif 2759 } 2760 2761 int tls1_set_server_sigalgs(SSL *s) 2762 { 2763 int al; 2764 size_t i; 2765 2766 /* Clear any shared signature algorithms */ 2767 OPENSSL_free(s->cert->shared_sigalgs); 2768 s->cert->shared_sigalgs = NULL; 2769 s->cert->shared_sigalgslen = 0; 2770 /* Clear certificate digests and validity flags */ 2771 for (i = 0; i < SSL_PKEY_NUM; i++) { 2772 s->s3->tmp.md[i] = NULL; 2773 s->s3->tmp.valid_flags[i] = 0; 2774 } 2775 2776 /* If sigalgs received process it. */ 2777 if (s->s3->tmp.peer_sigalgs) { 2778 if (!tls1_process_sigalgs(s)) { 2779 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); 2780 al = SSL_AD_INTERNAL_ERROR; 2781 goto err; 2782 } 2783 /* Fatal error is no shared signature algorithms */ 2784 if (!s->cert->shared_sigalgs) { 2785 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, 2786 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); 2787 al = SSL_AD_ILLEGAL_PARAMETER; 2788 goto err; 2789 } 2790 } else { 2791 ssl_set_default_md(s); 2792 } 2793 return 1; 2794 err: 2795 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2796 return 0; 2797 } 2798 2799 /* 2800 * Upon success, returns 1. 2801 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert. 2802 */ 2803 int ssl_check_clienthello_tlsext_late(SSL *s, int *al) 2804 { 2805 s->tlsext_status_expected = 0; 2806 2807 /* 2808 * If status request then ask callback what to do. Note: this must be 2809 * called after servername callbacks in case the certificate has changed, 2810 * and must be called after the cipher has been chosen because this may 2811 * influence which certificate is sent 2812 */ 2813 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { 2814 int ret; 2815 CERT_PKEY *certpkey; 2816 certpkey = ssl_get_server_send_pkey(s); 2817 /* If no certificate can't return certificate status */ 2818 if (certpkey != NULL) { 2819 /* 2820 * Set current certificate to one we will use so SSL_get_certificate 2821 * et al can pick it up. 2822 */ 2823 s->cert->key = certpkey; 2824 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2825 switch (ret) { 2826 /* We don't want to send a status request response */ 2827 case SSL_TLSEXT_ERR_NOACK: 2828 s->tlsext_status_expected = 0; 2829 break; 2830 /* status request response should be sent */ 2831 case SSL_TLSEXT_ERR_OK: 2832 if (s->tlsext_ocsp_resp) 2833 s->tlsext_status_expected = 1; 2834 break; 2835 /* something bad happened */ 2836 case SSL_TLSEXT_ERR_ALERT_FATAL: 2837 default: 2838 *al = SSL_AD_INTERNAL_ERROR; 2839 return 0; 2840 } 2841 } 2842 } 2843 2844 if (!tls1_alpn_handle_client_hello_late(s, al)) { 2845 return 0; 2846 } 2847 2848 return 1; 2849 } 2850 2851 int ssl_check_serverhello_tlsext(SSL *s) 2852 { 2853 int ret = SSL_TLSEXT_ERR_NOACK; 2854 int al = SSL_AD_UNRECOGNIZED_NAME; 2855 2856 #ifndef OPENSSL_NO_EC 2857 /* 2858 * If we are client and using an elliptic curve cryptography cipher 2859 * suite, then if server returns an EC point formats lists extension it 2860 * must contain uncompressed. 2861 */ 2862 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2863 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2864 if ((s->tlsext_ecpointformatlist != NULL) 2865 && (s->tlsext_ecpointformatlist_length > 0) 2866 && (s->session->tlsext_ecpointformatlist != NULL) 2867 && (s->session->tlsext_ecpointformatlist_length > 0) 2868 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 2869 /* we are using an ECC cipher */ 2870 size_t i; 2871 unsigned char *list; 2872 int found_uncompressed = 0; 2873 list = s->session->tlsext_ecpointformatlist; 2874 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 2875 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 2876 found_uncompressed = 1; 2877 break; 2878 } 2879 } 2880 if (!found_uncompressed) { 2881 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, 2882 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2883 return -1; 2884 } 2885 } 2886 ret = SSL_TLSEXT_ERR_OK; 2887 #endif /* OPENSSL_NO_EC */ 2888 2889 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2890 ret = 2891 s->ctx->tlsext_servername_callback(s, &al, 2892 s->ctx->tlsext_servername_arg); 2893 else if (s->session_ctx != NULL 2894 && s->session_ctx->tlsext_servername_callback != 0) 2895 ret = 2896 s->session_ctx->tlsext_servername_callback(s, &al, 2897 s-> 2898 session_ctx->tlsext_servername_arg); 2899 2900 /* 2901 * Ensure we get sensible values passed to tlsext_status_cb in the event 2902 * that we don't receive a status message 2903 */ 2904 OPENSSL_free(s->tlsext_ocsp_resp); 2905 s->tlsext_ocsp_resp = NULL; 2906 s->tlsext_ocsp_resplen = -1; 2907 2908 switch (ret) { 2909 case SSL_TLSEXT_ERR_ALERT_FATAL: 2910 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2911 return -1; 2912 2913 case SSL_TLSEXT_ERR_ALERT_WARNING: 2914 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2915 return 1; 2916 2917 case SSL_TLSEXT_ERR_NOACK: 2918 s->servername_done = 0; 2919 /* fall thru */ 2920 default: 2921 return 1; 2922 } 2923 } 2924 2925 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt) 2926 { 2927 int al = -1; 2928 if (s->version < SSL3_VERSION) 2929 return 1; 2930 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) { 2931 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2932 return 0; 2933 } 2934 2935 if (ssl_check_serverhello_tlsext(s) <= 0) { 2936 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT); 2937 return 0; 2938 } 2939 return 1; 2940 } 2941 2942 /*- 2943 * Since the server cache lookup is done early on in the processing of the 2944 * ClientHello and other operations depend on the result some extensions 2945 * need to be handled at the same time. 2946 * 2947 * Two extensions are currently handled, session ticket and extended master 2948 * secret. 2949 * 2950 * session_id: ClientHello session ID. 2951 * ext: ClientHello extensions (including length prefix) 2952 * ret: (output) on return, if a ticket was decrypted, then this is set to 2953 * point to the resulting session. 2954 * 2955 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2956 * ciphersuite, in which case we have no use for session tickets and one will 2957 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2958 * 2959 * Returns: 2960 * -1: fatal error, either from parsing or decrypting the ticket. 2961 * 0: no ticket was found (or was ignored, based on settings). 2962 * 1: a zero length extension was found, indicating that the client supports 2963 * session tickets but doesn't currently have one to offer. 2964 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2965 * couldn't be decrypted because of a non-fatal error. 2966 * 3: a ticket was successfully decrypted and *ret was set. 2967 * 2968 * Side effects: 2969 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2970 * a new session ticket to the client because the client indicated support 2971 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2972 * a session ticket or we couldn't use the one it gave us, or if 2973 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2974 * Otherwise, s->tlsext_ticket_expected is set to 0. 2975 * 2976 * For extended master secret flag is set if the extension is present. 2977 * 2978 */ 2979 int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, 2980 const PACKET *session_id, 2981 SSL_SESSION **ret) 2982 { 2983 unsigned int i; 2984 PACKET local_ext = *ext; 2985 int retv = -1; 2986 2987 int have_ticket = 0; 2988 int use_ticket = tls_use_ticket(s); 2989 2990 *ret = NULL; 2991 s->tlsext_ticket_expected = 0; 2992 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; 2993 2994 /* 2995 * If tickets disabled behave as if no ticket present to permit stateful 2996 * resumption. 2997 */ 2998 if ((s->version <= SSL3_VERSION)) 2999 return 0; 3000 3001 if (!PACKET_get_net_2(&local_ext, &i)) { 3002 retv = 0; 3003 goto end; 3004 } 3005 while (PACKET_remaining(&local_ext) >= 4) { 3006 unsigned int type, size; 3007 3008 if (!PACKET_get_net_2(&local_ext, &type) 3009 || !PACKET_get_net_2(&local_ext, &size)) { 3010 /* Shouldn't ever happen */ 3011 retv = -1; 3012 goto end; 3013 } 3014 if (PACKET_remaining(&local_ext) < size) { 3015 retv = 0; 3016 goto end; 3017 } 3018 if (type == TLSEXT_TYPE_session_ticket && use_ticket) { 3019 int r; 3020 const unsigned char *etick; 3021 3022 /* Duplicate extension */ 3023 if (have_ticket != 0) { 3024 retv = -1; 3025 goto end; 3026 } 3027 have_ticket = 1; 3028 3029 if (size == 0) { 3030 /* 3031 * The client will accept a ticket but doesn't currently have 3032 * one. 3033 */ 3034 s->tlsext_ticket_expected = 1; 3035 retv = 1; 3036 continue; 3037 } 3038 if (s->tls_session_secret_cb) { 3039 /* 3040 * Indicate that the ticket couldn't be decrypted rather than 3041 * generating the session from ticket now, trigger 3042 * abbreviated handshake based on external mechanism to 3043 * calculate the master secret later. 3044 */ 3045 retv = 2; 3046 continue; 3047 } 3048 if (!PACKET_get_bytes(&local_ext, &etick, size)) { 3049 /* Shouldn't ever happen */ 3050 retv = -1; 3051 goto end; 3052 } 3053 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id), 3054 PACKET_remaining(session_id), ret); 3055 switch (r) { 3056 case 2: /* ticket couldn't be decrypted */ 3057 s->tlsext_ticket_expected = 1; 3058 retv = 2; 3059 break; 3060 case 3: /* ticket was decrypted */ 3061 retv = r; 3062 break; 3063 case 4: /* ticket decrypted but need to renew */ 3064 s->tlsext_ticket_expected = 1; 3065 retv = 3; 3066 break; 3067 default: /* fatal error */ 3068 retv = -1; 3069 break; 3070 } 3071 continue; 3072 } else { 3073 if (type == TLSEXT_TYPE_extended_master_secret) 3074 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; 3075 if (!PACKET_forward(&local_ext, size)) { 3076 retv = -1; 3077 goto end; 3078 } 3079 } 3080 } 3081 if (have_ticket == 0) 3082 retv = 0; 3083 end: 3084 return retv; 3085 } 3086 3087 /*- 3088 * tls_decrypt_ticket attempts to decrypt a session ticket. 3089 * 3090 * etick: points to the body of the session ticket extension. 3091 * eticklen: the length of the session tickets extension. 3092 * sess_id: points at the session ID. 3093 * sesslen: the length of the session ID. 3094 * psess: (output) on return, if a ticket was decrypted, then this is set to 3095 * point to the resulting session. 3096 * 3097 * Returns: 3098 * -2: fatal error, malloc failure. 3099 * -1: fatal error, either from parsing or decrypting the ticket. 3100 * 2: the ticket couldn't be decrypted. 3101 * 3: a ticket was successfully decrypted and *psess was set. 3102 * 4: same as 3, but the ticket needs to be renewed. 3103 */ 3104 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 3105 int eticklen, const unsigned char *sess_id, 3106 int sesslen, SSL_SESSION **psess) 3107 { 3108 SSL_SESSION *sess; 3109 unsigned char *sdec; 3110 const unsigned char *p; 3111 int slen, mlen, renew_ticket = 0, ret = -1; 3112 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 3113 HMAC_CTX *hctx = NULL; 3114 EVP_CIPHER_CTX *ctx = NULL; 3115 SSL_CTX *tctx = s->session_ctx; 3116 3117 /* Need at least keyname + iv */ 3118 if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { 3119 ret = 2; 3120 goto err; 3121 } 3122 3123 /* Initialize session ticket encryption and HMAC contexts */ 3124 hctx = HMAC_CTX_new(); 3125 if (hctx == NULL) 3126 return -2; 3127 ctx = EVP_CIPHER_CTX_new(); 3128 if (ctx == NULL) { 3129 ret = -2; 3130 goto err; 3131 } 3132 if (tctx->tlsext_ticket_key_cb) { 3133 unsigned char *nctick = (unsigned char *)etick; 3134 int rv = tctx->tlsext_ticket_key_cb(s, nctick, 3135 nctick + TLSEXT_KEYNAME_LENGTH, 3136 ctx, hctx, 0); 3137 if (rv < 0) 3138 goto err; 3139 if (rv == 0) { 3140 ret = 2; 3141 goto err; 3142 } 3143 if (rv == 2) 3144 renew_ticket = 1; 3145 } else { 3146 /* Check key name matches */ 3147 if (memcmp(etick, tctx->tlsext_tick_key_name, 3148 TLSEXT_KEYNAME_LENGTH) != 0) { 3149 ret = 2; 3150 goto err; 3151 } 3152 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 3153 sizeof(tctx->tlsext_tick_hmac_key), 3154 EVP_sha256(), NULL) <= 0 3155 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 3156 tctx->tlsext_tick_aes_key, 3157 etick + TLSEXT_KEYNAME_LENGTH) <= 0) { 3158 goto err; 3159 } 3160 } 3161 /* 3162 * Attempt to process session ticket, first conduct sanity and integrity 3163 * checks on ticket. 3164 */ 3165 mlen = HMAC_size(hctx); 3166 if (mlen < 0) { 3167 goto err; 3168 } 3169 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 3170 if (eticklen <= 3171 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { 3172 ret = 2; 3173 goto err; 3174 } 3175 eticklen -= mlen; 3176 /* Check HMAC of encrypted ticket */ 3177 if (HMAC_Update(hctx, etick, eticklen) <= 0 3178 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) { 3179 goto err; 3180 } 3181 HMAC_CTX_free(hctx); 3182 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 3183 EVP_CIPHER_CTX_free(ctx); 3184 return 2; 3185 } 3186 /* Attempt to decrypt session data */ 3187 /* Move p after IV to start of encrypted ticket, update length */ 3188 p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 3189 eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); 3190 sdec = OPENSSL_malloc(eticklen); 3191 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) { 3192 EVP_CIPHER_CTX_free(ctx); 3193 OPENSSL_free(sdec); 3194 return -1; 3195 } 3196 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) { 3197 EVP_CIPHER_CTX_free(ctx); 3198 OPENSSL_free(sdec); 3199 return 2; 3200 } 3201 slen += mlen; 3202 EVP_CIPHER_CTX_free(ctx); 3203 ctx = NULL; 3204 p = sdec; 3205 3206 sess = d2i_SSL_SESSION(NULL, &p, slen); 3207 slen -= p - sdec; 3208 OPENSSL_free(sdec); 3209 if (sess) { 3210 /* Some additional consistency checks */ 3211 if (slen != 0 || sess->session_id_length != 0) { 3212 SSL_SESSION_free(sess); 3213 return 2; 3214 } 3215 /* 3216 * The session ID, if non-empty, is used by some clients to detect 3217 * that the ticket has been accepted. So we copy it to the session 3218 * structure. If it is empty set length to zero as required by 3219 * standard. 3220 */ 3221 if (sesslen) 3222 memcpy(sess->session_id, sess_id, sesslen); 3223 sess->session_id_length = sesslen; 3224 *psess = sess; 3225 if (renew_ticket) 3226 return 4; 3227 else 3228 return 3; 3229 } 3230 ERR_clear_error(); 3231 /* 3232 * For session parse failure, indicate that we need to send a new ticket. 3233 */ 3234 return 2; 3235 err: 3236 EVP_CIPHER_CTX_free(ctx); 3237 HMAC_CTX_free(hctx); 3238 return ret; 3239 } 3240 3241 /* Tables to translate from NIDs to TLS v1.2 ids */ 3242 3243 typedef struct { 3244 int nid; 3245 int id; 3246 } tls12_lookup; 3247 3248 static const tls12_lookup tls12_md[] = { 3249 {NID_md5, TLSEXT_hash_md5}, 3250 {NID_sha1, TLSEXT_hash_sha1}, 3251 {NID_sha224, TLSEXT_hash_sha224}, 3252 {NID_sha256, TLSEXT_hash_sha256}, 3253 {NID_sha384, TLSEXT_hash_sha384}, 3254 {NID_sha512, TLSEXT_hash_sha512}, 3255 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411}, 3256 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256}, 3257 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512}, 3258 }; 3259 3260 static const tls12_lookup tls12_sig[] = { 3261 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 3262 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 3263 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 3264 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001}, 3265 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256}, 3266 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512} 3267 }; 3268 3269 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) 3270 { 3271 size_t i; 3272 for (i = 0; i < tlen; i++) { 3273 if (table[i].nid == nid) 3274 return table[i].id; 3275 } 3276 return -1; 3277 } 3278 3279 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen) 3280 { 3281 size_t i; 3282 for (i = 0; i < tlen; i++) { 3283 if ((table[i].id) == id) 3284 return table[i].nid; 3285 } 3286 return NID_undef; 3287 } 3288 3289 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 3290 { 3291 int sig_id, md_id; 3292 if (!md) 3293 return 0; 3294 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md)); 3295 if (md_id == -1) 3296 return 0; 3297 sig_id = tls12_get_sigid(pk); 3298 if (sig_id == -1) 3299 return 0; 3300 p[0] = (unsigned char)md_id; 3301 p[1] = (unsigned char)sig_id; 3302 return 1; 3303 } 3304 3305 int tls12_get_sigid(const EVP_PKEY *pk) 3306 { 3307 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig)); 3308 } 3309 3310 typedef struct { 3311 int nid; 3312 int secbits; 3313 int md_idx; 3314 unsigned char tlsext_hash; 3315 } tls12_hash_info; 3316 3317 static const tls12_hash_info tls12_md_info[] = { 3318 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5}, 3319 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1}, 3320 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224}, 3321 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256}, 3322 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384}, 3323 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512}, 3324 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411}, 3325 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, 3326 TLSEXT_hash_gostr34112012_256}, 3327 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, 3328 TLSEXT_hash_gostr34112012_512}, 3329 }; 3330 3331 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) 3332 { 3333 unsigned int i; 3334 if (hash_alg == 0) 3335 return NULL; 3336 3337 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) { 3338 if (tls12_md_info[i].tlsext_hash == hash_alg) 3339 return tls12_md_info + i; 3340 } 3341 3342 return NULL; 3343 } 3344 3345 const EVP_MD *tls12_get_hash(unsigned char hash_alg) 3346 { 3347 const tls12_hash_info *inf; 3348 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) 3349 return NULL; 3350 inf = tls12_get_hash_info(hash_alg); 3351 if (!inf) 3352 return NULL; 3353 return ssl_md(inf->md_idx); 3354 } 3355 3356 static int tls12_get_pkey_idx(unsigned char sig_alg) 3357 { 3358 switch (sig_alg) { 3359 #ifndef OPENSSL_NO_RSA 3360 case TLSEXT_signature_rsa: 3361 return SSL_PKEY_RSA_SIGN; 3362 #endif 3363 #ifndef OPENSSL_NO_DSA 3364 case TLSEXT_signature_dsa: 3365 return SSL_PKEY_DSA_SIGN; 3366 #endif 3367 #ifndef OPENSSL_NO_EC 3368 case TLSEXT_signature_ecdsa: 3369 return SSL_PKEY_ECC; 3370 #endif 3371 #ifndef OPENSSL_NO_GOST 3372 case TLSEXT_signature_gostr34102001: 3373 return SSL_PKEY_GOST01; 3374 3375 case TLSEXT_signature_gostr34102012_256: 3376 return SSL_PKEY_GOST12_256; 3377 3378 case TLSEXT_signature_gostr34102012_512: 3379 return SSL_PKEY_GOST12_512; 3380 #endif 3381 } 3382 return -1; 3383 } 3384 3385 /* Convert TLS 1.2 signature algorithm extension values into NIDs */ 3386 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, 3387 int *psignhash_nid, const unsigned char *data) 3388 { 3389 int sign_nid = NID_undef, hash_nid = NID_undef; 3390 if (!phash_nid && !psign_nid && !psignhash_nid) 3391 return; 3392 if (phash_nid || psignhash_nid) { 3393 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md)); 3394 if (phash_nid) 3395 *phash_nid = hash_nid; 3396 } 3397 if (psign_nid || psignhash_nid) { 3398 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig)); 3399 if (psign_nid) 3400 *psign_nid = sign_nid; 3401 } 3402 if (psignhash_nid) { 3403 if (sign_nid == NID_undef || hash_nid == NID_undef 3404 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0) 3405 *psignhash_nid = NID_undef; 3406 } 3407 } 3408 3409 /* Check to see if a signature algorithm is allowed */ 3410 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp) 3411 { 3412 /* See if we have an entry in the hash table and it is enabled */ 3413 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]); 3414 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL) 3415 return 0; 3416 /* See if public key algorithm allowed */ 3417 if (tls12_get_pkey_idx(ptmp[1]) == -1) 3418 return 0; 3419 /* Finally see if security callback allows it */ 3420 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp); 3421 } 3422 3423 /* 3424 * Get a mask of disabled public key algorithms based on supported signature 3425 * algorithms. For example if no signature algorithm supports RSA then RSA is 3426 * disabled. 3427 */ 3428 3429 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) 3430 { 3431 const unsigned char *sigalgs; 3432 size_t i, sigalgslen; 3433 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; 3434 /* 3435 * Now go through all signature algorithms seeing if we support any for 3436 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep 3437 * down calls to security callback only check if we have to. 3438 */ 3439 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); 3440 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { 3441 switch (sigalgs[1]) { 3442 #ifndef OPENSSL_NO_RSA 3443 case TLSEXT_signature_rsa: 3444 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs)) 3445 have_rsa = 1; 3446 break; 3447 #endif 3448 #ifndef OPENSSL_NO_DSA 3449 case TLSEXT_signature_dsa: 3450 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs)) 3451 have_dsa = 1; 3452 break; 3453 #endif 3454 #ifndef OPENSSL_NO_EC 3455 case TLSEXT_signature_ecdsa: 3456 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs)) 3457 have_ecdsa = 1; 3458 break; 3459 #endif 3460 } 3461 } 3462 if (!have_rsa) 3463 *pmask_a |= SSL_aRSA; 3464 if (!have_dsa) 3465 *pmask_a |= SSL_aDSS; 3466 if (!have_ecdsa) 3467 *pmask_a |= SSL_aECDSA; 3468 } 3469 3470 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out, 3471 const unsigned char *psig, size_t psiglen) 3472 { 3473 unsigned char *tmpout = out; 3474 size_t i; 3475 for (i = 0; i < psiglen; i += 2, psig += 2) { 3476 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) { 3477 *tmpout++ = psig[0]; 3478 *tmpout++ = psig[1]; 3479 } 3480 } 3481 return tmpout - out; 3482 } 3483 3484 /* Given preference and allowed sigalgs set shared sigalgs */ 3485 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, 3486 const unsigned char *pref, size_t preflen, 3487 const unsigned char *allow, size_t allowlen) 3488 { 3489 const unsigned char *ptmp, *atmp; 3490 size_t i, j, nmatch = 0; 3491 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) { 3492 /* Skip disabled hashes or signature algorithms */ 3493 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp)) 3494 continue; 3495 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) { 3496 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) { 3497 nmatch++; 3498 if (shsig) { 3499 shsig->rhash = ptmp[0]; 3500 shsig->rsign = ptmp[1]; 3501 tls1_lookup_sigalg(&shsig->hash_nid, 3502 &shsig->sign_nid, 3503 &shsig->signandhash_nid, ptmp); 3504 shsig++; 3505 } 3506 break; 3507 } 3508 } 3509 } 3510 return nmatch; 3511 } 3512 3513 /* Set shared signature algorithms for SSL structures */ 3514 static int tls1_set_shared_sigalgs(SSL *s) 3515 { 3516 const unsigned char *pref, *allow, *conf; 3517 size_t preflen, allowlen, conflen; 3518 size_t nmatch; 3519 TLS_SIGALGS *salgs = NULL; 3520 CERT *c = s->cert; 3521 unsigned int is_suiteb = tls1_suiteb(s); 3522 3523 OPENSSL_free(c->shared_sigalgs); 3524 c->shared_sigalgs = NULL; 3525 c->shared_sigalgslen = 0; 3526 /* If client use client signature algorithms if not NULL */ 3527 if (!s->server && c->client_sigalgs && !is_suiteb) { 3528 conf = c->client_sigalgs; 3529 conflen = c->client_sigalgslen; 3530 } else if (c->conf_sigalgs && !is_suiteb) { 3531 conf = c->conf_sigalgs; 3532 conflen = c->conf_sigalgslen; 3533 } else 3534 conflen = tls12_get_psigalgs(s, 0, &conf); 3535 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 3536 pref = conf; 3537 preflen = conflen; 3538 allow = s->s3->tmp.peer_sigalgs; 3539 allowlen = s->s3->tmp.peer_sigalgslen; 3540 } else { 3541 allow = conf; 3542 allowlen = conflen; 3543 pref = s->s3->tmp.peer_sigalgs; 3544 preflen = s->s3->tmp.peer_sigalgslen; 3545 } 3546 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); 3547 if (nmatch) { 3548 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); 3549 if (salgs == NULL) 3550 return 0; 3551 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); 3552 } else { 3553 salgs = NULL; 3554 } 3555 c->shared_sigalgs = salgs; 3556 c->shared_sigalgslen = nmatch; 3557 return 1; 3558 } 3559 3560 /* Set preferred digest for each key type */ 3561 3562 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize) 3563 { 3564 CERT *c = s->cert; 3565 /* Extension ignored for inappropriate versions */ 3566 if (!SSL_USE_SIGALGS(s)) 3567 return 1; 3568 /* Should never happen */ 3569 if (!c) 3570 return 0; 3571 3572 OPENSSL_free(s->s3->tmp.peer_sigalgs); 3573 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize); 3574 if (s->s3->tmp.peer_sigalgs == NULL) 3575 return 0; 3576 s->s3->tmp.peer_sigalgslen = dsize; 3577 memcpy(s->s3->tmp.peer_sigalgs, data, dsize); 3578 return 1; 3579 } 3580 3581 int tls1_process_sigalgs(SSL *s) 3582 { 3583 int idx; 3584 size_t i; 3585 const EVP_MD *md; 3586 const EVP_MD **pmd = s->s3->tmp.md; 3587 uint32_t *pvalid = s->s3->tmp.valid_flags; 3588 CERT *c = s->cert; 3589 TLS_SIGALGS *sigptr; 3590 if (!tls1_set_shared_sigalgs(s)) 3591 return 0; 3592 3593 for (i = 0, sigptr = c->shared_sigalgs; 3594 i < c->shared_sigalgslen; i++, sigptr++) { 3595 idx = tls12_get_pkey_idx(sigptr->rsign); 3596 if (idx > 0 && pmd[idx] == NULL) { 3597 md = tls12_get_hash(sigptr->rhash); 3598 pmd[idx] = md; 3599 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN; 3600 if (idx == SSL_PKEY_RSA_SIGN) { 3601 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN; 3602 pmd[SSL_PKEY_RSA_ENC] = md; 3603 } 3604 } 3605 3606 } 3607 /* 3608 * In strict mode leave unset digests as NULL to indicate we can't use 3609 * the certificate for signing. 3610 */ 3611 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 3612 /* 3613 * Set any remaining keys to default values. NOTE: if alg is not 3614 * supported it stays as NULL. 3615 */ 3616 #ifndef OPENSSL_NO_DSA 3617 if (pmd[SSL_PKEY_DSA_SIGN] == NULL) 3618 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1(); 3619 #endif 3620 #ifndef OPENSSL_NO_RSA 3621 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) { 3622 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1(); 3623 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1(); 3624 } 3625 #endif 3626 #ifndef OPENSSL_NO_EC 3627 if (pmd[SSL_PKEY_ECC] == NULL) 3628 pmd[SSL_PKEY_ECC] = EVP_sha1(); 3629 #endif 3630 #ifndef OPENSSL_NO_GOST 3631 if (pmd[SSL_PKEY_GOST01] == NULL) 3632 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94); 3633 if (pmd[SSL_PKEY_GOST12_256] == NULL) 3634 pmd[SSL_PKEY_GOST12_256] = 3635 EVP_get_digestbynid(NID_id_GostR3411_2012_256); 3636 if (pmd[SSL_PKEY_GOST12_512] == NULL) 3637 pmd[SSL_PKEY_GOST12_512] = 3638 EVP_get_digestbynid(NID_id_GostR3411_2012_512); 3639 #endif 3640 } 3641 return 1; 3642 } 3643 3644 int SSL_get_sigalgs(SSL *s, int idx, 3645 int *psign, int *phash, int *psignhash, 3646 unsigned char *rsig, unsigned char *rhash) 3647 { 3648 const unsigned char *psig = s->s3->tmp.peer_sigalgs; 3649 if (psig == NULL) 3650 return 0; 3651 if (idx >= 0) { 3652 idx <<= 1; 3653 if (idx >= (int)s->s3->tmp.peer_sigalgslen) 3654 return 0; 3655 psig += idx; 3656 if (rhash) 3657 *rhash = psig[0]; 3658 if (rsig) 3659 *rsig = psig[1]; 3660 tls1_lookup_sigalg(phash, psign, psignhash, psig); 3661 } 3662 return s->s3->tmp.peer_sigalgslen / 2; 3663 } 3664 3665 int SSL_get_shared_sigalgs(SSL *s, int idx, 3666 int *psign, int *phash, int *psignhash, 3667 unsigned char *rsig, unsigned char *rhash) 3668 { 3669 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; 3670 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) 3671 return 0; 3672 shsigalgs += idx; 3673 if (phash) 3674 *phash = shsigalgs->hash_nid; 3675 if (psign) 3676 *psign = shsigalgs->sign_nid; 3677 if (psignhash) 3678 *psignhash = shsigalgs->signandhash_nid; 3679 if (rsig) 3680 *rsig = shsigalgs->rsign; 3681 if (rhash) 3682 *rhash = shsigalgs->rhash; 3683 return s->cert->shared_sigalgslen; 3684 } 3685 3686 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) 3687 3688 typedef struct { 3689 size_t sigalgcnt; 3690 int sigalgs[MAX_SIGALGLEN]; 3691 } sig_cb_st; 3692 3693 static void get_sigorhash(int *psig, int *phash, const char *str) 3694 { 3695 if (strcmp(str, "RSA") == 0) { 3696 *psig = EVP_PKEY_RSA; 3697 } else if (strcmp(str, "DSA") == 0) { 3698 *psig = EVP_PKEY_DSA; 3699 } else if (strcmp(str, "ECDSA") == 0) { 3700 *psig = EVP_PKEY_EC; 3701 } else { 3702 *phash = OBJ_sn2nid(str); 3703 if (*phash == NID_undef) 3704 *phash = OBJ_ln2nid(str); 3705 } 3706 } 3707 3708 static int sig_cb(const char *elem, int len, void *arg) 3709 { 3710 sig_cb_st *sarg = arg; 3711 size_t i; 3712 char etmp[20], *p; 3713 int sig_alg = NID_undef, hash_alg = NID_undef; 3714 if (elem == NULL) 3715 return 0; 3716 if (sarg->sigalgcnt == MAX_SIGALGLEN) 3717 return 0; 3718 if (len > (int)(sizeof(etmp) - 1)) 3719 return 0; 3720 memcpy(etmp, elem, len); 3721 etmp[len] = 0; 3722 p = strchr(etmp, '+'); 3723 if (!p) 3724 return 0; 3725 *p = 0; 3726 p++; 3727 if (!*p) 3728 return 0; 3729 3730 get_sigorhash(&sig_alg, &hash_alg, etmp); 3731 get_sigorhash(&sig_alg, &hash_alg, p); 3732 3733 if (sig_alg == NID_undef || hash_alg == NID_undef) 3734 return 0; 3735 3736 for (i = 0; i < sarg->sigalgcnt; i += 2) { 3737 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg) 3738 return 0; 3739 } 3740 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg; 3741 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg; 3742 return 1; 3743 } 3744 3745 /* 3746 * Set supported signature algorithms based on a colon separated list of the 3747 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 3748 */ 3749 int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 3750 { 3751 sig_cb_st sig; 3752 sig.sigalgcnt = 0; 3753 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 3754 return 0; 3755 if (c == NULL) 3756 return 1; 3757 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 3758 } 3759 3760 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) 3761 { 3762 unsigned char *sigalgs, *sptr; 3763 int rhash, rsign; 3764 size_t i; 3765 if (salglen & 1) 3766 return 0; 3767 sigalgs = OPENSSL_malloc(salglen); 3768 if (sigalgs == NULL) 3769 return 0; 3770 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 3771 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md)); 3772 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig)); 3773 3774 if (rhash == -1 || rsign == -1) 3775 goto err; 3776 *sptr++ = rhash; 3777 *sptr++ = rsign; 3778 } 3779 3780 if (client) { 3781 OPENSSL_free(c->client_sigalgs); 3782 c->client_sigalgs = sigalgs; 3783 c->client_sigalgslen = salglen; 3784 } else { 3785 OPENSSL_free(c->conf_sigalgs); 3786 c->conf_sigalgs = sigalgs; 3787 c->conf_sigalgslen = salglen; 3788 } 3789 3790 return 1; 3791 3792 err: 3793 OPENSSL_free(sigalgs); 3794 return 0; 3795 } 3796 3797 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) 3798 { 3799 int sig_nid; 3800 size_t i; 3801 if (default_nid == -1) 3802 return 1; 3803 sig_nid = X509_get_signature_nid(x); 3804 if (default_nid) 3805 return sig_nid == default_nid ? 1 : 0; 3806 for (i = 0; i < c->shared_sigalgslen; i++) 3807 if (sig_nid == c->shared_sigalgs[i].signandhash_nid) 3808 return 1; 3809 return 0; 3810 } 3811 3812 /* Check to see if a certificate issuer name matches list of CA names */ 3813 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 3814 { 3815 X509_NAME *nm; 3816 int i; 3817 nm = X509_get_issuer_name(x); 3818 for (i = 0; i < sk_X509_NAME_num(names); i++) { 3819 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 3820 return 1; 3821 } 3822 return 0; 3823 } 3824 3825 /* 3826 * Check certificate chain is consistent with TLS extensions and is usable by 3827 * server. This servers two purposes: it allows users to check chains before 3828 * passing them to the server and it allows the server to check chains before 3829 * attempting to use them. 3830 */ 3831 3832 /* Flags which need to be set for a certificate when strict mode not set */ 3833 3834 #define CERT_PKEY_VALID_FLAGS \ 3835 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 3836 /* Strict mode flags */ 3837 #define CERT_PKEY_STRICT_FLAGS \ 3838 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 3839 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 3840 3841 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 3842 int idx) 3843 { 3844 int i; 3845 int rv = 0; 3846 int check_flags = 0, strict_mode; 3847 CERT_PKEY *cpk = NULL; 3848 CERT *c = s->cert; 3849 uint32_t *pvalid; 3850 unsigned int suiteb_flags = tls1_suiteb(s); 3851 /* idx == -1 means checking server chains */ 3852 if (idx != -1) { 3853 /* idx == -2 means checking client certificate chains */ 3854 if (idx == -2) { 3855 cpk = c->key; 3856 idx = cpk - c->pkeys; 3857 } else 3858 cpk = c->pkeys + idx; 3859 pvalid = s->s3->tmp.valid_flags + idx; 3860 x = cpk->x509; 3861 pk = cpk->privatekey; 3862 chain = cpk->chain; 3863 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 3864 /* If no cert or key, forget it */ 3865 if (!x || !pk) 3866 goto end; 3867 } else { 3868 if (!x || !pk) 3869 return 0; 3870 idx = ssl_cert_type(x, pk); 3871 if (idx == -1) 3872 return 0; 3873 pvalid = s->s3->tmp.valid_flags + idx; 3874 3875 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 3876 check_flags = CERT_PKEY_STRICT_FLAGS; 3877 else 3878 check_flags = CERT_PKEY_VALID_FLAGS; 3879 strict_mode = 1; 3880 } 3881 3882 if (suiteb_flags) { 3883 int ok; 3884 if (check_flags) 3885 check_flags |= CERT_PKEY_SUITEB; 3886 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 3887 if (ok == X509_V_OK) 3888 rv |= CERT_PKEY_SUITEB; 3889 else if (!check_flags) 3890 goto end; 3891 } 3892 3893 /* 3894 * Check all signature algorithms are consistent with signature 3895 * algorithms extension if TLS 1.2 or later and strict mode. 3896 */ 3897 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 3898 int default_nid; 3899 unsigned char rsign = 0; 3900 if (s->s3->tmp.peer_sigalgs) 3901 default_nid = 0; 3902 /* If no sigalgs extension use defaults from RFC5246 */ 3903 else { 3904 switch (idx) { 3905 case SSL_PKEY_RSA_ENC: 3906 case SSL_PKEY_RSA_SIGN: 3907 rsign = TLSEXT_signature_rsa; 3908 default_nid = NID_sha1WithRSAEncryption; 3909 break; 3910 3911 case SSL_PKEY_DSA_SIGN: 3912 rsign = TLSEXT_signature_dsa; 3913 default_nid = NID_dsaWithSHA1; 3914 break; 3915 3916 case SSL_PKEY_ECC: 3917 rsign = TLSEXT_signature_ecdsa; 3918 default_nid = NID_ecdsa_with_SHA1; 3919 break; 3920 3921 case SSL_PKEY_GOST01: 3922 rsign = TLSEXT_signature_gostr34102001; 3923 default_nid = NID_id_GostR3411_94_with_GostR3410_2001; 3924 break; 3925 3926 case SSL_PKEY_GOST12_256: 3927 rsign = TLSEXT_signature_gostr34102012_256; 3928 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; 3929 break; 3930 3931 case SSL_PKEY_GOST12_512: 3932 rsign = TLSEXT_signature_gostr34102012_512; 3933 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; 3934 break; 3935 3936 default: 3937 default_nid = -1; 3938 break; 3939 } 3940 } 3941 /* 3942 * If peer sent no signature algorithms extension and we have set 3943 * preferred signature algorithms check we support sha1. 3944 */ 3945 if (default_nid > 0 && c->conf_sigalgs) { 3946 size_t j; 3947 const unsigned char *p = c->conf_sigalgs; 3948 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) { 3949 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) 3950 break; 3951 } 3952 if (j == c->conf_sigalgslen) { 3953 if (check_flags) 3954 goto skip_sigs; 3955 else 3956 goto end; 3957 } 3958 } 3959 /* Check signature algorithm of each cert in chain */ 3960 if (!tls1_check_sig_alg(c, x, default_nid)) { 3961 if (!check_flags) 3962 goto end; 3963 } else 3964 rv |= CERT_PKEY_EE_SIGNATURE; 3965 rv |= CERT_PKEY_CA_SIGNATURE; 3966 for (i = 0; i < sk_X509_num(chain); i++) { 3967 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) { 3968 if (check_flags) { 3969 rv &= ~CERT_PKEY_CA_SIGNATURE; 3970 break; 3971 } else 3972 goto end; 3973 } 3974 } 3975 } 3976 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 3977 else if (check_flags) 3978 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 3979 skip_sigs: 3980 /* Check cert parameters are consistent */ 3981 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) 3982 rv |= CERT_PKEY_EE_PARAM; 3983 else if (!check_flags) 3984 goto end; 3985 if (!s->server) 3986 rv |= CERT_PKEY_CA_PARAM; 3987 /* In strict mode check rest of chain too */ 3988 else if (strict_mode) { 3989 rv |= CERT_PKEY_CA_PARAM; 3990 for (i = 0; i < sk_X509_num(chain); i++) { 3991 X509 *ca = sk_X509_value(chain, i); 3992 if (!tls1_check_cert_param(s, ca, 0)) { 3993 if (check_flags) { 3994 rv &= ~CERT_PKEY_CA_PARAM; 3995 break; 3996 } else 3997 goto end; 3998 } 3999 } 4000 } 4001 if (!s->server && strict_mode) { 4002 STACK_OF(X509_NAME) *ca_dn; 4003 int check_type = 0; 4004 switch (EVP_PKEY_id(pk)) { 4005 case EVP_PKEY_RSA: 4006 check_type = TLS_CT_RSA_SIGN; 4007 break; 4008 case EVP_PKEY_DSA: 4009 check_type = TLS_CT_DSS_SIGN; 4010 break; 4011 case EVP_PKEY_EC: 4012 check_type = TLS_CT_ECDSA_SIGN; 4013 break; 4014 } 4015 if (check_type) { 4016 const unsigned char *ctypes; 4017 int ctypelen; 4018 if (c->ctypes) { 4019 ctypes = c->ctypes; 4020 ctypelen = (int)c->ctype_num; 4021 } else { 4022 ctypes = (unsigned char *)s->s3->tmp.ctype; 4023 ctypelen = s->s3->tmp.ctype_num; 4024 } 4025 for (i = 0; i < ctypelen; i++) { 4026 if (ctypes[i] == check_type) { 4027 rv |= CERT_PKEY_CERT_TYPE; 4028 break; 4029 } 4030 } 4031 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 4032 goto end; 4033 } else 4034 rv |= CERT_PKEY_CERT_TYPE; 4035 4036 ca_dn = s->s3->tmp.ca_names; 4037 4038 if (!sk_X509_NAME_num(ca_dn)) 4039 rv |= CERT_PKEY_ISSUER_NAME; 4040 4041 if (!(rv & CERT_PKEY_ISSUER_NAME)) { 4042 if (ssl_check_ca_name(ca_dn, x)) 4043 rv |= CERT_PKEY_ISSUER_NAME; 4044 } 4045 if (!(rv & CERT_PKEY_ISSUER_NAME)) { 4046 for (i = 0; i < sk_X509_num(chain); i++) { 4047 X509 *xtmp = sk_X509_value(chain, i); 4048 if (ssl_check_ca_name(ca_dn, xtmp)) { 4049 rv |= CERT_PKEY_ISSUER_NAME; 4050 break; 4051 } 4052 } 4053 } 4054 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 4055 goto end; 4056 } else 4057 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 4058 4059 if (!check_flags || (rv & check_flags) == check_flags) 4060 rv |= CERT_PKEY_VALID; 4061 4062 end: 4063 4064 if (TLS1_get_version(s) >= TLS1_2_VERSION) { 4065 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN) 4066 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 4067 else if (s->s3->tmp.md[idx] != NULL) 4068 rv |= CERT_PKEY_SIGN; 4069 } else 4070 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 4071 4072 /* 4073 * When checking a CERT_PKEY structure all flags are irrelevant if the 4074 * chain is invalid. 4075 */ 4076 if (!check_flags) { 4077 if (rv & CERT_PKEY_VALID) 4078 *pvalid = rv; 4079 else { 4080 /* Preserve explicit sign flag, clear rest */ 4081 *pvalid &= CERT_PKEY_EXPLICIT_SIGN; 4082 return 0; 4083 } 4084 } 4085 return rv; 4086 } 4087 4088 /* Set validity of certificates in an SSL structure */ 4089 void tls1_set_cert_validity(SSL *s) 4090 { 4091 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); 4092 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); 4093 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 4094 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 4095 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); 4096 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); 4097 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); 4098 } 4099 4100 /* User level utility function to check a chain is suitable */ 4101 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 4102 { 4103 return tls1_check_chain(s, x, pk, chain, -1); 4104 } 4105 4106 #ifndef OPENSSL_NO_DH 4107 DH *ssl_get_auto_dh(SSL *s) 4108 { 4109 int dh_secbits = 80; 4110 if (s->cert->dh_tmp_auto == 2) 4111 return DH_get_1024_160(); 4112 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { 4113 if (s->s3->tmp.new_cipher->strength_bits == 256) 4114 dh_secbits = 128; 4115 else 4116 dh_secbits = 80; 4117 } else { 4118 CERT_PKEY *cpk = ssl_get_server_send_pkey(s); 4119 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey); 4120 } 4121 4122 if (dh_secbits >= 128) { 4123 DH *dhp = DH_new(); 4124 BIGNUM *p, *g; 4125 if (dhp == NULL) 4126 return NULL; 4127 g = BN_new(); 4128 if (g != NULL) 4129 BN_set_word(g, 2); 4130 if (dh_secbits >= 192) 4131 p = BN_get_rfc3526_prime_8192(NULL); 4132 else 4133 p = BN_get_rfc3526_prime_3072(NULL); 4134 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { 4135 DH_free(dhp); 4136 BN_free(p); 4137 BN_free(g); 4138 return NULL; 4139 } 4140 return dhp; 4141 } 4142 if (dh_secbits >= 112) 4143 return DH_get_2048_224(); 4144 return DH_get_1024_160(); 4145 } 4146 #endif 4147 4148 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 4149 { 4150 int secbits = -1; 4151 EVP_PKEY *pkey = X509_get0_pubkey(x); 4152 if (pkey) { 4153 /* 4154 * If no parameters this will return -1 and fail using the default 4155 * security callback for any non-zero security level. This will 4156 * reject keys which omit parameters but this only affects DSA and 4157 * omission of parameters is never (?) done in practice. 4158 */ 4159 secbits = EVP_PKEY_security_bits(pkey); 4160 } 4161 if (s) 4162 return ssl_security(s, op, secbits, 0, x); 4163 else 4164 return ssl_ctx_security(ctx, op, secbits, 0, x); 4165 } 4166 4167 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) 4168 { 4169 /* Lookup signature algorithm digest */ 4170 int secbits = -1, md_nid = NID_undef, sig_nid; 4171 /* Don't check signature if self signed */ 4172 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) 4173 return 1; 4174 sig_nid = X509_get_signature_nid(x); 4175 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) { 4176 const EVP_MD *md; 4177 if (md_nid && (md = EVP_get_digestbynid(md_nid))) 4178 secbits = EVP_MD_size(md) * 4; 4179 } 4180 if (s) 4181 return ssl_security(s, op, secbits, md_nid, x); 4182 else 4183 return ssl_ctx_security(ctx, op, secbits, md_nid, x); 4184 } 4185 4186 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) 4187 { 4188 if (vfy) 4189 vfy = SSL_SECOP_PEER; 4190 if (is_ee) { 4191 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) 4192 return SSL_R_EE_KEY_TOO_SMALL; 4193 } else { 4194 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) 4195 return SSL_R_CA_KEY_TOO_SMALL; 4196 } 4197 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) 4198 return SSL_R_CA_MD_TOO_WEAK; 4199 return 1; 4200 } 4201 4202 /* 4203 * Check security of a chain, if |sk| includes the end entity certificate then 4204 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending 4205 * one to the peer. Return values: 1 if ok otherwise error code to use 4206 */ 4207 4208 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) 4209 { 4210 int rv, start_idx, i; 4211 if (x == NULL) { 4212 x = sk_X509_value(sk, 0); 4213 start_idx = 1; 4214 } else 4215 start_idx = 0; 4216 4217 rv = ssl_security_cert(s, NULL, x, vfy, 1); 4218 if (rv != 1) 4219 return rv; 4220 4221 for (i = start_idx; i < sk_X509_num(sk); i++) { 4222 x = sk_X509_value(sk, i); 4223 rv = ssl_security_cert(s, NULL, x, vfy, 0); 4224 if (rv != 1) 4225 return rv; 4226 } 4227 return 1; 4228 } 4229