+int
+tls1_heartbeat(SSL *s)
+ {
+ unsigned char *buf, *p;
+ int ret;
+ unsigned int payload = 18; /* Sequence number + random bytes */
+ unsigned int padding = 16; /* Use minimum padding */
+
+ /* Only send if peer supports and accepts HB requests... */
+ if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
+ s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
+ {
+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
+ return -1;
+ }
+
+ /* ...and there is none in flight yet... */
+ if (s->tlsext_hb_pending)
+ {
+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
+ return -1;
+ }
+
+ /* ...and no handshake in progress. */
+ if (SSL_in_init(s) || s->in_handshake)
+ {
+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
+ return -1;
+ }
+
+ /* Check if padding is too long, payload and padding
+ * must not exceed 2^14 - 3 = 16381 bytes in total.
+ */
+ OPENSSL_assert(payload + padding <= 16381);
+
+ /* Create HeartBeat message, we just use a sequence number
+ * as payload to distuingish different messages and add
+ * some random stuff.
+ * - Message Type, 1 byte
+ * - Payload Length, 2 bytes (unsigned int)
+ * - Payload, the sequence number (2 bytes uint)
+ * - Payload, random bytes (16 bytes uint)
+ * - Padding
+ */
+ buf = OPENSSL_malloc(1 + 2 + payload + padding);
+ p = buf;
+ /* Message Type */
+ *p++ = TLS1_HB_REQUEST;
+ /* Payload length (18 bytes here) */
+ s2n(payload, p);
+ /* Sequence number */
+ s2n(s->tlsext_hb_seq, p);
+ /* 16 random bytes */
+ RAND_pseudo_bytes(p, 16);
+ p += 16;
+ /* Random padding */
+ RAND_pseudo_bytes(p, padding);
+
+ ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
+ if (ret >= 0)
+ {
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
+ buf, 3 + payload + padding,
+ s, s->msg_callback_arg);
+
+ s->tlsext_hb_pending = 1;
+ }
+
+ OPENSSL_free(buf);
+
+ return ret;
+ }
+#endif
+
+#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+
+typedef struct
+ {
+ size_t sigalgcnt;
+ int sigalgs[MAX_SIGALGLEN];
+ } sig_cb_st;
+
+static int sig_cb(const char *elem, int len, void *arg)
+ {
+ sig_cb_st *sarg = arg;
+ size_t i;
+ char etmp[20], *p;
+ int sig_alg, hash_alg;
+ if (sarg->sigalgcnt == MAX_SIGALGLEN)
+ return 0;
+ if (len > (int)(sizeof(etmp) - 1))
+ return 0;
+ memcpy(etmp, elem, len);
+ etmp[len] = 0;
+ p = strchr(etmp, '+');
+ if (!p)
+ return 0;
+ *p = 0;
+ p++;
+ if (!*p)
+ return 0;
+
+ if (!strcmp(etmp, "RSA"))
+ sig_alg = EVP_PKEY_RSA;
+ else if (!strcmp(etmp, "DSA"))
+ sig_alg = EVP_PKEY_DSA;
+ else if (!strcmp(etmp, "ECDSA"))
+ sig_alg = EVP_PKEY_EC;
+ else return 0;
+
+ hash_alg = OBJ_sn2nid(p);
+ if (hash_alg == NID_undef)
+ hash_alg = OBJ_ln2nid(p);
+ if (hash_alg == NID_undef)
+ return 0;
+
+ for (i = 0; i < sarg->sigalgcnt; i+=2)
+ {
+ if (sarg->sigalgs[i] == sig_alg
+ && sarg->sigalgs[i + 1] == hash_alg)
+ return 0;
+ }
+ sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
+ sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
+ return 1;
+ }
+
+/* Set suppored signature algorithms based on a colon separated list
+ * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
+ {
+ sig_cb_st sig;
+ sig.sigalgcnt = 0;
+ if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
+ return 0;
+ return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
+ }
+
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
+ {
+ unsigned char *sigalgs, *sptr;
+ int rhash, rsign;
+ size_t i;
+ if (salglen & 1)
+ return 0;
+ sigalgs = OPENSSL_malloc(salglen);
+ if (sigalgs == NULL)
+ return 0;
+ for (i = 0, sptr = sigalgs; i < salglen; i+=2)
+ {
+ rhash = tls12_find_id(*psig_nids++, tls12_md,
+ sizeof(tls12_md)/sizeof(tls12_lookup));
+ rsign = tls12_find_id(*psig_nids++, tls12_sig,
+ sizeof(tls12_sig)/sizeof(tls12_lookup));
+
+ if (rhash == -1 || rsign == -1)
+ goto err;
+ *sptr++ = rhash;
+ *sptr++ = rsign;
+ }
+
+ if (client)
+ {
+ if (c->client_sigalgs)
+ OPENSSL_free(c->client_sigalgs);
+ c->client_sigalgs = sigalgs;
+ c->client_sigalgslen = salglen;
+ }
+ else
+ {
+ if (c->conf_sigalgs)
+ OPENSSL_free(c->conf_sigalgs);
+ c->conf_sigalgs = sigalgs;
+ c->conf_sigalgslen = salglen;
+ }
+
+ return 1;
+
+ err:
+ OPENSSL_free(sigalgs);
+ return 0;
+ }
+
+static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+ {
+ int sig_nid;
+ size_t i;
+ if (default_nid == -1)
+ return 1;
+ sig_nid = X509_get_signature_nid(x);
+ if (default_nid)
+ return sig_nid == default_nid ? 1 : 0;
+ for (i = 0; i < c->shared_sigalgslen; i++)
+ if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
+ return 1;
+ return 0;
+ }
+
+/* Check certificate chain is consistent with TLS extensions and is
+ * usable by server.
+ */
+int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
+ int idx)
+ {
+ int i;
+ int rv = CERT_PKEY_INVALID;
+ CERT_PKEY *cpk = NULL;
+ CERT *c = s->cert;
+ if (idx != -1)
+ {
+ cpk = c->pkeys + idx;
+ x = cpk->x509;
+ pk = cpk->privatekey;
+ chain = cpk->chain;
+ /* If no cert or key, forget it */
+ if (!x || !pk)
+ goto end;
+ }
+ else
+ {
+ idx = ssl_cert_type(x, pk);
+ if (idx == -1)
+ goto end;
+ }
+
+ /* Check all signature algorithms are consistent with
+ * signature algorithms extension if TLS 1.2 or later
+ * and strict mode.
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION
+ && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ {
+ int default_nid;
+ unsigned char rsign = 0;
+ if (c->peer_sigalgs)
+ default_nid = 0;
+ /* If no sigalgs extension use defaults from RFC5246 */
+ else
+ {
+ switch(idx)
+ {
+ case SSL_PKEY_RSA_ENC:
+ case SSL_PKEY_RSA_SIGN:
+ case SSL_PKEY_DH_RSA:
+ rsign = TLSEXT_signature_rsa;
+ default_nid = NID_sha1WithRSAEncryption;
+ break;
+
+ case SSL_PKEY_DSA_SIGN:
+ case SSL_PKEY_DH_DSA:
+ rsign = TLSEXT_signature_dsa;
+ default_nid = NID_dsaWithSHA1;
+ break;
+
+ case SSL_PKEY_ECC:
+ rsign = TLSEXT_signature_ecdsa;
+ default_nid = NID_ecdsa_with_SHA1;
+ break;
+
+ default:
+ default_nid = -1;
+ break;
+ }
+ }
+ /* If peer sent no signature algorithms extension and we
+ * have set preferred signature algorithms check we support
+ * sha1.
+ */
+ if (default_nid > 0 && c->conf_sigalgs)
+ {
+ size_t j;
+ const unsigned char *p = c->conf_sigalgs;
+ for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
+ {
+ if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
+ break;
+ }
+ if (j == c->conf_sigalgslen)
+ goto end;
+ }
+ /* Check signature algorithm of each cert in chain */
+ if (!tls1_check_sig_alg(c, x, default_nid))
+ goto end;
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
+ default_nid))
+ goto end;
+ }
+ }
+
+ /* Check cert parameters are consistent */
+ if (!tls1_check_cert_param(s, x))
+ goto end;
+ /* In strict mode check rest of chain too */
+ if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+ {
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
+ goto end;
+ }
+ }
+ rv = CERT_PKEY_VALID;
+
+ end:
+ if (cpk)
+ {
+ if (rv && cpk->digest)
+ rv |= CERT_PKEY_SIGN;
+ cpk->valid_flags = rv;
+ }
+ return rv;
+ }
+
+/* Set validity of certificates in an SSL structure */
+void tls1_set_cert_validity(SSL *s)
+ {
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+ }
+/* User level utiity function to check a chain is suitable */
+int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
+ {
+ return tls1_check_chain(s, x, pk, chain, -1);
+ }
+