summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c941
1 files changed, 58 insertions, 883 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 27c8e3460d..26cbae449e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -114,7 +114,6 @@
114#include <openssl/evp.h> 114#include <openssl/evp.h>
115#include <openssl/hmac.h> 115#include <openssl/hmac.h>
116#include <openssl/ocsp.h> 116#include <openssl/ocsp.h>
117#include <openssl/rand.h>
118#include "ssl_locl.h" 117#include "ssl_locl.h"
119 118
120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 119const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
@@ -137,7 +136,6 @@ SSL3_ENC_METHOD TLSv1_enc_data={
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code, 138 tls1_alert_code,
140 tls1_export_keying_material,
141 }; 139 };
142 140
143long tls1_default_timeout(void) 141long tls1_default_timeout(void)
@@ -168,11 +166,10 @@ void tls1_free(SSL *s)
168void tls1_clear(SSL *s) 166void tls1_clear(SSL *s)
169 { 167 {
170 ssl3_clear(s); 168 ssl3_clear(s);
171 s->version = s->method->version; 169 s->version=TLS1_VERSION;
172 } 170 }
173 171
174#ifndef OPENSSL_NO_EC 172#ifndef OPENSSL_NO_EC
175
176static int nid_list[] = 173static int nid_list[] =
177 { 174 {
178 NID_sect163k1, /* sect163k1 (1) */ 175 NID_sect163k1, /* sect163k1 (1) */
@@ -201,36 +198,7 @@ static int nid_list[] =
201 NID_secp384r1, /* secp384r1 (24) */ 198 NID_secp384r1, /* secp384r1 (24) */
202 NID_secp521r1 /* secp521r1 (25) */ 199 NID_secp521r1 /* secp521r1 (25) */
203 }; 200 };
204 201
205static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
234int tls1_ec_curve_id2nid(int curve_id) 202int tls1_ec_curve_id2nid(int curve_id)
235 { 203 {
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 204 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
@@ -302,64 +270,6 @@ int tls1_ec_nid2curve_id(int nid)
302#endif /* OPENSSL_NO_EC */ 270#endif /* OPENSSL_NO_EC */
303 271
304#ifndef OPENSSL_NO_TLSEXT 272#ifndef OPENSSL_NO_TLSEXT
305
306/* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310#ifdef OPENSSL_NO_RSA
311#define tlsext_sigalg_rsa(md) /* */
312#else
313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314#endif
315
316#ifdef OPENSSL_NO_DSA
317#define tlsext_sigalg_dsa(md) /* */
318#else
319#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320#endif
321
322#ifdef OPENSSL_NO_ECDSA
323#define tlsext_sigalg_ecdsa(md) /* */
324#else
325#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326#endif
327
328#define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333static unsigned char tls12_sigalgs[] = {
334#ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337#endif
338#ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341#endif
342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348};
349
350int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
352 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
358 if (p)
359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
361 }
362
363unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 273unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 { 274 {
365 int extdatalen=0; 275 int extdatalen=0;
@@ -407,7 +317,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
407 } 317 }
408 318
409 /* Add RI if renegotiating */ 319 /* Add RI if renegotiating */
410 if (s->renegotiate) 320 if (s->new_session)
411 { 321 {
412 int el; 322 int el;
413 323
@@ -431,34 +341,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
431 ret += el; 341 ret += el;
432 } 342 }
433 343
434#ifndef OPENSSL_NO_SRP
435 /* Add SRP username if there is one */
436 if (s->srp_ctx.login != NULL)
437 { /* Add TLS extension SRP username to the Client Hello message */
438
439 int login_len = strlen(s->srp_ctx.login);
440 if (login_len > 255 || login_len == 0)
441 {
442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 return NULL;
444 }
445
446 /* check for enough space.
447 4 for the srp type type and entension length
448 1 for the srp user identity
449 + srp user identity length
450 */
451 if ((limit - ret - 5 - login_len) < 0) return NULL;
452
453 /* fill in the extension */
454 s2n(TLSEXT_TYPE_srp,ret);
455 s2n(login_len+1,ret);
456 (*ret++) = (unsigned char) login_len;
457 memcpy(ret, s->srp_ctx.login, login_len);
458 ret+=login_len;
459 }
460#endif
461
462#ifndef OPENSSL_NO_EC 344#ifndef OPENSSL_NO_EC
463 if (s->tlsext_ecpointformatlist != NULL && 345 if (s->tlsext_ecpointformatlist != NULL &&
464 s->version != DTLS1_VERSION) 346 s->version != DTLS1_VERSION)
@@ -544,17 +426,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
544 } 426 }
545 skip_ext: 427 skip_ext:
546 428
547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 {
549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 return NULL;
551 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 s2n(sizeof(tls12_sigalgs) + 2, ret);
553 s2n(sizeof(tls12_sigalgs), ret);
554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 ret += sizeof(tls12_sigalgs);
556 }
557
558#ifdef TLSEXT_TYPE_opaque_prf_input 429#ifdef TLSEXT_TYPE_opaque_prf_input
559 if (s->s3->client_opaque_prf_input != NULL && 430 if (s->s3->client_opaque_prf_input != NULL &&
560 s->version != DTLS1_VERSION) 431 s->version != DTLS1_VERSION)
@@ -623,51 +494,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 494 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624 } 495 }
625 496
626#ifndef OPENSSL_NO_HEARTBEATS
627 /* Add Heartbeat extension */
628 s2n(TLSEXT_TYPE_heartbeat,ret);
629 s2n(1,ret);
630 /* Set mode:
631 * 1: peer may send requests
632 * 2: peer not allowed to send requests
633 */
634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 else
637 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638#endif
639
640#ifndef OPENSSL_NO_NEXTPROTONEG
641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 {
643 /* The client advertises an emtpy extension to indicate its
644 * support for Next Protocol Negotiation */
645 if (limit - ret - 4 < 0)
646 return NULL;
647 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 s2n(0,ret);
649 }
650#endif
651
652 if(SSL_get_srtp_profiles(s))
653 {
654 int el;
655
656 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657
658 if((limit - p - 4 - el) < 0) return NULL;
659
660 s2n(TLSEXT_TYPE_use_srtp,ret);
661 s2n(el,ret);
662
663 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664 {
665 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666 return NULL;
667 }
668 ret += el;
669 }
670
671 if ((extdatalen = ret-p-2)== 0) 497 if ((extdatalen = ret-p-2)== 0)
672 return p; 498 return p;
673 499
@@ -679,9 +505,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
679 { 505 {
680 int extdatalen=0; 506 int extdatalen=0;
681 unsigned char *ret = p; 507 unsigned char *ret = p;
682#ifndef OPENSSL_NO_NEXTPROTONEG
683 int next_proto_neg_seen;
684#endif
685 508
686 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 509 /* don't add extensions for SSLv3, unless doing secure renegotiation */
687 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 510 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
@@ -780,26 +603,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
780 ret += sol; 603 ret += sol;
781 } 604 }
782#endif 605#endif
783
784 if(s->srtp_profile)
785 {
786 int el;
787
788 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789
790 if((limit - p - 4 - el) < 0) return NULL;
791
792 s2n(TLSEXT_TYPE_use_srtp,ret);
793 s2n(el,ret);
794
795 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796 {
797 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798 return NULL;
799 }
800 ret+=el;
801 }
802
803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 606 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 607 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
805 { const unsigned char cryptopro_ext[36] = { 608 { const unsigned char cryptopro_ext[36] = {
@@ -815,46 +618,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
815 618
816 } 619 }
817 620
818#ifndef OPENSSL_NO_HEARTBEATS
819 /* Add Heartbeat extension if we've received one */
820 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821 {
822 s2n(TLSEXT_TYPE_heartbeat,ret);
823 s2n(1,ret);
824 /* Set mode:
825 * 1: peer may send requests
826 * 2: peer not allowed to send requests
827 */
828 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830 else
831 *(ret++) = SSL_TLSEXT_HB_ENABLED;
832
833 }
834#endif
835
836#ifndef OPENSSL_NO_NEXTPROTONEG
837 next_proto_neg_seen = s->s3->next_proto_neg_seen;
838 s->s3->next_proto_neg_seen = 0;
839 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840 {
841 const unsigned char *npa;
842 unsigned int npalen;
843 int r;
844
845 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846 if (r == SSL_TLSEXT_ERR_OK)
847 {
848 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849 s2n(TLSEXT_TYPE_next_proto_neg,ret);
850 s2n(npalen,ret);
851 memcpy(ret, npa, npalen);
852 ret += npalen;
853 s->s3->next_proto_neg_seen = 1;
854 }
855 }
856#endif
857
858 if ((extdatalen = ret-p-2)== 0) 621 if ((extdatalen = ret-p-2)== 0)
859 return p; 622 return p;
860 623
@@ -869,18 +632,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
869 unsigned short len; 632 unsigned short len;
870 unsigned char *data = *p; 633 unsigned char *data = *p;
871 int renegotiate_seen = 0; 634 int renegotiate_seen = 0;
872 int sigalg_seen = 0;
873 635
874 s->servername_done = 0; 636 s->servername_done = 0;
875 s->tlsext_status_type = -1; 637 s->tlsext_status_type = -1;
876#ifndef OPENSSL_NO_NEXTPROTONEG
877 s->s3->next_proto_neg_seen = 0;
878#endif
879
880#ifndef OPENSSL_NO_HEARTBEATS
881 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883#endif
884 638
885 if (data >= (d+n-2)) 639 if (data >= (d+n-2))
886 goto ri_check; 640 goto ri_check;
@@ -1008,31 +762,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1008 } 762 }
1009 763
1010 } 764 }
1011#ifndef OPENSSL_NO_SRP
1012 else if (type == TLSEXT_TYPE_srp)
1013 {
1014 if (size <= 0 || ((len = data[0])) != (size -1))
1015 {
1016 *al = SSL_AD_DECODE_ERROR;
1017 return 0;
1018 }
1019 if (s->srp_ctx.login != NULL)
1020 {
1021 *al = SSL_AD_DECODE_ERROR;
1022 return 0;
1023 }
1024 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025 return -1;
1026 memcpy(s->srp_ctx.login, &data[1], len);
1027 s->srp_ctx.login[len]='\0';
1028
1029 if (strlen(s->srp_ctx.login) != len)
1030 {
1031 *al = SSL_AD_DECODE_ERROR;
1032 return 0;
1033 }
1034 }
1035#endif
1036 765
1037#ifndef OPENSSL_NO_EC 766#ifndef OPENSSL_NO_EC
1038 else if (type == TLSEXT_TYPE_ec_point_formats && 767 else if (type == TLSEXT_TYPE_ec_point_formats &&
@@ -1153,28 +882,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1153 return 0; 882 return 0;
1154 renegotiate_seen = 1; 883 renegotiate_seen = 1;
1155 } 884 }
1156 else if (type == TLSEXT_TYPE_signature_algorithms)
1157 {
1158 int dsize;
1159 if (sigalg_seen || size < 2)
1160 {
1161 *al = SSL_AD_DECODE_ERROR;
1162 return 0;
1163 }
1164 sigalg_seen = 1;
1165 n2s(data,dsize);
1166 size -= 2;
1167 if (dsize != size || dsize & 1)
1168 {
1169 *al = SSL_AD_DECODE_ERROR;
1170 return 0;
1171 }
1172 if (!tls1_process_sigalgs(s, data, dsize))
1173 {
1174 *al = SSL_AD_DECODE_ERROR;
1175 return 0;
1176 }
1177 }
1178 else if (type == TLSEXT_TYPE_status_request && 885 else if (type == TLSEXT_TYPE_status_request &&
1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 886 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1180 { 887 {
@@ -1287,54 +994,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1287 else 994 else
1288 s->tlsext_status_type = -1; 995 s->tlsext_status_type = -1;
1289 } 996 }
1290#ifndef OPENSSL_NO_HEARTBEATS
1291 else if (type == TLSEXT_TYPE_heartbeat)
1292 {
1293 switch(data[0])
1294 {
1295 case 0x01: /* Client allows us to send HB requests */
1296 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297 break;
1298 case 0x02: /* Client doesn't accept HB requests */
1299 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301 break;
1302 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1303 return 0;
1304 }
1305 }
1306#endif
1307#ifndef OPENSSL_NO_NEXTPROTONEG
1308 else if (type == TLSEXT_TYPE_next_proto_neg &&
1309 s->s3->tmp.finish_md_len == 0)
1310 {
1311 /* We shouldn't accept this extension on a
1312 * renegotiation.
1313 *
1314 * s->new_session will be set on renegotiation, but we
1315 * probably shouldn't rely that it couldn't be set on
1316 * the initial renegotation too in certain cases (when
1317 * there's some other reason to disallow resuming an
1318 * earlier session -- the current code won't be doing
1319 * anything like that, but this might change).
1320
1321 * A valid sign that there's been a previous handshake
1322 * in this connection is if s->s3->tmp.finish_md_len >
1323 * 0. (We are talking about a check that will happen
1324 * in the Hello protocol round, well before a new
1325 * Finished message could have been computed.) */
1326 s->s3->next_proto_neg_seen = 1;
1327 }
1328#endif
1329 997
1330 /* session ticket processed earlier */ 998 /* session ticket processed earlier */
1331 else if (type == TLSEXT_TYPE_use_srtp)
1332 {
1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 al))
1335 return 0;
1336 }
1337
1338 data+=size; 999 data+=size;
1339 } 1000 }
1340 1001
@@ -1344,7 +1005,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1344 1005
1345 /* Need RI if renegotiating */ 1006 /* Need RI if renegotiating */
1346 1007
1347 if (!renegotiate_seen && s->renegotiate && 1008 if (!renegotiate_seen && s->new_session &&
1348 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1009 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1349 { 1010 {
1350 *al = SSL_AD_HANDSHAKE_FAILURE; 1011 *al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1356,26 +1017,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1356 return 1; 1017 return 1;
1357 } 1018 }
1358 1019
1359#ifndef OPENSSL_NO_NEXTPROTONEG
1360/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361 * elements of zero length are allowed and the set of elements must exactly fill
1362 * the length of the block. */
1363static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1364 {
1365 unsigned int off = 0;
1366
1367 while (off < len)
1368 {
1369 if (d[off] == 0)
1370 return 0;
1371 off += d[off];
1372 off++;
1373 }
1374
1375 return off == len;
1376 }
1377#endif
1378
1379int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1020int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1380 { 1021 {
1381 unsigned short length; 1022 unsigned short length;
@@ -1385,15 +1026,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1385 int tlsext_servername = 0; 1026 int tlsext_servername = 0;
1386 int renegotiate_seen = 0; 1027 int renegotiate_seen = 0;
1387 1028
1388#ifndef OPENSSL_NO_NEXTPROTONEG
1389 s->s3->next_proto_neg_seen = 0;
1390#endif
1391
1392#ifndef OPENSSL_NO_HEARTBEATS
1393 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395#endif
1396
1397 if (data >= (d+n-2)) 1029 if (data >= (d+n-2))
1398 goto ri_check; 1030 goto ri_check;
1399 1031
@@ -1519,71 +1151,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1519 /* Set flag to expect CertificateStatus message */ 1151 /* Set flag to expect CertificateStatus message */
1520 s->tlsext_status_expected = 1; 1152 s->tlsext_status_expected = 1;
1521 } 1153 }
1522#ifndef OPENSSL_NO_NEXTPROTONEG
1523 else if (type == TLSEXT_TYPE_next_proto_neg &&
1524 s->s3->tmp.finish_md_len == 0)
1525 {
1526 unsigned char *selected;
1527 unsigned char selected_len;
1528
1529 /* We must have requested it. */
1530 if ((s->ctx->next_proto_select_cb == NULL))
1531 {
1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 return 0;
1534 }
1535 /* The data must be valid */
1536 if (!ssl_next_proto_validate(data, size))
1537 {
1538 *al = TLS1_AD_DECODE_ERROR;
1539 return 0;
1540 }
1541 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542 {
1543 *al = TLS1_AD_INTERNAL_ERROR;
1544 return 0;
1545 }
1546 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547 if (!s->next_proto_negotiated)
1548 {
1549 *al = TLS1_AD_INTERNAL_ERROR;
1550 return 0;
1551 }
1552 memcpy(s->next_proto_negotiated, selected, selected_len);
1553 s->next_proto_negotiated_len = selected_len;
1554 s->s3->next_proto_neg_seen = 1;
1555 }
1556#endif
1557 else if (type == TLSEXT_TYPE_renegotiate) 1154 else if (type == TLSEXT_TYPE_renegotiate)
1558 { 1155 {
1559 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1156 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1560 return 0; 1157 return 0;
1561 renegotiate_seen = 1; 1158 renegotiate_seen = 1;
1562 } 1159 }
1563#ifndef OPENSSL_NO_HEARTBEATS
1564 else if (type == TLSEXT_TYPE_heartbeat)
1565 {
1566 switch(data[0])
1567 {
1568 case 0x01: /* Server allows us to send HB requests */
1569 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570 break;
1571 case 0x02: /* Server doesn't accept HB requests */
1572 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574 break;
1575 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1576 return 0;
1577 }
1578 }
1579#endif
1580 else if (type == TLSEXT_TYPE_use_srtp)
1581 {
1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 al))
1584 return 0;
1585 }
1586
1587 data+=size; 1160 data+=size;
1588 } 1161 }
1589 1162
@@ -1663,7 +1236,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1663 break; 1236 break;
1664 } 1237 }
1665 } 1238 }
1666 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1239 using_ecc = using_ecc && (s->version == TLS1_VERSION);
1667 if (using_ecc) 1240 if (using_ecc)
1668 { 1241 {
1669 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1242 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
@@ -1679,19 +1252,16 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1679 1252
1680 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1253 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1681 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1254 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1682 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1255 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1683 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1256 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1684 { 1257 {
1685 s->tlsext_ellipticcurvelist_length = 0; 1258 s->tlsext_ellipticcurvelist_length = 0;
1686 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1259 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1687 return -1; 1260 return -1;
1688 } 1261 }
1689 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1262 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1690 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1263 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1691 { 1264 s2n(i,j);
1692 int id = tls1_ec_nid2curve_id(pref_list[i]);
1693 s2n(id,j);
1694 }
1695 } 1265 }
1696#endif /* OPENSSL_NO_EC */ 1266#endif /* OPENSSL_NO_EC */
1697 1267
@@ -2000,56 +1570,26 @@ int ssl_check_serverhello_tlsext(SSL *s)
2000 } 1570 }
2001 } 1571 }
2002 1572
2003/* Since the server cache lookup is done early on in the processing of the 1573/* Since the server cache lookup is done early on in the processing of client
2004 * ClientHello, and other operations depend on the result, we need to handle 1574 * hello and other operations depend on the result we need to handle any TLS
2005 * any TLS session ticket extension at the same time. 1575 * session ticket extension at the same time.
2006 *
2007 * session_id: points at the session ID in the ClientHello. This code will
2008 * read past the end of this in order to parse out the session ticket
2009 * extension, if any.
2010 * len: the length of the session ID.
2011 * limit: a pointer to the first byte after the ClientHello.
2012 * ret: (output) on return, if a ticket was decrypted, then this is set to
2013 * point to the resulting session.
2014 *
2015 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016 * ciphersuite, in which case we have no use for session tickets and one will
2017 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018 *
2019 * Returns:
2020 * -1: fatal error, either from parsing or decrypting the ticket.
2021 * 0: no ticket was found (or was ignored, based on settings).
2022 * 1: a zero length extension was found, indicating that the client supports
2023 * session tickets but doesn't currently have one to offer.
2024 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025 * couldn't be decrypted because of a non-fatal error.
2026 * 3: a ticket was successfully decrypted and *ret was set.
2027 *
2028 * Side effects:
2029 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030 * a new session ticket to the client because the client indicated support
2031 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032 * a session ticket or we couldn't use the one it gave us, or if
2033 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034 * Otherwise, s->tlsext_ticket_expected is set to 0.
2035 */ 1576 */
1577
2036int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 1578int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2037 const unsigned char *limit, SSL_SESSION **ret) 1579 const unsigned char *limit, SSL_SESSION **ret)
2038 { 1580 {
2039 /* Point after session ID in client hello */ 1581 /* Point after session ID in client hello */
2040 const unsigned char *p = session_id + len; 1582 const unsigned char *p = session_id + len;
2041 unsigned short i; 1583 unsigned short i;
2042 1584
2043 *ret = NULL;
2044 s->tlsext_ticket_expected = 0;
2045
2046 /* If tickets disabled behave as if no ticket present 1585 /* If tickets disabled behave as if no ticket present
2047 * to permit stateful resumption. 1586 * to permit stateful resumption.
2048 */ 1587 */
2049 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 1588 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2050 return 0; 1589 return 1;
1590
2051 if ((s->version <= SSL3_VERSION) || !limit) 1591 if ((s->version <= SSL3_VERSION) || !limit)
2052 return 0; 1592 return 1;
2053 if (p >= limit) 1593 if (p >= limit)
2054 return -1; 1594 return -1;
2055 /* Skip past DTLS cookie */ 1595 /* Skip past DTLS cookie */
@@ -2072,7 +1612,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2072 return -1; 1612 return -1;
2073 /* Now at start of extensions */ 1613 /* Now at start of extensions */
2074 if ((p + 2) >= limit) 1614 if ((p + 2) >= limit)
2075 return 0; 1615 return 1;
2076 n2s(p, i); 1616 n2s(p, i);
2077 while ((p + 4) <= limit) 1617 while ((p + 4) <= limit)
2078 { 1618 {
@@ -2080,61 +1620,39 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2080 n2s(p, type); 1620 n2s(p, type);
2081 n2s(p, size); 1621 n2s(p, size);
2082 if (p + size > limit) 1622 if (p + size > limit)
2083 return 0; 1623 return 1;
2084 if (type == TLSEXT_TYPE_session_ticket) 1624 if (type == TLSEXT_TYPE_session_ticket)
2085 { 1625 {
2086 int r; 1626 /* If tickets disabled indicate cache miss which will
1627 * trigger a full handshake
1628 */
1629 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1630 return 1;
1631 /* If zero length note client will accept a ticket
1632 * and indicate cache miss to trigger full handshake
1633 */
2087 if (size == 0) 1634 if (size == 0)
2088 { 1635 {
2089 /* The client will accept a ticket but doesn't
2090 * currently have one. */
2091 s->tlsext_ticket_expected = 1; 1636 s->tlsext_ticket_expected = 1;
2092 return 1; 1637 return 0; /* Cache miss */
2093 } 1638 }
2094 if (s->tls_session_secret_cb) 1639 if (s->tls_session_secret_cb)
2095 { 1640 {
2096 /* Indicate that the ticket couldn't be 1641 /* Indicate cache miss here and instead of
2097 * decrypted rather than generating the session 1642 * generating the session from ticket now,
2098 * from ticket now, trigger abbreviated 1643 * trigger abbreviated handshake based on
2099 * handshake based on external mechanism to 1644 * external mechanism to calculate the master
2100 * calculate the master secret later. */ 1645 * secret later. */
2101 return 2; 1646 return 0;
2102 }
2103 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104 switch (r)
2105 {
2106 case 2: /* ticket couldn't be decrypted */
2107 s->tlsext_ticket_expected = 1;
2108 return 2;
2109 case 3: /* ticket was decrypted */
2110 return r;
2111 case 4: /* ticket decrypted but need to renew */
2112 s->tlsext_ticket_expected = 1;
2113 return 3;
2114 default: /* fatal error */
2115 return -1;
2116 } 1647 }
1648 return tls_decrypt_ticket(s, p, size, session_id, len,
1649 ret);
2117 } 1650 }
2118 p += size; 1651 p += size;
2119 } 1652 }
2120 return 0; 1653 return 1;
2121 } 1654 }
2122 1655
2123/* tls_decrypt_ticket attempts to decrypt a session ticket.
2124 *
2125 * etick: points to the body of the session ticket extension.
2126 * eticklen: the length of the session tickets extenion.
2127 * sess_id: points at the session ID.
2128 * sesslen: the length of the session ID.
2129 * psess: (output) on return, if a ticket was decrypted, then this is set to
2130 * point to the resulting session.
2131 *
2132 * Returns:
2133 * -1: fatal error, either from parsing or decrypting the ticket.
2134 * 2: the ticket couldn't be decrypted.
2135 * 3: a ticket was successfully decrypted and *psess was set.
2136 * 4: same as 3, but the ticket needs to be renewed.
2137 */
2138static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 1656static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2139 const unsigned char *sess_id, int sesslen, 1657 const unsigned char *sess_id, int sesslen,
2140 SSL_SESSION **psess) 1658 SSL_SESSION **psess)
@@ -2149,7 +1667,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2149 SSL_CTX *tctx = s->initial_ctx; 1667 SSL_CTX *tctx = s->initial_ctx;
2150 /* Need at least keyname + iv + some encrypted data */ 1668 /* Need at least keyname + iv + some encrypted data */
2151 if (eticklen < 48) 1669 if (eticklen < 48)
2152 return 2; 1670 goto tickerr;
2153 /* Initialize session ticket encryption and HMAC contexts */ 1671 /* Initialize session ticket encryption and HMAC contexts */
2154 HMAC_CTX_init(&hctx); 1672 HMAC_CTX_init(&hctx);
2155 EVP_CIPHER_CTX_init(&ctx); 1673 EVP_CIPHER_CTX_init(&ctx);
@@ -2161,7 +1679,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2161 if (rv < 0) 1679 if (rv < 0)
2162 return -1; 1680 return -1;
2163 if (rv == 0) 1681 if (rv == 0)
2164 return 2; 1682 goto tickerr;
2165 if (rv == 2) 1683 if (rv == 2)
2166 renew_ticket = 1; 1684 renew_ticket = 1;
2167 } 1685 }
@@ -2169,15 +1687,15 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2169 { 1687 {
2170 /* Check key name matches */ 1688 /* Check key name matches */
2171 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 1689 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2172 return 2; 1690 goto tickerr;
2173 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1691 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2174 tlsext_tick_md(), NULL); 1692 tlsext_tick_md(), NULL);
2175 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1693 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2176 tctx->tlsext_tick_aes_key, etick + 16); 1694 tctx->tlsext_tick_aes_key, etick + 16);
2177 } 1695 }
2178 /* Attempt to process session ticket, first conduct sanity and 1696 /* Attempt to process session ticket, first conduct sanity and
2179 * integrity checks on ticket. 1697 * integrity checks on ticket.
2180 */ 1698 */
2181 mlen = HMAC_size(&hctx); 1699 mlen = HMAC_size(&hctx);
2182 if (mlen < 0) 1700 if (mlen < 0)
2183 { 1701 {
@@ -2190,7 +1708,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2190 HMAC_Final(&hctx, tick_hmac, NULL); 1708 HMAC_Final(&hctx, tick_hmac, NULL);
2191 HMAC_CTX_cleanup(&hctx); 1709 HMAC_CTX_cleanup(&hctx);
2192 if (memcmp(tick_hmac, etick + eticklen, mlen)) 1710 if (memcmp(tick_hmac, etick + eticklen, mlen))
2193 return 2; 1711 goto tickerr;
2194 /* Attempt to decrypt session data */ 1712 /* Attempt to decrypt session data */
2195 /* Move p after IV to start of encrypted ticket, update length */ 1713 /* Move p after IV to start of encrypted ticket, update length */
2196 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1714 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
@@ -2203,376 +1721,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2203 } 1721 }
2204 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 1722 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2205 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 1723 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2206 return 2; 1724 goto tickerr;
2207 slen += mlen; 1725 slen += mlen;
2208 EVP_CIPHER_CTX_cleanup(&ctx); 1726 EVP_CIPHER_CTX_cleanup(&ctx);
2209 p = sdec; 1727 p = sdec;
2210 1728
2211 sess = d2i_SSL_SESSION(NULL, &p, slen); 1729 sess = d2i_SSL_SESSION(NULL, &p, slen);
2212 OPENSSL_free(sdec); 1730 OPENSSL_free(sdec);
2213 if (sess) 1731 if (sess)
2214 { 1732 {
2215 /* The session ID, if non-empty, is used by some clients to 1733 /* The session ID if non-empty is used by some clients to
2216 * detect that the ticket has been accepted. So we copy it to 1734 * detect that the ticket has been accepted. So we copy it to
2217 * the session structure. If it is empty set length to zero 1735 * the session structure. If it is empty set length to zero
2218 * as required by standard. 1736 * as required by standard.
2219 */ 1737 */
2220 if (sesslen) 1738 if (sesslen)
2221 memcpy(sess->session_id, sess_id, sesslen); 1739 memcpy(sess->session_id, sess_id, sesslen);
2222 sess->session_id_length = sesslen; 1740 sess->session_id_length = sesslen;
2223 *psess = sess; 1741 *psess = sess;
2224 if (renew_ticket) 1742 s->tlsext_ticket_expected = renew_ticket;
2225 return 4;
2226 else
2227 return 3;
2228 }
2229 ERR_clear_error();
2230 /* For session parse failure, indicate that we need to send a new
2231 * ticket. */
2232 return 2;
2233 }
2234
2235/* Tables to translate from NIDs to TLS v1.2 ids */
2236
2237typedef struct
2238 {
2239 int nid;
2240 int id;
2241 } tls12_lookup;
2242
2243static tls12_lookup tls12_md[] = {
2244#ifndef OPENSSL_NO_MD5
2245 {NID_md5, TLSEXT_hash_md5},
2246#endif
2247#ifndef OPENSSL_NO_SHA
2248 {NID_sha1, TLSEXT_hash_sha1},
2249#endif
2250#ifndef OPENSSL_NO_SHA256
2251 {NID_sha224, TLSEXT_hash_sha224},
2252 {NID_sha256, TLSEXT_hash_sha256},
2253#endif
2254#ifndef OPENSSL_NO_SHA512
2255 {NID_sha384, TLSEXT_hash_sha384},
2256 {NID_sha512, TLSEXT_hash_sha512}
2257#endif
2258};
2259
2260static tls12_lookup tls12_sig[] = {
2261#ifndef OPENSSL_NO_RSA
2262 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2263#endif
2264#ifndef OPENSSL_NO_DSA
2265 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2266#endif
2267#ifndef OPENSSL_NO_ECDSA
2268 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2269#endif
2270};
2271
2272static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 {
2274 size_t i;
2275 for (i = 0; i < tlen; i++)
2276 {
2277 if (table[i].nid == nid)
2278 return table[i].id;
2279 }
2280 return -1;
2281 }
2282#if 0
2283static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2284 {
2285 size_t i;
2286 for (i = 0; i < tlen; i++)
2287 {
2288 if (table[i].id == id)
2289 return table[i].nid;
2290 }
2291 return -1;
2292 }
2293#endif
2294
2295int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2296 {
2297 int sig_id, md_id;
2298 if (!md)
2299 return 0;
2300 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2301 sizeof(tls12_md)/sizeof(tls12_lookup));
2302 if (md_id == -1)
2303 return 0;
2304 sig_id = tls12_get_sigid(pk);
2305 if (sig_id == -1)
2306 return 0;
2307 p[0] = (unsigned char)md_id;
2308 p[1] = (unsigned char)sig_id;
2309 return 1;
2310 }
2311
2312int tls12_get_sigid(const EVP_PKEY *pk)
2313 {
2314 return tls12_find_id(pk->type, tls12_sig,
2315 sizeof(tls12_sig)/sizeof(tls12_lookup));
2316 }
2317
2318const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 {
2320 switch(hash_alg)
2321 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2330#ifndef OPENSSL_NO_SHA
2331 case TLSEXT_hash_sha1:
2332 return EVP_sha1();
2333#endif
2334#ifndef OPENSSL_NO_SHA256
2335 case TLSEXT_hash_sha224:
2336 return EVP_sha224();
2337
2338 case TLSEXT_hash_sha256:
2339 return EVP_sha256();
2340#endif
2341#ifndef OPENSSL_NO_SHA512
2342 case TLSEXT_hash_sha384:
2343 return EVP_sha384();
2344
2345 case TLSEXT_hash_sha512:
2346 return EVP_sha512();
2347#endif
2348 default:
2349 return NULL;
2350
2351 }
2352 }
2353
2354/* Set preferred digest for each key type */
2355
2356int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2357 {
2358 int i, idx;
2359 const EVP_MD *md;
2360 CERT *c = s->cert;
2361 /* Extension ignored for TLS versions below 1.2 */
2362 if (TLS1_get_version(s) < TLS1_2_VERSION)
2363 return 1; 1743 return 1;
2364 /* Should never happen */
2365 if (!c)
2366 return 0;
2367
2368 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2369 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2370 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2371 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2372
2373 for (i = 0; i < dsize; i += 2)
2374 {
2375 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2376
2377 switch(sig_alg)
2378 {
2379#ifndef OPENSSL_NO_RSA
2380 case TLSEXT_signature_rsa:
2381 idx = SSL_PKEY_RSA_SIGN;
2382 break;
2383#endif
2384#ifndef OPENSSL_NO_DSA
2385 case TLSEXT_signature_dsa:
2386 idx = SSL_PKEY_DSA_SIGN;
2387 break;
2388#endif
2389#ifndef OPENSSL_NO_ECDSA
2390 case TLSEXT_signature_ecdsa:
2391 idx = SSL_PKEY_ECC;
2392 break;
2393#endif
2394 default:
2395 continue;
2396 }
2397
2398 if (c->pkeys[idx].digest == NULL)
2399 {
2400 md = tls12_get_hash(hash_alg);
2401 if (md)
2402 {
2403 c->pkeys[idx].digest = md;
2404 if (idx == SSL_PKEY_RSA_SIGN)
2405 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2406 }
2407 }
2408
2409 }
2410
2411
2412 /* Set any remaining keys to default values. NOTE: if alg is not
2413 * supported it stays as NULL.
2414 */
2415#ifndef OPENSSL_NO_DSA
2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2418#endif
2419#ifndef OPENSSL_NO_RSA
2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2421 {
2422 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2423 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2424 }
2425#endif
2426#ifndef OPENSSL_NO_ECDSA
2427 if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2429#endif
2430 return 1;
2431 }
2432
2433#endif
2434
2435#ifndef OPENSSL_NO_HEARTBEATS
2436int
2437tls1_process_heartbeat(SSL *s)
2438 {
2439 unsigned char *p = &s->s3->rrec.data[0], *pl;
2440 unsigned short hbtype;
2441 unsigned int payload;
2442 unsigned int padding = 16; /* Use minimum padding */
2443
2444 /* Read type and payload length first */
2445 hbtype = *p++;
2446 n2s(p, payload);
2447 pl = p;
2448
2449 if (s->msg_callback)
2450 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 &s->s3->rrec.data[0], s->s3->rrec.length,
2452 s, s->msg_callback_arg);
2453
2454 if (hbtype == TLS1_HB_REQUEST)
2455 {
2456 unsigned char *buffer, *bp;
2457 int r;
2458
2459 /* Allocate memory for the response, size is 1 bytes
2460 * message type, plus 2 bytes payload length, plus
2461 * payload, plus padding
2462 */
2463 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2464 bp = buffer;
2465
2466 /* Enter response type, length and copy payload */
2467 *bp++ = TLS1_HB_RESPONSE;
2468 s2n(payload, bp);
2469 memcpy(bp, pl, payload);
2470 bp += payload;
2471 /* Random padding */
2472 RAND_pseudo_bytes(bp, padding);
2473
2474 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2475
2476 if (r >= 0 && s->msg_callback)
2477 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2478 buffer, 3 + payload + padding,
2479 s, s->msg_callback_arg);
2480
2481 OPENSSL_free(buffer);
2482
2483 if (r < 0)
2484 return r;
2485 } 1744 }
2486 else if (hbtype == TLS1_HB_RESPONSE) 1745 /* If session decrypt failure indicate a cache miss and set state to
2487 { 1746 * send a new ticket
2488 unsigned int seq; 1747 */
2489 1748 tickerr:
2490 /* We only send sequence numbers (2 bytes unsigned int), 1749 s->tlsext_ticket_expected = 1;
2491 * and 16 random bytes, so we just try to read the
2492 * sequence number */
2493 n2s(pl, seq);
2494
2495 if (payload == 18 && seq == s->tlsext_hb_seq)
2496 {
2497 s->tlsext_hb_seq++;
2498 s->tlsext_hb_pending = 0;
2499 }
2500 }
2501
2502 return 0; 1750 return 0;
2503 } 1751 }
2504 1752
2505int
2506tls1_heartbeat(SSL *s)
2507 {
2508 unsigned char *buf, *p;
2509 int ret;
2510 unsigned int payload = 18; /* Sequence number + random bytes */
2511 unsigned int padding = 16; /* Use minimum padding */
2512
2513 /* Only send if peer supports and accepts HB requests... */
2514 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2515 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2516 {
2517 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2518 return -1;
2519 }
2520
2521 /* ...and there is none in flight yet... */
2522 if (s->tlsext_hb_pending)
2523 {
2524 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2525 return -1;
2526 }
2527
2528 /* ...and no handshake in progress. */
2529 if (SSL_in_init(s) || s->in_handshake)
2530 {
2531 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2532 return -1;
2533 }
2534
2535 /* Check if padding is too long, payload and padding
2536 * must not exceed 2^14 - 3 = 16381 bytes in total.
2537 */
2538 OPENSSL_assert(payload + padding <= 16381);
2539
2540 /* Create HeartBeat message, we just use a sequence number
2541 * as payload to distuingish different messages and add
2542 * some random stuff.
2543 * - Message Type, 1 byte
2544 * - Payload Length, 2 bytes (unsigned int)
2545 * - Payload, the sequence number (2 bytes uint)
2546 * - Payload, random bytes (16 bytes uint)
2547 * - Padding
2548 */
2549 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2550 p = buf;
2551 /* Message Type */
2552 *p++ = TLS1_HB_REQUEST;
2553 /* Payload length (18 bytes here) */
2554 s2n(payload, p);
2555 /* Sequence number */
2556 s2n(s->tlsext_hb_seq, p);
2557 /* 16 random bytes */
2558 RAND_pseudo_bytes(p, 16);
2559 p += 16;
2560 /* Random padding */
2561 RAND_pseudo_bytes(p, padding);
2562
2563 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2564 if (ret >= 0)
2565 {
2566 if (s->msg_callback)
2567 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2568 buf, 3 + payload + padding,
2569 s, s->msg_callback_arg);
2570
2571 s->tlsext_hb_pending = 1;
2572 }
2573
2574 OPENSSL_free(buf);
2575
2576 return ret;
2577 }
2578#endif 1753#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-04 17:06:18 +0000