1 /* $OpenBSD: t1_lib.c,v 1.83 2015/08/19 23:34:34 bcook Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409 { 410 CBS cbs; 411 const uint16_t *curves; 412 size_t curveslen, i; 413 uint8_t type; 414 uint16_t cid; 415 416 CBS_init(&cbs, p, len); 417 418 /* Only named curves are supported. */ 419 if (CBS_len(&cbs) != 3 || 420 !CBS_get_u8(&cbs, &type) || 421 type != NAMED_CURVE_TYPE || 422 !CBS_get_u16(&cbs, &cid)) 423 return (0); 424 425 tls1_get_curvelist(s, 0, &curves, &curveslen); 426 427 for (i = 0; i < curveslen; i++) { 428 if (curves[i] == cid) 429 return (1); 430 } 431 return (0); 432 } 433 434 int 435 tls1_get_shared_curve(SSL *s) 436 { 437 size_t preflen, supplen, i, j; 438 const uint16_t *pref, *supp; 439 unsigned long server_pref; 440 441 /* Cannot do anything on the client side. */ 442 if (s->server == 0) 443 return (NID_undef); 444 445 /* Return first preference shared curve. */ 446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449 450 for (i = 0; i < preflen; i++) { 451 for (j = 0; j < supplen; j++) { 452 if (pref[i] == supp[j]) 453 return (tls1_ec_curve_id2nid(pref[i])); 454 } 455 } 456 return (NID_undef); 457 } 458 459 /* For an EC key set TLS ID and required compression based on parameters. */ 460 static int 461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462 { 463 const EC_GROUP *grp; 464 const EC_METHOD *meth; 465 int is_prime = 0; 466 int nid, id; 467 468 if (ec == NULL) 469 return (0); 470 471 /* Determine if it is a prime field. */ 472 if ((grp = EC_KEY_get0_group(ec)) == NULL) 473 return (0); 474 if ((meth = EC_GROUP_method_of(grp)) == NULL) 475 return (0); 476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477 is_prime = 1; 478 479 /* Determine curve ID. */ 480 nid = EC_GROUP_get_curve_name(grp); 481 id = tls1_ec_nid2curve_id(nid); 482 483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484 if (id != 0) 485 *curve_id = id; 486 else 487 *curve_id = is_prime ? 0xff01 : 0xff02; 488 489 /* Specify the compression identifier. */ 490 if (comp_id != NULL) { 491 if (EC_KEY_get0_public_key(ec) == NULL) 492 return (0); 493 494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495 *comp_id = is_prime ? 496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498 } else { 499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500 } 501 } 502 return (1); 503 } 504 505 /* Check that an EC key is compatible with extensions. */ 506 static int 507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508 { 509 size_t curveslen, formatslen, i; 510 const uint16_t *curves; 511 const uint8_t *formats; 512 513 /* 514 * Check point formats extension if present, otherwise everything 515 * is supported (see RFC4492). 516 */ 517 tls1_get_formatlist(s, 1, &formats, &formatslen); 518 if (comp_id != NULL && formats != NULL) { 519 for (i = 0; i < formatslen; i++) { 520 if (formats[i] == *comp_id) 521 break; 522 } 523 if (i == formatslen) 524 return (0); 525 } 526 527 /* 528 * Check curve list if present, otherwise everything is supported. 529 */ 530 tls1_get_curvelist(s, 1, &curves, &curveslen); 531 if (curve_id != NULL && curves != NULL) { 532 for (i = 0; i < curveslen; i++) { 533 if (curves[i] == *curve_id) 534 break; 535 } 536 if (i == curveslen) 537 return (0); 538 } 539 540 return (1); 541 } 542 543 /* Check EC server key is compatible with client extensions. */ 544 int 545 tls1_check_ec_server_key(SSL *s) 546 { 547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548 uint16_t curve_id; 549 uint8_t comp_id; 550 EVP_PKEY *pkey; 551 int rv; 552 553 if (cpk->x509 == NULL || cpk->privatekey == NULL) 554 return (0); 555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556 return (0); 557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558 EVP_PKEY_free(pkey); 559 if (rv != 1) 560 return (0); 561 562 return tls1_check_ec_key(s, &curve_id, &comp_id); 563 } 564 565 /* Check EC temporary key is compatible with client extensions. */ 566 int 567 tls1_check_ec_tmp_key(SSL *s) 568 { 569 EC_KEY *ec = s->cert->ecdh_tmp; 570 uint16_t curve_id; 571 572 if (s->cert->ecdh_tmp_auto != 0) { 573 /* Need a shared curve. */ 574 if (tls1_get_shared_curve(s) != NID_undef) 575 return (1); 576 return (0); 577 } 578 579 if (ec == NULL) { 580 if (s->cert->ecdh_tmp_cb != NULL) 581 return (1); 582 return (0); 583 } 584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585 return (0); 586 587 return tls1_check_ec_key(s, &curve_id, NULL); 588 } 589 590 /* 591 * List of supported signature algorithms and hashes. Should make this 592 * customisable at some point, for now include everything we support. 593 */ 594 595 static unsigned char tls12_sigalgs[] = { 596 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601 #endif 602 603 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606 607 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610 611 #ifndef OPENSSL_NO_GOST 612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614 #endif 615 616 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619 620 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623 }; 624 625 int 626 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627 { 628 size_t slen = sizeof(tls12_sigalgs); 629 630 if (p) 631 memcpy(p, tls12_sigalgs, slen); 632 return (int)slen; 633 } 634 635 unsigned char * 636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637 { 638 int extdatalen = 0; 639 unsigned char *ret = p; 640 int using_ecc = 0; 641 642 /* See if we support any ECC ciphersuites. */ 643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645 unsigned long alg_k, alg_a; 646 int i; 647 648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650 651 alg_k = c->algorithm_mkey; 652 alg_a = c->algorithm_auth; 653 654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655 (alg_a & SSL_aECDSA))) { 656 using_ecc = 1; 657 break; 658 } 659 } 660 } 661 662 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 663 if (s->client_version == SSL3_VERSION && 664 !s->s3->send_connection_binding) 665 return p; 666 667 ret += 2; 668 669 if (ret >= limit) 670 return NULL; /* this really never occurs, but ... */ 671 672 if (s->tlsext_hostname != NULL) { 673 /* Add TLS extension servername to the Client Hello message */ 674 size_t size_str, lenmax; 675 676 /* check for enough space. 677 4 for the servername type and extension length 678 2 for servernamelist length 679 1 for the hostname type 680 2 for hostname length 681 + hostname length 682 */ 683 684 if ((size_t)(limit - ret) < 9) 685 return NULL; 686 687 lenmax = limit - ret - 9; 688 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 689 return NULL; 690 691 /* extension type and length */ 692 s2n(TLSEXT_TYPE_server_name, ret); 693 694 s2n(size_str + 5, ret); 695 696 /* length of servername list */ 697 s2n(size_str + 3, ret); 698 699 /* hostname type, length and hostname */ 700 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 701 s2n(size_str, ret); 702 memcpy(ret, s->tlsext_hostname, size_str); 703 ret += size_str; 704 } 705 706 /* Add RI if renegotiating */ 707 if (s->renegotiate) { 708 int el; 709 710 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 711 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 712 ERR_R_INTERNAL_ERROR); 713 return NULL; 714 } 715 716 if ((size_t)(limit - ret) < 4 + el) 717 return NULL; 718 719 s2n(TLSEXT_TYPE_renegotiate, ret); 720 s2n(el, ret); 721 722 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 723 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 724 ERR_R_INTERNAL_ERROR); 725 return NULL; 726 } 727 728 ret += el; 729 } 730 731 if (using_ecc) { 732 size_t curveslen, formatslen, lenmax; 733 const uint16_t *curves; 734 const uint8_t *formats; 735 int i; 736 737 /* 738 * Add TLS extension ECPointFormats to the ClientHello message. 739 */ 740 tls1_get_formatlist(s, 0, &formats, &formatslen); 741 742 if ((size_t)(limit - ret) < 5) 743 return NULL; 744 745 lenmax = limit - ret - 5; 746 if (formatslen > lenmax) 747 return NULL; 748 if (formatslen > 255) { 749 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 750 ERR_R_INTERNAL_ERROR); 751 return NULL; 752 } 753 754 s2n(TLSEXT_TYPE_ec_point_formats, ret); 755 s2n(formatslen + 1, ret); 756 *(ret++) = (unsigned char)formatslen; 757 memcpy(ret, formats, formatslen); 758 ret += formatslen; 759 760 /* 761 * Add TLS extension EllipticCurves to the ClientHello message. 762 */ 763 tls1_get_curvelist(s, 0, &curves, &curveslen); 764 765 if ((size_t)(limit - ret) < 6) 766 return NULL; 767 768 lenmax = limit - ret - 6; 769 if (curveslen > lenmax) 770 return NULL; 771 if (curveslen > 65532) { 772 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 773 ERR_R_INTERNAL_ERROR); 774 return NULL; 775 } 776 777 s2n(TLSEXT_TYPE_elliptic_curves, ret); 778 s2n((curveslen * 2) + 2, ret); 779 780 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 781 * elliptic_curve_list, but the examples use two bytes. 782 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 783 * resolves this to two bytes. 784 */ 785 s2n(curveslen * 2, ret); 786 for (i = 0; i < curveslen; i++) 787 s2n(curves[i], ret); 788 } 789 790 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 791 int ticklen; 792 if (!s->new_session && s->session && s->session->tlsext_tick) 793 ticklen = s->session->tlsext_ticklen; 794 else if (s->session && s->tlsext_session_ticket && 795 s->tlsext_session_ticket->data) { 796 ticklen = s->tlsext_session_ticket->length; 797 s->session->tlsext_tick = malloc(ticklen); 798 if (!s->session->tlsext_tick) 799 return NULL; 800 memcpy(s->session->tlsext_tick, 801 s->tlsext_session_ticket->data, ticklen); 802 s->session->tlsext_ticklen = ticklen; 803 } else 804 ticklen = 0; 805 if (ticklen == 0 && s->tlsext_session_ticket && 806 s->tlsext_session_ticket->data == NULL) 807 goto skip_ext; 808 /* Check for enough room 2 for extension type, 2 for len 809 * rest for ticket 810 */ 811 if ((size_t)(limit - ret) < 4 + ticklen) 812 return NULL; 813 s2n(TLSEXT_TYPE_session_ticket, ret); 814 815 s2n(ticklen, ret); 816 if (ticklen) { 817 memcpy(ret, s->session->tlsext_tick, ticklen); 818 ret += ticklen; 819 } 820 } 821 skip_ext: 822 823 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 824 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 825 return NULL; 826 827 s2n(TLSEXT_TYPE_signature_algorithms, ret); 828 s2n(sizeof(tls12_sigalgs) + 2, ret); 829 s2n(sizeof(tls12_sigalgs), ret); 830 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 831 ret += sizeof(tls12_sigalgs); 832 } 833 834 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 835 s->version != DTLS1_VERSION) { 836 int i; 837 long extlen, idlen, itmp; 838 OCSP_RESPID *id; 839 840 idlen = 0; 841 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 842 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 843 itmp = i2d_OCSP_RESPID(id, NULL); 844 if (itmp <= 0) 845 return NULL; 846 idlen += itmp + 2; 847 } 848 849 if (s->tlsext_ocsp_exts) { 850 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 851 if (extlen < 0) 852 return NULL; 853 } else 854 extlen = 0; 855 856 if ((size_t)(limit - ret) < 7 + extlen + idlen) 857 return NULL; 858 s2n(TLSEXT_TYPE_status_request, ret); 859 if (extlen + idlen > 0xFFF0) 860 return NULL; 861 s2n(extlen + idlen + 5, ret); 862 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 863 s2n(idlen, ret); 864 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 865 /* save position of id len */ 866 unsigned char *q = ret; 867 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 868 /* skip over id len */ 869 ret += 2; 870 itmp = i2d_OCSP_RESPID(id, &ret); 871 /* write id len */ 872 s2n(itmp, q); 873 } 874 s2n(extlen, ret); 875 if (extlen > 0) 876 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 877 } 878 879 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 880 /* The client advertises an emtpy extension to indicate its 881 * support for Next Protocol Negotiation */ 882 if ((size_t)(limit - ret) < 4) 883 return NULL; 884 s2n(TLSEXT_TYPE_next_proto_neg, ret); 885 s2n(0, ret); 886 } 887 888 if (s->alpn_client_proto_list != NULL && 889 s->s3->tmp.finish_md_len == 0) { 890 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 891 return (NULL); 892 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 893 s2n(2 + s->alpn_client_proto_list_len, ret); 894 s2n(s->alpn_client_proto_list_len, ret); 895 memcpy(ret, s->alpn_client_proto_list, 896 s->alpn_client_proto_list_len); 897 ret += s->alpn_client_proto_list_len; 898 } 899 900 #ifndef OPENSSL_NO_SRTP 901 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 902 int el; 903 904 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 905 906 if ((size_t)(limit - ret) < 4 + el) 907 return NULL; 908 909 s2n(TLSEXT_TYPE_use_srtp, ret); 910 s2n(el, ret); 911 912 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 913 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 914 ERR_R_INTERNAL_ERROR); 915 return NULL; 916 } 917 ret += el; 918 } 919 #endif 920 921 /* 922 * Add padding to workaround bugs in F5 terminators. 923 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 924 * 925 * Note that this seems to trigger issues with IronPort SMTP 926 * appliances. 927 * 928 * NB: because this code works out the length of all existing 929 * extensions it MUST always appear last. 930 */ 931 if (s->options & SSL_OP_TLSEXT_PADDING) { 932 int hlen = ret - (unsigned char *)s->init_buf->data; 933 934 /* 935 * The code in s23_clnt.c to build ClientHello messages 936 * includes the 5-byte record header in the buffer, while the 937 * code in s3_clnt.c does not. 938 */ 939 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 940 hlen -= 5; 941 if (hlen > 0xff && hlen < 0x200) { 942 hlen = 0x200 - hlen; 943 if (hlen >= 4) 944 hlen -= 4; 945 else 946 hlen = 0; 947 948 s2n(TLSEXT_TYPE_padding, ret); 949 s2n(hlen, ret); 950 memset(ret, 0, hlen); 951 ret += hlen; 952 } 953 } 954 955 if ((extdatalen = ret - p - 2) == 0) 956 return p; 957 958 s2n(extdatalen, p); 959 return ret; 960 } 961 962 unsigned char * 963 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 964 { 965 int using_ecc, extdatalen = 0; 966 unsigned long alg_a, alg_k; 967 unsigned char *ret = p; 968 int next_proto_neg_seen; 969 970 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 971 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 972 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 973 alg_a & SSL_aECDSA) && 974 s->session->tlsext_ecpointformatlist != NULL; 975 976 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 977 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 978 return p; 979 980 ret += 2; 981 if (ret >= limit) 982 return NULL; /* this really never occurs, but ... */ 983 984 if (!s->hit && s->servername_done == 1 && 985 s->session->tlsext_hostname != NULL) { 986 if ((size_t)(limit - ret) < 4) 987 return NULL; 988 989 s2n(TLSEXT_TYPE_server_name, ret); 990 s2n(0, ret); 991 } 992 993 if (s->s3->send_connection_binding) { 994 int el; 995 996 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 997 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 998 ERR_R_INTERNAL_ERROR); 999 return NULL; 1000 } 1001 1002 if ((size_t)(limit - ret) < 4 + el) 1003 return NULL; 1004 1005 s2n(TLSEXT_TYPE_renegotiate, ret); 1006 s2n(el, ret); 1007 1008 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1009 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1010 ERR_R_INTERNAL_ERROR); 1011 return NULL; 1012 } 1013 1014 ret += el; 1015 } 1016 1017 if (using_ecc && s->version != DTLS1_VERSION) { 1018 const unsigned char *formats; 1019 size_t formatslen, lenmax; 1020 1021 /* 1022 * Add TLS extension ECPointFormats to the ServerHello message. 1023 */ 1024 tls1_get_formatlist(s, 0, &formats, &formatslen); 1025 1026 if ((size_t)(limit - ret) < 5) 1027 return NULL; 1028 1029 lenmax = limit - ret - 5; 1030 if (formatslen > lenmax) 1031 return NULL; 1032 if (formatslen > 255) { 1033 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1034 ERR_R_INTERNAL_ERROR); 1035 return NULL; 1036 } 1037 1038 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1039 s2n(formatslen + 1, ret); 1040 *(ret++) = (unsigned char)formatslen; 1041 memcpy(ret, formats, formatslen); 1042 ret += formatslen; 1043 } 1044 1045 /* 1046 * Currently the server should not respond with a SupportedCurves 1047 * extension. 1048 */ 1049 1050 if (s->tlsext_ticket_expected && 1051 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1052 if ((size_t)(limit - ret) < 4) 1053 return NULL; 1054 1055 s2n(TLSEXT_TYPE_session_ticket, ret); 1056 s2n(0, ret); 1057 } 1058 1059 if (s->tlsext_status_expected) { 1060 if ((size_t)(limit - ret) < 4) 1061 return NULL; 1062 1063 s2n(TLSEXT_TYPE_status_request, ret); 1064 s2n(0, ret); 1065 } 1066 1067 #ifndef OPENSSL_NO_SRTP 1068 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1069 int el; 1070 1071 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1072 1073 if ((size_t)(limit - ret) < 4 + el) 1074 return NULL; 1075 1076 s2n(TLSEXT_TYPE_use_srtp, ret); 1077 s2n(el, ret); 1078 1079 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1080 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1081 ERR_R_INTERNAL_ERROR); 1082 return NULL; 1083 } 1084 ret += el; 1085 } 1086 #endif 1087 1088 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1089 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1090 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1091 static const unsigned char cryptopro_ext[36] = { 1092 0xfd, 0xe8, /*65000*/ 1093 0x00, 0x20, /*32 bytes length*/ 1094 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1095 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1096 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1097 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1098 }; 1099 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1100 return NULL; 1101 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1102 ret += sizeof(cryptopro_ext); 1103 } 1104 1105 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1106 s->s3->next_proto_neg_seen = 0; 1107 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1108 const unsigned char *npa; 1109 unsigned int npalen; 1110 int r; 1111 1112 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1113 s->ctx->next_protos_advertised_cb_arg); 1114 if (r == SSL_TLSEXT_ERR_OK) { 1115 if ((size_t)(limit - ret) < 4 + npalen) 1116 return NULL; 1117 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1118 s2n(npalen, ret); 1119 memcpy(ret, npa, npalen); 1120 ret += npalen; 1121 s->s3->next_proto_neg_seen = 1; 1122 } 1123 } 1124 1125 if (s->s3->alpn_selected != NULL) { 1126 const unsigned char *selected = s->s3->alpn_selected; 1127 unsigned int len = s->s3->alpn_selected_len; 1128 1129 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1130 return (NULL); 1131 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1132 s2n(3 + len, ret); 1133 s2n(1 + len, ret); 1134 *ret++ = len; 1135 memcpy(ret, selected, len); 1136 ret += len; 1137 } 1138 1139 if ((extdatalen = ret - p - 2) == 0) 1140 return p; 1141 1142 s2n(extdatalen, p); 1143 return ret; 1144 } 1145 1146 /* 1147 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1148 * ClientHello. 1149 * data: the contents of the extension, not including the type and length. 1150 * data_len: the number of bytes in data. 1151 * al: a pointer to the alert value to send in the event of a non-zero 1152 * return. 1153 * returns: 1 on success. 1154 */ 1155 static int 1156 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1157 unsigned int data_len, int *al) 1158 { 1159 CBS cbs, proto_name_list, alpn; 1160 const unsigned char *selected; 1161 unsigned char selected_len; 1162 int r; 1163 1164 if (s->ctx->alpn_select_cb == NULL) 1165 return (1); 1166 1167 if (data_len < 2) 1168 goto parse_error; 1169 1170 CBS_init(&cbs, data, data_len); 1171 1172 /* 1173 * data should contain a uint16 length followed by a series of 8-bit, 1174 * length-prefixed strings. 1175 */ 1176 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1177 CBS_len(&alpn) < 2 || 1178 CBS_len(&cbs) != 0) 1179 goto parse_error; 1180 1181 /* Validate data before sending to callback. */ 1182 CBS_dup(&alpn, &proto_name_list); 1183 while (CBS_len(&proto_name_list) > 0) { 1184 CBS proto_name; 1185 1186 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1187 CBS_len(&proto_name) == 0) 1188 goto parse_error; 1189 } 1190 1191 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1192 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1193 if (r == SSL_TLSEXT_ERR_OK) { 1194 free(s->s3->alpn_selected); 1195 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1196 *al = SSL_AD_INTERNAL_ERROR; 1197 return (-1); 1198 } 1199 memcpy(s->s3->alpn_selected, selected, selected_len); 1200 s->s3->alpn_selected_len = selected_len; 1201 } 1202 1203 return (1); 1204 1205 parse_error: 1206 *al = SSL_AD_DECODE_ERROR; 1207 return (0); 1208 } 1209 1210 int 1211 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1212 int n, int *al) 1213 { 1214 unsigned short type; 1215 unsigned short size; 1216 unsigned short len; 1217 unsigned char *data = *p; 1218 int renegotiate_seen = 0; 1219 int sigalg_seen = 0; 1220 1221 s->servername_done = 0; 1222 s->tlsext_status_type = -1; 1223 s->s3->next_proto_neg_seen = 0; 1224 free(s->s3->alpn_selected); 1225 s->s3->alpn_selected = NULL; 1226 1227 if (data >= (d + n - 2)) 1228 goto ri_check; 1229 n2s(data, len); 1230 1231 if (data > (d + n - len)) 1232 goto ri_check; 1233 1234 while (data <= (d + n - 4)) { 1235 n2s(data, type); 1236 n2s(data, size); 1237 1238 if (data + size > (d + n)) 1239 goto ri_check; 1240 if (s->tlsext_debug_cb) 1241 s->tlsext_debug_cb(s, 0, type, data, size, 1242 s->tlsext_debug_arg); 1243 /* The servername extension is treated as follows: 1244 1245 - Only the hostname type is supported with a maximum length of 255. 1246 - The servername is rejected if too long or if it contains zeros, 1247 in which case an fatal alert is generated. 1248 - The servername field is maintained together with the session cache. 1249 - When a session is resumed, the servername call back invoked in order 1250 to allow the application to position itself to the right context. 1251 - The servername is acknowledged if it is new for a session or when 1252 it is identical to a previously used for the same session. 1253 Applications can control the behaviour. They can at any time 1254 set a 'desirable' servername for a new SSL object. This can be the 1255 case for example with HTTPS when a Host: header field is received and 1256 a renegotiation is requested. In this case, a possible servername 1257 presented in the new client hello is only acknowledged if it matches 1258 the value of the Host: field. 1259 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1260 if they provide for changing an explicit servername context for the session, 1261 i.e. when the session has been established with a servername extension. 1262 - On session reconnect, the servername extension may be absent. 1263 1264 */ 1265 1266 if (type == TLSEXT_TYPE_server_name) { 1267 unsigned char *sdata; 1268 int servname_type; 1269 int dsize; 1270 1271 if (size < 2) { 1272 *al = SSL_AD_DECODE_ERROR; 1273 return 0; 1274 } 1275 n2s(data, dsize); 1276 1277 size -= 2; 1278 if (dsize > size) { 1279 *al = SSL_AD_DECODE_ERROR; 1280 return 0; 1281 } 1282 1283 sdata = data; 1284 while (dsize > 3) { 1285 servname_type = *(sdata++); 1286 1287 n2s(sdata, len); 1288 dsize -= 3; 1289 1290 if (len > dsize) { 1291 *al = SSL_AD_DECODE_ERROR; 1292 return 0; 1293 } 1294 if (s->servername_done == 0) 1295 switch (servname_type) { 1296 case TLSEXT_NAMETYPE_host_name: 1297 if (!s->hit) { 1298 if (s->session->tlsext_hostname) { 1299 *al = SSL_AD_DECODE_ERROR; 1300 return 0; 1301 } 1302 if (len > TLSEXT_MAXLEN_host_name) { 1303 *al = TLS1_AD_UNRECOGNIZED_NAME; 1304 return 0; 1305 } 1306 if ((s->session->tlsext_hostname = 1307 malloc(len + 1)) == NULL) { 1308 *al = TLS1_AD_INTERNAL_ERROR; 1309 return 0; 1310 } 1311 memcpy(s->session->tlsext_hostname, sdata, len); 1312 s->session->tlsext_hostname[len] = '\0'; 1313 if (strlen(s->session->tlsext_hostname) != len) { 1314 free(s->session->tlsext_hostname); 1315 s->session->tlsext_hostname = NULL; 1316 *al = TLS1_AD_UNRECOGNIZED_NAME; 1317 return 0; 1318 } 1319 s->servername_done = 1; 1320 1321 1322 } else { 1323 s->servername_done = s->session->tlsext_hostname && 1324 strlen(s->session->tlsext_hostname) == len && 1325 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1326 } 1327 break; 1328 1329 default: 1330 break; 1331 } 1332 1333 dsize -= len; 1334 } 1335 if (dsize != 0) { 1336 *al = SSL_AD_DECODE_ERROR; 1337 return 0; 1338 } 1339 1340 } 1341 1342 else if (type == TLSEXT_TYPE_ec_point_formats && 1343 s->version != DTLS1_VERSION) { 1344 unsigned char *sdata = data; 1345 size_t formatslen; 1346 uint8_t *formats; 1347 1348 if (size < 1) { 1349 *al = TLS1_AD_DECODE_ERROR; 1350 return 0; 1351 } 1352 formatslen = *(sdata++); 1353 if (formatslen != size - 1) { 1354 *al = TLS1_AD_DECODE_ERROR; 1355 return 0; 1356 } 1357 1358 if (!s->hit) { 1359 free(s->session->tlsext_ecpointformatlist); 1360 s->session->tlsext_ecpointformatlist = NULL; 1361 s->session->tlsext_ecpointformatlist_length = 0; 1362 1363 if ((formats = reallocarray(NULL, formatslen, 1364 sizeof(uint8_t))) == NULL) { 1365 *al = TLS1_AD_INTERNAL_ERROR; 1366 return 0; 1367 } 1368 memcpy(formats, sdata, formatslen); 1369 s->session->tlsext_ecpointformatlist = formats; 1370 s->session->tlsext_ecpointformatlist_length = 1371 formatslen; 1372 } 1373 } else if (type == TLSEXT_TYPE_elliptic_curves && 1374 s->version != DTLS1_VERSION) { 1375 unsigned char *sdata = data; 1376 size_t curveslen, i; 1377 uint16_t *curves; 1378 1379 if (size < 2) { 1380 *al = TLS1_AD_DECODE_ERROR; 1381 return 0; 1382 } 1383 n2s(sdata, curveslen); 1384 if (curveslen != size - 2 || curveslen % 2 != 0) { 1385 *al = TLS1_AD_DECODE_ERROR; 1386 return 0; 1387 } 1388 curveslen /= 2; 1389 1390 if (!s->hit) { 1391 if (s->session->tlsext_ellipticcurvelist) { 1392 *al = TLS1_AD_DECODE_ERROR; 1393 return 0; 1394 } 1395 s->session->tlsext_ellipticcurvelist_length = 0; 1396 if ((curves = reallocarray(NULL, curveslen, 1397 sizeof(uint16_t))) == NULL) { 1398 *al = TLS1_AD_INTERNAL_ERROR; 1399 return 0; 1400 } 1401 for (i = 0; i < curveslen; i++) 1402 n2s(sdata, curves[i]); 1403 s->session->tlsext_ellipticcurvelist = curves; 1404 s->session->tlsext_ellipticcurvelist_length = curveslen; 1405 } 1406 } 1407 else if (type == TLSEXT_TYPE_session_ticket) { 1408 if (s->tls_session_ticket_ext_cb && 1409 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1410 *al = TLS1_AD_INTERNAL_ERROR; 1411 return 0; 1412 } 1413 } else if (type == TLSEXT_TYPE_renegotiate) { 1414 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1415 return 0; 1416 renegotiate_seen = 1; 1417 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1418 int dsize; 1419 if (sigalg_seen || size < 2) { 1420 *al = SSL_AD_DECODE_ERROR; 1421 return 0; 1422 } 1423 sigalg_seen = 1; 1424 n2s(data, dsize); 1425 size -= 2; 1426 if (dsize != size || dsize & 1) { 1427 *al = SSL_AD_DECODE_ERROR; 1428 return 0; 1429 } 1430 if (!tls1_process_sigalgs(s, data, dsize)) { 1431 *al = SSL_AD_DECODE_ERROR; 1432 return 0; 1433 } 1434 } else if (type == TLSEXT_TYPE_status_request && 1435 s->version != DTLS1_VERSION) { 1436 1437 if (size < 5) { 1438 *al = SSL_AD_DECODE_ERROR; 1439 return 0; 1440 } 1441 1442 s->tlsext_status_type = *data++; 1443 size--; 1444 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1445 const unsigned char *sdata; 1446 int dsize; 1447 /* Read in responder_id_list */ 1448 n2s(data, dsize); 1449 size -= 2; 1450 if (dsize > size ) { 1451 *al = SSL_AD_DECODE_ERROR; 1452 return 0; 1453 } 1454 while (dsize > 0) { 1455 OCSP_RESPID *id; 1456 int idsize; 1457 if (dsize < 4) { 1458 *al = SSL_AD_DECODE_ERROR; 1459 return 0; 1460 } 1461 n2s(data, idsize); 1462 dsize -= 2 + idsize; 1463 size -= 2 + idsize; 1464 if (dsize < 0) { 1465 *al = SSL_AD_DECODE_ERROR; 1466 return 0; 1467 } 1468 sdata = data; 1469 data += idsize; 1470 id = d2i_OCSP_RESPID(NULL, 1471 &sdata, idsize); 1472 if (!id) { 1473 *al = SSL_AD_DECODE_ERROR; 1474 return 0; 1475 } 1476 if (data != sdata) { 1477 OCSP_RESPID_free(id); 1478 *al = SSL_AD_DECODE_ERROR; 1479 return 0; 1480 } 1481 if (!s->tlsext_ocsp_ids && 1482 !(s->tlsext_ocsp_ids = 1483 sk_OCSP_RESPID_new_null())) { 1484 OCSP_RESPID_free(id); 1485 *al = SSL_AD_INTERNAL_ERROR; 1486 return 0; 1487 } 1488 if (!sk_OCSP_RESPID_push( 1489 s->tlsext_ocsp_ids, id)) { 1490 OCSP_RESPID_free(id); 1491 *al = SSL_AD_INTERNAL_ERROR; 1492 return 0; 1493 } 1494 } 1495 1496 /* Read in request_extensions */ 1497 if (size < 2) { 1498 *al = SSL_AD_DECODE_ERROR; 1499 return 0; 1500 } 1501 n2s(data, dsize); 1502 size -= 2; 1503 if (dsize != size) { 1504 *al = SSL_AD_DECODE_ERROR; 1505 return 0; 1506 } 1507 sdata = data; 1508 if (dsize > 0) { 1509 if (s->tlsext_ocsp_exts) { 1510 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1511 X509_EXTENSION_free); 1512 } 1513 1514 s->tlsext_ocsp_exts = 1515 d2i_X509_EXTENSIONS(NULL, 1516 &sdata, dsize); 1517 if (!s->tlsext_ocsp_exts || 1518 (data + dsize != sdata)) { 1519 *al = SSL_AD_DECODE_ERROR; 1520 return 0; 1521 } 1522 } 1523 } else { 1524 /* We don't know what to do with any other type 1525 * so ignore it. 1526 */ 1527 s->tlsext_status_type = -1; 1528 } 1529 } 1530 else if (type == TLSEXT_TYPE_next_proto_neg && 1531 s->s3->tmp.finish_md_len == 0 && 1532 s->s3->alpn_selected == NULL) { 1533 /* We shouldn't accept this extension on a 1534 * renegotiation. 1535 * 1536 * s->new_session will be set on renegotiation, but we 1537 * probably shouldn't rely that it couldn't be set on 1538 * the initial renegotation too in certain cases (when 1539 * there's some other reason to disallow resuming an 1540 * earlier session -- the current code won't be doing 1541 * anything like that, but this might change). 1542 1543 * A valid sign that there's been a previous handshake 1544 * in this connection is if s->s3->tmp.finish_md_len > 1545 * 0. (We are talking about a check that will happen 1546 * in the Hello protocol round, well before a new 1547 * Finished message could have been computed.) */ 1548 s->s3->next_proto_neg_seen = 1; 1549 } 1550 else if (type == 1551 TLSEXT_TYPE_application_layer_protocol_negotiation && 1552 s->ctx->alpn_select_cb != NULL && 1553 s->s3->tmp.finish_md_len == 0) { 1554 if (tls1_alpn_handle_client_hello(s, data, 1555 size, al) != 1) 1556 return (0); 1557 /* ALPN takes precedence over NPN. */ 1558 s->s3->next_proto_neg_seen = 0; 1559 } 1560 1561 /* session ticket processed earlier */ 1562 #ifndef OPENSSL_NO_SRTP 1563 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1564 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1565 return 0; 1566 } 1567 #endif 1568 1569 data += size; 1570 } 1571 1572 *p = data; 1573 1574 ri_check: 1575 1576 /* Need RI if renegotiating */ 1577 1578 if (!renegotiate_seen && s->renegotiate) { 1579 *al = SSL_AD_HANDSHAKE_FAILURE; 1580 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1581 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1582 return 0; 1583 } 1584 1585 return 1; 1586 } 1587 1588 /* 1589 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1590 * elements of zero length are allowed and the set of elements must exactly fill 1591 * the length of the block. 1592 */ 1593 static char 1594 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1595 { 1596 CBS npn, value; 1597 1598 CBS_init(&npn, d, len); 1599 while (CBS_len(&npn) > 0) { 1600 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1601 CBS_len(&value) == 0) 1602 return 0; 1603 } 1604 return 1; 1605 } 1606 1607 int 1608 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1609 int n, int *al) 1610 { 1611 unsigned short length; 1612 unsigned short type; 1613 unsigned short size; 1614 unsigned char *data = *p; 1615 int tlsext_servername = 0; 1616 int renegotiate_seen = 0; 1617 1618 s->s3->next_proto_neg_seen = 0; 1619 free(s->s3->alpn_selected); 1620 s->s3->alpn_selected = NULL; 1621 1622 if (data >= (d + n - 2)) 1623 goto ri_check; 1624 1625 n2s(data, length); 1626 if (data + length != d + n) { 1627 *al = SSL_AD_DECODE_ERROR; 1628 return 0; 1629 } 1630 1631 while (data <= (d + n - 4)) { 1632 n2s(data, type); 1633 n2s(data, size); 1634 1635 if (data + size > (d + n)) 1636 goto ri_check; 1637 1638 if (s->tlsext_debug_cb) 1639 s->tlsext_debug_cb(s, 1, type, data, size, 1640 s->tlsext_debug_arg); 1641 1642 if (type == TLSEXT_TYPE_server_name) { 1643 if (s->tlsext_hostname == NULL || size > 0) { 1644 *al = TLS1_AD_UNRECOGNIZED_NAME; 1645 return 0; 1646 } 1647 tlsext_servername = 1; 1648 1649 } 1650 else if (type == TLSEXT_TYPE_ec_point_formats && 1651 s->version != DTLS1_VERSION) { 1652 unsigned char *sdata = data; 1653 size_t formatslen; 1654 uint8_t *formats; 1655 1656 if (size < 1) { 1657 *al = TLS1_AD_DECODE_ERROR; 1658 return 0; 1659 } 1660 formatslen = *(sdata++); 1661 if (formatslen != size - 1) { 1662 *al = TLS1_AD_DECODE_ERROR; 1663 return 0; 1664 } 1665 1666 if (!s->hit) { 1667 free(s->session->tlsext_ecpointformatlist); 1668 s->session->tlsext_ecpointformatlist = NULL; 1669 s->session->tlsext_ecpointformatlist_length = 0; 1670 1671 if ((formats = reallocarray(NULL, formatslen, 1672 sizeof(uint8_t))) == NULL) { 1673 *al = TLS1_AD_INTERNAL_ERROR; 1674 return 0; 1675 } 1676 memcpy(formats, sdata, formatslen); 1677 s->session->tlsext_ecpointformatlist = formats; 1678 s->session->tlsext_ecpointformatlist_length = 1679 formatslen; 1680 } 1681 } 1682 else if (type == TLSEXT_TYPE_session_ticket) { 1683 if (s->tls_session_ticket_ext_cb && 1684 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1685 *al = TLS1_AD_INTERNAL_ERROR; 1686 return 0; 1687 } 1688 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1689 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1690 return 0; 1691 } 1692 s->tlsext_ticket_expected = 1; 1693 } 1694 else if (type == TLSEXT_TYPE_status_request && 1695 s->version != DTLS1_VERSION) { 1696 /* MUST be empty and only sent if we've requested 1697 * a status request message. 1698 */ 1699 if ((s->tlsext_status_type == -1) || (size > 0)) { 1700 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1701 return 0; 1702 } 1703 /* Set flag to expect CertificateStatus message */ 1704 s->tlsext_status_expected = 1; 1705 } 1706 else if (type == TLSEXT_TYPE_next_proto_neg && 1707 s->s3->tmp.finish_md_len == 0) { 1708 unsigned char *selected; 1709 unsigned char selected_len; 1710 1711 /* We must have requested it. */ 1712 if (s->ctx->next_proto_select_cb == NULL) { 1713 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1714 return 0; 1715 } 1716 /* The data must be valid */ 1717 if (!ssl_next_proto_validate(data, size)) { 1718 *al = TLS1_AD_DECODE_ERROR; 1719 return 0; 1720 } 1721 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1722 *al = TLS1_AD_INTERNAL_ERROR; 1723 return 0; 1724 } 1725 s->next_proto_negotiated = malloc(selected_len); 1726 if (!s->next_proto_negotiated) { 1727 *al = TLS1_AD_INTERNAL_ERROR; 1728 return 0; 1729 } 1730 memcpy(s->next_proto_negotiated, selected, selected_len); 1731 s->next_proto_negotiated_len = selected_len; 1732 s->s3->next_proto_neg_seen = 1; 1733 } 1734 else if (type == 1735 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1736 unsigned int len; 1737 1738 /* We must have requested it. */ 1739 if (s->alpn_client_proto_list == NULL) { 1740 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1741 return 0; 1742 } 1743 if (size < 4) { 1744 *al = TLS1_AD_DECODE_ERROR; 1745 return (0); 1746 } 1747 1748 /* The extension data consists of: 1749 * uint16 list_length 1750 * uint8 proto_length; 1751 * uint8 proto[proto_length]; */ 1752 len = ((unsigned int)data[0]) << 8 | 1753 ((unsigned int)data[1]); 1754 if (len != (unsigned int)size - 2) { 1755 *al = TLS1_AD_DECODE_ERROR; 1756 return (0); 1757 } 1758 len = data[2]; 1759 if (len != (unsigned int)size - 3) { 1760 *al = TLS1_AD_DECODE_ERROR; 1761 return (0); 1762 } 1763 free(s->s3->alpn_selected); 1764 s->s3->alpn_selected = malloc(len); 1765 if (s->s3->alpn_selected == NULL) { 1766 *al = TLS1_AD_INTERNAL_ERROR; 1767 return (0); 1768 } 1769 memcpy(s->s3->alpn_selected, data + 3, len); 1770 s->s3->alpn_selected_len = len; 1771 1772 } else if (type == TLSEXT_TYPE_renegotiate) { 1773 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1774 return 0; 1775 renegotiate_seen = 1; 1776 } 1777 #ifndef OPENSSL_NO_SRTP 1778 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1779 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1780 size, al)) 1781 return 0; 1782 } 1783 #endif 1784 1785 data += size; 1786 1787 } 1788 1789 if (data != d + n) { 1790 *al = SSL_AD_DECODE_ERROR; 1791 return 0; 1792 } 1793 1794 if (!s->hit && tlsext_servername == 1) { 1795 if (s->tlsext_hostname) { 1796 if (s->session->tlsext_hostname == NULL) { 1797 s->session->tlsext_hostname = 1798 strdup(s->tlsext_hostname); 1799 1800 if (!s->session->tlsext_hostname) { 1801 *al = SSL_AD_UNRECOGNIZED_NAME; 1802 return 0; 1803 } 1804 } else { 1805 *al = SSL_AD_DECODE_ERROR; 1806 return 0; 1807 } 1808 } 1809 } 1810 1811 *p = data; 1812 1813 ri_check: 1814 1815 /* Determine if we need to see RI. Strictly speaking if we want to 1816 * avoid an attack we should *always* see RI even on initial server 1817 * hello because the client doesn't see any renegotiation during an 1818 * attack. However this would mean we could not connect to any server 1819 * which doesn't support RI so for the immediate future tolerate RI 1820 * absence on initial connect only. 1821 */ 1822 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1823 *al = SSL_AD_HANDSHAKE_FAILURE; 1824 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1825 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1826 return 0; 1827 } 1828 1829 return 1; 1830 } 1831 1832 int 1833 ssl_prepare_clienthello_tlsext(SSL *s) 1834 { 1835 return 1; 1836 } 1837 1838 int 1839 ssl_prepare_serverhello_tlsext(SSL *s) 1840 { 1841 return 1; 1842 } 1843 1844 int 1845 ssl_check_clienthello_tlsext_early(SSL *s) 1846 { 1847 int ret = SSL_TLSEXT_ERR_NOACK; 1848 int al = SSL_AD_UNRECOGNIZED_NAME; 1849 1850 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1851 * ssl3_choose_cipher in s3_lib.c. 1852 */ 1853 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1854 * ssl3_choose_cipher in s3_lib.c. 1855 */ 1856 1857 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1858 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1859 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1860 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1861 1862 switch (ret) { 1863 case SSL_TLSEXT_ERR_ALERT_FATAL: 1864 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1865 return -1; 1866 case SSL_TLSEXT_ERR_ALERT_WARNING: 1867 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1868 return 1; 1869 case SSL_TLSEXT_ERR_NOACK: 1870 s->servername_done = 0; 1871 default: 1872 return 1; 1873 } 1874 } 1875 1876 int 1877 ssl_check_clienthello_tlsext_late(SSL *s) 1878 { 1879 int ret = SSL_TLSEXT_ERR_OK; 1880 int al = 0; /* XXX gcc3 */ 1881 1882 /* If status request then ask callback what to do. 1883 * Note: this must be called after servername callbacks in case 1884 * the certificate has changed, and must be called after the cipher 1885 * has been chosen because this may influence which certificate is sent 1886 */ 1887 if ((s->tlsext_status_type != -1) && 1888 s->ctx && s->ctx->tlsext_status_cb) { 1889 int r; 1890 CERT_PKEY *certpkey; 1891 certpkey = ssl_get_server_send_pkey(s); 1892 /* If no certificate can't return certificate status */ 1893 if (certpkey == NULL) { 1894 s->tlsext_status_expected = 0; 1895 return 1; 1896 } 1897 /* Set current certificate to one we will use so 1898 * SSL_get_certificate et al can pick it up. 1899 */ 1900 s->cert->key = certpkey; 1901 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1902 switch (r) { 1903 /* We don't want to send a status request response */ 1904 case SSL_TLSEXT_ERR_NOACK: 1905 s->tlsext_status_expected = 0; 1906 break; 1907 /* status request response should be sent */ 1908 case SSL_TLSEXT_ERR_OK: 1909 if (s->tlsext_ocsp_resp) 1910 s->tlsext_status_expected = 1; 1911 else 1912 s->tlsext_status_expected = 0; 1913 break; 1914 /* something bad happened */ 1915 case SSL_TLSEXT_ERR_ALERT_FATAL: 1916 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1917 al = SSL_AD_INTERNAL_ERROR; 1918 goto err; 1919 } 1920 } else 1921 s->tlsext_status_expected = 0; 1922 1923 err: 1924 switch (ret) { 1925 case SSL_TLSEXT_ERR_ALERT_FATAL: 1926 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1927 return -1; 1928 case SSL_TLSEXT_ERR_ALERT_WARNING: 1929 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1930 return 1; 1931 default: 1932 return 1; 1933 } 1934 } 1935 1936 int 1937 ssl_check_serverhello_tlsext(SSL *s) 1938 { 1939 int ret = SSL_TLSEXT_ERR_NOACK; 1940 int al = SSL_AD_UNRECOGNIZED_NAME; 1941 1942 /* If we are client and using an elliptic curve cryptography cipher 1943 * suite, then if server returns an EC point formats lists extension 1944 * it must contain uncompressed. 1945 */ 1946 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1947 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1948 if ((s->tlsext_ecpointformatlist != NULL) && 1949 (s->tlsext_ecpointformatlist_length > 0) && 1950 (s->session->tlsext_ecpointformatlist != NULL) && 1951 (s->session->tlsext_ecpointformatlist_length > 0) && 1952 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1953 /* we are using an ECC cipher */ 1954 size_t i; 1955 unsigned char *list; 1956 int found_uncompressed = 0; 1957 list = s->session->tlsext_ecpointformatlist; 1958 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1959 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1960 found_uncompressed = 1; 1961 break; 1962 } 1963 } 1964 if (!found_uncompressed) { 1965 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1966 return -1; 1967 } 1968 } 1969 ret = SSL_TLSEXT_ERR_OK; 1970 1971 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1972 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1973 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1974 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1975 1976 /* If we've requested certificate status and we wont get one 1977 * tell the callback 1978 */ 1979 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1980 s->ctx && s->ctx->tlsext_status_cb) { 1981 int r; 1982 /* Set resp to NULL, resplen to -1 so callback knows 1983 * there is no response. 1984 */ 1985 free(s->tlsext_ocsp_resp); 1986 s->tlsext_ocsp_resp = NULL; 1987 s->tlsext_ocsp_resplen = -1; 1988 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1989 if (r == 0) { 1990 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1992 } 1993 if (r < 0) { 1994 al = SSL_AD_INTERNAL_ERROR; 1995 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1996 } 1997 } 1998 1999 switch (ret) { 2000 case SSL_TLSEXT_ERR_ALERT_FATAL: 2001 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2002 2003 return -1; 2004 case SSL_TLSEXT_ERR_ALERT_WARNING: 2005 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2006 2007 return 1; 2008 case SSL_TLSEXT_ERR_NOACK: 2009 s->servername_done = 0; 2010 default: 2011 return 1; 2012 } 2013 } 2014 2015 /* Since the server cache lookup is done early on in the processing of the 2016 * ClientHello, and other operations depend on the result, we need to handle 2017 * any TLS session ticket extension at the same time. 2018 * 2019 * session_id: points at the session ID in the ClientHello. This code will 2020 * read past the end of this in order to parse out the session ticket 2021 * extension, if any. 2022 * len: the length of the session ID. 2023 * limit: a pointer to the first byte after the ClientHello. 2024 * ret: (output) on return, if a ticket was decrypted, then this is set to 2025 * point to the resulting session. 2026 * 2027 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2028 * ciphersuite, in which case we have no use for session tickets and one will 2029 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2030 * 2031 * Returns: 2032 * -1: fatal error, either from parsing or decrypting the ticket. 2033 * 0: no ticket was found (or was ignored, based on settings). 2034 * 1: a zero length extension was found, indicating that the client supports 2035 * session tickets but doesn't currently have one to offer. 2036 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2037 * couldn't be decrypted because of a non-fatal error. 2038 * 3: a ticket was successfully decrypted and *ret was set. 2039 * 2040 * Side effects: 2041 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2042 * a new session ticket to the client because the client indicated support 2043 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2044 * a session ticket or we couldn't use the one it gave us, or if 2045 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2046 * Otherwise, s->tlsext_ticket_expected is set to 0. 2047 */ 2048 int 2049 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2050 const unsigned char *limit, SSL_SESSION **ret) 2051 { 2052 /* Point after session ID in client hello */ 2053 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2054 2055 *ret = NULL; 2056 s->tlsext_ticket_expected = 0; 2057 2058 /* If tickets disabled behave as if no ticket present 2059 * to permit stateful resumption. 2060 */ 2061 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2062 return 0; 2063 if (s->version <= SSL3_VERSION || !limit) 2064 return 0; 2065 2066 if (limit < session) 2067 return -1; 2068 2069 CBS_init(&session_id, session, limit - session); 2070 2071 /* Skip past the session id */ 2072 if (!CBS_skip(&session_id, session_len)) 2073 return -1; 2074 2075 /* Skip past DTLS cookie */ 2076 if (SSL_IS_DTLS(s)) { 2077 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2078 return -1; 2079 } 2080 2081 /* Skip past cipher list */ 2082 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2083 return -1; 2084 2085 /* Skip past compression algorithm list */ 2086 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2087 return -1; 2088 2089 /* Now at start of extensions */ 2090 if (CBS_len(&session_id) == 0) 2091 return 0; 2092 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2093 return -1; 2094 2095 while (CBS_len(&extensions) > 0) { 2096 CBS ext_data; 2097 uint16_t ext_type; 2098 2099 if (!CBS_get_u16(&extensions, &ext_type) || 2100 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2101 return -1; 2102 2103 if (ext_type == TLSEXT_TYPE_session_ticket) { 2104 int r; 2105 if (CBS_len(&ext_data) == 0) { 2106 /* The client will accept a ticket but doesn't 2107 * currently have one. */ 2108 s->tlsext_ticket_expected = 1; 2109 return 1; 2110 } 2111 if (s->tls_session_secret_cb) { 2112 /* Indicate that the ticket couldn't be 2113 * decrypted rather than generating the session 2114 * from ticket now, trigger abbreviated 2115 * handshake based on external mechanism to 2116 * calculate the master secret later. */ 2117 return 2; 2118 } 2119 2120 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2121 CBS_len(&ext_data), session, session_len, ret); 2122 2123 switch (r) { 2124 case 2: /* ticket couldn't be decrypted */ 2125 s->tlsext_ticket_expected = 1; 2126 return 2; 2127 case 3: /* ticket was decrypted */ 2128 return r; 2129 case 4: /* ticket decrypted but need to renew */ 2130 s->tlsext_ticket_expected = 1; 2131 return 3; 2132 default: /* fatal error */ 2133 return -1; 2134 } 2135 } 2136 } 2137 return 0; 2138 } 2139 2140 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2141 * 2142 * etick: points to the body of the session ticket extension. 2143 * eticklen: the length of the session tickets extenion. 2144 * sess_id: points at the session ID. 2145 * sesslen: the length of the session ID. 2146 * psess: (output) on return, if a ticket was decrypted, then this is set to 2147 * point to the resulting session. 2148 * 2149 * Returns: 2150 * -1: fatal error, either from parsing or decrypting the ticket. 2151 * 2: the ticket couldn't be decrypted. 2152 * 3: a ticket was successfully decrypted and *psess was set. 2153 * 4: same as 3, but the ticket needs to be renewed. 2154 */ 2155 static int 2156 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2157 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2158 { 2159 SSL_SESSION *sess; 2160 unsigned char *sdec; 2161 const unsigned char *p; 2162 int slen, mlen, renew_ticket = 0; 2163 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2164 HMAC_CTX hctx; 2165 EVP_CIPHER_CTX ctx; 2166 SSL_CTX *tctx = s->initial_ctx; 2167 /* Need at least keyname + iv + some encrypted data */ 2168 if (eticklen < 48) 2169 return 2; 2170 /* Initialize session ticket encryption and HMAC contexts */ 2171 HMAC_CTX_init(&hctx); 2172 EVP_CIPHER_CTX_init(&ctx); 2173 if (tctx->tlsext_ticket_key_cb) { 2174 unsigned char *nctick = (unsigned char *)etick; 2175 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2176 &ctx, &hctx, 0); 2177 if (rv < 0) { 2178 EVP_CIPHER_CTX_cleanup(&ctx); 2179 return -1; 2180 } 2181 if (rv == 0) { 2182 EVP_CIPHER_CTX_cleanup(&ctx); 2183 return 2; 2184 } 2185 if (rv == 2) 2186 renew_ticket = 1; 2187 } else { 2188 /* Check key name matches */ 2189 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2190 return 2; 2191 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2192 tlsext_tick_md(), NULL); 2193 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2194 tctx->tlsext_tick_aes_key, etick + 16); 2195 } 2196 /* Attempt to process session ticket, first conduct sanity and 2197 * integrity checks on ticket. 2198 */ 2199 mlen = HMAC_size(&hctx); 2200 if (mlen < 0) { 2201 EVP_CIPHER_CTX_cleanup(&ctx); 2202 return -1; 2203 } 2204 eticklen -= mlen; 2205 /* Check HMAC of encrypted ticket */ 2206 HMAC_Update(&hctx, etick, eticklen); 2207 HMAC_Final(&hctx, tick_hmac, NULL); 2208 HMAC_CTX_cleanup(&hctx); 2209 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2210 EVP_CIPHER_CTX_cleanup(&ctx); 2211 return 2; 2212 } 2213 /* Attempt to decrypt session data */ 2214 /* Move p after IV to start of encrypted ticket, update length */ 2215 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2216 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2217 sdec = malloc(eticklen); 2218 if (!sdec) { 2219 EVP_CIPHER_CTX_cleanup(&ctx); 2220 return -1; 2221 } 2222 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2223 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 2224 free(sdec); 2225 EVP_CIPHER_CTX_cleanup(&ctx); 2226 return 2; 2227 } 2228 slen += mlen; 2229 EVP_CIPHER_CTX_cleanup(&ctx); 2230 p = sdec; 2231 2232 sess = d2i_SSL_SESSION(NULL, &p, slen); 2233 free(sdec); 2234 if (sess) { 2235 /* The session ID, if non-empty, is used by some clients to 2236 * detect that the ticket has been accepted. So we copy it to 2237 * the session structure. If it is empty set length to zero 2238 * as required by standard. 2239 */ 2240 if (sesslen) 2241 memcpy(sess->session_id, sess_id, sesslen); 2242 sess->session_id_length = sesslen; 2243 *psess = sess; 2244 if (renew_ticket) 2245 return 4; 2246 else 2247 return 3; 2248 } 2249 ERR_clear_error(); 2250 /* For session parse failure, indicate that we need to send a new 2251 * ticket. */ 2252 return 2; 2253 } 2254 2255 /* Tables to translate from NIDs to TLS v1.2 ids */ 2256 2257 typedef struct { 2258 int nid; 2259 int id; 2260 } tls12_lookup; 2261 2262 static tls12_lookup tls12_md[] = { 2263 {NID_md5, TLSEXT_hash_md5}, 2264 {NID_sha1, TLSEXT_hash_sha1}, 2265 {NID_sha224, TLSEXT_hash_sha224}, 2266 {NID_sha256, TLSEXT_hash_sha256}, 2267 {NID_sha384, TLSEXT_hash_sha384}, 2268 {NID_sha512, TLSEXT_hash_sha512}, 2269 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2270 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2271 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2272 }; 2273 2274 static tls12_lookup tls12_sig[] = { 2275 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2276 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2277 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2278 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2279 }; 2280 2281 static int 2282 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2283 { 2284 size_t i; 2285 for (i = 0; i < tlen; i++) { 2286 if (table[i].nid == nid) 2287 return table[i].id; 2288 } 2289 return -1; 2290 } 2291 2292 int 2293 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2294 { 2295 int sig_id, md_id; 2296 if (!md) 2297 return 0; 2298 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2299 sizeof(tls12_md) / sizeof(tls12_lookup)); 2300 if (md_id == -1) 2301 return 0; 2302 sig_id = tls12_get_sigid(pk); 2303 if (sig_id == -1) 2304 return 0; 2305 p[0] = (unsigned char)md_id; 2306 p[1] = (unsigned char)sig_id; 2307 return 1; 2308 } 2309 2310 int 2311 tls12_get_sigid(const EVP_PKEY *pk) 2312 { 2313 return tls12_find_id(pk->type, tls12_sig, 2314 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2315 } 2316 2317 const EVP_MD * 2318 tls12_get_hash(unsigned char hash_alg) 2319 { 2320 switch (hash_alg) { 2321 case TLSEXT_hash_sha1: 2322 return EVP_sha1(); 2323 case TLSEXT_hash_sha224: 2324 return EVP_sha224(); 2325 case TLSEXT_hash_sha256: 2326 return EVP_sha256(); 2327 case TLSEXT_hash_sha384: 2328 return EVP_sha384(); 2329 case TLSEXT_hash_sha512: 2330 return EVP_sha512(); 2331 #ifndef OPENSSL_NO_GOST 2332 case TLSEXT_hash_gost94: 2333 return EVP_gostr341194(); 2334 case TLSEXT_hash_streebog_256: 2335 return EVP_streebog256(); 2336 case TLSEXT_hash_streebog_512: 2337 return EVP_streebog512(); 2338 #endif 2339 default: 2340 return NULL; 2341 } 2342 } 2343 2344 /* Set preferred digest for each key type */ 2345 2346 int 2347 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2348 { 2349 int idx; 2350 const EVP_MD *md; 2351 CERT *c = s->cert; 2352 CBS cbs; 2353 2354 /* Extension ignored for inappropriate versions */ 2355 if (!SSL_USE_SIGALGS(s)) 2356 return 1; 2357 2358 /* Should never happen */ 2359 if (!c || dsize < 0) 2360 return 0; 2361 2362 CBS_init(&cbs, data, dsize); 2363 2364 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2365 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2366 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2367 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2368 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2369 2370 while (CBS_len(&cbs) > 0) { 2371 uint8_t hash_alg, sig_alg; 2372 2373 if (!CBS_get_u8(&cbs, &hash_alg) || 2374 !CBS_get_u8(&cbs, &sig_alg)) { 2375 /* Should never happen */ 2376 return 0; 2377 } 2378 2379 switch (sig_alg) { 2380 case TLSEXT_signature_rsa: 2381 idx = SSL_PKEY_RSA_SIGN; 2382 break; 2383 case TLSEXT_signature_dsa: 2384 idx = SSL_PKEY_DSA_SIGN; 2385 break; 2386 case TLSEXT_signature_ecdsa: 2387 idx = SSL_PKEY_ECC; 2388 break; 2389 case TLSEXT_signature_gostr01: 2390 case TLSEXT_signature_gostr12_256: 2391 case TLSEXT_signature_gostr12_512: 2392 idx = SSL_PKEY_GOST01; 2393 break; 2394 default: 2395 continue; 2396 } 2397 2398 if (c->pkeys[idx].digest == NULL) { 2399 md = tls12_get_hash(hash_alg); 2400 if (md) { 2401 c->pkeys[idx].digest = md; 2402 if (idx == SSL_PKEY_RSA_SIGN) 2403 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2404 } 2405 } 2406 2407 } 2408 2409 /* Set any remaining keys to default values. NOTE: if alg is not 2410 * supported it stays as NULL. 2411 */ 2412 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2413 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2414 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2415 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2416 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2417 } 2418 if (!c->pkeys[SSL_PKEY_ECC].digest) 2419 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2420 #ifndef OPENSSL_NO_GOST 2421 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2422 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2423 #endif 2424 return 1; 2425 } 2426