1 /* $OpenBSD: t1_lib.c,v 1.96 2016/12/21 16:44:31 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */ 245 NID_X25519, /* X25519 (29) */ 246 }; 247 248 static const uint8_t ecformats_default[] = { 249 TLSEXT_ECPOINTFORMAT_uncompressed, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 251 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 252 }; 253 254 static const uint16_t eccurves_default[] = { 255 29, /* X25519 (29) */ 256 14, /* sect571r1 (14) */ 257 13, /* sect571k1 (13) */ 258 25, /* secp521r1 (25) */ 259 28, /* brainpool512r1 (28) */ 260 11, /* sect409k1 (11) */ 261 12, /* sect409r1 (12) */ 262 27, /* brainpoolP384r1 (27) */ 263 24, /* secp384r1 (24) */ 264 9, /* sect283k1 (9) */ 265 10, /* sect283r1 (10) */ 266 26, /* brainpoolP256r1 (26) */ 267 22, /* secp256k1 (22) */ 268 23, /* secp256r1 (23) */ 269 8, /* sect239k1 (8) */ 270 6, /* sect233k1 (6) */ 271 7, /* sect233r1 (7) */ 272 20, /* secp224k1 (20) */ 273 21, /* secp224r1 (21) */ 274 4, /* sect193r1 (4) */ 275 5, /* sect193r2 (5) */ 276 18, /* secp192k1 (18) */ 277 19, /* secp192r1 (19) */ 278 1, /* sect163k1 (1) */ 279 2, /* sect163r1 (2) */ 280 3, /* sect163r2 (3) */ 281 15, /* secp160k1 (15) */ 282 16, /* secp160r1 (16) */ 283 17, /* secp160r2 (17) */ 284 }; 285 286 int 287 tls1_ec_curve_id2nid(const uint16_t curve_id) 288 { 289 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 290 if ((curve_id < 1) || 291 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 292 return 0; 293 return nid_list[curve_id - 1]; 294 } 295 296 uint16_t 297 tls1_ec_nid2curve_id(int nid) 298 { 299 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 300 switch (nid) { 301 case NID_sect163k1: /* sect163k1 (1) */ 302 return 1; 303 case NID_sect163r1: /* sect163r1 (2) */ 304 return 2; 305 case NID_sect163r2: /* sect163r2 (3) */ 306 return 3; 307 case NID_sect193r1: /* sect193r1 (4) */ 308 return 4; 309 case NID_sect193r2: /* sect193r2 (5) */ 310 return 5; 311 case NID_sect233k1: /* sect233k1 (6) */ 312 return 6; 313 case NID_sect233r1: /* sect233r1 (7) */ 314 return 7; 315 case NID_sect239k1: /* sect239k1 (8) */ 316 return 8; 317 case NID_sect283k1: /* sect283k1 (9) */ 318 return 9; 319 case NID_sect283r1: /* sect283r1 (10) */ 320 return 10; 321 case NID_sect409k1: /* sect409k1 (11) */ 322 return 11; 323 case NID_sect409r1: /* sect409r1 (12) */ 324 return 12; 325 case NID_sect571k1: /* sect571k1 (13) */ 326 return 13; 327 case NID_sect571r1: /* sect571r1 (14) */ 328 return 14; 329 case NID_secp160k1: /* secp160k1 (15) */ 330 return 15; 331 case NID_secp160r1: /* secp160r1 (16) */ 332 return 16; 333 case NID_secp160r2: /* secp160r2 (17) */ 334 return 17; 335 case NID_secp192k1: /* secp192k1 (18) */ 336 return 18; 337 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 338 return 19; 339 case NID_secp224k1: /* secp224k1 (20) */ 340 return 20; 341 case NID_secp224r1: /* secp224r1 (21) */ 342 return 21; 343 case NID_secp256k1: /* secp256k1 (22) */ 344 return 22; 345 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 346 return 23; 347 case NID_secp384r1: /* secp384r1 (24) */ 348 return 24; 349 case NID_secp521r1: /* secp521r1 (25) */ 350 return 25; 351 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 352 return 26; 353 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 354 return 27; 355 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 356 return 28; 357 case NID_X25519: /* X25519 (29) */ 358 return 29; 359 default: 360 return 0; 361 } 362 } 363 364 /* 365 * Return the appropriate format list. If client_formats is non-zero, return 366 * the client/session formats. Otherwise return the custom format list if one 367 * exists, or the default formats if a custom list has not been specified. 368 */ 369 static void 370 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 371 size_t *pformatslen) 372 { 373 if (client_formats != 0) { 374 *pformats = s->session->tlsext_ecpointformatlist; 375 *pformatslen = s->session->tlsext_ecpointformatlist_length; 376 return; 377 } 378 379 *pformats = s->tlsext_ecpointformatlist; 380 *pformatslen = s->tlsext_ecpointformatlist_length; 381 if (*pformats == NULL) { 382 *pformats = ecformats_default; 383 *pformatslen = sizeof(ecformats_default); 384 } 385 } 386 387 /* 388 * Return the appropriate curve list. If client_curves is non-zero, return 389 * the client/session curves. Otherwise return the custom curve list if one 390 * exists, or the default curves if a custom list has not been specified. 391 */ 392 static void 393 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 394 size_t *pcurveslen) 395 { 396 if (client_curves != 0) { 397 *pcurves = s->session->tlsext_ellipticcurvelist; 398 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 399 return; 400 } 401 402 *pcurves = s->tlsext_ellipticcurvelist; 403 *pcurveslen = s->tlsext_ellipticcurvelist_length; 404 if (*pcurves == NULL) { 405 *pcurves = eccurves_default; 406 *pcurveslen = sizeof(eccurves_default) / 2; 407 } 408 } 409 410 /* Check that a curve is one of our preferences. */ 411 int 412 tls1_check_curve(SSL *s, const uint16_t curve_id) 413 { 414 const uint16_t *curves; 415 size_t curveslen, i; 416 417 tls1_get_curvelist(s, 0, &curves, &curveslen); 418 419 for (i = 0; i < curveslen; i++) { 420 if (curves[i] == curve_id) 421 return (1); 422 } 423 return (0); 424 } 425 426 int 427 tls1_get_shared_curve(SSL *s) 428 { 429 size_t preflen, supplen, i, j; 430 const uint16_t *pref, *supp; 431 unsigned long server_pref; 432 433 /* Cannot do anything on the client side. */ 434 if (s->server == 0) 435 return (NID_undef); 436 437 /* Return first preference shared curve. */ 438 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 439 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 440 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 441 442 for (i = 0; i < preflen; i++) { 443 for (j = 0; j < supplen; j++) { 444 if (pref[i] == supp[j]) 445 return (tls1_ec_curve_id2nid(pref[i])); 446 } 447 } 448 return (NID_undef); 449 } 450 451 /* For an EC key set TLS ID and required compression based on parameters. */ 452 static int 453 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 454 { 455 const EC_GROUP *grp; 456 const EC_METHOD *meth; 457 int is_prime = 0; 458 int nid, id; 459 460 if (ec == NULL) 461 return (0); 462 463 /* Determine if it is a prime field. */ 464 if ((grp = EC_KEY_get0_group(ec)) == NULL) 465 return (0); 466 if ((meth = EC_GROUP_method_of(grp)) == NULL) 467 return (0); 468 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 469 is_prime = 1; 470 471 /* Determine curve ID. */ 472 nid = EC_GROUP_get_curve_name(grp); 473 id = tls1_ec_nid2curve_id(nid); 474 475 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 476 if (id != 0) 477 *curve_id = id; 478 else 479 *curve_id = is_prime ? 0xff01 : 0xff02; 480 481 /* Specify the compression identifier. */ 482 if (comp_id != NULL) { 483 if (EC_KEY_get0_public_key(ec) == NULL) 484 return (0); 485 486 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 487 *comp_id = is_prime ? 488 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 489 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 490 } else { 491 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 492 } 493 } 494 return (1); 495 } 496 497 /* Check that an EC key is compatible with extensions. */ 498 static int 499 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 500 { 501 size_t curveslen, formatslen, i; 502 const uint16_t *curves; 503 const uint8_t *formats; 504 505 /* 506 * Check point formats extension if present, otherwise everything 507 * is supported (see RFC4492). 508 */ 509 tls1_get_formatlist(s, 1, &formats, &formatslen); 510 if (comp_id != NULL && formats != NULL) { 511 for (i = 0; i < formatslen; i++) { 512 if (formats[i] == *comp_id) 513 break; 514 } 515 if (i == formatslen) 516 return (0); 517 } 518 519 /* 520 * Check curve list if present, otherwise everything is supported. 521 */ 522 tls1_get_curvelist(s, 1, &curves, &curveslen); 523 if (curve_id != NULL && curves != NULL) { 524 for (i = 0; i < curveslen; i++) { 525 if (curves[i] == *curve_id) 526 break; 527 } 528 if (i == curveslen) 529 return (0); 530 } 531 532 return (1); 533 } 534 535 /* Check EC server key is compatible with client extensions. */ 536 int 537 tls1_check_ec_server_key(SSL *s) 538 { 539 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 540 uint16_t curve_id; 541 uint8_t comp_id; 542 EVP_PKEY *pkey; 543 int rv; 544 545 if (cpk->x509 == NULL || cpk->privatekey == NULL) 546 return (0); 547 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 548 return (0); 549 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 550 EVP_PKEY_free(pkey); 551 if (rv != 1) 552 return (0); 553 554 return tls1_check_ec_key(s, &curve_id, &comp_id); 555 } 556 557 /* Check EC temporary key is compatible with client extensions. */ 558 int 559 tls1_check_ec_tmp_key(SSL *s) 560 { 561 EC_KEY *ec = s->cert->ecdh_tmp; 562 uint16_t curve_id; 563 564 if (s->cert->ecdh_tmp_auto != 0) { 565 /* Need a shared curve. */ 566 if (tls1_get_shared_curve(s) != NID_undef) 567 return (1); 568 return (0); 569 } 570 571 if (ec == NULL) { 572 if (s->cert->ecdh_tmp_cb != NULL) 573 return (1); 574 return (0); 575 } 576 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 577 return (0); 578 579 return tls1_check_ec_key(s, &curve_id, NULL); 580 } 581 582 /* 583 * List of supported signature algorithms and hashes. Should make this 584 * customisable at some point, for now include everything we support. 585 */ 586 587 static unsigned char tls12_sigalgs[] = { 588 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 589 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 590 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 591 #ifndef OPENSSL_NO_GOST 592 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 593 #endif 594 595 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 596 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 597 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 598 599 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 600 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 601 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 602 603 #ifndef OPENSSL_NO_GOST 604 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 605 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 606 #endif 607 608 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 609 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 610 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 611 612 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 613 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 614 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 615 }; 616 617 int 618 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 619 { 620 size_t slen = sizeof(tls12_sigalgs); 621 622 if (p) 623 memcpy(p, tls12_sigalgs, slen); 624 return (int)slen; 625 } 626 627 unsigned char * 628 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 629 { 630 int extdatalen = 0; 631 unsigned char *ret = p; 632 int using_ecc = 0; 633 634 /* See if we support any ECC ciphersuites. */ 635 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 636 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 637 unsigned long alg_k, alg_a; 638 int i; 639 640 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 641 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 642 643 alg_k = c->algorithm_mkey; 644 alg_a = c->algorithm_auth; 645 646 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) { 647 using_ecc = 1; 648 break; 649 } 650 } 651 } 652 653 ret += 2; 654 655 if (ret >= limit) 656 return NULL; /* this really never occurs, but ... */ 657 658 if (s->tlsext_hostname != NULL) { 659 /* Add TLS extension servername to the Client Hello message */ 660 size_t size_str, lenmax; 661 662 /* check for enough space. 663 4 for the servername type and extension length 664 2 for servernamelist length 665 1 for the hostname type 666 2 for hostname length 667 + hostname length 668 */ 669 670 if ((size_t)(limit - ret) < 9) 671 return NULL; 672 673 lenmax = limit - ret - 9; 674 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 675 return NULL; 676 677 /* extension type and length */ 678 s2n(TLSEXT_TYPE_server_name, ret); 679 680 s2n(size_str + 5, ret); 681 682 /* length of servername list */ 683 s2n(size_str + 3, ret); 684 685 /* hostname type, length and hostname */ 686 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 687 s2n(size_str, ret); 688 memcpy(ret, s->tlsext_hostname, size_str); 689 ret += size_str; 690 } 691 692 /* Add RI if renegotiating */ 693 if (s->renegotiate) { 694 int el; 695 696 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 697 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 698 ERR_R_INTERNAL_ERROR); 699 return NULL; 700 } 701 702 if ((size_t)(limit - ret) < 4 + el) 703 return NULL; 704 705 s2n(TLSEXT_TYPE_renegotiate, ret); 706 s2n(el, ret); 707 708 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 709 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 710 ERR_R_INTERNAL_ERROR); 711 return NULL; 712 } 713 714 ret += el; 715 } 716 717 if (using_ecc) { 718 size_t curveslen, formatslen, lenmax; 719 const uint16_t *curves; 720 const uint8_t *formats; 721 int i; 722 723 /* 724 * Add TLS extension ECPointFormats to the ClientHello message. 725 */ 726 tls1_get_formatlist(s, 0, &formats, &formatslen); 727 728 if ((size_t)(limit - ret) < 5) 729 return NULL; 730 731 lenmax = limit - ret - 5; 732 if (formatslen > lenmax) 733 return NULL; 734 if (formatslen > 255) { 735 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 736 ERR_R_INTERNAL_ERROR); 737 return NULL; 738 } 739 740 s2n(TLSEXT_TYPE_ec_point_formats, ret); 741 s2n(formatslen + 1, ret); 742 *(ret++) = (unsigned char)formatslen; 743 memcpy(ret, formats, formatslen); 744 ret += formatslen; 745 746 /* 747 * Add TLS extension EllipticCurves to the ClientHello message. 748 */ 749 tls1_get_curvelist(s, 0, &curves, &curveslen); 750 751 if ((size_t)(limit - ret) < 6) 752 return NULL; 753 754 lenmax = limit - ret - 6; 755 if (curveslen > lenmax) 756 return NULL; 757 if (curveslen > 65532) { 758 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 759 ERR_R_INTERNAL_ERROR); 760 return NULL; 761 } 762 763 s2n(TLSEXT_TYPE_elliptic_curves, ret); 764 s2n((curveslen * 2) + 2, ret); 765 766 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 767 * elliptic_curve_list, but the examples use two bytes. 768 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 769 * resolves this to two bytes. 770 */ 771 s2n(curveslen * 2, ret); 772 for (i = 0; i < curveslen; i++) 773 s2n(curves[i], ret); 774 } 775 776 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 777 int ticklen; 778 if (!s->new_session && s->session && s->session->tlsext_tick) 779 ticklen = s->session->tlsext_ticklen; 780 else if (s->session && s->tlsext_session_ticket && 781 s->tlsext_session_ticket->data) { 782 ticklen = s->tlsext_session_ticket->length; 783 s->session->tlsext_tick = malloc(ticklen); 784 if (!s->session->tlsext_tick) 785 return NULL; 786 memcpy(s->session->tlsext_tick, 787 s->tlsext_session_ticket->data, ticklen); 788 s->session->tlsext_ticklen = ticklen; 789 } else 790 ticklen = 0; 791 if (ticklen == 0 && s->tlsext_session_ticket && 792 s->tlsext_session_ticket->data == NULL) 793 goto skip_ext; 794 /* Check for enough room 2 for extension type, 2 for len 795 * rest for ticket 796 */ 797 if ((size_t)(limit - ret) < 4 + ticklen) 798 return NULL; 799 s2n(TLSEXT_TYPE_session_ticket, ret); 800 801 s2n(ticklen, ret); 802 if (ticklen) { 803 memcpy(ret, s->session->tlsext_tick, ticklen); 804 ret += ticklen; 805 } 806 } 807 skip_ext: 808 809 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 810 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 811 return NULL; 812 813 s2n(TLSEXT_TYPE_signature_algorithms, ret); 814 s2n(sizeof(tls12_sigalgs) + 2, ret); 815 s2n(sizeof(tls12_sigalgs), ret); 816 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 817 ret += sizeof(tls12_sigalgs); 818 } 819 820 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 821 s->version != DTLS1_VERSION) { 822 int i; 823 long extlen, idlen, itmp; 824 OCSP_RESPID *id; 825 826 idlen = 0; 827 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 828 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 829 itmp = i2d_OCSP_RESPID(id, NULL); 830 if (itmp <= 0) 831 return NULL; 832 idlen += itmp + 2; 833 } 834 835 if (s->tlsext_ocsp_exts) { 836 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 837 if (extlen < 0) 838 return NULL; 839 } else 840 extlen = 0; 841 842 if ((size_t)(limit - ret) < 7 + extlen + idlen) 843 return NULL; 844 s2n(TLSEXT_TYPE_status_request, ret); 845 if (extlen + idlen > 0xFFF0) 846 return NULL; 847 s2n(extlen + idlen + 5, ret); 848 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 849 s2n(idlen, ret); 850 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 851 /* save position of id len */ 852 unsigned char *q = ret; 853 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 854 /* skip over id len */ 855 ret += 2; 856 itmp = i2d_OCSP_RESPID(id, &ret); 857 /* write id len */ 858 s2n(itmp, q); 859 } 860 s2n(extlen, ret); 861 if (extlen > 0) 862 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 863 } 864 865 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 866 /* The client advertises an emtpy extension to indicate its 867 * support for Next Protocol Negotiation */ 868 if ((size_t)(limit - ret) < 4) 869 return NULL; 870 s2n(TLSEXT_TYPE_next_proto_neg, ret); 871 s2n(0, ret); 872 } 873 874 if (s->alpn_client_proto_list != NULL && 875 s->s3->tmp.finish_md_len == 0) { 876 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 877 return (NULL); 878 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 879 s2n(2 + s->alpn_client_proto_list_len, ret); 880 s2n(s->alpn_client_proto_list_len, ret); 881 memcpy(ret, s->alpn_client_proto_list, 882 s->alpn_client_proto_list_len); 883 ret += s->alpn_client_proto_list_len; 884 } 885 886 #ifndef OPENSSL_NO_SRTP 887 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 888 int el; 889 890 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 891 892 if ((size_t)(limit - ret) < 4 + el) 893 return NULL; 894 895 s2n(TLSEXT_TYPE_use_srtp, ret); 896 s2n(el, ret); 897 898 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 899 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 900 ERR_R_INTERNAL_ERROR); 901 return NULL; 902 } 903 ret += el; 904 } 905 #endif 906 907 /* 908 * Add padding to workaround bugs in F5 terminators. 909 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 910 * 911 * Note that this seems to trigger issues with IronPort SMTP 912 * appliances. 913 * 914 * NB: because this code works out the length of all existing 915 * extensions it MUST always appear last. 916 */ 917 if (s->options & SSL_OP_TLSEXT_PADDING) { 918 int hlen = ret - (unsigned char *)s->init_buf->data; 919 920 /* 921 * The code in s23_clnt.c to build ClientHello messages 922 * includes the 5-byte record header in the buffer, while the 923 * code in s3_clnt.c does not. 924 */ 925 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 926 hlen -= 5; 927 if (hlen > 0xff && hlen < 0x200) { 928 hlen = 0x200 - hlen; 929 if (hlen >= 4) 930 hlen -= 4; 931 else 932 hlen = 0; 933 934 s2n(TLSEXT_TYPE_padding, ret); 935 s2n(hlen, ret); 936 memset(ret, 0, hlen); 937 ret += hlen; 938 } 939 } 940 941 if ((extdatalen = ret - p - 2) == 0) 942 return p; 943 944 s2n(extdatalen, p); 945 return ret; 946 } 947 948 unsigned char * 949 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 950 { 951 int using_ecc, extdatalen = 0; 952 unsigned long alg_a, alg_k; 953 unsigned char *ret = p; 954 int next_proto_neg_seen; 955 956 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 957 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 958 using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) && 959 s->session->tlsext_ecpointformatlist != NULL; 960 961 ret += 2; 962 if (ret >= limit) 963 return NULL; /* this really never occurs, but ... */ 964 965 if (!s->hit && s->servername_done == 1 && 966 s->session->tlsext_hostname != NULL) { 967 if ((size_t)(limit - ret) < 4) 968 return NULL; 969 970 s2n(TLSEXT_TYPE_server_name, ret); 971 s2n(0, ret); 972 } 973 974 if (s->s3->send_connection_binding) { 975 int el; 976 977 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 978 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 979 ERR_R_INTERNAL_ERROR); 980 return NULL; 981 } 982 983 if ((size_t)(limit - ret) < 4 + el) 984 return NULL; 985 986 s2n(TLSEXT_TYPE_renegotiate, ret); 987 s2n(el, ret); 988 989 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 990 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 991 ERR_R_INTERNAL_ERROR); 992 return NULL; 993 } 994 995 ret += el; 996 } 997 998 if (using_ecc && s->version != DTLS1_VERSION) { 999 const unsigned char *formats; 1000 size_t formatslen, lenmax; 1001 1002 /* 1003 * Add TLS extension ECPointFormats to the ServerHello message. 1004 */ 1005 tls1_get_formatlist(s, 0, &formats, &formatslen); 1006 1007 if ((size_t)(limit - ret) < 5) 1008 return NULL; 1009 1010 lenmax = limit - ret - 5; 1011 if (formatslen > lenmax) 1012 return NULL; 1013 if (formatslen > 255) { 1014 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1015 ERR_R_INTERNAL_ERROR); 1016 return NULL; 1017 } 1018 1019 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1020 s2n(formatslen + 1, ret); 1021 *(ret++) = (unsigned char)formatslen; 1022 memcpy(ret, formats, formatslen); 1023 ret += formatslen; 1024 } 1025 1026 /* 1027 * Currently the server should not respond with a SupportedCurves 1028 * extension. 1029 */ 1030 1031 if (s->tlsext_ticket_expected && 1032 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1033 if ((size_t)(limit - ret) < 4) 1034 return NULL; 1035 1036 s2n(TLSEXT_TYPE_session_ticket, ret); 1037 s2n(0, ret); 1038 } 1039 1040 if (s->tlsext_status_expected) { 1041 if ((size_t)(limit - ret) < 4) 1042 return NULL; 1043 1044 s2n(TLSEXT_TYPE_status_request, ret); 1045 s2n(0, ret); 1046 } 1047 1048 #ifndef OPENSSL_NO_SRTP 1049 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1050 int el; 1051 1052 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1053 1054 if ((size_t)(limit - ret) < 4 + el) 1055 return NULL; 1056 1057 s2n(TLSEXT_TYPE_use_srtp, ret); 1058 s2n(el, ret); 1059 1060 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1061 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1062 ERR_R_INTERNAL_ERROR); 1063 return NULL; 1064 } 1065 ret += el; 1066 } 1067 #endif 1068 1069 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1070 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1071 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1072 static const unsigned char cryptopro_ext[36] = { 1073 0xfd, 0xe8, /*65000*/ 1074 0x00, 0x20, /*32 bytes length*/ 1075 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1076 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1077 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1078 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1079 }; 1080 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1081 return NULL; 1082 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1083 ret += sizeof(cryptopro_ext); 1084 } 1085 1086 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1087 s->s3->next_proto_neg_seen = 0; 1088 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1089 const unsigned char *npa; 1090 unsigned int npalen; 1091 int r; 1092 1093 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1094 s->ctx->next_protos_advertised_cb_arg); 1095 if (r == SSL_TLSEXT_ERR_OK) { 1096 if ((size_t)(limit - ret) < 4 + npalen) 1097 return NULL; 1098 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1099 s2n(npalen, ret); 1100 memcpy(ret, npa, npalen); 1101 ret += npalen; 1102 s->s3->next_proto_neg_seen = 1; 1103 } 1104 } 1105 1106 if (s->s3->alpn_selected != NULL) { 1107 const unsigned char *selected = s->s3->alpn_selected; 1108 unsigned int len = s->s3->alpn_selected_len; 1109 1110 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1111 return (NULL); 1112 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1113 s2n(3 + len, ret); 1114 s2n(1 + len, ret); 1115 *ret++ = len; 1116 memcpy(ret, selected, len); 1117 ret += len; 1118 } 1119 1120 if ((extdatalen = ret - p - 2) == 0) 1121 return p; 1122 1123 s2n(extdatalen, p); 1124 return ret; 1125 } 1126 1127 /* 1128 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1129 * ClientHello. 1130 * data: the contents of the extension, not including the type and length. 1131 * data_len: the number of bytes in data. 1132 * al: a pointer to the alert value to send in the event of a non-zero 1133 * return. 1134 * returns: 1 on success. 1135 */ 1136 static int 1137 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1138 unsigned int data_len, int *al) 1139 { 1140 CBS cbs, proto_name_list, alpn; 1141 const unsigned char *selected; 1142 unsigned char selected_len; 1143 int r; 1144 1145 if (s->ctx->alpn_select_cb == NULL) 1146 return (1); 1147 1148 if (data_len < 2) 1149 goto parse_error; 1150 1151 CBS_init(&cbs, data, data_len); 1152 1153 /* 1154 * data should contain a uint16 length followed by a series of 8-bit, 1155 * length-prefixed strings. 1156 */ 1157 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1158 CBS_len(&alpn) < 2 || 1159 CBS_len(&cbs) != 0) 1160 goto parse_error; 1161 1162 /* Validate data before sending to callback. */ 1163 CBS_dup(&alpn, &proto_name_list); 1164 while (CBS_len(&proto_name_list) > 0) { 1165 CBS proto_name; 1166 1167 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1168 CBS_len(&proto_name) == 0) 1169 goto parse_error; 1170 } 1171 1172 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1173 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1174 if (r == SSL_TLSEXT_ERR_OK) { 1175 free(s->s3->alpn_selected); 1176 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1177 *al = SSL_AD_INTERNAL_ERROR; 1178 return (-1); 1179 } 1180 memcpy(s->s3->alpn_selected, selected, selected_len); 1181 s->s3->alpn_selected_len = selected_len; 1182 } 1183 1184 return (1); 1185 1186 parse_error: 1187 *al = SSL_AD_DECODE_ERROR; 1188 return (0); 1189 } 1190 1191 int 1192 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1193 int n, int *al) 1194 { 1195 unsigned short type; 1196 unsigned short size; 1197 unsigned short len; 1198 unsigned char *data = *p; 1199 unsigned char *end = d + n; 1200 int renegotiate_seen = 0; 1201 int sigalg_seen = 0; 1202 1203 s->servername_done = 0; 1204 s->tlsext_status_type = -1; 1205 s->s3->next_proto_neg_seen = 0; 1206 free(s->s3->alpn_selected); 1207 s->s3->alpn_selected = NULL; 1208 s->srtp_profile = NULL; 1209 1210 if (data == end) 1211 goto ri_check; 1212 1213 if (end - data < 2) 1214 goto err; 1215 n2s(data, len); 1216 1217 if (end - data != len) 1218 goto err; 1219 1220 while (end - data >= 4) { 1221 n2s(data, type); 1222 n2s(data, size); 1223 1224 if (end - data < size) 1225 goto err; 1226 1227 if (s->tlsext_debug_cb) 1228 s->tlsext_debug_cb(s, 0, type, data, size, 1229 s->tlsext_debug_arg); 1230 /* The servername extension is treated as follows: 1231 1232 - Only the hostname type is supported with a maximum length of 255. 1233 - The servername is rejected if too long or if it contains zeros, 1234 in which case an fatal alert is generated. 1235 - The servername field is maintained together with the session cache. 1236 - When a session is resumed, the servername call back invoked in order 1237 to allow the application to position itself to the right context. 1238 - The servername is acknowledged if it is new for a session or when 1239 it is identical to a previously used for the same session. 1240 Applications can control the behaviour. They can at any time 1241 set a 'desirable' servername for a new SSL object. This can be the 1242 case for example with HTTPS when a Host: header field is received and 1243 a renegotiation is requested. In this case, a possible servername 1244 presented in the new client hello is only acknowledged if it matches 1245 the value of the Host: field. 1246 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1247 if they provide for changing an explicit servername context for the session, 1248 i.e. when the session has been established with a servername extension. 1249 - On session reconnect, the servername extension may be absent. 1250 1251 */ 1252 1253 if (type == TLSEXT_TYPE_server_name) { 1254 unsigned char *sdata; 1255 int servname_type; 1256 int dsize; 1257 1258 if (size < 2) { 1259 *al = SSL_AD_DECODE_ERROR; 1260 return 0; 1261 } 1262 n2s(data, dsize); 1263 1264 size -= 2; 1265 if (dsize > size) { 1266 *al = SSL_AD_DECODE_ERROR; 1267 return 0; 1268 } 1269 1270 sdata = data; 1271 while (dsize > 3) { 1272 servname_type = *(sdata++); 1273 1274 n2s(sdata, len); 1275 dsize -= 3; 1276 1277 if (len > dsize) { 1278 *al = SSL_AD_DECODE_ERROR; 1279 return 0; 1280 } 1281 if (s->servername_done == 0) 1282 switch (servname_type) { 1283 case TLSEXT_NAMETYPE_host_name: 1284 if (!s->hit) { 1285 if (s->session->tlsext_hostname) { 1286 *al = SSL_AD_DECODE_ERROR; 1287 return 0; 1288 } 1289 if (len > TLSEXT_MAXLEN_host_name) { 1290 *al = TLS1_AD_UNRECOGNIZED_NAME; 1291 return 0; 1292 } 1293 if ((s->session->tlsext_hostname = 1294 malloc(len + 1)) == NULL) { 1295 *al = TLS1_AD_INTERNAL_ERROR; 1296 return 0; 1297 } 1298 memcpy(s->session->tlsext_hostname, sdata, len); 1299 s->session->tlsext_hostname[len] = '\0'; 1300 if (strlen(s->session->tlsext_hostname) != len) { 1301 free(s->session->tlsext_hostname); 1302 s->session->tlsext_hostname = NULL; 1303 *al = TLS1_AD_UNRECOGNIZED_NAME; 1304 return 0; 1305 } 1306 s->servername_done = 1; 1307 1308 1309 } else { 1310 s->servername_done = s->session->tlsext_hostname && 1311 strlen(s->session->tlsext_hostname) == len && 1312 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1313 } 1314 break; 1315 1316 default: 1317 break; 1318 } 1319 1320 dsize -= len; 1321 } 1322 if (dsize != 0) { 1323 *al = SSL_AD_DECODE_ERROR; 1324 return 0; 1325 } 1326 1327 } 1328 1329 else if (type == TLSEXT_TYPE_ec_point_formats && 1330 s->version != DTLS1_VERSION) { 1331 unsigned char *sdata = data; 1332 size_t formatslen; 1333 uint8_t *formats; 1334 1335 if (size < 1) { 1336 *al = TLS1_AD_DECODE_ERROR; 1337 return 0; 1338 } 1339 formatslen = *(sdata++); 1340 if (formatslen != size - 1) { 1341 *al = TLS1_AD_DECODE_ERROR; 1342 return 0; 1343 } 1344 1345 if (!s->hit) { 1346 free(s->session->tlsext_ecpointformatlist); 1347 s->session->tlsext_ecpointformatlist = NULL; 1348 s->session->tlsext_ecpointformatlist_length = 0; 1349 1350 if ((formats = reallocarray(NULL, formatslen, 1351 sizeof(uint8_t))) == NULL) { 1352 *al = TLS1_AD_INTERNAL_ERROR; 1353 return 0; 1354 } 1355 memcpy(formats, sdata, formatslen); 1356 s->session->tlsext_ecpointformatlist = formats; 1357 s->session->tlsext_ecpointformatlist_length = 1358 formatslen; 1359 } 1360 } else if (type == TLSEXT_TYPE_elliptic_curves && 1361 s->version != DTLS1_VERSION) { 1362 unsigned char *sdata = data; 1363 size_t curveslen, i; 1364 uint16_t *curves; 1365 1366 if (size < 2) { 1367 *al = TLS1_AD_DECODE_ERROR; 1368 return 0; 1369 } 1370 n2s(sdata, curveslen); 1371 if (curveslen != size - 2 || curveslen % 2 != 0) { 1372 *al = TLS1_AD_DECODE_ERROR; 1373 return 0; 1374 } 1375 curveslen /= 2; 1376 1377 if (!s->hit) { 1378 if (s->session->tlsext_ellipticcurvelist) { 1379 *al = TLS1_AD_DECODE_ERROR; 1380 return 0; 1381 } 1382 s->session->tlsext_ellipticcurvelist_length = 0; 1383 if ((curves = reallocarray(NULL, curveslen, 1384 sizeof(uint16_t))) == NULL) { 1385 *al = TLS1_AD_INTERNAL_ERROR; 1386 return 0; 1387 } 1388 for (i = 0; i < curveslen; i++) 1389 n2s(sdata, curves[i]); 1390 s->session->tlsext_ellipticcurvelist = curves; 1391 s->session->tlsext_ellipticcurvelist_length = curveslen; 1392 } 1393 } 1394 else if (type == TLSEXT_TYPE_session_ticket) { 1395 if (s->tls_session_ticket_ext_cb && 1396 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1397 *al = TLS1_AD_INTERNAL_ERROR; 1398 return 0; 1399 } 1400 } else if (type == TLSEXT_TYPE_renegotiate) { 1401 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1402 return 0; 1403 renegotiate_seen = 1; 1404 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1405 int dsize; 1406 if (sigalg_seen || size < 2) { 1407 *al = SSL_AD_DECODE_ERROR; 1408 return 0; 1409 } 1410 sigalg_seen = 1; 1411 n2s(data, dsize); 1412 size -= 2; 1413 if (dsize != size || dsize & 1) { 1414 *al = SSL_AD_DECODE_ERROR; 1415 return 0; 1416 } 1417 if (!tls1_process_sigalgs(s, data, dsize)) { 1418 *al = SSL_AD_DECODE_ERROR; 1419 return 0; 1420 } 1421 } else if (type == TLSEXT_TYPE_status_request && 1422 s->version != DTLS1_VERSION) { 1423 1424 if (size < 5) { 1425 *al = SSL_AD_DECODE_ERROR; 1426 return 0; 1427 } 1428 1429 s->tlsext_status_type = *data++; 1430 size--; 1431 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1432 const unsigned char *sdata; 1433 int dsize; 1434 /* Read in responder_id_list */ 1435 n2s(data, dsize); 1436 size -= 2; 1437 if (dsize > size) { 1438 *al = SSL_AD_DECODE_ERROR; 1439 return 0; 1440 } 1441 1442 /* 1443 * We remove any OCSP_RESPIDs from a 1444 * previous handshake to prevent 1445 * unbounded memory growth. 1446 */ 1447 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1448 OCSP_RESPID_free); 1449 s->tlsext_ocsp_ids = NULL; 1450 if (dsize > 0) { 1451 s->tlsext_ocsp_ids = 1452 sk_OCSP_RESPID_new_null(); 1453 if (s->tlsext_ocsp_ids == NULL) { 1454 *al = SSL_AD_INTERNAL_ERROR; 1455 return 0; 1456 } 1457 } 1458 1459 while (dsize > 0) { 1460 OCSP_RESPID *id; 1461 int idsize; 1462 if (dsize < 4) { 1463 *al = SSL_AD_DECODE_ERROR; 1464 return 0; 1465 } 1466 n2s(data, idsize); 1467 dsize -= 2 + idsize; 1468 size -= 2 + idsize; 1469 if (dsize < 0) { 1470 *al = SSL_AD_DECODE_ERROR; 1471 return 0; 1472 } 1473 sdata = data; 1474 data += idsize; 1475 id = d2i_OCSP_RESPID(NULL, 1476 &sdata, idsize); 1477 if (!id) { 1478 *al = SSL_AD_DECODE_ERROR; 1479 return 0; 1480 } 1481 if (data != sdata) { 1482 OCSP_RESPID_free(id); 1483 *al = SSL_AD_DECODE_ERROR; 1484 return 0; 1485 } 1486 if (!sk_OCSP_RESPID_push( 1487 s->tlsext_ocsp_ids, id)) { 1488 OCSP_RESPID_free(id); 1489 *al = SSL_AD_INTERNAL_ERROR; 1490 return 0; 1491 } 1492 } 1493 1494 /* Read in request_extensions */ 1495 if (size < 2) { 1496 *al = SSL_AD_DECODE_ERROR; 1497 return 0; 1498 } 1499 n2s(data, dsize); 1500 size -= 2; 1501 if (dsize != size) { 1502 *al = SSL_AD_DECODE_ERROR; 1503 return 0; 1504 } 1505 sdata = data; 1506 if (dsize > 0) { 1507 if (s->tlsext_ocsp_exts) { 1508 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1509 X509_EXTENSION_free); 1510 } 1511 1512 s->tlsext_ocsp_exts = 1513 d2i_X509_EXTENSIONS(NULL, 1514 &sdata, dsize); 1515 if (!s->tlsext_ocsp_exts || 1516 (data + dsize != sdata)) { 1517 *al = SSL_AD_DECODE_ERROR; 1518 return 0; 1519 } 1520 } 1521 } else { 1522 /* We don't know what to do with any other type 1523 * so ignore it. 1524 */ 1525 s->tlsext_status_type = -1; 1526 } 1527 } 1528 else if (type == TLSEXT_TYPE_next_proto_neg && 1529 s->s3->tmp.finish_md_len == 0 && 1530 s->s3->alpn_selected == NULL) { 1531 /* We shouldn't accept this extension on a 1532 * renegotiation. 1533 * 1534 * s->new_session will be set on renegotiation, but we 1535 * probably shouldn't rely that it couldn't be set on 1536 * the initial renegotation too in certain cases (when 1537 * there's some other reason to disallow resuming an 1538 * earlier session -- the current code won't be doing 1539 * anything like that, but this might change). 1540 1541 * A valid sign that there's been a previous handshake 1542 * in this connection is if s->s3->tmp.finish_md_len > 1543 * 0. (We are talking about a check that will happen 1544 * in the Hello protocol round, well before a new 1545 * Finished message could have been computed.) */ 1546 s->s3->next_proto_neg_seen = 1; 1547 } 1548 else if (type == 1549 TLSEXT_TYPE_application_layer_protocol_negotiation && 1550 s->ctx->alpn_select_cb != NULL && 1551 s->s3->tmp.finish_md_len == 0) { 1552 if (tls1_alpn_handle_client_hello(s, data, 1553 size, al) != 1) 1554 return (0); 1555 /* ALPN takes precedence over NPN. */ 1556 s->s3->next_proto_neg_seen = 0; 1557 } 1558 1559 /* session ticket processed earlier */ 1560 #ifndef OPENSSL_NO_SRTP 1561 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1562 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1563 return 0; 1564 } 1565 #endif 1566 1567 data += size; 1568 } 1569 1570 /* Spurious data on the end */ 1571 if (data != end) 1572 goto err; 1573 1574 *p = data; 1575 1576 ri_check: 1577 1578 /* Need RI if renegotiating */ 1579 1580 if (!renegotiate_seen && s->renegotiate) { 1581 *al = SSL_AD_HANDSHAKE_FAILURE; 1582 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1583 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1584 return 0; 1585 } 1586 1587 return 1; 1588 1589 err: 1590 *al = SSL_AD_DECODE_ERROR; 1591 return 0; 1592 } 1593 1594 /* 1595 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1596 * elements of zero length are allowed and the set of elements must exactly fill 1597 * the length of the block. 1598 */ 1599 static char 1600 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1601 { 1602 CBS npn, value; 1603 1604 CBS_init(&npn, d, len); 1605 while (CBS_len(&npn) > 0) { 1606 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1607 CBS_len(&value) == 0) 1608 return 0; 1609 } 1610 return 1; 1611 } 1612 1613 int 1614 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) 1615 { 1616 unsigned short type; 1617 unsigned short size; 1618 unsigned short len; 1619 unsigned char *data = *p; 1620 unsigned char *end = *p + n; 1621 int tlsext_servername = 0; 1622 int renegotiate_seen = 0; 1623 1624 s->s3->next_proto_neg_seen = 0; 1625 free(s->s3->alpn_selected); 1626 s->s3->alpn_selected = NULL; 1627 1628 if (data == end) 1629 goto ri_check; 1630 1631 if (end - data < 2) 1632 goto err; 1633 n2s(data, len); 1634 1635 if (end - data != len) 1636 goto err; 1637 1638 while (end - data >= 4) { 1639 n2s(data, type); 1640 n2s(data, size); 1641 1642 if (end - data < size) 1643 goto err; 1644 1645 if (s->tlsext_debug_cb) 1646 s->tlsext_debug_cb(s, 1, type, data, size, 1647 s->tlsext_debug_arg); 1648 1649 if (type == TLSEXT_TYPE_server_name) { 1650 if (s->tlsext_hostname == NULL || size > 0) { 1651 *al = TLS1_AD_UNRECOGNIZED_NAME; 1652 return 0; 1653 } 1654 tlsext_servername = 1; 1655 1656 } 1657 else if (type == TLSEXT_TYPE_ec_point_formats && 1658 s->version != DTLS1_VERSION) { 1659 unsigned char *sdata = data; 1660 size_t formatslen; 1661 uint8_t *formats; 1662 1663 if (size < 1) { 1664 *al = TLS1_AD_DECODE_ERROR; 1665 return 0; 1666 } 1667 formatslen = *(sdata++); 1668 if (formatslen != size - 1) { 1669 *al = TLS1_AD_DECODE_ERROR; 1670 return 0; 1671 } 1672 1673 if (!s->hit) { 1674 free(s->session->tlsext_ecpointformatlist); 1675 s->session->tlsext_ecpointformatlist = NULL; 1676 s->session->tlsext_ecpointformatlist_length = 0; 1677 1678 if ((formats = reallocarray(NULL, formatslen, 1679 sizeof(uint8_t))) == NULL) { 1680 *al = TLS1_AD_INTERNAL_ERROR; 1681 return 0; 1682 } 1683 memcpy(formats, sdata, formatslen); 1684 s->session->tlsext_ecpointformatlist = formats; 1685 s->session->tlsext_ecpointformatlist_length = 1686 formatslen; 1687 } 1688 } 1689 else if (type == TLSEXT_TYPE_session_ticket) { 1690 if (s->tls_session_ticket_ext_cb && 1691 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1692 *al = TLS1_AD_INTERNAL_ERROR; 1693 return 0; 1694 } 1695 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1696 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1697 return 0; 1698 } 1699 s->tlsext_ticket_expected = 1; 1700 } 1701 else if (type == TLSEXT_TYPE_status_request && 1702 s->version != DTLS1_VERSION) { 1703 /* MUST be empty and only sent if we've requested 1704 * a status request message. 1705 */ 1706 if ((s->tlsext_status_type == -1) || (size > 0)) { 1707 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1708 return 0; 1709 } 1710 /* Set flag to expect CertificateStatus message */ 1711 s->tlsext_status_expected = 1; 1712 } 1713 else if (type == TLSEXT_TYPE_next_proto_neg && 1714 s->s3->tmp.finish_md_len == 0) { 1715 unsigned char *selected; 1716 unsigned char selected_len; 1717 1718 /* We must have requested it. */ 1719 if (s->ctx->next_proto_select_cb == NULL) { 1720 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1721 return 0; 1722 } 1723 /* The data must be valid */ 1724 if (!ssl_next_proto_validate(data, size)) { 1725 *al = TLS1_AD_DECODE_ERROR; 1726 return 0; 1727 } 1728 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1729 *al = TLS1_AD_INTERNAL_ERROR; 1730 return 0; 1731 } 1732 s->next_proto_negotiated = malloc(selected_len); 1733 if (!s->next_proto_negotiated) { 1734 *al = TLS1_AD_INTERNAL_ERROR; 1735 return 0; 1736 } 1737 memcpy(s->next_proto_negotiated, selected, selected_len); 1738 s->next_proto_negotiated_len = selected_len; 1739 s->s3->next_proto_neg_seen = 1; 1740 } 1741 else if (type == 1742 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1743 unsigned int len; 1744 1745 /* We must have requested it. */ 1746 if (s->alpn_client_proto_list == NULL) { 1747 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1748 return 0; 1749 } 1750 if (size < 4) { 1751 *al = TLS1_AD_DECODE_ERROR; 1752 return (0); 1753 } 1754 1755 /* The extension data consists of: 1756 * uint16 list_length 1757 * uint8 proto_length; 1758 * uint8 proto[proto_length]; */ 1759 len = ((unsigned int)data[0]) << 8 | 1760 ((unsigned int)data[1]); 1761 if (len != (unsigned int)size - 2) { 1762 *al = TLS1_AD_DECODE_ERROR; 1763 return (0); 1764 } 1765 len = data[2]; 1766 if (len != (unsigned int)size - 3) { 1767 *al = TLS1_AD_DECODE_ERROR; 1768 return (0); 1769 } 1770 free(s->s3->alpn_selected); 1771 s->s3->alpn_selected = malloc(len); 1772 if (s->s3->alpn_selected == NULL) { 1773 *al = TLS1_AD_INTERNAL_ERROR; 1774 return (0); 1775 } 1776 memcpy(s->s3->alpn_selected, data + 3, len); 1777 s->s3->alpn_selected_len = len; 1778 1779 } else if (type == TLSEXT_TYPE_renegotiate) { 1780 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1781 return 0; 1782 renegotiate_seen = 1; 1783 } 1784 #ifndef OPENSSL_NO_SRTP 1785 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1786 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1787 size, al)) 1788 return 0; 1789 } 1790 #endif 1791 1792 data += size; 1793 1794 } 1795 1796 if (data != end) { 1797 *al = SSL_AD_DECODE_ERROR; 1798 return 0; 1799 } 1800 1801 if (!s->hit && tlsext_servername == 1) { 1802 if (s->tlsext_hostname) { 1803 if (s->session->tlsext_hostname == NULL) { 1804 s->session->tlsext_hostname = 1805 strdup(s->tlsext_hostname); 1806 1807 if (!s->session->tlsext_hostname) { 1808 *al = SSL_AD_UNRECOGNIZED_NAME; 1809 return 0; 1810 } 1811 } else { 1812 *al = SSL_AD_DECODE_ERROR; 1813 return 0; 1814 } 1815 } 1816 } 1817 1818 *p = data; 1819 1820 ri_check: 1821 1822 /* Determine if we need to see RI. Strictly speaking if we want to 1823 * avoid an attack we should *always* see RI even on initial server 1824 * hello because the client doesn't see any renegotiation during an 1825 * attack. However this would mean we could not connect to any server 1826 * which doesn't support RI so for the immediate future tolerate RI 1827 * absence on initial connect only. 1828 */ 1829 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1830 *al = SSL_AD_HANDSHAKE_FAILURE; 1831 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1832 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1833 return 0; 1834 } 1835 1836 return 1; 1837 1838 err: 1839 *al = SSL_AD_DECODE_ERROR; 1840 return 0; 1841 } 1842 1843 int 1844 ssl_check_clienthello_tlsext_early(SSL *s) 1845 { 1846 int ret = SSL_TLSEXT_ERR_NOACK; 1847 int al = SSL_AD_UNRECOGNIZED_NAME; 1848 1849 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1850 * ssl3_choose_cipher in s3_lib.c. 1851 */ 1852 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1853 * ssl3_choose_cipher in s3_lib.c. 1854 */ 1855 1856 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1857 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1858 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1859 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1860 1861 switch (ret) { 1862 case SSL_TLSEXT_ERR_ALERT_FATAL: 1863 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1864 return -1; 1865 case SSL_TLSEXT_ERR_ALERT_WARNING: 1866 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1867 return 1; 1868 case SSL_TLSEXT_ERR_NOACK: 1869 s->servername_done = 0; 1870 default: 1871 return 1; 1872 } 1873 } 1874 1875 int 1876 ssl_check_clienthello_tlsext_late(SSL *s) 1877 { 1878 int ret = SSL_TLSEXT_ERR_OK; 1879 int al = 0; /* XXX gcc3 */ 1880 1881 /* If status request then ask callback what to do. 1882 * Note: this must be called after servername callbacks in case 1883 * the certificate has changed, and must be called after the cipher 1884 * has been chosen because this may influence which certificate is sent 1885 */ 1886 if ((s->tlsext_status_type != -1) && 1887 s->ctx && s->ctx->tlsext_status_cb) { 1888 int r; 1889 CERT_PKEY *certpkey; 1890 certpkey = ssl_get_server_send_pkey(s); 1891 /* If no certificate can't return certificate status */ 1892 if (certpkey == NULL) { 1893 s->tlsext_status_expected = 0; 1894 return 1; 1895 } 1896 /* Set current certificate to one we will use so 1897 * SSL_get_certificate et al can pick it up. 1898 */ 1899 s->cert->key = certpkey; 1900 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1901 switch (r) { 1902 /* We don't want to send a status request response */ 1903 case SSL_TLSEXT_ERR_NOACK: 1904 s->tlsext_status_expected = 0; 1905 break; 1906 /* status request response should be sent */ 1907 case SSL_TLSEXT_ERR_OK: 1908 if (s->tlsext_ocsp_resp) 1909 s->tlsext_status_expected = 1; 1910 else 1911 s->tlsext_status_expected = 0; 1912 break; 1913 /* something bad happened */ 1914 case SSL_TLSEXT_ERR_ALERT_FATAL: 1915 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1916 al = SSL_AD_INTERNAL_ERROR; 1917 goto err; 1918 } 1919 } else 1920 s->tlsext_status_expected = 0; 1921 1922 err: 1923 switch (ret) { 1924 case SSL_TLSEXT_ERR_ALERT_FATAL: 1925 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1926 return -1; 1927 case SSL_TLSEXT_ERR_ALERT_WARNING: 1928 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1929 return 1; 1930 default: 1931 return 1; 1932 } 1933 } 1934 1935 int 1936 ssl_check_serverhello_tlsext(SSL *s) 1937 { 1938 int ret = SSL_TLSEXT_ERR_NOACK; 1939 int al = SSL_AD_UNRECOGNIZED_NAME; 1940 1941 /* If we are client and using an elliptic curve cryptography cipher 1942 * suite, then if server returns an EC point formats lists extension 1943 * it must contain uncompressed. 1944 */ 1945 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1946 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1947 if ((s->tlsext_ecpointformatlist != NULL) && 1948 (s->tlsext_ecpointformatlist_length > 0) && 1949 (s->session->tlsext_ecpointformatlist != NULL) && 1950 (s->session->tlsext_ecpointformatlist_length > 0) && 1951 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1952 /* we are using an ECC cipher */ 1953 size_t i; 1954 unsigned char *list; 1955 int found_uncompressed = 0; 1956 list = s->session->tlsext_ecpointformatlist; 1957 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1958 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1959 found_uncompressed = 1; 1960 break; 1961 } 1962 } 1963 if (!found_uncompressed) { 1964 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1965 return -1; 1966 } 1967 } 1968 ret = SSL_TLSEXT_ERR_OK; 1969 1970 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1971 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1972 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1973 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1974 1975 /* If we've requested certificate status and we wont get one 1976 * tell the callback 1977 */ 1978 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1979 s->ctx && s->ctx->tlsext_status_cb) { 1980 int r; 1981 /* Set resp to NULL, resplen to -1 so callback knows 1982 * there is no response. 1983 */ 1984 free(s->tlsext_ocsp_resp); 1985 s->tlsext_ocsp_resp = NULL; 1986 s->tlsext_ocsp_resplen = -1; 1987 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1988 if (r == 0) { 1989 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1990 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 } 1992 if (r < 0) { 1993 al = SSL_AD_INTERNAL_ERROR; 1994 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1995 } 1996 } 1997 1998 switch (ret) { 1999 case SSL_TLSEXT_ERR_ALERT_FATAL: 2000 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2001 2002 return -1; 2003 case SSL_TLSEXT_ERR_ALERT_WARNING: 2004 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2005 2006 return 1; 2007 case SSL_TLSEXT_ERR_NOACK: 2008 s->servername_done = 0; 2009 default: 2010 return 1; 2011 } 2012 } 2013 2014 /* Since the server cache lookup is done early on in the processing of the 2015 * ClientHello, and other operations depend on the result, we need to handle 2016 * any TLS session ticket extension at the same time. 2017 * 2018 * session_id: points at the session ID in the ClientHello. This code will 2019 * read past the end of this in order to parse out the session ticket 2020 * extension, if any. 2021 * len: the length of the session ID. 2022 * limit: a pointer to the first byte after the ClientHello. 2023 * ret: (output) on return, if a ticket was decrypted, then this is set to 2024 * point to the resulting session. 2025 * 2026 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2027 * ciphersuite, in which case we have no use for session tickets and one will 2028 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2029 * 2030 * Returns: 2031 * -1: fatal error, either from parsing or decrypting the ticket. 2032 * 0: no ticket was found (or was ignored, based on settings). 2033 * 1: a zero length extension was found, indicating that the client supports 2034 * session tickets but doesn't currently have one to offer. 2035 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2036 * couldn't be decrypted because of a non-fatal error. 2037 * 3: a ticket was successfully decrypted and *ret was set. 2038 * 2039 * Side effects: 2040 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2041 * a new session ticket to the client because the client indicated support 2042 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2043 * a session ticket or we couldn't use the one it gave us, or if 2044 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2045 * Otherwise, s->tlsext_ticket_expected is set to 0. 2046 */ 2047 int 2048 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2049 const unsigned char *limit, SSL_SESSION **ret) 2050 { 2051 /* Point after session ID in client hello */ 2052 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2053 2054 *ret = NULL; 2055 s->tlsext_ticket_expected = 0; 2056 2057 /* If tickets disabled behave as if no ticket present 2058 * to permit stateful resumption. 2059 */ 2060 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2061 return 0; 2062 if (!limit) 2063 return 0; 2064 2065 if (limit < session) 2066 return -1; 2067 2068 CBS_init(&session_id, session, limit - session); 2069 2070 /* Skip past the session id */ 2071 if (!CBS_skip(&session_id, session_len)) 2072 return -1; 2073 2074 /* Skip past DTLS cookie */ 2075 if (SSL_IS_DTLS(s)) { 2076 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2077 return -1; 2078 } 2079 2080 /* Skip past cipher list */ 2081 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2082 return -1; 2083 2084 /* Skip past compression algorithm list */ 2085 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2086 return -1; 2087 2088 /* Now at start of extensions */ 2089 if (CBS_len(&session_id) == 0) 2090 return 0; 2091 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2092 return -1; 2093 2094 while (CBS_len(&extensions) > 0) { 2095 CBS ext_data; 2096 uint16_t ext_type; 2097 2098 if (!CBS_get_u16(&extensions, &ext_type) || 2099 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2100 return -1; 2101 2102 if (ext_type == TLSEXT_TYPE_session_ticket) { 2103 int r; 2104 if (CBS_len(&ext_data) == 0) { 2105 /* The client will accept a ticket but doesn't 2106 * currently have one. */ 2107 s->tlsext_ticket_expected = 1; 2108 return 1; 2109 } 2110 if (s->tls_session_secret_cb) { 2111 /* Indicate that the ticket couldn't be 2112 * decrypted rather than generating the session 2113 * from ticket now, trigger abbreviated 2114 * handshake based on external mechanism to 2115 * calculate the master secret later. */ 2116 return 2; 2117 } 2118 2119 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2120 CBS_len(&ext_data), session, session_len, ret); 2121 2122 switch (r) { 2123 case 2: /* ticket couldn't be decrypted */ 2124 s->tlsext_ticket_expected = 1; 2125 return 2; 2126 case 3: /* ticket was decrypted */ 2127 return r; 2128 case 4: /* ticket decrypted but need to renew */ 2129 s->tlsext_ticket_expected = 1; 2130 return 3; 2131 default: /* fatal error */ 2132 return -1; 2133 } 2134 } 2135 } 2136 return 0; 2137 } 2138 2139 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2140 * 2141 * etick: points to the body of the session ticket extension. 2142 * eticklen: the length of the session tickets extenion. 2143 * sess_id: points at the session ID. 2144 * sesslen: the length of the session ID. 2145 * psess: (output) on return, if a ticket was decrypted, then this is set to 2146 * point to the resulting session. 2147 * 2148 * Returns: 2149 * -1: fatal error, either from parsing or decrypting the ticket. 2150 * 2: the ticket couldn't be decrypted. 2151 * 3: a ticket was successfully decrypted and *psess was set. 2152 * 4: same as 3, but the ticket needs to be renewed. 2153 */ 2154 static int 2155 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2156 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2157 { 2158 SSL_SESSION *sess; 2159 unsigned char *sdec; 2160 const unsigned char *p; 2161 int slen, mlen, renew_ticket = 0; 2162 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2163 HMAC_CTX hctx; 2164 EVP_CIPHER_CTX ctx; 2165 SSL_CTX *tctx = s->initial_ctx; 2166 2167 /* 2168 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 2169 * the iv to tlsext_ticket_key_cb(). Since the total space 2170 * required for a session cookie is never less than this, 2171 * this check isn't too strict. The exact check comes later. 2172 */ 2173 if (eticklen < 16 + EVP_MAX_IV_LENGTH) 2174 return 2; 2175 2176 /* Initialize session ticket encryption and HMAC contexts */ 2177 HMAC_CTX_init(&hctx); 2178 EVP_CIPHER_CTX_init(&ctx); 2179 if (tctx->tlsext_ticket_key_cb) { 2180 unsigned char *nctick = (unsigned char *)etick; 2181 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2182 &ctx, &hctx, 0); 2183 if (rv < 0) { 2184 HMAC_CTX_cleanup(&hctx); 2185 EVP_CIPHER_CTX_cleanup(&ctx); 2186 return -1; 2187 } 2188 if (rv == 0) { 2189 HMAC_CTX_cleanup(&hctx); 2190 EVP_CIPHER_CTX_cleanup(&ctx); 2191 return 2; 2192 } 2193 if (rv == 2) 2194 renew_ticket = 1; 2195 } else { 2196 /* Check key name matches */ 2197 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2198 return 2; 2199 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2200 tlsext_tick_md(), NULL); 2201 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2202 tctx->tlsext_tick_aes_key, etick + 16); 2203 } 2204 2205 /* 2206 * Attempt to process session ticket, first conduct sanity and 2207 * integrity checks on ticket. 2208 */ 2209 mlen = HMAC_size(&hctx); 2210 if (mlen < 0) { 2211 HMAC_CTX_cleanup(&hctx); 2212 EVP_CIPHER_CTX_cleanup(&ctx); 2213 return -1; 2214 } 2215 2216 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2217 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2218 HMAC_CTX_cleanup(&hctx); 2219 EVP_CIPHER_CTX_cleanup(&ctx); 2220 return 2; 2221 } 2222 eticklen -= mlen; 2223 2224 /* Check HMAC of encrypted ticket */ 2225 if (HMAC_Update(&hctx, etick, eticklen) <= 0 || 2226 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2227 HMAC_CTX_cleanup(&hctx); 2228 EVP_CIPHER_CTX_cleanup(&ctx); 2229 return -1; 2230 } 2231 2232 HMAC_CTX_cleanup(&hctx); 2233 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2234 EVP_CIPHER_CTX_cleanup(&ctx); 2235 return 2; 2236 } 2237 2238 /* Attempt to decrypt session data */ 2239 /* Move p after IV to start of encrypted ticket, update length */ 2240 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2241 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2242 sdec = malloc(eticklen); 2243 if (sdec == NULL || 2244 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2245 free(sdec); 2246 EVP_CIPHER_CTX_cleanup(&ctx); 2247 return -1; 2248 } 2249 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2250 free(sdec); 2251 EVP_CIPHER_CTX_cleanup(&ctx); 2252 return 2; 2253 } 2254 slen += mlen; 2255 EVP_CIPHER_CTX_cleanup(&ctx); 2256 p = sdec; 2257 2258 sess = d2i_SSL_SESSION(NULL, &p, slen); 2259 free(sdec); 2260 if (sess) { 2261 /* The session ID, if non-empty, is used by some clients to 2262 * detect that the ticket has been accepted. So we copy it to 2263 * the session structure. If it is empty set length to zero 2264 * as required by standard. 2265 */ 2266 if (sesslen) 2267 memcpy(sess->session_id, sess_id, sesslen); 2268 sess->session_id_length = sesslen; 2269 *psess = sess; 2270 if (renew_ticket) 2271 return 4; 2272 else 2273 return 3; 2274 } 2275 ERR_clear_error(); 2276 /* For session parse failure, indicate that we need to send a new 2277 * ticket. */ 2278 return 2; 2279 } 2280 2281 /* Tables to translate from NIDs to TLS v1.2 ids */ 2282 2283 typedef struct { 2284 int nid; 2285 int id; 2286 } tls12_lookup; 2287 2288 static tls12_lookup tls12_md[] = { 2289 {NID_md5, TLSEXT_hash_md5}, 2290 {NID_sha1, TLSEXT_hash_sha1}, 2291 {NID_sha224, TLSEXT_hash_sha224}, 2292 {NID_sha256, TLSEXT_hash_sha256}, 2293 {NID_sha384, TLSEXT_hash_sha384}, 2294 {NID_sha512, TLSEXT_hash_sha512}, 2295 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2296 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2297 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2298 }; 2299 2300 static tls12_lookup tls12_sig[] = { 2301 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2302 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2303 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2304 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2305 }; 2306 2307 static int 2308 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2309 { 2310 size_t i; 2311 for (i = 0; i < tlen; i++) { 2312 if (table[i].nid == nid) 2313 return table[i].id; 2314 } 2315 return -1; 2316 } 2317 2318 int 2319 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2320 { 2321 int sig_id, md_id; 2322 if (!md) 2323 return 0; 2324 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2325 sizeof(tls12_md) / sizeof(tls12_lookup)); 2326 if (md_id == -1) 2327 return 0; 2328 sig_id = tls12_get_sigid(pk); 2329 if (sig_id == -1) 2330 return 0; 2331 p[0] = (unsigned char)md_id; 2332 p[1] = (unsigned char)sig_id; 2333 return 1; 2334 } 2335 2336 int 2337 tls12_get_sigid(const EVP_PKEY *pk) 2338 { 2339 return tls12_find_id(pk->type, tls12_sig, 2340 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2341 } 2342 2343 const EVP_MD * 2344 tls12_get_hash(unsigned char hash_alg) 2345 { 2346 switch (hash_alg) { 2347 case TLSEXT_hash_sha1: 2348 return EVP_sha1(); 2349 case TLSEXT_hash_sha224: 2350 return EVP_sha224(); 2351 case TLSEXT_hash_sha256: 2352 return EVP_sha256(); 2353 case TLSEXT_hash_sha384: 2354 return EVP_sha384(); 2355 case TLSEXT_hash_sha512: 2356 return EVP_sha512(); 2357 #ifndef OPENSSL_NO_GOST 2358 case TLSEXT_hash_gost94: 2359 return EVP_gostr341194(); 2360 case TLSEXT_hash_streebog_256: 2361 return EVP_streebog256(); 2362 case TLSEXT_hash_streebog_512: 2363 return EVP_streebog512(); 2364 #endif 2365 default: 2366 return NULL; 2367 } 2368 } 2369 2370 /* Set preferred digest for each key type */ 2371 2372 int 2373 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2374 { 2375 int idx; 2376 const EVP_MD *md; 2377 CERT *c = s->cert; 2378 CBS cbs; 2379 2380 /* Extension ignored for inappropriate versions */ 2381 if (!SSL_USE_SIGALGS(s)) 2382 return 1; 2383 2384 /* Should never happen */ 2385 if (!c || dsize < 0) 2386 return 0; 2387 2388 CBS_init(&cbs, data, dsize); 2389 2390 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2391 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2392 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2393 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2394 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2395 2396 while (CBS_len(&cbs) > 0) { 2397 uint8_t hash_alg, sig_alg; 2398 2399 if (!CBS_get_u8(&cbs, &hash_alg) || 2400 !CBS_get_u8(&cbs, &sig_alg)) { 2401 /* Should never happen */ 2402 return 0; 2403 } 2404 2405 switch (sig_alg) { 2406 case TLSEXT_signature_rsa: 2407 idx = SSL_PKEY_RSA_SIGN; 2408 break; 2409 case TLSEXT_signature_dsa: 2410 idx = SSL_PKEY_DSA_SIGN; 2411 break; 2412 case TLSEXT_signature_ecdsa: 2413 idx = SSL_PKEY_ECC; 2414 break; 2415 case TLSEXT_signature_gostr01: 2416 case TLSEXT_signature_gostr12_256: 2417 case TLSEXT_signature_gostr12_512: 2418 idx = SSL_PKEY_GOST01; 2419 break; 2420 default: 2421 continue; 2422 } 2423 2424 if (c->pkeys[idx].digest == NULL) { 2425 md = tls12_get_hash(hash_alg); 2426 if (md) { 2427 c->pkeys[idx].digest = md; 2428 if (idx == SSL_PKEY_RSA_SIGN) 2429 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2430 } 2431 } 2432 2433 } 2434 2435 /* Set any remaining keys to default values. NOTE: if alg is not 2436 * supported it stays as NULL. 2437 */ 2438 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2439 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2440 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2441 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2442 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2443 } 2444 if (!c->pkeys[SSL_PKEY_ECC].digest) 2445 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2446 #ifndef OPENSSL_NO_GOST 2447 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2448 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2449 #endif 2450 return 1; 2451 } 2452