1 /* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409 { 410 CBS cbs; 411 const uint16_t *curves; 412 size_t curveslen, i; 413 uint8_t type; 414 uint16_t cid; 415 416 CBS_init(&cbs, p, len); 417 418 /* Only named curves are supported. */ 419 if (CBS_len(&cbs) != 3 || 420 !CBS_get_u8(&cbs, &type) || 421 type != NAMED_CURVE_TYPE || 422 !CBS_get_u16(&cbs, &cid)) 423 return (0); 424 425 tls1_get_curvelist(s, 0, &curves, &curveslen); 426 427 for (i = 0; i < curveslen; i++) { 428 if (curves[i] == cid) 429 return (1); 430 } 431 return (0); 432 } 433 434 int 435 tls1_get_shared_curve(SSL *s) 436 { 437 size_t preflen, supplen, i, j; 438 const uint16_t *pref, *supp; 439 unsigned long server_pref; 440 441 /* Cannot do anything on the client side. */ 442 if (s->server == 0) 443 return (NID_undef); 444 445 /* Return first preference shared curve. */ 446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449 450 for (i = 0; i < preflen; i++) { 451 for (j = 0; j < supplen; j++) { 452 if (pref[i] == supp[j]) 453 return (tls1_ec_curve_id2nid(pref[i])); 454 } 455 } 456 return (NID_undef); 457 } 458 459 /* For an EC key set TLS ID and required compression based on parameters. */ 460 static int 461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462 { 463 const EC_GROUP *grp; 464 const EC_METHOD *meth; 465 int is_prime = 0; 466 int nid, id; 467 468 if (ec == NULL) 469 return (0); 470 471 /* Determine if it is a prime field. */ 472 if ((grp = EC_KEY_get0_group(ec)) == NULL) 473 return (0); 474 if ((meth = EC_GROUP_method_of(grp)) == NULL) 475 return (0); 476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477 is_prime = 1; 478 479 /* Determine curve ID. */ 480 nid = EC_GROUP_get_curve_name(grp); 481 id = tls1_ec_nid2curve_id(nid); 482 483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484 if (id != 0) 485 *curve_id = id; 486 else 487 *curve_id = is_prime ? 0xff01 : 0xff02; 488 489 /* Specify the compression identifier. */ 490 if (comp_id != NULL) { 491 if (EC_KEY_get0_public_key(ec) == NULL) 492 return (0); 493 494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495 *comp_id = is_prime ? 496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498 } else { 499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500 } 501 } 502 return (1); 503 } 504 505 /* Check that an EC key is compatible with extensions. */ 506 static int 507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508 { 509 size_t curveslen, formatslen, i; 510 const uint16_t *curves; 511 const uint8_t *formats; 512 513 /* 514 * Check point formats extension if present, otherwise everything 515 * is supported (see RFC4492). 516 */ 517 tls1_get_formatlist(s, 1, &formats, &formatslen); 518 if (comp_id != NULL && formats != NULL) { 519 for (i = 0; i < formatslen; i++) { 520 if (formats[i] == *comp_id) 521 break; 522 } 523 if (i == formatslen) 524 return (0); 525 } 526 527 /* 528 * Check curve list if present, otherwise everything is supported. 529 */ 530 tls1_get_curvelist(s, 1, &curves, &curveslen); 531 if (curve_id != NULL && curves != NULL) { 532 for (i = 0; i < curveslen; i++) { 533 if (curves[i] == *curve_id) 534 break; 535 } 536 if (i == curveslen) 537 return (0); 538 } 539 540 return (1); 541 } 542 543 /* Check EC server key is compatible with client extensions. */ 544 int 545 tls1_check_ec_server_key(SSL *s) 546 { 547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548 uint16_t curve_id; 549 uint8_t comp_id; 550 EVP_PKEY *pkey; 551 int rv; 552 553 if (cpk->x509 == NULL || cpk->privatekey == NULL) 554 return (0); 555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556 return (0); 557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558 EVP_PKEY_free(pkey); 559 if (rv != 1) 560 return (0); 561 562 return tls1_check_ec_key(s, &curve_id, &comp_id); 563 } 564 565 /* Check EC temporary key is compatible with client extensions. */ 566 int 567 tls1_check_ec_tmp_key(SSL *s) 568 { 569 EC_KEY *ec = s->cert->ecdh_tmp; 570 uint16_t curve_id; 571 572 if (s->cert->ecdh_tmp_auto != 0) { 573 /* Need a shared curve. */ 574 if (tls1_get_shared_curve(s) != NID_undef) 575 return (1); 576 return (0); 577 } 578 579 if (ec == NULL) { 580 if (s->cert->ecdh_tmp_cb != NULL) 581 return (1); 582 return (0); 583 } 584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585 return (0); 586 587 return tls1_check_ec_key(s, &curve_id, NULL); 588 } 589 590 /* 591 * List of supported signature algorithms and hashes. Should make this 592 * customisable at some point, for now include everything we support. 593 */ 594 595 static unsigned char tls12_sigalgs[] = { 596 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601 #endif 602 603 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606 607 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610 611 #ifndef OPENSSL_NO_GOST 612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614 #endif 615 616 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619 620 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623 }; 624 625 int 626 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627 { 628 size_t slen = sizeof(tls12_sigalgs); 629 630 if (p) 631 memcpy(p, tls12_sigalgs, slen); 632 return (int)slen; 633 } 634 635 unsigned char * 636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637 { 638 int extdatalen = 0; 639 unsigned char *ret = p; 640 int using_ecc = 0; 641 642 /* See if we support any ECC ciphersuites. */ 643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645 unsigned long alg_k, alg_a; 646 int i; 647 648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650 651 alg_k = c->algorithm_mkey; 652 alg_a = c->algorithm_auth; 653 654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655 (alg_a & SSL_aECDSA))) { 656 using_ecc = 1; 657 break; 658 } 659 } 660 } 661 662 ret += 2; 663 664 if (ret >= limit) 665 return NULL; /* this really never occurs, but ... */ 666 667 if (s->tlsext_hostname != NULL) { 668 /* Add TLS extension servername to the Client Hello message */ 669 size_t size_str, lenmax; 670 671 /* check for enough space. 672 4 for the servername type and extension length 673 2 for servernamelist length 674 1 for the hostname type 675 2 for hostname length 676 + hostname length 677 */ 678 679 if ((size_t)(limit - ret) < 9) 680 return NULL; 681 682 lenmax = limit - ret - 9; 683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 684 return NULL; 685 686 /* extension type and length */ 687 s2n(TLSEXT_TYPE_server_name, ret); 688 689 s2n(size_str + 5, ret); 690 691 /* length of servername list */ 692 s2n(size_str + 3, ret); 693 694 /* hostname type, length and hostname */ 695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 696 s2n(size_str, ret); 697 memcpy(ret, s->tlsext_hostname, size_str); 698 ret += size_str; 699 } 700 701 /* Add RI if renegotiating */ 702 if (s->renegotiate) { 703 int el; 704 705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 707 ERR_R_INTERNAL_ERROR); 708 return NULL; 709 } 710 711 if ((size_t)(limit - ret) < 4 + el) 712 return NULL; 713 714 s2n(TLSEXT_TYPE_renegotiate, ret); 715 s2n(el, ret); 716 717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 719 ERR_R_INTERNAL_ERROR); 720 return NULL; 721 } 722 723 ret += el; 724 } 725 726 if (using_ecc) { 727 size_t curveslen, formatslen, lenmax; 728 const uint16_t *curves; 729 const uint8_t *formats; 730 int i; 731 732 /* 733 * Add TLS extension ECPointFormats to the ClientHello message. 734 */ 735 tls1_get_formatlist(s, 0, &formats, &formatslen); 736 737 if ((size_t)(limit - ret) < 5) 738 return NULL; 739 740 lenmax = limit - ret - 5; 741 if (formatslen > lenmax) 742 return NULL; 743 if (formatslen > 255) { 744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 745 ERR_R_INTERNAL_ERROR); 746 return NULL; 747 } 748 749 s2n(TLSEXT_TYPE_ec_point_formats, ret); 750 s2n(formatslen + 1, ret); 751 *(ret++) = (unsigned char)formatslen; 752 memcpy(ret, formats, formatslen); 753 ret += formatslen; 754 755 /* 756 * Add TLS extension EllipticCurves to the ClientHello message. 757 */ 758 tls1_get_curvelist(s, 0, &curves, &curveslen); 759 760 if ((size_t)(limit - ret) < 6) 761 return NULL; 762 763 lenmax = limit - ret - 6; 764 if (curveslen > lenmax) 765 return NULL; 766 if (curveslen > 65532) { 767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 768 ERR_R_INTERNAL_ERROR); 769 return NULL; 770 } 771 772 s2n(TLSEXT_TYPE_elliptic_curves, ret); 773 s2n((curveslen * 2) + 2, ret); 774 775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 776 * elliptic_curve_list, but the examples use two bytes. 777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 778 * resolves this to two bytes. 779 */ 780 s2n(curveslen * 2, ret); 781 for (i = 0; i < curveslen; i++) 782 s2n(curves[i], ret); 783 } 784 785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 786 int ticklen; 787 if (!s->new_session && s->session && s->session->tlsext_tick) 788 ticklen = s->session->tlsext_ticklen; 789 else if (s->session && s->tlsext_session_ticket && 790 s->tlsext_session_ticket->data) { 791 ticklen = s->tlsext_session_ticket->length; 792 s->session->tlsext_tick = malloc(ticklen); 793 if (!s->session->tlsext_tick) 794 return NULL; 795 memcpy(s->session->tlsext_tick, 796 s->tlsext_session_ticket->data, ticklen); 797 s->session->tlsext_ticklen = ticklen; 798 } else 799 ticklen = 0; 800 if (ticklen == 0 && s->tlsext_session_ticket && 801 s->tlsext_session_ticket->data == NULL) 802 goto skip_ext; 803 /* Check for enough room 2 for extension type, 2 for len 804 * rest for ticket 805 */ 806 if ((size_t)(limit - ret) < 4 + ticklen) 807 return NULL; 808 s2n(TLSEXT_TYPE_session_ticket, ret); 809 810 s2n(ticklen, ret); 811 if (ticklen) { 812 memcpy(ret, s->session->tlsext_tick, ticklen); 813 ret += ticklen; 814 } 815 } 816 skip_ext: 817 818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 820 return NULL; 821 822 s2n(TLSEXT_TYPE_signature_algorithms, ret); 823 s2n(sizeof(tls12_sigalgs) + 2, ret); 824 s2n(sizeof(tls12_sigalgs), ret); 825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 826 ret += sizeof(tls12_sigalgs); 827 } 828 829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 830 s->version != DTLS1_VERSION) { 831 int i; 832 long extlen, idlen, itmp; 833 OCSP_RESPID *id; 834 835 idlen = 0; 836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 838 itmp = i2d_OCSP_RESPID(id, NULL); 839 if (itmp <= 0) 840 return NULL; 841 idlen += itmp + 2; 842 } 843 844 if (s->tlsext_ocsp_exts) { 845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 846 if (extlen < 0) 847 return NULL; 848 } else 849 extlen = 0; 850 851 if ((size_t)(limit - ret) < 7 + extlen + idlen) 852 return NULL; 853 s2n(TLSEXT_TYPE_status_request, ret); 854 if (extlen + idlen > 0xFFF0) 855 return NULL; 856 s2n(extlen + idlen + 5, ret); 857 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 858 s2n(idlen, ret); 859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 860 /* save position of id len */ 861 unsigned char *q = ret; 862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 863 /* skip over id len */ 864 ret += 2; 865 itmp = i2d_OCSP_RESPID(id, &ret); 866 /* write id len */ 867 s2n(itmp, q); 868 } 869 s2n(extlen, ret); 870 if (extlen > 0) 871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 872 } 873 874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 875 /* The client advertises an emtpy extension to indicate its 876 * support for Next Protocol Negotiation */ 877 if ((size_t)(limit - ret) < 4) 878 return NULL; 879 s2n(TLSEXT_TYPE_next_proto_neg, ret); 880 s2n(0, ret); 881 } 882 883 if (s->alpn_client_proto_list != NULL && 884 s->s3->tmp.finish_md_len == 0) { 885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 886 return (NULL); 887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 888 s2n(2 + s->alpn_client_proto_list_len, ret); 889 s2n(s->alpn_client_proto_list_len, ret); 890 memcpy(ret, s->alpn_client_proto_list, 891 s->alpn_client_proto_list_len); 892 ret += s->alpn_client_proto_list_len; 893 } 894 895 #ifndef OPENSSL_NO_SRTP 896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 897 int el; 898 899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 900 901 if ((size_t)(limit - ret) < 4 + el) 902 return NULL; 903 904 s2n(TLSEXT_TYPE_use_srtp, ret); 905 s2n(el, ret); 906 907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 909 ERR_R_INTERNAL_ERROR); 910 return NULL; 911 } 912 ret += el; 913 } 914 #endif 915 916 /* 917 * Add padding to workaround bugs in F5 terminators. 918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 919 * 920 * Note that this seems to trigger issues with IronPort SMTP 921 * appliances. 922 * 923 * NB: because this code works out the length of all existing 924 * extensions it MUST always appear last. 925 */ 926 if (s->options & SSL_OP_TLSEXT_PADDING) { 927 int hlen = ret - (unsigned char *)s->init_buf->data; 928 929 /* 930 * The code in s23_clnt.c to build ClientHello messages 931 * includes the 5-byte record header in the buffer, while the 932 * code in s3_clnt.c does not. 933 */ 934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 935 hlen -= 5; 936 if (hlen > 0xff && hlen < 0x200) { 937 hlen = 0x200 - hlen; 938 if (hlen >= 4) 939 hlen -= 4; 940 else 941 hlen = 0; 942 943 s2n(TLSEXT_TYPE_padding, ret); 944 s2n(hlen, ret); 945 memset(ret, 0, hlen); 946 ret += hlen; 947 } 948 } 949 950 if ((extdatalen = ret - p - 2) == 0) 951 return p; 952 953 s2n(extdatalen, p); 954 return ret; 955 } 956 957 unsigned char * 958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 959 { 960 int using_ecc, extdatalen = 0; 961 unsigned long alg_a, alg_k; 962 unsigned char *ret = p; 963 int next_proto_neg_seen; 964 965 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 968 alg_a & SSL_aECDSA) && 969 s->session->tlsext_ecpointformatlist != NULL; 970 971 ret += 2; 972 if (ret >= limit) 973 return NULL; /* this really never occurs, but ... */ 974 975 if (!s->hit && s->servername_done == 1 && 976 s->session->tlsext_hostname != NULL) { 977 if ((size_t)(limit - ret) < 4) 978 return NULL; 979 980 s2n(TLSEXT_TYPE_server_name, ret); 981 s2n(0, ret); 982 } 983 984 if (s->s3->send_connection_binding) { 985 int el; 986 987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 989 ERR_R_INTERNAL_ERROR); 990 return NULL; 991 } 992 993 if ((size_t)(limit - ret) < 4 + el) 994 return NULL; 995 996 s2n(TLSEXT_TYPE_renegotiate, ret); 997 s2n(el, ret); 998 999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1001 ERR_R_INTERNAL_ERROR); 1002 return NULL; 1003 } 1004 1005 ret += el; 1006 } 1007 1008 if (using_ecc && s->version != DTLS1_VERSION) { 1009 const unsigned char *formats; 1010 size_t formatslen, lenmax; 1011 1012 /* 1013 * Add TLS extension ECPointFormats to the ServerHello message. 1014 */ 1015 tls1_get_formatlist(s, 0, &formats, &formatslen); 1016 1017 if ((size_t)(limit - ret) < 5) 1018 return NULL; 1019 1020 lenmax = limit - ret - 5; 1021 if (formatslen > lenmax) 1022 return NULL; 1023 if (formatslen > 255) { 1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1025 ERR_R_INTERNAL_ERROR); 1026 return NULL; 1027 } 1028 1029 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1030 s2n(formatslen + 1, ret); 1031 *(ret++) = (unsigned char)formatslen; 1032 memcpy(ret, formats, formatslen); 1033 ret += formatslen; 1034 } 1035 1036 /* 1037 * Currently the server should not respond with a SupportedCurves 1038 * extension. 1039 */ 1040 1041 if (s->tlsext_ticket_expected && 1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1043 if ((size_t)(limit - ret) < 4) 1044 return NULL; 1045 1046 s2n(TLSEXT_TYPE_session_ticket, ret); 1047 s2n(0, ret); 1048 } 1049 1050 if (s->tlsext_status_expected) { 1051 if ((size_t)(limit - ret) < 4) 1052 return NULL; 1053 1054 s2n(TLSEXT_TYPE_status_request, ret); 1055 s2n(0, ret); 1056 } 1057 1058 #ifndef OPENSSL_NO_SRTP 1059 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1060 int el; 1061 1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1063 1064 if ((size_t)(limit - ret) < 4 + el) 1065 return NULL; 1066 1067 s2n(TLSEXT_TYPE_use_srtp, ret); 1068 s2n(el, ret); 1069 1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1072 ERR_R_INTERNAL_ERROR); 1073 return NULL; 1074 } 1075 ret += el; 1076 } 1077 #endif 1078 1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1082 static const unsigned char cryptopro_ext[36] = { 1083 0xfd, 0xe8, /*65000*/ 1084 0x00, 0x20, /*32 bytes length*/ 1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1089 }; 1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1091 return NULL; 1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1093 ret += sizeof(cryptopro_ext); 1094 } 1095 1096 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1097 s->s3->next_proto_neg_seen = 0; 1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1099 const unsigned char *npa; 1100 unsigned int npalen; 1101 int r; 1102 1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1104 s->ctx->next_protos_advertised_cb_arg); 1105 if (r == SSL_TLSEXT_ERR_OK) { 1106 if ((size_t)(limit - ret) < 4 + npalen) 1107 return NULL; 1108 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1109 s2n(npalen, ret); 1110 memcpy(ret, npa, npalen); 1111 ret += npalen; 1112 s->s3->next_proto_neg_seen = 1; 1113 } 1114 } 1115 1116 if (s->s3->alpn_selected != NULL) { 1117 const unsigned char *selected = s->s3->alpn_selected; 1118 unsigned int len = s->s3->alpn_selected_len; 1119 1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1121 return (NULL); 1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1123 s2n(3 + len, ret); 1124 s2n(1 + len, ret); 1125 *ret++ = len; 1126 memcpy(ret, selected, len); 1127 ret += len; 1128 } 1129 1130 if ((extdatalen = ret - p - 2) == 0) 1131 return p; 1132 1133 s2n(extdatalen, p); 1134 return ret; 1135 } 1136 1137 /* 1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1139 * ClientHello. 1140 * data: the contents of the extension, not including the type and length. 1141 * data_len: the number of bytes in data. 1142 * al: a pointer to the alert value to send in the event of a non-zero 1143 * return. 1144 * returns: 1 on success. 1145 */ 1146 static int 1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1148 unsigned int data_len, int *al) 1149 { 1150 CBS cbs, proto_name_list, alpn; 1151 const unsigned char *selected; 1152 unsigned char selected_len; 1153 int r; 1154 1155 if (s->ctx->alpn_select_cb == NULL) 1156 return (1); 1157 1158 if (data_len < 2) 1159 goto parse_error; 1160 1161 CBS_init(&cbs, data, data_len); 1162 1163 /* 1164 * data should contain a uint16 length followed by a series of 8-bit, 1165 * length-prefixed strings. 1166 */ 1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1168 CBS_len(&alpn) < 2 || 1169 CBS_len(&cbs) != 0) 1170 goto parse_error; 1171 1172 /* Validate data before sending to callback. */ 1173 CBS_dup(&alpn, &proto_name_list); 1174 while (CBS_len(&proto_name_list) > 0) { 1175 CBS proto_name; 1176 1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1178 CBS_len(&proto_name) == 0) 1179 goto parse_error; 1180 } 1181 1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1184 if (r == SSL_TLSEXT_ERR_OK) { 1185 free(s->s3->alpn_selected); 1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1187 *al = SSL_AD_INTERNAL_ERROR; 1188 return (-1); 1189 } 1190 memcpy(s->s3->alpn_selected, selected, selected_len); 1191 s->s3->alpn_selected_len = selected_len; 1192 } 1193 1194 return (1); 1195 1196 parse_error: 1197 *al = SSL_AD_DECODE_ERROR; 1198 return (0); 1199 } 1200 1201 int 1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1203 int n, int *al) 1204 { 1205 unsigned short type; 1206 unsigned short size; 1207 unsigned short len; 1208 unsigned char *data = *p; 1209 int renegotiate_seen = 0; 1210 int sigalg_seen = 0; 1211 1212 s->servername_done = 0; 1213 s->tlsext_status_type = -1; 1214 s->s3->next_proto_neg_seen = 0; 1215 free(s->s3->alpn_selected); 1216 s->s3->alpn_selected = NULL; 1217 1218 if (data >= (d + n - 2)) 1219 goto ri_check; 1220 n2s(data, len); 1221 1222 if (data > (d + n - len)) 1223 goto ri_check; 1224 1225 while (data <= (d + n - 4)) { 1226 n2s(data, type); 1227 n2s(data, size); 1228 1229 if (data + size > (d + n)) 1230 goto ri_check; 1231 if (s->tlsext_debug_cb) 1232 s->tlsext_debug_cb(s, 0, type, data, size, 1233 s->tlsext_debug_arg); 1234 /* The servername extension is treated as follows: 1235 1236 - Only the hostname type is supported with a maximum length of 255. 1237 - The servername is rejected if too long or if it contains zeros, 1238 in which case an fatal alert is generated. 1239 - The servername field is maintained together with the session cache. 1240 - When a session is resumed, the servername call back invoked in order 1241 to allow the application to position itself to the right context. 1242 - The servername is acknowledged if it is new for a session or when 1243 it is identical to a previously used for the same session. 1244 Applications can control the behaviour. They can at any time 1245 set a 'desirable' servername for a new SSL object. This can be the 1246 case for example with HTTPS when a Host: header field is received and 1247 a renegotiation is requested. In this case, a possible servername 1248 presented in the new client hello is only acknowledged if it matches 1249 the value of the Host: field. 1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1251 if they provide for changing an explicit servername context for the session, 1252 i.e. when the session has been established with a servername extension. 1253 - On session reconnect, the servername extension may be absent. 1254 1255 */ 1256 1257 if (type == TLSEXT_TYPE_server_name) { 1258 unsigned char *sdata; 1259 int servname_type; 1260 int dsize; 1261 1262 if (size < 2) { 1263 *al = SSL_AD_DECODE_ERROR; 1264 return 0; 1265 } 1266 n2s(data, dsize); 1267 1268 size -= 2; 1269 if (dsize > size) { 1270 *al = SSL_AD_DECODE_ERROR; 1271 return 0; 1272 } 1273 1274 sdata = data; 1275 while (dsize > 3) { 1276 servname_type = *(sdata++); 1277 1278 n2s(sdata, len); 1279 dsize -= 3; 1280 1281 if (len > dsize) { 1282 *al = SSL_AD_DECODE_ERROR; 1283 return 0; 1284 } 1285 if (s->servername_done == 0) 1286 switch (servname_type) { 1287 case TLSEXT_NAMETYPE_host_name: 1288 if (!s->hit) { 1289 if (s->session->tlsext_hostname) { 1290 *al = SSL_AD_DECODE_ERROR; 1291 return 0; 1292 } 1293 if (len > TLSEXT_MAXLEN_host_name) { 1294 *al = TLS1_AD_UNRECOGNIZED_NAME; 1295 return 0; 1296 } 1297 if ((s->session->tlsext_hostname = 1298 malloc(len + 1)) == NULL) { 1299 *al = TLS1_AD_INTERNAL_ERROR; 1300 return 0; 1301 } 1302 memcpy(s->session->tlsext_hostname, sdata, len); 1303 s->session->tlsext_hostname[len] = '\0'; 1304 if (strlen(s->session->tlsext_hostname) != len) { 1305 free(s->session->tlsext_hostname); 1306 s->session->tlsext_hostname = NULL; 1307 *al = TLS1_AD_UNRECOGNIZED_NAME; 1308 return 0; 1309 } 1310 s->servername_done = 1; 1311 1312 1313 } else { 1314 s->servername_done = s->session->tlsext_hostname && 1315 strlen(s->session->tlsext_hostname) == len && 1316 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1317 } 1318 break; 1319 1320 default: 1321 break; 1322 } 1323 1324 dsize -= len; 1325 } 1326 if (dsize != 0) { 1327 *al = SSL_AD_DECODE_ERROR; 1328 return 0; 1329 } 1330 1331 } 1332 1333 else if (type == TLSEXT_TYPE_ec_point_formats && 1334 s->version != DTLS1_VERSION) { 1335 unsigned char *sdata = data; 1336 size_t formatslen; 1337 uint8_t *formats; 1338 1339 if (size < 1) { 1340 *al = TLS1_AD_DECODE_ERROR; 1341 return 0; 1342 } 1343 formatslen = *(sdata++); 1344 if (formatslen != size - 1) { 1345 *al = TLS1_AD_DECODE_ERROR; 1346 return 0; 1347 } 1348 1349 if (!s->hit) { 1350 free(s->session->tlsext_ecpointformatlist); 1351 s->session->tlsext_ecpointformatlist = NULL; 1352 s->session->tlsext_ecpointformatlist_length = 0; 1353 1354 if ((formats = reallocarray(NULL, formatslen, 1355 sizeof(uint8_t))) == NULL) { 1356 *al = TLS1_AD_INTERNAL_ERROR; 1357 return 0; 1358 } 1359 memcpy(formats, sdata, formatslen); 1360 s->session->tlsext_ecpointformatlist = formats; 1361 s->session->tlsext_ecpointformatlist_length = 1362 formatslen; 1363 } 1364 } else if (type == TLSEXT_TYPE_elliptic_curves && 1365 s->version != DTLS1_VERSION) { 1366 unsigned char *sdata = data; 1367 size_t curveslen, i; 1368 uint16_t *curves; 1369 1370 if (size < 2) { 1371 *al = TLS1_AD_DECODE_ERROR; 1372 return 0; 1373 } 1374 n2s(sdata, curveslen); 1375 if (curveslen != size - 2 || curveslen % 2 != 0) { 1376 *al = TLS1_AD_DECODE_ERROR; 1377 return 0; 1378 } 1379 curveslen /= 2; 1380 1381 if (!s->hit) { 1382 if (s->session->tlsext_ellipticcurvelist) { 1383 *al = TLS1_AD_DECODE_ERROR; 1384 return 0; 1385 } 1386 s->session->tlsext_ellipticcurvelist_length = 0; 1387 if ((curves = reallocarray(NULL, curveslen, 1388 sizeof(uint16_t))) == NULL) { 1389 *al = TLS1_AD_INTERNAL_ERROR; 1390 return 0; 1391 } 1392 for (i = 0; i < curveslen; i++) 1393 n2s(sdata, curves[i]); 1394 s->session->tlsext_ellipticcurvelist = curves; 1395 s->session->tlsext_ellipticcurvelist_length = curveslen; 1396 } 1397 } 1398 else if (type == TLSEXT_TYPE_session_ticket) { 1399 if (s->tls_session_ticket_ext_cb && 1400 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1401 *al = TLS1_AD_INTERNAL_ERROR; 1402 return 0; 1403 } 1404 } else if (type == TLSEXT_TYPE_renegotiate) { 1405 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1406 return 0; 1407 renegotiate_seen = 1; 1408 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1409 int dsize; 1410 if (sigalg_seen || size < 2) { 1411 *al = SSL_AD_DECODE_ERROR; 1412 return 0; 1413 } 1414 sigalg_seen = 1; 1415 n2s(data, dsize); 1416 size -= 2; 1417 if (dsize != size || dsize & 1) { 1418 *al = SSL_AD_DECODE_ERROR; 1419 return 0; 1420 } 1421 if (!tls1_process_sigalgs(s, data, dsize)) { 1422 *al = SSL_AD_DECODE_ERROR; 1423 return 0; 1424 } 1425 } else if (type == TLSEXT_TYPE_status_request && 1426 s->version != DTLS1_VERSION) { 1427 1428 if (size < 5) { 1429 *al = SSL_AD_DECODE_ERROR; 1430 return 0; 1431 } 1432 1433 s->tlsext_status_type = *data++; 1434 size--; 1435 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1436 const unsigned char *sdata; 1437 int dsize; 1438 /* Read in responder_id_list */ 1439 n2s(data, dsize); 1440 size -= 2; 1441 if (dsize > size ) { 1442 *al = SSL_AD_DECODE_ERROR; 1443 return 0; 1444 } 1445 while (dsize > 0) { 1446 OCSP_RESPID *id; 1447 int idsize; 1448 if (dsize < 4) { 1449 *al = SSL_AD_DECODE_ERROR; 1450 return 0; 1451 } 1452 n2s(data, idsize); 1453 dsize -= 2 + idsize; 1454 size -= 2 + idsize; 1455 if (dsize < 0) { 1456 *al = SSL_AD_DECODE_ERROR; 1457 return 0; 1458 } 1459 sdata = data; 1460 data += idsize; 1461 id = d2i_OCSP_RESPID(NULL, 1462 &sdata, idsize); 1463 if (!id) { 1464 *al = SSL_AD_DECODE_ERROR; 1465 return 0; 1466 } 1467 if (data != sdata) { 1468 OCSP_RESPID_free(id); 1469 *al = SSL_AD_DECODE_ERROR; 1470 return 0; 1471 } 1472 if (!s->tlsext_ocsp_ids && 1473 !(s->tlsext_ocsp_ids = 1474 sk_OCSP_RESPID_new_null())) { 1475 OCSP_RESPID_free(id); 1476 *al = SSL_AD_INTERNAL_ERROR; 1477 return 0; 1478 } 1479 if (!sk_OCSP_RESPID_push( 1480 s->tlsext_ocsp_ids, id)) { 1481 OCSP_RESPID_free(id); 1482 *al = SSL_AD_INTERNAL_ERROR; 1483 return 0; 1484 } 1485 } 1486 1487 /* Read in request_extensions */ 1488 if (size < 2) { 1489 *al = SSL_AD_DECODE_ERROR; 1490 return 0; 1491 } 1492 n2s(data, dsize); 1493 size -= 2; 1494 if (dsize != size) { 1495 *al = SSL_AD_DECODE_ERROR; 1496 return 0; 1497 } 1498 sdata = data; 1499 if (dsize > 0) { 1500 if (s->tlsext_ocsp_exts) { 1501 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1502 X509_EXTENSION_free); 1503 } 1504 1505 s->tlsext_ocsp_exts = 1506 d2i_X509_EXTENSIONS(NULL, 1507 &sdata, dsize); 1508 if (!s->tlsext_ocsp_exts || 1509 (data + dsize != sdata)) { 1510 *al = SSL_AD_DECODE_ERROR; 1511 return 0; 1512 } 1513 } 1514 } else { 1515 /* We don't know what to do with any other type 1516 * so ignore it. 1517 */ 1518 s->tlsext_status_type = -1; 1519 } 1520 } 1521 else if (type == TLSEXT_TYPE_next_proto_neg && 1522 s->s3->tmp.finish_md_len == 0 && 1523 s->s3->alpn_selected == NULL) { 1524 /* We shouldn't accept this extension on a 1525 * renegotiation. 1526 * 1527 * s->new_session will be set on renegotiation, but we 1528 * probably shouldn't rely that it couldn't be set on 1529 * the initial renegotation too in certain cases (when 1530 * there's some other reason to disallow resuming an 1531 * earlier session -- the current code won't be doing 1532 * anything like that, but this might change). 1533 1534 * A valid sign that there's been a previous handshake 1535 * in this connection is if s->s3->tmp.finish_md_len > 1536 * 0. (We are talking about a check that will happen 1537 * in the Hello protocol round, well before a new 1538 * Finished message could have been computed.) */ 1539 s->s3->next_proto_neg_seen = 1; 1540 } 1541 else if (type == 1542 TLSEXT_TYPE_application_layer_protocol_negotiation && 1543 s->ctx->alpn_select_cb != NULL && 1544 s->s3->tmp.finish_md_len == 0) { 1545 if (tls1_alpn_handle_client_hello(s, data, 1546 size, al) != 1) 1547 return (0); 1548 /* ALPN takes precedence over NPN. */ 1549 s->s3->next_proto_neg_seen = 0; 1550 } 1551 1552 /* session ticket processed earlier */ 1553 #ifndef OPENSSL_NO_SRTP 1554 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1555 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1556 return 0; 1557 } 1558 #endif 1559 1560 data += size; 1561 } 1562 1563 *p = data; 1564 1565 ri_check: 1566 1567 /* Need RI if renegotiating */ 1568 1569 if (!renegotiate_seen && s->renegotiate) { 1570 *al = SSL_AD_HANDSHAKE_FAILURE; 1571 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1572 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1573 return 0; 1574 } 1575 1576 return 1; 1577 } 1578 1579 /* 1580 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1581 * elements of zero length are allowed and the set of elements must exactly fill 1582 * the length of the block. 1583 */ 1584 static char 1585 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1586 { 1587 CBS npn, value; 1588 1589 CBS_init(&npn, d, len); 1590 while (CBS_len(&npn) > 0) { 1591 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1592 CBS_len(&value) == 0) 1593 return 0; 1594 } 1595 return 1; 1596 } 1597 1598 int 1599 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1600 int n, int *al) 1601 { 1602 unsigned short length; 1603 unsigned short type; 1604 unsigned short size; 1605 unsigned char *data = *p; 1606 int tlsext_servername = 0; 1607 int renegotiate_seen = 0; 1608 1609 s->s3->next_proto_neg_seen = 0; 1610 free(s->s3->alpn_selected); 1611 s->s3->alpn_selected = NULL; 1612 1613 if (data >= (d + n - 2)) 1614 goto ri_check; 1615 1616 n2s(data, length); 1617 if (data + length != d + n) { 1618 *al = SSL_AD_DECODE_ERROR; 1619 return 0; 1620 } 1621 1622 while (data <= (d + n - 4)) { 1623 n2s(data, type); 1624 n2s(data, size); 1625 1626 if (data + size > (d + n)) 1627 goto ri_check; 1628 1629 if (s->tlsext_debug_cb) 1630 s->tlsext_debug_cb(s, 1, type, data, size, 1631 s->tlsext_debug_arg); 1632 1633 if (type == TLSEXT_TYPE_server_name) { 1634 if (s->tlsext_hostname == NULL || size > 0) { 1635 *al = TLS1_AD_UNRECOGNIZED_NAME; 1636 return 0; 1637 } 1638 tlsext_servername = 1; 1639 1640 } 1641 else if (type == TLSEXT_TYPE_ec_point_formats && 1642 s->version != DTLS1_VERSION) { 1643 unsigned char *sdata = data; 1644 size_t formatslen; 1645 uint8_t *formats; 1646 1647 if (size < 1) { 1648 *al = TLS1_AD_DECODE_ERROR; 1649 return 0; 1650 } 1651 formatslen = *(sdata++); 1652 if (formatslen != size - 1) { 1653 *al = TLS1_AD_DECODE_ERROR; 1654 return 0; 1655 } 1656 1657 if (!s->hit) { 1658 free(s->session->tlsext_ecpointformatlist); 1659 s->session->tlsext_ecpointformatlist = NULL; 1660 s->session->tlsext_ecpointformatlist_length = 0; 1661 1662 if ((formats = reallocarray(NULL, formatslen, 1663 sizeof(uint8_t))) == NULL) { 1664 *al = TLS1_AD_INTERNAL_ERROR; 1665 return 0; 1666 } 1667 memcpy(formats, sdata, formatslen); 1668 s->session->tlsext_ecpointformatlist = formats; 1669 s->session->tlsext_ecpointformatlist_length = 1670 formatslen; 1671 } 1672 } 1673 else if (type == TLSEXT_TYPE_session_ticket) { 1674 if (s->tls_session_ticket_ext_cb && 1675 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1676 *al = TLS1_AD_INTERNAL_ERROR; 1677 return 0; 1678 } 1679 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1680 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1681 return 0; 1682 } 1683 s->tlsext_ticket_expected = 1; 1684 } 1685 else if (type == TLSEXT_TYPE_status_request && 1686 s->version != DTLS1_VERSION) { 1687 /* MUST be empty and only sent if we've requested 1688 * a status request message. 1689 */ 1690 if ((s->tlsext_status_type == -1) || (size > 0)) { 1691 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1692 return 0; 1693 } 1694 /* Set flag to expect CertificateStatus message */ 1695 s->tlsext_status_expected = 1; 1696 } 1697 else if (type == TLSEXT_TYPE_next_proto_neg && 1698 s->s3->tmp.finish_md_len == 0) { 1699 unsigned char *selected; 1700 unsigned char selected_len; 1701 1702 /* We must have requested it. */ 1703 if (s->ctx->next_proto_select_cb == NULL) { 1704 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1705 return 0; 1706 } 1707 /* The data must be valid */ 1708 if (!ssl_next_proto_validate(data, size)) { 1709 *al = TLS1_AD_DECODE_ERROR; 1710 return 0; 1711 } 1712 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1713 *al = TLS1_AD_INTERNAL_ERROR; 1714 return 0; 1715 } 1716 s->next_proto_negotiated = malloc(selected_len); 1717 if (!s->next_proto_negotiated) { 1718 *al = TLS1_AD_INTERNAL_ERROR; 1719 return 0; 1720 } 1721 memcpy(s->next_proto_negotiated, selected, selected_len); 1722 s->next_proto_negotiated_len = selected_len; 1723 s->s3->next_proto_neg_seen = 1; 1724 } 1725 else if (type == 1726 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1727 unsigned int len; 1728 1729 /* We must have requested it. */ 1730 if (s->alpn_client_proto_list == NULL) { 1731 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1732 return 0; 1733 } 1734 if (size < 4) { 1735 *al = TLS1_AD_DECODE_ERROR; 1736 return (0); 1737 } 1738 1739 /* The extension data consists of: 1740 * uint16 list_length 1741 * uint8 proto_length; 1742 * uint8 proto[proto_length]; */ 1743 len = ((unsigned int)data[0]) << 8 | 1744 ((unsigned int)data[1]); 1745 if (len != (unsigned int)size - 2) { 1746 *al = TLS1_AD_DECODE_ERROR; 1747 return (0); 1748 } 1749 len = data[2]; 1750 if (len != (unsigned int)size - 3) { 1751 *al = TLS1_AD_DECODE_ERROR; 1752 return (0); 1753 } 1754 free(s->s3->alpn_selected); 1755 s->s3->alpn_selected = malloc(len); 1756 if (s->s3->alpn_selected == NULL) { 1757 *al = TLS1_AD_INTERNAL_ERROR; 1758 return (0); 1759 } 1760 memcpy(s->s3->alpn_selected, data + 3, len); 1761 s->s3->alpn_selected_len = len; 1762 1763 } else if (type == TLSEXT_TYPE_renegotiate) { 1764 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1765 return 0; 1766 renegotiate_seen = 1; 1767 } 1768 #ifndef OPENSSL_NO_SRTP 1769 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1770 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1771 size, al)) 1772 return 0; 1773 } 1774 #endif 1775 1776 data += size; 1777 1778 } 1779 1780 if (data != d + n) { 1781 *al = SSL_AD_DECODE_ERROR; 1782 return 0; 1783 } 1784 1785 if (!s->hit && tlsext_servername == 1) { 1786 if (s->tlsext_hostname) { 1787 if (s->session->tlsext_hostname == NULL) { 1788 s->session->tlsext_hostname = 1789 strdup(s->tlsext_hostname); 1790 1791 if (!s->session->tlsext_hostname) { 1792 *al = SSL_AD_UNRECOGNIZED_NAME; 1793 return 0; 1794 } 1795 } else { 1796 *al = SSL_AD_DECODE_ERROR; 1797 return 0; 1798 } 1799 } 1800 } 1801 1802 *p = data; 1803 1804 ri_check: 1805 1806 /* Determine if we need to see RI. Strictly speaking if we want to 1807 * avoid an attack we should *always* see RI even on initial server 1808 * hello because the client doesn't see any renegotiation during an 1809 * attack. However this would mean we could not connect to any server 1810 * which doesn't support RI so for the immediate future tolerate RI 1811 * absence on initial connect only. 1812 */ 1813 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1814 *al = SSL_AD_HANDSHAKE_FAILURE; 1815 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1816 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1817 return 0; 1818 } 1819 1820 return 1; 1821 } 1822 1823 int 1824 ssl_check_clienthello_tlsext_early(SSL *s) 1825 { 1826 int ret = SSL_TLSEXT_ERR_NOACK; 1827 int al = SSL_AD_UNRECOGNIZED_NAME; 1828 1829 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1830 * ssl3_choose_cipher in s3_lib.c. 1831 */ 1832 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1833 * ssl3_choose_cipher in s3_lib.c. 1834 */ 1835 1836 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1837 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1838 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1839 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1840 1841 switch (ret) { 1842 case SSL_TLSEXT_ERR_ALERT_FATAL: 1843 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1844 return -1; 1845 case SSL_TLSEXT_ERR_ALERT_WARNING: 1846 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1847 return 1; 1848 case SSL_TLSEXT_ERR_NOACK: 1849 s->servername_done = 0; 1850 default: 1851 return 1; 1852 } 1853 } 1854 1855 int 1856 ssl_check_clienthello_tlsext_late(SSL *s) 1857 { 1858 int ret = SSL_TLSEXT_ERR_OK; 1859 int al = 0; /* XXX gcc3 */ 1860 1861 /* If status request then ask callback what to do. 1862 * Note: this must be called after servername callbacks in case 1863 * the certificate has changed, and must be called after the cipher 1864 * has been chosen because this may influence which certificate is sent 1865 */ 1866 if ((s->tlsext_status_type != -1) && 1867 s->ctx && s->ctx->tlsext_status_cb) { 1868 int r; 1869 CERT_PKEY *certpkey; 1870 certpkey = ssl_get_server_send_pkey(s); 1871 /* If no certificate can't return certificate status */ 1872 if (certpkey == NULL) { 1873 s->tlsext_status_expected = 0; 1874 return 1; 1875 } 1876 /* Set current certificate to one we will use so 1877 * SSL_get_certificate et al can pick it up. 1878 */ 1879 s->cert->key = certpkey; 1880 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1881 switch (r) { 1882 /* We don't want to send a status request response */ 1883 case SSL_TLSEXT_ERR_NOACK: 1884 s->tlsext_status_expected = 0; 1885 break; 1886 /* status request response should be sent */ 1887 case SSL_TLSEXT_ERR_OK: 1888 if (s->tlsext_ocsp_resp) 1889 s->tlsext_status_expected = 1; 1890 else 1891 s->tlsext_status_expected = 0; 1892 break; 1893 /* something bad happened */ 1894 case SSL_TLSEXT_ERR_ALERT_FATAL: 1895 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1896 al = SSL_AD_INTERNAL_ERROR; 1897 goto err; 1898 } 1899 } else 1900 s->tlsext_status_expected = 0; 1901 1902 err: 1903 switch (ret) { 1904 case SSL_TLSEXT_ERR_ALERT_FATAL: 1905 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1906 return -1; 1907 case SSL_TLSEXT_ERR_ALERT_WARNING: 1908 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1909 return 1; 1910 default: 1911 return 1; 1912 } 1913 } 1914 1915 int 1916 ssl_check_serverhello_tlsext(SSL *s) 1917 { 1918 int ret = SSL_TLSEXT_ERR_NOACK; 1919 int al = SSL_AD_UNRECOGNIZED_NAME; 1920 1921 /* If we are client and using an elliptic curve cryptography cipher 1922 * suite, then if server returns an EC point formats lists extension 1923 * it must contain uncompressed. 1924 */ 1925 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1926 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1927 if ((s->tlsext_ecpointformatlist != NULL) && 1928 (s->tlsext_ecpointformatlist_length > 0) && 1929 (s->session->tlsext_ecpointformatlist != NULL) && 1930 (s->session->tlsext_ecpointformatlist_length > 0) && 1931 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1932 /* we are using an ECC cipher */ 1933 size_t i; 1934 unsigned char *list; 1935 int found_uncompressed = 0; 1936 list = s->session->tlsext_ecpointformatlist; 1937 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1938 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1939 found_uncompressed = 1; 1940 break; 1941 } 1942 } 1943 if (!found_uncompressed) { 1944 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1945 return -1; 1946 } 1947 } 1948 ret = SSL_TLSEXT_ERR_OK; 1949 1950 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1951 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1952 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1953 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1954 1955 /* If we've requested certificate status and we wont get one 1956 * tell the callback 1957 */ 1958 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1959 s->ctx && s->ctx->tlsext_status_cb) { 1960 int r; 1961 /* Set resp to NULL, resplen to -1 so callback knows 1962 * there is no response. 1963 */ 1964 free(s->tlsext_ocsp_resp); 1965 s->tlsext_ocsp_resp = NULL; 1966 s->tlsext_ocsp_resplen = -1; 1967 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1968 if (r == 0) { 1969 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1970 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1971 } 1972 if (r < 0) { 1973 al = SSL_AD_INTERNAL_ERROR; 1974 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1975 } 1976 } 1977 1978 switch (ret) { 1979 case SSL_TLSEXT_ERR_ALERT_FATAL: 1980 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1981 1982 return -1; 1983 case SSL_TLSEXT_ERR_ALERT_WARNING: 1984 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1985 1986 return 1; 1987 case SSL_TLSEXT_ERR_NOACK: 1988 s->servername_done = 0; 1989 default: 1990 return 1; 1991 } 1992 } 1993 1994 /* Since the server cache lookup is done early on in the processing of the 1995 * ClientHello, and other operations depend on the result, we need to handle 1996 * any TLS session ticket extension at the same time. 1997 * 1998 * session_id: points at the session ID in the ClientHello. This code will 1999 * read past the end of this in order to parse out the session ticket 2000 * extension, if any. 2001 * len: the length of the session ID. 2002 * limit: a pointer to the first byte after the ClientHello. 2003 * ret: (output) on return, if a ticket was decrypted, then this is set to 2004 * point to the resulting session. 2005 * 2006 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2007 * ciphersuite, in which case we have no use for session tickets and one will 2008 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2009 * 2010 * Returns: 2011 * -1: fatal error, either from parsing or decrypting the ticket. 2012 * 0: no ticket was found (or was ignored, based on settings). 2013 * 1: a zero length extension was found, indicating that the client supports 2014 * session tickets but doesn't currently have one to offer. 2015 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2016 * couldn't be decrypted because of a non-fatal error. 2017 * 3: a ticket was successfully decrypted and *ret was set. 2018 * 2019 * Side effects: 2020 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2021 * a new session ticket to the client because the client indicated support 2022 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2023 * a session ticket or we couldn't use the one it gave us, or if 2024 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2025 * Otherwise, s->tlsext_ticket_expected is set to 0. 2026 */ 2027 int 2028 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2029 const unsigned char *limit, SSL_SESSION **ret) 2030 { 2031 /* Point after session ID in client hello */ 2032 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2033 2034 *ret = NULL; 2035 s->tlsext_ticket_expected = 0; 2036 2037 /* If tickets disabled behave as if no ticket present 2038 * to permit stateful resumption. 2039 */ 2040 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2041 return 0; 2042 if (!limit) 2043 return 0; 2044 2045 if (limit < session) 2046 return -1; 2047 2048 CBS_init(&session_id, session, limit - session); 2049 2050 /* Skip past the session id */ 2051 if (!CBS_skip(&session_id, session_len)) 2052 return -1; 2053 2054 /* Skip past DTLS cookie */ 2055 if (SSL_IS_DTLS(s)) { 2056 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2057 return -1; 2058 } 2059 2060 /* Skip past cipher list */ 2061 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2062 return -1; 2063 2064 /* Skip past compression algorithm list */ 2065 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2066 return -1; 2067 2068 /* Now at start of extensions */ 2069 if (CBS_len(&session_id) == 0) 2070 return 0; 2071 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2072 return -1; 2073 2074 while (CBS_len(&extensions) > 0) { 2075 CBS ext_data; 2076 uint16_t ext_type; 2077 2078 if (!CBS_get_u16(&extensions, &ext_type) || 2079 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2080 return -1; 2081 2082 if (ext_type == TLSEXT_TYPE_session_ticket) { 2083 int r; 2084 if (CBS_len(&ext_data) == 0) { 2085 /* The client will accept a ticket but doesn't 2086 * currently have one. */ 2087 s->tlsext_ticket_expected = 1; 2088 return 1; 2089 } 2090 if (s->tls_session_secret_cb) { 2091 /* Indicate that the ticket couldn't be 2092 * decrypted rather than generating the session 2093 * from ticket now, trigger abbreviated 2094 * handshake based on external mechanism to 2095 * calculate the master secret later. */ 2096 return 2; 2097 } 2098 2099 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2100 CBS_len(&ext_data), session, session_len, ret); 2101 2102 switch (r) { 2103 case 2: /* ticket couldn't be decrypted */ 2104 s->tlsext_ticket_expected = 1; 2105 return 2; 2106 case 3: /* ticket was decrypted */ 2107 return r; 2108 case 4: /* ticket decrypted but need to renew */ 2109 s->tlsext_ticket_expected = 1; 2110 return 3; 2111 default: /* fatal error */ 2112 return -1; 2113 } 2114 } 2115 } 2116 return 0; 2117 } 2118 2119 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2120 * 2121 * etick: points to the body of the session ticket extension. 2122 * eticklen: the length of the session tickets extenion. 2123 * sess_id: points at the session ID. 2124 * sesslen: the length of the session ID. 2125 * psess: (output) on return, if a ticket was decrypted, then this is set to 2126 * point to the resulting session. 2127 * 2128 * Returns: 2129 * -1: fatal error, either from parsing or decrypting the ticket. 2130 * 2: the ticket couldn't be decrypted. 2131 * 3: a ticket was successfully decrypted and *psess was set. 2132 * 4: same as 3, but the ticket needs to be renewed. 2133 */ 2134 static int 2135 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2136 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2137 { 2138 SSL_SESSION *sess; 2139 unsigned char *sdec; 2140 const unsigned char *p; 2141 int slen, mlen, renew_ticket = 0; 2142 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2143 HMAC_CTX hctx; 2144 EVP_CIPHER_CTX ctx; 2145 SSL_CTX *tctx = s->initial_ctx; 2146 /* Need at least keyname + iv + some encrypted data */ 2147 if (eticklen < 48) 2148 return 2; 2149 /* Initialize session ticket encryption and HMAC contexts */ 2150 HMAC_CTX_init(&hctx); 2151 EVP_CIPHER_CTX_init(&ctx); 2152 if (tctx->tlsext_ticket_key_cb) { 2153 unsigned char *nctick = (unsigned char *)etick; 2154 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2155 &ctx, &hctx, 0); 2156 if (rv < 0) { 2157 EVP_CIPHER_CTX_cleanup(&ctx); 2158 return -1; 2159 } 2160 if (rv == 0) { 2161 EVP_CIPHER_CTX_cleanup(&ctx); 2162 return 2; 2163 } 2164 if (rv == 2) 2165 renew_ticket = 1; 2166 } else { 2167 /* Check key name matches */ 2168 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2169 return 2; 2170 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2171 tlsext_tick_md(), NULL); 2172 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2173 tctx->tlsext_tick_aes_key, etick + 16); 2174 } 2175 /* Attempt to process session ticket, first conduct sanity and 2176 * integrity checks on ticket. 2177 */ 2178 mlen = HMAC_size(&hctx); 2179 if (mlen < 0) { 2180 EVP_CIPHER_CTX_cleanup(&ctx); 2181 return -1; 2182 } 2183 eticklen -= mlen; 2184 /* Check HMAC of encrypted ticket */ 2185 HMAC_Update(&hctx, etick, eticklen); 2186 HMAC_Final(&hctx, tick_hmac, NULL); 2187 HMAC_CTX_cleanup(&hctx); 2188 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2189 EVP_CIPHER_CTX_cleanup(&ctx); 2190 return 2; 2191 } 2192 /* Attempt to decrypt session data */ 2193 /* Move p after IV to start of encrypted ticket, update length */ 2194 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2195 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2196 sdec = malloc(eticklen); 2197 if (!sdec) { 2198 EVP_CIPHER_CTX_cleanup(&ctx); 2199 return -1; 2200 } 2201 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2202 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2203 free(sdec); 2204 EVP_CIPHER_CTX_cleanup(&ctx); 2205 return 2; 2206 } 2207 slen += mlen; 2208 EVP_CIPHER_CTX_cleanup(&ctx); 2209 p = sdec; 2210 2211 sess = d2i_SSL_SESSION(NULL, &p, slen); 2212 free(sdec); 2213 if (sess) { 2214 /* The session ID, if non-empty, is used by some clients to 2215 * detect that the ticket has been accepted. So we copy it to 2216 * the session structure. If it is empty set length to zero 2217 * as required by standard. 2218 */ 2219 if (sesslen) 2220 memcpy(sess->session_id, sess_id, sesslen); 2221 sess->session_id_length = sesslen; 2222 *psess = sess; 2223 if (renew_ticket) 2224 return 4; 2225 else 2226 return 3; 2227 } 2228 ERR_clear_error(); 2229 /* For session parse failure, indicate that we need to send a new 2230 * ticket. */ 2231 return 2; 2232 } 2233 2234 /* Tables to translate from NIDs to TLS v1.2 ids */ 2235 2236 typedef struct { 2237 int nid; 2238 int id; 2239 } tls12_lookup; 2240 2241 static tls12_lookup tls12_md[] = { 2242 {NID_md5, TLSEXT_hash_md5}, 2243 {NID_sha1, TLSEXT_hash_sha1}, 2244 {NID_sha224, TLSEXT_hash_sha224}, 2245 {NID_sha256, TLSEXT_hash_sha256}, 2246 {NID_sha384, TLSEXT_hash_sha384}, 2247 {NID_sha512, TLSEXT_hash_sha512}, 2248 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2249 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2250 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2251 }; 2252 2253 static tls12_lookup tls12_sig[] = { 2254 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2255 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2256 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2257 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2258 }; 2259 2260 static int 2261 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2262 { 2263 size_t i; 2264 for (i = 0; i < tlen; i++) { 2265 if (table[i].nid == nid) 2266 return table[i].id; 2267 } 2268 return -1; 2269 } 2270 2271 int 2272 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2273 { 2274 int sig_id, md_id; 2275 if (!md) 2276 return 0; 2277 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2278 sizeof(tls12_md) / sizeof(tls12_lookup)); 2279 if (md_id == -1) 2280 return 0; 2281 sig_id = tls12_get_sigid(pk); 2282 if (sig_id == -1) 2283 return 0; 2284 p[0] = (unsigned char)md_id; 2285 p[1] = (unsigned char)sig_id; 2286 return 1; 2287 } 2288 2289 int 2290 tls12_get_sigid(const EVP_PKEY *pk) 2291 { 2292 return tls12_find_id(pk->type, tls12_sig, 2293 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2294 } 2295 2296 const EVP_MD * 2297 tls12_get_hash(unsigned char hash_alg) 2298 { 2299 switch (hash_alg) { 2300 case TLSEXT_hash_sha1: 2301 return EVP_sha1(); 2302 case TLSEXT_hash_sha224: 2303 return EVP_sha224(); 2304 case TLSEXT_hash_sha256: 2305 return EVP_sha256(); 2306 case TLSEXT_hash_sha384: 2307 return EVP_sha384(); 2308 case TLSEXT_hash_sha512: 2309 return EVP_sha512(); 2310 #ifndef OPENSSL_NO_GOST 2311 case TLSEXT_hash_gost94: 2312 return EVP_gostr341194(); 2313 case TLSEXT_hash_streebog_256: 2314 return EVP_streebog256(); 2315 case TLSEXT_hash_streebog_512: 2316 return EVP_streebog512(); 2317 #endif 2318 default: 2319 return NULL; 2320 } 2321 } 2322 2323 /* Set preferred digest for each key type */ 2324 2325 int 2326 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2327 { 2328 int idx; 2329 const EVP_MD *md; 2330 CERT *c = s->cert; 2331 CBS cbs; 2332 2333 /* Extension ignored for inappropriate versions */ 2334 if (!SSL_USE_SIGALGS(s)) 2335 return 1; 2336 2337 /* Should never happen */ 2338 if (!c || dsize < 0) 2339 return 0; 2340 2341 CBS_init(&cbs, data, dsize); 2342 2343 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2344 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2345 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2346 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2347 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2348 2349 while (CBS_len(&cbs) > 0) { 2350 uint8_t hash_alg, sig_alg; 2351 2352 if (!CBS_get_u8(&cbs, &hash_alg) || 2353 !CBS_get_u8(&cbs, &sig_alg)) { 2354 /* Should never happen */ 2355 return 0; 2356 } 2357 2358 switch (sig_alg) { 2359 case TLSEXT_signature_rsa: 2360 idx = SSL_PKEY_RSA_SIGN; 2361 break; 2362 case TLSEXT_signature_dsa: 2363 idx = SSL_PKEY_DSA_SIGN; 2364 break; 2365 case TLSEXT_signature_ecdsa: 2366 idx = SSL_PKEY_ECC; 2367 break; 2368 case TLSEXT_signature_gostr01: 2369 case TLSEXT_signature_gostr12_256: 2370 case TLSEXT_signature_gostr12_512: 2371 idx = SSL_PKEY_GOST01; 2372 break; 2373 default: 2374 continue; 2375 } 2376 2377 if (c->pkeys[idx].digest == NULL) { 2378 md = tls12_get_hash(hash_alg); 2379 if (md) { 2380 c->pkeys[idx].digest = md; 2381 if (idx == SSL_PKEY_RSA_SIGN) 2382 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2383 } 2384 } 2385 2386 } 2387 2388 /* Set any remaining keys to default values. NOTE: if alg is not 2389 * supported it stays as NULL. 2390 */ 2391 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2392 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2393 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2394 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2395 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2396 } 2397 if (!c->pkeys[SSL_PKEY_ECC].digest) 2398 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2399 #ifndef OPENSSL_NO_GOST 2400 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2401 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2402 #endif 2403 return 1; 2404 } 2405