1 /* $OpenBSD: t1_lib.c,v 1.104 2017/01/23 08:48:45 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->internal->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */ 245 NID_X25519, /* X25519 (29) */ 246 }; 247 248 static const uint8_t ecformats_default[] = { 249 TLSEXT_ECPOINTFORMAT_uncompressed, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 251 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 252 }; 253 254 static const uint16_t eccurves_default[] = { 255 29, /* X25519 (29) */ 256 14, /* sect571r1 (14) */ 257 13, /* sect571k1 (13) */ 258 25, /* secp521r1 (25) */ 259 28, /* brainpool512r1 (28) */ 260 11, /* sect409k1 (11) */ 261 12, /* sect409r1 (12) */ 262 27, /* brainpoolP384r1 (27) */ 263 24, /* secp384r1 (24) */ 264 9, /* sect283k1 (9) */ 265 10, /* sect283r1 (10) */ 266 26, /* brainpoolP256r1 (26) */ 267 22, /* secp256k1 (22) */ 268 23, /* secp256r1 (23) */ 269 8, /* sect239k1 (8) */ 270 6, /* sect233k1 (6) */ 271 7, /* sect233r1 (7) */ 272 20, /* secp224k1 (20) */ 273 21, /* secp224r1 (21) */ 274 4, /* sect193r1 (4) */ 275 5, /* sect193r2 (5) */ 276 18, /* secp192k1 (18) */ 277 19, /* secp192r1 (19) */ 278 1, /* sect163k1 (1) */ 279 2, /* sect163r1 (2) */ 280 3, /* sect163r2 (3) */ 281 15, /* secp160k1 (15) */ 282 16, /* secp160r1 (16) */ 283 17, /* secp160r2 (17) */ 284 }; 285 286 int 287 tls1_ec_curve_id2nid(const uint16_t curve_id) 288 { 289 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 290 if ((curve_id < 1) || 291 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 292 return 0; 293 return nid_list[curve_id - 1]; 294 } 295 296 uint16_t 297 tls1_ec_nid2curve_id(int nid) 298 { 299 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 300 switch (nid) { 301 case NID_sect163k1: /* sect163k1 (1) */ 302 return 1; 303 case NID_sect163r1: /* sect163r1 (2) */ 304 return 2; 305 case NID_sect163r2: /* sect163r2 (3) */ 306 return 3; 307 case NID_sect193r1: /* sect193r1 (4) */ 308 return 4; 309 case NID_sect193r2: /* sect193r2 (5) */ 310 return 5; 311 case NID_sect233k1: /* sect233k1 (6) */ 312 return 6; 313 case NID_sect233r1: /* sect233r1 (7) */ 314 return 7; 315 case NID_sect239k1: /* sect239k1 (8) */ 316 return 8; 317 case NID_sect283k1: /* sect283k1 (9) */ 318 return 9; 319 case NID_sect283r1: /* sect283r1 (10) */ 320 return 10; 321 case NID_sect409k1: /* sect409k1 (11) */ 322 return 11; 323 case NID_sect409r1: /* sect409r1 (12) */ 324 return 12; 325 case NID_sect571k1: /* sect571k1 (13) */ 326 return 13; 327 case NID_sect571r1: /* sect571r1 (14) */ 328 return 14; 329 case NID_secp160k1: /* secp160k1 (15) */ 330 return 15; 331 case NID_secp160r1: /* secp160r1 (16) */ 332 return 16; 333 case NID_secp160r2: /* secp160r2 (17) */ 334 return 17; 335 case NID_secp192k1: /* secp192k1 (18) */ 336 return 18; 337 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 338 return 19; 339 case NID_secp224k1: /* secp224k1 (20) */ 340 return 20; 341 case NID_secp224r1: /* secp224r1 (21) */ 342 return 21; 343 case NID_secp256k1: /* secp256k1 (22) */ 344 return 22; 345 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 346 return 23; 347 case NID_secp384r1: /* secp384r1 (24) */ 348 return 24; 349 case NID_secp521r1: /* secp521r1 (25) */ 350 return 25; 351 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 352 return 26; 353 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 354 return 27; 355 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 356 return 28; 357 case NID_X25519: /* X25519 (29) */ 358 return 29; 359 default: 360 return 0; 361 } 362 } 363 364 /* 365 * Return the appropriate format list. If client_formats is non-zero, return 366 * the client/session formats. Otherwise return the custom format list if one 367 * exists, or the default formats if a custom list has not been specified. 368 */ 369 static void 370 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 371 size_t *pformatslen) 372 { 373 if (client_formats != 0) { 374 *pformats = SSI(s)->tlsext_ecpointformatlist; 375 *pformatslen = SSI(s)->tlsext_ecpointformatlist_length; 376 return; 377 } 378 379 *pformats = s->internal->tlsext_ecpointformatlist; 380 *pformatslen = s->internal->tlsext_ecpointformatlist_length; 381 if (*pformats == NULL) { 382 *pformats = ecformats_default; 383 *pformatslen = sizeof(ecformats_default); 384 } 385 } 386 387 /* 388 * Return the appropriate curve list. If client_curves is non-zero, return 389 * the client/session curves. Otherwise return the custom curve list if one 390 * exists, or the default curves if a custom list has not been specified. 391 */ 392 static void 393 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 394 size_t *pcurveslen) 395 { 396 if (client_curves != 0) { 397 *pcurves = SSI(s)->tlsext_ellipticcurvelist; 398 *pcurveslen = SSI(s)->tlsext_ellipticcurvelist_length; 399 return; 400 } 401 402 *pcurves = s->internal->tlsext_ellipticcurvelist; 403 *pcurveslen = s->internal->tlsext_ellipticcurvelist_length; 404 if (*pcurves == NULL) { 405 *pcurves = eccurves_default; 406 *pcurveslen = sizeof(eccurves_default) / 2; 407 } 408 } 409 410 /* Check that a curve is one of our preferences. */ 411 int 412 tls1_check_curve(SSL *s, const uint16_t curve_id) 413 { 414 const uint16_t *curves; 415 size_t curveslen, i; 416 417 tls1_get_curvelist(s, 0, &curves, &curveslen); 418 419 for (i = 0; i < curveslen; i++) { 420 if (curves[i] == curve_id) 421 return (1); 422 } 423 return (0); 424 } 425 426 int 427 tls1_get_shared_curve(SSL *s) 428 { 429 size_t preflen, supplen, i, j; 430 const uint16_t *pref, *supp; 431 unsigned long server_pref; 432 433 /* Cannot do anything on the client side. */ 434 if (s->server == 0) 435 return (NID_undef); 436 437 /* Return first preference shared curve. */ 438 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 439 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 440 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 441 442 for (i = 0; i < preflen; i++) { 443 for (j = 0; j < supplen; j++) { 444 if (pref[i] == supp[j]) 445 return (tls1_ec_curve_id2nid(pref[i])); 446 } 447 } 448 return (NID_undef); 449 } 450 451 /* For an EC key set TLS ID and required compression based on parameters. */ 452 static int 453 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 454 { 455 const EC_GROUP *grp; 456 const EC_METHOD *meth; 457 int is_prime = 0; 458 int nid, id; 459 460 if (ec == NULL) 461 return (0); 462 463 /* Determine if it is a prime field. */ 464 if ((grp = EC_KEY_get0_group(ec)) == NULL) 465 return (0); 466 if ((meth = EC_GROUP_method_of(grp)) == NULL) 467 return (0); 468 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 469 is_prime = 1; 470 471 /* Determine curve ID. */ 472 nid = EC_GROUP_get_curve_name(grp); 473 id = tls1_ec_nid2curve_id(nid); 474 475 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 476 if (id != 0) 477 *curve_id = id; 478 else 479 *curve_id = is_prime ? 0xff01 : 0xff02; 480 481 /* Specify the compression identifier. */ 482 if (comp_id != NULL) { 483 if (EC_KEY_get0_public_key(ec) == NULL) 484 return (0); 485 486 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 487 *comp_id = is_prime ? 488 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 489 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 490 } else { 491 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 492 } 493 } 494 return (1); 495 } 496 497 /* Check that an EC key is compatible with extensions. */ 498 static int 499 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 500 { 501 size_t curveslen, formatslen, i; 502 const uint16_t *curves; 503 const uint8_t *formats; 504 505 /* 506 * Check point formats extension if present, otherwise everything 507 * is supported (see RFC4492). 508 */ 509 tls1_get_formatlist(s, 1, &formats, &formatslen); 510 if (comp_id != NULL && formats != NULL) { 511 for (i = 0; i < formatslen; i++) { 512 if (formats[i] == *comp_id) 513 break; 514 } 515 if (i == formatslen) 516 return (0); 517 } 518 519 /* 520 * Check curve list if present, otherwise everything is supported. 521 */ 522 tls1_get_curvelist(s, 1, &curves, &curveslen); 523 if (curve_id != NULL && curves != NULL) { 524 for (i = 0; i < curveslen; i++) { 525 if (curves[i] == *curve_id) 526 break; 527 } 528 if (i == curveslen) 529 return (0); 530 } 531 532 return (1); 533 } 534 535 /* Check EC server key is compatible with client extensions. */ 536 int 537 tls1_check_ec_server_key(SSL *s) 538 { 539 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 540 uint16_t curve_id; 541 uint8_t comp_id; 542 EVP_PKEY *pkey; 543 int rv; 544 545 if (cpk->x509 == NULL || cpk->privatekey == NULL) 546 return (0); 547 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 548 return (0); 549 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 550 EVP_PKEY_free(pkey); 551 if (rv != 1) 552 return (0); 553 554 return tls1_check_ec_key(s, &curve_id, &comp_id); 555 } 556 557 /* Check EC temporary key is compatible with client extensions. */ 558 int 559 tls1_check_ec_tmp_key(SSL *s) 560 { 561 EC_KEY *ec = s->cert->ecdh_tmp; 562 uint16_t curve_id; 563 564 if (s->cert->ecdh_tmp_auto != 0) { 565 /* Need a shared curve. */ 566 if (tls1_get_shared_curve(s) != NID_undef) 567 return (1); 568 return (0); 569 } 570 571 if (ec == NULL) { 572 if (s->cert->ecdh_tmp_cb != NULL) 573 return (1); 574 return (0); 575 } 576 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 577 return (0); 578 579 return tls1_check_ec_key(s, &curve_id, NULL); 580 } 581 582 /* 583 * List of supported signature algorithms and hashes. Should make this 584 * customisable at some point, for now include everything we support. 585 */ 586 587 static unsigned char tls12_sigalgs[] = { 588 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 589 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 590 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 591 #ifndef OPENSSL_NO_GOST 592 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 593 #endif 594 595 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 596 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 597 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 598 599 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 600 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 601 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 602 603 #ifndef OPENSSL_NO_GOST 604 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 605 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 606 #endif 607 608 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 609 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 610 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 611 612 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 613 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 614 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 615 }; 616 617 int 618 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 619 { 620 size_t slen = sizeof(tls12_sigalgs); 621 622 if (p) 623 memcpy(p, tls12_sigalgs, slen); 624 return (int)slen; 625 } 626 627 unsigned char * 628 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 629 { 630 int extdatalen = 0; 631 unsigned char *ret = p; 632 int using_ecc = 0; 633 634 /* See if we support any ECC ciphersuites. */ 635 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 636 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 637 unsigned long alg_k, alg_a; 638 int i; 639 640 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 641 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 642 643 alg_k = c->algorithm_mkey; 644 alg_a = c->algorithm_auth; 645 646 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) { 647 using_ecc = 1; 648 break; 649 } 650 } 651 } 652 653 ret += 2; 654 655 if (ret >= limit) 656 return NULL; /* this really never occurs, but ... */ 657 658 if (s->tlsext_hostname != NULL) { 659 /* Add TLS extension servername to the Client Hello message */ 660 size_t size_str, lenmax; 661 662 /* check for enough space. 663 4 for the servername type and extension length 664 2 for servernamelist length 665 1 for the hostname type 666 2 for hostname length 667 + hostname length 668 */ 669 670 if ((size_t)(limit - ret) < 9) 671 return NULL; 672 673 lenmax = limit - ret - 9; 674 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 675 return NULL; 676 677 /* extension type and length */ 678 s2n(TLSEXT_TYPE_server_name, ret); 679 680 s2n(size_str + 5, ret); 681 682 /* length of servername list */ 683 s2n(size_str + 3, ret); 684 685 /* hostname type, length and hostname */ 686 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 687 s2n(size_str, ret); 688 memcpy(ret, s->tlsext_hostname, size_str); 689 ret += size_str; 690 } 691 692 /* Add RI if renegotiating */ 693 if (s->internal->renegotiate) { 694 int el; 695 696 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 697 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 698 ERR_R_INTERNAL_ERROR); 699 return NULL; 700 } 701 702 if ((size_t)(limit - ret) < 4 + el) 703 return NULL; 704 705 s2n(TLSEXT_TYPE_renegotiate, ret); 706 s2n(el, ret); 707 708 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 709 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 710 ERR_R_INTERNAL_ERROR); 711 return NULL; 712 } 713 714 ret += el; 715 } 716 717 if (using_ecc) { 718 size_t curveslen, formatslen, lenmax; 719 const uint16_t *curves; 720 const uint8_t *formats; 721 int i; 722 723 /* 724 * Add TLS extension ECPointFormats to the ClientHello message. 725 */ 726 tls1_get_formatlist(s, 0, &formats, &formatslen); 727 728 if ((size_t)(limit - ret) < 5) 729 return NULL; 730 731 lenmax = limit - ret - 5; 732 if (formatslen > lenmax) 733 return NULL; 734 if (formatslen > 255) { 735 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 736 ERR_R_INTERNAL_ERROR); 737 return NULL; 738 } 739 740 s2n(TLSEXT_TYPE_ec_point_formats, ret); 741 s2n(formatslen + 1, ret); 742 *(ret++) = (unsigned char)formatslen; 743 memcpy(ret, formats, formatslen); 744 ret += formatslen; 745 746 /* 747 * Add TLS extension EllipticCurves to the ClientHello message. 748 */ 749 tls1_get_curvelist(s, 0, &curves, &curveslen); 750 751 if ((size_t)(limit - ret) < 6) 752 return NULL; 753 754 lenmax = limit - ret - 6; 755 if (curveslen > lenmax) 756 return NULL; 757 if (curveslen > 65532) { 758 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 759 ERR_R_INTERNAL_ERROR); 760 return NULL; 761 } 762 763 s2n(TLSEXT_TYPE_elliptic_curves, ret); 764 s2n((curveslen * 2) + 2, ret); 765 766 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 767 * elliptic_curve_list, but the examples use two bytes. 768 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 769 * resolves this to two bytes. 770 */ 771 s2n(curveslen * 2, ret); 772 for (i = 0; i < curveslen; i++) 773 s2n(curves[i], ret); 774 } 775 776 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 777 int ticklen; 778 if (!s->internal->new_session && s->session && s->session->tlsext_tick) 779 ticklen = s->session->tlsext_ticklen; 780 else if (s->session && s->internal->tlsext_session_ticket && 781 s->internal->tlsext_session_ticket->data) { 782 ticklen = s->internal->tlsext_session_ticket->length; 783 s->session->tlsext_tick = malloc(ticklen); 784 if (!s->session->tlsext_tick) 785 return NULL; 786 memcpy(s->session->tlsext_tick, 787 s->internal->tlsext_session_ticket->data, ticklen); 788 s->session->tlsext_ticklen = ticklen; 789 } else 790 ticklen = 0; 791 if (ticklen == 0 && s->internal->tlsext_session_ticket && 792 s->internal->tlsext_session_ticket->data == NULL) 793 goto skip_ext; 794 /* Check for enough room 2 for extension type, 2 for len 795 * rest for ticket 796 */ 797 if ((size_t)(limit - ret) < 4 + ticklen) 798 return NULL; 799 s2n(TLSEXT_TYPE_session_ticket, ret); 800 801 s2n(ticklen, ret); 802 if (ticklen) { 803 memcpy(ret, s->session->tlsext_tick, ticklen); 804 ret += ticklen; 805 } 806 } 807 skip_ext: 808 809 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 810 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 811 return NULL; 812 813 s2n(TLSEXT_TYPE_signature_algorithms, ret); 814 s2n(sizeof(tls12_sigalgs) + 2, ret); 815 s2n(sizeof(tls12_sigalgs), ret); 816 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 817 ret += sizeof(tls12_sigalgs); 818 } 819 820 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 821 s->version != DTLS1_VERSION) { 822 int i; 823 long extlen, idlen, itmp; 824 OCSP_RESPID *id; 825 826 idlen = 0; 827 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 828 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i); 829 itmp = i2d_OCSP_RESPID(id, NULL); 830 if (itmp <= 0) 831 return NULL; 832 idlen += itmp + 2; 833 } 834 835 if (s->internal->tlsext_ocsp_exts) { 836 extlen = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL); 837 if (extlen < 0) 838 return NULL; 839 } else 840 extlen = 0; 841 842 if ((size_t)(limit - ret) < 7 + extlen + idlen) 843 return NULL; 844 s2n(TLSEXT_TYPE_status_request, ret); 845 if (extlen + idlen > 0xFFF0) 846 return NULL; 847 s2n(extlen + idlen + 5, ret); 848 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 849 s2n(idlen, ret); 850 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 851 /* save position of id len */ 852 unsigned char *q = ret; 853 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i); 854 /* skip over id len */ 855 ret += 2; 856 itmp = i2d_OCSP_RESPID(id, &ret); 857 /* write id len */ 858 s2n(itmp, q); 859 } 860 s2n(extlen, ret); 861 if (extlen > 0) 862 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret); 863 } 864 865 if (s->ctx->internal->next_proto_select_cb && 866 !S3I(s)->tmp.finish_md_len) { 867 /* The client advertises an emtpy extension to indicate its 868 * support for Next Protocol Negotiation */ 869 if ((size_t)(limit - ret) < 4) 870 return NULL; 871 s2n(TLSEXT_TYPE_next_proto_neg, ret); 872 s2n(0, ret); 873 } 874 875 if (s->internal->alpn_client_proto_list != NULL && 876 S3I(s)->tmp.finish_md_len == 0) { 877 if ((size_t)(limit - ret) < 878 6 + s->internal->alpn_client_proto_list_len) 879 return (NULL); 880 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 881 s2n(2 + s->internal->alpn_client_proto_list_len, ret); 882 s2n(s->internal->alpn_client_proto_list_len, ret); 883 memcpy(ret, s->internal->alpn_client_proto_list, 884 s->internal->alpn_client_proto_list_len); 885 ret += s->internal->alpn_client_proto_list_len; 886 } 887 888 #ifndef OPENSSL_NO_SRTP 889 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 890 int el; 891 892 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 893 894 if ((size_t)(limit - ret) < 4 + el) 895 return NULL; 896 897 s2n(TLSEXT_TYPE_use_srtp, ret); 898 s2n(el, ret); 899 900 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 901 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 902 ERR_R_INTERNAL_ERROR); 903 return NULL; 904 } 905 ret += el; 906 } 907 #endif 908 909 /* 910 * Add padding to workaround bugs in F5 terminators. 911 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 912 * 913 * Note that this seems to trigger issues with IronPort SMTP 914 * appliances. 915 * 916 * NB: because this code works out the length of all existing 917 * extensions it MUST always appear last. 918 */ 919 if (s->options & SSL_OP_TLSEXT_PADDING) { 920 int hlen = ret - (unsigned char *)s->internal->init_buf->data; 921 922 /* 923 * The code in s23_clnt.c to build ClientHello messages 924 * includes the 5-byte record header in the buffer, while the 925 * code in s3_clnt.c does not. 926 */ 927 if (s->internal->state == SSL23_ST_CW_CLNT_HELLO_A) 928 hlen -= 5; 929 if (hlen > 0xff && hlen < 0x200) { 930 hlen = 0x200 - hlen; 931 if (hlen >= 4) 932 hlen -= 4; 933 else 934 hlen = 0; 935 936 s2n(TLSEXT_TYPE_padding, ret); 937 s2n(hlen, ret); 938 memset(ret, 0, hlen); 939 ret += hlen; 940 } 941 } 942 943 if ((extdatalen = ret - p - 2) == 0) 944 return p; 945 946 s2n(extdatalen, p); 947 return ret; 948 } 949 950 unsigned char * 951 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 952 { 953 int using_ecc, extdatalen = 0; 954 unsigned long alg_a, alg_k; 955 unsigned char *ret = p; 956 int next_proto_neg_seen; 957 958 alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; 959 alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; 960 using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) && 961 SSI(s)->tlsext_ecpointformatlist != NULL; 962 963 ret += 2; 964 if (ret >= limit) 965 return NULL; /* this really never occurs, but ... */ 966 967 if (!s->internal->hit && s->internal->servername_done == 1 && 968 s->session->tlsext_hostname != NULL) { 969 if ((size_t)(limit - ret) < 4) 970 return NULL; 971 972 s2n(TLSEXT_TYPE_server_name, ret); 973 s2n(0, ret); 974 } 975 976 if (S3I(s)->send_connection_binding) { 977 int el; 978 979 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 980 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 981 ERR_R_INTERNAL_ERROR); 982 return NULL; 983 } 984 985 if ((size_t)(limit - ret) < 4 + el) 986 return NULL; 987 988 s2n(TLSEXT_TYPE_renegotiate, ret); 989 s2n(el, ret); 990 991 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 992 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 993 ERR_R_INTERNAL_ERROR); 994 return NULL; 995 } 996 997 ret += el; 998 } 999 1000 if (using_ecc && s->version != DTLS1_VERSION) { 1001 const unsigned char *formats; 1002 size_t formatslen, lenmax; 1003 1004 /* 1005 * Add TLS extension ECPointFormats to the ServerHello message. 1006 */ 1007 tls1_get_formatlist(s, 0, &formats, &formatslen); 1008 1009 if ((size_t)(limit - ret) < 5) 1010 return NULL; 1011 1012 lenmax = limit - ret - 5; 1013 if (formatslen > lenmax) 1014 return NULL; 1015 if (formatslen > 255) { 1016 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1017 ERR_R_INTERNAL_ERROR); 1018 return NULL; 1019 } 1020 1021 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1022 s2n(formatslen + 1, ret); 1023 *(ret++) = (unsigned char)formatslen; 1024 memcpy(ret, formats, formatslen); 1025 ret += formatslen; 1026 } 1027 1028 /* 1029 * Currently the server should not respond with a SupportedCurves 1030 * extension. 1031 */ 1032 1033 if (s->internal->tlsext_ticket_expected && 1034 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1035 if ((size_t)(limit - ret) < 4) 1036 return NULL; 1037 1038 s2n(TLSEXT_TYPE_session_ticket, ret); 1039 s2n(0, ret); 1040 } 1041 1042 if (s->internal->tlsext_status_expected) { 1043 if ((size_t)(limit - ret) < 4) 1044 return NULL; 1045 1046 s2n(TLSEXT_TYPE_status_request, ret); 1047 s2n(0, ret); 1048 } 1049 1050 #ifndef OPENSSL_NO_SRTP 1051 if (SSL_IS_DTLS(s) && s->internal->srtp_profile) { 1052 int el; 1053 1054 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1055 1056 if ((size_t)(limit - ret) < 4 + el) 1057 return NULL; 1058 1059 s2n(TLSEXT_TYPE_use_srtp, ret); 1060 s2n(el, ret); 1061 1062 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1063 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1064 ERR_R_INTERNAL_ERROR); 1065 return NULL; 1066 } 1067 ret += el; 1068 } 1069 #endif 1070 1071 if (((S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1072 (S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1073 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1074 static const unsigned char cryptopro_ext[36] = { 1075 0xfd, 0xe8, /*65000*/ 1076 0x00, 0x20, /*32 bytes length*/ 1077 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1078 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1079 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1080 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1081 }; 1082 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1083 return NULL; 1084 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1085 ret += sizeof(cryptopro_ext); 1086 } 1087 1088 next_proto_neg_seen = S3I(s)->next_proto_neg_seen; 1089 S3I(s)->next_proto_neg_seen = 0; 1090 if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) { 1091 const unsigned char *npa; 1092 unsigned int npalen; 1093 int r; 1094 1095 r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen, 1096 s->ctx->internal->next_protos_advertised_cb_arg); 1097 if (r == SSL_TLSEXT_ERR_OK) { 1098 if ((size_t)(limit - ret) < 4 + npalen) 1099 return NULL; 1100 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1101 s2n(npalen, ret); 1102 memcpy(ret, npa, npalen); 1103 ret += npalen; 1104 S3I(s)->next_proto_neg_seen = 1; 1105 } 1106 } 1107 1108 if (S3I(s)->alpn_selected != NULL) { 1109 const unsigned char *selected = S3I(s)->alpn_selected; 1110 unsigned int len = S3I(s)->alpn_selected_len; 1111 1112 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1113 return (NULL); 1114 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1115 s2n(3 + len, ret); 1116 s2n(1 + len, ret); 1117 *ret++ = len; 1118 memcpy(ret, selected, len); 1119 ret += len; 1120 } 1121 1122 if ((extdatalen = ret - p - 2) == 0) 1123 return p; 1124 1125 s2n(extdatalen, p); 1126 return ret; 1127 } 1128 1129 /* 1130 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1131 * ClientHello. 1132 * data: the contents of the extension, not including the type and length. 1133 * data_len: the number of bytes in data. 1134 * al: a pointer to the alert value to send in the event of a non-zero 1135 * return. 1136 * returns: 1 on success. 1137 */ 1138 static int 1139 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1140 unsigned int data_len, int *al) 1141 { 1142 CBS cbs, proto_name_list, alpn; 1143 const unsigned char *selected; 1144 unsigned char selected_len; 1145 int r; 1146 1147 if (s->ctx->internal->alpn_select_cb == NULL) 1148 return (1); 1149 1150 if (data_len < 2) 1151 goto parse_error; 1152 1153 CBS_init(&cbs, data, data_len); 1154 1155 /* 1156 * data should contain a uint16 length followed by a series of 8-bit, 1157 * length-prefixed strings. 1158 */ 1159 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1160 CBS_len(&alpn) < 2 || 1161 CBS_len(&cbs) != 0) 1162 goto parse_error; 1163 1164 /* Validate data before sending to callback. */ 1165 CBS_dup(&alpn, &proto_name_list); 1166 while (CBS_len(&proto_name_list) > 0) { 1167 CBS proto_name; 1168 1169 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1170 CBS_len(&proto_name) == 0) 1171 goto parse_error; 1172 } 1173 1174 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 1175 CBS_data(&alpn), CBS_len(&alpn), 1176 s->ctx->internal->alpn_select_cb_arg); 1177 if (r == SSL_TLSEXT_ERR_OK) { 1178 free(S3I(s)->alpn_selected); 1179 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 1180 *al = SSL_AD_INTERNAL_ERROR; 1181 return (-1); 1182 } 1183 memcpy(S3I(s)->alpn_selected, selected, selected_len); 1184 S3I(s)->alpn_selected_len = selected_len; 1185 } 1186 1187 return (1); 1188 1189 parse_error: 1190 *al = SSL_AD_DECODE_ERROR; 1191 return (0); 1192 } 1193 1194 int 1195 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1196 int n, int *al) 1197 { 1198 unsigned short type; 1199 unsigned short size; 1200 unsigned short len; 1201 unsigned char *data = *p; 1202 unsigned char *end = d + n; 1203 int renegotiate_seen = 0; 1204 int sigalg_seen = 0; 1205 1206 s->internal->servername_done = 0; 1207 s->tlsext_status_type = -1; 1208 S3I(s)->next_proto_neg_seen = 0; 1209 free(S3I(s)->alpn_selected); 1210 S3I(s)->alpn_selected = NULL; 1211 s->internal->srtp_profile = NULL; 1212 1213 if (data == end) 1214 goto ri_check; 1215 1216 if (end - data < 2) 1217 goto err; 1218 n2s(data, len); 1219 1220 if (end - data != len) 1221 goto err; 1222 1223 while (end - data >= 4) { 1224 n2s(data, type); 1225 n2s(data, size); 1226 1227 if (end - data < size) 1228 goto err; 1229 1230 if (s->internal->tlsext_debug_cb) 1231 s->internal->tlsext_debug_cb(s, 0, type, data, size, 1232 s->internal->tlsext_debug_arg); 1233 /* The servername extension is treated as follows: 1234 1235 - Only the hostname type is supported with a maximum length of 255. 1236 - The servername is rejected if too long or if it contains zeros, 1237 in which case an fatal alert is generated. 1238 - The servername field is maintained together with the session cache. 1239 - When a session is resumed, the servername call back invoked in order 1240 to allow the application to position itself to the right context. 1241 - The servername is acknowledged if it is new for a session or when 1242 it is identical to a previously used for the same session. 1243 Applications can control the behaviour. They can at any time 1244 set a 'desirable' servername for a new SSL object. This can be the 1245 case for example with HTTPS when a Host: header field is received and 1246 a renegotiation is requested. In this case, a possible servername 1247 presented in the new client hello is only acknowledged if it matches 1248 the value of the Host: field. 1249 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1250 if they provide for changing an explicit servername context for the session, 1251 i.e. when the session has been established with a servername extension. 1252 - On session reconnect, the servername extension may be absent. 1253 1254 */ 1255 1256 if (type == TLSEXT_TYPE_server_name) { 1257 unsigned char *sdata; 1258 int servname_type; 1259 int dsize; 1260 1261 if (size < 2) { 1262 *al = SSL_AD_DECODE_ERROR; 1263 return 0; 1264 } 1265 n2s(data, dsize); 1266 1267 size -= 2; 1268 if (dsize > size) { 1269 *al = SSL_AD_DECODE_ERROR; 1270 return 0; 1271 } 1272 1273 sdata = data; 1274 while (dsize > 3) { 1275 servname_type = *(sdata++); 1276 1277 n2s(sdata, len); 1278 dsize -= 3; 1279 1280 if (len > dsize) { 1281 *al = SSL_AD_DECODE_ERROR; 1282 return 0; 1283 } 1284 if (s->internal->servername_done == 0) 1285 switch (servname_type) { 1286 case TLSEXT_NAMETYPE_host_name: 1287 if (!s->internal->hit) { 1288 if (s->session->tlsext_hostname) { 1289 *al = SSL_AD_DECODE_ERROR; 1290 return 0; 1291 } 1292 if (len > TLSEXT_MAXLEN_host_name) { 1293 *al = TLS1_AD_UNRECOGNIZED_NAME; 1294 return 0; 1295 } 1296 if ((s->session->tlsext_hostname = 1297 malloc(len + 1)) == NULL) { 1298 *al = TLS1_AD_INTERNAL_ERROR; 1299 return 0; 1300 } 1301 memcpy(s->session->tlsext_hostname, sdata, len); 1302 s->session->tlsext_hostname[len] = '\0'; 1303 if (strlen(s->session->tlsext_hostname) != len) { 1304 free(s->session->tlsext_hostname); 1305 s->session->tlsext_hostname = NULL; 1306 *al = TLS1_AD_UNRECOGNIZED_NAME; 1307 return 0; 1308 } 1309 s->internal->servername_done = 1; 1310 1311 1312 } else { 1313 s->internal->servername_done = s->session->tlsext_hostname && 1314 strlen(s->session->tlsext_hostname) == len && 1315 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1316 } 1317 break; 1318 1319 default: 1320 break; 1321 } 1322 1323 dsize -= len; 1324 } 1325 if (dsize != 0) { 1326 *al = SSL_AD_DECODE_ERROR; 1327 return 0; 1328 } 1329 1330 } 1331 1332 else if (type == TLSEXT_TYPE_ec_point_formats && 1333 s->version != DTLS1_VERSION) { 1334 unsigned char *sdata = data; 1335 size_t formatslen; 1336 uint8_t *formats; 1337 1338 if (size < 1) { 1339 *al = TLS1_AD_DECODE_ERROR; 1340 return 0; 1341 } 1342 formatslen = *(sdata++); 1343 if (formatslen != size - 1) { 1344 *al = TLS1_AD_DECODE_ERROR; 1345 return 0; 1346 } 1347 1348 if (!s->internal->hit) { 1349 free(SSI(s)->tlsext_ecpointformatlist); 1350 SSI(s)->tlsext_ecpointformatlist = NULL; 1351 SSI(s)->tlsext_ecpointformatlist_length = 0; 1352 1353 if ((formats = reallocarray(NULL, formatslen, 1354 sizeof(uint8_t))) == NULL) { 1355 *al = TLS1_AD_INTERNAL_ERROR; 1356 return 0; 1357 } 1358 memcpy(formats, sdata, formatslen); 1359 SSI(s)->tlsext_ecpointformatlist = formats; 1360 SSI(s)->tlsext_ecpointformatlist_length = 1361 formatslen; 1362 } 1363 } else if (type == TLSEXT_TYPE_elliptic_curves && 1364 s->version != DTLS1_VERSION) { 1365 unsigned char *sdata = data; 1366 size_t curveslen, i; 1367 uint16_t *curves; 1368 1369 if (size < 2) { 1370 *al = TLS1_AD_DECODE_ERROR; 1371 return 0; 1372 } 1373 n2s(sdata, curveslen); 1374 if (curveslen != size - 2 || curveslen % 2 != 0) { 1375 *al = TLS1_AD_DECODE_ERROR; 1376 return 0; 1377 } 1378 curveslen /= 2; 1379 1380 if (!s->internal->hit) { 1381 if (SSI(s)->tlsext_ellipticcurvelist) { 1382 *al = TLS1_AD_DECODE_ERROR; 1383 return 0; 1384 } 1385 SSI(s)->tlsext_ellipticcurvelist_length = 0; 1386 if ((curves = reallocarray(NULL, curveslen, 1387 sizeof(uint16_t))) == NULL) { 1388 *al = TLS1_AD_INTERNAL_ERROR; 1389 return 0; 1390 } 1391 for (i = 0; i < curveslen; i++) 1392 n2s(sdata, curves[i]); 1393 SSI(s)->tlsext_ellipticcurvelist = curves; 1394 SSI(s)->tlsext_ellipticcurvelist_length = curveslen; 1395 } 1396 } 1397 else if (type == TLSEXT_TYPE_session_ticket) { 1398 if (s->internal->tls_session_ticket_ext_cb && 1399 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { 1400 *al = TLS1_AD_INTERNAL_ERROR; 1401 return 0; 1402 } 1403 } else if (type == TLSEXT_TYPE_renegotiate) { 1404 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1405 return 0; 1406 renegotiate_seen = 1; 1407 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1408 int dsize; 1409 if (sigalg_seen || size < 2) { 1410 *al = SSL_AD_DECODE_ERROR; 1411 return 0; 1412 } 1413 sigalg_seen = 1; 1414 n2s(data, dsize); 1415 size -= 2; 1416 if (dsize != size || dsize & 1) { 1417 *al = SSL_AD_DECODE_ERROR; 1418 return 0; 1419 } 1420 if (!tls1_process_sigalgs(s, data, dsize)) { 1421 *al = SSL_AD_DECODE_ERROR; 1422 return 0; 1423 } 1424 } else if (type == TLSEXT_TYPE_status_request && 1425 s->version != DTLS1_VERSION) { 1426 1427 if (size < 5) { 1428 *al = SSL_AD_DECODE_ERROR; 1429 return 0; 1430 } 1431 1432 s->tlsext_status_type = *data++; 1433 size--; 1434 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1435 const unsigned char *sdata; 1436 int dsize; 1437 /* Read in responder_id_list */ 1438 n2s(data, dsize); 1439 size -= 2; 1440 if (dsize > size) { 1441 *al = SSL_AD_DECODE_ERROR; 1442 return 0; 1443 } 1444 1445 /* 1446 * We remove any OCSP_RESPIDs from a 1447 * previous handshake to prevent 1448 * unbounded memory growth. 1449 */ 1450 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, 1451 OCSP_RESPID_free); 1452 s->internal->tlsext_ocsp_ids = NULL; 1453 if (dsize > 0) { 1454 s->internal->tlsext_ocsp_ids = 1455 sk_OCSP_RESPID_new_null(); 1456 if (s->internal->tlsext_ocsp_ids == NULL) { 1457 *al = SSL_AD_INTERNAL_ERROR; 1458 return 0; 1459 } 1460 } 1461 1462 while (dsize > 0) { 1463 OCSP_RESPID *id; 1464 int idsize; 1465 if (dsize < 4) { 1466 *al = SSL_AD_DECODE_ERROR; 1467 return 0; 1468 } 1469 n2s(data, idsize); 1470 dsize -= 2 + idsize; 1471 size -= 2 + idsize; 1472 if (dsize < 0) { 1473 *al = SSL_AD_DECODE_ERROR; 1474 return 0; 1475 } 1476 sdata = data; 1477 data += idsize; 1478 id = d2i_OCSP_RESPID(NULL, 1479 &sdata, idsize); 1480 if (!id) { 1481 *al = SSL_AD_DECODE_ERROR; 1482 return 0; 1483 } 1484 if (data != sdata) { 1485 OCSP_RESPID_free(id); 1486 *al = SSL_AD_DECODE_ERROR; 1487 return 0; 1488 } 1489 if (!sk_OCSP_RESPID_push( 1490 s->internal->tlsext_ocsp_ids, id)) { 1491 OCSP_RESPID_free(id); 1492 *al = SSL_AD_INTERNAL_ERROR; 1493 return 0; 1494 } 1495 } 1496 1497 /* Read in request_extensions */ 1498 if (size < 2) { 1499 *al = SSL_AD_DECODE_ERROR; 1500 return 0; 1501 } 1502 n2s(data, dsize); 1503 size -= 2; 1504 if (dsize != size) { 1505 *al = SSL_AD_DECODE_ERROR; 1506 return 0; 1507 } 1508 sdata = data; 1509 if (dsize > 0) { 1510 if (s->internal->tlsext_ocsp_exts) { 1511 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1512 X509_EXTENSION_free); 1513 } 1514 1515 s->internal->tlsext_ocsp_exts = 1516 d2i_X509_EXTENSIONS(NULL, 1517 &sdata, dsize); 1518 if (!s->internal->tlsext_ocsp_exts || 1519 (data + dsize != sdata)) { 1520 *al = SSL_AD_DECODE_ERROR; 1521 return 0; 1522 } 1523 } 1524 } else { 1525 /* We don't know what to do with any other type 1526 * so ignore it. 1527 */ 1528 s->tlsext_status_type = -1; 1529 } 1530 } 1531 else if (type == TLSEXT_TYPE_next_proto_neg && 1532 S3I(s)->tmp.finish_md_len == 0 && 1533 S3I(s)->alpn_selected == NULL) { 1534 /* We shouldn't accept this extension on a 1535 * renegotiation. 1536 * 1537 * s->internal->new_session will be set on renegotiation, but we 1538 * probably shouldn't rely that it couldn't be set on 1539 * the initial renegotation too in certain cases (when 1540 * there's some other reason to disallow resuming an 1541 * earlier session -- the current code won't be doing 1542 * anything like that, but this might change). 1543 1544 * A valid sign that there's been a previous handshake 1545 * in this connection is if S3I(s)->tmp.finish_md_len > 1546 * 0. (We are talking about a check that will happen 1547 * in the Hello protocol round, well before a new 1548 * Finished message could have been computed.) */ 1549 S3I(s)->next_proto_neg_seen = 1; 1550 } 1551 else if (type == 1552 TLSEXT_TYPE_application_layer_protocol_negotiation && 1553 s->ctx->internal->alpn_select_cb != NULL && 1554 S3I(s)->tmp.finish_md_len == 0) { 1555 if (tls1_alpn_handle_client_hello(s, data, 1556 size, al) != 1) 1557 return (0); 1558 /* ALPN takes precedence over NPN. */ 1559 S3I(s)->next_proto_neg_seen = 0; 1560 } 1561 1562 /* session ticket processed earlier */ 1563 #ifndef OPENSSL_NO_SRTP 1564 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1565 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1566 return 0; 1567 } 1568 #endif 1569 1570 data += size; 1571 } 1572 1573 /* Spurious data on the end */ 1574 if (data != end) 1575 goto err; 1576 1577 *p = data; 1578 1579 ri_check: 1580 1581 /* Need RI if renegotiating */ 1582 1583 if (!renegotiate_seen && s->internal->renegotiate) { 1584 *al = SSL_AD_HANDSHAKE_FAILURE; 1585 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1586 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1587 return 0; 1588 } 1589 1590 return 1; 1591 1592 err: 1593 *al = SSL_AD_DECODE_ERROR; 1594 return 0; 1595 } 1596 1597 /* 1598 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1599 * elements of zero length are allowed and the set of elements must exactly fill 1600 * the length of the block. 1601 */ 1602 static char 1603 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1604 { 1605 CBS npn, value; 1606 1607 CBS_init(&npn, d, len); 1608 while (CBS_len(&npn) > 0) { 1609 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1610 CBS_len(&value) == 0) 1611 return 0; 1612 } 1613 return 1; 1614 } 1615 1616 int 1617 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) 1618 { 1619 unsigned short type; 1620 unsigned short size; 1621 unsigned short len; 1622 unsigned char *data = *p; 1623 unsigned char *end = *p + n; 1624 int tlsext_servername = 0; 1625 int renegotiate_seen = 0; 1626 1627 S3I(s)->next_proto_neg_seen = 0; 1628 free(S3I(s)->alpn_selected); 1629 S3I(s)->alpn_selected = NULL; 1630 1631 if (data == end) 1632 goto ri_check; 1633 1634 if (end - data < 2) 1635 goto err; 1636 n2s(data, len); 1637 1638 if (end - data != len) 1639 goto err; 1640 1641 while (end - data >= 4) { 1642 n2s(data, type); 1643 n2s(data, size); 1644 1645 if (end - data < size) 1646 goto err; 1647 1648 if (s->internal->tlsext_debug_cb) 1649 s->internal->tlsext_debug_cb(s, 1, type, data, size, 1650 s->internal->tlsext_debug_arg); 1651 1652 if (type == TLSEXT_TYPE_server_name) { 1653 if (s->tlsext_hostname == NULL || size > 0) { 1654 *al = TLS1_AD_UNRECOGNIZED_NAME; 1655 return 0; 1656 } 1657 tlsext_servername = 1; 1658 1659 } 1660 else if (type == TLSEXT_TYPE_ec_point_formats && 1661 s->version != DTLS1_VERSION) { 1662 unsigned char *sdata = data; 1663 size_t formatslen; 1664 uint8_t *formats; 1665 1666 if (size < 1) { 1667 *al = TLS1_AD_DECODE_ERROR; 1668 return 0; 1669 } 1670 formatslen = *(sdata++); 1671 if (formatslen != size - 1) { 1672 *al = TLS1_AD_DECODE_ERROR; 1673 return 0; 1674 } 1675 1676 if (!s->internal->hit) { 1677 free(SSI(s)->tlsext_ecpointformatlist); 1678 SSI(s)->tlsext_ecpointformatlist = NULL; 1679 SSI(s)->tlsext_ecpointformatlist_length = 0; 1680 1681 if ((formats = reallocarray(NULL, formatslen, 1682 sizeof(uint8_t))) == NULL) { 1683 *al = TLS1_AD_INTERNAL_ERROR; 1684 return 0; 1685 } 1686 memcpy(formats, sdata, formatslen); 1687 SSI(s)->tlsext_ecpointformatlist = formats; 1688 SSI(s)->tlsext_ecpointformatlist_length = 1689 formatslen; 1690 } 1691 } 1692 else if (type == TLSEXT_TYPE_session_ticket) { 1693 if (s->internal->tls_session_ticket_ext_cb && 1694 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { 1695 *al = TLS1_AD_INTERNAL_ERROR; 1696 return 0; 1697 } 1698 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1699 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1700 return 0; 1701 } 1702 s->internal->tlsext_ticket_expected = 1; 1703 } 1704 else if (type == TLSEXT_TYPE_status_request && 1705 s->version != DTLS1_VERSION) { 1706 /* MUST be empty and only sent if we've requested 1707 * a status request message. 1708 */ 1709 if ((s->tlsext_status_type == -1) || (size > 0)) { 1710 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1711 return 0; 1712 } 1713 /* Set flag to expect CertificateStatus message */ 1714 s->internal->tlsext_status_expected = 1; 1715 } 1716 else if (type == TLSEXT_TYPE_next_proto_neg && 1717 S3I(s)->tmp.finish_md_len == 0) { 1718 unsigned char *selected; 1719 unsigned char selected_len; 1720 1721 /* We must have requested it. */ 1722 if (s->ctx->internal->next_proto_select_cb == NULL) { 1723 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1724 return 0; 1725 } 1726 /* The data must be valid */ 1727 if (!ssl_next_proto_validate(data, size)) { 1728 *al = TLS1_AD_DECODE_ERROR; 1729 return 0; 1730 } 1731 if (s->ctx->internal->next_proto_select_cb(s, &selected, 1732 &selected_len, data, size, 1733 s->ctx->internal->next_proto_select_cb_arg) != 1734 SSL_TLSEXT_ERR_OK) { 1735 *al = TLS1_AD_INTERNAL_ERROR; 1736 return 0; 1737 } 1738 s->internal->next_proto_negotiated = malloc(selected_len); 1739 if (!s->internal->next_proto_negotiated) { 1740 *al = TLS1_AD_INTERNAL_ERROR; 1741 return 0; 1742 } 1743 memcpy(s->internal->next_proto_negotiated, selected, selected_len); 1744 s->internal->next_proto_negotiated_len = selected_len; 1745 S3I(s)->next_proto_neg_seen = 1; 1746 } 1747 else if (type == 1748 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1749 unsigned int len; 1750 1751 /* We must have requested it. */ 1752 if (s->internal->alpn_client_proto_list == NULL) { 1753 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1754 return 0; 1755 } 1756 if (size < 4) { 1757 *al = TLS1_AD_DECODE_ERROR; 1758 return (0); 1759 } 1760 1761 /* The extension data consists of: 1762 * uint16 list_length 1763 * uint8 proto_length; 1764 * uint8 proto[proto_length]; */ 1765 len = ((unsigned int)data[0]) << 8 | 1766 ((unsigned int)data[1]); 1767 if (len != (unsigned int)size - 2) { 1768 *al = TLS1_AD_DECODE_ERROR; 1769 return (0); 1770 } 1771 len = data[2]; 1772 if (len != (unsigned int)size - 3) { 1773 *al = TLS1_AD_DECODE_ERROR; 1774 return (0); 1775 } 1776 free(S3I(s)->alpn_selected); 1777 S3I(s)->alpn_selected = malloc(len); 1778 if (S3I(s)->alpn_selected == NULL) { 1779 *al = TLS1_AD_INTERNAL_ERROR; 1780 return (0); 1781 } 1782 memcpy(S3I(s)->alpn_selected, data + 3, len); 1783 S3I(s)->alpn_selected_len = len; 1784 1785 } else if (type == TLSEXT_TYPE_renegotiate) { 1786 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1787 return 0; 1788 renegotiate_seen = 1; 1789 } 1790 #ifndef OPENSSL_NO_SRTP 1791 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1792 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1793 size, al)) 1794 return 0; 1795 } 1796 #endif 1797 1798 data += size; 1799 1800 } 1801 1802 if (data != end) { 1803 *al = SSL_AD_DECODE_ERROR; 1804 return 0; 1805 } 1806 1807 if (!s->internal->hit && tlsext_servername == 1) { 1808 if (s->tlsext_hostname) { 1809 if (s->session->tlsext_hostname == NULL) { 1810 s->session->tlsext_hostname = 1811 strdup(s->tlsext_hostname); 1812 1813 if (!s->session->tlsext_hostname) { 1814 *al = SSL_AD_UNRECOGNIZED_NAME; 1815 return 0; 1816 } 1817 } else { 1818 *al = SSL_AD_DECODE_ERROR; 1819 return 0; 1820 } 1821 } 1822 } 1823 1824 *p = data; 1825 1826 ri_check: 1827 1828 /* Determine if we need to see RI. Strictly speaking if we want to 1829 * avoid an attack we should *always* see RI even on initial server 1830 * hello because the client doesn't see any renegotiation during an 1831 * attack. However this would mean we could not connect to any server 1832 * which doesn't support RI so for the immediate future tolerate RI 1833 * absence on initial connect only. 1834 */ 1835 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1836 *al = SSL_AD_HANDSHAKE_FAILURE; 1837 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1838 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1839 return 0; 1840 } 1841 1842 return 1; 1843 1844 err: 1845 *al = SSL_AD_DECODE_ERROR; 1846 return 0; 1847 } 1848 1849 int 1850 ssl_check_clienthello_tlsext_early(SSL *s) 1851 { 1852 int ret = SSL_TLSEXT_ERR_NOACK; 1853 int al = SSL_AD_UNRECOGNIZED_NAME; 1854 1855 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1856 * ssl3_choose_cipher in s3_lib.c. 1857 */ 1858 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1859 * ssl3_choose_cipher in s3_lib.c. 1860 */ 1861 1862 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 1863 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 1864 s->ctx->internal->tlsext_servername_arg); 1865 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 1866 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 1867 s->initial_ctx->internal->tlsext_servername_arg); 1868 1869 switch (ret) { 1870 case SSL_TLSEXT_ERR_ALERT_FATAL: 1871 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1872 return -1; 1873 case SSL_TLSEXT_ERR_ALERT_WARNING: 1874 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1875 return 1; 1876 case SSL_TLSEXT_ERR_NOACK: 1877 s->internal->servername_done = 0; 1878 default: 1879 return 1; 1880 } 1881 } 1882 1883 int 1884 ssl_check_clienthello_tlsext_late(SSL *s) 1885 { 1886 int ret = SSL_TLSEXT_ERR_OK; 1887 int al = 0; /* XXX gcc3 */ 1888 1889 /* If status request then ask callback what to do. 1890 * Note: this must be called after servername callbacks in case 1891 * the certificate has changed, and must be called after the cipher 1892 * has been chosen because this may influence which certificate is sent 1893 */ 1894 if ((s->tlsext_status_type != -1) && 1895 s->ctx && s->ctx->internal->tlsext_status_cb) { 1896 int r; 1897 CERT_PKEY *certpkey; 1898 certpkey = ssl_get_server_send_pkey(s); 1899 /* If no certificate can't return certificate status */ 1900 if (certpkey == NULL) { 1901 s->internal->tlsext_status_expected = 0; 1902 return 1; 1903 } 1904 /* Set current certificate to one we will use so 1905 * SSL_get_certificate et al can pick it up. 1906 */ 1907 s->cert->key = certpkey; 1908 r = s->ctx->internal->tlsext_status_cb(s, 1909 s->ctx->internal->tlsext_status_arg); 1910 switch (r) { 1911 /* We don't want to send a status request response */ 1912 case SSL_TLSEXT_ERR_NOACK: 1913 s->internal->tlsext_status_expected = 0; 1914 break; 1915 /* status request response should be sent */ 1916 case SSL_TLSEXT_ERR_OK: 1917 if (s->internal->tlsext_ocsp_resp) 1918 s->internal->tlsext_status_expected = 1; 1919 else 1920 s->internal->tlsext_status_expected = 0; 1921 break; 1922 /* something bad happened */ 1923 case SSL_TLSEXT_ERR_ALERT_FATAL: 1924 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1925 al = SSL_AD_INTERNAL_ERROR; 1926 goto err; 1927 } 1928 } else 1929 s->internal->tlsext_status_expected = 0; 1930 1931 err: 1932 switch (ret) { 1933 case SSL_TLSEXT_ERR_ALERT_FATAL: 1934 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1935 return -1; 1936 case SSL_TLSEXT_ERR_ALERT_WARNING: 1937 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1938 return 1; 1939 default: 1940 return 1; 1941 } 1942 } 1943 1944 int 1945 ssl_check_serverhello_tlsext(SSL *s) 1946 { 1947 int ret = SSL_TLSEXT_ERR_NOACK; 1948 int al = SSL_AD_UNRECOGNIZED_NAME; 1949 1950 /* If we are client and using an elliptic curve cryptography cipher 1951 * suite, then if server returns an EC point formats lists extension 1952 * it must contain uncompressed. 1953 */ 1954 unsigned long alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; 1955 unsigned long alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; 1956 if ((s->internal->tlsext_ecpointformatlist != NULL) && 1957 (s->internal->tlsext_ecpointformatlist_length > 0) && 1958 (SSI(s)->tlsext_ecpointformatlist != NULL) && 1959 (SSI(s)->tlsext_ecpointformatlist_length > 0) && 1960 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1961 /* we are using an ECC cipher */ 1962 size_t i; 1963 unsigned char *list; 1964 int found_uncompressed = 0; 1965 list = SSI(s)->tlsext_ecpointformatlist; 1966 for (i = 0; i < SSI(s)->tlsext_ecpointformatlist_length; i++) { 1967 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1968 found_uncompressed = 1; 1969 break; 1970 } 1971 } 1972 if (!found_uncompressed) { 1973 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1974 return -1; 1975 } 1976 } 1977 ret = SSL_TLSEXT_ERR_OK; 1978 1979 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 1980 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 1981 s->ctx->internal->tlsext_servername_arg); 1982 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 1983 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 1984 s->initial_ctx->internal->tlsext_servername_arg); 1985 1986 /* If we've requested certificate status and we wont get one 1987 * tell the callback 1988 */ 1989 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && 1990 s->ctx && s->ctx->internal->tlsext_status_cb) { 1991 int r; 1992 /* Set resp to NULL, resplen to -1 so callback knows 1993 * there is no response. 1994 */ 1995 free(s->internal->tlsext_ocsp_resp); 1996 s->internal->tlsext_ocsp_resp = NULL; 1997 s->internal->tlsext_ocsp_resplen = -1; 1998 r = s->ctx->internal->tlsext_status_cb(s, 1999 s->ctx->internal->tlsext_status_arg); 2000 if (r == 0) { 2001 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2002 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2003 } 2004 if (r < 0) { 2005 al = SSL_AD_INTERNAL_ERROR; 2006 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2007 } 2008 } 2009 2010 switch (ret) { 2011 case SSL_TLSEXT_ERR_ALERT_FATAL: 2012 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2013 2014 return -1; 2015 case SSL_TLSEXT_ERR_ALERT_WARNING: 2016 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2017 2018 return 1; 2019 case SSL_TLSEXT_ERR_NOACK: 2020 s->internal->servername_done = 0; 2021 default: 2022 return 1; 2023 } 2024 } 2025 2026 /* Since the server cache lookup is done early on in the processing of the 2027 * ClientHello, and other operations depend on the result, we need to handle 2028 * any TLS session ticket extension at the same time. 2029 * 2030 * session_id: points at the session ID in the ClientHello. This code will 2031 * read past the end of this in order to parse out the session ticket 2032 * extension, if any. 2033 * len: the length of the session ID. 2034 * limit: a pointer to the first byte after the ClientHello. 2035 * ret: (output) on return, if a ticket was decrypted, then this is set to 2036 * point to the resulting session. 2037 * 2038 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key 2039 * ciphersuite, in which case we have no use for session tickets and one will 2040 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. 2041 * 2042 * Returns: 2043 * -1: fatal error, either from parsing or decrypting the ticket. 2044 * 0: no ticket was found (or was ignored, based on settings). 2045 * 1: a zero length extension was found, indicating that the client supports 2046 * session tickets but doesn't currently have one to offer. 2047 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but 2048 * couldn't be decrypted because of a non-fatal error. 2049 * 3: a ticket was successfully decrypted and *ret was set. 2050 * 2051 * Side effects: 2052 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue 2053 * a new session ticket to the client because the client indicated support 2054 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have 2055 * a session ticket or we couldn't use the one it gave us, or if 2056 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2057 * Otherwise, s->internal->tlsext_ticket_expected is set to 0. 2058 */ 2059 int 2060 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2061 const unsigned char *limit, SSL_SESSION **ret) 2062 { 2063 /* Point after session ID in client hello */ 2064 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2065 2066 *ret = NULL; 2067 s->internal->tlsext_ticket_expected = 0; 2068 2069 /* If tickets disabled behave as if no ticket present 2070 * to permit stateful resumption. 2071 */ 2072 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2073 return 0; 2074 if (!limit) 2075 return 0; 2076 2077 if (limit < session) 2078 return -1; 2079 2080 CBS_init(&session_id, session, limit - session); 2081 2082 /* Skip past the session id */ 2083 if (!CBS_skip(&session_id, session_len)) 2084 return -1; 2085 2086 /* Skip past DTLS cookie */ 2087 if (SSL_IS_DTLS(s)) { 2088 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2089 return -1; 2090 } 2091 2092 /* Skip past cipher list */ 2093 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2094 return -1; 2095 2096 /* Skip past compression algorithm list */ 2097 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2098 return -1; 2099 2100 /* Now at start of extensions */ 2101 if (CBS_len(&session_id) == 0) 2102 return 0; 2103 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2104 return -1; 2105 2106 while (CBS_len(&extensions) > 0) { 2107 CBS ext_data; 2108 uint16_t ext_type; 2109 2110 if (!CBS_get_u16(&extensions, &ext_type) || 2111 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2112 return -1; 2113 2114 if (ext_type == TLSEXT_TYPE_session_ticket) { 2115 int r; 2116 if (CBS_len(&ext_data) == 0) { 2117 /* The client will accept a ticket but doesn't 2118 * currently have one. */ 2119 s->internal->tlsext_ticket_expected = 1; 2120 return 1; 2121 } 2122 if (s->internal->tls_session_secret_cb) { 2123 /* Indicate that the ticket couldn't be 2124 * decrypted rather than generating the session 2125 * from ticket now, trigger abbreviated 2126 * handshake based on external mechanism to 2127 * calculate the master secret later. */ 2128 return 2; 2129 } 2130 2131 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2132 CBS_len(&ext_data), session, session_len, ret); 2133 2134 switch (r) { 2135 case 2: /* ticket couldn't be decrypted */ 2136 s->internal->tlsext_ticket_expected = 1; 2137 return 2; 2138 case 3: /* ticket was decrypted */ 2139 return r; 2140 case 4: /* ticket decrypted but need to renew */ 2141 s->internal->tlsext_ticket_expected = 1; 2142 return 3; 2143 default: /* fatal error */ 2144 return -1; 2145 } 2146 } 2147 } 2148 return 0; 2149 } 2150 2151 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2152 * 2153 * etick: points to the body of the session ticket extension. 2154 * eticklen: the length of the session tickets extenion. 2155 * sess_id: points at the session ID. 2156 * sesslen: the length of the session ID. 2157 * psess: (output) on return, if a ticket was decrypted, then this is set to 2158 * point to the resulting session. 2159 * 2160 * Returns: 2161 * -1: fatal error, either from parsing or decrypting the ticket. 2162 * 2: the ticket couldn't be decrypted. 2163 * 3: a ticket was successfully decrypted and *psess was set. 2164 * 4: same as 3, but the ticket needs to be renewed. 2165 */ 2166 static int 2167 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2168 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2169 { 2170 SSL_SESSION *sess; 2171 unsigned char *sdec; 2172 const unsigned char *p; 2173 int slen, mlen, renew_ticket = 0; 2174 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2175 HMAC_CTX hctx; 2176 EVP_CIPHER_CTX ctx; 2177 SSL_CTX *tctx = s->initial_ctx; 2178 2179 /* 2180 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 2181 * the iv to tlsext_ticket_key_cb(). Since the total space 2182 * required for a session cookie is never less than this, 2183 * this check isn't too strict. The exact check comes later. 2184 */ 2185 if (eticklen < 16 + EVP_MAX_IV_LENGTH) 2186 return 2; 2187 2188 /* Initialize session ticket encryption and HMAC contexts */ 2189 HMAC_CTX_init(&hctx); 2190 EVP_CIPHER_CTX_init(&ctx); 2191 if (tctx->internal->tlsext_ticket_key_cb) { 2192 unsigned char *nctick = (unsigned char *)etick; 2193 int rv = tctx->internal->tlsext_ticket_key_cb(s, 2194 nctick, nctick + 16, &ctx, &hctx, 0); 2195 if (rv < 0) { 2196 HMAC_CTX_cleanup(&hctx); 2197 EVP_CIPHER_CTX_cleanup(&ctx); 2198 return -1; 2199 } 2200 if (rv == 0) { 2201 HMAC_CTX_cleanup(&hctx); 2202 EVP_CIPHER_CTX_cleanup(&ctx); 2203 return 2; 2204 } 2205 if (rv == 2) 2206 renew_ticket = 1; 2207 } else { 2208 /* Check key name matches */ 2209 if (timingsafe_memcmp(etick, 2210 tctx->internal->tlsext_tick_key_name, 16)) 2211 return 2; 2212 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, 2213 16, tlsext_tick_md(), NULL); 2214 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2215 tctx->internal->tlsext_tick_aes_key, etick + 16); 2216 } 2217 2218 /* 2219 * Attempt to process session ticket, first conduct sanity and 2220 * integrity checks on ticket. 2221 */ 2222 mlen = HMAC_size(&hctx); 2223 if (mlen < 0) { 2224 HMAC_CTX_cleanup(&hctx); 2225 EVP_CIPHER_CTX_cleanup(&ctx); 2226 return -1; 2227 } 2228 2229 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2230 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2231 HMAC_CTX_cleanup(&hctx); 2232 EVP_CIPHER_CTX_cleanup(&ctx); 2233 return 2; 2234 } 2235 eticklen -= mlen; 2236 2237 /* Check HMAC of encrypted ticket */ 2238 if (HMAC_Update(&hctx, etick, eticklen) <= 0 || 2239 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2240 HMAC_CTX_cleanup(&hctx); 2241 EVP_CIPHER_CTX_cleanup(&ctx); 2242 return -1; 2243 } 2244 2245 HMAC_CTX_cleanup(&hctx); 2246 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2247 EVP_CIPHER_CTX_cleanup(&ctx); 2248 return 2; 2249 } 2250 2251 /* Attempt to decrypt session data */ 2252 /* Move p after IV to start of encrypted ticket, update length */ 2253 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2254 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2255 sdec = malloc(eticklen); 2256 if (sdec == NULL || 2257 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2258 free(sdec); 2259 EVP_CIPHER_CTX_cleanup(&ctx); 2260 return -1; 2261 } 2262 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2263 free(sdec); 2264 EVP_CIPHER_CTX_cleanup(&ctx); 2265 return 2; 2266 } 2267 slen += mlen; 2268 EVP_CIPHER_CTX_cleanup(&ctx); 2269 p = sdec; 2270 2271 sess = d2i_SSL_SESSION(NULL, &p, slen); 2272 free(sdec); 2273 if (sess) { 2274 /* The session ID, if non-empty, is used by some clients to 2275 * detect that the ticket has been accepted. So we copy it to 2276 * the session structure. If it is empty set length to zero 2277 * as required by standard. 2278 */ 2279 if (sesslen) 2280 memcpy(sess->session_id, sess_id, sesslen); 2281 sess->session_id_length = sesslen; 2282 *psess = sess; 2283 if (renew_ticket) 2284 return 4; 2285 else 2286 return 3; 2287 } 2288 ERR_clear_error(); 2289 /* For session parse failure, indicate that we need to send a new 2290 * ticket. */ 2291 return 2; 2292 } 2293 2294 /* Tables to translate from NIDs to TLS v1.2 ids */ 2295 2296 typedef struct { 2297 int nid; 2298 int id; 2299 } tls12_lookup; 2300 2301 static tls12_lookup tls12_md[] = { 2302 {NID_md5, TLSEXT_hash_md5}, 2303 {NID_sha1, TLSEXT_hash_sha1}, 2304 {NID_sha224, TLSEXT_hash_sha224}, 2305 {NID_sha256, TLSEXT_hash_sha256}, 2306 {NID_sha384, TLSEXT_hash_sha384}, 2307 {NID_sha512, TLSEXT_hash_sha512}, 2308 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2309 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2310 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2311 }; 2312 2313 static tls12_lookup tls12_sig[] = { 2314 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2315 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2316 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2317 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2318 }; 2319 2320 static int 2321 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2322 { 2323 size_t i; 2324 for (i = 0; i < tlen; i++) { 2325 if (table[i].nid == nid) 2326 return table[i].id; 2327 } 2328 return -1; 2329 } 2330 2331 int 2332 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2333 { 2334 int sig_id, md_id; 2335 if (!md) 2336 return 0; 2337 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2338 sizeof(tls12_md) / sizeof(tls12_lookup)); 2339 if (md_id == -1) 2340 return 0; 2341 sig_id = tls12_get_sigid(pk); 2342 if (sig_id == -1) 2343 return 0; 2344 p[0] = (unsigned char)md_id; 2345 p[1] = (unsigned char)sig_id; 2346 return 1; 2347 } 2348 2349 int 2350 tls12_get_sigid(const EVP_PKEY *pk) 2351 { 2352 return tls12_find_id(pk->type, tls12_sig, 2353 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2354 } 2355 2356 const EVP_MD * 2357 tls12_get_hash(unsigned char hash_alg) 2358 { 2359 switch (hash_alg) { 2360 case TLSEXT_hash_sha1: 2361 return EVP_sha1(); 2362 case TLSEXT_hash_sha224: 2363 return EVP_sha224(); 2364 case TLSEXT_hash_sha256: 2365 return EVP_sha256(); 2366 case TLSEXT_hash_sha384: 2367 return EVP_sha384(); 2368 case TLSEXT_hash_sha512: 2369 return EVP_sha512(); 2370 #ifndef OPENSSL_NO_GOST 2371 case TLSEXT_hash_gost94: 2372 return EVP_gostr341194(); 2373 case TLSEXT_hash_streebog_256: 2374 return EVP_streebog256(); 2375 case TLSEXT_hash_streebog_512: 2376 return EVP_streebog512(); 2377 #endif 2378 default: 2379 return NULL; 2380 } 2381 } 2382 2383 /* Set preferred digest for each key type */ 2384 2385 int 2386 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2387 { 2388 int idx; 2389 const EVP_MD *md; 2390 CERT *c = s->cert; 2391 CBS cbs; 2392 2393 /* Extension ignored for inappropriate versions */ 2394 if (!SSL_USE_SIGALGS(s)) 2395 return 1; 2396 2397 /* Should never happen */ 2398 if (!c || dsize < 0) 2399 return 0; 2400 2401 CBS_init(&cbs, data, dsize); 2402 2403 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2404 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2405 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2406 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2407 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2408 2409 while (CBS_len(&cbs) > 0) { 2410 uint8_t hash_alg, sig_alg; 2411 2412 if (!CBS_get_u8(&cbs, &hash_alg) || 2413 !CBS_get_u8(&cbs, &sig_alg)) { 2414 /* Should never happen */ 2415 return 0; 2416 } 2417 2418 switch (sig_alg) { 2419 case TLSEXT_signature_rsa: 2420 idx = SSL_PKEY_RSA_SIGN; 2421 break; 2422 case TLSEXT_signature_dsa: 2423 idx = SSL_PKEY_DSA_SIGN; 2424 break; 2425 case TLSEXT_signature_ecdsa: 2426 idx = SSL_PKEY_ECC; 2427 break; 2428 case TLSEXT_signature_gostr01: 2429 case TLSEXT_signature_gostr12_256: 2430 case TLSEXT_signature_gostr12_512: 2431 idx = SSL_PKEY_GOST01; 2432 break; 2433 default: 2434 continue; 2435 } 2436 2437 if (c->pkeys[idx].digest == NULL) { 2438 md = tls12_get_hash(hash_alg); 2439 if (md) { 2440 c->pkeys[idx].digest = md; 2441 if (idx == SSL_PKEY_RSA_SIGN) 2442 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2443 } 2444 } 2445 2446 } 2447 2448 /* Set any remaining keys to default values. NOTE: if alg is not 2449 * supported it stays as NULL. 2450 */ 2451 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2452 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2453 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2454 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2455 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2456 } 2457 if (!c->pkeys[SSL_PKEY_ECC].digest) 2458 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2459 #ifndef OPENSSL_NO_GOST 2460 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2461 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2462 #endif 2463 return 1; 2464 } 2465