1 /* $OpenBSD: t1_lib.c,v 1.84 2015/09/01 13:38:27 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409 { 410 CBS cbs; 411 const uint16_t *curves; 412 size_t curveslen, i; 413 uint8_t type; 414 uint16_t cid; 415 416 CBS_init(&cbs, p, len); 417 418 /* Only named curves are supported. */ 419 if (CBS_len(&cbs) != 3 || 420 !CBS_get_u8(&cbs, &type) || 421 type != NAMED_CURVE_TYPE || 422 !CBS_get_u16(&cbs, &cid)) 423 return (0); 424 425 tls1_get_curvelist(s, 0, &curves, &curveslen); 426 427 for (i = 0; i < curveslen; i++) { 428 if (curves[i] == cid) 429 return (1); 430 } 431 return (0); 432 } 433 434 int 435 tls1_get_shared_curve(SSL *s) 436 { 437 size_t preflen, supplen, i, j; 438 const uint16_t *pref, *supp; 439 unsigned long server_pref; 440 441 /* Cannot do anything on the client side. */ 442 if (s->server == 0) 443 return (NID_undef); 444 445 /* Return first preference shared curve. */ 446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449 450 for (i = 0; i < preflen; i++) { 451 for (j = 0; j < supplen; j++) { 452 if (pref[i] == supp[j]) 453 return (tls1_ec_curve_id2nid(pref[i])); 454 } 455 } 456 return (NID_undef); 457 } 458 459 /* For an EC key set TLS ID and required compression based on parameters. */ 460 static int 461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462 { 463 const EC_GROUP *grp; 464 const EC_METHOD *meth; 465 int is_prime = 0; 466 int nid, id; 467 468 if (ec == NULL) 469 return (0); 470 471 /* Determine if it is a prime field. */ 472 if ((grp = EC_KEY_get0_group(ec)) == NULL) 473 return (0); 474 if ((meth = EC_GROUP_method_of(grp)) == NULL) 475 return (0); 476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477 is_prime = 1; 478 479 /* Determine curve ID. */ 480 nid = EC_GROUP_get_curve_name(grp); 481 id = tls1_ec_nid2curve_id(nid); 482 483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484 if (id != 0) 485 *curve_id = id; 486 else 487 *curve_id = is_prime ? 0xff01 : 0xff02; 488 489 /* Specify the compression identifier. */ 490 if (comp_id != NULL) { 491 if (EC_KEY_get0_public_key(ec) == NULL) 492 return (0); 493 494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495 *comp_id = is_prime ? 496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498 } else { 499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500 } 501 } 502 return (1); 503 } 504 505 /* Check that an EC key is compatible with extensions. */ 506 static int 507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508 { 509 size_t curveslen, formatslen, i; 510 const uint16_t *curves; 511 const uint8_t *formats; 512 513 /* 514 * Check point formats extension if present, otherwise everything 515 * is supported (see RFC4492). 516 */ 517 tls1_get_formatlist(s, 1, &formats, &formatslen); 518 if (comp_id != NULL && formats != NULL) { 519 for (i = 0; i < formatslen; i++) { 520 if (formats[i] == *comp_id) 521 break; 522 } 523 if (i == formatslen) 524 return (0); 525 } 526 527 /* 528 * Check curve list if present, otherwise everything is supported. 529 */ 530 tls1_get_curvelist(s, 1, &curves, &curveslen); 531 if (curve_id != NULL && curves != NULL) { 532 for (i = 0; i < curveslen; i++) { 533 if (curves[i] == *curve_id) 534 break; 535 } 536 if (i == curveslen) 537 return (0); 538 } 539 540 return (1); 541 } 542 543 /* Check EC server key is compatible with client extensions. */ 544 int 545 tls1_check_ec_server_key(SSL *s) 546 { 547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548 uint16_t curve_id; 549 uint8_t comp_id; 550 EVP_PKEY *pkey; 551 int rv; 552 553 if (cpk->x509 == NULL || cpk->privatekey == NULL) 554 return (0); 555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556 return (0); 557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558 EVP_PKEY_free(pkey); 559 if (rv != 1) 560 return (0); 561 562 return tls1_check_ec_key(s, &curve_id, &comp_id); 563 } 564 565 /* Check EC temporary key is compatible with client extensions. */ 566 int 567 tls1_check_ec_tmp_key(SSL *s) 568 { 569 EC_KEY *ec = s->cert->ecdh_tmp; 570 uint16_t curve_id; 571 572 if (s->cert->ecdh_tmp_auto != 0) { 573 /* Need a shared curve. */ 574 if (tls1_get_shared_curve(s) != NID_undef) 575 return (1); 576 return (0); 577 } 578 579 if (ec == NULL) { 580 if (s->cert->ecdh_tmp_cb != NULL) 581 return (1); 582 return (0); 583 } 584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585 return (0); 586 587 return tls1_check_ec_key(s, &curve_id, NULL); 588 } 589 590 /* 591 * List of supported signature algorithms and hashes. Should make this 592 * customisable at some point, for now include everything we support. 593 */ 594 595 static unsigned char tls12_sigalgs[] = { 596 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601 #endif 602 603 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606 607 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610 611 #ifndef OPENSSL_NO_GOST 612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614 #endif 615 616 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619 620 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623 }; 624 625 int 626 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627 { 628 size_t slen = sizeof(tls12_sigalgs); 629 630 if (p) 631 memcpy(p, tls12_sigalgs, slen); 632 return (int)slen; 633 } 634 635 unsigned char * 636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637 { 638 int extdatalen = 0; 639 unsigned char *ret = p; 640 int using_ecc = 0; 641 642 /* See if we support any ECC ciphersuites. */ 643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645 unsigned long alg_k, alg_a; 646 int i; 647 648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650 651 alg_k = c->algorithm_mkey; 652 alg_a = c->algorithm_auth; 653 654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655 (alg_a & SSL_aECDSA))) { 656 using_ecc = 1; 657 break; 658 } 659 } 660 } 661 662 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 663 if (s->client_version == SSL3_VERSION && 664 !s->s3->send_connection_binding) 665 return p; 666 667 ret += 2; 668 669 if (ret >= limit) 670 return NULL; /* this really never occurs, but ... */ 671 672 if (s->tlsext_hostname != NULL) { 673 /* Add TLS extension servername to the Client Hello message */ 674 size_t size_str, lenmax; 675 676 /* check for enough space. 677 4 for the servername type and extension length 678 2 for servernamelist length 679 1 for the hostname type 680 2 for hostname length 681 + hostname length 682 */ 683 684 if ((size_t)(limit - ret) < 9) 685 return NULL; 686 687 lenmax = limit - ret - 9; 688 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 689 return NULL; 690 691 /* extension type and length */ 692 s2n(TLSEXT_TYPE_server_name, ret); 693 694 s2n(size_str + 5, ret); 695 696 /* length of servername list */ 697 s2n(size_str + 3, ret); 698 699 /* hostname type, length and hostname */ 700 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 701 s2n(size_str, ret); 702 memcpy(ret, s->tlsext_hostname, size_str); 703 ret += size_str; 704 } 705 706 /* Add RI if renegotiating */ 707 if (s->renegotiate) { 708 int el; 709 710 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 711 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 712 ERR_R_INTERNAL_ERROR); 713 return NULL; 714 } 715 716 if ((size_t)(limit - ret) < 4 + el) 717 return NULL; 718 719 s2n(TLSEXT_TYPE_renegotiate, ret); 720 s2n(el, ret); 721 722 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 723 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 724 ERR_R_INTERNAL_ERROR); 725 return NULL; 726 } 727 728 ret += el; 729 } 730 731 if (using_ecc) { 732 size_t curveslen, formatslen, lenmax; 733 const uint16_t *curves; 734 const uint8_t *formats; 735 int i; 736 737 /* 738 * Add TLS extension ECPointFormats to the ClientHello message. 739 */ 740 tls1_get_formatlist(s, 0, &formats, &formatslen); 741 742 if ((size_t)(limit - ret) < 5) 743 return NULL; 744 745 lenmax = limit - ret - 5; 746 if (formatslen > lenmax) 747 return NULL; 748 if (formatslen > 255) { 749 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 750 ERR_R_INTERNAL_ERROR); 751 return NULL; 752 } 753 754 s2n(TLSEXT_TYPE_ec_point_formats, ret); 755 s2n(formatslen + 1, ret); 756 *(ret++) = (unsigned char)formatslen; 757 memcpy(ret, formats, formatslen); 758 ret += formatslen; 759 760 /* 761 * Add TLS extension EllipticCurves to the ClientHello message. 762 */ 763 tls1_get_curvelist(s, 0, &curves, &curveslen); 764 765 if ((size_t)(limit - ret) < 6) 766 return NULL; 767 768 lenmax = limit - ret - 6; 769 if (curveslen > lenmax) 770 return NULL; 771 if (curveslen > 65532) { 772 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 773 ERR_R_INTERNAL_ERROR); 774 return NULL; 775 } 776 777 s2n(TLSEXT_TYPE_elliptic_curves, ret); 778 s2n((curveslen * 2) + 2, ret); 779 780 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 781 * elliptic_curve_list, but the examples use two bytes. 782 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 783 * resolves this to two bytes. 784 */ 785 s2n(curveslen * 2, ret); 786 for (i = 0; i < curveslen; i++) 787 s2n(curves[i], ret); 788 } 789 790 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 791 int ticklen; 792 if (!s->new_session && s->session && s->session->tlsext_tick) 793 ticklen = s->session->tlsext_ticklen; 794 else if (s->session && s->tlsext_session_ticket && 795 s->tlsext_session_ticket->data) { 796 ticklen = s->tlsext_session_ticket->length; 797 s->session->tlsext_tick = malloc(ticklen); 798 if (!s->session->tlsext_tick) 799 return NULL; 800 memcpy(s->session->tlsext_tick, 801 s->tlsext_session_ticket->data, ticklen); 802 s->session->tlsext_ticklen = ticklen; 803 } else 804 ticklen = 0; 805 if (ticklen == 0 && s->tlsext_session_ticket && 806 s->tlsext_session_ticket->data == NULL) 807 goto skip_ext; 808 /* Check for enough room 2 for extension type, 2 for len 809 * rest for ticket 810 */ 811 if ((size_t)(limit - ret) < 4 + ticklen) 812 return NULL; 813 s2n(TLSEXT_TYPE_session_ticket, ret); 814 815 s2n(ticklen, ret); 816 if (ticklen) { 817 memcpy(ret, s->session->tlsext_tick, ticklen); 818 ret += ticklen; 819 } 820 } 821 skip_ext: 822 823 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 824 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 825 return NULL; 826 827 s2n(TLSEXT_TYPE_signature_algorithms, ret); 828 s2n(sizeof(tls12_sigalgs) + 2, ret); 829 s2n(sizeof(tls12_sigalgs), ret); 830 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 831 ret += sizeof(tls12_sigalgs); 832 } 833 834 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 835 s->version != DTLS1_VERSION) { 836 int i; 837 long extlen, idlen, itmp; 838 OCSP_RESPID *id; 839 840 idlen = 0; 841 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 842 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 843 itmp = i2d_OCSP_RESPID(id, NULL); 844 if (itmp <= 0) 845 return NULL; 846 idlen += itmp + 2; 847 } 848 849 if (s->tlsext_ocsp_exts) { 850 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 851 if (extlen < 0) 852 return NULL; 853 } else 854 extlen = 0; 855 856 if ((size_t)(limit - ret) < 7 + extlen + idlen) 857 return NULL; 858 s2n(TLSEXT_TYPE_status_request, ret); 859 if (extlen + idlen > 0xFFF0) 860 return NULL; 861 s2n(extlen + idlen + 5, ret); 862 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 863 s2n(idlen, ret); 864 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 865 /* save position of id len */ 866 unsigned char *q = ret; 867 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 868 /* skip over id len */ 869 ret += 2; 870 itmp = i2d_OCSP_RESPID(id, &ret); 871 /* write id len */ 872 s2n(itmp, q); 873 } 874 s2n(extlen, ret); 875 if (extlen > 0) 876 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 877 } 878 879 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 880 /* The client advertises an emtpy extension to indicate its 881 * support for Next Protocol Negotiation */ 882 if ((size_t)(limit - ret) < 4) 883 return NULL; 884 s2n(TLSEXT_TYPE_next_proto_neg, ret); 885 s2n(0, ret); 886 } 887 888 if (s->alpn_client_proto_list != NULL && 889 s->s3->tmp.finish_md_len == 0) { 890 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 891 return (NULL); 892 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 893 s2n(2 + s->alpn_client_proto_list_len, ret); 894 s2n(s->alpn_client_proto_list_len, ret); 895 memcpy(ret, s->alpn_client_proto_list, 896 s->alpn_client_proto_list_len); 897 ret += s->alpn_client_proto_list_len; 898 } 899 900 #ifndef OPENSSL_NO_SRTP 901 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 902 int el; 903 904 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 905 906 if ((size_t)(limit - ret) < 4 + el) 907 return NULL; 908 909 s2n(TLSEXT_TYPE_use_srtp, ret); 910 s2n(el, ret); 911 912 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 913 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 914 ERR_R_INTERNAL_ERROR); 915 return NULL; 916 } 917 ret += el; 918 } 919 #endif 920 921 /* 922 * Add padding to workaround bugs in F5 terminators. 923 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 924 * 925 * Note that this seems to trigger issues with IronPort SMTP 926 * appliances. 927 * 928 * NB: because this code works out the length of all existing 929 * extensions it MUST always appear last. 930 */ 931 if (s->options & SSL_OP_TLSEXT_PADDING) { 932 int hlen = ret - (unsigned char *)s->init_buf->data; 933 934 /* 935 * The code in s23_clnt.c to build ClientHello messages 936 * includes the 5-byte record header in the buffer, while the 937 * code in s3_clnt.c does not. 938 */ 939 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 940 hlen -= 5; 941 if (hlen > 0xff && hlen < 0x200) { 942 hlen = 0x200 - hlen; 943 if (hlen >= 4) 944 hlen -= 4; 945 else 946 hlen = 0; 947 948 s2n(TLSEXT_TYPE_padding, ret); 949 s2n(hlen, ret); 950 memset(ret, 0, hlen); 951 ret += hlen; 952 } 953 } 954 955 if ((extdatalen = ret - p - 2) == 0) 956 return p; 957 958 s2n(extdatalen, p); 959 return ret; 960 } 961 962 unsigned char * 963 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 964 { 965 int using_ecc, extdatalen = 0; 966 unsigned long alg_a, alg_k; 967 unsigned char *ret = p; 968 int next_proto_neg_seen; 969 970 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 971 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 972 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 973 alg_a & SSL_aECDSA) && 974 s->session->tlsext_ecpointformatlist != NULL; 975 976 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 977 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 978 return p; 979 980 ret += 2; 981 if (ret >= limit) 982 return NULL; /* this really never occurs, but ... */ 983 984 if (!s->hit && s->servername_done == 1 && 985 s->session->tlsext_hostname != NULL) { 986 if ((size_t)(limit - ret) < 4) 987 return NULL; 988 989 s2n(TLSEXT_TYPE_server_name, ret); 990 s2n(0, ret); 991 } 992 993 if (s->s3->send_connection_binding) { 994 int el; 995 996 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 997 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 998 ERR_R_INTERNAL_ERROR); 999 return NULL; 1000 } 1001 1002 if ((size_t)(limit - ret) < 4 + el) 1003 return NULL; 1004 1005 s2n(TLSEXT_TYPE_renegotiate, ret); 1006 s2n(el, ret); 1007 1008 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1009 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1010 ERR_R_INTERNAL_ERROR); 1011 return NULL; 1012 } 1013 1014 ret += el; 1015 } 1016 1017 if (using_ecc && s->version != DTLS1_VERSION) { 1018 const unsigned char *formats; 1019 size_t formatslen, lenmax; 1020 1021 /* 1022 * Add TLS extension ECPointFormats to the ServerHello message. 1023 */ 1024 tls1_get_formatlist(s, 0, &formats, &formatslen); 1025 1026 if ((size_t)(limit - ret) < 5) 1027 return NULL; 1028 1029 lenmax = limit - ret - 5; 1030 if (formatslen > lenmax) 1031 return NULL; 1032 if (formatslen > 255) { 1033 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1034 ERR_R_INTERNAL_ERROR); 1035 return NULL; 1036 } 1037 1038 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1039 s2n(formatslen + 1, ret); 1040 *(ret++) = (unsigned char)formatslen; 1041 memcpy(ret, formats, formatslen); 1042 ret += formatslen; 1043 } 1044 1045 /* 1046 * Currently the server should not respond with a SupportedCurves 1047 * extension. 1048 */ 1049 1050 if (s->tlsext_ticket_expected && 1051 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1052 if ((size_t)(limit - ret) < 4) 1053 return NULL; 1054 1055 s2n(TLSEXT_TYPE_session_ticket, ret); 1056 s2n(0, ret); 1057 } 1058 1059 if (s->tlsext_status_expected) { 1060 if ((size_t)(limit - ret) < 4) 1061 return NULL; 1062 1063 s2n(TLSEXT_TYPE_status_request, ret); 1064 s2n(0, ret); 1065 } 1066 1067 #ifndef OPENSSL_NO_SRTP 1068 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1069 int el; 1070 1071 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1072 1073 if ((size_t)(limit - ret) < 4 + el) 1074 return NULL; 1075 1076 s2n(TLSEXT_TYPE_use_srtp, ret); 1077 s2n(el, ret); 1078 1079 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1080 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1081 ERR_R_INTERNAL_ERROR); 1082 return NULL; 1083 } 1084 ret += el; 1085 } 1086 #endif 1087 1088 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1089 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1090 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1091 static const unsigned char cryptopro_ext[36] = { 1092 0xfd, 0xe8, /*65000*/ 1093 0x00, 0x20, /*32 bytes length*/ 1094 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1095 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1096 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1097 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1098 }; 1099 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1100 return NULL; 1101 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1102 ret += sizeof(cryptopro_ext); 1103 } 1104 1105 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1106 s->s3->next_proto_neg_seen = 0; 1107 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1108 const unsigned char *npa; 1109 unsigned int npalen; 1110 int r; 1111 1112 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1113 s->ctx->next_protos_advertised_cb_arg); 1114 if (r == SSL_TLSEXT_ERR_OK) { 1115 if ((size_t)(limit - ret) < 4 + npalen) 1116 return NULL; 1117 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1118 s2n(npalen, ret); 1119 memcpy(ret, npa, npalen); 1120 ret += npalen; 1121 s->s3->next_proto_neg_seen = 1; 1122 } 1123 } 1124 1125 if (s->s3->alpn_selected != NULL) { 1126 const unsigned char *selected = s->s3->alpn_selected; 1127 unsigned int len = s->s3->alpn_selected_len; 1128 1129 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1130 return (NULL); 1131 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1132 s2n(3 + len, ret); 1133 s2n(1 + len, ret); 1134 *ret++ = len; 1135 memcpy(ret, selected, len); 1136 ret += len; 1137 } 1138 1139 if ((extdatalen = ret - p - 2) == 0) 1140 return p; 1141 1142 s2n(extdatalen, p); 1143 return ret; 1144 } 1145 1146 /* 1147 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1148 * ClientHello. 1149 * data: the contents of the extension, not including the type and length. 1150 * data_len: the number of bytes in data. 1151 * al: a pointer to the alert value to send in the event of a non-zero 1152 * return. 1153 * returns: 1 on success. 1154 */ 1155 static int 1156 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1157 unsigned int data_len, int *al) 1158 { 1159 CBS cbs, proto_name_list, alpn; 1160 const unsigned char *selected; 1161 unsigned char selected_len; 1162 int r; 1163 1164 if (s->ctx->alpn_select_cb == NULL) 1165 return (1); 1166 1167 if (data_len < 2) 1168 goto parse_error; 1169 1170 CBS_init(&cbs, data, data_len); 1171 1172 /* 1173 * data should contain a uint16 length followed by a series of 8-bit, 1174 * length-prefixed strings. 1175 */ 1176 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1177 CBS_len(&alpn) < 2 || 1178 CBS_len(&cbs) != 0) 1179 goto parse_error; 1180 1181 /* Validate data before sending to callback. */ 1182 CBS_dup(&alpn, &proto_name_list); 1183 while (CBS_len(&proto_name_list) > 0) { 1184 CBS proto_name; 1185 1186 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1187 CBS_len(&proto_name) == 0) 1188 goto parse_error; 1189 } 1190 1191 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1192 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1193 if (r == SSL_TLSEXT_ERR_OK) { 1194 free(s->s3->alpn_selected); 1195 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1196 *al = SSL_AD_INTERNAL_ERROR; 1197 return (-1); 1198 } 1199 memcpy(s->s3->alpn_selected, selected, selected_len); 1200 s->s3->alpn_selected_len = selected_len; 1201 } 1202 1203 return (1); 1204 1205 parse_error: 1206 *al = SSL_AD_DECODE_ERROR; 1207 return (0); 1208 } 1209 1210 int 1211 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1212 int n, int *al) 1213 { 1214 unsigned short type; 1215 unsigned short size; 1216 unsigned short len; 1217 unsigned char *data = *p; 1218 int renegotiate_seen = 0; 1219 int sigalg_seen = 0; 1220 1221 s->servername_done = 0; 1222 s->tlsext_status_type = -1; 1223 s->s3->next_proto_neg_seen = 0; 1224 free(s->s3->alpn_selected); 1225 s->s3->alpn_selected = NULL; 1226 1227 if (data >= (d + n - 2)) 1228 goto ri_check; 1229 n2s(data, len); 1230 1231 if (data > (d + n - len)) 1232 goto ri_check; 1233 1234 while (data <= (d + n - 4)) { 1235 n2s(data, type); 1236 n2s(data, size); 1237 1238 if (data + size > (d + n)) 1239 goto ri_check; 1240 if (s->tlsext_debug_cb) 1241 s->tlsext_debug_cb(s, 0, type, data, size, 1242 s->tlsext_debug_arg); 1243 /* The servername extension is treated as follows: 1244 1245 - Only the hostname type is supported with a maximum length of 255. 1246 - The servername is rejected if too long or if it contains zeros, 1247 in which case an fatal alert is generated. 1248 - The servername field is maintained together with the session cache. 1249 - When a session is resumed, the servername call back invoked in order 1250 to allow the application to position itself to the right context. 1251 - The servername is acknowledged if it is new for a session or when 1252 it is identical to a previously used for the same session. 1253 Applications can control the behaviour. They can at any time 1254 set a 'desirable' servername for a new SSL object. This can be the 1255 case for example with HTTPS when a Host: header field is received and 1256 a renegotiation is requested. In this case, a possible servername 1257 presented in the new client hello is only acknowledged if it matches 1258 the value of the Host: field. 1259 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1260 if they provide for changing an explicit servername context for the session, 1261 i.e. when the session has been established with a servername extension. 1262 - On session reconnect, the servername extension may be absent. 1263 1264 */ 1265 1266 if (type == TLSEXT_TYPE_server_name) { 1267 unsigned char *sdata; 1268 int servname_type; 1269 int dsize; 1270 1271 if (size < 2) { 1272 *al = SSL_AD_DECODE_ERROR; 1273 return 0; 1274 } 1275 n2s(data, dsize); 1276 1277 size -= 2; 1278 if (dsize > size) { 1279 *al = SSL_AD_DECODE_ERROR; 1280 return 0; 1281 } 1282 1283 sdata = data; 1284 while (dsize > 3) { 1285 servname_type = *(sdata++); 1286 1287 n2s(sdata, len); 1288 dsize -= 3; 1289 1290 if (len > dsize) { 1291 *al = SSL_AD_DECODE_ERROR; 1292 return 0; 1293 } 1294 if (s->servername_done == 0) 1295 switch (servname_type) { 1296 case TLSEXT_NAMETYPE_host_name: 1297 if (!s->hit) { 1298 if (s->session->tlsext_hostname) { 1299 *al = SSL_AD_DECODE_ERROR; 1300 return 0; 1301 } 1302 if (len > TLSEXT_MAXLEN_host_name) { 1303 *al = TLS1_AD_UNRECOGNIZED_NAME; 1304 return 0; 1305 } 1306 if ((s->session->tlsext_hostname = 1307 malloc(len + 1)) == NULL) { 1308 *al = TLS1_AD_INTERNAL_ERROR; 1309 return 0; 1310 } 1311 memcpy(s->session->tlsext_hostname, sdata, len); 1312 s->session->tlsext_hostname[len] = '\0'; 1313 if (strlen(s->session->tlsext_hostname) != len) { 1314 free(s->session->tlsext_hostname); 1315 s->session->tlsext_hostname = NULL; 1316 *al = TLS1_AD_UNRECOGNIZED_NAME; 1317 return 0; 1318 } 1319 s->servername_done = 1; 1320 1321 1322 } else { 1323 s->servername_done = s->session->tlsext_hostname && 1324 strlen(s->session->tlsext_hostname) == len && 1325 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1326 } 1327 break; 1328 1329 default: 1330 break; 1331 } 1332 1333 dsize -= len; 1334 } 1335 if (dsize != 0) { 1336 *al = SSL_AD_DECODE_ERROR; 1337 return 0; 1338 } 1339 1340 } 1341 1342 else if (type == TLSEXT_TYPE_ec_point_formats && 1343 s->version != DTLS1_VERSION) { 1344 unsigned char *sdata = data; 1345 size_t formatslen; 1346 uint8_t *formats; 1347 1348 if (size < 1) { 1349 *al = TLS1_AD_DECODE_ERROR; 1350 return 0; 1351 } 1352 formatslen = *(sdata++); 1353 if (formatslen != size - 1) { 1354 *al = TLS1_AD_DECODE_ERROR; 1355 return 0; 1356 } 1357 1358 if (!s->hit) { 1359 free(s->session->tlsext_ecpointformatlist); 1360 s->session->tlsext_ecpointformatlist = NULL; 1361 s->session->tlsext_ecpointformatlist_length = 0; 1362 1363 if ((formats = reallocarray(NULL, formatslen, 1364 sizeof(uint8_t))) == NULL) { 1365 *al = TLS1_AD_INTERNAL_ERROR; 1366 return 0; 1367 } 1368 memcpy(formats, sdata, formatslen); 1369 s->session->tlsext_ecpointformatlist = formats; 1370 s->session->tlsext_ecpointformatlist_length = 1371 formatslen; 1372 } 1373 } else if (type == TLSEXT_TYPE_elliptic_curves && 1374 s->version != DTLS1_VERSION) { 1375 unsigned char *sdata = data; 1376 size_t curveslen, i; 1377 uint16_t *curves; 1378 1379 if (size < 2) { 1380 *al = TLS1_AD_DECODE_ERROR; 1381 return 0; 1382 } 1383 n2s(sdata, curveslen); 1384 if (curveslen != size - 2 || curveslen % 2 != 0) { 1385 *al = TLS1_AD_DECODE_ERROR; 1386 return 0; 1387 } 1388 curveslen /= 2; 1389 1390 if (!s->hit) { 1391 if (s->session->tlsext_ellipticcurvelist) { 1392 *al = TLS1_AD_DECODE_ERROR; 1393 return 0; 1394 } 1395 s->session->tlsext_ellipticcurvelist_length = 0; 1396 if ((curves = reallocarray(NULL, curveslen, 1397 sizeof(uint16_t))) == NULL) { 1398 *al = TLS1_AD_INTERNAL_ERROR; 1399 return 0; 1400 } 1401 for (i = 0; i < curveslen; i++) 1402 n2s(sdata, curves[i]); 1403 s->session->tlsext_ellipticcurvelist = curves; 1404 s->session->tlsext_ellipticcurvelist_length = curveslen; 1405 } 1406 } 1407 else if (type == TLSEXT_TYPE_session_ticket) { 1408 if (s->tls_session_ticket_ext_cb && 1409 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1410 *al = TLS1_AD_INTERNAL_ERROR; 1411 return 0; 1412 } 1413 } else if (type == TLSEXT_TYPE_renegotiate) { 1414 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1415 return 0; 1416 renegotiate_seen = 1; 1417 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1418 int dsize; 1419 if (sigalg_seen || size < 2) { 1420 *al = SSL_AD_DECODE_ERROR; 1421 return 0; 1422 } 1423 sigalg_seen = 1; 1424 n2s(data, dsize); 1425 size -= 2; 1426 if (dsize != size || dsize & 1) { 1427 *al = SSL_AD_DECODE_ERROR; 1428 return 0; 1429 } 1430 if (!tls1_process_sigalgs(s, data, dsize)) { 1431 *al = SSL_AD_DECODE_ERROR; 1432 return 0; 1433 } 1434 } else if (type == TLSEXT_TYPE_status_request && 1435 s->version != DTLS1_VERSION) { 1436 1437 if (size < 5) { 1438 *al = SSL_AD_DECODE_ERROR; 1439 return 0; 1440 } 1441 1442 s->tlsext_status_type = *data++; 1443 size--; 1444 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1445 const unsigned char *sdata; 1446 int dsize; 1447 /* Read in responder_id_list */ 1448 n2s(data, dsize); 1449 size -= 2; 1450 if (dsize > size ) { 1451 *al = SSL_AD_DECODE_ERROR; 1452 return 0; 1453 } 1454 while (dsize > 0) { 1455 OCSP_RESPID *id; 1456 int idsize; 1457 if (dsize < 4) { 1458 *al = SSL_AD_DECODE_ERROR; 1459 return 0; 1460 } 1461 n2s(data, idsize); 1462 dsize -= 2 + idsize; 1463 size -= 2 + idsize; 1464 if (dsize < 0) { 1465 *al = SSL_AD_DECODE_ERROR; 1466 return 0; 1467 } 1468 sdata = data; 1469 data += idsize; 1470 id = d2i_OCSP_RESPID(NULL, 1471 &sdata, idsize); 1472 if (!id) { 1473 *al = SSL_AD_DECODE_ERROR; 1474 return 0; 1475 } 1476 if (data != sdata) { 1477 OCSP_RESPID_free(id); 1478 *al = SSL_AD_DECODE_ERROR; 1479 return 0; 1480 } 1481 if (!s->tlsext_ocsp_ids && 1482 !(s->tlsext_ocsp_ids = 1483 sk_OCSP_RESPID_new_null())) { 1484 OCSP_RESPID_free(id); 1485 *al = SSL_AD_INTERNAL_ERROR; 1486 return 0; 1487 } 1488 if (!sk_OCSP_RESPID_push( 1489 s->tlsext_ocsp_ids, id)) { 1490 OCSP_RESPID_free(id); 1491 *al = SSL_AD_INTERNAL_ERROR; 1492 return 0; 1493 } 1494 } 1495 1496 /* Read in request_extensions */ 1497 if (size < 2) { 1498 *al = SSL_AD_DECODE_ERROR; 1499 return 0; 1500 } 1501 n2s(data, dsize); 1502 size -= 2; 1503 if (dsize != size) { 1504 *al = SSL_AD_DECODE_ERROR; 1505 return 0; 1506 } 1507 sdata = data; 1508 if (dsize > 0) { 1509 if (s->tlsext_ocsp_exts) { 1510 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1511 X509_EXTENSION_free); 1512 } 1513 1514 s->tlsext_ocsp_exts = 1515 d2i_X509_EXTENSIONS(NULL, 1516 &sdata, dsize); 1517 if (!s->tlsext_ocsp_exts || 1518 (data + dsize != sdata)) { 1519 *al = SSL_AD_DECODE_ERROR; 1520 return 0; 1521 } 1522 } 1523 } else { 1524 /* We don't know what to do with any other type 1525 * so ignore it. 1526 */ 1527 s->tlsext_status_type = -1; 1528 } 1529 } 1530 else if (type == TLSEXT_TYPE_next_proto_neg && 1531 s->s3->tmp.finish_md_len == 0 && 1532 s->s3->alpn_selected == NULL) { 1533 /* We shouldn't accept this extension on a 1534 * renegotiation. 1535 * 1536 * s->new_session will be set on renegotiation, but we 1537 * probably shouldn't rely that it couldn't be set on 1538 * the initial renegotation too in certain cases (when 1539 * there's some other reason to disallow resuming an 1540 * earlier session -- the current code won't be doing 1541 * anything like that, but this might change). 1542 1543 * A valid sign that there's been a previous handshake 1544 * in this connection is if s->s3->tmp.finish_md_len > 1545 * 0. (We are talking about a check that will happen 1546 * in the Hello protocol round, well before a new 1547 * Finished message could have been computed.) */ 1548 s->s3->next_proto_neg_seen = 1; 1549 } 1550 else if (type == 1551 TLSEXT_TYPE_application_layer_protocol_negotiation && 1552 s->ctx->alpn_select_cb != NULL && 1553 s->s3->tmp.finish_md_len == 0) { 1554 if (tls1_alpn_handle_client_hello(s, data, 1555 size, al) != 1) 1556 return (0); 1557 /* ALPN takes precedence over NPN. */ 1558 s->s3->next_proto_neg_seen = 0; 1559 } 1560 1561 /* session ticket processed earlier */ 1562 #ifndef OPENSSL_NO_SRTP 1563 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1564 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1565 return 0; 1566 } 1567 #endif 1568 1569 data += size; 1570 } 1571 1572 *p = data; 1573 1574 ri_check: 1575 1576 /* Need RI if renegotiating */ 1577 1578 if (!renegotiate_seen && s->renegotiate) { 1579 *al = SSL_AD_HANDSHAKE_FAILURE; 1580 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1581 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1582 return 0; 1583 } 1584 1585 return 1; 1586 } 1587 1588 /* 1589 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1590 * elements of zero length are allowed and the set of elements must exactly fill 1591 * the length of the block. 1592 */ 1593 static char 1594 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1595 { 1596 CBS npn, value; 1597 1598 CBS_init(&npn, d, len); 1599 while (CBS_len(&npn) > 0) { 1600 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1601 CBS_len(&value) == 0) 1602 return 0; 1603 } 1604 return 1; 1605 } 1606 1607 int 1608 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1609 int n, int *al) 1610 { 1611 unsigned short length; 1612 unsigned short type; 1613 unsigned short size; 1614 unsigned char *data = *p; 1615 int tlsext_servername = 0; 1616 int renegotiate_seen = 0; 1617 1618 s->s3->next_proto_neg_seen = 0; 1619 free(s->s3->alpn_selected); 1620 s->s3->alpn_selected = NULL; 1621 1622 if (data >= (d + n - 2)) 1623 goto ri_check; 1624 1625 n2s(data, length); 1626 if (data + length != d + n) { 1627 *al = SSL_AD_DECODE_ERROR; 1628 return 0; 1629 } 1630 1631 while (data <= (d + n - 4)) { 1632 n2s(data, type); 1633 n2s(data, size); 1634 1635 if (data + size > (d + n)) 1636 goto ri_check; 1637 1638 if (s->tlsext_debug_cb) 1639 s->tlsext_debug_cb(s, 1, type, data, size, 1640 s->tlsext_debug_arg); 1641 1642 if (type == TLSEXT_TYPE_server_name) { 1643 if (s->tlsext_hostname == NULL || size > 0) { 1644 *al = TLS1_AD_UNRECOGNIZED_NAME; 1645 return 0; 1646 } 1647 tlsext_servername = 1; 1648 1649 } 1650 else if (type == TLSEXT_TYPE_ec_point_formats && 1651 s->version != DTLS1_VERSION) { 1652 unsigned char *sdata = data; 1653 size_t formatslen; 1654 uint8_t *formats; 1655 1656 if (size < 1) { 1657 *al = TLS1_AD_DECODE_ERROR; 1658 return 0; 1659 } 1660 formatslen = *(sdata++); 1661 if (formatslen != size - 1) { 1662 *al = TLS1_AD_DECODE_ERROR; 1663 return 0; 1664 } 1665 1666 if (!s->hit) { 1667 free(s->session->tlsext_ecpointformatlist); 1668 s->session->tlsext_ecpointformatlist = NULL; 1669 s->session->tlsext_ecpointformatlist_length = 0; 1670 1671 if ((formats = reallocarray(NULL, formatslen, 1672 sizeof(uint8_t))) == NULL) { 1673 *al = TLS1_AD_INTERNAL_ERROR; 1674 return 0; 1675 } 1676 memcpy(formats, sdata, formatslen); 1677 s->session->tlsext_ecpointformatlist = formats; 1678 s->session->tlsext_ecpointformatlist_length = 1679 formatslen; 1680 } 1681 } 1682 else if (type == TLSEXT_TYPE_session_ticket) { 1683 if (s->tls_session_ticket_ext_cb && 1684 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1685 *al = TLS1_AD_INTERNAL_ERROR; 1686 return 0; 1687 } 1688 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1689 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1690 return 0; 1691 } 1692 s->tlsext_ticket_expected = 1; 1693 } 1694 else if (type == TLSEXT_TYPE_status_request && 1695 s->version != DTLS1_VERSION) { 1696 /* MUST be empty and only sent if we've requested 1697 * a status request message. 1698 */ 1699 if ((s->tlsext_status_type == -1) || (size > 0)) { 1700 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1701 return 0; 1702 } 1703 /* Set flag to expect CertificateStatus message */ 1704 s->tlsext_status_expected = 1; 1705 } 1706 else if (type == TLSEXT_TYPE_next_proto_neg && 1707 s->s3->tmp.finish_md_len == 0) { 1708 unsigned char *selected; 1709 unsigned char selected_len; 1710 1711 /* We must have requested it. */ 1712 if (s->ctx->next_proto_select_cb == NULL) { 1713 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1714 return 0; 1715 } 1716 /* The data must be valid */ 1717 if (!ssl_next_proto_validate(data, size)) { 1718 *al = TLS1_AD_DECODE_ERROR; 1719 return 0; 1720 } 1721 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1722 *al = TLS1_AD_INTERNAL_ERROR; 1723 return 0; 1724 } 1725 s->next_proto_negotiated = malloc(selected_len); 1726 if (!s->next_proto_negotiated) { 1727 *al = TLS1_AD_INTERNAL_ERROR; 1728 return 0; 1729 } 1730 memcpy(s->next_proto_negotiated, selected, selected_len); 1731 s->next_proto_negotiated_len = selected_len; 1732 s->s3->next_proto_neg_seen = 1; 1733 } 1734 else if (type == 1735 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1736 unsigned int len; 1737 1738 /* We must have requested it. */ 1739 if (s->alpn_client_proto_list == NULL) { 1740 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1741 return 0; 1742 } 1743 if (size < 4) { 1744 *al = TLS1_AD_DECODE_ERROR; 1745 return (0); 1746 } 1747 1748 /* The extension data consists of: 1749 * uint16 list_length 1750 * uint8 proto_length; 1751 * uint8 proto[proto_length]; */ 1752 len = ((unsigned int)data[0]) << 8 | 1753 ((unsigned int)data[1]); 1754 if (len != (unsigned int)size - 2) { 1755 *al = TLS1_AD_DECODE_ERROR; 1756 return (0); 1757 } 1758 len = data[2]; 1759 if (len != (unsigned int)size - 3) { 1760 *al = TLS1_AD_DECODE_ERROR; 1761 return (0); 1762 } 1763 free(s->s3->alpn_selected); 1764 s->s3->alpn_selected = malloc(len); 1765 if (s->s3->alpn_selected == NULL) { 1766 *al = TLS1_AD_INTERNAL_ERROR; 1767 return (0); 1768 } 1769 memcpy(s->s3->alpn_selected, data + 3, len); 1770 s->s3->alpn_selected_len = len; 1771 1772 } else if (type == TLSEXT_TYPE_renegotiate) { 1773 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1774 return 0; 1775 renegotiate_seen = 1; 1776 } 1777 #ifndef OPENSSL_NO_SRTP 1778 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1779 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1780 size, al)) 1781 return 0; 1782 } 1783 #endif 1784 1785 data += size; 1786 1787 } 1788 1789 if (data != d + n) { 1790 *al = SSL_AD_DECODE_ERROR; 1791 return 0; 1792 } 1793 1794 if (!s->hit && tlsext_servername == 1) { 1795 if (s->tlsext_hostname) { 1796 if (s->session->tlsext_hostname == NULL) { 1797 s->session->tlsext_hostname = 1798 strdup(s->tlsext_hostname); 1799 1800 if (!s->session->tlsext_hostname) { 1801 *al = SSL_AD_UNRECOGNIZED_NAME; 1802 return 0; 1803 } 1804 } else { 1805 *al = SSL_AD_DECODE_ERROR; 1806 return 0; 1807 } 1808 } 1809 } 1810 1811 *p = data; 1812 1813 ri_check: 1814 1815 /* Determine if we need to see RI. Strictly speaking if we want to 1816 * avoid an attack we should *always* see RI even on initial server 1817 * hello because the client doesn't see any renegotiation during an 1818 * attack. However this would mean we could not connect to any server 1819 * which doesn't support RI so for the immediate future tolerate RI 1820 * absence on initial connect only. 1821 */ 1822 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1823 *al = SSL_AD_HANDSHAKE_FAILURE; 1824 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1825 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1826 return 0; 1827 } 1828 1829 return 1; 1830 } 1831 1832 int 1833 ssl_check_clienthello_tlsext_early(SSL *s) 1834 { 1835 int ret = SSL_TLSEXT_ERR_NOACK; 1836 int al = SSL_AD_UNRECOGNIZED_NAME; 1837 1838 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1839 * ssl3_choose_cipher in s3_lib.c. 1840 */ 1841 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1842 * ssl3_choose_cipher in s3_lib.c. 1843 */ 1844 1845 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1846 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1847 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1848 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1849 1850 switch (ret) { 1851 case SSL_TLSEXT_ERR_ALERT_FATAL: 1852 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1853 return -1; 1854 case SSL_TLSEXT_ERR_ALERT_WARNING: 1855 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1856 return 1; 1857 case SSL_TLSEXT_ERR_NOACK: 1858 s->servername_done = 0; 1859 default: 1860 return 1; 1861 } 1862 } 1863 1864 int 1865 ssl_check_clienthello_tlsext_late(SSL *s) 1866 { 1867 int ret = SSL_TLSEXT_ERR_OK; 1868 int al = 0; /* XXX gcc3 */ 1869 1870 /* If status request then ask callback what to do. 1871 * Note: this must be called after servername callbacks in case 1872 * the certificate has changed, and must be called after the cipher 1873 * has been chosen because this may influence which certificate is sent 1874 */ 1875 if ((s->tlsext_status_type != -1) && 1876 s->ctx && s->ctx->tlsext_status_cb) { 1877 int r; 1878 CERT_PKEY *certpkey; 1879 certpkey = ssl_get_server_send_pkey(s); 1880 /* If no certificate can't return certificate status */ 1881 if (certpkey == NULL) { 1882 s->tlsext_status_expected = 0; 1883 return 1; 1884 } 1885 /* Set current certificate to one we will use so 1886 * SSL_get_certificate et al can pick it up. 1887 */ 1888 s->cert->key = certpkey; 1889 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1890 switch (r) { 1891 /* We don't want to send a status request response */ 1892 case SSL_TLSEXT_ERR_NOACK: 1893 s->tlsext_status_expected = 0; 1894 break; 1895 /* status request response should be sent */ 1896 case SSL_TLSEXT_ERR_OK: 1897 if (s->tlsext_ocsp_resp) 1898 s->tlsext_status_expected = 1; 1899 else 1900 s->tlsext_status_expected = 0; 1901 break; 1902 /* something bad happened */ 1903 case SSL_TLSEXT_ERR_ALERT_FATAL: 1904 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1905 al = SSL_AD_INTERNAL_ERROR; 1906 goto err; 1907 } 1908 } else 1909 s->tlsext_status_expected = 0; 1910 1911 err: 1912 switch (ret) { 1913 case SSL_TLSEXT_ERR_ALERT_FATAL: 1914 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1915 return -1; 1916 case SSL_TLSEXT_ERR_ALERT_WARNING: 1917 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1918 return 1; 1919 default: 1920 return 1; 1921 } 1922 } 1923 1924 int 1925 ssl_check_serverhello_tlsext(SSL *s) 1926 { 1927 int ret = SSL_TLSEXT_ERR_NOACK; 1928 int al = SSL_AD_UNRECOGNIZED_NAME; 1929 1930 /* If we are client and using an elliptic curve cryptography cipher 1931 * suite, then if server returns an EC point formats lists extension 1932 * it must contain uncompressed. 1933 */ 1934 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1935 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1936 if ((s->tlsext_ecpointformatlist != NULL) && 1937 (s->tlsext_ecpointformatlist_length > 0) && 1938 (s->session->tlsext_ecpointformatlist != NULL) && 1939 (s->session->tlsext_ecpointformatlist_length > 0) && 1940 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1941 /* we are using an ECC cipher */ 1942 size_t i; 1943 unsigned char *list; 1944 int found_uncompressed = 0; 1945 list = s->session->tlsext_ecpointformatlist; 1946 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1947 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1948 found_uncompressed = 1; 1949 break; 1950 } 1951 } 1952 if (!found_uncompressed) { 1953 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1954 return -1; 1955 } 1956 } 1957 ret = SSL_TLSEXT_ERR_OK; 1958 1959 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1960 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1961 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1962 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1963 1964 /* If we've requested certificate status and we wont get one 1965 * tell the callback 1966 */ 1967 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1968 s->ctx && s->ctx->tlsext_status_cb) { 1969 int r; 1970 /* Set resp to NULL, resplen to -1 so callback knows 1971 * there is no response. 1972 */ 1973 free(s->tlsext_ocsp_resp); 1974 s->tlsext_ocsp_resp = NULL; 1975 s->tlsext_ocsp_resplen = -1; 1976 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1977 if (r == 0) { 1978 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1979 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1980 } 1981 if (r < 0) { 1982 al = SSL_AD_INTERNAL_ERROR; 1983 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1984 } 1985 } 1986 1987 switch (ret) { 1988 case SSL_TLSEXT_ERR_ALERT_FATAL: 1989 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1990 1991 return -1; 1992 case SSL_TLSEXT_ERR_ALERT_WARNING: 1993 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1994 1995 return 1; 1996 case SSL_TLSEXT_ERR_NOACK: 1997 s->servername_done = 0; 1998 default: 1999 return 1; 2000 } 2001 } 2002 2003 /* Since the server cache lookup is done early on in the processing of the 2004 * ClientHello, and other operations depend on the result, we need to handle 2005 * any TLS session ticket extension at the same time. 2006 * 2007 * session_id: points at the session ID in the ClientHello. This code will 2008 * read past the end of this in order to parse out the session ticket 2009 * extension, if any. 2010 * len: the length of the session ID. 2011 * limit: a pointer to the first byte after the ClientHello. 2012 * ret: (output) on return, if a ticket was decrypted, then this is set to 2013 * point to the resulting session. 2014 * 2015 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2016 * ciphersuite, in which case we have no use for session tickets and one will 2017 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2018 * 2019 * Returns: 2020 * -1: fatal error, either from parsing or decrypting the ticket. 2021 * 0: no ticket was found (or was ignored, based on settings). 2022 * 1: a zero length extension was found, indicating that the client supports 2023 * session tickets but doesn't currently have one to offer. 2024 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2025 * couldn't be decrypted because of a non-fatal error. 2026 * 3: a ticket was successfully decrypted and *ret was set. 2027 * 2028 * Side effects: 2029 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2030 * a new session ticket to the client because the client indicated support 2031 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2032 * a session ticket or we couldn't use the one it gave us, or if 2033 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2034 * Otherwise, s->tlsext_ticket_expected is set to 0. 2035 */ 2036 int 2037 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2038 const unsigned char *limit, SSL_SESSION **ret) 2039 { 2040 /* Point after session ID in client hello */ 2041 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2042 2043 *ret = NULL; 2044 s->tlsext_ticket_expected = 0; 2045 2046 /* If tickets disabled behave as if no ticket present 2047 * to permit stateful resumption. 2048 */ 2049 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2050 return 0; 2051 if (s->version <= SSL3_VERSION || !limit) 2052 return 0; 2053 2054 if (limit < session) 2055 return -1; 2056 2057 CBS_init(&session_id, session, limit - session); 2058 2059 /* Skip past the session id */ 2060 if (!CBS_skip(&session_id, session_len)) 2061 return -1; 2062 2063 /* Skip past DTLS cookie */ 2064 if (SSL_IS_DTLS(s)) { 2065 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2066 return -1; 2067 } 2068 2069 /* Skip past cipher list */ 2070 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2071 return -1; 2072 2073 /* Skip past compression algorithm list */ 2074 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2075 return -1; 2076 2077 /* Now at start of extensions */ 2078 if (CBS_len(&session_id) == 0) 2079 return 0; 2080 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2081 return -1; 2082 2083 while (CBS_len(&extensions) > 0) { 2084 CBS ext_data; 2085 uint16_t ext_type; 2086 2087 if (!CBS_get_u16(&extensions, &ext_type) || 2088 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2089 return -1; 2090 2091 if (ext_type == TLSEXT_TYPE_session_ticket) { 2092 int r; 2093 if (CBS_len(&ext_data) == 0) { 2094 /* The client will accept a ticket but doesn't 2095 * currently have one. */ 2096 s->tlsext_ticket_expected = 1; 2097 return 1; 2098 } 2099 if (s->tls_session_secret_cb) { 2100 /* Indicate that the ticket couldn't be 2101 * decrypted rather than generating the session 2102 * from ticket now, trigger abbreviated 2103 * handshake based on external mechanism to 2104 * calculate the master secret later. */ 2105 return 2; 2106 } 2107 2108 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2109 CBS_len(&ext_data), session, session_len, ret); 2110 2111 switch (r) { 2112 case 2: /* ticket couldn't be decrypted */ 2113 s->tlsext_ticket_expected = 1; 2114 return 2; 2115 case 3: /* ticket was decrypted */ 2116 return r; 2117 case 4: /* ticket decrypted but need to renew */ 2118 s->tlsext_ticket_expected = 1; 2119 return 3; 2120 default: /* fatal error */ 2121 return -1; 2122 } 2123 } 2124 } 2125 return 0; 2126 } 2127 2128 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2129 * 2130 * etick: points to the body of the session ticket extension. 2131 * eticklen: the length of the session tickets extenion. 2132 * sess_id: points at the session ID. 2133 * sesslen: the length of the session ID. 2134 * psess: (output) on return, if a ticket was decrypted, then this is set to 2135 * point to the resulting session. 2136 * 2137 * Returns: 2138 * -1: fatal error, either from parsing or decrypting the ticket. 2139 * 2: the ticket couldn't be decrypted. 2140 * 3: a ticket was successfully decrypted and *psess was set. 2141 * 4: same as 3, but the ticket needs to be renewed. 2142 */ 2143 static int 2144 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2145 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2146 { 2147 SSL_SESSION *sess; 2148 unsigned char *sdec; 2149 const unsigned char *p; 2150 int slen, mlen, renew_ticket = 0; 2151 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2152 HMAC_CTX hctx; 2153 EVP_CIPHER_CTX ctx; 2154 SSL_CTX *tctx = s->initial_ctx; 2155 /* Need at least keyname + iv + some encrypted data */ 2156 if (eticklen < 48) 2157 return 2; 2158 /* Initialize session ticket encryption and HMAC contexts */ 2159 HMAC_CTX_init(&hctx); 2160 EVP_CIPHER_CTX_init(&ctx); 2161 if (tctx->tlsext_ticket_key_cb) { 2162 unsigned char *nctick = (unsigned char *)etick; 2163 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2164 &ctx, &hctx, 0); 2165 if (rv < 0) { 2166 EVP_CIPHER_CTX_cleanup(&ctx); 2167 return -1; 2168 } 2169 if (rv == 0) { 2170 EVP_CIPHER_CTX_cleanup(&ctx); 2171 return 2; 2172 } 2173 if (rv == 2) 2174 renew_ticket = 1; 2175 } else { 2176 /* Check key name matches */ 2177 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2178 return 2; 2179 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2180 tlsext_tick_md(), NULL); 2181 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2182 tctx->tlsext_tick_aes_key, etick + 16); 2183 } 2184 /* Attempt to process session ticket, first conduct sanity and 2185 * integrity checks on ticket. 2186 */ 2187 mlen = HMAC_size(&hctx); 2188 if (mlen < 0) { 2189 EVP_CIPHER_CTX_cleanup(&ctx); 2190 return -1; 2191 } 2192 eticklen -= mlen; 2193 /* Check HMAC of encrypted ticket */ 2194 HMAC_Update(&hctx, etick, eticklen); 2195 HMAC_Final(&hctx, tick_hmac, NULL); 2196 HMAC_CTX_cleanup(&hctx); 2197 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2198 EVP_CIPHER_CTX_cleanup(&ctx); 2199 return 2; 2200 } 2201 /* Attempt to decrypt session data */ 2202 /* Move p after IV to start of encrypted ticket, update length */ 2203 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2204 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2205 sdec = malloc(eticklen); 2206 if (!sdec) { 2207 EVP_CIPHER_CTX_cleanup(&ctx); 2208 return -1; 2209 } 2210 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2211 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 2212 free(sdec); 2213 EVP_CIPHER_CTX_cleanup(&ctx); 2214 return 2; 2215 } 2216 slen += mlen; 2217 EVP_CIPHER_CTX_cleanup(&ctx); 2218 p = sdec; 2219 2220 sess = d2i_SSL_SESSION(NULL, &p, slen); 2221 free(sdec); 2222 if (sess) { 2223 /* The session ID, if non-empty, is used by some clients to 2224 * detect that the ticket has been accepted. So we copy it to 2225 * the session structure. If it is empty set length to zero 2226 * as required by standard. 2227 */ 2228 if (sesslen) 2229 memcpy(sess->session_id, sess_id, sesslen); 2230 sess->session_id_length = sesslen; 2231 *psess = sess; 2232 if (renew_ticket) 2233 return 4; 2234 else 2235 return 3; 2236 } 2237 ERR_clear_error(); 2238 /* For session parse failure, indicate that we need to send a new 2239 * ticket. */ 2240 return 2; 2241 } 2242 2243 /* Tables to translate from NIDs to TLS v1.2 ids */ 2244 2245 typedef struct { 2246 int nid; 2247 int id; 2248 } tls12_lookup; 2249 2250 static tls12_lookup tls12_md[] = { 2251 {NID_md5, TLSEXT_hash_md5}, 2252 {NID_sha1, TLSEXT_hash_sha1}, 2253 {NID_sha224, TLSEXT_hash_sha224}, 2254 {NID_sha256, TLSEXT_hash_sha256}, 2255 {NID_sha384, TLSEXT_hash_sha384}, 2256 {NID_sha512, TLSEXT_hash_sha512}, 2257 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2258 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2259 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2260 }; 2261 2262 static tls12_lookup tls12_sig[] = { 2263 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2264 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2265 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2266 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2267 }; 2268 2269 static int 2270 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2271 { 2272 size_t i; 2273 for (i = 0; i < tlen; i++) { 2274 if (table[i].nid == nid) 2275 return table[i].id; 2276 } 2277 return -1; 2278 } 2279 2280 int 2281 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2282 { 2283 int sig_id, md_id; 2284 if (!md) 2285 return 0; 2286 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2287 sizeof(tls12_md) / sizeof(tls12_lookup)); 2288 if (md_id == -1) 2289 return 0; 2290 sig_id = tls12_get_sigid(pk); 2291 if (sig_id == -1) 2292 return 0; 2293 p[0] = (unsigned char)md_id; 2294 p[1] = (unsigned char)sig_id; 2295 return 1; 2296 } 2297 2298 int 2299 tls12_get_sigid(const EVP_PKEY *pk) 2300 { 2301 return tls12_find_id(pk->type, tls12_sig, 2302 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2303 } 2304 2305 const EVP_MD * 2306 tls12_get_hash(unsigned char hash_alg) 2307 { 2308 switch (hash_alg) { 2309 case TLSEXT_hash_sha1: 2310 return EVP_sha1(); 2311 case TLSEXT_hash_sha224: 2312 return EVP_sha224(); 2313 case TLSEXT_hash_sha256: 2314 return EVP_sha256(); 2315 case TLSEXT_hash_sha384: 2316 return EVP_sha384(); 2317 case TLSEXT_hash_sha512: 2318 return EVP_sha512(); 2319 #ifndef OPENSSL_NO_GOST 2320 case TLSEXT_hash_gost94: 2321 return EVP_gostr341194(); 2322 case TLSEXT_hash_streebog_256: 2323 return EVP_streebog256(); 2324 case TLSEXT_hash_streebog_512: 2325 return EVP_streebog512(); 2326 #endif 2327 default: 2328 return NULL; 2329 } 2330 } 2331 2332 /* Set preferred digest for each key type */ 2333 2334 int 2335 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2336 { 2337 int idx; 2338 const EVP_MD *md; 2339 CERT *c = s->cert; 2340 CBS cbs; 2341 2342 /* Extension ignored for inappropriate versions */ 2343 if (!SSL_USE_SIGALGS(s)) 2344 return 1; 2345 2346 /* Should never happen */ 2347 if (!c || dsize < 0) 2348 return 0; 2349 2350 CBS_init(&cbs, data, dsize); 2351 2352 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2353 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2354 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2355 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2356 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2357 2358 while (CBS_len(&cbs) > 0) { 2359 uint8_t hash_alg, sig_alg; 2360 2361 if (!CBS_get_u8(&cbs, &hash_alg) || 2362 !CBS_get_u8(&cbs, &sig_alg)) { 2363 /* Should never happen */ 2364 return 0; 2365 } 2366 2367 switch (sig_alg) { 2368 case TLSEXT_signature_rsa: 2369 idx = SSL_PKEY_RSA_SIGN; 2370 break; 2371 case TLSEXT_signature_dsa: 2372 idx = SSL_PKEY_DSA_SIGN; 2373 break; 2374 case TLSEXT_signature_ecdsa: 2375 idx = SSL_PKEY_ECC; 2376 break; 2377 case TLSEXT_signature_gostr01: 2378 case TLSEXT_signature_gostr12_256: 2379 case TLSEXT_signature_gostr12_512: 2380 idx = SSL_PKEY_GOST01; 2381 break; 2382 default: 2383 continue; 2384 } 2385 2386 if (c->pkeys[idx].digest == NULL) { 2387 md = tls12_get_hash(hash_alg); 2388 if (md) { 2389 c->pkeys[idx].digest = md; 2390 if (idx == SSL_PKEY_RSA_SIGN) 2391 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2392 } 2393 } 2394 2395 } 2396 2397 /* Set any remaining keys to default values. NOTE: if alg is not 2398 * supported it stays as NULL. 2399 */ 2400 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2401 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2402 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2403 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2404 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2405 } 2406 if (!c->pkeys[SSL_PKEY_ECC].digest) 2407 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2408 #ifndef OPENSSL_NO_GOST 2409 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2410 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2411 #endif 2412 return 1; 2413 } 2414