search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit 'dfc115332c94a2f62058ac7f2bce7631fbd20b3d'
[unleashed/tickless.git] / lib / libssl / t1_lib.c
blob0d03b45a9797c3fceb97e905a5d8334862587a43
1 /* $OpenBSD: t1_lib.c,v 1.137 2017/08/30 16:44:37 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120
121 #include "bytestring.h"
122 #include "ssl_tlsext.h"
123
124 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
127
128 SSL3_ENC_METHOD TLSv1_enc_data = {
129 .enc = tls1_enc,
130 .enc_flags = 0,
131 };
132
133 SSL3_ENC_METHOD TLSv1_1_enc_data = {
134 .enc = tls1_enc,
135 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
136 };
137
138 SSL3_ENC_METHOD TLSv1_2_enc_data = {
139 .enc = tls1_enc,
140 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
141 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
142 };
143
144 long
145 tls1_default_timeout(void)
146 {
147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148 * is way too long for http, the cache would over fill */
149 return (60 * 60 * 2);
150 }
151
152 int
153 tls1_new(SSL *s)
154 {
155 if (!ssl3_new(s))
156 return (0);
157 s->method->internal->ssl_clear(s);
158 return (1);
159 }
160
161 void
162 tls1_free(SSL *s)
163 {
164 if (s == NULL)
165 return;
166
167 free(s->internal->tlsext_session_ticket);
168 ssl3_free(s);
169 }
170
171 void
172 tls1_clear(SSL *s)
173 {
174 ssl3_clear(s);
175 s->version = s->method->internal->version;
176 }
177
178 static int nid_list[] = {
179 NID_sect163k1, /* sect163k1 (1) */
180 NID_sect163r1, /* sect163r1 (2) */
181 NID_sect163r2, /* sect163r2 (3) */
182 NID_sect193r1, /* sect193r1 (4) */
183 NID_sect193r2, /* sect193r2 (5) */
184 NID_sect233k1, /* sect233k1 (6) */
185 NID_sect233r1, /* sect233r1 (7) */
186 NID_sect239k1, /* sect239k1 (8) */
187 NID_sect283k1, /* sect283k1 (9) */
188 NID_sect283r1, /* sect283r1 (10) */
189 NID_sect409k1, /* sect409k1 (11) */
190 NID_sect409r1, /* sect409r1 (12) */
191 NID_sect571k1, /* sect571k1 (13) */
192 NID_sect571r1, /* sect571r1 (14) */
193 NID_secp160k1, /* secp160k1 (15) */
194 NID_secp160r1, /* secp160r1 (16) */
195 NID_secp160r2, /* secp160r2 (17) */
196 NID_secp192k1, /* secp192k1 (18) */
197 NID_X9_62_prime192v1, /* secp192r1 (19) */
198 NID_secp224k1, /* secp224k1 (20) */
199 NID_secp224r1, /* secp224r1 (21) */
200 NID_secp256k1, /* secp256k1 (22) */
201 NID_X9_62_prime256v1, /* secp256r1 (23) */
202 NID_secp384r1, /* secp384r1 (24) */
203 NID_secp521r1, /* secp521r1 (25) */
204 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
205 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
206 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */
207 NID_X25519, /* X25519 (29) */
208 };
209
210 #if 0
211 static const uint8_t ecformats_list[] = {
212 TLSEXT_ECPOINTFORMAT_uncompressed,
213 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
214 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
215 };
216 #endif
217
218 static const uint8_t ecformats_default[] = {
219 TLSEXT_ECPOINTFORMAT_uncompressed,
220 };
221
222 #if 0
223 static const uint16_t eccurves_list[] = {
224 29, /* X25519 (29) */
225 14, /* sect571r1 (14) */
226 13, /* sect571k1 (13) */
227 25, /* secp521r1 (25) */
228 28, /* brainpoolP512r1 (28) */
229 11, /* sect409k1 (11) */
230 12, /* sect409r1 (12) */
231 27, /* brainpoolP384r1 (27) */
232 24, /* secp384r1 (24) */
233 9, /* sect283k1 (9) */
234 10, /* sect283r1 (10) */
235 26, /* brainpoolP256r1 (26) */
236 22, /* secp256k1 (22) */
237 23, /* secp256r1 (23) */
238 8, /* sect239k1 (8) */
239 6, /* sect233k1 (6) */
240 7, /* sect233r1 (7) */
241 20, /* secp224k1 (20) */
242 21, /* secp224r1 (21) */
243 4, /* sect193r1 (4) */
244 5, /* sect193r2 (5) */
245 18, /* secp192k1 (18) */
246 19, /* secp192r1 (19) */
247 1, /* sect163k1 (1) */
248 2, /* sect163r1 (2) */
249 3, /* sect163r2 (3) */
250 15, /* secp160k1 (15) */
251 16, /* secp160r1 (16) */
252 17, /* secp160r2 (17) */
253 };
254 #endif
255
256 static const uint16_t eccurves_default[] = {
257 29, /* X25519 (29) */
258 23, /* secp256r1 (23) */
259 24, /* secp384r1 (24) */
260 };
261
262 int
263 tls1_ec_curve_id2nid(const uint16_t curve_id)
264 {
265 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
266 if ((curve_id < 1) ||
267 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
268 return 0;
269 return nid_list[curve_id - 1];
270 }
271
272 uint16_t
273 tls1_ec_nid2curve_id(const int nid)
274 {
275 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
276 switch (nid) {
277 case NID_sect163k1: /* sect163k1 (1) */
278 return 1;
279 case NID_sect163r1: /* sect163r1 (2) */
280 return 2;
281 case NID_sect163r2: /* sect163r2 (3) */
282 return 3;
283 case NID_sect193r1: /* sect193r1 (4) */
284 return 4;
285 case NID_sect193r2: /* sect193r2 (5) */
286 return 5;
287 case NID_sect233k1: /* sect233k1 (6) */
288 return 6;
289 case NID_sect233r1: /* sect233r1 (7) */
290 return 7;
291 case NID_sect239k1: /* sect239k1 (8) */
292 return 8;
293 case NID_sect283k1: /* sect283k1 (9) */
294 return 9;
295 case NID_sect283r1: /* sect283r1 (10) */
296 return 10;
297 case NID_sect409k1: /* sect409k1 (11) */
298 return 11;
299 case NID_sect409r1: /* sect409r1 (12) */
300 return 12;
301 case NID_sect571k1: /* sect571k1 (13) */
302 return 13;
303 case NID_sect571r1: /* sect571r1 (14) */
304 return 14;
305 case NID_secp160k1: /* secp160k1 (15) */
306 return 15;
307 case NID_secp160r1: /* secp160r1 (16) */
308 return 16;
309 case NID_secp160r2: /* secp160r2 (17) */
310 return 17;
311 case NID_secp192k1: /* secp192k1 (18) */
312 return 18;
313 case NID_X9_62_prime192v1: /* secp192r1 (19) */
314 return 19;
315 case NID_secp224k1: /* secp224k1 (20) */
316 return 20;
317 case NID_secp224r1: /* secp224r1 (21) */
318 return 21;
319 case NID_secp256k1: /* secp256k1 (22) */
320 return 22;
321 case NID_X9_62_prime256v1: /* secp256r1 (23) */
322 return 23;
323 case NID_secp384r1: /* secp384r1 (24) */
324 return 24;
325 case NID_secp521r1: /* secp521r1 (25) */
326 return 25;
327 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
328 return 26;
329 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
330 return 27;
331 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
332 return 28;
333 case NID_X25519: /* X25519 (29) */
334 return 29;
335 default:
336 return 0;
337 }
338 }
339
340 /*
341 * Return the appropriate format list. If client_formats is non-zero, return
342 * the client/session formats. Otherwise return the custom format list if one
343 * exists, or the default formats if a custom list has not been specified.
344 */
345 void
346 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
347 size_t *pformatslen)
348 {
349 if (client_formats != 0) {
350 *pformats = SSI(s)->tlsext_ecpointformatlist;
351 *pformatslen = SSI(s)->tlsext_ecpointformatlist_length;
352 return;
353 }
354
355 *pformats = s->internal->tlsext_ecpointformatlist;
356 *pformatslen = s->internal->tlsext_ecpointformatlist_length;
357 if (*pformats == NULL) {
358 *pformats = ecformats_default;
359 *pformatslen = sizeof(ecformats_default);
360 }
361 }
362
363 /*
364 * Return the appropriate curve list. If client_curves is non-zero, return
365 * the client/session curves. Otherwise return the custom curve list if one
366 * exists, or the default curves if a custom list has not been specified.
367 */
368 void
369 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
370 size_t *pcurveslen)
371 {
372 if (client_curves != 0) {
373 *pcurves = SSI(s)->tlsext_supportedgroups;
374 *pcurveslen = SSI(s)->tlsext_supportedgroups_length;
375 return;
376 }
377
378 *pcurves = s->internal->tlsext_supportedgroups;
379 *pcurveslen = s->internal->tlsext_supportedgroups_length;
380 if (*pcurves == NULL) {
381 *pcurves = eccurves_default;
382 *pcurveslen = sizeof(eccurves_default) / 2;
383 }
384 }
385
386 int
387 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
388 const int *groups, size_t ngroups)
389 {
390 uint16_t *group_ids;
391 size_t i;
392
393 group_ids = calloc(ngroups, sizeof(uint16_t));
394 if (group_ids == NULL)
395 return 0;
396
397 for (i = 0; i < ngroups; i++) {
398 group_ids[i] = tls1_ec_nid2curve_id(groups[i]);
399 if (group_ids[i] == 0) {
400 free(group_ids);
401 return 0;
402 }
403 }
404
405 free(*out_group_ids);
406 *out_group_ids = group_ids;
407 *out_group_ids_len = ngroups;
408
409 return 1;
410 }
411
412 int
413 tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
414 const char *groups)
415 {
416 uint16_t *new_group_ids, *group_ids = NULL;
417 size_t ngroups = 0;
418 char *gs, *p, *q;
419 int nid;
420
421 if ((gs = strdup(groups)) == NULL)
422 return 0;
423
424 q = gs;
425 while ((p = strsep(&q, ":")) != NULL) {
426 nid = OBJ_sn2nid(p);
427 if (nid == NID_undef)
428 nid = OBJ_ln2nid(p);
429 if (nid == NID_undef)
430 nid = EC_curve_nist2nid(p);
431 if (nid == NID_undef)
432 goto err;
433
434 if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
435 sizeof(uint16_t))) == NULL)
436 goto err;
437 group_ids = new_group_ids;
438
439 group_ids[ngroups] = tls1_ec_nid2curve_id(nid);
440 if (group_ids[ngroups] == 0)
441 goto err;
442
443 ngroups++;
444 }
445
446 free(gs);
447 free(*out_group_ids);
448 *out_group_ids = group_ids;
449 *out_group_ids_len = ngroups;
450
451 return 1;
452
453 err:
454 free(gs);
455 free(group_ids);
456
457 return 0;
458 }
459
460 /* Check that a curve is one of our preferences. */
461 int
462 tls1_check_curve(SSL *s, const uint16_t curve_id)
463 {
464 const uint16_t *curves;
465 size_t curveslen, i;
466
467 tls1_get_curvelist(s, 0, &curves, &curveslen);
468
469 for (i = 0; i < curveslen; i++) {
470 if (curves[i] == curve_id)
471 return (1);
472 }
473 return (0);
474 }
475
476 int
477 tls1_get_shared_curve(SSL *s)
478 {
479 size_t preflen, supplen, i, j;
480 const uint16_t *pref, *supp;
481 unsigned long server_pref;
482
483 /* Cannot do anything on the client side. */
484 if (s->server == 0)
485 return (NID_undef);
486
487 /* Return first preference shared curve. */
488 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
489 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
490 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
491
492 for (i = 0; i < preflen; i++) {
493 for (j = 0; j < supplen; j++) {
494 if (pref[i] == supp[j])
495 return (tls1_ec_curve_id2nid(pref[i]));
496 }
497 }
498 return (NID_undef);
499 }
500
501 /* For an EC key set TLS ID and required compression based on parameters. */
502 static int
503 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
504 {
505 const EC_GROUP *grp;
506 const EC_METHOD *meth;
507 int is_prime = 0;
508 int nid, id;
509
510 if (ec == NULL)
511 return (0);
512
513 /* Determine if it is a prime field. */
514 if ((grp = EC_KEY_get0_group(ec)) == NULL)
515 return (0);
516 if ((meth = EC_GROUP_method_of(grp)) == NULL)
517 return (0);
518 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
519 is_prime = 1;
520
521 /* Determine curve ID. */
522 nid = EC_GROUP_get_curve_name(grp);
523 id = tls1_ec_nid2curve_id(nid);
524
525 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
526 if (id != 0)
527 *curve_id = id;
528 else
529 *curve_id = is_prime ? 0xff01 : 0xff02;
530
531 /* Specify the compression identifier. */
532 if (comp_id != NULL) {
533 if (EC_KEY_get0_public_key(ec) == NULL)
534 return (0);
535
536 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
537 *comp_id = is_prime ?
538 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
539 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
540 } else {
541 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
542 }
543 }
544 return (1);
545 }
546
547 /* Check that an EC key is compatible with extensions. */
548 static int
549 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
550 {
551 size_t curveslen, formatslen, i;
552 const uint16_t *curves;
553 const uint8_t *formats;
554
555 /*
556 * Check point formats extension if present, otherwise everything
557 * is supported (see RFC4492).
558 */
559 tls1_get_formatlist(s, 1, &formats, &formatslen);
560 if (comp_id != NULL && formats != NULL) {
561 for (i = 0; i < formatslen; i++) {
562 if (formats[i] == *comp_id)
563 break;
564 }
565 if (i == formatslen)
566 return (0);
567 }
568
569 /*
570 * Check curve list if present, otherwise everything is supported.
571 */
572 tls1_get_curvelist(s, 1, &curves, &curveslen);
573 if (curve_id != NULL && curves != NULL) {
574 for (i = 0; i < curveslen; i++) {
575 if (curves[i] == *curve_id)
576 break;
577 }
578 if (i == curveslen)
579 return (0);
580 }
581
582 return (1);
583 }
584
585 /* Check EC server key is compatible with client extensions. */
586 int
587 tls1_check_ec_server_key(SSL *s)
588 {
589 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
590 uint16_t curve_id;
591 uint8_t comp_id;
592 EVP_PKEY *pkey;
593 int rv;
594
595 if (cpk->x509 == NULL || cpk->privatekey == NULL)
596 return (0);
597 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
598 return (0);
599 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
600 EVP_PKEY_free(pkey);
601 if (rv != 1)
602 return (0);
603
604 return tls1_check_ec_key(s, &curve_id, &comp_id);
605 }
606
607 /* Check EC temporary key is compatible with client extensions. */
608 int
609 tls1_check_ec_tmp_key(SSL *s)
610 {
611 EC_KEY *ec = s->cert->ecdh_tmp;
612 uint16_t curve_id;
613
614 /* Need a shared curve. */
615 if (tls1_get_shared_curve(s) != NID_undef)
616 return (1);
617
618 if (ec == NULL)
619 return (0);
620
621 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
622 return (0);
623
624 return tls1_check_ec_key(s, &curve_id, NULL);
625 }
626
627 /*
628 * List of supported signature algorithms and hashes. Should make this
629 * customisable at some point, for now include everything we support.
630 */
631
632 static unsigned char tls12_sigalgs[] = {
633 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
634 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
635 #ifndef OPENSSL_NO_GOST
636 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
637 #endif
638
639 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
640 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
641
642 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
643 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
644
645 #ifndef OPENSSL_NO_GOST
646 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
647 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
648 #endif
649
650 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
651 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
652
653 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
654 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
655 };
656
657 void
658 tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len)
659 {
660 *sigalgs = tls12_sigalgs;
661 *sigalgs_len = sizeof(tls12_sigalgs);
662 }
663
664 unsigned char *
665 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
666 {
667 size_t len;
668 CBB cbb;
669
670 if (p >= limit)
671 return NULL;
672
673 if (!CBB_init_fixed(&cbb, p, limit - p))
674 return NULL;
675 if (!tlsext_clienthello_build(s, &cbb)) {
676 CBB_cleanup(&cbb);
677 return NULL;
678 }
679 if (!CBB_finish(&cbb, NULL, &len)) {
680 CBB_cleanup(&cbb);
681 return NULL;
682 }
683
684 return (p + len);
685 }
686
687 unsigned char *
688 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
689 {
690 size_t len;
691 CBB cbb;
692
693 if (p >= limit)
694 return NULL;
695
696 if (!CBB_init_fixed(&cbb, p, limit - p))
697 return NULL;
698 if (!tlsext_serverhello_build(s, &cbb)) {
699 CBB_cleanup(&cbb);
700 return NULL;
701 }
702 if (!CBB_finish(&cbb, NULL, &len)) {
703 CBB_cleanup(&cbb);
704 return NULL;
705 }
706
707 return (p + len);
708 }
709
710 int
711 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
712 int n, int *al)
713 {
714 unsigned short type;
715 unsigned short size;
716 unsigned short len;
717 unsigned char *data = *p;
718 unsigned char *end = d + n;
719 CBS cbs;
720
721 s->internal->servername_done = 0;
722 s->tlsext_status_type = -1;
723 S3I(s)->renegotiate_seen = 0;
724 free(S3I(s)->alpn_selected);
725 S3I(s)->alpn_selected = NULL;
726 s->internal->srtp_profile = NULL;
727
728 if (data == end)
729 goto ri_check;
730
731 if (end - data < 2)
732 goto err;
733 n2s(data, len);
734
735 if (end - data != len)
736 goto err;
737
738 while (end - data >= 4) {
739 n2s(data, type);
740 n2s(data, size);
741
742 if (end - data < size)
743 goto err;
744
745 if (s->internal->tlsext_debug_cb)
746 s->internal->tlsext_debug_cb(s, 0, type, data, size,
747 s->internal->tlsext_debug_arg);
748
749 CBS_init(&cbs, data, size);
750 if (!tlsext_clienthello_parse_one(s, &cbs, type, al))
751 return 0;
752
753 data += size;
754 }
755
756 /* Spurious data on the end */
757 if (data != end)
758 goto err;
759
760 *p = data;
761
762 ri_check:
763
764 /* Need RI if renegotiating */
765
766 if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) {
767 *al = SSL_AD_HANDSHAKE_FAILURE;
768 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
769 return 0;
770 }
771
772 return 1;
773
774 err:
775 *al = SSL_AD_DECODE_ERROR;
776 return 0;
777 }
778
779 int
780 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
781 {
782 unsigned short type;
783 unsigned short size;
784 unsigned short len;
785 unsigned char *data = *p;
786 unsigned char *end = *p + n;
787 CBS cbs;
788
789 S3I(s)->renegotiate_seen = 0;
790 free(S3I(s)->alpn_selected);
791 S3I(s)->alpn_selected = NULL;
792
793 if (data == end)
794 goto ri_check;
795
796 if (end - data < 2)
797 goto err;
798 n2s(data, len);
799
800 if (end - data != len)
801 goto err;
802
803 while (end - data >= 4) {
804 n2s(data, type);
805 n2s(data, size);
806
807 if (end - data < size)
808 goto err;
809
810 if (s->internal->tlsext_debug_cb)
811 s->internal->tlsext_debug_cb(s, 1, type, data, size,
812 s->internal->tlsext_debug_arg);
813
814 CBS_init(&cbs, data, size);
815 if (!tlsext_serverhello_parse_one(s, &cbs, type, al))
816 return 0;
817
818 data += size;
819
820 }
821
822 if (data != end) {
823 *al = SSL_AD_DECODE_ERROR;
824 return 0;
825 }
826
827 *p = data;
828
829 ri_check:
830
831 /* Determine if we need to see RI. Strictly speaking if we want to
832 * avoid an attack we should *always* see RI even on initial server
833 * hello because the client doesn't see any renegotiation during an
834 * attack. However this would mean we could not connect to any server
835 * which doesn't support RI so for the immediate future tolerate RI
836 * absence on initial connect only.
837 */
838 if (!S3I(s)->renegotiate_seen &&
839 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
840 *al = SSL_AD_HANDSHAKE_FAILURE;
841 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
842 return 0;
843 }
844
845 return 1;
846
847 err:
848 *al = SSL_AD_DECODE_ERROR;
849 return 0;
850 }
851
852 int
853 ssl_check_clienthello_tlsext_early(SSL *s)
854 {
855 int ret = SSL_TLSEXT_ERR_NOACK;
856 int al = SSL_AD_UNRECOGNIZED_NAME;
857
858 /* The handling of the ECPointFormats extension is done elsewhere, namely in
859 * ssl3_choose_cipher in s3_lib.c.
860 */
861 /* The handling of the EllipticCurves extension is done elsewhere, namely in
862 * ssl3_choose_cipher in s3_lib.c.
863 */
864
865 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
866 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
867 s->ctx->internal->tlsext_servername_arg);
868 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
869 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
870 s->initial_ctx->internal->tlsext_servername_arg);
871
872 switch (ret) {
873 case SSL_TLSEXT_ERR_ALERT_FATAL:
874 ssl3_send_alert(s, SSL3_AL_FATAL, al);
875 return -1;
876 case SSL_TLSEXT_ERR_ALERT_WARNING:
877 ssl3_send_alert(s, SSL3_AL_WARNING, al);
878 return 1;
879 case SSL_TLSEXT_ERR_NOACK:
880 s->internal->servername_done = 0;
881 default:
882 return 1;
883 }
884 }
885
886 int
887 ssl_check_clienthello_tlsext_late(SSL *s)
888 {
889 int ret = SSL_TLSEXT_ERR_OK;
890 int al = 0; /* XXX gcc3 */
891
892 /* If status request then ask callback what to do.
893 * Note: this must be called after servername callbacks in case
894 * the certificate has changed, and must be called after the cipher
895 * has been chosen because this may influence which certificate is sent
896 */
897 if ((s->tlsext_status_type != -1) &&
898 s->ctx && s->ctx->internal->tlsext_status_cb) {
899 int r;
900 CERT_PKEY *certpkey;
901 certpkey = ssl_get_server_send_pkey(s);
902 /* If no certificate can't return certificate status */
903 if (certpkey == NULL) {
904 s->internal->tlsext_status_expected = 0;
905 return 1;
906 }
907 /* Set current certificate to one we will use so
908 * SSL_get_certificate et al can pick it up.
909 */
910 s->cert->key = certpkey;
911 r = s->ctx->internal->tlsext_status_cb(s,
912 s->ctx->internal->tlsext_status_arg);
913 switch (r) {
914 /* We don't want to send a status request response */
915 case SSL_TLSEXT_ERR_NOACK:
916 s->internal->tlsext_status_expected = 0;
917 break;
918 /* status request response should be sent */
919 case SSL_TLSEXT_ERR_OK:
920 if (s->internal->tlsext_ocsp_resp)
921 s->internal->tlsext_status_expected = 1;
922 else
923 s->internal->tlsext_status_expected = 0;
924 break;
925 /* something bad happened */
926 case SSL_TLSEXT_ERR_ALERT_FATAL:
927 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
928 al = SSL_AD_INTERNAL_ERROR;
929 goto err;
930 }
931 } else
932 s->internal->tlsext_status_expected = 0;
933
934 err:
935 switch (ret) {
936 case SSL_TLSEXT_ERR_ALERT_FATAL:
937 ssl3_send_alert(s, SSL3_AL_FATAL, al);
938 return -1;
939 case SSL_TLSEXT_ERR_ALERT_WARNING:
940 ssl3_send_alert(s, SSL3_AL_WARNING, al);
941 return 1;
942 default:
943 return 1;
944 }
945 }
946
947 int
948 ssl_check_serverhello_tlsext(SSL *s)
949 {
950 int ret = SSL_TLSEXT_ERR_NOACK;
951 int al = SSL_AD_UNRECOGNIZED_NAME;
952
953 ret = SSL_TLSEXT_ERR_OK;
954
955 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
956 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
957 s->ctx->internal->tlsext_servername_arg);
958 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
959 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
960 s->initial_ctx->internal->tlsext_servername_arg);
961
962 /* If we've requested certificate status and we wont get one
963 * tell the callback
964 */
965 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
966 s->ctx && s->ctx->internal->tlsext_status_cb) {
967 int r;
968 /* Set resp to NULL, resplen to -1 so callback knows
969 * there is no response.
970 */
971 free(s->internal->tlsext_ocsp_resp);
972 s->internal->tlsext_ocsp_resp = NULL;
973 s->internal->tlsext_ocsp_resplen = -1;
974 r = s->ctx->internal->tlsext_status_cb(s,
975 s->ctx->internal->tlsext_status_arg);
976 if (r == 0) {
977 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
978 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
979 }
980 if (r < 0) {
981 al = SSL_AD_INTERNAL_ERROR;
982 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
983 }
984 }
985
986 switch (ret) {
987 case SSL_TLSEXT_ERR_ALERT_FATAL:
988 ssl3_send_alert(s, SSL3_AL_FATAL, al);
989
990 return -1;
991 case SSL_TLSEXT_ERR_ALERT_WARNING:
992 ssl3_send_alert(s, SSL3_AL_WARNING, al);
993
994 return 1;
995 case SSL_TLSEXT_ERR_NOACK:
996 s->internal->servername_done = 0;
997 default:
998 return 1;
999 }
1000 }
1001
1002 /* Since the server cache lookup is done early on in the processing of the
1003 * ClientHello, and other operations depend on the result, we need to handle
1004 * any TLS session ticket extension at the same time.
1005 *
1006 * session_id: points at the session ID in the ClientHello. This code will
1007 * read past the end of this in order to parse out the session ticket
1008 * extension, if any.
1009 * len: the length of the session ID.
1010 * limit: a pointer to the first byte after the ClientHello.
1011 * ret: (output) on return, if a ticket was decrypted, then this is set to
1012 * point to the resulting session.
1013 *
1014 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
1015 * ciphersuite, in which case we have no use for session tickets and one will
1016 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
1017 *
1018 * Returns:
1019 * -1: fatal error, either from parsing or decrypting the ticket.
1020 * 0: no ticket was found (or was ignored, based on settings).
1021 * 1: a zero length extension was found, indicating that the client supports
1022 * session tickets but doesn't currently have one to offer.
1023 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
1024 * couldn't be decrypted because of a non-fatal error.
1025 * 3: a ticket was successfully decrypted and *ret was set.
1026 *
1027 * Side effects:
1028 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
1029 * a new session ticket to the client because the client indicated support
1030 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
1031 * a session ticket or we couldn't use the one it gave us, or if
1032 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1033 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
1034 */
1035 int
1036 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
1037 const unsigned char *limit, SSL_SESSION **ret)
1038 {
1039 /* Point after session ID in client hello */
1040 CBS session_id, cookie, cipher_list, compress_algo, extensions;
1041
1042 *ret = NULL;
1043 s->internal->tlsext_ticket_expected = 0;
1044
1045 /* If tickets disabled behave as if no ticket present
1046 * to permit stateful resumption.
1047 */
1048 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1049 return 0;
1050 if (!limit)
1051 return 0;
1052
1053 if (limit < session)
1054 return -1;
1055
1056 CBS_init(&session_id, session, limit - session);
1057
1058 /* Skip past the session id */
1059 if (!CBS_skip(&session_id, session_len))
1060 return -1;
1061
1062 /* Skip past DTLS cookie */
1063 if (SSL_IS_DTLS(s)) {
1064 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
1065 return -1;
1066 }
1067
1068 /* Skip past cipher list */
1069 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
1070 return -1;
1071
1072 /* Skip past compression algorithm list */
1073 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
1074 return -1;
1075
1076 /* Now at start of extensions */
1077 if (CBS_len(&session_id) == 0)
1078 return 0;
1079 if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
1080 return -1;
1081
1082 while (CBS_len(&extensions) > 0) {
1083 CBS ext_data;
1084 uint16_t ext_type;
1085
1086 if (!CBS_get_u16(&extensions, &ext_type) ||
1087 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
1088 return -1;
1089
1090 if (ext_type == TLSEXT_TYPE_session_ticket) {
1091 int r;
1092 if (CBS_len(&ext_data) == 0) {
1093 /* The client will accept a ticket but doesn't
1094 * currently have one. */
1095 s->internal->tlsext_ticket_expected = 1;
1096 return 1;
1097 }
1098 if (s->internal->tls_session_secret_cb) {
1099 /* Indicate that the ticket couldn't be
1100 * decrypted rather than generating the session
1101 * from ticket now, trigger abbreviated
1102 * handshake based on external mechanism to
1103 * calculate the master secret later. */
1104 return 2;
1105 }
1106
1107 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
1108 CBS_len(&ext_data), session, session_len, ret);
1109
1110 switch (r) {
1111 case 2: /* ticket couldn't be decrypted */
1112 s->internal->tlsext_ticket_expected = 1;
1113 return 2;
1114 case 3: /* ticket was decrypted */
1115 return r;
1116 case 4: /* ticket decrypted but need to renew */
1117 s->internal->tlsext_ticket_expected = 1;
1118 return 3;
1119 default: /* fatal error */
1120 return -1;
1121 }
1122 }
1123 }
1124 return 0;
1125 }
1126
1127 /* tls_decrypt_ticket attempts to decrypt a session ticket.
1128 *
1129 * etick: points to the body of the session ticket extension.
1130 * eticklen: the length of the session tickets extenion.
1131 * sess_id: points at the session ID.
1132 * sesslen: the length of the session ID.
1133 * psess: (output) on return, if a ticket was decrypted, then this is set to
1134 * point to the resulting session.
1135 *
1136 * Returns:
1137 * -1: fatal error, either from parsing or decrypting the ticket.
1138 * 2: the ticket couldn't be decrypted.
1139 * 3: a ticket was successfully decrypted and *psess was set.
1140 * 4: same as 3, but the ticket needs to be renewed.
1141 */
1142 static int
1143 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1144 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
1145 {
1146 SSL_SESSION *sess;
1147 unsigned char *sdec;
1148 const unsigned char *p;
1149 int slen, mlen, renew_ticket = 0;
1150 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1151 HMAC_CTX hctx;
1152 EVP_CIPHER_CTX ctx;
1153 SSL_CTX *tctx = s->initial_ctx;
1154
1155 /*
1156 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
1157 * the iv to tlsext_ticket_key_cb(). Since the total space
1158 * required for a session cookie is never less than this,
1159 * this check isn't too strict. The exact check comes later.
1160 */
1161 if (eticklen < 16 + EVP_MAX_IV_LENGTH)
1162 return 2;
1163
1164 /* Initialize session ticket encryption and HMAC contexts */
1165 HMAC_CTX_init(&hctx);
1166 EVP_CIPHER_CTX_init(&ctx);
1167 if (tctx->internal->tlsext_ticket_key_cb) {
1168 unsigned char *nctick = (unsigned char *)etick;
1169 int rv = tctx->internal->tlsext_ticket_key_cb(s,
1170 nctick, nctick + 16, &ctx, &hctx, 0);
1171 if (rv < 0) {
1172 HMAC_CTX_cleanup(&hctx);
1173 EVP_CIPHER_CTX_cleanup(&ctx);
1174 return -1;
1175 }
1176 if (rv == 0) {
1177 HMAC_CTX_cleanup(&hctx);
1178 EVP_CIPHER_CTX_cleanup(&ctx);
1179 return 2;
1180 }
1181 if (rv == 2)
1182 renew_ticket = 1;
1183 } else {
1184 /* Check key name matches */
1185 if (timingsafe_memcmp(etick,
1186 tctx->internal->tlsext_tick_key_name, 16))
1187 return 2;
1188 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key,
1189 16, tlsext_tick_md(), NULL);
1190 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1191 tctx->internal->tlsext_tick_aes_key, etick + 16);
1192 }
1193
1194 /*
1195 * Attempt to process session ticket, first conduct sanity and
1196 * integrity checks on ticket.
1197 */
1198 mlen = HMAC_size(&hctx);
1199 if (mlen < 0) {
1200 HMAC_CTX_cleanup(&hctx);
1201 EVP_CIPHER_CTX_cleanup(&ctx);
1202 return -1;
1203 }
1204
1205 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
1206 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
1207 HMAC_CTX_cleanup(&hctx);
1208 EVP_CIPHER_CTX_cleanup(&ctx);
1209 return 2;
1210 }
1211 eticklen -= mlen;
1212
1213 /* Check HMAC of encrypted ticket */
1214 if (HMAC_Update(&hctx, etick, eticklen) <= 0 ||
1215 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
1216 HMAC_CTX_cleanup(&hctx);
1217 EVP_CIPHER_CTX_cleanup(&ctx);
1218 return -1;
1219 }
1220
1221 HMAC_CTX_cleanup(&hctx);
1222 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
1223 EVP_CIPHER_CTX_cleanup(&ctx);
1224 return 2;
1225 }
1226
1227 /* Attempt to decrypt session data */
1228 /* Move p after IV to start of encrypted ticket, update length */
1229 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1230 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1231 sdec = malloc(eticklen);
1232 if (sdec == NULL ||
1233 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
1234 free(sdec);
1235 EVP_CIPHER_CTX_cleanup(&ctx);
1236 return -1;
1237 }
1238 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
1239 free(sdec);
1240 EVP_CIPHER_CTX_cleanup(&ctx);
1241 return 2;
1242 }
1243 slen += mlen;
1244 EVP_CIPHER_CTX_cleanup(&ctx);
1245 p = sdec;
1246
1247 sess = d2i_SSL_SESSION(NULL, &p, slen);
1248 free(sdec);
1249 if (sess) {
1250 /* The session ID, if non-empty, is used by some clients to
1251 * detect that the ticket has been accepted. So we copy it to
1252 * the session structure. If it is empty set length to zero
1253 * as required by standard.
1254 */
1255 if (sesslen)
1256 memcpy(sess->session_id, sess_id, sesslen);
1257 sess->session_id_length = sesslen;
1258 *psess = sess;
1259 if (renew_ticket)
1260 return 4;
1261 else
1262 return 3;
1263 }
1264 ERR_clear_error();
1265 /* For session parse failure, indicate that we need to send a new
1266 * ticket. */
1267 return 2;
1268 }
1269
1270 /* Tables to translate from NIDs to TLS v1.2 ids */
1271
1272 typedef struct {
1273 int nid;
1274 int id;
1275 } tls12_lookup;
1276
1277 static tls12_lookup tls12_md[] = {
1278 {NID_md5, TLSEXT_hash_md5},
1279 {NID_sha1, TLSEXT_hash_sha1},
1280 {NID_sha224, TLSEXT_hash_sha224},
1281 {NID_sha256, TLSEXT_hash_sha256},
1282 {NID_sha384, TLSEXT_hash_sha384},
1283 {NID_sha512, TLSEXT_hash_sha512},
1284 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
1285 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
1286 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
1287 };
1288
1289 static tls12_lookup tls12_sig[] = {
1290 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1291 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
1292 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
1293 };
1294
1295 static int
1296 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
1297 {
1298 size_t i;
1299 for (i = 0; i < tlen; i++) {
1300 if (table[i].nid == nid)
1301 return table[i].id;
1302 }
1303 return -1;
1304 }
1305
1306 int
1307 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
1308 {
1309 int sig_id, md_id;
1310 if (!md)
1311 return 0;
1312 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
1313 sizeof(tls12_md) / sizeof(tls12_lookup));
1314 if (md_id == -1)
1315 return 0;
1316 sig_id = tls12_get_sigid(pk);
1317 if (sig_id == -1)
1318 return 0;
1319 p[0] = (unsigned char)md_id;
1320 p[1] = (unsigned char)sig_id;
1321 return 1;
1322 }
1323
1324 int
1325 tls12_get_sigid(const EVP_PKEY *pk)
1326 {
1327 return tls12_find_id(pk->type, tls12_sig,
1328 sizeof(tls12_sig) / sizeof(tls12_lookup));
1329 }
1330
1331 const EVP_MD *
1332 tls12_get_hash(unsigned char hash_alg)
1333 {
1334 switch (hash_alg) {
1335 case TLSEXT_hash_sha1:
1336 return EVP_sha1();
1337 case TLSEXT_hash_sha224:
1338 return EVP_sha224();
1339 case TLSEXT_hash_sha256:
1340 return EVP_sha256();
1341 case TLSEXT_hash_sha384:
1342 return EVP_sha384();
1343 case TLSEXT_hash_sha512:
1344 return EVP_sha512();
1345 #ifndef OPENSSL_NO_GOST
1346 case TLSEXT_hash_gost94:
1347 return EVP_gostr341194();
1348 case TLSEXT_hash_streebog_256:
1349 return EVP_streebog256();
1350 case TLSEXT_hash_streebog_512:
1351 return EVP_streebog512();
1352 #endif
1353 default:
1354 return NULL;
1355 }
1356 }
1357
1358 /* Set preferred digest for each key type */
1359
1360 int
1361 tls1_process_sigalgs(SSL *s, CBS *cbs)
1362 {
1363 const EVP_MD *md;
1364 CERT *c = s->cert;
1365 int idx;
1366
1367 /* Extension ignored for inappropriate versions */
1368 if (!SSL_USE_SIGALGS(s))
1369 return 1;
1370
1371 /* Should never happen */
1372 if (c == NULL)
1373 return 0;
1374
1375 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
1376 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
1377 c->pkeys[SSL_PKEY_ECC].digest = NULL;
1378 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
1379
1380 while (CBS_len(cbs) > 0) {
1381 uint8_t hash_alg, sig_alg;
1382
1383 if (!CBS_get_u8(cbs, &hash_alg) || !CBS_get_u8(cbs, &sig_alg))
1384 return 0;
1385
1386 switch (sig_alg) {
1387 case TLSEXT_signature_rsa:
1388 idx = SSL_PKEY_RSA_SIGN;
1389 break;
1390 case TLSEXT_signature_ecdsa:
1391 idx = SSL_PKEY_ECC;
1392 break;
1393 case TLSEXT_signature_gostr01:
1394 case TLSEXT_signature_gostr12_256:
1395 case TLSEXT_signature_gostr12_512:
1396 idx = SSL_PKEY_GOST01;
1397 break;
1398 default:
1399 continue;
1400 }
1401
1402 if (c->pkeys[idx].digest == NULL) {
1403 md = tls12_get_hash(hash_alg);
1404 if (md) {
1405 c->pkeys[idx].digest = md;
1406 if (idx == SSL_PKEY_RSA_SIGN)
1407 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
1408 }
1409 }
1410
1411 }
1412
1413 /*
1414 * Set any remaining keys to default values. NOTE: if alg is not
1415 * supported it stays as NULL.
1416 */
1417 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
1418 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
1419 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
1420 }
1421 if (!c->pkeys[SSL_PKEY_ECC].digest)
1422 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
1423 #ifndef OPENSSL_NO_GOST
1424 if (!c->pkeys[SSL_PKEY_GOST01].digest)
1425 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
1426 #endif
1427 return 1;
1428 }
unleashed repo fork