static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
const unsigned char *sess_id, int sesslen,
SSL_SESSION **psess);
+static int ssl_check_clienthello_tlsext(SSL *s);
+int ssl_check_serverhello_tlsext(SSL *s);
#endif
SSL3_ENC_METHOD TLSv1_enc_data={
NID_secp521r1 /* secp521r1 (25) */
};
-static int pref_list[] =
+
+static const unsigned char ecformats_default[] =
{
- NID_sect571r1, /* sect571r1 (14) */
- NID_sect571k1, /* sect571k1 (13) */
- NID_secp521r1, /* secp521r1 (25) */
- NID_sect409k1, /* sect409k1 (11) */
- NID_sect409r1, /* sect409r1 (12) */
- NID_secp384r1, /* secp384r1 (24) */
- NID_sect283k1, /* sect283k1 (9) */
- NID_sect283r1, /* sect283r1 (10) */
- NID_secp256k1, /* secp256k1 (22) */
- NID_X9_62_prime256v1, /* secp256r1 (23) */
- NID_sect239k1, /* sect239k1 (8) */
- NID_sect233k1, /* sect233k1 (6) */
- NID_sect233r1, /* sect233r1 (7) */
- NID_secp224k1, /* secp224k1 (20) */
- NID_secp224r1, /* secp224r1 (21) */
- NID_sect193r1, /* sect193r1 (4) */
- NID_sect193r2, /* sect193r2 (5) */
- NID_secp192k1, /* secp192k1 (18) */
- NID_X9_62_prime192v1, /* secp192r1 (19) */
- NID_sect163k1, /* sect163k1 (1) */
- NID_sect163r1, /* sect163r1 (2) */
- NID_sect163r2, /* sect163r2 (3) */
- NID_secp160k1, /* secp160k1 (15) */
- NID_secp160r1, /* secp160r1 (16) */
- NID_secp160r2, /* secp160r2 (17) */
+ TLSEXT_ECPOINTFORMAT_uncompressed,
+ TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
+ TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
+ };
+
+static const unsigned char eccurves_default[] =
+ {
+ 0,14, /* sect571r1 (14) */
+ 0,13, /* sect571k1 (13) */
+ 0,25, /* secp521r1 (25) */
+ 0,11, /* sect409k1 (11) */
+ 0,12, /* sect409r1 (12) */
+ 0,24, /* secp384r1 (24) */
+ 0,9, /* sect283k1 (9) */
+ 0,10, /* sect283r1 (10) */
+ 0,22, /* secp256k1 (22) */
+ 0,23, /* secp256r1 (23) */
+ 0,8, /* sect239k1 (8) */
+ 0,6, /* sect233k1 (6) */
+ 0,7, /* sect233r1 (7) */
+ 0,20, /* secp224k1 (20) */
+ 0,21, /* secp224r1 (21) */
+ 0,4, /* sect193r1 (4) */
+ 0,5, /* sect193r2 (5) */
+ 0,18, /* secp192k1 (18) */
+ 0,19, /* secp192r1 (19) */
+ 0,1, /* sect163k1 (1) */
+ 0,2, /* sect163r1 (2) */
+ 0,3, /* sect163r2 (3) */
+ 0,15, /* secp160k1 (15) */
+ 0,16, /* secp160r1 (16) */
+ 0,17, /* secp160r2 (17) */
};
int tls1_ec_curve_id2nid(int curve_id)
return 0;
}
}
+/* Get curves list, if "sess" is set return client curves otherwise
+ * preferred list
+ */
+static void tls1_get_curvelist(SSL *s, int sess,
+ const unsigned char **pcurves,
+ size_t *pcurveslen)
+ {
+ if (sess)
+ {
+ *pcurves = s->session->tlsext_ellipticcurvelist;
+ *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
+ }
+ else
+ {
+ *pcurves = s->tlsext_ellipticcurvelist;
+ *pcurveslen = s->tlsext_ellipticcurvelist_length;
+ }
+ /* If not set use default: for now static structure */
+ if (!*pcurves)
+ {
+ *pcurves = eccurves_default;
+ *pcurveslen = sizeof(eccurves_default);
+ }
+ }
+
+/* Return nth shared curve. If nmatch == -1 return number of
+ * matches.
+ */
+
+int tls1_shared_curve(SSL *s, int nmatch)
+ {
+ const unsigned char *pref, *supp;
+ size_t preflen, supplen, i, j;
+ int k;
+ /* Can't do anything on client side */
+ if (s->server == 0)
+ return -1;
+ tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
+ &supp, &supplen);
+ tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
+ &pref, &preflen);
+ preflen /= 2;
+ supplen /= 2;
+ k = 0;
+ for (i = 0; i < preflen; i++, pref+=2)
+ {
+ const unsigned char *tsupp = supp;
+ for (j = 0; j < supplen; j++, tsupp+=2)
+ {
+ if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
+ {
+ if (nmatch == k)
+ {
+ int id = (pref[0] << 8) | pref[1];
+ return tls1_ec_curve_id2nid(id);
+ }
+ k++;
+ }
+ }
+ }
+ if (nmatch == -1)
+ return k;
+ return 0;
+ }
+
+int tls1_set_curves(unsigned char **pext, size_t *pextlen,
+ int *curves, size_t ncurves)
+ {
+ unsigned char *clist, *p;
+ size_t i;
+ /* Bitmap of curves included to detect duplicates: only works
+ * while curve ids < 32
+ */
+ unsigned long dup_list = 0;
+ clist = OPENSSL_malloc(ncurves * 2);
+ if (!clist)
+ return 0;
+ for (i = 0, p = clist; i < ncurves; i++)
+ {
+ unsigned long idmask;
+ int id;
+ id = tls1_ec_nid2curve_id(curves[i]);
+ idmask = 1L << id;
+ if (!id || (dup_list & idmask))
+ {
+ OPENSSL_free(clist);
+ return 0;
+ }
+ dup_list |= idmask;
+ s2n(id, p);
+ }
+ if (*pext)
+ OPENSSL_free(*pext);
+ *pext = clist;
+ *pextlen = ncurves * 2;
+ return 1;
+ }
+
+#define MAX_CURVELIST 25
+
+typedef struct
+ {
+ size_t nidcnt;
+ int nid_arr[MAX_CURVELIST];
+ } nid_cb_st;
+
+static int nid_cb(const char *elem, int len, void *arg)
+ {
+ nid_cb_st *narg = arg;
+ size_t i;
+ int nid;
+ char etmp[20];
+ if (narg->nidcnt == MAX_CURVELIST)
+ return 0;
+ if (len > (int)(sizeof(etmp) - 1))
+ return 0;
+ memcpy(etmp, elem, len);
+ etmp[len] = 0;
+ nid = EC_curve_nist2nid(etmp);
+ if (nid == NID_undef)
+ nid = OBJ_sn2nid(etmp);
+ if (nid == NID_undef)
+ nid = OBJ_ln2nid(etmp);
+ if (nid == NID_undef)
+ return 0;
+ for (i = 0; i < narg->nidcnt; i++)
+ if (narg->nid_arr[i] == nid)
+ return 0;
+ narg->nid_arr[narg->nidcnt++] = nid;
+ return 1;
+ }
+/* Set curves based on a colon separate list */
+int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
+ const char *str)
+ {
+ nid_cb_st ncb;
+ ncb.nidcnt = 0;
+ if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
+ return 0;
+ return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
+ }
+/* For an EC key set TLS id and required compression based on parameters */
+static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
+ EC_KEY *ec)
+ {
+ int is_prime, id;
+ const EC_GROUP *grp;
+ const EC_POINT *pt;
+ const EC_METHOD *meth;
+ if (!ec)
+ return 0;
+ /* Determine if it is a prime field */
+ grp = EC_KEY_get0_group(ec);
+ pt = EC_KEY_get0_public_key(ec);
+ if (!grp || !pt)
+ return 0;
+ meth = EC_GROUP_method_of(grp);
+ if (!meth)
+ return 0;
+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
+ is_prime = 1;
+ else
+ is_prime = 0;
+ /* Determine curve ID */
+ id = EC_GROUP_get_curve_name(grp);
+ id = tls1_ec_nid2curve_id(id);
+ /* If we have an ID set it, otherwise set arbitrary explicit curve */
+ if (id)
+ {
+ curve_id[0] = 0;
+ curve_id[1] = (unsigned char)id;
+ }
+ else
+ {
+ curve_id[0] = 0xff;
+ if (is_prime)
+ curve_id[1] = 0x01;
+ else
+ curve_id[1] = 0x02;
+ }
+ if (comp_id)
+ {
+ if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
+ {
+ if (is_prime)
+ *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+ else
+ *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
+ }
+ else
+ *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
+ }
+ return 1;
+ }
+/* Check an EC key is compatible with extensions */
+static int tls1_check_ec_key(SSL *s,
+ unsigned char *curve_id, unsigned char *comp_id)
+ {
+ const unsigned char *p;
+ size_t plen, i;
+ int j;
+ /* If point formats extension present check it, otherwise everything
+ * is supported (see RFC4492).
+ */
+ if (comp_id && s->session->tlsext_ecpointformatlist)
+ {
+ p = s->session->tlsext_ecpointformatlist;
+ plen = s->session->tlsext_ecpointformatlist_length;
+ for (i = 0; i < plen; i++, p++)
+ {
+ if (*comp_id == *p)
+ break;
+ }
+ if (i == plen)
+ return 0;
+ }
+ /* Check curve is consistent with client and server preferences */
+ for (j = 0; j <= 1; j++)
+ {
+ tls1_get_curvelist(s, j, &p, &plen);
+ for (i = 0; i < plen; i+=2, p+=2)
+ {
+ if (p[0] == curve_id[0] && p[1] == curve_id[1])
+ break;
+ }
+ if (i == plen)
+ return 0;
+ }
+ return 1;
+ }
+/* Check EC server key is compatible with client extensions */
+int tls1_check_ec_server_key(SSL *s)
+ {
+ int rv;
+ CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
+ EVP_PKEY *pkey;
+ unsigned char comp_id, curve_id[2];
+ if (!cpk->x509 || !cpk->privatekey)
+ return 0;
+ pkey = X509_get_pubkey(cpk->x509);
+ if (!pkey)
+ return 0;
+ rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
+ EVP_PKEY_free(pkey);
+ if (!rv)
+ return 0;
+ return tls1_check_ec_key(s, curve_id, &comp_id);
+ }
+/* Check EC temporary key is compatible with client extensions */
+int tls1_check_ec_tmp_key(SSL *s)
+ {
+ unsigned char curve_id[2];
+ EC_KEY *ec = s->cert->ecdh_tmp;
+ if (s->cert->ecdh_tmp_auto)
+ {
+ /* Need a shared curve */
+ if (tls1_shared_curve(s, 0))
+ return 1;
+ else return 0;
+ }
+ if (!ec)
+ {
+ if (s->cert->ecdh_tmp_cb)
+ return 1;
+ else
+ return 0;
+ }
+ if (!tls1_set_ec_id(curve_id, NULL, ec))
+ return 1;
+ return tls1_check_ec_key(s, curve_id, NULL);
+ }
+
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT
return (int)slen;
}
+/* byte_compare is a compare function for qsort(3) that compares bytes. */
+static int byte_compare(const void *in_a, const void *in_b)
+ {
+ unsigned char a = *((const unsigned char*) in_a);
+ unsigned char b = *((const unsigned char*) in_b);
+
+ if (a > b)
+ return 1;
+ else if (a < b)
+ return -1;
+ return 0;
+}
+
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
unsigned char *ret = p;
+#ifndef OPENSSL_NO_EC
+ /* See if we support any ECC ciphersuites */
+ int using_ecc = 0;
+ if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
+ {
+ int i;
+ unsigned long alg_k, alg_a;
+ STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
+
+ for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
+ {
+ SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
+
+ alg_k = c->algorithm_mkey;
+ alg_a = c->algorithm_auth;
+ if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
+ || (alg_a & SSL_aECDSA)))
+ {
+ using_ecc = 1;
+ break;
+ }
+ }
+ }
+#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
}
#ifndef OPENSSL_NO_SRP
-#define MIN(x,y) (((x)<(y))?(x):(y))
- /* we add SRP username the first time only if we have one! */
+ /* Add SRP username if there is one */
if (s->srp_ctx.login != NULL)
- {/* Add TLS extension SRP username to the Client Hello message */
- int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
- long lenmax;
+ { /* Add TLS extension SRP username to the Client Hello message */
- if ((lenmax = limit - ret - 5) < 0) return NULL;
- if (login_len > lenmax) return NULL;
- if (login_len > 255)
+ int login_len = strlen(s->srp_ctx.login);
+ if (login_len > 255 || login_len == 0)
{
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return NULL;
- }
+ }
+
+ /* check for enough space.
+ 4 for the srp type type and entension length
+ 1 for the srp user identity
+ + srp user identity length
+ */
+ if ((limit - ret - 5 - login_len) < 0) return NULL;
+
+ /* fill in the extension */
s2n(TLSEXT_TYPE_srp,ret);
s2n(login_len+1,ret);
-
- (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
- memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
+ (*ret++) = (unsigned char) login_len;
+ memcpy(ret, s->srp_ctx.login, login_len);
ret+=login_len;
}
#endif
#ifndef OPENSSL_NO_EC
- if (s->tlsext_ecpointformatlist != NULL &&
- s->version != DTLS1_VERSION)
+ if (using_ecc)
{
/* Add TLS extension ECPointFormats to the ClientHello message */
long lenmax;
+ const unsigned char *plist;
+ size_t plistlen;
+ /* If we have a custom point format list use it otherwise
+ * use default */
+ plist = s->tlsext_ecpointformatlist;
+ if (plist)
+ plistlen = s->tlsext_ecpointformatlist_length;
+ else
+ {
+ plist = ecformats_default;
+ plistlen = sizeof(ecformats_default);
+ }
if ((lenmax = limit - ret - 5) < 0) return NULL;
- if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
- if (s->tlsext_ecpointformatlist_length > 255)
+ if (plistlen > (size_t)lenmax) return NULL;
+ if (plistlen > 255)
{
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return NULL;
}
s2n(TLSEXT_TYPE_ec_point_formats,ret);
- s2n(s->tlsext_ecpointformatlist_length + 1,ret);
- *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
- memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
- ret+=s->tlsext_ecpointformatlist_length;
- }
- if (s->tlsext_ellipticcurvelist != NULL &&
- s->version != DTLS1_VERSION)
- {
+ s2n(plistlen + 1,ret);
+ *(ret++) = (unsigned char)plistlen ;
+ memcpy(ret, plist, plistlen);
+ ret+=plistlen;
+
/* Add TLS extension EllipticCurves to the ClientHello message */
- long lenmax;
+ plist = s->tlsext_ellipticcurvelist;
+ tls1_get_curvelist(s, 0, &plist, &plistlen);
if ((lenmax = limit - ret - 6) < 0) return NULL;
- if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
- if (s->tlsext_ellipticcurvelist_length > 65532)
+ if (plistlen > (size_t)lenmax) return NULL;
+ if (plistlen > 65532)
{
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return NULL;
}
s2n(TLSEXT_TYPE_elliptic_curves,ret);
- s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
+ s2n(plistlen + 2, ret);
/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
* elliptic_curve_list, but the examples use two bytes.
* http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
* resolves this to two bytes.
*/
- s2n(s->tlsext_ellipticcurvelist_length, ret);
- memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
- ret+=s->tlsext_ellipticcurvelist_length;
+ s2n(plistlen, ret);
+ memcpy(ret, plist, plistlen);
+ ret+=plistlen;
}
#endif /* OPENSSL_NO_EC */
}
skip_ext:
- if (TLS1_get_version(s) >= TLS1_2_VERSION)
+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
{
if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
return NULL;
ret += el;
}
- if ((extdatalen = ret-p-2)== 0)
+ /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
+ /* 2 bytes for extension type */
+ /* 2 bytes for extension length */
+ /* 1 byte for the list length */
+ /* 1 byte for the list (we only support audit proofs) */
+ if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+ {
+ size_t lenmax;
+ const unsigned short ext_len = 2;
+ const unsigned char list_len = 1;
+
+ if ((lenmax = limit - ret - 6) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_server_authz, ret);
+ /* Extension length: 2 bytes */
+ s2n(ext_len, ret);
+ *(ret++) = list_len;
+ *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
+ }
+
+ if ((extdatalen = ret-p-2) == 0)
return p;
s2n(extdatalen,p);
}
#endif
+ /* If the client supports authz then see whether we have any to offer
+ * to it. */
+ if (s->s3->tlsext_authz_client_types_len)
+ {
+ size_t authz_length;
+ /* By now we already know the new cipher, so we can look ahead
+ * to see whether the cert we are going to send
+ * has any authz data attached to it. */
+ const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
+ const unsigned char* const orig_authz = authz;
+ size_t i;
+ unsigned authz_count = 0;
+
+ /* The authz data contains a number of the following structures:
+ * uint8_t authz_type
+ * uint16_t length
+ * uint8_t data[length]
+ *
+ * First we walk over it to find the number of authz elements. */
+ for (i = 0; i < authz_length; i++)
+ {
+ unsigned short length;
+ unsigned char type;
+
+ type = *(authz++);
+ if (memchr(s->s3->tlsext_authz_client_types,
+ type,
+ s->s3->tlsext_authz_client_types_len) != NULL)
+ authz_count++;
+
+ n2s(authz, length);
+ /* n2s increments authz by 2 */
+ i += 2;
+ authz += length;
+ i += length;
+ }
+
+ if (authz_count)
+ {
+ /* Add TLS extension server_authz to the ServerHello message
+ * 2 bytes for extension type
+ * 2 bytes for extension length
+ * 1 byte for the list length
+ * n bytes for the list */
+ const unsigned short ext_len = 1 + authz_count;
+
+ if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
+ s2n(TLSEXT_TYPE_server_authz, ret);
+ s2n(ext_len, ret);
+ *(ret++) = authz_count;
+ s->s3->tlsext_authz_promised_to_client = 1;
+ }
+
+ authz = orig_authz;
+ for (i = 0; i < authz_length; i++)
+ {
+ unsigned short length;
+ unsigned char type;
+
+ authz_count++;
+ type = *(authz++);
+ if (memchr(s->s3->tlsext_authz_client_types,
+ type,
+ s->s3->tlsext_authz_client_types_len) != NULL)
+ *(ret++) = type;
+ n2s(authz, length);
+ /* n2s increments authz by 2 */
+ i += 2;
+ authz += length;
+ i += length;
+ }
+ }
+
if ((extdatalen = ret-p-2)== 0)
return p;
return ret;
}
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
- {
+static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+ {
unsigned short type;
unsigned short size;
unsigned short len;
#ifndef OPENSSL_NO_SRP
else if (type == TLSEXT_TYPE_srp)
{
- if (size > 0)
+ if (size <= 0 || ((len = data[0])) != (size -1))
{
- len = data[0];
- if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
- return -1;
- memcpy(s->srp_ctx.login, &data[1], len);
- s->srp_ctx.login[len]='\0';
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (s->srp_ctx.login != NULL)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
+ return -1;
+ memcpy(s->srp_ctx.login, &data[1], len);
+ s->srp_ctx.login[len]='\0';
+
+ if (strlen(s->srp_ctx.login) != len)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
}
}
#endif
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0)
+ s->s3->tmp.finish_md_len == 0)
{
/* We shouldn't accept this extension on a
* renegotiation.
return 0;
}
+ else if (type == TLSEXT_TYPE_server_authz)
+ {
+ unsigned char *sdata = data;
+ unsigned char server_authz_dataformatlist_length;
+
+ if (size == 0)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ server_authz_dataformatlist_length = *(sdata++);
+
+ if (server_authz_dataformatlist_length != size - 1)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ /* Successful session resumption uses the same authz
+ * information as the original session so we ignore this
+ * in the case of a session resumption. */
+ if (!s->hit)
+ {
+ size_t i;
+ if (s->s3->tlsext_authz_client_types != NULL)
+ OPENSSL_free(s->s3->tlsext_authz_client_types);
+ s->s3->tlsext_authz_client_types =
+ OPENSSL_malloc(server_authz_dataformatlist_length);
+ if (!s->s3->tlsext_authz_client_types)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+
+ s->s3->tlsext_authz_client_types_len =
+ server_authz_dataformatlist_length;
+ memcpy(s->s3->tlsext_authz_client_types,
+ sdata,
+ server_authz_dataformatlist_length);
+
+ /* Sort the types in order to check for duplicates. */
+ qsort(s->s3->tlsext_authz_client_types,
+ server_authz_dataformatlist_length,
+ 1 /* element size */,
+ byte_compare);
+
+ for (i = 0; i < server_authz_dataformatlist_length; i++)
+ {
+ if (i > 0 &&
+ s->s3->tlsext_authz_client_types[i] ==
+ s->s3->tlsext_authz_client_types[i-1])
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ }
+ }
+ }
+
data+=size;
}
-
+
*p = data;
ri_check:
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
*al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
return 1;
}
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
+ {
+ int al = -1;
+ if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return 0;
+ }
+
+ if (ssl_check_clienthello_tlsext(s) <= 0)
+ {
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
+ return 0;
+ }
+ return 1;
+}
+
#ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
* elements of zero length are allowed and the set of elements must exactly fill
* the length of the block. */
-static int ssl_next_proto_validate(unsigned char *d, unsigned len)
+static char ssl_next_proto_validate(unsigned char *d, unsigned len)
{
unsigned int off = 0;
}
#endif
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short length;
unsigned short type;
return 0;
}
- data+=size;
+ else if (type == TLSEXT_TYPE_server_authz)
+ {
+ /* We only support audit proofs. It's an error to send
+ * an authz hello extension if the client
+ * didn't request a proof. */
+ unsigned char *sdata = data;
+ unsigned char server_authz_dataformatlist_length;
+
+ if (!s->ctx->tlsext_authz_server_audit_proof_cb)
+ {
+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+
+ if (!size)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ server_authz_dataformatlist_length = *(sdata++);
+ if (server_authz_dataformatlist_length != size - 1)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ /* We only support audit proofs, so a legal ServerHello
+ * authz list contains exactly one entry. */
+ if (server_authz_dataformatlist_length != 1 ||
+ sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
+ {
+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+
+ s->s3->tlsext_authz_server_promised = 1;
+ }
+
+ data += size;
}
if (data != d+n)
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
*al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
int ssl_prepare_clienthello_tlsext(SSL *s)
{
-#ifndef OPENSSL_NO_EC
- /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
- * and elliptic curves we support.
- */
- int using_ecc = 0;
- int i;
- unsigned char *j;
- unsigned long alg_k, alg_a;
- STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
-
- for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
- {
- SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
-
- alg_k = c->algorithm_mkey;
- alg_a = c->algorithm_auth;
- if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
- {
- using_ecc = 1;
- break;
- }
- }
- using_ecc = using_ecc && (s->version >= TLS1_VERSION);
- if (using_ecc)
- {
- if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
- {
- SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
- return -1;
- }
- s->tlsext_ecpointformatlist_length = 3;
- s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
- s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
- s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
-
- /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
- if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
- s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
- if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
- {
- s->tlsext_ellipticcurvelist_length = 0;
- SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
- return -1;
- }
- for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
- sizeof(pref_list)/sizeof(pref_list[0]); i++)
- {
- int id = tls1_ec_nid2curve_id(pref_list[i]);
- s2n(id,j);
- }
- }
-#endif /* OPENSSL_NO_EC */
#ifdef TLSEXT_TYPE_opaque_prf_input
{
return 1;
}
-int ssl_check_clienthello_tlsext(SSL *s)
+static int ssl_check_clienthello_tlsext(SSL *s)
{
int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;
}
}
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
+ {
+ int al = -1;
+ if (s->version < SSL3_VERSION)
+ return 1;
+ if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return 0;
+ }
+
+ if (ssl_check_serverhello_tlsext(s) <= 0)
+ {
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
+ return 0;
+ }
+ return 1;
+}
+
/* Since the server cache lookup is done early on in the processing of the
* ClientHello, and other operations depend on the result, we need to handle
* any TLS session ticket extension at the same time.
} tls12_lookup;
static tls12_lookup tls12_md[] = {
-#ifndef OPENSSL_NO_MD5
{NID_md5, TLSEXT_hash_md5},
-#endif
-#ifndef OPENSSL_NO_SHA
{NID_sha1, TLSEXT_hash_sha1},
-#endif
-#ifndef OPENSSL_NO_SHA256
{NID_sha224, TLSEXT_hash_sha224},
{NID_sha256, TLSEXT_hash_sha256},
-#endif
-#ifndef OPENSSL_NO_SHA512
{NID_sha384, TLSEXT_hash_sha384},
{NID_sha512, TLSEXT_hash_sha512}
-#endif
};
static tls12_lookup tls12_sig[] = {
-#ifndef OPENSSL_NO_RSA
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
-#endif
-#ifndef OPENSSL_NO_RSA
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
-#endif
-#ifndef OPENSSL_NO_ECDSA
{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
-#endif
};
static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
}
return -1;
}
-#if 0
+
static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
{
size_t i;
for (i = 0; i < tlen; i++)
{
- if (table[i].id == id)
+ if ((table[i].id) == id)
return table[i].nid;
}
- return -1;
+ return NID_undef;
}
-#endif
int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
{
int sig_id, md_id;
+ if (!md)
+ return 0;
md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
sizeof(tls12_md)/sizeof(tls12_lookup));
if (md_id == -1)
int i, idx;
const EVP_MD *md;
CERT *c = s->cert;
+ TLS_SIGALGS *sigptr;
/* Extension ignored for TLS versions below 1.2 */
if (TLS1_get_version(s) < TLS1_2_VERSION)
return 1;
c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
c->pkeys[SSL_PKEY_ECC].digest = NULL;
- for (i = 0; i < dsize; i += 2)
- {
- unsigned char hash_alg = data[i], sig_alg = data[i+1];
+ if (c->sigalgs)
+ OPENSSL_free(c->sigalgs);
+ c->sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS));
+ if (!c->sigalgs)
+ return 0;
+ c->sigalgslen = dsize/2;
- switch(sig_alg)
+ for (i = 0, sigptr = c->sigalgs; i < dsize; i += 2, sigptr++)
+ {
+ sigptr->rhash = data[i];
+ sigptr->rsign = data[i + 1];
+ sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md,
+ sizeof(tls12_md)/sizeof(tls12_lookup));
+ sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig,
+ sizeof(tls12_sig)/sizeof(tls12_lookup));
+ if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid,
+ sigptr->hash_nid,
+ sigptr->sign_nid))
+ sigptr->signandhash_nid = NID_undef;
+ switch(sigptr->rsign)
{
#ifndef OPENSSL_NO_RSA
case TLSEXT_signature_rsa:
if (c->pkeys[idx].digest == NULL)
{
- md = tls12_get_hash(hash_alg);
+ md = tls12_get_hash(sigptr->rhash);
if (md)
{
c->pkeys[idx].digest = md;
#endif
+int SSL_get_sigalgs(SSL *s, int idx,
+ int *psign, int *phash, int *psignandhash,
+ unsigned char *rsig, unsigned char *rhash)
+ {
+ if (s->cert->sigalgs == NULL)
+ return 0;
+ if (idx >= 0)
+ {
+ TLS_SIGALGS *psig;
+ if (idx >= (int)s->cert->sigalgslen)
+ return 0;
+ psig = s->cert->sigalgs + idx;
+ if (psign)
+ *psign = psig->sign_nid;
+ if (phash)
+ *phash = psig->hash_nid;
+ if (psignandhash)
+ *psignandhash = psig->signandhash_nid;
+ if (rsig)
+ *rsig = psig->rsign;
+ if (rhash)
+ *rhash = psig->rhash;
+ }
+ return s->cert->sigalgslen;
+ }
+
+
#ifndef OPENSSL_NO_HEARTBEATS
int
tls1_process_heartbeat(SSL *s)
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
-
+ bp += payload;
+ /* Random padding */
+ RAND_pseudo_bytes(bp, padding);
+
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
if (r >= 0 && s->msg_callback)
projects / openssl.git / blobdiff