summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c941
1 files changed, 883 insertions, 58 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 26cbae449e..27c8e3460d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -114,6 +114,7 @@
114#include <openssl/evp.h> 114#include <openssl/evp.h>
115#include <openssl/hmac.h> 115#include <openssl/hmac.h>
116#include <openssl/ocsp.h> 116#include <openssl/ocsp.h>
117#include <openssl/rand.h>
117#include "ssl_locl.h" 118#include "ssl_locl.h"
118 119
119const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
@@ -136,6 +137,7 @@ SSL3_ENC_METHOD TLSv1_enc_data={
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code, 139 tls1_alert_code,
140 tls1_export_keying_material,
139 }; 141 };
140 142
141long tls1_default_timeout(void) 143long tls1_default_timeout(void)
@@ -166,10 +168,11 @@ void tls1_free(SSL *s)
166void tls1_clear(SSL *s) 168void tls1_clear(SSL *s)
167 { 169 {
168 ssl3_clear(s); 170 ssl3_clear(s);
169 s->version=TLS1_VERSION; 171 s->version = s->method->version;
170 } 172 }
171 173
172#ifndef OPENSSL_NO_EC 174#ifndef OPENSSL_NO_EC
175
173static int nid_list[] = 176static int nid_list[] =
174 { 177 {
175 NID_sect163k1, /* sect163k1 (1) */ 178 NID_sect163k1, /* sect163k1 (1) */
@@ -198,7 +201,36 @@ static int nid_list[] =
198 NID_secp384r1, /* secp384r1 (24) */ 201 NID_secp384r1, /* secp384r1 (24) */
199 NID_secp521r1 /* secp521r1 (25) */ 202 NID_secp521r1 /* secp521r1 (25) */
200 }; 203 };
201 204
205static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
202int tls1_ec_curve_id2nid(int curve_id) 234int tls1_ec_curve_id2nid(int curve_id)
203 { 235 {
204 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
@@ -270,6 +302,64 @@ int tls1_ec_nid2curve_id(int nid)
270#endif /* OPENSSL_NO_EC */ 302#endif /* OPENSSL_NO_EC */
271 303
272#ifndef OPENSSL_NO_TLSEXT 304#ifndef OPENSSL_NO_TLSEXT
305
306/* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310#ifdef OPENSSL_NO_RSA
311#define tlsext_sigalg_rsa(md) /* */
312#else
313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314#endif
315
316#ifdef OPENSSL_NO_DSA
317#define tlsext_sigalg_dsa(md) /* */
318#else
319#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320#endif
321
322#ifdef OPENSSL_NO_ECDSA
323#define tlsext_sigalg_ecdsa(md) /* */
324#else
325#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326#endif
327
328#define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333static unsigned char tls12_sigalgs[] = {
334#ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337#endif
338#ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341#endif
342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348};
349
350int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
352 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
358 if (p)
359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
361 }
362
273unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 363unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274 { 364 {
275 int extdatalen=0; 365 int extdatalen=0;
@@ -317,7 +407,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
317 } 407 }
318 408
319 /* Add RI if renegotiating */ 409 /* Add RI if renegotiating */
320 if (s->new_session) 410 if (s->renegotiate)
321 { 411 {
322 int el; 412 int el;
323 413
@@ -341,6 +431,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
341 ret += el; 431 ret += el;
342 } 432 }
343 433
434#ifndef OPENSSL_NO_SRP
435 /* Add SRP username if there is one */
436 if (s->srp_ctx.login != NULL)
437 { /* Add TLS extension SRP username to the Client Hello message */
438
439 int login_len = strlen(s->srp_ctx.login);
440 if (login_len > 255 || login_len == 0)
441 {
442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 return NULL;
444 }
445
446 /* check for enough space.
447 4 for the srp type type and entension length
448 1 for the srp user identity
449 + srp user identity length
450 */
451 if ((limit - ret - 5 - login_len) < 0) return NULL;
452
453 /* fill in the extension */
454 s2n(TLSEXT_TYPE_srp,ret);
455 s2n(login_len+1,ret);
456 (*ret++) = (unsigned char) login_len;
457 memcpy(ret, s->srp_ctx.login, login_len);
458 ret+=login_len;
459 }
460#endif
461
344#ifndef OPENSSL_NO_EC 462#ifndef OPENSSL_NO_EC
345 if (s->tlsext_ecpointformatlist != NULL && 463 if (s->tlsext_ecpointformatlist != NULL &&
346 s->version != DTLS1_VERSION) 464 s->version != DTLS1_VERSION)
@@ -426,6 +544,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
426 } 544 }
427 skip_ext: 545 skip_ext:
428 546
547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 {
549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 return NULL;
551 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 s2n(sizeof(tls12_sigalgs) + 2, ret);
553 s2n(sizeof(tls12_sigalgs), ret);
554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 ret += sizeof(tls12_sigalgs);
556 }
557
429#ifdef TLSEXT_TYPE_opaque_prf_input 558#ifdef TLSEXT_TYPE_opaque_prf_input
430 if (s->s3->client_opaque_prf_input != NULL && 559 if (s->s3->client_opaque_prf_input != NULL &&
431 s->version != DTLS1_VERSION) 560 s->version != DTLS1_VERSION)
@@ -494,6 +623,51 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
494 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
495 } 624 }
496 625
626#ifndef OPENSSL_NO_HEARTBEATS
627 /* Add Heartbeat extension */
628 s2n(TLSEXT_TYPE_heartbeat,ret);
629 s2n(1,ret);
630 /* Set mode:
631 * 1: peer may send requests
632 * 2: peer not allowed to send requests
633 */
634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 else
637 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638#endif
639
640#ifndef OPENSSL_NO_NEXTPROTONEG
641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 {
643 /* The client advertises an emtpy extension to indicate its
644 * support for Next Protocol Negotiation */
645 if (limit - ret - 4 < 0)
646 return NULL;
647 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 s2n(0,ret);
649 }
650#endif
651
652 if(SSL_get_srtp_profiles(s))
653 {
654 int el;
655
656 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657
658 if((limit - p - 4 - el) < 0) return NULL;
659
660 s2n(TLSEXT_TYPE_use_srtp,ret);
661 s2n(el,ret);
662
663 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664 {
665 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666 return NULL;
667 }
668 ret += el;
669 }
670
497 if ((extdatalen = ret-p-2)== 0) 671 if ((extdatalen = ret-p-2)== 0)
498 return p; 672 return p;
499 673
@@ -505,6 +679,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
505 { 679 {
506 int extdatalen=0; 680 int extdatalen=0;
507 unsigned char *ret = p; 681 unsigned char *ret = p;
682#ifndef OPENSSL_NO_NEXTPROTONEG
683 int next_proto_neg_seen;
684#endif
508 685
509 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 686 /* don't add extensions for SSLv3, unless doing secure renegotiation */
510 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 687 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
@@ -603,6 +780,26 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
603 ret += sol; 780 ret += sol;
604 } 781 }
605#endif 782#endif
783
784 if(s->srtp_profile)
785 {
786 int el;
787
788 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789
790 if((limit - p - 4 - el) < 0) return NULL;
791
792 s2n(TLSEXT_TYPE_use_srtp,ret);
793 s2n(el,ret);
794
795 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796 {
797 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798 return NULL;
799 }
800 ret+=el;
801 }
802
606 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
607 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
608 { const unsigned char cryptopro_ext[36] = { 805 { const unsigned char cryptopro_ext[36] = {
@@ -618,6 +815,46 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
618 815
619 } 816 }
620 817
818#ifndef OPENSSL_NO_HEARTBEATS
819 /* Add Heartbeat extension if we've received one */
820 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821 {
822 s2n(TLSEXT_TYPE_heartbeat,ret);
823 s2n(1,ret);
824 /* Set mode:
825 * 1: peer may send requests
826 * 2: peer not allowed to send requests
827 */
828 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830 else
831 *(ret++) = SSL_TLSEXT_HB_ENABLED;
832
833 }
834#endif
835
836#ifndef OPENSSL_NO_NEXTPROTONEG
837 next_proto_neg_seen = s->s3->next_proto_neg_seen;
838 s->s3->next_proto_neg_seen = 0;
839 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840 {
841 const unsigned char *npa;
842 unsigned int npalen;
843 int r;
844
845 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846 if (r == SSL_TLSEXT_ERR_OK)
847 {
848 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849 s2n(TLSEXT_TYPE_next_proto_neg,ret);
850 s2n(npalen,ret);
851 memcpy(ret, npa, npalen);
852 ret += npalen;
853 s->s3->next_proto_neg_seen = 1;
854 }
855 }
856#endif
857
621 if ((extdatalen = ret-p-2)== 0) 858 if ((extdatalen = ret-p-2)== 0)
622 return p; 859 return p;
623 860
@@ -632,9 +869,18 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
632 unsigned short len; 869 unsigned short len;
633 unsigned char *data = *p; 870 unsigned char *data = *p;
634 int renegotiate_seen = 0; 871 int renegotiate_seen = 0;
872 int sigalg_seen = 0;
635 873
636 s->servername_done = 0; 874 s->servername_done = 0;
637 s->tlsext_status_type = -1; 875 s->tlsext_status_type = -1;
876#ifndef OPENSSL_NO_NEXTPROTONEG
877 s->s3->next_proto_neg_seen = 0;
878#endif
879
880#ifndef OPENSSL_NO_HEARTBEATS
881 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883#endif
638 884
639 if (data >= (d+n-2)) 885 if (data >= (d+n-2))
640 goto ri_check; 886 goto ri_check;
@@ -762,6 +1008,31 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
762 } 1008 }
763 1009
764 } 1010 }
1011#ifndef OPENSSL_NO_SRP
1012 else if (type == TLSEXT_TYPE_srp)
1013 {
1014 if (size <= 0 || ((len = data[0])) != (size -1))
1015 {
1016 *al = SSL_AD_DECODE_ERROR;
1017 return 0;
1018 }
1019 if (s->srp_ctx.login != NULL)
1020 {
1021 *al = SSL_AD_DECODE_ERROR;
1022 return 0;
1023 }
1024 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025 return -1;
1026 memcpy(s->srp_ctx.login, &data[1], len);
1027 s->srp_ctx.login[len]='\0';
1028
1029 if (strlen(s->srp_ctx.login) != len)
1030 {
1031 *al = SSL_AD_DECODE_ERROR;
1032 return 0;
1033 }
1034 }
1035#endif
765 1036
766#ifndef OPENSSL_NO_EC 1037#ifndef OPENSSL_NO_EC
767 else if (type == TLSEXT_TYPE_ec_point_formats && 1038 else if (type == TLSEXT_TYPE_ec_point_formats &&
@@ -882,6 +1153,28 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
882 return 0; 1153 return 0;
883 renegotiate_seen = 1; 1154 renegotiate_seen = 1;
884 } 1155 }
1156 else if (type == TLSEXT_TYPE_signature_algorithms)
1157 {
1158 int dsize;
1159 if (sigalg_seen || size < 2)
1160 {
1161 *al = SSL_AD_DECODE_ERROR;
1162 return 0;
1163 }
1164 sigalg_seen = 1;
1165 n2s(data,dsize);
1166 size -= 2;
1167 if (dsize != size || dsize & 1)
1168 {
1169 *al = SSL_AD_DECODE_ERROR;
1170 return 0;
1171 }
1172 if (!tls1_process_sigalgs(s, data, dsize))
1173 {
1174 *al = SSL_AD_DECODE_ERROR;
1175 return 0;
1176 }
1177 }
885 else if (type == TLSEXT_TYPE_status_request && 1178 else if (type == TLSEXT_TYPE_status_request &&
886 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
887 { 1180 {
@@ -994,8 +1287,54 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
994 else 1287 else
995 s->tlsext_status_type = -1; 1288 s->tlsext_status_type = -1;
996 } 1289 }
1290#ifndef OPENSSL_NO_HEARTBEATS
1291 else if (type == TLSEXT_TYPE_heartbeat)
1292 {
1293 switch(data[0])
1294 {
1295 case 0x01: /* Client allows us to send HB requests */
1296 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297 break;
1298 case 0x02: /* Client doesn't accept HB requests */
1299 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301 break;
1302 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1303 return 0;
1304 }
1305 }
1306#endif
1307#ifndef OPENSSL_NO_NEXTPROTONEG
1308 else if (type == TLSEXT_TYPE_next_proto_neg &&
1309 s->s3->tmp.finish_md_len == 0)
1310 {
1311 /* We shouldn't accept this extension on a
1312 * renegotiation.
1313 *
1314 * s->new_session will be set on renegotiation, but we
1315 * probably shouldn't rely that it couldn't be set on
1316 * the initial renegotation too in certain cases (when
1317 * there's some other reason to disallow resuming an
1318 * earlier session -- the current code won't be doing
1319 * anything like that, but this might change).
1320
1321 * A valid sign that there's been a previous handshake
1322 * in this connection is if s->s3->tmp.finish_md_len >
1323 * 0. (We are talking about a check that will happen
1324 * in the Hello protocol round, well before a new
1325 * Finished message could have been computed.) */
1326 s->s3->next_proto_neg_seen = 1;
1327 }
1328#endif
997 1329
998 /* session ticket processed earlier */ 1330 /* session ticket processed earlier */
1331 else if (type == TLSEXT_TYPE_use_srtp)
1332 {
1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 al))
1335 return 0;
1336 }
1337
999 data+=size; 1338 data+=size;
1000 } 1339 }
1001 1340
@@ -1005,7 +1344,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1005 1344
1006 /* Need RI if renegotiating */ 1345 /* Need RI if renegotiating */
1007 1346
1008 if (!renegotiate_seen && s->new_session && 1347 if (!renegotiate_seen && s->renegotiate &&
1009 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1348 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1010 { 1349 {
1011 *al = SSL_AD_HANDSHAKE_FAILURE; 1350 *al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1017,6 +1356,26 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1017 return 1; 1356 return 1;
1018 } 1357 }
1019 1358
1359#ifndef OPENSSL_NO_NEXTPROTONEG
1360/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361 * elements of zero length are allowed and the set of elements must exactly fill
1362 * the length of the block. */
1363static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1364 {
1365 unsigned int off = 0;
1366
1367 while (off < len)
1368 {
1369 if (d[off] == 0)
1370 return 0;
1371 off += d[off];
1372 off++;
1373 }
1374
1375 return off == len;
1376 }
1377#endif
1378
1020int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1379int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1021 { 1380 {
1022 unsigned short length; 1381 unsigned short length;
@@ -1026,6 +1385,15 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1026 int tlsext_servername = 0; 1385 int tlsext_servername = 0;
1027 int renegotiate_seen = 0; 1386 int renegotiate_seen = 0;
1028 1387
1388#ifndef OPENSSL_NO_NEXTPROTONEG
1389 s->s3->next_proto_neg_seen = 0;
1390#endif
1391
1392#ifndef OPENSSL_NO_HEARTBEATS
1393 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395#endif
1396
1029 if (data >= (d+n-2)) 1397 if (data >= (d+n-2))
1030 goto ri_check; 1398 goto ri_check;
1031 1399
@@ -1151,12 +1519,71 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1151 /* Set flag to expect CertificateStatus message */ 1519 /* Set flag to expect CertificateStatus message */
1152 s->tlsext_status_expected = 1; 1520 s->tlsext_status_expected = 1;
1153 } 1521 }
1522#ifndef OPENSSL_NO_NEXTPROTONEG
1523 else if (type == TLSEXT_TYPE_next_proto_neg &&
1524 s->s3->tmp.finish_md_len == 0)
1525 {
1526 unsigned char *selected;
1527 unsigned char selected_len;
1528
1529 /* We must have requested it. */
1530 if ((s->ctx->next_proto_select_cb == NULL))
1531 {
1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 return 0;
1534 }
1535 /* The data must be valid */
1536 if (!ssl_next_proto_validate(data, size))
1537 {
1538 *al = TLS1_AD_DECODE_ERROR;
1539 return 0;
1540 }
1541 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542 {
1543 *al = TLS1_AD_INTERNAL_ERROR;
1544 return 0;
1545 }
1546 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547 if (!s->next_proto_negotiated)
1548 {
1549 *al = TLS1_AD_INTERNAL_ERROR;
1550 return 0;
1551 }
1552 memcpy(s->next_proto_negotiated, selected, selected_len);
1553 s->next_proto_negotiated_len = selected_len;
1554 s->s3->next_proto_neg_seen = 1;
1555 }
1556#endif
1154 else if (type == TLSEXT_TYPE_renegotiate) 1557 else if (type == TLSEXT_TYPE_renegotiate)
1155 { 1558 {
1156 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1559 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1157 return 0; 1560 return 0;
1158 renegotiate_seen = 1; 1561 renegotiate_seen = 1;
1159 } 1562 }
1563#ifndef OPENSSL_NO_HEARTBEATS
1564 else if (type == TLSEXT_TYPE_heartbeat)
1565 {
1566 switch(data[0])
1567 {
1568 case 0x01: /* Server allows us to send HB requests */
1569 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570 break;
1571 case 0x02: /* Server doesn't accept HB requests */
1572 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574 break;
1575 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1576 return 0;
1577 }
1578 }
1579#endif
1580 else if (type == TLSEXT_TYPE_use_srtp)
1581 {
1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 al))
1584 return 0;
1585 }
1586
1160 data+=size; 1587 data+=size;
1161 } 1588 }
1162 1589
@@ -1236,7 +1663,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1236 break; 1663 break;
1237 } 1664 }
1238 } 1665 }
1239 using_ecc = using_ecc && (s->version == TLS1_VERSION); 1666 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1240 if (using_ecc) 1667 if (using_ecc)
1241 { 1668 {
1242 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1669 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
@@ -1252,16 +1679,19 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1252 1679
1253 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1680 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1254 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1681 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1255 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2; 1682 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1256 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1683 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1257 { 1684 {
1258 s->tlsext_ellipticcurvelist_length = 0; 1685 s->tlsext_ellipticcurvelist_length = 0;
1259 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1686 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1260 return -1; 1687 return -1;
1261 } 1688 }
1262 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <= 1689 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1263 sizeof(nid_list)/sizeof(nid_list[0]); i++) 1690 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1264 s2n(i,j); 1691 {
1692 int id = tls1_ec_nid2curve_id(pref_list[i]);
1693 s2n(id,j);
1694 }
1265 } 1695 }
1266#endif /* OPENSSL_NO_EC */ 1696#endif /* OPENSSL_NO_EC */
1267 1697
@@ -1570,26 +2000,56 @@ int ssl_check_serverhello_tlsext(SSL *s)
1570 } 2000 }
1571 } 2001 }
1572 2002
1573/* Since the server cache lookup is done early on in the processing of client 2003/* Since the server cache lookup is done early on in the processing of the
1574 * hello and other operations depend on the result we need to handle any TLS 2004 * ClientHello, and other operations depend on the result, we need to handle
1575 * session ticket extension at the same time. 2005 * any TLS session ticket extension at the same time.
2006 *
2007 * session_id: points at the session ID in the ClientHello. This code will
2008 * read past the end of this in order to parse out the session ticket
2009 * extension, if any.
2010 * len: the length of the session ID.
2011 * limit: a pointer to the first byte after the ClientHello.
2012 * ret: (output) on return, if a ticket was decrypted, then this is set to
2013 * point to the resulting session.
2014 *
2015 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016 * ciphersuite, in which case we have no use for session tickets and one will
2017 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018 *
2019 * Returns:
2020 * -1: fatal error, either from parsing or decrypting the ticket.
2021 * 0: no ticket was found (or was ignored, based on settings).
2022 * 1: a zero length extension was found, indicating that the client supports
2023 * session tickets but doesn't currently have one to offer.
2024 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025 * couldn't be decrypted because of a non-fatal error.
2026 * 3: a ticket was successfully decrypted and *ret was set.
2027 *
2028 * Side effects:
2029 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030 * a new session ticket to the client because the client indicated support
2031 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032 * a session ticket or we couldn't use the one it gave us, or if
2033 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034 * Otherwise, s->tlsext_ticket_expected is set to 0.
1576 */ 2035 */
1577
1578int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2036int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1579 const unsigned char *limit, SSL_SESSION **ret) 2037 const unsigned char *limit, SSL_SESSION **ret)
1580 { 2038 {
1581 /* Point after session ID in client hello */ 2039 /* Point after session ID in client hello */
1582 const unsigned char *p = session_id + len; 2040 const unsigned char *p = session_id + len;
1583 unsigned short i; 2041 unsigned short i;
1584 2042
2043 *ret = NULL;
2044 s->tlsext_ticket_expected = 0;
2045
1585 /* If tickets disabled behave as if no ticket present 2046 /* If tickets disabled behave as if no ticket present
1586 * to permit stateful resumption. 2047 * to permit stateful resumption.
1587 */ 2048 */
1588 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2049 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1589 return 1; 2050 return 0;
1590
1591 if ((s->version <= SSL3_VERSION) || !limit) 2051 if ((s->version <= SSL3_VERSION) || !limit)
1592 return 1; 2052 return 0;
1593 if (p >= limit) 2053 if (p >= limit)
1594 return -1; 2054 return -1;
1595 /* Skip past DTLS cookie */ 2055 /* Skip past DTLS cookie */
@@ -1612,7 +2072,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1612 return -1; 2072 return -1;
1613 /* Now at start of extensions */ 2073 /* Now at start of extensions */
1614 if ((p + 2) >= limit) 2074 if ((p + 2) >= limit)
1615 return 1; 2075 return 0;
1616 n2s(p, i); 2076 n2s(p, i);
1617 while ((p + 4) <= limit) 2077 while ((p + 4) <= limit)
1618 { 2078 {
@@ -1620,39 +2080,61 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1620 n2s(p, type); 2080 n2s(p, type);
1621 n2s(p, size); 2081 n2s(p, size);
1622 if (p + size > limit) 2082 if (p + size > limit)
1623 return 1; 2083 return 0;
1624 if (type == TLSEXT_TYPE_session_ticket) 2084 if (type == TLSEXT_TYPE_session_ticket)
1625 { 2085 {
1626 /* If tickets disabled indicate cache miss which will 2086 int r;
1627 * trigger a full handshake
1628 */
1629 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1630 return 1;
1631 /* If zero length note client will accept a ticket
1632 * and indicate cache miss to trigger full handshake
1633 */
1634 if (size == 0) 2087 if (size == 0)
1635 { 2088 {
2089 /* The client will accept a ticket but doesn't
2090 * currently have one. */
1636 s->tlsext_ticket_expected = 1; 2091 s->tlsext_ticket_expected = 1;
1637 return 0; /* Cache miss */ 2092 return 1;
1638 } 2093 }
1639 if (s->tls_session_secret_cb) 2094 if (s->tls_session_secret_cb)
1640 { 2095 {
1641 /* Indicate cache miss here and instead of 2096 /* Indicate that the ticket couldn't be
1642 * generating the session from ticket now, 2097 * decrypted rather than generating the session
1643 * trigger abbreviated handshake based on 2098 * from ticket now, trigger abbreviated
1644 * external mechanism to calculate the master 2099 * handshake based on external mechanism to
1645 * secret later. */ 2100 * calculate the master secret later. */
1646 return 0; 2101 return 2;
2102 }
2103 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104 switch (r)
2105 {
2106 case 2: /* ticket couldn't be decrypted */
2107 s->tlsext_ticket_expected = 1;
2108 return 2;
2109 case 3: /* ticket was decrypted */
2110 return r;
2111 case 4: /* ticket decrypted but need to renew */
2112 s->tlsext_ticket_expected = 1;
2113 return 3;
2114 default: /* fatal error */
2115 return -1;
1647 } 2116 }
1648 return tls_decrypt_ticket(s, p, size, session_id, len,
1649 ret);
1650 } 2117 }
1651 p += size; 2118 p += size;
1652 } 2119 }
1653 return 1; 2120 return 0;
1654 } 2121 }
1655 2122
2123/* tls_decrypt_ticket attempts to decrypt a session ticket.
2124 *
2125 * etick: points to the body of the session ticket extension.
2126 * eticklen: the length of the session tickets extenion.
2127 * sess_id: points at the session ID.
2128 * sesslen: the length of the session ID.
2129 * psess: (output) on return, if a ticket was decrypted, then this is set to
2130 * point to the resulting session.
2131 *
2132 * Returns:
2133 * -1: fatal error, either from parsing or decrypting the ticket.
2134 * 2: the ticket couldn't be decrypted.
2135 * 3: a ticket was successfully decrypted and *psess was set.
2136 * 4: same as 3, but the ticket needs to be renewed.
2137 */
1656static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2138static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1657 const unsigned char *sess_id, int sesslen, 2139 const unsigned char *sess_id, int sesslen,
1658 SSL_SESSION **psess) 2140 SSL_SESSION **psess)
@@ -1667,7 +2149,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1667 SSL_CTX *tctx = s->initial_ctx; 2149 SSL_CTX *tctx = s->initial_ctx;
1668 /* Need at least keyname + iv + some encrypted data */ 2150 /* Need at least keyname + iv + some encrypted data */
1669 if (eticklen < 48) 2151 if (eticklen < 48)
1670 goto tickerr; 2152 return 2;
1671 /* Initialize session ticket encryption and HMAC contexts */ 2153 /* Initialize session ticket encryption and HMAC contexts */
1672 HMAC_CTX_init(&hctx); 2154 HMAC_CTX_init(&hctx);
1673 EVP_CIPHER_CTX_init(&ctx); 2155 EVP_CIPHER_CTX_init(&ctx);
@@ -1679,7 +2161,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1679 if (rv < 0) 2161 if (rv < 0)
1680 return -1; 2162 return -1;
1681 if (rv == 0) 2163 if (rv == 0)
1682 goto tickerr; 2164 return 2;
1683 if (rv == 2) 2165 if (rv == 2)
1684 renew_ticket = 1; 2166 renew_ticket = 1;
1685 } 2167 }
@@ -1687,15 +2169,15 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1687 { 2169 {
1688 /* Check key name matches */ 2170 /* Check key name matches */
1689 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2171 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1690 goto tickerr; 2172 return 2;
1691 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2173 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1692 tlsext_tick_md(), NULL); 2174 tlsext_tick_md(), NULL);
1693 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2175 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1694 tctx->tlsext_tick_aes_key, etick + 16); 2176 tctx->tlsext_tick_aes_key, etick + 16);
1695 } 2177 }
1696 /* Attempt to process session ticket, first conduct sanity and 2178 /* Attempt to process session ticket, first conduct sanity and
1697 * integrity checks on ticket. 2179 * integrity checks on ticket.
1698 */ 2180 */
1699 mlen = HMAC_size(&hctx); 2181 mlen = HMAC_size(&hctx);
1700 if (mlen < 0) 2182 if (mlen < 0)
1701 { 2183 {
@@ -1708,7 +2190,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1708 HMAC_Final(&hctx, tick_hmac, NULL); 2190 HMAC_Final(&hctx, tick_hmac, NULL);
1709 HMAC_CTX_cleanup(&hctx); 2191 HMAC_CTX_cleanup(&hctx);
1710 if (memcmp(tick_hmac, etick + eticklen, mlen)) 2192 if (memcmp(tick_hmac, etick + eticklen, mlen))
1711 goto tickerr; 2193 return 2;
1712 /* Attempt to decrypt session data */ 2194 /* Attempt to decrypt session data */
1713 /* Move p after IV to start of encrypted ticket, update length */ 2195 /* Move p after IV to start of encrypted ticket, update length */
1714 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2196 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
@@ -1721,33 +2203,376 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1721 } 2203 }
1722 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2204 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1723 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2205 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1724 goto tickerr; 2206 return 2;
1725 slen += mlen; 2207 slen += mlen;
1726 EVP_CIPHER_CTX_cleanup(&ctx); 2208 EVP_CIPHER_CTX_cleanup(&ctx);
1727 p = sdec; 2209 p = sdec;
1728 2210
1729 sess = d2i_SSL_SESSION(NULL, &p, slen); 2211 sess = d2i_SSL_SESSION(NULL, &p, slen);
1730 OPENSSL_free(sdec); 2212 OPENSSL_free(sdec);
1731 if (sess) 2213 if (sess)
1732 { 2214 {
1733 /* The session ID if non-empty is used by some clients to 2215 /* The session ID, if non-empty, is used by some clients to
1734 * detect that the ticket has been accepted. So we copy it to 2216 * detect that the ticket has been accepted. So we copy it to
1735 * the session structure. If it is empty set length to zero 2217 * the session structure. If it is empty set length to zero
1736 * as required by standard. 2218 * as required by standard.
1737 */ 2219 */
1738 if (sesslen) 2220 if (sesslen)
1739 memcpy(sess->session_id, sess_id, sesslen); 2221 memcpy(sess->session_id, sess_id, sesslen);
1740 sess->session_id_length = sesslen; 2222 sess->session_id_length = sesslen;
1741 *psess = sess; 2223 *psess = sess;
1742 s->tlsext_ticket_expected = renew_ticket; 2224 if (renew_ticket)
2225 return 4;
2226 else
2227 return 3;
2228 }
2229 ERR_clear_error();
2230 /* For session parse failure, indicate that we need to send a new
2231 * ticket. */
2232 return 2;
2233 }
2234
2235/* Tables to translate from NIDs to TLS v1.2 ids */
2236
2237typedef struct
2238 {
2239 int nid;
2240 int id;
2241 } tls12_lookup;
2242
2243static tls12_lookup tls12_md[] = {
2244#ifndef OPENSSL_NO_MD5
2245 {NID_md5, TLSEXT_hash_md5},
2246#endif
2247#ifndef OPENSSL_NO_SHA
2248 {NID_sha1, TLSEXT_hash_sha1},
2249#endif
2250#ifndef OPENSSL_NO_SHA256
2251 {NID_sha224, TLSEXT_hash_sha224},
2252 {NID_sha256, TLSEXT_hash_sha256},
2253#endif
2254#ifndef OPENSSL_NO_SHA512
2255 {NID_sha384, TLSEXT_hash_sha384},
2256 {NID_sha512, TLSEXT_hash_sha512}
2257#endif
2258};
2259
2260static tls12_lookup tls12_sig[] = {
2261#ifndef OPENSSL_NO_RSA
2262 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2263#endif
2264#ifndef OPENSSL_NO_DSA
2265 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2266#endif
2267#ifndef OPENSSL_NO_ECDSA
2268 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2269#endif
2270};
2271
2272static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 {
2274 size_t i;
2275 for (i = 0; i < tlen; i++)
2276 {
2277 if (table[i].nid == nid)
2278 return table[i].id;
2279 }
2280 return -1;
2281 }
2282#if 0
2283static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2284 {
2285 size_t i;
2286 for (i = 0; i < tlen; i++)
2287 {
2288 if (table[i].id == id)
2289 return table[i].nid;
2290 }
2291 return -1;
2292 }
2293#endif
2294
2295int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2296 {
2297 int sig_id, md_id;
2298 if (!md)
2299 return 0;
2300 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2301 sizeof(tls12_md)/sizeof(tls12_lookup));
2302 if (md_id == -1)
2303 return 0;
2304 sig_id = tls12_get_sigid(pk);
2305 if (sig_id == -1)
2306 return 0;
2307 p[0] = (unsigned char)md_id;
2308 p[1] = (unsigned char)sig_id;
2309 return 1;
2310 }
2311
2312int tls12_get_sigid(const EVP_PKEY *pk)
2313 {
2314 return tls12_find_id(pk->type, tls12_sig,
2315 sizeof(tls12_sig)/sizeof(tls12_lookup));
2316 }
2317
2318const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 {
2320 switch(hash_alg)
2321 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2330#ifndef OPENSSL_NO_SHA
2331 case TLSEXT_hash_sha1:
2332 return EVP_sha1();
2333#endif
2334#ifndef OPENSSL_NO_SHA256
2335 case TLSEXT_hash_sha224:
2336 return EVP_sha224();
2337
2338 case TLSEXT_hash_sha256:
2339 return EVP_sha256();
2340#endif
2341#ifndef OPENSSL_NO_SHA512
2342 case TLSEXT_hash_sha384:
2343 return EVP_sha384();
2344
2345 case TLSEXT_hash_sha512:
2346 return EVP_sha512();
2347#endif
2348 default:
2349 return NULL;
2350
2351 }
2352 }
2353
2354/* Set preferred digest for each key type */
2355
2356int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2357 {
2358 int i, idx;
2359 const EVP_MD *md;
2360 CERT *c = s->cert;
2361 /* Extension ignored for TLS versions below 1.2 */
2362 if (TLS1_get_version(s) < TLS1_2_VERSION)
1743 return 1; 2363 return 1;
2364 /* Should never happen */
2365 if (!c)
2366 return 0;
2367
2368 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2369 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2370 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2371 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2372
2373 for (i = 0; i < dsize; i += 2)
2374 {
2375 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2376
2377 switch(sig_alg)
2378 {
2379#ifndef OPENSSL_NO_RSA
2380 case TLSEXT_signature_rsa:
2381 idx = SSL_PKEY_RSA_SIGN;
2382 break;
2383#endif
2384#ifndef OPENSSL_NO_DSA
2385 case TLSEXT_signature_dsa:
2386 idx = SSL_PKEY_DSA_SIGN;
2387 break;
2388#endif
2389#ifndef OPENSSL_NO_ECDSA
2390 case TLSEXT_signature_ecdsa:
2391 idx = SSL_PKEY_ECC;
2392 break;
2393#endif
2394 default:
2395 continue;
2396 }
2397
2398 if (c->pkeys[idx].digest == NULL)
2399 {
2400 md = tls12_get_hash(hash_alg);
2401 if (md)
2402 {
2403 c->pkeys[idx].digest = md;
2404 if (idx == SSL_PKEY_RSA_SIGN)
2405 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2406 }
2407 }
2408
1744 } 2409 }
1745 /* If session decrypt failure indicate a cache miss and set state to 2410
1746 * send a new ticket 2411
1747 */ 2412 /* Set any remaining keys to default values. NOTE: if alg is not
1748 tickerr: 2413 * supported it stays as NULL.
1749 s->tlsext_ticket_expected = 1; 2414 */
2415#ifndef OPENSSL_NO_DSA
2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2418#endif
2419#ifndef OPENSSL_NO_RSA
2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2421 {
2422 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2423 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2424 }
2425#endif
2426#ifndef OPENSSL_NO_ECDSA
2427 if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2429#endif
2430 return 1;
2431 }
2432
2433#endif
2434
2435#ifndef OPENSSL_NO_HEARTBEATS
2436int
2437tls1_process_heartbeat(SSL *s)
2438 {
2439 unsigned char *p = &s->s3->rrec.data[0], *pl;
2440 unsigned short hbtype;
2441 unsigned int payload;
2442 unsigned int padding = 16; /* Use minimum padding */
2443
2444 /* Read type and payload length first */
2445 hbtype = *p++;
2446 n2s(p, payload);
2447 pl = p;
2448
2449 if (s->msg_callback)
2450 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 &s->s3->rrec.data[0], s->s3->rrec.length,
2452 s, s->msg_callback_arg);
2453
2454 if (hbtype == TLS1_HB_REQUEST)
2455 {
2456 unsigned char *buffer, *bp;
2457 int r;
2458
2459 /* Allocate memory for the response, size is 1 bytes
2460 * message type, plus 2 bytes payload length, plus
2461 * payload, plus padding
2462 */
2463 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2464 bp = buffer;
2465
2466 /* Enter response type, length and copy payload */
2467 *bp++ = TLS1_HB_RESPONSE;
2468 s2n(payload, bp);
2469 memcpy(bp, pl, payload);
2470 bp += payload;
2471 /* Random padding */
2472 RAND_pseudo_bytes(bp, padding);
2473
2474 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2475
2476 if (r >= 0 && s->msg_callback)
2477 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2478 buffer, 3 + payload + padding,
2479 s, s->msg_callback_arg);
2480
2481 OPENSSL_free(buffer);
2482
2483 if (r < 0)
2484 return r;
2485 }
2486 else if (hbtype == TLS1_HB_RESPONSE)
2487 {
2488 unsigned int seq;
2489
2490 /* We only send sequence numbers (2 bytes unsigned int),
2491 * and 16 random bytes, so we just try to read the
2492 * sequence number */
2493 n2s(pl, seq);
2494
2495 if (payload == 18 && seq == s->tlsext_hb_seq)
2496 {
2497 s->tlsext_hb_seq++;
2498 s->tlsext_hb_pending = 0;
2499 }
2500 }
2501
1750 return 0; 2502 return 0;
1751 } 2503 }
1752 2504
2505int
2506tls1_heartbeat(SSL *s)
2507 {
2508 unsigned char *buf, *p;
2509 int ret;
2510 unsigned int payload = 18; /* Sequence number + random bytes */
2511 unsigned int padding = 16; /* Use minimum padding */
2512
2513 /* Only send if peer supports and accepts HB requests... */
2514 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2515 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2516 {
2517 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2518 return -1;
2519 }
2520
2521 /* ...and there is none in flight yet... */
2522 if (s->tlsext_hb_pending)
2523 {
2524 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2525 return -1;
2526 }
2527
2528 /* ...and no handshake in progress. */
2529 if (SSL_in_init(s) || s->in_handshake)
2530 {
2531 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2532 return -1;
2533 }
2534
2535 /* Check if padding is too long, payload and padding
2536 * must not exceed 2^14 - 3 = 16381 bytes in total.
2537 */
2538 OPENSSL_assert(payload + padding <= 16381);
2539
2540 /* Create HeartBeat message, we just use a sequence number
2541 * as payload to distuingish different messages and add
2542 * some random stuff.
2543 * - Message Type, 1 byte
2544 * - Payload Length, 2 bytes (unsigned int)
2545 * - Payload, the sequence number (2 bytes uint)
2546 * - Payload, random bytes (16 bytes uint)
2547 * - Padding
2548 */
2549 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2550 p = buf;
2551 /* Message Type */
2552 *p++ = TLS1_HB_REQUEST;
2553 /* Payload length (18 bytes here) */
2554 s2n(payload, p);
2555 /* Sequence number */
2556 s2n(s->tlsext_hb_seq, p);
2557 /* 16 random bytes */
2558 RAND_pseudo_bytes(p, 16);
2559 p += 16;
2560 /* Random padding */
2561 RAND_pseudo_bytes(p, padding);
2562
2563 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2564 if (ret >= 0)
2565 {
2566 if (s->msg_callback)
2567 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2568 buf, 3 + payload + padding,
2569 s, s->msg_callback_arg);
2570
2571 s->tlsext_hb_pending = 1;
2572 }
2573
2574 OPENSSL_free(buf);
2575
2576 return ret;
2577 }
1753#endif 2578#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-23 23:46:15 +0000