X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=9308aedc3959f30e85d775492f4c1702c5ba4acf;hp=5fae9fb4260bb972484e6c5e8a19440cd98d8b56;hb=deffd89af34022ba3ef11b0fb1af637f28159064;hpb=4453cd8c734349f4515eaa1b047464de0f34a1b5 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 5fae9fb426..9308aedc39 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -115,6 +115,10 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#include +#endif #include "ssl_locl.h" const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; @@ -123,7 +127,7 @@ const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess); -static int ssl_check_clienthello_tlsext(SSL *s); +static int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #endif @@ -140,6 +144,49 @@ SSL3_ENC_METHOD TLSv1_enc_data={ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, + 0, + SSL3_HM_HEADER_LENGTH, + ssl3_set_handshake_header, + ssl3_handshake_write + }; + +SSL3_ENC_METHOD TLSv1_1_enc_data={ + tls1_enc, + tls1_mac, + tls1_setup_key_block, + tls1_generate_master_secret, + tls1_change_cipher_state, + tls1_final_finish_mac, + TLS1_FINISH_MAC_LENGTH, + tls1_cert_verify_mac, + TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, + tls1_alert_code, + tls1_export_keying_material, + SSL_ENC_FLAG_EXPLICIT_IV, + SSL3_HM_HEADER_LENGTH, + ssl3_set_handshake_header, + ssl3_handshake_write + }; + +SSL3_ENC_METHOD TLSv1_2_enc_data={ + tls1_enc, + tls1_mac, + tls1_setup_key_block, + tls1_generate_master_secret, + tls1_change_cipher_state, + tls1_final_finish_mac, + TLS1_FINISH_MAC_LENGTH, + tls1_cert_verify_mac, + TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, + tls1_alert_code, + tls1_export_keying_material, + SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF + |SSL_ENC_FLAG_TLS1_2_CIPHERS, + SSL3_HM_HEADER_LENGTH, + ssl3_set_handshake_header, + ssl3_handshake_write }; long tls1_default_timeout(void) @@ -175,33 +222,46 @@ void tls1_clear(SSL *s) #ifndef OPENSSL_NO_EC -static int nid_list[] = - { - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1 /* secp521r1 (25) */ +typedef struct + { + int nid; /* Curve NID */ + int secbits; /* Bits of security (from SP800-57) */ + unsigned int flags; /* Flags: currently just field type */ + } tls_curve_info; + +#define TLS_CURVE_CHAR2 0x1 +#define TLS_CURVE_PRIME 0x0 + +static tls_curve_info nid_list[] = + { + {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */ + {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */ + {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */ + {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ + {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ + {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */ + {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ + {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ + {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */ + {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ + {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ + {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */ + {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ + {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ + {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */ + {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ + {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ + {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */ + {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ + {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ + {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */ + {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ + {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ + {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */ + {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */ + {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ + {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ + {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */ }; @@ -217,11 +277,14 @@ static const unsigned char eccurves_default[] = 0,14, /* sect571r1 (14) */ 0,13, /* sect571k1 (13) */ 0,25, /* secp521r1 (25) */ + 0,28, /* brainpool512r1 (28) */ 0,11, /* sect409k1 (11) */ 0,12, /* sect409r1 (12) */ + 0,27, /* brainpoolP384r1 (27) */ 0,24, /* secp384r1 (24) */ 0,9, /* sect283k1 (9) */ 0,10, /* sect283r1 (10) */ + 0,26, /* brainpoolP256r1 (26) */ 0,22, /* secp256k1 (22) */ 0,23, /* secp256r1 (23) */ 0,8, /* sect239k1 (8) */ @@ -241,13 +304,19 @@ static const unsigned char eccurves_default[] = 0,17, /* secp160r2 (17) */ }; +static const unsigned char suiteb_curves[] = + { + 0, TLSEXT_curve_P_256, + 0, TLSEXT_curve_P_384 + }; + int tls1_ec_curve_id2nid(int curve_id) { /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ if ((curve_id < 1) || ((unsigned int)curve_id > sizeof(nid_list)/sizeof(nid_list[0]))) return 0; - return nid_list[curve_id-1]; + return nid_list[curve_id-1].nid; } int tls1_ec_nid2curve_id(int nid) @@ -305,6 +374,12 @@ int tls1_ec_nid2curve_id(int nid) return 24; case NID_secp521r1: /* secp521r1 (25) */ return 25; + case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ + return 26; + case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ + return 27; + case NID_brainpoolP512r1: /* brainpool512r1 (28) */ + return 28; default: return 0; } @@ -320,13 +395,29 @@ static void tls1_get_curvelist(SSL *s, int sess, { *pcurves = s->session->tlsext_ellipticcurvelist; *pcurveslen = s->session->tlsext_ellipticcurvelist_length; + return; } - else + /* For Suite B mode only include P-256, P-384 */ + switch (tls1_suiteb(s)) { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *pcurves = suiteb_curves; + *pcurveslen = sizeof(suiteb_curves); + break; + + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *pcurves = suiteb_curves; + *pcurveslen = 2; + break; + + case SSL_CERT_FLAG_SUITEB_192_LOS: + *pcurves = suiteb_curves + 2; + *pcurveslen = 2; + break; + default: *pcurves = s->tlsext_ellipticcurvelist; *pcurveslen = s->tlsext_ellipticcurvelist_length; } - /* If not set use default: for now static structure */ if (!*pcurves) { *pcurves = eccurves_default; @@ -334,8 +425,58 @@ static void tls1_get_curvelist(SSL *s, int sess, } } +/* See if curve is allowed by security callback */ +static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) + { + tls_curve_info *cinfo; + if (curve[0]) + return 1; + if ((curve[1] < 1) || ((size_t)curve[1] > + sizeof(nid_list)/sizeof(nid_list[0]))) + return 0; + cinfo = &nid_list[curve[1]-1]; + return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve); + } + +/* Check a curve is one of our preferences */ +int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) + { + const unsigned char *curves; + size_t curveslen, i; + unsigned int suiteb_flags = tls1_suiteb(s); + if (len != 3 || p[0] != NAMED_CURVE_TYPE) + return 0; + /* Check curve matches Suite B preferences */ + if (suiteb_flags) + { + unsigned long cid = s->s3->tmp.new_cipher->id; + if (p[1]) + return 0; + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + { + if (p[2] != TLSEXT_curve_P_256) + return 0; + } + else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + { + if (p[2] != TLSEXT_curve_P_384) + return 0; + } + else /* Should never happen */ + return 0; + } + tls1_get_curvelist(s, 0, &curves, &curveslen); + for (i = 0; i < curveslen; i += 2, curves += 2) + { + if (p[1] == curves[0] && p[2] == curves[1]) + return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK); + } + return 0; + } + /* Return nth shared curve. If nmatch == -1 return number of - * matches. + * matches. For nmatch == -2 return the NID of the curve to use for + * an EC tmp key. */ int tls1_shared_curve(SSL *s, int nmatch) @@ -346,6 +487,25 @@ int tls1_shared_curve(SSL *s, int nmatch) /* Can't do anything on client side */ if (s->server == 0) return -1; + if (nmatch == -2) + { + if (tls1_suiteb(s)) + { + /* For Suite B ciphersuite determines curve: we + * already know these are acceptable due to previous + * checks. + */ + unsigned long cid = s->s3->tmp.new_cipher->id; + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + return NID_X9_62_prime256v1; /* P-256 */ + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + return NID_secp384r1; /* P-384 */ + /* Should never happen */ + return NID_undef; + } + /* If not Suite B just return first preference shared curve */ + nmatch = 0; + } tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &supp, &supplen); tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), @@ -360,6 +520,8 @@ int tls1_shared_curve(SSL *s, int nmatch) { if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { + if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED)) + continue; if (nmatch == k) { int id = (pref[0] << 8) | pref[1]; @@ -407,7 +569,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, return 1; } -#define MAX_CURVELIST 25 +#define MAX_CURVELIST 28 typedef struct { @@ -448,6 +610,8 @@ int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, ncb.nidcnt = 0; if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb)) return 0; + if (pext == NULL) + return 1; return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt); } /* For an EC key set TLS id and required compression based on parameters */ @@ -456,14 +620,12 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, { int is_prime, id; const EC_GROUP *grp; - const EC_POINT *pt; const EC_METHOD *meth; if (!ec) return 0; /* Determine if it is a prime field */ grp = EC_KEY_get0_group(ec); - pt = EC_KEY_get0_public_key(ec); - if (!grp || !pt) + if (!grp) return 0; meth = EC_GROUP_method_of(grp); if (!meth) @@ -491,6 +653,8 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, } if (comp_id) { + if (EC_KEY_get0_public_key(ec) == NULL) + return 0; if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { if (is_prime) @@ -525,6 +689,8 @@ static int tls1_check_ec_key(SSL *s, if (i == plen) return 0; } + if (!curve_id) + return 1; /* Check curve is consistent with client and server preferences */ for (j = 0; j <= 1; j++) { @@ -536,32 +702,136 @@ static int tls1_check_ec_key(SSL *s, } if (i == plen) return 0; + /* For clients can only check sent curve list */ + if (!s->server) + break; } return 1; } -/* Check EC server key is compatible with client extensions */ -int tls1_check_ec_server_key(SSL *s) + +static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, + size_t *pformatslen) + { + /* If we have a custom point format list use it otherwise + * use default */ + if (s->tlsext_ecpointformatlist) + { + *pformats = s->tlsext_ecpointformatlist; + *pformatslen = s->tlsext_ecpointformatlist_length; + } + else + { + *pformats = ecformats_default; + /* For Suite B we don't support char2 fields */ + if (tls1_suiteb(s)) + *pformatslen = sizeof(ecformats_default) - 1; + else + *pformatslen = sizeof(ecformats_default); + } + } + +/* Check cert parameters compatible with extensions: currently just checks + * EC certificates have compatible curves and compression. + */ +static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) { - int rv; - CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; - EVP_PKEY *pkey; unsigned char comp_id, curve_id[2]; - if (!cpk->x509 || !cpk->privatekey) - return 0; - pkey = X509_get_pubkey(cpk->x509); + EVP_PKEY *pkey; + int rv; + pkey = X509_get_pubkey(x); if (!pkey) return 0; + /* If not EC nothing to do */ + if (pkey->type != EVP_PKEY_EC) + { + EVP_PKEY_free(pkey); + return 1; + } rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); EVP_PKEY_free(pkey); if (!rv) return 0; - return tls1_check_ec_key(s, curve_id, &comp_id); + /* Can't check curve_id for client certs as we don't have a + * supported curves extension. + */ + rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); + if (!rv) + return 0; + /* Special case for suite B. We *MUST* sign using SHA256+P-256 or + * SHA384+P-384, adjust digest if necessary. + */ + if (set_ee_md && tls1_suiteb(s)) + { + int check_md; + size_t i; + CERT *c = s->cert; + if (curve_id[0]) + return 0; + /* Check to see we have necessary signing algorithm */ + if (curve_id[1] == TLSEXT_curve_P_256) + check_md = NID_ecdsa_with_SHA256; + else if (curve_id[1] == TLSEXT_curve_P_384) + check_md = NID_ecdsa_with_SHA384; + else + return 0; /* Should never happen */ + for (i = 0; i < c->shared_sigalgslen; i++) + if (check_md == c->shared_sigalgs[i].signandhash_nid) + break; + if (i == c->shared_sigalgslen) + return 0; + if (set_ee_md == 2) + { + if (check_md == NID_ecdsa_with_SHA256) + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256(); + else + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384(); + } + } + return rv; } /* Check EC temporary key is compatible with client extensions */ -int tls1_check_ec_tmp_key(SSL *s) +int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { unsigned char curve_id[2]; EC_KEY *ec = s->cert->ecdh_tmp; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any curve: not just those peer supports */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + return 1; +#endif + /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, + * no other curves permitted. + */ + if (tls1_suiteb(s)) + { + /* Curve to check determined by ciphersuite */ + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + curve_id[1] = TLSEXT_curve_P_256; + else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + curve_id[1] = TLSEXT_curve_P_384; + else + return 0; + curve_id[0] = 0; + /* Check this curve is acceptable */ + if (!tls1_check_ec_key(s, curve_id, NULL)) + return 0; + /* If auto or setting curve from callback assume OK */ + if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb) + return 1; + /* Otherwise check curve is acceptable */ + else + { + unsigned char curve_tmp[2]; + if (!ec) + return 0; + if (!tls1_set_ec_id(curve_tmp, NULL, ec)) + return 0; + if (!curve_tmp[0] || curve_tmp[1] == curve_id[1]) + return 1; + return 0; + } + + } if (s->cert->ecdh_tmp_auto) { /* Need a shared curve */ @@ -577,8 +847,20 @@ int tls1_check_ec_tmp_key(SSL *s) return 0; } if (!tls1_set_ec_id(curve_id, NULL, ec)) - return 1; + return 0; +/* Set this to allow use of invalid curves for testing */ +#if 0 + return 1; +#else return tls1_check_ec_key(s, curve_id, NULL); +#endif + } + +#else + +static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) + { + return 1; } #endif /* OPENSSL_NO_EC */ @@ -624,56 +906,214 @@ static unsigned char tls12_sigalgs[] = { #ifndef OPENSSL_NO_SHA tlsext_sigalg(TLSEXT_hash_sha1) #endif -#ifndef OPENSSL_NO_MD5 - tlsext_sigalg_rsa(TLSEXT_hash_md5) -#endif }; - -size_t tls12_get_sig_algs(SSL *s, unsigned char *p) +#ifndef OPENSSL_NO_ECDSA +static unsigned char suiteb_sigalgs[] = { + tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) + tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) +}; +#endif +size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) { - const unsigned char *sigs; - size_t sigslen; - sigs = s->cert->conf_sigalgs; + /* If Suite B mode use Suite B sigalgs only, ignore any other + * preferences. + */ +#ifndef OPENSSL_NO_EC + switch (tls1_suiteb(s)) + { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *psigs = suiteb_sigalgs; + return sizeof(suiteb_sigalgs); + + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *psigs = suiteb_sigalgs; + return 2; - if (sigs) - sigslen = s->cert->conf_sigalgslen; + case SSL_CERT_FLAG_SUITEB_192_LOS: + *psigs = suiteb_sigalgs + 2; + return 2; + } +#endif + /* If server use client authentication sigalgs if not NULL */ + if (s->server && s->cert->client_sigalgs) + { + *psigs = s->cert->client_sigalgs; + return s->cert->client_sigalgslen; + } + else if (s->cert->conf_sigalgs) + { + *psigs = s->cert->conf_sigalgs; + return s->cert->conf_sigalgslen; + } else { - sigs = tls12_sigalgs; - sigslen = sizeof(tls12_sigalgs); -#ifdef OPENSSL_FIPS - /* If FIPS mode don't include MD5 which is last */ - if (FIPS_mode()) - sigslen -= 2; -#endif + *psigs = tls12_sigalgs; + return sizeof(tls12_sigalgs); + } + } +/* Check signature algorithm is consistent with sent supported signature + * algorithms and if so return relevant digest. + */ +int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, + const unsigned char *sig, EVP_PKEY *pkey) + { + const unsigned char *sent_sigs; + size_t sent_sigslen, i; + int sigalg = tls12_get_sigid(pkey); + /* Should never happen */ + if (sigalg == -1) + return -1; + /* Check key type is consistent with signature */ + if (sigalg != (int)sig[1]) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } +#ifndef OPENSSL_NO_EC + if (pkey->type == EVP_PKEY_EC) + { + unsigned char curve_id[2], comp_id; + /* Check compression and curve matches extensions */ + if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec)) + return 0; + if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE); + return 0; + } + /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */ + if (tls1_suiteb(s)) + { + if (curve_id[0]) + return 0; + if (curve_id[1] == TLSEXT_curve_P_256) + { + if (sig[0] != TLSEXT_hash_sha256) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_SUITEB_DIGEST); + return 0; + } + } + else if (curve_id[1] == TLSEXT_curve_P_384) + { + if (sig[0] != TLSEXT_hash_sha384) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_SUITEB_DIGEST); + return 0; + } + } + else + return 0; + } } + else if (tls1_suiteb(s)) + return 0; +#endif - if (p) - memcpy(p, sigs, sigslen); - return sigslen; + /* Check signature matches a type we sent */ + sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); + for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2) + { + if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1]) + break; + } + /* Allow fallback to SHA1 if not strict mode */ + if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + *pmd = tls12_get_hash(sig[0]); + if (*pmd == NULL) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST); + return 0; + } + /* Make sure security callback allows algorithm */ + if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, + EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), + (void *)sig)) + { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + /* Store the digest used so applications can retrieve it if they + * wish. + */ + if (s->session && s->session->sess_cert) + s->session->sess_cert->peer_key->digest = *pmd; + return 1; } -/* byte_compare is a compare function for qsort(3) that compares bytes. */ -static int byte_compare(const void *in_a, const void *in_b) +/* Get a mask of disabled algorithms: an algorithm is disabled + * if it isn't supported or doesn't appear in supported signature + * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific + * session and not global settings. + * + */ +void ssl_set_client_disabled(SSL *s) { - unsigned char a = *((const unsigned char*) in_a); - unsigned char b = *((const unsigned char*) in_b); + CERT *c = s->cert; + c->mask_a = 0; + c->mask_k = 0; + /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ + if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) + c->mask_ssl = SSL_TLSV1_2; + else + c->mask_ssl = 0; + ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK); + /* Disable static DH if we don't include any appropriate + * signature algorithms. + */ + if (c->mask_a & SSL_aRSA) + c->mask_k |= SSL_kDHr|SSL_kECDHr; + if (c->mask_a & SSL_aDSS) + c->mask_k |= SSL_kDHd; + if (c->mask_a & SSL_aECDSA) + c->mask_k |= SSL_kECDHe; +#ifndef OPENSSL_NO_KRB5 + if (!kssl_tgt_is_available(s->kssl_ctx)) + { + c->mask_a |= SSL_aKRB5; + c->mask_k |= SSL_kKRB5; + } +#endif +#ifndef OPENSSL_NO_PSK + /* with PSK there must be client callback set */ + if (!s->psk_client_callback) + { + c->mask_a |= SSL_aPSK; + c->mask_k |= SSL_kPSK; + } +#endif /* OPENSSL_NO_PSK */ + c->valid = 1; + } - if (a > b) +int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) + { + CERT *ct = s->cert; + if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a) return 1; - else if (a < b) - return -1; - return 0; -} + return !ssl_security(s, op, c->strength_bits, 0, (void *)c); + } + +static int tls_use_ticket(SSL *s) + { + if (s->options & SSL_OP_NO_TICKET) + return 0; + return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); + } -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al) { int extdatalen=0; unsigned char *ret = p; #ifndef OPENSSL_NO_EC /* See if we support any ECC ciphersuites */ int using_ecc = 0; - if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) + if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { int i; unsigned long alg_k, alg_a; @@ -685,7 +1125,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) + if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1; @@ -796,16 +1236,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha long lenmax; const unsigned char *plist; size_t plistlen; - /* If we have a custom point format list use it otherwise - * use default */ - plist = s->tlsext_ecpointformatlist; - if (plist) - plistlen = s->tlsext_ecpointformatlist_length; - else - { - plist = ecformats_default; - plistlen = sizeof(ecformats_default); - } + size_t i; + unsigned char *etmp; + + tls1_get_formatlist(s, &plist, &plistlen); if ((lenmax = limit - ret - 5) < 0) return NULL; if (plistlen > (size_t)lenmax) return NULL; @@ -832,22 +1266,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } + s2n(TLSEXT_TYPE_elliptic_curves,ret); - s2n(plistlen + 2, ret); + etmp = ret + 4; + /* Copy curve ID if supported */ + for (i = 0; i < plistlen; i += 2, plist += 2) + { + if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED)) + { + *etmp++ = plist[0]; + *etmp++ = plist[1]; + } + } + + plistlen = etmp - ret - 4; /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for * elliptic_curve_list, but the examples use two bytes. * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html * resolves this to two bytes. */ + s2n(plistlen + 2, ret); s2n(plistlen, ret); - memcpy(ret, plist, plistlen); ret+=plistlen; } #endif /* OPENSSL_NO_EC */ - if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) + if (tls_use_ticket(s)) { int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) @@ -883,22 +1329,27 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } skip_ext: - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { size_t salglen; - salglen = tls12_get_sig_algs(s, NULL); + const unsigned char *salg; + unsigned char *etmp; + salglen = tls12_get_psigalgs(s, &salg); if ((size_t)(limit - ret) < salglen + 6) return NULL; s2n(TLSEXT_TYPE_signature_algorithms,ret); - s2n(salglen + 2, ret); - s2n(salglen, ret); - tls12_get_sig_algs(s, ret); + etmp = ret; + /* Skip over lengths for now */ + ret += 4; + salglen = tls12_copy_sigalgs(s, ret, salg, salglen); + /* Fill in lengths */ + s2n(salglen + 2, etmp); + s2n(salglen, etmp); ret += salglen; } #ifdef TLSEXT_TYPE_opaque_prf_input - if (s->s3->client_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) + if (s->s3->client_opaque_prf_input != NULL) { size_t col = s->s3->client_opaque_prf_input_len; @@ -915,8 +1366,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION) + if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { int i; long extlen, idlen, itmp; @@ -990,6 +1440,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif + if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) + { + if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) + return NULL; + s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); + s2n(2 + s->alpn_client_proto_list_len,ret); + s2n(s->alpn_client_proto_list_len,ret); + memcpy(ret, s->alpn_client_proto_list, + s->alpn_client_proto_list_len); + ret += s->alpn_client_proto_list_len; + } + if(SSL_get_srtp_profiles(s)) { int el; @@ -1009,25 +1471,72 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha ret += el; } - /* Add TLS extension Server_Authz_DataFormats to the ClientHello */ - /* 2 bytes for extension type */ - /* 2 bytes for extension length */ - /* 1 byte for the list length */ - /* 1 byte for the list (we only support audit proofs) */ - if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL) + /* Add custom TLS Extensions to ClientHello */ + if (s->ctx->custom_cli_ext_records_count) { - size_t lenmax; - const unsigned short ext_len = 2; - const unsigned char list_len = 1; + size_t i; + custom_cli_ext_record* record; - if ((lenmax = limit - ret - 6) < 0) return NULL; + for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) + { + const unsigned char* out = NULL; + unsigned short outlen = 0; + + record = &s->ctx->custom_cli_ext_records[i]; + /* NULL callback sends empty extension */ + /* -1 from callback omits extension */ + if (record->fn1) + { + int cb_retval = 0; + cb_retval = record->fn1(s, record->ext_type, + &out, &outlen, al, + record->arg); + if (cb_retval == 0) + return NULL; /* error */ + if (cb_retval == -1) + continue; /* skip this extension */ + } + if (limit < ret + 4 + outlen) + return NULL; + s2n(record->ext_type, ret); + s2n(outlen, ret); + memcpy(ret, out, outlen); + ret += outlen; + } + } +#ifdef TLSEXT_TYPE_encrypt_then_mac + s2n(TLSEXT_TYPE_encrypt_then_mac,ret); + s2n(0,ret); +#endif +#ifdef TLSEXT_TYPE_padding + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-03 + * + * NB: because this code works out the length of all existing + * extensions it MUST always appear last. + */ + { + int hlen = ret - (unsigned char *)s->init_buf->data; + /* The code in s23_clnt.c to build ClientHello messages includes the + * 5-byte record header in the buffer, while the code in s3_clnt.c does + * not. */ + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) + { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; - s2n(TLSEXT_TYPE_server_authz, ret); - /* Extension length: 2 bytes */ - s2n(ext_len, ret); - *(ret++) = list_len; - *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof; + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; } + } +#endif if ((extdatalen = ret-p-2) == 0) return p; @@ -1036,18 +1545,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha return ret; } -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al) { int extdatalen=0; unsigned char *ret = p; + size_t i; + custom_srv_ext_record *record; #ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; #endif - - /* don't add extensions for SSLv3, unless doing secure renegotiation */ - if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) - return p; - +#ifndef OPENSSL_NO_EC + unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; + int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); + using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); +#endif + /* don't add extensions for SSLv3, unless doing secure renegotiation */ + if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) + return p; + ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ @@ -1084,32 +1600,34 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha } #ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) + if (using_ecc) { + const unsigned char *plist; + size_t plistlen; /* Add TLS extension ECPointFormats to the ServerHello message */ long lenmax; + tls1_get_formatlist(s, &plist, &plistlen); + if ((lenmax = limit - ret - 5) < 0) return NULL; - if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) + if (plistlen > (size_t)lenmax) return NULL; + if (plistlen > 255) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); - *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; - memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; + s2n(plistlen + 1,ret); + *(ret++) = (unsigned char) plistlen; + memcpy(ret, plist, plistlen); + ret+=plistlen; } /* Currently the server should not respond with a SupportedCurves extension */ #endif /* OPENSSL_NO_EC */ - if (s->tlsext_ticket_expected - && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) + if (s->tlsext_ticket_expected && tls_use_ticket(s)) { if ((long)(limit - ret - 4) < 0) return NULL; s2n(TLSEXT_TYPE_session_ticket,ret); @@ -1124,8 +1642,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha } #ifdef TLSEXT_TYPE_opaque_prf_input - if (s->s3->server_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) + if (s->s3->server_opaque_prf_input != NULL) { size_t sol = s->s3->server_opaque_prf_input_len; @@ -1216,77 +1733,60 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif - /* If the client supports authz then see whether we have any to offer - * to it. */ - if (s->s3->tlsext_authz_client_types_len) + for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++) { - size_t authz_length; - /* By now we already know the new cipher, so we can look ahead - * to see whether the cert we are going to send - * has any authz data attached to it. */ - const unsigned char* authz = ssl_get_authz_data(s, &authz_length); - const unsigned char* const orig_authz = authz; - size_t i; - unsigned authz_count = 0; - - /* The authz data contains a number of the following structures: - * uint8_t authz_type - * uint16_t length - * uint8_t data[length] - * - * First we walk over it to find the number of authz elements. */ - for (i = 0; i < authz_length; i++) - { - unsigned short length; - unsigned char type; - - type = *(authz++); - if (memchr(s->s3->tlsext_authz_client_types, - type, - s->s3->tlsext_authz_client_types_len) != NULL) - authz_count++; + const unsigned char *out = NULL; + unsigned short outlen = 0; + int cb_retval = 0; - n2s(authz, length); - /* n2s increments authz by 2 */ - i += 2; - authz += length; - i += length; - } + record = &s->ctx->custom_srv_ext_records[i]; - if (authz_count) + /* NULL callback or -1 omits extension */ + if (!record->fn2) + continue; + cb_retval = record->fn2(s, record->ext_type, + &out, &outlen, al, + record->arg); + if (cb_retval == 0) + return NULL; /* error */ + if (cb_retval == -1) + continue; /* skip this extension */ + if (limit < ret + 4 + outlen) + return NULL; + s2n(record->ext_type, ret); + s2n(outlen, ret); + memcpy(ret, out, outlen); + ret += outlen; + } +#ifdef TLSEXT_TYPE_encrypt_then_mac + if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) + { + /* Don't use encrypt_then_mac if AEAD: might want + * to disable for other ciphersuites too. + */ + if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD) + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; + else { - /* Add TLS extension server_authz to the ServerHello message - * 2 bytes for extension type - * 2 bytes for extension length - * 1 byte for the list length - * n bytes for the list */ - const unsigned short ext_len = 1 + authz_count; - - if ((long)(limit - ret - 4 - ext_len) < 0) return NULL; - s2n(TLSEXT_TYPE_server_authz, ret); - s2n(ext_len, ret); - *(ret++) = authz_count; - s->s3->tlsext_authz_promised_to_client = 1; + s2n(TLSEXT_TYPE_encrypt_then_mac,ret); + s2n(0,ret); } + } +#endif - authz = orig_authz; - for (i = 0; i < authz_length; i++) - { - unsigned short length; - unsigned char type; + if (s->s3->alpn_selected) + { + const unsigned char *selected = s->s3->alpn_selected; + unsigned len = s->s3->alpn_selected_len; - authz_count++; - type = *(authz++); - if (memchr(s->s3->tlsext_authz_client_types, - type, - s->s3->tlsext_authz_client_types_len) != NULL) - *(ret++) = type; - n2s(authz, length); - /* n2s increments authz by 2 */ - i += 2; - authz += length; - i += length; - } + if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) + return NULL; + s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); + s2n(3 + len,ret); + s2n(1 + len,ret); + *ret++ = len; + memcpy(ret, selected, len); + ret += len; } if ((extdatalen = ret-p-2)== 0) @@ -1296,6 +1796,159 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha return ret; } +/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a + * ClientHello. + * data: the contents of the extension, not including the type and length. + * data_len: the number of bytes in |data| + * al: a pointer to the alert value to send in the event of a non-zero + * return. + * + * returns: 0 on success. */ +static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, + unsigned data_len, int *al) + { + unsigned i; + unsigned proto_len; + const unsigned char *selected; + unsigned char selected_len; + int r; + + if (s->ctx->alpn_select_cb == NULL) + return 0; + + if (data_len < 2) + goto parse_error; + + /* data should contain a uint16 length followed by a series of 8-bit, + * length-prefixed strings. */ + i = ((unsigned) data[0]) << 8 | + ((unsigned) data[1]); + data_len -= 2; + data += 2; + if (data_len != i) + goto parse_error; + + if (data_len < 2) + goto parse_error; + + for (i = 0; i < data_len;) + { + proto_len = data[i]; + i++; + + if (proto_len == 0) + goto parse_error; + + if (i + proto_len < i || i + proto_len > data_len) + goto parse_error; + + i += proto_len; + } + + r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, + s->ctx->alpn_select_cb_arg); + if (r == SSL_TLSEXT_ERR_OK) { + if (s->s3->alpn_selected) + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_malloc(selected_len); + if (!s->s3->alpn_selected) + { + *al = SSL_AD_INTERNAL_ERROR; + return -1; + } + memcpy(s->s3->alpn_selected, selected, selected_len); + s->s3->alpn_selected_len = selected_len; + } + return 0; + +parse_error: + *al = SSL_AD_DECODE_ERROR; + return -1; + } + +#ifndef OPENSSL_NO_EC +/* ssl_check_for_safari attempts to fingerprint Safari using OS X + * SecureTransport using the TLS extension block in |d|, of length |n|. + * Safari, since 10.6, sends exactly these extensions, in this order: + * SNI, + * elliptic_curves + * ec_point_formats + * + * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, + * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { + unsigned short type, size; + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ + 0x00, 0x08, /* 8 bytes */ + 0x00, 0x06, /* 6 bytes of curve ids */ + 0x00, 0x17, /* P-256 */ + 0x00, 0x18, /* P-384 */ + 0x00, 0x19, /* P-521 */ + + 0x00, 0x0b, /* ec_point_formats */ + 0x00, 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ + }; + + /* The following is only present in TLS 1.2 */ + static const unsigned char kSafariTLS12ExtensionsBlock[] = { + 0x00, 0x0d, /* signature_algorithms */ + 0x00, 0x0c, /* 12 bytes */ + 0x00, 0x0a, /* 10 bytes */ + 0x05, 0x01, /* SHA-384/RSA */ + 0x04, 0x01, /* SHA-256/RSA */ + 0x02, 0x01, /* SHA-1/RSA */ + 0x04, 0x03, /* SHA-256/ECDSA */ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + + if (data >= (d+n-2)) + return; + data += 2; + + if (data > (d+n-4)) + return; + n2s(data,type); + n2s(data,size); + + if (type != TLSEXT_TYPE_server_name) + return; + + if (data+size > d+n) + return; + data += size; + + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) + { + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + + if (data + len1 + len2 != d+n) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; + if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) + return; + } + else + { + const size_t len = sizeof(kSafariExtensionsBlock); + + if (data + len != d+n) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; + } + + s->s3->is_probably_safari = 1; +} +#endif /* !OPENSSL_NO_EC */ + static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { unsigned short type; @@ -1303,6 +1956,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char unsigned short len; unsigned char *data = *p; int renegotiate_seen = 0; + size_t i; s->servername_done = 0; s->tlsext_status_type = -1; @@ -1310,10 +1964,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char s->s3->next_proto_neg_seen = 0; #endif + if (s->s3->alpn_selected) + { + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; + } + + /* Clear observed custom extensions */ + s->s3->serverinfo_client_tlsext_custom_types_count = 0; + if (s->s3->serverinfo_client_tlsext_custom_types != NULL) + { + OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types); + s->s3->serverinfo_client_tlsext_custom_types = NULL; + } + #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif + +#ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) + ssl_check_for_safari(s, data, d, n); +#endif /* !OPENSSL_NO_EC */ + /* Clear any signature algorithms extension received */ if (s->cert->peer_sigalgs) { @@ -1326,6 +2000,16 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; } + /* Clear certificate digests and validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) + { + s->cert->pkeys[i].digest = NULL; + s->cert->pkeys[i].valid_flags = 0; + } + +#ifdef TLSEXT_TYPE_encrypt_then_mac + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; +#endif if (data >= (d+n-2)) goto ri_check; @@ -1480,13 +2164,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char #endif #ifndef OPENSSL_NO_EC - else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) + if (ecpointformatlist_length != size - 1 || + ecpointformatlist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1515,14 +2199,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char fprintf(stderr,"\n"); #endif } - else if (type == TLSEXT_TYPE_elliptic_curves && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); - if (ellipticcurvelist_length != size - 2) + if (ellipticcurvelist_length != size - 2 || + ellipticcurvelist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1553,8 +2237,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input - else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data; @@ -1629,8 +2312,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char return 0; } } - else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) + else if (type == TLSEXT_TYPE_status_request) { if (size < 5) @@ -1760,7 +2442,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char #endif #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) + s->s3->tmp.finish_md_len == 0 && + s->s3->alpn_selected == NULL) { /* We shouldn't accept this extension on a * renegotiation. @@ -1781,6 +2464,18 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char } #endif + else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && + s->ctx->alpn_select_cb && + s->s3->tmp.finish_md_len == 0) + { + if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) + return 0; +#ifndef OPENSSL_NO_NEXTPROTONEG + /* ALPN takes precedence over NPN. */ + s->s3->next_proto_neg_seen = 0; +#endif + } + /* session ticket processed earlier */ else if (type == TLSEXT_TYPE_use_srtp) { @@ -1788,66 +2483,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char al)) return 0; } - - else if (type == TLSEXT_TYPE_server_authz) + /* If this ClientHello extension was unhandled and this is + * a nonresumed connection, check whether the extension is a + * custom TLS Extension (has a custom_srv_ext_record), and if + * so call the callback and record the extension number so that + * an appropriate ServerHello may be later returned. + */ + else if (!s->hit && s->ctx->custom_srv_ext_records_count) { - unsigned char *sdata = data; - unsigned char server_authz_dataformatlist_length; - - if (size == 0) - { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - - server_authz_dataformatlist_length = *(sdata++); - - if (server_authz_dataformatlist_length != size - 1) - { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } + custom_srv_ext_record *record; - /* Successful session resumption uses the same authz - * information as the original session so we ignore this - * in the case of a session resumption. */ - if (!s->hit) + for (i=0; i < s->ctx->custom_srv_ext_records_count; i++) { - size_t i; - if (s->s3->tlsext_authz_client_types != NULL) - OPENSSL_free(s->s3->tlsext_authz_client_types); - s->s3->tlsext_authz_client_types = - OPENSSL_malloc(server_authz_dataformatlist_length); - if (!s->s3->tlsext_authz_client_types) - { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - - s->s3->tlsext_authz_client_types_len = - server_authz_dataformatlist_length; - memcpy(s->s3->tlsext_authz_client_types, - sdata, - server_authz_dataformatlist_length); - - /* Sort the types in order to check for duplicates. */ - qsort(s->s3->tlsext_authz_client_types, - server_authz_dataformatlist_length, - 1 /* element size */, - byte_compare); - - for (i = 0; i < server_authz_dataformatlist_length; i++) + record = &s->ctx->custom_srv_ext_records[i]; + if (type == record->ext_type) { - if (i > 0 && - s->s3->tlsext_authz_client_types[i] == - s->s3->tlsext_authz_client_types[i-1]) - { - *al = TLS1_AD_DECODE_ERROR; + if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg)) return 0; - } - } + } } } +#ifdef TLSEXT_TYPE_encrypt_then_mac + else if (type == TLSEXT_TYPE_encrypt_then_mac) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; +#endif data+=size; } @@ -1882,7 +2541,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 0; } - if (ssl_check_clienthello_tlsext(s) <= 0) + if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT); return 0; @@ -1923,11 +2582,21 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char s->s3->next_proto_neg_seen = 0; #endif + if (s->s3->alpn_selected) + { + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; + } + #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif +#ifdef TLSEXT_TYPE_encrypt_then_mac + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; +#endif + if (data >= (d+n-2)) goto ri_check; @@ -1961,8 +2630,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char } #ifndef OPENSSL_NO_EC - else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); @@ -1999,8 +2667,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *al = TLS1_AD_INTERNAL_ERROR; return 0; } - if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) + if (!tls_use_ticket(s) || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; @@ -2008,8 +2675,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char s->tlsext_ticket_expected = 1; } #ifdef TLSEXT_TYPE_opaque_prf_input - else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_opaque_prf_input) { unsigned char *sdata = data; @@ -2039,8 +2705,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char } } #endif - else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) + else if (type == TLSEXT_TYPE_status_request) { /* MUST be empty and only sent if we've requested * a status request message. @@ -2061,7 +2726,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char unsigned char selected_len; /* We must have requested it. */ - if ((s->ctx->next_proto_select_cb == NULL)) + if (s->ctx->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; @@ -2088,6 +2753,52 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char s->s3->next_proto_neg_seen = 1; } #endif + + else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) + { + unsigned len; + + /* We must have requested it. */ + if (s->alpn_client_proto_list == NULL) + { + *al = TLS1_AD_UNSUPPORTED_EXTENSION; + return 0; + } + if (size < 4) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + /* The extension data consists of: + * uint16 list_length + * uint8 proto_length; + * uint8 proto[proto_length]; */ + len = data[0]; + len <<= 8; + len |= data[1]; + if (len != (unsigned) size - 2) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + len = data[2]; + if (len != (unsigned) size - 3) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + if (s->s3->alpn_selected) + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_malloc(len); + if (!s->s3->alpn_selected) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + memcpy(s->s3->alpn_selected, data + 3, len); + s->s3->alpn_selected_len = len; + } + else if (type == TLSEXT_TYPE_renegotiate) { if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) @@ -2117,45 +2828,33 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char al)) return 0; } - - else if (type == TLSEXT_TYPE_server_authz) + /* If this extension type was not otherwise handled, but + * matches a custom_cli_ext_record, then send it to the c + * callback */ + else if (s->ctx->custom_cli_ext_records_count) { - /* We only support audit proofs. It's an error to send - * an authz hello extension if the client - * didn't request a proof. */ - unsigned char *sdata = data; - unsigned char server_authz_dataformatlist_length; - - if (!s->ctx->tlsext_authz_server_audit_proof_cb) - { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - - if (!size) - { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - - server_authz_dataformatlist_length = *(sdata++); - if (server_authz_dataformatlist_length != size - 1) - { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } + size_t i; + custom_cli_ext_record* record; - /* We only support audit proofs, so a legal ServerHello - * authz list contains exactly one entry. */ - if (server_authz_dataformatlist_length != 1 || - sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof) + for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - - s->s3->tlsext_authz_server_promised = 1; + record = &s->ctx->custom_cli_ext_records[i]; + if (record->ext_type == type) + { + if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg)) + return 0; + break; + } + } + } +#ifdef TLSEXT_TYPE_encrypt_then_mac + else if (type == TLSEXT_TYPE_encrypt_then_mac) + { + /* Ignore if inappropriate ciphersuite */ + if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } +#endif data += size; } @@ -2254,36 +2953,10 @@ int ssl_prepare_clienthello_tlsext(SSL *s) int ssl_prepare_serverhello_tlsext(SSL *s) { -#ifndef OPENSSL_NO_EC - /* If we are server and using an ECC cipher suite, send the point formats we support - * if the client sent us an ECPointsFormat extension. Note that the server is not - * supposed to send an EllipticCurves extension. - */ - - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); - using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); - - if (using_ecc) - { - if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); - if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); - return -1; - } - s->tlsext_ecpointformatlist_length = 3; - s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; - s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; - s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } -#endif /* OPENSSL_NO_EC */ - return 1; } -static int ssl_check_clienthello_tlsext(SSL *s) +static int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; @@ -2302,42 +2975,12 @@ static int ssl_check_clienthello_tlsext(SSL *s) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); - /* If status request then ask callback what to do. - * Note: this must be called after servername callbacks in case - * the certificate has changed. - */ - if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) - { - int r; - r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (r) - { - /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; - /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - else - s->tlsext_status_expected = 0; - break; - /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } - else - s->tlsext_status_expected = 0; - #ifdef TLSEXT_TYPE_opaque_prf_input { /* This sort of belongs into ssl_prepare_serverhello_tlsext(), * but we might be sending an alert in response to the client hello, - * so this has to happen here in ssl_check_clienthello_tlsext(). */ + * so this has to happen here in + * ssl_check_clienthello_tlsext_early(). */ int r = 1; @@ -2389,8 +3032,8 @@ static int ssl_check_clienthello_tlsext(SSL *s) } } -#endif err: +#endif switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -2408,23 +3051,88 @@ static int ssl_check_clienthello_tlsext(SSL *s) } } -int ssl_check_serverhello_tlsext(SSL *s) +int ssl_check_clienthello_tlsext_late(SSL *s) { - int ret=SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; + int ret = SSL_TLSEXT_ERR_OK; + int al; -#ifndef OPENSSL_NO_EC - /* If we are client and using an elliptic curve cryptography cipher - * suite, then if server returns an EC point formats lists extension - * it must contain uncompressed. - */ - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && - (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) + /* If status request then ask callback what to do. + * Note: this must be called after servername callbacks in case + * the certificate has changed, and must be called after the cipher + * has been chosen because this may influence which certificate is sent + */ + if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { - /* we are using an ECC cipher */ + int r; + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + /* If no certificate can't return certificate status */ + if (certpkey == NULL) + { + s->tlsext_status_expected = 0; + return 1; + } + /* Set current certificate to one we will use so + * SSL_get_certificate et al can pick it up. + */ + s->cert->key = certpkey; + r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); + switch (r) + { + /* We don't want to send a status request response */ + case SSL_TLSEXT_ERR_NOACK: + s->tlsext_status_expected = 0; + break; + /* status request response should be sent */ + case SSL_TLSEXT_ERR_OK: + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; + else + s->tlsext_status_expected = 0; + break; + /* something bad happened */ + case SSL_TLSEXT_ERR_ALERT_FATAL: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + } + else + s->tlsext_status_expected = 0; + + err: + switch (ret) + { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + default: + return 1; + } + } + +int ssl_check_serverhello_tlsext(SSL *s) + { + int ret=SSL_TLSEXT_ERR_NOACK; + int al = SSL_AD_UNRECOGNIZED_NAME; + +#ifndef OPENSSL_NO_EC + /* If we are client and using an elliptic curve cryptography cipher + * suite, then if server returns an EC point formats lists extension + * it must contain uncompressed. + */ + unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; + if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && + ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) + { + /* we are using an ECC cipher */ size_t i; unsigned char *list; int found_uncompressed = 0; @@ -2585,14 +3293,14 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, /* If tickets disabled behave as if no ticket present * to permit stateful resumption. */ - if (SSL_get_options(s) & SSL_OP_NO_TICKET) + if (!tls_use_ticket(s)) return 0; if ((s->version <= SSL3_VERSION) || !limit) return 0; if (p >= limit) return -1; /* Skip past DTLS cookie */ - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { i = *(p++); p+= i; @@ -2728,7 +3436,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Update(&hctx, etick, eticklen); HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); - if (memcmp(tick_hmac, etick + eticklen, mlen)) + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ @@ -2839,40 +3547,60 @@ int tls12_get_sigid(const EVP_PKEY *pk) sizeof(tls12_sig)/sizeof(tls12_lookup)); } -const EVP_MD *tls12_get_hash(unsigned char hash_alg) +typedef struct { - switch(hash_alg) - { -#ifndef OPENSSL_NO_MD5 - case TLSEXT_hash_md5: -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return NULL; + int nid; + int secbits; + const EVP_MD *(*mfunc)(void); + } tls12_hash_info; + +static const tls12_hash_info tls12_md_info[] = { +#ifdef OPENSSL_NO_MD5 + {NID_md5, 64, 0}, +#else + {NID_md5, 64, EVP_md5}, #endif - return EVP_md5(); +#ifdef OPENSSL_NO_SHA + {NID_sha1, 80, 0}, +#else + {NID_sha1, 80, EVP_sha1}, #endif -#ifndef OPENSSL_NO_SHA - case TLSEXT_hash_sha1: - return EVP_sha1(); +#ifdef OPENSSL_NO_SHA256 + {NID_sha224, 112, 0}, + {NID_sha256, 128, 0}, +#else + {NID_sha224, 112, EVP_sha224}, + {NID_sha256, 128, EVP_sha256}, #endif -#ifndef OPENSSL_NO_SHA256 - case TLSEXT_hash_sha224: - return EVP_sha224(); - - case TLSEXT_hash_sha256: - return EVP_sha256(); +#ifdef OPENSSL_NO_SHA512 + {NID_sha384, 192, 0}, + {NID_sha512, 256, 0} +#else + {NID_sha384, 192, EVP_sha384}, + {NID_sha512, 256, EVP_sha512} #endif -#ifndef OPENSSL_NO_SHA512 - case TLSEXT_hash_sha384: - return EVP_sha384(); +}; - case TLSEXT_hash_sha512: - return EVP_sha512(); -#endif - default: +static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) + { + if (hash_alg == 0) return NULL; + if (hash_alg > sizeof(tls12_md_info)/sizeof(tls12_md_info[0])) + return NULL; + return tls12_md_info + hash_alg - 1; + } - } +const EVP_MD *tls12_get_hash(unsigned char hash_alg) + { + const tls12_hash_info *inf; +#ifndef OPENSSL_FIPS + if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) + return NULL; +#endif + inf = tls12_get_hash_info(hash_alg); + if (!inf || !inf->mfunc) + return NULL; + return inf->mfunc(); } static int tls12_get_pkey_idx(unsigned char sig_alg) @@ -2899,7 +3627,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg) static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, int *psignhash_nid, const unsigned char *data) { - int sign_nid, hash_nid; + int sign_nid = 0, hash_nid = 0; if (!phash_nid && !psign_nid && !psignhash_nid) return; if (phash_nid || psignhash_nid) @@ -2925,8 +3653,86 @@ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, *psignhash_nid = NID_undef; } } +/* Check to see if a signature algorithm is allowed */ +static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp) + { + /* See if we have an entry in the hash table and it is enabled */ + const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]); + if (!hinf || !hinf->mfunc) + return 0; + /* See if public key algorithm allowed */ + if (tls12_get_pkey_idx(ptmp[1]) == -1) + return 0; + /* Finally see if security callback allows it */ + return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp); + } + +/* Get a mask of disabled public key algorithms based on supported + * signature algorithms. For example if no signature algorithm supports RSA + * then RSA is disabled. + */ + +void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op) + { + const unsigned char *sigalgs; + size_t i, sigalgslen; + int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; + /* Now go through all signature algorithms seeing if we support + * any for RSA, DSA, ECDSA. Do this for all versions not just + * TLS 1.2. To keep down calls to security callback only check + * if we have to. + */ + sigalgslen = tls12_get_psigalgs(s, &sigalgs); + for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) + { + switch(sigalgs[1]) + { +#ifndef OPENSSL_NO_RSA + case TLSEXT_signature_rsa: + if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs)) + have_rsa = 1; + break; +#endif +#ifndef OPENSSL_NO_DSA + case TLSEXT_signature_dsa: + if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs)) + have_dsa = 1; + break; +#endif +#ifndef OPENSSL_NO_ECDSA + case TLSEXT_signature_ecdsa: + if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs)) + have_ecdsa = 1; + break; +#endif + } + } + if (!have_rsa) + *pmask_a |= SSL_aRSA; + if (!have_dsa) + *pmask_a |= SSL_aDSS; + if (!have_ecdsa) + *pmask_a |= SSL_aECDSA; + } + +size_t tls12_copy_sigalgs(SSL *s, unsigned char *out, + const unsigned char *psig, size_t psiglen) + { + unsigned char *tmpout = out; + size_t i; + for (i = 0; i < psiglen; i += 2, psig += 2) + { + if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) + { + *tmpout++ = psig[0]; + *tmpout++ = psig[1]; + } + } + return tmpout - out; + } + /* Given preference and allowed sigalgs set shared sigalgs */ -static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, +static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, const unsigned char *pref, size_t preflen, const unsigned char *allow, size_t allowlen) { @@ -2935,9 +3741,7 @@ static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2) { /* Skip disabled hashes or signature algorithms */ - if (tls12_get_hash(ptmp[0]) == NULL) - continue; - if (tls12_get_pkey_idx(ptmp[1]) == -1) + if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp)) continue; for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2) { @@ -2969,19 +3773,26 @@ static int tls1_set_shared_sigalgs(SSL *s) size_t nmatch; TLS_SIGALGS *salgs = NULL; CERT *c = s->cert; - conf = c->conf_sigalgs; - if (conf) - conflen = c->conf_sigalgslen; - else + unsigned int is_suiteb = tls1_suiteb(s); + if (c->shared_sigalgs) { - conf = tls12_sigalgs; - conflen = sizeof(tls12_sigalgs); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - conflen -= 2; -#endif + OPENSSL_free(c->shared_sigalgs); + c->shared_sigalgs = NULL; + } + /* If client use client signature algorithms if not NULL */ + if (!s->server && c->client_sigalgs && !is_suiteb) + { + conf = c->client_sigalgs; + conflen = c->client_sigalgslen; + } + else if (c->conf_sigalgs && !is_suiteb) + { + conf = c->conf_sigalgs; + conflen = c->conf_sigalgslen; } - if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + else + conflen = tls12_get_psigalgs(s, &conf); + if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { pref = conf; preflen = conflen; @@ -2995,13 +3806,13 @@ static int tls1_set_shared_sigalgs(SSL *s) pref = c->peer_sigalgs; preflen = c->peer_sigalgslen; } - nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); + nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); if (!nmatch) return 1; salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); if (!salgs) return 0; - nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); + nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); c->shared_sigalgs = salgs; c->shared_sigalgslen = nmatch; return 1; @@ -3017,18 +3828,15 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; - /* Extension ignored for TLS versions below 1.2 */ - if (TLS1_get_version(s) < TLS1_2_VERSION) + /* Extension ignored for inappropriate versions */ + if (!SSL_USE_SIGALGS(s)) return 1; /* Should never happen */ if (!c) return 0; - c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; - c->pkeys[SSL_PKEY_ECC].digest = NULL; - + if (c->peer_sigalgs) + OPENSSL_free(c->peer_sigalgs); c->peer_sigalgs = OPENSSL_malloc(dsize); if (!c->peer_sigalgs) return 0; @@ -3037,6 +3845,32 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) tls1_set_shared_sigalgs(s); +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + { + /* Use first set signature preference to force message + * digest, ignoring any peer preferences. + */ + const unsigned char *sigs = NULL; + if (s->server) + sigs = c->conf_sigalgs; + else + sigs = c->client_sigalgs; + if (sigs) + { + idx = tls12_get_pkey_idx(sigs[1]); + md = tls12_get_hash(sigs[0]); + c->pkeys[idx].digest = md; + c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + if (idx == SSL_PKEY_RSA_SIGN) + { + c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; + c->pkeys[SSL_PKEY_RSA_ENC].digest = md; + } + } + } +#endif + for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { @@ -3045,29 +3879,39 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) { md = tls12_get_hash(sigptr->rhash); c->pkeys[idx].digest = md; + c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; if (idx == SSL_PKEY_RSA_SIGN) + { + c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN; c->pkeys[SSL_PKEY_RSA_ENC].digest = md; + } } } - /* Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. + /* In strict mode leave unset digests as NULL to indicate we can't + * use the certificate for signing. */ + if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) + { + /* Set any remaining keys to default values. NOTE: if alg is + * not supported it stays as NULL. + */ #ifndef OPENSSL_NO_DSA - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); + if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) + c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) - { - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } + if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) + { + c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); + c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); + } #endif #ifndef OPENSSL_NO_ECDSA - if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); + if (!c->pkeys[SSL_PKEY_ECC].digest) + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif + } return 1; } @@ -3125,16 +3969,20 @@ tls1_process_heartbeat(SSL *s) unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ - /* Read type and payload length first */ - hbtype = *p++; - n2s(p, payload); - pl = p; - if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, &s->s3->rrec.data[0], s->s3->rrec.length, s, s->msg_callback_arg); + /* Read type and payload length first */ + if (1 + 2 + 16 > s->s3->rrec.length) + return 0; /* silently discard */ + hbtype = *p++; + n2s(p, payload); + if (1 + 2 + payload + 16 > s->s3->rrec.length) + return 0; /* silently discard per RFC 6520 sec. 4 */ + pl = p; + if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; @@ -3316,16 +4164,18 @@ static int sig_cb(const char *elem, int len, void *arg) /* Set suppored signature algorithms based on a colon separated list * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */ -int tls1_set_sigalgs_list(CERT *c, const char *str) +int tls1_set_sigalgs_list(CERT *c, const char *str, int client) { sig_cb_st sig; sig.sigalgcnt = 0; if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; - return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt); + if (c == NULL) + return 1; + return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); } -int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen) +int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) { unsigned char *sigalgs, *sptr; int rhash, rsign; @@ -3348,11 +4198,21 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen) *sptr++ = rsign; } - if (c->conf_sigalgs) - OPENSSL_free(c->conf_sigalgs); + if (client) + { + if (c->client_sigalgs) + OPENSSL_free(c->client_sigalgs); + c->client_sigalgs = sigalgs; + c->client_sigalgslen = salglen; + } + else + { + if (c->conf_sigalgs) + OPENSSL_free(c->conf_sigalgs); + c->conf_sigalgs = sigalgs; + c->conf_sigalgslen = salglen; + } - c->conf_sigalgs = sigalgs; - c->conf_sigalgslen = salglen; return 1; err: @@ -3360,4 +4220,484 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen) return 0; } +static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) + { + int sig_nid; + size_t i; + if (default_nid == -1) + return 1; + sig_nid = X509_get_signature_nid(x); + if (default_nid) + return sig_nid == default_nid ? 1 : 0; + for (i = 0; i < c->shared_sigalgslen; i++) + if (sig_nid == c->shared_sigalgs[i].signandhash_nid) + return 1; + return 0; + } +/* Check to see if a certificate issuer name matches list of CA names */ +static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) + { + X509_NAME *nm; + int i; + nm = X509_get_issuer_name(x); + for (i = 0; i < sk_X509_NAME_num(names); i++) + { + if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) + return 1; + } + return 0; + } + +/* Check certificate chain is consistent with TLS extensions and is + * usable by server. This servers two purposes: it allows users to + * check chains before passing them to the server and it allows the + * server to check chains before attempting to use them. + */ + +/* Flags which need to be set for a certificate when stict mode not set */ + +#define CERT_PKEY_VALID_FLAGS \ + (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) +/* Strict mode flags */ +#define CERT_PKEY_STRICT_FLAGS \ + (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ + | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) + +int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + int idx) + { + int i; + int rv = 0; + int check_flags = 0, strict_mode; + CERT_PKEY *cpk = NULL; + CERT *c = s->cert; + unsigned int suiteb_flags = tls1_suiteb(s); + /* idx == -1 means checking server chains */ + if (idx != -1) + { + /* idx == -2 means checking client certificate chains */ + if (idx == -2) + { + cpk = c->key; + idx = cpk - c->pkeys; + } + else + cpk = c->pkeys + idx; + x = cpk->x509; + pk = cpk->privatekey; + chain = cpk->chain; + strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; + /* If no cert or key, forget it */ + if (!x || !pk) + goto end; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Allow any certificate to pass test */ + if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + { + rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN; + cpk->valid_flags = rv; + return rv; + } #endif + } + else + { + if (!x || !pk) + goto end; + idx = ssl_cert_type(x, pk); + if (idx == -1) + goto end; + cpk = c->pkeys + idx; + if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) + check_flags = CERT_PKEY_STRICT_FLAGS; + else + check_flags = CERT_PKEY_VALID_FLAGS; + strict_mode = 1; + } + + if (suiteb_flags) + { + int ok; + if (check_flags) + check_flags |= CERT_PKEY_SUITEB; + ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); + if (ok != X509_V_OK) + { + if (check_flags) + rv |= CERT_PKEY_SUITEB; + else + goto end; + } + } + + /* Check all signature algorithms are consistent with + * signature algorithms extension if TLS 1.2 or later + * and strict mode. + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) + { + int default_nid; + unsigned char rsign = 0; + if (c->peer_sigalgs) + default_nid = 0; + /* If no sigalgs extension use defaults from RFC5246 */ + else + { + switch(idx) + { + case SSL_PKEY_RSA_ENC: + case SSL_PKEY_RSA_SIGN: + case SSL_PKEY_DH_RSA: + rsign = TLSEXT_signature_rsa; + default_nid = NID_sha1WithRSAEncryption; + break; + + case SSL_PKEY_DSA_SIGN: + case SSL_PKEY_DH_DSA: + rsign = TLSEXT_signature_dsa; + default_nid = NID_dsaWithSHA1; + break; + + case SSL_PKEY_ECC: + rsign = TLSEXT_signature_ecdsa; + default_nid = NID_ecdsa_with_SHA1; + break; + + default: + default_nid = -1; + break; + } + } + /* If peer sent no signature algorithms extension and we + * have set preferred signature algorithms check we support + * sha1. + */ + if (default_nid > 0 && c->conf_sigalgs) + { + size_t j; + const unsigned char *p = c->conf_sigalgs; + for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) + { + if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) + break; + } + if (j == c->conf_sigalgslen) + { + if (check_flags) + goto skip_sigs; + else + goto end; + } + } + /* Check signature algorithm of each cert in chain */ + if (!tls1_check_sig_alg(c, x, default_nid)) + { + if (!check_flags) goto end; + } + else + rv |= CERT_PKEY_EE_SIGNATURE; + rv |= CERT_PKEY_CA_SIGNATURE; + for (i = 0; i < sk_X509_num(chain); i++) + { + if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), + default_nid)) + { + if (check_flags) + { + rv &= ~CERT_PKEY_CA_SIGNATURE; + break; + } + else + goto end; + } + } + } + /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ + else if(check_flags) + rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE; + skip_sigs: + /* Check cert parameters are consistent */ + if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) + rv |= CERT_PKEY_EE_PARAM; + else if (!check_flags) + goto end; + if (!s->server) + rv |= CERT_PKEY_CA_PARAM; + /* In strict mode check rest of chain too */ + else if (strict_mode) + { + rv |= CERT_PKEY_CA_PARAM; + for (i = 0; i < sk_X509_num(chain); i++) + { + X509 *ca = sk_X509_value(chain, i); + if (!tls1_check_cert_param(s, ca, 0)) + { + if (check_flags) + { + rv &= ~CERT_PKEY_CA_PARAM; + break; + } + else + goto end; + } + } + } + if (!s->server && strict_mode) + { + STACK_OF(X509_NAME) *ca_dn; + int check_type = 0; + switch (pk->type) + { + case EVP_PKEY_RSA: + check_type = TLS_CT_RSA_SIGN; + break; + case EVP_PKEY_DSA: + check_type = TLS_CT_DSS_SIGN; + break; + case EVP_PKEY_EC: + check_type = TLS_CT_ECDSA_SIGN; + break; + case EVP_PKEY_DH: + case EVP_PKEY_DHX: + { + int cert_type = X509_certificate_type(x, pk); + if (cert_type & EVP_PKS_RSA) + check_type = TLS_CT_RSA_FIXED_DH; + if (cert_type & EVP_PKS_DSA) + check_type = TLS_CT_DSS_FIXED_DH; + } + } + if (check_type) + { + const unsigned char *ctypes; + int ctypelen; + if (c->ctypes) + { + ctypes = c->ctypes; + ctypelen = (int)c->ctype_num; + } + else + { + ctypes = (unsigned char *)s->s3->tmp.ctype; + ctypelen = s->s3->tmp.ctype_num; + } + for (i = 0; i < ctypelen; i++) + { + if (ctypes[i] == check_type) + { + rv |= CERT_PKEY_CERT_TYPE; + break; + } + } + if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) + goto end; + } + else + rv |= CERT_PKEY_CERT_TYPE; + + + ca_dn = s->s3->tmp.ca_names; + + if (!sk_X509_NAME_num(ca_dn)) + rv |= CERT_PKEY_ISSUER_NAME; + + if (!(rv & CERT_PKEY_ISSUER_NAME)) + { + if (ssl_check_ca_name(ca_dn, x)) + rv |= CERT_PKEY_ISSUER_NAME; + } + if (!(rv & CERT_PKEY_ISSUER_NAME)) + { + for (i = 0; i < sk_X509_num(chain); i++) + { + X509 *xtmp = sk_X509_value(chain, i); + if (ssl_check_ca_name(ca_dn, xtmp)) + { + rv |= CERT_PKEY_ISSUER_NAME; + break; + } + } + } + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) + goto end; + } + else + rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE; + + if (!check_flags || (rv & check_flags) == check_flags) + rv |= CERT_PKEY_VALID; + + end: + + if (TLS1_get_version(s) >= TLS1_2_VERSION) + { + if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN) + rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN; + else if (cpk->digest) + rv |= CERT_PKEY_SIGN; + } + else + rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN; + + /* When checking a CERT_PKEY structure all flags are irrelevant + * if the chain is invalid. + */ + if (!check_flags) + { + if (rv & CERT_PKEY_VALID) + cpk->valid_flags = rv; + else + { + /* Preserve explicit sign flag, clear rest */ + cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; + return 0; + } + } + return rv; + } + +/* Set validity of certificates in an SSL structure */ +void tls1_set_cert_validity(SSL *s) + { + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); + } +/* User level utiity function to check a chain is suitable */ +int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) + { + return tls1_check_chain(s, x, pk, chain, -1); + } + +#endif + +#ifndef OPENSSL_NO_DH +DH *ssl_get_auto_dh(SSL *s) + { + int dh_secbits = 80; + if (s->cert->dh_tmp_auto == 2) + return DH_get_1024_160(); + if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) + { + if (s->s3->tmp.new_cipher->strength_bits == 256) + dh_secbits = 128; + else + dh_secbits = 80; + } + else + { + CERT_PKEY *cpk = ssl_get_server_send_pkey(s); + dh_secbits = EVP_PKEY_security_bits(cpk->privatekey); + } + + if (dh_secbits >= 128) + { + DH *dhp = DH_new(); + if (!dhp) + return NULL; + dhp->g = BN_new(); + if (dhp->g) + BN_set_word(dhp->g, 2); + if (dh_secbits >= 192) + dhp->p = get_rfc3526_prime_8192(NULL); + else + dhp->p = get_rfc3526_prime_3072(NULL); + if (!dhp->p || !dhp->g) + { + DH_free(dhp); + return NULL; + } + return dhp; + } + if (dh_secbits >= 112) + return DH_get_2048_224(); + return DH_get_1024_160(); + } +#endif + +static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) + { + int secbits; + EVP_PKEY *pkey = X509_get_pubkey(x); + if (pkey) + { + secbits = EVP_PKEY_security_bits(pkey); + EVP_PKEY_free(pkey); + } + else + secbits = -1; + if (s) + return ssl_security(s, op, secbits, 0, x); + else + return ssl_ctx_security(ctx, op, secbits, 0, x); + } + +static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) + { + /* Lookup signature algorithm digest */ + int secbits = -1, md_nid = NID_undef, sig_nid; + sig_nid = X509_get_signature_nid(x); + if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) + { + const EVP_MD *md; + if (md_nid && (md = EVP_get_digestbynid(md_nid))) + secbits = EVP_MD_size(md) * 4; + } + if (s) + return ssl_security(s, op, secbits, md_nid, x); + else + return ssl_ctx_security(ctx, op, secbits, md_nid, x); + } + +int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) + { + if (vfy) + vfy = SSL_SECOP_PEER; + if (is_ee) + { + if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy)) + return SSL_R_EE_KEY_TOO_SMALL; + } + else + { + if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy)) + return SSL_R_CA_KEY_TOO_SMALL; + } + if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) + return SSL_R_CA_MD_TOO_WEAK; + return 1; + } + +/* Check security of a chain, if sk includes the end entity certificate + * then x is NULL. If vfy is 1 then we are verifying a peer chain and + * not sending one to the peer. + * Return values: 1 if ok otherwise error code to use + */ + +int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) + { + int rv, start_idx, i; + if (x == NULL) + { + x = sk_X509_value(sk, 0); + start_idx = 1; + } + else + start_idx = 0; + + rv = ssl_security_cert(s, NULL, x, vfy, 1); + if (rv != 1) + return rv; + + for (i = start_idx; i < sk_X509_num(sk); i++) + { + x = sk_X509_value(sk, i); + rv = ssl_security_cert(s, NULL, x, vfy, 0); + if (rv != 1) + return rv; + } + return 1; + }