From a944a45e81ae8f06dfe0247d841d4b758320a551 Mon Sep 17 00:00:00 2001 From: liushuyu Date: Wed, 22 Dec 2021 17:32:36 -0700 Subject: [PATCH] libressl: Update to 3.4.2 --- CMakeLists.txt | 44 +- ChangeLog | 513 +++ README.md | 12 +- VERSION | 2 +- cert.pem | 5950 ++++++++++++++++++++++++++++ crypto/CMakeLists.txt | 20 +- crypto/VERSION | 2 +- crypto/asn1/a_object.c | 11 +- crypto/asn1/a_time_tm.c | 14 +- crypto/asn1/asn1_err.c | 3 +- crypto/asn1/asn1_lib.c | 4 +- crypto/asn1/t_spki.c | 5 +- crypto/asn1/t_x509.c | 12 +- crypto/asn1/t_x509a.c | 6 +- crypto/asn1/tasn_dec.c | 22 +- crypto/asn1/tasn_enc.c | 21 +- crypto/asn1/x_name.c | 22 +- crypto/asn1/x_x509.c | 10 +- crypto/bio/b_dump.c | 15 +- crypto/bio/bio_cb.c | 16 +- crypto/bn/bn_lib.c | 141 +- crypto/bn/bn_print.c | 6 +- crypto/bn/bn_rand.c | 8 +- crypto/cms/cms_env.c | 3 +- crypto/compat/getentropy_freebsd.c | 6 +- crypto/compat/getentropy_netbsd.c | 6 +- crypto/compat/getentropy_win.c | 27 +- crypto/compat/recallocarray.c | 4 +- crypto/crypto.sym | 12 + crypto/ec/ec2_oct.c | 91 +- crypto/ec/ec2_smpl.c | 21 +- crypto/ec/ec_asn1.c | 25 +- crypto/ec/ec_curve.c | 4 +- crypto/ec/ec_cvt.c | 8 +- crypto/ec/ec_key.c | 31 +- crypto/ec/ec_lcl.h | 37 +- crypto/ec/ec_lib.c | 190 +- crypto/ec/ec_oct.c | 58 +- crypto/ec/eck_prn.c | 20 +- crypto/ec/ecp_mont.c | 37 +- crypto/ec/ecp_nist.c | 25 +- crypto/ec/ecp_oct.c | 23 +- crypto/ec/ecp_smpl.c | 98 +- crypto/ecdh/ech_key.c | 21 +- crypto/ecdsa/ecs_ossl.c | 41 +- crypto/evp/evp_enc.c | 24 +- crypto/evp/evp_err.c | 3 +- crypto/evp/m_sigver.c | 63 +- crypto/evp/p_lib.c | 51 +- crypto/gost/gostr341001.c | 8 +- crypto/gost/gostr341001_ameth.c | 7 +- crypto/gost/gostr341001_key.c | 6 +- crypto/hkdf/hkdf.c | 3 +- crypto/objects/obj_dat.c | 3 +- crypto/objects/obj_dat.h | 96 +- crypto/objects/obj_xref.h | 22 +- crypto/ocsp/ocsp_cl.c | 17 +- crypto/pkcs12/p12_attr.c | 10 +- crypto/pkcs12/p12_crpt.c | 6 +- crypto/pkcs12/p12_decr.c | 4 +- crypto/pkcs12/p12_key.c | 16 +- crypto/pkcs12/p12_kiss.c | 18 +- crypto/pkcs12/p12_mutl.c | 4 +- crypto/rsa/rsa_sign.c | 8 +- crypto/ts/ts_rsp_verify.c | 49 +- crypto/x509/ext_dat.h | 8 +- crypto/x509/x509_addr.c | 1541 +++++++ crypto/x509/x509_alt.c | 11 +- crypto/x509/x509_asid.c | 1083 +++++ crypto/x509/x509_constraints.c | 100 +- crypto/x509/x509_cpols.c | 13 +- crypto/x509/x509_genn.c | 52 +- crypto/x509/x509_internal.h | 20 +- crypto/x509/x509_issuer_cache.c | 12 +- crypto/x509/x509_lu.c | 12 +- crypto/x509/x509_pci.c | 5 +- crypto/x509/x509_purp.c | 79 +- crypto/x509/x509_trs.c | 6 +- crypto/x509/x509_verify.c | 577 ++- crypto/x509/x509_vfy.c | 114 +- crypto/x509/x509_vpm.c | 17 +- include/compat/pthread.h | 8 + include/openssl/asn1.h | 3 +- include/openssl/bn.h | 14 +- include/openssl/dtls1.h | 89 +- include/openssl/ec.h | 35 +- include/openssl/evp.h | 13 +- include/openssl/obj_mac.h | 64 + include/openssl/opensslfeatures.h | 3 +- include/openssl/opensslv.h | 6 +- include/openssl/srtp.h | 6 +- include/openssl/ssl.h | 247 +- include/openssl/ssl3.h | 46 +- include/openssl/tls1.h | 21 +- include/openssl/x509.h | 7 +- include/openssl/x509_vfy.h | 4 +- include/openssl/x509v3.h | 192 +- openssl.cnf | 24 + ssl/CMakeLists.txt | 15 +- ssl/VERSION | 2 +- ssl/bio_ssl.c | 12 +- ssl/bs_ber.c | 7 +- ssl/bs_cbb.c | 9 +- ssl/bs_cbs.c | 9 +- ssl/bytestring.h | 7 +- ssl/d1_both.c | 184 +- ssl/d1_clnt.c | 184 - ssl/d1_lib.c | 53 +- ssl/d1_pkt.c | 600 +-- ssl/d1_srtp.c | 36 +- ssl/d1_srvr.c | 165 - ssl/dtls_locl.h | 231 ++ ssl/s3_cbc.c | 34 +- ssl/s3_lib.c | 221 +- ssl/srtp.h | 6 +- ssl/ssl.sym | 28 + ssl/ssl_algs.c | 3 +- ssl/ssl_asn1.c | 11 +- ssl/ssl_both.c | 186 +- ssl/ssl_cert.c | 20 +- ssl/ssl_ciph.c | 33 +- ssl/ssl_ciphers.c | 32 +- ssl/ssl_clnt.c | 660 +-- ssl/ssl_err.c | 4 +- ssl/ssl_lib.c | 432 +- ssl/ssl_locl.h | 605 ++- ssl/ssl_methods.c | 868 ++-- ssl/ssl_packet.c | 11 +- ssl/ssl_pkt.c | 412 +- ssl/ssl_rsa.c | 70 +- ssl/ssl_sess.c | 18 +- ssl/ssl_sigalgs.c | 234 +- ssl/ssl_sigalgs.h | 22 +- ssl/ssl_srvr.c | 577 +-- ssl/ssl_stat.c | 134 +- ssl/ssl_tlsext.c | 318 +- ssl/ssl_tlsext.h | 4 +- ssl/ssl_transcript.c | 13 +- ssl/ssl_txt.c | 4 +- ssl/ssl_versions.c | 276 +- ssl/t1_enc.c | 827 +--- ssl/t1_lib.c | 26 +- ssl/tls12_key_schedule.c | 175 + ssl/tls12_lib.c | 118 + ssl/tls12_record_layer.c | 1127 +++++- ssl/tls13_buffer.c | 4 +- ssl/tls13_client.c | 192 +- ssl/tls13_handshake.c | 238 +- ssl/tls13_handshake_msg.c | 3 +- ssl/tls13_internal.h | 31 +- ssl/tls13_key_schedule.c | 163 +- ssl/tls13_legacy.c | 147 +- ssl/tls13_lib.c | 135 +- ssl/tls13_record.c | 4 +- ssl/tls13_record.h | 3 +- ssl/tls13_record_layer.c | 274 +- ssl/tls13_server.c | 183 +- ssl/tls_content.c | 149 + ssl/tls_content.h | 48 + tap-driver.sh | 2 +- test-driver | 8 +- tls/CMakeLists.txt | 24 +- tls/VERSION | 2 +- tls/tls.c | 139 +- tls/tls.sym | 1 + tls/tls_client.c | 27 +- tls/tls_config.c | 17 +- tls/tls_conninfo.c | 5 +- tls/tls_internal.h | 4 +- tls/tls_keypair.c | 6 +- tls/tls_ocsp.c | 4 +- tls/tls_server.c | 6 +- tls/tls_util.c | 4 +- x509v3.cnf | 29 + 174 files changed, 17124 insertions(+), 6248 deletions(-) create mode 100644 cert.pem create mode 100644 crypto/x509/x509_addr.c create mode 100644 crypto/x509/x509_asid.c create mode 100644 openssl.cnf delete mode 100644 ssl/d1_clnt.c delete mode 100644 ssl/d1_srvr.c create mode 100644 ssl/dtls_locl.h create mode 100644 ssl/tls12_key_schedule.c create mode 100644 ssl/tls12_lib.c create mode 100644 ssl/tls_content.c create mode 100644 ssl/tls_content.h create mode 100644 x509v3.cnf diff --git a/CMakeLists.txt b/CMakeLists.txt index dda193e..f161653 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -113,19 +113,21 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang") endif() if(WIN32) - add_definitions(-Drestrict) add_definitions(-D_CRT_SECURE_NO_WARNINGS) add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS) add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS) - add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600) add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT) - set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32) + add_definitions(-DWIN32_LEAN_AND_MEAN) + if(NOT CMAKE_SYSTEM_NAME MATCHES "WindowsStore") + add_definitions(-D_WIN32_WINNT=0x0600) + endif() + set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32 bcrypt) endif() if(MSVC) add_definitions(-Dinline=__inline) message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler") - if(CMAKE_C_COMPILER_ID MATCHES "MSVC") + if(CMAKE_C_COMPILER_ID MATCHES "MSVC" OR CMAKE_C_COMPILER_ID MATCHES "Clang") set(MSVC_DISABLED_WARNINGS_LIST "C4018" # 'expression' : signed/unsigned mismatch "C4057" # 'operator' : 'identifier1' indirection to @@ -298,6 +300,7 @@ if(ENABLE_ASM) elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386") set(HOST_ASM_ELF_X86_64 true) endif() + add_definitions(-DHAVE_GNU_STACK) elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") set(HOST_ASM_MACOSX_X86_64 true) elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64")) @@ -331,12 +334,23 @@ if(SIZEOF_TIME_T STREQUAL "4") endif() add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T}) -set(OPENSSL_LIBS tls ssl crypto ${PLATFORM_LIBS}) +set(OPENSSL_LIBS ssl crypto ${PLATFORM_LIBS}) +set(LIBTLS_LIBS tls ${PLATFORM_LIBS}) add_subdirectory(crypto) add_subdirectory(ssl) +if(LIBRESSL_APPS) + add_subdirectory(apps) +endif() add_subdirectory(tls) add_subdirectory(include) +if(NOT MSVC) + add_subdirectory(man) +endif() +# Tests require the openssl executable and are unavailable when building shared libraries +if(LIBRESSL_APPS AND LIBRESSL_TESTS) + add_subdirectory(tests) +endif() if(NOT MSVC) # Create pkgconfig files. @@ -358,3 +372,23 @@ if(NOT MSVC) DESTINATION ${CMAKE_INSTALL_LIBDIR}) endif() +if(NOT "${OPENSSLDIR}" STREQUAL "") + set(CONF_DIR "${OPENSSLDIR}") +else() + set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl") +endif() + +if(ENABLE_LIBRESSL_INSTALL) + install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR}) + install(DIRECTORY DESTINATION ${CONF_DIR}/certs) +endif(ENABLE_LIBRESSL_INSTALL) + +if(NOT TARGET uninstall) + configure_file( + "${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in" + "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake" + IMMEDIATE @ONLY) + + add_custom_target(uninstall + COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake) +endif() diff --git a/ChangeLog b/ChangeLog index 4598456..5a458ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,514 @@ history is also available from Git. LibreSSL Portable Release Notes: +3.4.2 - Security fix + + * In some situations the X.509 verifier would discard an error on an + unverified certificate chain, resulting in an authentication bypass. + Thanks to Ilya Shipitsin and Timo Steinlein for reporting. + +3.4.1 - Stable release + + * New Features + - Added support for OpenSSL 1.1.1 TLSv1.3 APIs. + - Enabled the new X.509 validator to allow verification of + modern certificate chains. + * Portable Improvements + - Ported continuous integration and test infrastructure to Github + actions. + - Added Universal Windows Platform (UWP) build support. + - Fixed mingw-w64 builds on newer versions with missing SSP support. + - Added non-executable stack annotations for CMake builds. + * API and Documentation Enhancements + - Added the following APIs from OpenSSL + BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve + EC_GROUP_order_bits EC_GROUP_set_curve + EC_POINT_get_affine_coordinates + EC_POINT_set_affine_coordinates + EC_POINT_set_compressed_coordinates EVP_DigestSign + EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey + SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method + SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data + SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher + SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable + SSL_SESSION_set_max_early_data SSL_get_early_data_status + SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio + SSL_set_ciphersuites SSL_set_max_early_data + SSL_set_post_handshake_auth + SSL_set_psk_use_session_callback + SSL_verify_client_post_handshake SSL_write_early_data + - Added AES-GCM constants from RFC 7714 for SRTP. + * Compatibility Changes + - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache. + - Call the info callback on connect/accept exit in TLSv1.3, + needed for p5-Net-SSLeay. + - Default to using named curve parameter encoding from + pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE. + - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback. + * Testing and Proactive Security + - Added additional state machine test coverage. + - Improved integration test support with ruby/openssl tests. + - Error codes and callback support in new X.509 validator made + compatible with p5-Net_SSLeay tests. + * Internal Improvements + - Numerous fixes and improvements to the new X.509 validator to + ensure compatible error codes and callback support compatible + with the legacy OpenSSL validator. + +3.4.0 - Development release + + * Add support for OpenSSL 1.1.1 TLSv1.3 APIs. + + * Enable new x509 validator. + + * More details to come, testing is appreciated. + +3.3.5 - Security fix + + * A stack overread could occur when checking X.509 name constraints. + From GoldBinocle on GitHub. + + * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. + This compensates for the expiry of the DST Root X3 certificate. + +3.3.4 - Security fix + + * In LibreSSL, printing a certificate can result in a crash in + X509_CERT_AUX_print(). + From Ingo Schwarze + + * Ensure GNU-stack is set on ELF platforms when building with CMake to + enable non-executable stack annotations for the GNU toolchain. + From Tobias Heider + +3.3.3 - Stable release + + * This is the first stable release from the 3.3.x series. + There are no changes from 3.3.2. + +3.3.2 - Development release + + * This release adds support for DTLSv1.2 and continues the rewrite + of the record layer for the legacy stack. Numerous bugs and + interoperability issues were fixed in the new verifier. A few bugs + and incompatibilities remain, so this release uses the old verifier + by default. The OpenSSL 1.1 TLSv1.3 API is not yet available. + + * Switch finish{,_peer}_md_len from an int to a size_t. + + * Make SSL_get{,_peer}_finished() work when used with TLSv1.3. + + * Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size + for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 + was a historical artefact. + + * Correct the return value type from ERR_peek_error() to a long. + + * Avoid use of uninitialized in ASN1_time_parse() which could happen + on parsing UTCTime if the caller did not initialise the passed + struct tm. + + * Destroy the mutex in a tls_config object on tls_config_free(). + + * Free alert_data and phh_data in tls13_record_layer_free() + these could leak if SSL_shutdown() or tls_close() were called + after closing the underlying socket(). + + * Free struct members in tls13_record_layer_free() in their natural + order for reviewability. + + * Gracefully handle root certificates being both trusted and + untrusted. + + * Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new + verifier. + + * Use the legacy verifier when building auto chains for TLS. + + * Use consistent names in tls13_{client,server}_finished_{recv,send}(). + + * Add tls13_secret_{init,cleanup}() and use them throughout the + TLSv1.3 code base. + + * Move the read MAC key into the TLSv1.2 record layer. + + * Make tls12_record_layer_free() NULL safe. + + * Search the intermediates only after searching the root certs in the + new verifier to avoid problems with the legacy callback. + + * Bail out early after finding a single chain in the new verifier, if + we have been called via the legacy verifier API. + + * Set (invalid and likely incomplete) chain on the xsc on chain build + failure prior to calling the callback. This is required by various + callers, including auto chain. + + * Align SSL_get_shared_ciphers() with OpenSSL. This takes into account + that it never returned server ciphers, so now it will fail when + called from the client side. + + * Add support for SSL_get_shared_ciphers() with TLSv1.3. + + * Split the record protection from the TLSv1.2 record layer. + + * Clean up sequence number handling in the new TLSv1.2 record layer. + + * Clean up sequence number handling in DTLS. + + * Clean up dtls1_reset_seq_numbers(). + + * Factor out code for explicit IV length, block size and MAC length + from tls12_record_layer_open_record_protected_cipher(). + + * Provide record layer overhead for DTLS. + + * Provide functions to determine if TLSv1.2 record protection is + engaged. + + * Add code to handle change of cipher state in the new TLSv1.2 record + layer. + + * Mop up now unused dtls1_build_sequence_numbers() function. + + * Allow setting a keypair on a tls context without specifying the + private key, and fake it internally in libtls. This removes the + need for privsep engines like relayd to use bogus keys. + + * Skip the private key check for fake private keys. + + * Move the private key setup from tls_configure_ssl_keypair() to a + helper function with proper error checking. + + * Change the internal tls_configure_ssl_keypair() function to + return -1 instead of 1 on failure. + + * Move sequence numbers into the new TLSv1.2 record layer. + + * Move AEAD handling into the new TLSv1.2 record layer. + + * Remove direct assignment of aead_ctx to avoid a leak. + + * Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, + draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. + + * Fail early in legacy exporter if the master secret is not available + to avoid a segfault if it is called when the handshake is not + completed. + + * Factor out legacy stack version checks. + + * Correct handshake MAC/PRF for various TLSv1.2 cipher suites which + were originally added with the default handshake MAC and PRF rather + than the SHA256 handshake MAC and PRF. + + * Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md(). + + * Use dtls1_record_retrieve_buffered_record() to load buffered + application data. + + * Enforce read ahead with DTLS. + + * Remove bogus DTLS checks that disabled ECC and OCSP. + + * Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". + + * Only print the certificate file once on verification failure. + + * Pull in fix for EVP_CipherUpdate() overflow from OpenSSL. + + * Clean up and simplify dtls1_get_cipher(). + + * Group HelloVerifyRequest decoding and add missing check for trailing + data. + + * Revise HelloVerifyRequest handling for DTLSv1.2. + + * Handle DTLS1_2_VERSION in various places. + + * Add DTLSv1.2 methods. + + * Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of + zero if the minimum or maximum has been set to zero to match + OpenSSL's behavior. + + * Rename the "truncated" label into "decode_err" and the "f_err" + label into "fatal_err". + + * Factor out and change some of the legacy client version code. + + * Simplify version checks in the TLSv1.3 client. Ensure that the + server announced TLSv1.3 and nothing higher and check that the + legacy_version is set to TLSv1.2 as required by RFC 8446. + + * Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that + the new validator checks for EXFLAG_CRITICAL in + x509_vfy_check_chain_extension() for all untrusted certs in the + chain. Take into account that the root is not necessarily trusted. + + * Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. + + * Rename depth to num_untrusted. + + * Only use TLS versions internally rather than both TLS and DTLS + versions since the latter are the one's complement of the human + readable version numbers, which means that newer versions decrease + in value. + + * Fix two bugs in the legacy verifier that resulted from refactoring + of X509_verify_cert() for the new verifier: a return value was + incorrectly treated as boolean, making it insufficient to decide + whether validation should carry on or not. + + * Identify DTLS based on the version major value. + + * Move handling of cipher/hash based cipher suites into the new record + layer. + + * Add tls12_record_protection_unused() and call it from CCS functions. + + * Move key/IV length checks closer to usage sites. Also add explicit + checks against EVP_CIPHER_{iv,key}_length(). + + * Replace two handrolled tls12_record_protection_engaged(). + + * Improve internal version handling: add handshake fields for our + minimum version, our maximum version and the TLS version negotiated + during the handshake. Convert most of the internal code to use these + version fields. + + * Guard against future internal use of TLS1_get_{client,}_version() + macros. + + * Remove the internal ssl_downgrade_max_version() function which is no + longer needed. + + * Fix checks for memory caps of constraints names. There are internal + caps on the number of name constraints and other names, that the new + name constraints code allocates per cert chain. These limits were + checked too late, making them only partially effective. + + * Use EXFLAG_INVALID to handle out of memory and parse errors in + x509v3_cache_extensions(). + + * Add support for DTLSv1.2 version handling. + + * Enable DTLSv1.2 support. + + * Add DTLSv1.2 support to openssl s_client/s_server. + + * Remove no longer needed read ahead workarounds in the s_client and + s_server. + + * Fix a copy-paste error - skid was confused with an akid when + checking for EXFLAG_INVALID. This broke OCSP validation with + certain mirrors. + + * Make supported protocols and options for DHE params more prominent + in tls_config_set_protocols.3. + + * Avoid a use-after-scope in tls13_cert_add(). + + * Split TLSv1.3 record protection from record layer. + + * Move the TLSv1.3 handshake struct inside the shared handshake + struct. + + * Fully initialize rrec in tls12_record_layer_open_record_protected() + to avoid confusing some static analyzers. + + * Use tls_set_errorx() on OCSP_basic_verify() failure since the latter + does not set errno. + + * Convert openssl(1) x509 to new option handling and do the usual + clean up that goes along with it. + + * Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data. + + * Rename new_cipher to cipher to align naming with keyblock or other + parts of the handshake data. + + * Avoid mangled output in BIO_debug_callback(). + + * Fix client initiated renegotiation by replacing use of s->internal-type + with s->server. + + * Move the TLSv1.2 record number increment into the new record layer. + + * Move finished and peer finished into the handshake struct. + + * Avoid transcript initialization when sending a TLS HelloRequest, + fixing server initiated renegotiation. + + * Remove pointless assignment in SSL_get0_alpn_selected(). + + * Provide EVP_PKEY_new_CMAC_KEY(3). + + * Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h. + + * Add DTLSv1.2 to openssl(1) s_server and s_client protocol message + logging. + + * Avoid leaking param->name in x509_verify_param_zero(). + + * Avoid a leak in an error path in openssl(1) x509. + + * Add some error checking to openssl(1) x509. + + * When sending an alert in TLSv1.3, only set its error code when no + other error was set previously. Certain clients rely on specific + SSL_R_ error codes to identify that they are dealing with a self + signed cert. + + * Switch to the legacy verifier for the stable release. + + * Provide SSL_use_certificate_chain_file(3). + + * Provide SSL_set_hostflags(3) and SSL_get0_peername(3). + + * Provide various DTLSv1.2 specific functions and defines. + + * Document meaning of '*' in the genrsa output. + + * Updated documentation for SSL_get_shared_ciphers(3). + + * Add documentation for SSL_get_finished(3). + + * Document EVP_PKEY_new_CMAC_key(3) + + * Document SSL_use_certificate_chain_file(3). + + * Document SSL_set_hostflags(3) and SSL_get0_peername(3). + + * Update SSL_get_version.3 manual for DTLSv.1.2 support. + + * Added '--enable-libtls-only' build option, which builds and installs a + statically-linked libtls, skipping libcrypto and libssl. This is useful + for systems that ship with OpenSSL but wish to also package libtls. + +3.3.1 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + + Bug fixes + + * Move point-on-curve check to set_affine_coordinates to avoid + verifying ECDSA signatures with unchecked public keys. + + * Fix SSL_is_server() to behave as documented by re-introducing the + client-specific methods. + + * Avoid undefined behavior due to memcpy(NULL, NULL, 0). + + * Mark a few more internal static tables const. + +3.3.0 - Development release + + * Make openssl(1) s_server ignore -4 and -6 for compatibility with + OpenSSL. + + * Further cleanup of the DTLS record handling. + + * Continue the replacement of the TLSv1.2 record layer by + reimplementing the read side of the TLSv1.2 record handling. + + * Replace DTLSv1_enc_data() with TLSv1_1_enc_data(). + + * Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c. + + * When switching from the TLSv1.3 stack to the legacy stack include + a TLS record header. This is necessary if there is more than one + handshake message in the TLS plaintext record. + + * Set SO_REUSEADDR on the server socket in the openssl(1) ocsp + command. + + * Fix resource handling on error in OCSP_request_add0_id(). + + * Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into + .data.rel.ro and .rodata, respectively. + + * Add a const qualifier to srtp_known_profiles. + + * Simplify TLS method by removing the client and server specific + methods internally. + + * Avoid casting away const in ssl_ctx_make_profiles(). + + * Make sure there is enough room for stashing the handshake message + when switching to the legacy TLS stack. + + * Avoid explicitly conditioning an assert on DTLS1_VERSION to make + the assert work for newer DTLS versions. + + * Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL. + + * Send a host header with OCSP queries to make openssl(1) ocsp + work with some widely used OCSP responders. + + * Fix a memory leak in the openssl(1) s_client. + + * Add a flag to mark DTLS methods as DTLS to have an easy way to + recognize DTLS methods that avoids inspecting the version number. + + * Implement SSL_is_dtls() and use it internally in place of the + SSL_IS_DTLS macro. + + * Unbreak DTLS retransmissions for flights that include a CCS. + + * Add ability to ocspcheck(8) to parse a port in the specified + OCSP URL. + + * Refactor and clean up ocspcheck(8) and add regression tests. + + * If x509_verify() fails, ensure that the error is set on both + the x509_verify_ctx() and its store context to make some failures + visible from SSL_get_verify_result(). + + * Use the X509_STORE_CTX get_issuer() callback from the new X.509 + verifier to fix hashed certificate directories. + + * Only check BIO_should_read() on read and BIO_should_write() on + write. Previously, BIO_should_write() was also checked after read + and BIO_should_read() after write which could cause stalls in + software that uses the same BIO for read and write. + + * In openssl(1) verify, also check for error on the store context + since the return value of X509_verify_cert() is unreliable in + presence of a callback that returns 1 too often. + + * Update getentropy on Windows to use Cryptography Next Generation + (CNG). wincrypt is deprecated and no longer works with newer Windows + environments, such as in Windows Store apps. + + * Implement auto chain for the TLSv1.3 server since some software + relies on this. + + * Handle additional certificate error cases in the new X.509 verifier. + Keep track of the errors encountered if a verify callback tells the + verifier to continue and report them back via the error on the store + context. This mimics the behavior of the old verifier that would + persist the first error encountered while building the chain. + + * Report specific failures for "self signed certificates" in a way + compatible with the old verifier since software relies on the + error code. + + * Implement key exporter for TLSv1.3. + + * Plug a large memory leak in the new verifier caused by calling + X509_policy_check() repeatedly. + + * Avoid leaking memory in x509_verify_chain_dup(). + + * Various documentation improvements, particularly around TLS methods. + +3.2.3 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + 3.2.2 - Stable release * This is the first stable release with the new TLSv1.3 @@ -279,6 +787,11 @@ LibreSSL Portable Release Notes: * Use non-expired certificates first when building a certificate chain. +3.1.5 - Security fix + + * Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference. + 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client: * Improve client certificate selection to allow EC certificates diff --git a/README.md b/README.md index 7e13082..2a04248 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2.tar.gz +Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2.tar.gz Modifications: - Removed tests/mandocs/pkgconfig/scripts/apps/cmake_uninstall from both filesystem and CMakeLists.txt @@ -9,7 +9,11 @@ Modifications: ![LibreSSL image](https://www.libressl.org/images/libressl.jpg) ## Official portable version of [LibreSSL](https://www.libressl.org) ## -[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl) +[![Linux Build Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml) +[![macOS Build Status](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml) +[![Android_Build Status](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml) +[![Cross_Build Status](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml) +[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl) LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the [OpenBSD](https://www.openbsd.org) project. Our goal is to modernize the codebase, @@ -45,9 +49,9 @@ At the time of this writing, LibreSSL is known to build and work on: * AIX (5.3 and later) LibreSSL also supports the following Windows environments: -* Microsoft Windows (Vista or higher, x86 and x64) +* Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64) * Wine (32-bit and 64-bit) -* Builds with Mingw-w64, Cygwin, and Visual Studio +* Mingw-w64, Cygwin, and Visual Studio Official release tarballs are available at your friendly neighborhood OpenBSD mirror in directory diff --git a/VERSION b/VERSION index 19ef286..ec46c1f 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.2.2 +3.4.2 diff --git a/cert.pem b/cert.pem new file mode 100644 index 0000000..0e50fe6 --- /dev/null +++ b/cert.pem @@ -0,0 +1,5950 @@ +# $OpenBSD: cert.pem,v 1.24 2021/09/30 18:16:11 deraadt Exp $ +### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 + +=== /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6047274297262753887 (0x53ec3beefbb2485f) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 20 08:38:15 2009 GMT + Not After : Dec 31 08:38:15 2030 GMT + Subject: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 65:CD:EB:AB:35:1E:00:3E:7E:D5:74:C0:1C:B4:73:47:0E:1A:64:2F + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://www.firmaprofesional.com/cps + User Notice: + Explicit Text: + +SHA1 Fingerprint=AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA +SHA256 Fingerprint=04:04:80:28:BF:1F:28:64:D4:8F:9A:D4:D8:32:94:36:6A:82:88:56:55:3F:3B:14:30:3F:90:14:7F:5D:40:EF +-----BEGIN CERTIFICATE----- +MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE +BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h +cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy +MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg +Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9 +thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM +cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG +L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i +NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h +X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b +m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy +Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja +EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T +KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF +6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh +OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD +VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD +VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp +cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv +ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl +AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF +661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9 +am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1 +ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481 +PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS +3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k +SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF +3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM +ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g +StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz +Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB +jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V +-----END CERTIFICATE----- + +### ACCV + +=== /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 5 09:37:37 2011 GMT + Not After : Dec 31 09:37:37 2030 GMT + Subject: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES + X509v3 extensions: + Authority Information Access: + CA Issuers - URI:http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt + OCSP - URI:http://ocsp.accv.es + + X509v3 Subject Key Identifier: + D2:87:B4:E3:DF:37:27:93:55:F6:56:EA:81:E5:36:CC:8C:1E:3F:BD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:D2:87:B4:E3:DF:37:27:93:55:F6:56:EA:81:E5:36:CC:8C:1E:3F:BD + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + User Notice: + Explicit Text: + CPS: http://www.accv.es/legislacion_c.htm + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Alternative Name: + email:accv@accv.es +SHA1 Fingerprint=93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17 +SHA256 Fingerprint=9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13 +-----BEGIN CERTIFICATE----- +MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE +AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw +CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ +BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND +VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb +qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY +HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo +G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA +lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr +IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/ +0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH +k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47 +4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO +m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa +cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl +uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI +KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls +ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG +AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2 +VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT +VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG +CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA +cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA +QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA +7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA +cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA +QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA +czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu +aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt +aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud +DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF +BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp +D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU +JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m +AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD +vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms +tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH +7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h +I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA +h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF +d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H +pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7 +-----END CERTIFICATE----- + +### Actalis S.p.A./03358520967 + +=== /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6271844772424770508 (0x570a119742c4e3cc) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 22 11:22:02 2011 GMT + Not After : Sep 22 11:22:02 2030 GMT + Subject: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0 + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=F3:73:B3:87:06:5A:28:84:8A:F2:F3:4A:CE:19:2B:DD:C7:8E:9C:AC +SHA256 Fingerprint=55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66 +-----BEGIN CERTIFICATE----- +MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w +MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290 +IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC +SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 +ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv +UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX +4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9 +KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/ +gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb +rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ +51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F +be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe +KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F +v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn +fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7 +jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz +ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt +ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL +e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70 +jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz +WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V +SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j +pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX +X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok +fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R +K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU +ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU +LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT +LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== +-----END CERTIFICATE----- + +### AffirmTrust + +=== /C=US/O=AffirmTrust/CN=AffirmTrust Commercial +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8608355977964138876 (0x7777062726a9b17c) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 29 14:06:06 2010 GMT + Not After : Dec 31 14:06:06 2030 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Commercial + X509v3 extensions: + X509v3 Subject Key Identifier: + 9D:93:C6:53:8B:5E:CA:AF:3F:9F:1E:0F:E5:99:95:BC:24:F6:94:8F + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7 +SHA256 Fingerprint=03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz +dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL +MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp +cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP +Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr +ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL +MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1 +yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr +VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/ +nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ +KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG +XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj +vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt +Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g +N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC +nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8= +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Networking +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8957382827206547757 (0x7c4f04391cd4992d) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jan 29 14:08:24 2010 GMT + Not After : Dec 31 14:08:24 2030 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Networking + X509v3 extensions: + X509v3 Subject Key Identifier: + 07:1F:D2:E7:9C:DA:C2:6E:A2:40:B4:B0:7A:50:10:50:74:C4:C8:BD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F +SHA256 Fingerprint=0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz +dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL +MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp +cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y +YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua +kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL +QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp +6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG +yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i +QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ +KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO +tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu +QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ +Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u +olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48 +x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s= +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Premium +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7893706540734352110 (0x6d8c1446b1a60aee) + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jan 29 14:10:36 2010 GMT + Not After : Dec 31 14:10:36 2040 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium + X509v3 extensions: + X509v3 Subject Key Identifier: + 9D:C0:67:A6:0C:22:D9:26:F5:45:AB:A6:65:52:11:27:D8:45:AC:63 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27 +SHA256 Fingerprint=70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A +-----BEGIN CERTIFICATE----- +MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz +dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG +A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U +cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf +qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ +JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ ++jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS +s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5 +HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7 +70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG +V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S +qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S +5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia +C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX +OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE +FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2 +KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg +Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B +8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ +MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc +0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ +u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF +u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH +YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8 +GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO +RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e +KeC2uAloGRwYQw== +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8401224907861490260 (0x7497258ac73f7a54) + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jan 29 14:20:24 2010 GMT + Not After : Dec 31 14:20:24 2040 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 9A:AF:29:7A:C0:11:35:35:26:51:30:00:C3:6A:FE:40:D5:AE:D6:3C + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB +SHA256 Fingerprint=BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 +-----BEGIN CERTIFICATE----- +MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC +VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ +cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ +BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt +VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D +0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9 +ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G +A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs +aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I +flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ== +-----END CERTIFICATE----- + +### Agencia Catalana de Certificacio (NIF Q-0801176-I) + +=== /C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + (Negative)11:d4:c2:14:2b:de:21:eb:57:9d:53:fb:0c:22:3b:ff + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jan 7 23:00:00 2003 GMT + Not After : Jan 7 22:59:59 2031 GMT + Subject: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC + X509v3 extensions: + X509v3 Subject Alternative Name: + email:ec_acc@catcert.net + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A0:C3:8B:44:AA:37:A5:45:BF:97:80:5A:D1:F1:78:A2:9B:E9:5D:8D + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.15096.1.3.1.10 + CPS: https://www.catcert.net/verarrel + User Notice: + Explicit Text: Vegeu https://www.catcert.net/verarrel + +SHA1 Fingerprint=28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8 +SHA256 Fingerprint=88:49:7F:01:60:2F:31:54:24:6A:E2:8C:4D:5A:EF:10:F1:D8:7E:BB:76:62:6F:4A:E0:B7:F9:5B:A7:96:87:99 +-----BEGIN CERTIFICATE----- +MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB +8zELMAkGA1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2Vy +dGlmaWNhY2lvIChOSUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1 +YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3 +dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UECxMsSmVyYXJxdWlh +IEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMTBkVD +LUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQG +EwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8g +KE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD +ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQu +bmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMg +ZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R +85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm +4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaV +HMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNd +QlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n5nzbcc8t +lGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB +o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4 +opvpXY0wfwYDVR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBo +dHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidW +ZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcN +AQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJlF7W2u++AVtd0x7Y +/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k +SBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhy +Rp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS +Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xl +nJ2lYJU6Un/10asIbvPuW/mIPX64b24D5EI= +-----END CERTIFICATE----- + +### Amazon + +=== /C=US/O=Amazon/CN=Amazon Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : Jan 17 00:00:00 2038 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08 +SHA1 Fingerprint=8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16 +SHA256 Fingerprint=8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 +VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B0:0C:F0:4C:30:F4:05:58:02:48:FD:33:E5:52:AF:4B:84:E3:66:52 +SHA1 Fingerprint=5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A +SHA256 Fingerprint=1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4 +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK +gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ +W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg +1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K +8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r +2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me +z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR +8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj +mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz +7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6 ++XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI +0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm +UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2 +LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY ++gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS +k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl +7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm +btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl +urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+ +fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63 +n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE +76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H +9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT +4PsJYGw= +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + AB:B6:DB:D7:06:9E:37:AC:30:86:07:91:70:C7:9C:C4:19:B1:78:C0 +SHA1 Fingerprint=0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E +SHA256 Fingerprint=18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4 +-----BEGIN CERTIFICATE----- +MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl +ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr +ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr +BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM +YyRIHN8wfdVoOw== +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 4 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + D3:EC:C7:3A:65:6E:CC:E1:DA:76:9A:56:FB:9C:F3:86:6D:57:E5:81 +SHA1 Fingerprint=F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE +SHA256 Fingerprint=E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92 +-----BEGIN CERTIFICATE----- +MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi +9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk +M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB +MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw +CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW +1KyLa2tJElMzrdfkviT8tQp21KW8EA== +-----END CERTIFICATE----- + +### Atos + +=== /CN=Atos TrustedRoot 2011/O=Atos/C=DE +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6643877497813316402 (0x5c33cb622c5fb332) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 7 14:58:30 2011 GMT + Not After : Dec 31 23:59:59 2030 GMT + Subject: CN=Atos TrustedRoot 2011, O=Atos, C=DE + X509v3 extensions: + X509v3 Subject Key Identifier: + A7:A5:06:B1:2C:A6:09:60:EE:D1:97:E9:70:AE:BC:3B:19:6C:DB:21 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:A7:A5:06:B1:2C:A6:09:60:EE:D1:97:E9:70:AE:BC:3B:19:6C:DB:21 + + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.6189.3.4.1.1 + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21 +SHA256 Fingerprint=F3:56:BE:A2:44:B7:A9:1E:B3:5D:53:CA:9A:D7:86:4A:CE:01:8E:2D:35:D5:F8:F9:6D:DF:68:A6:F4:1A:A4:74 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UE +AwwVQXRvcyBUcnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQG +EwJERTAeFw0xMTA3MDcxNDU4MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMM +FUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsGA1UECgwEQXRvczELMAkGA1UEBhMC +REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVhTuXbyo7LjvPpvMp +Nb7PGKw+qtn4TaA+Gke5vJrf8v7MPkfoepbCJI419KkM/IL9bcFyYie96mvr54rM +VD6QUM+A1JX76LWC1BTFtqlVJVfbsVD2sGBkWXppzwO3bw2+yj5vdHLqqjAqc2K+ +SZFhyBH+DgMq92og3AIVDV4VavzjgsG1xZ1kCWyjWZgHJ8cblithdHFsQ/H3NYkQ +4J7sVaE3IqKHBAUsR320HLliKWYoyrfhk/WklAOZuXCFteZI6o1Q/NnezG8HDt0L +cp2AMBYHlT8oDv3FdU9T1nSatCQujgKRz3bFmx5VdJx4IbHwLfELn8LVlhgf8FQi +eowHAgMBAAGjfTB7MB0GA1UdDgQWBBSnpQaxLKYJYO7Rl+lwrrw7GWzbITAPBgNV +HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKelBrEspglg7tGX6XCuvDsZbNshMBgG +A1UdIAQRMA8wDQYLKwYBBAGwLQMEAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 +DQEBCwUAA4IBAQAmdzTblEiGKkGdLD4GkGDEjKwLVLgfuXvTBznk+j57sj1O7Z8j +vZfza1zv7v1Apt+hk6EKhqzvINB5Ab149xnYJDE0BAGmuhWawyfc2E8PzBhj/5kP +DpFrdRbhIfzYJsdHt6bPWHJxfrrhTZVHO8mvbaG0weyJ9rQPOLXiZNwlz6bb65pc +maHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a961qn8FYiqTxlVMYVqL2Gns2D +lmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G3mB/ufNPRJLv +KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed +-----END CERTIFICATE----- + +### Baltimore + +=== /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 33554617 (0x20000b9) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 12 18:46:00 2000 GMT + Not After : May 12 23:59:00 2025 GMT + Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root + X509v3 extensions: + X509v3 Subject Key Identifier: + E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:3 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74 +SHA256 Fingerprint=16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ +RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD +VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX +DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y +ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy +VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr +mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr +IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK +mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu +XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy +dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye +jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1 +BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 +DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 +9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx +jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0 +Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz +ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS +R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp +-----END CERTIFICATE----- + +### Buypass AS-983163327 + +=== /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 26 08:38:03 2010 GMT + Not After : Oct 26 08:38:03 2040 GMT + Subject: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C9:80:77:E0:62:92:82:F5:46:9C:F3:BA:F7:4C:C3:DE:B8:A3:AD:39 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99 +SHA256 Fingerprint=9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48 +-----BEGIN CERTIFICATE----- +MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd +MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg +Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1ow +TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw +HgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1g1Lr +6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPV +L4O2fuPn9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC91 +1K2GScuVr1QGbNgGE41b/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHx +MlAQTn/0hpPshNOOvEu/XAFOBz3cFIqUCqTqc/sLUegTBxj6DvEr0VQVfTzh97QZ +QmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeffawrbD02TTqigzXsu8lkB +arcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgIzRFo1clr +Us3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLi +FRhnBkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRS +P/TizPJhk9H9Z2vXUq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN +9SG9dKpN6nIDSdvHXx1iY8f93ZHsM+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxP +AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMmAd+BikoL1Rpzz +uvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAU18h +9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s +A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3t +OluwlN5E40EIosHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo ++fsicdl9sz1Gv7SEr5AcD48Saq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7 +KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYdDnkM/crqJIByw5c/8nerQyIKx+u2 +DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWDLfJ6v9r9jv6ly0Us +H8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0oyLQ +I+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK7 +5t98biGCwWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h +3PFaTWwyI0PurKju7koSCTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPz +Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA= +-----END CERTIFICATE----- +=== /C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 26 08:28:58 2010 GMT + Not After : Oct 26 08:28:58 2040 GMT + Subject: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 47:B8:CD:FF:E5:6F:EE:F8:B2:EC:2F:4E:0E:F9:25:B0:8E:3C:6B:C3 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57 +SHA256 Fingerprint=ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D +-----BEGIN CERTIFICATE----- +MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd +MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg +Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow +TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw +HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y +ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E +N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9 +tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX +0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c +/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X +KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY +zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS +O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D +34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP +K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3 +AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv +Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj +QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV +cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS +IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2 +HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa +O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv +033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u +dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE +kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41 +3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD +u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq +4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc= +-----END CERTIFICATE----- + +### certSIGN + +=== /C=RO/O=certSIGN/OU=certSIGN ROOT CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 35210227249154 (0x200605167002) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jul 4 17:20:04 2006 GMT + Not After : Jul 4 17:20:04 2031 GMT + Subject: C=RO, O=certSIGN, OU=certSIGN ROOT CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E0:8C:9B:DB:25:49:B3:F1:7C:86:D6:B2:42:87:0B:D0:6B:A0:D9:E4 +SHA1 Fingerprint=FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B +SHA256 Fingerprint=EA:A9:62:C4:FA:4A:6B:AF:EB:E4:15:19:6D:35:1C:CD:88:8D:4F:53:F3:FA:8A:E6:D7:C4:66:A9:4E:60:42:BB +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT +AlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBD +QTAeFw0wNjA3MDQxNzIwMDRaFw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJP +MREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7IJUqOtdu0KBuqV5Do +0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHHrfAQ +UySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5d +RdY4zTW2ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQ +OA7+j0xbm0bqQfWwCHTD0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwv +JoIQ4uNllAoEwF73XVv4EOLQunpL+943AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08C +AwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O +BBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IBAQA+0hyJ +LjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecY +MnQ8SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ +44gx+FkagQnIl6Z0x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6I +Jd1hJyMctTEHBDa0GpC9oHRxUIltvBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNw +i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN +9u6wWk5JRFRYX0KD +-----END CERTIFICATE----- + +### CERTSIGN SA + +=== /C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:00:34:b6:4e:c6:36:2d:36 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 6 09:27:35 2017 GMT + Not After : Feb 6 09:27:35 2042 GMT + Subject: C=RO, O=CERTSIGN SA, OU=certSIGN ROOT CA G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 82:21:2D:66:C6:D7:A0:E0:15:EB:CE:4C:09:77:C4:60:9E:54:6E:03 +SHA1 Fingerprint=26:F9:93:B4:ED:3D:28:27:B0:B9:4B:A7:E9:15:1D:A3:8D:92:E5:32 +SHA256 Fingerprint=65:7C:FE:2F:A7:3F:AA:38:46:25:71:F3:32:A2:36:3A:46:FC:E7:02:09:51:71:07:02:CD:FB:B6:EE:DA:33:05 +-----BEGIN CERTIFICATE----- +MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV +BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g +Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ +BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ +R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF +dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw +vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ +uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp +n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs +cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW +xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P +rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF +DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx +DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy +LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C +eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ +d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq +kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC +b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl +qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0 +OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c +NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk +ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO +pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj +03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk +PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE +1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX +QRBdJ3NghVdJIgc= +-----END CERTIFICATE----- + +### China Financial Certification Authority + +=== /C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 407555286 (0x184accd6) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 8 03:07:01 2012 GMT + Not After : Dec 31 03:07:01 2029 GMT + Subject: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F +SHA1 Fingerprint=E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83 +SHA256 Fingerprint=5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJD +TjEwMC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9y +aXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkx +MjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEwMC4GA1UECgwnQ2hpbmEgRmluYW5j +aWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJP +T1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnVBU03 +sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpL +TIpTUnrD7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5 +/ZOkVIBMUtRSqy5J35DNuF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp +7hZZLDRJGqgG16iI0gNyejLi6mhNbiyWZXvKWfry4t3uMCz7zEasxGPrb382KzRz +EpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7xzbh72fROdOXW3NiGUgt +hxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9fpy25IGvP +a931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqot +aK8KgWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNg +TnYGmE69g60dWIolhdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfV +PKPtl8MeNPo4+QgO48BdK4PRVmrJtqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hv +cWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAfBgNVHSMEGDAWgBTj/i39KNAL +tbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd +BgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB +ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObT +ej/tUxPQ4i9qecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdL +jOztUmCypAbqTuv0axn96/Ua4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBS +ESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sGE5uPhnEFtC+NiWYzKXZUmhH4J/qy +P5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfXBDrDMlI1Dlb4pd19 +xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjnaH9d +Ci77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN +5mydLIhyPDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe +/v5WOaHIz16eGWRGENoXkbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+Z +AAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3CekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ +5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su +-----END CERTIFICATE----- + +### Chunghwa Telecom Co., Ltd. + +=== /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 20 02:31:27 2004 GMT + Not After : Dec 20 02:31:27 2034 GMT + Subject: C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 1E:0C:F7:B6:67:F2:E1:92:26:09:45:C0:55:39:2E:77:3F:42:4A:A2 + X509v3 Basic Constraints: + CA:TRUE + setCext-hashedRoot: + 0/0-...0...+......0...g*.....E... +V|.[x....S..... +SHA1 Fingerprint=67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0 +SHA256 Fingerprint=C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe +MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0 +ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe +Fw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMw +IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UECwwhZVBL +SSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAH +SyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh +ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3X +DZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1 +TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJ +fzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffA +sgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uU +WH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLS +nT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pH +dmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJip +NiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC +AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQF +MAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH +ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGB +uvl2ICO1J2B01GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6Yl +PwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkP +JXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsStZf0X4OFunHB2WyBEXYKCrC/ +gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEPNXubrjlpC2JgQCA2 +j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+rGNm6 +5ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB +o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS +/jQ6fbjpKdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2z +Gp1iro2C6pSe3VkQw63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTE +W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D +hNQ+IIX3Sj0rnP0qCglN6oH4EZw= +-----END CERTIFICATE----- + +### Comodo CA Limited + +=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jan 1 00:00:00 2004 GMT + Not After : Dec 31 23:59:59 2028 GMT + Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services + X509v3 extensions: + X509v3 Subject Key Identifier: + A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.comodoca.com/AAACertificateServices.crl + + Full Name: + URI:http://crl.comodo.net/AAACertificateServices.crl + +SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49 +SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4 +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj +YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL +MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE +BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM +GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua +BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe +3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4 +YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR +rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm +ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU +oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v +QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t +b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF +AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q +GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz +Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2 +G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi +l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3 +smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +-----END CERTIFICATE----- + +### COMODO CA Limited + +=== /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 1 00:00:00 2006 GMT + Not After : Dec 31 23:59:59 2029 GMT + Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 0B:58:E5:8B:C6:4C:15:37:A4:40:A9:30:A9:21:BE:47:36:5A:56:FF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.comodoca.com/COMODOCertificationAuthority.crl + +SHA1 Fingerprint=66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B +SHA256 Fingerprint=0C:2C:D6:3D:F7:80:6F:A3:99:ED:E8:09:11:6B:57:5B:F8:79:89:F0:65:18:F9:80:8C:86:05:03:17:8B:AF:66 +-----BEGIN CERTIFICATE----- +MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB +gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV +BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw +MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl +YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P +RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3 +UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI +2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 +Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp ++2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ +DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O +nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW +/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g +PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u +QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY +SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv +IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/ +RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4 +zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd +BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB +ZQ== +-----END CERTIFICATE----- +=== /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Mar 6 00:00:00 2008 GMT + Not After : Jan 18 23:59:59 2038 GMT + Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 75:71:A7:19:48:19:BC:9D:9D:EA:41:47:DF:94:C4:48:77:99:D3:79 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11 +SHA256 Fingerprint=17:93:92:7A:06:14:54:97:89:AD:CE:2F:8F:34:F7:F0:B6:6D:0F:3A:E3:A3:B8:4D:21:EC:15:DB:BA:4F:AD:C7 +-----BEGIN CERTIFICATE----- +MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL +MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE +BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT +IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw +MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy +ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N +T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR +FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J +cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW +BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ +BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm +fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv +GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY= +-----END CERTIFICATE----- +=== /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jan 19 00:00:00 2010 GMT + Not After : Jan 18 23:59:59 2038 GMT + Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 +SHA256 Fingerprint=52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34 +-----BEGIN CERTIFICATE----- +MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB +hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV +BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5 +MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT +EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR +Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR +6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X +pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC +9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV +/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf +Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z ++pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w +qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah +SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC +u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf +Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq +crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E +FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB +/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl +wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM +4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV +2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna +FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ +CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK +boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke +jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL +S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb +QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl +0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB +NVOFBkpdn627G190 +-----END CERTIFICATE----- + +### Cybertrust, Inc + +=== /O=Cybertrust, Inc/CN=Cybertrust Global Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:0f:85:aa:2d:48 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 15 08:00:00 2006 GMT + Not After : Dec 15 08:00:00 2021 GMT + Subject: O=Cybertrust, Inc, CN=Cybertrust Global Root + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www2.public-trust.com/crl/ct/ctroot.crl + + X509v3 Authority Key Identifier: + keyid:B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + +SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +SHA256 Fingerprint=96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 +-----BEGIN CERTIFICATE----- +MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG +A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh +bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE +ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS +b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 +7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS +J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y +HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP +t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz +FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY +XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw +hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js +MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA +A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj +Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx +XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o +omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc +A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +WL1WMRJOEcgh4LMRkWXbtKaIOM5V +-----END CERTIFICATE----- + +### D-Trust GmbH + +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 623603 (0x983f3) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 5 08:35:58 2009 GMT + Not After : Nov 5 08:35:58 2029 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + FD:DA:14:C4:9F:30:DE:21:BD:1E:42:39:FC:AB:63:23:49:E0:F1:84 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist + + Full Name: + URI:http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl + +SHA1 Fingerprint=58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0 +SHA256 Fingerprint=49:E7:A4:42:AC:F0:EA:62:87:05:00:54:B5:25:64:B6:50:E4:F4:9E:42:E3:48:D6:AA:38:E0:39:E9:57:B1:C1 +-----BEGIN CERTIFICATE----- +MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NTha +ME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMM +HkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANOySs96R+91myP6Oi/WUEWJNTrGa9v+2wBoqOADER03 +UAifTUpolDWzU9GUY6cgVq/eUXjsKj3zSEhQPgrfRlWLJ23DEE0NkVJD2IfgXU42 +tSHKXzlABF9bfsyjxiupQB7ZNoTWSPOSHjRGICTBpFGOShrvUD9pXRl/RcPHAY9R +ySPocq60vFYJfxLLHLGvKZAKyVXMD9O0Gu1HNVpK7ZxzBCHQqr0ME7UAyiZsxGsM +lFqVlNpQmvH/pStmMaTJOKDfHR+4CS7zp+hnUquVH+BGPtikw8paxTGA6Eian5Rp +/hnd2HN8gcqW3o7tszIFZYQ05ub9VxC1X3a/L7AQDcUCAwEAAaOCARowggEWMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP3aFMSfMN4hvR5COfyrYyNJ4PGEMA4G +A1UdDwEB/wQEAwIBBjCB0wYDVR0fBIHLMIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVj +dG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUy +MENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRl +cmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3Js +L2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmwwDQYJKoZIhvcNAQEL +BQADggEBAH+X2zDI36ScfSF6gHDOFBJpiBSVYEQBrLLpME+bUMJm2H6NMLVwMeni +acfzcNsgFYbQDfC+rAF1hM5+n02/t2A7nPPKHeJeaNijnZflQGDSNiH+0LS4F9p0 +o3/U37CYAqxva2ssJSRyoWXuJVrl5jLn8t+rSfrzkGkj2wTZ51xY/GXUl77M/C4K +zCUqNQT4YJEVdT1B/yMfGchs64JTBKbkTCJNjYy6zltz7GRUUG3RnFX7acM2w4y8 +PIWmawomDeCTmGCufsYkl4phX5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3Y +Johw1+qRzT65ysCQblrGXnRl11z+o+I= +-----END CERTIFICATE----- +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 EV 2009 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 623604 (0x983f4) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 5 08:50:46 2009 GMT + Not After : Nov 5 08:50:46 2029 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + D3:94:8A:4C:62:13:2A:19:2E:CC:AF:72:8A:7D:36:D7:9A:1C:DC:67 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist + + Full Name: + URI:http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl + +SHA1 Fingerprint=96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83 +SHA256 Fingerprint=EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81 +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw +NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV +BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn +ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0 +3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z +qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR +p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8 +HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw +ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea +HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw +Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh +c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E +RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp +3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 +nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF +CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na +xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX +KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1 +-----END CERTIFICATE----- + +### Dhimyotis + +=== /C=FR/O=Dhimyotis/CN=Certigna +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + fe:dc:e3:01:0f:c9:48:ff + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jun 29 15:13:05 2007 GMT + Not After : Jun 29 15:13:05 2027 GMT + Subject: C=FR, O=Dhimyotis, CN=Certigna + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 1A:ED:FE:41:39:90:B4:24:59:BE:01:F2:52:D5:45:F6:5A:39:DC:11 + X509v3 Authority Key Identifier: + keyid:1A:ED:FE:41:39:90:B4:24:59:BE:01:F2:52:D5:45:F6:5A:39:DC:11 + DirName:/C=FR/O=Dhimyotis/CN=Certigna + serial:FE:DC:E3:01:0F:C9:48:FF + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA +SHA1 Fingerprint=B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97 +SHA256 Fingerprint=E3:B6:A2:DB:2E:D7:CE:48:84:2F:7A:C5:32:41:C7:B7:1D:54:14:4B:FB:40:C1:1F:3F:1D:0B:42:F5:EE:A1:2D +-----BEGIN CERTIFICATE----- +MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNV +BAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4X +DTA3MDYyOTE1MTMwNVoXDTI3MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQ +BgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwIQ2VydGlnbmEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7qXOEm7RFHYeGifBZ4 +QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyHGxny +gQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbw +zBfsV1/pogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q +130yGLMLLGq/jj8UEYkgDncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2 +JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKfIrjxwo1p3Po6WAbfAgMBAAGjgbwwgbkw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQtCRZvgHyUtVF9lo53BEw +ZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJBgNVBAYT +AkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzj +AQ/JSP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG +9w0BAQUFAAOCAQEAhQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8h +bV6lUmPOEvjvKtpv6zf+EwLHyzs+ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFnc +fca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1kluPBS1xp81HlDQwY9qcEQCYsuu +HWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY1gkIl2PlwS6w +t0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw +WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg== +-----END CERTIFICATE----- +=== /C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 1 08:32:27 2013 GMT + Not After : Oct 1 08:32:27 2033 GMT + Subject: C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 18:87:56:E0:6E:77:EE:24:35:3C:4E:73:9A:1F:D6:E1:E2:79:7E:2B + X509v3 Authority Key Identifier: + keyid:18:87:56:E0:6E:77:EE:24:35:3C:4E:73:9A:1F:D6:E1:E2:79:7E:2B + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://wwww.certigna.fr/autorites/ + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.certigna.fr/certignarootca.crl + + Full Name: + URI:http://crl.dhimyotis.com/certignarootca.crl + +SHA1 Fingerprint=2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43 +SHA256 Fingerprint=D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68 +-----BEGIN CERTIFICATE----- +MIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZBbcTjpuEwDQYJKoZIhvcNAQELBQAw +WjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAw +MiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0x +MzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjdaMFoxCzAJBgNVBAYTAkZSMRIwEAYD +VQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxGTAX +BgNVBAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDNGDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sO +ty3tRQgXstmzy9YXUnIo245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9M +CiBtnyN6tMbaLOQdLNyzKNAT8kxOAkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPu +I9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8JXrJhFwLrN1CTivngqIkicuQstDuI7pm +TLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16XdG+RCYyKfHx9WzMfgIh +C59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQwFsWq4NYKpkDf +ePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBBe3Yz +IoejwpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWT +Co/1VTp2lc5ZmIoJlXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1k +JWumIWmbat10TWuXekG9qxf5kBdIjzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5 +hwjCxAnxl4YqKE3idMDaxIzb3+KhF1nOJFl0Mdp//TBt2dzhauH8XwIDAQABo4IB +GjCCARYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1UdIwQYMBaAFBiHVuBud+4kNTxOc5of +1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsGAQUFBwIBFiNodHRwczov +L3d3d3cuY2VydGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBkMC+gLaArhilo +dHRwOi8vY3JsLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+gLYYr +aHR0cDovL2NybC5kaGlteW90aXMuY29tL2NlcnRpZ25hcm9vdGNhLmNybDANBgkq +hkiG9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOItOoldaDgvUSILSo3L +6btdPrtcPbEo/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxPTGRG +HVyH41neQtGbqH6mid2PHMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH6 +0BGM+RFq7q89w1DTj18zeTyGqHNFkIwgtnJzFyO+B2XleJINugHA64wcZr+shncB +lA2c5uk5jR+mUYyZDDl34bSb+hxnV29qao6pK0xXeXpXIs/NX2NGjVxZOob4Mkdi +o2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd8VRY+WCv2hikLyhF3HqgiIZd8zvn/yk1 +gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS6Cvu5zHbugRqh5jnxV/v +faci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaYtlu3zM63 +Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayh +jWZSaX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw +3kAP+HwV96LOPNdeE4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0= +-----END CERTIFICATE----- + +### DigiCert Inc + +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 10 00:00:00 2006 GMT + Not After : Nov 10 00:00:00 2031 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F + X509v3 Authority Key Identifier: + keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F + +SHA1 Fingerprint=05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 +SHA256 Fingerprint=3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C +-----BEGIN CERTIFICATE----- +MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv +b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl +cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c +JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP +mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+ +wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4 +VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/ +AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB +AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun +pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC +dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf +fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm +NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx +H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe ++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g== +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 1 12:00:00 2013 GMT + Not After : Jan 15 12:00:00 2038 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + CE:C3:4A:B9:99:55:F2:B8:DB:60:BF:A9:7E:BD:56:B5:97:36:A7:D6 +SHA1 Fingerprint=A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F +SHA256 Fingerprint=7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85 +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBl +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv +b3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl +cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSA +n61UQbVH35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4Htecc +biJVMWWXvdMX0h5i89vqbFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9Hp +EgjAALAcKxHad3A2m67OeYfcgnDmCXRwVWmvo2ifv922ebPynXApVfSr/5Vh88lA +bx3RvpO704gqu52/clpWcTs/1PPRCv4o76Pu2ZmvA9OPYLfykqGxvYmJHzDNw6Yu +YjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3sLPr4/m3wOnyqi+RnlTGNAgMB +AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQW +BBTOw0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEAyqVVjOPI +QW5pJ6d1Ee88hjZv0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I +0jJmwYrA8y8678Dj1JGG0VDjA9tzd29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4Gni +lmwORGYQRI+tBev4eaymG+g3NJ1TyWGqolKvSnAWhsI6yLETcDbYz+70CjTVW0z9 +B5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0MjomZmWzwPDCv +ON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo +IhNzbM8m9Yop5w== +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Aug 1 12:00:00 2013 GMT + Not After : Jan 15 12:00:00 2038 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + CB:D0:BD:A9:E1:98:05:51:A1:4D:37:A2:83:79:CE:8D:1D:2A:E4:84 +SHA1 Fingerprint=F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89 +SHA256 Fingerprint=7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2 +-----BEGIN CERTIFICATE----- +MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3Qg +RzMwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQGEwJV +UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu +Y29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwdjAQBgcq +hkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8QdJ+1YlJf +Zn4f5dwbRXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17Q +RSAPWXYQ1qAk8C3eNvJsKTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgGGMB0GA1UdDgQWBBTL0L2p4ZgFUaFNN6KDec6NHSrkhDAKBggqhkjOPQQD +AwNnADBkAjAlpIFFAmsSS3V0T8gj43DydXLefInwz5FyYZ5eEJJZVrmDxxDnOOlY +JjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy1vUhZscv +6pZjamVFkpUBtA== +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 10 00:00:00 2006 GMT + Not After : Nov 10 00:00:00 2031 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 + X509v3 Authority Key Identifier: + keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 + +SHA1 Fingerprint=A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 +SHA256 Fingerprint=43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61 +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB +CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 +nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt +43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P +T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 +gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR +TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw +DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr +hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg +06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF +PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls +YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 1 12:00:00 2013 GMT + Not After : Jan 15 12:00:00 2038 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39 +SHA1 Fingerprint=DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 +SHA256 Fingerprint=CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH +MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI +2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx +1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ +q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz +tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ +vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV +5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY +1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 +NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG +Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 +8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe +pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl +MrY= +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Aug 1 12:00:00 2013 GMT + Not After : Jan 15 12:00:00 2038 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B3:DB:48:A4:F9:A1:C5:D8:AE:36:41:CC:11:63:69:62:29:BC:4B:C6 +SHA1 Fingerprint=7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E +SHA256 Fingerprint=31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0 +-----BEGIN CERTIFICATE----- +MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe +Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw +EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x +IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG +fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO +Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd +BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx +AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/ +oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8 +sycX +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 10 00:00:00 2006 GMT + Not After : Nov 10 00:00:00 2031 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 + X509v3 Authority Key Identifier: + keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 + +SHA1 Fingerprint=5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25 +SHA256 Fingerprint=74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug +RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm ++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW +PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM +xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB +Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 +hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg +EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA +FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec +nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z +eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF +hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 +Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep ++OkuE6N36B9K +-----END CERTIFICATE----- +=== /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Aug 1 12:00:00 2013 GMT + Not After : Jan 15 12:00:00 2038 GMT + Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F +SHA1 Fingerprint=DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4 +SHA256 Fingerprint=55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88 +-----BEGIN CERTIFICATE----- +MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg +RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV +UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu +Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y +ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If +xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV +ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO +DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ +jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/ +CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi +EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM +fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY +uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK +chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t +9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD +ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2 +SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd ++SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc +fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa +sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N +cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N +0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie +4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI +r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 +/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm +gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ +-----END CERTIFICATE----- + +### Disig a.s. + +=== /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 92:b8:88:db:b0:8a:c1:63 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 19 09:15:30 2012 GMT + Not After : Jul 19 09:15:30 2042 GMT + Subject: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B5:99:F8:AF:B0:94:F5:E3:20:D6:0A:AD:CE:4E:56:A4:2E:6E:42:ED +SHA1 Fingerprint=B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71 +SHA256 Fingerprint=E2:3D:4A:03:6D:7B:70:E9:F5:95:B1:42:20:79:D2:B9:1E:DF:BB:1F:B6:51:A0:63:3E:AA:8A:9D:C5:F8:07:03 +-----BEGIN CERTIFICATE----- +MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlNLMRMwEQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMu +MRkwFwYDVQQDExBDQSBEaXNpZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQy +MDcxOTA5MTUzMFowUjELMAkGA1UEBhMCU0sxEzARBgNVBAcTCkJyYXRpc2xhdmEx +EzARBgNVBAoTCkRpc2lnIGEucy4xGTAXBgNVBAMTEENBIERpc2lnIFJvb3QgUjIw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCio8QACdaFXS1tFPbCw3Oe +NcJxVX6B+6tGUODBfEl45qt5WDza/3wcn9iXAng+a0EE6UG9vgMsRfYvZNSrXaNH +PWSb6WiaxswbP7q+sos0Ai6YVRn8jG+qX9pMzk0DIaPY0jSTVpbLTAwAFjxfGs3I +x2ymrdMxp7zo5eFm1tL7A7RBZckQrg4FY8aAamkw/dLukO8NJ9+flXP04SXabBbe +QTg06ov80egEFGEtQX6sx3dOy1FU+16SGBsEWmjGycT6txOgmLcRK7fWV8x8nhfR +yyX+hk4kLlYMeE2eARKmK6cBZW58Yh2EhN/qwGu1pSqVg8NTEQxzHQuyRpDRQjrO +QG6Vrf/GlK1ul4SOfW+eioANSW1z4nuSHsPzwfPrLgVv2RvPN3YEyLRa5Beny912 +H9AZdugsBbPWnDTYltxhh5EF5EQIM8HauQhl1K6yNg3ruji6DOWbnuuNZt2Zz9aJ +QfYEkoopKW1rOhzndX0CcQ7zwOe9yxndnWCywmZgtrEE7snmhrmaZkCo5xHtgUUD +i/ZnWejBBhG93c+AAk9lQHhcR1DIm+YfgXvkRKhbhZri3lrVx/k6RGZL5DJUfORs +nLMOPReisjQS1n6yqEm70XooQL6iFh/f5DcfEXP7kAplQ6INfPgGAVUzfbANuPT1 +rqVCV3w2EYx7XsQDnYx5nQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBBjAdBgNVHQ4EFgQUtZn4r7CU9eMg1gqtzk5WpC5uQu0wDQYJKoZI +hvcNAQELBQADggIBACYGXnDnZTPIgm7ZnBc6G3pmsgH2eDtpXi/q/075KMOYKmFM +tCQSin1tERT3nLXK5ryeJ45MGcipvXrA1zYObYVybqjGom32+nNjf7xueQgcnYqf +GopTpti72TVVsRHFqQOzVju5hJMiXn7B9hJSi+osZ7z+Nkz1uM/Rs0mSO9MpDpkb +lvdhuDvEK7Z4bLQjb/D907JedR+Zlais9trhxTF7+9FGs9K8Z7RiVLoJ92Owk6Ka ++elSLotgEqv89WBW7xBci8QaQtyDW2QOy7W81k/BfDxujRNt+3vrMNDcTa/F1bal +TFtxyegxvug4BkihGuLq0t4SOVga/4AOgnXmt8kHbA7v/zjxmHHEt38OFdAlab0i +nSvtBfZGR6ztwPDUO+Ls7pZbkBNOHlY667DvlruWIxG68kOGdGSVyCh13x01utI3 +gzhTODY7z2zp+WsO0PsE6E9312UBeIYMej4hYvF/Y3EMyZ9E26gnonW+boE+18Dr +G5gPcFw0sorMwIUY6256s/daoQe/qUKS82Ail+QUoQebTnbAjn39pCXHR+3/H3Os +zMOl6W8KjptlwlCFtaOgUxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8x +L4ysEr3vQCj8KWefshNPZiTEUxnpHikV7+ZtsH8tZ/3zbBt1RqPlShfppNcL +-----END CERTIFICATE----- + +### E-Tu\U011Fra EBG Bili\U015Fim Teknolojileri ve Hizmetleri A.\U015E. + +=== /C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 5 12:09:48 2013 GMT + Not After : Mar 3 12:09:48 2023 GMT + Subject: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 +SHA256 Fingerprint=B0:BF:D5:2B:B0:D7:D9:BD:92:BF:5D:4D:C1:3D:A2:55:C0:2C:54:2F:37:83:65:EA:89:39:11:F5:5E:55:F2:3C +-----BEGIN CERTIFICATE----- +MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D +k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX +U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 +Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF +Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 ++GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +-----END CERTIFICATE----- + +### eMudhra Inc + +=== /C=US/OU=emSign PKI/O=eMudhra Inc/CN=emSign ECC Root CA - C3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 7b:71:b6:82:56:b8:12:7c:9c:a8 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign ECC Root CA - C3 + X509v3 extensions: + X509v3 Subject Key Identifier: + FB:5A:48:D0:80:20:40:F2:A8:E9:00:07:69:19:77:A7:E6:C3:F4:CF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66 +SHA256 Fingerprint=BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3 +-----BEGIN CERTIFICATE----- +MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG +EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx +IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw +MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln +biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND +IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci +MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti +sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O +BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c +3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J +0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ== +-----END CERTIFICATE----- +=== /C=US/OU=emSign PKI/O=eMudhra Inc/CN=emSign Root CA - C1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ae:cf:00:ba:c4:cf:32:f8:43:b2 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign Root CA - C1 + X509v3 extensions: + X509v3 Subject Key Identifier: + FE:A1:E0:70:1E:2A:03:39:52:5A:42:BE:5C:91:85:7A:18:AA:4D:B5 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01 +SHA256 Fingerprint=12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F +-----BEGIN CERTIFICATE----- +MIIDczCCAlugAwIBAgILAK7PALrEzzL4Q7IwDQYJKoZIhvcNAQELBQAwVjELMAkG +A1UEBhMCVVMxEzARBgNVBAsTCmVtU2lnbiBQS0kxFDASBgNVBAoTC2VNdWRocmEg +SW5jMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEMxMB4XDTE4MDIxODE4MzAw +MFoXDTQzMDIxODE4MzAwMFowVjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln +biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMRwwGgYDVQQDExNlbVNpZ24gUm9v +dCBDQSAtIEMxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+upufGZ +BczYKCFK83M0UYRWEPWgTywS4/oTmifQz/l5GnRfHXk5/Fv4cI7gklL35CX5VIPZ +HdPIWoU/Xse2B+4+wM6ar6xWQio5JXDWv7V7Nq2s9nPczdcdioOl+yuQFTdrHCZH +3DspVpNqs8FqOp099cGXOFgFixwR4+S0uF2FHYP+eF8LRWgYSKVGczQ7/g/IdrvH +GPMF0Ybzhe3nudkyrVWIzqa2kbBPrH4VI5b2P/AgNBbeCsbEBEV5f6f9vtKppa+c +xSMq9zwhbL2vj07FOrLzNBL834AaSaTUqZX3noleoomslMuoaJuvimUnzYnu3Yy1 +aylwQ6BpC+S5DwIDAQABo0IwQDAdBgNVHQ4EFgQU/qHgcB4qAzlSWkK+XJGFehiq +TbUwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBAMJKVvoVIXsoounlHfv4LcQ5lkFMOycsxGwYFYDGrK9HWS8mC+M2sO87 +/kOXSTKZEhVb3xEp/6tT+LvBeA+snFOvV71ojD1pM/CjoCNjO2RnIkSt1XHLVip4 +kqNPEjE2NuLe/gDEo2APJ62gsIq1NnpSob0n9CAnYuhNlCQT5AoE6TyrLshDCUrG +YQTlSTR+08TI9Q/Aqum6VF7zYytPT1DU/rl7mYw9wC68AivTxEDkigcxHpvOJpkT ++xHqmiIMERnHXhuBUDDIlhJu58tBf5E7oke3VIAb3ADMmpDqw8NQBmIMMMAVSKeo +WXzhriKi4gp6D/piq1JM4fHfyr6DDUI= +-----END CERTIFICATE----- + +### eMudhra Technologies Limited + +=== /C=IN/OU=emSign PKI/O=eMudhra Technologies Limited/CN=emSign ECC Root CA - G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3c:f6:07:a9:68:70:0e:da:8b:84 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign ECC Root CA - G3 + X509v3 extensions: + X509v3 Subject Key Identifier: + 7C:5D:02:84:13:D4:CC:8A:9B:81:CE:17:1C:2E:29:1E:9C:48:63:42 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1 +SHA256 Fingerprint=86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B +-----BEGIN CERTIFICATE----- +MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG +EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo +bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g +RzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJ +TjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s +b2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMw +djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQjpQy4LRL1KPOxst3iAhKAnjlfSU2fySU0 +WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyzdc6LBtCGI79G1Y4PPwT01xyS +fvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQWBBR8XQKEE9TMipuB +zhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB +CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD ++JbNR6iC8hZVdyR+EhCVBCyj +-----END CERTIFICATE----- +=== /C=IN/OU=emSign PKI/O=eMudhra Technologies Limited/CN=emSign Root CA - G1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 31:f5:e4:62:0c:6c:58:ed:d6:d8 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 18 18:30:00 2018 GMT + Not After : Feb 18 18:30:00 2043 GMT + Subject: C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign Root CA - G1 + X509v3 extensions: + X509v3 Subject Key Identifier: + FB:EF:0D:86:9E:B0:E3:DD:A9:B9:F1:21:17:7F:3E:FC:F0:77:2B:1A + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C +SHA256 Fingerprint=40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67 +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIKMfXkYgxsWO3W2DANBgkqhkiG9w0BAQsFADBnMQswCQYD +VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBU +ZWNobm9sb2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBH +MTAeFw0xODAyMTgxODMwMDBaFw00MzAyMTgxODMwMDBaMGcxCzAJBgNVBAYTAklO +MRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxlTXVkaHJhIFRlY2hub2xv +Z2llcyBMaW1pdGVkMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEcxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk0u76WaK7p1b1TST0Bsew+eeuGQz +f2N4aLTNLnF115sgxk0pvLZoYIr3IZpWNVrzdr3YzZr/k1ZLpVkGoZM0Kd0WNHVO +8oG0x5ZOrRkVUkr+PHB1cM2vK6sVmjM8qrOLqs1D/fXqcP/tzxE7lM5OMhbTI0Aq +d7OvPAEsbO2ZLIvZTmmYsvePQbAyeGHWDV/D+qJAkh1cF+ZwPjXnorfCYuKrpDhM +tTk1b+oDafo6VGiFbdbyL0NVHpENDtjVaqSW0RM8LHhQ6DqS0hdW5TUaQBw+jSzt +Od9C4INBdN+jzcKGYEho42kLVACL5HZpIQ15TjQIXhTCzLG3rdd8cIrHhQIDAQAB +o0IwQDAdBgNVHQ4EFgQU++8Nhp6w492pufEhF38+/PB3KxowDgYDVR0PAQH/BAQD +AgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFn/8oz1h31x +PaOfG1vR2vjTnGs2vZupYeveFix0PZ7mddrXuqe8QhfnPZHr5X3dPpzxz5KsbEjM +wiI/aTvFthUvozXGaCocV685743QNcMYDHsAVhzNixl03r4PEuDQqqE/AjSxcM6d +GNYIAwlG7mDgfrbESQRRfXBgvKqy/3lyeqYdPV8q+Mri/Tm3R7nrft8EI6/6nAYH +6ftjk4BAtcZsCjEozgyfz7MjNYBBjWzEN3uBL4ChQEKF6dk4jeihU80Bv2noWgby +RQuQ+q7hv53yrlc8pa6yVvSLZUDp/TGBLPQ5Cdjua6e0ph0VpZj3AYHYhX3zUVxx +iN66zB+Afko= +-----END CERTIFICATE----- + +### Entrust, Inc. + +=== /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1246989352 (0x4a538c28) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 7 17:25:54 2009 GMT + Not After : Dec 7 17:55:54 2030 GMT + Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB +SHA1 Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4 +SHA256 Fingerprint=43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 +-----BEGIN CERTIFICATE----- +MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC +VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 +cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs +IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz +dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy +NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu +dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt +dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 +aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T +RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN +cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW +wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 +U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 +jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN +BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ +jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ +Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v +1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R +nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH +VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== +-----END CERTIFICATE----- +=== /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a6:8b:79:29:00:00:00:00:50:d0:91:f9 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Dec 18 15:25:36 2012 GMT + Not After : Dec 18 15:55:36 2037 GMT + Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B7:63:E7:1A:DD:8D:E9:08:A6:55:83:A4:E0:6A:50:41:65:11:42:49 +SHA1 Fingerprint=20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47 +SHA256 Fingerprint=02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 +-----BEGIN CERTIFICATE----- +MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG +A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3 +d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu +dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq +RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy +MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD +VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0 +L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g +Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD +ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi +A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt +ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH +Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O +BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC +R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX +hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G +-----END CERTIFICATE----- +=== /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 27 11:11:16 2015 GMT + Not After : Dec 27 11:41:16 2037 GMT + Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2015 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G4 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 +SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 +SHA256 Fingerprint=DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 +-----BEGIN CERTIFICATE----- +MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw +gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL +Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg +MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 +MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 +c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ +bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg +Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ +2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E +T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j +5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM +C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T +DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX +wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A +2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm +nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 +dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl +N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj +c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS +5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS +Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr +hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ +B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI +AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw +H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ +b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk +2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol +IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk +5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY +n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== +-----END CERTIFICATE----- +=== /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1164660820 (0x456b5054) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 27 20:23:42 2006 GMT + Not After : Nov 27 20:53:42 2026 GMT + Subject: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Private Key Usage Period: + Not Before: Nov 27 20:23:42 2006 GMT, Not After: Nov 27 20:53:42 2026 GMT + X509v3 Authority Key Identifier: + keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D + + X509v3 Subject Key Identifier: + 68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D + 1.2.840.113533.7.65.0: + 0...V7.1:4.0.... +SHA1 Fingerprint=B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9 +SHA256 Fingerprint=73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C +-----BEGIN CERTIFICATE----- +MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC +VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0 +Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW +KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl +cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw +NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw +NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy +ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV +BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo +Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4 +4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9 +KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI +rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi +94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB +sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi +gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo +kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE +vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA +A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t +O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua +AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP +9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/ +eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m +0vdXcDazv/wor3ElhVsT/h5/WrQ8 +-----END CERTIFICATE----- + +### Entrust.net + +=== /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 946069240 (0x3863def8) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 24 17:50:51 1999 GMT + Not After : Jul 24 14:15:12 2029 GMT + Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70 +SHA1 Fingerprint=50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31 +SHA256 Fingerprint=6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML +RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp +bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5 +IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3 +MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3 +LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp +YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG +A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq +K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe +sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX +MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT +XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/ +HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH +4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub +j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo +U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf +zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b +u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+ +bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er +fF6adulZkMV8gzURZVE= +-----END CERTIFICATE----- + +### FNMT-RCM + +=== /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 29 15:59:56 2008 GMT + Not After : Jan 1 00:00:00 2030 GMT + Subject: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + F7:7D:C5:FD:C4:E8:9A:1B:77:64:A7:F5:1D:A0:CC:BF:87:60:9A:6D + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://www.cert.fnmt.es/dpcs/ + +SHA1 Fingerprint=EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20 +SHA256 Fingerprint=EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA +-----BEGIN CERTIFICATE----- +MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx +CzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJ +WiBGTk1ULVJDTTAeFw0wODEwMjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJ +BgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBG +Tk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALpxgHpMhm5/ +yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcfqQgf +BBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAz +WHFctPVrbtQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxF +tBDXaEAUwED653cXeuYLj2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z +374jNUUeAlz+taibmSXaXvMiwzn15Cou08YfxGyqxRxqAQVKL9LFwag0Jl1mpdIC +IfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mwWsXmo8RZZUc1g16p6DUL +mbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnTtOmlcYF7 +wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peS +MKGJ47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2 +ZSysV4999AeU14ECll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMet +UqIJ5G+GR4of6ygnXYMgrwTJbFaai0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPd9xf3E6Jobd2Sn9R2gzL+H +YJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwOi8vd3d3 +LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD +nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1 +RXxlDPiyN8+sD8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYM +LVN0V2Ue1bLdI4E7pWYjJ2cJj+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf +77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrTQfv6MooqtyuGC2mDOL7Nii4LcK2N +JpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW+YJF1DngoABd15jm +fZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7Ixjp +6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp +1txyM/1d8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B +9kiABdcPUXmsEKvU7ANm5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wok +RqEIr9baRRmW1FMdW4R58MD3R++Lj8UGrp1MYp3/RgT408m2ECVAdf4WqslKYIYv +uu8wd+RU4riEmViAqhOLUTpPSPaLtrM= +-----END CERTIFICATE----- +=== /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Dec 20 09:37:33 2018 GMT + Not After : Dec 20 09:37:33 2043 GMT + Subject: C=ES, O=FNMT-RCM, OU=Ceres/2.5.4.97=VATES-Q2826004J, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 01:B9:2F:EF:BF:11:86:60:F2:4F:D0:41:6E:AB:73:1F:E7:D2:6E:49 +SHA1 Fingerprint=62:FF:D9:9E:C0:65:0D:03:CE:75:93:D2:ED:3F:2D:32:C9:E3:E5:4A +SHA256 Fingerprint=55:41:53:B1:3D:2C:F9:DD:B7:53:BF:BE:1A:4E:0A:E0:8D:0A:A4:18:70:58:FE:60:A2:B8:62:B2:E4:B8:7B:CB +-----BEGIN CERTIFICATE----- +MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw +CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw +FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S +Q00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5 +MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL +DAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS +QUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB +BAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH +sbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK +Um8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu +SuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC +MQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy +v+c= +-----END CERTIFICATE----- + +### GlobalSign + +=== /OU=GlobalSign ECC Root CA - R4/O=GlobalSign/CN=GlobalSign +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Nov 13 00:00:00 2012 GMT + Not After : Jan 19 03:14:07 2038 GMT + Subject: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 54:B0:7B:AD:45:B8:E2:40:7F:FB:0A:6E:FB:BE:33:C9:3C:A3:84:D5 +SHA1 Fingerprint=69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB +SHA256 Fingerprint=BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C +-----BEGIN CERTIFICATE----- +MIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIwUDEk +MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpH +bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX +DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD +QSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMZ5049sJQ6fLjkZHAOkrprlOQcJ +FspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO/8ch5RikqtlxP6jUuc6MHaNCMEAw +DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFSwe61F +uOJAf/sKbvu+M8k8o4TVMAoGCCqGSM49BAMCA0gAMEUCIQDckqGgE6bPA7DmxCGX +kPoUVy0D7O48027KqGx2vKLeuwIgJ6iFJzWbVsaj8kfSt24bAgAXqmemFZHe+pTs +ewv4n4Q= +-----END CERTIFICATE----- +=== /OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Nov 13 00:00:00 2012 GMT + Not After : Jan 19 03:14:07 2038 GMT + Subject: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 3D:E6:29:48:9B:EA:07:CA:21:44:4A:26:DE:6E:DE:D2:83:D0:9F:59 +SHA1 Fingerprint=1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA +SHA256 Fingerprint=17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24 +-----BEGIN CERTIFICATE----- +MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEk +MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpH +bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX +DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD +QSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu +MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6SFkc +8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8ke +hOvRnkmSh5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD +VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYI +KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg +515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnO +xwy8p2Fp8fc74SrL+SvzZpA3 +-----END CERTIFICATE----- +=== /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:0f:86:26:e6:0d + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 15 08:00:00 2006 GMT + Not After : Dec 15 08:00:00 2021 GMT + Subject: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.globalsign.net/root-r2.crl + + X509v3 Authority Key Identifier: + keyid:9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E + +SHA1 Fingerprint=75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE +SHA256 Fingerprint=CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO +291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +-----END CERTIFICATE----- +=== /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:21:58:53:08:a2 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 18 10:00:00 2009 GMT + Not After : Mar 18 10:00:00 2029 GMT + Subject: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC +SHA1 Fingerprint=D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD +SHA256 Fingerprint=CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B +-----BEGIN CERTIFICATE----- +MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 +MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 +RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT +gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm +KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd +QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ +XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw +DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o +LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU +RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp +jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK +6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX +mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs +Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH +WD9f +-----END CERTIFICATE----- +=== /OU=GlobalSign Root CA - R6/O=GlobalSign/CN=GlobalSign +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Dec 10 00:00:00 2014 GMT + Not After : Dec 10 00:00:00 2034 GMT + Subject: OU=GlobalSign Root CA - R6, O=GlobalSign, CN=GlobalSign + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + AE:6C:05:A3:93:13:E2:A2:E7:E2:D7:1C:D6:C7:F0:7F:C8:67:53:A0 + X509v3 Authority Key Identifier: + keyid:AE:6C:05:A3:93:13:E2:A2:E7:E2:D7:1C:D6:C7:F0:7F:C8:67:53:A0 + +SHA1 Fingerprint=80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1 +SHA256 Fingerprint=2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69 +-----BEGIN CERTIFICATE----- +MIIFgzCCA2ugAwIBAgIORea7A4Mzw4VlSOb/RVEwDQYJKoZIhvcNAQEMBQAwTDEg +MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2Jh +bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQxMjEwMDAwMDAwWhcNMzQx +MjEwMDAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSNjET +MBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJUH6HPKZvnsFMp7PPcNCPG0RQssgrRI +xutbPK6DuEGSMxSkb3/pKszGsIhrxbaJ0cay/xTOURQh7ErdG1rG1ofuTToVBu1k +ZguSgMpE3nOUTvOniX9PeGMIyBJQbUJmL025eShNUhqKGoC3GYEOfsSKvGRMIRxD +aNc9PIrFsmbVkJq3MQbFvuJtMgamHvm566qjuL++gmNQ0PAYid/kD3n16qIfKtJw +LnvnvJO7bVPiSHyMEAc4/2ayd2F+4OqMPKq0pPbzlUoSB239jLKJz9CgYXfIWHSw +1CM69106yqLbnQneXUQtkPGBzVeS+n68UARjNN9rkxi+azayOeSsJDa38O+2HBNX +k7besvjihbdzorg1qkXy4J02oW9UivFyVm4uiMVRQkQVlO6jxTiWm05OWgtH8wY2 +SXcwvHE35absIQh1/OZhFj931dmRl4QKbNQCTXTAFO39OfuD8l4UoQSwC+n+7o/h +bguyCLNhZglqsQY6ZZZZwPA1/cnaKI0aEYdwgQqomnUdnjqGBQCe24DWJfncBZ4n +WUx2OVvq+aWh2IMP0f/fMBH5hc8zSPXKbWQULHpYT9NLCEnFlWQaYw55PfWzjMpY +rZxCRXluDocZXFSxZba/jJvcE+kNb7gu3GduyYsRtYQUigAZcIN5kZeR1Bonvzce +MgfYFGM8KEyvAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBSubAWjkxPioufi1xzWx/B/yGdToDAfBgNVHSMEGDAWgBSu +bAWjkxPioufi1xzWx/B/yGdToDANBgkqhkiG9w0BAQwFAAOCAgEAgyXt6NH9lVLN +nsAEoJFp5lzQhN7craJP6Ed41mWYqVuoPId8AorRbrcWc+ZfwFSY1XS+wc3iEZGt +Ixg93eFyRJa0lV7Ae46ZeBZDE1ZXs6KzO7V33EByrKPrmzU+sQghoefEQzd5Mr61 +55wsTLxDKZmOMNOsIeDjHfrYBzN2VAAiKrlNIC5waNrlU/yDXNOd8v9EDERm8tLj +vUYAGm0CuiVdjaExUd1URhxN25mW7xocBFymFe944Hn+Xds+qkxV/ZoVqW/hpvvf +cDDpw+5CRu3CkwWJ+n1jez/QcYF8AOiYrg54NMMl+68KnyBr3TsTjxKM4kEaSHpz +oHdpx7Zcf4LIHv5YGygrqGytXm3ABdJ7t+uA/iU3/gKbaKxCXcPu9czc8FB10jZp +nOZ7BN9uBmm23goJSFmH63sUYHpkqmlD75HHTOwY3WzvUy2MmeFe8nI+z1TIvWfs +pA9MRf/TuTAjB0yPEL+GltmZWrSZVxykzLsViVO6LAUP5MSeGbEYNNVMnbrt9x+v +JJUEeKgDu+6B5dpffItKoZB0JaezPkvILFa9x8jvOOJckvB595yEunQtYQEgfn7R +8k8HWV+LLUNS60YMlOH1Zkd5d9VUWx+tJDfLRVpOoERIyNiwmcUVhAn21klJwGW4 +5hpxbqCo8YLoRT5s1gLXCmeDBVrJpBA= +-----END CERTIFICATE----- + +### GlobalSign nv-sa + +=== /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:d2:bb:ba:33:6e:d4:bc:e6:24:68:c5:0d:84:1d:98:e8:43 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Mar 20 00:00:00 2019 GMT + Not After : Mar 20 00:00:00 2046 GMT + Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root E46 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 31:0A:90:8F:B6:C6:9D:D2:44:4B:80:B5:A2:E6:1F:B1:12:4F:1B:95 +SHA1 Fingerprint=39:B4:6C:D5:FE:80:06:EB:E2:2F:4A:BB:08:33:A0:AF:DB:B9:DD:84 +SHA256 Fingerprint=CB:B9:C4:4D:84:B8:04:3E:10:50:EA:31:A6:9F:51:49:55:D7:BF:D2:E2:C6:B4:93:01:01:9A:D6:1D:9F:50:58 +-----BEGIN CERTIFICATE----- +MIICCzCCAZGgAwIBAgISEdK7ujNu1LzmJGjFDYQdmOhDMAoGCCqGSM49BAMDMEYx +CzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQD +ExNHbG9iYWxTaWduIFJvb3QgRTQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMyMDAw +MDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2Ex +HDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAAScDrHPt+ieUnd1NPqlRqetMhkytAepJ8qUuwzSChDH2omwlwxwEwkBjtjq +R+q+soArzfwoDdusvKSGN+1wCAB16pMLey5SnCNoIwZD7JIvU4Tb+0cUB+hflGdd +yXqBPCCjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud +DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ +7Zvvi5QCkxeCmb6zniz2C5GMn0oUsfZkvLtoURMMA/cVi4RguYv/Uo7njLwcAjA8 ++RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAezNIm8BZ/3Hobui3A= +-----END CERTIFICATE----- +=== /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:d2:bb:b9:d7:23:18:9e:40:5f:0a:9d:2d:d0:df:25:67:d1 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Mar 20 00:00:00 2019 GMT + Not After : Mar 20 00:00:00 2046 GMT + Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root R46 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 03:5C:AB:73:81:87:A8:CC:B0:A6:D5:94:E2:36:96:49:FF:05:99:2C +SHA1 Fingerprint=53:A2:B0:4B:CA:6B:D6:45:E6:39:8A:8E:C4:0D:D2:BF:77:C3:A2:90 +SHA256 Fingerprint=4F:A3:12:6D:8D:3A:11:D1:C4:85:5A:4F:80:7C:BA:D6:CF:91:9D:3A:5A:88:B0:3B:EA:2C:63:72:D9:3C:40:C9 +-----BEGIN CERTIFICATE----- +MIIFWjCCA0KgAwIBAgISEdK7udcjGJ5AXwqdLdDfJWfRMA0GCSqGSIb3DQEBDAUA +MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD +VQQDExNHbG9iYWxTaWduIFJvb3QgUjQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMy +MDAwMDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt +c2ExHDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCsrHQy6LNl5brtQyYdpokNRbopiLKkHWPd08EsCVeJ +OaFV6Wc0dwxu5FUdUiXSE2te4R2pt32JMl8Nnp8semNgQB+msLZ4j5lUlghYruQG +vGIFAha/r6gjA7aUD7xubMLL1aa7DOn2wQL7Id5m3RerdELv8HQvJfTqa1VbkNud +316HCkD7rRlr+/fKYIje2sGP1q7Vf9Q8g+7XFkyDRTNrJ9CG0Bwta/OrffGFqfUo +0q3v84RLHIf8E6M6cqJaESvWJ3En7YEtbWaBkoe0G1h6zD8K+kZPTXhc+CtI4wSE +y132tGqzZfxCnlEmIyDLPRT5ge1lFgBPGmSXZgjPjHvjK8Cd+RTyG/FWaha/LIWF +zXg4mutCagI0GIMXTpRW+LaCtfOW3T3zvn8gdz57GSNrLNRyc0NXfeD412lPFzYE ++cCQYDdF3uYM2HSNrpyibXRdQr4G9dlkbgIQrImwTDsHTUB+JMWKmIJ5jqSngiCN +I/onccnfxkF0oE32kRbcRoxfKWMxWXEM2G/CtjJ9++ZdU6Z+Ffy7dXxd7Pj2Fxzs +x2sZy/N78CsHpdlseVR2bJ0cpm4O6XkMqCNqo98bMDGfsVR7/mrLZqrcZdCinkqa +ByFrgY/bxFn63iLABJzjqls2k+g9vXqhnQt2sQvHnf3PmKgGwvgqo6GDoLclcqUC +4wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQUA1yrc4GHqMywptWU4jaWSf8FmSwwDQYJKoZIhvcNAQEMBQADggIBAHx4 +7PYCLLtbfpIrXTncvtgdokIzTfnvpCo7RGkerNlFo048p9gkUbJUHJNOxO97k4Vg +JuoJSOD1u8fpaNK7ajFxzHmuEajwmf3lH7wvqMxX63bEIaZHU1VNaL8FpO7XJqti +2kM3S+LGteWygxk6x9PbTZ4IevPuzz5i+6zoYMzRx6Fcg0XERczzF2sUyQQCPtIk +pnnpHs6i58FZFZ8d4kuaPp92CC1r2LpXFNqD6v6MVenQTqnMdzGxRBF6XLE+0xRF +FRhiJBPSy03OXIPBNvIQtQ6IbbjhVp+J3pZmOUdkLG5NrmJ7v2B0GbhWrJKsFjLt +rWhV/pi60zTe9Mlhww6G9kuEYO4Ne7UyWHmRVSyBQ7N0H3qqJZ4d16GLuc1CLgSk +ZoNNiTW2bKg2SnkheCLQQrzRQDGQob4Ez8pn7fXwgNNgyYMqIgXQBztSvwyeqiv5 +u+YfjyW6hY0XHgL+XVAEV8/+LbzvXMAaq7afJMbfc2hIkCwU9D9SGuTSyxTDYWnP +4vkYxboznxSjBF25cfe1lNj2M8FawTSLfJvdkzrnE6JwYZ+vj+vYxXX4M2bUdGc6 +N3ec592kD3ZDZopD8p/7DEJ4Y9HiD2971KE9dJeFt0g5QdYg/NA6s/rob8SKunE3 +vouXsXgxT7PntgMTzlSdriVZzH81Xwj3QEUxeCp6 +-----END CERTIFICATE----- +=== /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:15:4b:5a:c3:94 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Sep 1 12:00:00 1998 GMT + Not After : Jan 28 12:00:00 2028 GMT + Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B +SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C +SHA256 Fingerprint=EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99 +-----BEGIN CERTIFICATE----- +MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG +A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv +b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw +MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i +YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT +aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ +jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp +xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp +1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG +snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ +U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 +9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B +AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz +yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE +38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP +AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad +DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME +HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== +-----END CERTIFICATE----- + +### GoDaddy.com, Inc. + +=== /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 1 00:00:00 2009 GMT + Not After : Dec 31 23:59:59 2037 GMT + Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE +SHA1 Fingerprint=47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B +SHA256 Fingerprint=45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT +EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz +NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH +EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE +AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD +E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH +/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy +DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh +GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR +tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA +AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX +WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu +9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr +gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo +2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO +LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI +4uJEvlz36hz1 +-----END CERTIFICATE----- + +### Google Trust Services LLC + +=== /C=US/O=Google Trust Services LLC/CN=GTS Root R1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jun 22 00:00:00 2016 GMT + Not After : Jun 22 00:00:00 2036 GMT + Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E +SHA1 Fingerprint=E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8 +SHA256 Fingerprint=2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72 +-----BEGIN CERTIFICATE----- +MIIFWjCCA0KgAwIBAgIQbkepxUtHDA3sM9CJuRz04TANBgkqhkiG9w0BAQwFADBH +MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM +QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIy +MDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNl +cnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaM +f/vo27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vX +mX7wCl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7 +zUjwTcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0P +fyblqAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtc +vfaHszVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4 +Zor8Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUsp +zBmkMiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOO +Rc92wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYW +k70paDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+ +DVrNVjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgF +lQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBADiW +Cu49tJYeX++dnAsznyvgyv3SjgofQXSlfKqE1OXyHuY3UjKcC9FhHb8owbZEKTV1 +d5iyfNm9dKyKaOOpMQkpAWBz40d8U6iQSifvS9efk+eCNs6aaAyC58/UEBZvXw6Z +XPYfcX3v73svfuo21pdwCxXu11xWajOl40k4DLh9+42FpLFZXvRq4d2h9mREruZR +gyFmxhE+885H7pwoHyXa/6xmld01D1zvICxi/ZG6qcz8WpyTgYMpl0p8WnK0OdC3 +d8t5/Wk6kjftbjhlRn7pYL15iJdfOBL07q9bgsiG1eGZbYwE8na6SfZu6W0eX6Dv +J4J2QPim01hcDyxC2kLGe4g0x8HYRZvBPsVhHdljUEn2NIVq4BjFbkerQUIpm/Zg +DdIx02OYI5NaAIFItO/Nis3Jz5nu2Z6qNuFoS3FJFDYoOj0dzpqPJeaAcWErtXvM ++SUWgeExX6GjfhaknBZqlxi9dnKlC54dNuYvoS++cJEPqOba+MSSQGwlfnuzCdyy +F62ARPBopY+Udf90WuioAnwMCeKpSwughQtiue+hMZL77/ZRBIls6Kl0obsXs7X9 +SQ98POyDGCBDTtWTurQ0sR8WNh8M5mQ5Fkzc4P4dyKliPUDqysU0ArSuiYgzNdws +E3PYJ/HQcu51OyLemGhmW/HGY0dVHLqlCFF1pkgl +-----END CERTIFICATE----- +=== /C=US/O=Google Trust Services LLC/CN=GTS Root R2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jun 22 00:00:00 2016 GMT + Not After : Jun 22 00:00:00 2036 GMT + Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + BB:FF:CA:8E:23:9F:4F:99:CA:DB:E2:68:A6:A5:15:27:17:1E:D9:0E +SHA1 Fingerprint=D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D +SHA256 Fingerprint=C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60 +-----BEGIN CERTIFICATE----- +MIIFWjCCA0KgAwIBAgIQbkepxlqz5yDFMJo/aFLybzANBgkqhkiG9w0BAQwFADBH +MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM +QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIy +MDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNl +cnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDO3v2m++zsFDQ8BwZabFn3GTXd98GdVarTzTukk3Lv +CvptnfbwhYBboUhSnznFt+4orO/LdmgUud+tAWyZH8QiHZ/+cnfgLFuv5AS/T3Kg +GjSY6Dlo7JUle3ah5mm5hRm9iYz+re026nO8/4Piy33B0s5Ks40FnotJk9/BW9Bu +XvAuMC6C/Pq8tBcKSOWIm8Wba96wyrQD8Nr0kLhlZPdcTK3ofmZemde4wj7I0BOd +re7kRXuJVfeKH2JShBKzwkCX44ofR5GmdFrS+LFjKBC4swm4VndAoiaYecb+3yXu +PuWgf9RhD1FLPD+M2uFwdNjCaKH5wQzpoeJ/u1U8dgbuak7MkogwTZq9TwtImoS1 +mKPV+3PBV2HdKFZ1E66HjucMUQkQdYhMvI35ezzUIkgfKtzra7tEscszcTJGr61K +8YzodDqs5xoic4DSMPclQsciOzsSrZYuxsN2B6ogtzVJV+mSSeh2FnIxZyuWfoqj +x5RWIr9qS34BIbIjMt/kmkRtWVtd9QCgHJvGeJeNkP+byKq0rxFROV7Z+2et1VsR +nTKaG73VululycslaVNVJ1zgyjbLiGH7HrfQy+4W+9OmTN6SpdTi3/UGVN4unUu0 +kzCqgc7dGtxRcw1PcOnlthYhGXmy5okLdWTK1au8CcEYof/UVKGFPP0UJAOyh9Ok +twIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQUu//KjiOfT5nK2+JopqUVJxce2Q4wDQYJKoZIhvcNAQEMBQADggIBALZp +8KZ3/p7uC4Gt4cCpx/k1HUCCq+YEtN/L9x0Pg/B+E02NjO7jMyLDOfxA325BS0JT +vhaI8dI4XsRomRyYUpOM52jtG2pzegVATX9lO9ZY8c6DR2Dj/5epnGB3GFW1fgiT +z9D2PGcDFWEJ+YF59exTpJ/JjwGLc8R3dtyDovUMSRqodt6Sm2T4syzFJ9MHwAiA +pJiS4wGWAqoC7o87xdFtCjMwc3i5T1QWvwsHoaRc5svJXISPD+AVdyx+Jn7axEvb +pxZ3B7DNdehyQtaVhJ2Gg/LkkM0JR9SLA3DaWsYDQvTtN6LwG1BUSw7YhN4ZKJmB +R64JGz9I0cNv4rBgF/XuIwKl2gBbbZCr7qLpGzvpx0QnRY5rn/WkhLx3+WuXrD5R +RaIRpsyF7gpo8j5QOHokYh4XIDdtak23CZvJ/KRY9bb7nE4Yu5UC56GtmwfuNmsk +0jmGwZODUNKBRqhfYlcsu2xkiAhu7xNUX90txGdj08+JN7+dIPT7eoOboB6BAFDC +5AwiWVIQ7UNWhwD4FFKnHYuTjKJNRn8nxnGbJN7k2oaLDX5rIMHAnuFl2GqjpuiF +izoHCBy69Y9Vmhh1fuXsgWbRIXOhNUQLgD1bnF5vKheW0YMjiGZt5obicDIvUiLn +yOd/xCxgXS/Dr55FBcOEArf9LAhST4Ldo/DUhgkC +-----END CERTIFICATE----- +=== /C=US/O=Google Trust Services LLC/CN=GTS Root R3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jun 22 00:00:00 2016 GMT + Not After : Jun 22 00:00:00 2036 GMT + Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R3 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C1:F1:26:BA:A0:2D:AE:85:81:CF:D3:F1:2A:12:BD:B8:0A:67:FD:BC +SHA1 Fingerprint=30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5 +SHA256 Fingerprint=15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5 +-----BEGIN CERTIFICATE----- +MIICDDCCAZGgAwIBAgIQbkepx2ypcyRAiQ8DVd2NHTAKBggqhkjOPQQDAzBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw +MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout +736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2A +DDL24CejQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud +DgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEAgFuk +fCPAlaUs3L6JbyO5o91lAFJekazInXJ0glMLfalAvWhgxeG4VDvBNhcl2MG9AjEA +njWSdIUlUfUk7GRSJFClH9voy8l27OyCbvWFGFPouOOaKaqW04MjyaR7YbPMAuhd +-----END CERTIFICATE----- +=== /C=US/O=Google Trust Services LLC/CN=GTS Root R4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jun 22 00:00:00 2016 GMT + Not After : Jun 22 00:00:00 2036 GMT + Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R4 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 80:4C:D6:EB:74:FF:49:36:A3:D5:D8:FC:B5:3E:C5:6A:F0:94:1D:8C +SHA1 Fingerprint=2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB +SHA256 Fingerprint=71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD +-----BEGIN CERTIFICATE----- +MIICCjCCAZGgAwIBAgIQbkepyIuUtui7OyrYorLBmTAKBggqhkjOPQQDAzBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw +MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzu +hXyiQHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/l +xKvRHYqjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud +DgQWBBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNnADBkAjBqUFJ0 +CMRw3J5QdCHojXohw0+WbhXRIjVhLfoIN+4Zba3bssx9BzT1YBkstTTZbyACMANx +sbqjYAuG7ZoIapVon+Kz4ZNkfF6Tpt95LY2F45TPI11xzPKwTdb+mciUqXWi4w== +-----END CERTIFICATE----- + +### GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. + +=== /C=CN/O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD./CN=GDCA TrustAUTH R5 ROOT +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9009899650740120186 (0x7d0997fef047ea7a) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 26 05:13:15 2014 GMT + Not After : Dec 31 15:59:59 2040 GMT + Subject: C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT + X509v3 extensions: + X509v3 Subject Key Identifier: + E2:C9:40:9F:4D:CE:E8:9A:A1:7C:CF:0E:3F:65:C5:29:88:6A:19:51 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4 +SHA256 Fingerprint=BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 +-----BEGIN CERTIFICATE----- +MIIFiDCCA3CgAwIBAgIIfQmX/vBH6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UE +BhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZ +IENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMB4XDTE0 +MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVowYjELMAkGA1UEBhMCQ04xMjAwBgNV +BAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8w +HQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJj +Dp6L3TQsAlFRwxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBj +TnnEt1u9ol2x8kECK62pOqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+u +KU49tm7srsHwJ5uu4/Ts765/94Y9cnrrpftZTqfrlYwiOXnhLQiPzLyRuEH3FMEj +qcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfmiJqwTTQJ9Cy5WmYqsBebnh52nUpm +MUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ahsmUPI2JgaQxXABZG12 +ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7ng/Wi64HtloP +zgsMR6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLMc3Gk +L30SgLdTMEZeS1SZD2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeC +jGHeuLzRL5z7D9Ar7Rt2ueQ5Vfj4oR24qoAATILnsn8JuLwwoC8N9VKejveSswoA +HQBUlwbgsQfZxw9cZX08bVlX5O2ljelAU58VS6Bx9hoh49pwBiFYFIeFd3mqgnkC +AwEAAaNCMEAwHQYDVR0OBBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlRMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfg +p8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9nesLqjJHdtJnJO29fDMylyrHBYZm +DRd9FBUb1Ov9H5r2XpdptxolpAqzkT9fNqyL7FeoPueBihhXOYV0GkLH6VsTX4/5 +COmSdI31R9KrO9b7eGZONn356ZLpBN79SWP8bfsUcZNnL0dKt7n/HipzcEYwv1ry +L3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd+PwyvzeG5LuOmCd+uh8W4XAR8gPf +JWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQHtZa37dG/OaG+svg +IHZ6uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBDF8Io +2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV +09tL7ECQ8s1uV9JiDnxXk7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQ +XR4EzzffHqhmsYzmIGrv/EhOdJhCrylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrq +T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe +MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== +-----END CERTIFICATE----- + +### Hellenic Academic and Research Institutions Cert. Authority + +=== /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Jul 7 10:37:12 2015 GMT + Not After : Jun 30 10:37:12 2040 GMT + Subject: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B4:22:0B:82:99:24:01:0E:9C:BB:E4:0E:FD:BF:FB:97:20:93:99:2A +SHA1 Fingerprint=9F:F1:71:8D:92:D5:9A:F3:7D:74:97:B4:BC:6F:84:68:0B:BA:B6:66 +SHA256 Fingerprint=44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33 +-----BEGIN CERTIFICATE----- +MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzAN +BgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hl +bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv +b3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEwMzcxMlowgaoxCzAJ +BgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFj +YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5 +MUQwQgYDVQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0 +dXRpb25zIEVDQyBSb290Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKg +QehLgoRc4vgxEZmGZE4JJS+dQS8KrjVPdJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJa +jq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoKVlp8aQuqgAkkbH7BRqNC +MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLQi +C4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaep +lSTAGiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7Sof +TUwJCA3sS61kFyjndc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR +-----END CERTIFICATE----- +=== /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2015 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 7 10:11:21 2015 GMT + Not After : Jun 30 10:11:21 2040 GMT + Subject: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 71:15:67:C8:C8:C9:BD:75:5D:72:D0:38:18:6A:9D:F3:71:24:54:0B +SHA1 Fingerprint=01:0C:06:95:A6:98:19:14:FF:BF:5F:C6:B0:B6:95:EA:29:E9:12:A6 +SHA256 Fingerprint=A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36 +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1Ix +DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5k +IFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMT +N0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9v +dENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkG +A1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh +ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkx +QDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1 +dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA +4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL0BgzuNtFajT0 +AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQZe10 +4S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06C +ojXdFPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV +9Cz82XBST3i4vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrD +gfgXy5I2XdGj2HUb4Ysn6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6 +Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargq +NhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9muiNX6hME6wGko +LfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc +Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVd +ctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0I +XtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMI +M4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot +9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2V +Z5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/ea +j8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnh +X9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQ +l033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI/CbM1xyQVqdf +bzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evIIVM4 +pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK +e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0 +vm9qp/UsQu0yrbYhnr68 +-----END CERTIFICATE----- +=== /C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 6 13:49:52 2011 GMT + Not After : Dec 1 13:49:52 2031 GMT + Subject: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A6:91:42:FD:13:61:4A:23:9E:08:A4:29:E5:D8:13:04:23:EE:41:25 + X509v3 Name Constraints: + Permitted: + DNS:.gr + DNS:.eu + DNS:.edu + DNS:.org + email:.gr + email:.eu + email:.edu + email:.org + +SHA1 Fingerprint=FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D +SHA256 Fingerprint=BC:10:4F:15:A4:8B:E7:09:DC:A5:42:A7:E1:D4:B9:DF:6F:05:45:27:E8:02:EA:A9:2D:59:54:44:25:8A:FE:71 +-----BEGIN CERTIFICATE----- +MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix +RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1 +dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p +YyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIFJvb3RDQSAyMDExMB4XDTExMTIw +NjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYTAkdSMUQwQgYDVQQK +EztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENl +cnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPz +dYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJ +fel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEns +bgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD +75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSP +FEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp +5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQu +b3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA +A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p +6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8 +TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7 +dIsXRSZMFpGD/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8Acys +Nnq/onN694/BtZqhFLKPM58N7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXI +l7WdmplNsDz4SgCbZN2fOUvRJ9e4 +-----END CERTIFICATE----- + +### Hongkong Post + +=== /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1000 (0x3e8) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 15 05:13:14 2003 GMT + Not After : May 15 04:52:29 2023 GMT + Subject: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:3 + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Certificate Sign, CRL Sign +SHA1 Fingerprint=D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58 +SHA256 Fingerprint=F9:E6:7D:33:6C:51:00:2A:C0:54:C6:32:02:2D:66:DD:A2:E7:E3:FF:F1:0A:D0:61:ED:31:D8:BB:B4:10:CF:B2 +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG +A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h +q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO +fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +AmvZWg== +-----END CERTIFICATE----- +=== /C=HK/ST=Hong Kong/L=Hong Kong/O=Hongkong Post/CN=Hongkong Post Root CA 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 3 02:29:46 2017 GMT + Not After : Jun 3 02:29:46 2042 GMT + Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61 + + X509v3 Subject Key Identifier: + 17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61 +SHA1 Fingerprint=58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02 +SHA256 Fingerprint=5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6 +-----BEGIN CERTIFICATE----- +MIIFzzCCA7egAwIBAgIUCBZfikyl7ADJk0DfxMauI7gcWqQwDQYJKoZIhvcNAQEL +BQAwbzELMAkGA1UEBhMCSEsxEjAQBgNVBAgTCUhvbmcgS29uZzESMBAGA1UEBxMJ +SG9uZyBLb25nMRYwFAYDVQQKEw1Ib25na29uZyBQb3N0MSAwHgYDVQQDExdIb25n +a29uZyBQb3N0IFJvb3QgQ0EgMzAeFw0xNzA2MDMwMjI5NDZaFw00MjA2MDMwMjI5 +NDZaMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtvbmcxEjAQBgNVBAcT +CUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UEAxMXSG9u +Z2tvbmcgUG9zdCBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCziNfqzg8gTr7m1gNt7ln8wlffKWihgw4+aMdoWJwcYEuJQwy51BWy7sFO +dem1p+/l6TWZ5Mwc50tfjTMwIDNT2aa71T4Tjukfh0mtUC1Qyhi+AViiE3CWu4mI +VoBc+L0sPOFMV4i707mV78vH9toxdCim5lSJ9UExyuUmGs2C4HDaOym71QP1mbpV +9WTRYA6ziUm4ii8F0oRFKHyPaFASePwLtVPLwpgchKOesL4jpNrcyCse2m5FHomY +2vkALgbpDDtw1VAliJnLzXNg99X/NWfFobxeq81KuEXryGgeDQ0URhLj0mRiikKY +vLTGCAj4/ahMZJx2Ab0vqWwzD9g/KLg8aQFChn5pwckGyuV6RmXpwtZQQS4/t+Tt +bNe/JgERohYpSms0BpDsE9K2+2p20jzt8NYt3eEV7KObLyzJPivkaTv/ciWxNoZb +x39ri1UbSsUgYT2uy1DhCDq+sI9jQVMwCFk8mB13umOResoQUGC/8Ne8lYePl8X+ +l2oBlKN8W4UdKjk60FSh0Tlxnf0h+bV78OLgAo9uliQlLKAeLKjEiafv7ZkGL7YK +TE/bosw3Gq9HhS2KX8Q0NEwA/RiTZxPRN+ZItIsGxVd7GYYKecsAyVKvQv83j+Gj +Hno9UKtjBucVtT+2RTeUN7F+8kjDf8V1/peNRY8apxpyKBpADwIDAQABo2MwYTAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQXnc0e +i9Y5K3DTXNSguB+wAPzFYTAdBgNVHQ4EFgQUF53NHovWOStw01zUoLgfsAD8xWEw +DQYJKoZIhvcNAQELBQADggIBAFbVe27mIgHSQpsY1Q7XZiNc4/6gx5LS6ZStS6LG +7BJ8dNVI0lkUmcDrudHr9EgwW62nV3OZqdPlt9EuWSRY3GguLmLYauRwCy0gUCCk +MpXRAJi70/33MvJJrsZ64Ee+bs7Lo3I6LWldy8joRTnU+kLBEUx3XZL7av9YROXr +gZ6voJmtvqkBZss4HTzfQx/0TW60uhdG/H39h4F5ag0zD/ov+BS5gLNdTaqX4fnk +GMX41TiMJjz98iji7lpJiCzfeT2OnpA8vUFKOt1b9pq0zj8lMH8yfaIDlNDceqFS +3m6TjRgm/VWsvY+b0s+v54Ysyx8Jb6NvqYTUc79NoXQbTiNg8swOqn+knEwlqLJm +Ozj/2ZQw9nKEvmhVEA/GcywWaZMH/rFF7buiVWqw2rVKAiUnhde3t4ZEFolsgCs+ +l6mc1X5VTMbeRRAc6uk7nwNT7u56AQIWeNTowr5GdogTPyK7SBIdUgC0An4hGh6c +JfTzPV4e0hz5sy229zdcxsshTrD3mUcYhcErulWuBurQB7Lcq9CClnXO0lD+mefP +L5/ndtFhKvshuzHQqp9HpLIiyhY6UFfEW0NnxWViA0kB60PZ2Pierc+xYw5F9KBa +LJstxabArahH9CdMOA0uG0k7UvToiIMrVCjU8jVStDKDYmlkDJGcn5fqdBb9HxEG +mpv0 +-----END CERTIFICATE----- + +### IdenTrust + +=== /C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 16 18:12:23 2014 GMT + Not After : Jan 16 18:12:23 2034 GMT + Subject: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 +SHA1 Fingerprint=DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25 +SHA256 Fingerprint=5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK +MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu +VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw +MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw +JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT +3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU ++ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp +S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 +bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi +T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL +vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK +Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK +dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT +c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv +l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N +iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD +ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH +6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt +LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 +nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 ++wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK +W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT +AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq +l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG +4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ +mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A +7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H +-----END CERTIFICATE----- +=== /C=US/O=IdenTrust/CN=IdenTrust Public Sector Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 16 17:53:32 2014 GMT + Not After : Jan 16 17:53:32 2034 GMT + Subject: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + E3:71:E0:9E:D8:A7:42:D9:DB:71:91:6B:94:93:EB:C3:A3:D1:14:A3 +SHA1 Fingerprint=BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD +SHA256 Fingerprint=30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVu +VHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN +MzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0 +MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7 +ekosMSqMjbCpwzFrqHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGy +RBb06tD6Hi9e28tzQa68ALBKK0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlS +bdsHyo+1W/CD80/HLaXIrcuVIKQxKFdYWuSNG5qrng0M8gozOSI5Cpcu81N3uURF +/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3LvdYDaBjMbXcjaY8ZNzaxmMc3R +3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZZoY+rfGwyj4GD3vw +EUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFnol57plzy +9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9V +GxyhLrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ +2fjXctscvG29ZV/viDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsV +WaFHVCkugyhfHMKiq3IXAAaOReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gD +W/3FKqD2cyOEEBsB5wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFrlJPrw6PRFKMwDQYJKoZIhvcN +AQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnYWv6IAcVYpZmxI1Qj +t2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa5hV+rVHV +DRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9 +TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8G +lwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwW +mhlQBJqymm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4Df +WN88uieW4oA0beOY02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5 ++bl53B/N66+rDt0b20XkeucC4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJ +tshquDDIajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhA +GaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv +8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c +-----END CERTIFICATE----- + +### Internet Security Research Group + +=== /C=US/O=Internet Security Research Group/CN=ISRG Root X1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 4 11:04:38 2015 GMT + Not After : Jun 4 11:04:38 2035 GMT + Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E +SHA1 Fingerprint=CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8 +SHA256 Fingerprint=96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6 +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- + +### IZENPE S.A. + +=== /C=ES/O=IZENPE S.A./CN=Izenpe.com +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 13 13:08:28 2007 GMT + Not After : Dec 13 08:27:25 2037 GMT + Subject: C=ES, O=IZENPE S.A., CN=Izenpe.com + X509v3 extensions: + X509v3 Subject Alternative Name: + email:info@izenpe.com, DirName:/O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/street=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 1D:1C:65:0E:A8:F2:25:7B:B4:91:CF:E4:B1:B1:E6:BD:55:74:6C:05 +SHA1 Fingerprint=2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19 +SHA256 Fingerprint=25:30:CC:8E:98:32:15:02:BA:D9:6F:9B:1F:BA:1B:09:9E:2D:29:9E:0F:45:48:BB:91:4F:36:3B:C0:D4:53:1F +-----BEGIN CERTIFICATE----- +MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4 +MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6 +ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD +VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j +b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq +scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO +xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H +LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX +uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD +yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+ +JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q +rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN +BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L +hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB +QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+ +HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu +Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg +QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB +BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx +MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA +A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb +laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56 +awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo +JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw +LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT +VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk +LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb +UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/ +QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+ +naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls +QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw== +-----END CERTIFICATE----- + +### Japan Certification Services, Inc. + +=== /C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Apr 8 04:56:47 2009 GMT + Not After : Apr 8 04:56:47 2029 GMT + Subject: C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11 + X509v3 extensions: + X509v3 Subject Key Identifier: + 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 +SHA256 Fingerprint=BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12 +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr +MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG +A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 +MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp +Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD +QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz +i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 +h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV +MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 +UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni +8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC +h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm +KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ +X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr +QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 +pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN +QSdJQO7e5iNEOdyhIta6A/I= +-----END CERTIFICATE----- + +### Krajowa Izba Rozliczeniowa S.A. + +=== /C=PL/O=Krajowa Izba Rozliczeniowa S.A./CN=SZAFIR ROOT CA2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 19 07:43:30 2015 GMT + Not After : Oct 19 07:43:30 2035 GMT + Subject: C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 2E:16:A9:4A:18:B5:CB:CC:F5:6F:50:F3:23:5F:F8:5D:E7:AC:F0:C8 +SHA1 Fingerprint=E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE +SHA256 Fingerprint=A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE +-----BEGIN CERTIFICATE----- +MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQEL +BQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6 +ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkw +NzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9L +cmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYDVQQDDA9TWkFGSVIg +Uk9PVCBDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5QqEvN +QLXOYeeWyrSh2gwisPq1e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT +3PSQ1hNKDJA8w/Ta0o4NkjrcsbH/ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw +3gAeqDRHu5rr/gsUvTaE2g0gv/pby6kWIK05YO4vdbbnl5z5Pv1+TW9NL++IDWr6 +3fE9biCloBK0TXC5ztdyO4mTp4CEHCdJckm1/zuVnsHMyAHs6A6KCpbns6aH5db5 +BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwiieDhZNRnvDF5YTy7ykHN +XGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsF +AAOCAQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw +8PRBEew/R40/cof5O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOG +nXkZ7/e7DDWQw4rtTw/1zBLZpD67oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCP +oky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGy +d05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6+/NNIxuZMzSg +LvWpCz/UXeHPhJ/iGcJfitYgHuNztw== +-----END CERTIFICATE----- + +### Microsec Ltd. + +=== /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:54:48:ef:21:fd:97:59:0d:f5:04:0a + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Aug 22 12:07:06 2017 GMT + Not After : Aug 22 12:07:06 2042 GMT + Subject: C=HU, L=Budapest, O=Microsec Ltd./2.5.4.97=VATHU-23584497, CN=e-Szigno Root CA 2017 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0 + X509v3 Authority Key Identifier: + keyid:87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0 + +SHA1 Fingerprint=89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1 +SHA256 Fingerprint=BE:B0:0B:30:83:9B:9B:C3:2C:32:E4:44:79:05:95:06:41:F2:64:21:B1:5E:D0:89:19:8B:51:8A:E2:EA:1B:99 +-----BEGIN CERTIFICATE----- +MIICQDCCAeWgAwIBAgIMAVRI7yH9l1kN9QQKMAoGCCqGSM49BAMCMHExCzAJBgNV +BAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMgTHRk +LjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25vIFJv +b3QgQ0EgMjAxNzAeFw0xNzA4MjIxMjA3MDZaFw00MjA4MjIxMjA3MDZaMHExCzAJ +BgNVBAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMg +THRkLjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25v +IFJvb3QgQ0EgMjAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJbcPYrYsHtv +xie+RJCxs1YVe45DJH0ahFnuY2iyxl6H0BVIHqiQrb1TotreOpCmYF9oMrWGQd+H +Wyx7xf58etqjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G +A1UdDgQWBBSHERUI0arBeAyxr87GyZDvvzAEwDAfBgNVHSMEGDAWgBSHERUI0arB +eAyxr87GyZDvvzAEwDAKBggqhkjOPQQDAgNJADBGAiEAtVfd14pVCzbhhkT61Nlo +jbjcI4qKDdQvfepz7L9NbKgCIQDLpbQS+ue16M9+k/zzNY9vTlp8tLxOsvxyqltZ ++efcMQ== +-----END CERTIFICATE----- +=== /C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c2:7e:43:04:4e:47:3f:19 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 16 11:30:18 2009 GMT + Not After : Dec 30 11:30:18 2029 GMT + Subject: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + CB:0F:C6:DF:42:43:CC:3D:CB:B5:48:23:A1:1A:7A:A6:2A:BB:34:68 + X509v3 Authority Key Identifier: + keyid:CB:0F:C6:DF:42:43:CC:3D:CB:B5:48:23:A1:1A:7A:A6:2A:BB:34:68 + + X509v3 Subject Alternative Name: + email:info@e-szigno.hu +SHA1 Fingerprint=89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E +SHA256 Fingerprint=3C:5F:81:FE:A5:FA:B8:2C:64:BF:A2:EA:EC:AF:CD:E8:E0:77:FC:86:20:A7:CA:E5:37:16:3D:F3:6E:DB:F3:78 +-----BEGIN CERTIFICATE----- +MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD +VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0 +ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0G +CSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTAeFw0wOTA2MTYxMTMwMThaFw0y +OTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3Qx +FjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3pp +Z25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvP +kd6mJviZpWNwrZuuyjNAfW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tc +cbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG0IMZfcChEhyVbUr02MelTTMuhTlAdX4U +fIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKApxn1ntxVUwOXewdI/5n7 +N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm1HxdrtbC +xkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1 ++rUCAwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G +A1UdDgQWBBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPM +Pcu1SCOhGnqmKrs0aDAbBgNVHREEFDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqG +SIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0olZMEyL/azXm4Q5DwpL7v8u8h +mLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfXI/OMn74dseGk +ddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775 +tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c +2Pm2G2JwCz02yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5t +HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW +-----END CERTIFICATE----- + +### Microsoft Corporation + +=== /C=US/O=Microsoft Corporation/CN=Microsoft ECC Root Certificate Authority 2017 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 66:f2:3d:af:87:de:8b:b1:4a:ea:0c:57:31:01:c2:ec + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Dec 18 23:06:45 2019 GMT + Not After : Jul 18 23:16:04 2042 GMT + Subject: C=US, O=Microsoft Corporation, CN=Microsoft ECC Root Certificate Authority 2017 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C8:CB:99:72:70:52:0C:F8:E6:BE:B2:04:57:29:2A:CF:42:10:ED:35 + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5 +SHA256 Fingerprint=35:8D:F3:9D:76:4A:F9:E1:B7:66:E9:C9:72:DF:35:2E:E1:5C:FA:C2:27:AF:6A:D1:D7:0E:8E:4A:6E:DC:BA:02 +-----BEGIN CERTIFICATE----- +MIICWTCCAd+gAwIBAgIQZvI9r4fei7FK6gxXMQHC7DAKBggqhkjOPQQDAzBlMQsw +CQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYD +VQQDEy1NaWNyb3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw +MTcwHhcNMTkxMjE4MjMwNjQ1WhcNNDIwNzE4MjMxNjA0WjBlMQswCQYDVQQGEwJV +UzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1NaWNy +b3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwdjAQBgcq +hkjOPQIBBgUrgQQAIgNiAATUvD0CQnVBEyPNgASGAlEvaqiBYgtlzPbKnR5vSmZR +ogPZnZH6thaxjG7efM3beaYvzrvOcS/lpaso7GMEZpn4+vKTEAXhgShC48Zo9OYb +hGBKia/teQ87zvH2RPUBeMCjVDBSMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBTIy5lycFIM+Oa+sgRXKSrPQhDtNTAQBgkrBgEEAYI3 +FQEEAwIBADAKBggqhkjOPQQDAwNoADBlAjBY8k3qDPlfXu5gKcs68tvWMoQZP3zV +L8KxzJOuULsJMsbG7X7JNpQS5GiFBqIb0C8CMQCZ6Ra0DvpWSNSkMBaReNtUjGUB +iudQZsIxtzm6uBoiB078a1QWIP8rtedMDE2mT3M= +-----END CERTIFICATE----- +=== /C=US/O=Microsoft Corporation/CN=Microsoft RSA Root Certificate Authority 2017 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1e:d3:97:09:5f:d8:b4:b3:47:70:1e:aa:be:7f:45:b3 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Dec 18 22:51:22 2019 GMT + Not After : Jul 18 23:00:23 2042 GMT + Subject: C=US, O=Microsoft Corporation, CN=Microsoft RSA Root Certificate Authority 2017 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 09:CB:59:7F:86:B2:70:8F:1A:C3:39:E3:C0:D9:E9:BF:BB:4D:B2:23 + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74 +SHA256 Fingerprint=C7:41:F7:0F:4B:2A:8D:88:BF:2E:71:C1:41:22:EF:53:EF:10:EB:A0:CF:A5:E6:4C:FA:20:F4:18:85:30:73:E0 +-----BEGIN CERTIFICATE----- +MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl +MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw +NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 +IDIwMTcwHhcNMTkxMjE4MjI1MTIyWhcNNDIwNzE4MjMwMDIzWjBlMQswCQYDVQQG +EwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1N +aWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKW76UM4wplZEWCpW9R2LBifOZ +Nt9GkMml7Xhqb0eRaPgnZ1AzHaGm++DlQ6OEAlcBXZxIQIJTELy/xztokLaCLeX0 +ZdDMbRnMlfl7rEqUrQ7eS0MdhweSE5CAg2Q1OQT85elss7YfUJQ4ZVBcF0a5toW1 +HLUX6NZFndiyJrDKxHBKrmCk3bPZ7Pw71VdyvD/IybLeS2v4I2wDwAW9lcfNcztm +gGTjGqwu+UcF8ga2m3P1eDNbx6H7JyqhtJqRjJHTOoI+dkC0zVJhUXAoP8XFWvLJ +jEm7FFtNyP9nTUwSlq31/niol4fX/V4ggNyhSyL71Imtus5Hl0dVe49FyGcohJUc +aDDv70ngNXtk55iwlNpNhTs+VcQor1fznhPbRiefHqJeRIOkpcrVE7NLP8TjwuaG +YaRSMLl6IE9vDzhTyzMMEyuP1pq9KsgtsRx9S1HKR9FIJ3Jdh+vVReZIZZ2vUpC6 +W6IYZVcSn2i51BVrlMRpIpj0M+Dt+VGOQVDJNE92kKz8OMHY4Xu54+OU4UZpyw4K +UGsTuqwPN1q3ErWQgR5WrlcihtnJ0tHXUeOrO8ZV/R4O03QK0dqq6mm4lyiPSMQH ++FJDOvTKVTUssKZqwJz58oHhEmrARdlns87/I6KJClTUFLkqqNfs+avNJVgyeY+Q +W5g5xAgGwax/Dj0ApQIDAQABo1QwUjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQUCctZf4aycI8awznjwNnpv7tNsiMwEAYJKwYBBAGC +NxUBBAMCAQAwDQYJKoZIhvcNAQEMBQADggIBAKyvPl3CEZaJjqPnktaXFbgToqZC +LgLNFgVZJ8og6Lq46BrsTaiXVq5lQ7GPAJtSzVXNUzltYkyLDVt8LkS/gxCP81OC +gMNPOsduET/m4xaRhPtthH80dK2Jp86519efhGSSvpWhrQlTM93uCupKUY5vVau6 +tZRGrox/2KJQJWVggEbbMwSubLWYdFQl3JPk+ONVFT24bcMKpBLBaYVu32TxU5nh +SnUgnZUP5NbcA/FZGOhHibJXWpS2qdgXKxdJ5XbLwVaZOjex/2kskZGT4d9Mozd2 +TaGf+G0eHdP67Pv0RR0Tbc/3WeUiJ3IrhvNXuzDtJE3cfVa7o7P4NHmJweDyAmH3 +pvwPuxwXC65B2Xy9J6P9LjrRk5Sxcx0ki69bIImtt2dmefU6xqaWM/5TkshGsRGR +xpl/j8nWZjEgQRCHLQzWwa80mMpkg/sTV9HB8Dx6jKXB/ZUhoHHBk2dxEuqPiApp +GWSZI1b7rCoucL5mxAyE7+WL85MB+GqQk2dLsmijtWKP6T+MejteD+eMuMZ87zf9 +dOLITzNy4ZQ5bb0Sr74MTnB8G2+NszKTc0QWbej09+CVgI+WXTik9KveCjCHk9hN +AHFiRSdLOkKEW39lt2c0Ui2cFmuqqNh7o0JMcccMyj6D5KbvtwEwXlGjefVwaaZB +RA+GsCyRxj3qrg+E +-----END CERTIFICATE----- + +### NAVER BUSINESS PLATFORM Corp. + +=== /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:94:30:1e:a2:0b:dd:f5:c5:33:2a:b1:43:44:71:f8:d6:50:4d:0d + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Aug 18 08:58:42 2017 GMT + Not After : Aug 18 23:59:59 2037 GMT + Subject: C=KR, O=NAVER BUSINESS PLATFORM Corp., CN=NAVER Global Root Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + D2:9F:88:DF:A1:CD:2C:BD:EC:F5:3B:01:01:93:33:27:B2:EB:60:4B + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=8F:6B:F2:A9:27:4A:DA:14:A0:C4:F4:8E:61:27:F9:C0:1E:78:5D:D1 +SHA256 Fingerprint=88:F4:38:DC:F8:FF:D1:FA:8F:42:91:15:FF:E5:F8:2A:E1:E0:6E:0C:70:C3:75:FA:AD:71:7B:34:A4:9E:72:65 +-----BEGIN CERTIFICATE----- +MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM +BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG +T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx +CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD +b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA +iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH +38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE +HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz +kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP +szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq +vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf +nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG +YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo +0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a +CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K +AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I +36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB +Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN +qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj +cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm ++LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL +hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe +lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7 +p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8 +piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR +LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX +5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO +dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul +9XXeifdy +-----END CERTIFICATE----- + +### NetLock Kft. + +=== /C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 80544274841616 (0x49412ce40010) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 11 15:08:21 2008 GMT + Not After : Dec 6 15:08:21 2028 GMT + Subject: C=HU, L=Budapest, O=NetLock Kft., OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services), CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:4 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + CC:FA:67:93:F0:B6:B8:D0:A5:C0:1E:F3:53:FD:8C:53:DF:83:D7:96 +SHA1 Fingerprint=06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91 +SHA256 Fingerprint=6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98 +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG +EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3 +MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl +cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR +dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB +pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM +b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm +aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz +IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT +lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz +AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5 +VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG +ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2 +BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG +AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M +U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh +bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C ++C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC +bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F +uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2 +XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= +-----END CERTIFICATE----- + +### Network Solutions L.L.C. + +=== /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 1 00:00:00 2006 GMT + Not After : Dec 31 23:59:59 2029 GMT + Subject: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 21:30:C9:FB:00:D7:4E:98:DA:87:AA:2A:D0:A7:2E:B1:40:31:A7:4C + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl + +SHA1 Fingerprint=74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE +SHA256 Fingerprint=15:F0:BA:00:A3:AC:7A:F3:AC:88:4C:07:2B:10:11:A0:77:BD:77:C0:97:F4:01:64:B2:F8:59:8A:BD:83:86:0C +-----BEGIN CERTIFICATE----- +MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi +MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu +MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp +dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV +UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO +ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz +c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP +OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl +mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF +BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4 +qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw +gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB +BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu +bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp +dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8 +6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/ +h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH +/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv +wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN +pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey +-----END CERTIFICATE----- + +### QuoVadis Limited + +=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 12 17:27:44 2012 GMT + Not After : Jan 12 17:27:44 2042 GMT + Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A3:97:D6:F3:5E:A2:10:E1:AB:45:9F:3C:17:64:3C:EE:01:70:9C:CC +SHA1 Fingerprint=1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67 +SHA256 Fingerprint=8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74 +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIUeFhfLq0sGUvjNwc1NBMotZbUZZMwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc +BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMSBHMzAeFw0xMjAxMTIxNzI3NDRaFw00 +MjAxMTIxNzI3NDRaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM +aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDEgRzMwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvlAQjunybEC0BJyFuTHK3C3kEakEPBtV +wedYMB0ktMPvhd6MLOHBPd+C5k+tR4ds7FtJwUrVu4/sh6x/gpqG7D0DmVIB0jWe +rNrwU8lmPNSsAgHaJNM7qAJGr6Qc4/hzWHa39g6QDbXwz8z6+cZM5cOGMAqNF341 +68Xfuw6cwI2H44g4hWf6Pser4BOcBRiYz5P1sZK0/CPTz9XEJ0ngnjybCKOLXSoh +4Pw5qlPafX7PGglTvF0FBM+hSo+LdoINofjSxxR3W5A2B4GbPgb6Ul5jxaYA/qXp +UhtStZI5cgMJYr2wYBZupt0lwgNm3fME0UDiTouG9G/lg6AnhF4EwfWQvTA9xO+o +abw4m6SkltFi2mnAAZauy8RRNOoMqv8hjlmPSlzkYZqn0ukqeI1RPToV7qJZjqlc +3sX5kCLliEVx3ZGZbHqfPT2YfF72vhZooF6uCyP8Wg+qInYtyaEQHeTTRCOQiJ/G +KubX9ZqzWB4vMIkIG1SitZgj7Ah3HJVdYdHLiZxfokqRmu8hqkkWCKi9YSgxyXSt +hfbZxbGL0eUQMk1fiyA6PEkfM4VZDdvLCXVDaXP7a3F98N/ETH3Goy7IlXnLc6KO +Tk0k+17kBL5yG6YnLUlamXrXXAkgt3+UuU/xDRxeiEIbEbfnkduebPRq34wGmAOt +zCjvpUfzUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAdBgNVHQ4EFgQUo5fW816iEOGrRZ88F2Q87gFwnMwwDQYJKoZIhvcNAQELBQAD +ggIBABj6W3X8PnrHX3fHyt/PX8MSxEBd1DKquGrX1RUVRpgjpeaQWxiZTOOtQqOC +MTaIzen7xASWSIsBx40Bz1szBpZGZnQdT+3Btrm0DWHMY37XLneMlhwqI2hrhVd2 +cDMT/uFPpiN3GPoajOi9ZcnPP/TJF9zrx7zABC4tRi9pZsMbj/7sPtPKlL92CiUN +qXsCHKnQO18LwIE6PWThv6ctTr1NxNgpxiIY0MWscgKCP6o6ojoilzHdCGPDdRS5 +YCgtW2jgFqlmgiNR9etT2DGbe+m3nUvriBbP+V04ikkwj+3x6xn0dxoxGE1nVGwv +b2X52z3sIexe9PSLymBlVNFxZPT5pqOBMzYzcfCkeF9OrYMh3jRJjehZrJ3ydlo2 +8hP0r+AJx2EqbPfgna67hkooby7utHnNkDPDs3b69fBsnQGQ+p6Q9pxyz0fawx/k +NSBT8lTR32GDpgLiJTjehTItXnOQUl1CxM49S+H5GYQd1aJQzEH7QRTDvdbJWqNj +ZgKAvQU6O0ec7AAmTPWIUb+oI38YB7AL7YsmoWTTYUrrXJ/es69nA7Mf3W1daWhp +q1467HxpvMc7hU6eFbm0FU/DlXpY18ls6Wy58yljXrQs8C097Vpl4KlbQMJImYFt +nh8GKjwStIsPm6Ik8KaN1nrgS7ZklmOVhMJKzRwuJIczYOXD +-----END CERTIFICATE----- +=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1289 (0x509) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 24 18:27:00 2006 GMT + Not After : Nov 24 18:23:33 2031 GMT + Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B + X509v3 Authority Key Identifier: + keyid:1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B + DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 + serial:05:09 + +SHA1 Fingerprint=CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7 +SHA256 Fingerprint=85:A0:DD:7D:D7:20:AD:B7:FF:05:F8:3D:54:2B:20:9D:C7:FF:45:28:F7:D6:77:B1:83:89:FE:A5:E5:C4:9E:86 +-----BEGIN CERTIFICATE----- +MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x +GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv +b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV +BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W +YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa +GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg +Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J +WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB +rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp ++ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1 +ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i +Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz +PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og +/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH +oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI +yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud +EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2 +A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL +MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT +ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f +BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn +g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl +fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K +WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha +B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc +hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR +TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD +mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z +ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y +4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza +8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u +-----END CERTIFICATE----- +=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 12 18:59:32 2012 GMT + Not After : Jan 12 18:59:32 2042 GMT + Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + ED:E7:6F:76:5A:BF:60:EC:49:5B:C6:A5:77:BB:72:16:71:9B:C4:3D +SHA1 Fingerprint=09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36 +SHA256 Fingerprint=8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40 +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc +BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00 +MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM +aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIgRzMwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFhZiFf +qq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMW +n4rjyduYNM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ym +c5GQYaYDFCDy54ejiK2toIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+ +O7q414AB+6XrW7PFXmAqMaCvN+ggOp+oMiwMzAkd056OXbxMmO7FGmh77FOm6RQ1 +o9/NgJ8MSPsc9PG/Srj61YxxSscfrf5BmrODXfKEVu+lV0POKa2Mq1W/xPtbAd0j +IaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB1PLKFAeNilUSxmn1uIZoL1NesNKq +IcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt9DTEceT/AFr2XK4jYIVz +8eQQsSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0ykRVKYnLP43eh +vNURG3YBZwjgQQvD6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9Uy3l +7ZizlWNof/k19N+IxWA1ksB8aRxhlRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALG +cC4BrTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAdBgNVHQ4EFgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZIhvcNAQELBQAD +ggIBAJHfgD9DCX5xwvfrs4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66 +AarHakE7kNQIXLJgapDwyM4DYvmL7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RC +roijQ1h5fq7KpVMNqT1wvSAZYaRsOPxDMuHBR//47PERIjKWnML2W2mWeyAMQ0Ga +W/ZZGYjeVYg3UQt4XAoeo0L9x52ID8DyeAIkVJOviYeIyUqAHerQbj5hLja7NQ4n +lv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgzdWqTHBLmYF5vHX/JHyPLhGGfHoJE ++V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6XU/IyAgkwo1jwDQHV +csaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+NwmNtd +dbINWQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNg +KCLjsZWDzYWm3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeM +HVOyToV7BjjHLPj4sHKNJeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4 +WSr2Rz0ZiC3oheGe7IUIarFsNMkd7EgrO3jtZsSOeWmD3n+M +-----END CERTIFICATE----- +=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1478 (0x5c6) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 24 19:11:23 2006 GMT + Not After : Nov 24 19:06:44 2031 GMT + Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.8024.0.3 + User Notice: + Explicit Text: Any use of this Certificate constitutes acceptance of the QuoVadis Root CA 3 Certificate Policy / Certification Practice Statement. + CPS: http://www.quovadisglobal.com/cps + + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + F2:C0:13:E0:82:43:3E:FB:EE:2F:67:32:96:35:5C:DB:B8:CB:02:D0 + X509v3 Authority Key Identifier: + keyid:F2:C0:13:E0:82:43:3E:FB:EE:2F:67:32:96:35:5C:DB:B8:CB:02:D0 + DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 + serial:05:C6 + +SHA1 Fingerprint=1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85 +SHA256 Fingerprint=18:F1:FC:7F:20:5D:F8:AD:DD:EB:7F:E0:07:DD:57:E3:AF:37:5A:9C:4D:8D:73:54:6B:F4:F1:FE:D1:E1:8D:35 +-----BEGIN CERTIFICATE----- +MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x +GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv +b3QgQ0EgMzAeFw0wNjExMjQxOTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNV +BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W +YWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM +V0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNggDhoB +4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUr +H556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd +8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9Cabwv +vWhDFlaJKjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLT +mZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhe +btfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjc +T5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDt +WAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZ +c6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A +4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYD +VR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG +CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0 +aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0 +aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVu +dC4wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2Nw +czALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4G +A1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQoUmkRzBFMQswCQYDVQQGEwJC +TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UEAxMSUXVvVmFkaXMg +Um9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZVqyM0 +7ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem +d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd ++LJ2w/w4E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B +4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadN +t54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6x +DYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBCbjPsMZ57 +k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6s +zHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0j +Wy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeT +mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK +4SVhM7JZG+Ju1zdXtg2pEto= +-----END CERTIFICATE----- +=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 12 20:26:32 2012 GMT + Not After : Jan 12 20:26:32 2042 GMT + Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + C6:17:D0:BC:A8:EA:02:43:F2:1B:06:99:5D:2B:90:20:B9:D7:9C:E4 +SHA1 Fingerprint=48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D +SHA256 Fingerprint=88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46 +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc +BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00 +MjAxMTIyMDI2MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM +aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDMgRzMwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCzyw4QZ47qFJenMioKVjZ/aEzHs286IxSR +/xl/pcqs7rN2nXrpixurazHb+gtTTK/FpRp5PIpM/6zfJd5O2YIyC0TeytuMrKNu +FoM7pmRLMon7FhY4futD4tN0SsJiCnMK3UmzV9KwCoWdcTzeo8vAMvMBOSBDGzXR +U7Ox7sWTaYI+FrUoRqHe6okJ7UO4BUaKhvVZR74bbwEhELn9qdIoyhA5CcoTNs+c +ra1AdHkrAj80//ogaX3T7mH1urPnMNA3I4ZyYUUpSFlob3emLoG+B01vr87ERROR +FHAGjx+f+IdpsQ7vw4kZ6+ocYfx6bIrc1gMLnia6Et3UVDmrJqMz6nWB2i3ND0/k +A9HvFZcba5DFApCTZgIhsUfei5pKgLlVj7WiL8DWM2fafsSntARE60f75li59wzw +eyuxwHApw0BiLTtIadwjPEjrewl5qW3aqDCYz4ByA4imW0aucnl8CAMhZa634Ryl +sSqiMd5mBPfAdOhx3v89WcyWJhKLhZVXGqtrdQtEPREoPHtht+KPZ0/l7DxMYIBp +VzgeAVuNVejH38DMdyM0SXV89pgR6y3e7UEuFAUCf+D+IOs15xGsIs5XPd7JMG0Q +A4XN8f+MFrXBsj6IbGB/kE+V9/YtrQE5BwT6dYB9v0lQ7e/JxHwc64B+27bQ3RP+ +ydOc17KXqQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +BjAdBgNVHQ4EFgQUxhfQvKjqAkPyGwaZXSuQILnXnOQwDQYJKoZIhvcNAQELBQAD +ggIBADRh2Va1EodVTd2jNTFGu6QHcrxfYWLopfsLN7E8trP6KZ1/AvWkyaiTt3px +KGmPc+FSkNrVvjrlt3ZqVoAh313m6Tqe5T72omnHKgqwGEfcIHB9UqM+WXzBusnI +FUBhynLWcKzSt/Ac5IYp8M7vaGPQtSCKFWGafoaYtMnCdvvMujAWzKNhxnQT5Wvv +oxXqA/4Ti2Tk08HS6IT7SdEQTXlm66r99I0xHnAUrdzeZxNMgRVhvLfZkXdxGYFg +u/BYpbWcC/ePIlUnwEsBbTuZDdQdm2NnL9DuDcpmvJRPpq3t/O5jrFc/ZSXPsoaP +0Aj/uHYUbt7lJ+yreLVTubY/6CD50qi+YUbKh4yE8/nxoGibIh6BJpsQBJFxwAYf +3KDTuVan45gtf4Od34wrnDKOMpTwATwiKp9Dwi7DmDkHOHv8XgBCH/MyJnmDhPbl +8MFREsALHgQjDFSlTC9JxUrRtm5gDWv8a4uFJGS3iQ6rJUdbPM9+Sb3H6QrG2vd+ +DhcI00iX0HGS8A85PjRqHH3Y8iKuu2n0M7SmSFXRDw4m6Oy2Cy2nhTXN/VnIn9HN +PlopNLk9hM6xZdRZkZFWdSHBd575euFgndOtBBj0fOtek49TSiIp+EgrPk2GrFt/ +ywaZWWDYWGWVjUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0 +-----END CERTIFICATE----- + +### SECOM Trust Systems CO.,LTD. + +=== /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 29 05:00:39 2009 GMT + Not After : May 29 05:00:39 2029 GMT + Subject: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2 + X509v3 extensions: + X509v3 Subject Key Identifier: + 0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74 +SHA256 Fingerprint=51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDEl +MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe +U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoX +DTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRy +dXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmlj +YXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAV +OVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGr +zbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVM +VAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQ +hNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVKkaHnFtWO +ojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw +awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5cs +OPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpF +coJxDjrSzG+ntKEju/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXc +okgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8 +t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6qtnRGEmyR7jTV7JqR50S+kDFy +1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29mvVXIwAHIRc/ +SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03 +-----END CERTIFICATE----- + +### SECOM Trust.net + +=== /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Sep 30 04:20:49 2003 GMT + Not After : Sep 30 04:20:49 2023 GMT + Subject: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 + X509v3 extensions: + X509v3 Subject Key Identifier: + A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 +SHA256 Fingerprint=E7:5E:72:ED:9F:56:0E:EC:6E:B4:80:00:73:A4:3F:C3:AD:19:19:5A:39:22:82:01:78:95:97:4A:99:02:6B:6C +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY +MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t +dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 +WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD +VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 +9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ +DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 +Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N +QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ +xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G +A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T +AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG +kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr +Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 +Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU +JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot +RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +-----END CERTIFICATE----- + +### SecureTrust Corporation + +=== /C=US/O=SecureTrust Corporation/CN=Secure Global CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 7 19:42:28 2006 GMT + Not After : Dec 31 19:52:06 2029 GMT + Subject: C=US, O=SecureTrust Corporation, CN=Secure Global CA + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + AF:44:04:C2:41:7E:48:83:DB:4E:39:02:EC:EC:84:7A:E6:CE:C9:A4 + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.securetrust.com/SGCA.crl + + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B +SHA256 Fingerprint=42:00:F5:04:3A:C8:59:0E:BB:52:7D:20:9E:D1:50:30:29:FB:CB:D4:1C:A1:B5:06:EC:27:F1:5A:DE:7D:AC:69 +-----BEGIN CERTIFICATE----- +MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK +MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x +GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx +MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg +Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ +iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa +/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ +jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI +HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7 +sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w +gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw +KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG +AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L +URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO +H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm +I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY +iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc +f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW +-----END CERTIFICATE----- +=== /C=US/O=SecureTrust Corporation/CN=SecureTrust CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 7 19:31:18 2006 GMT + Not After : Dec 31 19:40:55 2029 GMT + Subject: C=US, O=SecureTrust Corporation, CN=SecureTrust CA + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 42:32:B6:16:FA:04:FD:FE:5D:4B:7A:C3:FD:F7:4C:40:1D:5A:43:AF + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.securetrust.com/STCA.crl + + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11 +SHA256 Fingerprint=F1:C1:B5:0A:E5:A2:0D:D8:03:0E:C9:F6:BC:24:82:3D:D3:67:B5:25:57:59:B4:E7:1B:61:FC:E9:F7:37:5D:73 +-----BEGIN CERTIFICATE----- +MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI +MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x +FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz +MTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENv +cnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEz +Zum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO +0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIao +wW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj +7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS +8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjAT +BgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCeg +JYYjaHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGC +NxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt3 +6Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/ +3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fiiu1cprp6poxkm +D5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvnZyPS +CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR +3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE= +-----END CERTIFICATE----- + +### Sonera + + +### SSL Corporation + +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3182246526754555285 (0x2c299c5b16ed0595) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Feb 12 18:15:23 2016 GMT + Not After : Feb 12 18:15:23 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D +SHA256 Fingerprint=22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 +-----BEGIN CERTIFICATE----- +MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC +VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T +U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgx +NTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv +dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNv +bSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMA +VIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1Kthku +WnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG22XKbl+ZP +MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX +5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZ +ytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZg +h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg== +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority RSA R2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6248227494352943350 (0x56b629cd34bc78f6) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 31 18:14:37 2017 GMT + Not After : May 30 18:14:37 2042 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E + + X509v3 Subject Key Identifier: + F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A +SHA256 Fingerprint=2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C +-----BEGIN CERTIFICATE----- +MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV +BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE +CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMB4XDTE3MDUzMTE4MTQzN1oXDTQy +MDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4G +A1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQD +DC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvq +M0fNTPl9fb69LT3w23jhhqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssuf +OePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7wcXHswxzpY6IXFJ3vG2fThVUCAtZJycxa +4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTOZw+oz12WGQvE43LrrdF9 +HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+B6KjBSYR +aZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcA +b9ZhCBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQ +Gp8hLH94t2S42Oim9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQV +PWKchjgGAGYS5Fl2WlPAApiiECtoRHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMO +pgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+SlmJuwgUHfbSguPvuUCYHBBXtSu +UDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48+qvWBkofZ6aY +MBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa4 +9QaAJadz20ZpqJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBW +s47LCp1Jjr+kxJG7ZhcFUZh1++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5 +Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nxY/hoLVUE0fKNsKTPvDxeH3jnpaAg +cLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2GguDKBAdRUNf/ktUM +79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDzOFSz +/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXt +ll9ldDz7CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEm +Kf7GUmG6sXP/wwyc5WxqlD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKK +QbNmC1r7fSOl8hqw/96bg5Qu0T/fkreRrwU7ZcegbLHNYhLDkBvjJc40vG93drEQ +w/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1hlMYegouCRw2n5H9gooi +S9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX9hwJ1C07 +mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w== +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8495723813297216424 (0x75e6dfcbc1685ba8) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Feb 12 18:14:03 2016 GMT + Not After : Feb 12 18:14:03 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 82:D1:85:73:30:E7:35:04:D3:8E:02:92:FB:E5:A4:D1:C4:21:E8:CD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:82:D1:85:73:30:E7:35:04:D3:8E:02:92:FB:E5:A4:D1:C4:21:E8:CD + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A +SHA256 Fingerprint=34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 +-----BEGIN CERTIFICATE----- +MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC +VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T +U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNDAzWhcNNDEwMjEyMTgxNDAz +WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0 +b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBS +b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB +BAAiA2IABEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI +7Z4INcgn64mMU1jrYor+8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPg +CemB+vNH06NjMGEwHQYDVR0OBBYEFILRhXMw5zUE044CkvvlpNHEIejNMA8GA1Ud +EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTTjgKS++Wk0cQh6M0wDgYD +VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCWe+0F+S8T +kdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+ +gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority RSA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8875640296558310041 (0x7b2c9bd316803299) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 12 17:39:39 2016 GMT + Not After : Feb 12 17:39:39 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA + X509v3 extensions: + X509v3 Subject Key Identifier: + DD:04:09:07:A2:F5:7A:7D:52:53:12:92:95:EE:38:80:25:0D:A6:59 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:DD:04:09:07:A2:F5:7A:7D:52:53:12:92:95:EE:38:80:25:0D:A6:59 + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB +SHA256 Fingerprint=85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 +-----BEGIN CERTIFICATE----- +MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQK +DA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYwMjEyMTczOTM5WhcNNDEwMjEyMTcz +OTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv +dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNv +bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2R +xFdHaxh3a3by/ZPkPQ/CFp4LZsNWlJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aX +qhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8P2FI7bADFB0QDksZ4LtO7IZl/zbzXmcC +C52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/geoeOy3ZExqysdBP+lSgQ3 +6YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9aqkpk8zruFvh +/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq/LrF +YD3ZfBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93E +JNyAKoFBbZQ+yODJgUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVc +US4cK38acijnALXRdMbX5J+tB5O2UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8 +ZVWb3vUNiSYE/CUapiVpy8JtynziWV+XrOvvLsi81xtZPCvM8hnIk2snYxnP/Okm ++Mpxm3+T/jRnhE6Z6/yzeAkzcLpmpnbtG3PrGqUNxCITIJRWCk4sbE6x/c+cCbqi +M+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkHovV6fVJTEpKV7jiAJQ2mWTAPBgNV +HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9UlMSkpXuOIAlDaZZMA4G +A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7Jp0cHh5wYfGV +cpNxJK1ok1iOMq8bs3AD/CUrdIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8eEdBc +Hadm47GUBwwyOabqG7B52B2ccETjit3E+ZUfijhDPwGFpUenPUayvOUiaPd7nNgs +PgohyC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAslu1OJD7OAUN5F7kR/ +q5R4ZJjT9ijdh9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjqerQ0 +cuAjJ3dctpDqhiVAq+8zD8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jr +a6x+3uxjMxW3IwiPxg+NQVrdjsW5j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90I +H37hVZkLId6Tngr75qNJvTYw/ud3sqB1l7UtgYgXZSD32pAAn8lSzDLKNXz1PQ/Y +K9f1JmzJBjSWFupwWRoyeXkLtoh/D1JIPb9s2KJELtFOt3JY04kTlf5Eq/jXixtu +nLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6VWg3dGq2ktuf +oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY +Ic2wBlX7Jz9TkHCpBB5XJ7k= +-----END CERTIFICATE----- + +### Staat der Nederlanden + +=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10000013 (0x98968d) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 8 11:19:29 2010 GMT + Not After : Dec 8 11:10:28 2022 GMT + Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B +SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB +SHA256 Fingerprint=4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A +-----BEGIN CERTIFICATE----- +MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +7uzXLg== +-----END CERTIFICATE----- + +### Starfield Technologies, Inc. + +=== /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jun 29 17:39:16 2004 GMT + Not After : Jun 29 17:39:16 2034 GMT + Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7 + X509v3 Authority Key Identifier: + keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7 + DirName:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority + serial:00 + + X509v3 Basic Constraints: + CA:TRUE +SHA1 Fingerprint=AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A +SHA256 Fingerprint=14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58 +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl +MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp +U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw +NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE +ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp +ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3 +DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf +8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN ++lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0 +X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa +K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA +1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G +A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR +zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0 +YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD +bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3 +L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D +eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl +xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp +VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY +WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q= +-----END CERTIFICATE----- +=== /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 1 00:00:00 2009 GMT + Not After : Dec 31 23:59:59 2037 GMT + Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27 +SHA1 Fingerprint=B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E +SHA256 Fingerprint=2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5 +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT +HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs +ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw +MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6 +b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj +aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp +Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg +nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1 +HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N +Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN +dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0 +HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G +CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU +sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3 +4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg +8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K +pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1 +mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0 +-----END CERTIFICATE----- +=== /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 1 00:00:00 2009 GMT + Not After : Dec 31 23:59:59 2037 GMT + Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 9C:5F:00:DF:AA:01:D7:30:2B:38:88:A2:B8:6D:4A:9C:F2:11:91:83 +SHA1 Fingerprint=92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F +SHA256 Fingerprint=56:8D:69:05:A2:C8:87:08:A4:B3:02:51:90:ED:CF:ED:B1:97:4A:60:6A:13:C6:E5:29:0F:CB:2A:E6:3E:DA:B5 +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT +HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVs +ZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5 +MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy +ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2Vy +dmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20p +OsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm2 +8xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1K +Ts9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufe +hRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk +6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAw +DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+q +AdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMI +bw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/heyNXB +ve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1z +qwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd +iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn +0q23KXB56jzaYyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCN +sSi6 +-----END CERTIFICATE----- + +### SwissSign AG + +=== /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + bb:40:1c:43:f5:5e:4f:b0 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Oct 25 08:30:35 2006 GMT + Not After : Oct 25 08:30:35 2036 GMT + Subject: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 5B:25:7B:96:A4:65:51:7E:B8:39:F3:C0:78:66:5E:E8:3A:E7:F0:EE + X509v3 Authority Key Identifier: + keyid:5B:25:7B:96:A4:65:51:7E:B8:39:F3:C0:78:66:5E:E8:3A:E7:F0:EE + + X509v3 Certificate Policies: + Policy: 2.16.756.1.89.1.2.1.1 + CPS: http://repository.swisssign.com/ + +SHA1 Fingerprint=D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61 +SHA256 Fingerprint=62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95 +-----BEGIN CERTIFICATE----- +MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2ln +biBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBF +MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMR8wHQYDVQQDExZT +d2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUqt2/8 +76LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+ +bbqBHH5CjCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c +6bM8K8vzARO/Ws/BtQpgvd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqE +emA8atufK+ze3gE/bk3lUIbLtK/tREDFylqM2tIrfKjuvqblCqoOpd8FUrdVxyJd +MmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvRAiTysybUa9oEVeXBCsdt +MDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuendjIj3o02y +MszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69y +FGkOpeUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPi +aG59je883WX0XaxR7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxM +gI93e2CaHt+28kgeDrpOVG2Y4OGiGqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCB +qTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWyV7 +lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64OfPAeGZe6Drn +8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov +L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe6 +45R88a7A3hfm5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczO +UYrHUDFu4Up+GC9pWbY9ZIEr44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5 +O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOfMke6UiI0HTJ6CVanfCU2qT1L2sCC +bwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6mGu6uLftIdxf+u+yv +GPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxpmo/a +77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCC +hdiDyyJkvC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid3 +92qgQmwLOM7XdVAyksLfKzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEpp +Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w +ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt +Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ +-----END CERTIFICATE----- +=== /C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Oct 25 08:32:46 2006 GMT + Not After : Oct 25 08:32:46 2036 GMT + Subject: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 + X509v3 Authority Key Identifier: + keyid:17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 + + X509v3 Certificate Policies: + Policy: 2.16.756.1.89.1.3.1.1 + CPS: http://repository.swisssign.com/ + +SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB +SHA256 Fingerprint=BE:6C:4D:A2:BB:B9:BA:59:B6:F3:93:97:68:37:42:46:C3:C0:05:99:3F:A9:8F:02:0D:1D:ED:BE:D4:8A:81:D5 +-----BEGIN CERTIFICATE----- +MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE +BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu +IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow +RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY +U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv +Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br +YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF +nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH +6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt +eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ +c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ +MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH +HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf +jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 +5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB +rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c +wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 +cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB +AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp +WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 +xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ +2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ +IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 +aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X +em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR +dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ +OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ +hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy +tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u +-----END CERTIFICATE----- + +### T-Systems Enterprise Services GmbH + +=== /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 1 10:40:14 2008 GMT + Not After : Oct 1 23:59:59 2033 GMT + Subject: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BF:59:20:36:00:79:A0:A0:22:6B:8C:D5:F2:61:D2:B8:2C:CB:82:4A +SHA1 Fingerprint=59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9 +SHA256 Fingerprint=91:E2:F5:78:8D:58:10:EB:A7:BA:58:73:7D:E1:54:8A:8E:CA:CD:01:45:98:BC:0B:14:3E:04:1B:17:05:25:52 +-----BEGIN CERTIFICATE----- +MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx +KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd +BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl +YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1 +OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy +aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50 +ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd +AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC +FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi +1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq +jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ +wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/ +WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy +NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC +uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw +IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6 +g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN +9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP +BSeOE6Fuwg== +-----END CERTIFICATE----- +=== /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 1 10:29:56 2008 GMT + Not After : Oct 1 23:59:59 2033 GMT + Subject: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B5:03:F7:76:3B:61:82:6A:12:AA:18:53:EB:03:21:94:BF:FE:CE:CA +SHA1 Fingerprint=55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1 +SHA256 Fingerprint=FD:73:DA:D3:1C:64:4F:F1:B4:3B:EF:0C:CD:DA:96:71:0B:9C:D9:87:5E:CA:7E:31:70:7A:F3:E9:6D:52:2B:BD +-----BEGIN CERTIFICATE----- +MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx +KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd +BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl +YyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1 +OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy +aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50 +ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN +8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/ +RLyTPWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4 +hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5 +ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltM +EnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGj +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1 +A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOy +WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ +1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW30 +6gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT +91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml +e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p +TpPDpFQUWw== +-----END CERTIFICATE----- + +### TAIWAN-CA + +=== /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3262 (0xcbe) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 27 06:28:33 2012 GMT + Not After : Dec 31 15:59:59 2030 GMT + Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65 +SHA256 Fingerprint=59:76:90:07:F7:68:5D:0F:CD:50:87:2F:9F:95:D5:75:5A:5B:2B:45:7D:81:F3:69:2B:61:0A:98:67:2F:0E:1B +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx +EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT +VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5 +NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsT +B1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF +10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz +0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfCh +MBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbH +zIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc +46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2 +yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCi +laLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYP +oA/pyJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQA +BDzfuBSO6N+pjWxnkjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcE +qYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm +4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6gcFGn90xHNcgL +1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn +LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WF +H6vPNOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNo +RI2T9GRwoD2dKAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+ +nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh +15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW +6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3mi4TW +nsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5j +wa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWz +aGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmy +KwbQBM0= +-----END CERTIFICATE----- +=== /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Aug 28 07:24:33 2008 GMT + Not After : Dec 31 15:59:59 2030 GMT + Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 6A:38:5B:26:8D:DE:8B:5A:F2:4F:7A:54:83:19:18:E3:08:35:A6:BA +SHA1 Fingerprint=CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48 +SHA256 Fingerprint=BF:D8:8F:E1:10:1C:41:AE:3E:80:1B:F8:BE:56:35:0E:E9:BA:D1:A6:B9:BD:51:5E:DC:5C:6D:5B:87:11:AC:44 +-----BEGIN CERTIFICATE----- +MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzES +MBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU +V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMz +WhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO +LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFE +AcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HH +K3XLfJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeX +RfwZVzsrb+RH9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/z +rX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx +3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkq +hkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeC +MErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdls +XebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62D +lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn +aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ +YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw== +-----END CERTIFICATE----- + +### TeliaSonera + +=== /O=TeliaSonera/CN=TeliaSonera Root CA v1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Oct 18 12:00:50 2007 GMT + Not After : Oct 18 12:00:50 2032 GMT + Subject: O=TeliaSonera, CN=TeliaSonera Root CA v1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + F0:8F:59:38:00:B3:F5:8F:9A:96:0C:D5:EB:FA:7B:AA:17:E8:13:12 +SHA1 Fingerprint=43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37 +SHA256 Fingerprint=DD:69:36:FE:21:F8:F0:77:C1:23:A1:A5:21:C1:22:24:F7:22:55:B7:3E:03:A7:26:06:93:E8:A2:4B:0F:A3:89 +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw +NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv +b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD +VQQKDAtUZWxpYVNvbmVyYTEfMB0GA1UEAwwWVGVsaWFTb25lcmEgUm9vdCBDQSB2 +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMK+6yfwIaPzaSZVfp3F +VRaRXP3vIb9TgHot0pGMYzHw7CTww6XScnwQbfQ3t+XmfHnqjLWCi65ItqwA3GV1 +7CpNX8GH9SBlK4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3GwYq/t75rH2D+1665I+X +Z75Ljo1kB1c4VWk0Nj0TSO9P4tNmHqTPGrdeNjPUtAa9GAH9d4RQAEX1jF3oI7x+ +/jXh7VB7qTCNGdMJjmhnXb88lxhTuylixcpecsHHltTbLaC0H2kD7OriUPEMPPCs +81Mt8Bz17Ww5OXOAFshSsCPN4D7c3TxHoLs1iuKYaIu+5b9y7tL6pe0S7fyYGKkm +dtwoSxAgHNN/Fnct7W+A90m7UwW7XWjH1Mh1Fj+JWov3F0fUTPHSiXk+TT2YqGHe +Oh7S+F4D4MHJHIzTjU3TlTazN19jY5szFPAtJmtTfImMMsJu7D0hADnJoWjiUIMu +sDor8zagrC/kb2HCUQk5PotTubtn2txTuXZZNp1D5SDgPTJghSJRt8czu90VL6R4 +pgd7gUY2BIbdeTXHlSw7sKMXNeVzH7RcWe/a6hBle3rQf5+ztCo3O3CLm1u5K7fs +slESl1MpWtTwEhDcTwK7EpIvYtQ/aUN8Ddb8WHUBiJ1YFkveupD/RwGJBmr2X7KQ +arMCpgKIv7NHfirZ1fpoeDVNAgMBAAGjPzA9MA8GA1UdEwEB/wQFMAMBAf8wCwYD +VR0PBAQDAgEGMB0GA1UdDgQWBBTwj1k4ALP1j5qWDNXr+nuqF+gTEjANBgkqhkiG +9w0BAQUFAAOCAgEAvuRcYk4k9AwI//DTDGjkk0kiP0Qnb7tt3oNmzqjMDfz1mgbl +dxSR651Be5kqhOX//CHBXfDkH1e3damhXwIm/9fH907eT/j3HEbAek9ALCI18Bmx +0GtnLLCo4MBANzX2hFxc469CeP6nyQ1Q6g2EdvZR74NTxnr/DlZJLo961gzmJ1Tj +TQpgcmLNkQfWpb/ImWvtxBnmq0wROMVvMeJuScg/doAmAyYp4Db29iBT4xdwNBed +Y2gea+zDTYa4EzAvXUYNR0PVG6pZDrlcjQZIrXSHX8f8MVRBE+LHIQ6e4B4N4cB7 +Q4WQxYpYxmUKeFfyxiMPAdkgS94P+5KFdSpcc41teyWRyu5FrgZLAMzTsVlQ2jqI +OylDRl6XK1TOU2+NSueW+r9xDkKLfP0ooNBIytrEgUy7onOTJsjrDNYmiLbAJM+7 +vVvrdX3pCI6GMyx5dwlppYn8s3CQh3aP0yK7Qs69cwsgJirQmz1wHiRszYd2qReW +t88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcn +HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx +SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= +-----END CERTIFICATE----- + +### The Go Daddy Group, Inc. + +=== /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jun 29 17:06:20 2004 GMT + Not After : Jun 29 17:06:20 2034 GMT + Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3 + X509v3 Authority Key Identifier: + keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3 + DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority + serial:00 + + X509v3 Basic Constraints: + CA:TRUE +SHA1 Fingerprint=27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4 +SHA256 Fingerprint=C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4 +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh +MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE +YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3 +MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo +ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg +MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN +ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA +PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w +wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi +EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY +avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+ +YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE +sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h +/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5 +IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD +ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy +OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P +TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ +HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER +dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf +ReYNnyicsbkqWletNw+vHX/bvZ8= +-----END CERTIFICATE----- + +### The USERTRUST Network + +=== /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 1 00:00:00 2010 GMT + Not After : Jan 18 23:59:59 2038 GMT + Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 3A:E1:09:86:D4:CF:19:C2:96:76:74:49:76:DC:E0:35:C6:63:63:9A + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0 +SHA256 Fingerprint=4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A +-----BEGIN CERTIFICATE----- +MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl +eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT +JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAx +MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg +VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqflo +I+d61SRvU8Za2EurxtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinng +o4N+LZfQYcTxmdwlkWOrfzCjtHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0G +A1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYD +VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBBHU6+4WMB +zzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbW +RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg= +-----END CERTIFICATE----- +=== /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Feb 1 00:00:00 2010 GMT + Not After : Jan 18 23:59:59 2038 GMT + Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E +SHA256 Fingerprint=E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw +MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV +BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B +3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY +tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/ +Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2 +VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT +79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6 +c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT +Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l +c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee +UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE +Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd +BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF +Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO +VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3 +ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs +8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR +iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze +Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ +XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ +qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB +VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB +L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG +jjxDah2nGN59PRbxYvnKkKj9 +-----END CERTIFICATE----- + +### TrustCor Systems S. de R.L. + +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 84:82:2c:5f:1c:62:d0:40 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:33 2016 GMT + Not After : Dec 31 17:28:07 2029 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 + X509v3 Authority Key Identifier: + keyid:44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD +SHA256 Fingerprint=5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD +VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y +IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV +BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig +RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb +3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA +BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 +3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou +owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ +wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF +ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf +BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ +MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv +civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 +AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F +hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 +soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI +WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi +tJ/X5g== +-----END CERTIFICATE----- +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + da:9b:ec:71:f3:03:b0:19 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:16 2016 GMT + Not After : Dec 31 17:23:16 2029 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1 + X509v3 extensions: + X509v3 Subject Key Identifier: + EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 + X509v3 Authority Key Identifier: + keyid:EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A +SHA256 Fingerprint=D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y +IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB +pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h +IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG +A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU +cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid +RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V +seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme +9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV +EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW +hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ +DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw +DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD +ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I +/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ +yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts +L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN +zl/HHk484IkzlQsPpTLWPFp5LBk= +-----END CERTIFICATE----- +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2711694510199101698 (0x25a1dfca33cb5902) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:23 2016 GMT + Not After : Dec 31 17:26:39 2034 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2 + X509v3 extensions: + X509v3 Subject Key Identifier: + D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 + X509v3 Authority Key Identifier: + keyid:D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 +SHA256 Fingerprint=07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 +-----BEGIN CERTIFICATE----- +MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV +BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig +Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk +MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg +Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD +VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy +dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ +QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq +1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp +2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK +DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape +az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF +3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 +oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM +g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 +mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd +BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U +nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw +DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX +dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ +MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL +/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX +CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa +ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW +2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 +N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 +Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB +As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp +5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu +1uwJ +-----END CERTIFICATE----- + +### Trustis Limited + +=== /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 23 12:14:06 2003 GMT + Not After : Jan 21 11:36:54 2024 GMT + Subject: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 + + X509v3 Subject Key Identifier: + BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 +SHA256 Fingerprint=C1:B4:82:99:AB:A5:20:8F:E9:63:0A:CE:55:CA:68:A0:3E:DA:5A:51:9C:88:02:A0:D3:A6:73:BE:8F:8E:55:7D +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF +MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL +ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx +MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc +MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ +AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH +iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj +vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA +0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB +OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ +BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E +FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 +GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW +zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 +1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE +f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F +jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN +ZetX2fNXlrtIzYE= +-----END CERTIFICATE----- + +### Trustwave Holdings, Inc. + +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 05:f7:0e:86:da:49:f3:46:35:2e:ba:b2 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 23 19:34:12 2017 GMT + Not After : Aug 23 19:34:12 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 99:E0:19:67:0D:62:DB:76:B3:DA:3D:B8:5B:E8:FD:42:D2:31:0E:87 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=2F:8F:36:4F:E1:58:97:44:21:59:87:A5:2A:9A:D0:69:95:26:7F:B5 +SHA256 Fingerprint=97:55:20:15:F5:DD:FC:3C:87:88:C0:06:94:45:55:40:88:94:45:00:84:F1:00:86:70:86:BC:1A:2B:B5:8D:C8 +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x +ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1 +c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMx +OTM0MTJaFw00MjA4MjMxOTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwI +SWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBI +b2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +ALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+CY66j96xz0Xzn +swuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzDBcdu +7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz8 +1Ws25kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW +80OzfpgZdNmcc9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotP +JqX+OsIgbrv4Fo7NDKm0G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1l +RtzuzWniTY+HKE40Cz7PFNm73bZQmq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfw +hI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49DxweMqZiNu5m4iK4BUBjECLzMx10 +coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9jaJXLE9gCxInm943xZYkqc +BW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqjifLJS3tBEW1n +twiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1Ud +DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W +0OhUKDtkLSGm+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfe +uyk3QAUHw5RSn8pk3fEbK9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0Q +lG/+4jSHg9bP5Rs1bdID4bANqKCqRieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhB +aCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtKYdkNy1GTKv0WBpanI5ojSP5RvbbE +sLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90lZvkWx3SD92YHJtZuSPT +MaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrql5gR0IRiR2Qe +qu5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDFQdxh +VicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8 +h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9 +EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK +yeC2nOnOcXHebD8WpHk= +-----END CERTIFICATE----- +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:6a:5f:08:3f:28:5c:3e:51:95:df:5d + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Aug 23 19:35:10 2017 GMT + Not After : Aug 23 19:35:10 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P256 Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A3:41:06:AC:90:6D:D1:4A:EB:75:A5:4A:10:99:B3:B1:A1:8B:4A:F7 +SHA1 Fingerprint=B4:90:82:DD:45:0C:BE:8B:5B:B1:66:D3:E2:A4:08:26:CD:ED:42:CF +SHA256 Fingerprint=94:5B:BC:82:5E:A5:54:F4:89:D1:FD:51:A7:3D:DF:2E:A6:24:AC:70:19:A0:52:05:22:5C:22:A7:8C:CF:A8:B4 +-----BEGIN CERTIFICATE----- +MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf +BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABH77bOYj43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoN +FWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqmP62jQzBBMA8GA1UdEwEB/wQFMAMBAf8w +DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt0UrrdaVKEJmzsaGLSvcw +CgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjzRM4q3wgh +DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7 +-----END CERTIFICATE----- +=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:bd:85:97:6c:99:27:a4:80:68:47:3b + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Aug 23 19:36:43 2017 GMT + Not After : Aug 23 19:36:43 2042 GMT + Subject: C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P384 Certification Authority + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 55:A9:84:89:D2:C1:32:BD:18:CB:6C:A6:07:4E:C8:E7:9D:BE:82:90 +SHA1 Fingerprint=E7:F3:A3:C8:CF:6F:C3:04:2E:6D:0E:67:32:C5:9E:68:95:0D:5E:D2 +SHA256 Fingerprint=55:90:38:59:C8:C0:C3:EB:B8:75:9E:CE:4E:25:57:22:5F:F5:75:8B:BD:38:EB:D4:82:76:60:1E:1B:D5:80:97 +-----BEGIN CERTIFICATE----- +MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf +BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuB +BAAiA2IABGvaDXU1CDFHBa5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJ +j9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr/TklZvFe/oyujUF5nQlgziip04pt89ZF +1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G +A1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNnADBkAjA3 +AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsC +MGclCrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVu +Sw== +-----END CERTIFICATE----- + +### Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK + +=== /C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 25 08:25:55 2013 GMT + Not After : Oct 25 08:25:55 2043 GMT + Subject: C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 65:3F:C7:8A:86:C6:3C:DD:3C:54:5C:35:F8:3A:ED:52:0C:47:57:C8 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA +SHA256 Fingerprint=46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 +-----BEGIN CERTIFICATE----- +MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIx +GDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxp +bXNlbCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0w +KwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0 +BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3Vy +dW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYDVQQG +EwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXll +IEJpbGltc2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklU +QUsxLTArBgNVBAsTJEthbXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBT +TTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11IFNNIFNTTCBLb2sgU2VydGlmaWthc2kg +LSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3UwM6q7 +a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y86Ij5iySr +LqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INr +N3wcwv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2X +YacQuFWQfw4tJzh03+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/ +iSIzL+aFCr2lqBs23tPcLG07xxO9WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4f +AJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQUZT/HiobGPN08VFw1+DrtUgxH +V8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh +AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPf +IPP54+M638yclNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4 +lzwDGrpDxpa5RXI4s6ehlj2Re37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c +8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0jq5Rm+K37DwhuJi1/FwcJsoz7UMCf +lo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM= +-----END CERTIFICATE----- + +### UniTrust + +=== /C=CN/O=UniTrust/CN=UCA Extended Validation Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 13 00:00:00 2015 GMT + Not After : Dec 31 00:00:00 2038 GMT + Subject: C=CN, O=UniTrust, CN=UCA Extended Validation Root + X509v3 extensions: + X509v3 Subject Key Identifier: + D9:74:3A:E4:30:3D:0D:F7:12:DC:7E:5A:05:9F:1E:34:9A:F7:E1:14 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A +SHA256 Fingerprint=D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24 +-----BEGIN CERTIFICATE----- +MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH +MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF +eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx +MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV +BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog +D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS +sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop +O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk +sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi +c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj +VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz +KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/ +TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G +sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs +1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD +fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T +AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN +l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR +ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ +VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5 +c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp +4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s +t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj +2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO +vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C +xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx +cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM +fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax +-----END CERTIFICATE----- +=== /C=CN/O=UniTrust/CN=UCA Global G2 Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 11 00:00:00 2016 GMT + Not After : Dec 31 00:00:00 2040 GMT + Subject: C=CN, O=UniTrust, CN=UCA Global G2 Root + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 81:C4:8C:CC:F5:E4:30:FF:A5:0C:08:5F:8C:15:67:21:74:01:DF:DF +SHA1 Fingerprint=28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A +SHA256 Fingerprint=9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C +-----BEGIN CERTIFICATE----- +MIIFRjCCAy6gAwIBAgIQXd+x2lqj7V2+WmUgZQOQ7zANBgkqhkiG9w0BAQsFADA9 +MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxGzAZBgNVBAMMElVDQSBH +bG9iYWwgRzIgUm9vdDAeFw0xNjAzMTEwMDAwMDBaFw00MDEyMzEwMDAwMDBaMD0x +CzAJBgNVBAYTAkNOMREwDwYDVQQKDAhVbmlUcnVzdDEbMBkGA1UEAwwSVUNBIEds +b2JhbCBHMiBSb290MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxeYr +b3zvJgUno4Ek2m/LAfmZmqkywiKHYUGRO8vDaBsGxUypK8FnFyIdK+35KYmToni9 +kmugow2ifsqTs6bRjDXVdfkX9s9FxeV67HeToI8jrg4aA3++1NDtLnurRiNb/yzm +VHqUwCoV8MmNsHo7JOHXaOIxPAYzRrZUEaalLyJUKlgNAQLx+hVRZ2zA+te2G3/R +VogvGjqNO7uCEeBHANBSh6v7hn4PJGtAnTRnvI3HLYZveT6OqTwXS3+wmeOwcWDc +C/Vkw85DvG1xudLeJ1uK6NjGruFZfc8oLTW4lVYa8bJYS7cSN8h8s+1LgOGN+jIj +tm+3SJUIsUROhYw6AlQgL9+/V087OpAh18EmNVQg7Mc/R+zvWr9LesGtOxdQXGLY +D0tK3Cv6brxzks3sx1DoQZbXqX5t2Okdj4q1uViSukqSKwxW/YDrCPBeKW4bHAyv +j5OJrdu9o54hyokZ7N+1wxrrFv54NkzWbtA+FxyQF2smuvt6L78RHBgOLXMDj6Dl +NaBa4kx1HXHhOThTeEDMg5PXCp6dW4+K5OXgSORIskfNTip1KnvyIvbJvgmRlld6 +iIis7nCs+dwp4wwcOxJORNanTrAmyPPZGpeRaOrvjUYG0lZFWJo8DA+DuAUlwznP +O6Q0ibd5Ei9Hxeepl2n8pndntd978XplFeRhVmUCAwEAAaNCMEAwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIHEjMz15DD/pQwIX4wV +ZyF0Ad/fMA0GCSqGSIb3DQEBCwUAA4ICAQATZSL1jiutROTL/7lo5sOASD0Ee/oj +L3rtNtqyzm325p7lX1iPyzcyochltq44PTUbPrw7tgTQvPlJ9Zv3hcU2tsu8+Mg5 +1eRfB70VVJd0ysrtT7q6ZHafgbiERUlMjW+i67HM0cOU2kTC5uLqGOiiHycFutfl +1qnN3e92mI0ADs0b+gO3joBYDic/UvuUospeZcnWhNq5NXHzJsBPd+aBJ9J3O5oU +b3n09tDh05S60FdRvScFDcH9yBIw7m+NESsIndTUv4BFFJqIRNow6rSn4+7vW4LV +PtateJLbXDzz2K36uGt/xDYotgIVilQsnLAXc47QN6MUPJiVAAwpBVueSUmxX8fj +y88nZY41F7dXyDDZQVu5FLbowg+UMaeUmMxq67XhJ/UQqAHojhJi6IjMtX9Gl8Cb +EGY4GjZGXyJoPd/JxhMnq1MGrKI8hgZlb7F+sSlEmqO6SWkoaY/X5V+tBIZkbxqg +DMUIYs6Ao9Dz7GjevjPHF1t/gMRMTLGmhIrDO7gJzRSBuhjjVFc2/tsvfEehOjPI ++Vg7RE+xygKJBJYoaMVLuCaJu9YzL1DV/pqJuhgyklTGW+Cd+V7lDSKb9triyCGy +YiGqhkCyLmTTX8jjfhFnRR8F/uOi77Oos/N9j/gMHyIfLXC0uAE0djAA5SN4p1bX +UB+K+wb1whnw0A== +-----END CERTIFICATE----- + +### Unizeto Technologies S.A. + +=== /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 279744 (0x444c0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Oct 22 12:07:37 2008 GMT + Not After : Dec 31 12:07:37 2029 GMT + Subject: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 08:76:CD:CB:07:FF:24:F6:C5:CD:ED:BB:90:BC:E2:84:37:46:75:F7 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E +SHA256 Fingerprint=5C:58:46:8D:55:F5:8E:49:7E:74:39:82:D2:B5:00:10:B6:D1:65:37:4A:CF:83:A7:D4:A3:2D:B7:68:C4:40:8E +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM +MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D +ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU +cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3 +WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg +Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw +IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH +UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM +TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU +BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM +kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x +AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV +HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y +sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL +I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8 +J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY +VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI +03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw= +-----END CERTIFICATE----- + +### WISeKey + +=== /C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 1 15:00:32 2014 GMT + Not After : Dec 1 15:10:31 2039 GMT + Subject: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA + X509v3 extensions: + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 35:0F:C8:36:63:5E:E2:A3:EC:F9:3B:66:15:CE:51:52:E3:91:9A:3D + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED +SHA256 Fingerprint=6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6 +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt +MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg +Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i +YWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAwMzJaFw0zOTEyMDExNTEwMzFaMG0x +CzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBG +b3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh +bCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3 +HEokKtaXscriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGx +WuR51jIjK+FTzJlFXHtPrby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX +1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNk +u7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4oQnc/nSMbsrY9gBQHTC5P +99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvgGUpuuy9r +M2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUB +BAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrgh +cViXfa43FK8+5/ea4n32cZiZBKpDdHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5 +gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0VQreUGdNZtGn//3ZwLWoo4rO +ZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEuiHZeeevJuQHHf +aPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic +Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM= +-----END CERTIFICATE----- +=== /C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GC CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: May 9 09:48:34 2017 GMT + Not After : May 9 09:58:33 2042 GMT + Subject: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GC CA + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 48:87:14:AC:E3:C3:9E:90:60:3A:D7:CA:89:EE:D3:AD:8C:B4:50:66 + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31 +SHA256 Fingerprint=85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D +-----BEGIN CERTIFICATE----- +MIICaTCCAe+gAwIBAgIQISpWDK7aDKtARb8roi066jAKBggqhkjOPQQDAzBtMQsw +CQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91 +bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwg +Um9vdCBHQyBDQTAeFw0xNzA1MDkwOTQ4MzRaFw00MjA1MDkwOTU4MzNaMG0xCzAJ +BgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBGb3Vu +ZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2JhbCBS +b290IEdDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAETOlQwMYPchi82PG6s4ni +eUqjFqdrVCTbUf/q9Akkwwsin8tqJ4KBDdLArzHkdIJuyiXZjHWd8dvQmqJLIX4W +p2OQ0jnUsYd4XxiWD1AbNTcPasbc2RNNpI6QN+a9WzGRo1QwUjAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUSIcUrOPDnpBgOtfKie7T +rYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0EAwMDaAAwZQIwJsdpW9zV +57LnyAyMjMPdeYwbY9XJUpROTYJKcx6ygISpJcBMWm1JKWB4E+J+SOtkAjEA2zQg +Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9 +-----END CERTIFICATE----- + +### XRamp Security Services Inc + +=== /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 1 17:14:04 2004 GMT + Not After : Jan 1 05:37:19 2035 GMT + Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.xrampsecurity.com/XGCA.crl + + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6 +SHA256 Fingerprint=CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2 +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB +gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk +MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY +UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx +NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3 +dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy +dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6 +38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP +KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q +DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4 +qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa +JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi +PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P +BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs +jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0 +eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD +ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR +vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt +qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa +IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy +i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ +O+7ETPTsJ3xCwnR8gooJybQDJbw= +-----END CERTIFICATE----- diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index eaabc58..34ffd91 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -968,7 +968,25 @@ if(EXTRA_EXPORT) endforeach() endif() -add_library(crypto ${CRYPTO_SRC}) +set(LIBTLS_EXTRA_EXPORT ${EXTRA_EXPORT} PARENT_SCOPE) + +add_library(crypto_obj OBJECT ${CRYPTO_SRC}) +target_include_directories(crypto_obj + PRIVATE + . + asn1 + bn + dsa + ec + ecdh + ecdsa + evp + modes + ../include/compat + PUBLIC + ../include) + +add_library(crypto $) target_include_directories(crypto PRIVATE . diff --git a/crypto/VERSION b/crypto/VERSION index 0eaa4dc..b10dcdd 100644 --- a/crypto/VERSION +++ b/crypto/VERSION @@ -1 +1 @@ -46:1:0 +47:0:0 diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 16c3a1c..8600f80 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */ +/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) } } - /* only the ASN1_OBJECTs from the 'table' will have values - * for ->sn or ->ln */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) @@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) memcpy(data, p, length); + /* If there are dynamic strings, free them here, and clear the flag. */ + if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { + free((void *)ret->sn); + free((void *)ret->ln); + ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; + } + /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length; diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c index b6e22cb..db93825 100644 --- a/crypto/asn1/a_time_tm.c +++ b/crypto/asn1/a_time_tm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time_tm.c,v 1.15 2018/04/25 11:48:21 tb Exp $ */ +/* $OpenBSD: a_time_tm.c,v 1.18 2021/08/28 08:22:48 tb Exp $ */ /* * Copyright (c) 2015 Bob Beck * @@ -163,10 +163,9 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode) return (-1); lt = tm; - if (lt == NULL) { - memset(<m, 0, sizeof(ltm)); + if (lt == NULL) lt = <m; - } + memset(lt, 0, sizeof(*lt)); /* Timezone is required and must be GMT (Zulu). */ if (bytes[len - 1] != 'Z') @@ -262,8 +261,8 @@ ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec, size_t len; char * p; - if (gmtime_r(&t, &tm) == NULL) - return (NULL); + if (gmtime_r(&t, &tm) == NULL) + return (NULL); if (offset_day || offset_sec) { if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec)) @@ -299,7 +298,7 @@ ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec, case GENTIME_LENGTH: s->type = V_ASN1_GENERALIZEDTIME; break; - case UTCTIME_LENGTH: + case UTCTIME_LENGTH: s->type = V_ASN1_UTCTIME; break; default: @@ -354,7 +353,6 @@ ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME) return (NULL); - memset(&tm, 0, sizeof(tm)); if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type)) return (NULL); if ((str = gentime_string_from_tm(&tm)) == NULL) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 5cc3550..e2c56de 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_err.c,v 1.21 2018/03/29 02:29:24 inoguchi Exp $ */ +/* $OpenBSD: asn1_err.c,v 1.22 2020/12/08 15:06:42 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -85,6 +85,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) , "bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) , "bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) , "bad tag"}, + {ERR_REASON(ASN1_R_BAD_TEMPLATE) , "bad template"}, {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) , "bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "boolean is wrong length"}, diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 5dc520c..d760ccc 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_lib.c,v 1.44 2018/11/17 09:34:11 tb Exp $ */ +/* $OpenBSD: asn1_lib.c,v 1.45 2020/12/08 15:06:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -388,6 +388,8 @@ ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { int i; + if (a == NULL || b == NULL) + return -1; i = (a->length - b->length); if (i == 0) { i = memcmp(a->data, b->data, a->length); diff --git a/crypto/asn1/t_spki.c b/crypto/asn1/t_spki.c index 39ff067..7f1ed12 100644 --- a/crypto/asn1/t_spki.c +++ b/crypto/asn1/t_spki.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_spki.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: t_spki.c,v 1.12 2021/08/24 15:23:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -94,7 +94,8 @@ NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki) } chal = spki->spkac->challenge; if (chal->length) - BIO_printf(out, " Challenge String: %s\n", chal->data); + BIO_printf(out, " Challenge String: %.*s\n", chal->length, + chal->data); i = OBJ_obj2nid(spki->sig_algor->algorithm); BIO_printf(out, " Signature Algorithm: %s", (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i)); diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index 73a0491..42b00a7 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509.c,v 1.32 2020/04/10 07:05:24 tb Exp $ */ +/* $OpenBSD: t_x509.c,v 1.34 2021/07/26 16:54:20 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -180,7 +180,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), - nmindent, nmflags) < 0) + nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0)) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; @@ -203,7 +203,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_subject_name(x), - nmindent, nmflags) < 0) + nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0)) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; @@ -261,10 +261,12 @@ X509_ocspid_print(BIO *bp, X509 *x) in OCSP requests */ if (BIO_printf(bp, " Subject OCSP hash: ") <= 0) goto err; - derlen = i2d_X509_NAME(x->cert_info->subject, NULL); + if ((derlen = i2d_X509_NAME(x->cert_info->subject, NULL)) <= 0) + goto err; if ((der = dertmp = malloc(derlen)) == NULL) goto err; - i2d_X509_NAME(x->cert_info->subject, &dertmp); + if (i2d_X509_NAME(x->cert_info->subject, &dertmp) <= 0) + goto err; if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL)) goto err; diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c index fd68211..b0346fa 100644 --- a/crypto/asn1/t_x509a.c +++ b/crypto/asn1/t_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: t_x509a.c,v 1.9 2021/07/10 17:45:16 schwarze Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); if (aux->alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", - aux->alias->data); + BIO_printf(out, "%*sAlias: %.*s\n", indent, "", + aux->alias->length, aux->alias->data); if (aux->keyid) { BIO_printf(out, "%*sKey Id: ", indent, ""); for (i = 0; i < aux->keyid->length; i++) diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 70dc355..4b08e90 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_dec.c,v 1.37 2019/04/01 15:48:04 jsing Exp $ */ +/* $OpenBSD: tasn_dec.c,v 1.38 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -210,6 +210,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + goto err; + } + p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, @@ -245,6 +255,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, it, tag, aclass, opt, ctx); case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + goto err; + } + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index d103c4d..5d95f03 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_enc.c,v 1.22 2019/04/01 15:48:04 jsing Exp $ */ +/* $OpenBSD: tasn_enc.c,v 1.23 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,6 +61,7 @@ #include #include +#include #include static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, @@ -152,9 +153,27 @@ ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + return 0; + } return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit + * tagging, so if tag != -1, then this looks like an error in + * the template. + */ + if (tag != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + return 0; + } if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) return 0; i = asn1_get_choice_selector(pval, it); diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c index 4bf1842..0961ee3 100644 --- a/crypto/asn1/x_name.c +++ b/crypto/asn1/x_name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_name.c,v 1.34 2018/02/20 17:09:20 jsing Exp $ */ +/* $OpenBSD: x_name.c,v 1.35 2021/07/04 11:38:37 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -626,19 +626,13 @@ i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *_intname, unsigned char **in) int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { - X509_NAME *in; - - if (!xn || !name) - return (0); - - if (*xn != name) { - in = X509_NAME_dup(name); - if (in != NULL) { - X509_NAME_free(*xn); - *xn = in; - } - } - return (*xn != NULL); + if (*xn == name) + return *xn != NULL; + if ((name = X509_NAME_dup(name)) == NULL) + return 0; + X509_NAME_free(*xn); + *xn = name; + return 1; } int diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 6a56a79..422f625 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509.c,v 1.26 2018/02/17 15:50:42 jsing Exp $ */ +/* $OpenBSD: x_x509.c,v 1.27 2021/09/02 12:41:44 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -185,6 +185,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) ret->akid = NULL; ret->aux = NULL; ret->crldp = NULL; +#ifndef OPENSSL_NO_RFC3779 + ret->rfc3779_addr = NULL; + ret->rfc3779_asid = NULL; +#endif CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; @@ -202,6 +206,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); +#ifndef OPENSSL_NO_RFC3779 + sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); + ASIdentifiers_free(ret->rfc3779_asid); +#endif free(ret->name); ret->name = NULL; break; diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c index 0214add..7e1c2d7 100644 --- a/crypto/bio/b_dump.c +++ b/crypto/bio/b_dump.c @@ -1,10 +1,10 @@ -/* $OpenBSD: b_dump.c,v 1.21 2015/04/23 06:11:19 deraadt Exp $ */ +/* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. +* The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions @@ -82,7 +82,7 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), { int ret = 0; char buf[288 + 1], tmp[20], str[128 + 1]; - int i, j, rows, trc; + int i, j, rows, trc, written; unsigned char ch; int dump_width; @@ -133,13 +133,18 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), /* if this is the last call then update the ddt_dump thing so * that we will move the selection point in the debug window */ - ret += cb((void *)buf, strlen(buf), u); + if ((written = cb((void *)buf, strlen(buf), u)) < 0) + return -1; + ret += written; + } #ifdef TRUNCATE if (trc > 0) { snprintf(buf, sizeof buf, "%s%04x - \n", str, len + trc); - ret += cb((void *)buf, strlen(buf), u); + if ((written = cb((void *)buf, strlen(buf), u)) < 0) + return -1; + ret += written; } #endif return (ret); diff --git a/crypto/bio/bio_cb.c b/crypto/bio/bio_cb.c index ab0e3a9..52cdd24 100644 --- a/crypto/bio/bio_cb.c +++ b/crypto/bio/bio_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_cb.c,v 1.16 2014/12/08 03:54:19 bcook Exp $ */ +/* $OpenBSD: bio_cb.c,v 1.17 2021/03/25 09:26:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,15 +70,22 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, BIO *b; char buf[256]; char *p; + int nbuf; long r = 1; size_t p_maxlen; if (BIO_CB_RETURN & cmd) r = ret; - snprintf(buf, sizeof buf, "BIO[%p]:", bio); - p = &(buf[14]); - p_maxlen = sizeof buf - 14; + nbuf = snprintf(buf, sizeof(buf), "BIO[%p]: ", bio); + if (nbuf < 0) + nbuf = 0; /* Ignore error; continue printing. */ + if (nbuf >= sizeof(buf)) + goto out; + + p = buf + nbuf; + p_maxlen = sizeof(buf) - nbuf; + switch (cmd) { case BIO_CB_FREE: snprintf(p, p_maxlen, "Free - %s\n", bio->method->name); @@ -136,6 +143,7 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, break; } + out: b = (BIO *)bio->cb_arg; if (b != NULL) BIO_write(b, buf, strlen(buf)); diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 1a91b9e..af837ee 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lib.c,v 1.47 2019/06/17 17:11:48 tb Exp $ */ +/* $OpenBSD: bn_lib.c,v 1.48 2021/09/08 12:19:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -583,20 +583,143 @@ BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) return (ret); } +typedef enum { + big, + little, +} endianness_t; + /* ignore negative */ +static int +bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianness_t endianness) +{ + int n; + size_t i, lasti, j, atop, mask; + BN_ULONG l; + + /* + * In case |a| is fixed-top, BN_num_bytes can return bogus length, + * but it's assumed that fixed-top inputs ought to be "nominated" + * even for padded output, so it works out... + */ + n = BN_num_bytes(a); + if (tolen == -1) + tolen = n; + else if (tolen < n) { /* uncommon/unlike case */ + BIGNUM temp = *a; + + bn_correct_top(&temp); + + n = BN_num_bytes(&temp); + if (tolen < n) + return -1; + } + + /* Swipe through whole available data and don't give away padded zero. */ + atop = a->dmax * BN_BYTES; + if (atop == 0) { + explicit_bzero(to, tolen); + return tolen; + } + + lasti = atop - 1; + atop = a->top * BN_BYTES; + + if (endianness == big) + to += tolen; /* start from the end of the buffer */ + + for (i = 0, j = 0; j < (size_t)tolen; j++) { + unsigned char val; + + l = a->d[i / BN_BYTES]; + mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); + val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + + if (endianness == big) + *--to = val; + else + *to++ = val; + + i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ + } + + return tolen; +} + +int +BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + return bn2binpad(a, to, tolen, big); +} + int BN_bn2bin(const BIGNUM *a, unsigned char *to) { - int n, i; - BN_ULONG l; + return bn2binpad(a, to, -1, big); +} - bn_check_top(a); - n = i=BN_num_bytes(a); - while (i--) { - l = a->d[i / BN_BYTES]; - *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +BIGNUM * +BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) +{ + unsigned int i, m, n; + BN_ULONG l; + BIGNUM *bn = NULL; + + if (ret == NULL) + ret = bn = BN_new(); + if (ret == NULL) + return NULL; + + bn_check_top(ret); + + s += len; + /* Skip trailing zeroes. */ + for (; len > 0 && s[-1] == 0; s--, len--) + continue; + + n = len; + if (n == 0) { + ret->top = 0; + return ret; } - return (n); + + i = ((n - 1) / BN_BYTES) + 1; + m = (n - 1) % BN_BYTES; + if (bn_wexpand(ret, (int)i) == NULL) { + BN_free(bn); + return NULL; + } + + ret->top = i; + ret->neg = 0; + l = 0; + while (n-- > 0) { + s--; + l = (l << 8L) | *s; + if (m-- == 0) { + ret->d[--i] = l; + l = 0; + m = BN_BYTES - 1; + } + } + + /* + * need to call this due to clear byte at top if avoiding having the + * top bit set (-ve number) + */ + bn_correct_top(ret); + + return ret; +} + +int +BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + + return bn2binpad(a, to, tolen, little); } int diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c index de67c03..d849b86 100644 --- a/crypto/bn/bn_print.c +++ b/crypto/bn/bn_print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_print.c,v 1.31 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_print.c,v 1.32 2021/08/31 11:19:19 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -216,7 +216,7 @@ BN_hex2bn(BIGNUM **bn, const char *a) if ((ret = BN_new()) == NULL) return (0); } else { - ret= *bn; + ret = *bn; BN_zero(ret); } @@ -228,7 +228,7 @@ BN_hex2bn(BIGNUM **bn, const char *a) m = 0; h = 0; while (j > 0) { - m = ((BN_BYTES*2) <= j) ? (BN_BYTES * 2) : j; + m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j; l = 0; for (;;) { c = a[j - m]; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index f94ce1d..b21692c 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.24 2020/09/12 17:16:36 tb Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.25 2021/08/31 11:19:19 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,20 +194,20 @@ err: return (ret); } -int +int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(0, rnd, bits, top, bottom); } -int +int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(1, rnd, bits, top, bottom); } #if 1 -int +int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(2, rnd, bits, top, bottom); diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 74d957e..a88ea63 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_env.c,v 1.23 2019/10/04 18:03:56 tb Exp $ */ +/* $OpenBSD: cms_env.c,v 1.24 2021/09/08 14:33:02 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -792,6 +792,7 @@ cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) goto err; } + freezero(ec->key, ec->keylen); ec->key = ukey; ec->keylen = ukeylen; diff --git a/crypto/compat/getentropy_freebsd.c b/crypto/compat/getentropy_freebsd.c index 30cd68e..ea90ffe 100644 --- a/crypto/compat/getentropy_freebsd.c +++ b/crypto/compat/getentropy_freebsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_freebsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_freebsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $ */ /* * Copyright (c) 2014 Pawel Jakub Dawidek @@ -32,11 +32,9 @@ static size_t getentropy_sysctl(u_char *buf, size_t size) { - int mib[2]; + const int mib[2] = { CTL_KERN, KERN_ARND }; size_t len, done; - mib[0] = CTL_KERN; - mib[1] = KERN_ARND; done = 0; do { diff --git a/crypto/compat/getentropy_netbsd.c b/crypto/compat/getentropy_netbsd.c index 45d68c9..5dc8959 100644 --- a/crypto/compat/getentropy_netbsd.c +++ b/crypto/compat/getentropy_netbsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_netbsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_netbsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $ */ /* * Copyright (c) 2014 Pawel Jakub Dawidek @@ -32,11 +32,9 @@ static size_t getentropy_sysctl(u_char *buf, size_t size) { - int mib[2]; + const int mib[2] = { CTL_KERN, KERN_ARND }; size_t len, done; - mib[0] = CTL_KERN; - mib[1] = KERN_ARND; done = 0; do { diff --git a/crypto/compat/getentropy_win.c b/crypto/compat/getentropy_win.c index 2abeb27..64514b3 100644 --- a/crypto/compat/getentropy_win.c +++ b/crypto/compat/getentropy_win.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_win.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_win.c,v 1.6 2020/11/11 10:41:24 bcook Exp $ */ /* * Copyright (c) 2014, Theo de Raadt @@ -21,39 +21,30 @@ */ #include +#include #include #include #include -#include -#include int getentropy(void *buf, size_t len); /* - * On Windows, CryptGenRandom is supposed to be a well-seeded - * cryptographically strong random number generator. + * On Windows, BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG is supposed + * to be a well-seeded, cryptographically strong random number generator. + * https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom */ int getentropy(void *buf, size_t len) { - HCRYPTPROV provider; - if (len > 256) { errno = EIO; return (-1); } - if (CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT) == 0) - goto fail; - if (CryptGenRandom(provider, len, buf) == 0) { - CryptReleaseContext(provider, 0); - goto fail; + if (FAILED(BCryptGenRandom(NULL, buf, len, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) { + errno = EIO; + return (-1); } - CryptReleaseContext(provider, 0); - return (0); -fail: - errno = EIO; - return (-1); + return (0); } diff --git a/crypto/compat/recallocarray.c b/crypto/compat/recallocarray.c index d93abd2..7ab2ec5 100644 --- a/crypto/compat/recallocarray.c +++ b/crypto/compat/recallocarray.c @@ -1,4 +1,4 @@ -/* $OpenBSD: recallocarray.c,v 1.1 2017/03/06 18:44:21 otto Exp $ */ +/* $OpenBSD: recallocarray.c,v 1.2 2021/03/18 11:16:58 claudio Exp $ */ /* * Copyright (c) 2008, 2017 Otto Moerbeek * @@ -57,7 +57,7 @@ recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size) if (newsize <= oldsize) { size_t d = oldsize - newsize; - if (d < oldsize / 2 && d < getpagesize()) { + if (d < oldsize / 2 && d < (size_t)getpagesize()) { memset((char *)ptr + newsize, 0, d); return ptr; } diff --git a/crypto/crypto.sym b/crypto/crypto.sym index 48a76e8..e690e4f 100644 --- a/crypto/crypto.sym +++ b/crypto/crypto.sym @@ -425,6 +425,8 @@ BN_add_word BN_asc2bn BN_bin2bn BN_bn2bin +BN_bn2binpad +BN_bn2lebinpad BN_bn2dec BN_bn2hex BN_bn2mpi @@ -468,6 +470,7 @@ BN_is_prime_ex BN_is_prime_fasttest BN_is_prime_fasttest_ex BN_kronecker +BN_lebin2bn BN_lshift BN_lshift1 BN_mask_bits @@ -1047,6 +1050,7 @@ EC_GROUP_get0_seed EC_GROUP_get_asn1_flag EC_GROUP_get_basis_type EC_GROUP_get_cofactor +EC_GROUP_get_curve EC_GROUP_get_curve_GF2m EC_GROUP_get_curve_GFp EC_GROUP_get_curve_name @@ -1062,8 +1066,10 @@ EC_GROUP_new EC_GROUP_new_by_curve_name EC_GROUP_new_curve_GF2m EC_GROUP_new_curve_GFp +EC_GROUP_order_bits EC_GROUP_precompute_mult EC_GROUP_set_asn1_flag +EC_GROUP_set_curve EC_GROUP_set_curve_GF2m EC_GROUP_set_curve_GFp EC_GROUP_set_curve_name @@ -1128,6 +1134,7 @@ EC_POINT_dbl EC_POINT_dup EC_POINT_free EC_POINT_get_Jprojective_coordinates_GFp +EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GF2m EC_POINT_get_affine_coordinates_GFp EC_POINT_hex2point @@ -1143,8 +1150,10 @@ EC_POINT_point2bn EC_POINT_point2hex EC_POINT_point2oct EC_POINT_set_Jprojective_coordinates_GFp +EC_POINT_set_affine_coordinates EC_POINT_set_affine_coordinates_GF2m EC_POINT_set_affine_coordinates_GFp +EC_POINT_set_compressed_coordinates EC_POINT_set_compressed_coordinates_GF2m EC_POINT_set_compressed_coordinates_GFp EC_POINT_set_to_infinity @@ -1447,9 +1456,11 @@ EVP_DigestFinal EVP_DigestFinal_ex EVP_DigestInit EVP_DigestInit_ex +EVP_DigestSign EVP_DigestSignFinal EVP_DigestSignInit EVP_DigestUpdate +EVP_DigestVerify EVP_DigestVerifyFinal EVP_DigestVerifyInit EVP_ENCODE_CTX_free @@ -1587,6 +1598,7 @@ EVP_PKEY_meth_set_verify_recover EVP_PKEY_meth_set_verifyctx EVP_PKEY_missing_parameters EVP_PKEY_new +EVP_PKEY_new_CMAC_key EVP_PKEY_new_mac_key EVP_PKEY_paramgen EVP_PKEY_paramgen_init diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 268eccf..832083c 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -121,6 +121,10 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err; if (BN_is_zero(x)) { + if (y_bit != 0) { + ECerror(EC_R_INVALID_COMPRESSED_POINT); + goto err; + } if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err; } else { @@ -152,7 +156,7 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point } } - if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) + if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; ret = 1; @@ -221,7 +225,7 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, if ((yxi = BN_CTX_get(ctx)) == NULL) goto err; - if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) + if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) goto err; buf[0] = form; @@ -280,10 +284,11 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, } -/* Converts an octet string representation to an EC_POINT. +/* + * Converts an octet string representation to an EC_POINT. * Note that the simple implementation only uses affine coordinates. */ -int +int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, const unsigned char *buf, size_t len, BN_CTX *ctx) { @@ -298,19 +303,35 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, ECerror(EC_R_BUFFER_TOO_SMALL); return 0; } - form = buf[0]; - y_bit = form & 1; - form = form & ~1U; - if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && - (form != POINT_CONVERSION_UNCOMPRESSED) && - (form != POINT_CONVERSION_HYBRID)) { + + /* + * The first octet is the point conversion octet PC, see X9.62, page 4 + * and section 4.4.2. It must be: + * 0x00 for the point at infinity + * 0x02 or 0x03 for compressed form + * 0x04 for uncompressed form + * 0x06 or 0x07 for hybrid form. + * For compressed or hybrid forms, we store the last bit of buf[0] as + * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*. + * We error if buf[0] contains any but the above values. + */ + y_bit = buf[0] & 1; + form = buf[0] & ~1U; + + if (form != 0 && form != POINT_CONVERSION_COMPRESSED && + form != POINT_CONVERSION_UNCOMPRESSED && + form != POINT_CONVERSION_HYBRID) { ECerror(EC_R_INVALID_ENCODING); return 0; } - if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) { - ECerror(EC_R_INVALID_ENCODING); - return 0; + if (form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) { + if (y_bit != 0) { + ECerror(EC_R_INVALID_ENCODING); + return 0; + } } + + /* The point at infinity is represented by a single zero octet. */ if (form == 0) { if (len != 1) { ECerror(EC_R_INVALID_ENCODING); @@ -318,6 +339,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } return EC_POINT_set_to_infinity(group, point); } + field_len = (EC_GROUP_get_degree(group) + 7) / 8; enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; @@ -326,6 +348,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, ECerror(EC_R_INVALID_ENCODING); return 0; } + if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) @@ -346,7 +369,11 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, goto err; } if (form == POINT_CONVERSION_COMPRESSED) { - if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) + /* + * EC_POINT_set_compressed_coordinates checks that the + * point is on the curve as required by X9.62. + */ + if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx)) goto err; } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) @@ -356,22 +383,34 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, goto err; } if (form == POINT_CONVERSION_HYBRID) { - if (!group->meth->field_div(group, yxi, y, x, ctx)) - goto err; - if (y_bit != BN_is_odd(yxi)) { - ECerror(EC_R_INVALID_ENCODING); - goto err; + /* + * Check that the form in the encoding was set + * correctly according to X9.62 4.4.2.a, 4(c), + * see also first paragraph of X9.62 4.4.1.b. + */ + if (BN_is_zero(x)) { + if (y_bit != 0) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + } else { + if (!group->meth->field_div(group, yxi, y, x, + ctx)) + goto err; + if (y_bit != BN_is_odd(yxi)) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } } } - if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) + /* + * EC_POINT_set_affine_coordinates checks that the + * point is on the curve as required by X9.62. + */ + if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } ret = 1; err: diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 936cee4..9f3b380 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_smpl.c,v 1.21 2018/11/05 20:18:21 tb Exp $ */ +/* $OpenBSD: ec2_smpl.c,v 1.23 2021/09/08 17:29:21 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -88,17 +88,18 @@ EC_GF2m_simple_method(void) .group_set_curve = ec_GF2m_simple_group_set_curve, .group_get_curve = ec_GF2m_simple_group_get_curve, .group_get_degree = ec_GF2m_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, .group_check_discriminant = - ec_GF2m_simple_group_check_discriminant, + ec_GF2m_simple_group_check_discriminant, .point_init = ec_GF2m_simple_point_init, .point_finish = ec_GF2m_simple_point_finish, .point_clear_finish = ec_GF2m_simple_point_clear_finish, .point_copy = ec_GF2m_simple_point_copy, .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity, .point_set_affine_coordinates = - ec_GF2m_simple_point_set_affine_coordinates, + ec_GF2m_simple_point_set_affine_coordinates, .point_get_affine_coordinates = - ec_GF2m_simple_point_get_affine_coordinates, + ec_GF2m_simple_point_get_affine_coordinates, .add = ec_GF2m_simple_add, .dbl = ec_GF2m_simple_dbl, .invert = ec_GF2m_simple_invert, @@ -483,7 +484,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, if (!BN_copy(y0, &a->Y)) goto err; } else { - if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx)) + if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx)) goto err; } if (b->Z_is_one) { @@ -492,7 +493,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, if (!BN_copy(y1, &b->Y)) goto err; } else { - if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx)) + if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx)) goto err; } @@ -541,7 +542,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, if (!BN_GF2m_add(y2, y2, y1)) goto err; - if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx)) + if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx)) goto err; ret = 1; @@ -684,9 +685,9 @@ ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, if ((bY = BN_CTX_get(ctx)) == NULL) goto err; - if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx)) + if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx)) goto err; - if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx)) + if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx)) goto err; ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1; @@ -720,7 +721,7 @@ ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ct if ((y = BN_CTX_get(ctx)) == NULL) goto err; - if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) + if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) goto err; if (!BN_copy(&point->X, x)) goto err; diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index f69dd02..befeee9 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_asn1.c,v 1.31 2018/09/01 16:23:15 tb Exp $ */ +/* $OpenBSD: ec_asn1.c,v 1.34 2021/08/31 20:14:40 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -709,7 +709,7 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) goto err; } /* the parameters are specified by the prime number p */ - if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL)) { + if (!EC_GROUP_get_curve(group, tmp, NULL, NULL, NULL)) { ECerror(ERR_R_EC_LIB); goto err; } @@ -801,12 +801,12 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) static int ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) { - int ok = 0, nid; BIGNUM *tmp_1 = NULL, *tmp_2 = NULL; unsigned char *buffer_1 = NULL, *buffer_2 = NULL, *a_buf = NULL, *b_buf = NULL; size_t len_1, len_2; unsigned char char_zero = 0; + int ok = 0; if (!group || !curve || !curve->a || !curve->b) return 0; @@ -815,23 +815,12 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) ECerror(ERR_R_MALLOC_FAILURE); goto err; } - nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); /* get a and b */ - if (nid == NID_X9_62_prime_field) { - if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL)) { - ECerror(ERR_R_EC_LIB); - goto err; - } + if (!EC_GROUP_get_curve(group, NULL, tmp_1, tmp_2, NULL)) { + ECerror(ERR_R_EC_LIB); + goto err; } -#ifndef OPENSSL_NO_EC2M - else { /* nid == NID_X9_62_characteristic_two_field */ - if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL)) { - ECerror(ERR_R_EC_LIB); - goto err; - } - } -#endif len_1 = (size_t) BN_num_bytes(tmp_1); len_2 = (size_t) BN_num_bytes(tmp_2); @@ -1028,7 +1017,7 @@ ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params) if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL) ok = 0; } else - /* we don't kmow the nid => ERROR */ + /* we don't know the group => ERROR */ ok = 0; } else { /* use the ECPARAMETERS structure */ diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 84a565d..b575f7b 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_curve.c,v 1.20 2020/06/05 17:12:09 jsing Exp $ */ +/* $OpenBSD: ec_curve.c,v 1.21 2021/04/20 17:16:37 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -3373,7 +3373,7 @@ ec_group_new_from_data(const ec_list_element curve) ECerror(ERR_R_BN_LIB); goto err; } - if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) { + if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { ECerror(ERR_R_EC_LIB); goto err; } diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index a098206..05c7dd1 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_cvt.c,v 1.6 2014/07/10 22:45:57 jsing Exp $ */ +/* $OpenBSD: ec_cvt.c,v 1.7 2021/04/20 17:04:13 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -112,7 +112,7 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, if (ret == NULL) return NULL; - if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) { + if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { unsigned long err; err = ERR_peek_last_error(); @@ -136,7 +136,7 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, if (ret == NULL) return NULL; - if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) { + if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { EC_GROUP_clear_free(ret); return NULL; } @@ -158,7 +158,7 @@ EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, if (ret == NULL) return NULL; - if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx)) { + if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { EC_GROUP_clear_free(ret); return NULL; } diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 1d0a03a..27b8f26 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_key.c,v 1.24 2019/01/19 01:12:48 tb Exp $ */ +/* $OpenBSD: ec_key.c,v 1.26 2021/04/20 17:23:37 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -381,7 +381,7 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y) BN_CTX *ctx = NULL; BIGNUM *tx, *ty; EC_POINT *point = NULL; - int ok = 0, tmp_nid, is_char_two = 0; + int ok = 0; if (!key || !key->group || !x || !y) { ECerror(ERR_R_PASSED_NULL_PARAMETER); @@ -396,34 +396,15 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y) if (!point) goto err; - tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group)); - - if (tmp_nid == NID_X9_62_characteristic_two_field) - is_char_two = 1; - if ((tx = BN_CTX_get(ctx)) == NULL) goto err; if ((ty = BN_CTX_get(ctx)) == NULL) goto err; -#ifndef OPENSSL_NO_EC2M - if (is_char_two) { - if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point, - x, y, ctx)) - goto err; - if (!EC_POINT_get_affine_coordinates_GF2m(key->group, point, - tx, ty, ctx)) - goto err; - } else -#endif - { - if (!EC_POINT_set_affine_coordinates_GFp(key->group, point, - x, y, ctx)) - goto err; - if (!EC_POINT_get_affine_coordinates_GFp(key->group, point, - tx, ty, ctx)) - goto err; - } + if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx)) + goto err; + if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx)) + goto err; /* * Check if retrieved coordinates match originals: if not values are * out of range. diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 8948e51..ced04c7 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lcl.h,v 1.13 2019/01/19 01:12:48 tb Exp $ */ +/* $OpenBSD: ec_lcl.h,v 1.18 2021/09/08 17:29:21 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -105,14 +105,14 @@ struct ec_method_st { void (*group_clear_finish)(EC_GROUP *); int (*group_copy)(EC_GROUP *, const EC_GROUP *); - /* used by EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, */ - /* EC_GROUP_set_curve_GF2m, and EC_GROUP_get_curve_GF2m: */ + /* used by EC_GROUP_{get,set}_curve */ int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); /* used by EC_GROUP_get_degree: */ int (*group_get_degree)(const EC_GROUP *); - + /* used by EC_GROUP_order_bits: */ + int (*group_order_bits)(const EC_GROUP *); /* used by EC_GROUP_check: */ int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *); @@ -122,17 +122,18 @@ struct ec_method_st { void (*point_clear_finish)(EC_POINT *); int (*point_copy)(EC_POINT *, const EC_POINT *); - /* used by EC_POINT_set_to_infinity, - * EC_POINT_set_Jprojective_coordinates_GFp, - * EC_POINT_get_Jprojective_coordinates_GFp, - * EC_POINT_set_affine_coordinates_GFp, ..._GF2m, - * EC_POINT_get_affine_coordinates_GFp, ..._GF2m, - * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m: + /* + * used by EC_POINT_set_to_infinity, + * EC_POINT_set_Jprojective_coordinates, + * EC_POINT_get_Jprojective_coordinates, + * EC_POINT_set_affine_coordinates, + * EC_POINT_get_affine_coordinates, + * EC_POINT_set_compressed_coordinates: */ int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *); - int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *, + int (*point_set_Jprojective_coordinates)(const EC_GROUP *, EC_POINT *, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); - int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *, + int (*point_get_Jprojective_coordinates)(const EC_GROUP *, const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *, const BIGNUM *x, const BIGNUM *y, BN_CTX *); @@ -282,7 +283,7 @@ void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **, void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **); void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **); - +int ec_group_simple_order_bits(const EC_GROUP *group); struct ec_point_st { const EC_METHOD *meth; @@ -297,8 +298,6 @@ struct ec_point_st { int Z_is_one; /* enable optimized point arithmetics for special case */ } /* EC_POINT */; - - /* method functions in ec_mult.c * (ec_lib.c uses these as defaults if group->method->mul is 0) */ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, @@ -321,10 +320,10 @@ void ec_GFp_simple_point_finish(EC_POINT *); void ec_GFp_simple_point_clear_finish(EC_POINT *); int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); -int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); -int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *, - BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); +int ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *, EC_POINT *, + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); +int ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *, + const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, const BIGNUM *x, const BIGNUM *y, BN_CTX *); int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *, diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index df90616..7cc69f8 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lib.c,v 1.32 2019/09/29 10:09:09 tb Exp $ */ +/* $OpenBSD: ec_lib.c,v 1.41 2021/09/12 16:23:19 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -100,7 +100,7 @@ EC_GROUP_new(const EC_METHOD * meth) BN_init(&ret->cofactor); ret->curve_name = 0; - ret->asn1_flag = 0; + ret->asn1_flag = OPENSSL_EC_NAMED_CURVE; ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED; ret->seed = NULL; @@ -401,6 +401,11 @@ EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) return !BN_is_zero(order); } +int +EC_GROUP_order_bits(const EC_GROUP *group) +{ + return group->meth->group_order_bits(group); +} int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) @@ -488,52 +493,55 @@ EC_GROUP_get_seed_len(const EC_GROUP * group) return group->seed_len; } - -int -EC_GROUP_set_curve_GFp(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a, - const BIGNUM * b, BN_CTX * ctx) +int +EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { - if (group->meth->group_set_curve == 0) { + if (group->meth->group_set_curve == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } return group->meth->group_set_curve(group, p, a, b, ctx); } - -int -EC_GROUP_get_curve_GFp(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, - BIGNUM * b, BN_CTX * ctx) +int +EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, + BN_CTX *ctx) { - if (group->meth->group_get_curve == 0) { + if (group->meth->group_get_curve == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } return group->meth->group_get_curve(group, p, a, b, ctx); } +int +EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) +{ + return EC_GROUP_set_curve(group, p, a, b, ctx); +} + +int +EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, + BN_CTX *ctx) +{ + return EC_GROUP_get_curve(group, p, a, b, ctx); +} + #ifndef OPENSSL_NO_EC2M -int -EC_GROUP_set_curve_GF2m(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a, - const BIGNUM * b, BN_CTX * ctx) +int +EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) { - if (group->meth->group_set_curve == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - return group->meth->group_set_curve(group, p, a, b, ctx); + return EC_GROUP_set_curve(group, p, a, b, ctx); } - -int -EC_GROUP_get_curve_GF2m(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, - BIGNUM * b, BN_CTX * ctx) +int +EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *ctx) { - if (group->meth->group_get_curve == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - return group->meth->group_get_curve(group, p, a, b, ctx); + return EC_GROUP_get_curve(group, p, a, b, ctx); } #endif @@ -919,28 +927,57 @@ EC_POINT_set_to_infinity(const EC_GROUP * group, EC_POINT * point) return group->meth->point_set_to_infinity(group, point); } +int +EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) +{ + if (group->meth->point_set_Jprojective_coordinates == NULL) { + ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + if (group->meth != point->meth) { + ECerror(EC_R_INCOMPATIBLE_OBJECTS); + return 0; + } + return group->meth->point_set_Jprojective_coordinates(group, point, + x, y, z, ctx); +} -int +int +EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, + const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) +{ + if (group->meth->point_get_Jprojective_coordinates == NULL) { + ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + if (group->meth != point->meth) { + ECerror(EC_R_INCOMPATIBLE_OBJECTS); + return 0; + } + return group->meth->point_get_Jprojective_coordinates(group, point, + x, y, z, ctx); +} + +int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) { - if (group->meth->point_set_Jprojective_coordinates_GFp == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (group->meth != point->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); + return EC_POINT_set_Jprojective_coordinates(group, point, x, y, z, ctx); } - -int +int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) { - if (group->meth->point_get_Jprojective_coordinates_GFp == 0) { + return EC_POINT_get_Jprojective_coordinates(group, point, x, y, z, ctx); +} + +int +EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) +{ + if (group->meth->point_set_affine_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -948,47 +985,36 @@ EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, ECerror(EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } - -int +int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) { - if (group->meth->point_set_affine_coordinates == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (group->meth != point->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); } #ifndef OPENSSL_NO_EC2M -int +int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) { - if (group->meth->point_set_affine_coordinates == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (group->meth != point->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); } #endif -int -EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, +int +EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) { - if (group->meth->point_get_affine_coordinates == 0) { + if (group->meth->point_get_affine_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -999,20 +1025,19 @@ EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); } +int +EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, + BIGNUM *x, BIGNUM *y, BN_CTX *ctx) +{ + return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); +} + #ifndef OPENSSL_NO_EC2M -int +int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) { - if (group->meth->point_get_affine_coordinates == 0) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (group->meth != point->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); + return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); } #endif @@ -1241,6 +1266,17 @@ EC_GROUP_have_precompute_mult(const EC_GROUP * group) * been performed */ } +int +ec_group_simple_order_bits(const EC_GROUP *group) +{ + /* XXX change group->order to a pointer? */ +#if 0 + if (group->order == NULL) + return 0; +#endif + return BN_num_bits(&group->order); +} + EC_KEY * ECParameters_dup(EC_KEY *key) { diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index f44b174..4596821 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_oct.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_oct.c,v 1.8 2021/04/20 17:34:33 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -70,12 +70,12 @@ #include "ec_lcl.h" -int -EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point, - const BIGNUM * x, int y_bit, BN_CTX * ctx) +int +EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, int y_bit, BN_CTX *ctx) { - if (group->meth->point_set_compressed_coordinates == 0 - && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { + if (group->meth->point_set_compressed_coordinates == NULL && + !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -98,36 +98,33 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point group, point, x, y_bit, ctx); #endif } - return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); + if (!group->meth->point_set_compressed_coordinates(group, point, x, + y_bit, ctx)) + return 0; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; +} + +int +EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, int y_bit, BN_CTX *ctx) +{ + return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); } #ifndef OPENSSL_NO_EC2M -int -EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP * group, EC_POINT * point, - const BIGNUM * x, int y_bit, BN_CTX * ctx) +int +EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, int y_bit, BN_CTX *ctx) { - if (group->meth->point_set_compressed_coordinates == 0 - && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (group->meth != point->meth) { - ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; - } - if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { - if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_set_compressed_coordinates( - group, point, x, y_bit, ctx); - else - return ec_GF2m_simple_set_compressed_coordinates( - group, point, x, y_bit, ctx); - } - return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); + return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); } #endif -size_t +size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx) @@ -159,8 +156,7 @@ EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, return group->meth->point2oct(group, point, form, buf, len, ctx); } - -int +int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, const unsigned char *buf, size_t len, BN_CTX *ctx) { diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index be57d87..c2fd2eb 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eck_prn.c,v 1.15 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: eck_prn.c,v 1.17 2021/04/20 17:12:43 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -64,8 +64,6 @@ #include #include -#include - #include #include #include @@ -214,19 +212,9 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off) reason = ERR_R_MALLOC_FAILURE; goto err; } -#ifndef OPENSSL_NO_EC2M - if (is_char_two) { - if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx)) { - reason = ERR_R_EC_LIB; - goto err; - } - } else /* prime field */ -#endif - { - if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx)) { - reason = ERR_R_EC_LIB; - goto err; - } + if (!EC_GROUP_get_curve(x, p, a, b, ctx)) { + reason = ERR_R_EC_LIB; + goto err; } if ((point = EC_GROUP_get0_generator(x)) == NULL) { diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index f4dff9a..0da3083 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_mont.c,v 1.17 2018/11/05 20:18:21 tb Exp $ */ +/* $OpenBSD: ecp_mont.c,v 1.20 2021/09/08 17:29:21 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -79,21 +79,22 @@ EC_GFp_mont_method(void) .group_set_curve = ec_GFp_mont_group_set_curve, .group_get_curve = ec_GFp_simple_group_get_curve, .group_get_degree = ec_GFp_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, + ec_GFp_simple_group_check_discriminant, .point_init = ec_GFp_simple_point_init, .point_finish = ec_GFp_simple_point_finish, .point_clear_finish = ec_GFp_simple_point_clear_finish, .point_copy = ec_GFp_simple_point_copy, .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates_GFp = - ec_GFp_simple_set_Jprojective_coordinates_GFp, - .point_get_Jprojective_coordinates_GFp = - ec_GFp_simple_get_Jprojective_coordinates_GFp, + .point_set_Jprojective_coordinates = + ec_GFp_simple_set_Jprojective_coordinates, + .point_get_Jprojective_coordinates = + ec_GFp_simple_get_Jprojective_coordinates, .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, + ec_GFp_simple_point_set_affine_coordinates, .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, + ec_GFp_simple_point_get_affine_coordinates, .add = ec_GFp_simple_add, .dbl = ec_GFp_simple_dbl, .invert = ec_GFp_simple_invert, @@ -117,7 +118,7 @@ EC_GFp_mont_method(void) } -int +int ec_GFp_mont_group_init(EC_GROUP * group) { int ok; @@ -129,7 +130,7 @@ ec_GFp_mont_group_init(EC_GROUP * group) } -void +void ec_GFp_mont_group_finish(EC_GROUP * group) { BN_MONT_CTX_free(group->field_data1); @@ -140,7 +141,7 @@ ec_GFp_mont_group_finish(EC_GROUP * group) } -void +void ec_GFp_mont_group_clear_finish(EC_GROUP * group) { BN_MONT_CTX_free(group->field_data1); @@ -151,7 +152,7 @@ ec_GFp_mont_group_clear_finish(EC_GROUP * group) } -int +int ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src) { BN_MONT_CTX_free(dest->field_data1); @@ -185,7 +186,7 @@ ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src) } -int +int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { @@ -237,7 +238,7 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, } -int +int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { @@ -249,7 +250,7 @@ ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, } -int +int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { @@ -261,7 +262,7 @@ ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, } -int +int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { @@ -273,7 +274,7 @@ ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, } -int +int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { @@ -285,7 +286,7 @@ ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, } -int +int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx) { if (group->field_data2 == NULL) { diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 073c041..f7dae16 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_nist.c,v 1.15 2018/11/05 20:18:21 tb Exp $ */ +/* $OpenBSD: ecp_nist.c,v 1.18 2021/09/08 17:29:21 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -80,21 +80,22 @@ EC_GFp_nist_method(void) .group_set_curve = ec_GFp_nist_group_set_curve, .group_get_curve = ec_GFp_simple_group_get_curve, .group_get_degree = ec_GFp_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, + ec_GFp_simple_group_check_discriminant, .point_init = ec_GFp_simple_point_init, .point_finish = ec_GFp_simple_point_finish, .point_clear_finish = ec_GFp_simple_point_clear_finish, .point_copy = ec_GFp_simple_point_copy, .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates_GFp = - ec_GFp_simple_set_Jprojective_coordinates_GFp, - .point_get_Jprojective_coordinates_GFp = - ec_GFp_simple_get_Jprojective_coordinates_GFp, + .point_set_Jprojective_coordinates = + ec_GFp_simple_set_Jprojective_coordinates, + .point_get_Jprojective_coordinates = + ec_GFp_simple_get_Jprojective_coordinates, .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, + ec_GFp_simple_point_set_affine_coordinates, .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, + ec_GFp_simple_point_get_affine_coordinates, .add = ec_GFp_simple_add, .dbl = ec_GFp_simple_dbl, .invert = ec_GFp_simple_invert, @@ -114,7 +115,7 @@ EC_GFp_nist_method(void) return &ret; } -int +int ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src) { dest->field_mod_func = src->field_mod_func; @@ -122,7 +123,7 @@ ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src) return ec_GFp_simple_group_copy(dest, src); } -int +int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { @@ -162,7 +163,7 @@ ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, } -int +int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { @@ -189,7 +190,7 @@ ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, } -int +int ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx) { diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 90c5ca2..177bbe1 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ecp_oct.c,v 1.14 2021/04/20 17:32:57 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -185,7 +185,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, ECerror(ERR_R_INTERNAL_ERROR); goto err; } - if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) + if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; ret = 1; @@ -246,7 +246,7 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co if ((y = BN_CTX_get(ctx)) == NULL) goto err; - if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) + if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) goto err; if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y)) @@ -362,7 +362,11 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, goto err; } if (form == POINT_CONVERSION_COMPRESSED) { - if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) + /* + * EC_POINT_set_compressed_coordinates checks that the point + * is on the curve as required by X9.62. + */ + if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx)) goto err; } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) @@ -377,15 +381,14 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, goto err; } } - if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) + /* + * EC_POINT_set_affine_coordinates checks that the point is + * on the curve as required by X9.62. + */ + if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } ret = 1; err: diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 3957bd1..1d0b1d6 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */ +/* $OpenBSD: ecp_smpl.c,v 1.33 2021/09/08 17:29:21 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -80,21 +80,22 @@ EC_GFp_simple_method(void) .group_set_curve = ec_GFp_simple_group_set_curve, .group_get_curve = ec_GFp_simple_group_get_curve, .group_get_degree = ec_GFp_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, + ec_GFp_simple_group_check_discriminant, .point_init = ec_GFp_simple_point_init, .point_finish = ec_GFp_simple_point_finish, .point_clear_finish = ec_GFp_simple_point_clear_finish, .point_copy = ec_GFp_simple_point_copy, .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates_GFp = - ec_GFp_simple_set_Jprojective_coordinates_GFp, - .point_get_Jprojective_coordinates_GFp = - ec_GFp_simple_get_Jprojective_coordinates_GFp, + .point_set_Jprojective_coordinates = + ec_GFp_simple_set_Jprojective_coordinates, + .point_get_Jprojective_coordinates = + ec_GFp_simple_get_Jprojective_coordinates, .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, + ec_GFp_simple_point_set_affine_coordinates, .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, + ec_GFp_simple_point_get_affine_coordinates, .add = ec_GFp_simple_add, .dbl = ec_GFp_simple_dbl, .invert = ec_GFp_simple_invert, @@ -129,7 +130,7 @@ EC_GFp_simple_method(void) */ -int +int ec_GFp_simple_group_init(EC_GROUP * group) { BN_init(&group->field); @@ -140,7 +141,7 @@ ec_GFp_simple_group_init(EC_GROUP * group) } -void +void ec_GFp_simple_group_finish(EC_GROUP * group) { BN_free(&group->field); @@ -149,7 +150,7 @@ ec_GFp_simple_group_finish(EC_GROUP * group) } -void +void ec_GFp_simple_group_clear_finish(EC_GROUP * group) { BN_clear_free(&group->field); @@ -158,7 +159,7 @@ ec_GFp_simple_group_clear_finish(EC_GROUP * group) } -int +int ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src) { if (!BN_copy(&dest->field, &src->field)) @@ -174,7 +175,7 @@ ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src) } -int +int ec_GFp_simple_group_set_curve(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) { @@ -231,7 +232,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group, } -int +int ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BIGNUM * b, BN_CTX * ctx) { int ret = 0; @@ -275,14 +276,14 @@ ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BI } -int +int ec_GFp_simple_group_get_degree(const EC_GROUP * group) { return BN_num_bits(&group->field); } -int +int ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) { int ret = 0; @@ -358,7 +359,7 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) } -int +int ec_GFp_simple_point_init(EC_POINT * point) { BN_init(&point->X); @@ -370,7 +371,7 @@ ec_GFp_simple_point_init(EC_POINT * point) } -void +void ec_GFp_simple_point_finish(EC_POINT * point) { BN_free(&point->X); @@ -379,7 +380,7 @@ ec_GFp_simple_point_finish(EC_POINT * point) } -void +void ec_GFp_simple_point_clear_finish(EC_POINT * point) { BN_clear_free(&point->X); @@ -389,7 +390,7 @@ ec_GFp_simple_point_clear_finish(EC_POINT * point) } -int +int ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src) { if (!BN_copy(&dest->X, &src->X)) @@ -404,7 +405,7 @@ ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src) } -int +int ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point) { point->Z_is_one = 0; @@ -413,9 +414,10 @@ ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point) } -int -ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * point, - const BIGNUM * x, const BIGNUM * y, const BIGNUM * z, BN_CTX * ctx) +int +ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group, + EC_POINT *point, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, + BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; @@ -465,10 +467,9 @@ ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * return ret; } - -int -ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_POINT * point, - BIGNUM * x, BIGNUM * y, BIGNUM * z, BN_CTX * ctx) +int +ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *group, + const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; @@ -513,8 +514,7 @@ ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_P return ret; } - -int +int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point, const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx) { @@ -523,11 +523,11 @@ ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * po ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } - return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx); + return EC_POINT_set_Jprojective_coordinates(group, point, x, y, + BN_value_one(), ctx); } - -int +int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point, BIGNUM * x, BIGNUM * y, BN_CTX * ctx) { @@ -634,7 +634,7 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN return ret; } -int +int ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -823,7 +823,7 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons } -int +int ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -965,7 +965,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C } -int +int ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) { if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y)) @@ -976,14 +976,14 @@ ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) } -int +int ec_GFp_simple_is_at_infinity(const EC_GROUP * group, const EC_POINT * point) { return BN_is_zero(&point->Z); } -int +int ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); @@ -1086,7 +1086,7 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX } -int +int ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx) { /* @@ -1188,7 +1188,7 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b } -int +int ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) { BN_CTX *new_ctx = NULL; @@ -1209,9 +1209,9 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx if ((y = BN_CTX_get(ctx)) == NULL) goto err; - if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) + if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) goto err; - if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) + if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; if (!point->Z_is_one) { ECerror(ERR_R_INTERNAL_ERROR); @@ -1226,7 +1226,7 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx } -int +int ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx) { BN_CTX *new_ctx = NULL; @@ -1272,11 +1272,11 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * /* * The array is used as a binary tree, exactly as in heapsort: - * + * * heap[1] heap[2] heap[3] heap[4] heap[5] * heap[6] heap[7] heap[8]heap[9] heap[10]heap[11] * heap[12]heap[13] heap[14] heap[15] - * + * * We put the Z's in the last line; then we set each other node to the * product of its two child-nodes (where empty or 0 entries are * treated as ones); then we invert heap[1]; then we invert each @@ -1401,13 +1401,13 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * } -int +int ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) { return BN_mod_mul(r, a, b, &group->field, ctx); } -int +int ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx) { return BN_mod_sqr(r, a, &group->field, ctx); @@ -1417,7 +1417,7 @@ ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN * Apply randomization of EC point projective coordinates: * * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z) - * + * * where lambda is in the interval [1, group->field). */ int @@ -1687,7 +1687,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } /* one final cswap to move the right value into r */ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); - + ret = 1; err: diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c index 378912c..e59ce8b 100644 --- a/crypto/ecdh/ech_key.c +++ b/crypto/ecdh/ech_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_key.c,v 1.9 2019/01/19 01:12:48 tb Exp $ */ +/* $OpenBSD: ech_key.c,v 1.11 2021/04/20 17:23:37 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -140,23 +140,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, goto err; } - if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == - NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, - ctx)) { - ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE); - goto err; - } + if (!EC_POINT_get_affine_coordinates(group, tmp, x, y, ctx)) { + ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE); + goto err; } -#ifndef OPENSSL_NO_EC2M - else { - if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, - ctx)) { - ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE); - goto err; - } - } -#endif buflen = ECDH_size(ecdh); len = BN_num_bytes(x); diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 8a6685d..e7e7a52 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_ossl.c,v 1.20 2019/06/04 18:15:27 tb Exp $ */ +/* $OpenBSD: ecs_ossl.c,v 1.22 2021/04/20 17:23:37 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ @@ -205,23 +205,11 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ECDSAerror(ERR_R_EC_LIB); goto err; } - if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == - NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(group, point, - X, NULL, ctx)) { - ECDSAerror(ERR_R_EC_LIB); - goto err; - } + if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, + ctx)) { + ECDSAerror(ERR_R_EC_LIB); + goto err; } -#ifndef OPENSSL_NO_EC2M - else { /* NID_X9_62_characteristic_two_field */ - if (!EC_POINT_get_affine_coordinates_GF2m(group, point, - X, NULL, ctx)) { - ECDSAerror(ERR_R_EC_LIB); - goto err; - } - } -#endif if (!BN_nnmod(r, X, order, ctx)) { ECDSAerror(ERR_R_BN_LIB); goto err; @@ -521,23 +509,10 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, ECDSAerror(ERR_R_EC_LIB); goto err; } - if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == - NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, - ctx)) { - ECDSAerror(ERR_R_EC_LIB); - goto err; - } + if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) { + ECDSAerror(ERR_R_EC_LIB); + goto err; } -#ifndef OPENSSL_NO_EC2M - else { /* NID_X9_62_characteristic_two_field */ - if (!EC_POINT_get_affine_coordinates_GF2m(group, point, X, NULL, - ctx)) { - ECDSAerror(ERR_R_EC_LIB); - goto err; - } - } -#endif if (!BN_nnmod(u1, X, order, ctx)) { ECDSAerror(ERR_R_BN_LIB); goto err; diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index bb49e28..896b9e1 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.43 2019/04/14 17:16:57 jsing Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.44 2021/02/18 19:12:29 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include #include @@ -337,6 +338,17 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the + * amount of data left that is a multiple of the block + * length is (inl - j) & ~(bl - 1). Ensure this plus + * the block processed from ctx-buf doesn't overflow. + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + EVPerror(EVP_R_TOO_LARGE); + return 0; + } memcpy(&(ctx->buf[i]), in, j); if (!M_do_cipher(ctx, out, ctx->buf, bl)) return 0; @@ -451,6 +463,16 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->final_used) { + /* + * final_used is only ever set if buf_len is 0. Therefore the + * maximum length output we will ever see from EVP_EncryptUpdate + * is inl & ~(b - 1). Since final_used is set, the final output + * length is (inl & ~(b - 1)) + b. Ensure it doesn't overflow. + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + EVPerror(EVP_R_TOO_LARGE); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 2494cf5..07ece82 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */ +/* $OpenBSD: evp_err.c,v 1.27 2021/03/29 15:57:23 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -116,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"}, {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"}, {ERR_REASON(EVP_R_KEYGEN_FAILURE) , "keygen failure"}, + {ERR_REASON(EVP_R_KEY_SETUP_FAILED) , "key setup failed"}, {ERR_REASON(EVP_R_MESSAGE_DIGEST_IS_NULL), "message digest is null"}, {ERR_REASON(EVP_R_METHOD_NOT_SUPPORTED) , "method not supported"}, {ERR_REASON(EVP_R_MISSING_PARAMETERS) , "missing parameters"}, diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 9e313c3..bd93746 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_sigver.c,v 1.7 2018/05/13 06:35:10 tb Exp $ */ +/* $OpenBSD: m_sigver.c,v 1.9 2021/05/09 14:25:40 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -74,15 +74,17 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, if (ctx->pctx == NULL) return 0; - if (type == NULL) { - int def_nid; - if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0) - type = EVP_get_digestbynid(def_nid); - } + if (!(ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM)) { + if (type == NULL) { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0) + type = EVP_get_digestbynid(def_nid); + } - if (type == NULL) { - EVPerror(EVP_R_NO_DEFAULT_DIGEST); - return 0; + if (type == NULL) { + EVPerror(EVP_R_NO_DEFAULT_DIGEST); + return 0; + } } if (ver) { @@ -105,6 +107,8 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, return 0; if (pctx) *pctx = ctx->pctx; + if (ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) + return 1; if (!EVP_DigestInit_ex(ctx, type, e)) return 0; return 1; @@ -127,7 +131,24 @@ EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen) { - int sctx, r = 0; + EVP_PKEY_CTX *pctx = ctx->pctx; + int sctx; + int r = 0; + + if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { + EVP_PKEY_CTX *dctx; + + if (sigret == NULL) + return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); + + /* XXX - support EVP_MD_CTX_FLAG_FINALISE? */ + if ((dctx = EVP_PKEY_CTX_dup(ctx->pctx)) == NULL) + return 0; + r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); + EVP_PKEY_CTX_free(dctx); + + return r; + } if (ctx->pctx->pmeth->signctx) sctx = 1; @@ -165,6 +186,18 @@ EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen) return 1; } +int +EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + const unsigned char *tbs, size_t tbslen) +{ + if (sigret != NULL) { + if (EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) + return 0; + } + + return EVP_DigestSignFinal(ctx, sigret, siglen); +} + int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) { @@ -191,3 +224,13 @@ EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) return r; return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); } + +int +EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, size_t siglen, + const unsigned char *tbs, size_t tbslen) +{ + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) + return -1; + + return EVP_DigestVerifyFinal(ctx, sigret, siglen); +} diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 13a9d65..9577b10 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.25 2019/03/17 18:17:45 tb Exp $ */ +/* $OpenBSD: p_lib.c,v 1.26 2021/03/29 15:57:23 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,6 +61,7 @@ #include #include +#include #include #include #include @@ -216,10 +217,14 @@ EVP_PKEY_up_ref(EVP_PKEY *pkey) */ static int -pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) +pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, int len) { const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *e = NULL; + ENGINE **eptr = NULL; + + if (e == NULL) + eptr = &e; + if (pkey) { if (pkey->pkey.ptr) EVP_PKEY_free_it(pkey); @@ -234,11 +239,11 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) #endif } if (str) - ameth = EVP_PKEY_asn1_find_str(&e, str, len); + ameth = EVP_PKEY_asn1_find_str(eptr, str, len); else - ameth = EVP_PKEY_asn1_find(&e, type); + ameth = EVP_PKEY_asn1_find(eptr, type); #ifndef OPENSSL_NO_ENGINE - if (pkey == NULL) + if (pkey == NULL && eptr != NULL) ENGINE_finish(e); #endif if (!ameth) { @@ -258,13 +263,43 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { - return pkey_set_type(pkey, type, NULL, -1); + return pkey_set_type(pkey, NULL, type, NULL, -1); +} + +EVP_PKEY * +EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, + const EVP_CIPHER *cipher) +{ + EVP_PKEY *ret = NULL; + CMAC_CTX *cmctx = NULL; + + if ((ret = EVP_PKEY_new()) == NULL) + goto err; + if ((cmctx = CMAC_CTX_new()) == NULL) + goto err; + + if (!pkey_set_type(ret, e, EVP_PKEY_CMAC, NULL, -1)) + goto err; + + if (!CMAC_Init(cmctx, priv, len, cipher, e)) { + EVPerror(EVP_R_KEY_SETUP_FAILED); + goto err; + } + + ret->pkey.ptr = (char *)cmctx; + + return ret; + + err: + EVP_PKEY_free(ret); + CMAC_CTX_free(cmctx); + return NULL; } int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) { - return pkey_set_type(pkey, EVP_PKEY_NONE, str, len); + return pkey_set_type(pkey, NULL, EVP_PKEY_NONE, str, len); } int diff --git a/crypto/gost/gostr341001.c b/crypto/gost/gostr341001.c index ba70d5f..bfbd032 100644 --- a/crypto/gost/gostr341001.c +++ b/crypto/gost/gostr341001.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: gostr341001.c,v 1.8 2021/04/20 17:16:38 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -206,7 +206,7 @@ gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey) GOSTerror(ERR_R_EC_LIB); goto err; } - if (EC_POINT_get_affine_coordinates_GFp(group, C, X, + if (EC_POINT_get_affine_coordinates(group, C, X, NULL, ctx) == 0) { GOSTerror(ERR_R_EC_LIB); goto err; @@ -304,7 +304,7 @@ gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec) GOSTerror(ERR_R_EC_LIB); goto err; } - if (EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx) == 0) { + if (EC_POINT_get_affine_coordinates(group, C, X, NULL, ctx) == 0) { GOSTerror(ERR_R_EC_LIB); goto err; } @@ -354,7 +354,7 @@ VKO_compute_key(BIGNUM *X, BIGNUM *Y, const GOST_KEY *pkey, GOST_KEY *priv_key, goto err; if (EC_POINT_mul(group, pnt, NULL, pub_key, p, ctx) == 0) goto err; - if (EC_POINT_get_affine_coordinates_GFp(group, pnt, X, Y, ctx) == 0) + if (EC_POINT_get_affine_coordinates(group, pnt, X, Y, ctx) == 0) goto err; ok = 1; diff --git a/crypto/gost/gostr341001_ameth.c b/crypto/gost/gostr341001_ameth.c index 27a95f2..294b654 100644 --- a/crypto/gost/gostr341001_ameth.c +++ b/crypto/gost/gostr341001_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_ameth.c,v 1.16 2020/06/05 17:17:22 jsing Exp $ */ +/* $OpenBSD: gostr341001_ameth.c,v 1.17 2021/04/20 17:16:38 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -290,7 +290,7 @@ pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk) goto err; } - if (EC_POINT_get_affine_coordinates_GFp(GOST_KEY_get0_group(ec), + if (EC_POINT_get_affine_coordinates(GOST_KEY_get0_group(ec), pub_key, X, Y, NULL) == 0) { GOSTerror(ERR_R_EC_LIB); goto err; @@ -352,8 +352,7 @@ pub_print_gost01(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx) goto err; pubkey = GOST_KEY_get0_public_key(pkey->pkey.gost); group = GOST_KEY_get0_group(pkey->pkey.gost); - if (EC_POINT_get_affine_coordinates_GFp(group, pubkey, X, Y, - ctx) == 0) { + if (EC_POINT_get_affine_coordinates(group, pubkey, X, Y, ctx) == 0) { GOSTerror(ERR_R_EC_LIB); goto err; } diff --git a/crypto/gost/gostr341001_key.c b/crypto/gost/gostr341001_key.c index 0af39f2..d5d885c 100644 --- a/crypto/gost/gostr341001_key.c +++ b/crypto/gost/gostr341001_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_key.c,v 1.8 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: gostr341001_key.c,v 1.9 2021/04/20 17:16:38 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -201,10 +201,10 @@ GOST_KEY_set_public_key_affine_coordinates(GOST_KEY *key, BIGNUM *x, BIGNUM *y) goto err; if ((ty = BN_CTX_get(ctx)) == NULL) goto err; - if (EC_POINT_set_affine_coordinates_GFp(key->group, point, x, y, + if (EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx) == 0) goto err; - if (EC_POINT_get_affine_coordinates_GFp(key->group, point, tx, ty, + if (EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx) == 0) goto err; /* diff --git a/crypto/hkdf/hkdf.c b/crypto/hkdf/hkdf.c index b8be10b..e912481 100644 --- a/crypto/hkdf/hkdf.c +++ b/crypto/hkdf/hkdf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hkdf.c,v 1.4 2019/11/21 20:02:20 tim Exp $ */ +/* $OpenBSD: hkdf.c,v 1.5 2021/08/27 16:12:33 tb Exp $ */ /* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +16,6 @@ #include -#include #include #include diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index c0b63e4..db25799 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: obj_dat.c,v 1.42 2019/07/03 03:24:04 deraadt Exp $ */ +/* $OpenBSD: obj_dat.c,v 1.43 2021/09/01 09:42:28 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -628,7 +628,6 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) buf_len -= i; } ret += i; - l = 0; } } diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 13f2383..6f50a90 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 1001 -#define NUM_SN 994 -#define NUM_LN 994 -#define NUM_OBJ 924 +#define NUM_NID 1016 +#define NUM_SN 1009 +#define NUM_LN 1009 +#define NUM_OBJ 939 -static const unsigned char lvalues[6481]={ +static const unsigned char lvalues[6618]={ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -986,6 +986,21 @@ static const unsigned char lvalues[6481]={ 0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x03,/* [6455] OBJ_id_tc26_gost_3410_12_512_paramSetC */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01, /* [6464] OBJ_id_tc26_hmac_gost_3411_12_256 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02, /* [6472] OBJ_id_tc26_hmac_gost_3411_12_512 */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x18,/* [6480] OBJ_id_ct_routeOriginAuthz */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1A,/* [6491] OBJ_id_ct_rpkiManifest */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x23,/* [6502] OBJ_id_ct_rpkiGhostbusters */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x24,/* [6513] OBJ_id_ct_resourceTaggedAttest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E, /* [6524] OBJ_id_cp */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1C, /* [6531] OBJ_sbgp_ipAddrBlockv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1D, /* [6539] OBJ_sbgp_autonomousSysNumv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x02, /* [6547] OBJ_ipAddr_asNumber */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x03, /* [6555] OBJ_ipAddr_asNumberv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A, /* [6563] OBJ_rpkiManifest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B, /* [6571] OBJ_signedObject */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D, /* [6579] OBJ_rpkiNotify */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x2F,/* [6587] OBJ_id_ct_geofeedCSVwithCRLF */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x30,/* [6598] OBJ_id_ct_signedChecklist */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1E, /* [6609] OBJ_id_kp_bgpsec_router */ }; static const ASN1_OBJECT nid_objs[NUM_NID]={ @@ -2612,6 +2627,32 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ NID_id_tc26_hmac_gost_3411_12_256,8,&(lvalues[6464]),0}, {"id-tc26-hmac-gost-3411-12-512","HMAC STREEBOG 512", NID_id_tc26_hmac_gost_3411_12_512,8,&(lvalues[6472]),0}, +{"id-ct-routeOriginAuthz","id-ct-routeOriginAuthz", + NID_id_ct_routeOriginAuthz,11,&(lvalues[6480]),0}, +{"id-ct-rpkiManifest","id-ct-rpkiManifest",NID_id_ct_rpkiManifest,11, + &(lvalues[6491]),0}, +{"id-ct-rpkiGhostbusters","id-ct-rpkiGhostbusters", + NID_id_ct_rpkiGhostbusters,11,&(lvalues[6502]),0}, +{"id-ct-resourceTaggedAttest","id-ct-resourceTaggedAttest", + NID_id_ct_resourceTaggedAttest,11,&(lvalues[6513]),0}, +{"id-cp","id-cp",NID_id_cp,7,&(lvalues[6524]),0}, +{"sbgp-ipAddrBlockv2","sbgp-ipAddrBlockv2",NID_sbgp_ipAddrBlockv2,8, + &(lvalues[6531]),0}, +{"sbgp-autonomousSysNumv2","sbgp-autonomousSysNumv2", + NID_sbgp_autonomousSysNumv2,8,&(lvalues[6539]),0}, +{"ipAddr-asNumber","ipAddr-asNumber",NID_ipAddr_asNumber,8, + &(lvalues[6547]),0}, +{"ipAddr-asNumberv2","ipAddr-asNumberv2",NID_ipAddr_asNumberv2,8, + &(lvalues[6555]),0}, +{"rpkiManifest","RPKI Manifest",NID_rpkiManifest,8,&(lvalues[6563]),0}, +{"signedObject","Signed Object",NID_signedObject,8,&(lvalues[6571]),0}, +{"rpkiNotify","RPKI Notify",NID_rpkiNotify,8,&(lvalues[6579]),0}, +{"id-ct-geofeedCSVwithCRLF","id-ct-geofeedCSVwithCRLF", + NID_id_ct_geofeedCSVwithCRLF,11,&(lvalues[6587]),0}, +{"id-ct-signedChecklist","id-ct-signedChecklist", + NID_id_ct_signedChecklist,11,&(lvalues[6598]),0}, +{"id-kp-bgpsec-router","BGPsec Router",NID_id_kp_bgpsec_router,8, + &(lvalues[6609]),0}, }; static const unsigned int sn_objs[NUM_SN]={ @@ -3096,7 +3137,14 @@ static const unsigned int sn_objs[NUM_SN]={ 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ +1005, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ +1013, /* "id-ct-geofeedCSVwithCRLF" */ +1004, /* "id-ct-resourceTaggedAttest" */ +1001, /* "id-ct-routeOriginAuthz" */ +1003, /* "id-ct-rpkiGhostbusters" */ +1002, /* "id-ct-rpkiManifest" */ +1014, /* "id-ct-signedChecklist" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ @@ -3118,6 +3166,7 @@ static const unsigned int sn_objs[NUM_SN]={ 784, /* "id-it-suppLangTags" */ 304, /* "id-it-unsupportedOIDs" */ 128, /* "id-kp" */ +1015, /* "id-kp-bgpsec-router" */ 280, /* "id-mod-attribute-cert" */ 274, /* "id-mod-cmc" */ 277, /* "id-mod-cmp" */ @@ -3257,6 +3306,8 @@ static const unsigned int sn_objs[NUM_SN]={ 647, /* "international-organizations" */ 869, /* "internationaliSDNNumber" */ 142, /* "invalidityDate" */ +1008, /* "ipAddr-asNumber" */ +1009, /* "ipAddr-asNumberv2" */ 294, /* "ipsecEndSystem" */ 295, /* "ipsecTunnel" */ 296, /* "ipsecUser" */ @@ -3375,6 +3426,8 @@ static const unsigned int sn_objs[NUM_SN]={ 877, /* "roleOccupant" */ 448, /* "room" */ 463, /* "roomNumber" */ +1010, /* "rpkiManifest" */ +1012, /* "rpkiNotify" */ 6, /* "rsaEncryption" */ 644, /* "rsaOAEPEncryptionSET" */ 377, /* "rsaSignature" */ @@ -3382,7 +3435,9 @@ static const unsigned int sn_objs[NUM_SN]={ 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ +1007, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ +1006, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 159, /* "sdsiCertificate" */ 859, /* "searchGuide" */ @@ -3555,6 +3610,7 @@ static const unsigned int sn_objs[NUM_SN]={ 604, /* "setext-pinAny" */ 603, /* "setext-pinSecure" */ 605, /* "setext-track2" */ +1011, /* "signedObject" */ 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ @@ -3618,6 +3674,7 @@ static const unsigned int ln_objs[NUM_LN]={ 910, /* "Any Extended Key Usage" */ 664, /* "Any language" */ 177, /* "Authority Information Access" */ +1015, /* "BGPsec Router" */ 365, /* "Basic OCSP Response" */ 285, /* "Biometric Info" */ 179, /* "CA Issuers" */ @@ -3728,6 +3785,8 @@ static const unsigned int ln_objs[NUM_LN]={ 165, /* "Policy Qualifier User Notice" */ 385, /* "Private" */ 663, /* "Proxy Certificate Information" */ +1010, /* "RPKI Manifest" */ +1012, /* "RPKI Notify" */ 1, /* "RSA Data Security, Inc." */ 2, /* "RSA Data Security, Inc. PKCS" */ 188, /* "S/MIME" */ @@ -3736,6 +3795,7 @@ static const unsigned int ln_objs[NUM_LN]={ 512, /* "Secure Electronic Transactions" */ 386, /* "Security" */ 394, /* "Selected Attribute Types" */ +1011, /* "Signed Object" */ 143, /* "Strong Extranet ID" */ 398, /* "Subject Information Access" */ 130, /* "TLS Web Client Authentication" */ @@ -4087,7 +4147,14 @@ static const unsigned int ln_objs[NUM_LN]={ 332, /* "id-cmc-senderNonce" */ 327, /* "id-cmc-statusInfo" */ 331, /* "id-cmc-transactionId" */ +1005, /* "id-cp" */ 787, /* "id-ct-asciiTextWithCRLF" */ +1013, /* "id-ct-geofeedCSVwithCRLF" */ +1004, /* "id-ct-resourceTaggedAttest" */ +1001, /* "id-ct-routeOriginAuthz" */ +1003, /* "id-ct-rpkiGhostbusters" */ +1002, /* "id-ct-rpkiManifest" */ +1014, /* "id-ct-signedChecklist" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ @@ -4228,6 +4295,8 @@ static const unsigned int ln_objs[NUM_LN]={ 461, /* "info" */ 101, /* "initials" */ 869, /* "internationaliSDNNumber" */ +1008, /* "ipAddr-asNumber" */ +1009, /* "ipAddr-asNumberv2" */ 749, /* "ipsec3" */ 750, /* "ipsec4" */ 181, /* "iso" */ @@ -4374,7 +4443,9 @@ static const unsigned int ln_objs[NUM_LN]={ 482, /* "sOARecord" */ 155, /* "safeContentsBag" */ 291, /* "sbgp-autonomousSysNum" */ +1007, /* "sbgp-autonomousSysNumv2" */ 290, /* "sbgp-ipAddrBlock" */ +1006, /* "sbgp-ipAddrBlockv2" */ 292, /* "sbgp-routerIdentifier" */ 159, /* "sdsiCertificate" */ 859, /* "searchGuide" */ @@ -5015,6 +5086,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 266, /* OBJ_id_aca 1 3 6 1 5 5 7 10 */ 267, /* OBJ_id_qcs 1 3 6 1 5 5 7 11 */ 268, /* OBJ_id_cct 1 3 6 1 5 5 7 12 */ +1005, /* OBJ_id_cp 1 3 6 1 5 5 7 14 */ 662, /* OBJ_id_ppl 1 3 6 1 5 5 7 21 */ 176, /* OBJ_id_ad 1 3 6 1 5 5 7 48 */ 507, /* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */ @@ -5137,6 +5209,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 397, /* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ 398, /* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ 663, /* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ +1006, /* OBJ_sbgp_ipAddrBlockv2 1 3 6 1 5 5 7 1 28 */ +1007, /* OBJ_sbgp_autonomousSysNumv2 1 3 6 1 5 5 7 1 29 */ 164, /* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ 165, /* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ 293, /* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -5150,6 +5224,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 133, /* OBJ_time_stamp 1 3 6 1 5 5 7 3 8 */ 180, /* OBJ_OCSP_sign 1 3 6 1 5 5 7 3 9 */ 297, /* OBJ_dvcs 1 3 6 1 5 5 7 3 10 */ +1015, /* OBJ_id_kp_bgpsec_router 1 3 6 1 5 5 7 3 30 */ 298, /* OBJ_id_it_caProtEncCert 1 3 6 1 5 5 7 4 1 */ 299, /* OBJ_id_it_signKeyPairTypes 1 3 6 1 5 5 7 4 2 */ 300, /* OBJ_id_it_encKeyPairTypes 1 3 6 1 5 5 7 4 3 */ @@ -5209,6 +5284,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 360, /* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ 361, /* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ 362, /* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */ +1008, /* OBJ_ipAddr_asNumber 1 3 6 1 5 5 7 14 2 */ +1009, /* OBJ_ipAddr_asNumberv2 1 3 6 1 5 5 7 14 3 */ 664, /* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */ 665, /* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */ 667, /* OBJ_Independent 1 3 6 1 5 5 7 21 2 */ @@ -5217,6 +5294,9 @@ static const unsigned int obj_objs[NUM_OBJ]={ 363, /* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */ 364, /* OBJ_ad_dvcs 1 3 6 1 5 5 7 48 4 */ 785, /* OBJ_caRepository 1 3 6 1 5 5 7 48 5 */ +1010, /* OBJ_rpkiManifest 1 3 6 1 5 5 7 48 10 */ +1011, /* OBJ_signedObject 1 3 6 1 5 5 7 48 11 */ +1012, /* OBJ_rpkiNotify 1 3 6 1 5 5 7 48 13 */ 780, /* OBJ_hmac_md5 1 3 6 1 5 5 8 1 1 */ 781, /* OBJ_hmac_sha1 1 3 6 1 5 5 8 1 2 */ 58, /* OBJ_netscape_cert_extension 2 16 840 1 113730 1 */ @@ -5475,7 +5555,13 @@ static const unsigned int obj_objs[NUM_OBJ]={ 210, /* OBJ_id_smime_ct_DVCSRequestData 1 2 840 113549 1 9 16 1 7 */ 211, /* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */ 786, /* OBJ_id_smime_ct_compressedData 1 2 840 113549 1 9 16 1 9 */ +1001, /* OBJ_id_ct_routeOriginAuthz 1 2 840 113549 1 9 16 1 24 */ +1002, /* OBJ_id_ct_rpkiManifest 1 2 840 113549 1 9 16 1 26 */ 787, /* OBJ_id_ct_asciiTextWithCRLF 1 2 840 113549 1 9 16 1 27 */ +1003, /* OBJ_id_ct_rpkiGhostbusters 1 2 840 113549 1 9 16 1 35 */ +1004, /* OBJ_id_ct_resourceTaggedAttest 1 2 840 113549 1 9 16 1 36 */ +1013, /* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */ +1014, /* OBJ_id_ct_signedChecklist 1 2 840 113549 1 9 16 1 48 */ 212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */ 214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 59c597c..cffd006 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -1,4 +1,4 @@ -/* $OpenBSD: obj_xref.h,v 1.4 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: obj_xref.h,v 1.5 2021/05/12 10:24:39 inoguchi Exp $ */ /* AUTOGENERATED BY objxref.pl, DO NOT EDIT */ __BEGIN_HIDDEN_DECLS @@ -44,6 +44,16 @@ static const nid_triple sigoid_srt[] = {NID_rsassaPss, NID_undef, NID_rsaEncryption}, {NID_id_tc26_signwithdigest_gost3410_2012_256, NID_id_tc26_gost3411_2012_256, NID_id_GostR3410_2001}, {NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_tc26_gost3411_2012_512, NID_id_GostR3410_2001}, + {NID_dhSinglePass_stdDH_sha1kdf_scheme, NID_sha1, NID_dh_std_kdf}, + {NID_dhSinglePass_stdDH_sha224kdf_scheme, NID_sha224, NID_dh_std_kdf}, + {NID_dhSinglePass_stdDH_sha256kdf_scheme, NID_sha256, NID_dh_std_kdf}, + {NID_dhSinglePass_stdDH_sha384kdf_scheme, NID_sha384, NID_dh_std_kdf}, + {NID_dhSinglePass_stdDH_sha512kdf_scheme, NID_sha512, NID_dh_std_kdf}, + {NID_dhSinglePass_cofactorDH_sha1kdf_scheme, NID_sha1, NID_dh_cofactor_kdf}, + {NID_dhSinglePass_cofactorDH_sha224kdf_scheme, NID_sha224, NID_dh_cofactor_kdf}, + {NID_dhSinglePass_cofactorDH_sha256kdf_scheme, NID_sha256, NID_dh_cofactor_kdf}, + {NID_dhSinglePass_cofactorDH_sha384kdf_scheme, NID_sha384, NID_dh_cofactor_kdf}, + {NID_dhSinglePass_cofactorDH_sha512kdf_scheme, NID_sha512, NID_dh_cofactor_kdf}, }; static const nid_triple * const sigoid_srt_xref[] = @@ -61,19 +71,29 @@ static const nid_triple * const sigoid_srt_xref[] = &sigoid_srt[5], &sigoid_srt[8], &sigoid_srt[12], + &sigoid_srt[32], + &sigoid_srt[37], &sigoid_srt[6], &sigoid_srt[10], &sigoid_srt[11], &sigoid_srt[13], &sigoid_srt[24], &sigoid_srt[20], + &sigoid_srt[34], + &sigoid_srt[39], &sigoid_srt[14], &sigoid_srt[21], + &sigoid_srt[35], + &sigoid_srt[40], &sigoid_srt[15], &sigoid_srt[22], + &sigoid_srt[36], + &sigoid_srt[41], &sigoid_srt[16], &sigoid_srt[23], &sigoid_srt[19], + &sigoid_srt[33], + &sigoid_srt[38], &sigoid_srt[25], &sigoid_srt[26], &sigoid_srt[27], diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 0ed816c..cb5a2f3 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.16 2018/11/25 19:48:43 jmc Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.17 2020/10/09 17:19:35 tb Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -81,18 +81,19 @@ OCSP_ONEREQ * OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) { - OCSP_ONEREQ *one = NULL; + OCSP_ONEREQ *one; - if (!(one = OCSP_ONEREQ_new())) + if ((one = OCSP_ONEREQ_new()) == NULL) goto err; - if (one->reqCert) - OCSP_CERTID_free(one->reqCert); + if (req != NULL) { + if (!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) + goto err; + } + OCSP_CERTID_free(one->reqCert); one->reqCert = cid; - if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) - goto err; return one; -err: + err: OCSP_ONEREQ_free(one); return NULL; } diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c index 65bfaa0..e8e340a 100644 --- a/crypto/pkcs12/p12_attr.c +++ b/crypto/pkcs12/p12_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_attr.c,v 1.12 2018/08/24 20:07:41 tb Exp $ */ +/* $OpenBSD: p12_attr.c,v 1.13 2021/07/09 14:07:59 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -125,10 +125,10 @@ PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) if (!attrs) return NULL; - for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) { - attrib = sk_X509_ATTRIBUTE_value (attrs, i); - if (OBJ_obj2nid (attrib->object) == attr_nid) { - if (sk_ASN1_TYPE_num (attrib->value.set)) + for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) { + attrib = sk_X509_ATTRIBUTE_value(attrs, i); + if (OBJ_obj2nid(attrib->object) == attr_nid) { + if (sk_ASN1_TYPE_num(attrib->value.set)) return sk_ASN1_TYPE_value(attrib->value.set, 0); else return NULL; diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index d1f7d71..d21c9c1 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_crpt.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_crpt.c,v 1.15 2021/07/09 14:07:59 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -101,13 +101,13 @@ PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, } salt = pbe->salt->data; saltlen = pbe->salt->length; - if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID, + if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID, iter, EVP_CIPHER_key_length(cipher), key, md)) { PKCS12error(PKCS12_R_KEY_GEN_ERROR); PBEPARAM_free(pbe); return 0; } - if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID, + if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID, iter, EVP_CIPHER_iv_length(cipher), iv, md)) { PKCS12error(PKCS12_R_IV_GEN_ERROR); PBEPARAM_free(pbe); diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 1ef5c4a..8ac7f17 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_decr.c,v 1.19 2018/05/13 14:22:34 tb Exp $ */ +/* $OpenBSD: p12_decr.c,v 1.20 2021/07/09 14:08:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -156,7 +156,7 @@ PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, unsigned char *in = NULL; int inlen; - if (!(oct = ASN1_OCTET_STRING_new ())) { + if (!(oct = ASN1_OCTET_STRING_new())) { PKCS12error(ERR_R_MALLOC_FAILURE); return NULL; } diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index d419a9d..2887948 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_key.c,v 1.26 2017/05/02 03:59:45 deraadt Exp $ */ +/* $OpenBSD: p12_key.c,v 1.27 2021/07/09 14:08:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -143,7 +143,7 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, !EVP_DigestFinal_ex(&ctx, Ai, NULL)) goto err; } - memcpy (out, Ai, min (n, u)); + memcpy(out, Ai, min(n, u)); if (u >= n) { ret = 1; goto end; @@ -153,9 +153,9 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ - if (!BN_bin2bn (B, v, Bpl1)) + if (!BN_bin2bn(B, v, Bpl1)) goto err; - if (!BN_add_word (Bpl1, 1)) + if (!BN_add_word(Bpl1, 1)) goto err; for (j = 0; j < Ilen; j += v) { if (!BN_bin2bn(I + j, v, Ij)) @@ -164,12 +164,12 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, goto err; if (!BN_bn2bin(Ij, B)) goto err; - Ijlen = BN_num_bytes (Ij); + Ijlen = BN_num_bytes(Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { - if (!BN_bn2bin (Ij, B)) + if (!BN_bn2bin(Ij, B)) goto err; - memcpy (I + j, B + 1, v); + memcpy(I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { @@ -177,7 +177,7 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, if (!BN_bn2bin(Ij, I + j + v - Ijlen)) goto err; #endif - } else if (!BN_bn2bin (Ij, I + j)) + } else if (!BN_bn2bin(Ij, I + j)) goto err; } } diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index 102ca35..54a8092 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_kiss.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_kiss.c,v 1.21 2021/07/09 14:08:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -125,17 +125,19 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, return 0; } - if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) { + if (!parse_pk12(p12, pass, -1, pkey, ocerts)) { PKCS12error(PKCS12_R_PARSE_ERROR); goto err; } while ((x = sk_X509_pop(ocerts))) { if (pkey && *pkey && cert && !*cert) { + ERR_set_mark(); if (X509_check_private_key(x, *pkey)) { *cert = x; x = NULL; } + ERR_pop_to_mark(); } if (ca && x) { @@ -177,11 +179,11 @@ parse_pk12(PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey, int i, bagnid; PKCS7 *p7; - if (!(asafes = PKCS12_unpack_authsafes (p12))) + if (!(asafes = PKCS12_unpack_authsafes(p12))) return 0; - for (i = 0; i < sk_PKCS7_num (asafes); i++) { - p7 = sk_PKCS7_value (asafes, i); - bagnid = OBJ_obj2nid (p7->type); + for (i = 0; i < sk_PKCS7_num(asafes); i++) { + p7 = sk_PKCS7_value(asafes, i); + bagnid = OBJ_obj2nid(p7->type); if (bagnid == NID_pkcs7_data) { bags = PKCS12_unpack_p7data(p7); } else if (bagnid == NID_pkcs7_encrypted) { @@ -227,10 +229,10 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey, ASN1_BMPSTRING *fname = NULL; ASN1_OCTET_STRING *lkid = NULL; - if ((attrib = PKCS12_get_attr (bag, NID_friendlyName))) + if ((attrib = PKCS12_get_attr(bag, NID_friendlyName))) fname = attrib->value.bmpstring; - if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) + if ((attrib = PKCS12_get_attr(bag, NID_localKeyID))) lkid = attrib->value.octet_string; switch (OBJ_obj2nid(bag->type)) { diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index f3132ec..d45ab07 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_mutl.c,v 1.23 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_mutl.c,v 1.24 2021/07/09 14:08:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -192,7 +192,7 @@ PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, if (!salt) arc4random_buf(p12->mac->salt->data, saltlen); else - memcpy (p12->mac->salt->data, salt, saltlen); + memcpy(p12->mac->salt->data, salt, saltlen); p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type)); if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) { PKCS12error(ERR_R_MALLOC_FAILURE); diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 50e07f4..d205046 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */ +/* $OpenBSD: rsa_sign.c,v 1.32 2021/05/14 18:03:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -108,7 +108,7 @@ encode_pkcs1(unsigned char **out, int *out_len, int type, sig.algor->parameter = ¶meter; sig.digest = &digest; - sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */ + sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */ sig.digest->length = m_len; if ((len = i2d_X509_SIG(&sig, &der)) < 0) @@ -194,7 +194,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa, RSA_PKCS1_PADDING)) <= 0) goto err; - + if (type == NID_md5_sha1) { /* * NID_md5_sha1 corresponds to the MD5/SHA1 combination in @@ -229,7 +229,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, if (rm != NULL) { const EVP_MD *md; - if ((md = EVP_get_digestbynid(type)) == NULL) { + if ((md = EVP_get_digestbynid(type)) == NULL) { RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); goto err; } diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 36ead06..46704df 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_verify.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_rsp_verify.c,v 1.21 2021/07/02 11:15:08 schwarze Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -593,35 +593,40 @@ TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) } static int -TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, - unsigned char **imprint, unsigned *imprint_len) +TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **out_md_alg, + unsigned char **out_imprint, unsigned int *out_imprint_len) { - TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); + TS_MSG_IMPRINT *msg_imprint; + X509_ALGOR *md_alg_resp; + X509_ALGOR *md_alg = NULL; + unsigned char *imprint = NULL; + unsigned int imprint_len = 0; const EVP_MD *md; EVP_MD_CTX md_ctx; unsigned char buffer[4096]; int length; - *md_alg = NULL; - *imprint = NULL; + *out_md_alg = NULL; + *out_imprint = NULL; + *out_imprint_len = 0; - /* Return the MD algorithm of the response. */ - if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) + /* Retrieve the MD algorithm of the response. */ + msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); + md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); + if ((md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL) goto err; /* Getting the MD object. */ - if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) { + if ((md = EVP_get_digestbyobj((md_alg)->algorithm)) == NULL) { TSerror(TS_R_UNSUPPORTED_MD_ALGORITHM); goto err; } /* Compute message digest. */ - length = EVP_MD_size(md); - if (length < 0) + if ((length = EVP_MD_size(md)) < 0) goto err; - *imprint_len = length; - if (!(*imprint = malloc(*imprint_len))) { + imprint_len = length; + if ((imprint = malloc(imprint_len)) == NULL) { TSerror(ERR_R_MALLOC_FAILURE); goto err; } @@ -632,16 +637,20 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, if (!EVP_DigestUpdate(&md_ctx, buffer, length)) goto err; } - if (!EVP_DigestFinal(&md_ctx, *imprint, NULL)) + if (!EVP_DigestFinal(&md_ctx, imprint, NULL)) goto err; + *out_md_alg = md_alg; + md_alg = NULL; + *out_imprint = imprint; + imprint = NULL; + *out_imprint_len = imprint_len; + return 1; err: - X509_ALGOR_free(*md_alg); - free(*imprint); - *imprint = NULL; - *imprint_len = 0; + X509_ALGOR_free(md_alg); + free(imprint); return 0; } @@ -711,7 +720,7 @@ TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) /* Check the subject name first. */ if (tsa_name->type == GEN_DIRNAME && - X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) + X509_NAME_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) return 1; /* Check all the alternative names. */ diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index 1a7ae6e..18d60b7 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: ext_dat.h,v 1.3 2021/09/02 21:27:26 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -72,7 +72,7 @@ extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern X509V3_EXT_METHOD v3_addr, v3_asid; +extern const X509V3_EXT_METHOD v3_addr, v3_asid; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -105,6 +105,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_RFC3779 + &v3_addr, + &v3_asid, +#endif #ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, diff --git a/crypto/x509/x509_addr.c b/crypto/x509/x509_addr.c new file mode 100644 index 0000000..ccc06bb --- /dev/null +++ b/crypto/x509/x509_addr.c @@ -0,0 +1,1541 @@ +/* + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Implementation of RFC 3779 section 2.2. + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include "ext_dat.h" + +#ifndef OPENSSL_NO_RFC3779 + +/* + * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. + */ + +static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressRange, min), + .field_name = "min", + .item = &ASN1_BIT_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressRange, max), + .field_name = "max", + .item = &ASN1_BIT_STRING_it, + }, +}; + +const ASN1_ITEM IPAddressRange_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = IPAddressRange_seq_tt, + .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(IPAddressRange), + .sname = "IPAddressRange", +}; + +static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressOrRange, u.addressPrefix), + .field_name = "u.addressPrefix", + .item = &ASN1_BIT_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressOrRange, u.addressRange), + .field_name = "u.addressRange", + .item = &IPAddressRange_it, + }, +}; + +const ASN1_ITEM IPAddressOrRange_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(IPAddressOrRange, type), + .templates = IPAddressOrRange_ch_tt, + .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(IPAddressOrRange), + .sname = "IPAddressOrRange", +}; + +static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressChoice, u.inherit), + .field_name = "u.inherit", + .item = &ASN1_NULL_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(IPAddressChoice, u.addressesOrRanges), + .field_name = "u.addressesOrRanges", + .item = &IPAddressOrRange_it, + }, +}; + +const ASN1_ITEM IPAddressChoice_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(IPAddressChoice, type), + .templates = IPAddressChoice_ch_tt, + .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(IPAddressChoice), + .sname = "IPAddressChoice", +}; + +static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressFamily, addressFamily), + .field_name = "addressFamily", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(IPAddressFamily, ipAddressChoice), + .field_name = "ipAddressChoice", + .item = &IPAddressChoice_it, + }, +}; + +const ASN1_ITEM IPAddressFamily_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = IPAddressFamily_seq_tt, + .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(IPAddressFamily), + .sname = "IPAddressFamily", +}; + +static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = 0, + .field_name = "IPAddrBlocks", + .item = &IPAddressFamily_it, +}; + +/* XXX: maybe special? */ +static const ASN1_ITEM IPAddrBlocks_it = { + .itype = ASN1_ITYPE_PRIMITIVE, + .utype = -1, + .templates = &IPAddrBlocks_item_tt, + .tcount = 0, + .funcs = NULL, + .size = 0, + .sname = "IPAddrBlocks", +}; + +IPAddressRange * +d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) +{ + return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &IPAddressRange_it); +} + +int +i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); +} + +IPAddressRange * +IPAddressRange_new(void) +{ + return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); +} + +void +IPAddressRange_free(IPAddressRange *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); +} + +IPAddressOrRange * +d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) +{ + return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &IPAddressOrRange_it); +} + +int +i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); +} + +IPAddressOrRange * +IPAddressOrRange_new(void) +{ + return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); +} + +void +IPAddressOrRange_free(IPAddressOrRange *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); +} + +IPAddressChoice * +d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) +{ + return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &IPAddressChoice_it); +} + +int +i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); +} + +IPAddressChoice * +IPAddressChoice_new(void) +{ + return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); +} + +void +IPAddressChoice_free(IPAddressChoice *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); +} + +IPAddressFamily * +d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) +{ + return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &IPAddressFamily_it); +} + +int +i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); +} + +IPAddressFamily * +IPAddressFamily_new(void) +{ + return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); +} + +void +IPAddressFamily_free(IPAddressFamily *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); +} + +/* + * How much buffer space do we need for a raw address? + */ +#define ADDR_RAW_BUF_LEN 16 + +/* + * What's the address length associated with this AFI? + */ +static int +length_from_afi(const unsigned afi) +{ + switch (afi) { + case IANA_AFI_IPV4: + return 4; + case IANA_AFI_IPV6: + return 16; + default: + return 0; + } +} + +/* + * Extract the AFI from an IPAddressFamily. + */ +unsigned int +X509v3_addr_get_afi(const IPAddressFamily *f) +{ + if (f == NULL || + f->addressFamily == NULL || + f->addressFamily->data == NULL || + f->addressFamily->length < 2) + return 0; + return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; +} + +/* + * Expand the bitstring form of an address into a raw byte array. + * At the moment this is coded for simplicity, not speed. + */ +static int +addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, + const unsigned char fill) +{ + if (bs->length < 0 || bs->length > length) + return 0; + if (bs->length > 0) { + memcpy(addr, bs->data, bs->length); + if ((bs->flags & 7) != 0) { + unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); + if (fill == 0) + addr[bs->length - 1] &= ~mask; + else + addr[bs->length - 1] |= mask; + } + } + memset(addr + bs->length, fill, length - bs->length); + return 1; +} + +/* + * Extract the prefix length from a bitstring. + */ +#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) + +/* + * i2r handler for one address bitstring. + */ +static int +i2r_address(BIO *out, const unsigned afi, const unsigned char fill, + const ASN1_BIT_STRING *bs) +{ + unsigned char addr[ADDR_RAW_BUF_LEN]; + int i, n; + + if (bs->length < 0) + return 0; + switch (afi) { + case IANA_AFI_IPV4: + if (!addr_expand(addr, bs, 4, fill)) + return 0; + BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], + addr[3]); + break; + case IANA_AFI_IPV6: + if (!addr_expand(addr, bs, 16, fill)) + return 0; + for (n = 16; + n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2) + continue; + for (i = 0; i < n; i += 2) + BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], + (i < 14 ? ":" : "")); + if (i < 16) + BIO_puts(out, ":"); + if (i == 0) + BIO_puts(out, ":"); + break; + default: + for (i = 0; i < bs->length; i++) + BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), + bs->data[i]); + BIO_printf(out, "[%d]", (int)(bs->flags & 7)); + break; + } + return 1; +} + +/* + * i2r handler for a sequence of addresses and ranges. + */ +static int +i2r_IPAddressOrRanges(BIO *out, const int indent, + const IPAddressOrRanges *aors, const unsigned afi) +{ + int i; + for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { + const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); + BIO_printf(out, "%*s", indent, ""); + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) + return 0; + BIO_printf(out, "/%d\n", + addr_prefixlen(aor->u.addressPrefix)); + continue; + case IPAddressOrRange_addressRange: + if (!i2r_address(out, afi, 0x00, + aor->u.addressRange->min)) + return 0; + BIO_puts(out, "-"); + if (!i2r_address(out, afi, 0xFF, + aor->u.addressRange->max)) + return 0; + BIO_puts(out, "\n"); + continue; + } + } + return 1; +} + +/* + * i2r handler for an IPAddrBlocks extension. + */ +static int +i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out, + int indent) +{ + const IPAddrBlocks *addr = ext; + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + const unsigned int afi = X509v3_addr_get_afi(f); + switch (afi) { + case IANA_AFI_IPV4: + BIO_printf(out, "%*sIPv4", indent, ""); + break; + case IANA_AFI_IPV6: + BIO_printf(out, "%*sIPv6", indent, ""); + break; + default: + BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); + break; + } + if (f->addressFamily->length > 2) { + switch (f->addressFamily->data[2]) { + case 1: + BIO_puts(out, " (Unicast)"); + break; + case 2: + BIO_puts(out, " (Multicast)"); + break; + case 3: + BIO_puts(out, " (Unicast/Multicast)"); + break; + case 4: + BIO_puts(out, " (MPLS)"); + break; + case 64: + BIO_puts(out, " (Tunnel)"); + break; + case 65: + BIO_puts(out, " (VPLS)"); + break; + case 66: + BIO_puts(out, " (BGP MDT)"); + break; + case 128: + BIO_puts(out, " (MPLS-labeled VPN)"); + break; + default: + BIO_printf(out, " (Unknown SAFI %u)", + (unsigned)f->addressFamily->data[2]); + break; + } + } + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + BIO_puts(out, ": inherit\n"); + break; + case IPAddressChoice_addressesOrRanges: + BIO_puts(out, ":\n"); + if (!i2r_IPAddressOrRanges(out, + indent + 2, + f->ipAddressChoice-> + u.addressesOrRanges, afi)) + return 0; + break; + } + } + return 1; +} + +/* + * Sort comparison function for a sequence of IPAddressOrRange + * elements. + * + * There's no sane answer we can give if addr_expand() fails, and an + * assertion failure on externally supplied data is seriously uncool, + * so we just arbitrarily declare that if given invalid inputs this + * function returns -1. If this messes up your preferred sort order + * for garbage input, tough noogies. + */ +static int +IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b, + const int length) +{ + unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; + int prefixlen_a = 0, prefixlen_b = 0; + int r; + + switch (a->type) { + case IPAddressOrRange_addressPrefix: + if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) + return -1; + prefixlen_a = addr_prefixlen(a->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) + return -1; + prefixlen_a = length * 8; + break; + } + + switch (b->type) { + case IPAddressOrRange_addressPrefix: + if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) + return -1; + prefixlen_b = addr_prefixlen(b->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) + return -1; + prefixlen_b = length * 8; + break; + } + + if ((r = memcmp(addr_a, addr_b, length)) != 0) + return r; + else + return prefixlen_a - prefixlen_b; +} + +/* + * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparison routines are only allowed two arguments. + */ +static int +v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, + const IPAddressOrRange *const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 4); +} + +/* + * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparison routines are only allowed two arguments. + */ +static int +v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, + const IPAddressOrRange *const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 16); +} + +/* + * Calculate whether a range collapses to a prefix. + * See last paragraph of RFC 3779 2.2.3.7. + */ +static int +range_should_be_prefix(const unsigned char *min, const unsigned char *max, + const int length) +{ + unsigned char mask; + int i, j; + + if (memcmp(min, max, length) <= 0) + return -1; + for (i = 0; i < length && min[i] == max[i]; i++) + continue; + for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) + continue; + if (i < j) + return -1; + if (i > j) + return i * 8; + mask = min[i] ^ max[i]; + switch (mask) { + case 0x01: + j = 7; + break; + case 0x03: + j = 6; + break; + case 0x07: + j = 5; + break; + case 0x0F: + j = 4; + break; + case 0x1F: + j = 3; + break; + case 0x3F: + j = 2; + break; + case 0x7F: + j = 1; + break; + default: + return -1; + } + if ((min[i] & mask) != 0 || (max[i] & mask) != mask) + return -1; + else + return i * 8 + j; +} + +/* + * Construct a prefix. + */ +static int +make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, + const int prefixlen) +{ + int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; + IPAddressOrRange *aor = IPAddressOrRange_new(); + + if (aor == NULL) + return 0; + aor->type = IPAddressOrRange_addressPrefix; + if (aor->u.addressPrefix == NULL && + (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) + goto err; + aor->u.addressPrefix->flags &= ~7; + aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (bitlen > 0) { + aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); + aor->u.addressPrefix->flags |= 8 - bitlen; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a range. If it can be expressed as a prefix, + * return a prefix instead. Doing this here simplifies + * the rest of the code considerably. + */ +static int +make_addressRange(IPAddressOrRange **result, unsigned char *min, + unsigned char *max, const int length) +{ + IPAddressOrRange *aor; + int i, prefixlen; + + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) + return make_addressPrefix(result, min, prefixlen); + + if ((aor = IPAddressOrRange_new()) == NULL) + return 0; + aor->type = IPAddressOrRange_addressRange; + if ((aor->u.addressRange = IPAddressRange_new()) == NULL) + goto err; + if (aor->u.addressRange->min == NULL && + (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (aor->u.addressRange->max == NULL && + (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) + goto err; + + for (i = length; i > 0 && min[i - 1] == 0x00; --i) + continue; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) + goto err; + aor->u.addressRange->min->flags &= ~7; + aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = min[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != 0) + ++j; + aor->u.addressRange->min->flags |= 8 - j; + } + + for (i = length; i > 0 && max[i - 1] == 0xFF; --i) + continue; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) + goto err; + aor->u.addressRange->max->flags &= ~7; + aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = max[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != (0xFFU >> j)) + ++j; + aor->u.addressRange->max->flags |= 8 - j; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a new address family or find an existing one. + */ +static IPAddressFamily * +make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f; + unsigned char key[3]; + int keylen; + int i; + + key[0] = (afi >> 8) & 0xFF; + key[1] = afi & 0xFF; + if (safi != NULL) { + key[2] = *safi & 0xFF; + keylen = 3; + } else { + keylen = 2; + } + + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + f = sk_IPAddressFamily_value(addr, i); + if (f->addressFamily->length == keylen && + !memcmp(f->addressFamily->data, key, keylen)) + return f; + } + + if ((f = IPAddressFamily_new()) == NULL) + goto err; + if (f->ipAddressChoice == NULL && + (f->ipAddressChoice = IPAddressChoice_new()) == NULL) + goto err; + if (f->addressFamily == NULL && + (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) + goto err; + if (!sk_IPAddressFamily_push(addr, f)) + goto err; + + return f; + + err: + IPAddressFamily_free(f); + return NULL; +} + +/* + * Add an inheritance element. + */ +int +X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && + f->ipAddressChoice->u.addressesOrRanges != NULL)) + return 0; + if (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL) + return 1; + if (f->ipAddressChoice->u.inherit == NULL && + (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + f->ipAddressChoice->type = IPAddressChoice_inherit; + return 1; +} + +/* + * Construct an IPAddressOrRange sequence, or return an existing one. + */ +static IPAddressOrRanges * +make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + IPAddressOrRanges *aors = NULL; + + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL)) + return NULL; + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) + aors = f->ipAddressChoice->u.addressesOrRanges; + if (aors != NULL) + return aors; + if ((aors = sk_IPAddressOrRange_new_null()) == NULL) + return NULL; + switch (afi) { + case IANA_AFI_IPV4: + (void)sk_IPAddressOrRange_set_cmp_func(aors, + v4IPAddressOrRange_cmp); + break; + case IANA_AFI_IPV6: + (void)sk_IPAddressOrRange_set_cmp_func(aors, + v6IPAddressOrRange_cmp); + break; + } + f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; + f->ipAddressChoice->u.addressesOrRanges = aors; + return aors; +} + +/* + * Add a prefix. + */ +int +X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, + const unsigned *safi, unsigned char *a, const int prefixlen) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Add a range. + */ +int +X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, + const unsigned *safi, unsigned char *min, unsigned char *max) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + int length = length_from_afi(afi); + if (aors == NULL) + return 0; + if (!make_addressRange(&aor, min, max, length)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an IPAddressOrRange. + */ +static int +extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max, + int length) +{ + if (aor == NULL || min == NULL || max == NULL) + return 0; + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && + addr_expand(max, aor->u.addressPrefix, length, 0xFF)); + case IPAddressOrRange_addressRange: + return (addr_expand(min, aor->u.addressRange->min, length, + 0x00) && + addr_expand(max, aor->u.addressRange->max, length, 0xFF)); + } + return 0; +} + +/* + * Public wrapper for extract_min_max(). + */ +int +X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, + unsigned char *min, unsigned char *max, const int length) +{ + int afi_length = length_from_afi(afi); + if (aor == NULL || min == NULL || max == NULL || + afi_length == 0 || length < afi_length || + (aor->type != IPAddressOrRange_addressPrefix && + aor->type != IPAddressOrRange_addressRange) || + !extract_min_max(aor, min, max, afi_length)) + return 0; + + return afi_length; +} + +/* + * Sort comparison function for a sequence of IPAddressFamily. + * + * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about + * the ordering: I can read it as meaning that IPv6 without a SAFI + * comes before IPv4 with a SAFI, which seems pretty weird. The + * examples in appendix B suggest that the author intended the + * null-SAFI rule to apply only within a single AFI, which is what I + * would have expected and is what the following code implements. + */ +static int +IPAddressFamily_cmp(const IPAddressFamily *const *a_, + const IPAddressFamily *const *b_) +{ + const ASN1_OCTET_STRING *a = (*a_)->addressFamily; + const ASN1_OCTET_STRING *b = (*b_)->addressFamily; + int len = ((a->length <= b->length) ? a->length : b->length); + int cmp = memcmp(a->data, b->data, len); + return cmp ? cmp : a->length - b->length; +} + +/* + * Check whether an IPAddrBLocks is in canonical form. + */ +int +X509v3_addr_is_canonical(IPAddrBlocks *addr) +{ + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + IPAddressOrRanges *aors; + int i, j, k; + + /* + * Empty extension is canonical. + */ + if (addr == NULL) + return 1; + + /* + * Check whether the top-level list is in order. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { + const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); + const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + if (IPAddressFamily_cmp(&a, &b) >= 0) + return 0; + } + + /* + * Top level's ok, now check each address family. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + int length = length_from_afi(X509v3_addr_get_afi(f)); + + /* + * Inheritance is canonical. Anything other than inheritance + * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or + * something. + */ + if (f == NULL || f->ipAddressChoice == NULL) + return 0; + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + continue; + case IPAddressChoice_addressesOrRanges: + break; + default: + return 0; + } + + /* + * It's an IPAddressOrRanges sequence, check it. + */ + aors = f->ipAddressChoice->u.addressesOrRanges; + if (sk_IPAddressOrRange_num(aors) == 0) + return 0; + for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, + j + 1); + + if (!extract_min_max(a, a_min, a_max, length) || + !extract_min_max(b, b_min, b_max, length)) + return 0; + + /* + * Punt misordered list, overlapping start, or inverted + * range. + */ + if (memcmp(a_min, b_min, length) >= 0 || + memcmp(a_min, a_max, length) > 0 || + memcmp(b_min, b_max, length) > 0) + return 0; + + /* + * Punt if adjacent or overlapping. Check for adjacency by + * subtracting one from b_min first. + */ + for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) + continue; + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Check for range that should be expressed as a prefix. + */ + if (a->type == IPAddressOrRange_addressRange && + range_should_be_prefix(a_min, a_max, length) >= 0) + return 0; + } + + /* + * Check range to see if it's inverted or should be a + * prefix. + */ + j = sk_IPAddressOrRange_num(aors) - 1; + { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + if (a != NULL && + a->type == IPAddressOrRange_addressRange) { + if (!extract_min_max(a, a_min, a_max, length)) + return 0; + if (memcmp(a_min, a_max, length) > 0 || + range_should_be_prefix(a_min, a_max, + length) >= 0) + return 0; + } + } + } + + /* + * If we made it through all that, we're happy. + */ + return 1; +} + +/* + * Whack an IPAddressOrRanges into canonical form. + */ +static int +IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi) +{ + int i, j, length = length_from_afi(afi); + + /* + * Sort the IPAddressOrRanges sequence. + */ + sk_IPAddressOrRange_sort(aors); + + /* + * Clean up representation issues, punt on duplicates or overlaps. + */ + for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + + if (!extract_min_max(a, a_min, a_max, length) || + !extract_min_max(b, b_min, b_max, length)) + return 0; + + /* + * Punt inverted ranges. + */ + if (memcmp(a_min, a_max, length) > 0 || + memcmp(b_min, b_max, length) > 0) + return 0; + + /* + * Punt overlaps. + */ + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Merge if a and b are adjacent. We check for + * adjacency by subtracting one from b_min first. + */ + for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) + continue; + if (memcmp(a_max, b_min, length) == 0) { + IPAddressOrRange *merged; + if (!make_addressRange(&merged, a_min, b_max, length)) + return 0; + (void)sk_IPAddressOrRange_set(aors, i, merged); + (void)sk_IPAddressOrRange_delete(aors, i + 1); + IPAddressOrRange_free(a); + IPAddressOrRange_free(b); + --i; + continue; + } + } + + /* + * Check for inverted final range. + */ + j = sk_IPAddressOrRange_num(aors) - 1; + { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + if (a != NULL && a->type == IPAddressOrRange_addressRange) { + unsigned char a_min[ADDR_RAW_BUF_LEN], + a_max[ADDR_RAW_BUF_LEN]; + if (!extract_min_max(a, a_min, a_max, length)) + return 0; + if (memcmp(a_min, a_max, length) > 0) + return 0; + } + } + + return 1; +} + +/* + * Whack an IPAddrBlocks extension into canonical form. + */ +int +X509v3_addr_canonize(IPAddrBlocks *addr) +{ + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == + IPAddressChoice_addressesOrRanges && + !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, + X509v3_addr_get_afi(f))) + return 0; + } + (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); + sk_IPAddressFamily_sort(addr); + OPENSSL_assert(X509v3_addr_is_canonical(addr)); + return 1; +} + +/* + * v2i handler for the IPAddrBlocks extension. + */ +static void * +v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE)*values) +{ + static const char v4addr_chars[] = "0123456789."; + static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; + IPAddrBlocks *addr = NULL; + char *s = NULL, *t; + int i; + + if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; + unsigned afi, *safi = NULL, safi_; + const char *addr_chars = NULL; + int prefixlen, i1, i2, delim, length; + + if (!name_cmp(val->name, "IPv4")) { + afi = IANA_AFI_IPV4; + } else if (!name_cmp(val->name, "IPv6")) { + afi = IANA_AFI_IPV6; + } else if (!name_cmp(val->name, "IPv4-SAFI")) { + afi = IANA_AFI_IPV4; + safi = &safi_; + } else if (!name_cmp(val->name, "IPv6-SAFI")) { + afi = IANA_AFI_IPV6; + safi = &safi_; + } else { + X509V3error(X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + switch (afi) { + case IANA_AFI_IPV4: + addr_chars = v4addr_chars; + break; + case IANA_AFI_IPV6: + addr_chars = v6addr_chars; + break; + } + + length = length_from_afi(afi); + + /* + * Handle SAFI, if any, and strdup() so we can null-terminate + * the other input values. + */ + if (safi != NULL) { + *safi = strtoul(val->value, &t, 0); + t += strspn(t, " \t"); + if (*safi > 0xFF || *t++ != ':') { + X509V3error(X509V3_R_INVALID_SAFI); + X509V3_conf_err(val); + goto err; + } + t += strspn(t, " \t"); + s = strdup(t); + } else { + s = strdup(val->value); + } + if (s == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + + /* + * Check for inheritance. Not worth additional complexity to + * optimize this (seldom-used) case. + */ + if (strcmp(s, "inherit") == 0) { + if (!X509v3_addr_add_inherit(addr, afi, safi)) { + X509V3error(X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + free(s); + s = NULL; + continue; + } + + i1 = strspn(s, addr_chars); + i2 = i1 + strspn(s + i1, " \t"); + delim = s[i2++]; + s[i1] = '\0'; + + if (a2i_ipadd(min, s) != length) { + X509V3error(X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + + switch (delim) { + case '/': + prefixlen = (int)strtoul(s + i2, &t, 10); + if (t == s + i2 || *t != '\0') { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (!X509v3_addr_add_prefix(addr, afi, safi, min, + prefixlen)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '-': + i1 = i2 + strspn(s + i2, " \t"); + i2 = i1 + strspn(s + i1, addr_chars); + if (i1 == i2 || s[i2] != '\0') { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (a2i_ipadd(max, s + i1) != length) { + X509V3error(X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + if (memcmp(min, max, length_from_afi(afi)) > 0) { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '\0': + if (!X509v3_addr_add_prefix(addr, afi, safi, min, + length * 8)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + break; + default: + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + + free(s); + s = NULL; + } + + /* + * Canonize the result, then we're done. + */ + if (!X509v3_addr_canonize(addr)) + goto err; + return addr; + + err: + free(s); + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + return NULL; +} + +/* + * OpenSSL dispatch + */ +const X509V3_EXT_METHOD v3_addr = { + NID_sbgp_ipAddrBlock, /* nid */ + 0, /* flags */ + &IPAddrBlocks_it, + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_IPAddrBlocks, /* v2i */ + i2r_IPAddrBlocks, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension sues inheritance. + */ +int +X509v3_addr_inherits(IPAddrBlocks *addr) +{ + int i; + if (addr == NULL) + return 0; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == IPAddressChoice_inherit) + return 1; + } + return 0; +} + +/* + * Figure out whether parent contains child. + */ +static int +addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length) +{ + unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; + unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { + if (!extract_min_max(sk_IPAddressOrRange_value(child, c), + c_min, c_max, length)) + return -1; + for (;; p++) { + if (p >= sk_IPAddressOrRange_num(parent)) + return 0; + if (!extract_min_max(sk_IPAddressOrRange_value(parent, + p), p_min, p_max, length)) + return 0; + if (memcmp(p_max, c_max, length) < 0) + continue; + if (memcmp(p_min, c_min, length) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subset of b. + */ +int +X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) +{ + int i; + if (a == NULL || a == b) + return 1; + if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) + return 0; + (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); + for (i = 0; i < sk_IPAddressFamily_num(a); i++) { + IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); + int j = sk_IPAddressFamily_find(b, fa); + IPAddressFamily *fb; + fb = sk_IPAddressFamily_value(b, j); + if (fb == NULL) + return 0; + if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, + fa->ipAddressChoice->u.addressesOrRanges, + length_from_afi(X509v3_addr_get_afi(fb)))) + return 0; + } + return 1; +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 2.3 path validation. + * + * Returns 1 for success, 0 on error. + * + * When returning 0, ctx->error MUST be set to an appropriate value other than + * X509_V_OK. + */ +static int +addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain, + IPAddrBlocks *ext) +{ + IPAddrBlocks *child = NULL; + int i, j, ret = 1; + X509 *x; + + OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); + OPENSSL_assert(ctx != NULL || ext != NULL); + OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to check, + * we're done. Otherwise, check canonical form and set up for walking + * up the chain. + */ + if (ext != NULL) { + i = -1; + x = NULL; + } else { + i = 0; + x = sk_X509_value(chain, i); + if ((ext = x->rfc3779_addr) == NULL) + goto done; + } + if (!X509v3_addr_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); + if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + if (ctx != NULL) + ctx->error = X509_V_ERR_OUT_OF_MEM; + ret = 0; + goto done; + } + + /* + * Now walk up the chain. No cert may list resources that its parent + * doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + if (!X509v3_addr_is_canonical(x->rfc3779_addr)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_addr == NULL) { + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, + j); + if (fc->ipAddressChoice->type != + IPAddressChoice_inherit) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + } + continue; + } + (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, + IPAddressFamily_cmp); + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); + IPAddressFamily *fp = + sk_IPAddressFamily_value(x->rfc3779_addr, k); + if (fp == NULL) { + if (fc->ipAddressChoice->type == + IPAddressChoice_addressesOrRanges) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + continue; + } + if (fp->ipAddressChoice->type == + IPAddressChoice_addressesOrRanges) { + if (fc->ipAddressChoice->type == + IPAddressChoice_inherit || + addr_contains(fp->ipAddressChoice->u.addressesOrRanges, + fc->ipAddressChoice->u.addressesOrRanges, + length_from_afi(X509v3_addr_get_afi(fc)))) + sk_IPAddressFamily_set(child, j, fp); + else + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_addr != NULL) { + for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { + IPAddressFamily *fp = + sk_IPAddressFamily_value(x->rfc3779_addr, j); + if (fp->ipAddressChoice->type == + IPAddressChoice_inherit && + sk_IPAddressFamily_find(child, fp) >= 0) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + + done: + sk_IPAddressFamily_free(child); + return ret; +} + +#undef validation_err + +/* + * RFC 3779 2.3 path validation -- called from X509_verify_cert(). + */ +int +X509v3_addr_validate_path(X509_STORE_CTX *ctx) +{ + if (ctx->chain == NULL || + sk_X509_num(ctx->chain) == 0 || + ctx->verify_cb == NULL) { + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } + return addr_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 2.3 path validation of an extension. + * Test whether chain covers extension. + */ +int +X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && X509v3_addr_inherits(ext)) + return 0; + return addr_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509/x509_alt.c b/crypto/x509/x509_alt.c index 45aaec2..5b9f490 100644 --- a/crypto/x509/x509_alt.c +++ b/crypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -264,15 +264,18 @@ GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) break; case GEN_EMAIL: - BIO_printf(out, "email:%s", gen->d.ia5->data); + BIO_printf(out, "email:%.*s", gen->d.ia5->length, + gen->d.ia5->data); break; case GEN_DNS: - BIO_printf(out, "DNS:%s", gen->d.ia5->data); + BIO_printf(out, "DNS:%.*s", gen->d.ia5->length, + gen->d.ia5->data); break; case GEN_URI: - BIO_printf(out, "URI:%s", gen->d.ia5->data); + BIO_printf(out, "URI:%.*s", gen->d.ia5->length, + gen->d.ia5->data); break; case GEN_DIRNAME: diff --git a/crypto/x509/x509_asid.c b/crypto/x509/x509_asid.c new file mode 100644 index 0000000..ed99ca7 --- /dev/null +++ b/crypto/x509/x509_asid.c @@ -0,0 +1,1083 @@ +/* + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Implementation of RFC 3779 section 3.2. + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "ext_dat.h" + +#ifndef OPENSSL_NO_RFC3779 + +static const ASN1_TEMPLATE ASRange_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(ASRange, min), + .field_name = "min", + .item = &ASN1_INTEGER_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(ASRange, max), + .field_name = "max", + .item = &ASN1_INTEGER_it, + }, +}; + +const ASN1_ITEM ASRange_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = ASRange_seq_tt, + .tcount = sizeof(ASRange_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(ASRange), + .sname = "ASRange", +}; + +static const ASN1_TEMPLATE ASIdOrRange_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(ASIdOrRange, u.id), + .field_name = "u.id", + .item = &ASN1_INTEGER_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(ASIdOrRange, u.range), + .field_name = "u.range", + .item = &ASRange_it, + }, +}; + +const ASN1_ITEM ASIdOrRange_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(ASIdOrRange, type), + .templates = ASIdOrRange_ch_tt, + .tcount = sizeof(ASIdOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(ASIdOrRange), + .sname = "ASIdOrRange", +}; + +static const ASN1_TEMPLATE ASIdentifierChoice_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(ASIdentifierChoice, u.inherit), + .field_name = "u.inherit", + .item = &ASN1_NULL_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(ASIdentifierChoice, u.asIdsOrRanges), + .field_name = "u.asIdsOrRanges", + .item = &ASIdOrRange_it, + }, +}; + +const ASN1_ITEM ASIdentifierChoice_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(ASIdentifierChoice, type), + .templates = ASIdentifierChoice_ch_tt, + .tcount = sizeof(ASIdentifierChoice_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(ASIdentifierChoice), + .sname = "ASIdentifierChoice", +}; + +static const ASN1_TEMPLATE ASIdentifiers_seq_tt[] = { + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(ASIdentifiers, asnum), + .field_name = "asnum", + .item = &ASIdentifierChoice_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(ASIdentifiers, rdi), + .field_name = "rdi", + .item = &ASIdentifierChoice_it, + }, +}; + +const ASN1_ITEM ASIdentifiers_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = ASIdentifiers_seq_tt, + .tcount = sizeof(ASIdentifiers_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(ASIdentifiers), + .sname = "ASIdentifiers", +}; + +ASRange * +d2i_ASRange(ASRange **a, const unsigned char **in, long len) +{ + return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &ASRange_it); +} + +int +i2d_ASRange(ASRange *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASRange_it); +} + +ASRange * +ASRange_new(void) +{ + return (ASRange *)ASN1_item_new(&ASRange_it); +} + +void +ASRange_free(ASRange *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &ASRange_it); +} + +ASIdOrRange * +d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len) +{ + return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &ASIdOrRange_it); +} + +int +i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdOrRange_it); +} + +ASIdOrRange * +ASIdOrRange_new(void) +{ + return (ASIdOrRange *)ASN1_item_new(&ASIdOrRange_it); +} + +void +ASIdOrRange_free(ASIdOrRange *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &ASIdOrRange_it); +} + +ASIdentifierChoice * +d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, + long len) +{ + return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &ASIdentifierChoice_it); +} + +int +i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifierChoice_it); +} + +ASIdentifierChoice * +ASIdentifierChoice_new(void) +{ + return (ASIdentifierChoice *)ASN1_item_new(&ASIdentifierChoice_it); +} + +void +ASIdentifierChoice_free(ASIdentifierChoice *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &ASIdentifierChoice_it); +} + +ASIdentifiers * +d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len) +{ + return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &ASIdentifiers_it); +} + +int +i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifiers_it); +} + +ASIdentifiers * +ASIdentifiers_new(void) +{ + return (ASIdentifiers *)ASN1_item_new(&ASIdentifiers_it); +} + +void +ASIdentifiers_free(ASIdentifiers *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &ASIdentifiers_it); +} + +/* + * i2r method for an ASIdentifierChoice. + */ +static int +i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent, + const char *msg) +{ + int i; + char *s; + if (choice == NULL) + return 1; + BIO_printf(out, "%*s%s:\n", indent, "", msg); + switch (choice->type) { + case ASIdentifierChoice_inherit: + BIO_printf(out, "%*sinherit\n", indent + 2, ""); + break; + case ASIdentifierChoice_asIdsOrRanges: + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); + i++) { + ASIdOrRange *aor = + sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + switch (aor->type) { + case ASIdOrRange_id: + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == + NULL) + return 0; + BIO_printf(out, "%*s%s\n", indent + 2, "", s); + free(s); + break; + case ASIdOrRange_range: + if ((s = i2s_ASN1_INTEGER(NULL, + aor->u.range->min)) == NULL) + return 0; + BIO_printf(out, "%*s%s-", indent + 2, "", s); + free(s); + if ((s = i2s_ASN1_INTEGER(NULL, + aor->u.range->max)) == NULL) + return 0; + BIO_printf(out, "%s\n", s); + free(s); + break; + default: + return 0; + } + } + break; + default: + return 0; + } + return 1; +} + +/* + * i2r method for an ASIdentifier extension. + */ +static int +i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out, + int indent) +{ + ASIdentifiers *asid = ext; + return (i2r_ASIdentifierChoice(out, asid->asnum, indent, + "Autonomous System Numbers") && + i2r_ASIdentifierChoice(out, asid->rdi, indent, + "Routing Domain Identifiers")); +} + +/* + * Sort comparison function for a sequence of ASIdOrRange elements. + */ +static int +ASIdOrRange_cmp(const ASIdOrRange *const *a_, const ASIdOrRange *const *b_) +{ + const ASIdOrRange *a = *a_, *b = *b_; + + /* XXX: these asserts need to be replaced */ + OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || + (a->type == ASIdOrRange_range && a->u.range != NULL && + a->u.range->min != NULL && a->u.range->max != NULL)); + + OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || + (b->type == ASIdOrRange_range && b->u.range != NULL && + b->u.range->min != NULL && b->u.range->max != NULL)); + + if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.id); + + if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { + int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); + return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, + b->u.range->max); + } + + if (a->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); + else + return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); +} + +/* + * Add an inherit element. + */ +int +X509v3_asid_add_inherit(ASIdentifiers *asid, int which) +{ + ASIdentifierChoice **choice; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_inherit; + } + return (*choice)->type == ASIdentifierChoice_inherit; +} + +/* + * Add an ID or range to an ASIdentifierChoice. + */ +int +X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min, + ASN1_INTEGER *max) +{ + ASIdentifierChoice **choice; + ASIdOrRange *aor; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) + return 0; + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); + if ((*choice)->u.asIdsOrRanges == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_asIdsOrRanges; + } + if ((aor = ASIdOrRange_new()) == NULL) + return 0; + if (max == NULL) { + aor->type = ASIdOrRange_id; + aor->u.id = min; + } else { + aor->type = ASIdOrRange_range; + if ((aor->u.range = ASRange_new()) == NULL) + goto err; + ASN1_INTEGER_free(aor->u.range->min); + aor->u.range->min = min; + ASN1_INTEGER_free(aor->u.range->max); + aor->u.range->max = max; + } + if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) + goto err; + return 1; + + err: + ASIdOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an ASIdOrRange. + */ +static int +extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max) +{ + OPENSSL_assert(aor != NULL); + + switch (aor->type) { + case ASIdOrRange_id: + *min = aor->u.id; + *max = aor->u.id; + return 1; + case ASIdOrRange_range: + *min = aor->u.range->min; + *max = aor->u.range->max; + return 1; + } + + return 0; +} + +/* + * Check whether an ASIdentifierChoice is in canonical form. + */ +static int +ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + ASN1_INTEGER *orig; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Empty element or inheritance is canonical. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * If not a list, or if empty list, it's broken. + */ + if (choice->type != ASIdentifierChoice_asIdsOrRanges || + sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) + return 0; + + /* + * It's a list, check it. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i + 1); + ASN1_INTEGER *a_min = NULL, + *a_max = NULL, + *b_min = NULL, + *b_max = + NULL; + + if (!extract_min_max(a, &a_min, &a_max) || + !extract_min_max(b, &b_min, &b_max)) + goto done; + + /* + * Punt misordered list, overlapping start, or inverted range. + */ + if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || + ASN1_INTEGER_cmp(a_min, a_max) > 0 || + ASN1_INTEGER_cmp(b_min, b_max) > 0) + goto done; + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto done; + } + + if ((a_max_plus_one = + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { + a_max_plus_one = orig; + X509V3error(ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * Punt if adjacent or overlapping. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) + goto done; + } + + /* + * Check for inverted range. + */ + i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; + { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i); + ASN1_INTEGER *a_min, *a_max; + if (a != NULL && a->type == ASIdOrRange_range) { + if (!extract_min_max(a, &a_min, &a_max) || + ASN1_INTEGER_cmp(a_min, a_max) > 0) + goto done; + } + } + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Check whether an ASIdentifier extension is in canonical form. + */ +int +X509v3_asid_is_canonical(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_is_canonical(asid->asnum) && + ASIdentifierChoice_is_canonical(asid->rdi))); +} + +/* + * Whack an ASIdentifierChoice into canonical form. + */ +static int +ASIdentifierChoice_canonize(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + ASN1_INTEGER *orig; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Nothing to do for empty element or inheritance. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * If not a list, or if empty list, it's broken. + */ + if (choice->type != ASIdentifierChoice_asIdsOrRanges || + sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + return 0; + } + + /* + * We have a non-empty list. Sort it. + */ + sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); + + /* + * Now check for errors and suboptimal encoding, rejecting the + * former and fixing the latter. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i + 1); + ASN1_INTEGER *a_min = NULL, + *a_max = NULL, + *b_min = NULL, + *b_max = + NULL; + + if (!extract_min_max(a, &a_min, &a_max) || + !extract_min_max(b, &b_min, &b_max)) + goto done; + + /* + * Make sure we're properly sorted (paranoia). + */ + OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); + + /* + * Punt inverted ranges. + */ + if (ASN1_INTEGER_cmp(a_min, a_max) > 0 || + ASN1_INTEGER_cmp(b_min, b_max) > 0) + goto done; + + /* + * Check for overlaps. + */ + if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + goto done; + } + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto done; + } + + if ((a_max_plus_one = + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { + a_max_plus_one = orig; + X509V3error(ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * If a and b are adjacent, merge them. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { + ASRange *r; + switch (a->type) { + case ASIdOrRange_id: + if ((r = calloc(1, sizeof(*r))) == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto done; + } + r->min = a_min; + r->max = b_max; + a->type = ASIdOrRange_range; + a->u.range = r; + break; + case ASIdOrRange_range: + ASN1_INTEGER_free(a->u.range->max); + a->u.range->max = b_max; + break; + } + switch (b->type) { + case ASIdOrRange_id: + b->u.id = NULL; + break; + case ASIdOrRange_range: + b->u.range->max = NULL; + break; + } + ASIdOrRange_free(b); + (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, + i + 1); + i--; + continue; + } + } + + /* + * Check for final inverted range. + */ + i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; + { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, + i); + ASN1_INTEGER *a_min, *a_max; + if (a != NULL && a->type == ASIdOrRange_range) { + if (!extract_min_max(a, &a_min, &a_max) || + ASN1_INTEGER_cmp(a_min, a_max) > 0) + goto done; + } + } + + /* Paranoia */ + OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Whack an ASIdentifier extension into canonical form. + */ +int +X509v3_asid_canonize(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_canonize(asid->asnum) && + ASIdentifierChoice_canonize(asid->rdi))); +} + +/* + * v2i method for an ASIdentifier extension. + */ +static void * +v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE)*values) +{ + ASN1_INTEGER *min = NULL, *max = NULL; + ASIdentifiers *asid = NULL; + int i; + + if ((asid = ASIdentifiers_new()) == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0; + + /* + * Figure out whether this is an AS or an RDI. + */ + if (!name_cmp(val->name, "AS")) { + which = V3_ASID_ASNUM; + } else if (!name_cmp(val->name, "RDI")) { + which = V3_ASID_RDI; + } else { + X509V3error(X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + /* + * Handle inheritance. + */ + if (strcmp(val->value, "inherit") == 0) { + if (X509v3_asid_add_inherit(asid, which)) + continue; + X509V3error(X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + + /* + * Number, range, or mistake, pick it apart and figure out which + */ + i1 = strspn(val->value, "0123456789"); + if (val->value[i1] == '\0') { + is_range = 0; + } else { + is_range = 1; + i2 = i1 + strspn(val->value + i1, " \t"); + if (val->value[i2] != '-') { + X509V3error(X509V3_R_INVALID_ASNUMBER); + X509V3_conf_err(val); + goto err; + } + i2++; + i2 = i2 + strspn(val->value + i2, " \t"); + i3 = i2 + strspn(val->value + i2, "0123456789"); + if (val->value[i3] != '\0') { + X509V3error(X509V3_R_INVALID_ASRANGE); + X509V3_conf_err(val); + goto err; + } + } + + /* + * Syntax is ok, read and add it. + */ + if (!is_range) { + if (!X509V3_get_value_int(val, &min)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + } else { + char *s = strdup(val->value); + if (s == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + s[i1] = '\0'; + min = s2i_ASN1_INTEGER(NULL, s); + max = s2i_ASN1_INTEGER(NULL, s + i2); + free(s); + if (min == NULL || max == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + if (ASN1_INTEGER_cmp(min, max) > 0) { + X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); + goto err; + } + } + if (!X509v3_asid_add_id_or_range(asid, which, min, max)) { + X509V3error(ERR_R_MALLOC_FAILURE); + goto err; + } + min = max = NULL; + } + + /* + * Canonize the result, then we're done. + */ + if (!X509v3_asid_canonize(asid)) + goto err; + return asid; + + err: + ASIdentifiers_free(asid); + ASN1_INTEGER_free(min); + ASN1_INTEGER_free(max); + return NULL; +} + +/* + * OpenSSL dispatch. + */ +const X509V3_EXT_METHOD v3_asid = { + NID_sbgp_autonomousSysNum, /* nid */ + 0, /* flags */ + &ASIdentifiers_it, /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_ASIdentifiers, /* v2i */ + i2r_ASIdentifiers, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension uses inheritance. + */ +int +X509v3_asid_inherits(ASIdentifiers *asid) +{ + return (asid != NULL && + ((asid->asnum != NULL && + asid->asnum->type == ASIdentifierChoice_inherit) || + (asid->rdi != NULL && + asid->rdi->type == ASIdentifierChoice_inherit))); +} + +/* + * Figure out whether parent contains child. + */ +static int +asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) +{ + ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_ASIdOrRange_num(child); c++) { + if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, + &c_max)) + return 0; + for (;; p++) { + if (p >= sk_ASIdOrRange_num(parent)) + return 0; + if (!extract_min_max(sk_ASIdOrRange_value(parent, p), + &p_min, &p_max)) + return 0; + if (ASN1_INTEGER_cmp(p_max, c_max) < 0) + continue; + if (ASN1_INTEGER_cmp(p_min, c_min) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subset of b. + */ +int +X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) +{ + return (a == NULL || + a == b || + (b != NULL && + !X509v3_asid_inherits(a) && + !X509v3_asid_inherits(b) && + asid_contains(b->asnum->u.asIdsOrRanges, + a->asnum->u.asIdsOrRanges) && + asid_contains(b->rdi->u.asIdsOrRanges, + a->rdi->u.asIdsOrRanges))); +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 3.3 path validation. + */ +static int +asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain, + ASIdentifiers *ext) +{ + ASIdOrRanges *child_as = NULL, *child_rdi = NULL; + int i, ret = 1, inherit_as = 0, inherit_rdi = 0; + X509 *x; + + OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); + OPENSSL_assert(ctx != NULL || ext != NULL); + OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to + * check, we're done. Otherwise, check canonical form and + * set up for walking up the chain. + */ + if (ext != NULL) { + i = -1; + x = NULL; + } else { + i = 0; + x = sk_X509_value(chain, i); + if ((ext = x->rfc3779_asid) == NULL) + goto done; + } + if (!X509v3_asid_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (ext->asnum != NULL) { + switch (ext->asnum->type) { + case ASIdentifierChoice_inherit: + inherit_as = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_as = ext->asnum->u.asIdsOrRanges; + break; + } + } + if (ext->rdi != NULL) { + switch (ext->rdi->type) { + case ASIdentifierChoice_inherit: + inherit_rdi = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_rdi = ext->rdi->u.asIdsOrRanges; + break; + } + } + + /* + * Now walk up the chain. Extensions must be in canonical form, no + * cert may list resources that its parent doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + OPENSSL_assert(x != NULL); + + if (x->rfc3779_asid == NULL) { + if (child_as != NULL || child_rdi != NULL) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + continue; + } + if (!X509v3_asid_is_canonical(x->rfc3779_asid)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_as = NULL; + inherit_as = 0; + } + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == + ASIdentifierChoice_asIdsOrRanges) { + if (inherit_as || + asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, + child_as)) { + child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; + inherit_as = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_rdi = NULL; + inherit_rdi = 0; + } + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { + if (inherit_rdi || + asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, + child_rdi)) { + child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; + inherit_rdi = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + OPENSSL_assert(x != NULL); + + if (x->rfc3779_asid != NULL) { + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + + done: + return ret; +} + +#undef validation_err + +/* + * RFC 3779 3.3 path validation -- called from X509_verify_cert(). + */ +int +X509v3_asid_validate_path(X509_STORE_CTX *ctx) +{ + if (ctx->chain == NULL || + sk_X509_num(ctx->chain) == 0 || + ctx->verify_cb == NULL) { + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } + return asid_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 3.3 path validation of an extension. + * Test whether chain covers extension. + */ +int +X509v3_asid_validate_resource_set(STACK_OF(X509)*chain, ASIdentifiers *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && X509v3_asid_inherits(ext)) + return 0; + return asid_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c index 5659d6e..db33bf1 100644 --- a/crypto/x509/x509_constraints.c +++ b/crypto/x509/x509_constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.10 2020/09/21 05:41:43 tb Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.17 2021/09/23 15:49:48 jsing Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -36,7 +36,7 @@ #define DOMAIN_PART_MAX_LEN 255 struct x509_constraints_name * -x509_constraints_name_new() +x509_constraints_name_new(void) { return (calloc(1, sizeof(struct x509_constraints_name))); } @@ -69,9 +69,11 @@ x509_constraints_name_dup(struct x509_constraints_name *name) new->type = name->type; new->af = name->af; new->der_len = name->der_len; - if (name->der_len > 0 && (new->der = malloc(name->der_len)) == NULL) - goto err; - memcpy(new->der, name->der, name->der_len); + if (name->der_len > 0) { + if ((new->der = malloc(name->der_len)) == NULL) + goto err; + memcpy(new->der, name->der, name->der_len); + } if (name->name != NULL && (new->name = strdup(name->name)) == NULL) goto err; if (name->local != NULL && (new->local = strdup(name->local)) == NULL) @@ -84,9 +86,16 @@ x509_constraints_name_dup(struct x509_constraints_name *name) } struct x509_constraints_names * -x509_constraints_names_new() +x509_constraints_names_new(size_t names_max) { - return (calloc(1, sizeof(struct x509_constraints_names))); + struct x509_constraints_names *new; + + if ((new = calloc(1, sizeof(struct x509_constraints_names))) == NULL) + return NULL; + + new->names_max = names_max; + + return new; } void @@ -114,8 +123,8 @@ int x509_constraints_names_add(struct x509_constraints_names *names, struct x509_constraints_name *name) { - size_t i = names->names_count; - + if (names->names_count >= names->names_max) + return 0; if (names->names_count == names->names_len) { struct x509_constraints_name **tmp; if ((tmp = recallocarray(names->names, names->names_len, @@ -124,7 +133,7 @@ x509_constraints_names_add(struct x509_constraints_names *names, names->names_len += 32; names->names = tmp; } - names->names[i] = name; + names->names[names->names_count] = name; names->names_count++; return 1; } @@ -139,14 +148,16 @@ x509_constraints_names_dup(struct x509_constraints_names *names) if (names == NULL) return NULL; - if ((new = x509_constraints_names_new()) == NULL) + if ((new = x509_constraints_names_new(names->names_max)) == NULL) goto err; + for (i = 0; i < names->names_count; i++) { if ((name = x509_constraints_name_dup(names->names[i])) == NULL) goto err; if (!x509_constraints_names_add(new, name)) goto err; } + return new; err: x509_constraints_names_free(new); @@ -158,13 +169,15 @@ x509_constraints_names_dup(struct x509_constraints_names *names) /* * Validate that the name contains only a hostname consisting of RFC * 5890 compliant A-labels (see RFC 6066 section 3). This is more - * permissive to allow for a leading '*' for a SAN DNSname wildcard, - * or a leading '.' for a subdomain based constraint, as well as - * allowing for '_' which is commonly accepted by nonconformant - * DNS implementaitons. + * permissive to allow for a leading '.' for a subdomain based + * constraint, as well as allowing for '_' which is commonly accepted + * by nonconformant DNS implementaitons. + * + * if "wildcards" is set it allows '*' to occur in the string at the end of a + * component. */ static int -x509_constraints_valid_domain_internal(uint8_t *name, size_t len) +x509_constraints_valid_domain_internal(uint8_t *name, size_t len, int wildcards) { uint8_t prev, c = 0; int component = 0; @@ -187,8 +200,8 @@ x509_constraints_valid_domain_internal(uint8_t *name, size_t len) if (!isalnum(c) && c != '-' && c != '.' && c != '_' && c != '*') return 0; - /* '*' can only be the first thing. */ - if (c == '*' && !first) + /* if it is a '*', fail if not wildcards */ + if (!wildcards && c == '*') return 0; /* '-' must not start a component or be at the end. */ @@ -210,6 +223,13 @@ x509_constraints_valid_domain_internal(uint8_t *name, size_t len) component = 0; continue; } + /* + * Wildcards can only occur at the end of a component. + * c*.com is valid, c*c.com is not. + */ + if (prev == '*') + return 0; + /* Components must be 63 chars or less. */ if (++component > 63) return 0; @@ -222,15 +242,13 @@ x509_constraints_valid_domain(uint8_t *name, size_t len) { if (len == 0) return 0; - if (name[0] == '*') /* wildcard not allowed in a domain name */ - return 0; /* * A domain may not be less than two characters, so you can't * have a require subdomain name with less than that. */ if (len < 3 && name[0] == '.') return 0; - return x509_constraints_valid_domain_internal(name, len); + return x509_constraints_valid_domain_internal(name, len, 0); } int @@ -241,15 +259,13 @@ x509_constraints_valid_host(uint8_t *name, size_t len) if (len == 0) return 0; - if (name[0] == '*') /* wildcard not allowed in a host name */ - return 0; if (name[0] == '.') /* leading . not allowed in a host name*/ return 0; if (inet_pton(AF_INET, name, &sin4) == 1) return 0; if (inet_pton(AF_INET6, name, &sin6) == 1) return 0; - return x509_constraints_valid_domain_internal(name, len); + return x509_constraints_valid_domain_internal(name, len, 0); } int @@ -272,7 +288,7 @@ x509_constraints_valid_sandns(uint8_t *name, size_t len) if (len >= 4 && name[0] == '*' && name[1] != '.') return 0; - return x509_constraints_valid_domain_internal(name, len); + return x509_constraints_valid_domain_internal(name, len, 1); } static inline int @@ -323,16 +339,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, if (c == '.') goto bad; } - if (wi > DOMAIN_PART_MAX_LEN) - goto bad; if (accept) { + if (wi >= DOMAIN_PART_MAX_LEN) + goto bad; working[wi++] = c; accept = 0; continue; } if (candidate_local != NULL) { /* We are looking for the domain part */ - if (wi > DOMAIN_PART_MAX_LEN) + if (wi >= DOMAIN_PART_MAX_LEN) goto bad; working[wi++] = c; if (i == len - 1) { @@ -347,7 +363,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, continue; } /* We are looking for the local part */ - if (wi > LOCAL_PART_MAX_LEN) + if (wi >= LOCAL_PART_MAX_LEN) break; if (quoted) { @@ -367,6 +383,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, */ if (c == 9) goto bad; + if (wi >= LOCAL_PART_MAX_LEN) + goto bad; working[wi++] = c; continue; /* all's good inside our quoted string */ } @@ -396,6 +414,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, } if (!local_part_ok(c)) goto bad; + if (wi >= LOCAL_PART_MAX_LEN) + goto bad; working[wi++] = c; } if (candidate_local == NULL || candidate_domain == NULL) @@ -420,16 +440,13 @@ x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len) if (len == 0) return 1; /* empty constraints match */ - if (constraint[0] == '*') /* wildcard not allowed in a constraint */ - return 0; - /* * A domain may not be less than two characters, so you * can't match a single domain of less than that */ if (len < 3 && constraint[0] == '.') return 0; - return x509_constraints_valid_domain_internal(constraint, len); + return x509_constraints_valid_domain_internal(constraint, len, 0); } /* @@ -700,7 +717,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names, *error = X509_V_ERR_OUT_OF_MEM; goto err; } - vname->type=GEN_DNS; + vname->type = GEN_DNS; include_cn = 0; /* don't use cn from subject */ break; case GEN_EMAIL: @@ -1115,7 +1132,8 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth) goto err; if (chain_length == 1) return 1; - if ((names = x509_constraints_names_new()) == NULL) { + if ((names = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) { verify_err = X509_V_ERR_OUT_OF_MEM; goto err; } @@ -1128,13 +1146,13 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth) if ((cert = sk_X509_value(chain, i)) == NULL) goto err; if (cert->nc != NULL) { - if ((permitted = - x509_constraints_names_new()) == NULL) { + if ((permitted = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { verify_err = X509_V_ERR_OUT_OF_MEM; goto err; } - if ((excluded = - x509_constraints_names_new()) == NULL) { + if ((excluded = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { verify_err = X509_V_ERR_OUT_OF_MEM; goto err; } @@ -1159,10 +1177,6 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth) if (!x509_constraints_extract_names(names, cert, 0, &verify_err)) goto err; - if (names->names_count > X509_VERIFY_MAX_CHAIN_NAMES) { - verify_err = X509_V_ERR_OUT_OF_MEM; - goto err; - } } x509_constraints_names_free(names); diff --git a/crypto/x509/x509_cpols.c b/crypto/x509/x509_cpols.c index 4b6c13c..2ace607 100644 --- a/crypto/x509/x509_cpols.c +++ b/crypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -696,7 +696,8 @@ print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent) qualinfo = sk_POLICYQUALINFO_value(quals, i); switch (OBJ_obj2nid(qualinfo->pqualid)) { case NID_id_qt_cps: - BIO_printf(out, "%*sCPS: %s\n", indent, "", + BIO_printf(out, "%*sCPS: %.*s\n", indent, "", + qualinfo->d.cpsuri->length, qualinfo->d.cpsuri->data); break; @@ -724,8 +725,8 @@ print_notice(BIO *out, USERNOTICE *notice, int indent) if (notice->noticeref) { NOTICEREF *ref; ref = notice->noticeref; - BIO_printf(out, "%*sOrganization: %s\n", indent, "", - ref->organization->data); + BIO_printf(out, "%*sOrganization: %.*s\n", indent, "", + ref->organization->length, ref->organization->data); BIO_printf(out, "%*sNumber%s: ", indent, "", sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { @@ -741,8 +742,8 @@ print_notice(BIO *out, USERNOTICE *notice, int indent) BIO_puts(out, "\n"); } if (notice->exptext) - BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", - notice->exptext->data); + BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "", + notice->exptext->length, notice->exptext->data); } void diff --git a/crypto/x509/x509_genn.c b/crypto/x509/x509_genn.c index 848006a..dadf6f1 100644 --- a/crypto/x509/x509_genn.c +++ b/crypto/x509/x509_genn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_genn.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -117,16 +117,17 @@ OTHERNAME_free(OTHERNAME *a) ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it); } +/* Uses explicit tagging since DIRECTORYSTRING is a CHOICE type */ static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = { { - .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, .tag = 0, .offset = offsetof(EDIPARTYNAME, nameAssigner), .field_name = "nameAssigner", .item = &DIRECTORYSTRING_it, }, { - .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .flags = ASN1_TFLG_EXPLICIT, .tag = 1, .offset = offsetof(EDIPARTYNAME, partyName), .field_name = "partyName", @@ -324,6 +325,37 @@ GENERAL_NAME_dup(GENERAL_NAME *a) return ASN1_item_dup(&GENERAL_NAME_it, a); } +static int +EDIPARTYNAME_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) +{ + int res; + + /* + * Shouldn't be possible in a valid GENERAL_NAME, but we handle it + * anyway. OTHERNAME_cmp treats NULL != NULL, so we do the same here. + */ + if (a == NULL || b == NULL) + return -1; + if (a->nameAssigner == NULL && b->nameAssigner != NULL) + return -1; + if (a->nameAssigner != NULL && b->nameAssigner == NULL) + return 1; + /* If we get here, both have nameAssigner set or both unset. */ + if (a->nameAssigner != NULL) { + res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); + if (res != 0) + return res; + } + /* + * partyName is required, so these should never be NULL. We treat it in + * the same way as the a == NULL || b == NULL case above. + */ + if (a->partyName == NULL || b->partyName == NULL) + return -1; + + return ASN1_STRING_cmp(a->partyName, b->partyName); +} + /* Returns 0 if they are equal, != 0 otherwise. */ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) @@ -334,8 +366,11 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: + result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + break; + case GEN_EDIPARTY: - result = ASN1_TYPE_cmp(a->d.other, b->d.other); + result = EDIPARTYNAME_cmp(a->d.ediPartyName, b->d.ediPartyName); break; case GEN_OTHERNAME: @@ -384,8 +419,11 @@ GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) { switch (type) { case GEN_X400: + a->d.x400Address = value; + break; + case GEN_EDIPARTY: - a->d.other = value; + a->d.ediPartyName = value; break; case GEN_OTHERNAME: @@ -420,8 +458,10 @@ GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) *ptype = a->type; switch (a->type) { case GEN_X400: + return a->d.x400Address; + case GEN_EDIPARTY: - return a->d.other; + return a->d.ediPartyName; case GEN_OTHERNAME: return a->d.otherName; diff --git a/crypto/x509/x509_internal.h b/crypto/x509/x509_internal.h index 9d69055..9878b6f 100644 --- a/crypto/x509/x509_internal.h +++ b/crypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.12.2.1 2021/11/24 09:28:55 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -51,18 +51,23 @@ struct x509_constraints_name { struct x509_constraints_names { struct x509_constraints_name **names; - size_t names_len; size_t names_count; + size_t names_len; + size_t names_max; }; struct x509_verify_chain { STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ + int *cert_errors; /* Verify error for each cert in chain. */ struct x509_constraints_names *names; /* All names from all certs */ }; struct x509_verify_ctx { X509_STORE_CTX *xsc; struct x509_verify_chain **chains; /* Validated chains */ + STACK_OF(X509) *saved_error_chain; + int saved_error; + int saved_error_depth; size_t chains_count; STACK_OF(X509) *roots; /* Trusted roots for this validation */ STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ @@ -72,8 +77,8 @@ struct x509_verify_ctx { size_t max_depth; /* Max chain depth for validation */ size_t max_sigs; /* Max number of signature checks */ size_t sig_checks; /* Number of signature checks done */ - size_t error_depth; /* Depth of last error seen */ - int error; /* Last error seen */ + size_t error_depth; /* Depth of last error seen */ + int error; /* Last error seen */ }; int ASN1_time_tm_clamp_notafter(struct tm *tm); @@ -85,13 +90,14 @@ int x509_vfy_check_revocation(X509_STORE_CTX *ctx); int x509_vfy_check_policy(X509_STORE_CTX *ctx); int x509_vfy_check_trust(X509_STORE_CTX *ctx); int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); +int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx); void x509v3_cache_extensions(X509 *x); +X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter); -struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, - STACK_OF(X509) *roots); +struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc); void x509_constraints_name_clear(struct x509_constraints_name *name); int x509_constraints_names_add(struct x509_constraints_names *names, @@ -99,7 +105,7 @@ int x509_constraints_names_add(struct x509_constraints_names *names, struct x509_constraints_names *x509_constraints_names_dup( struct x509_constraints_names *names); void x509_constraints_names_clear(struct x509_constraints_names *names); -struct x509_constraints_names *x509_constraints_names_new(void); +struct x509_constraints_names *x509_constraints_names_new(size_t names_max); void x509_constraints_names_free(struct x509_constraints_names *names); int x509_constraints_valid_host(uint8_t *name, size_t len); int x509_constraints_valid_sandns(uint8_t *name, size_t len); diff --git a/crypto/x509/x509_issuer_cache.c b/crypto/x509/x509_issuer_cache.c index 6831c18..26cde17 100644 --- a/crypto/x509/x509_issuer_cache.c +++ b/crypto/x509/x509_issuer_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_issuer_cache.c,v 1.1 2020/09/11 14:30:51 beck Exp $ */ +/* $OpenBSD: x509_issuer_cache.c,v 1.2 2020/11/18 17:00:59 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -77,9 +77,9 @@ x509_issuer_cache_set_max(size_t max) * Find a previous result of checking if parent signed child * * Returns: - * -1 : No entry exists in the cache. signature must be checked. - * 0 : The signature of parent signing child is invalid. - * 1 : The signature of parent signing child is valid. + * -1 : No entry exists in the cache. signature must be checked. + * 0 : The signature of parent signing child is invalid. + * 1 : The signature of parent signing child is valid. */ int x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md) @@ -98,7 +98,7 @@ x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md) return -1; if ((found = RB_FIND(x509_issuer_tree, &x509_issuer_cache, &candidate)) != NULL) { - TAILQ_REMOVE(&x509_issuer_lru, found, queue); + TAILQ_REMOVE(&x509_issuer_lru, found, queue); TAILQ_INSERT_HEAD(&x509_issuer_lru, found, queue); ret = found->valid; } @@ -111,7 +111,7 @@ x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md) * Attempt to add a validation result to the cache. * * valid must be: - * 0: The signature of parent signing child is invalid. + * 0: The signature of parent signing child is invalid. * 1: The signature of parent signing child is valid. * * Previously added entries for the same parent and child are *not* replaced. diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index f21103c..315eddf 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */ +/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT stmp, *tmp; int i, j; + if (ctx == NULL) + return 0; + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); @@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) X509 *x; X509_OBJECT *obj; + if (ctx->ctx == NULL) + return NULL; sk = sk_X509_new_null(); if (sk == NULL) return NULL; @@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) X509_CRL *x; X509_OBJECT *obj, xobj; + if (ctx->ctx == NULL) + return NULL; sk = sk_X509_CRL_new_null(); if (sk == NULL) return NULL; @@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } X509_OBJECT_free_contents(&obj); + if (ctx->ctx == NULL) + return 0; + /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); diff --git a/crypto/x509/x509_pci.c b/crypto/x509/x509_pci.c index 8997f0c..b1d31df 100644 --- a/crypto/x509/x509_pci.c +++ b/crypto/x509/x509_pci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_pci.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */ /* Contributed to the OpenSSL Project 2004 * by Richard Levitte (richard@levitte.org) */ @@ -77,7 +77,8 @@ i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out, i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); BIO_puts(out, "\n"); if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "", + pci->proxyPolicy->policy->length, pci->proxyPolicy->policy->data); return 1; } diff --git a/crypto/x509/x509_purp.c b/crypto/x509/x509_purp.c index f2d4665..86ee274 100644 --- a/crypto/x509/x509_purp.c +++ b/crypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.7 2021/09/13 15:26:53 claudio Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -132,6 +132,8 @@ X509_check_purpose(X509 *x, int id, int ca) CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (x->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; } if (id == -1) return 1; @@ -293,11 +295,7 @@ xptable_free(X509_PURPOSE *p) void X509_PURPOSE_cleanup(void) { - unsigned int i; - sk_X509_PURPOSE_pop_free(xptable, xptable_free); - for(i = 0; i < X509_PURPOSE_COUNT; i++) - xptable_free(xstandard + i); xptable = NULL; } @@ -368,6 +366,10 @@ X509_supported_extension(X509_EXTENSION *ex) NID_basic_constraints, /* 87 */ NID_certificate_policies, /* 89 */ NID_ext_key_usage, /* 126 */ +#ifndef OPENSSL_NO_RFC3779 + NID_sbgp_ipAddrBlock, /* 290 */ + NID_sbgp_autonomousSysNum, /* 291 */ +#endif NID_policy_constraints, /* 401 */ NID_proxyCertInfo, /* 663 */ NID_name_constraints, /* 666 */ @@ -421,7 +423,12 @@ setup_crldp(X509 *x) { int i; - x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); + x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); + if (x->crldp == NULL && i != -1) { + x->ex_flags |= EXFLAG_INVALID; + return; + } + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } @@ -449,7 +456,7 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ - if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { + if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { if (bs->ca) x->ex_flags |= EXFLAG_CA; if (bs->pathlen) { @@ -463,10 +470,12 @@ x509v3_cache_extensions(X509 *x) x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle proxy certificates */ - if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { if (x->ex_flags & EXFLAG_CA || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { @@ -485,10 +494,12 @@ x509v3_cache_extensions(X509 *x) x->ex_pcpathlen = -1; PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle key usage */ - if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { + if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { if (usage->length > 0) { x->ex_kusage = usage->data[0]; if (usage->length > 1) @@ -497,9 +508,12 @@ x509v3_cache_extensions(X509 *x) x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } + x->ex_xkusage = 0; - if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { + if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { @@ -538,19 +552,27 @@ x509v3_cache_extensions(X509 *x) } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { + if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) { if (ns->length > 0) x->ex_nscert = ns->data[0]; else x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); + if (x->skid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); + if (x->akid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; /* Does subject name match issuer? */ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { @@ -561,12 +583,23 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_SS; } - x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); + if (x->altname == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); if (!x->nc && (i != -1)) x->ex_flags |= EXFLAG_INVALID; setup_crldp(x); +#ifndef OPENSSL_NO_RFC3779 + x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); + if (x->rfc3779_addr == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); + if (x->rfc3779_asid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; +#endif + for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == @@ -626,6 +659,8 @@ X509_check_ca(X509 *x) CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (x->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; } return check_ca(x); @@ -836,8 +871,20 @@ X509_check_issued(X509 *issuer, X509 *subject) if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - x509v3_cache_extensions(issuer); - x509v3_cache_extensions(subject); + if (!(issuer->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(issuer); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + if (issuer->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; + if (!(subject->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(subject); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + if (subject->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; if (subject->akid) { int ret = X509_check_akid(issuer, subject->akid); diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 651dc82..1a60e5a 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_trs.c,v 1.23 2018/05/18 18:40:38 tb Exp $ */ +/* $OpenBSD: x509_trs.c,v 1.24 2021/07/23 20:50:28 schwarze Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -265,10 +265,6 @@ trtable_free(X509_TRUST *p) void X509_TRUST_cleanup(void) { - unsigned int i; - - for (i = 0; i < X509_TRUST_COUNT; i++) - trtable_free(trstandard + i); sk_X509_TRUST_pop_free(trtable, trtable_free); trtable = NULL; } diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c index 0c32cd0..5ff7c50 100644 --- a/crypto/x509/x509_verify.c +++ b/crypto/x509/x509_verify.c @@ -1,6 +1,6 @@ -/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.49.2.1 2021/11/24 09:28:56 tb Exp $ */ /* - * Copyright (c) 2020 Bob Beck + * Copyright (c) 2020-2021 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -15,7 +15,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* x509_verify - inspired by golang's crypto/x509/Verify */ +/* x509_verify - inspired by golang's crypto/x509.Verify */ #include #include @@ -33,7 +33,7 @@ static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, struct x509_verify_chain *current_chain); static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, - struct x509_verify_chain *current_chain); + struct x509_verify_chain *current_chain, int full_chain); static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, int error, int ok); static void x509_verify_chain_free(struct x509_verify_chain *chain); @@ -49,7 +49,11 @@ x509_verify_chain_new(void) goto err; if ((chain->certs = sk_X509_new_null()) == NULL) goto err; - if ((chain->names = x509_constraints_names_new()) == NULL) + if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, + sizeof(int))) == NULL) + goto err; + if ((chain->names = + x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) goto err; return chain; @@ -63,6 +67,8 @@ x509_verify_chain_clear(struct x509_verify_chain *chain) { sk_X509_pop_free(chain->certs, X509_free); chain->certs = NULL; + free(chain->cert_errors); + chain->cert_errors = NULL; x509_constraints_names_free(chain->names); chain->names = NULL; } @@ -81,10 +87,15 @@ x509_verify_chain_dup(struct x509_verify_chain *chain) { struct x509_verify_chain *new_chain; - if ((new_chain = x509_verify_chain_new()) == NULL) + if ((new_chain = calloc(1, sizeof(*chain))) == NULL) goto err; if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) goto err; + if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, + sizeof(int))) == NULL) + goto err; + memcpy(new_chain->cert_errors, chain->cert_errors, + X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int)); if ((new_chain->names = x509_constraints_names_dup(chain->names)) == NULL) goto err; @@ -99,18 +110,32 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, int *error) { int verify_err = X509_V_ERR_UNSPECIFIED; + size_t idx; if (!x509_constraints_extract_names(chain->names, cert, sk_X509_num(chain->certs) == 0, &verify_err)) { *error = verify_err; return 0; } + X509_up_ref(cert); if (!sk_X509_push(chain->certs, cert)) { X509_free(cert); *error = X509_V_ERR_OUT_OF_MEM; return 0; } + + idx = sk_X509_num(chain->certs) - 1; + chain->cert_errors[idx] = *error; + + /* + * We've just added the issuer for the previous certificate, + * clear its error if appropriate. + */ + if (idx > 1 && chain->cert_errors[idx - 1] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[idx - 1] = X509_V_OK; + return 1; } @@ -141,6 +166,9 @@ x509_verify_ctx_reset(struct x509_verify_ctx *ctx) for (i = 0; i < ctx->chains_count; i++) x509_verify_chain_free(ctx->chains[i]); + sk_X509_pop_free(ctx->saved_error_chain, X509_free); + ctx->saved_error = 0; + ctx->saved_error_depth = 0; ctx->error = 0; ctx->error_depth = 0; ctx->chains_count = 0; @@ -158,40 +186,209 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx) } static int -x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert) +x509_verify_cert_cache_extensions(X509 *cert) { + if (!(cert->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(cert); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + if (cert->ex_flags & EXFLAG_INVALID) + return 0; + return (cert->ex_flags & EXFLAG_SET); +} + +static int +x509_verify_cert_self_signed(X509 *cert) { + return (cert->ex_flags & EXFLAG_SS) ? 1 : 0; +} + +static int +x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, + int full_chain) +{ + X509 *match = NULL; int i; - for (i = 0; i < sk_X509_num(ctx->roots); i++) { - if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) - return 1; + if (!x509_verify_cert_cache_extensions(cert)) + return 0; + + /* Check by lookup if we have a legacy xsc */ + if (ctx->xsc != NULL) { + if ((match = x509_vfy_lookup_cert_match(ctx->xsc, + cert)) != NULL) { + X509_free(match); + return !full_chain || + x509_verify_cert_self_signed(cert); + } + } else { + /* Check the provided roots */ + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) + return !full_chain || + x509_verify_cert_self_signed(cert); + } } + return 0; } static int x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx, - struct x509_verify_chain *chain) + struct x509_verify_chain *chain, int set_error, int is_trusted) { - size_t depth; - X509 *last = x509_verify_chain_last(chain); + size_t num_untrusted; + int i; if (ctx->xsc == NULL) return 1; - depth = sk_X509_num(chain->certs); - if (depth > 0) - depth--; + /* + * XXX last_untrusted is actually the number of untrusted certs at the + * bottom of the chain. This works now since we stop at the first + * trusted cert. This will need fixing once we allow more than one + * trusted certificate. + */ + num_untrusted = sk_X509_num(chain->certs); + if (is_trusted && num_untrusted > 0) + num_untrusted--; + ctx->xsc->last_untrusted = num_untrusted; - ctx->xsc->last_untrusted = depth ? depth - 1 : 0; sk_X509_pop_free(ctx->xsc->chain, X509_free); ctx->xsc->chain = X509_chain_up_ref(chain->certs); if (ctx->xsc->chain == NULL) - return x509_verify_cert_error(ctx, last, depth, + return x509_verify_cert_error(ctx, NULL, 0, X509_V_ERR_OUT_OF_MEM, 0); + + if (set_error) { + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = 0; + for (i = 0; i < sk_X509_num(chain->certs); i++) { + if (chain->cert_errors[i] != X509_V_OK) { + ctx->xsc->error = chain->cert_errors[i]; + ctx->xsc->error_depth = i; + break; + } + } + } + return 1; } + +/* + * Save the error state and unvalidated chain off of the xsc for + * later. + */ +static int +x509_verify_ctx_save_xsc_error(struct x509_verify_ctx *ctx) +{ + if (ctx->xsc != NULL && ctx->xsc->chain != NULL) { + sk_X509_pop_free(ctx->saved_error_chain, X509_free); + ctx->saved_error_chain = X509_chain_up_ref(ctx->xsc->chain); + if (ctx->saved_error_chain == NULL) + return x509_verify_cert_error(ctx, NULL, 0, + X509_V_ERR_OUT_OF_MEM, 0); + ctx->saved_error = ctx->xsc->error; + ctx->saved_error_depth = ctx->xsc->error_depth; + } + return 1; +} + +/* + * Restore the saved error state and unvalidated chain to the xsc + * if we do not have a validated chain. + */ +static int +x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx) +{ + if (ctx->xsc != NULL && ctx->chains_count == 0 && + ctx->saved_error_chain != NULL) { + sk_X509_pop_free(ctx->xsc->chain, X509_free); + ctx->xsc->chain = X509_chain_up_ref(ctx->saved_error_chain); + if (ctx->xsc->chain == NULL) + return x509_verify_cert_error(ctx, NULL, 0, + X509_V_ERR_OUT_OF_MEM, 0); + ctx->xsc->error = ctx->saved_error; + ctx->xsc->error_depth = ctx->saved_error_depth; + } + return 1; +} + +/* Perform legacy style validation of a chain */ +static int +x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, + struct x509_verify_chain *chain, size_t depth) +{ + int ret = 0, trust; + + if (ctx->xsc == NULL) + return 1; + + /* + * If we have a legacy xsc, choose a validated chain, and + * apply the extensions, revocation, and policy checks just + * like the legacy code did. We do this here instead of as + * building the chains to more easily support the callback and + * the bewildering array of VERIFY_PARAM knobs that are there + * for the fiddling. + */ + + /* These may be set in one of the following calls. */ + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = 0; + + trust = x509_vfy_check_trust(ctx->xsc); + if (trust == X509_TRUST_REJECTED) + goto err; + + if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)) + goto err; + + /* + * XXX currently this duplicates some work done in chain + * build, but we keep it here until we have feature parity + */ + if (!x509_vfy_check_chain_extensions(ctx->xsc)) + goto err; + + if (!x509_constraints_chain(ctx->xsc->chain, + &ctx->xsc->error, &ctx->xsc->error_depth)) { + X509 *cert = sk_X509_value(ctx->xsc->chain, depth); + if (!x509_verify_cert_error(ctx, cert, + ctx->xsc->error_depth, ctx->xsc->error, 0)) + goto err; + } + + if (!x509_vfy_check_revocation(ctx->xsc)) + goto err; + + if (!x509_vfy_check_policy(ctx->xsc)) + goto err; + + if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) && + trust != X509_TRUST_TRUSTED) + goto err; + + ret = 1; + + err: + /* + * The above checks may have set ctx->xsc->error and + * ctx->xsc->error_depth - save these for later on. + */ + if (ctx->xsc->error != X509_V_OK) { + if (ctx->xsc->error_depth < 0 || + ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS) + return 0; + chain->cert_errors[ctx->xsc->error_depth] = + ctx->xsc->error; + ctx->error_depth = ctx->xsc->error_depth; + } + + return ret; +} + /* Add a validated chain to our list of valid chains */ static int x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, @@ -208,43 +405,17 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, return x509_verify_cert_error(ctx, last, depth, X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); + /* Clear a get issuer failure for a root certificate. */ + if (chain->cert_errors[depth] == + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[depth] = X509_V_OK; + + if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) + return 0; + /* - * If we have a legacy xsc, choose a validated chain, - * and apply the extensions, revocation, and policy checks - * just like the legacy code did. We do this here instead - * of as building the chains to more easily support the - * callback and the bewildering array of VERIFY_PARAM - * knobs that are there for the fiddling. - */ - if (ctx->xsc != NULL) { - if (!x509_verify_ctx_set_xsc_chain(ctx, chain)) - return 0; - - /* - * XXX currently this duplicates some work done - * in chain build, but we keep it here until - * we have feature parity - */ - if (!x509_vfy_check_chain_extensions(ctx->xsc)) - return 0; - - if (!x509_constraints_chain(ctx->xsc->chain, - &ctx->xsc->error, &ctx->xsc->error_depth)) { - X509 *cert = sk_X509_value(ctx->xsc->chain, depth); - if (!x509_verify_cert_error(ctx, cert, - ctx->xsc->error_depth, ctx->xsc->error, 0)) - return 0; - } - - if (!x509_vfy_check_revocation(ctx->xsc)) - return 0; - - if (!x509_vfy_check_policy(ctx->xsc)) - return 0; - } - /* - * no xsc means we are being called from the non-legacy API, - * extensions and purpose are dealt with as the chain is built. + * In the non-legacy code, extensions and purpose are dealt + * with as the chain is built. * * The non-legacy api returns multiple chains but does not do * any revocation checking (it must be done by the caller on @@ -266,6 +437,8 @@ static int x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent, X509 *child) { + if (!x509_verify_cert_cache_extensions(parent)) + return 0; if (ctx->xsc != NULL) return (ctx->xsc->check_issued(ctx->xsc, child, parent)); @@ -313,7 +486,7 @@ x509_verify_parent_signature(X509 *parent, X509 *child, static int x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, unsigned char *cert_md, int is_root_cert, X509 *candidate, - struct x509_verify_chain *current_chain) + struct x509_verify_chain *current_chain, int full_chain) { int depth = sk_X509_num(current_chain->certs); struct x509_verify_chain *new_chain; @@ -333,12 +506,11 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, return 0; } - if (!x509_verify_parent_signature(candidate, cert, cert_md, &ctx->error)) { - if (!x509_verify_cert_error(ctx, candidate, depth, - ctx->error, 0)) - return 0; + if (!x509_verify_cert_error(ctx, candidate, depth, + ctx->error, 0)) + return 0; } if (!x509_verify_cert_valid(ctx, candidate, current_chain)) @@ -351,8 +523,7 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, return 0; } if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) { - x509_verify_cert_error(ctx, candidate, depth, - ctx->error, 0); + x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0); x509_verify_chain_free(new_chain); return 0; } @@ -363,17 +534,18 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, * give up. */ if (is_root_cert) { - if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain)) { + if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) { x509_verify_chain_free(new_chain); return 0; } - if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) { - (void) x509_verify_ctx_add_chain(ctx, new_chain); - goto done; + if (!x509_verify_ctx_add_chain(ctx, new_chain)) { + x509_verify_chain_free(new_chain); + return 0; } + goto done; } - x509_verify_build_chains(ctx, candidate, new_chain); + x509_verify_build_chains(ctx, candidate, new_chain, full_chain); done: x509_verify_chain_free(new_chain); @@ -397,11 +569,19 @@ x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, - struct x509_verify_chain *current_chain) + struct x509_verify_chain *current_chain, int full_chain) { unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; X509 *candidate; - int i, depth, count; + int i, depth, count, ret, is_root; + + /* + * If we are finding chains with an xsc, just stop after we have + * one chain, there's no point in finding more, it just exercises + * the potentially buggy callback processing in the calling software. + */ + if (ctx->xsc != NULL && ctx->chains_count > 0) + return; depth = sk_X509_num(current_chain->certs); if (depth > 0) @@ -418,36 +598,80 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, return; count = ctx->chains_count; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; ctx->error_depth = depth; - for (i = 0; i < sk_X509_num(ctx->roots); i++) { - candidate = sk_X509_value(ctx->roots, i); - if (x509_verify_potential_parent(ctx, candidate, cert)) { - x509_verify_consider_candidate(ctx, cert, - cert_md, 1, candidate, current_chain); + if (ctx->saved_error != 0) + ctx->error = ctx->saved_error; + if (ctx->saved_error_depth != 0) + ctx->error_depth = ctx->saved_error_depth; + + if (ctx->xsc != NULL) { + /* + * Long ago experiments at Muppet labs resulted in a + * situation where software not only sees these errors + * but forced developers to expect them in certain cases. + * so we must mimic this awfulness for the legacy case. + */ + if (cert->ex_flags & EXFLAG_SS) + ctx->error = (depth == 0) ? + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + } + + /* Check for legacy mode roots */ + if (ctx->xsc != NULL) { + if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { + x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_STORE_LOOKUP, 0); + return; + } + if (ret > 0) { + if (x509_verify_potential_parent(ctx, candidate, cert)) { + is_root = !full_chain || + x509_verify_cert_self_signed(candidate); + x509_verify_consider_candidate(ctx, cert, + cert_md, is_root, candidate, current_chain, + full_chain); + } + X509_free(candidate); + } + } else { + /* Check to see if we have a trusted root issuer. */ + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + candidate = sk_X509_value(ctx->roots, i); + if (x509_verify_potential_parent(ctx, candidate, cert)) { + is_root = !full_chain || + x509_verify_cert_self_signed(candidate); + x509_verify_consider_candidate(ctx, cert, + cert_md, is_root, candidate, current_chain, + full_chain); + } } } + /* Check intermediates after checking roots */ if (ctx->intermediates != NULL) { for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { candidate = sk_X509_value(ctx->intermediates, i); if (x509_verify_potential_parent(ctx, candidate, cert)) { x509_verify_consider_candidate(ctx, cert, - cert_md, 0, candidate, current_chain); + cert_md, 0, candidate, current_chain, + full_chain); } } } + if (ctx->chains_count > count) { if (ctx->xsc != NULL) { ctx->xsc->error = X509_V_OK; ctx->xsc->error_depth = depth; ctx->xsc->current_cert = cert; - (void) ctx->xsc->verify_cb(1, ctx->xsc); } } else if (ctx->error_depth == depth) { - (void) x509_verify_cert_error(ctx, cert, depth, - ctx->error, 0); + if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0)) + return; } } @@ -458,8 +682,13 @@ x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name) size_t len; if (name == NULL) { - if (ctx->xsc != NULL) - return x509_vfy_check_id(ctx->xsc); + if (ctx->xsc != NULL) { + int ret; + + if ((ret = x509_vfy_check_id(ctx->xsc)) == 0) + ctx->error = ctx->xsc->error; + return ret; + } return 1; } if ((candidate = strdup(name)) == NULL) { @@ -516,8 +745,6 @@ x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) { int type; - memset(tm, 0, sizeof(*tm)); - type = ASN1_time_parse(atime->data, atime->length, tm, atime->type); if (type == -1) return 0; @@ -601,11 +828,13 @@ x509_verify_validate_constraints(X509 *cert, return 1; if (cert->nc != NULL) { - if ((permitted = x509_constraints_names_new()) == NULL) { + if ((permitted = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { err = X509_V_ERR_OUT_OF_MEM; goto err; } - if ((excluded = x509_constraints_names_new()) == NULL) { + if ((excluded = x509_constraints_names_new( + X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { err = X509_V_ERR_OUT_OF_MEM; goto err; } @@ -630,10 +859,9 @@ x509_verify_validate_constraints(X509 *cert, static int x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca) { - if (!(cert->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(cert); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); + if (!x509_verify_cert_cache_extensions(cert)) { + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; } if (ctx->xsc != NULL) @@ -712,7 +940,7 @@ x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, } struct x509_verify_ctx * -x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) +x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc) { struct x509_verify_ctx *ctx; size_t max_depth; @@ -720,7 +948,7 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) if (xsc == NULL) return NULL; - if ((ctx = x509_verify_ctx_new(roots)) == NULL) + if ((ctx = x509_verify_ctx_new(NULL)) == NULL) return NULL; ctx->xsc = xsc; @@ -748,14 +976,16 @@ x509_verify_ctx_new(STACK_OF(X509) *roots) { struct x509_verify_ctx *ctx; - if (roots == NULL) - return NULL; - if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) return NULL; - if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) - goto err; + if (roots != NULL) { + if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) + goto err; + } else { + if ((ctx->roots = sk_X509_new_null()) == NULL) + goto err; + } ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; ctx->max_chains = X509_VERIFY_MAX_CHAINS; @@ -850,19 +1080,24 @@ size_t x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) { struct x509_verify_chain *current_chain; + int retry_chain_build, full_chain = 0; if (ctx->roots == NULL || ctx->max_depth == 0) { ctx->error = X509_V_ERR_INVALID_CALL; - return 0; + goto err; } if (ctx->xsc != NULL) { if (leaf != NULL || name != NULL) { ctx->error = X509_V_ERR_INVALID_CALL; - return 0; + goto err; } leaf = ctx->xsc->cert; + /* XXX */ + full_chain = 1; + if (ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN) + full_chain = 0; /* * XXX * The legacy code expects the top level cert to be @@ -872,57 +1107,163 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) */ if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) { ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + goto err; } if (!X509_up_ref(leaf)) { ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + goto err; } if (!sk_X509_push(ctx->xsc->chain, leaf)) { X509_free(leaf); ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + goto err; } ctx->xsc->error_depth = 0; ctx->xsc->current_cert = leaf; } if (!x509_verify_cert_valid(ctx, leaf, NULL)) - return 0; + goto err; if (!x509_verify_cert_hostname(ctx, leaf, name)) - return 0; + goto err; if ((current_chain = x509_verify_chain_new()) == NULL) { ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; + goto err; } if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { x509_verify_chain_free(current_chain); - return 0; + goto err; } - if (x509_verify_ctx_cert_is_root(ctx, leaf)) - x509_verify_ctx_add_chain(ctx, current_chain); - else - x509_verify_build_chains(ctx, leaf, current_chain); + do { + retry_chain_build = 0; + if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) { + if (!x509_verify_ctx_add_chain(ctx, current_chain)) { + x509_verify_chain_free(current_chain); + goto err; + } + } else { + x509_verify_build_chains(ctx, leaf, current_chain, + full_chain); + if (full_chain && ctx->chains_count == 0) { + /* + * Save the error state from the xsc + * at this point to put back on the + * xsc in case we do not find a chain + * that is trusted but not a full + * chain to a self signed root. This + * is because the unvalidated chain is + * used by the autochain batshittery + * on failure and will be needed for + * that. + */ + if (!x509_verify_ctx_save_xsc_error(ctx)) { + x509_verify_chain_free(current_chain); + goto err; + } + full_chain = 0; + retry_chain_build = 1; + } + } + } while (retry_chain_build); x509_verify_chain_free(current_chain); /* - * Safety net: - * We could not find a validated chain, and for some reason do not - * have an error set. + * Do the new verifier style return, where we don't have an xsc + * that allows a crazy callback to turn invalid things into valid. */ - if (ctx->chains_count == 0 && ctx->error == 0) + if (ctx->xsc == NULL) { + /* + * Safety net: + * We could not find a validated chain, and for some reason do not + * have an error set. + */ + if (ctx->chains_count == 0 && ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; + + /* + * If we are not using an xsc, and have no possibility for the + * crazy OpenSSL callback API changing the results of + * validation steps (because the callback can make validation + * proceed in the presence of invalid certs), any chains we + * have here are correctly built and verified. + */ + if (ctx->chains_count > 0) + ctx->error = X509_V_OK; + + return ctx->chains_count; + } + + /* + * Otherwise we are doing compatibility with an xsc, which means that we + * will have one chain, which might actually be a bogus chain because + * the callback told us to ignore errors and proceed to build an invalid + * chain. Possible return values from this include returning 1 with an + * invalid chain and a value of xsc->error != X509_V_OK (It's tradition + * that makes it ok). + */ + + if (ctx->chains_count > 0) { + /* + * The chain we have using an xsc might not be a verified chain + * if the callback perverted things while we built it to ignore + * failures and proceed with chain building. We put this chain + * and the error associated with it on the xsc. + */ + if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1, 1)) + goto err; + + /* + * Call the callback for completion up our built + * chain. The callback could still tell us to + * fail. Since this chain might exist as the result of + * callback doing perversions, we could still return + * "success" with something other than X509_V_OK set + * as the error. + */ + if (!x509_vfy_callback_indicate_completion(ctx->xsc)) + goto err; + } else { + /* + * We did not find a chain. Bring back the failure + * case we wanted to the xsc if we saved one. If we + * did not we should have just the leaf on the xsc. + */ + if (!x509_verify_ctx_restore_xsc_error(ctx)) + goto err; + + /* + * Safety net, ensure we have an error set in the + * failing case. + */ + if (ctx->xsc->error == X509_V_OK) { + if (ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; + ctx->xsc->error = ctx->error; + } + + /* + * Let the callback override the return value + * at depth 0 if it chooses to + */ + return ctx->xsc->verify_cb(0, ctx->xsc); + } + + /* We only ever find one chain in compat mode with an xsc. */ + return 1; + + err: + if (ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; - /* Clear whatever errors happened if we have any validated chain */ - if (ctx->chains_count > 0) - ctx->error = X509_V_OK; - if (ctx->xsc != NULL) { - ctx->xsc->error = ctx->error; - return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc); + if (ctx->xsc->error == X509_V_OK) + ctx->xsc->error = X509_V_ERR_UNSPECIFIED; + ctx->error = ctx->xsc->error; } - return (ctx->chains_count); + + return 0; } + diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index fe1431c..1f52779 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.89.2.1 2021/11/24 09:28:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -240,12 +240,13 @@ x509_vfy_check_id(X509_STORE_CTX *ctx) { * Oooooooh.. */ static int -X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad) +X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok) { X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth, i, ok = 0; + int ok = 0, ret = 0; + int depth, i; int num, j, retry, trust; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; @@ -517,11 +518,15 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad) if (!ok) goto end; } + + ret = 1; end: sk_X509_free(sktmp); X509_free(chain_ss); *bad = bad_chain; - return ok; + *out_ok = ok; + + return ret; } static int @@ -531,8 +536,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) ctx->error = X509_V_OK; /* Initialize to OK */ - ok = X509_verify_cert_legacy_build_chain(ctx, &bad_chain); - if (!ok) + if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok)) goto end; /* We have the chain complete: now we need to check its purpose */ @@ -630,60 +634,13 @@ X509_verify_cert(X509_STORE_CTX *ctx) /* Use the modern multi-chain verifier from x509_verify_cert */ - /* Find our trusted roots */ - ctx->error = X509_V_ERR_OUT_OF_MEM; - - if (ctx->get_issuer == get_issuer_sk) { - /* - * We are using the trusted stack method. so - * the roots are in the aptly named "ctx->other_ctx" - * pointer. (It could have been called "al") - */ - if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL) - return -1; - } else { - /* - * We have a X509_STORE and need to pull out the roots. - * Don't look Ethel... - */ - STACK_OF(X509_OBJECT) *objs; - size_t i, good = 1; - - if ((roots = sk_X509_new_null()) == NULL) - return -1; - - CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); - if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL) - good = 0; - for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) { - X509_OBJECT *obj; - X509 *root; - obj = sk_X509_OBJECT_value(objs, i); - if (obj->type != X509_LU_X509) - continue; - root = obj->data.x509; - if (X509_up_ref(root) == 0) - good = 0; - if (sk_X509_push(roots, root) == 0) { - X509_free(root); - good = 0; - } - } - CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - - if (!good) { - sk_X509_pop_free(roots, X509_free); - return -1; - } - } - - if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) { + if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) { ctx->error = X509_V_OK; /* Initialize to OK */ chain_count = x509_verify(vctx, NULL, NULL); } + x509_verify_ctx_free(vctx); sk_X509_pop_free(roots, X509_free); - x509_verify_ctx_free(vctx); /* if we succeed we have a chain in ctx->chain */ return (chain_count > 0 && ctx->chain != NULL); @@ -910,7 +867,8 @@ check_name_constraints(X509_STORE_CTX *ctx) /* Given a certificate try and find an exact match in the store */ -static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) +static X509 * +lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { STACK_OF(X509) *certs; X509 *xtmp = NULL; @@ -937,7 +895,17 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) return xtmp; } -static int check_trust(X509_STORE_CTX *ctx) +X509 * +x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) +{ + if (ctx->lookup_certs == NULL || ctx->ctx == NULL || + ctx->ctx->objs == NULL) + return NULL; + return lookup_cert_match(ctx, x); +} + +static int +check_trust(X509_STORE_CTX *ctx) { size_t i; int ok; @@ -991,7 +959,8 @@ static int check_trust(X509_STORE_CTX *ctx) return X509_TRUST_UNTRUSTED; } -int x509_vfy_check_trust(X509_STORE_CTX *ctx) +int +x509_vfy_check_trust(X509_STORE_CTX *ctx) { return check_trust(ctx); } @@ -1794,6 +1763,11 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx) if (ctx->parent) return 1; + + /* X509_policy_check always allocates a new tree. */ + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); if (ret == 0) { @@ -1905,7 +1879,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) } static int -internal_verify(X509_STORE_CTX *ctx) +x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified) { int n = sk_X509_num(ctx->chain) - 1; X509 *xi = sk_X509_value(ctx->chain, n); @@ -1941,8 +1915,8 @@ internal_verify(X509_STORE_CTX *ctx) * certificate and its depth (rather than the depth of * the subject). */ - if (xs != xi || - (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { + if (!chain_verified && ( xs != xi || + (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { EVP_PKEY *pkey; if ((pkey = X509_get_pubkey(xi)) == NULL) { if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, @@ -1959,7 +1933,7 @@ internal_verify(X509_STORE_CTX *ctx) } check_cert: /* Calls verify callback as needed */ - if (!x509_check_cert_time(ctx, xs, n)) + if (!chain_verified && !x509_check_cert_time(ctx, xs, n)) return 0; /* @@ -1980,6 +1954,22 @@ check_cert: return 1; } +static int +internal_verify(X509_STORE_CTX *ctx) +{ + return x509_vfy_internal_verify(ctx, 0); +} + +/* + * Internal verify, but with a chain where the verification + * math has already been performed. + */ +int +x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx) +{ + return x509_vfy_internal_verify(ctx, 1); +} + int X509_cmp_current_time(const ASN1_TIME *ctm) { diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 448ee20..42ea6e7 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -172,6 +172,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param) X509_VERIFY_PARAM_ID *paramid; if (!param) return; + free(param->name); param->name = NULL; param->purpose = 0; param->trust = 0; @@ -207,7 +208,7 @@ X509_VERIFY_PARAM_new(void) param = calloc(1, sizeof(X509_VERIFY_PARAM)); if (param == NULL) return NULL; - paramid = calloc (1, sizeof(X509_VERIFY_PARAM_ID)); + paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID)); if (paramid == NULL) { free(param); return NULL; @@ -227,7 +228,8 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) free(param); } -/* This function determines how parameters are "inherited" from one structure +/* + * This function determines how parameters are "inherited" from one structure * to another. There are several different ways this can happen. * * 1. If a child structure needs to have its values initialized from a parent @@ -596,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL }; static const X509_VERIFY_PARAM default_table[] = { { .name = "default", + .flags = X509_V_FLAG_TRUSTED_FIRST, .depth = 100, .trust = 0, /* XXX This is not the default trust value */ .id = vpm_empty_id @@ -673,8 +676,8 @@ X509_VERIFY_PARAM_get_count(void) return num; } -const -X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_get0(int id) { int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM); if (id < num) @@ -682,8 +685,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) return sk_X509_VERIFY_PARAM_value(param_table, id - num); } -const -X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_lookup(const char *name) { X509_VERIFY_PARAM pm; unsigned int i, limit; diff --git a/include/compat/pthread.h b/include/compat/pthread.h index 1527d3c..1ab011c 100755 --- a/include/compat/pthread.h +++ b/include/compat/pthread.h @@ -102,6 +102,14 @@ pthread_mutex_unlock(pthread_mutex_t *mutex) return 0; } +static inline int +pthread_mutex_destroy(pthread_mutex_t *mutex) +{ + DeleteCriticalSection(mutex->lock); + free(mutex->lock); + return 0; +} + #else #include_next #endif diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index 0a8da41..76c294a 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1.h,v 1.53 2018/11/30 04:51:19 jeremy Exp $ */ +/* $OpenBSD: asn1.h,v 1.54 2020/12/08 15:06:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1137,6 +1137,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BAD_TEMPLATE 230 #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 diff --git a/include/openssl/bn.h b/include/openssl/bn.h index cc1f467..1675111 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.39 2019/08/25 19:23:59 schwarze Exp $ */ +/* $OpenBSD: bn.h,v 1.43 2021/09/10 14:33:44 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -231,6 +231,15 @@ extern "C" { #define BN_set_flags(b,n) ((b)->flags|=(n)) #define BN_get_flags(b,n) ((b)->flags&(n)) +/* Values for |top| in BN_rand() */ +#define BN_RAND_TOP_ANY -1 +#define BN_RAND_TOP_ONE 0 +#define BN_RAND_TOP_TWO 1 + +/* Values for |bottom| in BN_rand() */ +#define BN_RAND_BOTTOM_ANY 0 +#define BN_RAND_BOTTOM_ODD 1 + /* get a clone of a BIGNUM with changed flags, for *temporary* use only * (the two BIGNUMs cannot not be used in parallel!) */ #define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \ @@ -428,6 +437,9 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); void BN_swap(BIGNUM *a, BIGNUM *b); BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); int BN_bn2bin(const BIGNUM *a, unsigned char *to); +int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); +BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret); +int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen); BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret); int BN_bn2mpi(const BIGNUM *a, unsigned char *to); int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index c9c5963..79542c8 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dtls1.h,v 1.23 2020/03/12 17:01:53 jsing Exp $ */ +/* $OpenBSD: dtls1.h,v 1.27 2021/05/16 13:56:30 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -78,6 +78,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS1_2_VERSION 0xFEFD +#define DTLS1_VERSION_MAJOR 0xFE /* lengths of messages */ #define DTLS1_COOKIE_LENGTH 256 @@ -93,91 +95,6 @@ extern "C" { #define DTLS1_AL_HEADER_LENGTH 2 -#ifndef OPENSSL_NO_SSL_INTERN - - -typedef struct dtls1_bitmap_st { - unsigned long map; /* track 32 packets on 32-bit systems - and 64 - on 64-bit systems */ - unsigned char max_seq_num[8]; /* max record number seen so far, - 64-bit value in big-endian - encoding */ -} DTLS1_BITMAP; - -struct dtls1_retransmit_state { - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD_CTX *write_hash; /* used for mac generation */ - SSL_SESSION *session; - unsigned short epoch; -}; - -struct hm_header_st { - unsigned char type; - unsigned long msg_len; - unsigned short seq; - unsigned long frag_off; - unsigned long frag_len; - unsigned int is_ccs; - struct dtls1_retransmit_state saved_retransmit_state; -}; - -struct ccs_header_st { - unsigned char type; - unsigned short seq; -}; - -struct dtls1_timeout_st { - /* Number of read timeouts so far */ - unsigned int read_timeouts; - - /* Number of write timeouts so far */ - unsigned int write_timeouts; - - /* Number of alerts received so far */ - unsigned int num_alerts; -}; - -struct _pqueue; - -typedef struct record_pqueue_st { - unsigned short epoch; - struct _pqueue *q; -} record_pqueue; - -typedef struct hm_fragment_st { - struct hm_header_st msg_header; - unsigned char *fragment; - unsigned char *reassembly; -} hm_fragment; - -struct dtls1_state_internal_st; - -typedef struct dtls1_state_st { - /* Buffered (sent) handshake records */ - struct _pqueue *sent_messages; - - /* Indicates when the last handshake msg or heartbeat sent will timeout */ - struct timeval next_timeout; - - /* Timeout duration */ - unsigned short timeout_duration; - - struct dtls1_state_internal_st *internal; -} DTLS1_STATE; - -#ifndef LIBRESSL_INTERNAL - -typedef struct dtls1_record_data_st { - unsigned char *packet; - unsigned int packet_length; - SSL3_BUFFER rbuf; - SSL3_RECORD rrec; -} DTLS1_RECORD_DATA; - -#endif - -#endif - /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */ #define DTLS1_TMO_READ_COUNT 2 #define DTLS1_TMO_WRITE_COUNT 2 diff --git a/include/openssl/ec.h b/include/openssl/ec.h index a95d99f..d8ff42c 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ec.h,v 1.18 2019/09/29 10:09:09 tb Exp $ */ +/* $OpenBSD: ec.h,v 1.27 2021/09/12 16:23:19 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -250,6 +250,8 @@ const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); */ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); +int EC_GROUP_order_bits(const EC_GROUP *group); + /** Gets the cofactor of a EC_GROUP * \param group EC_GROUP object * \param cofactor BIGNUM to which the cofactor is copied @@ -280,6 +282,11 @@ unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); size_t EC_GROUP_get_seed_len(const EC_GROUP *); size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); +int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx); +int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, + BN_CTX *ctx); +#if !defined(LIBRESSL_INTERNAL) /** Sets the parameter of a ec over GFp defined by y^2 = x^3 + a*x + b * \param group EC_GROUP object * \param p BIGNUM with the prime number @@ -321,6 +328,8 @@ int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, c */ int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); #endif +#endif + /** Returns the number of bits needed to represent a field element * \param group EC_GROUP object * \return number of bits needed to represent a field element @@ -446,6 +455,22 @@ const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); */ int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point); +int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p, + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); +int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p, + BIGNUM *x, BIGNUM *y, BN_CTX *ctx); +int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p, + const BIGNUM *x, int y_bit, BN_CTX *ctx); + +#if defined(LIBRESSL_INTERNAL) + +int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p, + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); +int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); + +#else + /** Sets the jacobian projective coordinates of a EC_POINT over GFp * \param group underlying EC_GROUP object * \param p EC_POINT object @@ -502,6 +527,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, */ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, const BIGNUM *x, int y_bit, BN_CTX *ctx); + #ifndef OPENSSL_NO_EC2M /** Sets the affine coordinates of a EC_POINT over GF2m * \param group underlying EC_GROUP object @@ -535,7 +561,9 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, */ int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, const BIGNUM *x, int y_bit, BN_CTX *ctx); -#endif +#endif /* OPENSSL_NO_EC2M */ +#endif /* !LIBRESSL_INTERNAL */ + /** Encodes a EC_POINT object to a octet string * \param group underlying EC_GROUP object * \param p EC_POINT object @@ -680,7 +708,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, unsigned int *k2, unsigned int *k3); #endif -#define OPENSSL_EC_NAMED_CURVE 0x001 +#define OPENSSL_EC_EXPLICIT_CURVE 0x000 +#define OPENSSL_EC_NAMED_CURVE 0x001 typedef struct ecpk_parameters_st ECPKPARAMETERS; diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f1fe8a1..06c529e 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */ +/* $OpenBSD: evp.h,v 1.83 2021/05/10 17:00:32 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -617,7 +617,7 @@ int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); #ifndef LIBRESSL_INTERNAL int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); #endif - + int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, EVP_PKEY *pkey); @@ -628,11 +628,17 @@ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen); +int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + const unsigned char *tbs, size_t tbslen); + int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen); +int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + size_t siglen, const unsigned char *tbs, size_t tbslen); + int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *ek, int ekl, const unsigned char *iv, EVP_PKEY *priv); int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); @@ -1149,6 +1155,8 @@ void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen); EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key, int keylen); +EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, + size_t len, const EVP_CIPHER *cipher); void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data); void *EVP_PKEY_CTX_get_data(EVP_PKEY_CTX *ctx); @@ -1512,6 +1520,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 #define EVP_R_KEYGEN_FAILURE 120 +#define EVP_R_KEY_SETUP_FAILED 180 #define EVP_R_MESSAGE_DIGEST_IS_NULL 159 #define EVP_R_METHOD_NOT_SUPPORTED 144 #define EVP_R_MISSING_PARAMETERS 103 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 3ed1087..d86324c 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -853,10 +853,34 @@ #define NID_id_smime_ct_compressedData 786 #define OBJ_id_smime_ct_compressedData OBJ_id_smime_ct,9L +#define SN_id_ct_routeOriginAuthz "id-ct-routeOriginAuthz" +#define NID_id_ct_routeOriginAuthz 1001 +#define OBJ_id_ct_routeOriginAuthz OBJ_id_smime_ct,24L + +#define SN_id_ct_rpkiManifest "id-ct-rpkiManifest" +#define NID_id_ct_rpkiManifest 1002 +#define OBJ_id_ct_rpkiManifest OBJ_id_smime_ct,26L + #define SN_id_ct_asciiTextWithCRLF "id-ct-asciiTextWithCRLF" #define NID_id_ct_asciiTextWithCRLF 787 #define OBJ_id_ct_asciiTextWithCRLF OBJ_id_smime_ct,27L +#define SN_id_ct_rpkiGhostbusters "id-ct-rpkiGhostbusters" +#define NID_id_ct_rpkiGhostbusters 1003 +#define OBJ_id_ct_rpkiGhostbusters OBJ_id_smime_ct,35L + +#define SN_id_ct_resourceTaggedAttest "id-ct-resourceTaggedAttest" +#define NID_id_ct_resourceTaggedAttest 1004 +#define OBJ_id_ct_resourceTaggedAttest OBJ_id_smime_ct,36L + +#define SN_id_ct_geofeedCSVwithCRLF "id-ct-geofeedCSVwithCRLF" +#define NID_id_ct_geofeedCSVwithCRLF 1013 +#define OBJ_id_ct_geofeedCSVwithCRLF OBJ_id_smime_ct,47L + +#define SN_id_ct_signedChecklist "id-ct-signedChecklist" +#define NID_id_ct_signedChecklist 1014 +#define OBJ_id_ct_signedChecklist OBJ_id_smime_ct,48L + #define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest" #define NID_id_smime_aa_receiptRequest 212 #define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L @@ -1366,6 +1390,10 @@ #define NID_id_cct 268 #define OBJ_id_cct OBJ_id_pkix,12L +#define SN_id_cp "id-cp" +#define NID_id_cp 1005 +#define OBJ_id_cp OBJ_id_pkix,14L + #define SN_id_ppl "id-ppl" #define NID_id_ppl 662 #define OBJ_id_ppl OBJ_id_pkix,21L @@ -1490,6 +1518,14 @@ #define NID_proxyCertInfo 663 #define OBJ_proxyCertInfo OBJ_id_pe,14L +#define SN_sbgp_ipAddrBlockv2 "sbgp-ipAddrBlockv2" +#define NID_sbgp_ipAddrBlockv2 1006 +#define OBJ_sbgp_ipAddrBlockv2 OBJ_id_pe,28L + +#define SN_sbgp_autonomousSysNumv2 "sbgp-autonomousSysNumv2" +#define NID_sbgp_autonomousSysNumv2 1007 +#define OBJ_sbgp_autonomousSysNumv2 OBJ_id_pe,29L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 @@ -1554,6 +1590,11 @@ #define NID_dvcs 297 #define OBJ_dvcs OBJ_id_kp,10L +#define SN_id_kp_bgpsec_router "id-kp-bgpsec-router" +#define LN_id_kp_bgpsec_router "BGPsec Router" +#define NID_id_kp_bgpsec_router 1015 +#define OBJ_id_kp_bgpsec_router OBJ_id_kp,30L + #define SN_id_it_caProtEncCert "id-it-caProtEncCert" #define NID_id_it_caProtEncCert 298 #define OBJ_id_it_caProtEncCert OBJ_id_it,1L @@ -1823,6 +1864,14 @@ #define NID_id_cct_PKIResponse 362 #define OBJ_id_cct_PKIResponse OBJ_id_cct,3L +#define SN_ipAddr_asNumber "ipAddr-asNumber" +#define NID_ipAddr_asNumber 1008 +#define OBJ_ipAddr_asNumber OBJ_id_cp,2L + +#define SN_ipAddr_asNumberv2 "ipAddr-asNumberv2" +#define NID_ipAddr_asNumberv2 1009 +#define OBJ_ipAddr_asNumberv2 OBJ_id_cp,3L + #define SN_id_ppl_anyLanguage "id-ppl-anyLanguage" #define LN_id_ppl_anyLanguage "Any language" #define NID_id_ppl_anyLanguage 664 @@ -1863,6 +1912,21 @@ #define NID_caRepository 785 #define OBJ_caRepository OBJ_id_ad,5L +#define SN_rpkiManifest "rpkiManifest" +#define LN_rpkiManifest "RPKI Manifest" +#define NID_rpkiManifest 1010 +#define OBJ_rpkiManifest OBJ_id_ad,10L + +#define SN_signedObject "signedObject" +#define LN_signedObject "Signed Object" +#define NID_signedObject 1011 +#define OBJ_signedObject OBJ_id_ad,11L + +#define SN_rpkiNotify "rpkiNotify" +#define LN_rpkiNotify "RPKI Notify" +#define NID_rpkiNotify 1012 +#define OBJ_rpkiNotify OBJ_id_ad,13L + #define OBJ_id_pkix_OCSP OBJ_ad_OCSP #define SN_id_pkix_OCSP_basic "basicOCSPResponse" diff --git a/include/openssl/opensslfeatures.h b/include/openssl/opensslfeatures.h index 9684276..ba80520 100644 --- a/include/openssl/opensslfeatures.h +++ b/include/openssl/opensslfeatures.h @@ -3,7 +3,8 @@ * are enabled, rather than not being able to tell when things are * enabled (or possibly not yet not implemented, or removed!). */ -/* #define LIBRESSL_HAS_TLS1_3 */ +#define LIBRESSL_HAS_TLS1_3 +#define LIBRESSL_HAS_DTLS1_2 #define OPENSSL_THREADS diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 28b1f1f..e06b97e 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -1,11 +1,11 @@ -/* $OpenBSD: opensslv.h,v 1.61 2020/09/25 11:31:39 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.66 2021/09/15 17:14:26 tb Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x3020200fL +#define LIBRESSL_VERSION_NUMBER 0x3040200fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 3.2.2" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.4.2" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/include/openssl/srtp.h b/include/openssl/srtp.h index 6daa02a..89ce862 100644 --- a/include/openssl/srtp.h +++ b/include/openssl/srtp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: srtp.h,v 1.6 2015/09/01 15:18:23 jsing Exp $ */ +/* $OpenBSD: srtp.h,v 1.7 2021/06/11 15:28:13 landry Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -129,6 +129,10 @@ extern "C" { #define SRTP_NULL_SHA1_80 0x0005 #define SRTP_NULL_SHA1_32 0x0006 +/* AEAD SRTP protection profiles from RFC 7714 */ +#define SRTP_AEAD_AES_128_GCM 0x0007 +#define SRTP_AEAD_AES_256_GCM 0x0008 + int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 88039c0..2c208b0 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.178 2020/09/20 09:42:00 tb Exp $ */ +/* $OpenBSD: ssl.h,v 1.209 2021/09/14 23:07:18 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -301,6 +301,7 @@ extern "C" { #define SSL_TXT_STREEBOG512 "STREEBOG512" #define SSL_TXT_DTLS1 "DTLSv1" +#define SSL_TXT_DTLS1_2 "DTLSv1.2" #define SSL_TXT_SSLV2 "SSLv2" #define SSL_TXT_SSLV3 "SSLv3" #define SSL_TXT_TLSV1 "TLSv1" @@ -356,7 +357,9 @@ extern "C" { * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +#if defined(LIBRESSL_INTERNAL) typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; +#endif typedef struct ssl_method_st SSL_METHOD; typedef struct ssl_cipher_st SSL_CIPHER; typedef struct ssl_session_st SSL_SESSION; @@ -376,113 +379,6 @@ typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); -#ifndef OPENSSL_NO_SSL_INTERN - -/* used to hold info on the particular ciphers used */ -struct ssl_cipher_st { - int valid; - const char *name; /* text name */ - unsigned long id; /* id, 4 bytes, first is version */ - - unsigned long algorithm_mkey; /* key exchange algorithm */ - unsigned long algorithm_auth; /* server authentication */ - unsigned long algorithm_enc; /* symmetric encryption */ - unsigned long algorithm_mac; /* symmetric authentication */ - unsigned long algorithm_ssl; /* (major) protocol version */ - - unsigned long algo_strength; /* strength and export flags */ - unsigned long algorithm2; /* Extra flags */ - int strength_bits; /* Number of bits really used */ - int alg_bits; /* Number of bits for algorithm */ -}; - - -/* Used to hold functions for SSLv3/TLSv1 functions */ -struct ssl_method_internal_st; - -struct ssl_method_st { - int (*ssl_dispatch_alert)(SSL *s); - int (*num_ciphers)(void); - const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); - const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); - int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); - - const struct ssl_method_internal_st *internal; -}; - -/* Lets make this into an ASN.1 type structure as follows - * SSL_SESSION_ID ::= SEQUENCE { - * version INTEGER, -- structure version number - * SSLversion INTEGER, -- SSL version number - * Cipher OCTET STRING, -- the 3 byte cipher ID - * Session_ID OCTET STRING, -- the Session ID - * Master_key OCTET STRING, -- the master key - * KRB5_principal OCTET STRING -- optional Kerberos principal - * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time - * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds - * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate - * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context - * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' - * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension - * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint - * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity - * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket - * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) - * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method - * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username - * } - * Look in ssl/ssl_asn1.c for more details - * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). - */ -struct ssl_session_internal_st; - -struct ssl_session_st { - int ssl_version; /* what ssl version session info is - * being kept in here? */ - - int master_key_length; - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; - - /* session_id - valid? */ - unsigned int session_id_length; - unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; - - /* this is used to determine whether the session is being reused in - * the appropriate context. It is up to the application to set this, - * via SSL_new */ - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - - /* This is the cert for the other end. */ - X509 *peer; - - /* when app_verify_callback accepts a session where the peer's certificate - * is not ok, we must remember the error for session reuse: */ - long verify_result; /* only for servers */ - - long timeout; - time_t time; - int references; - - const SSL_CIPHER *cipher; - unsigned long cipher_id; /* when ASN.1 loaded, this - * needs to be used to load - * the 'cipher' structure */ - - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ - - char *tlsext_hostname; - - /* RFC4507 info */ - unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ - long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ - - struct ssl_session_internal_st *internal; -}; - -#endif - /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L @@ -520,6 +416,9 @@ struct ssl_session_st { #define SSL_OP_NO_TLSv1_3 0x20000000L #endif +#define SSL_OP_NO_DTLSv1 0x40000000L +#define SSL_OP_NO_DTLSv1_2 0x80000000L + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */ #define SSL_OP_ALL \ (SSL_OP_LEGACY_SERVER_CONNECT) @@ -610,8 +509,10 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) +#ifndef LIBRESSL_INTERNAL struct ssl_aead_ctx_st; typedef struct ssl_aead_ctx_st SSL_AEAD_CTX; +#endif #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ @@ -635,7 +536,7 @@ typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, typedef struct ssl_comp_st SSL_COMP; -#ifndef OPENSSL_NO_SSL_INTERN +#ifdef LIBRESSL_INTERNAL struct ssl_comp_st { int id; @@ -782,6 +683,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, unsigned int *len); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md, + const unsigned char **id, size_t *idlen, SSL_SESSION **sess); +void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb); +#endif + #define SSL_NOTHING 1 #define SSL_WRITING 2 #define SSL_READING 3 @@ -796,7 +703,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, #define SSL_MAC_FLAG_READ_MAC_STREAM 1 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 -#ifndef OPENSSL_NO_SSL_INTERN +#if defined(LIBRESSL_INTERNAL) struct ssl_internal_st; struct ssl_st { @@ -954,6 +861,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_VERIFY_PEER 0x01 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 #define SSL_VERIFY_CLIENT_ONCE 0x04 +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_VERIFY_POST_HANDSHAKE 0x08 + +int SSL_verify_client_post_handshake(SSL *s); +void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); +void SSL_set_post_handshake_auth(SSL *s, int val); +#endif #define OpenSSL_add_ssl_algorithms() SSL_library_init() #define SSLeay_add_ssl_algorithms() SSL_library_init() @@ -982,40 +896,53 @@ SSL_SESSION *PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x, int PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x); int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); -#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */ +/* + * TLS Alerts. + * + * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6 + */ -/* These alert types are for SSLv3 and TLSv1 */ -#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY -#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */ -#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */ -#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED -#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW -#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */ -#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */ -#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */ -#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE -#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE -#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED -#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED -#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN -#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */ -#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */ -#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */ -#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */ -#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR -#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */ -#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */ -#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */ -#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */ -#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ -#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED -#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION -#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION -#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE -#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME -#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE -#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE -#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +/* Obsolete alerts. */ +#ifndef LIBRESSL_INTERNAL +#define SSL_AD_DECRYPTION_FAILED 21 /* Removed in TLSv1.1 */ +#define SSL_AD_NO_CERTIFICATE 41 /* Removed in TLSv1.0 */ +#define SSL_AD_EXPORT_RESTRICTION 60 /* Removed in TLSv1.1 */ +#endif + +#define SSL_AD_CLOSE_NOTIFY 0 +#define SSL_AD_UNEXPECTED_MESSAGE 10 +#define SSL_AD_BAD_RECORD_MAC 20 +#define SSL_AD_RECORD_OVERFLOW 22 +#define SSL_AD_DECOMPRESSION_FAILURE 30 /* Removed in TLSv1.3 */ +#define SSL_AD_HANDSHAKE_FAILURE 40 +#define SSL_AD_BAD_CERTIFICATE 42 +#define SSL_AD_UNSUPPORTED_CERTIFICATE 43 +#define SSL_AD_CERTIFICATE_REVOKED 44 +#define SSL_AD_CERTIFICATE_EXPIRED 45 +#define SSL_AD_CERTIFICATE_UNKNOWN 46 +#define SSL_AD_ILLEGAL_PARAMETER 47 +#define SSL_AD_UNKNOWN_CA 48 +#define SSL_AD_ACCESS_DENIED 49 +#define SSL_AD_DECODE_ERROR 50 +#define SSL_AD_DECRYPT_ERROR 51 +#define SSL_AD_PROTOCOL_VERSION 70 +#define SSL_AD_INSUFFICIENT_SECURITY 71 +#define SSL_AD_INTERNAL_ERROR 80 +#define SSL_AD_INAPPROPRIATE_FALLBACK 86 +#define SSL_AD_USER_CANCELLED 90 +#define SSL_AD_NO_RENEGOTIATION 100 /* Removed in TLSv1.3 */ +#define SSL_AD_MISSING_EXTENSION 109 /* Added in TLSv1.3. */ +#define SSL_AD_UNSUPPORTED_EXTENSION 110 +#define SSL_AD_CERTIFICATE_UNOBTAINABLE 111 /* Removed in TLSv1.3 */ +#define SSL_AD_UNRECOGNIZED_NAME 112 +#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113 +#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE 114 /* Removed in TLSv1.3 */ +#define SSL_AD_UNKNOWN_PSK_IDENTITY 115 +#define SSL_AD_CERTIFICATE_REQUIRED 116 +#define SSL_AD_NO_APPLICATION_PROTOCOL 120 + +/* Offset to get an SSL_R_... value from an SSL_AD_... value. */ +#define SSL_AD_REASON_OFFSET 1000 #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1088,6 +1015,7 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 @@ -1127,6 +1055,7 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_ECDH_AUTO 94 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 #define SSL_CTRL_GET_PEER_TMP_KEY 109 #define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY #else @@ -1142,6 +1071,10 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_GET_MIN_PROTO_VERSION 130 #define SSL_CTRL_GET_MAX_PROTO_VERSION 131 +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_CTRL_GET_SIGNATURE_NID 132 +#endif + #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) #define DTLSv1_handle_timeout(ssl) \ @@ -1214,6 +1147,8 @@ int SSL_get_max_proto_version(SSL *ssl); int SSL_set_min_proto_version(SSL *ssl, uint16_t version); int SSL_set_max_proto_version(SSL *ssl, uint16_t version); +const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx); + #ifndef LIBRESSL_INTERNAL #define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS #define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST @@ -1237,8 +1172,17 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_get_signature_nid(s, pn) \ + SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NID, 0, pn) + +#define SSL_get_peer_signature_nid(s, pn) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NID, 0, pn) #define SSL_get_peer_tmp_key(s, pk) \ SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk) + +int SSL_get_signature_type_nid(const SSL *ssl, int *nid); +int SSL_get_peer_signature_type_nid(const SSL *ssl, int *nid); + #endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */ #ifndef LIBRESSL_INTERNAL @@ -1296,6 +1240,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *ctx); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); +EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx); int SSL_want(const SSL *s); int SSL_clear(SSL *s); @@ -1309,6 +1254,7 @@ const char * SSL_CIPHER_get_version(const SSL_CIPHER *c); const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c); uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c); +const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c); @@ -1327,6 +1273,7 @@ int SSL_set_rfd(SSL *s, int fd); int SSL_set_wfd(SSL *s, int fd); void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); BIO * SSL_get_rbio(const SSL *s); +void SSL_set0_rbio(SSL *s, BIO *rbio); BIO * SSL_get_wbio(const SSL *s); int SSL_set_cipher_list(SSL *s, const char *str); #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) @@ -1349,6 +1296,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_certificate_file(SSL *ssl, const char *file, int type); +int SSL_use_certificate_chain_file(SSL *ssl, const char *file); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); @@ -1365,6 +1313,7 @@ const char *SSL_state_string(const SSL *s); const char *SSL_rstate_string(const SSL *s); const char *SSL_state_string_long(const SSL *s); const char *SSL_rstate_string_long(const SSL *s); +const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *ss); size_t SSL_SESSION_get_master_key(const SSL_SESSION *ss, unsigned char *out, size_t max_out); int SSL_SESSION_get_protocol_version(const SSL_SESSION *s); @@ -1378,6 +1327,9 @@ int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +int SSL_SESSION_is_resumable(const SSL_SESSION *s); +#endif SSL_SESSION *SSL_SESSION_new(void); void SSL_SESSION_free(SSL_SESSION *ses); @@ -1443,9 +1395,8 @@ int SSL_set_purpose(SSL *s, int purpose); int SSL_CTX_set_trust(SSL_CTX *s, int trust); int SSL_set_trust(SSL *s, int trust); int SSL_set1_host(SSL *s, const char *hostname); -#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +void SSL_set_hostflags(SSL *s, unsigned int flags); const char *SSL_get0_peername(SSL *s); -#endif X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); @@ -1457,6 +1408,7 @@ void SSL_free(SSL *ssl); int SSL_up_ref(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); +int SSL_is_dtls(const SSL *s); int SSL_is_server(const SSL *s); int SSL_read(SSL *ssl, void *buf, int num); int SSL_peek(SSL *ssl, void *buf, int num); @@ -1516,6 +1468,10 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ +const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */ + const SSL_METHOD *DTLS_method(void); /* DTLS v1.0 or later */ const SSL_METHOD *DTLS_server_method(void); /* DTLS v1.0 or later */ const SSL_METHOD *DTLS_client_method(void); /* DTLS v1.0 or later */ @@ -2035,6 +1991,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_MISSING_VERIFY_MESSAGE 174 #define SSL_R_MULTIPLE_SGC_RESTARTS 346 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175 +#define SSL_R_NO_APPLICATION_PROTOCOL 235 #define SSL_R_NO_CERTIFICATES_RETURNED 176 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177 #define SSL_R_NO_CERTIFICATE_RETURNED 178 diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index a102d11..6c6cc2a 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.51 2020/06/05 18:14:05 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.57 2021/09/10 14:49:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -292,11 +292,11 @@ extern "C" { #define SSL3_RT_ALERT 21 #define SSL3_RT_HANDSHAKE 22 #define SSL3_RT_APPLICATION_DATA 23 -#define TLS1_RT_HEARTBEAT 24 #define SSL3_AL_WARNING 1 #define SSL3_AL_FATAL 2 +#ifndef LIBRESSL_INTERNAL #define SSL3_AD_CLOSE_NOTIFY 0 #define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */ #define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */ @@ -309,34 +309,11 @@ extern "C" { #define SSL3_AD_CERTIFICATE_EXPIRED 45 #define SSL3_AD_CERTIFICATE_UNKNOWN 46 #define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */ +#endif #define TLS1_HB_REQUEST 1 #define TLS1_HB_RESPONSE 2 -#ifndef OPENSSL_NO_SSL_INTERN -#ifndef LIBRESSL_INTERNAL - -typedef struct ssl3_record_st { -/*r */ int type; /* type of record */ -/*rw*/ unsigned int length; /* How many bytes available */ -/*r */ unsigned int off; /* read/write offset into 'buf' */ -/*rw*/ unsigned char *data; /* pointer to the record data */ -/*rw*/ unsigned char *input; /* where the decode bytes are */ -/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ -/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ -} SSL3_RECORD; - -typedef struct ssl3_buffer_st { - unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, - * see ssl3_setup_buffers() */ - size_t len; /* buffer size */ - int offset; /* where to 'copy from' */ - int left; /* how many bytes left */ -} SSL3_BUFFER; - -#endif -#endif - #define SSL3_CT_RSA_SIGN 1 #define SSL3_CT_DSS_SIGN 2 #define SSL3_CT_RSA_FIXED_DH 3 @@ -355,21 +332,6 @@ typedef struct ssl3_buffer_st { #define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020 #define SSL3_FLAGS_CCS_OK 0x0080 -#ifndef OPENSSL_NO_SSL_INTERN - -struct ssl3_state_internal_st; - -typedef struct ssl3_state_st { - long flags; - - unsigned char server_random[SSL3_RANDOM_SIZE]; - unsigned char client_random[SSL3_RANDOM_SIZE]; - - struct ssl3_state_internal_st *internal; -} SSL3_STATE; - -#endif - /* SSLv3 */ /*client */ /* extra state */ @@ -475,6 +437,7 @@ typedef struct ssl3_state_st { #define SSL3_MT_CCS 1 +#ifndef LIBRESSL_INTERNAL /* These are used when changing over to a new cipher */ #define SSL3_CC_READ 0x01 #define SSL3_CC_WRITE 0x02 @@ -484,6 +447,7 @@ typedef struct ssl3_state_st { #define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ) #define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ) #define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE) +#endif #ifdef __cplusplus } diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 8cd5226..cb06a53 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.41 2020/06/05 18:14:05 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.49 2021/09/10 14:57:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -177,18 +177,7 @@ extern "C" { #define TLS1_VERSION_MAJOR 0x03 #define TLS1_VERSION_MINOR 0x01 -#define TLS1_get_version(s) \ - ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) - -#define TLS1_get_client_version(s) \ - ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) - -/* - * TLS Alert codes. - * - * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6 - */ - +#ifndef LIBRESSL_INTERNAL #define TLS1_AD_DECRYPTION_FAILED 21 #define TLS1_AD_RECORD_OVERFLOW 22 #define TLS1_AD_UNKNOWN_CA 48 /* fatal */ @@ -211,6 +200,7 @@ extern "C" { #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114 /* Code 115 from RFC 4279. */ #define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */ +#endif /* * TLS ExtensionType values. @@ -328,6 +318,9 @@ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb) #define SSL_set_tlsext_debug_arg(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg) +#define SSL_get_tlsext_status_type(ssl) \ +SSL_ctrl(ssl, SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE, 0, NULL) + #define SSL_set_tlsext_status_type(ssl, type) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL) @@ -768,11 +761,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) #define TLS_MD_MASTER_SECRET_CONST "master secret" #define TLS_MD_MASTER_SECRET_CONST_SIZE 13 +#if defined(LIBRESSL_INTERNAL) /* TLS Session Ticket extension struct. */ struct tls_session_ticket_ext_st { unsigned short length; void *data; }; +#endif #ifdef __cplusplus } diff --git a/include/openssl/x509.h b/include/openssl/x509.h index e30cbc0..bb675bd 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.74 2018/08/24 20:26:03 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.76 2021/09/02 12:41:44 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -300,6 +300,10 @@ struct x509_st STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; +#ifndef OPENSSL_NO_RFC3779 + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; +#endif #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif @@ -692,6 +696,7 @@ int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa); #ifndef OPENSSL_NO_DSA DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); +DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); #endif #ifndef OPENSSL_NO_EC diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index a68d5c0..57189b9 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.31 2020/09/13 15:06:17 beck Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.32 2021/02/24 18:01:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -247,7 +247,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ /* The following is built up */ int valid; /* if 0, rebuild chain */ - int last_untrusted; /* index of last untrusted cert */ + int last_untrusted; /* XXX: number of untrusted certs in chain!!! */ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ X509_POLICY_TREE *tree; /* Valid policy tree */ diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index d2754fa..abe9307 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */ +/* $OpenBSD: x509v3.h,v 1.5 2021/09/02 13:48:39 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -842,6 +842,196 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); DECLARE_STACK_OF(X509_POLICY_NODE) +#if defined(LIBRESSL_INTERNAL) +#ifndef OPENSSL_NO_RFC3779 +typedef struct ASRange_st { + ASN1_INTEGER *min, *max; +} ASRange; + +# define ASIdOrRange_id 0 +# define ASIdOrRange_range 1 + +typedef struct ASIdOrRange_st { + int type; + union { + ASN1_INTEGER *id; + ASRange *range; + } u; +} ASIdOrRange; + +typedef STACK_OF(ASIdOrRange) ASIdOrRanges; +DECLARE_STACK_OF(ASIdOrRange) + +# define ASIdentifierChoice_inherit 0 +# define ASIdentifierChoice_asIdsOrRanges 1 + +typedef struct ASIdentifierChoice_st { + int type; + union { + ASN1_NULL *inherit; + ASIdOrRanges *asIdsOrRanges; + } u; +} ASIdentifierChoice; + +typedef struct ASIdentifiers_st { + ASIdentifierChoice *asnum, *rdi; +} ASIdentifiers; + +ASRange *ASRange_new(void); +void ASRange_free(ASRange *a); +ASRange *d2i_ASRange(ASRange **a, const unsigned char **in, long len); +int i2d_ASRange(ASRange *a, unsigned char **out); +extern const ASN1_ITEM ASRange_it; + +ASIdOrRange *ASIdOrRange_new(void); +void ASIdOrRange_free(ASIdOrRange *a); +ASIdOrRange *d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, + long len); +int i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out); +extern const ASN1_ITEM ASIdOrRange_it; + +ASIdentifierChoice *ASIdentifierChoice_new(void); +void ASIdentifierChoice_free(ASIdentifierChoice *a); +ASIdentifierChoice *d2i_ASIdentifierChoice(ASIdentifierChoice **a, + const unsigned char **in, long len); +int i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out); +extern const ASN1_ITEM ASIdentifierChoice_it; + +ASIdentifiers *ASIdentifiers_new(void); +void ASIdentifiers_free(ASIdentifiers *a); +ASIdentifiers *d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, + long len); +int i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out); +extern const ASN1_ITEM ASIdentifiers_it; + +typedef struct IPAddressRange_st { + ASN1_BIT_STRING *min, *max; +} IPAddressRange; + +# define IPAddressOrRange_addressPrefix 0 +# define IPAddressOrRange_addressRange 1 + +typedef struct IPAddressOrRange_st { + int type; + union { + ASN1_BIT_STRING *addressPrefix; + IPAddressRange *addressRange; + } u; +} IPAddressOrRange; + +typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; +DECLARE_STACK_OF(IPAddressOrRange) + +# define IPAddressChoice_inherit 0 +# define IPAddressChoice_addressesOrRanges 1 + +typedef struct IPAddressChoice_st { + int type; + union { + ASN1_NULL *inherit; + IPAddressOrRanges *addressesOrRanges; + } u; +} IPAddressChoice; + +typedef struct IPAddressFamily_st { + ASN1_OCTET_STRING *addressFamily; + IPAddressChoice *ipAddressChoice; +} IPAddressFamily; + +typedef STACK_OF(IPAddressFamily) IPAddrBlocks; +DECLARE_STACK_OF(IPAddressFamily) + +IPAddressRange *IPAddressRange_new(void); +void IPAddressRange_free(IPAddressRange *a); +IPAddressRange *d2i_IPAddressRange(IPAddressRange **a, + const unsigned char **in, long len); +int i2d_IPAddressRange(IPAddressRange *a, unsigned char **out); +extern const ASN1_ITEM IPAddressRange_it; + +IPAddressOrRange *IPAddressOrRange_new(void); +void IPAddressOrRange_free(IPAddressOrRange *a); +IPAddressOrRange *d2i_IPAddressOrRange(IPAddressOrRange **a, + const unsigned char **in, long len); +int i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out); +extern const ASN1_ITEM IPAddressOrRange_it; + +IPAddressChoice *IPAddressChoice_new(void); +void IPAddressChoice_free(IPAddressChoice *a); +IPAddressChoice *d2i_IPAddressChoice(IPAddressChoice **a, + const unsigned char **in, long len); +int i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out); +extern const ASN1_ITEM IPAddressChoice_it; + +IPAddressFamily *IPAddressFamily_new(void); +void IPAddressFamily_free(IPAddressFamily *a); +IPAddressFamily *d2i_IPAddressFamily(IPAddressFamily **a, + const unsigned char **in, long len); +int i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out); +extern const ASN1_ITEM IPAddressFamily_it; + +/* + * API tag for elements of the ASIdentifer SEQUENCE. + */ +# define V3_ASID_ASNUM 0 +# define V3_ASID_RDI 1 + +/* + * AFI values, assigned by IANA. It'd be nice to make the AFI + * handling code totally generic, but there are too many little things + * that would need to be defined for other address families for it to + * be worth the trouble. + */ +# define IANA_AFI_IPV4 1 +# define IANA_AFI_IPV6 2 +/* + * Utilities to construct and extract values from RFC3779 extensions, + * since some of the encodings (particularly for IP address prefixes + * and ranges) are a bit tedious to work with directly. + */ +int X509v3_asid_add_inherit(ASIdentifiers *asid, int which); +int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, + ASN1_INTEGER *min, ASN1_INTEGER *max); +int X509v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi); +int X509v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *a, const int prefixlen); +int X509v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *min, unsigned char *max); +unsigned X509v3_addr_get_afi(const IPAddressFamily *f); +int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, + unsigned char *min, unsigned char *max, + const int length); +/* + * Canonical forms. + */ +int X509v3_asid_is_canonical(ASIdentifiers *asid); +int X509v3_addr_is_canonical(IPAddrBlocks *addr); +int X509v3_asid_canonize(ASIdentifiers *asid); +int X509v3_addr_canonize(IPAddrBlocks *addr); + +/* + * Tests for inheritance and containment. + */ +int X509v3_asid_inherits(ASIdentifiers *asid); +int X509v3_addr_inherits(IPAddrBlocks *addr); +int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b); +int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b); + +/* + * Check whether RFC 3779 extensions nest properly in chains. + */ +int X509v3_asid_validate_path(X509_STORE_CTX *); +int X509v3_addr_validate_path(X509_STORE_CTX *); +int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, + ASIdentifiers *ext, + int allow_inheritance); +int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, + IPAddrBlocks *ext, int allow_inheritance); + +#endif /* OPENSSL_NO_RFC3779 */ +#endif /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/openssl.cnf b/openssl.cnf new file mode 100644 index 0000000..8ce83bf --- /dev/null +++ b/openssl.cnf @@ -0,0 +1,24 @@ +[ req ] +#default_bits = 2048 +#default_md = sha256 +#default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = State or Province Name (full name) +localityName = Locality Name (eg, city) +0.organizationName = Organization Name (eg, company) +organizationalUnitName = Organizational Unit Name (eg, section) +commonName = Common Name (eg, fully qualified host name) +commonName_max = 64 +emailAddress = Email Address +emailAddress_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt index 015cb62..a772d12 100644 --- a/ssl/CMakeLists.txt +++ b/ssl/CMakeLists.txt @@ -5,11 +5,9 @@ set( bs_cbb.c bs_cbs.c d1_both.c - d1_clnt.c d1_lib.c d1_pkt.c d1_srtp.c - d1_srvr.c pqueue.c s3_cbc.c s3_lib.c @@ -38,6 +36,9 @@ set( ssl_versions.c t1_enc.c t1_lib.c + tls_content.c + tls12_key_schedule.c + tls12_lib.c tls12_record_layer.c tls13_buffer.c tls13_client.c @@ -53,7 +54,15 @@ set( tls13_server.c ) -add_library(ssl ${SSL_SRC}) +add_library(ssl_obj OBJECT ${SSL_SRC}) +target_include_directories(ssl_obj + PRIVATE + . + ../include/compat + PUBLIC + ../include) + +add_library(ssl $) target_include_directories(ssl PRIVATE . diff --git a/ssl/VERSION b/ssl/VERSION index 9c7e424..5525aec 100644 --- a/ssl/VERSION +++ b/ssl/VERSION @@ -1 +1 @@ -48:1:0 +50:0:0 diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 93cfa0d..bb40b2a 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ssl.c,v 1.29 2018/08/24 20:30:21 tb Exp $ */ +/* $OpenBSD: bio_ssl.c,v 1.31 2021/07/01 17:53:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -294,10 +294,10 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr) SSL_shutdown(ssl); if (ssl->internal->handshake_func == - ssl->method->internal->ssl_connect) + ssl->method->ssl_connect) SSL_set_connect_state(ssl); else if (ssl->internal->handshake_func == - ssl->method->internal->ssl_accept) + ssl->method->ssl_accept) SSL_set_accept_state(ssl); SSL_clear(ssl); @@ -509,7 +509,7 @@ BIO_new_buffer_ssl_connect(SSL_CTX *ctx) goto err; return (ret); -err: + err: BIO_free(buf); BIO_free(ssl); return (NULL); @@ -528,7 +528,7 @@ BIO_new_ssl_connect(SSL_CTX *ctx) goto err; return (ret); -err: + err: BIO_free(con); BIO_free(ssl); return (NULL); @@ -553,7 +553,7 @@ BIO_new_ssl(SSL_CTX *ctx, int client) BIO_set_ssl(ret, ssl, BIO_CLOSE); return (ret); -err: + err: BIO_free(ret); return (NULL); } diff --git a/ssl/bs_ber.c b/ssl/bs_ber.c index 7863b8b..5cace24 100644 --- a/ssl/bs_ber.c +++ b/ssl/bs_ber.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_ber.c,v 1.9 2016/12/03 12:34:35 jsing Exp $ */ +/* $OpenBSD: bs_ber.c,v 1.11 2021/05/16 10:58:27 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -12,12 +12,11 @@ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ #include -#include - #include "bytestring.h" /* diff --git a/ssl/bs_cbb.c b/ssl/bs_cbb.c index e734dd6..e17c57e 100644 --- a/ssl/bs_cbb.c +++ b/ssl/bs_cbb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbb.c,v 1.23 2020/09/16 05:52:04 jsing Exp $ */ +/* $OpenBSD: bs_cbb.c,v 1.26 2021/05/16 10:58:27 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -12,13 +12,12 @@ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ #include #include -#include - #include "bytestring.h" #define CBB_INITIAL_SIZE 64 @@ -277,7 +276,7 @@ CBB_discard_child(CBB *cbb) return; cbb->base->len = cbb->offset; - + cbb->child->base = NULL; cbb->child = NULL; cbb->pending_len_len = 0; diff --git a/ssl/bs_cbs.c b/ssl/bs_cbs.c index 5c3b9e3..8d55871 100644 --- a/ssl/bs_cbs.c +++ b/ssl/bs_cbs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbs.c,v 1.18 2019/01/23 22:20:40 beck Exp $ */ +/* $OpenBSD: bs_cbs.c,v 1.20 2021/05/16 10:58:27 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -12,15 +12,12 @@ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ #include #include -#include -#include -#include - #include "bytestring.h" void diff --git a/ssl/bytestring.h b/ssl/bytestring.h index 20ee439..9e55dd4 100644 --- a/ssl/bytestring.h +++ b/ssl/bytestring.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bytestring.h,v 1.17 2018/08/16 18:39:37 jsing Exp $ */ +/* $OpenBSD: bytestring.h,v 1.19 2021/05/16 10:58:27 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -12,7 +12,8 @@ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ #ifndef OPENSSL_HEADER_BYTESTRING_H #define OPENSSL_HEADER_BYTESTRING_H @@ -20,8 +21,6 @@ #include #include -#include - __BEGIN_HIDDEN_DECLS /* diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 3d2516c..4c014be 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.60 2020/09/26 14:43:17 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.78 2021/09/04 14:24:28 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -117,15 +117,15 @@ #include #include -#include "ssl_locl.h" - #include #include #include #include -#include "pqueue.h" #include "bytestring.h" +#include "dtls_locl.h" +#include "pqueue.h" +#include "ssl_locl.h" #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) @@ -148,15 +148,15 @@ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ if (bitmask[ii] != 0xff) { is_complete = 0; break; } } -static unsigned char bitmask_start_values[] = { +static const unsigned char bitmask_start_values[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; -static unsigned char bitmask_end_values[] = { +static const unsigned char bitmask_end_values[] = { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; /* XDTLS: figure out the right values */ -static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; +static const unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, @@ -201,12 +201,6 @@ dtls1_hm_fragment_free(hm_fragment *frag) if (frag == NULL) return; - if (frag->msg_header.is_ccs) { - EVP_CIPHER_CTX_free( - frag->msg_header.saved_retransmit_state.enc_write_ctx); - EVP_MD_CTX_free( - frag->msg_header.saved_retransmit_state.write_hash); - } free(frag->fragment); free(frag->reassembly); free(frag); @@ -218,7 +212,8 @@ dtls1_do_write(SSL *s, int type) { int ret; int curr_mtu; - unsigned int len, frag_off, mac_size, blocksize; + unsigned int len, frag_off; + size_t overhead; /* AHA! Figure out the MTU, and stick to the right size */ if (D1I(s)->mtu < dtls1_min_mtu() && @@ -246,21 +241,13 @@ dtls1_do_write(SSL *s, int type) OPENSSL_assert(s->internal->init_num == (int)D1I(s)->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); - if (s->internal->write_hash) - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - else - mac_size = 0; - - if (s->internal->enc_write_ctx && - (EVP_CIPHER_mode( s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) - blocksize = 2 * EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); - else - blocksize = 0; + if (!tls12_record_layer_write_overhead(s->internal->rl, &overhead)) + return -1; frag_off = 0; while (s->internal->init_num) { curr_mtu = D1I(s)->mtu - BIO_wpending(SSL_get_wbio(s)) - - DTLS1_RT_HEADER_LENGTH - mac_size - blocksize; + DTLS1_RT_HEADER_LENGTH - overhead; if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { /* grr.. we could get an error if MTU picked was wrong */ @@ -268,7 +255,7 @@ dtls1_do_write(SSL *s, int type) if (ret <= 0) return ret; curr_mtu = D1I(s)->mtu - DTLS1_RT_HEADER_LENGTH - - mac_size - blocksize; + overhead; } if (s->internal->init_num > curr_mtu) @@ -276,7 +263,6 @@ dtls1_do_write(SSL *s, int type) else len = s->internal->init_num; - /* XDTLS: this function is too long. split out the CCS part */ if (type == SSL3_RT_HANDSHAKE) { if (s->internal->init_off != 0) { @@ -394,23 +380,23 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) * s3->internal->tmp is used to store messages that are unexpected, caused * by the absence of an optional handshake message */ - if (S3I(s)->tmp.reuse_message) { - S3I(s)->tmp.reuse_message = 0; - if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { + if (S3I(s)->hs.tls12.reuse_message) { + S3I(s)->hs.tls12.reuse_message = 0; + if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } *ok = 1; s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; - s->internal->init_num = (int)S3I(s)->tmp.message_size; + s->internal->init_num = (int)S3I(s)->hs.tls12.message_size; return s->internal->init_num; } msg_hdr = &D1I(s)->r_msg_hdr; memset(msg_hdr, 0, sizeof(struct hm_header_st)); -again: + again: i = dtls1_get_message_fragment(s, st1, stn, max, ok); if (i == DTLS1_HM_BAD_FRAGMENT || i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ @@ -441,7 +427,7 @@ again: s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; return s->internal->init_num; -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); *ok = 0; return -1; @@ -480,9 +466,9 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) return SSL_AD_INTERNAL_ERROR; } - S3I(s)->tmp.message_size = msg_len; + S3I(s)->hs.tls12.message_size = msg_len; D1I(s)->r_msg_hdr.msg_len = msg_len; - S3I(s)->tmp.message_type = msg_hdr->type; + S3I(s)->hs.tls12.message_type = msg_hdr->type; D1I(s)->r_msg_hdr.type = msg_hdr->type; D1I(s)->r_msg_hdr.seq = msg_hdr->seq; } else if (msg_len != D1I(s)->r_msg_hdr.msg_len) { @@ -614,7 +600,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) unsigned char devnull [256]; while (frag_len) { - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, devnull, frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0); if (i <= 0) @@ -626,7 +612,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) } /* read the body of the fragment (header has already been read */ - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment + msg_hdr->frag_off, frag_len, 0); if (i <= 0 || (unsigned long)i != frag_len) goto err; @@ -658,7 +644,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; -err: + err: if (item == NULL && frag != NULL) dtls1_hm_fragment_free(frag); *ok = 0; @@ -704,7 +690,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) unsigned char devnull [256]; while (frag_len) { - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, devnull, frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0); if (i <= 0) @@ -726,7 +712,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) if (frag_len) { /* read the body of the fragment (header has already been read */ - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment, frag_len, 0); if (i <= 0 || (unsigned long)i != frag_len) goto err; @@ -745,7 +731,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) return DTLS1_HM_FRAGMENT_RETRY; -err: + err: if (item == NULL && frag != NULL) dtls1_hm_fragment_free(frag); *ok = 0; @@ -758,10 +744,11 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) { unsigned char wire[DTLS1_HM_HEADER_LENGTH]; unsigned long len, frag_off, frag_len; - int i, al; struct hm_header_st msg_hdr; + int i, al; + CBS cbs; -again: + again: /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) @@ -770,21 +757,21 @@ again: } /* read handshake message header */ - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire, DTLS1_HM_HEADER_LENGTH, 0); - if (i <= 0) /* nbio, or an error */ - { + if (i <= 0) { + /* nbio, or an error */ s->internal->rwstate = SSL_READING; *ok = 0; return i; } - /* Handshake fails if message header is incomplete */ - if (i != DTLS1_HM_HEADER_LENGTH || - /* parse the message fragment header */ - dtls1_get_message_header(wire, &msg_hdr) == 0) { + + CBS_init(&cbs, wire, i); + if (!dtls1_get_message_header(&cbs, &msg_hdr)) { + /* Handshake fails if message header is incomplete. */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } /* @@ -826,12 +813,12 @@ again: { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } } if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) - goto f_err; + goto fatal_err; /* XDTLS: ressurect this when restart is in place */ S3I(s)->hs.state = stn; @@ -839,7 +826,7 @@ again: if (frag_len > 0) { unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len, 0); /* XDTLS: fix this--message fragments cannot span multiple packets */ if (i <= 0) { @@ -855,9 +842,9 @@ again: * handshake to fail */ if (i != (int)frag_len) { - al = SSL3_AD_ILLEGAL_PARAMETER; - SSLerror(s, SSL3_AD_ILLEGAL_PARAMETER); - goto f_err; + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER); + goto fatal_err; } *ok = 1; @@ -871,7 +858,7 @@ again: s->internal->init_num = frag_len; return frag_len; -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); s->internal->init_num = 0; @@ -973,14 +960,9 @@ dtls1_buffer_message(SSL *s, int is_ccs) memcpy(frag->fragment, s->internal->init_buf->data, s->internal->init_num); - if (is_ccs) { - OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + - ((s->version == DTLS1_VERSION) ? - DTLS1_CCS_HEADER_LENGTH : 3) == (unsigned int)s->internal->init_num); - } else { - OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + - DTLS1_HM_HEADER_LENGTH == (unsigned int)s->internal->init_num); - } + OPENSSL_assert(D1I(s)->w_msg_hdr.msg_len + + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == + (unsigned int)s->internal->init_num); frag->msg_header.msg_len = D1I(s)->w_msg_hdr.msg_len; frag->msg_header.seq = D1I(s)->w_msg_hdr.seq; @@ -990,10 +972,9 @@ dtls1_buffer_message(SSL *s, int is_ccs) frag->msg_header.is_ccs = is_ccs; /* save current state*/ - frag->msg_header.saved_retransmit_state.enc_write_ctx = s->internal->enc_write_ctx; - frag->msg_header.saved_retransmit_state.write_hash = s->internal->write_hash; frag->msg_header.saved_retransmit_state.session = s->session; - frag->msg_header.saved_retransmit_state.epoch = D1I(s)->w_epoch; + frag->msg_header.saved_retransmit_state.epoch = + tls12_record_layer_write_epoch(s->internal->rl); memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(dtls1_get_queue_priority( @@ -1022,7 +1003,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, unsigned long header_length; unsigned char seq64be[8]; struct dtls1_retransmit_state saved_state; - unsigned char save_write_sequence[8]; /* OPENSSL_assert(s->internal->init_num == 0); @@ -1060,43 +1040,25 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, frag->msg_header.frag_len); /* save current state */ - saved_state.enc_write_ctx = s->internal->enc_write_ctx; - saved_state.write_hash = s->internal->write_hash; saved_state.session = s->session; - saved_state.epoch = D1I(s)->w_epoch; + saved_state.epoch = tls12_record_layer_write_epoch(s->internal->rl); D1I(s)->retransmitting = 1; /* restore state in which the message was originally sent */ - s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; - s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash; s->session = frag->msg_header.saved_retransmit_state.session; - D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch; - - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(save_write_sequence, S3I(s)->write_sequence, - sizeof(S3I(s)->write_sequence)); - memcpy(S3I(s)->write_sequence, D1I(s)->last_write_sequence, - sizeof(S3I(s)->write_sequence)); - } + if (!tls12_record_layer_use_write_epoch(s->internal->rl, + frag->msg_header.saved_retransmit_state.epoch)) + return 0; ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); /* restore current state */ - s->internal->enc_write_ctx = saved_state.enc_write_ctx; - s->internal->write_hash = saved_state.write_hash; s->session = saved_state.session; - D1I(s)->w_epoch = saved_state.epoch; - - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(D1I(s)->last_write_sequence, S3I(s)->write_sequence, - sizeof(S3I(s)->write_sequence)); - memcpy(S3I(s)->write_sequence, save_write_sequence, - sizeof(S3I(s)->write_sequence)); - } + if (!tls12_record_layer_use_write_epoch(s->internal->rl, + saved_state.epoch)) + return 0; D1I(s)->retransmitting = 0; @@ -1108,11 +1070,16 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, void dtls1_clear_record_buffer(SSL *s) { + hm_fragment *frag; pitem *item; for(item = pqueue_pop(s->d1->sent_messages); item != NULL; item = pqueue_pop(s->d1->sent_messages)) { - dtls1_hm_fragment_free((hm_fragment *)item->data); + frag = item->data; + if (frag->msg_header.is_ccs) + tls12_record_layer_write_epoch_done(s->internal->rl, + frag->msg_header.saved_retransmit_state.epoch); + dtls1_hm_fragment_free(frag); pitem_free(item); } } @@ -1206,26 +1173,23 @@ dtls1_guess_mtu(unsigned int curr_mtu) } int -dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) +dtls1_get_message_header(CBS *header, struct hm_header_st *msg_hdr) { - CBS header; uint32_t msg_len, frag_off, frag_len; uint16_t seq; uint8_t type; - CBS_init(&header, data, sizeof(*msg_hdr)); - memset(msg_hdr, 0, sizeof(*msg_hdr)); - if (!CBS_get_u8(&header, &type)) + if (!CBS_get_u8(header, &type)) return 0; - if (!CBS_get_u24(&header, &msg_len)) + if (!CBS_get_u24(header, &msg_len)) return 0; - if (!CBS_get_u16(&header, &seq)) + if (!CBS_get_u16(header, &seq)) return 0; - if (!CBS_get_u24(&header, &frag_off)) + if (!CBS_get_u24(header, &frag_off)) return 0; - if (!CBS_get_u24(&header, &frag_len)) + if (!CBS_get_u24(header, &frag_len)) return 0; msg_hdr->type = type; @@ -1236,11 +1200,3 @@ dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) return 1; } - -void -dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) -{ - memset(ccs_hdr, 0, sizeof(struct ccs_header_st)); - - ccs_hdr->type = *(data++); -} diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c deleted file mode 100644 index b660589..0000000 --- a/ssl/d1_clnt.c +++ /dev/null @@ -1,184 +0,0 @@ -/* $OpenBSD: d1_clnt.c,v 1.83 2020/01/23 10:48:37 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include - -#include "ssl_locl.h" - -#include -#include -#include -#include -#include -#include - -#include "bytestring.h" - -int -dtls1_get_hello_verify(SSL *s) -{ - long n; - int al, ok = 0; - size_t cookie_len; - uint16_t ssl_version; - CBS hello_verify_request, cookie; - - n = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, - DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); - if (!ok) - return ((int)n); - - if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { - D1I(s)->send_cookie = 0; - S3I(s)->tmp.reuse_message = 1; - return (1); - } - - if (n < 0) - goto truncated; - - CBS_init(&hello_verify_request, s->internal->init_msg, n); - - if (!CBS_get_u16(&hello_verify_request, &ssl_version)) - goto truncated; - - if (ssl_version != s->version) { - SSLerror(s, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version & 0xff00) | (ssl_version & 0xff); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - - if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) - goto truncated; - - if (!CBS_write_bytes(&cookie, D1I(s)->cookie, - sizeof(D1I(s)->cookie), &cookie_len)) { - D1I(s)->cookie_len = 0; - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - D1I(s)->cookie_len = cookie_len; - D1I(s)->send_cookie = 1; - - return 1; - -truncated: - al = SSL_AD_DECODE_ERROR; -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; -} diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index b7d23ef..d4280a2 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.50 2020/09/26 14:43:17 jsing Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.59 2021/08/30 19:12:25 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -67,6 +67,7 @@ #include +#include "dtls_locl.h" #include "pqueue.h" #include "ssl_locl.h" @@ -74,10 +75,6 @@ void dtls1_hm_fragment_free(hm_fragment *frag); static int dtls1_listen(SSL *s, struct sockaddr *client); -SSL3_ENC_METHOD DTLSv1_enc_data = { - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, -}; - int dtls1_new(SSL *s) { @@ -91,8 +88,6 @@ dtls1_new(SSL *s) if ((s->d1->internal->unprocessed_rcds.q = pqueue_new()) == NULL) goto err; - if ((s->d1->internal->processed_rcds.q = pqueue_new()) == NULL) - goto err; if ((s->d1->internal->buffered_messages = pqueue_new()) == NULL) goto err; if ((s->d1->sent_messages = pqueue_new()) == NULL) @@ -103,7 +98,7 @@ dtls1_new(SSL *s) if (s->server) s->d1->internal->cookie_len = sizeof(D1I(s)->cookie); - s->method->internal->ssl_clear(s); + s->method->ssl_clear(s); return (1); err: @@ -146,7 +141,6 @@ static void dtls1_clear_queues(SSL *s) { dtls1_drain_records(D1I(s)->unprocessed_rcds.q); - dtls1_drain_records(D1I(s)->processed_rcds.q); dtls1_drain_fragments(D1I(s)->buffered_messages); dtls1_drain_fragments(s->d1->sent_messages); dtls1_drain_records(D1I(s)->buffered_app_data.q); @@ -163,7 +157,6 @@ dtls1_free(SSL *s) dtls1_clear_queues(s); pqueue_free(D1I(s)->unprocessed_rcds.q); - pqueue_free(D1I(s)->processed_rcds.q); pqueue_free(D1I(s)->buffered_messages); pqueue_free(s->d1->sent_messages); pqueue_free(D1I(s)->buffered_app_data.q); @@ -179,7 +172,6 @@ dtls1_clear(SSL *s) { struct dtls1_state_internal_st *internal; pqueue unprocessed_rcds; - pqueue processed_rcds; pqueue buffered_messages; pqueue sent_messages; pqueue buffered_app_data; @@ -187,7 +179,6 @@ dtls1_clear(SSL *s) if (s->d1) { unprocessed_rcds = D1I(s)->unprocessed_rcds.q; - processed_rcds = D1I(s)->processed_rcds.q; buffered_messages = D1I(s)->buffered_messages; sent_messages = s->d1->sent_messages; buffered_app_data = D1I(s)->buffered_app_data.q; @@ -200,6 +191,9 @@ dtls1_clear(SSL *s) memset(s->d1, 0, sizeof(*s->d1)); s->d1->internal = internal; + D1I(s)->unprocessed_rcds.epoch = + tls12_record_layer_read_epoch(s->internal->rl) + 1; + if (s->server) { D1I(s)->cookie_len = sizeof(D1I(s)->cookie); } @@ -209,7 +203,6 @@ dtls1_clear(SSL *s) } D1I(s)->unprocessed_rcds.q = unprocessed_rcds; - D1I(s)->processed_rcds.q = processed_rcds; D1I(s)->buffered_messages = buffered_messages; s->d1->sent_messages = sent_messages; D1I(s)->buffered_app_data.q = buffered_app_data; @@ -255,14 +248,15 @@ dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) const SSL_CIPHER * dtls1_get_cipher(unsigned int u) { - const SSL_CIPHER *ciph = ssl3_get_cipher(u); + const SSL_CIPHER *cipher; - if (ciph != NULL) { - if (ciph->algorithm_enc == SSL_RC4) - return NULL; - } + if ((cipher = ssl3_get_cipher(u)) == NULL) + return NULL; - return ciph; + if (cipher->algorithm_enc == SSL_RC4) + return NULL; + + return cipher; } void @@ -427,24 +421,3 @@ dtls1_listen(SSL *s, struct sockaddr *client) (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); return 1; } - -void -dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch) -{ - CBB cbb; - - if (!CBB_init_fixed(&cbb, dst, SSL3_SEQUENCE_SIZE)) - goto err; - if (!CBB_add_u16(&cbb, epoch)) - goto err; - if (!CBB_add_bytes(&cbb, &seq[2], SSL3_SEQUENCE_SIZE - 2)) - goto err; - if (!CBB_finish(&cbb, NULL, NULL)) - goto err; - - return; - - err: - CBB_cleanup(&cbb); -} diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 31ea52f..aafadf1 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.82 2020/09/24 17:59:54 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.112 2021/09/04 14:31:54 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -118,17 +118,13 @@ #include #include -#include "ssl_locl.h" - #include #include -#include "pqueue.h" #include "bytestring.h" - -static int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len); - +#include "dtls_locl.h" +#include "pqueue.h" +#include "ssl_locl.h" /* mod 128 saturating subtract of two 64-bit values in big-endian order */ static int @@ -182,10 +178,10 @@ satsub64be(const unsigned char *v1, const unsigned char *v2) return brw + (ret & 0xFF); } -static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek); -static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); -static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); +static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq); +static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq); static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch); static int dtls1_buffer_record(SSL *s, record_pqueue *q, @@ -194,12 +190,8 @@ static int dtls1_process_record(SSL *s); /* copy buffered record into SSL structure */ static int -dtls1_copy_record(SSL *s, pitem *item) +dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata) { - DTLS1_RECORD_DATA_INTERNAL *rdata; - - rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data; - ssl3_release_buffer(&S3I(s)->rbuf); s->internal->packet = rdata->packet; @@ -207,13 +199,9 @@ dtls1_copy_record(SSL *s, pitem *item) memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); - /* Set proper sequence number for mac calculation */ - memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6); - return (1); } - static int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) { @@ -250,10 +238,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (1); -err: + err: ssl3_release_buffer(&rdata->rbuf); -init_err: + init_err: SSLerror(s, ERR_R_INTERNAL_ERROR); free(rdata); pitem_free(item); @@ -268,7 +256,7 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) item = pqueue_pop(queue->q); if (item) { - dtls1_copy_record(s, item); + dtls1_copy_record(s, item->data); free(item->data); pitem_free(item); @@ -279,45 +267,26 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) return (0); } - -/* retrieve a buffered record that belongs to the new epoch, i.e., not processed - * yet */ -#define dtls1_get_unprocessed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((D1I(s))->unprocessed_rcds)) - -/* retrieve a buffered record that belongs to the current epoch, ie, processed */ -#define dtls1_get_processed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((D1I(s))->processed_rcds)) - static int -dtls1_process_buffered_records(SSL *s) +dtls1_process_buffered_record(SSL *s) { - pitem *item; + /* Check if epoch is current. */ + if (D1I(s)->unprocessed_rcds.epoch != + tls12_record_layer_read_epoch(s->internal->rl)) + return (0); - item = pqueue_peek(D1I(s)->unprocessed_rcds.q); - if (item) { - /* Check if epoch is current. */ - if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch) - return (1); - /* Nothing to do. */ - - /* Process all the records. */ - while (pqueue_peek(D1I(s)->unprocessed_rcds.q)) { - dtls1_get_unprocessed_record(s); - if (! dtls1_process_record(s)) - return (0); - if (dtls1_buffer_record(s, &(D1I(s)->processed_rcds), - S3I(s)->rrec.seq_num) < 0) - return (-1); - } + /* Update epoch once all unprocessed records have been processed. */ + if (pqueue_peek(D1I(s)->unprocessed_rcds.q) == NULL) { + D1I(s)->unprocessed_rcds.epoch = + tls12_record_layer_read_epoch(s->internal->rl) + 1; + return (0); } - /* sync epoch numbers once all the unprocessed records - * have been processed */ - D1I(s)->processed_rcds.epoch = D1I(s)->r_epoch; - D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; + /* Process one of the records. */ + if (!dtls1_retrieve_buffered_record(s, &D1I(s)->unprocessed_rcds)) + return (-1); + if (!dtls1_process_record(s)) + return (-1); return (1); } @@ -325,134 +294,50 @@ dtls1_process_buffered_records(SSL *s) static int dtls1_process_record(SSL *s) { - int i, al; - int enc_err; - SSL_SESSION *sess; - SSL3_RECORD_INTERNAL *rr; - unsigned int mac_size, orig_len; - unsigned char md[EVP_MAX_MD_SIZE]; + SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); + uint8_t alert_desc; + uint8_t *out; + size_t out_len; - rr = &(S3I(s)->rrec); - sess = s->session; + tls12_record_layer_set_version(s->internal->rl, s->version); - /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->internal->packet - */ - rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]); + if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, + s->internal->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->internal->rl, &alert_desc); - /* ok, we can now read from 's->internal->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ + if (alert_desc == 0) + goto err; - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; - - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if ((enc_err = tls1_enc(s, 0)) == 0) { - /* For DTLS we simply ignore bad packets. */ - rr->length = 0; - s->internal->packet_length = 0; - goto err; - } - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - - orig_len = rr->length + rr->padding_length; - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. + /* + * DTLS should silently discard invalid records, including those + * with a bad MAC, as per RFC 6347 section 4.1.2.1. */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + if (alert_desc == SSL_AD_BAD_RECORD_MAC) { + out_len = 0; + goto done; } - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } + if (alert_desc == SSL_AD_RECORD_OVERFLOW) + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - i = tls1_mac(s, md, 0 /* not send */); - if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } - - if (enc_err < 0) { - /* decryption failed, silently discard message */ - rr->length = 0; - s->internal->packet_length = 0; - goto err; - } - - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + goto fatal_err; } + done: + rr->data = out; + rr->length = out_len; rr->off = 0; - /* So at this point the following is true - * ssl->s3->internal->rrec.type is the type of record - * ssl->s3->internal->rrec.length == number of bytes in record - * ssl->s3->internal->rrec.off == offset to first valid byte - * ssl->s3->internal->rrec.data == where to take bytes from, increment - * after use :-). - */ - /* we have pulled in a full packet so zero things */ s->internal->packet_length = 0; + return (1); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, alert_desc); + err: return (0); } - /* Call this to get a new input record. * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. @@ -465,26 +350,19 @@ err: int dtls1_get_record(SSL *s) { - SSL3_RECORD_INTERNAL *rr; + SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); unsigned char *p = NULL; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; - int n; + int ret, n; - rr = &(S3I(s)->rrec); - - /* The epoch may have changed. If so, process all the - * pending records. This is a non-blocking operation. */ - if (dtls1_process_buffered_records(s) < 0) - return (-1); - - /* if we're renegotiating, then there may be buffered records */ - if (dtls1_get_processed_record(s)) - return 1; + /* See if there are pending records that can now be processed. */ + if ((ret = dtls1_process_buffered_record(s)) != 0) + return (ret); /* get something from the wire */ if (0) { -again: + again: /* dump this record on all retries */ rr->length = 0; s->internal->packet_length = 0; @@ -515,14 +393,15 @@ again: if (!CBS_get_u16(&header, &ssl_version)) goto again; - /* sequence number is 64 bits, with top 2 bytes = epoch */ - if (!CBS_get_u16(&header, &epoch) || - !CBS_get_bytes(&header, &seq_no, 6)) + /* Sequence number is 64 bits, with top 2 bytes = epoch. */ + if (!CBS_get_bytes(&header, &seq_no, SSL3_SEQUENCE_SIZE)) + goto again; + if (!CBS_get_u16(&seq_no, &epoch)) + goto again; + if (!CBS_write_bytes(&seq_no, &rr->seq_num[2], + sizeof(rr->seq_num) - 2, NULL)) goto again; - if (!CBS_write_bytes(&seq_no, &(S3I(s)->read_sequence[2]), - sizeof(S3I(s)->read_sequence) - 2, NULL)) - goto again; if (!CBS_get_u16(&header, &len)) goto again; @@ -572,7 +451,7 @@ again: */ if (!(D1I(s)->listen && rr->type == SSL3_RT_HANDSHAKE && p != NULL && *p == SSL3_MT_CLIENT_HELLO) && - !dtls1_record_replay_check(s, bitmap)) + !dtls1_record_replay_check(s, bitmap, rr->seq_num)) goto again; /* just read a 0 length packet */ @@ -590,7 +469,7 @@ again: rr->seq_num) < 0) return (-1); /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); + dtls1_record_bitmap_update(s, bitmap, rr->seq_num); } goto again; } @@ -599,7 +478,7 @@ again: goto again; /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); + dtls1_record_bitmap_update(s, bitmap, rr->seq_num); return (1); } @@ -634,10 +513,9 @@ again: int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { - int al, i, j, ret; + int al, i, ret; unsigned int n; SSL3_RECORD_INTERNAL *rr; - void (*cb)(const SSL *ssl, int type2, int val) = NULL; if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ if (!ssl3_setup_buffers(s)) @@ -650,15 +528,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - /* check whether there's a handshake message (client hello?) waiting */ - if ((ret = have_handshake_fragment(s, type, buf, len, peek))) - return ret; - - /* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ - - if (!s->internal->in_handshake && SSL_in_init(s)) - { - /* type == SSL3_RT_APPLICATION_DATA */ + if (!s->internal->in_handshake && SSL_in_init(s)) { i = s->internal->handshake_func(s); if (i < 0) return (i); @@ -681,17 +551,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * so process data buffered during the last handshake * in advance, if any. */ - if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) { - pitem *item; - item = pqueue_pop(D1I(s)->buffered_app_data.q); - if (item) { - - dtls1_copy_record(s, item); - - free(item->data); - pitem_free(item); - } - } + if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) + dtls1_retrieve_buffered_record(s, &(D1I(s)->buffered_app_data)); /* Check for timeout */ if (dtls1_handle_timeout(s) > 0) @@ -742,16 +603,15 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (0); } - - if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - { + /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ + if (type == rr->type) { /* make sure that we are not getting application data when we * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { + if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && + !tls12_record_layer_read_protected(s->internal->rl)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + goto fatal_err; } if (len <= 0) @@ -775,90 +635,68 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (n); } - - /* If we get here, then type != rr->type; if we have a handshake - * message, then it was unexpected (Hello Request or Client Hello). */ - - /* In case of record types for which we have 'fragment' storage, - * fill that so that we can process the data at a fixed place. + /* + * If we get here, then type != rr->type; if we have a handshake + * message, then it was unexpected (Hello Request or Client Hello). */ + { - unsigned int k, dest_maxlen = 0; - unsigned char *dest = NULL; - unsigned int *dest_len = NULL; + unsigned int record_min_len = 0; if (rr->type == SSL3_RT_HANDSHAKE) { - dest_maxlen = sizeof D1I(s)->handshake_fragment; - dest = D1I(s)->handshake_fragment; - dest_len = &D1I(s)->handshake_fragment_len; + record_min_len = DTLS1_HM_HEADER_LENGTH; } else if (rr->type == SSL3_RT_ALERT) { - dest_maxlen = sizeof(D1I(s)->alert_fragment); - dest = D1I(s)->alert_fragment; - dest_len = &D1I(s)->alert_fragment_len; - } - /* else it's a CCS message, or application data or wrong */ - else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { - /* Application data while renegotiating - * is allowed. Try again reading. + record_min_len = DTLS1_AL_HEADER_LENGTH; + } else if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { + record_min_len = DTLS1_CCS_HEADER_LENGTH; + } else if (rr->type == SSL3_RT_APPLICATION_DATA) { + /* + * Application data while renegotiating is allowed. + * Try reading again. */ - if (rr->type == SSL3_RT_APPLICATION_DATA) { - BIO *bio; - S3I(s)->in_read_app_data = 2; - bio = SSL_get_rbio(s); - s->internal->rwstate = SSL_READING; - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } + BIO *bio; + S3I(s)->in_read_app_data = 2; + bio = SSL_get_rbio(s); + s->internal->rwstate = SSL_READING; + BIO_clear_retry_flags(bio); + BIO_set_retry_read(bio); + return (-1); + } else { /* Not certain if this is the right error handling */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } - if (dest_maxlen > 0) { - /* XDTLS: In a pathalogical case, the Client Hello - * may be fragmented--don't always expect dest_maxlen bytes */ - if (rr->length < dest_maxlen) { - s->internal->rstate = SSL_ST_READ_HEADER; - rr->length = 0; - goto start; - } - - /* now move 'n' bytes: */ - for ( k = 0; k < dest_maxlen; k++) { - dest[k] = rr->data[rr->off++]; - rr->length--; - } - *dest_len = dest_maxlen; + if (record_min_len > 0 && rr->length < record_min_len) { + s->internal->rstate = SSL_ST_READ_HEADER; + rr->length = 0; + goto start; } } - /* D1I(s)->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; - * D1I(s)->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. - * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ - /* If we are a client, check for an incoming 'Hello Request': */ - if ((!s->server) && - (D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - (D1I(s)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && - (s->session != NULL) && (s->session->cipher != NULL)) { - D1I(s)->handshake_fragment_len = 0; + if (!s->server && rr->type == SSL3_RT_HANDSHAKE && + rr->length >= DTLS1_HM_HEADER_LENGTH && rr->off == 0 && + rr->data[0] == SSL3_MT_HELLO_REQUEST && + s->session != NULL && s->session->cipher != NULL) { + struct hm_header_st msg_hdr; + CBS cbs; - if ((D1I(s)->handshake_fragment[1] != 0) || - (D1I(s)->handshake_fragment[2] != 0) || - (D1I(s)->handshake_fragment[3] != 0)) { + CBS_init(&cbs, rr->data, rr->length); + if (!dtls1_get_message_header(&cbs, &msg_hdr)) + return -1; + if (msg_hdr.msg_len != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_HELLO_REQUEST); - goto f_err; + goto fatal_err; } + rr->length = 0; /* no need to check sequence number on HELLO REQUEST messages */ - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - D1I(s)->handshake_fragment, 4, s, s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, rr->data, 4); if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && @@ -894,38 +732,27 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } /* we either finished a handshake or ignored the request, * now try again to obtain the (application) data we were asked for */ + rr->length = 0; goto start; } - if (D1I(s)->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { - int alert_level = D1I(s)->alert_fragment[0]; - int alert_descr = D1I(s)->alert_fragment[1]; + if (rr->type == SSL3_RT_ALERT && rr->length >= DTLS1_AL_HEADER_LENGTH && + rr->off == 0) { + int alert_level = rr->data[0]; + int alert_descr = rr->data[1]; - D1I(s)->alert_fragment_len = 0; + ssl_msg_callback(s, 0, SSL3_RT_ALERT, rr->data, 2); - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, - D1I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); + ssl_info_callback(s, SSL_CB_READ_ALERT, + (alert_level << 8) | alert_descr); - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - - if (cb != NULL) { - j = (alert_level << 8) | alert_descr; - cb(s, SSL_CB_READ_ALERT, j); - } - - if (alert_level == 1) /* warning */ - { + if (alert_level == SSL3_AL_WARNING) { S3I(s)->warn_alert = alert_descr; if (alert_descr == SSL_AD_CLOSE_NOTIFY) { s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; return (0); } - } else if (alert_level == 2) /* fatal */ - { + } else if (alert_level == SSL3_AL_FATAL) { s->internal->rwstate = SSL_NOTHING; S3I(s)->fatal_alert = alert_descr; SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); @@ -937,45 +764,37 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + goto fatal_err; } + rr->length = 0; goto start; } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ - { + if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { s->internal->rwstate = SSL_NOTHING; rr->length = 0; return (0); } if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { - struct ccs_header_st ccs_hdr; - unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; - - dtls1_get_ccs_header(rr->data, &ccs_hdr); - /* 'Change Cipher Spec' is just a single byte, so we know * exactly what the record payload has to look like */ /* XDTLS: check that epoch is consistent */ - if ((rr->length != ccs_hdr_len) || + if ((rr->length != DTLS1_CCS_HEADER_LENGTH) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + goto fatal_err; } - rr->length = 0; - - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, - rr->data, 1, s, s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1); /* We can't process a CCS now, because previous handshake * messages are still missing, so just drop it. */ if (!D1I(s)->change_cipher_spec_ok) { + rr->length = 0; goto start; } @@ -985,21 +804,22 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (!ssl3_do_change_cipher_spec(s)) goto err; - /* do this whenever CCS is processed */ - dtls1_reset_seq_numbers(s, SSL3_CC_READ); - + rr->length = 0; goto start; } /* Unexpected handshake message (Client Hello, or protocol violation) */ - if ((D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && + if (rr->type == SSL3_RT_HANDSHAKE && + rr->length >= DTLS1_HM_HEADER_LENGTH && rr->off == 0 && !s->internal->in_handshake) { struct hm_header_st msg_hdr; + CBS cbs; /* this may just be a stale retransmit */ - if (!dtls1_get_message_header(rr->data, &msg_hdr)) + CBS_init(&cbs, rr->data, rr->length); + if (!dtls1_get_message_header(&cbs, &msg_hdr)) return -1; - if (rr->epoch != D1I(s)->r_epoch) { + if (rr->epoch != tls12_record_layer_read_epoch(s->internal->rl)) { rr->length = 0; goto start; } @@ -1045,19 +865,15 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (-1); } } + rr->length = 0; goto start; } switch (rr->type) { default: - /* TLS just ignores unknown message types */ - if (s->version == TLS1_VERSION) { - rr->length = 0; - goto start; - } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1066,7 +882,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, * but have application data. If the library was @@ -1088,12 +904,12 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } else { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } } /* not reached */ - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -1124,39 +940,6 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) return i; } - - /* this only happens when a client hello is received and a handshake - * is started. */ -static int -have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek) -{ - - if ((type == SSL3_RT_HANDSHAKE) && (D1I(s)->handshake_fragment_len > 0)) - /* (partially) satisfy request from storage */ - { - unsigned char *src = D1I(s)->handshake_fragment; - unsigned char *dst = buf; - unsigned int k, n; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (D1I(s)->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - D1I(s)->handshake_fragment_len--; - n++; - } - /* move any remaining fragment bytes: */ - for (k = 0; k < D1I(s)->handshake_fragment_len; k++) - D1I(s)->handshake_fragment[k] = *src++; - return n; - } - - return 0; -} - - /* Call this to write data in records of type 'type' * It will return <= 0 if not all data has been sent or non-blocking IO. */ @@ -1192,7 +975,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) /* If we have an alert to send, let's send it */ if (S3I(s)->alert_dispatch) { - if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + if ((ret = ssl3_dispatch_alert(s)) <= 0) return (ret); /* If it went, fall through and send more stuff. */ } @@ -1206,7 +989,6 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) goto err; tls12_record_layer_set_version(s->internal->rl, s->version); - tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch); if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) goto err; @@ -1235,34 +1017,30 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) } static int -dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) +dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq) { - int cmp; unsigned int shift; - const unsigned char *seq = S3I(s)->read_sequence; + int cmp; cmp = satsub64be(seq, bitmap->max_seq_num); - if (cmp > 0) { - memcpy (S3I(s)->rrec.seq_num, seq, 8); + if (cmp > 0) return 1; /* this record in new */ - } shift = -cmp; if (shift >= sizeof(bitmap->map)*8) return 0; /* stale, outside the window */ else if (bitmap->map & (1UL << shift)) return 0; /* record previously received */ - memcpy(S3I(s)->rrec.seq_num, seq, 8); return 1; } - static void -dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) +dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap, + const unsigned char *seq) { - int cmp; unsigned int shift; - const unsigned char *seq = S3I(s)->read_sequence; + int cmp; cmp = satsub64be(seq, bitmap->max_seq_num); if (cmp > 0) { @@ -1279,60 +1057,23 @@ dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) } } - -int -dtls1_dispatch_alert(SSL *s) -{ - int i, j; - void (*cb)(const SSL *ssl, int type, int val) = NULL; - unsigned char buf[DTLS1_AL_HEADER_LENGTH]; - unsigned char *ptr = &buf[0]; - - S3I(s)->alert_dispatch = 0; - - memset(buf, 0, sizeof(buf)); - *ptr++ = S3I(s)->send_alert[0]; - *ptr++ = S3I(s)->send_alert[1]; - - i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf)); - if (i <= 0) { - S3I(s)->alert_dispatch = 1; - /* fprintf( stderr, "not done with alert\n" ); */ - } else { - if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) - (void)BIO_flush(s->wbio); - - if (s->internal->msg_callback) - s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, - S3I(s)->send_alert, 2, s, s->internal->msg_callback_arg); - - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - - if (cb != NULL) { - j = (S3I(s)->send_alert[0]<<8)|S3I(s)->send_alert[1]; - cb(s, SSL_CB_WRITE_ALERT, j); - } - } - return (i); -} - - static DTLS1_BITMAP * dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) { + uint16_t read_epoch, read_epoch_next; *is_next_epoch = 0; + read_epoch = tls12_record_layer_read_epoch(s->internal->rl); + read_epoch_next = read_epoch + 1; + /* In current epoch, accept HM, CCS, DATA, & ALERT */ - if (rr->epoch == D1I(s)->r_epoch) + if (rr->epoch == read_epoch) return &D1I(s)->bitmap; /* Only HM and ALERT messages can be from the next epoch */ - else if (rr->epoch == (unsigned long)(D1I(s)->r_epoch + 1) && - (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { + if (rr->epoch == read_epoch_next && + (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { *is_next_epoch = 1; return &D1I(s)->next_bitmap; } @@ -1341,21 +1082,8 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) } void -dtls1_reset_seq_numbers(SSL *s, int rw) +dtls1_reset_read_seq_numbers(SSL *s) { - unsigned char *seq; - unsigned int seq_bytes = sizeof(S3I(s)->read_sequence); - - if (rw & SSL3_CC_READ) { - D1I(s)->r_epoch++; - seq = S3I(s)->read_sequence; - memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); - memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP)); - } else { - D1I(s)->w_epoch++; - seq = S3I(s)->write_sequence; - memcpy(D1I(s)->last_write_sequence, seq, sizeof(S3I(s)->write_sequence)); - } - - memset(seq, 0, seq_bytes); + memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); + memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP)); } diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 70e9a4f..70f9453 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.24 2020/03/16 15:25:13 tb Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.29 2021/06/11 15:28:13 landry Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -118,15 +118,16 @@ #include #include - -#include "ssl_locl.h" +#include #ifndef OPENSSL_NO_SRTP #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" #include "srtp.h" -static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { +static const SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { { "SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80, @@ -135,14 +136,22 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { "SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32, }, + { + "SRTP_AEAD_AES_128_GCM", + SRTP_AEAD_AES_128_GCM, + }, + { + "SRTP_AEAD_AES_256_GCM", + SRTP_AEAD_AES_256_GCM, + }, {0} }; int -srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, - unsigned int len) +srtp_find_profile_by_name(const char *profile_name, + const SRTP_PROTECTION_PROFILE **pptr, unsigned int len) { - SRTP_PROTECTION_PROFILE *p; + const SRTP_PROTECTION_PROFILE *p; p = srtp_known_profiles; while (p->name) { @@ -160,9 +169,9 @@ srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, int srtp_find_profile_by_num(unsigned int profile_num, - SRTP_PROTECTION_PROFILE **pptr) + const SRTP_PROTECTION_PROFILE **pptr) { - SRTP_PROTECTION_PROFILE *p; + const SRTP_PROTECTION_PROFILE *p; p = srtp_known_profiles; while (p->name) { @@ -181,11 +190,9 @@ ssl_ctx_make_profiles(const char *profiles_string, STACK_OF(SRTP_PROTECTION_PROFILE) **out) { STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; - char *col; - char *ptr = (char *)profiles_string; - - SRTP_PROTECTION_PROFILE *p; + const char *ptr = profiles_string; + const SRTP_PROTECTION_PROFILE *p; if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) { SSLerrorx(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); @@ -245,7 +252,8 @@ SSL_get_srtp_profiles(SSL *s) SRTP_PROTECTION_PROFILE * SSL_get_selected_srtp_profile(SSL *s) { - return s->internal->srtp_profile; + /* XXX cast away the const */ + return (SRTP_PROTECTION_PROFILE *)s->internal->srtp_profile; } #endif diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c deleted file mode 100644 index 1a1ee54..0000000 --- a/ssl/d1_srvr.c +++ /dev/null @@ -1,165 +0,0 @@ -/* $OpenBSD: d1_srvr.c,v 1.95 2018/11/05 05:45:15 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include -#include -#include -#include -#include - -int -dtls1_send_hello_verify_request(SSL *s) -{ - CBB cbb, verify, cookie; - - memset(&cbb, 0, sizeof(cbb)); - - if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { - if (s->ctx->internal->app_gen_cookie_cb == NULL || - s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, - &(D1I(s)->cookie_len)) == 0) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - return 0; - } - - if (!ssl3_handshake_msg_start(s, &cbb, &verify, - DTLS1_MT_HELLO_VERIFY_REQUEST)) - goto err; - if (!CBB_add_u16(&verify, s->version)) - goto err; - if (!CBB_add_u8_length_prefixed(&verify, &cookie)) - goto err; - if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) - goto err; - if (!ssl3_handshake_msg_finish(s, &cbb)) - goto err; - - S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; - } - - /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ - return (ssl3_handshake_write(s)); - - err: - CBB_cleanup(&cbb); - - return (-1); -} diff --git a/ssl/dtls_locl.h b/ssl/dtls_locl.h new file mode 100644 index 0000000..4cf8827 --- /dev/null +++ b/ssl/dtls_locl.h @@ -0,0 +1,231 @@ +/* $OpenBSD: dtls_locl.h,v 1.7 2021/09/04 14:24:28 jsing Exp $ */ +/* + * DTLS implementation written by Nagendra Modadugu + * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. + */ +/* ==================================================================== + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#ifndef HEADER_DTLS_LOCL_H +#define HEADER_DTLS_LOCL_H + +#include + +#include + +#include "ssl_locl.h" + +__BEGIN_HIDDEN_DECLS + +typedef struct dtls1_bitmap_st { + unsigned long map; /* track 32 packets on 32-bit systems + and 64 - on 64-bit systems */ + unsigned char max_seq_num[8]; /* max record number seen so far, + 64-bit value in big-endian + encoding */ +} DTLS1_BITMAP; + +struct dtls1_retransmit_state { + EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ + EVP_MD_CTX *write_hash; /* used for mac generation */ + SSL_SESSION *session; + unsigned short epoch; +}; + +struct hm_header_st { + unsigned char type; + unsigned long msg_len; + unsigned short seq; + unsigned long frag_off; + unsigned long frag_len; + unsigned int is_ccs; + struct dtls1_retransmit_state saved_retransmit_state; +}; + +struct dtls1_timeout_st { + /* Number of read timeouts so far */ + unsigned int read_timeouts; + + /* Number of write timeouts so far */ + unsigned int write_timeouts; + + /* Number of alerts received so far */ + unsigned int num_alerts; +}; + +struct _pqueue; + +typedef struct record_pqueue_st { + unsigned short epoch; + struct _pqueue *q; +} record_pqueue; + +typedef struct hm_fragment_st { + struct hm_header_st msg_header; + unsigned char *fragment; + unsigned char *reassembly; +} hm_fragment; + +typedef struct dtls1_record_data_internal_st { + unsigned char *packet; + unsigned int packet_length; + SSL3_BUFFER_INTERNAL rbuf; + SSL3_RECORD_INTERNAL rrec; +} DTLS1_RECORD_DATA_INTERNAL; + +struct dtls1_state_internal_st; + +typedef struct dtls1_state_internal_st { + unsigned int send_cookie; + unsigned char cookie[DTLS1_COOKIE_LENGTH]; + unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH]; + unsigned int cookie_len; + + /* records being received in the current epoch */ + DTLS1_BITMAP bitmap; + + /* renegotiation starts a new set of sequence numbers */ + DTLS1_BITMAP next_bitmap; + + /* handshake message numbers */ + unsigned short handshake_write_seq; + unsigned short next_handshake_write_seq; + + unsigned short handshake_read_seq; + + /* Received handshake records (unprocessed) */ + record_pqueue unprocessed_rcds; + + /* Buffered handshake messages */ + struct _pqueue *buffered_messages; + + /* Buffered application records. + * Only for records between CCS and Finished + * to prevent either protocol violation or + * unnecessary message loss. + */ + record_pqueue buffered_app_data; + + /* Is set when listening for new connections with dtls1_listen() */ + unsigned int listen; + + unsigned int mtu; /* max DTLS packet size */ + + struct hm_header_st w_msg_hdr; + struct hm_header_st r_msg_hdr; + + struct dtls1_timeout_st timeout; + + unsigned int retransmitting; + unsigned int change_cipher_spec_ok; +} DTLS1_STATE_INTERNAL; +#define D1I(s) (s->d1->internal) + +typedef struct dtls1_state_st { + /* Buffered (sent) handshake records */ + struct _pqueue *sent_messages; + + /* Indicates when the last handshake msg or heartbeat sent will timeout */ + struct timeval next_timeout; + + /* Timeout duration */ + unsigned short timeout_duration; + + struct dtls1_state_internal_st *internal; +} DTLS1_STATE; + +int dtls1_do_write(SSL *s, int type); +int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); +void dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len, + unsigned long frag_off, unsigned long frag_len); +void dtls1_set_message_header_int(SSL *s, unsigned char mt, + unsigned long len, unsigned short seq_num, unsigned long frag_off, + unsigned long frag_len); + +int do_dtls1_write(SSL *s, int type, const unsigned char *buf, + unsigned int len); + +int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); +int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); + +int dtls1_read_failed(SSL *s, int code); +int dtls1_buffer_message(SSL *s, int ccs); +int dtls1_retransmit_message(SSL *s, unsigned short seq, + unsigned long frag_off, int *found); +int dtls1_get_queue_priority(unsigned short seq, int is_ccs); +int dtls1_retransmit_buffered_messages(SSL *s); +void dtls1_clear_record_buffer(SSL *s); +int dtls1_get_message_header(CBS *header, struct hm_header_st *msg_hdr); +void dtls1_reset_read_seq_numbers(SSL *s); +struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); +int dtls1_check_timeout_num(SSL *s); +int dtls1_handle_timeout(SSL *s); +const SSL_CIPHER *dtls1_get_cipher(unsigned int u); +void dtls1_start_timer(SSL *s); +void dtls1_stop_timer(SSL *s); +int dtls1_is_timer_expired(SSL *s); +void dtls1_double_timeout(SSL *s); +unsigned int dtls1_min_mtu(void); + +int dtls1_new(SSL *s); +void dtls1_free(SSL *s); +void dtls1_clear(SSL *s); +long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); + +long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); +int dtls1_get_record(SSL *s); + +__END_HIDDEN_DECLS + +#endif diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 74e0562..1c0286f 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */ +/* $OpenBSD: s3_cbc.c,v 1.24 2021/05/16 14:10:43 jsing Exp $ */ /* ==================================================================== * Copyright (c) 2012 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,11 @@ * */ -#include "ssl_locl.h" - #include #include +#include "ssl_locl.h" + /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length * field. (SHA-384/512 have 128-bit length.) */ #define MAX_HASH_BIT_COUNT_BYTES 16 @@ -101,7 +101,7 @@ constant_time_eq_8(unsigned int a, unsigned int b) return DUPLICATE_MSB_TO_ALL_8(c); } -/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC +/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC * record in |rec| in constant time and returns 1 if the padding is valid and * -1 otherwise. It also removes any explicit IV from the start of the record * without leaking any timing about whether there was enough space after the @@ -113,26 +113,24 @@ constant_time_eq_8(unsigned int a, unsigned int b) * 1: if the padding was valid * -1: otherwise. */ int -tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec, - unsigned int block_size, unsigned int mac_size) +ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len, + unsigned int mac_size) { unsigned int padding_length, good, to_check, i; const unsigned int overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ - if (SSL_USE_EXPLICIT_IV(s)) { - /* These lengths are all public so we can test them in - * non-constant time. - */ - if (overhead + block_size > rec->length) - return 0; - /* We can now safely skip explicit IV */ - rec->data += block_size; - rec->input += block_size; - rec->length -= block_size; - } else if (overhead > rec->length) + /* + * These lengths are all public so we can test them in + * non-constant time. + */ + if (overhead + eiv_len > rec->length) return 0; + /* We can now safely skip explicit IV, if any. */ + rec->data += eiv_len; + rec->input += eiv_len; + rec->length -= eiv_len; + padding_length = rec->data[rec->length - 1]; good = constant_time_ge(rec->length, overhead + padding_length); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 91bfb5f..e78b70f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.198 2020/09/17 15:42:14 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.215 2021/09/08 12:56:14 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -156,9 +156,12 @@ #include #include #include +#include -#include "ssl_locl.h" #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" +#include "ssl_sigalgs.h" #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) @@ -170,7 +173,7 @@ #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) /* list of available SSLv3 ciphers (sorted by id) */ -SSL_CIPHER ssl3_ciphers[] = { +const SSL_CIPHER ssl3_ciphers[] = { /* The RSA ciphers */ /* Cipher 01 */ @@ -417,7 +420,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -433,7 +436,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -449,7 +452,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -518,7 +521,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -534,7 +537,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -550,7 +553,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -566,7 +569,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA256, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -1447,7 +1450,7 @@ ssl3_pending(const SSL *s) int ssl3_handshake_msg_hdr_len(SSL *s) { - return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : + return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH); } @@ -1460,7 +1463,7 @@ ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) goto err; if (!CBB_add_u8(handshake, msg_type)) goto err; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { unsigned char *data; if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - @@ -1497,7 +1500,7 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake) s->internal->init_num = (int)outlen; s->internal->init_off = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { unsigned long len; uint8_t msg_type; CBS cbs; @@ -1529,7 +1532,7 @@ ssl3_handshake_write(SSL *s) int ssl3_record_write(SSL *s, int type) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return dtls1_do_write(s, type); return ssl3_do_write(s, type); @@ -1545,7 +1548,7 @@ ssl3_new(SSL *s) return (0); } - s->method->internal->ssl_clear(s); + s->method->ssl_clear(s); return (1); } @@ -1565,12 +1568,12 @@ ssl3_free(SSL *s) EC_KEY_free(S3I(s)->tmp.ecdh); freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); - tls13_key_share_free(S3I(s)->hs_tls13.key_share); - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); - tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); - sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); tls1_transcript_free(s); tls1_transcript_hash_free(s); @@ -1591,7 +1594,7 @@ ssl3_clear(SSL *s) size_t rlen, wlen; tls1_cleanup_key_block(s); - sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); DH_free(S3I(s)->tmp.dh); S3I(s)->tmp.dh = NULL; @@ -1605,15 +1608,15 @@ ssl3_clear(SSL *s) S3I(s)->hs.sigalgs = NULL; S3I(s)->hs.sigalgs_len = 0; - tls13_key_share_free(S3I(s)->hs_tls13.key_share); - S3I(s)->hs_tls13.key_share = NULL; + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + S3I(s)->hs.tls13.key_share = NULL; - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - S3I(s)->hs_tls13.secrets = NULL; - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); - S3I(s)->hs_tls13.cookie = NULL; - S3I(s)->hs_tls13.cookie_len = 0; - tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + S3I(s)->hs.tls13.secrets = NULL; + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + S3I(s)->hs.tls13.cookie = NULL; + S3I(s)->hs.tls13.cookie_len = 0; + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); S3I(s)->hs.extensions_seen = 0; @@ -1627,6 +1630,7 @@ ssl3_clear(SSL *s) free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; + S3I(s)->alpn_selected_len = 0; memset(S3I(s), 0, sizeof(*S3I(s))); internal = S3I(s); @@ -1678,8 +1682,8 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) } else if (sc->peer_x25519_tmp != NULL) { if (!ssl_kex_dummy_ecdhe_x25519(pkey)) goto err; - } else if (S3I(s)->hs_tls13.key_share != NULL) { - if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share, + } else if (S3I(s)->hs.tls13.key_share != NULL) { + if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share, pkey)) goto err; } else { @@ -1804,6 +1808,12 @@ _SSL_set_tlsext_debug_arg(SSL *s, void *arg) return 1; } +static int +_SSL_get_tlsext_status_type(SSL *s) +{ + return s->tlsext_status_type; +} + static int _SSL_set_tlsext_status_type(SSL *s, int type) { @@ -1926,6 +1936,64 @@ SSL_set1_groups_list(SSL *s, const char *groups) &s->internal->tlsext_supportedgroups_length, groups); } +static int +_SSL_get_signature_nid(SSL *s, int *nid) +{ + const struct ssl_sigalg *sigalg; + + if ((sigalg = S3I(s)->hs.our_sigalg) == NULL) + return 0; + + *nid = EVP_MD_type(sigalg->md()); + + return 1; +} + +static int +_SSL_get_peer_signature_nid(SSL *s, int *nid) +{ + const struct ssl_sigalg *sigalg; + + if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL) + return 0; + + *nid = EVP_MD_type(sigalg->md()); + + return 1; +} + +int +SSL_get_signature_type_nid(const SSL *s, int *nid) +{ + const struct ssl_sigalg *sigalg; + + if ((sigalg = S3I(s)->hs.our_sigalg) == NULL) + return 0; + + *nid = sigalg->key_type; + if (sigalg->key_type == EVP_PKEY_RSA && + (sigalg->flags & SIGALG_FLAG_RSA_PSS)) + *nid = EVP_PKEY_RSA_PSS; + + return 1; +} + +int +SSL_get_peer_signature_type_nid(const SSL *s, int *nid) +{ + const struct ssl_sigalg *sigalg; + + if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL) + return 0; + + *nid = sigalg->key_type; + if (sigalg->key_type == EVP_PKEY_RSA && + (sigalg->flags & SIGALG_FLAG_RSA_PSS)) + *nid = EVP_PKEY_RSA_PSS; + + return 1; +} + long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { @@ -1972,6 +2040,9 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: return _SSL_set_tlsext_debug_arg(s, parg); + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: + return _SSL_get_tlsext_status_type(s); + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: return _SSL_set_tlsext_status_type(s, larg); @@ -2036,6 +2107,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; return SSL_set_max_proto_version(s, larg); + case SSL_CTRL_GET_SIGNATURE_NID: + return _SSL_get_signature_nid(s, parg); + + case SSL_CTRL_GET_PEER_SIGNATURE_NID: + return _SSL_get_peer_signature_nid(s, parg); + /* * Legacy controls that should eventually be removed. */ @@ -2416,51 +2493,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) return 0; } -/* - * This function needs to check if the ciphers required are actually available. - */ -const SSL_CIPHER * -ssl3_get_cipher_by_char(const unsigned char *p) -{ - uint16_t cipher_value; - CBS cbs; - - /* We have to assume it is at least 2 bytes due to existing API. */ - CBS_init(&cbs, p, 2); - if (!CBS_get_u16(&cbs, &cipher_value)) - return NULL; - - return ssl3_get_cipher_by_value(cipher_value); -} - -int -ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) -{ - CBB cbb; - - if (p == NULL) - return (2); - - if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) - return (0); - - memset(&cbb, 0, sizeof(cbb)); - - /* We have to assume it is at least 2 bytes due to existing API. */ - if (!CBB_init_fixed(&cbb, p, 2)) - goto err; - if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c))) - goto err; - if (!CBB_finish(&cbb, NULL, NULL)) - goto err; - - return (2); - - err: - CBB_cleanup(&cbb); - return (0); -} - SSL_CIPHER * ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr) @@ -2548,7 +2580,7 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) { unsigned long alg_k; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST if ((alg_k & SSL_kGOST) != 0) { @@ -2608,7 +2640,7 @@ ssl3_shutdown(SSL *s) return(-1); /* return WANT_WRITE */ } else if (S3I(s)->alert_dispatch) { /* resend it if not sent */ - ret = s->method->ssl_dispatch_alert(s); + ret = ssl3_dispatch_alert(s); if (ret == -1) { /* * We only get to return -1 here the 2nd/Nth @@ -2620,7 +2652,7 @@ ssl3_shutdown(SSL *s) } } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0); + s->method->ssl_read_bytes(s, 0, NULL, 0, 0); if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { return(-1); /* return WANT_READ */ } @@ -2641,8 +2673,8 @@ ssl3_write(SSL *s, const void *buf, int len) if (S3I(s)->renegotiate) ssl3_renegotiate_check(s); - return s->method->internal->ssl_write_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len); + return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, + buf, len); } static int @@ -2654,19 +2686,20 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek) if (S3I(s)->renegotiate) ssl3_renegotiate_check(s); S3I(s)->in_read_app_data = 1; - ret = s->method->internal->ssl_read_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len, peek); + + ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, + peek); if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { /* - * ssl3_read_bytes decided to call s->internal->handshake_func, which - * called ssl3_read_bytes to read handshake data. + * ssl3_read_bytes decided to call s->internal->handshake_func, + * which called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ s->internal->in_handshake++; - ret = s->method->internal->ssl_read_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len, peek); + ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, + buf, len, peek); s->internal->in_handshake--; } else S3I(s)->in_read_app_data = 0; @@ -2722,17 +2755,3 @@ ssl3_renegotiate_check(SSL *s) } return (ret); } -/* - * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF - * and handshake macs if required. - */ -long -ssl_get_algorithm2(SSL *s) -{ - long alg2 = S3I(s)->hs.new_cipher->algorithm2; - - if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; -} diff --git a/ssl/srtp.h b/ssl/srtp.h index 6daa02a..89ce862 100644 --- a/ssl/srtp.h +++ b/ssl/srtp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: srtp.h,v 1.6 2015/09/01 15:18:23 jsing Exp $ */ +/* $OpenBSD: srtp.h,v 1.7 2021/06/11 15:28:13 landry Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -129,6 +129,10 @@ extern "C" { #define SRTP_NULL_SHA1_80 0x0005 #define SRTP_NULL_SHA1_32 0x0006 +/* AEAD SRTP protection profiles from RFC 7714 */ +#define SRTP_AEAD_AES_128_GCM 0x0007 +#define SRTP_AEAD_AES_256_GCM 0x0008 + int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles); diff --git a/ssl/ssl.sym b/ssl/ssl.sym index e094c2a..ec329e7 100644 --- a/ssl/ssl.sym +++ b/ssl/ssl.sym @@ -10,6 +10,9 @@ DTLS_server_method DTLSv1_client_method DTLSv1_method DTLSv1_server_method +DTLSv1_2_client_method +DTLSv1_2_method +DTLSv1_2_server_method SSLv23_client_method SSLv23_method SSLv23_server_method @@ -33,6 +36,7 @@ d2i_SSL_SESSION i2d_SSL_SESSION ERR_load_SSL_strings SSL_CIPHER_description +SSL_CIPHER_find SSL_CIPHER_get_auth_nid SSL_CIPHER_get_bits SSL_CIPHER_get_by_id @@ -61,6 +65,7 @@ SSL_CTX_free SSL_CTX_get0_certificate SSL_CTX_get0_chain_certs SSL_CTX_get0_param +SSL_CTX_get0_privatekey SSL_CTX_get_cert_store SSL_CTX_get_ciphers SSL_CTX_get_client_CA_list @@ -70,9 +75,11 @@ SSL_CTX_get_default_passwd_cb_userdata SSL_CTX_get_ex_data SSL_CTX_get_ex_new_index SSL_CTX_get_info_callback +SSL_CTX_get_max_early_data SSL_CTX_get_max_proto_version SSL_CTX_get_min_proto_version SSL_CTX_get_quiet_shutdown +SSL_CTX_get_ssl_method SSL_CTX_get_timeout SSL_CTX_get_verify_callback SSL_CTX_get_verify_depth @@ -98,6 +105,7 @@ SSL_CTX_set_alpn_select_cb SSL_CTX_set_cert_store SSL_CTX_set_cert_verify_callback SSL_CTX_set_cipher_list +SSL_CTX_set_ciphersuites SSL_CTX_set_client_CA_list SSL_CTX_set_client_cert_cb SSL_CTX_set_client_cert_engine @@ -109,11 +117,13 @@ SSL_CTX_set_default_verify_paths SSL_CTX_set_ex_data SSL_CTX_set_generate_session_id SSL_CTX_set_info_callback +SSL_CTX_set_max_early_data SSL_CTX_set_max_proto_version SSL_CTX_set_min_proto_version SSL_CTX_set_msg_callback SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_protos_advertised_cb +SSL_CTX_set_post_handshake_auth SSL_CTX_set_purpose SSL_CTX_set_quiet_shutdown SSL_CTX_set_session_id_context @@ -139,6 +149,7 @@ SSL_CTX_use_certificate_chain_file SSL_CTX_use_certificate_chain_mem SSL_CTX_use_certificate_file SSL_SESSION_free +SSL_SESSION_get0_cipher SSL_SESSION_get0_id_context SSL_SESSION_get0_peer SSL_SESSION_get_compress_id @@ -146,17 +157,20 @@ SSL_SESSION_get_ex_data SSL_SESSION_get_ex_new_index SSL_SESSION_get_id SSL_SESSION_get_master_key +SSL_SESSION_get_max_early_data SSL_SESSION_get_protocol_version SSL_SESSION_get_ticket_lifetime_hint SSL_SESSION_get_time SSL_SESSION_get_timeout SSL_SESSION_has_ticket +SSL_SESSION_is_resumable SSL_SESSION_new SSL_SESSION_print SSL_SESSION_print_fp SSL_SESSION_set1_id SSL_SESSION_set1_id_context SSL_SESSION_set_ex_data +SSL_SESSION_set_max_early_data SSL_SESSION_set_time SSL_SESSION_set_timeout SSL_SESSION_up_ref @@ -187,6 +201,7 @@ SSL_get0_alpn_selected SSL_get0_chain_certs SSL_get0_next_proto_negotiated SSL_get0_param +SSL_get0_peername SSL_get1_session SSL_get1_supported_ciphers SSL_get_SSL_CTX @@ -200,6 +215,7 @@ SSL_get_current_cipher SSL_get_current_compression SSL_get_current_expansion SSL_get_default_timeout +SSL_get_early_data_status SSL_get_error SSL_get_ex_data SSL_get_ex_data_X509_STORE_CTX_idx @@ -207,6 +223,7 @@ SSL_get_ex_new_index SSL_get_fd SSL_get_finished SSL_get_info_callback +SSL_get_max_early_data SSL_get_max_proto_version SSL_get_min_proto_version SSL_get_peer_cert_chain @@ -234,6 +251,7 @@ SSL_get_version SSL_get_wbio SSL_get_wfd SSL_has_matching_session_id +SSL_is_dtls SSL_is_server SSL_library_init SSL_load_client_CA_file @@ -242,6 +260,7 @@ SSL_new SSL_peek SSL_pending SSL_read +SSL_read_early_data SSL_renegotiate SSL_renegotiate_abbreviated SSL_renegotiate_pending @@ -249,6 +268,7 @@ SSL_rstate_string SSL_rstate_string_long SSL_select_next_proto SSL_set0_chain +SSL_set0_rbio SSL_set1_chain SSL_set1_groups SSL_set1_groups_list @@ -259,16 +279,21 @@ SSL_set_accept_state SSL_set_alpn_protos SSL_set_bio SSL_set_cipher_list +SSL_set_ciphersuites SSL_set_client_CA_list SSL_set_connect_state SSL_set_debug SSL_set_ex_data SSL_set_fd SSL_set_generate_session_id +SSL_set_hostflags SSL_set_info_callback +SSL_set_max_early_data SSL_set_max_proto_version SSL_set_min_proto_version SSL_set_msg_callback +SSL_set_post_handshake_auth +SSL_set_psk_use_session_callback SSL_set_purpose SSL_set_quiet_shutdown SSL_set_read_ahead @@ -303,9 +328,12 @@ SSL_use_RSAPrivateKey_ASN1 SSL_use_RSAPrivateKey_file SSL_use_certificate SSL_use_certificate_ASN1 +SSL_use_certificate_chain_file SSL_use_certificate_file +SSL_verify_client_post_handshake SSL_version SSL_version_str SSL_want SSL_write +SSL_write_early_data OPENSSL_init_ssl diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index bb736c5..5ed56b8 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */ +/* $OpenBSD: ssl_algs.c,v 1.29 2021/05/16 08:24:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -60,6 +60,7 @@ #include #include +#include #include "ssl_locl.h" diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 94fc868..6ff7ca5 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.57 2018/08/27 16:42:48 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.59 2021/05/16 14:10:43 jsing Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -20,9 +20,8 @@ #include #include -#include "ssl_locl.h" - #include "bytestring.h" +#include "ssl_locl.h" #define SSLASN1_TAG (CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC) #define SSLASN1_TIME_TAG (SSLASN1_TAG | 1) @@ -331,7 +330,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) goto err; if (timeout != 0) s->timeout = (long)timeout; - + /* Peer certificate [3]. */ X509_free(s->peer); s->peer = NULL; @@ -383,7 +382,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) if (!CBS_strdup(&hostname, &s->tlsext_hostname)) goto err; } - + /* PSK identity hint [7]. */ /* PSK identity [8]. */ @@ -421,7 +420,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) return (s); -err: + err: ERR_asprintf_error_data("offset=%d", (int)(CBS_data(&cbs) - *pp)); if (s != NULL && (a == NULL || *a != s)) diff --git a/ssl/ssl_both.c b/ssl/ssl_both.c index 5da450b..f3d50d6 100644 --- a/ssl/ssl_both.c +++ b/ssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.20 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.35 2021/09/03 13:19:12 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -118,14 +118,14 @@ #include #include -#include "ssl_locl.h" - #include #include #include #include #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" /* * Send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or @@ -150,10 +150,8 @@ ssl3_do_write(SSL *s, int type) (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret); if (ret == s->internal->init_num) { - if (s->internal->msg_callback) - s->internal->msg_callback(1, s->version, type, s->internal->init_buf->data, - (size_t)(s->internal->init_off + s->internal->init_num), s, - s->internal->msg_callback_arg); + ssl_msg_callback(s, 1, type, s->internal->init_buf->data, + (size_t)(s->internal->init_off + s->internal->init_num)); return (1); } @@ -164,42 +162,39 @@ ssl3_do_write(SSL *s, int type) } int -ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) +ssl3_send_finished(SSL *s, int state_a, int state_b) { CBB cbb, finished; - int md_len; memset(&cbb, 0, sizeof(cbb)); - if (S3I(s)->hs.state == a) { - md_len = TLS1_FINISH_MAC_LENGTH; - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - - if (tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.finish_md) != md_len) - return (0); - S3I(s)->tmp.finish_md_len = md_len; + if (S3I(s)->hs.state == state_a) { + if (!tls12_derive_finished(s)) + goto err; /* Copy finished so we can use it for renegotiation checks. */ - if (s->internal->type == SSL_ST_CONNECT) { + if (!s->server) { memcpy(S3I(s)->previous_client_finished, - S3I(s)->tmp.finish_md, md_len); - S3I(s)->previous_client_finished_len = md_len; + S3I(s)->hs.finished, S3I(s)->hs.finished_len); + S3I(s)->previous_client_finished_len = + S3I(s)->hs.finished_len; } else { memcpy(S3I(s)->previous_server_finished, - S3I(s)->tmp.finish_md, md_len); - S3I(s)->previous_server_finished_len = md_len; + S3I(s)->hs.finished, S3I(s)->hs.finished_len); + S3I(s)->previous_server_finished_len = + S3I(s)->hs.finished_len; } if (!ssl3_handshake_msg_start(s, &cbb, &finished, SSL3_MT_FINISHED)) goto err; - if (!CBB_add_bytes(&finished, S3I(s)->tmp.finish_md, md_len)) + if (!CBB_add_bytes(&finished, S3I(s)->hs.finished, + S3I(s)->hs.finished_len)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; - S3I(s)->hs.state = b; + S3I(s)->hs.state = state_b; } return (ssl3_handshake_write(s)); @@ -210,36 +205,6 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) return (-1); } -/* - * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen - * so far. - */ -static void -ssl3_take_mac(SSL *s) -{ - const char *sender; - int slen; - - /* - * If no new cipher setup return immediately: other functions will - * set the appropriate error. - */ - if (S3I(s)->hs.new_cipher == NULL) - return; - - if (S3I(s)->hs.state & SSL_ST_CONNECT) { - sender = TLS_MD_SERVER_FINISH_CONST; - slen = TLS_MD_SERVER_FINISH_CONST_SIZE; - } else { - sender = TLS_MD_CLIENT_FINISH_CONST; - slen = TLS_MD_CLIENT_FINISH_CONST_SIZE; - } - - S3I(s)->tmp.peer_finish_md_len = - tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.peer_finish_md); -} - int ssl3_get_finished(SSL *s, int a, int b) { @@ -256,7 +221,7 @@ ssl3_get_finished(SSL *s, int a, int b) if (!S3I(s)->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); - goto f_err; + goto fatal_err; } S3I(s)->change_cipher_spec = 0; @@ -265,49 +230,42 @@ ssl3_get_finished(SSL *s, int a, int b) if (n < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; + goto fatal_err; } CBS_init(&cbs, s->internal->init_msg, n); - if (S3I(s)->tmp.peer_finish_md_len != md_len || + if (S3I(s)->hs.peer_finished_len != md_len || CBS_len(&cbs) != md_len) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; + goto fatal_err; } - if (!CBS_mem_equal(&cbs, S3I(s)->tmp.peer_finish_md, CBS_len(&cbs))) { + if (!CBS_mem_equal(&cbs, S3I(s)->hs.peer_finished, CBS_len(&cbs))) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); - goto f_err; + goto fatal_err; } /* Copy finished so we can use it for renegotiation checks. */ OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - if (s->internal->type == SSL_ST_ACCEPT) { + if (s->server) { memcpy(S3I(s)->previous_client_finished, - S3I(s)->tmp.peer_finish_md, md_len); + S3I(s)->hs.peer_finished, md_len); S3I(s)->previous_client_finished_len = md_len; } else { memcpy(S3I(s)->previous_server_finished, - S3I(s)->tmp.peer_finish_md, md_len); + S3I(s)->hs.peer_finished, md_len); S3I(s)->previous_server_finished_len = md_len; } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return (0); } -/* for these 2 messages, we need to - * ssl->enc_read_ctx re-init - * ssl->s3->internal->read_sequence zero - * ssl->s3->internal->read_mac_secret re-init - * ssl->session->read_sym_enc assign - * ssl->session->read_hash assign - */ int ssl3_send_change_cipher_spec(SSL *s, int a, int b) { @@ -331,7 +289,7 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b) s->internal->init_num = (int)outlen; s->internal->init_off = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { D1I(s)->handshake_write_seq = D1I(s)->next_handshake_write_seq; dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, @@ -408,6 +366,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk) SSLerror(s, ERR_R_X509_LIB); goto err; } + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xs_ctx); ERR_clear_error(); chain = xs_ctx->chain; @@ -447,33 +407,33 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) CBS cbs; uint8_t u8; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return (dtls1_get_message(s, st1, stn, mt, max, ok)); - if (S3I(s)->tmp.reuse_message) { - S3I(s)->tmp.reuse_message = 0; - if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { + if (S3I(s)->hs.tls12.reuse_message) { + S3I(s)->hs.tls12.reuse_message = 0; + if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } *ok = 1; - s->internal->init_msg = s->internal->init_buf->data + 4; - s->internal->init_num = (int)S3I(s)->tmp.message_size; + s->internal->init_msg = s->internal->init_buf->data + + SSL3_HM_HEADER_LENGTH; + s->internal->init_num = (int)S3I(s)->hs.tls12.message_size; return s->internal->init_num; } p = (unsigned char *)s->internal->init_buf->data; - /* s->internal->init_num < 4 */ if (S3I(s)->hs.state == st1) { int skip_message; do { - while (s->internal->init_num < 4) { - i = s->method->internal->ssl_read_bytes(s, + while (s->internal->init_num < SSL3_HM_HEADER_LENGTH) { + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->internal->init_num], - 4 - s->internal->init_num, 0); + SSL3_HM_HEADER_LENGTH - s->internal->init_num, 0); if (i <= 0) { s->internal->rwstate = SSL_READING; *ok = 0; @@ -494,51 +454,50 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->internal->init_num = 0; skip_message = 1; - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, - SSL3_RT_HANDSHAKE, p, 4, s, - s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, + SSL3_RT_HANDSHAKE, p, + SSL3_HM_HEADER_LENGTH); } } } while (skip_message); - /* s->internal->init_num == 4 */ - if ((mt >= 0) && (*p != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } - CBS_init(&cbs, p, 4); + CBS_init(&cbs, p, SSL3_HM_HEADER_LENGTH); if (!CBS_get_u8(&cbs, &u8) || !CBS_get_u24(&cbs, &l)) { SSLerror(s, ERR_R_BUF_LIB); goto err; } - S3I(s)->tmp.message_type = u8; + S3I(s)->hs.tls12.message_type = u8; if (l > (unsigned long)max) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; + goto fatal_err; } - if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) { + if (l && !BUF_MEM_grow_clean(s->internal->init_buf, + l + SSL3_HM_HEADER_LENGTH)) { SSLerror(s, ERR_R_BUF_LIB); goto err; } - S3I(s)->tmp.message_size = l; + S3I(s)->hs.tls12.message_size = l; S3I(s)->hs.state = stn; - s->internal->init_msg = s->internal->init_buf->data + 4; + s->internal->init_msg = s->internal->init_buf->data + + SSL3_HM_HEADER_LENGTH; s->internal->init_num = 0; } /* next state (stn) */ p = s->internal->init_msg; - n = S3I(s)->tmp.message_size - s->internal->init_num; + n = S3I(s)->hs.tls12.message_size - s->internal->init_num; while (n > 0) { - i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, + i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->internal->init_num], n, 0); if (i <= 0) { s->internal->rwstate = SSL_READING; @@ -549,29 +508,22 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n -= i; } - /* If receiving Finished, record MAC of prior handshake messages for - * Finished verification. */ - if (*s->internal->init_buf->data == SSL3_MT_FINISHED) - ssl3_take_mac(s); - /* Feed this message into MAC computation. */ if (s->internal->mac_packet) { tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data, - s->internal->init_num + 4); + s->internal->init_num + SSL3_HM_HEADER_LENGTH); - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, - SSL3_RT_HANDSHAKE, s->internal->init_buf->data, - (size_t)s->internal->init_num + 4, s, - s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, + s->internal->init_buf->data, + (size_t)s->internal->init_num + SSL3_HM_HEADER_LENGTH); } *ok = 1; return (s->internal->init_num); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: *ok = 0; return (-1); } @@ -599,7 +551,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey) ret = SSL_PKEY_GOST01; } -err: + err: if (!pkey) EVP_PKEY_free(pk); return (ret); @@ -681,7 +633,7 @@ ssl3_setup_init_buffer(SSL *s) s->internal->init_buf = buf; return (1); -err: + err: BUF_MEM_free(buf); return (0); } @@ -702,7 +654,7 @@ ssl3_setup_read_buffer(SSL *s) unsigned char *p; size_t len, align, headerlen; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) headerlen = DTLS1_RT_HEADER_LENGTH; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -721,7 +673,7 @@ ssl3_setup_read_buffer(SSL *s) s->internal->packet = S3I(s)->rbuf.buf; return 1; -err: + err: SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } @@ -732,7 +684,7 @@ ssl3_setup_write_buffer(SSL *s) unsigned char *p; size_t len, align, headerlen; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) headerlen = DTLS1_RT_HEADER_LENGTH + 1; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -754,7 +706,7 @@ ssl3_setup_write_buffer(SSL *s) return 1; -err: + err: SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 43e8331..a13ee59 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.78 2020/06/05 17:55:24 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.83 2021/06/11 11:13:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -505,10 +505,10 @@ SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) STACK_OF(X509_NAME) * SSL_get_client_CA_list(const SSL *s) { - if (s->internal->type == SSL_ST_CONNECT) { + if (!s->server) { /* We are in the client. */ if ((s->version >> 8) == SSL3_VERSION_MAJOR) - return (S3I(s)->tmp.ca_names); + return (S3I(s)->hs.tls12.ca_names); else return (NULL); } else { @@ -595,8 +595,9 @@ SSL_load_client_CA_file(const char *file) goto err; } } - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - /* check for duplicates */ + if ((xn = X509_get_subject_name(x)) == NULL) + goto err; + /* check for duplicates */ xn = X509_NAME_dup(xn); if (xn == NULL) goto err; @@ -609,7 +610,7 @@ SSL_load_client_CA_file(const char *file) } if (0) { -err: + err: sk_X509_NAME_pop_free(ret, X509_NAME_free); ret = NULL; } @@ -656,8 +657,9 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, for (;;) { if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) break; - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - xn = X509_NAME_dup(xn); + if ((xn = X509_get_subject_name(x)) == NULL) + goto err; + xn = X509_NAME_dup(xn); if (xn == NULL) goto err; if (sk_X509_NAME_find(stack, xn) >= 0) @@ -669,7 +671,7 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, ERR_clear_error(); if (0) { -err: + err: ret = 0; } BIO_free(in); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index fd576ce..0e9941b 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.124 2021/07/03 16:06:44 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -143,6 +143,7 @@ #include #include +#include #ifndef OPENSSL_NO_ENGINE #include @@ -559,9 +560,21 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead) int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) { + unsigned long handshake_mac; + *md = NULL; - switch (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_MASK) { + if (S3I(s)->hs.cipher == NULL) + return 0; + + handshake_mac = S3I(s)->hs.cipher->algorithm2 & + SSL_HANDSHAKE_MAC_MASK; + + /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ + if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT) + handshake_mac = SSL_HANDSHAKE_MAC_SHA256; + + switch (handshake_mac) { case SSL_HANDSHAKE_MAC_DEFAULT: *md = EVP_md5_sha1(); return 1; @@ -1215,7 +1228,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, * in ciphers. We cannot get more than the number compiled in, so * it is used for allocation. */ - num_of_ciphers = ssl_method->num_ciphers(); + num_of_ciphers = ssl3_num_ciphers(); co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER)); if (co_list == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); @@ -1587,6 +1600,20 @@ SSL_CIPHER_get_value(const SSL_CIPHER *c) return ssl3_cipher_get_value(c); } +const SSL_CIPHER * +SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) +{ + uint16_t cipher_value; + CBS cbs; + + /* This API is documented with ptr being an array of length two. */ + CBS_init(&cbs, ptr, 2); + if (!CBS_get_u16(&cbs, &cipher_value)) + return NULL; + + return ssl3_get_cipher_by_value(cipher_value); +} + int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) { diff --git a/ssl/ssl_ciphers.c b/ssl/ssl_ciphers.c index 399e274..4e4a0d9 100644 --- a/ssl/ssl_ciphers.c +++ b/ssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan * Copyright (c) 2015-2018, 2020 Joel Sing @@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) } int -ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, +ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, uint16_t max_ver) { - /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */ - if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION) - min_ver = max_ver = TLS1_1_VERSION; - switch(cipher->algorithm_ssl) { case SSL_SSLV3: - if (min_ver <= TLS1_2_VERSION) - return 1; - break; + return (min_ver <= TLS1_2_VERSION); case SSL_TLSV1_2: - if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver); case SSL_TLSV1_3: - if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver) - return 1; - break; + return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver); } - return 0; } @@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) if (ciphers == NULL) return 0; - if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) return 0; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) return 0; - if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, + if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) @@ -104,7 +93,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) { STACK_OF(SSL_CIPHER) *ciphers = NULL; const SSL_CIPHER *cipher; - uint16_t cipher_value, max_version; + uint16_t cipher_value; unsigned long cipher_id; S3I(s)->send_connection_binding = 0; @@ -145,9 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * Fail if the current version is an unexpected * downgrade. */ - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; - if (s->version < max_version) { + if (S3I(s)->hs.negotiated_tls_version < + S3I(s)->hs.our_max_tls_version) { SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c index f11dcaa..ddab394 100644 --- a/ssl/ssl_clnt.c +++ b/ssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.73 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.111 2021/09/03 13:18:17 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -152,8 +152,6 @@ #include #include -#include "ssl_locl.h" - #include #include #include @@ -161,6 +159,7 @@ #include #include #include +#include #ifndef OPENSSL_NO_ENGINE #include @@ -170,6 +169,8 @@ #endif #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" @@ -178,18 +179,12 @@ static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); int ssl3_connect(SSL *s) { - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; int new_state, state, skip = 0; + int ret = -1; ERR_clear_error(); errno = 0; - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -209,25 +204,22 @@ ssl3_connect(SSL *s) case SSL_ST_OK|SSL_ST_CONNECT: s->server = 0; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_IS_DTLS(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version & 0xff00) != 0x0300) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1); + + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } - /* s->version=SSL3_VERSION; */ - s->internal->type = SSL_ST_CONNECT; + if (!ssl_supported_tls_version_range(s, + &S3I(s)->hs.our_min_tls_version, + &S3I(s)->hs.our_max_tls_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + ret = -1; + goto end; + } if (!ssl3_setup_init_buffer(s)) { ret = -1; @@ -253,7 +245,7 @@ ssl3_connect(SSL *s) s->ctx->internal->stats.sess_connect++; s->internal->init_num = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* mark client_random uninitialized */ memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); @@ -266,7 +258,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CLNT_HELLO_B: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* every DTLS ClientHello resets Finished MAC */ tls1_transcript_reset(s); @@ -277,9 +269,9 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; - if (SSL_IS_DTLS(s) && D1I(s)->send_cookie) { + if (SSL_is_dtls(s) && D1I(s)->send_cookie) { S3I(s)->hs.state = SSL3_ST_CW_FLUSH; - S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A; } else S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; @@ -299,7 +291,7 @@ ssl3_connect(SSL *s) if (s->internal->hit) { S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; - if (!SSL_IS_DTLS(s)) { + if (!SSL_is_dtls(s)) { if (s->internal->tlsext_ticket_expected) { /* receive renewed session ticket */ S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; @@ -308,7 +300,7 @@ ssl3_connect(SSL *s) /* No client certificate verification. */ tls1_transcript_free(s); } - } else if (SSL_IS_DTLS(s)) { + } else if (SSL_is_dtls(s)) { S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; } else { S3I(s)->hs.state = SSL3_ST_CR_CERT_A; @@ -318,7 +310,7 @@ ssl3_connect(SSL *s) case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: - ret = dtls1_get_hello_verify(s); + ret = ssl3_get_dtls_hello_verify(s); if (ret <= 0) goto end; dtls1_stop_timer(s); @@ -344,7 +336,7 @@ ssl3_connect(SSL *s) break; } /* Check if it is anon DH/ECDH. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { ret = ssl3_get_server_certificate(s); if (ret <= 0) @@ -392,9 +384,9 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_done(s); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); - if (S3I(s)->tmp.cert_req) + if (S3I(s)->hs.tls12.cert_request) S3I(s)->hs.state = SSL3_ST_CW_CERT_A; else S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A; @@ -406,7 +398,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_B: case SSL3_ST_CW_CERT_C: case SSL3_ST_CW_CERT_D: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_certificate(s); if (ret <= 0) @@ -417,7 +409,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_A: case SSL3_ST_CW_KEY_EXCH_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_key_exchange(s); if (ret <= 0) @@ -438,13 +430,13 @@ ssl3_connect(SSL *s) * message when client's ECDH public key is sent * inside the client certificate. */ - if (S3I(s)->tmp.cert_req == 1) { + if (S3I(s)->hs.tls12.cert_request == 1) { S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A; } else { S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; S3I(s)->change_cipher_spec = 0; } - if (!SSL_IS_DTLS(s)) { + if (!SSL_is_dtls(s)) { if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; S3I(s)->change_cipher_spec = 0; @@ -456,7 +448,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_VRFY_A: case SSL3_ST_CW_CERT_VRFY_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_client_verify(s); if (ret <= 0) @@ -468,7 +460,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: - if (SSL_IS_DTLS(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->internal->hit) dtls1_start_timer(s); ret = ssl3_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); @@ -477,47 +469,40 @@ ssl3_connect(SSL *s) S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; s->internal->init_num = 0; + s->session->cipher = S3I(s)->hs.cipher; - s->session->cipher = S3I(s)->hs.new_cipher; if (!tls1_setup_key_block(s)) { ret = -1; goto end; } - - if (!tls1_change_cipher_state(s, - SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { + if (!tls1_change_write_cipher_state(s)) { ret = -1; goto end; } - - if (SSL_IS_DTLS(s)) - dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); - break; case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: - if (SSL_IS_DTLS(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->internal->hit) dtls1_start_timer(s); ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, - SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE); + SSL3_ST_CW_FINISHED_B); if (ret <= 0) goto end; - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) s->s3->flags |= SSL3_FLAGS_CCS_OK; S3I(s)->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ if (s->internal->hit) { - S3I(s)->hs.next_state = SSL_ST_OK; + S3I(s)->hs.tls12.next_state = SSL_ST_OK; } else { /* Allow NewSessionTicket if ticket expected */ if (s->internal->tlsext_ticket_expected) - S3I(s)->hs.next_state = + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SESSION_TICKET_A; else - S3I(s)->hs.next_state = + S3I(s)->hs.tls12.next_state = SSL3_ST_CR_FINISHED_A; } s->internal->init_num = 0; @@ -543,7 +528,7 @@ ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -551,7 +536,7 @@ ssl3_connect(SSL *s) SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); if (s->internal->hit) @@ -564,18 +549,18 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_FLUSH: s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying */ if (!BIO_should_retry(s->wbio)) { s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; } } ret = -1; goto end; } s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; break; case SSL_ST_OK: @@ -588,7 +573,7 @@ ssl3_connect(SSL *s) goto end; } - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) ssl3_release_init_buffer(s); ssl_free_wbio_buffer(s); @@ -606,10 +591,9 @@ ssl3_connect(SSL *s) s->internal->handshake_func = ssl3_connect; s->ctx->internal->stats.sess_connect_good++; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); + ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* done with handshaking */ D1I(s)->handshake_read_seq = 0; D1I(s)->next_handshake_write_seq = 0; @@ -626,26 +610,25 @@ ssl3_connect(SSL *s) } /* did we do anything */ - if (!S3I(s)->tmp.reuse_message && !skip) { + if (!S3I(s)->hs.tls12.reuse_message && !skip) { if (s->internal->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } - if ((cb != NULL) && (S3I(s)->hs.state != state)) { + if (S3I(s)->hs.state != state) { new_state = S3I(s)->hs.state; S3I(s)->hs.state = state; - cb(s, SSL_CB_CONNECT_LOOP, 1); + ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1); S3I(s)->hs.state = new_state; } } skip = 0; } -end: + end: s->internal->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_CONNECT_EXIT, ret); + ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret); return (ret); } @@ -663,7 +646,7 @@ ssl3_send_client_hello(SSL *s) if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if (ssl_supported_version_range(s, NULL, &max_version) != 1) { + if (!ssl_max_supported_version(s, &max_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); } @@ -683,7 +666,7 @@ ssl3_send_client_hello(SSL *s) * HelloVerifyRequest, we must retain the original client * random value. */ - if (!SSL_IS_DTLS(s) || D1I(s)->send_cookie == 0) + if (!SSL_is_dtls(s) || D1I(s)->send_cookie == 0) arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); if (!ssl3_handshake_msg_start(s, &cbb, &client_hello, @@ -702,10 +685,10 @@ ssl3_send_client_hello(SSL *s) * 1.0. * * Possible scenario with previous logic: - * 1. Client hello indicates TLS 1.2 - * 2. Server hello says TLS 1.0 + * 1. Client hello indicates TLS 1.2 + * 2. Server hello says TLS 1.0 * 3. RSA encrypted premaster secret uses 1.2. - * 4. Handhaked proceeds using TLS 1.0. + * 4. Handhaked proceeds using TLS 1.0. * 5. Server sends hello request to renegotiate. * 6. Client hello indicates TLS v1.0 as we now * know that is maximum server supports. @@ -744,7 +727,7 @@ ssl3_send_client_hello(SSL *s) } /* DTLS Cookie. */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; @@ -787,18 +770,79 @@ ssl3_send_client_hello(SSL *s) /* SSL3_ST_CW_CLNT_HELLO_B */ return (ssl3_handshake_write(s)); -err: + err: CBB_cleanup(&cbb); return (-1); } +int +ssl3_get_dtls_hello_verify(SSL *s) +{ + long n; + int al, ok = 0; + size_t cookie_len; + uint16_t ssl_version; + CBS hello_verify_request, cookie; + + n = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, + DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); + if (!ok) + return ((int)n); + + if (S3I(s)->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { + D1I(s)->send_cookie = 0; + S3I(s)->hs.tls12.reuse_message = 1; + return (1); + } + + if (n < 0) + goto decode_err; + + CBS_init(&hello_verify_request, s->internal->init_msg, n); + + if (!CBS_get_u16(&hello_verify_request, &ssl_version)) + goto decode_err; + if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) + goto decode_err; + if (CBS_len(&hello_verify_request) != 0) + goto decode_err; + + /* + * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always + * contain DTLSv1.0 the version that is going to be negotiated. + * Tolerate DTLSv1.2 just in case. + */ + if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) { + SSLerror(s, SSL_R_WRONG_SSL_VERSION); + s->version = (s->version & 0xff00) | (ssl_version & 0xff); + al = SSL_AD_PROTOCOL_VERSION; + goto fatal_err; + } + + if (!CBS_write_bytes(&cookie, D1I(s)->cookie, + sizeof(D1I(s)->cookie), &cookie_len)) { + D1I(s)->cookie_len = 0; + al = SSL_AD_ILLEGAL_PARAMETER; + goto fatal_err; + } + D1I(s)->cookie_len = cookie_len; + D1I(s)->send_cookie = 1; + + return 1; + + decode_err: + al = SSL_AD_DECODE_ERROR; + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return -1; +} + int ssl3_get_server_hello(SSL *s) { CBS cbs, server_random, session_id; uint16_t server_version, cipher_suite; - uint16_t min_version, max_version; uint8_t compression_method; const SSL_CIPHER *cipher; const SSL_METHOD *method; @@ -815,47 +859,48 @@ ssl3_get_server_hello(SSL *s) s->internal->first_packet = 0; if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); - if (SSL_IS_DTLS(s)) { - if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { + if (SSL_is_dtls(s)) { + if (S3I(s)->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { if (D1I(s)->send_cookie == 0) { - S3I(s)->tmp.reuse_message = 1; + S3I(s)->hs.tls12.reuse_message = 1; return (1); } else { /* Already sent a cookie. */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } } } - if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (!CBS_get_u16(&cbs, &server_version)) - goto truncated; + goto decode_err; - if (ssl_supported_version_range(s, &min_version, &max_version) != 1) { - SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); - goto err; - } - - if (server_version < min_version || server_version > max_version) { + if (!ssl_check_version_from_server(s, server_version)) { SSLerror(s, SSL_R_WRONG_SSL_VERSION); s->version = (s->version & 0xff00) | (server_version & 0xff); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } s->version = server_version; - if ((method = ssl_get_client_method(server_version)) == NULL) { + S3I(s)->hs.negotiated_tls_version = ssl_tls_version(server_version); + if (S3I(s)->hs.negotiated_tls_version == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + + if ((method = ssl_get_method(server_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -863,15 +908,13 @@ ssl3_get_server_hello(SSL *s) /* Server random. */ if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE)) - goto truncated; + goto decode_err; if (!CBS_write_bytes(&server_random, s->s3->server_random, sizeof(s->s3->server_random), NULL)) goto err; - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; - if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && - s->version < max_version) { + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { /* * RFC 8446 section 4.1.3. We must not downgrade if the server * random value contains the TLS 1.2 or TLS 1.1 magical value. @@ -879,34 +922,34 @@ ssl3_get_server_hello(SSL *s) if (!CBS_skip(&server_random, CBS_len(&server_random) - sizeof(tls13_downgrade_12))) goto err; - if (s->version == TLS1_2_VERSION && + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION && CBS_mem_equal(&server_random, tls13_downgrade_12, sizeof(tls13_downgrade_12))) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); - goto f_err; + goto fatal_err; } if (CBS_mem_equal(&server_random, tls13_downgrade_11, sizeof(tls13_downgrade_11))) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); - goto f_err; + goto fatal_err; } } /* Session ID. */ if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) - goto truncated; + goto decode_err; if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + goto fatal_err; } /* Cipher suite. */ if (!CBS_get_u16(&cbs, &cipher_suite)) - goto truncated; + goto decode_err; /* * Check if we want to resume the session based on external @@ -933,7 +976,7 @@ ssl3_get_server_hello(SSL *s) /* actually a client application bug */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; + goto fatal_err; } s->s3->flags |= SSL3_FLAGS_CCS_OK; s->internal->hit = 1; @@ -946,7 +989,7 @@ ssl3_get_server_hello(SSL *s) if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } } @@ -965,22 +1008,22 @@ ssl3_get_server_hello(SSL *s) if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } /* TLS v1.2 only ciphersuites require v1.2 or later. */ if ((cipher->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_version(s) < TLS1_2_VERSION)) { + S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { /* we did not say we would use this cipher */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; + goto fatal_err; } /* @@ -993,9 +1036,9 @@ ssl3_get_server_hello(SSL *s) if (s->internal->hit && (s->session->cipher_id != cipher->id)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; + goto fatal_err; } - S3I(s)->hs.new_cipher = cipher; + S3I(s)->hs.cipher = cipher; if (!tls1_transcript_hash_init(s)) goto err; @@ -1004,24 +1047,27 @@ ssl3_get_server_hello(SSL *s) * Don't digest cached records if no sigalgs: we may need them for * client authentication. */ - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) tls1_transcript_free(s); if (!CBS_get_u8(&cbs, &compression_method)) - goto truncated; + goto decode_err; if (compression_method != 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + goto fatal_err; } if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); - goto f_err; + goto fatal_err; } + if (CBS_len(&cbs) != 0) + goto decode_err; + /* * Determine if we need to see RI. Strictly speaking if we want to * avoid an attack we should *always* see RI even on initial server @@ -1034,7 +1080,7 @@ ssl3_get_server_hello(SSL *s) !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - goto f_err; + goto fatal_err; } if (ssl_check_serverhello_tlsext(s) <= 0) { @@ -1044,13 +1090,13 @@ ssl3_get_server_hello(SSL *s) return (1); -truncated: + decode_err: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } @@ -1071,15 +1117,15 @@ ssl3_get_server_certificate(SSL *s) if (!ok) return ((int)n); - if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { - S3I(s)->tmp.reuse_message = 1; + if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { + S3I(s)->hs.tls12.reuse_message = 1; return (1); } - if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } @@ -1089,28 +1135,28 @@ ssl3_get_server_certificate(SSL *s) } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); if (CBS_len(&cbs) < 3) - goto truncated; + goto decode_err; if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } while (CBS_len(&cert_list) > 0) { CBS cert; if (CBS_len(&cert_list) < 3) - goto truncated; + goto decode_err; if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } q = CBS_data(&cert); @@ -1118,12 +1164,12 @@ ssl3_get_server_certificate(SSL *s) if (x == NULL) { al = SSL_AD_BAD_CERTIFICATE; SSLerror(s, ERR_R_ASN1_LIB); - goto f_err; + goto fatal_err; } if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!sk_X509_push(sk, x)) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -1136,7 +1182,7 @@ ssl3_get_server_certificate(SSL *s) if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { al = ssl_verify_alarm_type(s->verify_result); SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + goto fatal_err; } ERR_clear_error(); /* but we keep s->verify_result */ @@ -1162,7 +1208,7 @@ ssl3_get_server_certificate(SSL *s) x = NULL; al = SSL3_AL_FATAL; SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto f_err; + goto fatal_err; } i = ssl_cert_type(x, pkey); @@ -1170,7 +1216,7 @@ ssl3_get_server_certificate(SSL *s) x = NULL; al = SSL3_AL_FATAL; SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + goto fatal_err; } sc->peer_cert_type = i; @@ -1192,14 +1238,14 @@ ssl3_get_server_certificate(SSL *s) ret = 1; if (0) { -truncated: + decode_err: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); @@ -1217,7 +1263,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) long alg_a; int al; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = SSI(s)->sess_cert; if ((dh = DH_new()) == NULL) { @@ -1226,21 +1272,21 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) } if (!CBS_get_u16_length_prefixed(cbs, &dhp)) - goto truncated; + goto decode_err; if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } if (!CBS_get_u16_length_prefixed(cbs, &dhg)) - goto truncated; + goto decode_err; if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } if (!CBS_get_u16_length_prefixed(cbs, &dhpk)) - goto truncated; + goto decode_err; if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); @@ -1266,7 +1312,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1345,7 +1391,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) int nid; int al; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; sc = SSI(s)->sess_cert; /* Only named curves are supported. */ @@ -1354,7 +1400,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) !CBS_get_u16(cbs, &curve_id)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + goto fatal_err; } /* @@ -1364,17 +1410,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) if (tls1_check_curve(s, curve_id) != 1) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_WRONG_CURVE); - goto f_err; + goto fatal_err; } if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); - goto f_err; + goto fatal_err; } if (!CBS_get_u8_length_prefixed(cbs, &public)) - goto truncated; + goto decode_err; if (nid == NID_X25519) { if (ssl3_get_server_kex_ecdhe_ecx(s, sc, nid, &public) != 1) @@ -1399,11 +1445,11 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1414,7 +1460,6 @@ int ssl3_get_server_key_exchange(SSL *s) { CBS cbs, signature; - const EVP_MD *md = NULL; EVP_PKEY *pkey = NULL; EVP_MD_CTX md_ctx; const unsigned char *param; @@ -1424,8 +1469,8 @@ ssl3_get_server_key_exchange(SSL *s) EVP_MD_CTX_init(&md_ctx); - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; /* * Use same message size as in ssl3_get_certificate_request() @@ -1441,7 +1486,7 @@ ssl3_get_server_key_exchange(SSL *s) CBS_init(&cbs, s->internal->init_msg, n); - if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { /* * Do not skip server key exchange if this cipher suite uses * ephemeral keys. @@ -1449,10 +1494,10 @@ ssl3_get_server_key_exchange(SSL *s) if (alg_k & (SSL_kDHE|SSL_kECDHE)) { SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } - S3I(s)->tmp.reuse_message = 1; + S3I(s)->hs.tls12.reuse_message = 1; EVP_MD_CTX_cleanup(&md_ctx); return (1); } @@ -1484,57 +1529,38 @@ ssl3_get_server_key_exchange(SSL *s) } else if (alg_k != 0) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + goto fatal_err; } param_len -= CBS_len(&cbs); /* if it was signed, check the signature */ if (pkey != NULL) { - EVP_PKEY_CTX *pctx; + uint16_t sigalg_value = SIGALG_NONE; const struct ssl_sigalg *sigalg; + EVP_PKEY_CTX *pctx; if (SSL_USE_SIGALGS(s)) { - uint16_t sigalg_value; - if (!CBS_get_u16(&cbs, &sigalg_value)) - goto truncated; - if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, - tls12_sigalgs_len)) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if ((md = sigalg->md()) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - } else if (pkey->type == EVP_PKEY_RSA) { - sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); - } else if (pkey->type == EVP_PKEY_EC) { - sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); - } else { - SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; + goto decode_err; } - md = sigalg->md(); - if (!CBS_get_u16_length_prefixed(&cbs, &signature)) - goto truncated; + goto decode_err; if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH); - goto f_err; + goto fatal_err; } - if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey)) + if ((sigalg = ssl_sigalg_for_peer(s, pkey, + sigalg_value)) == NULL) { + al = SSL_AD_DECODE_ERROR; + goto fatal_err; + } + S3I(s)->hs.peer_sigalg = sigalg; + + if (!EVP_DigestVerifyInit(&md_ctx, &pctx, sigalg->md(), + NULL, pkey)) goto err; if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random, SSL3_RANDOM_SIZE)) @@ -1553,7 +1579,7 @@ ssl3_get_server_key_exchange(SSL *s) CBS_len(&signature)) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; + goto fatal_err; } } else { /* aNULL does not need public keys. */ @@ -1566,7 +1592,7 @@ ssl3_get_server_key_exchange(SSL *s) if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; + goto fatal_err; } EVP_PKEY_free(pkey); @@ -1574,11 +1600,11 @@ ssl3_get_server_key_exchange(SSL *s) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1592,9 +1618,8 @@ int ssl3_get_certificate_request(SSL *s) { int ok, ret = 0; - long n; - uint8_t ctype_num; - CBS cert_request, ctypes, rdn_list; + long n; + CBS cert_request, cert_types, rdn_list; X509_NAME *xn = NULL; const unsigned char *q; STACK_OF(X509_NAME) *ca_sk = NULL; @@ -1604,10 +1629,10 @@ ssl3_get_certificate_request(SSL *s) if (!ok) return ((int)n); - S3I(s)->tmp.cert_req = 0; + S3I(s)->hs.tls12.cert_request = 0; - if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_DONE) { - S3I(s)->tmp.reuse_message = 1; + if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_DONE) { + S3I(s)->hs.tls12.reuse_message = 1; /* * If we get here we don't need any cached handshake records * as we wont be doing client auth. @@ -1616,21 +1641,21 @@ ssl3_get_certificate_request(SSL *s) return (1); } - if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); goto err; } /* TLS does not like anon-DH with client cert */ - if (S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL) { + if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); goto err; } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cert_request, s->internal->init_msg, n); if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { @@ -1638,18 +1663,8 @@ ssl3_get_certificate_request(SSL *s) goto err; } - /* get the certificate types */ - if (!CBS_get_u8(&cert_request, &ctype_num)) - goto truncated; - - if (ctype_num > SSL3_CT_NUMBER) - ctype_num = SSL3_CT_NUMBER; - if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) || - !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype, - sizeof(S3I(s)->tmp.ctype), NULL)) { - SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } + if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types)) + goto decode_err; if (SSL_USE_SIGALGS(s)) { CBS sigalgs; @@ -1721,18 +1736,17 @@ ssl3_get_certificate_request(SSL *s) } /* we should setup a certificate to return.... */ - S3I(s)->tmp.cert_req = 1; - S3I(s)->tmp.ctype_num = ctype_num; - sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); - S3I(s)->tmp.ca_names = ca_sk; + S3I(s)->hs.tls12.cert_request = 1; + sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); + S3I(s)->hs.tls12.ca_names = ca_sk; ca_sk = NULL; ret = 1; if (0) { -truncated: + decode_err: SSLerror(s, SSL_R_BAD_PACKET_LENGTH); } -err: + err: X509_NAME_free(xn); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); @@ -1757,20 +1771,20 @@ ssl3_get_new_session_ticket(SSL *s) if (!ok) return ((int)n); - if (S3I(s)->tmp.message_type == SSL3_MT_FINISHED) { - S3I(s)->tmp.reuse_message = 1; + if (S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) { + S3I(s)->hs.tls12.reuse_message = 1; return (1); } - if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (n < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } CBS_init(&cbs, s->internal->init_msg, n); @@ -1782,7 +1796,7 @@ ssl3_get_new_session_ticket(SSL *s) CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint; @@ -1813,9 +1827,9 @@ ssl3_get_new_session_ticket(SSL *s) EVP_sha256(), NULL); ret = 1; return (ret); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } @@ -1828,16 +1842,51 @@ ssl3_get_cert_status(SSL *s) uint8_t status_type; n = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A, - SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, - 16384, &ok); + SSL3_ST_CR_CERT_STATUS_B, -1, 16384, &ok); if (!ok) return ((int)n); + if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Tell the callback the server did not send us an OSCP + * response, and has decided to head directly to key exchange. + */ + if (s->ctx->internal->tlsext_status_cb) { + int ret; + + free(s->internal->tlsext_ocsp_resp); + s->internal->tlsext_ocsp_resp = NULL; + s->internal->tlsext_ocsp_resp_len = 0; + + ret = s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg); + if (ret == 0) { + al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; + SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); + goto fatal_err; + } + if (ret < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto fatal_err; + } + } + S3I(s)->hs.tls12.reuse_message = 1; + return (1); + } + + if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE && + S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); + goto fatal_err; + } + if (n < 0) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } CBS_init(&cert_status, s->internal->init_msg, n); @@ -1846,28 +1895,28 @@ ssl3_get_cert_status(SSL *s) /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (status_type != TLSEXT_STATUSTYPE_ocsp) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; + goto fatal_err; } if (!CBS_get_u24_length_prefixed(&cert_status, &response) || CBS_len(&cert_status) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, &s->internal->tlsext_ocsp_resp_len)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto f_err; - } + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto fatal_err; + } if (s->ctx->internal->tlsext_status_cb) { int ret; @@ -1876,16 +1925,16 @@ ssl3_get_cert_status(SSL *s) if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); - goto f_err; + goto fatal_err; } if (ret < 0) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); - goto f_err; + goto fatal_err; } } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return (-1); } @@ -1933,6 +1982,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) goto err; } + /* XXX - our max protocol version. */ pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; arc4random_buf(&pms[2], sizeof(pms) - 2); @@ -1956,13 +2006,12 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) if (!CBB_flush(cbb)) goto err; - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, pms, sizeof(pms)); + if (!tls12_derive_master_secret(s, pms, sizeof(pms))) + goto err; ret = 1; -err: + err: explicit_bzero(pms, sizeof(pms)); EVP_PKEY_free(pkey); free(enc_pms); @@ -2010,10 +2059,8 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) goto err; } - /* Generate master key from the result. */ - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, key, key_len); + if (!tls12_derive_master_secret(s, key, key_len)) + goto err; if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc)) goto err; @@ -2025,7 +2072,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) ret = 1; -err: + err: DH_free(dh_clnt); freezero(key, key_size); @@ -2059,8 +2106,8 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len)) goto err; - s->session->master_key_length = tls1_generate_master_secret(s, - s->session->master_key, key, key_len); + if (!tls12_derive_master_secret(s, key, key_len)) + goto err; ret = 1; @@ -2097,10 +2144,8 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb) if (!CBB_flush(cbb)) goto err; - /* Generate master key from the result. */ - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, shared_key, X25519_KEY_LENGTH); + if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH)) + goto err; ret = 1; @@ -2170,7 +2215,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) /* * If we have client certificate, use its secret as peer key. */ - if (S3I(s)->tmp.cert_req && s->cert->key->privatekey) { + if (S3I(s)->hs.tls12.cert_request && s->cert->key->privatekey) { if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) { /* @@ -2190,7 +2235,8 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) goto err; } - if (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_GOST94) + /* XXX check handshake hash instead. */ + if (S3I(s)->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) nid = NID_id_GostR3411_94; else nid = NID_id_tc26_gost3411_2012_256; @@ -2230,9 +2276,9 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; } EVP_PKEY_CTX_free(pkey_ctx); - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, premaster_secret, 32); + + if (!tls12_derive_master_secret(s, premaster_secret, 32)) + goto err; ret = 1; @@ -2253,7 +2299,7 @@ ssl3_send_client_key_exchange(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_CW_KEY_EXCH_A) { - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if ((sess_cert = SSI(s)->sess_cert) == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, @@ -2294,21 +2340,19 @@ ssl3_send_client_key_exchange(SSL *s) /* SSL3_ST_CW_KEY_EXCH_B */ return (ssl3_handshake_write(s)); -err: + err: CBB_cleanup(&cbb); return (-1); } static int -ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) +ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, + const struct ssl_sigalg *sigalg, CBB *cert_verify) { - const struct ssl_sigalg *sigalg; CBB cbb_signature; EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkey; EVP_MD_CTX mctx; - const EVP_MD *md; const unsigned char *hdata; unsigned char *signature = NULL; size_t signature_len, hdata_len; @@ -2316,21 +2360,11 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) EVP_MD_CTX_init(&mctx); - pkey = s->cert->key->privatekey; - if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { - SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); - goto err; - } - if ((md = sigalg->md()) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - goto err; - } - if (!tls1_transcript_data(s, &hdata, &hdata_len)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) { + if (!EVP_DigestSignInit(&mctx, &pctx, sigalg->md(), NULL, pkey)) { SSLerror(s, ERR_R_EVP_LIB); goto err; } @@ -2382,18 +2416,15 @@ ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) } static int -ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify) +ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) { CBB cbb_signature; - EVP_PKEY *pkey; unsigned char data[EVP_MAX_MD_SIZE]; unsigned char *signature = NULL; unsigned int signature_len; size_t data_len; int ret = 0; - pkey = s->cert->key->privatekey; - if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len)) goto err; if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) @@ -2418,17 +2449,14 @@ ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify) } static int -ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify) +ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) { CBB cbb_signature; - EVP_PKEY *pkey; unsigned char data[EVP_MAX_MD_SIZE]; unsigned char *signature = NULL; unsigned int signature_len; int ret = 0; - pkey = s->cert->key->privatekey; - if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL)) goto err; if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) @@ -2454,12 +2482,11 @@ ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify) #ifndef OPENSSL_NO_GOST static int -ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify) +ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) { CBB cbb_signature; EVP_MD_CTX mctx; EVP_PKEY_CTX *pctx; - EVP_PKEY *pkey; const EVP_MD *md; const unsigned char *hdata; unsigned char *signature = NULL; @@ -2470,8 +2497,6 @@ ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify) EVP_MD_CTX_init(&mctx); - pkey = s->cert->key->privatekey; - if (!tls1_transcript_data(s, &hdata, &hdata_len)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; @@ -2526,6 +2551,7 @@ ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify) int ssl3_send_client_verify(SSL *s) { + const struct ssl_sigalg *sigalg; CBB cbb, cert_verify; EVP_PKEY *pkey; @@ -2537,24 +2563,30 @@ ssl3_send_client_verify(SSL *s) goto err; pkey = s->cert->key->privatekey; + if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { + SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); + goto err; + } + S3I(s)->hs.our_sigalg = sigalg; /* - * For TLS v1.2 send signature algorithm and signature - * using agreed digest and cached handshake records. + * For TLS v1.2 send signature algorithm and signature using + * agreed digest and cached handshake records. */ if (SSL_USE_SIGALGS(s)) { - if (!ssl3_send_client_verify_sigalgs(s, &cert_verify)) + if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg, + &cert_verify)) goto err; } else if (pkey->type == EVP_PKEY_RSA) { - if (!ssl3_send_client_verify_rsa(s, &cert_verify)) + if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify)) goto err; } else if (pkey->type == EVP_PKEY_EC) { - if (!ssl3_send_client_verify_ec(s, &cert_verify)) + if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify)) goto err; #ifndef OPENSSL_NO_GOST } else if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { - if (!ssl3_send_client_verify_gost(s, &cert_verify)) + if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify)) goto err; #endif } else { @@ -2600,8 +2632,8 @@ ssl3_send_client_certificate(SSL *s) if (S3I(s)->hs.state == SSL3_ST_CW_CERT_B) { /* * If we get an error, we need to - * ssl->rwstate=SSL_X509_LOOKUP; return(-1); - * We then get retied later + * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); + * We then get retried later. */ i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { @@ -2622,7 +2654,7 @@ ssl3_send_client_certificate(SSL *s) X509_free(x509); EVP_PKEY_free(pkey); if (i == 0) { - S3I(s)->tmp.cert_req = 2; + S3I(s)->hs.tls12.cert_request = 2; /* There is no client certificate to verify. */ tls1_transcript_free(s); @@ -2637,7 +2669,7 @@ ssl3_send_client_certificate(SSL *s) SSL3_MT_CERTIFICATE)) goto err; if (!ssl3_output_cert_chain(s, &client_cert, - (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key)) + (S3I(s)->hs.tls12.cert_request == 2) ? NULL : s->cert->key)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; @@ -2665,8 +2697,8 @@ ssl3_check_cert_and_algorithm(SSL *s) SESS_CERT *sc; DH *dh; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; /* We don't have a certificate. */ if (alg_a & SSL_aNULL) @@ -2687,7 +2719,7 @@ ssl3_check_cert_and_algorithm(SSL *s) sc->peer_pkeys[idx].x509, s) == 0) { /* check failed */ SSLerror(s, SSL_R_BAD_ECC_CERT); - goto f_err; + goto fatal_err; } else { return (1); } @@ -2699,22 +2731,22 @@ ssl3_check_cert_and_algorithm(SSL *s) /* Check that we have a certificate if we require one. */ if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); - goto f_err; + goto fatal_err; } if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); - goto f_err; + goto fatal_err; } if ((alg_k & SSL_kDHE) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerror(s, SSL_R_MISSING_DH_KEY); - goto f_err; + goto fatal_err; } return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); -err: + err: return (0); } @@ -2740,9 +2772,9 @@ ssl3_check_finished(SSL *s) if (!ok) return ((int)n); - S3I(s)->tmp.reuse_message = 1; - if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) || - (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) + S3I(s)->hs.tls12.reuse_message = 1; + if ((S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) || + (S3I(s)->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET)) return (2); return (1); diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index cbc2898..9ea7cd4 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.37 2020/01/21 05:19:02 jsing Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.39 2021/09/10 09:25:29 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -61,6 +61,7 @@ #include #include +#include #include #include "ssl_locl.h" @@ -293,6 +294,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"}, {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) , "multiple sgc restarts"}, {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET), "non sslv2 initial packet"}, + {ERR_REASON(SSL_R_NO_APPLICATION_PROTOCOL), "no application protocol"}, {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"}, {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED), "no certificate assigned"}, {ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED), "no certificate returned"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6e375e1..0f86238 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.234 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.268 2021/09/10 08:59:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -146,13 +146,12 @@ #include -#include "ssl_locl.h" - #include #include #include #include #include +#include #include #ifndef OPENSSL_NO_ENGINE @@ -160,6 +159,8 @@ #endif #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" #include "ssl_sigalgs.h" const char *SSL_version_str = OPENSSL_VERSION_TEXT; @@ -186,9 +187,7 @@ SSL_clear(SSL *s) return (0); } - s->internal->type = 0; - - s->version = s->method->internal->version; + s->version = s->method->version; s->client_version = s->version; s->internal->rwstate = SSL_NOTHING; s->internal->rstate = SSL_ST_READ_HEADER; @@ -208,12 +207,12 @@ SSL_clear(SSL *s) */ if (!s->internal->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { - s->method->internal->ssl_free(s); + s->method->ssl_free(s); s->method = s->ctx->method; - if (!s->method->internal->ssl_new(s)) + if (!s->method->ssl_new(s)) return (0); } else - s->method->internal->ssl_clear(s); + s->method->ssl_clear(s); return (1); } @@ -254,8 +253,13 @@ SSL_new(SSL_CTX *ctx) if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) goto err; - s->internal->min_version = ctx->internal->min_version; - s->internal->max_version = ctx->internal->max_version; + if ((s->internal->rl = tls12_record_layer_new()) == NULL) + goto err; + + s->internal->min_tls_version = ctx->internal->min_tls_version; + s->internal->max_tls_version = ctx->internal->max_tls_version; + s->internal->min_proto_version = ctx->internal->min_proto_version; + s->internal->max_proto_version = ctx->internal->max_proto_version; s->internal->options = ctx->internal->options; s->internal->mode = ctx->internal->mode; @@ -338,14 +342,11 @@ SSL_new(SSL_CTX *ctx) s->method = ctx->method; - if (!s->method->internal->ssl_new(s)) - goto err; - - if ((s->internal->rl = tls12_record_layer_new()) == NULL) + if (!s->method->ssl_new(s)) goto err; s->references = 1; - s->server = (ctx->method->internal->ssl_accept == ssl_undefined_function) ? 0 : 1; + s->server = ctx->method->server; SSL_clear(s); @@ -460,7 +461,7 @@ SSL_set1_host(SSL *s, const char *hostname) { struct in_addr ina; struct in6_addr in6a; - + if (hostname != NULL && *hostname != '\0' && (inet_pton(AF_INET, hostname, &ina) == 1 || inet_pton(AF_INET6, hostname, &in6a) == 1)) @@ -469,6 +470,12 @@ SSL_set1_host(SSL *s, const char *hostname) return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); } +void +SSL_set_hostflags(SSL *s, unsigned int flags) +{ + X509_VERIFY_PARAM_set_hostflags(s->param, flags); +} + const char * SSL_get0_peername(SSL *s) { @@ -559,7 +566,7 @@ SSL_free(SSL *s) sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free); if (s->method != NULL) - s->method->internal->ssl_free(s); + s->method->ssl_free(s); SSL_CTX_free(s->ctx); @@ -607,6 +614,13 @@ SSL_get_rbio(const SSL *s) return (s->rbio); } +void +SSL_set0_rbio(SSL *s, BIO *rbio) +{ + BIO_free_all(s->rbio); + s->rbio = rbio; +} + BIO * SSL_get_wbio(const SSL *s) { @@ -660,7 +674,7 @@ SSL_set_fd(SSL *s, int fd) BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, bio); ret = 1; -err: + err: return (ret); } @@ -683,7 +697,7 @@ SSL_set_wfd(SSL *s, int fd) } else SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s)); ret = 1; -err: + err: return (ret); } @@ -706,7 +720,7 @@ SSL_set_rfd(SSL *s, int fd) } else SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s)); ret = 1; -err: + err: return (ret); } @@ -717,10 +731,10 @@ SSL_get_finished(const SSL *s, void *buf, size_t count) { size_t ret; - ret = S3I(s)->tmp.finish_md_len; + ret = S3I(s)->hs.finished_len; if (count > ret) count = ret; - memcpy(buf, S3I(s)->tmp.finish_md, count); + memcpy(buf, S3I(s)->hs.finished, count); return (ret); } @@ -730,10 +744,10 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count) { size_t ret; - ret = S3I(s)->tmp.peer_finish_md_len; + ret = S3I(s)->hs.peer_finished_len; if (count > ret) count = ret; - memcpy(buf, S3I(s)->tmp.peer_finish_md, count); + memcpy(buf, S3I(s)->hs.peer_finished, count); return (ret); } @@ -804,7 +818,7 @@ SSL_get_read_ahead(const SSL *s) int SSL_pending(const SSL *s) { - return (s->method->internal->ssl_pending(s)); + return (s->method->ssl_pending(s)); } X509 * @@ -859,9 +873,9 @@ SSL_copy_session_id(SSL *t, const SSL *f) /* What if we are set up for one protocol but want to talk another? */ if (t->method != f->method) { - t->method->internal->ssl_free(t); + t->method->ssl_free(t); t->method = f->method; - if (!t->method->internal->ssl_new(t)) + if (!t->method->ssl_new(t)) return 0; } @@ -926,7 +940,7 @@ SSL_accept(SSL *s) if (s->internal->handshake_func == NULL) SSL_set_accept_state(s); /* Not properly initialized yet */ - return (s->method->internal->ssl_accept(s)); + return (s->method->ssl_accept(s)); } int @@ -935,7 +949,13 @@ SSL_connect(SSL *s) if (s->internal->handshake_func == NULL) SSL_set_connect_state(s); /* Not properly initialized yet */ - return (s->method->internal->ssl_connect(s)); + return (s->method->ssl_connect(s)); +} + +int +SSL_is_dtls(const SSL *s) +{ + return s->method->dtls; } int @@ -1072,7 +1092,7 @@ SSL_shutdown(SSL *s) } if (s != NULL && !SSL_in_init(s)) - return (s->method->internal->ssl_shutdown(s)); + return (s->method->ssl_shutdown(s)); return (1); } @@ -1085,7 +1105,7 @@ SSL_renegotiate(SSL *s) s->internal->new_session = 1; - return (s->method->internal->ssl_renegotiate(s)); + return (s->method->ssl_renegotiate(s)); } int @@ -1096,7 +1116,7 @@ SSL_renegotiate_abbreviated(SSL *s) s->internal->new_session = 0; - return (s->method->internal->ssl_renegotiate(s)); + return (s->method->ssl_renegotiate(s)); } int @@ -1145,7 +1165,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) if (larg < (long)dtls1_min_mtu()) return (0); #endif - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { D1I(s)->mtu = larg; return (larg); } @@ -1160,7 +1180,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return (S3I(s)->send_connection_binding); else return (0); default: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return dtls1_ctrl(s, cmd, larg, parg); return ssl3_ctrl(s, cmd, larg, parg); } @@ -1171,9 +1191,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - s->internal->msg_callback = (void (*)(int write_p, int version, - int content_type, const void *buf, size_t len, - SSL *ssl, void *arg))(fp); + s->internal->msg_callback = (ssl_msg_callback_fn *)(fp); return (1); default: @@ -1271,9 +1289,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - ctx->internal->msg_callback = (void (*)(int write_p, int version, - int content_type, const void *buf, size_t len, SSL *ssl, - void *arg))(fp); + ctx->internal->msg_callback = (ssl_msg_callback_fn *)fp; return (1); default: @@ -1322,7 +1338,7 @@ SSL_get1_supported_ciphers(SSL *s) if (s == NULL) return NULL; - if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) return NULL; if ((ciphers = SSL_get_ciphers(s)) == NULL) return NULL; @@ -1332,7 +1348,7 @@ SSL_get1_supported_ciphers(SSL *s) for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) goto err; - if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, + if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)) @@ -1356,8 +1372,6 @@ ssl_has_ecc_ciphers(SSL *s) SSL_CIPHER *cipher; int i; - if (s->version == DTLS1_VERSION) - return 0; if ((ciphers = SSL_get_ciphers(s)) == NULL) return 0; @@ -1478,22 +1492,30 @@ SSL_set_ciphersuites(SSL *s, const char *str) char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { - STACK_OF(SSL_CIPHER) *ciphers; + STACK_OF(SSL_CIPHER) *client_ciphers, *server_ciphers; const SSL_CIPHER *cipher; size_t curlen = 0; char *end; int i; - if (s->session == NULL || s->session->ciphers == NULL || len < 2) - return (NULL); + if (!s->server || s->session == NULL || len < 2) + return NULL; - ciphers = s->session->ciphers; - if (sk_SSL_CIPHER_num(ciphers) == 0) - return (NULL); + if ((client_ciphers = s->session->ciphers) == NULL) + return NULL; + if ((server_ciphers = SSL_get_ciphers(s)) == NULL) + return NULL; + if (sk_SSL_CIPHER_num(client_ciphers) == 0 || + sk_SSL_CIPHER_num(server_ciphers) == 0) + return NULL; buf[0] = '\0'; - for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { - cipher = sk_SSL_CIPHER_value(ciphers, i); + for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers); i++) { + cipher = sk_SSL_CIPHER_value(client_ciphers, i); + + if (sk_SSL_CIPHER_find(server_ciphers, cipher) < 0) + continue; + end = buf + curlen; if (strlcat(buf, cipher->name, len) >= len || (curlen = strlcat(buf, ":", len)) >= len) { @@ -1505,7 +1527,7 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len) /* remove trailing colon */ if ((end = strrchr(buf, ':')) != NULL) *end = '\0'; - return (buf); + return buf; } /* @@ -1580,7 +1602,7 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen, result = client; status = OPENSSL_NPN_NO_OVERLAP; -found: + found: *out = (unsigned char *) result + 1; *outlen = result[0]; return (status); @@ -1698,20 +1720,32 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, unsigned int *len) { - *data = NULL; - *len = 0; - *data = ssl->s3->internal->alpn_selected; *len = ssl->s3->internal->alpn_selected_len; } +void +SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) +{ + return; +} + int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context) { - return (tls1_export_keying_material(s, out, olen, - label, llen, p, plen, use_context)); + if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) { + if (!use_context) { + p = NULL; + plen = 0; + } + return tls13_exporter(s->internal->tls13, label, llen, p, plen, + out, olen); + } + + return (tls1_export_keying_material(s, out, olen, label, llen, p, plen, + use_context)); } static unsigned long @@ -1800,8 +1834,10 @@ SSL_CTX_new(const SSL_METHOD *meth) } ret->method = meth; - ret->internal->min_version = meth->internal->min_version; - ret->internal->max_version = meth->internal->max_version; + ret->internal->min_tls_version = meth->min_tls_version; + ret->internal->max_tls_version = meth->max_tls_version; + ret->internal->min_proto_version = 0; + ret->internal->max_proto_version = 0; ret->internal->mode = SSL_MODE_AUTO_RETRY; ret->cert_store = NULL; @@ -1911,9 +1947,9 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT; return (ret); -err: + err: SSLerrorx(ERR_R_MALLOC_FAILURE); -err2: + err2: SSL_CTX_free(ret); return (NULL); } @@ -2080,8 +2116,8 @@ ssl_using_ecc_cipher(SSL *s) { unsigned long alg_a, alg_k; - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_a = S3I(s)->hs.cipher->algorithm_auth; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; return SSI(s)->tlsext_ecpointformatlist != NULL && SSI(s)->tlsext_ecpointformatlist_length > 0 && @@ -2091,7 +2127,7 @@ ssl_using_ecc_cipher(SSL *s) int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { - const SSL_CIPHER *cs = S3I(s)->hs.new_cipher; + const SSL_CIPHER *cs = S3I(s)->hs.cipher; unsigned long alg_a; alg_a = cs->algorithm_auth; @@ -2119,9 +2155,9 @@ ssl_get_server_send_pkey(const SSL *s) int i; c = s->cert; - ssl_set_cert_masks(c, S3I(s)->hs.new_cipher); + ssl_set_cert_masks(c, S3I(s)->hs.cipher); - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; if (alg_a & SSL_aECDSA) { i = SSL_PKEY_ECC; @@ -2180,9 +2216,9 @@ ssl_get_auto_dh(SSL *s) if (s->cert->dh_tmp_auto == 2) { keylen = 1024; - } else if (S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL) { + } else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) { keylen = 1024; - if (S3I(s)->hs.new_cipher->strength_bits == 256) + if (S3I(s)->hs.cipher->strength_bits == 256) keylen = 3072; } else { if ((cpk = ssl_get_server_send_pkey(s)) == NULL) @@ -2219,35 +2255,119 @@ ssl_get_auto_dh(SSL *s) return (dhp); } +static int +ssl_should_update_external_cache(SSL *s, int mode) +{ + int cache_mode; + + cache_mode = s->session_ctx->internal->session_cache_mode; + + /* Don't cache if mode says not to */ + if ((cache_mode & mode) == 0) + return 0; + + /* if it is not already cached, cache it */ + if (!s->internal->hit) + return 1; + + /* If it's TLS 1.3, do it to match OpenSSL */ + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) + return 1; + + return 0; +} + +static int +ssl_should_update_internal_cache(SSL *s, int mode) +{ + int cache_mode; + + cache_mode = s->session_ctx->internal->session_cache_mode; + + /* Don't cache if mode says not to */ + if ((cache_mode & mode) == 0) + return 0; + + /* If it is already cached, don't cache it again */ + if (s->internal->hit) + return 0; + + if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0) + return 0; + + /* If we are lesser than TLS 1.3, Cache it. */ + if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION) + return 1; + + /* Below this we consider TLS 1.3 or later */ + + /* If it's not a server, add it? OpenSSL does this. */ + if (!s->server) + return 1; + + /* XXX if we support early data / PSK need to add */ + + /* + * If we have the remove session callback, we will want + * to know about this even if it's a stateless ticket + * from 1.3 so we can know when it is removed. + */ + if (s->session_ctx->internal->remove_session_cb != NULL) + return 1; + + /* If we have set OP_NO_TICKET, cache it. */ + if ((s->internal->options & SSL_OP_NO_TICKET) != 0) + return 1; + + /* Otherwise do not cache */ + return 0; +} + void ssl_update_cache(SSL *s, int mode) { - int i; + int cache_mode, do_callback; - /* - * If the session_id_length is 0, we are not supposed to cache it, - * and it would be rather hard to do anyway :-) - */ if (s->session->session_id_length == 0) return; - i = s->session_ctx->internal->session_cache_mode; - if ((i & mode) && (!s->internal->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) - || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->internal->new_session_cb != NULL)) { - CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (!s->session_ctx->internal->new_session_cb(s, s->session)) - SSL_SESSION_free(s->session); + cache_mode = s->session_ctx->internal->session_cache_mode; + do_callback = ssl_should_update_external_cache(s, mode); + + if (ssl_should_update_internal_cache(s, mode)) { + /* + * XXX should we fail if the add to the internal cache + * fails? OpenSSL doesn't care.. + */ + (void) SSL_CTX_add_session(s->session_ctx, s->session); } - /* auto flush every 255 connections */ - if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && - ((i & mode) == mode)) { - if ((((mode & SSL_SESS_CACHE_CLIENT) ? - s->session_ctx->internal->stats.sess_connect_good : - s->session_ctx->internal->stats.sess_accept_good) & 0xff) == 0xff) { + /* + * Update the "external cache" by calling the new session + * callback if present, even with TLS 1.3 without early data + * "because some application just want to know about the + * creation of a session and aren't doing a full cache". + * Apparently, if they are doing a full cache, they'll have + * some fun, but we endeavour to give application writers the + * same glorious experience they expect from OpenSSL which + * does it this way. + */ + if (do_callback && s->session_ctx->internal->new_session_cb != NULL) { + CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); + if (!s->session_ctx->internal->new_session_cb(s, s->session)) + SSL_SESSION_free(s->session); + } + + /* Auto flush every 255 connections. */ + if (!(cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) && + (cache_mode & mode) != 0) { + int connections; + if (mode & SSL_SESS_CACHE_CLIENT) + connections = s->session_ctx->internal->stats.sess_connect_good; + else + connections = s->session_ctx->internal->stats.sess_accept_good; + if ((connections & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); - } } } @@ -2266,17 +2386,17 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) if (s->method == method) return (ret); - if (s->internal->handshake_func == s->method->internal->ssl_connect) - handshake_func = method->internal->ssl_connect; - else if (s->internal->handshake_func == s->method->internal->ssl_accept) - handshake_func = method->internal->ssl_accept; + if (s->internal->handshake_func == s->method->ssl_connect) + handshake_func = method->ssl_connect; + else if (s->internal->handshake_func == s->method->ssl_accept) + handshake_func = method->ssl_accept; - if (s->method->internal->version == method->internal->version) { + if (s->method->version == method->version) { s->method = method; } else { - s->method->internal->ssl_free(s); + s->method->ssl_free(s); s->method = method; - ret = s->method->internal->ssl_new(s); + ret = s->method->ssl_new(s); } s->internal->handshake_func = handshake_func; @@ -2356,7 +2476,7 @@ SSL_get_error(const SSL *s, int i) if (i == 0) { if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) && (S3I(s)->warn_alert == SSL_AD_CLOSE_NOTIFY)) - return (SSL_ERROR_ZERO_RETURN); + return (SSL_ERROR_ZERO_RETURN); } return (SSL_ERROR_SYSCALL); } @@ -2371,7 +2491,7 @@ SSL_do_handshake(SSL *s) return (-1); } - s->method->internal->ssl_renegotiate_check(s); + s->method->ssl_renegotiate_check(s); if (SSL_in_init(s) || SSL_in_before(s)) { ret = s->internal->handshake_func(s); @@ -2389,7 +2509,7 @@ SSL_set_accept_state(SSL *s) s->server = 1; s->internal->shutdown = 0; S3I(s)->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE; - s->internal->handshake_func = s->method->internal->ssl_accept; + s->internal->handshake_func = s->method->ssl_accept; ssl_clear_cipher_state(s); } @@ -2399,7 +2519,7 @@ SSL_set_connect_state(SSL *s) s->server = 0; s->internal->shutdown = 0; S3I(s)->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE; - s->internal->handshake_func = s->method->internal->ssl_connect; + s->internal->handshake_func = s->method->ssl_connect; ssl_clear_cipher_state(s); } @@ -2428,8 +2548,6 @@ const char * ssl_version_string(int ver) { switch (ver) { - case DTLS1_VERSION: - return (SSL_TXT_DTLS1); case TLS1_VERSION: return (SSL_TXT_TLSV1); case TLS1_1_VERSION: @@ -2438,6 +2556,10 @@ ssl_version_string(int ver) return (SSL_TXT_TLSV1_2); case TLS1_3_VERSION: return (SSL_TXT_TLSV1_3); + case DTLS1_VERSION: + return (SSL_TXT_DTLS1); + case DTLS1_2_VERSION: + return (SSL_TXT_DTLS1_2); default: return ("unknown"); } @@ -2461,7 +2583,6 @@ SSL_dup(SSL *s) goto err; ret->version = s->version; - ret->internal->type = s->internal->type; ret->method = s->method; if (s->session != NULL) { @@ -2475,9 +2596,9 @@ SSL_dup(SSL *s) * and thus we can't use SSL_copy_session_id. */ - ret->method->internal->ssl_free(ret); + ret->method->ssl_free(ret); ret->method = s->method; - ret->method->internal->ssl_new(ret); + ret->method->ssl_new(ret); ssl_cert_free(ret->cert); if ((ret->cert = ssl_cert_dup(s->cert)) == NULL) @@ -2583,39 +2704,35 @@ ssl_clear_cipher_state(SSL *s) void ssl_clear_cipher_read_state(SSL *s) { - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - EVP_MD_CTX_free(s->read_hash); - s->read_hash = NULL; - tls12_record_layer_clear_read_state(s->internal->rl); - tls12_record_layer_set_read_seq_num(s->internal->rl, - S3I(s)->read_sequence); - - if (s->internal->aead_read_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_read_ctx->ctx); - free(s->internal->aead_read_ctx); - s->internal->aead_read_ctx = NULL; - } + tls12_record_layer_read_cipher_hash(s->internal->rl, + &s->enc_read_ctx, &s->read_hash); } void ssl_clear_cipher_write_state(SSL *s) { - EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); - s->internal->enc_write_ctx = NULL; - EVP_MD_CTX_free(s->internal->write_hash); - s->internal->write_hash = NULL; - tls12_record_layer_clear_write_state(s->internal->rl); - tls12_record_layer_set_write_seq_num(s->internal->rl, - S3I(s)->write_sequence); +} - if (s->internal->aead_write_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->internal->aead_write_ctx->ctx); - free(s->internal->aead_write_ctx); - s->internal->aead_write_ctx = NULL; - } +void +ssl_info_callback(const SSL *s, int type, int value) +{ + ssl_info_callback_fn *cb; + + if ((cb = s->internal->info_callback) == NULL) + cb = s->ctx->internal->info_callback; + if (cb != NULL) + cb(s, type, value); +} + +void +ssl_msg_callback(SSL *s, int is_write, int content_type, + const void *msg_buf, size_t msg_len) +{ + if (s->internal->msg_callback != NULL) + s->internal->msg_callback(is_write, s->version, content_type, + msg_buf, msg_len, s, s->internal->msg_callback_arg); } /* Fix this function so that it takes an optional type parameter */ @@ -2855,6 +2972,24 @@ SSL_get_verify_result(const SSL *ssl) return (ssl->verify_result); } +int +SSL_verify_client_post_handshake(SSL *ssl) +{ + return 0; +} + +void +SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) +{ + return; +} + +void +SSL_set_post_handshake_auth(SSL *ssl, int val) +{ + return; +} + int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) @@ -2923,6 +3058,15 @@ SSL_CTX_get0_certificate(const SSL_CTX *ctx) return ctx->internal->cert->key->x509; } +EVP_PKEY * +SSL_CTX_get0_privatekey(const SSL_CTX *ctx) +{ + if (ctx->internal->cert == NULL) + return NULL; + + return ctx->internal->cert->key->privatekey; +} + int SSL_want(const SSL *s) { @@ -3003,52 +3147,62 @@ SSL_cache_hit(SSL *s) int SSL_CTX_get_min_proto_version(SSL_CTX *ctx) { - return ctx->internal->min_version; + return ctx->internal->min_proto_version; } int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, - ctx->internal->max_version, &ctx->internal->min_version); + ctx->internal->max_tls_version, &ctx->internal->min_tls_version, + &ctx->internal->min_proto_version); } int SSL_CTX_get_max_proto_version(SSL_CTX *ctx) { - return ctx->internal->max_version; + return ctx->internal->max_proto_version; } int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, - ctx->internal->min_version, &ctx->internal->max_version); + ctx->internal->min_tls_version, &ctx->internal->max_tls_version, + &ctx->internal->max_proto_version); } int SSL_get_min_proto_version(SSL *ssl) { - return ssl->internal->min_version; + return ssl->internal->min_proto_version; } int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, - ssl->internal->max_version, &ssl->internal->min_version); + ssl->internal->max_tls_version, &ssl->internal->min_tls_version, + &ssl->internal->min_proto_version); } int SSL_get_max_proto_version(SSL *ssl) { - return ssl->internal->max_version; + return ssl->internal->max_proto_version; } int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_max(ssl->method, version, - ssl->internal->min_version, &ssl->internal->max_version); + ssl->internal->min_tls_version, &ssl->internal->max_tls_version, + &ssl->internal->max_proto_version); +} + +const SSL_METHOD * +SSL_CTX_get_ssl_method(const SSL_CTX *ctx) +{ + return ctx->method; } static int diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 9a9ef59..7ff3e07 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.295 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.358 2021/08/30 19:25:43 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -152,6 +152,7 @@ #include #include + #include #include #include @@ -161,7 +162,6 @@ #include #include "bytestring.h" -#include "ssl_sigalgs.h" #include "tls13_internal.h" __BEGIN_HIDDEN_DECLS @@ -169,6 +169,10 @@ __BEGIN_HIDDEN_DECLS #define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ __attribute__((__unused__)) +#ifndef LIBRESSL_HAS_DTLS1_2 +#define LIBRESSL_HAS_DTLS1_2 +#endif + #ifndef LIBRESSL_HAS_TLS1_3_CLIENT #define LIBRESSL_HAS_TLS1_3_CLIENT #endif @@ -313,25 +317,21 @@ __BEGIN_HIDDEN_DECLS */ #define SSL_C_PKEYLENGTH(c) 1024 -/* Check if an SSL structure is using DTLS. */ -#define SSL_IS_DTLS(s) \ - (s->method->internal->version == DTLS1_VERSION) - -/* See if we need explicit IV. */ -#define SSL_USE_EXPLICIT_IV(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) - /* See if we use signature algorithms extension. */ #define SSL_USE_SIGALGS(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) + (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS) + +/* See if we use SHA256 default PRF. */ +#define SSL_USE_SHA256_PRF(s) \ + (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF) /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_USE_TLS1_2_CIPHERS(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) + (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) /* Allow TLS 1.3 ciphersuites only. */ #define SSL_USE_TLS1_3_CIPHERS(s) \ - (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) + (s->method->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) #define SSL_PKEY_RSA 0 #define SSL_PKEY_ECC 1 @@ -361,11 +361,30 @@ __BEGIN_HIDDEN_DECLS #define EXPLICIT_CHAR2_CURVE_TYPE 2 #define NAMED_CURVE_TYPE 3 -typedef struct ssl_method_internal_st { +struct ssl_cipher_st { + int valid; + const char *name; /* text name */ + unsigned long id; /* id, 4 bytes, first is version */ + + unsigned long algorithm_mkey; /* key exchange algorithm */ + unsigned long algorithm_auth; /* server authentication */ + unsigned long algorithm_enc; /* symmetric encryption */ + unsigned long algorithm_mac; /* symmetric authentication */ + unsigned long algorithm_ssl; /* (major) protocol version */ + + unsigned long algo_strength; /* strength and export flags */ + unsigned long algorithm2; /* Extra flags */ + int strength_bits; /* Number of bits really used */ + int alg_bits; /* Number of bits for algorithm */ +}; + +struct ssl_method_st { + int dtls; + int server; int version; - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; int (*ssl_new)(SSL *s); void (*ssl_clear)(SSL *s); @@ -383,8 +402,10 @@ typedef struct ssl_method_internal_st { int peek); int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); - struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ -} SSL_METHOD_INTERNAL; + const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); + + unsigned int enc_flags; /* SSL_ENC_FLAG_* */ +}; typedef struct ssl_session_internal_st { CRYPTO_EX_DATA ex_data; /* application specific data */ @@ -408,27 +429,74 @@ typedef struct ssl_session_internal_st { } SSL_SESSION_INTERNAL; #define SSI(s) (s->session->internal) -typedef struct ssl_handshake_st { - /* state contains one of the SSL3_ST_* values. */ - int state; +/* Lets make this into an ASN.1 type structure as follows + * SSL_SESSION_ID ::= SEQUENCE { + * version INTEGER, -- structure version number + * SSLversion INTEGER, -- SSL version number + * Cipher OCTET STRING, -- the 3 byte cipher ID + * Session_ID OCTET STRING, -- the Session ID + * Master_key OCTET STRING, -- the master key + * KRB5_principal OCTET STRING -- optional Kerberos principal + * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time + * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds + * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate + * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context + * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' + * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension + * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint + * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity + * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket + * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) + * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method + * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username + * } + * Look in ssl/ssl_asn1.c for more details + * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). + */ +struct ssl_session_st { + int ssl_version; /* what ssl version session info is + * being kept in here? */ - /* used when SSL_ST_FLUSH_DATA is entered */ - int next_state; + int master_key_length; + unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; - /* new_cipher is the cipher being negotiated in this handshake. */ - const SSL_CIPHER *new_cipher; + /* session_id - valid? */ + unsigned int session_id_length; + unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; - /* key_block is the record-layer key block for TLS 1.2 and earlier. */ - int key_block_len; - unsigned char *key_block; + /* this is used to determine whether the session is being reused in + * the appropriate context. It is up to the application to set this, + * via SSL_new */ + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - /* Extensions seen in this handshake. */ - uint32_t extensions_seen; + /* This is the cert for the other end. */ + X509 *peer; - /* sigalgs offered in this handshake in wire form */ - size_t sigalgs_len; - uint8_t *sigalgs; -} SSL_HANDSHAKE; + /* when app_verify_callback accepts a session where the peer's certificate + * is not ok, we must remember the error for session reuse: */ + long verify_result; /* only for servers */ + + long timeout; + time_t time; + int references; + + const SSL_CIPHER *cipher; + unsigned long cipher_id; /* when ASN.1 loaded, this + * needs to be used to load + * the 'cipher' structure */ + + STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + + char *tlsext_hostname; + + /* RFC4507 info */ + unsigned char *tlsext_tick; /* Session ticket */ + size_t tlsext_ticklen; /* Session ticket length */ + long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ + + struct ssl_session_internal_st *internal; +}; typedef struct cert_pkey_st { X509 *x509; @@ -436,17 +504,36 @@ typedef struct cert_pkey_st { STACK_OF(X509) *chain; } CERT_PKEY; -typedef struct ssl_handshake_tls13_st { - uint16_t min_version; - uint16_t max_version; - uint16_t version; +struct ssl_sigalg; +typedef struct ssl_handshake_tls12_st { + /* Used when SSL_ST_FLUSH_DATA is entered. */ + int next_state; + + /* Handshake message type and size. */ + int message_type; + unsigned long message_size; + + /* Reuse current handshake message. */ + int reuse_message; + + /* Client certificate requests. */ + int cert_request; + STACK_OF(X509_NAME) *ca_names; + + /* Record-layer key block for TLS 1.2 and earlier. */ + struct tls12_key_block *key_block; + + /* Transcript hash prior to sending certificate verify message. */ + uint8_t cert_verify[EVP_MAX_MD_SIZE]; +} SSL_HANDSHAKE_TLS12; + +typedef struct ssl_handshake_tls13_st { int use_legacy; int hrr; - /* Certificate and sigalg selected for use (static pointers). */ + /* Certificate selected for use (static pointer). */ const CERT_PKEY *cpk; - const struct ssl_sigalg *sigalg; /* Version proposed by peer server. */ uint16_t server_version; @@ -470,40 +557,125 @@ typedef struct ssl_handshake_tls13_st { EVP_MD_CTX *clienthello_md_ctx; unsigned char *clienthello_hash; unsigned int clienthello_hash_len; - } SSL_HANDSHAKE_TLS13; +typedef struct ssl_handshake_st { + /* + * Minimum and maximum versions supported for this handshake. These are + * initialised at the start of a handshake based on the method in use + * and the current protocol version configuration. + */ + uint16_t our_min_tls_version; + uint16_t our_max_tls_version; + + /* + * Version negotiated for this session. For a client this is set once + * the server selected version is parsed from the ServerHello (either + * from the legacy version or supported versions extension). For a + * server this is set once we select the version we will use with the + * client. + */ + uint16_t negotiated_tls_version; + + /* + * Current handshake state - contains one of the SSL3_ST_* values and + * is used by the TLSv1.2 state machine, as well as being updated by + * the TLSv1.3 stack due to it being exposed externally. + */ + int state; + + /* Cipher being negotiated in this handshake. */ + const SSL_CIPHER *cipher; + + /* Extensions seen in this handshake. */ + uint32_t extensions_seen; + + /* Signature algorithms selected for use (static pointers). */ + const struct ssl_sigalg *our_sigalg; + const struct ssl_sigalg *peer_sigalg; + + /* sigalgs offered in this handshake in wire form */ + uint8_t *sigalgs; + size_t sigalgs_len; + + /* + * Copies of the verify data sent in our finished message and the + * verify data received in the finished message sent by our peer. + */ + uint8_t finished[EVP_MAX_MD_SIZE]; + size_t finished_len; + uint8_t peer_finished[EVP_MAX_MD_SIZE]; + size_t peer_finished_len; + + SSL_HANDSHAKE_TLS12 tls12; + SSL_HANDSHAKE_TLS13 tls13; +} SSL_HANDSHAKE; + +struct tls12_key_block; + +struct tls12_key_block *tls12_key_block_new(void); +void tls12_key_block_free(struct tls12_key_block *kb); +void tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key, + CBS *key, CBS *iv); +void tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key, + CBS *key, CBS *iv); +int tls12_key_block_generate(struct tls12_key_block *kb, SSL *s, + const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash); + struct tls12_record_layer; struct tls12_record_layer *tls12_record_layer_new(void); void tls12_record_layer_free(struct tls12_record_layer *rl); +void tls12_record_layer_alert(struct tls12_record_layer *rl, + uint8_t *alert_desc); +int tls12_record_layer_write_overhead(struct tls12_record_layer *rl, + size_t *overhead); +int tls12_record_layer_read_protected(struct tls12_record_layer *rl); +int tls12_record_layer_write_protected(struct tls12_record_layer *rl); +void tls12_record_layer_set_aead(struct tls12_record_layer *rl, + const EVP_AEAD *aead); +void tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, + const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, + const EVP_MD *mac_hash); void tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version); -void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, +void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, uint16_t epoch); -void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, +uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer *rl); +uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl); +int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, + uint16_t epoch); +void tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch); void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl); -void tls12_record_layer_set_read_seq_num(struct tls12_record_layer *rl, - uint8_t *seq_num); -void tls12_record_layer_set_write_seq_num(struct tls12_record_layer *rl, - uint8_t *seq_num); -int tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx); -int tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx); -int tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, - EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); -int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, - EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); +void tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl); +void tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash); +int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, + CBS *mac_key, CBS *key, CBS *iv); +int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, + CBS *mac_key, CBS *key, CBS *iv); +int tls12_record_layer_open_record(struct tls12_record_layer *rl, + uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); int tls12_record_layer_seal_record(struct tls12_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out); +typedef void (ssl_info_callback_fn)(const SSL *s, int type, int val); +typedef void (ssl_msg_callback_fn)(int is_write, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg); + typedef struct ssl_ctx_internal_st { - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; + + /* + * These may be zero to imply minimum or maximum version supported by + * the method. + */ + uint16_t min_proto_version; + uint16_t max_proto_version; unsigned long options; unsigned long mode; @@ -536,11 +708,10 @@ typedef struct ssl_ctx_internal_st { int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len); - void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ + ssl_info_callback_fn *info_callback; /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); + ssl_msg_callback_fn *msg_callback; void *msg_callback_arg; int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ @@ -664,8 +835,15 @@ typedef struct ssl_ctx_internal_st { typedef struct ssl_internal_st { struct tls13_ctx *tls13; - uint16_t min_version; - uint16_t max_version; + uint16_t min_tls_version; + uint16_t max_tls_version; + + /* + * These may be zero to imply minimum or maximum version supported by + * the method. + */ + uint16_t min_proto_version; + uint16_t max_proto_version; unsigned long options; /* protocol behaviour */ unsigned long mode; /* API behaviour */ @@ -679,17 +857,17 @@ typedef struct ssl_internal_st { /* true when we are actually in SSL_accept() or SSL_connect() */ int in_handshake; int (*handshake_func)(SSL *); - /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - /* Default generate session ID callback. */ - GEN_SESSION_CB generate_session_id; + ssl_info_callback_fn *info_callback; + + /* callback that allows applications to peek at protocol messages */ + ssl_msg_callback_fn *msg_callback; + void *msg_callback_arg; int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ - void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ + /* Default generate session ID callback. */ + GEN_SESSION_CB generate_session_id; /* TLS extension debug callback */ void (*tlsext_debug_cb)(SSL *s, int client_server, int type, @@ -706,8 +884,6 @@ typedef struct ssl_internal_st { /* XXX non-callback */ - int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ - /* This holds a variable that indicates what we were doing * when a 0 or -1 is returned. This is needed for * non-blocking IO so we know what request needs re-doing when @@ -745,21 +921,6 @@ typedef struct ssl_internal_st { STACK_OF(SSL_CIPHER) *cipher_list_tls13; - /* These are the ones being used, the ones in SSL_SESSION are - * the ones to be 'copied' into these ones */ - int mac_flags; - - SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then - enc_read_ctx and read_hash are - ignored. */ - - SSL_AEAD_CTX *aead_write_ctx; /* AEAD context. If non-NULL, then - enc_write_ctx and write_hash are - ignored. */ - - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD_CTX *write_hash; /* used for mac generation */ - struct tls12_record_layer *rl; /* session info */ @@ -799,7 +960,7 @@ typedef struct ssl_internal_st { TLS_SESSION_TICKET_EXT *tlsext_session_ticket; STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ - SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ + const SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ int renegotiate;/* 1 if we are renegotiating. * 2 if we are a server and are inside a handshake @@ -819,7 +980,7 @@ typedef struct ssl3_record_internal_st { unsigned int off; /* read/write offset into 'buf' */ unsigned char *data; /* pointer to the record data */ unsigned char *input; /* where the decode bytes are */ - unsigned long epoch; /* epoch number, needed by DTLS1 */ + uint16_t epoch; /* epoch number, needed by DTLS1 */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ } SSL3_RECORD_INTERNAL; @@ -832,13 +993,6 @@ typedef struct ssl3_buffer_internal_st { } SSL3_BUFFER_INTERNAL; typedef struct ssl3_state_internal_st { - unsigned char read_sequence[SSL3_SEQUENCE_SIZE]; - int read_mac_secret_size; - unsigned char read_mac_secret[EVP_MAX_MD_SIZE]; - unsigned char write_sequence[SSL3_SEQUENCE_SIZE]; - int write_mac_secret_size; - unsigned char write_mac_secret[EVP_MAX_MD_SIZE]; - SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ @@ -889,43 +1043,14 @@ typedef struct ssl3_state_internal_st { int in_read_app_data; SSL_HANDSHAKE hs; - SSL_HANDSHAKE_TLS13 hs_tls13; struct { - int new_mac_secret_size; - - /* actually only needs to be 16+20 */ - unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; - - /* actually only need to be 16+20 for SSLv3 and 12 for TLS */ - unsigned char finish_md[EVP_MAX_MD_SIZE*2]; - int finish_md_len; - unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2]; - int peer_finish_md_len; - - unsigned long message_size; - int message_type; - DH *dh; EC_KEY *ecdh; /* holds short lived ECDH key */ int ecdh_nid; uint8_t *x25519; - - int reuse_message; - - /* used for certificate requests */ - int cert_req; - int ctype_num; - char ctype[SSL3_CT_NUMBER]; - STACK_OF(X509_NAME) *ca_names; - - const EVP_CIPHER *new_sym_enc; - const EVP_AEAD *new_aead; - const EVP_MD *new_hash; - int new_mac_pkey_type; - int cert_request; } tmp; /* Connection binding to prevent renegotiation attacks */ @@ -951,77 +1076,14 @@ typedef struct ssl3_state_internal_st { } SSL3_STATE_INTERNAL; #define S3I(s) (s->s3->internal) -typedef struct dtls1_record_data_internal_st { - unsigned char *packet; - unsigned int packet_length; - SSL3_BUFFER_INTERNAL rbuf; - SSL3_RECORD_INTERNAL rrec; -} DTLS1_RECORD_DATA_INTERNAL; +typedef struct ssl3_state_st { + long flags; -typedef struct dtls1_state_internal_st { - unsigned int send_cookie; - unsigned char cookie[DTLS1_COOKIE_LENGTH]; - unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH]; - unsigned int cookie_len; + unsigned char server_random[SSL3_RANDOM_SIZE]; + unsigned char client_random[SSL3_RANDOM_SIZE]; - /* - * The current data and handshake epoch. This is initially - * undefined, and starts at zero once the initial handshake is - * completed - */ - unsigned short r_epoch; - unsigned short w_epoch; - - /* records being received in the current epoch */ - DTLS1_BITMAP bitmap; - - /* renegotiation starts a new set of sequence numbers */ - DTLS1_BITMAP next_bitmap; - - /* handshake message numbers */ - unsigned short handshake_write_seq; - unsigned short next_handshake_write_seq; - - unsigned short handshake_read_seq; - - /* save last sequence number for retransmissions */ - unsigned char last_write_sequence[SSL3_SEQUENCE_SIZE]; - - /* Received handshake records (processed and unprocessed) */ - record_pqueue unprocessed_rcds; - record_pqueue processed_rcds; - - /* Buffered handshake messages */ - struct _pqueue *buffered_messages; - - /* Buffered application records. - * Only for records between CCS and Finished - * to prevent either protocol violation or - * unnecessary message loss. - */ - record_pqueue buffered_app_data; - - /* Is set when listening for new connections with dtls1_listen() */ - unsigned int listen; - - unsigned int mtu; /* max DTLS packet size */ - - struct hm_header_st w_msg_hdr; - struct hm_header_st r_msg_hdr; - - struct dtls1_timeout_st timeout; - - /* storage for Alert/Handshake protocol data received but not - * yet processed by ssl3_read_bytes: */ - unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH]; - unsigned int alert_fragment_len; - unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH]; - unsigned int handshake_fragment_len; - - unsigned int retransmitting; - unsigned int change_cipher_spec_ok; -} DTLS1_STATE_INTERNAL; -#define D1I(s) (s->d1->internal) + struct ssl3_state_internal_st *internal; +} SSL3_STATE; typedef struct cert_st { /* Current active set */ @@ -1067,17 +1129,10 @@ typedef struct sess_cert_st { /*#define SSL_DEBUG */ /*#define RSA_DEBUG */ -typedef struct ssl3_enc_method { - unsigned int enc_flags; -} SSL3_ENC_METHOD; - /* * Flag values for enc_flags. */ -/* Uses explicit IV. */ -#define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) - /* Uses signature algorithms extension. */ #define SSL_ENC_FLAG_SIGALGS (1 << 1) @@ -1090,61 +1145,45 @@ typedef struct ssl3_enc_method { /* Allow TLS 1.3 ciphersuites only. */ #define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5) -/* - * ssl_aead_ctx_st contains information about an AEAD that is being used to - * encrypt an SSL connection. - */ -struct ssl_aead_ctx_st { - EVP_AEAD_CTX ctx; - /* - * fixed_nonce contains any bytes of the nonce that are fixed for all - * records. - */ - unsigned char fixed_nonce[12]; - unsigned char fixed_nonce_len; - unsigned char variable_nonce_len; - unsigned char xor_fixed_nonce; - unsigned char tag_len; - /* - * variable_nonce_in_record is non-zero if the variable nonce - * for a record is included as a prefix before the ciphertext. - */ - char variable_nonce_in_record; -}; +#define TLSV1_ENC_FLAGS 0 +#define TLSV1_1_ENC_FLAGS 0 +#define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ + SSL_ENC_FLAG_SHA256_PRF | \ + SSL_ENC_FLAG_TLS1_2_CIPHERS) +#define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ + SSL_ENC_FLAG_TLS1_3_CIPHERS) -extern SSL_CIPHER ssl3_ciphers[]; +extern const SSL_CIPHER ssl3_ciphers[]; const char *ssl_version_string(int ver); -int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); -int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver); +int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver); +int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); +uint16_t ssl_tls_version(uint16_t version); +uint16_t ssl_effective_tls_version(SSL *s); +int ssl_max_supported_version(SSL *s, uint16_t *max_ver); int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver); -int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, - uint16_t *out_ver); -int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, - uint16_t *out_ver); -int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); +int ssl_check_version_from_server(SSL *s, uint16_t server_version); +int ssl_legacy_stack_version(SSL *s, uint16_t version); int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher); -int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, +int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, uint16_t max_ver); const SSL_METHOD *tls_legacy_method(void); -const SSL_METHOD *tls_legacy_client_method(void); -const SSL_METHOD *tls_legacy_server_method(void); - -const SSL_METHOD *ssl_get_client_method(uint16_t version); -const SSL_METHOD *ssl_get_server_method(uint16_t version); - -extern SSL3_ENC_METHOD DTLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_1_enc_data; -extern SSL3_ENC_METHOD TLSv1_2_enc_data; -extern SSL3_ENC_METHOD TLSv1_3_enc_data; +const SSL_METHOD *ssl_get_method(uint16_t version); void ssl_clear_cipher_state(SSL *s); void ssl_clear_cipher_read_state(SSL *s); void ssl_clear_cipher_write_state(SSL *s); int ssl_clear_bad_session(SSL *s); +void ssl_info_callback(const SSL *s, int type, int value); +void ssl_msg_callback(SSL *s, int is_write, int content_type, + const void *msg_buf, size_t msg_len); + CERT *ssl_cert_new(void); CERT *ssl_cert_dup(CERT *cert); void ssl_cert_free(CERT *c); @@ -1193,7 +1232,6 @@ int ssl_verify_alarm_type(long type); int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); -int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); int ssl3_send_server_certificate(SSL *s); int ssl3_send_newsession_ticket(SSL *s); int ssl3_send_cert_status(SSL *s); @@ -1203,7 +1241,7 @@ int ssl3_do_write(SSL *s, int type); int ssl3_send_alert(SSL *s, int level, int desc); int ssl3_get_req_cert_types(SSL *s, CBB *cbb); long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); -int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen); +int ssl3_send_finished(SSL *s, int state_a, int state_b); int ssl3_num_ciphers(void); const SSL_CIPHER *ssl3_get_cipher(unsigned int u); const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id); @@ -1249,51 +1287,17 @@ int ssl3_handshake_msg_finish(SSL *s, CBB *handshake); int ssl3_handshake_write(SSL *s); int ssl3_record_write(SSL *s, int type); -void tls1_record_sequence_increment(unsigned char *seq); int ssl3_do_change_cipher_spec(SSL *ssl); -int dtls1_do_write(SSL *s, int type); int ssl3_packet_read(SSL *s, int plen); int ssl3_packet_extend(SSL *s, int plen); int ssl_server_legacy_first_packet(SSL *s); -int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len); -void dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len, - unsigned long frag_off, unsigned long frag_len); -void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, unsigned short seq_num, unsigned long frag_off, - unsigned long frag_len); - -int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); -int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); - -int dtls1_read_failed(SSL *s, int code); -int dtls1_buffer_message(SSL *s, int ccs); -int dtls1_retransmit_message(SSL *s, unsigned short seq, - unsigned long frag_off, int *found); -int dtls1_get_queue_priority(unsigned short seq, int is_ccs); -int dtls1_retransmit_buffered_messages(SSL *s); -void dtls1_clear_record_buffer(SSL *s); -int dtls1_get_message_header(unsigned char *data, - struct hm_header_st *msg_hdr); -void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); -void dtls1_reset_seq_numbers(SSL *s, int rw); -void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch); -struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); -int dtls1_check_timeout_num(SSL *s); -int dtls1_handle_timeout(SSL *s); -const SSL_CIPHER *dtls1_get_cipher(unsigned int u); -void dtls1_start_timer(SSL *s); -void dtls1_stop_timer(SSL *s); -int dtls1_is_timer_expired(SSL *s); -void dtls1_double_timeout(SSL *s); -unsigned int dtls1_min_mtu(void); /* some client-only functions */ -int dtls1_get_hello_verify(SSL *s); int ssl3_send_client_hello(SSL *s); +int ssl3_get_dtls_hello_verify(SSL *s); int ssl3_get_server_hello(SSL *s); int ssl3_get_certificate_request(SSL *s); int ssl3_get_new_session_ticket(SSL *s); @@ -1309,8 +1313,8 @@ int ssl3_check_cert_and_algorithm(SSL *s); int ssl3_check_finished(SSL *s); /* some server-only functions */ -int dtls1_send_hello_verify_request(SSL *s); int ssl3_get_client_hello(SSL *s); +int ssl3_send_dtls_hello_verify_request(SSL *s); int ssl3_send_server_hello(SSL *s); int ssl3_send_hello_request(SSL *s); int ssl3_send_server_key_exchange(SSL *s); @@ -1331,15 +1335,6 @@ int tls1_new(SSL *s); void tls1_free(SSL *s); void tls1_clear(SSL *s); -int dtls1_new(SSL *s); -void dtls1_free(SSL *s); -void dtls1_clear(SSL *s); -long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); - -long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); -int dtls1_get_record(SSL *s); -int dtls1_dispatch_alert(SSL *s); - int ssl_init_wbio_buffer(SSL *s, int push); void ssl_free_wbio_buffer(SSL *s); @@ -1358,20 +1353,26 @@ void tls1_transcript_freeze(SSL *s); void tls1_transcript_unfreeze(SSL *s); int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len); +int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, + const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, + const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, + const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len); + void tls1_cleanup_key_block(SSL *s); -int tls1_change_cipher_state(SSL *s, int which); +int tls1_change_read_cipher_state(SSL *s); +int tls1_change_write_cipher_state(SSL *s); int tls1_setup_key_block(SSL *s); -int tls1_enc(SSL *s, int snd); -int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p); -int tls1_mac(SSL *ssl, unsigned char *md, int snd); -int tls1_generate_master_secret(SSL *s, unsigned char *out, - unsigned char *p, int len); +int tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len); int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context); -int tls1_alert_code(int code); int ssl_ok(SSL *s); +int tls12_derive_finished(SSL *s); +int tls12_derive_peer_finished(SSL *s); +int tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret, + size_t premaster_secret_len); + int ssl_using_ecc_cipher(SSL *s); int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); @@ -1390,8 +1391,6 @@ uint16_t tls1_ec_nid2curve_id(const int nid); int tls1_check_curve(SSL *s, const uint16_t group_id); int tls1_get_shared_curve(SSL *s); -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, - size_t n, int *al); int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); @@ -1404,15 +1403,13 @@ int ssl_check_serverhello_tlsext(SSL *s); int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret); -long ssl_get_algorithm2(SSL *s); - int tls1_check_ec_server_key(SSL *s); /* s3_cbc.c */ void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec, unsigned int md_size, unsigned int orig_len); -int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD_INTERNAL *rec, - unsigned int block_size, unsigned int mac_size); +int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len, + unsigned int mac_size); char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, const unsigned char header[13], @@ -1427,10 +1424,10 @@ void SSL_error_internal(const SSL *s, int r, char *f, int l); #ifndef OPENSSL_NO_SRTP -int srtp_find_profile_by_name(char *profile_name, - SRTP_PROTECTION_PROFILE **pptr, unsigned int len); +int srtp_find_profile_by_name(const char *profile_name, + const SRTP_PROTECTION_PROFILE **pptr, unsigned int len); int srtp_find_profile_by_num(unsigned int profile_num, - SRTP_PROTECTION_PROFILE **pptr); + const SRTP_PROTECTION_PROFILE **pptr); #endif /* OPENSSL_NO_SRTP */ diff --git a/ssl/ssl_methods.c b/ssl/ssl_methods.c index ff8d17a..d8ffbb7 100644 --- a/ssl/ssl_methods.c +++ b/ssl/ssl_methods.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_methods.c,v 1.16 2020/09/17 15:23:29 jsing Exp $ */ +/* $OpenBSD: ssl_methods.c,v 1.28 2021/07/26 03:17:38 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,13 +56,37 @@ * [including the GNU Public Licence.] */ +#include "dtls_locl.h" #include "ssl_locl.h" #include "tls13_internal.h" -static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, +static const SSL_METHOD DTLS_method_data = { + .dtls = 1, + .server = 1, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .get_cipher = dtls1_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; + +static const SSL_METHOD DTLS_client_method_data = { + .dtls = 1, + .server = 0, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = dtls1_new, .ssl_clear = dtls1_clear, .ssl_free = dtls1_free, @@ -74,16 +98,92 @@ static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { .ssl_pending = ssl3_pending, .ssl_read_bytes = dtls1_read_bytes, .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, + .get_cipher = dtls1_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; + +static const SSL_METHOD DTLSv1_method_data = { + .dtls = 1, + .server = 1, + .version = DTLS1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .get_cipher = dtls1_get_cipher, + .enc_flags = TLSV1_1_ENC_FLAGS, }; static const SSL_METHOD DTLSv1_client_method_data = { - .ssl_dispatch_alert = dtls1_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, + .dtls = 1, + .server = 0, + .version = DTLS1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, .get_cipher = dtls1_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_client_method_internal_data, + .enc_flags = TLSV1_1_ENC_FLAGS, +}; + +static const SSL_METHOD DTLSv1_2_method_data = { + .dtls = 1, + .server = 1, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .get_cipher = dtls1_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; + +static const SSL_METHOD DTLSv1_2_client_method_data = { + .dtls = 1, + .server = 0, + .version = DTLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .get_cipher = dtls1_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, }; const SSL_METHOD * @@ -92,272 +192,61 @@ DTLSv1_client_method(void) return &DTLSv1_client_method_data; } -const SSL_METHOD * -DTLS_client_method(void) -{ - return DTLSv1_client_method(); -} - -static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, -}; - -static const SSL_METHOD DTLSv1_method_data = { - .ssl_dispatch_alert = dtls1_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_method_internal_data, -}; - const SSL_METHOD * DTLSv1_method(void) { return &DTLSv1_method_data; } -const SSL_METHOD * -DTLS_method(void) -{ - return DTLSv1_method(); -} - -static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, -}; - -static const SSL_METHOD DTLSv1_server_method_data = { - .ssl_dispatch_alert = dtls1_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_server_method_internal_data, -}; - const SSL_METHOD * DTLSv1_server_method(void) { - return &DTLSv1_server_method_data; + return &DTLSv1_method_data; +} + +const SSL_METHOD * +DTLSv1_2_client_method(void) +{ + return &DTLSv1_2_client_method_data; +} + +const SSL_METHOD * +DTLSv1_2_method(void) +{ + return &DTLSv1_2_method_data; +} + +const SSL_METHOD * +DTLSv1_2_server_method(void) +{ + return &DTLSv1_2_method_data; +} + +const SSL_METHOD * +DTLS_client_method(void) +{ + return &DTLS_client_method_data; +} + +const SSL_METHOD * +DTLS_method(void) +{ + return &DTLS_method_data; } const SSL_METHOD * DTLS_server_method(void) { - return DTLSv1_server_method(); -} - -#ifdef LIBRESSL_HAS_TLS1_3_CLIENT -static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { - .version = TLS1_3_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_3_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = tls13_legacy_connect, - .ssl_shutdown = tls13_legacy_shutdown, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_pending = tls13_legacy_pending, - .ssl_read_bytes = tls13_legacy_read_bytes, - .ssl_write_bytes = tls13_legacy_write_bytes, - .ssl3_enc = &TLSv1_3_enc_data, -}; - -static const SSL_METHOD TLS_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_client_method_internal_data, -}; -#endif - -static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_legacy_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_legacy_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, -}; - -static const SSL_METHOD TLSv1_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; - -static const SSL_METHOD TLSv1_1_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLSv1_2_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_client_method_internal_data, -}; - -const SSL_METHOD * -SSLv23_client_method(void) -{ - return (TLS_client_method()); -} - -const SSL_METHOD * -TLS_client_method(void) -{ -#ifdef LIBRESSL_HAS_TLS1_3_CLIENT - return (&TLS_client_method_data); -#else - return tls_legacy_client_method(); -#endif -} - -const SSL_METHOD * -tls_legacy_client_method(void) -{ - return (&TLS_legacy_client_method_data); -} - -const SSL_METHOD * -TLSv1_client_method(void) -{ - return (&TLSv1_client_method_data); -} - -const SSL_METHOD * -TLSv1_1_client_method(void) -{ - return (&TLSv1_1_client_method_data); -} - -const SSL_METHOD * -TLSv1_2_client_method(void) -{ - return (&TLSv1_2_client_method_data); + return &DTLS_method_data; } #if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER) -static const SSL_METHOD_INTERNAL TLS_method_internal_data = { +static const SSL_METHOD TLS_method_data = { + .dtls = 0, + .server = 1, .version = TLS1_3_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_3_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_3_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, @@ -369,23 +258,17 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = { .ssl_pending = tls13_legacy_pending, .ssl_read_bytes = tls13_legacy_read_bytes, .ssl_write_bytes = tls13_legacy_write_bytes, - .ssl3_enc = &TLSv1_3_enc_data, -}; - -static const SSL_METHOD TLS_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_method_internal_data, + .enc_flags = TLSV1_3_ENC_FLAGS, }; #endif -static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = { +static const SSL_METHOD TLS_legacy_method_data = { + .dtls = 0, + .server = 1, .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, @@ -397,49 +280,62 @@ static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = { .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_legacy_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_legacy_method_internal_data, + .enc_flags = TLSV1_2_ENC_FLAGS, }; -static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) +static const SSL_METHOD TLS_client_method_data = { + .dtls = 0, + .server = 0, + .version = TLS1_3_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_3_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = tls13_legacy_accept, + .ssl_connect = tls13_legacy_connect, + .ssl_shutdown = tls13_legacy_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = tls13_legacy_pending, + .ssl_read_bytes = tls13_legacy_read_bytes, + .ssl_write_bytes = tls13_legacy_write_bytes, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_3_ENC_FLAGS, +}; + +#else + +static const SSL_METHOD TLS_legacy_client_method_data = { + .dtls = 0, + .server = 0, + .version = TLS1_2_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_2_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, .ssl_accept = ssl3_accept, .ssl_connect = ssl3_connect, .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, }; +#endif static const SSL_METHOD TLSv1_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, + .dtls = 0, + .server = 1, + .version = TLS1_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, @@ -451,22 +347,37 @@ static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_ENC_FLAGS, +}; + +static const SSL_METHOD TLSv1_client_method_data = { + .dtls = 0, + .server = 0, + .version = TLS1_VERSION, + .min_tls_version = TLS1_VERSION, + .max_tls_version = TLS1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_ENC_FLAGS, }; static const SSL_METHOD TLSv1_1_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, + .dtls = 0, + .server = 1, + .version = TLS1_1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, .ssl_new = tls1_new, .ssl_clear = tls1_clear, .ssl_free = tls1_free, @@ -478,22 +389,81 @@ static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { .ssl_pending = ssl3_pending, .ssl_read_bytes = ssl3_read_bytes, .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_1_ENC_FLAGS, +}; + +static const SSL_METHOD TLSv1_1_client_method_data = { + .dtls = 0, + .server = 0, + .version = TLS1_1_VERSION, + .min_tls_version = TLS1_1_VERSION, + .max_tls_version = TLS1_1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_1_ENC_FLAGS, }; static const SSL_METHOD TLSv1_2_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, + .dtls = 0, + .server = 1, + .version = TLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_method_internal_data, + .enc_flags = TLSV1_2_ENC_FLAGS, +}; + +static const SSL_METHOD TLSv1_2_client_method_data = { + .dtls = 0, + .server = 0, + .version = TLS1_2_VERSION, + .min_tls_version = TLS1_2_VERSION, + .max_tls_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .get_cipher = ssl3_get_cipher, + .enc_flags = TLSV1_2_ENC_FLAGS, }; const SSL_METHOD * -SSLv23_method(void) +TLS_client_method(void) { - return (TLS_method()); +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) + return (&TLS_client_method_data); +#else + return (&TLS_legacy_client_method_data); +#endif } const SSL_METHOD * @@ -506,237 +476,105 @@ TLS_method(void) #endif } +const SSL_METHOD * +TLS_server_method(void) +{ + return TLS_method(); +} + const SSL_METHOD * tls_legacy_method(void) { return (&TLS_legacy_method_data); } +const SSL_METHOD * +SSLv23_client_method(void) +{ + return TLS_client_method(); +} + +const SSL_METHOD * +SSLv23_method(void) +{ + return TLS_method(); +} + +const SSL_METHOD * +SSLv23_server_method(void) +{ + return TLS_method(); +} + +const SSL_METHOD * +TLSv1_client_method(void) +{ + return (&TLSv1_client_method_data); +} + const SSL_METHOD * TLSv1_method(void) { return (&TLSv1_method_data); } +const SSL_METHOD * +TLSv1_server_method(void) +{ + return (&TLSv1_method_data); +} + +const SSL_METHOD * +TLSv1_1_client_method(void) +{ + return (&TLSv1_1_client_method_data); +} + const SSL_METHOD * TLSv1_1_method(void) { return (&TLSv1_1_method_data); } +const SSL_METHOD * +TLSv1_1_server_method(void) +{ + return (&TLSv1_1_method_data); +} + +const SSL_METHOD * +TLSv1_2_client_method(void) +{ + return (&TLSv1_2_client_method_data); +} + const SSL_METHOD * TLSv1_2_method(void) { return (&TLSv1_2_method_data); } -#ifdef LIBRESSL_HAS_TLS1_3_SERVER -static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = { - .version = TLS1_3_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_3_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = tls13_legacy_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = tls13_legacy_shutdown, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_pending = tls13_legacy_pending, - .ssl_read_bytes = tls13_legacy_read_bytes, - .ssl_write_bytes = tls13_legacy_write_bytes, - .ssl3_enc = &TLSv1_3_enc_data, -}; - -static const SSL_METHOD TLS_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_server_method_internal_data, -}; -#endif - -static const SSL_METHOD_INTERNAL TLS_legacy_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_legacy_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_legacy_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, -}; - -static const SSL_METHOD TLSv1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_server_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; - -static const SSL_METHOD TLSv1_1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_pending = ssl3_pending, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLSv1_2_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_server_method_internal_data, -}; - -const SSL_METHOD * -SSLv23_server_method(void) -{ - return (TLS_server_method()); -} - -const SSL_METHOD * -TLS_server_method(void) -{ -#ifdef LIBRESSL_HAS_TLS1_3_SERVER - return (&TLS_server_method_data); -#else - return tls_legacy_server_method(); -#endif -} - -const SSL_METHOD * -tls_legacy_server_method(void) -{ - return (&TLS_legacy_server_method_data); -} - -const SSL_METHOD * -TLSv1_server_method(void) -{ - return (&TLSv1_server_method_data); -} - -const SSL_METHOD * -TLSv1_1_server_method(void) -{ - return (&TLSv1_1_server_method_data); -} - const SSL_METHOD * TLSv1_2_server_method(void) { - return (&TLSv1_2_server_method_data); + return (&TLSv1_2_method_data); } const SSL_METHOD * -ssl_get_client_method(uint16_t version) +ssl_get_method(uint16_t version) { if (version == TLS1_3_VERSION) - return (TLS_client_method()); + return (TLS_method()); if (version == TLS1_2_VERSION) - return (TLSv1_2_client_method()); + return (TLSv1_2_method()); if (version == TLS1_1_VERSION) - return (TLSv1_1_client_method()); + return (TLSv1_1_method()); if (version == TLS1_VERSION) - return (TLSv1_client_method()); + return (TLSv1_method()); if (version == DTLS1_VERSION) - return (DTLSv1_client_method()); - - return (NULL); -} - -const SSL_METHOD * -ssl_get_server_method(uint16_t version) -{ - if (version == TLS1_3_VERSION) - return (TLS_server_method()); - if (version == TLS1_2_VERSION) - return (TLSv1_2_server_method()); - if (version == TLS1_1_VERSION) - return (TLSv1_1_server_method()); - if (version == TLS1_VERSION) - return (TLSv1_server_method()); - if (version == DTLS1_VERSION) - return (DTLSv1_server_method()); + return (DTLSv1_method()); + if (version == DTLS1_2_VERSION) + return (DTLSv1_2_method()); return (NULL); } diff --git a/ssl/ssl_packet.c b/ssl/ssl_packet.c index d8fb409..af56dce 100644 --- a/ssl/ssl_packet.c +++ b/ssl/ssl_packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */ +/* $OpenBSD: ssl_packet.c,v 1.12 2021/07/01 17:53:39 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -15,9 +15,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include "bytestring.h" +#include "ssl_locl.h" static int ssl_is_sslv2_client_hello(CBS *header) @@ -238,7 +237,7 @@ ssl_server_legacy_first_packet(SSL *s) const char *data; CBS header; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) return 1; CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); @@ -247,12 +246,12 @@ ssl_server_legacy_first_packet(SSL *s) return 1; /* Only continue if this is not a version locked method. */ - if (s->method->internal->min_version == s->method->internal->max_version) + if (s->method->min_tls_version == s->method->max_tls_version) return 1; if (ssl_is_sslv2_client_hello(&header) == 1) { /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */ - if (ssl_enabled_version_range(s, &min_version, NULL) != 1) { + if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return -1; } diff --git a/ssl/ssl_pkt.c b/ssl/ssl_pkt.c index c9c8647..049a7df 100644 --- a/ssl/ssl_pkt.c +++ b/ssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.50 2021/08/30 19:25:43 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -112,12 +112,12 @@ #include #include -#include "ssl_locl.h" - #include #include #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len); @@ -149,15 +149,14 @@ ssl_force_want_read(SSL *s) static int ssl3_read_n(SSL *s, int n, int max, int extend) { + SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); int i, len, left; size_t align; unsigned char *pkt; - SSL3_BUFFER_INTERNAL *rb; if (n <= 0) return n; - rb = &(S3I(s)->rbuf); if (rb->buf == NULL) if (!ssl3_setup_read_buffer(s)) return -1; @@ -195,7 +194,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* For DTLS/UDP reads should not span multiple packets * because the read operation returns the whole packet * at once (as long as it fits into the buffer). */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (left > 0 && n > left) n = left; } @@ -228,14 +227,14 @@ ssl3_read_n(SSL *s, int n, int max, int extend) return -1; } - if (!s->internal->read_ahead) { - /* ignore max parameter */ - max = n; - } else { + if (s->internal->read_ahead || SSL_is_dtls(s)) { if (max < n) max = n; if (max > (int)(rb->len - rb->offset)) max = rb->len - rb->offset; + } else { + /* ignore max parameter */ + max = n; } while (left < n) { @@ -255,7 +254,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) { + !SSL_is_dtls(s)) { if (len + left == 0) ssl3_release_read_buffer(s); } @@ -268,7 +267,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) * the underlying transport protocol is message oriented as * opposed to byte oriented as in the TLS case. */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (n > left) n = left; /* makes the while condition false */ } @@ -327,15 +326,13 @@ ssl3_packet_extend(SSL *s, int plen) static int ssl3_get_record(SSL *s) { - int al; - int enc_err, n, i, ret = -1; - SSL3_RECORD_INTERNAL *rr; - SSL_SESSION *sess; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int mac_size, orig_len; - - rr = &(S3I(s)->rrec); - sess = s->session; + SSL3_BUFFER_INTERNAL *rb = &(S3I(s)->rbuf); + SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); + uint8_t alert_desc; + uint8_t *out; + size_t out_len; + int al, n; + int ret = -1; again: /* check if we have the header */ @@ -373,13 +370,14 @@ ssl3_get_record(SSL *s) /* Lets check version */ if (!s->internal->first_packet && ssl_version != s->version) { - SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && - !s->internal->enc_write_ctx && !s->internal->write_hash) + !tls12_record_layer_write_protected(s->internal->rl)) { /* Send back error using their minor version number :-) */ s->version = ssl_version; + } + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) { @@ -387,17 +385,13 @@ ssl3_get_record(SSL *s) goto err; } - if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) { + if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + goto fatal_err; } - - /* now s->internal->rstate == SSL_ST_READ_BODY */ } - /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ - n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length); if (n <= 0) return (n); @@ -406,133 +400,50 @@ ssl3_get_record(SSL *s) s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ - /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->internal->packet - */ - rr->input = &(s->internal->packet[SSL3_RT_HEADER_LENGTH]); - - /* ok, we can now read from 's->internal->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ - - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; - - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if ((enc_err = tls1_enc(s, 0)) == 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; - } - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - - orig_len = rr->length + rr->padding_length; - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. - */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } - - i = tls1_mac(s,md,0 /* not send */); - if (i < 0 || mac == NULL || - timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > - SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } - - if (enc_err < 0) { - /* - * A separate 'decryption_failed' alert was introduced with - * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a - * decryption failure is directly visible from the ciphertext - * anyway, we should not reveal which kind of error - * occurred -- this might become visible to an attacker - * (e.g. via a logfile) - */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; - } - - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; - } - - rr->off = 0; /* - * So at this point the following is true - * - * ssl->s3->internal->rrec.type is the type of record - * ssl->s3->internal->rrec.length == number of bytes in record - * ssl->s3->internal->rrec.off == offset to first valid byte - * ssl->s3->internal->rrec.data == where to take bytes from, increment - * after use :-). + * A full record has now been read from the wire, which now needs + * to be processed. */ + tls12_record_layer_set_version(s->internal->rl, s->version); + + if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, + s->internal->packet_length, &out, &out_len)) { + tls12_record_layer_alert(s->internal->rl, &alert_desc); + + if (alert_desc == 0) + goto err; + + if (alert_desc == SSL_AD_RECORD_OVERFLOW) + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + else if (alert_desc == SSL_AD_BAD_RECORD_MAC) + SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + + al = alert_desc; + goto fatal_err; + } + + rr->data = out; + rr->length = out_len; + rr->off = 0; /* we have pulled in a full packet so zero things */ s->internal->packet_length = 0; if (rr->length == 0) { /* - * CBC countermeasures for known IV weaknesses - * can legitimately insert a single empty record, - * so we allow ourselves to read once past a single - * empty record without forcing want_read. + * Zero-length fragments are only permitted for application + * data, as per RFC 5246 section 6.2.1. + */ + if (rr->type != SSL3_RT_APPLICATION_DATA) { + SSLerror(s, SSL_R_BAD_LENGTH); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto fatal_err; + } + + /* + * CBC countermeasures for known IV weaknesses can legitimately + * insert a single empty record, so we allow ourselves to read + * once past a single empty record without forcing want_read. */ if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); @@ -543,15 +454,15 @@ ssl3_get_record(SSL *s) return -1; } goto again; - } else { - s->internal->empty_record_count = 0; } + s->internal->empty_record_count = 0; + return (1); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (ret); } @@ -642,7 +553,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) /* If we have an alert to send, let's send it. */ if (S3I(s)->alert_dispatch) { - if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + if ((ret = ssl3_dispatch_alert(s)) <= 0) return (ret); /* If it went, fall through and send more stuff. */ @@ -660,8 +571,9 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) * bytes and record version number > TLS 1.0. */ version = s->version; - if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate && - TLS1_get_version(s) > TLS1_VERSION) + if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && + !s->internal->renegotiate && + S3I(s)->hs.our_max_tls_version > TLS1_VERSION) version = TLS1_VERSION; /* @@ -669,8 +581,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this * is unnecessary for AEAD. */ - if (sess != NULL && s->internal->enc_write_ctx != NULL && - EVP_MD_CTX_md(s->internal->write_hash) != NULL) { + if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) { if (S3I(s)->need_empty_fragments && !S3I(s)->empty_fragment_done && type == SSL3_RT_APPLICATION_DATA) @@ -755,7 +666,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) wb->left = 0; wb->offset += i; if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) + !SSL_is_dtls(s)) ssl3_release_write_buffer(s); s->internal->rwstate = SSL_NOTHING; return (S3I(s)->wpend_ret); @@ -764,7 +675,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) * For DTLS, just drop it. That's kind of the * whole point in using a datagram service. */ - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) wb->left = 0; return (i); } @@ -803,8 +714,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { - void (*cb)(const SSL *ssl, int type2, int val) = NULL; - int al, i, j, ret, rrcount = 0; + int al, i, ret, rrcount = 0; unsigned int n; SSL3_RECORD_INTERNAL *rr; @@ -860,7 +770,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } -start: + start: /* * Do not process more than three consecutive records, otherwise the * peer can cause us to loop indefinitely. Instead, return with an @@ -898,7 +808,7 @@ start: && (rr->type != SSL3_RT_HANDSHAKE)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); - goto f_err; + goto fatal_err; } /* If the other end has shut down, throw anything we read away @@ -914,11 +824,11 @@ start: if (type == rr->type) { /* make sure that we are not getting application data when we * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { + if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && + !tls12_record_layer_read_protected(s->internal->rl)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + goto fatal_err; } if (len <= 0) @@ -1000,13 +910,11 @@ start: (S3I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_HELLO_REQUEST); - goto f_err; + goto fatal_err; } - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - S3I(s)->handshake_fragment, 4, s, - s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, + S3I(s)->handshake_fragment, 4); if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && @@ -1044,7 +952,7 @@ start: S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO && (s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) { al = SSL_AD_NO_RENEGOTIATION; - goto f_err; + goto fatal_err; } /* If we are a server and get a client hello when renegotiation isn't * allowed send back a no renegotiation alert and carry on. @@ -1067,19 +975,11 @@ start: S3I(s)->alert_fragment_len = 0; - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, - S3I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_ALERT, + S3I(s)->alert_fragment, 2); - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - - if (cb != NULL) { - j = (alert_level << 8) | alert_descr; - cb(s, SSL_CB_READ_ALERT, j); - } + ssl_info_callback(s, SSL_CB_READ_ALERT, + (alert_level << 8) | alert_descr); if (alert_level == SSL3_AL_WARNING) { S3I(s)->warn_alert = alert_descr; @@ -1099,7 +999,7 @@ start: else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_RENEGOTIATION); - goto f_err; + goto fatal_err; } } else if (alert_level == SSL3_AL_FATAL) { s->internal->rwstate = SSL_NOTHING; @@ -1113,7 +1013,7 @@ start: } else { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + goto fatal_err; } goto start; @@ -1133,31 +1033,27 @@ start: (rr->data[0] != SSL3_MT_CCS)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + goto fatal_err; } /* Check we have a cipher to change to */ - if (S3I(s)->hs.new_cipher == NULL) { + if (S3I(s)->hs.cipher == NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + goto fatal_err; } /* Check that we should be receiving a Change Cipher Spec. */ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + goto fatal_err; } s->s3->flags &= ~SSL3_FLAGS_CCS_OK; rr->length = 0; - if (s->internal->msg_callback) { - s->internal->msg_callback(0, s->version, - SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, - s->internal->msg_callback_arg); - } + ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1); S3I(s)->change_cipher_spec = 1; if (!ssl3_do_change_cipher_spec(s)) @@ -1208,7 +1104,7 @@ start: } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1217,7 +1113,7 @@ start: * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, * but have application data. If the library was @@ -1239,118 +1135,100 @@ start: } else { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_RECORD); - goto f_err; + goto fatal_err; } } /* not reached */ -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } int ssl3_do_change_cipher_spec(SSL *s) { - int i; - const char *sender; - int slen; - - if (S3I(s)->hs.state & SSL_ST_ACCEPT) - i = SSL3_CHANGE_CIPHER_SERVER_READ; - else - i = SSL3_CHANGE_CIPHER_CLIENT_READ; - - if (S3I(s)->hs.key_block == NULL) { + if (S3I(s)->hs.tls12.key_block == NULL) { if (s->session == NULL || s->session->master_key_length == 0) { /* might happen if dtls1_read_bytes() calls this */ SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); return (0); } - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = S3I(s)->hs.cipher; if (!tls1_setup_key_block(s)) return (0); } - if (!tls1_change_cipher_state(s, i)) + if (!tls1_change_read_cipher_state(s)) return (0); - /* we have to record the message digest at - * this point so we can get it before we read - * the finished message */ - if (S3I(s)->hs.state & SSL_ST_CONNECT) { - sender = TLS_MD_SERVER_FINISH_CONST; - slen = TLS_MD_SERVER_FINISH_CONST_SIZE; - } else { - sender = TLS_MD_CLIENT_FINISH_CONST; - slen = TLS_MD_CLIENT_FINISH_CONST_SIZE; - } - - i = tls1_final_finish_mac(s, sender, slen, - S3I(s)->tmp.peer_finish_md); - if (i == 0) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - return 0; - } - S3I(s)->tmp.peer_finish_md_len = i; + /* + * We have to record the message digest at this point so we can get it + * before we read the finished message. + */ + if (!tls12_derive_peer_finished(s)) + return (0); return (1); } +static int +ssl3_write_alert(SSL *s) +{ + if (SSL_is_dtls(s)) + return do_dtls1_write(s, SSL3_RT_ALERT, S3I(s)->send_alert, + sizeof(S3I(s)->send_alert)); + + return do_ssl3_write(s, SSL3_RT_ALERT, S3I(s)->send_alert, + sizeof(S3I(s)->send_alert)); +} + int ssl3_send_alert(SSL *s, int level, int desc) { - /* Map tls/ssl alert value to correct one */ - desc = tls1_alert_code(desc); - if (desc < 0) - return -1; - /* If a fatal one, remove from cache */ - if ((level == 2) && (s->session != NULL)) + /* If alert is fatal, remove session from cache. */ + if (level == SSL3_AL_FATAL) SSL_CTX_remove_session(s->ctx, s->session); S3I(s)->alert_dispatch = 1; S3I(s)->send_alert[0] = level; S3I(s)->send_alert[1] = desc; - if (S3I(s)->wbuf.left == 0) /* data still being written out? */ - return s->method->ssl_dispatch_alert(s); - /* else data is still being written out, we will get written - * some time in the future */ - return -1; + /* + * If data is still being written out, the alert will be dispatched at + * some point in the future. + */ + if (S3I(s)->wbuf.left != 0) + return -1; + + return ssl3_dispatch_alert(s); } int ssl3_dispatch_alert(SSL *s) { - int i, j; - void (*cb)(const SSL *ssl, int type, int val) = NULL; + int ret; S3I(s)->alert_dispatch = 0; - i = do_ssl3_write(s, SSL3_RT_ALERT, &S3I(s)->send_alert[0], 2); - if (i <= 0) { + if ((ret = ssl3_write_alert(s)) <= 0) { S3I(s)->alert_dispatch = 1; - } else { - /* Alert sent to BIO. If it is important, flush it now. - * If the message does not get sent due to non-blocking IO, - * we will not worry too much. */ - if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) - (void)BIO_flush(s->wbio); - - if (s->internal->msg_callback) - s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, - S3I(s)->send_alert, 2, s, s->internal->msg_callback_arg); - - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - - if (cb != NULL) { - j = (S3I(s)->send_alert[0]<<8)|S3I(s)->send_alert[1]; - cb(s, SSL_CB_WRITE_ALERT, j); - } + return ret; } - return (i); + + /* + * Alert sent to BIO. If it is important, flush it now. + * If the message does not get sent due to non-blocking IO, + * we will not worry too much. + */ + if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) + (void)BIO_flush(s->wbio); + + ssl_msg_callback(s, 1, SSL3_RT_ALERT, S3I(s)->send_alert, 2); + + ssl_info_callback(s, SSL_CB_WRITE_ALERT, + (S3I(s)->send_alert[0] << 8) | S3I(s)->send_alert[1]); + + return ret; } diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 0936c0b..e3a1e5d 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.34 2021/06/11 11:13:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -58,17 +58,20 @@ #include -#include "ssl_locl.h" - #include #include #include #include #include +#include "ssl_locl.h" + static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *); +static int use_certificate_chain_bio(BIO *in, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg); +static int use_certificate_chain_file(const char *file, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg); int SSL_use_certificate(SSL *ssl, X509 *x) @@ -117,7 +120,7 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type) } ret = SSL_use_certificate(ssl, x); -end: + end: X509_free(x); BIO_free(in); return (ret); @@ -240,7 +243,7 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) } ret = SSL_use_RSAPrivateKey(ssl, rsa); RSA_free(rsa); -end: + end: BIO_free(in); return (ret); } @@ -309,7 +312,7 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) } ret = SSL_use_PrivateKey(ssl, pkey); EVP_PKEY_free(pkey); -end: + end: BIO_free(in); return (ret); } @@ -433,7 +436,7 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) } ret = SSL_CTX_use_certificate(ctx, x); -end: + end: X509_free(x); BIO_free(in); return (ret); @@ -514,7 +517,7 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) } ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); RSA_free(rsa); -end: + end: BIO_free(in); return (ret); } @@ -580,7 +583,7 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) } ret = SSL_CTX_use_PrivateKey(ctx, pkey); EVP_PKEY_free(pkey); -end: + end: BIO_free(in); return (ret); } @@ -609,29 +612,29 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, * sent to the peer in the Certificate message. */ static int -ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) +use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb, + void *passwd_arg) { X509 *ca, *x = NULL; unsigned long err; int ret = 0; - if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) == NULL) { + if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) == + NULL) { SSLerrorx(ERR_R_PEM_LIB); goto err; } - if (!SSL_CTX_use_certificate(ctx, x)) + if (!ssl_set_cert(cert, x)) goto err; - if (!ssl_cert_set0_chain(ctx->internal->cert, NULL)) + if (!ssl_cert_set0_chain(cert, NULL)) goto err; /* Process any additional CA certificates. */ - while ((ca = PEM_read_bio_X509(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) != NULL) { - if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) { + while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) != + NULL) { + if (!ssl_cert_add0_chain_cert(cert, ca)) { X509_free(ca); goto err; } @@ -652,7 +655,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) } int -SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) +use_certificate_chain_file(const char *file, CERT *cert, + pem_password_cb *passwd_cb, void *passwd_arg) { BIO *in; int ret = 0; @@ -668,13 +672,29 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) goto end; } - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); + ret = use_certificate_chain_bio(in, cert, passwd_cb, passwd_arg); -end: + end: BIO_free(in); return (ret); } +int +SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) +{ + return use_certificate_chain_file(file, ctx->internal->cert, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); +} + +int +SSL_use_certificate_chain_file(SSL *ssl, const char *file) +{ + return use_certificate_chain_file(file, ssl->cert, + ssl->ctx->default_passwd_callback, + ssl->ctx->default_passwd_callback_userdata); +} + int SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) { @@ -687,9 +707,11 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) goto end; } - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); + ret = use_certificate_chain_bio(in, ctx->internal->cert, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); -end: + end: BIO_free(in); return (ret); } diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index d805419..4e798e0 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.100 2020/09/19 09:56:35 tb Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.105 2021/09/08 17:27:33 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -136,6 +136,7 @@ */ #include +#include #ifndef OPENSSL_NO_ENGINE #include @@ -345,6 +346,7 @@ ssl_get_new_session(SSL *s, int session) case TLS1_1_VERSION: case TLS1_2_VERSION: case DTLS1_VERSION: + case DTLS1_2_VERSION: ss->ssl_version = s->version; ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; @@ -797,7 +799,7 @@ SSL_set_session(SSL *s, SSL_SESSION *session) return SSL_set_ssl_method(s, s->ctx->method); } - if ((method = ssl_get_client_method(session->ssl_version)) == NULL) { + if ((method = ssl_get_method(session->ssl_version)) == NULL) { SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); return (0); } @@ -872,6 +874,12 @@ SSL_SESSION_get_protocol_version(const SSL_SESSION *s) return s->ssl_version; } +const SSL_CIPHER * +SSL_SESSION_get0_cipher(const SSL_SESSION *s) +{ + return s->cipher; +} + X509 * SSL_SESSION_get0_peer(SSL_SESSION *s) { @@ -905,6 +913,12 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, return 1; } +int +SSL_SESSION_is_resumable(const SSL_SESSION *s) +{ + return 0; +} + long SSL_CTX_set_timeout(SSL_CTX *s, long t) { diff --git a/ssl/ssl_sigalgs.c b/ssl/ssl_sigalgs.c index 6378ec8..765f39d 100644 --- a/ssl/ssl_sigalgs.c +++ b/ssl/ssl_sigalgs.c @@ -1,6 +1,7 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.21 2020/05/09 16:52:15 beck Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */ /* * Copyright (c) 2018-2020 Bob Beck + * Copyright (c) 2021 Joel Sing * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,10 +15,12 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + #include #include #include +#include #include "bytestring.h" #include "ssl_locl.h" @@ -27,101 +30,101 @@ const struct ssl_sigalg sigalgs[] = { { .value = SIGALG_RSA_PKCS1_SHA512, - .md = EVP_sha512, .key_type = EVP_PKEY_RSA, + .md = EVP_sha512, }, { .value = SIGALG_ECDSA_SECP521R1_SHA512, - .md = EVP_sha512, .key_type = EVP_PKEY_EC, + .md = EVP_sha512, .curve_nid = NID_secp521r1, }, #ifndef OPENSSL_NO_GOST { .value = SIGALG_GOSTR12_512_STREEBOG_512, - .md = EVP_streebog512, .key_type = EVP_PKEY_GOSTR12_512, + .md = EVP_streebog512, }, #endif { .value = SIGALG_RSA_PKCS1_SHA384, - .md = EVP_sha384, .key_type = EVP_PKEY_RSA, + .md = EVP_sha384, }, { .value = SIGALG_ECDSA_SECP384R1_SHA384, - .md = EVP_sha384, .key_type = EVP_PKEY_EC, + .md = EVP_sha384, .curve_nid = NID_secp384r1, }, { .value = SIGALG_RSA_PKCS1_SHA256, - .md = EVP_sha256, .key_type = EVP_PKEY_RSA, + .md = EVP_sha256, }, { .value = SIGALG_ECDSA_SECP256R1_SHA256, - .md = EVP_sha256, .key_type = EVP_PKEY_EC, + .md = EVP_sha256, .curve_nid = NID_X9_62_prime256v1, }, #ifndef OPENSSL_NO_GOST { .value = SIGALG_GOSTR12_256_STREEBOG_256, - .md = EVP_streebog256, .key_type = EVP_PKEY_GOSTR12_256, + .md = EVP_streebog256, }, { .value = SIGALG_GOSTR01_GOST94, - .md = EVP_gostr341194, .key_type = EVP_PKEY_GOSTR01, + .md = EVP_gostr341194, }, #endif { .value = SIGALG_RSA_PSS_RSAE_SHA256, - .md = EVP_sha256, .key_type = EVP_PKEY_RSA, + .md = EVP_sha256, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA384, - .md = EVP_sha384, .key_type = EVP_PKEY_RSA, + .md = EVP_sha384, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA512, - .md = EVP_sha512, .key_type = EVP_PKEY_RSA, + .md = EVP_sha512, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA256, - .md = EVP_sha256, .key_type = EVP_PKEY_RSA, + .md = EVP_sha256, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA384, - .md = EVP_sha384, .key_type = EVP_PKEY_RSA, + .md = EVP_sha384, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA512, - .md = EVP_sha512, .key_type = EVP_PKEY_RSA, + .md = EVP_sha512, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PKCS1_SHA224, - .md = EVP_sha224, .key_type = EVP_PKEY_RSA, + .md = EVP_sha224, }, { .value = SIGALG_ECDSA_SECP224R1_SHA224, - .md = EVP_sha224, .key_type = EVP_PKEY_EC, + .md = EVP_sha224, }, { .value = SIGALG_RSA_PKCS1_SHA1, @@ -143,8 +146,8 @@ const struct ssl_sigalg sigalgs[] = { }, }; -/* Sigalgs for tls 1.3, in preference order, */ -uint16_t tls13_sigalgs[] = { +/* Sigalgs for TLSv1.3, in preference order. */ +const uint16_t tls13_sigalgs[] = { SIGALG_RSA_PSS_RSAE_SHA512, SIGALG_RSA_PKCS1_SHA512, SIGALG_ECDSA_SECP521R1_SHA512, @@ -155,10 +158,10 @@ uint16_t tls13_sigalgs[] = { SIGALG_RSA_PKCS1_SHA256, SIGALG_ECDSA_SECP256R1_SHA256, }; -size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); +const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); -/* Sigalgs for tls 1.2, in preference order, */ -uint16_t tls12_sigalgs[] = { +/* Sigalgs for TLSv1.2, in preference order. */ +const uint16_t tls12_sigalgs[] = { SIGALG_RSA_PSS_RSAE_SHA512, SIGALG_RSA_PKCS1_SHA512, SIGALG_ECDSA_SECP521R1_SHA512, @@ -171,87 +174,124 @@ uint16_t tls12_sigalgs[] = { SIGALG_RSA_PKCS1_SHA1, /* XXX */ SIGALG_ECDSA_SHA1, /* XXX */ }; -size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); +const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); -const struct ssl_sigalg * -ssl_sigalg_lookup(uint16_t sigalg) +static void +ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values, + size_t *out_len) +{ + if (tls_version >= TLS1_3_VERSION) { + *out_values = tls13_sigalgs; + *out_len = tls13_sigalgs_len; + } else { + *out_values = tls12_sigalgs; + *out_len = tls12_sigalgs_len; + } +} + +static const struct ssl_sigalg * +ssl_sigalg_lookup(uint16_t value) { int i; for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { - if (sigalgs[i].value == sigalg) + if (sigalgs[i].value == value) return &sigalgs[i]; } return NULL; } -const struct ssl_sigalg * -ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len) +static const struct ssl_sigalg * +ssl_sigalg_from_value(SSL *s, uint16_t value) { + const uint16_t *values; + size_t len; int i; + ssl_sigalgs_for_version(S3I(s)->hs.negotiated_tls_version, + &values, &len); + for (i = 0; i < len; i++) { - if (values[i] == sigalg) - return ssl_sigalg_lookup(sigalg); + if (values[i] == value) + return ssl_sigalg_lookup(value); } return NULL; } int -ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) +ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) { + const uint16_t *values; + size_t len; size_t i; - for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); - if (len > i) - return 0; - - /* XXX check for duplicates and other sanity BS? */ + ssl_sigalgs_for_version(tls_version, &values, &len); /* Add values in order as long as they are supported. */ for (i = 0; i < len; i++) { - /* Do not allow the legacy value for < 1.2 to be used */ + /* Do not allow the legacy value for < 1.2 to be used. */ if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) return 0; - - if (ssl_sigalg_lookup(values[i]) != NULL) { - if (!CBB_add_u16(cbb, values[i])) - return 0; - } else + if (ssl_sigalg_lookup(values[i]) == NULL) + return 0; + if (!CBB_add_u16(cbb, values[i])) return 0; } return 1; } -int -ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, - int check_curve) +static const struct ssl_sigalg * +ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey) +{ + /* Default signature algorithms used for TLSv1.2 and earlier. */ + switch (pkey->type) { + case EVP_PKEY_RSA: + if (S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) + return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); + return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); + case EVP_PKEY_EC: + return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); +#ifndef OPENSSL_NO_GOST + case EVP_PKEY_GOSTR01: + return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); +#endif + } + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); + return (NULL); +} + +static int +ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey) { if (sigalg == NULL || pkey == NULL) return 0; if (sigalg->key_type != pkey->type) return 0; + /* RSA PSS must have a sufficiently large RSA key. */ if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { - /* - * RSA PSS Must have an RSA key that needs to be at - * least as big as twice the size of the hash + 2 - */ if (pkey->type != EVP_PKEY_RSA || EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) return 0; } - if (pkey->type == EVP_PKEY_EC && check_curve) { - /* Curve must match for EC keys. */ + if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION) + return 1; + + /* RSA cannot be used without PSS in TLSv1.3. */ + if (sigalg->key_type == EVP_PKEY_RSA && + (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) + return 0; + + /* Ensure that curve matches for EC keys. */ + if (pkey->type == EVP_PKEY_EC) { if (sigalg->curve_nid == 0) return 0; - if (EC_GROUP_get_curve_name(EC_KEY_get0_group - (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) { + if (EC_GROUP_get_curve_name(EC_KEY_get0_group( + EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) return 0; - } } return 1; @@ -260,78 +300,56 @@ ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, const struct ssl_sigalg * ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) { - uint16_t *tls_sigalgs = tls12_sigalgs; - size_t tls_sigalgs_len = tls12_sigalgs_len; - int check_curve = 0; CBS cbs; - if (TLS1_get_version(s) >= TLS1_3_VERSION) { - tls_sigalgs = tls13_sigalgs; - tls_sigalgs_len = tls13_sigalgs_len; - check_curve = 1; - } - - /* Pre TLS 1.2 defaults */ - if (!SSL_USE_SIGALGS(s)) { - switch (pkey->type) { - case EVP_PKEY_RSA: - return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); - case EVP_PKEY_EC: - return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); -#ifndef OPENSSL_NO_GOST - case EVP_PKEY_GOSTR01: - return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); -#endif - } - SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); - return (NULL); - } + if (!SSL_USE_SIGALGS(s)) + return ssl_sigalg_for_legacy(s, pkey); /* - * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in - * which case the server must use the the default. + * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension, + * in which case the server must use the default. */ - if (TLS1_get_version(s) < TLS1_3_VERSION && - S3I(s)->hs.sigalgs == NULL) { - switch (pkey->type) { - case EVP_PKEY_RSA: - return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); - case EVP_PKEY_EC: - return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); -#ifndef OPENSSL_NO_GOST - case EVP_PKEY_GOSTR01: - return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); -#endif - } - SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); - return (NULL); - } + if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && + S3I(s)->hs.sigalgs == NULL) + return ssl_sigalg_for_legacy(s, pkey); /* * If we get here, we have client or server sent sigalgs, use one. */ CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); while (CBS_len(&cbs) > 0) { - uint16_t sig_alg; const struct ssl_sigalg *sigalg; + uint16_t sigalg_value; - if (!CBS_get_u16(&cbs, &sig_alg)) + if (!CBS_get_u16(&cbs, &sigalg_value)) return 0; - if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs, - tls_sigalgs_len)) == NULL) + if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) continue; - - /* RSA cannot be used without PSS in TLSv1.3. */ - if (TLS1_get_version(s) >= TLS1_3_VERSION && - sigalg->key_type == EVP_PKEY_RSA && - (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) - continue; - - if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve)) + if (ssl_sigalg_pkey_ok(s, sigalg, pkey)) return sigalg; } SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); return NULL; } + +const struct ssl_sigalg * +ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value) +{ + const struct ssl_sigalg *sigalg; + + if (!SSL_USE_SIGALGS(s)) + return ssl_sigalg_for_legacy(s, pkey); + + if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) { + SSLerror(s, SSL_R_UNKNOWN_DIGEST); + return (NULL); + } + if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); + return (NULL); + } + + return sigalg; +} diff --git a/ssl/ssl_sigalgs.h b/ssl/ssl_sigalgs.h index 13a3597..beab11a 100644 --- a/ssl/ssl_sigalgs.h +++ b/ssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.14 2019/03/25 17:33:26 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.23 2021/06/29 19:25:59 jsing Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck * @@ -55,31 +55,23 @@ __BEGIN_HIDDEN_DECLS #define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE #define SIGALG_GOSTR01_GOST94 0xEDED -/* Legacy sigalg for < 1.2 same value as boring uses*/ +/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */ #define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01 #define SIGALG_FLAG_RSA_PSS 0x00000001 -struct ssl_sigalg{ +struct ssl_sigalg { uint16_t value; - const EVP_MD *(*md)(void); int key_type; + const EVP_MD *(*md)(void); int curve_nid; int flags; }; -extern uint16_t tls12_sigalgs[]; -extern size_t tls12_sigalgs_len; -extern uint16_t tls13_sigalgs[]; -extern size_t tls13_sigalgs_len; - -const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); -const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len); -int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len); -int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); -int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, - int check_curve); +int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb); const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); +const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, + uint16_t sigalg_value); __END_HIDDEN_DECLS diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c index 0f448a2..3a37fc7 100644 --- a/ssl/ssl_srvr.c +++ b/ssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.85 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.119 2021/09/03 13:18:01 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -150,43 +150,39 @@ #include -#include "ssl_locl.h" - #include #include #include #include #include -#ifndef OPENSSL_NO_GOST -#include -#endif #include #include #include +#include #include +#ifndef OPENSSL_NO_GOST +#include +#endif + #include "bytestring.h" +#include "dtls_locl.h" +#include "ssl_locl.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" int ssl3_accept(SSL *s) { - void (*cb)(const SSL *ssl, int type, int val) = NULL; unsigned long alg_k; - int ret = -1; int new_state, state, skip = 0; int listen = 0; + int ret = -1; ERR_clear_error(); errno = 0; - if (s->internal->info_callback != NULL) - cb = s->internal->info_callback; - else if (s->ctx->internal->info_callback != NULL) - cb = s->ctx->internal->info_callback; - - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) listen = D1I(s)->listen; /* init things to blank */ @@ -194,7 +190,7 @@ ssl3_accept(SSL *s) if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->listen = listen; for (;;) { @@ -210,23 +206,22 @@ ssl3_accept(SSL *s) case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: s->server = 1; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_IS_DTLS(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version >> 8) != 3) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1); + + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + + if (!ssl_supported_tls_version_range(s, + &S3I(s)->hs.our_min_tls_version, + &S3I(s)->hs.our_max_tls_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + ret = -1; + goto end; } - s->internal->type = SSL_ST_ACCEPT; if (!ssl3_setup_init_buffer(s)) { ret = -1; @@ -257,7 +252,7 @@ ssl3_accept(SSL *s) S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->internal->stats.sess_accept++; - } else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) { + } else if (!SSL_is_dtls(s) && !S3I(s)->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure @@ -281,23 +276,25 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { dtls1_clear_record_buffer(s); dtls1_start_timer(s); } ret = ssl3_send_hello_request(s); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) - S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + if (SSL_is_dtls(s)) + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; else - S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; + S3I(s)->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; - if (!tls1_transcript_init(s)) { - ret = -1; - goto end; + if (SSL_is_dtls(s)) { + if (!tls1_transcript_init(s)) { + ret = -1; + goto end; + } } break; @@ -309,7 +306,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: s->internal->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { ret = ssl3_get_client_hello(s); if (ret <= 0) goto end; @@ -328,9 +325,8 @@ ssl3_accept(SSL *s) * stateless while listening. */ if (listen) { - memcpy(S3I(s)->write_sequence, - S3I(s)->read_sequence, - sizeof(S3I(s)->write_sequence)); + tls12_record_layer_reflect_seq_num( + s->internal->rl); } /* If we're just listening, stop here */ @@ -361,11 +357,11 @@ ssl3_accept(SSL *s) case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - ret = dtls1_send_hello_verify_request(s); + ret = ssl3_send_dtls_hello_verify_request(s); if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; - S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; /* HelloVerifyRequest resets Finished MAC. */ tls1_transcript_reset(s); @@ -373,7 +369,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { s->internal->renegotiate = 2; dtls1_start_timer(s); } @@ -394,9 +390,9 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH or anon ECDH. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_certificate(s); if (ret <= 0) @@ -414,7 +410,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; /* * Only send if using a DH key exchange. @@ -425,7 +421,7 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_key_exchange(s); if (ret <= 0) @@ -459,19 +455,19 @@ ssl3_accept(SSL *s) if (!(s->verify_mode & SSL_VERIFY_PEER) || ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - ((S3I(s)->hs.new_cipher->algorithm_auth & + ((S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { /* No cert request. */ skip = 1; - S3I(s)->tmp.cert_request = 0; + S3I(s)->hs.tls12.cert_request = 0; S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) tls1_transcript_free(s); } else { - S3I(s)->tmp.cert_request = 1; - if (SSL_IS_DTLS(s)) + S3I(s)->hs.tls12.cert_request = 1; + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_certificate_request(s); if (ret <= 0) @@ -483,12 +479,12 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_DONE_A: case SSL3_ST_SW_SRVR_DONE_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_start_timer(s); ret = ssl3_send_server_done(s); if (ret <= 0) goto end; - S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CERT_A; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; break; @@ -506,23 +502,23 @@ ssl3_accept(SSL *s) */ s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying. */ if (!BIO_should_retry(s->wbio)) { s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; } } ret = -1; goto end; } s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; + S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; break; case SSL3_ST_SR_CERT_A: case SSL3_ST_SR_CERT_B: - if (S3I(s)->tmp.cert_request) { + if (S3I(s)->hs.tls12.cert_request) { ret = ssl3_get_client_certificate(s); if (ret <= 0) goto end; @@ -537,12 +533,12 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; s->internal->init_num = 0; } - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (ret == 2) { /* * For the ECDH ciphersuites when @@ -576,8 +572,8 @@ ssl3_accept(SSL *s) * a client cert, it can be verified. */ if (!tls1_transcript_hash_value(s, - S3I(s)->tmp.cert_verify_md, - sizeof(S3I(s)->tmp.cert_verify_md), + S3I(s)->hs.tls12.cert_verify, + sizeof(S3I(s)->hs.tls12.cert_verify), NULL)) { ret = -1; goto end; @@ -587,7 +583,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -602,7 +598,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) D1I(s)->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -610,7 +606,7 @@ ssl3_accept(SSL *s) SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; - if (SSL_IS_DTLS(s)) + if (SSL_is_dtls(s)) dtls1_stop_timer(s); if (s->internal->hit) S3I(s)->hs.state = SSL_ST_OK; @@ -641,43 +637,36 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: - s->session->cipher = S3I(s)->hs.new_cipher; - if (!tls1_setup_key_block(s)) { - ret = -1; - goto end; - } - ret = ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A; s->internal->init_num = 0; + s->session->cipher = S3I(s)->hs.cipher; - if (!tls1_change_cipher_state(s, - SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + if (!tls1_setup_key_block(s)) { + ret = -1; + goto end; + } + if (!tls1_change_write_cipher_state(s)) { ret = -1; goto end; } - - if (SSL_IS_DTLS(s)) - dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; case SSL3_ST_SW_FINISHED_A: case SSL3_ST_SW_FINISHED_B: - ret = ssl3_send_finished(s, - SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, - TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE); + ret = ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A, + SSL3_ST_SW_FINISHED_B); if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; if (s->internal->hit) { - S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A; + S3I(s)->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; tls1_transcript_free(s); } else - S3I(s)->hs.next_state = SSL_ST_OK; + S3I(s)->hs.tls12.next_state = SSL_ST_OK; s->internal->init_num = 0; break; @@ -691,7 +680,7 @@ ssl3_accept(SSL *s) goto end; } - if (!SSL_IS_DTLS(s)) + if (!SSL_is_dtls(s)) ssl3_release_init_buffer(s); /* remove buffering on output */ @@ -710,13 +699,12 @@ ssl3_accept(SSL *s) /* s->server=1; */ s->internal->handshake_func = ssl3_accept; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); + ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); } ret = 1; - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* Done handshaking, next message is client hello. */ D1I(s)->handshake_read_seq = 0; /* Next message is server hello. */ @@ -733,27 +721,26 @@ ssl3_accept(SSL *s) /* break; */ } - if (!S3I(s)->tmp.reuse_message && !skip) { + if (!S3I(s)->hs.tls12.reuse_message && !skip) { if (s->internal->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } - if ((cb != NULL) && (S3I(s)->hs.state != state)) { + if (S3I(s)->hs.state != state) { new_state = S3I(s)->hs.state; S3I(s)->hs.state = state; - cb(s, SSL_CB_ACCEPT_LOOP, 1); + ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1); S3I(s)->hs.state = new_state; } } skip = 0; } -end: + end: /* BIO_flush(s->wbio); */ s->internal->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_ACCEPT_EXIT, ret); + ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret); return (ret); } @@ -799,7 +786,7 @@ ssl3_get_client_hello(SSL *s) STACK_OF(SSL_CIPHER) *ciphers = NULL; unsigned long alg_k; const SSL_METHOD *method; - uint16_t max_version, shared_version; + uint16_t shared_version; /* * We do this so that we will respond with our native type. @@ -827,48 +814,52 @@ ssl3_get_client_hello(SSL *s) /* Parse client hello up until the extensions (if any). */ if (!CBS_get_u16(&cbs, &client_version)) - goto truncated; + goto decode_err; if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE)) - goto truncated; + goto decode_err; if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) - goto truncated; + goto decode_err; if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + goto fatal_err; } - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (!CBS_get_u8_length_prefixed(&cbs, &cookie)) - goto truncated; + goto decode_err; } if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites)) - goto truncated; + goto decode_err; if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods)) - goto truncated; + goto decode_err; /* * Use version from inside client hello, not from record header. * (may differ: see RFC 2246, Appendix E, second paragraph) */ - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; - if (ssl_max_shared_version(s, client_version, &shared_version) != 1) { - SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); + if (!ssl_max_shared_version(s, client_version, &shared_version)) { if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && - !s->internal->enc_write_ctx && !s->internal->write_hash) { + !tls12_record_layer_write_protected(s->internal->rl)) { /* * Similar to ssl3_get_record, send alert using remote * version number. */ s->version = s->client_version; } + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + goto fatal_err; } s->client_version = client_version; s->version = shared_version; - if ((method = ssl_get_server_method(shared_version)) == NULL) { + S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version); + if (S3I(s)->hs.negotiated_tls_version == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + + if ((method = ssl_get_method(shared_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -879,7 +870,7 @@ ssl3_get_client_hello(SSL *s) * one, just return since we do not want to allocate any memory yet. * So check cookie length... */ - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (CBS_len(&cookie) == 0) return (1); @@ -920,7 +911,7 @@ ssl3_get_client_hello(SSL *s) if (i == 1) { /* previous session */ s->internal->hit = 1; } else if (i == -1) - goto f_err; + goto fatal_err; else { /* i == 0 */ if (!ssl_get_new_session(s, 1)) @@ -928,7 +919,7 @@ ssl3_get_client_hello(SSL *s) } } - if (SSL_IS_DTLS(s)) { + if (SSL_is_dtls(s)) { /* * The ClientHello may contain a cookie even if the HelloVerify * message has not been sent - make sure that it does not cause @@ -937,7 +928,7 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cookie) > sizeof(D1I(s)->rcvd_cookie)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } /* Verify the cookie if appropriate option is set. */ @@ -955,7 +946,7 @@ ssl3_get_client_hello(SSL *s) D1I(s)->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } /* else cookie verification succeeded */ /* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */ @@ -964,7 +955,7 @@ ssl3_get_client_hello(SSL *s) /* default verification */ al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto fatal_err; } cookie_valid = 1; } @@ -975,7 +966,7 @@ ssl3_get_client_hello(SSL *s) /* we need a cipher if we are not resuming a session */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED); - goto f_err; + goto fatal_err; } if (CBS_len(&cipher_suites) > 0) { @@ -1004,32 +995,35 @@ ssl3_get_client_hello(SSL *s) */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + goto fatal_err; } } comp_null = 0; while (CBS_len(&compression_methods) > 0) { if (!CBS_get_u8(&compression_methods, &comp_method)) - goto truncated; + goto decode_err; if (comp_method == 0) comp_null = 1; } if (comp_null == 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; + goto fatal_err; } if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); - goto f_err; + goto fatal_err; } + if (CBS_len(&cbs) != 0) + goto decode_err; + if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - goto f_err; + goto fatal_err; } if (ssl_check_clienthello_tlsext_early(s) <= 0) { @@ -1045,8 +1039,8 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && - s->version < max_version) { + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { /* * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 * we must set the last 8 bytes of the server random to magical @@ -1055,7 +1049,7 @@ ssl3_get_client_hello(SSL *s) */ size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); uint8_t *magic = &s->s3->server_random[index]; - if (s->version == TLS1_2_VERSION) { + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION) { /* Indicate we chose to downgrade to 1.2. */ memcpy(magic, tls13_downgrade_12, sizeof(tls13_downgrade_12)); @@ -1086,7 +1080,7 @@ ssl3_get_client_hello(SSL *s) if (pref_cipher == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER); - goto f_err; + goto fatal_err; } s->session->cipher = pref_cipher; @@ -1107,7 +1101,7 @@ ssl3_get_client_hello(SSL *s) if (ciphers == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_PASSED); - goto f_err; + goto fatal_err; } ciphers = NULL; c = ssl3_choose_cipher(s, s->session->ciphers, @@ -1116,17 +1110,17 @@ ssl3_get_client_hello(SSL *s) if (c == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER); - goto f_err; + goto fatal_err; } - S3I(s)->hs.new_cipher = c; + S3I(s)->hs.cipher = c; } else { - S3I(s)->hs.new_cipher = s->session->cipher; + S3I(s)->hs.cipher = s->session->cipher; } if (!tls1_transcript_hash_init(s)) goto err; - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || !(s->verify_mode & SSL_VERIFY_PEER)) tls1_transcript_free(s); @@ -1134,13 +1128,13 @@ ssl3_get_client_hello(SSL *s) /* * We now have the following setup. * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers + * cipher_list - our prefered list of ciphers + * ciphers - the clients prefered list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. * s->internal->hit - session reuse flag - * s->hs.new_cipher - the new cipher to use. + * s->hs.cipher - the new cipher to use. */ /* Handles TLS extensions that we couldn't check earlier */ @@ -1152,18 +1146,62 @@ ssl3_get_client_hello(SSL *s) ret = cookie_valid ? 2 : 1; if (0) { -truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: sk_SSL_CIPHER_free(ciphers); return (ret); } +int +ssl3_send_dtls_hello_verify_request(SSL *s) +{ + CBB cbb, verify, cookie; + + memset(&cbb, 0, sizeof(cbb)); + + if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { + if (s->ctx->internal->app_gen_cookie_cb == NULL || + s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, + &(D1I(s)->cookie_len)) == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + return 0; + } + + /* + * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should + * always contain DTLSv1.0 regardless of the version that is + * going to be negotiated. + */ + if (!ssl3_handshake_msg_start(s, &cbb, &verify, + DTLS1_MT_HELLO_VERIFY_REQUEST)) + goto err; + if (!CBB_add_u16(&verify, DTLS1_VERSION)) + goto err; + if (!CBB_add_u8_length_prefixed(&verify, &cookie)) + goto err; + if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) + goto err; + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; + + S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; + } + + /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ + return (ssl3_handshake_write(s)); + + err: + CBB_cleanup(&cbb); + + return (-1); +} + int ssl3_send_server_hello(SSL *s) { @@ -1217,7 +1255,7 @@ ssl3_send_server_hello(SSL *s) /* Cipher suite. */ if (!CBB_add_u16(&server_hello, - ssl3_cipher_get_value(S3I(s)->hs.new_cipher))) + ssl3_cipher_get_value(S3I(s)->hs.cipher))) goto err; /* Compression method (null). */ @@ -1281,19 +1319,19 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) if ((dhp = ssl_get_auto_dh(s)) == NULL) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; } } else dhp = s->cert->dh_tmp; if (dhp == NULL && s->cert->dh_tmp_cb != NULL) dhp = s->cert->dh_tmp_cb(s, 0, - SSL_C_PKEYLENGTH(S3I(s)->hs.new_cipher)); + SSL_C_PKEYLENGTH(S3I(s)->hs.cipher)); if (dhp == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + goto fatal_err; } if (S3I(s)->tmp.dh != NULL) { @@ -1339,7 +1377,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -1370,7 +1408,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY); - goto f_err; + goto fatal_err; } S3I(s)->tmp.ecdh_nid = nid; ecdh = S3I(s)->tmp.ecdh; @@ -1400,7 +1438,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -1496,7 +1534,7 @@ ssl3_send_server_key_exchange(SSL *s) if (!CBB_init(&cbb_params, 0)) goto err; - type = S3I(s)->hs.new_cipher->algorithm_mkey; + type = S3I(s)->hs.cipher->algorithm_mkey; if (type & SSL_kDHE) { if (ssl3_send_server_kex_dhe(s, &cbb_params) != 1) goto err; @@ -1506,7 +1544,7 @@ ssl3_send_server_key_exchange(SSL *s) } else { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto f_err; + goto fatal_err; } if (!CBB_finish(&cbb_params, ¶ms, ¶ms_len)) @@ -1516,19 +1554,20 @@ ssl3_send_server_key_exchange(SSL *s) goto err; /* Add signature unless anonymous. */ - if (!(S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL)) { - if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.new_cipher, + if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { + if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.cipher, &md, &sigalg)) == NULL) { al = SSL_AD_DECODE_ERROR; - goto f_err; + goto fatal_err; } + S3I(s)->hs.our_sigalg = sigalg; /* Send signature algorithm. */ if (SSL_USE_SIGALGS(s)) { if (!CBB_add_u16(&server_kex, sigalg->value)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; + goto fatal_err; } } @@ -1591,7 +1630,7 @@ ssl3_send_server_key_exchange(SSL *s) return (ssl3_handshake_write(s)); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: CBB_cleanup(&cbb_params); @@ -1628,9 +1667,11 @@ ssl3_send_certificate_request(SSL *s) goto err; if (SSL_USE_SIGALGS(s)) { - if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) + if (!CBB_add_u16_length_prefixed(&cert_request, + &sigalgs)) goto err; - if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) + if (!ssl_sigalgs_build( + S3I(s)->hs.negotiated_tls_version, &sigalgs)) goto err; } @@ -1682,6 +1723,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) int al = -1; arc4random_buf(fakekey, sizeof(fakekey)); + + /* XXX - peer max protocol version. */ fakekey[0] = s->client_version >> 8; fakekey[1] = s->client_version & 0xff; @@ -1690,7 +1733,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) (pkey->pkey.rsa == NULL)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); - goto f_err; + goto fatal_err; } rsa = pkey->pkey.rsa; @@ -1702,7 +1745,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) p = pms; if (!CBS_get_u16_length_prefixed(cbs, &enc_pms)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) { SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); goto err; @@ -1718,6 +1761,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ } + /* XXX - peer max version. */ if ((al == -1) && !((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) { /* @@ -1748,18 +1792,17 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) p = fakekey; } - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, p, SSL_MAX_MASTER_KEY_LENGTH); + if (!tls12_derive_master_secret(s, p, SSL_MAX_MASTER_KEY_LENGTH)) + goto err; freezero(pms, pms_len); return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: freezero(pms, pms_len); @@ -1778,14 +1821,14 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) DH *dh; if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0) - goto truncated; + goto decode_err; if (S3I(s)->tmp.dh == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + goto fatal_err; } dh = S3I(s)->tmp.dh; @@ -1805,21 +1848,21 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) if (!DH_check_pub_key(dh, bn, &key_is_invalid)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_DH_LIB); - goto f_err; + goto fatal_err; } if (key_is_invalid) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, ERR_R_DH_LIB); - goto f_err; + goto fatal_err; } if ((key_len = DH_compute_key(key, bn, dh)) <= 0) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_DH_LIB); - goto f_err; + goto fatal_err; } - s->session->master_key_length = tls1_generate_master_secret(s, - s->session->master_key, key, key_len); + if (!tls12_derive_master_secret(s, key, key_len)) + goto err; DH_free(S3I(s)->tmp.dh); S3I(s)->tmp.dh = NULL; @@ -1829,10 +1872,10 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) return (1); - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: freezero(key, key_size); @@ -1879,8 +1922,8 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs) /* Derive the shared secret and compute master secret. */ if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len)) goto err; - s->session->master_key_length = tls1_generate_master_secret(s, - s->session->master_key, key, key_len); + if (!tls12_derive_master_secret(s, key, key_len)) + goto err; EC_KEY_free(S3I(s)->tmp.ecdh); S3I(s)->tmp.ecdh = NULL; @@ -1917,9 +1960,8 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs) freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); S3I(s)->tmp.x25519 = NULL; - s->session->master_key_length = - tls1_generate_master_secret( - s, s->session->master_key, shared_key, X25519_KEY_LENGTH); + if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH)) + goto err; ret = 1; @@ -1932,7 +1974,7 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs) static int ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs) { - if (S3I(s)->tmp.x25519 != NULL) + if (S3I(s)->tmp.x25519 != NULL) return ssl3_get_client_kex_ecdhe_ecx(s, cbs); return ssl3_get_client_kex_ecdhe_ecp(s, cbs); @@ -1951,7 +1993,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) int ret = 0; /* Get our certificate private key*/ - alg_a = S3I(s)->hs.new_cipher->algorithm_auth; + alg_a = S3I(s)->hs.cipher->algorithm_auth; if (alg_a & SSL_aGOST01) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; @@ -1975,19 +2017,17 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) /* Decrypt session key */ if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE)) - goto truncated; + goto decode_err; if (CBS_len(cbs) != 0) - goto truncated; + goto decode_err; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) { SSLerror(s, SSL_R_DECRYPTION_FAILED); goto gerr; } - /* Generate master secret */ - s->session->master_key_length = - tls1_generate_master_secret( - s, s->session->master_key, premaster_secret, 32); + if (!tls12_derive_master_secret(s, premaster_secret, 32)) + goto err; /* Check if pubkey from client certificate was used */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, @@ -2003,7 +2043,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) else goto err; - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -2030,7 +2070,7 @@ ssl3_get_client_key_exchange(SSL *s) CBS_init(&cbs, s->internal->init_msg, n); - alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; + alg_k = S3I(s)->hs.cipher->algorithm_mkey; if (alg_k & SSL_kRSA) { if (ssl3_get_client_kex_rsa(s, &cbs) != 1) @@ -2047,18 +2087,18 @@ ssl3_get_client_key_exchange(SSL *s) } else { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE); - goto f_err; + goto fatal_err; } if (CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - goto f_err; + goto fatal_err; } return (1); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -2069,7 +2109,7 @@ ssl3_get_cert_verify(SSL *s) { CBS cbs, signature; const struct ssl_sigalg *sigalg = NULL; - const EVP_MD *md = NULL; + uint16_t sigalg_value = SIGALG_NONE; EVP_PKEY *pkey = NULL; X509 *peer = NULL; EVP_MD_CTX mctx; @@ -2098,12 +2138,12 @@ ssl3_get_cert_verify(SSL *s) type = X509_certificate_type(peer, pkey); } - if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { - S3I(s)->tmp.reuse_message = 1; + if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) { + S3I(s)->hs.tls12.reuse_message = 1; if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); - goto f_err; + goto fatal_err; } ret = 1; goto end; @@ -2112,126 +2152,108 @@ ssl3_get_cert_verify(SSL *s) if (peer == NULL) { SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } if (!(type & EVP_PKT_SIGN)) { SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; + goto fatal_err; } if (S3I(s)->change_cipher_spec) { SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - - if (!SSL_USE_SIGALGS(s)) { - if (!CBS_get_u16_length_prefixed(&cbs, &signature)) - goto err; - if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (CBS_len(&cbs) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; - } + goto fatal_err; } if (SSL_USE_SIGALGS(s)) { - EVP_PKEY_CTX *pctx; - uint16_t sigalg_value; - if (!CBS_get_u16(&cbs, &sigalg_value)) - goto truncated; - if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, - tls12_sigalgs_len)) == NULL || - (md = sigalg->md()) == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } + goto decode_err; + } + if (!CBS_get_u16_length_prefixed(&cbs, &signature)) + goto err; + if (CBS_len(&cbs) != 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); + goto fatal_err; + } - if (!CBS_get_u16_length_prefixed(&cbs, &signature)) - goto err; - if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (CBS_len(&cbs) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; - } + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); + al = SSL_AD_DECODE_ERROR; + goto fatal_err; + } + + if ((sigalg = ssl_sigalg_for_peer(s, pkey, + sigalg_value)) == NULL) { + al = SSL_AD_DECODE_ERROR; + goto fatal_err; + } + S3I(s)->hs.peer_sigalg = sigalg; + + if (SSL_USE_SIGALGS(s)) { + EVP_PKEY_CTX *pctx; if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } - if (!EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, pkey)) { + if (!EVP_DigestVerifyInit(&mctx, &pctx, sigalg->md(), + NULL, pkey)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && - (!EVP_PKEY_CTX_set_rsa_padding - (pctx, RSA_PKCS1_PSS_PADDING) || + (!EVP_PKEY_CTX_set_rsa_padding(pctx, + RSA_PKCS1_PSS_PADDING) || !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (sigalg->key_type == EVP_PKEY_GOSTR01 && EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_DigestVerifyUpdate(&mctx, hdata, hdatalen)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (EVP_DigestVerifyFinal(&mctx, CBS_data(&signature), CBS_len(&signature)) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; + goto fatal_err; } } else if (pkey->type == EVP_PKEY_RSA) { - verify = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md, + verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), CBS_len(&signature), pkey->pkey.rsa); if (verify < 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_DECRYPT); - goto f_err; + goto fatal_err; } if (verify == 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); - goto f_err; + goto fatal_err; } } else if (pkey->type == EVP_PKEY_EC) { verify = ECDSA_verify(pkey->save_type, - &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), + &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH, CBS_data(&signature), CBS_len(&signature), pkey->pkey.ec); if (verify <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); - goto f_err; + goto fatal_err; } #ifndef OPENSSL_NO_GOST } else if (pkey->type == NID_id_GostR3410_94 || @@ -2239,23 +2261,24 @@ ssl3_get_cert_verify(SSL *s) unsigned char sigbuf[128]; unsigned int siglen = sizeof(sigbuf); EVP_PKEY_CTX *pctx; + const EVP_MD *md; int nid; if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || !(md = EVP_get_digestbynid(nid))) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; - goto f_err; + goto fatal_err; } if (!EVP_DigestInit_ex(&mctx, md, NULL) || !EVP_DigestUpdate(&mctx, hdata, hdatalen) || @@ -2268,14 +2291,14 @@ ssl3_get_cert_verify(SSL *s) SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; EVP_PKEY_CTX_free(pctx); - goto f_err; + goto fatal_err; } if (EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), sigbuf, siglen) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); EVP_PKEY_CTX_free(pctx); - goto f_err; + goto fatal_err; } EVP_PKEY_CTX_free(pctx); @@ -2283,15 +2306,15 @@ ssl3_get_cert_verify(SSL *s) } else { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_UNSUPPORTED_CERTIFICATE; - goto f_err; + goto fatal_err; } ret = 1; if (0) { - truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); - f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } end: @@ -2317,35 +2340,35 @@ ssl3_get_client_certificate(SSL *s) if (!ok) return ((int)n); - if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { + if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + goto fatal_err; } /* * If tls asked for a client cert, * the client must return a 0 list. */ - if (S3I(s)->tmp.cert_request) { + if (S3I(s)->hs.tls12.cert_request) { SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST ); al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + goto fatal_err; } - S3I(s)->tmp.reuse_message = 1; + S3I(s)->hs.tls12.reuse_message = 1; return (1); } - if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { + if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); - goto f_err; + goto fatal_err; } if (n < 0) - goto truncated; + goto decode_err; CBS_init(&cbs, s->internal->init_msg, n); @@ -2356,7 +2379,7 @@ ssl3_get_client_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&cbs, &client_certs) || CBS_len(&cbs) != 0) - goto truncated; + goto decode_err; while (CBS_len(&client_certs) > 0) { CBS cert; @@ -2364,7 +2387,7 @@ ssl3_get_client_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } q = CBS_data(&cert); @@ -2376,7 +2399,7 @@ ssl3_get_client_certificate(SSL *s) if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + goto fatal_err; } if (!sk_X509_push(sk, x)) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -2394,7 +2417,7 @@ ssl3_get_client_certificate(SSL *s) (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + goto fatal_err; } /* No client certificate so free transcript. */ tls1_transcript_free(s); @@ -2403,7 +2426,7 @@ ssl3_get_client_certificate(SSL *s) if (i <= 0) { al = ssl_verify_alarm_type(s->verify_result); SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED); - goto f_err; + goto fatal_err; } } @@ -2434,13 +2457,13 @@ ssl3_get_client_certificate(SSL *s) ret = 1; if (0) { -truncated: + decode_err: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -err: + err: X509_free(x); sk_X509_pop_free(sk, X509_free); diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 6b26d4c..b51538c 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_stat.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: ssl_stat.c,v 1.17 2021/06/13 15:51:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -578,94 +578,88 @@ SSL_alert_desc_string(int value) const char *str; switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: + case SSL_AD_CLOSE_NOTIFY: str = "CN"; break; - case SSL3_AD_UNEXPECTED_MESSAGE: + case SSL_AD_UNEXPECTED_MESSAGE: str = "UM"; break; - case SSL3_AD_BAD_RECORD_MAC: + case SSL_AD_BAD_RECORD_MAC: str = "BM"; break; - case SSL3_AD_DECOMPRESSION_FAILURE: + case SSL_AD_DECOMPRESSION_FAILURE: str = "DF"; break; - case SSL3_AD_HANDSHAKE_FAILURE: + case SSL_AD_HANDSHAKE_FAILURE: str = "HF"; break; - case SSL3_AD_NO_CERTIFICATE: - str = "NC"; - break; - case SSL3_AD_BAD_CERTIFICATE: + case SSL_AD_BAD_CERTIFICATE: str = "BC"; break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: + case SSL_AD_UNSUPPORTED_CERTIFICATE: str = "UC"; break; - case SSL3_AD_CERTIFICATE_REVOKED: + case SSL_AD_CERTIFICATE_REVOKED: str = "CR"; break; - case SSL3_AD_CERTIFICATE_EXPIRED: + case SSL_AD_CERTIFICATE_EXPIRED: str = "CE"; break; - case SSL3_AD_CERTIFICATE_UNKNOWN: + case SSL_AD_CERTIFICATE_UNKNOWN: str = "CU"; break; - case SSL3_AD_ILLEGAL_PARAMETER: + case SSL_AD_ILLEGAL_PARAMETER: str = "IP"; break; - case TLS1_AD_DECRYPTION_FAILED: - str = "DC"; - break; - case TLS1_AD_RECORD_OVERFLOW: + case SSL_AD_RECORD_OVERFLOW: str = "RO"; break; - case TLS1_AD_UNKNOWN_CA: + case SSL_AD_UNKNOWN_CA: str = "CA"; break; - case TLS1_AD_ACCESS_DENIED: + case SSL_AD_ACCESS_DENIED: str = "AD"; break; - case TLS1_AD_DECODE_ERROR: + case SSL_AD_DECODE_ERROR: str = "DE"; break; - case TLS1_AD_DECRYPT_ERROR: + case SSL_AD_DECRYPT_ERROR: str = "CY"; break; - case TLS1_AD_EXPORT_RESTRICTION: - str = "ER"; - break; - case TLS1_AD_PROTOCOL_VERSION: + case SSL_AD_PROTOCOL_VERSION: str = "PV"; break; - case TLS1_AD_INSUFFICIENT_SECURITY: + case SSL_AD_INSUFFICIENT_SECURITY: str = "IS"; break; - case TLS1_AD_INTERNAL_ERROR: + case SSL_AD_INTERNAL_ERROR: str = "IE"; break; - case TLS1_AD_USER_CANCELLED: + case SSL_AD_USER_CANCELLED: str = "US"; break; - case TLS1_AD_NO_RENEGOTIATION: + case SSL_AD_NO_RENEGOTIATION: str = "NR"; break; - case TLS1_AD_UNSUPPORTED_EXTENSION: + case SSL_AD_MISSING_EXTENSION: + str = "ME"; + break; + case SSL_AD_UNSUPPORTED_EXTENSION: str = "UE"; break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + case SSL_AD_CERTIFICATE_UNOBTAINABLE: str = "CO"; break; - case TLS1_AD_UNRECOGNIZED_NAME: + case SSL_AD_UNRECOGNIZED_NAME: str = "UN"; break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "BR"; break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: str = "BH"; break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: + case SSL_AD_UNKNOWN_PSK_IDENTITY: str = "UP"; break; default: @@ -681,94 +675,88 @@ SSL_alert_desc_string_long(int value) const char *str; switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: + case SSL_AD_CLOSE_NOTIFY: str = "close notify"; break; - case SSL3_AD_UNEXPECTED_MESSAGE: + case SSL_AD_UNEXPECTED_MESSAGE: str = "unexpected_message"; break; - case SSL3_AD_BAD_RECORD_MAC: + case SSL_AD_BAD_RECORD_MAC: str = "bad record mac"; break; - case SSL3_AD_DECOMPRESSION_FAILURE: + case SSL_AD_DECOMPRESSION_FAILURE: str = "decompression failure"; break; - case SSL3_AD_HANDSHAKE_FAILURE: + case SSL_AD_HANDSHAKE_FAILURE: str = "handshake failure"; break; - case SSL3_AD_NO_CERTIFICATE: - str = "no certificate"; - break; - case SSL3_AD_BAD_CERTIFICATE: + case SSL_AD_BAD_CERTIFICATE: str = "bad certificate"; break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: + case SSL_AD_UNSUPPORTED_CERTIFICATE: str = "unsupported certificate"; break; - case SSL3_AD_CERTIFICATE_REVOKED: + case SSL_AD_CERTIFICATE_REVOKED: str = "certificate revoked"; break; - case SSL3_AD_CERTIFICATE_EXPIRED: + case SSL_AD_CERTIFICATE_EXPIRED: str = "certificate expired"; break; - case SSL3_AD_CERTIFICATE_UNKNOWN: + case SSL_AD_CERTIFICATE_UNKNOWN: str = "certificate unknown"; break; - case SSL3_AD_ILLEGAL_PARAMETER: + case SSL_AD_ILLEGAL_PARAMETER: str = "illegal parameter"; break; - case TLS1_AD_DECRYPTION_FAILED: - str = "decryption failed"; - break; - case TLS1_AD_RECORD_OVERFLOW: + case SSL_AD_RECORD_OVERFLOW: str = "record overflow"; break; - case TLS1_AD_UNKNOWN_CA: + case SSL_AD_UNKNOWN_CA: str = "unknown CA"; break; - case TLS1_AD_ACCESS_DENIED: + case SSL_AD_ACCESS_DENIED: str = "access denied"; break; - case TLS1_AD_DECODE_ERROR: + case SSL_AD_DECODE_ERROR: str = "decode error"; break; - case TLS1_AD_DECRYPT_ERROR: + case SSL_AD_DECRYPT_ERROR: str = "decrypt error"; break; - case TLS1_AD_EXPORT_RESTRICTION: - str = "export restriction"; - break; - case TLS1_AD_PROTOCOL_VERSION: + case SSL_AD_PROTOCOL_VERSION: str = "protocol version"; break; - case TLS1_AD_INSUFFICIENT_SECURITY: + case SSL_AD_INSUFFICIENT_SECURITY: str = "insufficient security"; break; - case TLS1_AD_INTERNAL_ERROR: + case SSL_AD_INTERNAL_ERROR: str = "internal error"; break; - case TLS1_AD_USER_CANCELLED: + case SSL_AD_USER_CANCELLED: str = "user canceled"; break; - case TLS1_AD_NO_RENEGOTIATION: + case SSL_AD_NO_RENEGOTIATION: str = "no renegotiation"; break; - case TLS1_AD_UNSUPPORTED_EXTENSION: + case SSL_AD_MISSING_EXTENSION: + str = "missing extension"; + break; + case SSL_AD_UNSUPPORTED_EXTENSION: str = "unsupported extension"; break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + case SSL_AD_CERTIFICATE_UNOBTAINABLE: str = "certificate unobtainable"; break; - case TLS1_AD_UNRECOGNIZED_NAME: + case SSL_AD_UNRECOGNIZED_NAME: str = "unrecognized name"; break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "bad certificate status response"; break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: str = "bad certificate hash value"; break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: + case SSL_AD_UNKNOWN_PSK_IDENTITY: str = "unknown PSK identity"; break; default: diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c index a039d0b..3ad5649 100644 --- a/ssl/ssl_tlsext.c +++ b/ssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.82 2020/09/09 12:31:23 inoguchi Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.99 2021/09/10 09:25:29 tb Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -20,10 +20,10 @@ #include #include - -#include "ssl_locl.h" +#include #include "bytestring.h" +#include "ssl_locl.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" @@ -36,7 +36,7 @@ tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) { /* ALPN protos have been specified and this is the initial handshake */ return s->internal->alpn_client_proto_list != NULL && - S3I(s)->tmp.finish_md_len == 0; + S3I(s)->hs.finished_len == 0; } int @@ -85,9 +85,16 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) if (s->ctx->internal->alpn_select_cb == NULL) return 1; + /* + * XXX - A few things should be considered here: + * 1. Ensure that the same protocol is selected on session resumption. + * 2. Should the callback be called even if no ALPN extension was sent? + * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. + */ r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, CBS_data(&alpn), CBS_len(&alpn), s->ctx->internal->alpn_select_cb_arg); + if (r == SSL_TLSEXT_ERR_OK) { free(S3I(s)->alpn_selected); if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { @@ -97,9 +104,18 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) } memcpy(S3I(s)->alpn_selected, selected, selected_len); S3I(s)->alpn_selected_len = selected_len; + + return 1; } - return 1; + /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ + if (r == SSL_TLSEXT_ERR_NOACK) + return 1; + + *alert = SSL_AD_NO_APPLICATION_PROTOCOL; + SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); + + return 0; err: *alert = SSL_AD_DECODE_ERROR; @@ -139,7 +155,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) CBS list, proto; if (s->internal->alpn_client_proto_list == NULL) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -163,7 +179,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; err: - *alert = TLS1_AD_DECODE_ERROR; + *alert = SSL_AD_DECODE_ERROR; return 0; } @@ -174,7 +190,7 @@ int tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s) || - (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); + (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int @@ -226,7 +242,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, uint16_t *groups; int i; - if (S3I(s)->hs_tls13.hrr) { + if (S3I(s)->hs.tls13.hrr) { if (SSI(s)->tlsext_supportedgroups == NULL) { *alert = SSL_AD_HANDSHAKE_FAILURE; return 0; @@ -258,7 +274,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -281,7 +297,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 1; err: - *alert = TLS1_AD_DECODE_ERROR; + *alert = SSL_AD_DECODE_ERROR; return 0; } @@ -313,7 +329,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, * https://support.f5.com/csp/article/K37345003 */ if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -353,31 +369,28 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) CBS ecpf; if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) - goto err; + return 0; if (CBS_len(&ecpf) == 0) - goto err; + return 0; if (CBS_len(cbs) != 0) - goto err; + return 0; - /* Must contain uncompressed (0) */ + /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ if (!CBS_contains_zero_byte(&ecpf)) { SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); - goto err; + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; } if (!s->internal->hit) { if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), &(SSI(s)->tlsext_ecpointformatlist_length))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } return 1; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } int @@ -401,9 +414,6 @@ tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) { - if (s->version == DTLS1_VERSION) - return 0; - return ssl_using_ecc_cipher(s); } @@ -475,7 +485,8 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_ri_server_needs(SSL *s, uint16_t msg_type) { - return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); + return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && + S3I(s)->send_connection_binding); } int @@ -510,7 +521,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) S3I(s)->previous_server_finished_len != 0) || (S3I(s)->previous_client_finished_len != 0 && S3I(s)->previous_server_finished_len == 0)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -557,28 +568,22 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) { - return (TLS1_get_client_version(s) >= TLS1_2_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); } int tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - uint16_t *tls_sigalgs = tls12_sigalgs; - size_t tls_sigalgs_len = tls12_sigalgs_len; + uint16_t tls_version = S3I(s)->hs.negotiated_tls_version; CBB sigalgs; - if (TLS1_get_client_version(s) >= TLS1_3_VERSION && - S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { - tls_sigalgs = tls13_sigalgs; - tls_sigalgs_len = tls13_sigalgs_len; - } + if (msg_type == SSL_TLSEXT_MSG_CH) + tls_version = S3I(s)->hs.our_min_tls_version; if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - - if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) + if (!ssl_sigalgs_build(tls_version, &sigalgs)) return 0; - if (!CBB_flush(cbb)) return 0; @@ -603,27 +608,18 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) { - return (s->version >= TLS1_3_VERSION); + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); } int tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - uint16_t *tls_sigalgs = tls12_sigalgs; - size_t tls_sigalgs_len = tls12_sigalgs_len; CBB sigalgs; - if (s->version >= TLS1_3_VERSION) { - tls_sigalgs = tls13_sigalgs; - tls_sigalgs_len = tls13_sigalgs_len; - } - if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - - if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) + if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs)) return 0; - if (!CBB_flush(cbb)) return 0; @@ -635,7 +631,7 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS sigalgs; - if (s->version < TLS1_3_VERSION) + if (ssl_effective_tls_version(s) < TLS1_3_VERSION) return 0; if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) @@ -743,7 +739,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * other implementations appear more tolerant. */ if (name_type != TLSEXT_NAMETYPE_host_name) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } @@ -758,25 +754,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; if (!tlsext_sni_is_valid_hostname(&host_name)) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } - if (s->internal->hit || S3I(s)->hs_tls13.hrr) { + if (s->internal->hit || S3I(s)->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; } if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, strlen(s->session->tlsext_hostname))) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; } } else { if (s->session->tlsext_hostname != NULL) goto err; if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; goto err; } } @@ -786,7 +782,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * therefore we allow only one entry. */ if (CBS_len(&server_name_list) != 0) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } if (CBS_len(cbs) != 0) @@ -817,18 +813,18 @@ int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } if (s->internal->hit) { if (s->session->tlsext_hostname == NULL) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } if (strcmp(s->tlsext_hostname, s->session->tlsext_hostname) != 0) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } } else { @@ -838,7 +834,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } if ((s->session->tlsext_hostname = strdup(s->tlsext_hostname)) == NULL) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } @@ -848,14 +844,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* - *Certificate Status Request - RFC 6066 section 8. + * Certificate Status Request - RFC 6066 section 8. */ int tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s)) - return 0; if (msg_type != SSL_TLSEXT_MSG_CH) return 0; @@ -925,7 +919,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) s->tlsext_status_type = -1; if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } return 1; @@ -986,7 +980,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) { - if (s->version >= TLS1_3_VERSION && + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && s->ctx->internal->tlsext_status_cb != NULL) { s->internal->tlsext_status_expected = 0; @@ -1003,7 +997,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB ocsp_response; - if (s->version >= TLS1_3_VERSION) { + if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) return 0; if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) @@ -1021,11 +1015,10 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) int tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - CBS response; - uint16_t version = TLS1_get_client_version(s); uint8_t status_type; + CBS response; - if (version >= TLS1_3_VERSION) { + if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { if (msg_type == SSL_TLSEXT_MSG_CR) { /* * RFC 8446, 4.4.2.1 - the server may request an OCSP @@ -1060,7 +1053,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } } else { if (s->tlsext_status_type == -1) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } /* Set flag to expect CertificateStatus message */ @@ -1144,14 +1137,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), s->internal->tls_session_ticket_ext_cb_arg)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } /* We need to signal that this was processed fully */ if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1180,13 +1173,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), s->internal->tls_session_ticket_ext_cb_arg)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -1204,7 +1197,7 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) { - return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; + return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; } int @@ -1213,7 +1206,7 @@ tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) CBB profiles, mki; int ct, i; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; - SRTP_PROTECTION_PROFILE *prof; + const SRTP_PROTECTION_PROFILE *prof; if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); @@ -1247,7 +1240,7 @@ tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) int tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - SRTP_PROTECTION_PROFILE *cprof, *sprof; + const SRTP_PROTECTION_PROFILE *cprof, *sprof; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; int i, j; int ret; @@ -1327,7 +1320,7 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) { - return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; + return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; } int @@ -1358,7 +1351,7 @@ int tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; - SRTP_PROTECTION_PROFILE *prof; + const SRTP_PROTECTION_PROFILE *prof; int i; uint16_t id; CBS profile_ids, mki; @@ -1411,11 +1404,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) { - /* XXX once this gets initialized when we get tls13_client.c */ - if (S3I(s)->hs_tls13.max_version == 0) - return 0; - return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= - TLS1_3_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int @@ -1426,7 +1415,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) return 0; - if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, &client_shares)) return 0; @@ -1462,9 +1451,9 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * Ignore this client share if we're using earlier than TLSv1.3 * or we've already selected a key share. */ - if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) + if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) continue; - if (S3I(s)->hs_tls13.key_share != NULL) + if (S3I(s)->hs.tls13.key_share != NULL) continue; /* XXX - consider implementing server preference. */ @@ -1472,10 +1461,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) continue; /* Decode and store the selected key share. */ - S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); - if (S3I(s)->hs_tls13.key_share == NULL) + S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); + if (S3I(s)->hs.tls13.key_share == NULL) goto err; - if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, group, &key_exchange)) goto err; } @@ -1490,26 +1479,24 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) - return 0; - - return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && + tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); } int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* In the case of a HRR, we only send the server selected group. */ - if (S3I(s)->hs_tls13.hrr) { - if (S3I(s)->hs_tls13.server_group == 0) + if (S3I(s)->hs.tls13.hrr) { + if (S3I(s)->hs.tls13.server_group == 0) return 0; - return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); + return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); } - if (S3I(s)->hs_tls13.key_share == NULL) + if (S3I(s)->hs.tls13.key_share == NULL) return 0; - if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) return 0; return 1; @@ -1528,17 +1515,17 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (CBS_len(cbs) == 0) { /* HRR does not include an actual key share. */ /* XXX - we should know that we are in a HRR... */ - S3I(s)->hs_tls13.server_group = group; + S3I(s)->hs.tls13.server_group = group; return 1; } if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) return 0; - if (S3I(s)->hs_tls13.key_share == NULL) + if (S3I(s)->hs.tls13.key_share == NULL) return 0; - if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, group, &key_exchange)) goto err; @@ -1555,9 +1542,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_versions_client_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s)) - return 0; - return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); } int @@ -1567,11 +1552,8 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) uint16_t version; CBB versions; - max = S3I(s)->hs_tls13.max_version; - min = S3I(s)->hs_tls13.min_version; - - if (min < TLS1_VERSION) - return 0; + max = S3I(s)->hs.our_max_tls_version; + min = S3I(s)->hs.our_min_tls_version; if (!CBB_add_u8_length_prefixed(cbb, &versions)) return 0; @@ -1596,8 +1578,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) uint16_t max, min; uint16_t matched_version = 0; - max = S3I(s)->hs_tls13.max_version; - min = S3I(s)->hs_tls13.min_version; + max = S3I(s)->hs.our_max_tls_version; + min = S3I(s)->hs.our_min_tls_version; if (!CBS_get_u8_length_prefixed(cbs, &versions)) goto err; @@ -1613,16 +1595,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) matched_version = version; } - /* - * XXX if we haven't matched a version we should - * fail - but we currently need to succeed to - * ignore this before the server code for 1.3 - * is set up and initialized. - */ - if (max == 0) - return 1; /* XXX */ - - if (matched_version != 0) { + if (matched_version > 0) { + /* XXX - this should be stored for later processing. */ s->version = matched_version; return 1; } @@ -1638,17 +1612,13 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_versions_server_needs(SSL *s, uint16_t msg_type) { - return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); + return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); } int tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - if (!CBB_add_u16(cbb, TLS1_3_VERSION)) - return 0; - /* XXX set 1.2 in legacy version? */ - - return 1; + return CBB_add_u16(cbb, TLS1_3_VERSION); } int @@ -1661,13 +1631,14 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } + /* XXX - need to fix for DTLS 1.3 */ if (selected_version < TLS1_3_VERSION) { *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } /* XXX test between min and max once initialization code goes in */ - S3I(s)->hs_tls13.server_version = selected_version; + S3I(s)->hs.tls13.server_version = selected_version; return 1; } @@ -1680,12 +1651,8 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) { - if (SSL_IS_DTLS(s)) - return 0; - if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) - return 0; - return (S3I(s)->hs_tls13.cookie_len > 0 && - S3I(s)->hs_tls13.cookie != NULL); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int @@ -1696,8 +1663,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1714,7 +1681,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) + if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) goto err; /* @@ -1722,8 +1689,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * sent - client *MUST* send the same cookie with new CR after * a cookie is sent by the server with an HRR. */ - if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) { + if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) { /* XXX special cookie mismatch alert? */ *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; @@ -1739,17 +1706,12 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) int tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) { - - if (SSL_IS_DTLS(s)) - return 0; - if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) - return 0; /* * Server needs to set cookie value in tls13 handshake * in order to send one, should only be sent with HRR. */ - return (S3I(s)->hs_tls13.cookie_len > 0 && - S3I(s)->hs_tls13.cookie != NULL); + return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int @@ -1762,8 +1724,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1782,8 +1744,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * HRR from a server with a cookie to process after accepting * one from the server in the same handshake */ - if (S3I(s)->hs_tls13.cookie != NULL || - S3I(s)->hs_tls13.cookie_len != 0) { + if (S3I(s)->hs.tls13.cookie != NULL || + S3I(s)->hs.tls13.cookie_len != 0) { *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -1791,8 +1753,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, - &S3I(s)->hs_tls13.cookie_len)) + if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, + &S3I(s)->hs.tls13.cookie_len)) goto err; return 1; @@ -1815,7 +1777,7 @@ struct tls_extension { struct tls_extension_funcs server; }; -static struct tls_extension tls_extensions[] = { +static const struct tls_extension tls_extensions[] = { { .type = TLSEXT_TYPE_supported_versions, .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | @@ -1997,7 +1959,7 @@ static struct tls_extension tls_extensions[] = { /* Ensure that extensions fit in a uint32_t bitmask. */ CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); -struct tls_extension * +const struct tls_extension * tls_extension_find(uint16_t type, size_t *tls_extensions_idx) { size_t i; @@ -2022,8 +1984,8 @@ tlsext_extension_seen(SSL *s, uint16_t type) return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); } -static struct tls_extension_funcs * -tlsext_funcs(struct tls_extension *tlsext, int is_server) +static const struct tls_extension_funcs * +tlsext_funcs(const struct tls_extension *tlsext, int is_server) { if (is_server) return &tlsext->server; @@ -2034,17 +1996,14 @@ tlsext_funcs(struct tls_extension *tlsext, int is_server) static int tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) { - struct tls_extension_funcs *ext; - struct tls_extension *tlsext; + const struct tls_extension_funcs *ext; + const struct tls_extension *tlsext; CBB extensions, extension_data; int extensions_present = 0; + uint16_t tls_version; size_t i; - uint16_t version; - if (is_server) - version = s->version; - else - version = TLS1_get_client_version(s); + tls_version = ssl_effective_tls_version(s); if (!CBB_add_u16_length_prefixed(cbb, &extensions)) return 0; @@ -2054,7 +2013,7 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) ext = tlsext_funcs(tlsext, is_server); /* RFC 8446 Section 4.2 */ - if (version >= TLS1_3_VERSION && + if (tls_version >= TLS1_3_VERSION && !(tlsext->messages & msg_type)) continue; @@ -2112,20 +2071,17 @@ tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) static int tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) { - struct tls_extension_funcs *ext; - struct tls_extension *tlsext; + const struct tls_extension_funcs *ext; + const struct tls_extension *tlsext; CBS extensions, extension_data; uint16_t type; size_t idx; - uint16_t version; + uint16_t tls_version; int alert_desc; - S3I(s)->hs.extensions_seen = 0; + tls_version = ssl_effective_tls_version(s); - if (is_server) - version = s->version; - else - version = TLS1_get_client_version(s); + S3I(s)->hs.extensions_seen = 0; /* An empty extensions block is valid. */ if (CBS_len(cbs) == 0) @@ -2143,24 +2099,24 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) goto err; if (s->internal->tlsext_debug_cb != NULL) - s->internal->tlsext_debug_cb(s, is_server, type, + s->internal->tlsext_debug_cb(s, !is_server, type, (unsigned char *)CBS_data(&extension_data), CBS_len(&extension_data), s->internal->tlsext_debug_arg); - if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server && + /* Unknown extensions are ignored. */ + if ((tlsext = tls_extension_find(type, &idx)) == NULL) + continue; + + if (tls_version >= TLS1_3_VERSION && is_server && msg_type == SSL_TLSEXT_MSG_CH) { if (!tlsext_clienthello_hash_extension(s, type, &extension_data)) goto err; } - /* Unknown extensions are ignored. */ - if ((tlsext = tls_extension_find(type, &idx)) == NULL) - continue; - /* RFC 8446 Section 4.2 */ - if (version >= TLS1_3_VERSION && + if (tls_version >= TLS1_3_VERSION && !(tlsext->messages & msg_type)) { alert_desc = SSL_AD_ILLEGAL_PARAMETER; goto err; diff --git a/ssl/ssl_tlsext.h b/ssl/ssl_tlsext.h index d98b387..8e0742a 100644 --- a/ssl/ssl_tlsext.h +++ b/ssl/ssl_tlsext.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.h,v 1.25 2020/07/03 04:51:59 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.h,v 1.26 2020/10/11 01:13:04 guenther Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -134,7 +134,7 @@ int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb); int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -struct tls_extension *tls_extension_find(uint16_t, size_t *); +const struct tls_extension *tls_extension_find(uint16_t, size_t *); int tlsext_extension_seen(SSL *s, uint16_t); __END_HIDDEN_DECLS diff --git a/ssl/ssl_transcript.c b/ssl/ssl_transcript.c index b93004c..47aa15a 100644 --- a/ssl/ssl_transcript.c +++ b/ssl/ssl_transcript.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_transcript.c,v 1.2 2020/02/05 16:47:34 jsing Exp $ */ +/* $OpenBSD: ssl_transcript.c,v 1.5 2021/05/16 14:10:43 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -15,10 +15,10 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include +#include "ssl_locl.h" + int tls1_transcript_hash_init(SSL *s) { @@ -50,7 +50,7 @@ tls1_transcript_hash_init(SSL *s) SSLerror(s, ERR_R_EVP_LIB); goto err; } - + return 1; err: @@ -76,6 +76,9 @@ tls1_transcript_hash_value(SSL *s, const unsigned char *out, size_t len, unsigned int mdlen; int ret = 0; + if (S3I(s)->handshake_hash == NULL) + goto err; + if (EVP_MD_CTX_size(S3I(s)->handshake_hash) > len) goto err; @@ -139,7 +142,7 @@ tls1_transcript_reset(SSL *s) * it is impossible to tell if it succeeded (returning a length of zero) * or if it failed (and returned zero)... our implementation never * fails with a length of zero, so we trust all is okay... - */ + */ (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0); tls1_transcript_unfreeze(s); diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 0180d07..09b76dd 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.29 2021/06/11 11:13:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -182,7 +182,7 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) goto err; return (1); -err: + err: return (0); } diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c index b21fa71..c633b58 100644 --- a/ssl/ssl_versions.c +++ b/ssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.20 2021/07/01 17:53:39 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -17,8 +17,28 @@ #include "ssl_locl.h" +static uint16_t +ssl_dtls_to_tls_version(uint16_t dtls_ver) +{ + if (dtls_ver == DTLS1_VERSION) + return TLS1_1_VERSION; + if (dtls_ver == DTLS1_2_VERSION) + return TLS1_2_VERSION; + return 0; +} + +static uint16_t +ssl_tls_to_dtls_version(uint16_t tls_ver) +{ + if (tls_ver == TLS1_1_VERSION) + return DTLS1_VERSION; + if (tls_ver == TLS1_2_VERSION) + return DTLS1_2_VERSION; + return 0; +} + static int -ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, +ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver, uint16_t clamp_min, uint16_t clamp_max) { if (clamp_min > clamp_max || *min_ver > *max_ver) @@ -35,55 +55,80 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, } int -ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, - uint16_t *out_ver) +ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) { - uint16_t min_version, max_version; + uint16_t min_proto, min_version, max_version; - if (ver == 0) { - *out_ver = meth->internal->min_version; + if (proto_ver == 0) { + *out_tls_ver = meth->min_tls_version; + *out_proto_ver = 0; return 1; } - min_version = ver; - max_version = max_ver; + min_version = proto_ver; + max_version = max_tls_ver; - if (!ssl_clamp_version_range(&min_version, &max_version, - meth->internal->min_version, meth->internal->max_version)) + if (meth->dtls) { + if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0) + return 0; + } + + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + meth->min_tls_version, meth->max_tls_version)) return 0; - *out_ver = min_version; - + min_proto = min_version; + if (meth->dtls) { + if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0) + return 0; + } + *out_tls_ver = min_version; + *out_proto_ver = min_proto; + return 1; } int -ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, - uint16_t *out_ver) +ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, + uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) { - uint16_t min_version, max_version; + uint16_t max_proto, min_version, max_version; - if (ver == 0) { - *out_ver = meth->internal->max_version; + if (proto_ver == 0) { + *out_tls_ver = meth->max_tls_version; + *out_proto_ver = 0; return 1; } - min_version = min_ver; - max_version = ver; + min_version = min_tls_ver; + max_version = proto_ver; - if (!ssl_clamp_version_range(&min_version, &max_version, - meth->internal->min_version, meth->internal->max_version)) + if (meth->dtls) { + if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0) + return 0; + } + + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + meth->min_tls_version, meth->max_tls_version)) return 0; - *out_ver = max_version; - + max_proto = max_version; + if (meth->dtls) { + if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0) + return 0; + } + *out_tls_ver = max_version; + *out_proto_ver = max_proto; + return 1; } int -ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) { uint16_t min_version, max_version; + unsigned long options; /* * The enabled versions have to be a contiguous range, which means we @@ -95,23 +140,32 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = 0; max_version = TLS1_3_VERSION; + options = s->internal->options; - if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) + if (SSL_is_dtls(s)) { + options = 0; + if (s->internal->options & SSL_OP_NO_DTLSv1) + options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; + if (s->internal->options & SSL_OP_NO_DTLSv1_2) + options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; + } + + if ((options & SSL_OP_NO_TLSv1) == 0) min_version = TLS1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) + else if ((options & SSL_OP_NO_TLSv1_1) == 0) min_version = TLS1_1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) + else if ((options & SSL_OP_NO_TLSv1_2) == 0) min_version = TLS1_2_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_3) == 0) + else if ((options & SSL_OP_NO_TLSv1_3) == 0) min_version = TLS1_3_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) + if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) max_version = TLS1_2_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) + if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) max_version = TLS1_1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) + if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) max_version = TLS1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) + if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) max_version = 0; /* Everything has been disabled... */ @@ -119,8 +173,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) return 0; /* Limit to configured version range. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->internal->min_version, s->internal->max_version)) + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + s->internal->min_tls_version, s->internal->max_tls_version)) return 0; if (min_ver != NULL) @@ -132,26 +186,18 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) } int -ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) { uint16_t min_version, max_version; - /* DTLS cannot currently be disabled... */ - if (SSL_IS_DTLS(s)) { - min_version = max_version = DTLS1_VERSION; - goto done; - } - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) + if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) return 0; /* Limit to the versions supported by this method. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->method->internal->min_version, - s->method->internal->max_version)) + if (!ssl_clamp_tls_version_range(&min_version, &max_version, + s->method->min_tls_version, s->method->max_tls_version)) return 0; - done: if (min_ver != NULL) *min_ver = min_version; if (max_ver != NULL) @@ -160,33 +206,93 @@ ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) return 1; } +uint16_t +ssl_tls_version(uint16_t version) +{ + if (version == TLS1_VERSION || version == TLS1_1_VERSION || + version == TLS1_2_VERSION || version == TLS1_3_VERSION) + return version; + + if (version == DTLS1_VERSION) + return TLS1_1_VERSION; + if (version == DTLS1_2_VERSION) + return TLS1_2_VERSION; + + return 0; +} + +uint16_t +ssl_effective_tls_version(SSL *s) +{ + if (S3I(s)->hs.negotiated_tls_version > 0) + return S3I(s)->hs.negotiated_tls_version; + + return S3I(s)->hs.our_max_tls_version; +} + +int +ssl_max_supported_version(SSL *s, uint16_t *max_ver) +{ + uint16_t max_version; + + *max_ver = 0; + + if (!ssl_supported_tls_version_range(s, NULL, &max_version)) + return 0; + + if (SSL_is_dtls(s)) { + if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) + return 0; + } + + *max_ver = max_version; + + return 1; +} + int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) { - uint16_t min_version, max_version, shared_version; + uint16_t min_version, max_version, peer_tls_version, shared_version; *max_ver = 0; + peer_tls_version = peer_ver; - if (SSL_IS_DTLS(s)) { - if (peer_ver >= DTLS1_VERSION) { - *max_ver = DTLS1_VERSION; - return 1; + if (SSL_is_dtls(s)) { + if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR) + return 0; + + /* + * Convert the peer version to a TLS version - DTLS versions are + * the 1's complement of TLS version numbers (but not the actual + * protocol version numbers, that would be too sensible). Not to + * mention that DTLSv1.0 is really equivalent to DTLSv1.1. + */ + peer_tls_version = ssl_dtls_to_tls_version(peer_ver); + + /* + * This may be a version that we do not know about, if it is + * newer than DTLS1_2_VERSION (yes, less than is correct due + * to the "clever" versioning scheme), use TLS1_2_VERSION. + */ + if (peer_tls_version == 0) { + if (peer_ver < DTLS1_2_VERSION) + peer_tls_version = TLS1_2_VERSION; } - return 0; } - if (peer_ver >= TLS1_3_VERSION) + if (peer_tls_version >= TLS1_3_VERSION) shared_version = TLS1_3_VERSION; - else if (peer_ver >= TLS1_2_VERSION) + else if (peer_tls_version >= TLS1_2_VERSION) shared_version = TLS1_2_VERSION; - else if (peer_ver >= TLS1_1_VERSION) + else if (peer_tls_version >= TLS1_1_VERSION) shared_version = TLS1_1_VERSION; - else if (peer_ver >= TLS1_VERSION) + else if (peer_tls_version >= TLS1_VERSION) shared_version = TLS1_VERSION; else return 0; - if (!ssl_supported_version_range(s, &min_version, &max_version)) + if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) return 0; if (shared_version < min_version) @@ -195,39 +301,49 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) if (shared_version > max_version) shared_version = max_version; + if (SSL_is_dtls(s)) { + /* + * The resulting shared version will by definition be something + * that we know about. Switch back from TLS to DTLS. + */ + shared_version = ssl_tls_to_dtls_version(shared_version); + if (shared_version == 0) + return 0; + } + *max_ver = shared_version; return 1; } int -ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) +ssl_check_version_from_server(SSL *s, uint16_t server_version) { - uint16_t min_version, max_version; + uint16_t min_tls_version, max_tls_version, server_tls_version; - /* - * The downgrade maximum version is based on the versions that are - * enabled, however we also have to then limit to the versions - * supported by the method. The SSL method will be changed during - * version negotiation and when switching from the new stack to - * the legacy context, as such we want to use the method from the - * context. - */ + /* Ensure that the version selected by the server is valid. */ - if (SSL_IS_DTLS(s)) { - *max_ver = DTLS1_VERSION; - return 1; + server_tls_version = server_version; + if (SSL_is_dtls(s)) { + server_tls_version = ssl_dtls_to_tls_version(server_version); + if (server_tls_version == 0) + return 0; } - if (!ssl_enabled_version_range(s, &min_version, &max_version)) + if (!ssl_supported_tls_version_range(s, &min_tls_version, + &max_tls_version)) return 0; - if (!ssl_clamp_version_range(&min_version, &max_version, - s->ctx->method->internal->min_version, - s->ctx->method->internal->max_version)) - return 0; - - *max_ver = max_version; - - return 1; + return (server_tls_version >= min_tls_version && + server_tls_version <= max_tls_version); +} + +int +ssl_legacy_stack_version(SSL *s, uint16_t version) +{ + if (SSL_is_dtls(s)) + return version == DTLS1_VERSION || version == DTLS1_2_VERSION; + + return version == TLS1_VERSION || version == TLS1_1_VERSION || + version == TLS1_2_VERSION; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index a66c82b..65e2063 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.151 2021/07/01 17:53:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -138,34 +138,19 @@ #include #include -#include "ssl_locl.h" - #include #include #include +#include -int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, - const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, - const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, - const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len); +#include "dtls_locl.h" +#include "ssl_locl.h" void tls1_cleanup_key_block(SSL *s) { - freezero(S3I(s)->hs.key_block, S3I(s)->hs.key_block_len); - S3I(s)->hs.key_block = NULL; - S3I(s)->hs.key_block_len = 0; -} - -void -tls1_record_sequence_increment(unsigned char *seq) -{ - int i; - - for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) { - if (++seq[i] != 0) - break; - } + tls12_key_block_free(S3I(s)->hs.tls12.key_block); + S3I(s)->hs.tls12.key_block = NULL; } /* @@ -299,313 +284,78 @@ tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, return (1); } -static int -tls1_generate_key_block(SSL *s, unsigned char *km, int num) +int +tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len) { - if (num < 0) - return (0); - return tls1_PRF(s, s->session->master_key, s->session->master_key_length, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, km, num); -} - -/* - * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success - * and 0 on failure. - */ -static int -tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) -{ - if (*aead_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); - return (1); - } - - *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); - if (*aead_ctx == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } - - return (1); + NULL, 0, NULL, 0, key_block, key_block_len); } static int -tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, - unsigned int key_len, const unsigned char *iv, unsigned int iv_len) +tls1_change_cipher_state(SSL *s, int is_write) { - const EVP_AEAD *aead = S3I(s)->tmp.new_aead; - SSL_AEAD_CTX *aead_ctx; + CBS mac_key, key, iv; - /* XXX - Need to avoid clearing write state for DTLS. */ - if (SSL_IS_DTLS(s)) - return 0; - - if (is_read) { - ssl_clear_cipher_read_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx)) - return 0; - aead_ctx = s->internal->aead_read_ctx; - - if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx)) - return 0; + /* Use client write keys on client write and server read. */ + if ((!s->server && is_write) || (s->server && !is_write)) { + tls12_key_block_client_write(S3I(s)->hs.tls12.key_block, + &mac_key, &key, &iv); } else { - ssl_clear_cipher_write_state(s); - if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx)) - return 0; - aead_ctx = s->internal->aead_write_ctx; - - if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx)) - return 0; + tls12_key_block_server_write(S3I(s)->hs.tls12.key_block, + &mac_key, &key, &iv); } - if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, - EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) - return (0); - if (iv_len > sizeof(aead_ctx->fixed_nonce)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - memcpy(aead_ctx->fixed_nonce, iv, iv_len); - aead_ctx->fixed_nonce_len = iv_len; - aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ - aead_ctx->variable_nonce_in_record = - (S3I(s)->hs.new_cipher->algorithm2 & - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; - aead_ctx->xor_fixed_nonce = - S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; - aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); - - if (aead_ctx->xor_fixed_nonce) { - if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || - aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } + if (!is_write) { + if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, + &mac_key, &key, &iv)) + goto err; + if (SSL_is_dtls(s)) + dtls1_reset_read_seq_numbers(s); + tls12_record_layer_read_cipher_hash(s->internal->rl, + &s->enc_read_ctx, &s->read_hash); } else { - if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != - EVP_AEAD_nonce_length(aead)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - return (0); - } - } - - return (1); -} - -/* - * tls1_change_cipher_state_cipher performs the work needed to switch cipher - * states when using EVP_CIPHER. The argument is_read is true iff this function - * is being called due to reading, as opposed to writing, a ChangeCipherSpec - * message. - */ -static int -tls1_change_cipher_state_cipher(SSL *s, char is_read, - const unsigned char *mac_secret, unsigned int mac_secret_size, - const unsigned char *key, unsigned int key_len, const unsigned char *iv, - unsigned int iv_len) -{ - EVP_CIPHER_CTX *cipher_ctx; - const EVP_CIPHER *cipher; - EVP_MD_CTX *mac_ctx; - EVP_PKEY *mac_key; - const EVP_MD *mac; - int stream_mac; - int mac_type; - - cipher = S3I(s)->tmp.new_sym_enc; - mac = S3I(s)->tmp.new_hash; - mac_type = S3I(s)->tmp.new_mac_pkey_type; - stream_mac = S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC; - - if (is_read) { - if (stream_mac) - s->internal->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; - else - s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; - - ssl_clear_cipher_read_state(s); - - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_read_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_new()) == NULL) - goto err; - s->read_hash = mac_ctx; - - if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl, - cipher_ctx, mac_ctx, stream_mac)) - goto err; - } else { - if (stream_mac) - s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->internal->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - - /* - * DTLS fragments retain a pointer to the compression, cipher - * and hash contexts, so that it can restore state in order - * to perform retransmissions. As such, we cannot free write - * contexts that are used for DTLS - these are instead freed - * by DTLS when its frees a ChangeCipherSpec fragment. - */ - if (!SSL_IS_DTLS(s)) - ssl_clear_cipher_write_state(s); - - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->internal->enc_write_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_new()) == NULL) - goto err; - s->internal->write_hash = mac_ctx; - - if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl, - cipher_ctx, mac_ctx, stream_mac)) + if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, + &mac_key, &key, &iv)) goto err; } - - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); - - if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, - mac_secret_size)) == NULL) - goto err; - EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); - EVP_PKEY_free(mac_key); - - if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) { - int nid; - if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) - nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; - else - nid = NID_id_tc26_gost_28147_param_Z; - - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0); - if (S3I(s)->hs.new_cipher->algorithm_mac == SSL_GOST89MAC) - EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0); - } - return (1); -err: - SSLerrorx(ERR_R_MALLOC_FAILURE); + err: return (0); } int -tls1_change_cipher_state(SSL *s, int which) +tls1_change_read_cipher_state(SSL *s) { - const unsigned char *client_write_mac_secret, *server_write_mac_secret; - const unsigned char *client_write_key, *server_write_key; - const unsigned char *client_write_iv, *server_write_iv; - const unsigned char *mac_secret, *key, *iv; - int mac_secret_size, key_len, iv_len; - unsigned char *key_block, *seq; - const EVP_CIPHER *cipher; - const EVP_AEAD *aead; - char is_read, use_client_keys; + return tls1_change_cipher_state(s, 0); +} - cipher = S3I(s)->tmp.new_sym_enc; - aead = S3I(s)->tmp.new_aead; - - /* - * is_read is true if we have just read a ChangeCipherSpec message, - * that is we need to update the read cipherspec. Otherwise we have - * just written one. - */ - is_read = (which & SSL3_CC_READ) != 0; - - /* - * use_client_keys is true if we wish to use the keys for the "client - * write" direction. This is the case if we're a client sending a - * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. - */ - use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)); - - /* - * Reset sequence number to zero - for DTLS this is handled in - * dtls1_reset_seq_numbers(). - */ - if (!SSL_IS_DTLS(s)) { - seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence; - memset(seq, 0, SSL3_SEQUENCE_SIZE); - } - - if (aead != NULL) { - key_len = EVP_AEAD_key_length(aead); - iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.new_cipher); - } else { - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); - } - - mac_secret_size = S3I(s)->tmp.new_mac_secret_size; - - key_block = S3I(s)->hs.key_block; - client_write_mac_secret = key_block; - key_block += mac_secret_size; - server_write_mac_secret = key_block; - key_block += mac_secret_size; - client_write_key = key_block; - key_block += key_len; - server_write_key = key_block; - key_block += key_len; - client_write_iv = key_block; - key_block += iv_len; - server_write_iv = key_block; - key_block += iv_len; - - if (use_client_keys) { - mac_secret = client_write_mac_secret; - key = client_write_key; - iv = client_write_iv; - } else { - mac_secret = server_write_mac_secret; - key = server_write_key; - iv = server_write_iv; - } - - if (key_block - S3I(s)->hs.key_block != S3I(s)->hs.key_block_len) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err2; - } - - if (is_read) { - memcpy(S3I(s)->read_mac_secret, mac_secret, mac_secret_size); - S3I(s)->read_mac_secret_size = mac_secret_size; - } else { - memcpy(S3I(s)->write_mac_secret, mac_secret, mac_secret_size); - S3I(s)->write_mac_secret_size = mac_secret_size; - } - - if (aead != NULL) { - return tls1_change_cipher_state_aead(s, is_read, key, key_len, - iv, iv_len); - } - - return tls1_change_cipher_state_cipher(s, is_read, - mac_secret, mac_secret_size, key, key_len, iv, iv_len); - -err2: - return (0); +int +tls1_change_write_cipher_state(SSL *s) +{ + return tls1_change_cipher_state(s, 1); } int tls1_setup_key_block(SSL *s) { - unsigned char *key_block; + struct tls12_key_block *key_block; int mac_type = NID_undef, mac_secret_size = 0; - int key_block_len, key_len, iv_len; const EVP_CIPHER *cipher = NULL; const EVP_AEAD *aead = NULL; - const EVP_MD *mac = NULL; + const EVP_MD *handshake_hash = NULL; + const EVP_MD *mac_hash = NULL; int ret = 0; - if (S3I(s)->hs.key_block_len != 0) + /* + * XXX - callers should be changed so that they only call this + * function once. + */ + if (S3I(s)->hs.tls12.key_block != NULL) return (1); if (s->session->cipher && @@ -614,41 +364,32 @@ tls1_setup_key_block(SSL *s) SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } - key_len = EVP_AEAD_key_length(aead); - iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); } else { - if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, - &mac_secret_size)) { + /* XXX - mac_type and mac_secret_size are now unused. */ + if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash, + &mac_type, &mac_secret_size)) { SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); } - S3I(s)->tmp.new_aead = aead; - S3I(s)->tmp.new_sym_enc = cipher; - S3I(s)->tmp.new_hash = mac; - S3I(s)->tmp.new_mac_pkey_type = mac_type; - S3I(s)->tmp.new_mac_secret_size = mac_secret_size; + if (!ssl_get_handshake_evp_md(s, &handshake_hash)) + return (0); - tls1_cleanup_key_block(s); + tls12_record_layer_set_aead(s->internal->rl, aead); + tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, + handshake_hash, mac_hash); - if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, - 2)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + if ((key_block = tls12_key_block_new()) == NULL) goto err; - } - key_block_len = (mac_secret_size + key_len + iv_len) * 2; - - S3I(s)->hs.key_block_len = key_block_len; - S3I(s)->hs.key_block = key_block; - - if (!tls1_generate_key_block(s, key_block, key_block_len)) + if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash)) goto err; + S3I(s)->hs.tls12.key_block = key_block; + key_block = NULL; + if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && - s->method->internal->version <= TLS1_VERSION) { + s->method->version <= TLS1_VERSION) { /* * Enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) @@ -669,379 +410,11 @@ tls1_setup_key_block(SSL *s) ret = 1; err: + tls12_key_block_free(key_block); + return (ret); } -/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. - */ -int -tls1_enc(SSL *s, int send) -{ - const SSL_AEAD_CTX *aead; - const EVP_CIPHER *enc; - EVP_CIPHER_CTX *ds; - SSL3_RECORD_INTERNAL *rec; - unsigned char *seq; - unsigned long l; - int bs, i, j, k, ret, mac_size = 0; - - if (send) { - /* No longer supported. */ - return -1; - } else { - aead = s->internal->aead_read_ctx; - rec = &S3I(s)->rrec; - seq = S3I(s)->read_sequence; - } - - if (aead) { - unsigned char ad[13], *in, *out, nonce[16]; - size_t out_len, pad_len = 0; - unsigned int nonce_used; - - if (SSL_IS_DTLS(s)) { - dtls1_build_sequence_number(ad, seq, - send ? D1I(s)->w_epoch : D1I(s)->r_epoch); - } else { - memcpy(ad, seq, SSL3_SEQUENCE_SIZE); - tls1_record_sequence_increment(seq); - } - - ad[8] = rec->type; - ad[9] = (unsigned char)(s->version >> 8); - ad[10] = (unsigned char)(s->version); - - if (aead->variable_nonce_len > 8 || - aead->variable_nonce_len > sizeof(nonce)) - return -1; - - if (aead->xor_fixed_nonce) { - if (aead->fixed_nonce_len > sizeof(nonce) || - aead->variable_nonce_len > aead->fixed_nonce_len) - return -1; /* Should never happen. */ - pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; - } else { - if (aead->fixed_nonce_len + - aead->variable_nonce_len > sizeof(nonce)) - return -1; /* Should never happen. */ - } - - if (send) { - size_t len = rec->length; - size_t eivlen = 0; - in = rec->input; - out = rec->data; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - /* - * When sending we use the sequence number as - * the variable part of the nonce. - */ - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - memcpy(nonce + nonce_used, ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - /* - * In do_ssl3_write, rec->input is moved forward by - * variable_nonce_len in order to leave space for the - * variable nonce. Thus we can copy the sequence number - * bytes into place without overwriting any of the - * plaintext. - */ - if (aead->variable_nonce_in_record) { - memcpy(out, ad, aead->variable_nonce_len); - len -= aead->variable_nonce_len; - eivlen = aead->variable_nonce_len; - } - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_seal(&aead->ctx, - out + eivlen, &out_len, len + aead->tag_len, nonce, - nonce_used, in + eivlen, len, ad, sizeof(ad))) - return -1; - if (aead->variable_nonce_in_record) - out_len += aead->variable_nonce_len; - } else { - /* receive */ - size_t len = rec->length; - - if (rec->data != rec->input) - return -1; /* internal error - should never happen. */ - out = in = rec->input; - - if (len < aead->variable_nonce_len) - return 0; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - - memcpy(nonce + nonce_used, - aead->variable_nonce_in_record ? in : ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - if (aead->variable_nonce_in_record) { - in += aead->variable_nonce_len; - len -= aead->variable_nonce_len; - out += aead->variable_nonce_len; - } - - if (len < aead->tag_len) - return 0; - len -= aead->tag_len; - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len, - nonce, nonce_used, in, len + aead->tag_len, ad, - sizeof(ad))) - return -1; - - rec->data = rec->input = out; - } - - rec->length = out_len; - - return 1; - } - - if (send) { - if (EVP_MD_CTX_md(s->internal->write_hash)) { - int n = EVP_MD_CTX_size(s->internal->write_hash); - OPENSSL_assert(n >= 0); - } - ds = s->internal->enc_write_ctx; - if (s->internal->enc_write_ctx == NULL) - enc = NULL; - else { - int ivlen = 0; - enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx); - if (SSL_USE_EXPLICIT_IV(s) && - EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) - ivlen = EVP_CIPHER_iv_length(enc); - if (ivlen > 1) { - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream: - * Can this ever happen?? (steve) - */ - fprintf(stderr, - "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else - arc4random_buf(rec->input, ivlen); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); - } - ds = s->enc_read_ctx; - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - ret = 1; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if (bs != 1 && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - i = EVP_Cipher(ds, rec->data, rec->input, l); - if ((EVP_CIPHER_flags(ds->cipher) & - EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) - return -1; /* AEAD can fail to verify MAC */ - - ret = 1; - if (EVP_MD_CTX_md(s->read_hash) != NULL) - mac_size = EVP_MD_CTX_size(s->read_hash); - if ((bs != 1) && !send) - ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return ret; -} - -int -tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) -{ - unsigned char buf[EVP_MAX_MD_SIZE]; - size_t hash_len; - - if (str_len < 0) - return 0; - - if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) - return 0; - - if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length, - str, str_len, buf, hash_len, NULL, 0, NULL, 0, NULL, 0, - out, TLS1_FINISH_MAC_LENGTH)) - return 0; - - return TLS1_FINISH_MAC_LENGTH; -} - -int -tls1_mac(SSL *ssl, unsigned char *md, int send) -{ - SSL3_RECORD_INTERNAL *rec; - unsigned char *seq; - EVP_MD_CTX *hash; - size_t md_size, orig_len; - EVP_MD_CTX hmac, *mac_ctx; - unsigned char header[13]; - int stream_mac = (send ? - (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : - (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); - int t; - - if (send) { - /* No longer supported. */ - return -1; - } else { - rec = &(ssl->s3->internal->rrec); - seq = &(ssl->s3->internal->read_sequence[0]); - hash = ssl->read_hash; - } - - t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); - md_size = t; - - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) { - mac_ctx = hash; - } else { - if (!EVP_MD_CTX_copy(&hmac, hash)) - return -1; - mac_ctx = &hmac; - } - - if (SSL_IS_DTLS(ssl)) - dtls1_build_sequence_number(header, seq, - send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch); - else - memcpy(header, seq, SSL3_SEQUENCE_SIZE); - - orig_len = rec->length + md_size + rec->padding_length; - - header[8] = rec->type; - header[9] = (unsigned char)(ssl->version >> 8); - header[10] = (unsigned char)(ssl->version); - header[11] = (rec->length) >> 8; - header[12] = (rec->length) & 0xff; - - if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) { - /* This is a CBC-encrypted record. We must avoid leaking any - * timing-side channel information about how many blocks of - * data we are hashing because that gives an attacker a - * timing-oracle. */ - if (!ssl3_cbc_digest_record(mac_ctx, - md, &md_size, header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->internal->read_mac_secret, - ssl->s3->internal->read_mac_secret_size)) - return -1; - } else { - EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); - EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); - t = EVP_DigestSignFinal(mac_ctx, md, &md_size); - OPENSSL_assert(t > 0); - } - - if (!stream_mac) - EVP_MD_CTX_cleanup(&hmac); - - if (!SSL_IS_DTLS(ssl)) - tls1_record_sequence_increment(seq); - - return (md_size); -} - -int -tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, - int len) -{ - if (len < 0) - return 0; - - if (!tls1_PRF(s, p, len, - TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0, - s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0, - s->session->master_key, SSL_MAX_MASTER_KEY_LENGTH)) - return 0; - - return (SSL_MAX_MASTER_KEY_LENGTH); -} - int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *context, @@ -1051,6 +424,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, size_t vallen, currentvalpos; int rv; + if (!SSL_is_init_finished(s)) { + SSLerror(s, SSL_R_BAD_STATE); + return 0; + } + /* construct PRF arguments * we construct the PRF argument ourself rather than passing separate * values into the TLS PRF to ensure that the concatenation of values @@ -1104,86 +482,15 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen); goto ret; -err1: + err1: SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); rv = 0; goto ret; -err2: + err2: SSLerror(s, ERR_R_MALLOC_FAILURE); rv = 0; -ret: + ret: free(val); return (rv); } - -int -tls1_alert_code(int code) -{ - switch (code) { - case SSL_AD_CLOSE_NOTIFY: - return (SSL3_AD_CLOSE_NOTIFY); - case SSL_AD_UNEXPECTED_MESSAGE: - return (SSL3_AD_UNEXPECTED_MESSAGE); - case SSL_AD_BAD_RECORD_MAC: - return (SSL3_AD_BAD_RECORD_MAC); - case SSL_AD_DECRYPTION_FAILED: - return (TLS1_AD_DECRYPTION_FAILED); - case SSL_AD_RECORD_OVERFLOW: - return (TLS1_AD_RECORD_OVERFLOW); - case SSL_AD_DECOMPRESSION_FAILURE: - return (SSL3_AD_DECOMPRESSION_FAILURE); - case SSL_AD_HANDSHAKE_FAILURE: - return (SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_NO_CERTIFICATE: - return (-1); - case SSL_AD_BAD_CERTIFICATE: - return (SSL3_AD_BAD_CERTIFICATE); - case SSL_AD_UNSUPPORTED_CERTIFICATE: - return (SSL3_AD_UNSUPPORTED_CERTIFICATE); - case SSL_AD_CERTIFICATE_REVOKED: - return (SSL3_AD_CERTIFICATE_REVOKED); - case SSL_AD_CERTIFICATE_EXPIRED: - return (SSL3_AD_CERTIFICATE_EXPIRED); - case SSL_AD_CERTIFICATE_UNKNOWN: - return (SSL3_AD_CERTIFICATE_UNKNOWN); - case SSL_AD_ILLEGAL_PARAMETER: - return (SSL3_AD_ILLEGAL_PARAMETER); - case SSL_AD_UNKNOWN_CA: - return (TLS1_AD_UNKNOWN_CA); - case SSL_AD_ACCESS_DENIED: - return (TLS1_AD_ACCESS_DENIED); - case SSL_AD_DECODE_ERROR: - return (TLS1_AD_DECODE_ERROR); - case SSL_AD_DECRYPT_ERROR: - return (TLS1_AD_DECRYPT_ERROR); - case SSL_AD_EXPORT_RESTRICTION: - return (TLS1_AD_EXPORT_RESTRICTION); - case SSL_AD_PROTOCOL_VERSION: - return (TLS1_AD_PROTOCOL_VERSION); - case SSL_AD_INSUFFICIENT_SECURITY: - return (TLS1_AD_INSUFFICIENT_SECURITY); - case SSL_AD_INTERNAL_ERROR: - return (TLS1_AD_INTERNAL_ERROR); - case SSL_AD_INAPPROPRIATE_FALLBACK: - return(TLS1_AD_INAPPROPRIATE_FALLBACK); - case SSL_AD_USER_CANCELLED: - return (TLS1_AD_USER_CANCELLED); - case SSL_AD_NO_RENEGOTIATION: - return (TLS1_AD_NO_RENEGOTIATION); - case SSL_AD_UNSUPPORTED_EXTENSION: - return (TLS1_AD_UNSUPPORTED_EXTENSION); - case SSL_AD_CERTIFICATE_UNOBTAINABLE: - return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); - case SSL_AD_UNRECOGNIZED_NAME: - return (TLS1_AD_UNRECOGNIZED_NAME); - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: - return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); - case SSL_AD_UNKNOWN_PSK_IDENTITY: - return (TLS1_AD_UNKNOWN_PSK_IDENTITY); - default: - return (-1); - } -} diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index f091dd0..3cb2d8a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.176 2020/09/12 17:25:11 tb Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.182 2021/07/01 17:53:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -116,34 +116,20 @@ #include #include -#include "ssl_locl.h" - #include "bytestring.h" +#include "ssl_locl.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess); -SSL3_ENC_METHOD TLSv1_enc_data = { - .enc_flags = 0, -}; - -SSL3_ENC_METHOD TLSv1_1_enc_data = { - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, -}; - -SSL3_ENC_METHOD TLSv1_2_enc_data = { - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| - SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, -}; - int tls1_new(SSL *s) { if (!ssl3_new(s)) return (0); - s->method->internal->ssl_clear(s); + s->method->ssl_clear(s); return (1); } @@ -161,10 +147,10 @@ void tls1_clear(SSL *s) { ssl3_clear(s); - s->version = s->method->internal->version; + s->version = s->method->version; } -static int nid_list[] = { +static const int nid_list[] = { NID_sect163k1, /* sect163k1 (1) */ NID_sect163r1, /* sect163r1 (2) */ NID_sect163r2, /* sect163r2 (3) */ @@ -682,7 +668,7 @@ ssl_check_clienthello_tlsext_late(SSL *s) } else s->internal->tlsext_status_expected = 0; -err: + err: switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: ssl3_send_alert(s, SSL3_AL_FATAL, al); diff --git a/ssl/tls12_key_schedule.c b/ssl/tls12_key_schedule.c new file mode 100644 index 0000000..c206460 --- /dev/null +++ b/ssl/tls12_key_schedule.c @@ -0,0 +1,175 @@ +/* $OpenBSD: tls12_key_schedule.c,v 1.1 2021/05/05 10:05:27 jsing Exp $ */ +/* + * Copyright (c) 2021 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +#include "bytestring.h" +#include "ssl_locl.h" + +struct tls12_key_block { + CBS client_write_mac_key; + CBS server_write_mac_key; + CBS client_write_key; + CBS server_write_key; + CBS client_write_iv; + CBS server_write_iv; + + uint8_t *key_block; + size_t key_block_len; +}; + +struct tls12_key_block * +tls12_key_block_new(void) +{ + return calloc(1, sizeof(struct tls12_key_block)); +} + +static void +tls12_key_block_clear(struct tls12_key_block *kb) +{ + CBS_init(&kb->client_write_mac_key, NULL, 0); + CBS_init(&kb->server_write_mac_key, NULL, 0); + CBS_init(&kb->client_write_key, NULL, 0); + CBS_init(&kb->server_write_key, NULL, 0); + CBS_init(&kb->client_write_iv, NULL, 0); + CBS_init(&kb->server_write_iv, NULL, 0); + + freezero(kb->key_block, kb->key_block_len); + kb->key_block = NULL; + kb->key_block_len = 0; +} + +void +tls12_key_block_free(struct tls12_key_block *kb) +{ + if (kb == NULL) + return; + + tls12_key_block_clear(kb); + + freezero(kb, sizeof(struct tls12_key_block)); +} + +void +tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key, + CBS *key, CBS *iv) +{ + CBS_dup(&kb->client_write_mac_key, mac_key); + CBS_dup(&kb->client_write_key, key); + CBS_dup(&kb->client_write_iv, iv); +} + +void +tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key, + CBS *key, CBS *iv) +{ + CBS_dup(&kb->server_write_mac_key, mac_key); + CBS_dup(&kb->server_write_key, key); + CBS_dup(&kb->server_write_iv, iv); +} + +int +tls12_key_block_generate(struct tls12_key_block *kb, SSL *s, + const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash) +{ + size_t mac_key_len = 0, key_len = 0, iv_len = 0; + uint8_t *key_block = NULL; + size_t key_block_len = 0; + CBS cbs; + + /* + * Generate a TLSv1.2 key block and partition into individual secrets, + * as per RFC 5246 section 6.3. + */ + + tls12_key_block_clear(kb); + + /* Must have AEAD or cipher/MAC pair. */ + if (aead == NULL && (cipher == NULL || mac_hash == NULL)) + goto err; + + if (aead != NULL) { + key_len = EVP_AEAD_key_length(aead); + + /* AEAD fixed nonce length. */ + if (aead == EVP_aead_aes_128_gcm() || + aead == EVP_aead_aes_256_gcm()) + iv_len = 4; + else if (aead == EVP_aead_chacha20_poly1305()) + iv_len = 12; + else + goto err; + } else if (cipher != NULL && mac_hash != NULL) { + /* + * A negative integer return value will be detected via the + * EVP_MAX_* checks against the size_t variables below. + */ + mac_key_len = EVP_MD_size(mac_hash); + key_len = EVP_CIPHER_key_length(cipher); + iv_len = EVP_CIPHER_iv_length(cipher); + + /* Special handling for GOST... */ + if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC) + mac_key_len = 32; + } + + if (mac_key_len > EVP_MAX_MD_SIZE) + goto err; + if (key_len > EVP_MAX_KEY_LENGTH) + goto err; + if (iv_len > EVP_MAX_IV_LENGTH) + goto err; + + key_block_len = 2 * mac_key_len + 2 * key_len + 2 * iv_len; + if ((key_block = calloc(1, key_block_len)) == NULL) + goto err; + + if (!tls1_generate_key_block(s, key_block, key_block_len)) + goto err; + + kb->key_block = key_block; + kb->key_block_len = key_block_len; + key_block = NULL; + key_block_len = 0; + + /* Partition key block into individual secrets. */ + CBS_init(&cbs, kb->key_block, kb->key_block_len); + if (!CBS_get_bytes(&cbs, &kb->client_write_mac_key, mac_key_len)) + goto err; + if (!CBS_get_bytes(&cbs, &kb->server_write_mac_key, mac_key_len)) + goto err; + if (!CBS_get_bytes(&cbs, &kb->client_write_key, key_len)) + goto err; + if (!CBS_get_bytes(&cbs, &kb->server_write_key, key_len)) + goto err; + if (!CBS_get_bytes(&cbs, &kb->client_write_iv, iv_len)) + goto err; + if (!CBS_get_bytes(&cbs, &kb->server_write_iv, iv_len)) + goto err; + if (CBS_len(&cbs) != 0) + goto err; + + return 1; + + err: + tls12_key_block_clear(kb); + freezero(key_block, key_block_len); + + return 0; +} diff --git a/ssl/tls12_lib.c b/ssl/tls12_lib.c new file mode 100644 index 0000000..f30f3a7 --- /dev/null +++ b/ssl/tls12_lib.c @@ -0,0 +1,118 @@ +/* $OpenBSD: tls12_lib.c,v 1.3 2021/05/02 15:57:29 jsing Exp $ */ +/* + * Copyright (c) 2021 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +static int +tls12_finished_verify_data(SSL *s, const char *finished_label, + size_t finished_label_len, uint8_t *verify_data, size_t verify_data_len, + size_t *out_len) +{ + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + + *out_len = 0; + + if (s->session->master_key_length <= 0) + return 0; + + if (verify_data_len < TLS1_FINISH_MAC_LENGTH) + return 0; + + if (!tls1_transcript_hash_value(s, transcript_hash, + sizeof(transcript_hash), &transcript_hash_len)) + return 0; + + if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length, + finished_label, finished_label_len, transcript_hash, + transcript_hash_len, NULL, 0, NULL, 0, NULL, 0, verify_data, + TLS1_FINISH_MAC_LENGTH)) + return 0; + + *out_len = TLS1_FINISH_MAC_LENGTH; + + return 1; +} + +static int +tls12_client_finished_verify_data(SSL *s, uint8_t *verify_data, + size_t verify_data_len, size_t *out_len) +{ + return tls12_finished_verify_data(s, TLS_MD_CLIENT_FINISH_CONST, + TLS_MD_CLIENT_FINISH_CONST_SIZE, verify_data, verify_data_len, + out_len); +} + +static int +tls12_server_finished_verify_data(SSL *s, uint8_t *verify_data, + size_t verify_data_len, size_t *out_len) +{ + return tls12_finished_verify_data(s, TLS_MD_SERVER_FINISH_CONST, + TLS_MD_SERVER_FINISH_CONST_SIZE, verify_data, verify_data_len, + out_len); +} + +int +tls12_derive_finished(SSL *s) +{ + if (!s->server) { + return tls12_client_finished_verify_data(s, + S3I(s)->hs.finished, sizeof(S3I(s)->hs.finished), + &S3I(s)->hs.finished_len); + } else { + return tls12_server_finished_verify_data(s, + S3I(s)->hs.finished, sizeof(S3I(s)->hs.finished), + &S3I(s)->hs.finished_len); + } +} + +int +tls12_derive_peer_finished(SSL *s) +{ + if (s->server) { + return tls12_client_finished_verify_data(s, + S3I(s)->hs.peer_finished, sizeof(S3I(s)->hs.peer_finished), + &S3I(s)->hs.peer_finished_len); + } else { + return tls12_server_finished_verify_data(s, + S3I(s)->hs.peer_finished, sizeof(S3I(s)->hs.peer_finished), + &S3I(s)->hs.peer_finished_len); + } +} + +int +tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret, + size_t premaster_secret_len) +{ + s->session->master_key_length = 0; + + if (premaster_secret_len == 0) + return 0; + + CTASSERT(sizeof(s->session->master_key) == SSL_MAX_MASTER_KEY_LENGTH); + + if (!tls1_PRF(s, premaster_secret, premaster_secret_len, + TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0, + s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0, + s->session->master_key, sizeof(s->session->master_key))) + return 0; + + s->session->master_key_length = SSL_MAX_MASTER_KEY_LENGTH; + + return 1; +} diff --git a/ssl/tls12_record_layer.c b/ssl/tls12_record_layer.c index 10d0f11..6d7d869 100644 --- a/ssl/tls12_record_layer.c +++ b/ssl/tls12_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls12_record_layer.c,v 1.4 2020/09/16 17:15:01 jsing Exp $ */ +/* $OpenBSD: tls12_record_layer.c,v 1.34 2021/08/30 19:12:25 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -15,36 +15,173 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include #include #include #include "ssl_locl.h" +#define TLS12_RECORD_SEQ_NUM_LEN 8 +#define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 + +struct tls12_record_protection { + uint16_t epoch; + uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; + + EVP_AEAD_CTX *aead_ctx; + + uint8_t *aead_nonce; + size_t aead_nonce_len; + + uint8_t *aead_fixed_nonce; + size_t aead_fixed_nonce_len; + + size_t aead_variable_nonce_len; + size_t aead_tag_len; + + int aead_xor_nonces; + int aead_variable_nonce_in_record; + + EVP_CIPHER_CTX *cipher_ctx; + EVP_MD_CTX *hash_ctx; + + int stream_mac; + + uint8_t *mac_key; + size_t mac_key_len; +}; + +static struct tls12_record_protection * +tls12_record_protection_new(void) +{ + return calloc(1, sizeof(struct tls12_record_protection)); +} + +static void +tls12_record_protection_clear(struct tls12_record_protection *rp) +{ + if (rp->aead_ctx != NULL) { + EVP_AEAD_CTX_cleanup(rp->aead_ctx); + freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); + } + + freezero(rp->aead_nonce, rp->aead_nonce_len); + freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); + + EVP_CIPHER_CTX_free(rp->cipher_ctx); + EVP_MD_CTX_free(rp->hash_ctx); + + freezero(rp->mac_key, rp->mac_key_len); + + memset(rp, 0, sizeof(*rp)); +} + +static void +tls12_record_protection_free(struct tls12_record_protection *rp) +{ + if (rp == NULL) + return; + + tls12_record_protection_clear(rp); + + freezero(rp, sizeof(struct tls12_record_protection)); +} + +static int +tls12_record_protection_engaged(struct tls12_record_protection *rp) +{ + return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; +} + +static int +tls12_record_protection_unused(struct tls12_record_protection *rp) +{ + return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && + rp->hash_ctx == NULL && rp->mac_key == NULL; +} + +static int +tls12_record_protection_eiv_len(struct tls12_record_protection *rp, + size_t *out_eiv_len) +{ + int eiv_len; + + *out_eiv_len = 0; + + if (rp->cipher_ctx == NULL) + return 0; + + eiv_len = 0; + if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) + eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); + if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) + return 0; + + *out_eiv_len = eiv_len; + + return 1; +} + +static int +tls12_record_protection_block_size(struct tls12_record_protection *rp, + size_t *out_block_size) +{ + int block_size; + + *out_block_size = 0; + + if (rp->cipher_ctx == NULL) + return 0; + + block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); + if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) + return 0; + + *out_block_size = block_size; + + return 1; +} + +static int +tls12_record_protection_mac_len(struct tls12_record_protection *rp, + size_t *out_mac_len) +{ + int mac_len; + + *out_mac_len = 0; + + if (rp->hash_ctx == NULL) + return 0; + + mac_len = EVP_MD_CTX_size(rp->hash_ctx); + if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) + return 0; + + *out_mac_len = mac_len; + + return 1; +} + struct tls12_record_layer { uint16_t version; + uint16_t initial_epoch; int dtls; - uint16_t read_epoch; - uint16_t write_epoch; + uint8_t alert_desc; - int read_stream_mac; - int write_stream_mac; + const EVP_AEAD *aead; + const EVP_CIPHER *cipher; + const EVP_MD *handshake_hash; + const EVP_MD *mac_hash; - /* - * XXX - for now these are just pointers to externally managed - * structs/memory. These should eventually be owned by the record layer. - */ - SSL_AEAD_CTX *read_aead_ctx; - SSL_AEAD_CTX *write_aead_ctx; + /* Pointers to active record protection (memory is not owned). */ + struct tls12_record_protection *read; + struct tls12_record_protection *write; - EVP_CIPHER_CTX *read_cipher_ctx; - EVP_MD_CTX *read_hash_ctx; - EVP_CIPHER_CTX *write_cipher_ctx; - EVP_MD_CTX *write_hash_ctx; - - uint8_t *read_seq_num; - uint8_t *write_seq_num; + struct tls12_record_protection *read_current; + struct tls12_record_protection *write_current; + struct tls12_record_protection *write_previous; }; struct tls12_record_layer * @@ -53,124 +190,451 @@ tls12_record_layer_new(void) struct tls12_record_layer *rl; if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) - return NULL; + goto err; + if ((rl->read_current = tls12_record_protection_new()) == NULL) + goto err; + if ((rl->write_current = tls12_record_protection_new()) == NULL) + goto err; + + rl->read = rl->read_current; + rl->write = rl->write_current; return rl; + + err: + tls12_record_layer_free(rl); + + return NULL; } void tls12_record_layer_free(struct tls12_record_layer *rl) { + if (rl == NULL) + return; + + tls12_record_protection_free(rl->read_current); + tls12_record_protection_free(rl->write_current); + tls12_record_protection_free(rl->write_previous); + freezero(rl, sizeof(struct tls12_record_layer)); } +void +tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) +{ + *alert_desc = rl->alert_desc; +} + +int +tls12_record_layer_write_overhead(struct tls12_record_layer *rl, + size_t *overhead) +{ + size_t block_size, eiv_len, mac_len; + + *overhead = 0; + + if (rl->write->aead_ctx != NULL) { + *overhead = rl->write->aead_tag_len; + } else if (rl->write->cipher_ctx != NULL) { + eiv_len = 0; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) + return 0; + } + if (!tls12_record_protection_block_size(rl->write, &block_size)) + return 0; + if (!tls12_record_protection_mac_len(rl->write, &mac_len)) + return 0; + + *overhead = eiv_len + block_size + mac_len; + } + + return 1; +} + +int +tls12_record_layer_read_protected(struct tls12_record_layer *rl) +{ + return tls12_record_protection_engaged(rl->read); +} + +int +tls12_record_layer_write_protected(struct tls12_record_layer *rl) +{ + return tls12_record_protection_engaged(rl->write); +} + +void +tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) +{ + rl->aead = aead; +} + +void +tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, + const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, + const EVP_MD *mac_hash) +{ + rl->cipher = cipher; + rl->handshake_hash = handshake_hash; + rl->mac_hash = mac_hash; +} + void tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) { rl->version = version; - rl->dtls = (version == DTLS1_VERSION); + rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); } void -tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, uint16_t epoch) +tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, + uint16_t epoch) { - rl->read_epoch = epoch; + rl->initial_epoch = epoch; +} + +uint16_t +tls12_record_layer_read_epoch(struct tls12_record_layer *rl) +{ + return rl->read->epoch; +} + +uint16_t +tls12_record_layer_write_epoch(struct tls12_record_layer *rl) +{ + return rl->write->epoch; +} + +int +tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) +{ + if (rl->write->epoch == epoch) + return 1; + + if (rl->write_current->epoch == epoch) { + rl->write = rl->write_current; + return 1; + } + + if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { + rl->write = rl->write_previous; + return 1; + } + + return 0; } void -tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) +tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) { - rl->write_epoch = epoch; -} + if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) + return; -static void -tls12_record_layer_set_read_state(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, - int stream_mac) -{ - rl->read_aead_ctx = aead_ctx; + rl->write = rl->write_current; - rl->read_cipher_ctx = cipher_ctx; - rl->read_hash_ctx = hash_ctx; - rl->read_stream_mac = stream_mac; -} - -static void -tls12_record_layer_set_write_state(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, - int stream_mac) -{ - rl->write_aead_ctx = aead_ctx; - - rl->write_cipher_ctx = cipher_ctx; - rl->write_hash_ctx = hash_ctx; - rl->write_stream_mac = stream_mac; + tls12_record_protection_free(rl->write_previous); + rl->write_previous = NULL; } void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) { - tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0); - rl->read_seq_num = NULL; + tls12_record_protection_clear(rl->read); + rl->read->epoch = rl->initial_epoch; } void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) { - tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0); - rl->write_seq_num = NULL; + tls12_record_protection_clear(rl->write); + rl->write->epoch = rl->initial_epoch; + + tls12_record_protection_free(rl->write_previous); + rl->write_previous = NULL; } void -tls12_record_layer_set_read_seq_num(struct tls12_record_layer *rl, - uint8_t *seq_num) +tls12_record_layer_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX **cipher, EVP_MD_CTX **hash) { - rl->read_seq_num = seq_num; + *cipher = rl->read->cipher_ctx; + *hash = rl->read->hash_ctx; } void -tls12_record_layer_set_write_seq_num(struct tls12_record_layer *rl, - uint8_t *seq_num) +tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) { - rl->write_seq_num = seq_num; + memcpy(rl->write->seq_num, rl->read->seq_num, + sizeof(rl->write->seq_num)); } +static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +}; + int -tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx) +tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) { - tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0); + CBS max_seq_num; + int i; + + /* + * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS + * sequence numbers must not wrap. Note that for DTLS the first two + * bytes are used as an "epoch" and not part of the sequence number. + */ + CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); + if (rl->dtls) { + if (!CBS_skip(&max_seq_num, 2)) + return 0; + } + if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, + CBS_len(&max_seq_num))) + return 0; + + for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { + if (++seq_num[i] != 0) + break; + } return 1; } -int -tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, - SSL_AEAD_CTX *aead_ctx) +static int +tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, + const uint8_t *mac_key, size_t mac_key_len) { - tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0); + freezero(rp->mac_key, rp->mac_key_len); + rp->mac_key = NULL; + rp->mac_key_len = 0; + + if (mac_key == NULL || mac_key_len == 0) + return 1; + + if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) + return 0; + + memcpy(rp->mac_key, mac_key, mac_key_len); + rp->mac_key_len = mac_key_len; return 1; } -int -tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, - EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) +static int +tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, + CBS *iv) { - tls12_record_layer_set_read_state(rl, NULL, cipher_ctx, hash_ctx, - stream_mac); + if (!tls12_record_protection_unused(rp)) + return 0; + + if ((rp->aead_ctx = calloc(1, sizeof(*rp->aead_ctx))) == NULL) + return 0; + + /* AES GCM cipher suites use variable nonce in record. */ + if (rl->aead == EVP_aead_aes_128_gcm() || + rl->aead == EVP_aead_aes_256_gcm()) + rp->aead_variable_nonce_in_record = 1; + + /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ + if (rl->aead == EVP_aead_chacha20_poly1305()) + rp->aead_xor_nonces = 1; + + if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) + return 0; + + rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); + if (rp->aead_nonce == NULL) + return 0; + + rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); + rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); + rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; + + if (rp->aead_xor_nonces) { + /* Fixed nonce length must match, variable must not exceed. */ + if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) + return 0; + if (rp->aead_variable_nonce_len > rp->aead_nonce_len) + return 0; + } else { + /* Concatenated nonce length must equal AEAD nonce length. */ + if (rp->aead_fixed_nonce_len + + rp->aead_variable_nonce_len != rp->aead_nonce_len) + return 0; + } + + if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), + CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) + return 0; return 1; } -int -tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, - EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) +static int +tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, + CBS *iv) { - tls12_record_layer_set_write_state(rl, NULL, cipher_ctx, hash_ctx, - stream_mac); + EVP_PKEY *mac_pkey = NULL; + int gost_param_nid; + int mac_type; + int ret = 0; - return 1; + if (!tls12_record_protection_unused(rp)) + goto err; + + mac_type = EVP_PKEY_HMAC; + rp->stream_mac = 0; + + if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) + goto err; + if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) + goto err; + if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) + goto err; + + /* Special handling for GOST... */ + if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { + if (CBS_len(mac_key) != 32) + goto err; + mac_type = EVP_PKEY_GOSTIMIT; + rp->stream_mac = 1; + } else { + if (CBS_len(mac_key) > INT_MAX) + goto err; + if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) + goto err; + } + + if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + + if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), + CBS_len(mac_key))) + goto err; + + if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), + CBS_len(mac_key))) == NULL) + goto err; + + if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), + CBS_data(iv), is_write)) + goto err; + + if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, + mac_pkey) <= 0) + goto err; + + /* More special handling for GOST... */ + if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { + gost_param_nid = NID_id_tc26_gost_28147_param_Z; + if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) + gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; + + if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, + gost_param_nid, 0) <= 0) + goto err; + + if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { + if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, + gost_param_nid, 0) <= 0) + goto err; + } + } + + ret = 1; + + err: + EVP_PKEY_free(mac_pkey); + + return ret; +} + +static int +tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, + struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, + CBS *iv) +{ + if (rl->aead != NULL) + return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, + key, iv); + + return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, + key, iv); +} + +int +tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, + CBS *mac_key, CBS *key, CBS *iv) +{ + struct tls12_record_protection *read_new = NULL; + int ret = 0; + + if ((read_new = tls12_record_protection_new()) == NULL) + goto err; + + /* Read sequence number gets reset to zero. */ + + /* DTLS epoch is incremented and is permitted to wrap. */ + if (rl->dtls) + read_new->epoch = rl->read_current->epoch + 1; + + if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, + mac_key, key, iv)) + goto err; + + tls12_record_protection_free(rl->read_current); + rl->read = rl->read_current = read_new; + read_new = NULL; + + ret = 1; + + err: + tls12_record_protection_free(read_new); + + return ret; +} + +int +tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, + CBS *mac_key, CBS *key, CBS *iv) +{ + struct tls12_record_protection *write_new; + int ret = 0; + + if ((write_new = tls12_record_protection_new()) == NULL) + goto err; + + /* Write sequence number gets reset to zero. */ + + /* DTLS epoch is incremented and is permitted to wrap. */ + if (rl->dtls) + write_new->epoch = rl->write_current->epoch + 1; + + if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, + mac_key, key, iv)) + goto err; + + if (rl->dtls) { + tls12_record_protection_free(rl->write_previous); + rl->write_previous = rl->write_current; + rl->write_current = NULL; + } + tls12_record_protection_free(rl->write_current); + rl->write = rl->write_current = write_new; + write_new = NULL; + + ret = 1; + + err: + tls12_record_protection_free(write_new); + + return ret; } static int @@ -193,8 +657,8 @@ tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, static int tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, - uint8_t content_type, uint16_t record_len, uint16_t epoch, uint8_t *seq_num, - size_t seq_num_len, uint8_t **out, size_t *out_len) + uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, + size_t *out_len) { CBB cbb; @@ -205,8 +669,7 @@ tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, if (!CBB_init(&cbb, 13)) goto err; - if (!tls12_record_layer_build_seq_num(rl, &cbb, epoch, - seq_num, seq_num_len)) + if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) goto err; if (!CBB_add_u8(&cbb, content_type)) goto err; @@ -228,13 +691,12 @@ tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, static int tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, - EVP_MD_CTX *hash_ctx, int stream_mac, uint16_t epoch, uint8_t *seq_num, - size_t seq_num_len, uint8_t content_type, const uint8_t *content, - size_t content_len, size_t *out_len) + EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, + const uint8_t *content, size_t content_len, size_t *out_len) { EVP_MD_CTX *mac_ctx = NULL; uint8_t *header = NULL; - size_t header_len; + size_t header_len = 0; size_t mac_len; uint8_t *mac; int ret = 0; @@ -245,7 +707,7 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, goto err; if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, - epoch, seq_num, seq_num_len, &header, &header_len)) + seq_num, &header, &header_len)) goto err; if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) @@ -258,6 +720,8 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, goto err; if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) goto err; + if (mac_len == 0) + goto err; if (stream_mac) { if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) @@ -269,39 +733,95 @@ tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, err: EVP_MD_CTX_free(mac_ctx); - free(header); + freezero(header, header_len); return ret; } static int -tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, - uint8_t content_type, const uint8_t *content, size_t content_len, - size_t *out_len) +tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, size_t mac_len, size_t padding_len) { - return tls12_record_layer_mac(rl, cbb, rl->write_hash_ctx, - rl->write_stream_mac, rl->write_epoch, rl->write_seq_num, - SSL3_SEQUENCE_SIZE, content_type, content, content_len, out_len); + uint8_t *header = NULL; + size_t header_len = 0; + uint8_t *mac = NULL; + size_t out_mac_len = 0; + int ret = 0; + + /* + * Must be constant time to avoid leaking details about CBC padding. + */ + + if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) + goto err; + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + seq_num, &header, &header_len)) + goto err; + + if (!CBB_add_space(cbb, &mac, mac_len)) + goto err; + if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, + content, content_len + mac_len, content_len + mac_len + padding_len, + rl->read->mac_key, rl->read->mac_key_len)) + goto err; + if (mac_len != out_mac_len) + goto err; + + ret = 1; + + err: + freezero(header, header_len); + + return ret; +} + +static int +tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len) +{ + EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; + size_t out_len; + + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) + return 0; + + return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, + rl->read->stream_mac, seq_num, content_type, content, content_len, + &out_len); +} + +static int +tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, size_t *out_len) +{ + return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, + rl->write->stream_mac, seq_num, content_type, content, content_len, + out_len); } static int tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, - const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) + struct tls12_record_protection *rp, CBS *seq_num) { CBB cbb; - if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + if (rp->aead_variable_nonce_len > CBS_len(seq_num)) return 0; /* Fixed nonce and variable nonce (sequence number) are concatenated. */ - if (!CBB_init(&cbb, 16)) + if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) goto err; - if (!CBB_add_bytes(&cbb, aead->fixed_nonce, - aead->fixed_nonce_len)) + if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, + rp->aead_fixed_nonce_len)) goto err; - if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + if (!CBB_add_bytes(&cbb, CBS_data(seq_num), + rp->aead_variable_nonce_len)) goto err; - if (!CBB_finish(&cbb, out, out_len)) + if (!CBB_finish(&cbb, NULL, NULL)) goto err; return 1; @@ -314,53 +834,313 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, static int tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, - const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) + struct tls12_record_protection *rp, CBS *seq_num) { - uint8_t *nonce = NULL; - size_t nonce_len = 0; uint8_t *pad; CBB cbb; int i; - if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + if (rp->aead_variable_nonce_len > CBS_len(seq_num)) return 0; - if (aead->fixed_nonce_len < aead->variable_nonce_len) + if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) + return 0; + if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) return 0; /* * Variable nonce (sequence number) is right padded, before the fixed * nonce is XOR'd in. */ - if (!CBB_init(&cbb, 16)) + if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) goto err; if (!CBB_add_space(&cbb, &pad, - aead->fixed_nonce_len - aead->variable_nonce_len)) + rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) goto err; - if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + if (!CBB_add_bytes(&cbb, CBS_data(seq_num), + rp->aead_variable_nonce_len)) goto err; - if (!CBB_finish(&cbb, &nonce, &nonce_len)) + if (!CBB_finish(&cbb, NULL, NULL)) goto err; - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - - *out = nonce; - *out_len = nonce_len; + for (i = 0; i < rp->aead_fixed_nonce_len; i++) + rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; return 1; err: CBB_cleanup(&cbb); - freezero(nonce, nonce_len); return 0; } +static int +tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, + uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) +{ + if (tls12_record_protection_engaged(rl->read)) + return 0; + + /* XXX - decrypt/process in place for now. */ + *out = (uint8_t *)CBS_data(fragment); + *out_len = CBS_len(fragment); + + return 1; +} + +static int +tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, + size_t *out_len) +{ + struct tls12_record_protection *rp = rl->read; + uint8_t *header = NULL; + size_t header_len = 0; + uint8_t *plain; + size_t plain_len; + CBS var_nonce; + int ret = 0; + + if (rp->aead_xor_nonces) { + if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) + goto err; + } else if (rp->aead_variable_nonce_in_record) { + if (!CBS_get_bytes(fragment, &var_nonce, + rp->aead_variable_nonce_len)) + goto err; + if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) + goto err; + } else { + if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) + goto err; + } + + /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ + if (CBS_len(fragment) < rp->aead_tag_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + /* XXX - decrypt/process in place for now. */ + plain = (uint8_t *)CBS_data(fragment); + plain_len = CBS_len(fragment) - rp->aead_tag_len; + + if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, + seq_num, &header, &header_len)) + goto err; + + if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, + rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), + CBS_len(fragment), header, header_len)) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + if (*out_len != plain_len) + goto err; + + *out = plain; + + ret = 1; + + err: + freezero(header, header_len); + + return ret; +} + +static int +tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, + uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, + size_t *out_len) +{ + EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; + SSL3_RECORD_INTERNAL rrec; + size_t block_size, eiv_len; + uint8_t *mac = NULL; + size_t mac_len = 0; + uint8_t *out_mac = NULL; + size_t out_mac_len = 0; + uint8_t *plain; + size_t plain_len; + size_t min_len; + CBB cbb_mac; + int ret = 0; + + memset(&cbb_mac, 0, sizeof(cbb_mac)); + memset(&rrec, 0, sizeof(rrec)); + + if (!tls12_record_protection_block_size(rl->read, &block_size)) + goto err; + + /* Determine explicit IV length. */ + eiv_len = 0; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) + goto err; + } + + mac_len = 0; + if (rl->read->hash_ctx != NULL) { + if (!tls12_record_protection_mac_len(rl->read, &mac_len)) + goto err; + } + + /* CBC has at least one padding byte. */ + min_len = eiv_len + mac_len; + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) + min_len += 1; + + if (CBS_len(fragment) < min_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + if (CBS_len(fragment) % block_size != 0) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + /* XXX - decrypt/process in place for now. */ + plain = (uint8_t *)CBS_data(fragment); + plain_len = CBS_len(fragment); + + if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) + goto err; + + rrec.data = plain; + rrec.input = plain; + rrec.length = plain_len; + + /* + * We now have to remove padding, extract MAC, calculate MAC + * and compare MAC in constant time. + */ + if (block_size > 1) + ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); + + if ((mac = calloc(1, mac_len)) == NULL) + goto err; + + if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) + goto err; + if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { + ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + + rrec.padding_length); + rrec.length -= mac_len; + if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, + seq_num, rrec.input, rrec.length, mac_len, + rrec.padding_length)) + goto err; + } else { + rrec.length -= mac_len; + memcpy(mac, rrec.data + rrec.length, mac_len); + if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, + seq_num, rrec.input, rrec.length)) + goto err; + } + if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) + goto err; + if (mac_len != out_mac_len) + goto err; + + if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + + if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { + rl->alert_desc = SSL_AD_BAD_RECORD_MAC; + goto err; + } + if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { + rl->alert_desc = SSL_AD_RECORD_OVERFLOW; + goto err; + } + + *out = rrec.data; + *out_len = rrec.length; + + ret = 1; + + err: + CBB_cleanup(&cbb_mac); + freezero(mac, mac_len); + freezero(out_mac, out_mac_len); + + return ret; +} + +int +tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, + size_t buf_len, uint8_t **out, size_t *out_len) +{ + CBS cbs, fragment, seq_num; + uint16_t version; + uint8_t content_type; + + CBS_init(&cbs, buf, buf_len); + CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); + + if (!CBS_get_u8(&cbs, &content_type)) + return 0; + if (!CBS_get_u16(&cbs, &version)) + return 0; + if (rl->dtls) { + /* + * The DTLS sequence number is split into a 16 bit epoch and + * 48 bit sequence number, however for the purposes of record + * processing it is treated the same as a TLS 64 bit sequence + * number. DTLS also uses explicit read sequence numbers, which + * we need to extract from the DTLS record header. + */ + if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) + return 0; + if (!CBS_write_bytes(&seq_num, rl->read->seq_num, + sizeof(rl->read->seq_num), NULL)) + return 0; + } + if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) + return 0; + + if (rl->read->aead_ctx != NULL) { + if (!tls12_record_layer_open_record_protected_aead(rl, + content_type, &seq_num, &fragment, out, out_len)) + return 0; + } else if (rl->read->cipher_ctx != NULL) { + if (!tls12_record_layer_open_record_protected_cipher(rl, + content_type, &seq_num, &fragment, out, out_len)) + return 0; + } else { + if (!tls12_record_layer_open_record_plaintext(rl, + content_type, &fragment, out, out_len)) + return 0; + } + + if (!rl->dtls) { + if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) + return 0; + } + + return 1; +} + static int tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) { - if (rl->write_aead_ctx != NULL || rl->write_cipher_ctx != NULL) + if (tls12_record_protection_engaged(rl->write)) return 0; return CBB_add_bytes(out, content, content_len); @@ -368,46 +1148,46 @@ tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, static int tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, - uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, CBB *out) { - const SSL_AEAD_CTX *aead = rl->write_aead_ctx; - uint8_t *header = NULL, *nonce = NULL; - size_t header_len = 0, nonce_len = 0; + struct tls12_record_protection *rp = rl->write; + uint8_t *header = NULL; + size_t header_len = 0; size_t enc_record_len, out_len; - uint16_t epoch = 0; uint8_t *enc_data; int ret = 0; - /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ - if (aead->xor_fixed_nonce) { - if (!tls12_record_layer_aead_xored_nonce(rl, aead, - rl->write_seq_num, &nonce, &nonce_len)) + if (rp->aead_xor_nonces) { + if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) goto err; } else { - if (!tls12_record_layer_aead_concat_nonce(rl, aead, - rl->write_seq_num, &nonce, &nonce_len)) + if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) goto err; } - if (aead->variable_nonce_in_record) { - /* XXX - length check? */ - if (!CBB_add_bytes(out, rl->write_seq_num, aead->variable_nonce_len)) + if (rp->aead_variable_nonce_in_record) { + if (rp->aead_variable_nonce_len > CBS_len(seq_num)) + goto err; + if (!CBB_add_bytes(out, CBS_data(seq_num), + rp->aead_variable_nonce_len)) goto err; } if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, - epoch, rl->write_seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len)) + seq_num, &header, &header_len)) goto err; /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ - enc_record_len = content_len + aead->tag_len; + enc_record_len = content_len + rp->aead_tag_len; if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) goto err; if (!CBB_add_space(out, &enc_data, enc_record_len)) goto err; - if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len, - nonce, nonce_len, content, content_len, header, header_len)) + if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, + rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, + header_len)) goto err; if (out_len != enc_record_len) @@ -417,18 +1197,17 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, err: freezero(header, header_len); - freezero(nonce, nonce_len); return ret; } static int tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, - uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) + uint8_t content_type, CBS *seq_num, const uint8_t *content, + size_t content_len, CBB *out) { - EVP_CIPHER_CTX *enc = rl->write_cipher_ctx; - size_t mac_len, pad_len; - int block_size, eiv_len; + EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; + size_t block_size, eiv_len, mac_len, pad_len; uint8_t *enc_data, *eiv, *pad, pad_val; uint8_t *plain = NULL; size_t plain_len = 0; @@ -440,11 +1219,10 @@ tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, /* Add explicit IV if necessary. */ eiv_len = 0; - if (rl->version != TLS1_VERSION && - EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) - eiv_len = EVP_CIPHER_CTX_iv_length(enc); - if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) - goto err; + if (rl->version != TLS1_VERSION) { + if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) + goto err; + } if (eiv_len > 0) { if (!CBB_add_space(&cbb, &eiv, eiv_len)) goto err; @@ -455,17 +1233,16 @@ tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, goto err; mac_len = 0; - if (rl->write_hash_ctx != NULL) { + if (rl->write->hash_ctx != NULL) { if (!tls12_record_layer_write_mac(rl, &cbb, content_type, - content, content_len, &mac_len)) + seq_num, content, content_len, &mac_len)) goto err; } - plain_len = (size_t)eiv_len + content_len + mac_len; + plain_len = eiv_len + content_len + mac_len; /* Add padding to block size, if necessary. */ - block_size = EVP_CIPHER_CTX_block_size(enc); - if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) + if (!tls12_record_protection_block_size(rl->write, &block_size)) goto err; if (block_size > 1) { pad_len = block_size - (plain_len % block_size); @@ -504,39 +1281,61 @@ int tls12_record_layer_seal_record(struct tls12_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) { - CBB fragment; + uint8_t *seq_num_data = NULL; + size_t seq_num_len = 0; + CBB fragment, seq_num_cbb; + CBS seq_num; + int ret = 0; + + /* + * Construct the effective sequence number - this is used in both + * the DTLS header and for MAC calculations. + */ + if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) + goto err; + if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, + rl->write->seq_num, sizeof(rl->write->seq_num))) + goto err; + if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) + goto err; + CBS_init(&seq_num, seq_num_data, seq_num_len); if (!CBB_add_u8(cbb, content_type)) - return 0; + goto err; if (!CBB_add_u16(cbb, rl->version)) - return 0; + goto err; if (rl->dtls) { - if (!tls12_record_layer_build_seq_num(rl, cbb, - rl->write_epoch, rl->write_seq_num, - SSL3_SEQUENCE_SIZE)) - return 0; + if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) + goto err; } if (!CBB_add_u16_length_prefixed(cbb, &fragment)) - return 0; + goto err; - if (rl->write_aead_ctx != NULL) { + if (rl->write->aead_ctx != NULL) { if (!tls12_record_layer_seal_record_protected_aead(rl, - content_type, content, content_len, &fragment)) - return 0; - } else if (rl->write_cipher_ctx != NULL) { + content_type, &seq_num, content, content_len, &fragment)) + goto err; + } else if (rl->write->cipher_ctx != NULL) { if (!tls12_record_layer_seal_record_protected_cipher(rl, - content_type, content, content_len, &fragment)) - return 0; + content_type, &seq_num, content, content_len, &fragment)) + goto err; } else { if (!tls12_record_layer_seal_record_plaintext(rl, content_type, content, content_len, &fragment)) - return 0; + goto err; } if (!CBB_flush(cbb)) - return 0; + goto err; - tls1_record_sequence_increment(rl->write_seq_num); + if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) + goto err; - return 1; + ret = 1; + + err: + CBB_cleanup(&seq_num_cbb); + free(seq_num_data); + + return ret; } diff --git a/ssl/tls13_buffer.c b/ssl/tls13_buffer.c index bc10abd..b46ac65 100644 --- a/ssl/tls13_buffer.c +++ b/ssl/tls13_buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */ +/* $OpenBSD: tls13_buffer.c,v 1.5 2021/05/16 14:19:04 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -15,8 +15,6 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include "bytestring.h" #include "tls13_internal.h" diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c index 35409d9..62c5174 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.67 2020/09/11 17:36:27 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.86 2021/06/29 19:20:39 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -15,11 +15,11 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include #include "bytestring.h" +#include "ssl_locl.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" #include "tls13_handshake.h" #include "tls13_internal.h" @@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx) size_t groups_len; SSL *s = ctx->ssl; - if (!ssl_supported_version_range(s, &ctx->hs->min_version, - &ctx->hs->max_version)) { + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } - s->client_version = s->version = ctx->hs->max_version; + s->client_version = s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); @@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx) tls1_get_group_list(s, 0, &groups, &groups_len); if (groups_len < 1) return 0; - if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL) + if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); @@ -64,11 +64,12 @@ tls13_client_init(struct tls13_ctx *ctx) * legacy session identifier triggers compatibility mode (see RFC 8446 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. */ - if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) { - arc4random_buf(ctx->hs->legacy_session_id, - sizeof(ctx->hs->legacy_session_id)); - ctx->hs->legacy_session_id_len = - sizeof(ctx->hs->legacy_session_id); + if (ctx->middlebox_compat && + ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { + arc4random_buf(ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id)); + ctx->hs->tls13.legacy_session_id_len = + sizeof(ctx->hs->tls13.legacy_session_id); } return 1; @@ -91,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) SSL *s = ctx->ssl; /* Legacy client version is capped at TLS 1.2. */ - client_version = ctx->hs->max_version; + client_version = ctx->hs->our_max_tls_version; if (client_version > TLS1_2_VERSION) client_version = TLS1_2_VERSION; @@ -102,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; - if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) goto err; if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) @@ -133,7 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) { - if (ctx->hs->min_version < TLS1_2_VERSION) + if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ @@ -228,9 +229,9 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) goto err; if (tls13_server_hello_is_legacy(cbs)) { - if (ctx->hs->max_version >= TLS1_3_VERSION) { + if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { /* - * RFC 8446 section 4.1.3, We must not downgrade if + * RFC 8446 section 4.1.3: we must not downgrade if * the server random value contains the TLS 1.2 or 1.1 * magical value. */ @@ -249,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_skip(cbs, CBS_len(cbs))) goto err; - ctx->hs->use_legacy = 1; + ctx->hs->tls13.use_legacy = 1; return 1; } @@ -262,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, sizeof(tls13_hello_retry_request_hash))) { tlsext_msg_type = SSL_TLSEXT_MSG_HRR; - ctx->hs->hrr = 1; + ctx->hs->tls13.hrr = 1; } if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { @@ -271,50 +272,48 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* - * See if a supported versions extension was returned. If it was then - * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). - * Otherwise, fallback to the legacy version, ensuring that it is both - * within range and not TLS 1.3 or greater (which must use the - * supported version extension. + * The supported versions extension indicated 0x0304 or greater. + * Ensure that it was 0x0304 and that legacy version is set to 0x0303 + * (RFC 8446 section 4.2.1). */ - if (ctx->hs->server_version != 0) { - if (legacy_version != TLS1_2_VERSION) { - ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; - goto err; - } - } else { - if (legacy_version < ctx->hs->min_version || - legacy_version > ctx->hs->max_version || - legacy_version > TLS1_2_VERSION) { - ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; - goto err; - } - ctx->hs->server_version = legacy_version; + if (ctx->hs->tls13.server_version != TLS1_3_VERSION || + legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; } + ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; /* The session_id must match. */ - if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) { + if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } /* * Ensure that the cipher suite is one that we offered in the client - * hello and that it matches the TLS version selected. + * hello and that it is a TLSv1.3 cipher suite. */ cipher = ssl3_get_cipher_by_value(cipher_suite); if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (ctx->hs->server_version == TLS1_3_VERSION && - cipher->algorithm_ssl != SSL_TLSV1_3) { + if (cipher->algorithm_ssl != SSL_TLSV1_3) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - /* XXX - move this to hs_tls13? */ - S3I(s)->hs.new_cipher = cipher; + if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) { + /* + * A ServerHello following a HelloRetryRequest MUST use the same + * cipher suite (RFC 8446 section 4.1.4). + */ + if (ctx->hs->cipher != cipher) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + } + ctx->hs->cipher = cipher; if (compression_method != 0) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; @@ -344,21 +343,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) /* Derive the shared key and engage record protection. */ - if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, &shared_key_len)) goto err; - s->session->cipher = S3I(s)->hs.new_cipher; - s->session->ssl_version = ctx->hs->server_version; + s->session->cipher = ctx->hs->cipher; + s->session->ssl_version = ctx->hs->tls13.server_version; - if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) goto err; - if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) goto err; if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) goto err; - ctx->hs->secrets = secrets; + ctx->hs->tls13.secrets = secrets; /* XXX - pass in hash. */ if (!tls1_transcript_hash_init(s)) @@ -375,7 +374,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) goto err; /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, shared_key_len, &context)) goto err; @@ -414,13 +413,13 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) return 0; /* - * This may have been a TLSv1.2 or earlier ServerHello that just happened - * to have matching server random... + * This may have been a TLSv1.2 or earlier ServerHello that just + * happened to have matching server random... */ - if (ctx->hs->use_legacy) + if (ctx->hs->tls13.use_legacy) return tls13_use_legacy_client(ctx); - if (!ctx->hs->hrr) + if (!ctx->hs->tls13.hrr) return 0; if (!tls13_synthetic_handshake_message(ctx)) @@ -428,7 +427,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) if (!tls13_handshake_msg_record(ctx)) return 0; - ctx->hs->hrr = 0; + ctx->hs->tls13.hrr = 0; return 1; } @@ -441,17 +440,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) * supported groups and is not the same as the key share we previously * offered. */ - if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) + if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) return 0; /* XXX alert */ - if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) + if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share)) return 0; /* XXX alert */ /* Switch to new key share. */ - tls13_key_share_free(ctx->hs->key_share); - if ((ctx->hs->key_share = - tls13_key_share_new(ctx->hs->server_group)) == NULL) + tls13_key_share_free(ctx->hs->tls13.key_share); + if ((ctx->hs->tls13.key_share = + tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; if (!tls13_client_hello_build(ctx, cbb)) @@ -478,13 +477,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) return 0; } - if (ctx->hs->use_legacy) { + if (ctx->hs->tls13.use_legacy) { if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) return 0; return tls13_use_legacy_client(ctx); } - if (ctx->hs->hrr) { + if (ctx->hs->tls13.hrr) { /* The server has sent two HelloRetryRequests. */ ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; return 0; @@ -681,10 +680,6 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u16_length_prefixed(cbs, &signature)) goto err; - if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, - tls13_sigalgs_len)) == NULL) - goto err; - if (!CBB_init(&cbb, 0)) goto err; if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, @@ -695,8 +690,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) goto err; @@ -705,8 +700,10 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if ((pkey = X509_get0_pubkey(cert)) == NULL) goto err; - if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) + if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, + signature_scheme)) == NULL) goto err; + ctx->hs->peer_sigalg = sigalg; if (CBS_len(&signature) > EVP_PKEY_size(pkey)) goto err; @@ -746,7 +743,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; @@ -774,8 +771,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, ctx->hash, NULL)) goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; verify_data_len = HMAC_size(hmac_ctx); if ((verify_data = calloc(1, verify_data_len)) == NULL) @@ -790,6 +787,11 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; } + if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, + sizeof(ctx->hs->peer_finished), + &ctx->hs->peer_finished_len)) + goto err; + if (!CBS_skip(cbs, verify_data_len)) goto err; @@ -902,8 +904,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) goto err; - ctx->hs->cpk = cpk; - ctx->hs->sigalg = sigalg; + ctx->hs->tls13.cpk = cpk; + ctx->hs->our_sigalg = sigalg; if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) goto err; @@ -952,9 +954,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) memset(&sig_cbb, 0, sizeof(sig_cbb)); - if ((cpk = ctx->hs->cpk) == NULL) + if ((cpk = ctx->hs->tls13.cpk) == NULL) goto err; - if ((sigalg = ctx->hs->sigalg) == NULL) + if ((sigalg = ctx->hs->our_sigalg) == NULL) goto err; pkey = cpk->privatekey; @@ -968,8 +970,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; - if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) goto err; @@ -1026,20 +1028,20 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; - struct tls13_secret finished_key; + struct tls13_secret finished_key = { .data = NULL, .len = 0 }; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; - uint8_t key[EVP_MAX_MD_SIZE]; uint8_t *verify_data; - size_t hmac_len; + size_t verify_data_len; unsigned int hlen; HMAC_CTX *hmac_ctx = NULL; + CBS cbs; int ret = 0; - finished_key.data = key; - finished_key.len = EVP_MD_size(ctx->hash); + if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) + goto err; if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, &secrets->client_handshake_traffic, "finished", @@ -1058,17 +1060,23 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) goto err; - hmac_len = HMAC_size(hmac_ctx); - if (!CBB_add_space(cbb, &verify_data, hmac_len)) + verify_data_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, verify_data_len)) goto err; if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) goto err; - if (hlen != hmac_len) + if (hlen != verify_data_len) + goto err; + + CBS_init(&cbs, verify_data, verify_data_len); + if (!CBS_write_bytes(&cbs, ctx->hs->finished, + sizeof(ctx->hs->finished), &ctx->hs->finished_len)) goto err; ret = 1; err: + tls13_secret_cleanup(&finished_key); HMAC_CTX_free(hmac_ctx); return ret; @@ -1077,7 +1085,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_finished_sent(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; /* * Any records following the client finished message must be encrypted diff --git a/ssl/tls13_handshake.c b/ssl/tls13_handshake.c index b3cecc7..cca8560 100644 --- a/ssl/tls13_handshake.c +++ b/ssl/tls13_handshake.c @@ -1,6 +1,6 @@ -/* $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */ +/* $OpenBSD: tls13_handshake.c,v 1.70 2021/09/16 19:25:30 jsing Exp $ */ /* - * Copyright (c) 2018-2019 Theo Buehler + * Copyright (c) 2018-2021 Theo Buehler * Copyright (c) 2019 Joel Sing * * Permission to use, copy, modify, and distribute this software for any @@ -48,6 +48,9 @@ static int tls13_handshake_send_action(struct tls13_ctx *ctx, static int tls13_handshake_recv_action(struct tls13_ctx *ctx, const struct tls13_handshake_action *action); +static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); +static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); + static const struct tls13_handshake_action state_machine[] = { [CLIENT_HELLO] = { .handshake_type = TLS13_MT_CLIENT_HELLO, @@ -328,6 +331,18 @@ tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) return 1; } +static int +tls13_handshake_end_of_flight(struct tls13_ctx *ctx, + const struct tls13_handshake_action *previous) +{ + const struct tls13_handshake_action *current; + + if ((current = tls13_handshake_active_action(ctx)) == NULL) + return 1; + + return current->sender != previous->sender; +} + int tls13_handshake_msg_record(struct tls13_ctx *ctx) { @@ -341,40 +356,64 @@ int tls13_handshake_perform(struct tls13_ctx *ctx) { const struct tls13_handshake_action *action; + int sending; int ret; if (!ctx->handshake_started) { + /* + * Set legacy state to connect/accept and call info callback + * to signal that the handshake started. + */ + if (!tls13_handshake_set_legacy_state(ctx)) + return TLS13_IO_FAILURE; + if (!tls13_handshake_legacy_info_callback(ctx)) + return TLS13_IO_FAILURE; + ctx->handshake_started = 1; - if (ctx->info_cb != NULL) - ctx->info_cb(ctx, TLS13_INFO_HANDSHAKE_STARTED, 1); + + /* Set legacy state for initial ClientHello read or write. */ + if (!tls13_handshake_set_legacy_state(ctx)) + return TLS13_IO_FAILURE; } for (;;) { if ((action = tls13_handshake_active_action(ctx)) == NULL) return TLS13_IO_FAILURE; + if (ctx->need_flush) { + if ((ret = tls13_record_layer_flush(ctx->rl)) != + TLS13_IO_SUCCESS) + return ret; + ctx->need_flush = 0; + } + if (action->handshake_complete) { ctx->handshake_completed = 1; tls13_record_layer_handshake_completed(ctx->rl); - if (ctx->info_cb != NULL) - ctx->info_cb(ctx, - TLS13_INFO_HANDSHAKE_COMPLETED, 1); + + if (!tls13_handshake_set_legacy_state(ctx)) + return TLS13_IO_FAILURE; + if (!tls13_handshake_legacy_info_callback(ctx)) + return TLS13_IO_FAILURE; + return TLS13_IO_SUCCESS; } + sending = action->sender == ctx->mode; + DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), - (action->sender == ctx->mode) ? "sending" : "receiving", + sending ? "sending" : "receiving", tls13_handshake_message_name(action->handshake_type)); - if (ctx->alert) + if (ctx->alert != 0) return tls13_send_alert(ctx->rl, ctx->alert); - if (action->sender == ctx->mode) + if (sending) ret = tls13_handshake_send_action(ctx, action); else ret = tls13_handshake_recv_action(ctx, action); - if (ctx->alert) + if (ctx->alert != 0) return tls13_send_alert(ctx->rl, ctx->alert); if (ret <= 0) { @@ -385,8 +424,18 @@ tls13_handshake_perform(struct tls13_ctx *ctx) return ret; } + if (!tls13_handshake_legacy_info_callback(ctx)) + return TLS13_IO_FAILURE; + if (!tls13_handshake_advance_state_machine(ctx)) return TLS13_IO_FAILURE; + + if (sending) + ctx->need_flush = tls13_handshake_end_of_flight(ctx, + action); + + if (!tls13_handshake_set_legacy_state(ctx)) + return TLS13_IO_FAILURE; } } @@ -428,8 +477,9 @@ tls13_handshake_send_action(struct tls13_ctx *ctx, if (action->send_preserve_transcript_hash) { if (!tls1_transcript_hash_value(ctx->ssl, - ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), - &ctx->hs->transcript_hash_len)) + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) return TLS13_IO_FAILURE; } @@ -471,8 +521,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, if (action->recv_preserve_transcript_hash) { if (!tls1_transcript_hash_value(ctx->ssl, - ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), - &ctx->hs->transcript_hash_len)) + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) return TLS13_IO_FAILURE; } @@ -510,8 +561,163 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, tls13_handshake_msg_free(ctx->hs_msg); ctx->hs_msg = NULL; - if (ctx->ssl->method->internal->version < TLS1_3_VERSION) + if (ctx->ssl->method->version < TLS1_3_VERSION) return TLS13_IO_USE_LEGACY; return ret; } + +struct tls13_handshake_legacy_state { + int recv; + int send; +}; + +static const struct tls13_handshake_legacy_state legacy_states[] = { + [CLIENT_HELLO] = { + .recv = SSL3_ST_SR_CLNT_HELLO_A, + .send = SSL3_ST_CW_CLNT_HELLO_A, + }, + [SERVER_HELLO_RETRY_REQUEST] = { + .recv = SSL3_ST_CR_SRVR_HELLO_A, + .send = SSL3_ST_SW_SRVR_HELLO_A, + }, + [CLIENT_HELLO_RETRY] = { + .recv = SSL3_ST_SR_CLNT_HELLO_A, + .send = SSL3_ST_CW_CLNT_HELLO_A, + }, + [SERVER_HELLO] = { + .recv = SSL3_ST_CR_SRVR_HELLO_A, + .send = SSL3_ST_SW_SRVR_HELLO_A, + }, + [SERVER_ENCRYPTED_EXTENSIONS] = { + .send = 0, + .recv = 0, + }, + [SERVER_CERTIFICATE_REQUEST] = { + .recv = SSL3_ST_CR_CERT_REQ_A, + .send = SSL3_ST_SW_CERT_REQ_A, + }, + [SERVER_CERTIFICATE] = { + .recv = SSL3_ST_CR_CERT_A, + .send = SSL3_ST_SW_CERT_A, + }, + [SERVER_CERTIFICATE_VERIFY] = { + .send = 0, + .recv = 0, + }, + [SERVER_FINISHED] = { + .recv = SSL3_ST_CR_FINISHED_A, + .send = SSL3_ST_SW_FINISHED_A, + }, + [CLIENT_END_OF_EARLY_DATA] = { + .send = 0, + .recv = 0, + }, + [CLIENT_CERTIFICATE] = { + .recv = SSL3_ST_SR_CERT_VRFY_A, + .send = SSL3_ST_CW_CERT_VRFY_B, + }, + [CLIENT_CERTIFICATE_VERIFY] = { + .send = 0, + .recv = 0, + }, + [CLIENT_FINISHED] = { + .recv = SSL3_ST_SR_FINISHED_A, + .send = SSL3_ST_CW_FINISHED_A, + }, + [APPLICATION_DATA] = { + .recv = 0, + .send = 0, + }, +}; + +CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == + sizeof(legacy_states) / sizeof(legacy_states[0])); + +static int +tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) +{ + const struct tls13_handshake_action *action; + enum tls13_message_type mt; + + *out_state = 0; + + if (!ctx->handshake_started) { + if (ctx->mode == TLS13_HS_CLIENT) + *out_state = SSL_ST_CONNECT; + else + *out_state = SSL_ST_ACCEPT; + + return 1; + } + + if (ctx->handshake_completed) { + *out_state = SSL_ST_OK; + return 1; + } + + if ((mt = tls13_handshake_active_state(ctx)) == INVALID) + return 0; + + if ((action = tls13_handshake_active_action(ctx)) == NULL) + return 0; + + if (action->sender == ctx->mode) + *out_state = legacy_states[mt].send; + else + *out_state = legacy_states[mt].recv; + + return 1; +} + +static int +tls13_handshake_info_position(struct tls13_ctx *ctx) +{ + if (!ctx->handshake_started) + return TLS13_INFO_HANDSHAKE_STARTED; + + if (ctx->handshake_completed) + return TLS13_INFO_HANDSHAKE_COMPLETED; + + if (ctx->mode == TLS13_HS_CLIENT) + return TLS13_INFO_CONNECT_LOOP; + else + return TLS13_INFO_ACCEPT_LOOP; +} + +static int +tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) +{ + int state, where; + + if (!tls13_handshake_legacy_state(ctx, &state)) + return 0; + + /* Do nothing if there's no corresponding legacy state. */ + if (state == 0) + return 1; + + if (ctx->info_cb != NULL) { + where = tls13_handshake_info_position(ctx); + ctx->info_cb(ctx, where, 1); + } + + return 1; +} + +static int +tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) +{ + int state; + + if (!tls13_handshake_legacy_state(ctx, &state)) + return 0; + + /* Do nothing if there's no corresponding legacy state. */ + if (state == 0) + return 1; + + ctx->hs->state = state; + + return 1; +} diff --git a/ssl/tls13_handshake_msg.c b/ssl/tls13_handshake_msg.c index 21932fc..ff6d6d7 100644 --- a/ssl/tls13_handshake_msg.c +++ b/ssl/tls13_handshake_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake_msg.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */ +/* $OpenBSD: tls13_handshake_msg.c,v 1.3 2021/05/16 14:19:04 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -16,7 +16,6 @@ */ #include "bytestring.h" -#include "ssl_locl.h" #include "tls13_internal.h" #define TLS13_HANDSHAKE_MSG_HEADER_LEN 4 diff --git a/ssl/tls13_internal.h b/ssl/tls13_internal.h index 03a1a6b..20cb52e 100644 --- a/ssl/tls13_internal.h +++ b/ssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.94 2021/09/16 19:25:30 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck * Copyright (c) 2018 Theo Buehler @@ -81,6 +81,10 @@ __BEGIN_HIDDEN_DECLS #define TLS13_INFO_HANDSHAKE_STARTED SSL_CB_HANDSHAKE_START #define TLS13_INFO_HANDSHAKE_COMPLETED SSL_CB_HANDSHAKE_DONE +#define TLS13_INFO_ACCEPT_LOOP SSL_CB_ACCEPT_LOOP +#define TLS13_INFO_CONNECT_LOOP SSL_CB_CONNECT_LOOP +#define TLS13_INFO_ACCEPT_EXIT SSL_CB_ACCEPT_EXIT +#define TLS13_INFO_CONNECT_EXIT SSL_CB_CONNECT_EXIT typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs); @@ -88,6 +92,7 @@ typedef void (*tls13_phh_sent_cb)(void *_cb_arg); typedef ssize_t (*tls13_read_cb)(void *_buf, size_t _buflen, void *_cb_arg); typedef ssize_t (*tls13_write_cb)(const void *_buf, size_t _buflen, void *_cb_arg); +typedef ssize_t (*tls13_flush_cb)(void *_cb_arg); typedef void (*tls13_handshake_message_cb)(void *_cb_arg); typedef void (*tls13_info_cb)(void *_cb_arg, int _state, int _ret); typedef int (*tls13_ocsp_status_cb)(void *_cb_arg); @@ -141,6 +146,8 @@ struct tls13_secrets { struct tls13_secret resumption_master; }; +int tls13_secret_init(struct tls13_secret *secret, size_t len); +void tls13_secret_cleanup(struct tls13_secret *secret); struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, int resumption); void tls13_secrets_destroy(struct tls13_secrets *secrets); @@ -148,6 +155,16 @@ void tls13_secrets_destroy(struct tls13_secrets *secrets); int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context); +int tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); + +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context); +int tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context); @@ -184,6 +201,7 @@ struct tls13_record_layer; struct tls13_record_layer_callbacks { tls13_read_cb wire_read; tls13_write_cb wire_write; + tls13_flush_cb wire_flush; tls13_alert_cb alert_recv; tls13_alert_cb alert_sent; tls13_phh_recv_cb phh_recv; @@ -195,7 +213,7 @@ struct tls13_record_layer *tls13_record_layer_new( void tls13_record_layer_free(struct tls13_record_layer *rl); void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow); -void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs); +void tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs); void tls13_record_layer_set_aead(struct tls13_record_layer *rl, const EVP_AEAD *aead); void tls13_record_layer_set_hash(struct tls13_record_layer *rl, @@ -210,6 +228,7 @@ int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *write_key); ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); +ssize_t tls13_record_layer_flush(struct tls13_record_layer *rl); ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, @@ -262,11 +281,12 @@ struct tls13_ctx { struct tls13_error error; SSL *ssl; - struct ssl_handshake_tls13_st *hs; + struct ssl_handshake_st *hs; uint8_t mode; struct tls13_handshake_stage handshake_stage; int handshake_started; int handshake_completed; + int need_flush; int middlebox_compat; int send_dummy_ccs; int send_dummy_ccs_after; @@ -312,6 +332,7 @@ int tls13_legacy_connect(SSL *ssl); int tls13_legacy_return_code(SSL *ssl, ssize_t ret); ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg); ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg); +ssize_t tls13_legacy_wire_flush_cb(void *arg); int tls13_legacy_pending(const SSL *ssl); int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek); @@ -412,6 +433,10 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode, tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ (fmt), __VA_ARGS__) +int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len); + extern const uint8_t tls13_downgrade_12[8]; extern const uint8_t tls13_downgrade_11[8]; extern const uint8_t tls13_hello_retry_request_hash[32]; diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c index 91f59e4..bb96cf3 100644 --- a/ssl/tls13_key_schedule.c +++ b/ssl/tls13_key_schedule.c @@ -1,5 +1,6 @@ -/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */ -/* Copyright (c) 2018, Bob Beck +/* $OpenBSD: tls13_key_schedule.c,v 1.14 2021/01/05 18:36:22 tb Exp $ */ +/* + * Copyright (c) 2018, Bob Beck * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -22,46 +23,25 @@ #include "bytestring.h" #include "tls13_internal.h" -void -tls13_secrets_destroy(struct tls13_secrets *secrets) +int +tls13_secret_init(struct tls13_secret *secret, size_t len) { - if (secrets == NULL) - return; + if (secret->data != NULL) + return 0; - /* you can never be too sure :) */ - freezero(secrets->zeros.data, secrets->zeros.len); - freezero(secrets->empty_hash.data, secrets->empty_hash.len); + if ((secret->data = calloc(1, len)) == NULL) + return 0; + secret->len = len; - freezero(secrets->extracted_early.data, - secrets->extracted_early.len); - freezero(secrets->binder_key.data, - secrets->binder_key.len); - freezero(secrets->client_early_traffic.data, - secrets->client_early_traffic.len); - freezero(secrets->early_exporter_master.data, - secrets->early_exporter_master.len); - freezero(secrets->derived_early.data, - secrets->derived_early.len); - freezero(secrets->extracted_handshake.data, - secrets->extracted_handshake.len); - freezero(secrets->client_handshake_traffic.data, - secrets->client_handshake_traffic.len); - freezero(secrets->server_handshake_traffic.data, - secrets->server_handshake_traffic.len); - freezero(secrets->derived_handshake.data, - secrets->derived_handshake.len); - freezero(secrets->extracted_master.data, - secrets->extracted_master.len); - freezero(secrets->client_application_traffic.data, - secrets->client_application_traffic.len); - freezero(secrets->server_application_traffic.data, - secrets->server_application_traffic.len); - freezero(secrets->exporter_master.data, - secrets->exporter_master.len); - freezero(secrets->resumption_master.data, - secrets->resumption_master.len); + return 1; +} - freezero(secrets, sizeof(struct tls13_secrets)); +void +tls13_secret_cleanup(struct tls13_secret *secret) +{ + freezero(secret->data, secret->len); + secret->data = NULL; + secret->len = 0; } /* @@ -81,62 +61,39 @@ tls13_secrets_create(const EVP_MD *digest, int resumption) if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL) goto err; - if ((secrets->zeros.data = calloc(hash_length, sizeof(uint8_t))) == - NULL) + if (!tls13_secret_init(&secrets->zeros, hash_length)) + goto err; + if (!tls13_secret_init(&secrets->empty_hash, hash_length)) goto err; - secrets->zeros.len = hash_length; - if ((secrets->empty_hash.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_early, hash_length)) goto err; - secrets->empty_hash.len = hash_length; - - if ((secrets->extracted_early.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->binder_key, hash_length)) goto err; - secrets->extracted_early.len = hash_length; - if ((secrets->binder_key.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->client_early_traffic, hash_length)) goto err; - secrets->binder_key.len = hash_length; - if ((secrets->client_early_traffic.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->early_exporter_master, hash_length)) goto err; - secrets->client_early_traffic.len = hash_length; - if ((secrets->early_exporter_master.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->derived_early, hash_length)) goto err; - secrets->early_exporter_master.len = hash_length; - if ((secrets->derived_early.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_handshake, hash_length)) goto err; - secrets->derived_early.len = hash_length; - if ((secrets->extracted_handshake.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->client_handshake_traffic, hash_length)) goto err; - secrets->extracted_handshake.len = hash_length; - if ((secrets->client_handshake_traffic.data = malloc(hash_length)) - == NULL) + if (!tls13_secret_init(&secrets->server_handshake_traffic, hash_length)) goto err; - secrets->client_handshake_traffic.len = hash_length; - if ((secrets->server_handshake_traffic.data = malloc(hash_length)) - == NULL) + if (!tls13_secret_init(&secrets->derived_handshake, hash_length)) goto err; - secrets->server_handshake_traffic.len = hash_length; - if ((secrets->derived_handshake.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->extracted_master, hash_length)) goto err; - secrets->derived_handshake.len = hash_length; - if ((secrets->extracted_master.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->client_application_traffic, hash_length)) goto err; - secrets->extracted_master.len = hash_length; - if ((secrets->client_application_traffic.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->server_application_traffic, hash_length)) goto err; - secrets->client_application_traffic.len = hash_length; - if ((secrets->server_application_traffic.data = malloc(hash_length)) == - NULL) + if (!tls13_secret_init(&secrets->exporter_master, hash_length)) goto err; - secrets->server_application_traffic.len = hash_length; - if ((secrets->exporter_master.data = malloc(hash_length)) == NULL) + if (!tls13_secret_init(&secrets->resumption_master, hash_length)) goto err; - secrets->exporter_master.len = hash_length; - if ((secrets->resumption_master.data = malloc(hash_length)) == NULL) - goto err; - secrets->resumption_master.len = hash_length; /* * Calculate the hash of a zero-length string - this is needed during @@ -169,10 +126,47 @@ tls13_secrets_create(const EVP_MD *digest, int resumption) return NULL; } +void +tls13_secrets_destroy(struct tls13_secrets *secrets) +{ + if (secrets == NULL) + return; + + /* you can never be too sure :) */ + tls13_secret_cleanup(&secrets->zeros); + tls13_secret_cleanup(&secrets->empty_hash); + + tls13_secret_cleanup(&secrets->extracted_early); + tls13_secret_cleanup(&secrets->binder_key); + tls13_secret_cleanup(&secrets->client_early_traffic); + tls13_secret_cleanup(&secrets->early_exporter_master); + tls13_secret_cleanup(&secrets->derived_early); + tls13_secret_cleanup(&secrets->extracted_handshake); + tls13_secret_cleanup(&secrets->client_handshake_traffic); + tls13_secret_cleanup(&secrets->server_handshake_traffic); + tls13_secret_cleanup(&secrets->derived_handshake); + tls13_secret_cleanup(&secrets->extracted_master); + tls13_secret_cleanup(&secrets->client_application_traffic); + tls13_secret_cleanup(&secrets->server_application_traffic); + tls13_secret_cleanup(&secrets->exporter_master); + tls13_secret_cleanup(&secrets->resumption_master); + + freezero(secrets, sizeof(struct tls13_secrets)); +} + int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + strlen(label), context); +} + +int +tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context) { const char tls13_plabel[] = "tls13 "; uint8_t *hkdf_label; @@ -188,7 +182,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, goto err; if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel))) goto err; - if (!CBB_add_bytes(&child, label, strlen(label))) + if (!CBB_add_bytes(&child, label, label_len)) goto err; if (!CBB_add_u8_length_prefixed(&cbb, &child)) goto err; @@ -207,7 +201,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, return(0); } -static int +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) @@ -215,6 +209,15 @@ tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, return tls13_hkdf_expand_label(out, digest, secret, label, context); } +int +tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label, + size_t label_len, const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + label_len, context); +} + int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context) diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c index 317a1cb..f668dd4 100644 --- a/ssl/tls13_legacy.c +++ b/ssl/tls13_legacy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */ +/* $OpenBSD: tls13_legacy.c,v 1.31 2021/09/16 19:25:30 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -20,10 +20,6 @@ #include "ssl_locl.h" #include "tls13_internal.h" -SSL3_ENC_METHOD TLSv1_3_enc_data = { - .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, -}; - static ssize_t tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) { @@ -40,8 +36,6 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { if (BIO_should_read(ssl->rbio)) return TLS13_IO_WANT_POLLIN; - if (BIO_should_write(ssl->rbio)) - return TLS13_IO_WANT_POLLOUT; if (n == 0) return TLS13_IO_EOF; @@ -79,8 +73,6 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) errno = 0; if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { - if (BIO_should_read(ssl->wbio)) - return TLS13_IO_WANT_POLLIN; if (BIO_should_write(ssl->wbio)) return TLS13_IO_WANT_POLLOUT; @@ -104,6 +96,30 @@ tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) return tls13_legacy_wire_write(ctx->ssl, buf, n); } +static ssize_t +tls13_legacy_wire_flush(SSL *ssl) +{ + if (BIO_flush(ssl->wbio) <= 0) { + if (BIO_should_write(ssl->wbio)) + return TLS13_IO_WANT_POLLOUT; + + if (ERR_peek_error() == 0 && errno != 0) + SYSerror(errno); + + return TLS13_IO_FAILURE; + } + + return TLS13_IO_SUCCESS; +} + +ssize_t +tls13_legacy_wire_flush_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + + return tls13_legacy_wire_flush(ctx->ssl); +} + static void tls13_legacy_error(SSL *ssl) { @@ -224,7 +240,7 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee return -1; } if (len < 0) { - SSLerror(ssl, SSL_R_BAD_LENGTH); + SSLerror(ssl, SSL_R_BAD_LENGTH); return -1; } @@ -255,7 +271,7 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) return -1; } if (len < 0) { - SSLerror(ssl, SSL_R_BAD_LENGTH); + SSLerror(ssl, SSL_R_BAD_LENGTH); return -1; } @@ -269,12 +285,12 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) } /* - * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until + * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until * we have written out all of the requested data. */ sent = S3I(ssl)->wnum; if (len < sent) { - SSLerror(ssl, SSL_R_BAD_LENGTH); + SSLerror(ssl, SSL_R_BAD_LENGTH); return -1; } n = len - sent; @@ -297,22 +313,36 @@ static int tls13_use_legacy_stack(struct tls13_ctx *ctx) { SSL *s = ctx->ssl; + CBB cbb, fragment; CBS cbs; + memset(&cbb, 0, sizeof(cbb)); + + s->method = tls_legacy_method(); + if (!ssl3_setup_init_buffer(s)) - return 0; + goto err; if (!ssl3_setup_buffers(s)) - return 0; + goto err; if (!ssl_init_wbio_buffer(s, 1)) - return 0; + goto err; /* Stash any unprocessed data from the last record. */ - tls13_record_layer_rbuf(ctx->rl, &cbs); + tls13_record_layer_rcontent(ctx->rl, &cbs); if (CBS_len(&cbs) > 0) { - if (!CBS_write_bytes(&cbs, - S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, - S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) - return 0; + if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf, + S3I(s)->rbuf.len)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE)) + goto err; + if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) + goto err; + if (!CBB_add_u16_length_prefixed(&cbb, &fragment)) + goto err; + if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs))) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; S3I(s)->rbuf.left = CBS_len(&cbs); @@ -326,15 +356,22 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx) /* Stash the current handshake message. */ tls13_handshake_msg_data(ctx->hs_msg, &cbs); + if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) + goto err; if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, s->internal->init_buf->length, NULL)) - return 0; + goto err; - S3I(s)->tmp.reuse_message = 1; - S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); - S3I(s)->tmp.message_size = CBS_len(&cbs); + S3I(s)->hs.tls12.reuse_message = 1; + S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg); + S3I(s)->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH; return 1; + + err: + CBB_cleanup(&cbb); + + return 0; } int @@ -342,14 +379,11 @@ tls13_use_legacy_client(struct tls13_ctx *ctx) { SSL *s = ctx->ssl; - s->method = tls_legacy_client_method(); - s->internal->handshake_func = s->method->internal->ssl_connect; - s->client_version = s->version = s->method->internal->max_version; - if (!tls13_use_legacy_stack(ctx)) return 0; - S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; + s->internal->handshake_func = s->method->ssl_connect; + s->client_version = s->version = s->method->max_tls_version; return 1; } @@ -359,15 +393,12 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) { SSL *s = ctx->ssl; - s->method = tls_legacy_server_method(); - s->internal->handshake_func = s->method->internal->ssl_accept; - s->client_version = s->version = s->method->internal->max_version; - s->server = 1; - if (!tls13_use_legacy_stack(ctx)) return 0; - S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; + s->internal->handshake_func = s->method->ssl_accept; + s->client_version = s->version = s->method->max_tls_version; + s->server = 1; return 1; } @@ -385,7 +416,7 @@ tls13_legacy_accept(SSL *ssl) } ssl->internal->tls13 = ctx; ctx->ssl = ssl; - ctx->hs = &S3I(ssl)->hs_tls13; + ctx->hs = &S3I(ssl)->hs; if (!tls13_server_init(ctx)) { if (ERR_peek_error() == 0) @@ -395,15 +426,17 @@ tls13_legacy_accept(SSL *ssl) } ERR_clear_error(); - S3I(ssl)->hs.state = SSL_ST_ACCEPT; ret = tls13_server_accept(ctx); if (ret == TLS13_IO_USE_LEGACY) - return ssl->method->internal->ssl_accept(ssl); - if (ret == TLS13_IO_SUCCESS) - S3I(ssl)->hs.state = SSL_ST_OK; + return ssl->method->ssl_accept(ssl); - return tls13_legacy_return_code(ssl, ret); + ret = tls13_legacy_return_code(ssl, ret); + + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret); + + return ret; } int @@ -416,7 +449,7 @@ tls13_legacy_connect(SSL *ssl) /* XXX drop back to legacy for client auth for now */ if (ssl->cert->key->privatekey != NULL) { ssl->method = tls_legacy_client_method(); - return ssl->method->internal->ssl_connect(ssl); + return ssl->method->ssl_connect(ssl); } #endif @@ -427,7 +460,7 @@ tls13_legacy_connect(SSL *ssl) } ssl->internal->tls13 = ctx; ctx->ssl = ssl; - ctx->hs = &S3I(ssl)->hs_tls13; + ctx->hs = &S3I(ssl)->hs; if (!tls13_client_init(ctx)) { if (ERR_peek_error() == 0) @@ -437,15 +470,17 @@ tls13_legacy_connect(SSL *ssl) } ERR_clear_error(); - S3I(ssl)->hs.state = SSL_ST_CONNECT; ret = tls13_client_connect(ctx); if (ret == TLS13_IO_USE_LEGACY) - return ssl->method->internal->ssl_connect(ssl); - if (ret == TLS13_IO_SUCCESS) - S3I(ssl)->hs.state = SSL_ST_OK; + return ssl->method->ssl_connect(ssl); - return tls13_legacy_return_code(ssl, ret); + ret = tls13_legacy_return_code(ssl, ret); + + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret); + + return ret; } int @@ -504,18 +539,22 @@ tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; int ret = SSL_TLSEXT_ERR_NOACK; SSL_CTX *ssl_ctx = ctx->ssl->ctx; - SSL *ssl = ctx->ssl; + SSL *s = ctx->ssl; if (ssl_ctx->internal->tlsext_servername_callback == NULL) - ssl_ctx = ssl->initial_ctx; + ssl_ctx = s->initial_ctx; if (ssl_ctx->internal->tlsext_servername_callback == NULL) return 1; - ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, + ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, ssl_ctx->internal->tlsext_servername_arg); - if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || - ret == SSL_TLSEXT_ERR_ALERT_WARNING) { + /* + * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's + * behavior: the only warning alerts in TLSv1.3 are close_notify and + * user_canceled, neither of which should be returned by the callback. + */ + if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) { if (legacy_alert >= 0 && legacy_alert <= 255) *alert = legacy_alert; return 0; diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c index 590426a..1a9596a 100644 --- a/ssl/tls13_lib.c +++ b/ssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.62 2021/09/16 19:25:30 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * Copyright (c) 2019 Bob Beck @@ -147,7 +147,8 @@ tls13_alert_sent_cb(uint8_t alert_desc, void *arg) } /* All other alerts are treated as fatal in TLSv1.3. */ - SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); + if (ctx->error.code == 0) + SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); } static void @@ -161,8 +162,7 @@ tls13_legacy_handshake_message_recv_cb(void *arg) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); - s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, - CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); + ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); } static void @@ -176,8 +176,7 @@ tls13_legacy_handshake_message_sent_cb(void *arg) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); - s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, - CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); + ssl_msg_callback(s, 1, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); } static void @@ -185,12 +184,8 @@ tls13_legacy_info_cb(void *arg, int state, int ret) { struct tls13_ctx *ctx = arg; SSL *s = ctx->ssl; - void (*cb)(const SSL *, int, int); - if ((cb = s->internal->info_callback) == NULL) - cb = s->ctx->internal->info_callback; - if (cb != NULL) - cb(s, state, ret); + ssl_info_callback(s, state, ret); } static int @@ -200,8 +195,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) SSL *s = ctx->ssl; int ret; - if (s->ctx->internal->tlsext_status_cb == NULL || - s->internal->tlsext_ocsp_resp == NULL) + if (s->ctx->internal->tlsext_status_cb == NULL) return 1; ret = s->ctx->internal->tlsext_status_cb(s, @@ -223,7 +217,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) static int tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; if (ctx->mode == TLS13_HS_CLIENT) return (tls13_update_client_traffic_secret(secrets) && @@ -237,7 +231,7 @@ tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) static int tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; if (ctx->mode == TLS13_HS_CLIENT) return (tls13_update_server_traffic_secret(secrets) && @@ -380,6 +374,7 @@ tls13_phh_received_cb(void *cb_arg, CBS *cbs) static const struct tls13_record_layer_callbacks rl_callbacks = { .wire_read = tls13_legacy_wire_read_cb, .wire_write = tls13_legacy_wire_write_cb, + .wire_flush = tls13_legacy_wire_flush_cb, .alert_recv = tls13_alert_received_cb, .alert_sent = tls13_alert_sent_cb, .phh_recv = tls13_phh_received_cb, @@ -429,9 +424,9 @@ tls13_ctx_free(struct tls13_ctx *ctx) int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, - int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) + int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) { - CBB cert_data; + CBB cert_data, cert_exts; uint8_t *data; int cert_len; @@ -448,7 +443,6 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) return 0; } else { - CBB cert_exts; if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) return 0; } @@ -504,16 +498,16 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx) int tls13_clienthello_hash_init(struct tls13_ctx *ctx) { - if (ctx->hs->clienthello_md_ctx != NULL) + if (ctx->hs->tls13.clienthello_md_ctx != NULL) return 0; - if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) + if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) return 0; - if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx, + if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, EVP_sha256(), NULL)) return 0; - if ((ctx->hs->clienthello_hash == NULL) && - (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == + if ((ctx->hs->tls13.clienthello_hash == NULL) && + (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == NULL) return 0; @@ -521,7 +515,7 @@ tls13_clienthello_hash_init(struct tls13_ctx *ctx) } void -tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) +tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ { EVP_MD_CTX_free(hs->clienthello_md_ctx); hs->clienthello_md_ctx = NULL; @@ -533,7 +527,7 @@ int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, size_t len) { - return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len); + return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); } int @@ -546,12 +540,12 @@ tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) { - if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, - ctx->hs->clienthello_hash, - &ctx->hs->clienthello_hash_len)) + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, + ctx->hs->tls13.clienthello_hash, + &ctx->hs->tls13.clienthello_hash_len)) return 0; - EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); - ctx->hs->clienthello_md_ctx = NULL; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; return 1; } @@ -561,21 +555,90 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx) unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; unsigned int new_ch_hash_len; - if (ctx->hs->clienthello_hash == NULL) + if (ctx->hs->tls13.clienthello_hash == NULL) return 0; - if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, new_ch_hash, &new_ch_hash_len)) return 0; - EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); - ctx->hs->clienthello_md_ctx = NULL; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; - if (ctx->hs->clienthello_hash_len != new_ch_hash_len) + if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) return 0; - if (memcmp(ctx->hs->clienthello_hash, new_ch_hash, + if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, new_ch_hash_len) != 0) return 0; return 1; } +int +tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len) +{ + struct tls13_secret context, export_out, export_secret; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + EVP_MD_CTX *md_ctx = NULL; + unsigned int md_out_len; + int md_len; + int ret = 0; + + /* + * RFC 8446 Section 7.5. + */ + + memset(&context, 0, sizeof(context)); + memset(&export_secret, 0, sizeof(export_secret)); + + export_out.data = out; + export_out.len = out_len; + + if (!ctx->handshake_completed) + return 0; + + md_len = EVP_MD_size(secrets->digest); + if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) + goto err; + + if (!tls13_secret_init(&export_secret, md_len)) + goto err; + if (!tls13_secret_init(&context, md_len)) + goto err; + + /* In TLSv1.3 no context is equivalent to an empty context. */ + if (context_value == NULL) { + context_value = ""; + context_value_len = 0; + } + + if ((md_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) + goto err; + if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) + goto err; + if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) + goto err; + if (md_len != md_out_len) + goto err; + + if (!tls13_derive_secret_with_label_length(&export_secret, + secrets->digest, &secrets->exporter_master, label, label_len, + &secrets->empty_hash)) + goto err; + + if (!tls13_hkdf_expand_label(&export_out, secrets->digest, + &export_secret, "exporter", &context)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(md_ctx); + tls13_secret_cleanup(&context); + tls13_secret_cleanup(&export_secret); + + return ret; +} diff --git a/ssl/tls13_record.c b/ssl/tls13_record.c index c856932..3bdaead 100644 --- a/ssl/tls13_record.c +++ b/ssl/tls13_record.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record.c,v 1.6 2020/05/11 18:08:11 jsing Exp $ */ +/* $OpenBSD: tls13_record.c,v 1.8 2021/05/16 14:19:04 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -15,8 +15,6 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include "tls13_internal.h" #include "tls13_record.h" diff --git a/ssl/tls13_record.h b/ssl/tls13_record.h index 400153b..4b7ac4f 100644 --- a/ssl/tls13_record.h +++ b/ssl/tls13_record.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record.h,v 1.3 2019/01/21 00:24:19 jsing Exp $ */ +/* $OpenBSD: tls13_record.h,v 1.4 2021/05/16 14:20:29 jsing Exp $ */ /* * Copyright (c) 2019 Joel Sing * @@ -19,7 +19,6 @@ #define HEADER_TLS13_RECORD_H #include "bytestring.h" -#include "tls13_internal.h" __BEGIN_HIDDEN_DECLS diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c index 1d75d9e..6b9f5d1 100644 --- a/ssl/tls13_record_layer.c +++ b/ssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.64 2021/09/16 19:25:30 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -15,16 +15,50 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" - #include "tls13_internal.h" #include "tls13_record.h" +#include "tls_content.h" static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, uint8_t content_type, const uint8_t *buf, size_t n); static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len); +struct tls13_record_protection { + EVP_AEAD_CTX aead_ctx; + struct tls13_secret iv; + struct tls13_secret nonce; + uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN]; +}; + +struct tls13_record_protection * +tls13_record_protection_new(void) +{ + return calloc(1, sizeof(struct tls13_record_protection)); +} + +void +tls13_record_protection_clear(struct tls13_record_protection *rp) +{ + EVP_AEAD_CTX_cleanup(&rp->aead_ctx); + + tls13_secret_cleanup(&rp->iv); + tls13_secret_cleanup(&rp->nonce); + + memset(rp->seq_num, 0, sizeof(rp->seq_num)); +} + +void +tls13_record_protection_free(struct tls13_record_protection *rp) +{ + if (rp == NULL) + return; + + tls13_record_protection_clear(rp); + + freezero(rp, sizeof(struct tls13_record_protection)); +} + struct tls13_record_layer { uint16_t legacy_version; @@ -66,39 +100,20 @@ struct tls13_record_layer { uint8_t *phh_data; size_t phh_len; - /* Buffer containing plaintext from opened records. */ - uint8_t rbuf_content_type; - uint8_t *rbuf; - size_t rbuf_len; - CBS rbuf_cbs; + /* Content from opened records. */ + struct tls_content *rcontent; /* Record protection. */ const EVP_MD *hash; const EVP_AEAD *aead; - EVP_AEAD_CTX read_aead_ctx; - EVP_AEAD_CTX write_aead_ctx; - struct tls13_secret read_iv; - struct tls13_secret write_iv; - struct tls13_secret read_nonce; - struct tls13_secret write_nonce; - uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; - uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; + struct tls13_record_protection *read; + struct tls13_record_protection *write; /* Callbacks. */ struct tls13_record_layer_callbacks cb; void *cb_arg; }; -static void -tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) -{ - CBS_init(&rl->rbuf_cbs, NULL, 0); - freezero(rl->rbuf, rl->rbuf_len); - rl->rbuf = NULL; - rl->rbuf_len = 0; - rl->rbuf_content_type = 0; -} - static void tls13_record_layer_rrec_free(struct tls13_record_layer *rl) { @@ -120,13 +135,26 @@ tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, struct tls13_record_layer *rl; if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) - return NULL; + goto err; + + if ((rl->rcontent = tls_content_new()) == NULL) + goto err; + + if ((rl->read = tls13_record_protection_new()) == NULL) + goto err; + if ((rl->write = tls13_record_protection_new()) == NULL) + goto err; rl->legacy_version = TLS1_2_VERSION; rl->cb = *callbacks; rl->cb_arg = cb_arg; return rl; + + err: + tls13_record_layer_free(rl); + + return NULL; } void @@ -135,26 +163,24 @@ tls13_record_layer_free(struct tls13_record_layer *rl) if (rl == NULL) return; - tls13_record_layer_rbuf_free(rl); - tls13_record_layer_rrec_free(rl); tls13_record_layer_wrec_free(rl); - EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); - EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); + freezero(rl->alert_data, rl->alert_len); + freezero(rl->phh_data, rl->phh_len); - freezero(rl->read_iv.data, rl->read_iv.len); - freezero(rl->write_iv.data, rl->write_iv.len); - freezero(rl->read_nonce.data, rl->read_nonce.len); - freezero(rl->write_nonce.data, rl->write_nonce.len); + tls_content_free(rl->rcontent); + + tls13_record_protection_free(rl->read); + tls13_record_protection_free(rl->write); freezero(rl, sizeof(struct tls13_record_layer)); } void -tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) +tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) { - CBS_dup(&rl->rbuf_cbs, cbs); + CBS_dup(tls_content_cbs(rl->rcontent), cbs); } static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { @@ -257,22 +283,18 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl) * will result in one of three things - continuation (user_cancelled), * read channel closure (close_notify) or termination (all others). */ - if (rl->rbuf == NULL) + if (tls_content_type(rl->rcontent) != SSL3_RT_ALERT) return TLS13_IO_FAILURE; - if (rl->rbuf_content_type != SSL3_RT_ALERT) - return TLS13_IO_FAILURE; - - if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) + if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_level)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (!CBS_get_u8(tls_content_cbs(rl->rcontent), &alert_desc)) return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); - if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) + if (tls_content_remaining(rl->rcontent) != 0) return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); - if (CBS_len(&rl->rbuf_cbs) != 0) - return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); - - tls13_record_layer_rbuf_free(rl); + tls_content_clear(rl->rcontent); /* * Alert level is ignored for closure alerts (RFC 8446 section 6.1), @@ -383,7 +405,7 @@ tls13_record_layer_send_pending(struct tls13_record_layer *rl) } static ssize_t -tls13_record_layer_alert(struct tls13_record_layer *rl, +tls13_record_layer_enqueue_alert(struct tls13_record_layer *rl, uint8_t alert_level, uint8_t alert_desc) { CBB cbb; @@ -427,49 +449,35 @@ tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) } static int -tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, - const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, - struct tls13_secret *traffic_key) +tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, + struct tls13_record_protection *rp, struct tls13_secret *traffic_key) { struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret key = { .data = NULL, .len = 0 }; int ret = 0; - EVP_AEAD_CTX_cleanup(aead_ctx); + tls13_record_protection_clear(rp); - freezero(iv->data, iv->len); - iv->data = NULL; - iv->len = 0; - - freezero(nonce->data, nonce->len); - nonce->data = NULL; - nonce->len = 0; - - if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + if (!tls13_secret_init(&rp->iv, EVP_AEAD_nonce_length(aead))) goto err; - iv->len = EVP_AEAD_nonce_length(aead); - - if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + if (!tls13_secret_init(&rp->nonce, EVP_AEAD_nonce_length(aead))) goto err; - nonce->len = EVP_AEAD_nonce_length(aead); - - if ((key.data = calloc(1, EVP_AEAD_key_length(aead))) == NULL) + if (!tls13_secret_init(&key, EVP_AEAD_key_length(aead))) goto err; - key.len = EVP_AEAD_key_length(aead); - if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) + if (!tls13_hkdf_expand_label(&rp->iv, hash, traffic_key, "iv", &context)) goto err; if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) goto err; - if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, + if (!EVP_AEAD_CTX_init(&rp->aead_ctx, aead, key.data, key.len, EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) goto err; ret = 1; err: - freezero(key.data, key.len); + tls13_secret_cleanup(&key); return ret; } @@ -478,20 +486,16 @@ int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *read_key) { - memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); - - return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, - rl->hash, &rl->read_iv, &rl->read_nonce, read_key); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, + rl->read, read_key); } int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, struct tls13_secret *write_key) { - memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); - - return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, - rl->hash, &rl->write_iv, &rl->write_nonce, write_key); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, + rl->write, write_key); } static int @@ -514,15 +518,10 @@ tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) return 0; } - tls13_record_layer_rbuf_free(rl); - - if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) + if (!tls_content_dup_data(rl->rcontent, + tls13_record_content_type(rl->rrec), CBS_data(&cbs), CBS_len(&cbs))) return 0; - rl->rbuf_content_type = tls13_record_content_type(rl->rrec); - - CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); - return 1; } @@ -548,13 +547,13 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) goto err; content_len = CBS_len(&enc_record); - if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, - rl->read_seq_num)) + if (!tls13_record_layer_update_nonce(&rl->read->nonce, &rl->read->iv, + rl->read->seq_num)) goto err; - if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, + if (!EVP_AEAD_CTX_open(&rl->read->aead_ctx, content, &out_len, content_len, - rl->read_nonce.data, rl->read_nonce.len, + rl->read->nonce.data, rl->read->nonce.len, CBS_data(&enc_record), CBS_len(&enc_record), CBS_data(&header), CBS_len(&header))) goto err; @@ -564,7 +563,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) goto err; } - if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) + if (!tls13_record_layer_inc_seq_num(rl->read->seq_num)) goto err; /* @@ -587,13 +586,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) } content_type = content[inner_len]; - tls13_record_layer_rbuf_free(rl); - - rl->rbuf_content_type = content_type; - rl->rbuf = content; - rl->rbuf_len = inner_len; - - CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); + tls_content_set_data(rl->rcontent, content_type, content, inner_len); return 1; @@ -725,8 +718,8 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, if (!CBB_finish(&cbb, &data, &data_len)) goto err; - if (!tls13_record_layer_update_nonce(&rl->write_nonce, - &rl->write_iv, rl->write_seq_num)) + if (!tls13_record_layer_update_nonce(&rl->write->nonce, + &rl->write->iv, rl->write->seq_num)) goto err; /* @@ -734,16 +727,16 @@ tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, * this would avoid a copy since the inner would be passed as two * separate pieces. */ - if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, + if (!EVP_AEAD_CTX_seal(&rl->write->aead_ctx, enc_record, &out_len, enc_record_len, - rl->write_nonce.data, rl->write_nonce.len, + rl->write->nonce.data, rl->write->nonce.len, inner, inner_len, header, header_len)) goto err; if (out_len != enc_record_len) goto err; - if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) + if (!tls13_record_layer_inc_seq_num(rl->write->seq_num)) goto err; if (!tls13_record_set_data(rl->wrec, data, data_len)) @@ -798,7 +791,7 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) if ((rl->rrec = tls13_record_new()) == NULL) goto err; } - + if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { switch (ret) { case TLS13_IO_RECORD_VERSION: @@ -808,13 +801,19 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) } return ret; } - - if (rl->legacy_version == TLS1_2_VERSION && - tls13_record_version(rl->rrec) != TLS1_2_VERSION) - return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); - + content_type = tls13_record_content_type(rl->rrec); + /* + * In response to a client hello we may receive an alert in a + * record with a legacy version. Otherwise enforce that the + * legacy record version is 0x0303 per RFC 8446, section 5.1. + */ + if (rl->legacy_version == TLS1_2_VERSION && + tls13_record_version(rl->rrec) != TLS1_2_VERSION && + (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) + return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); + /* * Bag of hacks ahead... after the first ClientHello message has been * sent or received and before the peer's Finished message has been @@ -854,12 +853,12 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) * we must terminate the connection with an unexpected_message alert. * See RFC 8446 section 5.4. */ - if (CBS_len(&rl->rbuf_cbs) == 0 && - (rl->rbuf_content_type == SSL3_RT_ALERT || - rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) + if (tls_content_remaining(rl->rcontent) == 0 && + (tls_content_type(rl->rcontent) == SSL3_RT_ALERT || + tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE)) return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); - switch (rl->rbuf_content_type) { + switch (tls_content_type(rl->rcontent)) { case SSL3_RT_ALERT: return tls13_record_layer_process_alert(rl); @@ -884,10 +883,10 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) static ssize_t tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) { - if (rl->rbuf_content_type != content_type) + if (tls_content_type(rl->rcontent) != content_type) return 0; - return CBS_len(&rl->rbuf_cbs); + return tls_content_remaining(rl->rcontent); } static ssize_t @@ -906,9 +905,9 @@ tls13_record_layer_recv_phh(struct tls13_record_layer *rl) * TLS13_IO_FAILURE something broke. */ if (rl->cb.phh_recv != NULL) - ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); + ret = rl->cb.phh_recv(rl->cb_arg, tls_content_cbs(rl->rcontent)); - tls13_record_layer_rbuf_free(rl); + tls_content_clear(rl->rcontent); /* Leave post handshake handshake mode unless we need more data. */ if (ret != TLS13_IO_WANT_POLLIN) @@ -937,7 +936,7 @@ tls13_record_layer_read_internal(struct tls13_record_layer *rl, return TLS13_IO_EOF; /* If necessary, pull up the next record. */ - if (CBS_len(&rl->rbuf_cbs) == 0) { + if (tls_content_remaining(rl->rcontent) == 0) { if ((ret = tls13_record_layer_read_record(rl)) <= 0) return ret; @@ -945,17 +944,15 @@ tls13_record_layer_read_internal(struct tls13_record_layer *rl, * We may have read a valid 0-byte application data record, * in which case we need to read the next record. */ - if (CBS_len(&rl->rbuf_cbs) == 0) { - tls13_record_layer_rbuf_free(rl); + if (tls_content_remaining(rl->rcontent) == 0) return TLS13_IO_WANT_POLLIN; - } } /* * If we are in post handshake handshake mode, we must not see * any record type that isn't a handshake until we are done. */ - if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) + if (rl->phh && tls_content_type(rl->rcontent) != SSL3_RT_HANDSHAKE) return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); /* @@ -964,32 +961,18 @@ tls13_record_layer_read_internal(struct tls13_record_layer *rl, * be trying to read application data and need to handle a * post-handshake handshake message instead... */ - if (rl->rbuf_content_type != content_type) { - if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { + if (tls_content_type(rl->rcontent) != content_type) { + if (tls_content_type(rl->rcontent) == SSL3_RT_HANDSHAKE) { if (rl->handshake_completed) return tls13_record_layer_recv_phh(rl); } return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); } - if (n > CBS_len(&rl->rbuf_cbs)) - n = CBS_len(&rl->rbuf_cbs); + if (peek) + return tls_content_peek(rl->rcontent, buf, n); - /* XXX - CBS_memcpy? CBS_copy_bytes? */ - memcpy(buf, CBS_data(&rl->rbuf_cbs), n); - - if (!peek) { - if (!CBS_skip(&rl->rbuf_cbs, n)) - goto err; - } - - if (CBS_len(&rl->rbuf_cbs) == 0) - tls13_record_layer_rbuf_free(rl); - - return n; - - err: - return TLS13_IO_FAILURE; + return tls_content_read(rl->rcontent, buf, n); } static ssize_t @@ -1113,6 +1096,12 @@ tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, return ret; } +ssize_t +tls13_record_layer_flush(struct tls13_record_layer *rl) +{ + return rl->cb.wire_flush(rl->cb_arg); +} + static const uint8_t tls13_dummy_ccs[] = { 0x01 }; ssize_t @@ -1193,7 +1182,8 @@ tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) alert_level = TLS13_ALERT_LEVEL_WARNING; do { - ret = tls13_record_layer_alert(rl, alert_level, alert_desc); + ret = tls13_record_layer_enqueue_alert(rl, alert_level, + alert_desc); } while (ret == TLS13_IO_WANT_RETRY); return ret; diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index a5c03b6..d2c7abb 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.84 2021/07/01 17:53:39 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -19,8 +19,8 @@ #include #include "ssl_locl.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" - #include "tls13_handshake.h" #include "tls13_internal.h" @@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx) { SSL *s = ctx->ssl; - if (!ssl_supported_version_range(s, &ctx->hs->min_version, - &ctx->hs->max_version)) { + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } - s->version = ctx->hs->max_version; + s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); @@ -99,7 +99,7 @@ tls13_client_hello_is_legacy(CBS *cbs) int tls13_client_hello_required_extensions(struct tls13_ctx *ctx) { - SSL *ssl = ctx->ssl; + SSL *s = ctx->ssl; /* * RFC 8446, section 9.2. If the ClientHello has supported_versions @@ -111,10 +111,10 @@ tls13_client_hello_required_extensions(struct tls13_ctx *ctx) * If we got no pre_shared_key, then signature_algorithms and * supported_groups must both be present. */ - if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) { - if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms)) + if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { + if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) return 0; - if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups)) + if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) return 0; } @@ -122,8 +122,8 @@ tls13_client_hello_required_extensions(struct tls13_ctx *ctx) * supported_groups and key_share must either both be present or * both be absent. */ - if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) != - tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share)) + if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != + tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) return 0; /* @@ -163,6 +163,10 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) goto err; return tls13_use_legacy_server(ctx); } + ctx->hs->negotiated_tls_version = TLS1_3_VERSION; + + /* Ensure we send subsequent alerts with the correct record version. */ + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); /* Add decoded values to the current ClientHello hash */ if (!tls13_clienthello_hash_init(ctx)) { @@ -197,7 +201,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* Finalize first ClientHello hash, or validate against it */ - if (!ctx->hs->hrr) { + if (!ctx->hs->tls13.hrr) { if (!tls13_clienthello_hash_finalize(ctx)) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; goto err; @@ -207,7 +211,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - tls13_clienthello_hash_clear(ctx->hs); + tls13_clienthello_hash_clear(&ctx->hs->tls13); } if (!tls13_client_hello_required_extensions(ctx)) { @@ -225,13 +229,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* Store legacy session identifier so we can echo it. */ - if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { + if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, - sizeof(ctx->hs->legacy_session_id), - &ctx->hs->legacy_session_id_len)) { + if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id), + &ctx->hs->tls13.legacy_session_id_len)) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; goto err; } @@ -248,7 +252,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; goto err; } - S3I(s)->hs.new_cipher = cipher; + ctx->hs->cipher = cipher; + + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = ciphers; + ciphers = NULL; /* Ensure only the NULL compression method is advertised. */ if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, @@ -274,11 +282,9 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; /* See if we switched back to the legacy client method. */ - if (s->method->internal->version < TLS1_3_VERSION) + if (s->method->version < TLS1_3_VERSION) return 1; - tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); - /* * If a matching key share was provided, we do not need to send a * HelloRetryRequest. @@ -288,7 +294,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) * has been enabled. This would probably mean using either an * INITIAL | WITHOUT_HRR state, or another intermediate state. */ - if (ctx->hs->key_share != NULL) + if (ctx->hs->tls13.key_share != NULL) ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; /* XXX - check this is the correct point */ @@ -309,7 +315,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) SSL *s = ctx->ssl; uint16_t cipher; - cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); + cipher = SSL_CIPHER_get_value(ctx->hs->cipher); server_random = s->s3->server_random; if (hrr) { @@ -323,8 +329,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) goto err; if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; - if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) goto err; if (!CBB_add_u16(cbb, cipher)) goto err; @@ -337,7 +343,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) goto err; return 1; -err: + err: return 0; } @@ -353,20 +359,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) SSL *s = ctx->ssl; int ret = 0; - if (!tls13_key_share_derive(ctx->hs->key_share, + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, &shared_key_len)) goto err; - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = ctx->hs->cipher; - if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) goto err; - if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) goto err; if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) goto err; - ctx->hs->secrets = secrets; + ctx->hs->tls13.secrets = secrets; /* XXX - pass in hash. */ if (!tls1_transcript_hash_init(s)) @@ -383,7 +389,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) goto err; /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, shared_key_len, &context)) goto err; @@ -413,16 +419,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) { int nid; - ctx->hs->hrr = 1; + ctx->hs->tls13.hrr = 1; if (!tls13_synthetic_handshake_message(ctx)) return 0; - if (ctx->hs->key_share != NULL) + if (ctx->hs->tls13.key_share != NULL) return 0; if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) return 0; - if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) + if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) return 0; if (!tls13_server_hello_build(ctx, cbb, 1)) @@ -439,7 +445,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) * we MUST send a dummy CCS following our first handshake message. * See RFC 8446 Appendix D.4. */ - if (ctx->hs->legacy_session_id_len > 0) + if (ctx->hs->tls13.legacy_session_id_len > 0) ctx->send_dummy_ccs_after = 1; return 1; @@ -454,10 +460,10 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) return 0; /* XXX - need further checks. */ - if (s->method->internal->version < TLS1_3_VERSION) + if (s->method->version < TLS1_3_VERSION) return 0; - ctx->hs->hrr = 0; + ctx->hs->tls13.hrr = 0; return 1; } @@ -478,14 +484,14 @@ tls13_servername_process(struct tls13_ctx *ctx) int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) { - if (ctx->hs->key_share == NULL) + if (ctx->hs->tls13.key_share == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; if (!tls13_servername_process(ctx)) return 0; - ctx->hs->server_group = 0; + ctx->hs->tls13.server_group = 0; if (!tls13_server_hello_build(ctx, cbb, 0)) return 0; @@ -502,7 +508,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx) * See RFC 8446 Appendix D.4. */ if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && - ctx->hs->legacy_session_id_len > 0) + ctx->hs->tls13.legacy_session_id_len > 0) ctx->send_dummy_ccs_after = 1; return tls13_server_engage_record_protection(ctx); @@ -611,6 +617,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) SSL *s = ctx->ssl; CBB cert_request_context, cert_list; const struct ssl_sigalg *sigalg; + X509_STORE_CTX *xsc = NULL; STACK_OF(X509) *chain; CERT_PKEY *cpk; X509 *cert; @@ -627,12 +634,24 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) goto err; } - ctx->hs->cpk = cpk; - ctx->hs->sigalg = sigalg; + ctx->hs->tls13.cpk = cpk; + ctx->hs->our_sigalg = sigalg; if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; + if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if ((xsc = X509_STORE_CTX_new()) == NULL) + goto err; + if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) + goto err; + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), + X509_V_FLAG_LEGACY_VERIFY); + X509_verify_cert(xsc); + ERR_clear_error(); + chain = xsc->chain; + } + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) goto err; if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) @@ -643,10 +662,19 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) for (i = 0; i < sk_X509_num(chain); i++) { cert = sk_X509_value(chain, i); + + /* + * In the case of auto chain, the leaf certificate will be at + * the top of the chain - skip over it as we've already added + * it earlier. + */ + if (i == 0 && cert == cpk->x509) + continue; + /* * XXX we don't send extensions with chain certs to avoid sending - * a leaf ocsp stape with the chain certs. This needs to get - * fixed + * a leaf ocsp staple with the chain certs. This needs to get + * fixed. */ if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) goto err; @@ -658,6 +686,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) ret = 1; err: + X509_STORE_CTX_free(xsc); + return ret; } @@ -676,9 +706,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) memset(&sig_cbb, 0, sizeof(sig_cbb)); - if ((cpk = ctx->hs->cpk) == NULL) + if ((cpk = ctx->hs->tls13.cpk) == NULL) goto err; - if ((sigalg = ctx->hs->sigalg) == NULL) + if ((sigalg = ctx->hs->our_sigalg) == NULL) goto err; pkey = cpk->privatekey; @@ -692,8 +722,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; - if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) goto err; @@ -744,20 +774,20 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; - struct tls13_secret finished_key; + struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; - uint8_t key[EVP_MAX_MD_SIZE]; uint8_t *verify_data; - size_t hmac_len; + size_t verify_data_len; unsigned int hlen; HMAC_CTX *hmac_ctx = NULL; + CBS cbs; int ret = 0; - finished_key.data = key; - finished_key.len = EVP_MD_size(ctx->hash); + if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) + goto err; if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, &secrets->server_handshake_traffic, "finished", @@ -776,17 +806,23 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) goto err; - hmac_len = HMAC_size(hmac_ctx); - if (!CBB_add_space(cbb, &verify_data, hmac_len)) + verify_data_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, verify_data_len)) goto err; if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) goto err; - if (hlen != hmac_len) + if (hlen != verify_data_len) + goto err; + + CBS_init(&cbs, verify_data, verify_data_len); + if (!CBS_write_bytes(&cbs, ctx->hs->finished, + sizeof(ctx->hs->finished), &ctx->hs->finished_len)) goto err; ret = 1; err: + tls13_secret_cleanup(&finished_key); HMAC_CTX_free(hmac_ctx); return ret; @@ -795,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_server_finished_sent(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; /* * Derive application traffic keys. */ - context.data = ctx->hs->transcript_hash; - context.len = ctx->hs->transcript_hash_len; + context.data = ctx->hs->tls13.transcript_hash; + context.len = ctx->hs->tls13.transcript_hash_len; if (!tls13_derive_application_secrets(secrets, &context)) return 0; @@ -934,10 +970,6 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u16_length_prefixed(cbs, &signature)) goto err; - if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, - tls13_sigalgs_len)) == NULL) - goto err; - if (!CBB_init(&cbb, 0)) goto err; if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, @@ -948,8 +980,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) goto err; @@ -958,8 +990,10 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if ((pkey = X509_get0_pubkey(cert)) == NULL) goto err; - if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) + if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, + signature_scheme)) == NULL) goto err; + ctx->hs->peer_sigalg = sigalg; if (CBS_len(&signature) > EVP_PKEY_size(pkey)) goto err; @@ -1006,7 +1040,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) int tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key; uint8_t *verify_data = NULL; @@ -1032,8 +1066,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, ctx->hash, NULL)) goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; verify_data_len = HMAC_size(hmac_ctx); if ((verify_data = calloc(1, verify_data_len)) == NULL) @@ -1048,6 +1082,11 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; } + if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, + sizeof(ctx->hs->peer_finished), + &ctx->hs->peer_finished_len)) + goto err; + if (!CBS_skip(cbs, verify_data_len)) goto err; diff --git a/ssl/tls_content.c b/ssl/tls_content.c new file mode 100644 index 0000000..ede178f --- /dev/null +++ b/ssl/tls_content.c @@ -0,0 +1,149 @@ +/* $OpenBSD: tls_content.c,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include "tls_content.h" + +/* Content from a TLS record. */ +struct tls_content { + uint8_t type; + uint16_t epoch; + + const uint8_t *data; + size_t len; + CBS cbs; +}; + +struct tls_content * +tls_content_new(void) +{ + return calloc(1, sizeof(struct tls_content)); +} + +void +tls_content_clear(struct tls_content *content) +{ + freezero((void *)content->data, content->len); + memset(content, 0, sizeof(*content)); +} + +void +tls_content_free(struct tls_content *content) +{ + if (content == NULL) + return; + + tls_content_clear(content); + + freezero(content, sizeof(struct tls_content)); +} + +CBS * +tls_content_cbs(struct tls_content *content) +{ + return &content->cbs; +} + +int +tls_content_equal(struct tls_content *content, const uint8_t *buf, size_t n) +{ + return CBS_mem_equal(&content->cbs, buf, n); +} + +size_t +tls_content_remaining(struct tls_content *content) +{ + return CBS_len(&content->cbs); +} + +uint8_t +tls_content_type(struct tls_content *content) +{ + return content->type; +} + +int +tls_content_dup_data(struct tls_content *content, uint8_t type, + const uint8_t *data, size_t data_len) +{ + uint8_t *dup; + + if ((dup = calloc(1, data_len)) == NULL) + return 0; + memcpy(dup, data, data_len); + + tls_content_set_data(content, type, dup, data_len); + + return 1; +} + +uint16_t +tls_content_epoch(struct tls_content *content) +{ + return content->epoch; +} + +void +tls_content_set_epoch(struct tls_content *content, uint16_t epoch) +{ + content->epoch = epoch; +} + +void +tls_content_set_data(struct tls_content *content, uint8_t type, + const uint8_t *data, size_t data_len) +{ + tls_content_clear(content); + + content->type = type; + content->data = data; + content->len = data_len; + + CBS_init(&content->cbs, content->data, content->len); +} + +static ssize_t +tls_content_read_internal(struct tls_content *content, uint8_t *buf, size_t n, + int peek) +{ + if (n > CBS_len(&content->cbs)) + n = CBS_len(&content->cbs); + + /* XXX - CBS_memcpy? CBS_copy_bytes? */ + memcpy(buf, CBS_data(&content->cbs), n); + + if (!peek) { + if (!CBS_skip(&content->cbs, n)) + return -1; + } + + return n; +} + +ssize_t +tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n) +{ + return tls_content_read_internal(content, buf, n, 1); +} + +ssize_t +tls_content_read(struct tls_content *content, uint8_t *buf, size_t n) +{ + return tls_content_read_internal(content, buf, n, 0); +} diff --git a/ssl/tls_content.h b/ssl/tls_content.h new file mode 100644 index 0000000..173af2a --- /dev/null +++ b/ssl/tls_content.h @@ -0,0 +1,48 @@ +/* $OpenBSD: tls_content.h,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef HEADER_TLS_CONTENT_H +#define HEADER_TLS_CONTENT_H + +#include "bytestring.h" + +__BEGIN_HIDDEN_DECLS + +struct tls_content; + +struct tls_content *tls_content_new(void); +void tls_content_clear(struct tls_content *content); +void tls_content_free(struct tls_content *content); + +CBS *tls_content_cbs(struct tls_content *content); +int tls_content_equal(struct tls_content *content, const uint8_t *buf, size_t n); +size_t tls_content_remaining(struct tls_content *content); +uint8_t tls_content_type(struct tls_content *content); +uint16_t tls_content_epoch(struct tls_content *content); + +int tls_content_dup_data(struct tls_content *content, uint8_t type, + const uint8_t *data, size_t data_len); +void tls_content_set_data(struct tls_content *content, uint8_t type, + const uint8_t *data, size_t data_len); +void tls_content_set_epoch(struct tls_content *content, uint16_t epoch); + +ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n); +ssize_t tls_content_read(struct tls_content *content, uint8_t *buf, size_t n); + +__END_HIDDEN_DECLS + +#endif diff --git a/tap-driver.sh b/tap-driver.sh index 865761d..0ca4903 100755 --- a/tap-driver.sh +++ b/tap-driver.sh @@ -369,7 +369,7 @@ function setup_result_obj(line) sub("^(not )?ok[ \t]*", "", line) # If the result has an explicit number, get it and strip it; otherwise, - # automatically assing the next progresive number to it. + # automatically assign the next test number to it. if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) { match(line, "^[0-9]+") diff --git a/test-driver b/test-driver index 89dba1e..9759384 100755 --- a/test-driver +++ b/test-driver @@ -42,11 +42,13 @@ print_usage () { cat < $ + $) target_include_directories(tls PRIVATE . @@ -37,8 +55,8 @@ target_include_directories(tls PUBLIC ../include) -export_symbol(tls ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym) -target_link_libraries(tls ssl crypto ${PLATFORM_LIBS}) +export_symbol(tls ${CMAKE_CURRENT_BINARY_DIR}/tls.sym) +target_link_libraries(tls ${PLATFORM_LIBS}) if (WIN32) set(TLS_POSTFIX -${TLS_MAJOR_VERSION}) endif() diff --git a/tls/VERSION b/tls/VERSION index 77c98b5..2005c06 100644 --- a/tls/VERSION +++ b/tls/VERSION @@ -1 +1 @@ -20:1:0 +22:0:0 diff --git a/tls/tls.c b/tls/tls.c index 3d6723b..262ec3d 100644 --- a/tls/tls.c +++ b/tls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.89 2021/02/01 15:35:41 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -326,12 +326,113 @@ tls_cert_pubkey_hash(X509 *cert, char **hash) return (rv); } +static int +tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey) +{ + BIO *bio = NULL; + X509 *x509 = NULL; + char *mem; + size_t len; + int ret = -1; + + *pkey = NULL; + + if (ctx->config->use_fake_private_key) { + mem = keypair->cert_mem; + len = keypair->cert_len; + } else { + mem = keypair->key_mem; + len = keypair->key_len; + } + + if (mem == NULL) + return (0); + + if (len > INT_MAX) { + tls_set_errorx(ctx, ctx->config->use_fake_private_key ? + "cert too long" : "key too long"); + goto err; + } + + if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { + tls_set_errorx(ctx, "failed to create buffer"); + goto err; + } + + if (ctx->config->use_fake_private_key) { + if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to read X509 certificate"); + goto err; + } + if ((*pkey = X509_get_pubkey(x509)) == NULL) { + tls_set_errorx(ctx, "failed to retrieve pubkey"); + goto err; + } + } else { + if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to read private key"); + goto err; + } + } + + ret = 0; + err: + BIO_free(bio); + X509_free(x509); + return (ret); +} + +static int +tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey) +{ + RSA *rsa = NULL; + EC_KEY *eckey = NULL; + int ret = -1; + + /* Only install the pubkey hash if fake private keys are used. */ + if (!ctx->config->skip_private_key_check) + return (0); + + if (keypair->pubkey_hash == NULL) { + tls_set_errorx(ctx, "public key hash not set"); + goto err; + } + + switch (EVP_PKEY_id(pkey)) { + case EVP_PKEY_RSA: + if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || + RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { + tls_set_errorx(ctx, "RSA key setup failure"); + goto err; + } + break; + case EVP_PKEY_EC: + if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || + ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { + tls_set_errorx(ctx, "EC key setup failure"); + goto err; + } + break; + default: + tls_set_errorx(ctx, "incorrect key type"); + goto err; + } + + ret = 0; + + err: + RSA_free(rsa); + EC_KEY_free(eckey); + return (ret); +} + int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, struct tls_keypair *keypair, int required) { EVP_PKEY *pkey = NULL; - BIO *bio = NULL; if (!required && keypair->cert_mem == NULL && @@ -351,38 +452,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, } } - if (keypair->key_mem != NULL) { - if (keypair->key_len > INT_MAX) { - tls_set_errorx(ctx, "key too long"); + if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1) + goto err; + if (pkey != NULL) { + if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) goto err; - } - - if ((bio = BIO_new_mem_buf(keypair->key_mem, - keypair->key_len)) == NULL) { - tls_set_errorx(ctx, "failed to create buffer"); - goto err; - } - if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, - NULL)) == NULL) { - tls_set_errorx(ctx, "failed to read private key"); - goto err; - } - - if (keypair->pubkey_hash != NULL) { - RSA *rsa; - /* XXX only RSA for now for relayd privsep */ - if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { - RSA_set_ex_data(rsa, 0, keypair->pubkey_hash); - RSA_free(rsa); - } - } - if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { tls_set_errorx(ctx, "failed to load private key"); goto err; } - BIO_free(bio); - bio = NULL; EVP_PKEY_free(pkey); pkey = NULL; } @@ -397,9 +475,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, err: EVP_PKEY_free(pkey); - BIO_free(bio); - return (1); + return (-1); } int diff --git a/tls/tls.sym b/tls/tls.sym index e3fcb67..42c039d 100644 --- a/tls/tls.sym +++ b/tls/tls.sym @@ -45,6 +45,7 @@ tls_config_set_session_lifetime tls_config_set_session_fd tls_config_set_verify_depth tls_config_skip_private_key_check +tls_config_use_fake_private_key tls_config_verify tls_config_verify_client tls_config_verify_client_optional diff --git a/tls/tls_client.c b/tls/tls_client.c index 04e4402..c45684d 100644 --- a/tls/tls_client.c +++ b/tls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.47 2021/06/01 20:26:11 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -279,6 +279,7 @@ static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; + size_t servername_len; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { @@ -291,6 +292,17 @@ tls_connect_common(struct tls *ctx, const char *servername) tls_set_errorx(ctx, "out of memory"); goto err; } + + /* + * If there's a trailing dot, remove it. While an FQDN includes + * the terminating dot representing the zero-length label of + * the root (RFC 8499, section 2), the SNI explicitly does not + * include it (RFC 6066, section 3). + */ + servername_len = strlen(ctx->servername); + if (servername_len > 0 && + ctx->servername[servername_len - 1] == '.') + ctx->servername[servername_len - 1] = '\0'; } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { @@ -306,7 +318,7 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; if (ctx->config->verify_name) { - if (servername == NULL) { + if (ctx->servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } @@ -350,13 +362,14 @@ tls_connect_common(struct tls *ctx, const char *servername) } /* - * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not + * RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ - if (servername != NULL && - inet_pton(AF_INET, servername, &addrbuf) != 1 && - inet_pton(AF_INET6, servername, &addrbuf) != 1) { - if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { + if (ctx->servername != NULL && + inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 && + inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) { + if (SSL_set_tlsext_host_name(ctx->ssl_conn, + ctx->servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } diff --git a/tls/tls_config.c b/tls/tls_config.c index ed47170..9144dad 100644 --- a/tls/tls_config.c +++ b/tls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.58 2020/01/20 08:39:21 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.63 2021/01/21 22:03:25 eric Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -179,6 +179,8 @@ tls_config_free(struct tls_config *config) free((char *)config->crl_mem); free(config->ecdhecurves); + pthread_mutex_destroy(&config->mutex); + free(config); } @@ -351,7 +353,8 @@ tls_config_add_keypair_file_internal(struct tls_config *config, return (-1); if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0) goto err; - if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) + if (key_file != NULL && + tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) goto err; if (ocsp_file != NULL && tls_keypair_set_ocsp_staple_file(keypair, &config->error, @@ -378,7 +381,8 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce return (-1); if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0) goto err; - if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0) + if (key != NULL && + tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0) goto err; if (staple != NULL && tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple, @@ -803,6 +807,13 @@ tls_config_skip_private_key_check(struct tls_config *config) config->skip_private_key_check = 1; } +void +tls_config_use_fake_private_key(struct tls_config *config) +{ + config->use_fake_private_key = 1; + config->skip_private_key_check = 1; +} + int tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) { diff --git a/tls/tls_conninfo.c b/tls/tls_conninfo.c index d44dc84..4d9ae29 100644 --- a/tls/tls_conninfo.c +++ b/tls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.21 2019/11/02 13:37:59 jsing Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.22 2021/01/05 15:57:38 tb Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2015 Bob Beck @@ -112,9 +112,6 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, if (ctx->ssl_peer_cert == NULL) return (-1); - memset(&before_tm, 0, sizeof(before_tm)); - memset(&after_tm, 0, sizeof(after_tm)); - if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL) goto err; if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL) diff --git a/tls/tls_internal.h b/tls/tls_internal.h index 1dd5f45..5487b12 100644 --- a/tls/tls_internal.h +++ b/tls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.77 2019/11/16 21:39:52 beck Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.78 2021/01/21 19:09:10 eric Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -111,6 +111,7 @@ struct tls_config { int verify_name; int verify_time; int skip_private_key_check; + int use_fake_private_key; }; struct tls_conninfo { @@ -294,5 +295,6 @@ __END_HIDDEN_DECLS /* XXX this function is not fully hidden so relayd can use it */ void tls_config_skip_private_key_check(struct tls_config *config); +void tls_config_use_fake_private_key(struct tls_config *config); #endif /* HEADER_TLS_INTERNAL_H */ diff --git a/tls/tls_keypair.c b/tls/tls_keypair.c index a98e5c2..a12d21d 100644 --- a/tls/tls_keypair.c +++ b/tls/tls_keypair.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_keypair.c,v 1.6 2018/04/07 16:35:34 jsing Exp $ */ +/* $OpenBSD: tls_keypair.c,v 1.8 2021/01/05 17:37:12 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -137,7 +137,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, { char *errstr = "unknown"; BIO *cert_bio = NULL; - int ssl_err; + unsigned long ssl_err; int rv = -1; X509_free(*cert); @@ -155,7 +155,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, NULL)) == NULL) { if ((ssl_err = ERR_peek_error()) != 0) - errstr = ERR_error_string(ssl_err, NULL); + errstr = ERR_error_string(ssl_err, NULL); tls_error_set(error, "failed to load certificate: %s", errstr); goto err; } diff --git a/tls/tls_ocsp.c b/tls/tls_ocsp.c index 32c372e..f00e6bc 100644 --- a/tls/tls_ocsp.c +++ b/tls/tls_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ocsp.c,v 1.19 2019/12/03 14:56:42 tb Exp $ */ +/* $OpenBSD: tls_ocsp.c,v 1.20 2021/03/23 20:04:29 tb Exp $ */ /* * Copyright (c) 2015 Marko Kreen * Copyright (c) 2016 Bob Beck @@ -218,7 +218,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) /* now verify */ if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { - tls_set_error(ctx, "ocsp verify failed"); + tls_set_errorx(ctx, "ocsp verify failed"); goto err; } diff --git a/tls/tls_server.c b/tls/tls_server.c index a709a2b..0a8ec47 100644 --- a/tls/tls_server.c +++ b/tls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.45 2019/05/13 22:36:01 bcook Exp $ */ +/* $OpenBSD: tls_server.c,v 1.47 2021/06/14 03:53:59 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -109,7 +109,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) inet_pton(AF_INET6, name, &addrbuf) == 1) return (SSL_TLSEXT_ERR_NOACK); - free((char *)conn_ctx->servername); + free(conn_ctx->servername); if ((conn_ctx->servername = strdup(name)) == NULL) goto err; @@ -133,7 +133,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) * There is no way to tell libssl that an internal failure occurred. * The only option we have is to return a fatal alert. */ - *al = TLS1_AD_INTERNAL_ERROR; + *al = SSL_AD_INTERNAL_ERROR; return (SSL_TLSEXT_ERR_ALERT_FATAL); } diff --git a/tls/tls_util.c b/tls/tls_util.c index b144fb1..d8103a5 100644 --- a/tls/tls_util.c +++ b/tls/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.14 2019/04/13 18:47:58 tb Exp $ */ +/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * Copyright (c) 2014 Ted Unangst @@ -92,7 +92,7 @@ tls_host_port(const char *hostport, char **host, char **port) *p++ = '\0'; } - /* Find the port seperator. */ + /* Find the port separator. */ if ((p = strchr(p, ':')) == NULL) goto done; diff --git a/x509v3.cnf b/x509v3.cnf new file mode 100644 index 0000000..d12d732 --- /dev/null +++ b/x509v3.cnf @@ -0,0 +1,29 @@ +# default settings +CERTPATHLEN = 1 +CERTUSAGE = digitalSignature,keyCertSign,cRLSign +EXTCERTUSAGE = serverAuth,clientAuth +CERTIP = 0.0.0.0 +CERTFQDN = nohost.nodomain + +# This section should be referenced when building an x509v3 CA +# Certificate. +# The default path length and the key usage can be overridden +# modified by setting the CERTPATHLEN and CERTUSAGE environment +# variables. +[x509v3_CA] +basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN +keyUsage=$ENV::CERTUSAGE + +# This section should be referenced to add an IP Address +# as an alternate subject name, needed by isakmpd +# The address must be provided in the CERTIP environment variable +[x509v3_IPAddr] +subjectAltName=IP:$ENV::CERTIP +extendedKeyUsage=$ENV::EXTCERTUSAGE + +# This section should be referenced to add a FQDN hostname +# as an alternate subject name, needed by isakmpd +# The address must be provided in the CERTFQDN environment variable +[x509v3_FQDN] +subjectAltName=DNS:$ENV::CERTFQDN +extendedKeyUsage=$ENV::EXTCERTUSAGE