1*f5b1c8a1SJohn Marino /* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */ 2*f5b1c8a1SJohn Marino /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3*f5b1c8a1SJohn Marino * All rights reserved. 4*f5b1c8a1SJohn Marino * 5*f5b1c8a1SJohn Marino * This package is an SSL implementation written 6*f5b1c8a1SJohn Marino * by Eric Young (eay@cryptsoft.com). 7*f5b1c8a1SJohn Marino * The implementation was written so as to conform with Netscapes SSL. 8*f5b1c8a1SJohn Marino * 9*f5b1c8a1SJohn Marino * This library is free for commercial and non-commercial use as long as 10*f5b1c8a1SJohn Marino * the following conditions are aheared to. The following conditions 11*f5b1c8a1SJohn Marino * apply to all code found in this distribution, be it the RC4, RSA, 12*f5b1c8a1SJohn Marino * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13*f5b1c8a1SJohn Marino * included with this distribution is covered by the same copyright terms 14*f5b1c8a1SJohn Marino * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15*f5b1c8a1SJohn Marino * 16*f5b1c8a1SJohn Marino * Copyright remains Eric Young's, and as such any Copyright notices in 17*f5b1c8a1SJohn Marino * the code are not to be removed. 18*f5b1c8a1SJohn Marino * If this package is used in a product, Eric Young should be given attribution 19*f5b1c8a1SJohn Marino * as the author of the parts of the library used. 20*f5b1c8a1SJohn Marino * This can be in the form of a textual message at program startup or 21*f5b1c8a1SJohn Marino * in documentation (online or textual) provided with the package. 22*f5b1c8a1SJohn Marino * 23*f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without 24*f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions 25*f5b1c8a1SJohn Marino * are met: 26*f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the copyright 27*f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer. 28*f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright 29*f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in the 30*f5b1c8a1SJohn Marino * documentation and/or other materials provided with the distribution. 31*f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this software 32*f5b1c8a1SJohn Marino * must display the following acknowledgement: 33*f5b1c8a1SJohn Marino * "This product includes cryptographic software written by 34*f5b1c8a1SJohn Marino * Eric Young (eay@cryptsoft.com)" 35*f5b1c8a1SJohn Marino * The word 'cryptographic' can be left out if the rouines from the library 36*f5b1c8a1SJohn Marino * being used are not cryptographic related :-). 37*f5b1c8a1SJohn Marino * 4. If you include any Windows specific code (or a derivative thereof) from 38*f5b1c8a1SJohn Marino * the apps directory (application code) you must include an acknowledgement: 39*f5b1c8a1SJohn Marino * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40*f5b1c8a1SJohn Marino * 41*f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42*f5b1c8a1SJohn Marino * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43*f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44*f5b1c8a1SJohn Marino * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45*f5b1c8a1SJohn Marino * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46*f5b1c8a1SJohn Marino * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47*f5b1c8a1SJohn Marino * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48*f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49*f5b1c8a1SJohn Marino * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50*f5b1c8a1SJohn Marino * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51*f5b1c8a1SJohn Marino * SUCH DAMAGE. 52*f5b1c8a1SJohn Marino * 53*f5b1c8a1SJohn Marino * The licence and distribution terms for any publically available version or 54*f5b1c8a1SJohn Marino * derivative of this code cannot be changed. i.e. this code cannot simply be 55*f5b1c8a1SJohn Marino * copied and put under another distribution licence 56*f5b1c8a1SJohn Marino * [including the GNU Public Licence.] 57*f5b1c8a1SJohn Marino */ 58*f5b1c8a1SJohn Marino /* ==================================================================== 59*f5b1c8a1SJohn Marino * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60*f5b1c8a1SJohn Marino * 61*f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without 62*f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions 63*f5b1c8a1SJohn Marino * are met: 64*f5b1c8a1SJohn Marino * 65*f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the above copyright 66*f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer. 67*f5b1c8a1SJohn Marino * 68*f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright 69*f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in 70*f5b1c8a1SJohn Marino * the documentation and/or other materials provided with the 71*f5b1c8a1SJohn Marino * distribution. 72*f5b1c8a1SJohn Marino * 73*f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this 74*f5b1c8a1SJohn Marino * software must display the following acknowledgment: 75*f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project 76*f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77*f5b1c8a1SJohn Marino * 78*f5b1c8a1SJohn Marino * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79*f5b1c8a1SJohn Marino * endorse or promote products derived from this software without 80*f5b1c8a1SJohn Marino * prior written permission. For written permission, please contact 81*f5b1c8a1SJohn Marino * openssl-core@openssl.org. 82*f5b1c8a1SJohn Marino * 83*f5b1c8a1SJohn Marino * 5. Products derived from this software may not be called "OpenSSL" 84*f5b1c8a1SJohn Marino * nor may "OpenSSL" appear in their names without prior written 85*f5b1c8a1SJohn Marino * permission of the OpenSSL Project. 86*f5b1c8a1SJohn Marino * 87*f5b1c8a1SJohn Marino * 6. Redistributions of any form whatsoever must retain the following 88*f5b1c8a1SJohn Marino * acknowledgment: 89*f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project 90*f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91*f5b1c8a1SJohn Marino * 92*f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93*f5b1c8a1SJohn Marino * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94*f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95*f5b1c8a1SJohn Marino * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96*f5b1c8a1SJohn Marino * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97*f5b1c8a1SJohn Marino * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98*f5b1c8a1SJohn Marino * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99*f5b1c8a1SJohn Marino * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100*f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101*f5b1c8a1SJohn Marino * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102*f5b1c8a1SJohn Marino * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103*f5b1c8a1SJohn Marino * OF THE POSSIBILITY OF SUCH DAMAGE. 104*f5b1c8a1SJohn Marino * ==================================================================== 105*f5b1c8a1SJohn Marino * 106*f5b1c8a1SJohn Marino * This product includes cryptographic software written by Eric Young 107*f5b1c8a1SJohn Marino * (eay@cryptsoft.com). This product includes software written by Tim 108*f5b1c8a1SJohn Marino * Hudson (tjh@cryptsoft.com). 109*f5b1c8a1SJohn Marino * 110*f5b1c8a1SJohn Marino */ 111*f5b1c8a1SJohn Marino 112*f5b1c8a1SJohn Marino #include <stdio.h> 113*f5b1c8a1SJohn Marino 114*f5b1c8a1SJohn Marino #include <openssl/evp.h> 115*f5b1c8a1SJohn Marino #include <openssl/hmac.h> 116*f5b1c8a1SJohn Marino #include <openssl/objects.h> 117*f5b1c8a1SJohn Marino #include <openssl/ocsp.h> 118*f5b1c8a1SJohn Marino 119*f5b1c8a1SJohn Marino #include "ssl_locl.h" 120*f5b1c8a1SJohn Marino #include "bytestring.h" 121*f5b1c8a1SJohn Marino 122*f5b1c8a1SJohn Marino static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123*f5b1c8a1SJohn Marino const unsigned char *sess_id, int sesslen, 124*f5b1c8a1SJohn Marino SSL_SESSION **psess); 125*f5b1c8a1SJohn Marino 126*f5b1c8a1SJohn Marino SSL3_ENC_METHOD TLSv1_enc_data = { 127*f5b1c8a1SJohn Marino .enc = tls1_enc, 128*f5b1c8a1SJohn Marino .mac = tls1_mac, 129*f5b1c8a1SJohn Marino .setup_key_block = tls1_setup_key_block, 130*f5b1c8a1SJohn Marino .generate_master_secret = tls1_generate_master_secret, 131*f5b1c8a1SJohn Marino .change_cipher_state = tls1_change_cipher_state, 132*f5b1c8a1SJohn Marino .final_finish_mac = tls1_final_finish_mac, 133*f5b1c8a1SJohn Marino .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134*f5b1c8a1SJohn Marino .cert_verify_mac = tls1_cert_verify_mac, 135*f5b1c8a1SJohn Marino .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136*f5b1c8a1SJohn Marino .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137*f5b1c8a1SJohn Marino .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138*f5b1c8a1SJohn Marino .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139*f5b1c8a1SJohn Marino .alert_value = tls1_alert_code, 140*f5b1c8a1SJohn Marino .export_keying_material = tls1_export_keying_material, 141*f5b1c8a1SJohn Marino .enc_flags = 0, 142*f5b1c8a1SJohn Marino }; 143*f5b1c8a1SJohn Marino 144*f5b1c8a1SJohn Marino SSL3_ENC_METHOD TLSv1_1_enc_data = { 145*f5b1c8a1SJohn Marino .enc = tls1_enc, 146*f5b1c8a1SJohn Marino .mac = tls1_mac, 147*f5b1c8a1SJohn Marino .setup_key_block = tls1_setup_key_block, 148*f5b1c8a1SJohn Marino .generate_master_secret = tls1_generate_master_secret, 149*f5b1c8a1SJohn Marino .change_cipher_state = tls1_change_cipher_state, 150*f5b1c8a1SJohn Marino .final_finish_mac = tls1_final_finish_mac, 151*f5b1c8a1SJohn Marino .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152*f5b1c8a1SJohn Marino .cert_verify_mac = tls1_cert_verify_mac, 153*f5b1c8a1SJohn Marino .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154*f5b1c8a1SJohn Marino .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155*f5b1c8a1SJohn Marino .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156*f5b1c8a1SJohn Marino .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157*f5b1c8a1SJohn Marino .alert_value = tls1_alert_code, 158*f5b1c8a1SJohn Marino .export_keying_material = tls1_export_keying_material, 159*f5b1c8a1SJohn Marino .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160*f5b1c8a1SJohn Marino }; 161*f5b1c8a1SJohn Marino 162*f5b1c8a1SJohn Marino SSL3_ENC_METHOD TLSv1_2_enc_data = { 163*f5b1c8a1SJohn Marino .enc = tls1_enc, 164*f5b1c8a1SJohn Marino .mac = tls1_mac, 165*f5b1c8a1SJohn Marino .setup_key_block = tls1_setup_key_block, 166*f5b1c8a1SJohn Marino .generate_master_secret = tls1_generate_master_secret, 167*f5b1c8a1SJohn Marino .change_cipher_state = tls1_change_cipher_state, 168*f5b1c8a1SJohn Marino .final_finish_mac = tls1_final_finish_mac, 169*f5b1c8a1SJohn Marino .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170*f5b1c8a1SJohn Marino .cert_verify_mac = tls1_cert_verify_mac, 171*f5b1c8a1SJohn Marino .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172*f5b1c8a1SJohn Marino .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173*f5b1c8a1SJohn Marino .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174*f5b1c8a1SJohn Marino .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175*f5b1c8a1SJohn Marino .alert_value = tls1_alert_code, 176*f5b1c8a1SJohn Marino .export_keying_material = tls1_export_keying_material, 177*f5b1c8a1SJohn Marino .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178*f5b1c8a1SJohn Marino SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179*f5b1c8a1SJohn Marino }; 180*f5b1c8a1SJohn Marino 181*f5b1c8a1SJohn Marino long 182*f5b1c8a1SJohn Marino tls1_default_timeout(void) 183*f5b1c8a1SJohn Marino { 184*f5b1c8a1SJohn Marino /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185*f5b1c8a1SJohn Marino * is way too long for http, the cache would over fill */ 186*f5b1c8a1SJohn Marino return (60 * 60 * 2); 187*f5b1c8a1SJohn Marino } 188*f5b1c8a1SJohn Marino 189*f5b1c8a1SJohn Marino int 190*f5b1c8a1SJohn Marino tls1_new(SSL *s) 191*f5b1c8a1SJohn Marino { 192*f5b1c8a1SJohn Marino if (!ssl3_new(s)) 193*f5b1c8a1SJohn Marino return (0); 194*f5b1c8a1SJohn Marino s->method->ssl_clear(s); 195*f5b1c8a1SJohn Marino return (1); 196*f5b1c8a1SJohn Marino } 197*f5b1c8a1SJohn Marino 198*f5b1c8a1SJohn Marino void 199*f5b1c8a1SJohn Marino tls1_free(SSL *s) 200*f5b1c8a1SJohn Marino { 201*f5b1c8a1SJohn Marino if (s == NULL) 202*f5b1c8a1SJohn Marino return; 203*f5b1c8a1SJohn Marino 204*f5b1c8a1SJohn Marino free(s->tlsext_session_ticket); 205*f5b1c8a1SJohn Marino ssl3_free(s); 206*f5b1c8a1SJohn Marino } 207*f5b1c8a1SJohn Marino 208*f5b1c8a1SJohn Marino void 209*f5b1c8a1SJohn Marino tls1_clear(SSL *s) 210*f5b1c8a1SJohn Marino { 211*f5b1c8a1SJohn Marino ssl3_clear(s); 212*f5b1c8a1SJohn Marino s->version = s->method->version; 213*f5b1c8a1SJohn Marino } 214*f5b1c8a1SJohn Marino 215*f5b1c8a1SJohn Marino 216*f5b1c8a1SJohn Marino static int nid_list[] = { 217*f5b1c8a1SJohn Marino NID_sect163k1, /* sect163k1 (1) */ 218*f5b1c8a1SJohn Marino NID_sect163r1, /* sect163r1 (2) */ 219*f5b1c8a1SJohn Marino NID_sect163r2, /* sect163r2 (3) */ 220*f5b1c8a1SJohn Marino NID_sect193r1, /* sect193r1 (4) */ 221*f5b1c8a1SJohn Marino NID_sect193r2, /* sect193r2 (5) */ 222*f5b1c8a1SJohn Marino NID_sect233k1, /* sect233k1 (6) */ 223*f5b1c8a1SJohn Marino NID_sect233r1, /* sect233r1 (7) */ 224*f5b1c8a1SJohn Marino NID_sect239k1, /* sect239k1 (8) */ 225*f5b1c8a1SJohn Marino NID_sect283k1, /* sect283k1 (9) */ 226*f5b1c8a1SJohn Marino NID_sect283r1, /* sect283r1 (10) */ 227*f5b1c8a1SJohn Marino NID_sect409k1, /* sect409k1 (11) */ 228*f5b1c8a1SJohn Marino NID_sect409r1, /* sect409r1 (12) */ 229*f5b1c8a1SJohn Marino NID_sect571k1, /* sect571k1 (13) */ 230*f5b1c8a1SJohn Marino NID_sect571r1, /* sect571r1 (14) */ 231*f5b1c8a1SJohn Marino NID_secp160k1, /* secp160k1 (15) */ 232*f5b1c8a1SJohn Marino NID_secp160r1, /* secp160r1 (16) */ 233*f5b1c8a1SJohn Marino NID_secp160r2, /* secp160r2 (17) */ 234*f5b1c8a1SJohn Marino NID_secp192k1, /* secp192k1 (18) */ 235*f5b1c8a1SJohn Marino NID_X9_62_prime192v1, /* secp192r1 (19) */ 236*f5b1c8a1SJohn Marino NID_secp224k1, /* secp224k1 (20) */ 237*f5b1c8a1SJohn Marino NID_secp224r1, /* secp224r1 (21) */ 238*f5b1c8a1SJohn Marino NID_secp256k1, /* secp256k1 (22) */ 239*f5b1c8a1SJohn Marino NID_X9_62_prime256v1, /* secp256r1 (23) */ 240*f5b1c8a1SJohn Marino NID_secp384r1, /* secp384r1 (24) */ 241*f5b1c8a1SJohn Marino NID_secp521r1, /* secp521r1 (25) */ 242*f5b1c8a1SJohn Marino NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243*f5b1c8a1SJohn Marino NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244*f5b1c8a1SJohn Marino NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245*f5b1c8a1SJohn Marino }; 246*f5b1c8a1SJohn Marino 247*f5b1c8a1SJohn Marino static const uint8_t ecformats_default[] = { 248*f5b1c8a1SJohn Marino TLSEXT_ECPOINTFORMAT_uncompressed, 249*f5b1c8a1SJohn Marino TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250*f5b1c8a1SJohn Marino TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251*f5b1c8a1SJohn Marino }; 252*f5b1c8a1SJohn Marino 253*f5b1c8a1SJohn Marino static const uint16_t eccurves_default[] = { 254*f5b1c8a1SJohn Marino 14, /* sect571r1 (14) */ 255*f5b1c8a1SJohn Marino 13, /* sect571k1 (13) */ 256*f5b1c8a1SJohn Marino 25, /* secp521r1 (25) */ 257*f5b1c8a1SJohn Marino 28, /* brainpool512r1 (28) */ 258*f5b1c8a1SJohn Marino 11, /* sect409k1 (11) */ 259*f5b1c8a1SJohn Marino 12, /* sect409r1 (12) */ 260*f5b1c8a1SJohn Marino 27, /* brainpoolP384r1 (27) */ 261*f5b1c8a1SJohn Marino 24, /* secp384r1 (24) */ 262*f5b1c8a1SJohn Marino 9, /* sect283k1 (9) */ 263*f5b1c8a1SJohn Marino 10, /* sect283r1 (10) */ 264*f5b1c8a1SJohn Marino 26, /* brainpoolP256r1 (26) */ 265*f5b1c8a1SJohn Marino 22, /* secp256k1 (22) */ 266*f5b1c8a1SJohn Marino 23, /* secp256r1 (23) */ 267*f5b1c8a1SJohn Marino 8, /* sect239k1 (8) */ 268*f5b1c8a1SJohn Marino 6, /* sect233k1 (6) */ 269*f5b1c8a1SJohn Marino 7, /* sect233r1 (7) */ 270*f5b1c8a1SJohn Marino 20, /* secp224k1 (20) */ 271*f5b1c8a1SJohn Marino 21, /* secp224r1 (21) */ 272*f5b1c8a1SJohn Marino 4, /* sect193r1 (4) */ 273*f5b1c8a1SJohn Marino 5, /* sect193r2 (5) */ 274*f5b1c8a1SJohn Marino 18, /* secp192k1 (18) */ 275*f5b1c8a1SJohn Marino 19, /* secp192r1 (19) */ 276*f5b1c8a1SJohn Marino 1, /* sect163k1 (1) */ 277*f5b1c8a1SJohn Marino 2, /* sect163r1 (2) */ 278*f5b1c8a1SJohn Marino 3, /* sect163r2 (3) */ 279*f5b1c8a1SJohn Marino 15, /* secp160k1 (15) */ 280*f5b1c8a1SJohn Marino 16, /* secp160r1 (16) */ 281*f5b1c8a1SJohn Marino 17, /* secp160r2 (17) */ 282*f5b1c8a1SJohn Marino }; 283*f5b1c8a1SJohn Marino 284*f5b1c8a1SJohn Marino int 285*f5b1c8a1SJohn Marino tls1_ec_curve_id2nid(uint16_t curve_id) 286*f5b1c8a1SJohn Marino { 287*f5b1c8a1SJohn Marino /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288*f5b1c8a1SJohn Marino if ((curve_id < 1) || 289*f5b1c8a1SJohn Marino ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290*f5b1c8a1SJohn Marino return 0; 291*f5b1c8a1SJohn Marino return nid_list[curve_id - 1]; 292*f5b1c8a1SJohn Marino } 293*f5b1c8a1SJohn Marino 294*f5b1c8a1SJohn Marino uint16_t 295*f5b1c8a1SJohn Marino tls1_ec_nid2curve_id(int nid) 296*f5b1c8a1SJohn Marino { 297*f5b1c8a1SJohn Marino /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298*f5b1c8a1SJohn Marino switch (nid) { 299*f5b1c8a1SJohn Marino case NID_sect163k1: /* sect163k1 (1) */ 300*f5b1c8a1SJohn Marino return 1; 301*f5b1c8a1SJohn Marino case NID_sect163r1: /* sect163r1 (2) */ 302*f5b1c8a1SJohn Marino return 2; 303*f5b1c8a1SJohn Marino case NID_sect163r2: /* sect163r2 (3) */ 304*f5b1c8a1SJohn Marino return 3; 305*f5b1c8a1SJohn Marino case NID_sect193r1: /* sect193r1 (4) */ 306*f5b1c8a1SJohn Marino return 4; 307*f5b1c8a1SJohn Marino case NID_sect193r2: /* sect193r2 (5) */ 308*f5b1c8a1SJohn Marino return 5; 309*f5b1c8a1SJohn Marino case NID_sect233k1: /* sect233k1 (6) */ 310*f5b1c8a1SJohn Marino return 6; 311*f5b1c8a1SJohn Marino case NID_sect233r1: /* sect233r1 (7) */ 312*f5b1c8a1SJohn Marino return 7; 313*f5b1c8a1SJohn Marino case NID_sect239k1: /* sect239k1 (8) */ 314*f5b1c8a1SJohn Marino return 8; 315*f5b1c8a1SJohn Marino case NID_sect283k1: /* sect283k1 (9) */ 316*f5b1c8a1SJohn Marino return 9; 317*f5b1c8a1SJohn Marino case NID_sect283r1: /* sect283r1 (10) */ 318*f5b1c8a1SJohn Marino return 10; 319*f5b1c8a1SJohn Marino case NID_sect409k1: /* sect409k1 (11) */ 320*f5b1c8a1SJohn Marino return 11; 321*f5b1c8a1SJohn Marino case NID_sect409r1: /* sect409r1 (12) */ 322*f5b1c8a1SJohn Marino return 12; 323*f5b1c8a1SJohn Marino case NID_sect571k1: /* sect571k1 (13) */ 324*f5b1c8a1SJohn Marino return 13; 325*f5b1c8a1SJohn Marino case NID_sect571r1: /* sect571r1 (14) */ 326*f5b1c8a1SJohn Marino return 14; 327*f5b1c8a1SJohn Marino case NID_secp160k1: /* secp160k1 (15) */ 328*f5b1c8a1SJohn Marino return 15; 329*f5b1c8a1SJohn Marino case NID_secp160r1: /* secp160r1 (16) */ 330*f5b1c8a1SJohn Marino return 16; 331*f5b1c8a1SJohn Marino case NID_secp160r2: /* secp160r2 (17) */ 332*f5b1c8a1SJohn Marino return 17; 333*f5b1c8a1SJohn Marino case NID_secp192k1: /* secp192k1 (18) */ 334*f5b1c8a1SJohn Marino return 18; 335*f5b1c8a1SJohn Marino case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336*f5b1c8a1SJohn Marino return 19; 337*f5b1c8a1SJohn Marino case NID_secp224k1: /* secp224k1 (20) */ 338*f5b1c8a1SJohn Marino return 20; 339*f5b1c8a1SJohn Marino case NID_secp224r1: /* secp224r1 (21) */ 340*f5b1c8a1SJohn Marino return 21; 341*f5b1c8a1SJohn Marino case NID_secp256k1: /* secp256k1 (22) */ 342*f5b1c8a1SJohn Marino return 22; 343*f5b1c8a1SJohn Marino case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344*f5b1c8a1SJohn Marino return 23; 345*f5b1c8a1SJohn Marino case NID_secp384r1: /* secp384r1 (24) */ 346*f5b1c8a1SJohn Marino return 24; 347*f5b1c8a1SJohn Marino case NID_secp521r1: /* secp521r1 (25) */ 348*f5b1c8a1SJohn Marino return 25; 349*f5b1c8a1SJohn Marino case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350*f5b1c8a1SJohn Marino return 26; 351*f5b1c8a1SJohn Marino case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352*f5b1c8a1SJohn Marino return 27; 353*f5b1c8a1SJohn Marino case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354*f5b1c8a1SJohn Marino return 28; 355*f5b1c8a1SJohn Marino default: 356*f5b1c8a1SJohn Marino return 0; 357*f5b1c8a1SJohn Marino } 358*f5b1c8a1SJohn Marino } 359*f5b1c8a1SJohn Marino 360*f5b1c8a1SJohn Marino /* 361*f5b1c8a1SJohn Marino * Return the appropriate format list. If client_formats is non-zero, return 362*f5b1c8a1SJohn Marino * the client/session formats. Otherwise return the custom format list if one 363*f5b1c8a1SJohn Marino * exists, or the default formats if a custom list has not been specified. 364*f5b1c8a1SJohn Marino */ 365*f5b1c8a1SJohn Marino static void 366*f5b1c8a1SJohn Marino tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367*f5b1c8a1SJohn Marino size_t *pformatslen) 368*f5b1c8a1SJohn Marino { 369*f5b1c8a1SJohn Marino if (client_formats != 0) { 370*f5b1c8a1SJohn Marino *pformats = s->session->tlsext_ecpointformatlist; 371*f5b1c8a1SJohn Marino *pformatslen = s->session->tlsext_ecpointformatlist_length; 372*f5b1c8a1SJohn Marino return; 373*f5b1c8a1SJohn Marino } 374*f5b1c8a1SJohn Marino 375*f5b1c8a1SJohn Marino *pformats = s->tlsext_ecpointformatlist; 376*f5b1c8a1SJohn Marino *pformatslen = s->tlsext_ecpointformatlist_length; 377*f5b1c8a1SJohn Marino if (*pformats == NULL) { 378*f5b1c8a1SJohn Marino *pformats = ecformats_default; 379*f5b1c8a1SJohn Marino *pformatslen = sizeof(ecformats_default); 380*f5b1c8a1SJohn Marino } 381*f5b1c8a1SJohn Marino } 382*f5b1c8a1SJohn Marino 383*f5b1c8a1SJohn Marino /* 384*f5b1c8a1SJohn Marino * Return the appropriate curve list. If client_curves is non-zero, return 385*f5b1c8a1SJohn Marino * the client/session curves. Otherwise return the custom curve list if one 386*f5b1c8a1SJohn Marino * exists, or the default curves if a custom list has not been specified. 387*f5b1c8a1SJohn Marino */ 388*f5b1c8a1SJohn Marino static void 389*f5b1c8a1SJohn Marino tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390*f5b1c8a1SJohn Marino size_t *pcurveslen) 391*f5b1c8a1SJohn Marino { 392*f5b1c8a1SJohn Marino if (client_curves != 0) { 393*f5b1c8a1SJohn Marino *pcurves = s->session->tlsext_ellipticcurvelist; 394*f5b1c8a1SJohn Marino *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395*f5b1c8a1SJohn Marino return; 396*f5b1c8a1SJohn Marino } 397*f5b1c8a1SJohn Marino 398*f5b1c8a1SJohn Marino *pcurves = s->tlsext_ellipticcurvelist; 399*f5b1c8a1SJohn Marino *pcurveslen = s->tlsext_ellipticcurvelist_length; 400*f5b1c8a1SJohn Marino if (*pcurves == NULL) { 401*f5b1c8a1SJohn Marino *pcurves = eccurves_default; 402*f5b1c8a1SJohn Marino *pcurveslen = sizeof(eccurves_default) / 2; 403*f5b1c8a1SJohn Marino } 404*f5b1c8a1SJohn Marino } 405*f5b1c8a1SJohn Marino 406*f5b1c8a1SJohn Marino /* Check that a curve is one of our preferences. */ 407*f5b1c8a1SJohn Marino int 408*f5b1c8a1SJohn Marino tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409*f5b1c8a1SJohn Marino { 410*f5b1c8a1SJohn Marino CBS cbs; 411*f5b1c8a1SJohn Marino const uint16_t *curves; 412*f5b1c8a1SJohn Marino size_t curveslen, i; 413*f5b1c8a1SJohn Marino uint8_t type; 414*f5b1c8a1SJohn Marino uint16_t cid; 415*f5b1c8a1SJohn Marino 416*f5b1c8a1SJohn Marino CBS_init(&cbs, p, len); 417*f5b1c8a1SJohn Marino 418*f5b1c8a1SJohn Marino /* Only named curves are supported. */ 419*f5b1c8a1SJohn Marino if (CBS_len(&cbs) != 3 || 420*f5b1c8a1SJohn Marino !CBS_get_u8(&cbs, &type) || 421*f5b1c8a1SJohn Marino type != NAMED_CURVE_TYPE || 422*f5b1c8a1SJohn Marino !CBS_get_u16(&cbs, &cid)) 423*f5b1c8a1SJohn Marino return (0); 424*f5b1c8a1SJohn Marino 425*f5b1c8a1SJohn Marino tls1_get_curvelist(s, 0, &curves, &curveslen); 426*f5b1c8a1SJohn Marino 427*f5b1c8a1SJohn Marino for (i = 0; i < curveslen; i++) { 428*f5b1c8a1SJohn Marino if (curves[i] == cid) 429*f5b1c8a1SJohn Marino return (1); 430*f5b1c8a1SJohn Marino } 431*f5b1c8a1SJohn Marino return (0); 432*f5b1c8a1SJohn Marino } 433*f5b1c8a1SJohn Marino 434*f5b1c8a1SJohn Marino int 435*f5b1c8a1SJohn Marino tls1_get_shared_curve(SSL *s) 436*f5b1c8a1SJohn Marino { 437*f5b1c8a1SJohn Marino size_t preflen, supplen, i, j; 438*f5b1c8a1SJohn Marino const uint16_t *pref, *supp; 439*f5b1c8a1SJohn Marino unsigned long server_pref; 440*f5b1c8a1SJohn Marino 441*f5b1c8a1SJohn Marino /* Cannot do anything on the client side. */ 442*f5b1c8a1SJohn Marino if (s->server == 0) 443*f5b1c8a1SJohn Marino return (NID_undef); 444*f5b1c8a1SJohn Marino 445*f5b1c8a1SJohn Marino /* Return first preference shared curve. */ 446*f5b1c8a1SJohn Marino server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447*f5b1c8a1SJohn Marino tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448*f5b1c8a1SJohn Marino tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449*f5b1c8a1SJohn Marino 450*f5b1c8a1SJohn Marino for (i = 0; i < preflen; i++) { 451*f5b1c8a1SJohn Marino for (j = 0; j < supplen; j++) { 452*f5b1c8a1SJohn Marino if (pref[i] == supp[j]) 453*f5b1c8a1SJohn Marino return (tls1_ec_curve_id2nid(pref[i])); 454*f5b1c8a1SJohn Marino } 455*f5b1c8a1SJohn Marino } 456*f5b1c8a1SJohn Marino return (NID_undef); 457*f5b1c8a1SJohn Marino } 458*f5b1c8a1SJohn Marino 459*f5b1c8a1SJohn Marino /* For an EC key set TLS ID and required compression based on parameters. */ 460*f5b1c8a1SJohn Marino static int 461*f5b1c8a1SJohn Marino tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462*f5b1c8a1SJohn Marino { 463*f5b1c8a1SJohn Marino const EC_GROUP *grp; 464*f5b1c8a1SJohn Marino const EC_METHOD *meth; 465*f5b1c8a1SJohn Marino int is_prime = 0; 466*f5b1c8a1SJohn Marino int nid, id; 467*f5b1c8a1SJohn Marino 468*f5b1c8a1SJohn Marino if (ec == NULL) 469*f5b1c8a1SJohn Marino return (0); 470*f5b1c8a1SJohn Marino 471*f5b1c8a1SJohn Marino /* Determine if it is a prime field. */ 472*f5b1c8a1SJohn Marino if ((grp = EC_KEY_get0_group(ec)) == NULL) 473*f5b1c8a1SJohn Marino return (0); 474*f5b1c8a1SJohn Marino if ((meth = EC_GROUP_method_of(grp)) == NULL) 475*f5b1c8a1SJohn Marino return (0); 476*f5b1c8a1SJohn Marino if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477*f5b1c8a1SJohn Marino is_prime = 1; 478*f5b1c8a1SJohn Marino 479*f5b1c8a1SJohn Marino /* Determine curve ID. */ 480*f5b1c8a1SJohn Marino nid = EC_GROUP_get_curve_name(grp); 481*f5b1c8a1SJohn Marino id = tls1_ec_nid2curve_id(nid); 482*f5b1c8a1SJohn Marino 483*f5b1c8a1SJohn Marino /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484*f5b1c8a1SJohn Marino if (id != 0) 485*f5b1c8a1SJohn Marino *curve_id = id; 486*f5b1c8a1SJohn Marino else 487*f5b1c8a1SJohn Marino *curve_id = is_prime ? 0xff01 : 0xff02; 488*f5b1c8a1SJohn Marino 489*f5b1c8a1SJohn Marino /* Specify the compression identifier. */ 490*f5b1c8a1SJohn Marino if (comp_id != NULL) { 491*f5b1c8a1SJohn Marino if (EC_KEY_get0_public_key(ec) == NULL) 492*f5b1c8a1SJohn Marino return (0); 493*f5b1c8a1SJohn Marino 494*f5b1c8a1SJohn Marino if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495*f5b1c8a1SJohn Marino *comp_id = is_prime ? 496*f5b1c8a1SJohn Marino TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497*f5b1c8a1SJohn Marino TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498*f5b1c8a1SJohn Marino } else { 499*f5b1c8a1SJohn Marino *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500*f5b1c8a1SJohn Marino } 501*f5b1c8a1SJohn Marino } 502*f5b1c8a1SJohn Marino return (1); 503*f5b1c8a1SJohn Marino } 504*f5b1c8a1SJohn Marino 505*f5b1c8a1SJohn Marino /* Check that an EC key is compatible with extensions. */ 506*f5b1c8a1SJohn Marino static int 507*f5b1c8a1SJohn Marino tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508*f5b1c8a1SJohn Marino { 509*f5b1c8a1SJohn Marino size_t curveslen, formatslen, i; 510*f5b1c8a1SJohn Marino const uint16_t *curves; 511*f5b1c8a1SJohn Marino const uint8_t *formats; 512*f5b1c8a1SJohn Marino 513*f5b1c8a1SJohn Marino /* 514*f5b1c8a1SJohn Marino * Check point formats extension if present, otherwise everything 515*f5b1c8a1SJohn Marino * is supported (see RFC4492). 516*f5b1c8a1SJohn Marino */ 517*f5b1c8a1SJohn Marino tls1_get_formatlist(s, 1, &formats, &formatslen); 518*f5b1c8a1SJohn Marino if (comp_id != NULL && formats != NULL) { 519*f5b1c8a1SJohn Marino for (i = 0; i < formatslen; i++) { 520*f5b1c8a1SJohn Marino if (formats[i] == *comp_id) 521*f5b1c8a1SJohn Marino break; 522*f5b1c8a1SJohn Marino } 523*f5b1c8a1SJohn Marino if (i == formatslen) 524*f5b1c8a1SJohn Marino return (0); 525*f5b1c8a1SJohn Marino } 526*f5b1c8a1SJohn Marino 527*f5b1c8a1SJohn Marino /* 528*f5b1c8a1SJohn Marino * Check curve list if present, otherwise everything is supported. 529*f5b1c8a1SJohn Marino */ 530*f5b1c8a1SJohn Marino tls1_get_curvelist(s, 1, &curves, &curveslen); 531*f5b1c8a1SJohn Marino if (curve_id != NULL && curves != NULL) { 532*f5b1c8a1SJohn Marino for (i = 0; i < curveslen; i++) { 533*f5b1c8a1SJohn Marino if (curves[i] == *curve_id) 534*f5b1c8a1SJohn Marino break; 535*f5b1c8a1SJohn Marino } 536*f5b1c8a1SJohn Marino if (i == curveslen) 537*f5b1c8a1SJohn Marino return (0); 538*f5b1c8a1SJohn Marino } 539*f5b1c8a1SJohn Marino 540*f5b1c8a1SJohn Marino return (1); 541*f5b1c8a1SJohn Marino } 542*f5b1c8a1SJohn Marino 543*f5b1c8a1SJohn Marino /* Check EC server key is compatible with client extensions. */ 544*f5b1c8a1SJohn Marino int 545*f5b1c8a1SJohn Marino tls1_check_ec_server_key(SSL *s) 546*f5b1c8a1SJohn Marino { 547*f5b1c8a1SJohn Marino CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548*f5b1c8a1SJohn Marino uint16_t curve_id; 549*f5b1c8a1SJohn Marino uint8_t comp_id; 550*f5b1c8a1SJohn Marino EVP_PKEY *pkey; 551*f5b1c8a1SJohn Marino int rv; 552*f5b1c8a1SJohn Marino 553*f5b1c8a1SJohn Marino if (cpk->x509 == NULL || cpk->privatekey == NULL) 554*f5b1c8a1SJohn Marino return (0); 555*f5b1c8a1SJohn Marino if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556*f5b1c8a1SJohn Marino return (0); 557*f5b1c8a1SJohn Marino rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558*f5b1c8a1SJohn Marino EVP_PKEY_free(pkey); 559*f5b1c8a1SJohn Marino if (rv != 1) 560*f5b1c8a1SJohn Marino return (0); 561*f5b1c8a1SJohn Marino 562*f5b1c8a1SJohn Marino return tls1_check_ec_key(s, &curve_id, &comp_id); 563*f5b1c8a1SJohn Marino } 564*f5b1c8a1SJohn Marino 565*f5b1c8a1SJohn Marino /* Check EC temporary key is compatible with client extensions. */ 566*f5b1c8a1SJohn Marino int 567*f5b1c8a1SJohn Marino tls1_check_ec_tmp_key(SSL *s) 568*f5b1c8a1SJohn Marino { 569*f5b1c8a1SJohn Marino EC_KEY *ec = s->cert->ecdh_tmp; 570*f5b1c8a1SJohn Marino uint16_t curve_id; 571*f5b1c8a1SJohn Marino 572*f5b1c8a1SJohn Marino if (s->cert->ecdh_tmp_auto != 0) { 573*f5b1c8a1SJohn Marino /* Need a shared curve. */ 574*f5b1c8a1SJohn Marino if (tls1_get_shared_curve(s) != NID_undef) 575*f5b1c8a1SJohn Marino return (1); 576*f5b1c8a1SJohn Marino return (0); 577*f5b1c8a1SJohn Marino } 578*f5b1c8a1SJohn Marino 579*f5b1c8a1SJohn Marino if (ec == NULL) { 580*f5b1c8a1SJohn Marino if (s->cert->ecdh_tmp_cb != NULL) 581*f5b1c8a1SJohn Marino return (1); 582*f5b1c8a1SJohn Marino return (0); 583*f5b1c8a1SJohn Marino } 584*f5b1c8a1SJohn Marino if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585*f5b1c8a1SJohn Marino return (0); 586*f5b1c8a1SJohn Marino 587*f5b1c8a1SJohn Marino return tls1_check_ec_key(s, &curve_id, NULL); 588*f5b1c8a1SJohn Marino } 589*f5b1c8a1SJohn Marino 590*f5b1c8a1SJohn Marino /* 591*f5b1c8a1SJohn Marino * List of supported signature algorithms and hashes. Should make this 592*f5b1c8a1SJohn Marino * customisable at some point, for now include everything we support. 593*f5b1c8a1SJohn Marino */ 594*f5b1c8a1SJohn Marino 595*f5b1c8a1SJohn Marino static unsigned char tls12_sigalgs[] = { 596*f5b1c8a1SJohn Marino TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597*f5b1c8a1SJohn Marino TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598*f5b1c8a1SJohn Marino TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_GOST 600*f5b1c8a1SJohn Marino TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601*f5b1c8a1SJohn Marino #endif 602*f5b1c8a1SJohn Marino 603*f5b1c8a1SJohn Marino TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604*f5b1c8a1SJohn Marino TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605*f5b1c8a1SJohn Marino TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606*f5b1c8a1SJohn Marino 607*f5b1c8a1SJohn Marino TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608*f5b1c8a1SJohn Marino TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609*f5b1c8a1SJohn Marino TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610*f5b1c8a1SJohn Marino 611*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_GOST 612*f5b1c8a1SJohn Marino TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613*f5b1c8a1SJohn Marino TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614*f5b1c8a1SJohn Marino #endif 615*f5b1c8a1SJohn Marino 616*f5b1c8a1SJohn Marino TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617*f5b1c8a1SJohn Marino TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618*f5b1c8a1SJohn Marino TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619*f5b1c8a1SJohn Marino 620*f5b1c8a1SJohn Marino TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621*f5b1c8a1SJohn Marino TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622*f5b1c8a1SJohn Marino TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623*f5b1c8a1SJohn Marino }; 624*f5b1c8a1SJohn Marino 625*f5b1c8a1SJohn Marino int 626*f5b1c8a1SJohn Marino tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627*f5b1c8a1SJohn Marino { 628*f5b1c8a1SJohn Marino size_t slen = sizeof(tls12_sigalgs); 629*f5b1c8a1SJohn Marino 630*f5b1c8a1SJohn Marino if (p) 631*f5b1c8a1SJohn Marino memcpy(p, tls12_sigalgs, slen); 632*f5b1c8a1SJohn Marino return (int)slen; 633*f5b1c8a1SJohn Marino } 634*f5b1c8a1SJohn Marino 635*f5b1c8a1SJohn Marino unsigned char * 636*f5b1c8a1SJohn Marino ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637*f5b1c8a1SJohn Marino { 638*f5b1c8a1SJohn Marino int extdatalen = 0; 639*f5b1c8a1SJohn Marino unsigned char *ret = p; 640*f5b1c8a1SJohn Marino int using_ecc = 0; 641*f5b1c8a1SJohn Marino 642*f5b1c8a1SJohn Marino /* See if we support any ECC ciphersuites. */ 643*f5b1c8a1SJohn Marino if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644*f5b1c8a1SJohn Marino STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645*f5b1c8a1SJohn Marino unsigned long alg_k, alg_a; 646*f5b1c8a1SJohn Marino int i; 647*f5b1c8a1SJohn Marino 648*f5b1c8a1SJohn Marino for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649*f5b1c8a1SJohn Marino SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650*f5b1c8a1SJohn Marino 651*f5b1c8a1SJohn Marino alg_k = c->algorithm_mkey; 652*f5b1c8a1SJohn Marino alg_a = c->algorithm_auth; 653*f5b1c8a1SJohn Marino 654*f5b1c8a1SJohn Marino if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655*f5b1c8a1SJohn Marino (alg_a & SSL_aECDSA))) { 656*f5b1c8a1SJohn Marino using_ecc = 1; 657*f5b1c8a1SJohn Marino break; 658*f5b1c8a1SJohn Marino } 659*f5b1c8a1SJohn Marino } 660*f5b1c8a1SJohn Marino } 661*f5b1c8a1SJohn Marino 662*f5b1c8a1SJohn Marino ret += 2; 663*f5b1c8a1SJohn Marino 664*f5b1c8a1SJohn Marino if (ret >= limit) 665*f5b1c8a1SJohn Marino return NULL; /* this really never occurs, but ... */ 666*f5b1c8a1SJohn Marino 667*f5b1c8a1SJohn Marino if (s->tlsext_hostname != NULL) { 668*f5b1c8a1SJohn Marino /* Add TLS extension servername to the Client Hello message */ 669*f5b1c8a1SJohn Marino size_t size_str, lenmax; 670*f5b1c8a1SJohn Marino 671*f5b1c8a1SJohn Marino /* check for enough space. 672*f5b1c8a1SJohn Marino 4 for the servername type and extension length 673*f5b1c8a1SJohn Marino 2 for servernamelist length 674*f5b1c8a1SJohn Marino 1 for the hostname type 675*f5b1c8a1SJohn Marino 2 for hostname length 676*f5b1c8a1SJohn Marino + hostname length 677*f5b1c8a1SJohn Marino */ 678*f5b1c8a1SJohn Marino 679*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 9) 680*f5b1c8a1SJohn Marino return NULL; 681*f5b1c8a1SJohn Marino 682*f5b1c8a1SJohn Marino lenmax = limit - ret - 9; 683*f5b1c8a1SJohn Marino if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 684*f5b1c8a1SJohn Marino return NULL; 685*f5b1c8a1SJohn Marino 686*f5b1c8a1SJohn Marino /* extension type and length */ 687*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_server_name, ret); 688*f5b1c8a1SJohn Marino 689*f5b1c8a1SJohn Marino s2n(size_str + 5, ret); 690*f5b1c8a1SJohn Marino 691*f5b1c8a1SJohn Marino /* length of servername list */ 692*f5b1c8a1SJohn Marino s2n(size_str + 3, ret); 693*f5b1c8a1SJohn Marino 694*f5b1c8a1SJohn Marino /* hostname type, length and hostname */ 695*f5b1c8a1SJohn Marino *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 696*f5b1c8a1SJohn Marino s2n(size_str, ret); 697*f5b1c8a1SJohn Marino memcpy(ret, s->tlsext_hostname, size_str); 698*f5b1c8a1SJohn Marino ret += size_str; 699*f5b1c8a1SJohn Marino } 700*f5b1c8a1SJohn Marino 701*f5b1c8a1SJohn Marino /* Add RI if renegotiating */ 702*f5b1c8a1SJohn Marino if (s->renegotiate) { 703*f5b1c8a1SJohn Marino int el; 704*f5b1c8a1SJohn Marino 705*f5b1c8a1SJohn Marino if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 706*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 707*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 708*f5b1c8a1SJohn Marino return NULL; 709*f5b1c8a1SJohn Marino } 710*f5b1c8a1SJohn Marino 711*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + el) 712*f5b1c8a1SJohn Marino return NULL; 713*f5b1c8a1SJohn Marino 714*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_renegotiate, ret); 715*f5b1c8a1SJohn Marino s2n(el, ret); 716*f5b1c8a1SJohn Marino 717*f5b1c8a1SJohn Marino if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 718*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 719*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 720*f5b1c8a1SJohn Marino return NULL; 721*f5b1c8a1SJohn Marino } 722*f5b1c8a1SJohn Marino 723*f5b1c8a1SJohn Marino ret += el; 724*f5b1c8a1SJohn Marino } 725*f5b1c8a1SJohn Marino 726*f5b1c8a1SJohn Marino if (using_ecc) { 727*f5b1c8a1SJohn Marino size_t curveslen, formatslen, lenmax; 728*f5b1c8a1SJohn Marino const uint16_t *curves; 729*f5b1c8a1SJohn Marino const uint8_t *formats; 730*f5b1c8a1SJohn Marino int i; 731*f5b1c8a1SJohn Marino 732*f5b1c8a1SJohn Marino /* 733*f5b1c8a1SJohn Marino * Add TLS extension ECPointFormats to the ClientHello message. 734*f5b1c8a1SJohn Marino */ 735*f5b1c8a1SJohn Marino tls1_get_formatlist(s, 0, &formats, &formatslen); 736*f5b1c8a1SJohn Marino 737*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 5) 738*f5b1c8a1SJohn Marino return NULL; 739*f5b1c8a1SJohn Marino 740*f5b1c8a1SJohn Marino lenmax = limit - ret - 5; 741*f5b1c8a1SJohn Marino if (formatslen > lenmax) 742*f5b1c8a1SJohn Marino return NULL; 743*f5b1c8a1SJohn Marino if (formatslen > 255) { 744*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 745*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 746*f5b1c8a1SJohn Marino return NULL; 747*f5b1c8a1SJohn Marino } 748*f5b1c8a1SJohn Marino 749*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_ec_point_formats, ret); 750*f5b1c8a1SJohn Marino s2n(formatslen + 1, ret); 751*f5b1c8a1SJohn Marino *(ret++) = (unsigned char)formatslen; 752*f5b1c8a1SJohn Marino memcpy(ret, formats, formatslen); 753*f5b1c8a1SJohn Marino ret += formatslen; 754*f5b1c8a1SJohn Marino 755*f5b1c8a1SJohn Marino /* 756*f5b1c8a1SJohn Marino * Add TLS extension EllipticCurves to the ClientHello message. 757*f5b1c8a1SJohn Marino */ 758*f5b1c8a1SJohn Marino tls1_get_curvelist(s, 0, &curves, &curveslen); 759*f5b1c8a1SJohn Marino 760*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 6) 761*f5b1c8a1SJohn Marino return NULL; 762*f5b1c8a1SJohn Marino 763*f5b1c8a1SJohn Marino lenmax = limit - ret - 6; 764*f5b1c8a1SJohn Marino if (curveslen > lenmax) 765*f5b1c8a1SJohn Marino return NULL; 766*f5b1c8a1SJohn Marino if (curveslen > 65532) { 767*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 768*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 769*f5b1c8a1SJohn Marino return NULL; 770*f5b1c8a1SJohn Marino } 771*f5b1c8a1SJohn Marino 772*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_elliptic_curves, ret); 773*f5b1c8a1SJohn Marino s2n((curveslen * 2) + 2, ret); 774*f5b1c8a1SJohn Marino 775*f5b1c8a1SJohn Marino /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 776*f5b1c8a1SJohn Marino * elliptic_curve_list, but the examples use two bytes. 777*f5b1c8a1SJohn Marino * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 778*f5b1c8a1SJohn Marino * resolves this to two bytes. 779*f5b1c8a1SJohn Marino */ 780*f5b1c8a1SJohn Marino s2n(curveslen * 2, ret); 781*f5b1c8a1SJohn Marino for (i = 0; i < curveslen; i++) 782*f5b1c8a1SJohn Marino s2n(curves[i], ret); 783*f5b1c8a1SJohn Marino } 784*f5b1c8a1SJohn Marino 785*f5b1c8a1SJohn Marino if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 786*f5b1c8a1SJohn Marino int ticklen; 787*f5b1c8a1SJohn Marino if (!s->new_session && s->session && s->session->tlsext_tick) 788*f5b1c8a1SJohn Marino ticklen = s->session->tlsext_ticklen; 789*f5b1c8a1SJohn Marino else if (s->session && s->tlsext_session_ticket && 790*f5b1c8a1SJohn Marino s->tlsext_session_ticket->data) { 791*f5b1c8a1SJohn Marino ticklen = s->tlsext_session_ticket->length; 792*f5b1c8a1SJohn Marino s->session->tlsext_tick = malloc(ticklen); 793*f5b1c8a1SJohn Marino if (!s->session->tlsext_tick) 794*f5b1c8a1SJohn Marino return NULL; 795*f5b1c8a1SJohn Marino memcpy(s->session->tlsext_tick, 796*f5b1c8a1SJohn Marino s->tlsext_session_ticket->data, ticklen); 797*f5b1c8a1SJohn Marino s->session->tlsext_ticklen = ticklen; 798*f5b1c8a1SJohn Marino } else 799*f5b1c8a1SJohn Marino ticklen = 0; 800*f5b1c8a1SJohn Marino if (ticklen == 0 && s->tlsext_session_ticket && 801*f5b1c8a1SJohn Marino s->tlsext_session_ticket->data == NULL) 802*f5b1c8a1SJohn Marino goto skip_ext; 803*f5b1c8a1SJohn Marino /* Check for enough room 2 for extension type, 2 for len 804*f5b1c8a1SJohn Marino * rest for ticket 805*f5b1c8a1SJohn Marino */ 806*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + ticklen) 807*f5b1c8a1SJohn Marino return NULL; 808*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_session_ticket, ret); 809*f5b1c8a1SJohn Marino 810*f5b1c8a1SJohn Marino s2n(ticklen, ret); 811*f5b1c8a1SJohn Marino if (ticklen) { 812*f5b1c8a1SJohn Marino memcpy(ret, s->session->tlsext_tick, ticklen); 813*f5b1c8a1SJohn Marino ret += ticklen; 814*f5b1c8a1SJohn Marino } 815*f5b1c8a1SJohn Marino } 816*f5b1c8a1SJohn Marino skip_ext: 817*f5b1c8a1SJohn Marino 818*f5b1c8a1SJohn Marino if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 819*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 820*f5b1c8a1SJohn Marino return NULL; 821*f5b1c8a1SJohn Marino 822*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_signature_algorithms, ret); 823*f5b1c8a1SJohn Marino s2n(sizeof(tls12_sigalgs) + 2, ret); 824*f5b1c8a1SJohn Marino s2n(sizeof(tls12_sigalgs), ret); 825*f5b1c8a1SJohn Marino memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 826*f5b1c8a1SJohn Marino ret += sizeof(tls12_sigalgs); 827*f5b1c8a1SJohn Marino } 828*f5b1c8a1SJohn Marino 829*f5b1c8a1SJohn Marino if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 830*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 831*f5b1c8a1SJohn Marino int i; 832*f5b1c8a1SJohn Marino long extlen, idlen, itmp; 833*f5b1c8a1SJohn Marino OCSP_RESPID *id; 834*f5b1c8a1SJohn Marino 835*f5b1c8a1SJohn Marino idlen = 0; 836*f5b1c8a1SJohn Marino for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 837*f5b1c8a1SJohn Marino id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 838*f5b1c8a1SJohn Marino itmp = i2d_OCSP_RESPID(id, NULL); 839*f5b1c8a1SJohn Marino if (itmp <= 0) 840*f5b1c8a1SJohn Marino return NULL; 841*f5b1c8a1SJohn Marino idlen += itmp + 2; 842*f5b1c8a1SJohn Marino } 843*f5b1c8a1SJohn Marino 844*f5b1c8a1SJohn Marino if (s->tlsext_ocsp_exts) { 845*f5b1c8a1SJohn Marino extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 846*f5b1c8a1SJohn Marino if (extlen < 0) 847*f5b1c8a1SJohn Marino return NULL; 848*f5b1c8a1SJohn Marino } else 849*f5b1c8a1SJohn Marino extlen = 0; 850*f5b1c8a1SJohn Marino 851*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 7 + extlen + idlen) 852*f5b1c8a1SJohn Marino return NULL; 853*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_status_request, ret); 854*f5b1c8a1SJohn Marino if (extlen + idlen > 0xFFF0) 855*f5b1c8a1SJohn Marino return NULL; 856*f5b1c8a1SJohn Marino s2n(extlen + idlen + 5, ret); 857*f5b1c8a1SJohn Marino *(ret++) = TLSEXT_STATUSTYPE_ocsp; 858*f5b1c8a1SJohn Marino s2n(idlen, ret); 859*f5b1c8a1SJohn Marino for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 860*f5b1c8a1SJohn Marino /* save position of id len */ 861*f5b1c8a1SJohn Marino unsigned char *q = ret; 862*f5b1c8a1SJohn Marino id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 863*f5b1c8a1SJohn Marino /* skip over id len */ 864*f5b1c8a1SJohn Marino ret += 2; 865*f5b1c8a1SJohn Marino itmp = i2d_OCSP_RESPID(id, &ret); 866*f5b1c8a1SJohn Marino /* write id len */ 867*f5b1c8a1SJohn Marino s2n(itmp, q); 868*f5b1c8a1SJohn Marino } 869*f5b1c8a1SJohn Marino s2n(extlen, ret); 870*f5b1c8a1SJohn Marino if (extlen > 0) 871*f5b1c8a1SJohn Marino i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 872*f5b1c8a1SJohn Marino } 873*f5b1c8a1SJohn Marino 874*f5b1c8a1SJohn Marino if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 875*f5b1c8a1SJohn Marino /* The client advertises an emtpy extension to indicate its 876*f5b1c8a1SJohn Marino * support for Next Protocol Negotiation */ 877*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4) 878*f5b1c8a1SJohn Marino return NULL; 879*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_next_proto_neg, ret); 880*f5b1c8a1SJohn Marino s2n(0, ret); 881*f5b1c8a1SJohn Marino } 882*f5b1c8a1SJohn Marino 883*f5b1c8a1SJohn Marino if (s->alpn_client_proto_list != NULL && 884*f5b1c8a1SJohn Marino s->s3->tmp.finish_md_len == 0) { 885*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 886*f5b1c8a1SJohn Marino return (NULL); 887*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 888*f5b1c8a1SJohn Marino s2n(2 + s->alpn_client_proto_list_len, ret); 889*f5b1c8a1SJohn Marino s2n(s->alpn_client_proto_list_len, ret); 890*f5b1c8a1SJohn Marino memcpy(ret, s->alpn_client_proto_list, 891*f5b1c8a1SJohn Marino s->alpn_client_proto_list_len); 892*f5b1c8a1SJohn Marino ret += s->alpn_client_proto_list_len; 893*f5b1c8a1SJohn Marino } 894*f5b1c8a1SJohn Marino 895*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP 896*f5b1c8a1SJohn Marino if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 897*f5b1c8a1SJohn Marino int el; 898*f5b1c8a1SJohn Marino 899*f5b1c8a1SJohn Marino ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 900*f5b1c8a1SJohn Marino 901*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + el) 902*f5b1c8a1SJohn Marino return NULL; 903*f5b1c8a1SJohn Marino 904*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_use_srtp, ret); 905*f5b1c8a1SJohn Marino s2n(el, ret); 906*f5b1c8a1SJohn Marino 907*f5b1c8a1SJohn Marino if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 908*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 909*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 910*f5b1c8a1SJohn Marino return NULL; 911*f5b1c8a1SJohn Marino } 912*f5b1c8a1SJohn Marino ret += el; 913*f5b1c8a1SJohn Marino } 914*f5b1c8a1SJohn Marino #endif 915*f5b1c8a1SJohn Marino 916*f5b1c8a1SJohn Marino /* 917*f5b1c8a1SJohn Marino * Add padding to workaround bugs in F5 terminators. 918*f5b1c8a1SJohn Marino * See https://tools.ietf.org/html/draft-agl-tls-padding-03 919*f5b1c8a1SJohn Marino * 920*f5b1c8a1SJohn Marino * Note that this seems to trigger issues with IronPort SMTP 921*f5b1c8a1SJohn Marino * appliances. 922*f5b1c8a1SJohn Marino * 923*f5b1c8a1SJohn Marino * NB: because this code works out the length of all existing 924*f5b1c8a1SJohn Marino * extensions it MUST always appear last. 925*f5b1c8a1SJohn Marino */ 926*f5b1c8a1SJohn Marino if (s->options & SSL_OP_TLSEXT_PADDING) { 927*f5b1c8a1SJohn Marino int hlen = ret - (unsigned char *)s->init_buf->data; 928*f5b1c8a1SJohn Marino 929*f5b1c8a1SJohn Marino /* 930*f5b1c8a1SJohn Marino * The code in s23_clnt.c to build ClientHello messages 931*f5b1c8a1SJohn Marino * includes the 5-byte record header in the buffer, while the 932*f5b1c8a1SJohn Marino * code in s3_clnt.c does not. 933*f5b1c8a1SJohn Marino */ 934*f5b1c8a1SJohn Marino if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 935*f5b1c8a1SJohn Marino hlen -= 5; 936*f5b1c8a1SJohn Marino if (hlen > 0xff && hlen < 0x200) { 937*f5b1c8a1SJohn Marino hlen = 0x200 - hlen; 938*f5b1c8a1SJohn Marino if (hlen >= 4) 939*f5b1c8a1SJohn Marino hlen -= 4; 940*f5b1c8a1SJohn Marino else 941*f5b1c8a1SJohn Marino hlen = 0; 942*f5b1c8a1SJohn Marino 943*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_padding, ret); 944*f5b1c8a1SJohn Marino s2n(hlen, ret); 945*f5b1c8a1SJohn Marino memset(ret, 0, hlen); 946*f5b1c8a1SJohn Marino ret += hlen; 947*f5b1c8a1SJohn Marino } 948*f5b1c8a1SJohn Marino } 949*f5b1c8a1SJohn Marino 950*f5b1c8a1SJohn Marino if ((extdatalen = ret - p - 2) == 0) 951*f5b1c8a1SJohn Marino return p; 952*f5b1c8a1SJohn Marino 953*f5b1c8a1SJohn Marino s2n(extdatalen, p); 954*f5b1c8a1SJohn Marino return ret; 955*f5b1c8a1SJohn Marino } 956*f5b1c8a1SJohn Marino 957*f5b1c8a1SJohn Marino unsigned char * 958*f5b1c8a1SJohn Marino ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 959*f5b1c8a1SJohn Marino { 960*f5b1c8a1SJohn Marino int using_ecc, extdatalen = 0; 961*f5b1c8a1SJohn Marino unsigned long alg_a, alg_k; 962*f5b1c8a1SJohn Marino unsigned char *ret = p; 963*f5b1c8a1SJohn Marino int next_proto_neg_seen; 964*f5b1c8a1SJohn Marino 965*f5b1c8a1SJohn Marino alg_a = s->s3->tmp.new_cipher->algorithm_auth; 966*f5b1c8a1SJohn Marino alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 967*f5b1c8a1SJohn Marino using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 968*f5b1c8a1SJohn Marino alg_a & SSL_aECDSA) && 969*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist != NULL; 970*f5b1c8a1SJohn Marino 971*f5b1c8a1SJohn Marino ret += 2; 972*f5b1c8a1SJohn Marino if (ret >= limit) 973*f5b1c8a1SJohn Marino return NULL; /* this really never occurs, but ... */ 974*f5b1c8a1SJohn Marino 975*f5b1c8a1SJohn Marino if (!s->hit && s->servername_done == 1 && 976*f5b1c8a1SJohn Marino s->session->tlsext_hostname != NULL) { 977*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4) 978*f5b1c8a1SJohn Marino return NULL; 979*f5b1c8a1SJohn Marino 980*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_server_name, ret); 981*f5b1c8a1SJohn Marino s2n(0, ret); 982*f5b1c8a1SJohn Marino } 983*f5b1c8a1SJohn Marino 984*f5b1c8a1SJohn Marino if (s->s3->send_connection_binding) { 985*f5b1c8a1SJohn Marino int el; 986*f5b1c8a1SJohn Marino 987*f5b1c8a1SJohn Marino if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 988*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 989*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 990*f5b1c8a1SJohn Marino return NULL; 991*f5b1c8a1SJohn Marino } 992*f5b1c8a1SJohn Marino 993*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + el) 994*f5b1c8a1SJohn Marino return NULL; 995*f5b1c8a1SJohn Marino 996*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_renegotiate, ret); 997*f5b1c8a1SJohn Marino s2n(el, ret); 998*f5b1c8a1SJohn Marino 999*f5b1c8a1SJohn Marino if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1000*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1001*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 1002*f5b1c8a1SJohn Marino return NULL; 1003*f5b1c8a1SJohn Marino } 1004*f5b1c8a1SJohn Marino 1005*f5b1c8a1SJohn Marino ret += el; 1006*f5b1c8a1SJohn Marino } 1007*f5b1c8a1SJohn Marino 1008*f5b1c8a1SJohn Marino if (using_ecc && s->version != DTLS1_VERSION) { 1009*f5b1c8a1SJohn Marino const unsigned char *formats; 1010*f5b1c8a1SJohn Marino size_t formatslen, lenmax; 1011*f5b1c8a1SJohn Marino 1012*f5b1c8a1SJohn Marino /* 1013*f5b1c8a1SJohn Marino * Add TLS extension ECPointFormats to the ServerHello message. 1014*f5b1c8a1SJohn Marino */ 1015*f5b1c8a1SJohn Marino tls1_get_formatlist(s, 0, &formats, &formatslen); 1016*f5b1c8a1SJohn Marino 1017*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 5) 1018*f5b1c8a1SJohn Marino return NULL; 1019*f5b1c8a1SJohn Marino 1020*f5b1c8a1SJohn Marino lenmax = limit - ret - 5; 1021*f5b1c8a1SJohn Marino if (formatslen > lenmax) 1022*f5b1c8a1SJohn Marino return NULL; 1023*f5b1c8a1SJohn Marino if (formatslen > 255) { 1024*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1025*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 1026*f5b1c8a1SJohn Marino return NULL; 1027*f5b1c8a1SJohn Marino } 1028*f5b1c8a1SJohn Marino 1029*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_ec_point_formats, ret); 1030*f5b1c8a1SJohn Marino s2n(formatslen + 1, ret); 1031*f5b1c8a1SJohn Marino *(ret++) = (unsigned char)formatslen; 1032*f5b1c8a1SJohn Marino memcpy(ret, formats, formatslen); 1033*f5b1c8a1SJohn Marino ret += formatslen; 1034*f5b1c8a1SJohn Marino } 1035*f5b1c8a1SJohn Marino 1036*f5b1c8a1SJohn Marino /* 1037*f5b1c8a1SJohn Marino * Currently the server should not respond with a SupportedCurves 1038*f5b1c8a1SJohn Marino * extension. 1039*f5b1c8a1SJohn Marino */ 1040*f5b1c8a1SJohn Marino 1041*f5b1c8a1SJohn Marino if (s->tlsext_ticket_expected && 1042*f5b1c8a1SJohn Marino !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1043*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4) 1044*f5b1c8a1SJohn Marino return NULL; 1045*f5b1c8a1SJohn Marino 1046*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_session_ticket, ret); 1047*f5b1c8a1SJohn Marino s2n(0, ret); 1048*f5b1c8a1SJohn Marino } 1049*f5b1c8a1SJohn Marino 1050*f5b1c8a1SJohn Marino if (s->tlsext_status_expected) { 1051*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4) 1052*f5b1c8a1SJohn Marino return NULL; 1053*f5b1c8a1SJohn Marino 1054*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_status_request, ret); 1055*f5b1c8a1SJohn Marino s2n(0, ret); 1056*f5b1c8a1SJohn Marino } 1057*f5b1c8a1SJohn Marino 1058*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP 1059*f5b1c8a1SJohn Marino if (SSL_IS_DTLS(s) && s->srtp_profile) { 1060*f5b1c8a1SJohn Marino int el; 1061*f5b1c8a1SJohn Marino 1062*f5b1c8a1SJohn Marino ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1063*f5b1c8a1SJohn Marino 1064*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + el) 1065*f5b1c8a1SJohn Marino return NULL; 1066*f5b1c8a1SJohn Marino 1067*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_use_srtp, ret); 1068*f5b1c8a1SJohn Marino s2n(el, ret); 1069*f5b1c8a1SJohn Marino 1070*f5b1c8a1SJohn Marino if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1071*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1072*f5b1c8a1SJohn Marino ERR_R_INTERNAL_ERROR); 1073*f5b1c8a1SJohn Marino return NULL; 1074*f5b1c8a1SJohn Marino } 1075*f5b1c8a1SJohn Marino ret += el; 1076*f5b1c8a1SJohn Marino } 1077*f5b1c8a1SJohn Marino #endif 1078*f5b1c8a1SJohn Marino 1079*f5b1c8a1SJohn Marino if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1080*f5b1c8a1SJohn Marino (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1081*f5b1c8a1SJohn Marino (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1082*f5b1c8a1SJohn Marino static const unsigned char cryptopro_ext[36] = { 1083*f5b1c8a1SJohn Marino 0xfd, 0xe8, /*65000*/ 1084*f5b1c8a1SJohn Marino 0x00, 0x20, /*32 bytes length*/ 1085*f5b1c8a1SJohn Marino 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1086*f5b1c8a1SJohn Marino 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1087*f5b1c8a1SJohn Marino 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1088*f5b1c8a1SJohn Marino 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1089*f5b1c8a1SJohn Marino }; 1090*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1091*f5b1c8a1SJohn Marino return NULL; 1092*f5b1c8a1SJohn Marino memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1093*f5b1c8a1SJohn Marino ret += sizeof(cryptopro_ext); 1094*f5b1c8a1SJohn Marino } 1095*f5b1c8a1SJohn Marino 1096*f5b1c8a1SJohn Marino next_proto_neg_seen = s->s3->next_proto_neg_seen; 1097*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 0; 1098*f5b1c8a1SJohn Marino if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1099*f5b1c8a1SJohn Marino const unsigned char *npa; 1100*f5b1c8a1SJohn Marino unsigned int npalen; 1101*f5b1c8a1SJohn Marino int r; 1102*f5b1c8a1SJohn Marino 1103*f5b1c8a1SJohn Marino r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1104*f5b1c8a1SJohn Marino s->ctx->next_protos_advertised_cb_arg); 1105*f5b1c8a1SJohn Marino if (r == SSL_TLSEXT_ERR_OK) { 1106*f5b1c8a1SJohn Marino if ((size_t)(limit - ret) < 4 + npalen) 1107*f5b1c8a1SJohn Marino return NULL; 1108*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_next_proto_neg, ret); 1109*f5b1c8a1SJohn Marino s2n(npalen, ret); 1110*f5b1c8a1SJohn Marino memcpy(ret, npa, npalen); 1111*f5b1c8a1SJohn Marino ret += npalen; 1112*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 1; 1113*f5b1c8a1SJohn Marino } 1114*f5b1c8a1SJohn Marino } 1115*f5b1c8a1SJohn Marino 1116*f5b1c8a1SJohn Marino if (s->s3->alpn_selected != NULL) { 1117*f5b1c8a1SJohn Marino const unsigned char *selected = s->s3->alpn_selected; 1118*f5b1c8a1SJohn Marino unsigned int len = s->s3->alpn_selected_len; 1119*f5b1c8a1SJohn Marino 1120*f5b1c8a1SJohn Marino if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1121*f5b1c8a1SJohn Marino return (NULL); 1122*f5b1c8a1SJohn Marino s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1123*f5b1c8a1SJohn Marino s2n(3 + len, ret); 1124*f5b1c8a1SJohn Marino s2n(1 + len, ret); 1125*f5b1c8a1SJohn Marino *ret++ = len; 1126*f5b1c8a1SJohn Marino memcpy(ret, selected, len); 1127*f5b1c8a1SJohn Marino ret += len; 1128*f5b1c8a1SJohn Marino } 1129*f5b1c8a1SJohn Marino 1130*f5b1c8a1SJohn Marino if ((extdatalen = ret - p - 2) == 0) 1131*f5b1c8a1SJohn Marino return p; 1132*f5b1c8a1SJohn Marino 1133*f5b1c8a1SJohn Marino s2n(extdatalen, p); 1134*f5b1c8a1SJohn Marino return ret; 1135*f5b1c8a1SJohn Marino } 1136*f5b1c8a1SJohn Marino 1137*f5b1c8a1SJohn Marino /* 1138*f5b1c8a1SJohn Marino * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1139*f5b1c8a1SJohn Marino * ClientHello. 1140*f5b1c8a1SJohn Marino * data: the contents of the extension, not including the type and length. 1141*f5b1c8a1SJohn Marino * data_len: the number of bytes in data. 1142*f5b1c8a1SJohn Marino * al: a pointer to the alert value to send in the event of a non-zero 1143*f5b1c8a1SJohn Marino * return. 1144*f5b1c8a1SJohn Marino * returns: 1 on success. 1145*f5b1c8a1SJohn Marino */ 1146*f5b1c8a1SJohn Marino static int 1147*f5b1c8a1SJohn Marino tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1148*f5b1c8a1SJohn Marino unsigned int data_len, int *al) 1149*f5b1c8a1SJohn Marino { 1150*f5b1c8a1SJohn Marino CBS cbs, proto_name_list, alpn; 1151*f5b1c8a1SJohn Marino const unsigned char *selected; 1152*f5b1c8a1SJohn Marino unsigned char selected_len; 1153*f5b1c8a1SJohn Marino int r; 1154*f5b1c8a1SJohn Marino 1155*f5b1c8a1SJohn Marino if (s->ctx->alpn_select_cb == NULL) 1156*f5b1c8a1SJohn Marino return (1); 1157*f5b1c8a1SJohn Marino 1158*f5b1c8a1SJohn Marino if (data_len < 2) 1159*f5b1c8a1SJohn Marino goto parse_error; 1160*f5b1c8a1SJohn Marino 1161*f5b1c8a1SJohn Marino CBS_init(&cbs, data, data_len); 1162*f5b1c8a1SJohn Marino 1163*f5b1c8a1SJohn Marino /* 1164*f5b1c8a1SJohn Marino * data should contain a uint16 length followed by a series of 8-bit, 1165*f5b1c8a1SJohn Marino * length-prefixed strings. 1166*f5b1c8a1SJohn Marino */ 1167*f5b1c8a1SJohn Marino if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1168*f5b1c8a1SJohn Marino CBS_len(&alpn) < 2 || 1169*f5b1c8a1SJohn Marino CBS_len(&cbs) != 0) 1170*f5b1c8a1SJohn Marino goto parse_error; 1171*f5b1c8a1SJohn Marino 1172*f5b1c8a1SJohn Marino /* Validate data before sending to callback. */ 1173*f5b1c8a1SJohn Marino CBS_dup(&alpn, &proto_name_list); 1174*f5b1c8a1SJohn Marino while (CBS_len(&proto_name_list) > 0) { 1175*f5b1c8a1SJohn Marino CBS proto_name; 1176*f5b1c8a1SJohn Marino 1177*f5b1c8a1SJohn Marino if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1178*f5b1c8a1SJohn Marino CBS_len(&proto_name) == 0) 1179*f5b1c8a1SJohn Marino goto parse_error; 1180*f5b1c8a1SJohn Marino } 1181*f5b1c8a1SJohn Marino 1182*f5b1c8a1SJohn Marino r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1183*f5b1c8a1SJohn Marino CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1184*f5b1c8a1SJohn Marino if (r == SSL_TLSEXT_ERR_OK) { 1185*f5b1c8a1SJohn Marino free(s->s3->alpn_selected); 1186*f5b1c8a1SJohn Marino if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1187*f5b1c8a1SJohn Marino *al = SSL_AD_INTERNAL_ERROR; 1188*f5b1c8a1SJohn Marino return (-1); 1189*f5b1c8a1SJohn Marino } 1190*f5b1c8a1SJohn Marino memcpy(s->s3->alpn_selected, selected, selected_len); 1191*f5b1c8a1SJohn Marino s->s3->alpn_selected_len = selected_len; 1192*f5b1c8a1SJohn Marino } 1193*f5b1c8a1SJohn Marino 1194*f5b1c8a1SJohn Marino return (1); 1195*f5b1c8a1SJohn Marino 1196*f5b1c8a1SJohn Marino parse_error: 1197*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1198*f5b1c8a1SJohn Marino return (0); 1199*f5b1c8a1SJohn Marino } 1200*f5b1c8a1SJohn Marino 1201*f5b1c8a1SJohn Marino int 1202*f5b1c8a1SJohn Marino ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1203*f5b1c8a1SJohn Marino int n, int *al) 1204*f5b1c8a1SJohn Marino { 1205*f5b1c8a1SJohn Marino unsigned short type; 1206*f5b1c8a1SJohn Marino unsigned short size; 1207*f5b1c8a1SJohn Marino unsigned short len; 1208*f5b1c8a1SJohn Marino unsigned char *data = *p; 1209*f5b1c8a1SJohn Marino int renegotiate_seen = 0; 1210*f5b1c8a1SJohn Marino int sigalg_seen = 0; 1211*f5b1c8a1SJohn Marino 1212*f5b1c8a1SJohn Marino s->servername_done = 0; 1213*f5b1c8a1SJohn Marino s->tlsext_status_type = -1; 1214*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 0; 1215*f5b1c8a1SJohn Marino free(s->s3->alpn_selected); 1216*f5b1c8a1SJohn Marino s->s3->alpn_selected = NULL; 1217*f5b1c8a1SJohn Marino 1218*f5b1c8a1SJohn Marino if (data >= (d + n - 2)) 1219*f5b1c8a1SJohn Marino goto ri_check; 1220*f5b1c8a1SJohn Marino n2s(data, len); 1221*f5b1c8a1SJohn Marino 1222*f5b1c8a1SJohn Marino if (data > (d + n - len)) 1223*f5b1c8a1SJohn Marino goto ri_check; 1224*f5b1c8a1SJohn Marino 1225*f5b1c8a1SJohn Marino while (data <= (d + n - 4)) { 1226*f5b1c8a1SJohn Marino n2s(data, type); 1227*f5b1c8a1SJohn Marino n2s(data, size); 1228*f5b1c8a1SJohn Marino 1229*f5b1c8a1SJohn Marino if (data + size > (d + n)) 1230*f5b1c8a1SJohn Marino goto ri_check; 1231*f5b1c8a1SJohn Marino if (s->tlsext_debug_cb) 1232*f5b1c8a1SJohn Marino s->tlsext_debug_cb(s, 0, type, data, size, 1233*f5b1c8a1SJohn Marino s->tlsext_debug_arg); 1234*f5b1c8a1SJohn Marino /* The servername extension is treated as follows: 1235*f5b1c8a1SJohn Marino 1236*f5b1c8a1SJohn Marino - Only the hostname type is supported with a maximum length of 255. 1237*f5b1c8a1SJohn Marino - The servername is rejected if too long or if it contains zeros, 1238*f5b1c8a1SJohn Marino in which case an fatal alert is generated. 1239*f5b1c8a1SJohn Marino - The servername field is maintained together with the session cache. 1240*f5b1c8a1SJohn Marino - When a session is resumed, the servername call back invoked in order 1241*f5b1c8a1SJohn Marino to allow the application to position itself to the right context. 1242*f5b1c8a1SJohn Marino - The servername is acknowledged if it is new for a session or when 1243*f5b1c8a1SJohn Marino it is identical to a previously used for the same session. 1244*f5b1c8a1SJohn Marino Applications can control the behaviour. They can at any time 1245*f5b1c8a1SJohn Marino set a 'desirable' servername for a new SSL object. This can be the 1246*f5b1c8a1SJohn Marino case for example with HTTPS when a Host: header field is received and 1247*f5b1c8a1SJohn Marino a renegotiation is requested. In this case, a possible servername 1248*f5b1c8a1SJohn Marino presented in the new client hello is only acknowledged if it matches 1249*f5b1c8a1SJohn Marino the value of the Host: field. 1250*f5b1c8a1SJohn Marino - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1251*f5b1c8a1SJohn Marino if they provide for changing an explicit servername context for the session, 1252*f5b1c8a1SJohn Marino i.e. when the session has been established with a servername extension. 1253*f5b1c8a1SJohn Marino - On session reconnect, the servername extension may be absent. 1254*f5b1c8a1SJohn Marino 1255*f5b1c8a1SJohn Marino */ 1256*f5b1c8a1SJohn Marino 1257*f5b1c8a1SJohn Marino if (type == TLSEXT_TYPE_server_name) { 1258*f5b1c8a1SJohn Marino unsigned char *sdata; 1259*f5b1c8a1SJohn Marino int servname_type; 1260*f5b1c8a1SJohn Marino int dsize; 1261*f5b1c8a1SJohn Marino 1262*f5b1c8a1SJohn Marino if (size < 2) { 1263*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1264*f5b1c8a1SJohn Marino return 0; 1265*f5b1c8a1SJohn Marino } 1266*f5b1c8a1SJohn Marino n2s(data, dsize); 1267*f5b1c8a1SJohn Marino 1268*f5b1c8a1SJohn Marino size -= 2; 1269*f5b1c8a1SJohn Marino if (dsize > size) { 1270*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1271*f5b1c8a1SJohn Marino return 0; 1272*f5b1c8a1SJohn Marino } 1273*f5b1c8a1SJohn Marino 1274*f5b1c8a1SJohn Marino sdata = data; 1275*f5b1c8a1SJohn Marino while (dsize > 3) { 1276*f5b1c8a1SJohn Marino servname_type = *(sdata++); 1277*f5b1c8a1SJohn Marino 1278*f5b1c8a1SJohn Marino n2s(sdata, len); 1279*f5b1c8a1SJohn Marino dsize -= 3; 1280*f5b1c8a1SJohn Marino 1281*f5b1c8a1SJohn Marino if (len > dsize) { 1282*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1283*f5b1c8a1SJohn Marino return 0; 1284*f5b1c8a1SJohn Marino } 1285*f5b1c8a1SJohn Marino if (s->servername_done == 0) 1286*f5b1c8a1SJohn Marino switch (servname_type) { 1287*f5b1c8a1SJohn Marino case TLSEXT_NAMETYPE_host_name: 1288*f5b1c8a1SJohn Marino if (!s->hit) { 1289*f5b1c8a1SJohn Marino if (s->session->tlsext_hostname) { 1290*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1291*f5b1c8a1SJohn Marino return 0; 1292*f5b1c8a1SJohn Marino } 1293*f5b1c8a1SJohn Marino if (len > TLSEXT_MAXLEN_host_name) { 1294*f5b1c8a1SJohn Marino *al = TLS1_AD_UNRECOGNIZED_NAME; 1295*f5b1c8a1SJohn Marino return 0; 1296*f5b1c8a1SJohn Marino } 1297*f5b1c8a1SJohn Marino if ((s->session->tlsext_hostname = 1298*f5b1c8a1SJohn Marino malloc(len + 1)) == NULL) { 1299*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1300*f5b1c8a1SJohn Marino return 0; 1301*f5b1c8a1SJohn Marino } 1302*f5b1c8a1SJohn Marino memcpy(s->session->tlsext_hostname, sdata, len); 1303*f5b1c8a1SJohn Marino s->session->tlsext_hostname[len] = '\0'; 1304*f5b1c8a1SJohn Marino if (strlen(s->session->tlsext_hostname) != len) { 1305*f5b1c8a1SJohn Marino free(s->session->tlsext_hostname); 1306*f5b1c8a1SJohn Marino s->session->tlsext_hostname = NULL; 1307*f5b1c8a1SJohn Marino *al = TLS1_AD_UNRECOGNIZED_NAME; 1308*f5b1c8a1SJohn Marino return 0; 1309*f5b1c8a1SJohn Marino } 1310*f5b1c8a1SJohn Marino s->servername_done = 1; 1311*f5b1c8a1SJohn Marino 1312*f5b1c8a1SJohn Marino 1313*f5b1c8a1SJohn Marino } else { 1314*f5b1c8a1SJohn Marino s->servername_done = s->session->tlsext_hostname && 1315*f5b1c8a1SJohn Marino strlen(s->session->tlsext_hostname) == len && 1316*f5b1c8a1SJohn Marino strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1317*f5b1c8a1SJohn Marino } 1318*f5b1c8a1SJohn Marino break; 1319*f5b1c8a1SJohn Marino 1320*f5b1c8a1SJohn Marino default: 1321*f5b1c8a1SJohn Marino break; 1322*f5b1c8a1SJohn Marino } 1323*f5b1c8a1SJohn Marino 1324*f5b1c8a1SJohn Marino dsize -= len; 1325*f5b1c8a1SJohn Marino } 1326*f5b1c8a1SJohn Marino if (dsize != 0) { 1327*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1328*f5b1c8a1SJohn Marino return 0; 1329*f5b1c8a1SJohn Marino } 1330*f5b1c8a1SJohn Marino 1331*f5b1c8a1SJohn Marino } 1332*f5b1c8a1SJohn Marino 1333*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_ec_point_formats && 1334*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 1335*f5b1c8a1SJohn Marino unsigned char *sdata = data; 1336*f5b1c8a1SJohn Marino size_t formatslen; 1337*f5b1c8a1SJohn Marino uint8_t *formats; 1338*f5b1c8a1SJohn Marino 1339*f5b1c8a1SJohn Marino if (size < 1) { 1340*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1341*f5b1c8a1SJohn Marino return 0; 1342*f5b1c8a1SJohn Marino } 1343*f5b1c8a1SJohn Marino formatslen = *(sdata++); 1344*f5b1c8a1SJohn Marino if (formatslen != size - 1) { 1345*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1346*f5b1c8a1SJohn Marino return 0; 1347*f5b1c8a1SJohn Marino } 1348*f5b1c8a1SJohn Marino 1349*f5b1c8a1SJohn Marino if (!s->hit) { 1350*f5b1c8a1SJohn Marino free(s->session->tlsext_ecpointformatlist); 1351*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist = NULL; 1352*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist_length = 0; 1353*f5b1c8a1SJohn Marino 1354*f5b1c8a1SJohn Marino if ((formats = reallocarray(NULL, formatslen, 1355*f5b1c8a1SJohn Marino sizeof(uint8_t))) == NULL) { 1356*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1357*f5b1c8a1SJohn Marino return 0; 1358*f5b1c8a1SJohn Marino } 1359*f5b1c8a1SJohn Marino memcpy(formats, sdata, formatslen); 1360*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist = formats; 1361*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist_length = 1362*f5b1c8a1SJohn Marino formatslen; 1363*f5b1c8a1SJohn Marino } 1364*f5b1c8a1SJohn Marino } else if (type == TLSEXT_TYPE_elliptic_curves && 1365*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 1366*f5b1c8a1SJohn Marino unsigned char *sdata = data; 1367*f5b1c8a1SJohn Marino size_t curveslen, i; 1368*f5b1c8a1SJohn Marino uint16_t *curves; 1369*f5b1c8a1SJohn Marino 1370*f5b1c8a1SJohn Marino if (size < 2) { 1371*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1372*f5b1c8a1SJohn Marino return 0; 1373*f5b1c8a1SJohn Marino } 1374*f5b1c8a1SJohn Marino n2s(sdata, curveslen); 1375*f5b1c8a1SJohn Marino if (curveslen != size - 2 || curveslen % 2 != 0) { 1376*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1377*f5b1c8a1SJohn Marino return 0; 1378*f5b1c8a1SJohn Marino } 1379*f5b1c8a1SJohn Marino curveslen /= 2; 1380*f5b1c8a1SJohn Marino 1381*f5b1c8a1SJohn Marino if (!s->hit) { 1382*f5b1c8a1SJohn Marino if (s->session->tlsext_ellipticcurvelist) { 1383*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1384*f5b1c8a1SJohn Marino return 0; 1385*f5b1c8a1SJohn Marino } 1386*f5b1c8a1SJohn Marino s->session->tlsext_ellipticcurvelist_length = 0; 1387*f5b1c8a1SJohn Marino if ((curves = reallocarray(NULL, curveslen, 1388*f5b1c8a1SJohn Marino sizeof(uint16_t))) == NULL) { 1389*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1390*f5b1c8a1SJohn Marino return 0; 1391*f5b1c8a1SJohn Marino } 1392*f5b1c8a1SJohn Marino for (i = 0; i < curveslen; i++) 1393*f5b1c8a1SJohn Marino n2s(sdata, curves[i]); 1394*f5b1c8a1SJohn Marino s->session->tlsext_ellipticcurvelist = curves; 1395*f5b1c8a1SJohn Marino s->session->tlsext_ellipticcurvelist_length = curveslen; 1396*f5b1c8a1SJohn Marino } 1397*f5b1c8a1SJohn Marino } 1398*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_session_ticket) { 1399*f5b1c8a1SJohn Marino if (s->tls_session_ticket_ext_cb && 1400*f5b1c8a1SJohn Marino !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1401*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1402*f5b1c8a1SJohn Marino return 0; 1403*f5b1c8a1SJohn Marino } 1404*f5b1c8a1SJohn Marino } else if (type == TLSEXT_TYPE_renegotiate) { 1405*f5b1c8a1SJohn Marino if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1406*f5b1c8a1SJohn Marino return 0; 1407*f5b1c8a1SJohn Marino renegotiate_seen = 1; 1408*f5b1c8a1SJohn Marino } else if (type == TLSEXT_TYPE_signature_algorithms) { 1409*f5b1c8a1SJohn Marino int dsize; 1410*f5b1c8a1SJohn Marino if (sigalg_seen || size < 2) { 1411*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1412*f5b1c8a1SJohn Marino return 0; 1413*f5b1c8a1SJohn Marino } 1414*f5b1c8a1SJohn Marino sigalg_seen = 1; 1415*f5b1c8a1SJohn Marino n2s(data, dsize); 1416*f5b1c8a1SJohn Marino size -= 2; 1417*f5b1c8a1SJohn Marino if (dsize != size || dsize & 1) { 1418*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1419*f5b1c8a1SJohn Marino return 0; 1420*f5b1c8a1SJohn Marino } 1421*f5b1c8a1SJohn Marino if (!tls1_process_sigalgs(s, data, dsize)) { 1422*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1423*f5b1c8a1SJohn Marino return 0; 1424*f5b1c8a1SJohn Marino } 1425*f5b1c8a1SJohn Marino } else if (type == TLSEXT_TYPE_status_request && 1426*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 1427*f5b1c8a1SJohn Marino 1428*f5b1c8a1SJohn Marino if (size < 5) { 1429*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1430*f5b1c8a1SJohn Marino return 0; 1431*f5b1c8a1SJohn Marino } 1432*f5b1c8a1SJohn Marino 1433*f5b1c8a1SJohn Marino s->tlsext_status_type = *data++; 1434*f5b1c8a1SJohn Marino size--; 1435*f5b1c8a1SJohn Marino if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1436*f5b1c8a1SJohn Marino const unsigned char *sdata; 1437*f5b1c8a1SJohn Marino int dsize; 1438*f5b1c8a1SJohn Marino /* Read in responder_id_list */ 1439*f5b1c8a1SJohn Marino n2s(data, dsize); 1440*f5b1c8a1SJohn Marino size -= 2; 1441*f5b1c8a1SJohn Marino if (dsize > size ) { 1442*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1443*f5b1c8a1SJohn Marino return 0; 1444*f5b1c8a1SJohn Marino } 1445*f5b1c8a1SJohn Marino while (dsize > 0) { 1446*f5b1c8a1SJohn Marino OCSP_RESPID *id; 1447*f5b1c8a1SJohn Marino int idsize; 1448*f5b1c8a1SJohn Marino if (dsize < 4) { 1449*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1450*f5b1c8a1SJohn Marino return 0; 1451*f5b1c8a1SJohn Marino } 1452*f5b1c8a1SJohn Marino n2s(data, idsize); 1453*f5b1c8a1SJohn Marino dsize -= 2 + idsize; 1454*f5b1c8a1SJohn Marino size -= 2 + idsize; 1455*f5b1c8a1SJohn Marino if (dsize < 0) { 1456*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1457*f5b1c8a1SJohn Marino return 0; 1458*f5b1c8a1SJohn Marino } 1459*f5b1c8a1SJohn Marino sdata = data; 1460*f5b1c8a1SJohn Marino data += idsize; 1461*f5b1c8a1SJohn Marino id = d2i_OCSP_RESPID(NULL, 1462*f5b1c8a1SJohn Marino &sdata, idsize); 1463*f5b1c8a1SJohn Marino if (!id) { 1464*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1465*f5b1c8a1SJohn Marino return 0; 1466*f5b1c8a1SJohn Marino } 1467*f5b1c8a1SJohn Marino if (data != sdata) { 1468*f5b1c8a1SJohn Marino OCSP_RESPID_free(id); 1469*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1470*f5b1c8a1SJohn Marino return 0; 1471*f5b1c8a1SJohn Marino } 1472*f5b1c8a1SJohn Marino if (!s->tlsext_ocsp_ids && 1473*f5b1c8a1SJohn Marino !(s->tlsext_ocsp_ids = 1474*f5b1c8a1SJohn Marino sk_OCSP_RESPID_new_null())) { 1475*f5b1c8a1SJohn Marino OCSP_RESPID_free(id); 1476*f5b1c8a1SJohn Marino *al = SSL_AD_INTERNAL_ERROR; 1477*f5b1c8a1SJohn Marino return 0; 1478*f5b1c8a1SJohn Marino } 1479*f5b1c8a1SJohn Marino if (!sk_OCSP_RESPID_push( 1480*f5b1c8a1SJohn Marino s->tlsext_ocsp_ids, id)) { 1481*f5b1c8a1SJohn Marino OCSP_RESPID_free(id); 1482*f5b1c8a1SJohn Marino *al = SSL_AD_INTERNAL_ERROR; 1483*f5b1c8a1SJohn Marino return 0; 1484*f5b1c8a1SJohn Marino } 1485*f5b1c8a1SJohn Marino } 1486*f5b1c8a1SJohn Marino 1487*f5b1c8a1SJohn Marino /* Read in request_extensions */ 1488*f5b1c8a1SJohn Marino if (size < 2) { 1489*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1490*f5b1c8a1SJohn Marino return 0; 1491*f5b1c8a1SJohn Marino } 1492*f5b1c8a1SJohn Marino n2s(data, dsize); 1493*f5b1c8a1SJohn Marino size -= 2; 1494*f5b1c8a1SJohn Marino if (dsize != size) { 1495*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1496*f5b1c8a1SJohn Marino return 0; 1497*f5b1c8a1SJohn Marino } 1498*f5b1c8a1SJohn Marino sdata = data; 1499*f5b1c8a1SJohn Marino if (dsize > 0) { 1500*f5b1c8a1SJohn Marino if (s->tlsext_ocsp_exts) { 1501*f5b1c8a1SJohn Marino sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1502*f5b1c8a1SJohn Marino X509_EXTENSION_free); 1503*f5b1c8a1SJohn Marino } 1504*f5b1c8a1SJohn Marino 1505*f5b1c8a1SJohn Marino s->tlsext_ocsp_exts = 1506*f5b1c8a1SJohn Marino d2i_X509_EXTENSIONS(NULL, 1507*f5b1c8a1SJohn Marino &sdata, dsize); 1508*f5b1c8a1SJohn Marino if (!s->tlsext_ocsp_exts || 1509*f5b1c8a1SJohn Marino (data + dsize != sdata)) { 1510*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1511*f5b1c8a1SJohn Marino return 0; 1512*f5b1c8a1SJohn Marino } 1513*f5b1c8a1SJohn Marino } 1514*f5b1c8a1SJohn Marino } else { 1515*f5b1c8a1SJohn Marino /* We don't know what to do with any other type 1516*f5b1c8a1SJohn Marino * so ignore it. 1517*f5b1c8a1SJohn Marino */ 1518*f5b1c8a1SJohn Marino s->tlsext_status_type = -1; 1519*f5b1c8a1SJohn Marino } 1520*f5b1c8a1SJohn Marino } 1521*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_next_proto_neg && 1522*f5b1c8a1SJohn Marino s->s3->tmp.finish_md_len == 0 && 1523*f5b1c8a1SJohn Marino s->s3->alpn_selected == NULL) { 1524*f5b1c8a1SJohn Marino /* We shouldn't accept this extension on a 1525*f5b1c8a1SJohn Marino * renegotiation. 1526*f5b1c8a1SJohn Marino * 1527*f5b1c8a1SJohn Marino * s->new_session will be set on renegotiation, but we 1528*f5b1c8a1SJohn Marino * probably shouldn't rely that it couldn't be set on 1529*f5b1c8a1SJohn Marino * the initial renegotation too in certain cases (when 1530*f5b1c8a1SJohn Marino * there's some other reason to disallow resuming an 1531*f5b1c8a1SJohn Marino * earlier session -- the current code won't be doing 1532*f5b1c8a1SJohn Marino * anything like that, but this might change). 1533*f5b1c8a1SJohn Marino 1534*f5b1c8a1SJohn Marino * A valid sign that there's been a previous handshake 1535*f5b1c8a1SJohn Marino * in this connection is if s->s3->tmp.finish_md_len > 1536*f5b1c8a1SJohn Marino * 0. (We are talking about a check that will happen 1537*f5b1c8a1SJohn Marino * in the Hello protocol round, well before a new 1538*f5b1c8a1SJohn Marino * Finished message could have been computed.) */ 1539*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 1; 1540*f5b1c8a1SJohn Marino } 1541*f5b1c8a1SJohn Marino else if (type == 1542*f5b1c8a1SJohn Marino TLSEXT_TYPE_application_layer_protocol_negotiation && 1543*f5b1c8a1SJohn Marino s->ctx->alpn_select_cb != NULL && 1544*f5b1c8a1SJohn Marino s->s3->tmp.finish_md_len == 0) { 1545*f5b1c8a1SJohn Marino if (tls1_alpn_handle_client_hello(s, data, 1546*f5b1c8a1SJohn Marino size, al) != 1) 1547*f5b1c8a1SJohn Marino return (0); 1548*f5b1c8a1SJohn Marino /* ALPN takes precedence over NPN. */ 1549*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 0; 1550*f5b1c8a1SJohn Marino } 1551*f5b1c8a1SJohn Marino 1552*f5b1c8a1SJohn Marino /* session ticket processed earlier */ 1553*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP 1554*f5b1c8a1SJohn Marino else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1555*f5b1c8a1SJohn Marino if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1556*f5b1c8a1SJohn Marino return 0; 1557*f5b1c8a1SJohn Marino } 1558*f5b1c8a1SJohn Marino #endif 1559*f5b1c8a1SJohn Marino 1560*f5b1c8a1SJohn Marino data += size; 1561*f5b1c8a1SJohn Marino } 1562*f5b1c8a1SJohn Marino 1563*f5b1c8a1SJohn Marino *p = data; 1564*f5b1c8a1SJohn Marino 1565*f5b1c8a1SJohn Marino ri_check: 1566*f5b1c8a1SJohn Marino 1567*f5b1c8a1SJohn Marino /* Need RI if renegotiating */ 1568*f5b1c8a1SJohn Marino 1569*f5b1c8a1SJohn Marino if (!renegotiate_seen && s->renegotiate) { 1570*f5b1c8a1SJohn Marino *al = SSL_AD_HANDSHAKE_FAILURE; 1571*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1572*f5b1c8a1SJohn Marino SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1573*f5b1c8a1SJohn Marino return 0; 1574*f5b1c8a1SJohn Marino } 1575*f5b1c8a1SJohn Marino 1576*f5b1c8a1SJohn Marino return 1; 1577*f5b1c8a1SJohn Marino } 1578*f5b1c8a1SJohn Marino 1579*f5b1c8a1SJohn Marino /* 1580*f5b1c8a1SJohn Marino * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1581*f5b1c8a1SJohn Marino * elements of zero length are allowed and the set of elements must exactly fill 1582*f5b1c8a1SJohn Marino * the length of the block. 1583*f5b1c8a1SJohn Marino */ 1584*f5b1c8a1SJohn Marino static char 1585*f5b1c8a1SJohn Marino ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1586*f5b1c8a1SJohn Marino { 1587*f5b1c8a1SJohn Marino CBS npn, value; 1588*f5b1c8a1SJohn Marino 1589*f5b1c8a1SJohn Marino CBS_init(&npn, d, len); 1590*f5b1c8a1SJohn Marino while (CBS_len(&npn) > 0) { 1591*f5b1c8a1SJohn Marino if (!CBS_get_u8_length_prefixed(&npn, &value) || 1592*f5b1c8a1SJohn Marino CBS_len(&value) == 0) 1593*f5b1c8a1SJohn Marino return 0; 1594*f5b1c8a1SJohn Marino } 1595*f5b1c8a1SJohn Marino return 1; 1596*f5b1c8a1SJohn Marino } 1597*f5b1c8a1SJohn Marino 1598*f5b1c8a1SJohn Marino int 1599*f5b1c8a1SJohn Marino ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1600*f5b1c8a1SJohn Marino int n, int *al) 1601*f5b1c8a1SJohn Marino { 1602*f5b1c8a1SJohn Marino unsigned short length; 1603*f5b1c8a1SJohn Marino unsigned short type; 1604*f5b1c8a1SJohn Marino unsigned short size; 1605*f5b1c8a1SJohn Marino unsigned char *data = *p; 1606*f5b1c8a1SJohn Marino int tlsext_servername = 0; 1607*f5b1c8a1SJohn Marino int renegotiate_seen = 0; 1608*f5b1c8a1SJohn Marino 1609*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 0; 1610*f5b1c8a1SJohn Marino free(s->s3->alpn_selected); 1611*f5b1c8a1SJohn Marino s->s3->alpn_selected = NULL; 1612*f5b1c8a1SJohn Marino 1613*f5b1c8a1SJohn Marino if (data >= (d + n - 2)) 1614*f5b1c8a1SJohn Marino goto ri_check; 1615*f5b1c8a1SJohn Marino 1616*f5b1c8a1SJohn Marino n2s(data, length); 1617*f5b1c8a1SJohn Marino if (data + length != d + n) { 1618*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1619*f5b1c8a1SJohn Marino return 0; 1620*f5b1c8a1SJohn Marino } 1621*f5b1c8a1SJohn Marino 1622*f5b1c8a1SJohn Marino while (data <= (d + n - 4)) { 1623*f5b1c8a1SJohn Marino n2s(data, type); 1624*f5b1c8a1SJohn Marino n2s(data, size); 1625*f5b1c8a1SJohn Marino 1626*f5b1c8a1SJohn Marino if (data + size > (d + n)) 1627*f5b1c8a1SJohn Marino goto ri_check; 1628*f5b1c8a1SJohn Marino 1629*f5b1c8a1SJohn Marino if (s->tlsext_debug_cb) 1630*f5b1c8a1SJohn Marino s->tlsext_debug_cb(s, 1, type, data, size, 1631*f5b1c8a1SJohn Marino s->tlsext_debug_arg); 1632*f5b1c8a1SJohn Marino 1633*f5b1c8a1SJohn Marino if (type == TLSEXT_TYPE_server_name) { 1634*f5b1c8a1SJohn Marino if (s->tlsext_hostname == NULL || size > 0) { 1635*f5b1c8a1SJohn Marino *al = TLS1_AD_UNRECOGNIZED_NAME; 1636*f5b1c8a1SJohn Marino return 0; 1637*f5b1c8a1SJohn Marino } 1638*f5b1c8a1SJohn Marino tlsext_servername = 1; 1639*f5b1c8a1SJohn Marino 1640*f5b1c8a1SJohn Marino } 1641*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_ec_point_formats && 1642*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 1643*f5b1c8a1SJohn Marino unsigned char *sdata = data; 1644*f5b1c8a1SJohn Marino size_t formatslen; 1645*f5b1c8a1SJohn Marino uint8_t *formats; 1646*f5b1c8a1SJohn Marino 1647*f5b1c8a1SJohn Marino if (size < 1) { 1648*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1649*f5b1c8a1SJohn Marino return 0; 1650*f5b1c8a1SJohn Marino } 1651*f5b1c8a1SJohn Marino formatslen = *(sdata++); 1652*f5b1c8a1SJohn Marino if (formatslen != size - 1) { 1653*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1654*f5b1c8a1SJohn Marino return 0; 1655*f5b1c8a1SJohn Marino } 1656*f5b1c8a1SJohn Marino 1657*f5b1c8a1SJohn Marino if (!s->hit) { 1658*f5b1c8a1SJohn Marino free(s->session->tlsext_ecpointformatlist); 1659*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist = NULL; 1660*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist_length = 0; 1661*f5b1c8a1SJohn Marino 1662*f5b1c8a1SJohn Marino if ((formats = reallocarray(NULL, formatslen, 1663*f5b1c8a1SJohn Marino sizeof(uint8_t))) == NULL) { 1664*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1665*f5b1c8a1SJohn Marino return 0; 1666*f5b1c8a1SJohn Marino } 1667*f5b1c8a1SJohn Marino memcpy(formats, sdata, formatslen); 1668*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist = formats; 1669*f5b1c8a1SJohn Marino s->session->tlsext_ecpointformatlist_length = 1670*f5b1c8a1SJohn Marino formatslen; 1671*f5b1c8a1SJohn Marino } 1672*f5b1c8a1SJohn Marino } 1673*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_session_ticket) { 1674*f5b1c8a1SJohn Marino if (s->tls_session_ticket_ext_cb && 1675*f5b1c8a1SJohn Marino !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1676*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1677*f5b1c8a1SJohn Marino return 0; 1678*f5b1c8a1SJohn Marino } 1679*f5b1c8a1SJohn Marino if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1680*f5b1c8a1SJohn Marino *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1681*f5b1c8a1SJohn Marino return 0; 1682*f5b1c8a1SJohn Marino } 1683*f5b1c8a1SJohn Marino s->tlsext_ticket_expected = 1; 1684*f5b1c8a1SJohn Marino } 1685*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_status_request && 1686*f5b1c8a1SJohn Marino s->version != DTLS1_VERSION) { 1687*f5b1c8a1SJohn Marino /* MUST be empty and only sent if we've requested 1688*f5b1c8a1SJohn Marino * a status request message. 1689*f5b1c8a1SJohn Marino */ 1690*f5b1c8a1SJohn Marino if ((s->tlsext_status_type == -1) || (size > 0)) { 1691*f5b1c8a1SJohn Marino *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1692*f5b1c8a1SJohn Marino return 0; 1693*f5b1c8a1SJohn Marino } 1694*f5b1c8a1SJohn Marino /* Set flag to expect CertificateStatus message */ 1695*f5b1c8a1SJohn Marino s->tlsext_status_expected = 1; 1696*f5b1c8a1SJohn Marino } 1697*f5b1c8a1SJohn Marino else if (type == TLSEXT_TYPE_next_proto_neg && 1698*f5b1c8a1SJohn Marino s->s3->tmp.finish_md_len == 0) { 1699*f5b1c8a1SJohn Marino unsigned char *selected; 1700*f5b1c8a1SJohn Marino unsigned char selected_len; 1701*f5b1c8a1SJohn Marino 1702*f5b1c8a1SJohn Marino /* We must have requested it. */ 1703*f5b1c8a1SJohn Marino if (s->ctx->next_proto_select_cb == NULL) { 1704*f5b1c8a1SJohn Marino *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1705*f5b1c8a1SJohn Marino return 0; 1706*f5b1c8a1SJohn Marino } 1707*f5b1c8a1SJohn Marino /* The data must be valid */ 1708*f5b1c8a1SJohn Marino if (!ssl_next_proto_validate(data, size)) { 1709*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1710*f5b1c8a1SJohn Marino return 0; 1711*f5b1c8a1SJohn Marino } 1712*f5b1c8a1SJohn Marino if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1713*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1714*f5b1c8a1SJohn Marino return 0; 1715*f5b1c8a1SJohn Marino } 1716*f5b1c8a1SJohn Marino s->next_proto_negotiated = malloc(selected_len); 1717*f5b1c8a1SJohn Marino if (!s->next_proto_negotiated) { 1718*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1719*f5b1c8a1SJohn Marino return 0; 1720*f5b1c8a1SJohn Marino } 1721*f5b1c8a1SJohn Marino memcpy(s->next_proto_negotiated, selected, selected_len); 1722*f5b1c8a1SJohn Marino s->next_proto_negotiated_len = selected_len; 1723*f5b1c8a1SJohn Marino s->s3->next_proto_neg_seen = 1; 1724*f5b1c8a1SJohn Marino } 1725*f5b1c8a1SJohn Marino else if (type == 1726*f5b1c8a1SJohn Marino TLSEXT_TYPE_application_layer_protocol_negotiation) { 1727*f5b1c8a1SJohn Marino unsigned int len; 1728*f5b1c8a1SJohn Marino 1729*f5b1c8a1SJohn Marino /* We must have requested it. */ 1730*f5b1c8a1SJohn Marino if (s->alpn_client_proto_list == NULL) { 1731*f5b1c8a1SJohn Marino *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1732*f5b1c8a1SJohn Marino return 0; 1733*f5b1c8a1SJohn Marino } 1734*f5b1c8a1SJohn Marino if (size < 4) { 1735*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1736*f5b1c8a1SJohn Marino return (0); 1737*f5b1c8a1SJohn Marino } 1738*f5b1c8a1SJohn Marino 1739*f5b1c8a1SJohn Marino /* The extension data consists of: 1740*f5b1c8a1SJohn Marino * uint16 list_length 1741*f5b1c8a1SJohn Marino * uint8 proto_length; 1742*f5b1c8a1SJohn Marino * uint8 proto[proto_length]; */ 1743*f5b1c8a1SJohn Marino len = ((unsigned int)data[0]) << 8 | 1744*f5b1c8a1SJohn Marino ((unsigned int)data[1]); 1745*f5b1c8a1SJohn Marino if (len != (unsigned int)size - 2) { 1746*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1747*f5b1c8a1SJohn Marino return (0); 1748*f5b1c8a1SJohn Marino } 1749*f5b1c8a1SJohn Marino len = data[2]; 1750*f5b1c8a1SJohn Marino if (len != (unsigned int)size - 3) { 1751*f5b1c8a1SJohn Marino *al = TLS1_AD_DECODE_ERROR; 1752*f5b1c8a1SJohn Marino return (0); 1753*f5b1c8a1SJohn Marino } 1754*f5b1c8a1SJohn Marino free(s->s3->alpn_selected); 1755*f5b1c8a1SJohn Marino s->s3->alpn_selected = malloc(len); 1756*f5b1c8a1SJohn Marino if (s->s3->alpn_selected == NULL) { 1757*f5b1c8a1SJohn Marino *al = TLS1_AD_INTERNAL_ERROR; 1758*f5b1c8a1SJohn Marino return (0); 1759*f5b1c8a1SJohn Marino } 1760*f5b1c8a1SJohn Marino memcpy(s->s3->alpn_selected, data + 3, len); 1761*f5b1c8a1SJohn Marino s->s3->alpn_selected_len = len; 1762*f5b1c8a1SJohn Marino 1763*f5b1c8a1SJohn Marino } else if (type == TLSEXT_TYPE_renegotiate) { 1764*f5b1c8a1SJohn Marino if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1765*f5b1c8a1SJohn Marino return 0; 1766*f5b1c8a1SJohn Marino renegotiate_seen = 1; 1767*f5b1c8a1SJohn Marino } 1768*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP 1769*f5b1c8a1SJohn Marino else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1770*f5b1c8a1SJohn Marino if (ssl_parse_serverhello_use_srtp_ext(s, data, 1771*f5b1c8a1SJohn Marino size, al)) 1772*f5b1c8a1SJohn Marino return 0; 1773*f5b1c8a1SJohn Marino } 1774*f5b1c8a1SJohn Marino #endif 1775*f5b1c8a1SJohn Marino 1776*f5b1c8a1SJohn Marino data += size; 1777*f5b1c8a1SJohn Marino 1778*f5b1c8a1SJohn Marino } 1779*f5b1c8a1SJohn Marino 1780*f5b1c8a1SJohn Marino if (data != d + n) { 1781*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1782*f5b1c8a1SJohn Marino return 0; 1783*f5b1c8a1SJohn Marino } 1784*f5b1c8a1SJohn Marino 1785*f5b1c8a1SJohn Marino if (!s->hit && tlsext_servername == 1) { 1786*f5b1c8a1SJohn Marino if (s->tlsext_hostname) { 1787*f5b1c8a1SJohn Marino if (s->session->tlsext_hostname == NULL) { 1788*f5b1c8a1SJohn Marino s->session->tlsext_hostname = 1789*f5b1c8a1SJohn Marino strdup(s->tlsext_hostname); 1790*f5b1c8a1SJohn Marino 1791*f5b1c8a1SJohn Marino if (!s->session->tlsext_hostname) { 1792*f5b1c8a1SJohn Marino *al = SSL_AD_UNRECOGNIZED_NAME; 1793*f5b1c8a1SJohn Marino return 0; 1794*f5b1c8a1SJohn Marino } 1795*f5b1c8a1SJohn Marino } else { 1796*f5b1c8a1SJohn Marino *al = SSL_AD_DECODE_ERROR; 1797*f5b1c8a1SJohn Marino return 0; 1798*f5b1c8a1SJohn Marino } 1799*f5b1c8a1SJohn Marino } 1800*f5b1c8a1SJohn Marino } 1801*f5b1c8a1SJohn Marino 1802*f5b1c8a1SJohn Marino *p = data; 1803*f5b1c8a1SJohn Marino 1804*f5b1c8a1SJohn Marino ri_check: 1805*f5b1c8a1SJohn Marino 1806*f5b1c8a1SJohn Marino /* Determine if we need to see RI. Strictly speaking if we want to 1807*f5b1c8a1SJohn Marino * avoid an attack we should *always* see RI even on initial server 1808*f5b1c8a1SJohn Marino * hello because the client doesn't see any renegotiation during an 1809*f5b1c8a1SJohn Marino * attack. However this would mean we could not connect to any server 1810*f5b1c8a1SJohn Marino * which doesn't support RI so for the immediate future tolerate RI 1811*f5b1c8a1SJohn Marino * absence on initial connect only. 1812*f5b1c8a1SJohn Marino */ 1813*f5b1c8a1SJohn Marino if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1814*f5b1c8a1SJohn Marino *al = SSL_AD_HANDSHAKE_FAILURE; 1815*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1816*f5b1c8a1SJohn Marino SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1817*f5b1c8a1SJohn Marino return 0; 1818*f5b1c8a1SJohn Marino } 1819*f5b1c8a1SJohn Marino 1820*f5b1c8a1SJohn Marino return 1; 1821*f5b1c8a1SJohn Marino } 1822*f5b1c8a1SJohn Marino 1823*f5b1c8a1SJohn Marino int 1824*f5b1c8a1SJohn Marino ssl_check_clienthello_tlsext_early(SSL *s) 1825*f5b1c8a1SJohn Marino { 1826*f5b1c8a1SJohn Marino int ret = SSL_TLSEXT_ERR_NOACK; 1827*f5b1c8a1SJohn Marino int al = SSL_AD_UNRECOGNIZED_NAME; 1828*f5b1c8a1SJohn Marino 1829*f5b1c8a1SJohn Marino /* The handling of the ECPointFormats extension is done elsewhere, namely in 1830*f5b1c8a1SJohn Marino * ssl3_choose_cipher in s3_lib.c. 1831*f5b1c8a1SJohn Marino */ 1832*f5b1c8a1SJohn Marino /* The handling of the EllipticCurves extension is done elsewhere, namely in 1833*f5b1c8a1SJohn Marino * ssl3_choose_cipher in s3_lib.c. 1834*f5b1c8a1SJohn Marino */ 1835*f5b1c8a1SJohn Marino 1836*f5b1c8a1SJohn Marino if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1837*f5b1c8a1SJohn Marino ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1838*f5b1c8a1SJohn Marino else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1839*f5b1c8a1SJohn Marino ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1840*f5b1c8a1SJohn Marino 1841*f5b1c8a1SJohn Marino switch (ret) { 1842*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_FATAL: 1843*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_FATAL, al); 1844*f5b1c8a1SJohn Marino return -1; 1845*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_WARNING: 1846*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_WARNING, al); 1847*f5b1c8a1SJohn Marino return 1; 1848*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_NOACK: 1849*f5b1c8a1SJohn Marino s->servername_done = 0; 1850*f5b1c8a1SJohn Marino default: 1851*f5b1c8a1SJohn Marino return 1; 1852*f5b1c8a1SJohn Marino } 1853*f5b1c8a1SJohn Marino } 1854*f5b1c8a1SJohn Marino 1855*f5b1c8a1SJohn Marino int 1856*f5b1c8a1SJohn Marino ssl_check_clienthello_tlsext_late(SSL *s) 1857*f5b1c8a1SJohn Marino { 1858*f5b1c8a1SJohn Marino int ret = SSL_TLSEXT_ERR_OK; 1859*f5b1c8a1SJohn Marino int al = 0; /* XXX gcc3 */ 1860*f5b1c8a1SJohn Marino 1861*f5b1c8a1SJohn Marino /* If status request then ask callback what to do. 1862*f5b1c8a1SJohn Marino * Note: this must be called after servername callbacks in case 1863*f5b1c8a1SJohn Marino * the certificate has changed, and must be called after the cipher 1864*f5b1c8a1SJohn Marino * has been chosen because this may influence which certificate is sent 1865*f5b1c8a1SJohn Marino */ 1866*f5b1c8a1SJohn Marino if ((s->tlsext_status_type != -1) && 1867*f5b1c8a1SJohn Marino s->ctx && s->ctx->tlsext_status_cb) { 1868*f5b1c8a1SJohn Marino int r; 1869*f5b1c8a1SJohn Marino CERT_PKEY *certpkey; 1870*f5b1c8a1SJohn Marino certpkey = ssl_get_server_send_pkey(s); 1871*f5b1c8a1SJohn Marino /* If no certificate can't return certificate status */ 1872*f5b1c8a1SJohn Marino if (certpkey == NULL) { 1873*f5b1c8a1SJohn Marino s->tlsext_status_expected = 0; 1874*f5b1c8a1SJohn Marino return 1; 1875*f5b1c8a1SJohn Marino } 1876*f5b1c8a1SJohn Marino /* Set current certificate to one we will use so 1877*f5b1c8a1SJohn Marino * SSL_get_certificate et al can pick it up. 1878*f5b1c8a1SJohn Marino */ 1879*f5b1c8a1SJohn Marino s->cert->key = certpkey; 1880*f5b1c8a1SJohn Marino r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1881*f5b1c8a1SJohn Marino switch (r) { 1882*f5b1c8a1SJohn Marino /* We don't want to send a status request response */ 1883*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_NOACK: 1884*f5b1c8a1SJohn Marino s->tlsext_status_expected = 0; 1885*f5b1c8a1SJohn Marino break; 1886*f5b1c8a1SJohn Marino /* status request response should be sent */ 1887*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_OK: 1888*f5b1c8a1SJohn Marino if (s->tlsext_ocsp_resp) 1889*f5b1c8a1SJohn Marino s->tlsext_status_expected = 1; 1890*f5b1c8a1SJohn Marino else 1891*f5b1c8a1SJohn Marino s->tlsext_status_expected = 0; 1892*f5b1c8a1SJohn Marino break; 1893*f5b1c8a1SJohn Marino /* something bad happened */ 1894*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_FATAL: 1895*f5b1c8a1SJohn Marino ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1896*f5b1c8a1SJohn Marino al = SSL_AD_INTERNAL_ERROR; 1897*f5b1c8a1SJohn Marino goto err; 1898*f5b1c8a1SJohn Marino } 1899*f5b1c8a1SJohn Marino } else 1900*f5b1c8a1SJohn Marino s->tlsext_status_expected = 0; 1901*f5b1c8a1SJohn Marino 1902*f5b1c8a1SJohn Marino err: 1903*f5b1c8a1SJohn Marino switch (ret) { 1904*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_FATAL: 1905*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_FATAL, al); 1906*f5b1c8a1SJohn Marino return -1; 1907*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_WARNING: 1908*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_WARNING, al); 1909*f5b1c8a1SJohn Marino return 1; 1910*f5b1c8a1SJohn Marino default: 1911*f5b1c8a1SJohn Marino return 1; 1912*f5b1c8a1SJohn Marino } 1913*f5b1c8a1SJohn Marino } 1914*f5b1c8a1SJohn Marino 1915*f5b1c8a1SJohn Marino int 1916*f5b1c8a1SJohn Marino ssl_check_serverhello_tlsext(SSL *s) 1917*f5b1c8a1SJohn Marino { 1918*f5b1c8a1SJohn Marino int ret = SSL_TLSEXT_ERR_NOACK; 1919*f5b1c8a1SJohn Marino int al = SSL_AD_UNRECOGNIZED_NAME; 1920*f5b1c8a1SJohn Marino 1921*f5b1c8a1SJohn Marino /* If we are client and using an elliptic curve cryptography cipher 1922*f5b1c8a1SJohn Marino * suite, then if server returns an EC point formats lists extension 1923*f5b1c8a1SJohn Marino * it must contain uncompressed. 1924*f5b1c8a1SJohn Marino */ 1925*f5b1c8a1SJohn Marino unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1926*f5b1c8a1SJohn Marino unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1927*f5b1c8a1SJohn Marino if ((s->tlsext_ecpointformatlist != NULL) && 1928*f5b1c8a1SJohn Marino (s->tlsext_ecpointformatlist_length > 0) && 1929*f5b1c8a1SJohn Marino (s->session->tlsext_ecpointformatlist != NULL) && 1930*f5b1c8a1SJohn Marino (s->session->tlsext_ecpointformatlist_length > 0) && 1931*f5b1c8a1SJohn Marino ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1932*f5b1c8a1SJohn Marino /* we are using an ECC cipher */ 1933*f5b1c8a1SJohn Marino size_t i; 1934*f5b1c8a1SJohn Marino unsigned char *list; 1935*f5b1c8a1SJohn Marino int found_uncompressed = 0; 1936*f5b1c8a1SJohn Marino list = s->session->tlsext_ecpointformatlist; 1937*f5b1c8a1SJohn Marino for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1938*f5b1c8a1SJohn Marino if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1939*f5b1c8a1SJohn Marino found_uncompressed = 1; 1940*f5b1c8a1SJohn Marino break; 1941*f5b1c8a1SJohn Marino } 1942*f5b1c8a1SJohn Marino } 1943*f5b1c8a1SJohn Marino if (!found_uncompressed) { 1944*f5b1c8a1SJohn Marino SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1945*f5b1c8a1SJohn Marino return -1; 1946*f5b1c8a1SJohn Marino } 1947*f5b1c8a1SJohn Marino } 1948*f5b1c8a1SJohn Marino ret = SSL_TLSEXT_ERR_OK; 1949*f5b1c8a1SJohn Marino 1950*f5b1c8a1SJohn Marino if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1951*f5b1c8a1SJohn Marino ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1952*f5b1c8a1SJohn Marino else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1953*f5b1c8a1SJohn Marino ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1954*f5b1c8a1SJohn Marino 1955*f5b1c8a1SJohn Marino /* If we've requested certificate status and we wont get one 1956*f5b1c8a1SJohn Marino * tell the callback 1957*f5b1c8a1SJohn Marino */ 1958*f5b1c8a1SJohn Marino if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1959*f5b1c8a1SJohn Marino s->ctx && s->ctx->tlsext_status_cb) { 1960*f5b1c8a1SJohn Marino int r; 1961*f5b1c8a1SJohn Marino /* Set resp to NULL, resplen to -1 so callback knows 1962*f5b1c8a1SJohn Marino * there is no response. 1963*f5b1c8a1SJohn Marino */ 1964*f5b1c8a1SJohn Marino free(s->tlsext_ocsp_resp); 1965*f5b1c8a1SJohn Marino s->tlsext_ocsp_resp = NULL; 1966*f5b1c8a1SJohn Marino s->tlsext_ocsp_resplen = -1; 1967*f5b1c8a1SJohn Marino r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1968*f5b1c8a1SJohn Marino if (r == 0) { 1969*f5b1c8a1SJohn Marino al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1970*f5b1c8a1SJohn Marino ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1971*f5b1c8a1SJohn Marino } 1972*f5b1c8a1SJohn Marino if (r < 0) { 1973*f5b1c8a1SJohn Marino al = SSL_AD_INTERNAL_ERROR; 1974*f5b1c8a1SJohn Marino ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1975*f5b1c8a1SJohn Marino } 1976*f5b1c8a1SJohn Marino } 1977*f5b1c8a1SJohn Marino 1978*f5b1c8a1SJohn Marino switch (ret) { 1979*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_FATAL: 1980*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_FATAL, al); 1981*f5b1c8a1SJohn Marino 1982*f5b1c8a1SJohn Marino return -1; 1983*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_ALERT_WARNING: 1984*f5b1c8a1SJohn Marino ssl3_send_alert(s, SSL3_AL_WARNING, al); 1985*f5b1c8a1SJohn Marino 1986*f5b1c8a1SJohn Marino return 1; 1987*f5b1c8a1SJohn Marino case SSL_TLSEXT_ERR_NOACK: 1988*f5b1c8a1SJohn Marino s->servername_done = 0; 1989*f5b1c8a1SJohn Marino default: 1990*f5b1c8a1SJohn Marino return 1; 1991*f5b1c8a1SJohn Marino } 1992*f5b1c8a1SJohn Marino } 1993*f5b1c8a1SJohn Marino 1994*f5b1c8a1SJohn Marino /* Since the server cache lookup is done early on in the processing of the 1995*f5b1c8a1SJohn Marino * ClientHello, and other operations depend on the result, we need to handle 1996*f5b1c8a1SJohn Marino * any TLS session ticket extension at the same time. 1997*f5b1c8a1SJohn Marino * 1998*f5b1c8a1SJohn Marino * session_id: points at the session ID in the ClientHello. This code will 1999*f5b1c8a1SJohn Marino * read past the end of this in order to parse out the session ticket 2000*f5b1c8a1SJohn Marino * extension, if any. 2001*f5b1c8a1SJohn Marino * len: the length of the session ID. 2002*f5b1c8a1SJohn Marino * limit: a pointer to the first byte after the ClientHello. 2003*f5b1c8a1SJohn Marino * ret: (output) on return, if a ticket was decrypted, then this is set to 2004*f5b1c8a1SJohn Marino * point to the resulting session. 2005*f5b1c8a1SJohn Marino * 2006*f5b1c8a1SJohn Marino * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2007*f5b1c8a1SJohn Marino * ciphersuite, in which case we have no use for session tickets and one will 2008*f5b1c8a1SJohn Marino * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2009*f5b1c8a1SJohn Marino * 2010*f5b1c8a1SJohn Marino * Returns: 2011*f5b1c8a1SJohn Marino * -1: fatal error, either from parsing or decrypting the ticket. 2012*f5b1c8a1SJohn Marino * 0: no ticket was found (or was ignored, based on settings). 2013*f5b1c8a1SJohn Marino * 1: a zero length extension was found, indicating that the client supports 2014*f5b1c8a1SJohn Marino * session tickets but doesn't currently have one to offer. 2015*f5b1c8a1SJohn Marino * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2016*f5b1c8a1SJohn Marino * couldn't be decrypted because of a non-fatal error. 2017*f5b1c8a1SJohn Marino * 3: a ticket was successfully decrypted and *ret was set. 2018*f5b1c8a1SJohn Marino * 2019*f5b1c8a1SJohn Marino * Side effects: 2020*f5b1c8a1SJohn Marino * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2021*f5b1c8a1SJohn Marino * a new session ticket to the client because the client indicated support 2022*f5b1c8a1SJohn Marino * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2023*f5b1c8a1SJohn Marino * a session ticket or we couldn't use the one it gave us, or if 2024*f5b1c8a1SJohn Marino * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2025*f5b1c8a1SJohn Marino * Otherwise, s->tlsext_ticket_expected is set to 0. 2026*f5b1c8a1SJohn Marino */ 2027*f5b1c8a1SJohn Marino int 2028*f5b1c8a1SJohn Marino tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2029*f5b1c8a1SJohn Marino const unsigned char *limit, SSL_SESSION **ret) 2030*f5b1c8a1SJohn Marino { 2031*f5b1c8a1SJohn Marino /* Point after session ID in client hello */ 2032*f5b1c8a1SJohn Marino CBS session_id, cookie, cipher_list, compress_algo, extensions; 2033*f5b1c8a1SJohn Marino 2034*f5b1c8a1SJohn Marino *ret = NULL; 2035*f5b1c8a1SJohn Marino s->tlsext_ticket_expected = 0; 2036*f5b1c8a1SJohn Marino 2037*f5b1c8a1SJohn Marino /* If tickets disabled behave as if no ticket present 2038*f5b1c8a1SJohn Marino * to permit stateful resumption. 2039*f5b1c8a1SJohn Marino */ 2040*f5b1c8a1SJohn Marino if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2041*f5b1c8a1SJohn Marino return 0; 2042*f5b1c8a1SJohn Marino if (!limit) 2043*f5b1c8a1SJohn Marino return 0; 2044*f5b1c8a1SJohn Marino 2045*f5b1c8a1SJohn Marino if (limit < session) 2046*f5b1c8a1SJohn Marino return -1; 2047*f5b1c8a1SJohn Marino 2048*f5b1c8a1SJohn Marino CBS_init(&session_id, session, limit - session); 2049*f5b1c8a1SJohn Marino 2050*f5b1c8a1SJohn Marino /* Skip past the session id */ 2051*f5b1c8a1SJohn Marino if (!CBS_skip(&session_id, session_len)) 2052*f5b1c8a1SJohn Marino return -1; 2053*f5b1c8a1SJohn Marino 2054*f5b1c8a1SJohn Marino /* Skip past DTLS cookie */ 2055*f5b1c8a1SJohn Marino if (SSL_IS_DTLS(s)) { 2056*f5b1c8a1SJohn Marino if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2057*f5b1c8a1SJohn Marino return -1; 2058*f5b1c8a1SJohn Marino } 2059*f5b1c8a1SJohn Marino 2060*f5b1c8a1SJohn Marino /* Skip past cipher list */ 2061*f5b1c8a1SJohn Marino if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2062*f5b1c8a1SJohn Marino return -1; 2063*f5b1c8a1SJohn Marino 2064*f5b1c8a1SJohn Marino /* Skip past compression algorithm list */ 2065*f5b1c8a1SJohn Marino if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2066*f5b1c8a1SJohn Marino return -1; 2067*f5b1c8a1SJohn Marino 2068*f5b1c8a1SJohn Marino /* Now at start of extensions */ 2069*f5b1c8a1SJohn Marino if (CBS_len(&session_id) == 0) 2070*f5b1c8a1SJohn Marino return 0; 2071*f5b1c8a1SJohn Marino if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2072*f5b1c8a1SJohn Marino return -1; 2073*f5b1c8a1SJohn Marino 2074*f5b1c8a1SJohn Marino while (CBS_len(&extensions) > 0) { 2075*f5b1c8a1SJohn Marino CBS ext_data; 2076*f5b1c8a1SJohn Marino uint16_t ext_type; 2077*f5b1c8a1SJohn Marino 2078*f5b1c8a1SJohn Marino if (!CBS_get_u16(&extensions, &ext_type) || 2079*f5b1c8a1SJohn Marino !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2080*f5b1c8a1SJohn Marino return -1; 2081*f5b1c8a1SJohn Marino 2082*f5b1c8a1SJohn Marino if (ext_type == TLSEXT_TYPE_session_ticket) { 2083*f5b1c8a1SJohn Marino int r; 2084*f5b1c8a1SJohn Marino if (CBS_len(&ext_data) == 0) { 2085*f5b1c8a1SJohn Marino /* The client will accept a ticket but doesn't 2086*f5b1c8a1SJohn Marino * currently have one. */ 2087*f5b1c8a1SJohn Marino s->tlsext_ticket_expected = 1; 2088*f5b1c8a1SJohn Marino return 1; 2089*f5b1c8a1SJohn Marino } 2090*f5b1c8a1SJohn Marino if (s->tls_session_secret_cb) { 2091*f5b1c8a1SJohn Marino /* Indicate that the ticket couldn't be 2092*f5b1c8a1SJohn Marino * decrypted rather than generating the session 2093*f5b1c8a1SJohn Marino * from ticket now, trigger abbreviated 2094*f5b1c8a1SJohn Marino * handshake based on external mechanism to 2095*f5b1c8a1SJohn Marino * calculate the master secret later. */ 2096*f5b1c8a1SJohn Marino return 2; 2097*f5b1c8a1SJohn Marino } 2098*f5b1c8a1SJohn Marino 2099*f5b1c8a1SJohn Marino r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2100*f5b1c8a1SJohn Marino CBS_len(&ext_data), session, session_len, ret); 2101*f5b1c8a1SJohn Marino 2102*f5b1c8a1SJohn Marino switch (r) { 2103*f5b1c8a1SJohn Marino case 2: /* ticket couldn't be decrypted */ 2104*f5b1c8a1SJohn Marino s->tlsext_ticket_expected = 1; 2105*f5b1c8a1SJohn Marino return 2; 2106*f5b1c8a1SJohn Marino case 3: /* ticket was decrypted */ 2107*f5b1c8a1SJohn Marino return r; 2108*f5b1c8a1SJohn Marino case 4: /* ticket decrypted but need to renew */ 2109*f5b1c8a1SJohn Marino s->tlsext_ticket_expected = 1; 2110*f5b1c8a1SJohn Marino return 3; 2111*f5b1c8a1SJohn Marino default: /* fatal error */ 2112*f5b1c8a1SJohn Marino return -1; 2113*f5b1c8a1SJohn Marino } 2114*f5b1c8a1SJohn Marino } 2115*f5b1c8a1SJohn Marino } 2116*f5b1c8a1SJohn Marino return 0; 2117*f5b1c8a1SJohn Marino } 2118*f5b1c8a1SJohn Marino 2119*f5b1c8a1SJohn Marino /* tls_decrypt_ticket attempts to decrypt a session ticket. 2120*f5b1c8a1SJohn Marino * 2121*f5b1c8a1SJohn Marino * etick: points to the body of the session ticket extension. 2122*f5b1c8a1SJohn Marino * eticklen: the length of the session tickets extenion. 2123*f5b1c8a1SJohn Marino * sess_id: points at the session ID. 2124*f5b1c8a1SJohn Marino * sesslen: the length of the session ID. 2125*f5b1c8a1SJohn Marino * psess: (output) on return, if a ticket was decrypted, then this is set to 2126*f5b1c8a1SJohn Marino * point to the resulting session. 2127*f5b1c8a1SJohn Marino * 2128*f5b1c8a1SJohn Marino * Returns: 2129*f5b1c8a1SJohn Marino * -1: fatal error, either from parsing or decrypting the ticket. 2130*f5b1c8a1SJohn Marino * 2: the ticket couldn't be decrypted. 2131*f5b1c8a1SJohn Marino * 3: a ticket was successfully decrypted and *psess was set. 2132*f5b1c8a1SJohn Marino * 4: same as 3, but the ticket needs to be renewed. 2133*f5b1c8a1SJohn Marino */ 2134*f5b1c8a1SJohn Marino static int 2135*f5b1c8a1SJohn Marino tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2136*f5b1c8a1SJohn Marino const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2137*f5b1c8a1SJohn Marino { 2138*f5b1c8a1SJohn Marino SSL_SESSION *sess; 2139*f5b1c8a1SJohn Marino unsigned char *sdec; 2140*f5b1c8a1SJohn Marino const unsigned char *p; 2141*f5b1c8a1SJohn Marino int slen, mlen, renew_ticket = 0; 2142*f5b1c8a1SJohn Marino unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2143*f5b1c8a1SJohn Marino HMAC_CTX hctx; 2144*f5b1c8a1SJohn Marino EVP_CIPHER_CTX ctx; 2145*f5b1c8a1SJohn Marino SSL_CTX *tctx = s->initial_ctx; 2146*f5b1c8a1SJohn Marino /* Need at least keyname + iv + some encrypted data */ 2147*f5b1c8a1SJohn Marino if (eticklen < 48) 2148*f5b1c8a1SJohn Marino return 2; 2149*f5b1c8a1SJohn Marino /* Initialize session ticket encryption and HMAC contexts */ 2150*f5b1c8a1SJohn Marino HMAC_CTX_init(&hctx); 2151*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_init(&ctx); 2152*f5b1c8a1SJohn Marino if (tctx->tlsext_ticket_key_cb) { 2153*f5b1c8a1SJohn Marino unsigned char *nctick = (unsigned char *)etick; 2154*f5b1c8a1SJohn Marino int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2155*f5b1c8a1SJohn Marino &ctx, &hctx, 0); 2156*f5b1c8a1SJohn Marino if (rv < 0) { 2157*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2158*f5b1c8a1SJohn Marino return -1; 2159*f5b1c8a1SJohn Marino } 2160*f5b1c8a1SJohn Marino if (rv == 0) { 2161*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2162*f5b1c8a1SJohn Marino return 2; 2163*f5b1c8a1SJohn Marino } 2164*f5b1c8a1SJohn Marino if (rv == 2) 2165*f5b1c8a1SJohn Marino renew_ticket = 1; 2166*f5b1c8a1SJohn Marino } else { 2167*f5b1c8a1SJohn Marino /* Check key name matches */ 2168*f5b1c8a1SJohn Marino if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2169*f5b1c8a1SJohn Marino return 2; 2170*f5b1c8a1SJohn Marino HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2171*f5b1c8a1SJohn Marino tlsext_tick_md(), NULL); 2172*f5b1c8a1SJohn Marino EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2173*f5b1c8a1SJohn Marino tctx->tlsext_tick_aes_key, etick + 16); 2174*f5b1c8a1SJohn Marino } 2175*f5b1c8a1SJohn Marino /* Attempt to process session ticket, first conduct sanity and 2176*f5b1c8a1SJohn Marino * integrity checks on ticket. 2177*f5b1c8a1SJohn Marino */ 2178*f5b1c8a1SJohn Marino mlen = HMAC_size(&hctx); 2179*f5b1c8a1SJohn Marino if (mlen < 0) { 2180*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2181*f5b1c8a1SJohn Marino return -1; 2182*f5b1c8a1SJohn Marino } 2183*f5b1c8a1SJohn Marino eticklen -= mlen; 2184*f5b1c8a1SJohn Marino /* Check HMAC of encrypted ticket */ 2185*f5b1c8a1SJohn Marino HMAC_Update(&hctx, etick, eticklen); 2186*f5b1c8a1SJohn Marino HMAC_Final(&hctx, tick_hmac, NULL); 2187*f5b1c8a1SJohn Marino HMAC_CTX_cleanup(&hctx); 2188*f5b1c8a1SJohn Marino if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2189*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2190*f5b1c8a1SJohn Marino return 2; 2191*f5b1c8a1SJohn Marino } 2192*f5b1c8a1SJohn Marino /* Attempt to decrypt session data */ 2193*f5b1c8a1SJohn Marino /* Move p after IV to start of encrypted ticket, update length */ 2194*f5b1c8a1SJohn Marino p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2195*f5b1c8a1SJohn Marino eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2196*f5b1c8a1SJohn Marino sdec = malloc(eticklen); 2197*f5b1c8a1SJohn Marino if (!sdec) { 2198*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2199*f5b1c8a1SJohn Marino return -1; 2200*f5b1c8a1SJohn Marino } 2201*f5b1c8a1SJohn Marino EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2202*f5b1c8a1SJohn Marino if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2203*f5b1c8a1SJohn Marino free(sdec); 2204*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2205*f5b1c8a1SJohn Marino return 2; 2206*f5b1c8a1SJohn Marino } 2207*f5b1c8a1SJohn Marino slen += mlen; 2208*f5b1c8a1SJohn Marino EVP_CIPHER_CTX_cleanup(&ctx); 2209*f5b1c8a1SJohn Marino p = sdec; 2210*f5b1c8a1SJohn Marino 2211*f5b1c8a1SJohn Marino sess = d2i_SSL_SESSION(NULL, &p, slen); 2212*f5b1c8a1SJohn Marino free(sdec); 2213*f5b1c8a1SJohn Marino if (sess) { 2214*f5b1c8a1SJohn Marino /* The session ID, if non-empty, is used by some clients to 2215*f5b1c8a1SJohn Marino * detect that the ticket has been accepted. So we copy it to 2216*f5b1c8a1SJohn Marino * the session structure. If it is empty set length to zero 2217*f5b1c8a1SJohn Marino * as required by standard. 2218*f5b1c8a1SJohn Marino */ 2219*f5b1c8a1SJohn Marino if (sesslen) 2220*f5b1c8a1SJohn Marino memcpy(sess->session_id, sess_id, sesslen); 2221*f5b1c8a1SJohn Marino sess->session_id_length = sesslen; 2222*f5b1c8a1SJohn Marino *psess = sess; 2223*f5b1c8a1SJohn Marino if (renew_ticket) 2224*f5b1c8a1SJohn Marino return 4; 2225*f5b1c8a1SJohn Marino else 2226*f5b1c8a1SJohn Marino return 3; 2227*f5b1c8a1SJohn Marino } 2228*f5b1c8a1SJohn Marino ERR_clear_error(); 2229*f5b1c8a1SJohn Marino /* For session parse failure, indicate that we need to send a new 2230*f5b1c8a1SJohn Marino * ticket. */ 2231*f5b1c8a1SJohn Marino return 2; 2232*f5b1c8a1SJohn Marino } 2233*f5b1c8a1SJohn Marino 2234*f5b1c8a1SJohn Marino /* Tables to translate from NIDs to TLS v1.2 ids */ 2235*f5b1c8a1SJohn Marino 2236*f5b1c8a1SJohn Marino typedef struct { 2237*f5b1c8a1SJohn Marino int nid; 2238*f5b1c8a1SJohn Marino int id; 2239*f5b1c8a1SJohn Marino } tls12_lookup; 2240*f5b1c8a1SJohn Marino 2241*f5b1c8a1SJohn Marino static tls12_lookup tls12_md[] = { 2242*f5b1c8a1SJohn Marino {NID_md5, TLSEXT_hash_md5}, 2243*f5b1c8a1SJohn Marino {NID_sha1, TLSEXT_hash_sha1}, 2244*f5b1c8a1SJohn Marino {NID_sha224, TLSEXT_hash_sha224}, 2245*f5b1c8a1SJohn Marino {NID_sha256, TLSEXT_hash_sha256}, 2246*f5b1c8a1SJohn Marino {NID_sha384, TLSEXT_hash_sha384}, 2247*f5b1c8a1SJohn Marino {NID_sha512, TLSEXT_hash_sha512}, 2248*f5b1c8a1SJohn Marino {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2249*f5b1c8a1SJohn Marino {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2250*f5b1c8a1SJohn Marino {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2251*f5b1c8a1SJohn Marino }; 2252*f5b1c8a1SJohn Marino 2253*f5b1c8a1SJohn Marino static tls12_lookup tls12_sig[] = { 2254*f5b1c8a1SJohn Marino {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2255*f5b1c8a1SJohn Marino {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2256*f5b1c8a1SJohn Marino {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2257*f5b1c8a1SJohn Marino {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2258*f5b1c8a1SJohn Marino }; 2259*f5b1c8a1SJohn Marino 2260*f5b1c8a1SJohn Marino static int 2261*f5b1c8a1SJohn Marino tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2262*f5b1c8a1SJohn Marino { 2263*f5b1c8a1SJohn Marino size_t i; 2264*f5b1c8a1SJohn Marino for (i = 0; i < tlen; i++) { 2265*f5b1c8a1SJohn Marino if (table[i].nid == nid) 2266*f5b1c8a1SJohn Marino return table[i].id; 2267*f5b1c8a1SJohn Marino } 2268*f5b1c8a1SJohn Marino return -1; 2269*f5b1c8a1SJohn Marino } 2270*f5b1c8a1SJohn Marino 2271*f5b1c8a1SJohn Marino int 2272*f5b1c8a1SJohn Marino tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2273*f5b1c8a1SJohn Marino { 2274*f5b1c8a1SJohn Marino int sig_id, md_id; 2275*f5b1c8a1SJohn Marino if (!md) 2276*f5b1c8a1SJohn Marino return 0; 2277*f5b1c8a1SJohn Marino md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2278*f5b1c8a1SJohn Marino sizeof(tls12_md) / sizeof(tls12_lookup)); 2279*f5b1c8a1SJohn Marino if (md_id == -1) 2280*f5b1c8a1SJohn Marino return 0; 2281*f5b1c8a1SJohn Marino sig_id = tls12_get_sigid(pk); 2282*f5b1c8a1SJohn Marino if (sig_id == -1) 2283*f5b1c8a1SJohn Marino return 0; 2284*f5b1c8a1SJohn Marino p[0] = (unsigned char)md_id; 2285*f5b1c8a1SJohn Marino p[1] = (unsigned char)sig_id; 2286*f5b1c8a1SJohn Marino return 1; 2287*f5b1c8a1SJohn Marino } 2288*f5b1c8a1SJohn Marino 2289*f5b1c8a1SJohn Marino int 2290*f5b1c8a1SJohn Marino tls12_get_sigid(const EVP_PKEY *pk) 2291*f5b1c8a1SJohn Marino { 2292*f5b1c8a1SJohn Marino return tls12_find_id(pk->type, tls12_sig, 2293*f5b1c8a1SJohn Marino sizeof(tls12_sig) / sizeof(tls12_lookup)); 2294*f5b1c8a1SJohn Marino } 2295*f5b1c8a1SJohn Marino 2296*f5b1c8a1SJohn Marino const EVP_MD * 2297*f5b1c8a1SJohn Marino tls12_get_hash(unsigned char hash_alg) 2298*f5b1c8a1SJohn Marino { 2299*f5b1c8a1SJohn Marino switch (hash_alg) { 2300*f5b1c8a1SJohn Marino case TLSEXT_hash_sha1: 2301*f5b1c8a1SJohn Marino return EVP_sha1(); 2302*f5b1c8a1SJohn Marino case TLSEXT_hash_sha224: 2303*f5b1c8a1SJohn Marino return EVP_sha224(); 2304*f5b1c8a1SJohn Marino case TLSEXT_hash_sha256: 2305*f5b1c8a1SJohn Marino return EVP_sha256(); 2306*f5b1c8a1SJohn Marino case TLSEXT_hash_sha384: 2307*f5b1c8a1SJohn Marino return EVP_sha384(); 2308*f5b1c8a1SJohn Marino case TLSEXT_hash_sha512: 2309*f5b1c8a1SJohn Marino return EVP_sha512(); 2310*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_GOST 2311*f5b1c8a1SJohn Marino case TLSEXT_hash_gost94: 2312*f5b1c8a1SJohn Marino return EVP_gostr341194(); 2313*f5b1c8a1SJohn Marino case TLSEXT_hash_streebog_256: 2314*f5b1c8a1SJohn Marino return EVP_streebog256(); 2315*f5b1c8a1SJohn Marino case TLSEXT_hash_streebog_512: 2316*f5b1c8a1SJohn Marino return EVP_streebog512(); 2317*f5b1c8a1SJohn Marino #endif 2318*f5b1c8a1SJohn Marino default: 2319*f5b1c8a1SJohn Marino return NULL; 2320*f5b1c8a1SJohn Marino } 2321*f5b1c8a1SJohn Marino } 2322*f5b1c8a1SJohn Marino 2323*f5b1c8a1SJohn Marino /* Set preferred digest for each key type */ 2324*f5b1c8a1SJohn Marino 2325*f5b1c8a1SJohn Marino int 2326*f5b1c8a1SJohn Marino tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2327*f5b1c8a1SJohn Marino { 2328*f5b1c8a1SJohn Marino int idx; 2329*f5b1c8a1SJohn Marino const EVP_MD *md; 2330*f5b1c8a1SJohn Marino CERT *c = s->cert; 2331*f5b1c8a1SJohn Marino CBS cbs; 2332*f5b1c8a1SJohn Marino 2333*f5b1c8a1SJohn Marino /* Extension ignored for inappropriate versions */ 2334*f5b1c8a1SJohn Marino if (!SSL_USE_SIGALGS(s)) 2335*f5b1c8a1SJohn Marino return 1; 2336*f5b1c8a1SJohn Marino 2337*f5b1c8a1SJohn Marino /* Should never happen */ 2338*f5b1c8a1SJohn Marino if (!c || dsize < 0) 2339*f5b1c8a1SJohn Marino return 0; 2340*f5b1c8a1SJohn Marino 2341*f5b1c8a1SJohn Marino CBS_init(&cbs, data, dsize); 2342*f5b1c8a1SJohn Marino 2343*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2344*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2345*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2346*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_ECC].digest = NULL; 2347*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2348*f5b1c8a1SJohn Marino 2349*f5b1c8a1SJohn Marino while (CBS_len(&cbs) > 0) { 2350*f5b1c8a1SJohn Marino uint8_t hash_alg, sig_alg; 2351*f5b1c8a1SJohn Marino 2352*f5b1c8a1SJohn Marino if (!CBS_get_u8(&cbs, &hash_alg) || 2353*f5b1c8a1SJohn Marino !CBS_get_u8(&cbs, &sig_alg)) { 2354*f5b1c8a1SJohn Marino /* Should never happen */ 2355*f5b1c8a1SJohn Marino return 0; 2356*f5b1c8a1SJohn Marino } 2357*f5b1c8a1SJohn Marino 2358*f5b1c8a1SJohn Marino switch (sig_alg) { 2359*f5b1c8a1SJohn Marino case TLSEXT_signature_rsa: 2360*f5b1c8a1SJohn Marino idx = SSL_PKEY_RSA_SIGN; 2361*f5b1c8a1SJohn Marino break; 2362*f5b1c8a1SJohn Marino case TLSEXT_signature_dsa: 2363*f5b1c8a1SJohn Marino idx = SSL_PKEY_DSA_SIGN; 2364*f5b1c8a1SJohn Marino break; 2365*f5b1c8a1SJohn Marino case TLSEXT_signature_ecdsa: 2366*f5b1c8a1SJohn Marino idx = SSL_PKEY_ECC; 2367*f5b1c8a1SJohn Marino break; 2368*f5b1c8a1SJohn Marino case TLSEXT_signature_gostr01: 2369*f5b1c8a1SJohn Marino case TLSEXT_signature_gostr12_256: 2370*f5b1c8a1SJohn Marino case TLSEXT_signature_gostr12_512: 2371*f5b1c8a1SJohn Marino idx = SSL_PKEY_GOST01; 2372*f5b1c8a1SJohn Marino break; 2373*f5b1c8a1SJohn Marino default: 2374*f5b1c8a1SJohn Marino continue; 2375*f5b1c8a1SJohn Marino } 2376*f5b1c8a1SJohn Marino 2377*f5b1c8a1SJohn Marino if (c->pkeys[idx].digest == NULL) { 2378*f5b1c8a1SJohn Marino md = tls12_get_hash(hash_alg); 2379*f5b1c8a1SJohn Marino if (md) { 2380*f5b1c8a1SJohn Marino c->pkeys[idx].digest = md; 2381*f5b1c8a1SJohn Marino if (idx == SSL_PKEY_RSA_SIGN) 2382*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2383*f5b1c8a1SJohn Marino } 2384*f5b1c8a1SJohn Marino } 2385*f5b1c8a1SJohn Marino 2386*f5b1c8a1SJohn Marino } 2387*f5b1c8a1SJohn Marino 2388*f5b1c8a1SJohn Marino /* Set any remaining keys to default values. NOTE: if alg is not 2389*f5b1c8a1SJohn Marino * supported it stays as NULL. 2390*f5b1c8a1SJohn Marino */ 2391*f5b1c8a1SJohn Marino if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2392*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2393*f5b1c8a1SJohn Marino if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2394*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2395*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2396*f5b1c8a1SJohn Marino } 2397*f5b1c8a1SJohn Marino if (!c->pkeys[SSL_PKEY_ECC].digest) 2398*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2399*f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_GOST 2400*f5b1c8a1SJohn Marino if (!c->pkeys[SSL_PKEY_GOST01].digest) 2401*f5b1c8a1SJohn Marino c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2402*f5b1c8a1SJohn Marino #endif 2403*f5b1c8a1SJohn Marino return 1; 2404*f5b1c8a1SJohn Marino } 2405