1 /* $OpenBSD: t1_lib.c,v 1.115 2017/02/07 02:08:38 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .enc_flags = 0, 129 }; 130 131 SSL3_ENC_METHOD TLSv1_1_enc_data = { 132 .enc = tls1_enc, 133 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 134 }; 135 136 SSL3_ENC_METHOD TLSv1_2_enc_data = { 137 .enc = tls1_enc, 138 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 139 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 140 }; 141 142 long 143 tls1_default_timeout(void) 144 { 145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 146 * is way too long for http, the cache would over fill */ 147 return (60 * 60 * 2); 148 } 149 150 int 151 tls1_new(SSL *s) 152 { 153 if (!ssl3_new(s)) 154 return (0); 155 s->method->internal->ssl_clear(s); 156 return (1); 157 } 158 159 void 160 tls1_free(SSL *s) 161 { 162 if (s == NULL) 163 return; 164 165 free(s->internal->tlsext_session_ticket); 166 ssl3_free(s); 167 } 168 169 void 170 tls1_clear(SSL *s) 171 { 172 ssl3_clear(s); 173 s->version = s->method->internal->version; 174 } 175 176 static int nid_list[] = { 177 NID_sect163k1, /* sect163k1 (1) */ 178 NID_sect163r1, /* sect163r1 (2) */ 179 NID_sect163r2, /* sect163r2 (3) */ 180 NID_sect193r1, /* sect193r1 (4) */ 181 NID_sect193r2, /* sect193r2 (5) */ 182 NID_sect233k1, /* sect233k1 (6) */ 183 NID_sect233r1, /* sect233r1 (7) */ 184 NID_sect239k1, /* sect239k1 (8) */ 185 NID_sect283k1, /* sect283k1 (9) */ 186 NID_sect283r1, /* sect283r1 (10) */ 187 NID_sect409k1, /* sect409k1 (11) */ 188 NID_sect409r1, /* sect409r1 (12) */ 189 NID_sect571k1, /* sect571k1 (13) */ 190 NID_sect571r1, /* sect571r1 (14) */ 191 NID_secp160k1, /* secp160k1 (15) */ 192 NID_secp160r1, /* secp160r1 (16) */ 193 NID_secp160r2, /* secp160r2 (17) */ 194 NID_secp192k1, /* secp192k1 (18) */ 195 NID_X9_62_prime192v1, /* secp192r1 (19) */ 196 NID_secp224k1, /* secp224k1 (20) */ 197 NID_secp224r1, /* secp224r1 (21) */ 198 NID_secp256k1, /* secp256k1 (22) */ 199 NID_X9_62_prime256v1, /* secp256r1 (23) */ 200 NID_secp384r1, /* secp384r1 (24) */ 201 NID_secp521r1, /* secp521r1 (25) */ 202 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 203 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 204 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */ 205 NID_X25519, /* X25519 (29) */ 206 }; 207 208 #if 0 209 static const uint8_t ecformats_list[] = { 210 TLSEXT_ECPOINTFORMAT_uncompressed, 211 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 212 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 213 }; 214 #endif 215 216 static const uint8_t ecformats_default[] = { 217 TLSEXT_ECPOINTFORMAT_uncompressed, 218 }; 219 220 #if 0 221 static const uint16_t eccurves_list[] = { 222 29, /* X25519 (29) */ 223 14, /* sect571r1 (14) */ 224 13, /* sect571k1 (13) */ 225 25, /* secp521r1 (25) */ 226 28, /* brainpoolP512r1 (28) */ 227 11, /* sect409k1 (11) */ 228 12, /* sect409r1 (12) */ 229 27, /* brainpoolP384r1 (27) */ 230 24, /* secp384r1 (24) */ 231 9, /* sect283k1 (9) */ 232 10, /* sect283r1 (10) */ 233 26, /* brainpoolP256r1 (26) */ 234 22, /* secp256k1 (22) */ 235 23, /* secp256r1 (23) */ 236 8, /* sect239k1 (8) */ 237 6, /* sect233k1 (6) */ 238 7, /* sect233r1 (7) */ 239 20, /* secp224k1 (20) */ 240 21, /* secp224r1 (21) */ 241 4, /* sect193r1 (4) */ 242 5, /* sect193r2 (5) */ 243 18, /* secp192k1 (18) */ 244 19, /* secp192r1 (19) */ 245 1, /* sect163k1 (1) */ 246 2, /* sect163r1 (2) */ 247 3, /* sect163r2 (3) */ 248 15, /* secp160k1 (15) */ 249 16, /* secp160r1 (16) */ 250 17, /* secp160r2 (17) */ 251 }; 252 #endif 253 254 static const uint16_t eccurves_default[] = { 255 29, /* X25519 (29) */ 256 23, /* secp256r1 (23) */ 257 24, /* secp384r1 (24) */ 258 }; 259 260 int 261 tls1_ec_curve_id2nid(const uint16_t curve_id) 262 { 263 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 264 if ((curve_id < 1) || 265 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 266 return 0; 267 return nid_list[curve_id - 1]; 268 } 269 270 uint16_t 271 tls1_ec_nid2curve_id(int nid) 272 { 273 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 274 switch (nid) { 275 case NID_sect163k1: /* sect163k1 (1) */ 276 return 1; 277 case NID_sect163r1: /* sect163r1 (2) */ 278 return 2; 279 case NID_sect163r2: /* sect163r2 (3) */ 280 return 3; 281 case NID_sect193r1: /* sect193r1 (4) */ 282 return 4; 283 case NID_sect193r2: /* sect193r2 (5) */ 284 return 5; 285 case NID_sect233k1: /* sect233k1 (6) */ 286 return 6; 287 case NID_sect233r1: /* sect233r1 (7) */ 288 return 7; 289 case NID_sect239k1: /* sect239k1 (8) */ 290 return 8; 291 case NID_sect283k1: /* sect283k1 (9) */ 292 return 9; 293 case NID_sect283r1: /* sect283r1 (10) */ 294 return 10; 295 case NID_sect409k1: /* sect409k1 (11) */ 296 return 11; 297 case NID_sect409r1: /* sect409r1 (12) */ 298 return 12; 299 case NID_sect571k1: /* sect571k1 (13) */ 300 return 13; 301 case NID_sect571r1: /* sect571r1 (14) */ 302 return 14; 303 case NID_secp160k1: /* secp160k1 (15) */ 304 return 15; 305 case NID_secp160r1: /* secp160r1 (16) */ 306 return 16; 307 case NID_secp160r2: /* secp160r2 (17) */ 308 return 17; 309 case NID_secp192k1: /* secp192k1 (18) */ 310 return 18; 311 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 312 return 19; 313 case NID_secp224k1: /* secp224k1 (20) */ 314 return 20; 315 case NID_secp224r1: /* secp224r1 (21) */ 316 return 21; 317 case NID_secp256k1: /* secp256k1 (22) */ 318 return 22; 319 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 320 return 23; 321 case NID_secp384r1: /* secp384r1 (24) */ 322 return 24; 323 case NID_secp521r1: /* secp521r1 (25) */ 324 return 25; 325 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 326 return 26; 327 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 328 return 27; 329 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 330 return 28; 331 case NID_X25519: /* X25519 (29) */ 332 return 29; 333 default: 334 return 0; 335 } 336 } 337 338 /* 339 * Return the appropriate format list. If client_formats is non-zero, return 340 * the client/session formats. Otherwise return the custom format list if one 341 * exists, or the default formats if a custom list has not been specified. 342 */ 343 static void 344 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 345 size_t *pformatslen) 346 { 347 if (client_formats != 0) { 348 *pformats = SSI(s)->tlsext_ecpointformatlist; 349 *pformatslen = SSI(s)->tlsext_ecpointformatlist_length; 350 return; 351 } 352 353 *pformats = s->internal->tlsext_ecpointformatlist; 354 *pformatslen = s->internal->tlsext_ecpointformatlist_length; 355 if (*pformats == NULL) { 356 *pformats = ecformats_default; 357 *pformatslen = sizeof(ecformats_default); 358 } 359 } 360 361 /* 362 * Return the appropriate curve list. If client_curves is non-zero, return 363 * the client/session curves. Otherwise return the custom curve list if one 364 * exists, or the default curves if a custom list has not been specified. 365 */ 366 static void 367 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 368 size_t *pcurveslen) 369 { 370 if (client_curves != 0) { 371 *pcurves = SSI(s)->tlsext_supportedgroups; 372 *pcurveslen = SSI(s)->tlsext_supportedgroups_length; 373 return; 374 } 375 376 *pcurves = s->internal->tlsext_supportedgroups; 377 *pcurveslen = s->internal->tlsext_supportedgroups_length; 378 if (*pcurves == NULL) { 379 *pcurves = eccurves_default; 380 *pcurveslen = sizeof(eccurves_default) / 2; 381 } 382 } 383 384 int 385 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, 386 const int *groups, size_t ngroups) 387 { 388 uint16_t *group_ids; 389 size_t i; 390 391 group_ids = calloc(ngroups, sizeof(uint16_t)); 392 if (group_ids == NULL) 393 return 0; 394 395 for (i = 0; i < ngroups; i++) { 396 group_ids[i] = tls1_ec_nid2curve_id(groups[i]); 397 if (group_ids[i] == 0) { 398 free(group_ids); 399 return 0; 400 } 401 } 402 403 free(*out_group_ids); 404 *out_group_ids = group_ids; 405 *out_group_ids_len = ngroups; 406 407 return 1; 408 } 409 410 int 411 tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, 412 const char *groups) 413 { 414 uint16_t *new_group_ids, *group_ids = NULL; 415 size_t ngroups = 0; 416 char *gs, *p, *q; 417 int nid; 418 419 if ((gs = strdup(groups)) == NULL) 420 return 0; 421 422 q = gs; 423 while ((p = strsep(&q, ":")) != NULL) { 424 nid = OBJ_sn2nid(p); 425 if (nid == NID_undef) 426 nid = OBJ_ln2nid(p); 427 if (nid == NID_undef) 428 nid = EC_curve_nist2nid(p); 429 if (nid == NID_undef) 430 goto err; 431 432 if ((new_group_ids = reallocarray(group_ids, ngroups + 1, 433 sizeof(uint16_t))) == NULL) 434 goto err; 435 group_ids = new_group_ids; 436 437 group_ids[ngroups] = tls1_ec_nid2curve_id(nid); 438 if (group_ids[ngroups] == 0) 439 goto err; 440 441 ngroups++; 442 } 443 444 free(gs); 445 free(*out_group_ids); 446 *out_group_ids = group_ids; 447 *out_group_ids_len = ngroups; 448 449 return 1; 450 451 err: 452 free(gs); 453 free(group_ids); 454 455 return 0; 456 } 457 458 /* Check that a curve is one of our preferences. */ 459 int 460 tls1_check_curve(SSL *s, const uint16_t curve_id) 461 { 462 const uint16_t *curves; 463 size_t curveslen, i; 464 465 tls1_get_curvelist(s, 0, &curves, &curveslen); 466 467 for (i = 0; i < curveslen; i++) { 468 if (curves[i] == curve_id) 469 return (1); 470 } 471 return (0); 472 } 473 474 int 475 tls1_get_shared_curve(SSL *s) 476 { 477 size_t preflen, supplen, i, j; 478 const uint16_t *pref, *supp; 479 unsigned long server_pref; 480 481 /* Cannot do anything on the client side. */ 482 if (s->server == 0) 483 return (NID_undef); 484 485 /* Return first preference shared curve. */ 486 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 487 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 488 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 489 490 for (i = 0; i < preflen; i++) { 491 for (j = 0; j < supplen; j++) { 492 if (pref[i] == supp[j]) 493 return (tls1_ec_curve_id2nid(pref[i])); 494 } 495 } 496 return (NID_undef); 497 } 498 499 /* For an EC key set TLS ID and required compression based on parameters. */ 500 static int 501 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 502 { 503 const EC_GROUP *grp; 504 const EC_METHOD *meth; 505 int is_prime = 0; 506 int nid, id; 507 508 if (ec == NULL) 509 return (0); 510 511 /* Determine if it is a prime field. */ 512 if ((grp = EC_KEY_get0_group(ec)) == NULL) 513 return (0); 514 if ((meth = EC_GROUP_method_of(grp)) == NULL) 515 return (0); 516 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 517 is_prime = 1; 518 519 /* Determine curve ID. */ 520 nid = EC_GROUP_get_curve_name(grp); 521 id = tls1_ec_nid2curve_id(nid); 522 523 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 524 if (id != 0) 525 *curve_id = id; 526 else 527 *curve_id = is_prime ? 0xff01 : 0xff02; 528 529 /* Specify the compression identifier. */ 530 if (comp_id != NULL) { 531 if (EC_KEY_get0_public_key(ec) == NULL) 532 return (0); 533 534 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 535 *comp_id = is_prime ? 536 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 537 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 538 } else { 539 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 540 } 541 } 542 return (1); 543 } 544 545 /* Check that an EC key is compatible with extensions. */ 546 static int 547 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 548 { 549 size_t curveslen, formatslen, i; 550 const uint16_t *curves; 551 const uint8_t *formats; 552 553 /* 554 * Check point formats extension if present, otherwise everything 555 * is supported (see RFC4492). 556 */ 557 tls1_get_formatlist(s, 1, &formats, &formatslen); 558 if (comp_id != NULL && formats != NULL) { 559 for (i = 0; i < formatslen; i++) { 560 if (formats[i] == *comp_id) 561 break; 562 } 563 if (i == formatslen) 564 return (0); 565 } 566 567 /* 568 * Check curve list if present, otherwise everything is supported. 569 */ 570 tls1_get_curvelist(s, 1, &curves, &curveslen); 571 if (curve_id != NULL && curves != NULL) { 572 for (i = 0; i < curveslen; i++) { 573 if (curves[i] == *curve_id) 574 break; 575 } 576 if (i == curveslen) 577 return (0); 578 } 579 580 return (1); 581 } 582 583 /* Check EC server key is compatible with client extensions. */ 584 int 585 tls1_check_ec_server_key(SSL *s) 586 { 587 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 588 uint16_t curve_id; 589 uint8_t comp_id; 590 EVP_PKEY *pkey; 591 int rv; 592 593 if (cpk->x509 == NULL || cpk->privatekey == NULL) 594 return (0); 595 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 596 return (0); 597 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 598 EVP_PKEY_free(pkey); 599 if (rv != 1) 600 return (0); 601 602 return tls1_check_ec_key(s, &curve_id, &comp_id); 603 } 604 605 /* Check EC temporary key is compatible with client extensions. */ 606 int 607 tls1_check_ec_tmp_key(SSL *s) 608 { 609 EC_KEY *ec = s->cert->ecdh_tmp; 610 uint16_t curve_id; 611 612 if (s->cert->ecdh_tmp_auto != 0) { 613 /* Need a shared curve. */ 614 if (tls1_get_shared_curve(s) != NID_undef) 615 return (1); 616 return (0); 617 } 618 619 if (ec == NULL) { 620 if (s->cert->ecdh_tmp_cb != NULL) 621 return (1); 622 return (0); 623 } 624 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 625 return (0); 626 627 return tls1_check_ec_key(s, &curve_id, NULL); 628 } 629 630 /* 631 * List of supported signature algorithms and hashes. Should make this 632 * customisable at some point, for now include everything we support. 633 */ 634 635 static unsigned char tls12_sigalgs[] = { 636 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 637 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 638 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 639 #ifndef OPENSSL_NO_GOST 640 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 641 #endif 642 643 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 644 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 645 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 646 647 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 648 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 649 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 650 651 #ifndef OPENSSL_NO_GOST 652 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 653 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 654 #endif 655 656 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 657 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 658 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 659 660 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 661 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 662 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 663 }; 664 665 int 666 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 667 { 668 size_t slen = sizeof(tls12_sigalgs); 669 670 if (p) 671 memcpy(p, tls12_sigalgs, slen); 672 return (int)slen; 673 } 674 675 unsigned char * 676 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 677 { 678 int extdatalen = 0; 679 unsigned char *ret = p; 680 int using_ecc = 0; 681 682 /* See if we support any ECC ciphersuites. */ 683 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 684 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 685 unsigned long alg_k, alg_a; 686 int i; 687 688 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 689 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 690 691 alg_k = c->algorithm_mkey; 692 alg_a = c->algorithm_auth; 693 694 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) { 695 using_ecc = 1; 696 break; 697 } 698 } 699 } 700 701 ret += 2; 702 703 if (ret >= limit) 704 return NULL; /* this really never occurs, but ... */ 705 706 if (s->tlsext_hostname != NULL) { 707 /* Add TLS extension servername to the Client Hello message */ 708 size_t size_str, lenmax; 709 710 /* check for enough space. 711 4 for the servername type and extension length 712 2 for servernamelist length 713 1 for the hostname type 714 2 for hostname length 715 + hostname length 716 */ 717 718 if ((size_t)(limit - ret) < 9) 719 return NULL; 720 721 lenmax = limit - ret - 9; 722 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 723 return NULL; 724 725 /* extension type and length */ 726 s2n(TLSEXT_TYPE_server_name, ret); 727 728 s2n(size_str + 5, ret); 729 730 /* length of servername list */ 731 s2n(size_str + 3, ret); 732 733 /* hostname type, length and hostname */ 734 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 735 s2n(size_str, ret); 736 memcpy(ret, s->tlsext_hostname, size_str); 737 ret += size_str; 738 } 739 740 /* Add RI if renegotiating */ 741 if (s->internal->renegotiate) { 742 int el; 743 744 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 745 SSLerror(s, ERR_R_INTERNAL_ERROR); 746 return NULL; 747 } 748 749 if ((size_t)(limit - ret) < 4 + el) 750 return NULL; 751 752 s2n(TLSEXT_TYPE_renegotiate, ret); 753 s2n(el, ret); 754 755 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 756 SSLerror(s, ERR_R_INTERNAL_ERROR); 757 return NULL; 758 } 759 760 ret += el; 761 } 762 763 if (using_ecc) { 764 size_t curveslen, formatslen, lenmax; 765 const uint16_t *curves; 766 const uint8_t *formats; 767 int i; 768 769 /* 770 * Add TLS extension ECPointFormats to the ClientHello message. 771 */ 772 tls1_get_formatlist(s, 0, &formats, &formatslen); 773 774 if ((size_t)(limit - ret) < 5) 775 return NULL; 776 777 lenmax = limit - ret - 5; 778 if (formatslen > lenmax) 779 return NULL; 780 if (formatslen > 255) { 781 SSLerror(s, ERR_R_INTERNAL_ERROR); 782 return NULL; 783 } 784 785 s2n(TLSEXT_TYPE_ec_point_formats, ret); 786 s2n(formatslen + 1, ret); 787 *(ret++) = (unsigned char)formatslen; 788 memcpy(ret, formats, formatslen); 789 ret += formatslen; 790 791 /* 792 * Add TLS extension EllipticCurves to the ClientHello message. 793 */ 794 tls1_get_curvelist(s, 0, &curves, &curveslen); 795 796 if ((size_t)(limit - ret) < 6) 797 return NULL; 798 799 lenmax = limit - ret - 6; 800 if (curveslen * 2 > lenmax) 801 return NULL; 802 if (curveslen * 2 > 65532) { 803 SSLerror(s, ERR_R_INTERNAL_ERROR); 804 return NULL; 805 } 806 807 s2n(TLSEXT_TYPE_elliptic_curves, ret); 808 s2n((curveslen * 2) + 2, ret); 809 810 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 811 * elliptic_curve_list, but the examples use two bytes. 812 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 813 * resolves this to two bytes. 814 */ 815 s2n(curveslen * 2, ret); 816 for (i = 0; i < curveslen; i++) 817 s2n(curves[i], ret); 818 } 819 820 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 821 int ticklen; 822 if (!s->internal->new_session && s->session && s->session->tlsext_tick) 823 ticklen = s->session->tlsext_ticklen; 824 else if (s->session && s->internal->tlsext_session_ticket && 825 s->internal->tlsext_session_ticket->data) { 826 ticklen = s->internal->tlsext_session_ticket->length; 827 s->session->tlsext_tick = malloc(ticklen); 828 if (!s->session->tlsext_tick) 829 return NULL; 830 memcpy(s->session->tlsext_tick, 831 s->internal->tlsext_session_ticket->data, ticklen); 832 s->session->tlsext_ticklen = ticklen; 833 } else 834 ticklen = 0; 835 if (ticklen == 0 && s->internal->tlsext_session_ticket && 836 s->internal->tlsext_session_ticket->data == NULL) 837 goto skip_ext; 838 /* Check for enough room 2 for extension type, 2 for len 839 * rest for ticket 840 */ 841 if ((size_t)(limit - ret) < 4 + ticklen) 842 return NULL; 843 s2n(TLSEXT_TYPE_session_ticket, ret); 844 845 s2n(ticklen, ret); 846 if (ticklen) { 847 memcpy(ret, s->session->tlsext_tick, ticklen); 848 ret += ticklen; 849 } 850 } 851 skip_ext: 852 853 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 854 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 855 return NULL; 856 857 s2n(TLSEXT_TYPE_signature_algorithms, ret); 858 s2n(sizeof(tls12_sigalgs) + 2, ret); 859 s2n(sizeof(tls12_sigalgs), ret); 860 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 861 ret += sizeof(tls12_sigalgs); 862 } 863 864 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 865 s->version != DTLS1_VERSION) { 866 int i; 867 long extlen, idlen, itmp; 868 OCSP_RESPID *id; 869 870 idlen = 0; 871 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 872 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i); 873 itmp = i2d_OCSP_RESPID(id, NULL); 874 if (itmp <= 0) 875 return NULL; 876 idlen += itmp + 2; 877 } 878 879 if (s->internal->tlsext_ocsp_exts) { 880 extlen = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL); 881 if (extlen < 0) 882 return NULL; 883 } else 884 extlen = 0; 885 886 if ((size_t)(limit - ret) < 7 + extlen + idlen) 887 return NULL; 888 s2n(TLSEXT_TYPE_status_request, ret); 889 if (extlen + idlen > 0xFFF0) 890 return NULL; 891 s2n(extlen + idlen + 5, ret); 892 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 893 s2n(idlen, ret); 894 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 895 /* save position of id len */ 896 unsigned char *q = ret; 897 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i); 898 /* skip over id len */ 899 ret += 2; 900 itmp = i2d_OCSP_RESPID(id, &ret); 901 /* write id len */ 902 s2n(itmp, q); 903 } 904 s2n(extlen, ret); 905 if (extlen > 0) 906 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret); 907 } 908 909 if (s->ctx->internal->next_proto_select_cb && 910 !S3I(s)->tmp.finish_md_len) { 911 /* The client advertises an emtpy extension to indicate its 912 * support for Next Protocol Negotiation */ 913 if ((size_t)(limit - ret) < 4) 914 return NULL; 915 s2n(TLSEXT_TYPE_next_proto_neg, ret); 916 s2n(0, ret); 917 } 918 919 if (s->internal->alpn_client_proto_list != NULL && 920 S3I(s)->tmp.finish_md_len == 0) { 921 if ((size_t)(limit - ret) < 922 6 + s->internal->alpn_client_proto_list_len) 923 return (NULL); 924 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 925 s2n(2 + s->internal->alpn_client_proto_list_len, ret); 926 s2n(s->internal->alpn_client_proto_list_len, ret); 927 memcpy(ret, s->internal->alpn_client_proto_list, 928 s->internal->alpn_client_proto_list_len); 929 ret += s->internal->alpn_client_proto_list_len; 930 } 931 932 #ifndef OPENSSL_NO_SRTP 933 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 934 int el; 935 936 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 937 938 if ((size_t)(limit - ret) < 4 + el) 939 return NULL; 940 941 s2n(TLSEXT_TYPE_use_srtp, ret); 942 s2n(el, ret); 943 944 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 945 SSLerror(s, ERR_R_INTERNAL_ERROR); 946 return NULL; 947 } 948 ret += el; 949 } 950 #endif 951 952 /* 953 * Add padding to workaround bugs in F5 terminators. 954 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 955 * 956 * Note that this seems to trigger issues with IronPort SMTP 957 * appliances. 958 * 959 * NB: because this code works out the length of all existing 960 * extensions it MUST always appear last. 961 */ 962 if (s->internal->options & SSL_OP_TLSEXT_PADDING) { 963 int hlen = ret - (unsigned char *)s->internal->init_buf->data; 964 965 /* 966 * The code in s23_clnt.c to build ClientHello messages 967 * includes the 5-byte record header in the buffer, while the 968 * code in s3_clnt.c does not. 969 */ 970 if (s->internal->state == SSL23_ST_CW_CLNT_HELLO_A) 971 hlen -= 5; 972 if (hlen > 0xff && hlen < 0x200) { 973 hlen = 0x200 - hlen; 974 if (hlen >= 4) 975 hlen -= 4; 976 else 977 hlen = 0; 978 979 s2n(TLSEXT_TYPE_padding, ret); 980 s2n(hlen, ret); 981 memset(ret, 0, hlen); 982 ret += hlen; 983 } 984 } 985 986 if ((extdatalen = ret - p - 2) == 0) 987 return p; 988 989 s2n(extdatalen, p); 990 return ret; 991 } 992 993 unsigned char * 994 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 995 { 996 int using_ecc, extdatalen = 0; 997 unsigned long alg_a, alg_k; 998 unsigned char *ret = p; 999 int next_proto_neg_seen; 1000 1001 alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; 1002 alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; 1003 using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) && 1004 SSI(s)->tlsext_ecpointformatlist != NULL; 1005 1006 ret += 2; 1007 if (ret >= limit) 1008 return NULL; /* this really never occurs, but ... */ 1009 1010 if (!s->internal->hit && s->internal->servername_done == 1 && 1011 s->session->tlsext_hostname != NULL) { 1012 if ((size_t)(limit - ret) < 4) 1013 return NULL; 1014 1015 s2n(TLSEXT_TYPE_server_name, ret); 1016 s2n(0, ret); 1017 } 1018 1019 if (S3I(s)->send_connection_binding) { 1020 int el; 1021 1022 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 1023 SSLerror(s, ERR_R_INTERNAL_ERROR); 1024 return NULL; 1025 } 1026 1027 if ((size_t)(limit - ret) < 4 + el) 1028 return NULL; 1029 1030 s2n(TLSEXT_TYPE_renegotiate, ret); 1031 s2n(el, ret); 1032 1033 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1034 SSLerror(s, ERR_R_INTERNAL_ERROR); 1035 return NULL; 1036 } 1037 1038 ret += el; 1039 } 1040 1041 if (using_ecc && s->version != DTLS1_VERSION) { 1042 const unsigned char *formats; 1043 size_t formatslen, lenmax; 1044 1045 /* 1046 * Add TLS extension ECPointFormats to the ServerHello message. 1047 */ 1048 tls1_get_formatlist(s, 0, &formats, &formatslen); 1049 1050 if ((size_t)(limit - ret) < 5) 1051 return NULL; 1052 1053 lenmax = limit - ret - 5; 1054 if (formatslen > lenmax) 1055 return NULL; 1056 if (formatslen > 255) { 1057 SSLerror(s, ERR_R_INTERNAL_ERROR); 1058 return NULL; 1059 } 1060 1061 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1062 s2n(formatslen + 1, ret); 1063 *(ret++) = (unsigned char)formatslen; 1064 memcpy(ret, formats, formatslen); 1065 ret += formatslen; 1066 } 1067 1068 /* 1069 * Currently the server should not respond with a SupportedCurves 1070 * extension. 1071 */ 1072 1073 if (s->internal->tlsext_ticket_expected && 1074 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1075 if ((size_t)(limit - ret) < 4) 1076 return NULL; 1077 1078 s2n(TLSEXT_TYPE_session_ticket, ret); 1079 s2n(0, ret); 1080 } 1081 1082 if (s->internal->tlsext_status_expected) { 1083 if ((size_t)(limit - ret) < 4) 1084 return NULL; 1085 1086 s2n(TLSEXT_TYPE_status_request, ret); 1087 s2n(0, ret); 1088 } 1089 1090 #ifndef OPENSSL_NO_SRTP 1091 if (SSL_IS_DTLS(s) && s->internal->srtp_profile) { 1092 int el; 1093 1094 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1095 1096 if ((size_t)(limit - ret) < 4 + el) 1097 return NULL; 1098 1099 s2n(TLSEXT_TYPE_use_srtp, ret); 1100 s2n(el, ret); 1101 1102 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1103 SSLerror(s, ERR_R_INTERNAL_ERROR); 1104 return NULL; 1105 } 1106 ret += el; 1107 } 1108 #endif 1109 1110 if (((S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1111 (S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1112 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1113 static const unsigned char cryptopro_ext[36] = { 1114 0xfd, 0xe8, /*65000*/ 1115 0x00, 0x20, /*32 bytes length*/ 1116 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1117 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1118 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1119 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1120 }; 1121 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1122 return NULL; 1123 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1124 ret += sizeof(cryptopro_ext); 1125 } 1126 1127 next_proto_neg_seen = S3I(s)->next_proto_neg_seen; 1128 S3I(s)->next_proto_neg_seen = 0; 1129 if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) { 1130 const unsigned char *npa; 1131 unsigned int npalen; 1132 int r; 1133 1134 r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen, 1135 s->ctx->internal->next_protos_advertised_cb_arg); 1136 if (r == SSL_TLSEXT_ERR_OK) { 1137 if ((size_t)(limit - ret) < 4 + npalen) 1138 return NULL; 1139 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1140 s2n(npalen, ret); 1141 memcpy(ret, npa, npalen); 1142 ret += npalen; 1143 S3I(s)->next_proto_neg_seen = 1; 1144 } 1145 } 1146 1147 if (S3I(s)->alpn_selected != NULL) { 1148 const unsigned char *selected = S3I(s)->alpn_selected; 1149 unsigned int len = S3I(s)->alpn_selected_len; 1150 1151 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1152 return (NULL); 1153 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1154 s2n(3 + len, ret); 1155 s2n(1 + len, ret); 1156 *ret++ = len; 1157 memcpy(ret, selected, len); 1158 ret += len; 1159 } 1160 1161 if ((extdatalen = ret - p - 2) == 0) 1162 return p; 1163 1164 s2n(extdatalen, p); 1165 return ret; 1166 } 1167 1168 /* 1169 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1170 * ClientHello. 1171 * data: the contents of the extension, not including the type and length. 1172 * data_len: the number of bytes in data. 1173 * al: a pointer to the alert value to send in the event of a non-zero 1174 * return. 1175 * returns: 1 on success. 1176 */ 1177 static int 1178 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1179 unsigned int data_len, int *al) 1180 { 1181 CBS cbs, proto_name_list, alpn; 1182 const unsigned char *selected; 1183 unsigned char selected_len; 1184 int r; 1185 1186 if (s->ctx->internal->alpn_select_cb == NULL) 1187 return (1); 1188 1189 if (data_len < 2) 1190 goto parse_error; 1191 1192 CBS_init(&cbs, data, data_len); 1193 1194 /* 1195 * data should contain a uint16 length followed by a series of 8-bit, 1196 * length-prefixed strings. 1197 */ 1198 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1199 CBS_len(&alpn) < 2 || 1200 CBS_len(&cbs) != 0) 1201 goto parse_error; 1202 1203 /* Validate data before sending to callback. */ 1204 CBS_dup(&alpn, &proto_name_list); 1205 while (CBS_len(&proto_name_list) > 0) { 1206 CBS proto_name; 1207 1208 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1209 CBS_len(&proto_name) == 0) 1210 goto parse_error; 1211 } 1212 1213 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 1214 CBS_data(&alpn), CBS_len(&alpn), 1215 s->ctx->internal->alpn_select_cb_arg); 1216 if (r == SSL_TLSEXT_ERR_OK) { 1217 free(S3I(s)->alpn_selected); 1218 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 1219 *al = SSL_AD_INTERNAL_ERROR; 1220 return (-1); 1221 } 1222 memcpy(S3I(s)->alpn_selected, selected, selected_len); 1223 S3I(s)->alpn_selected_len = selected_len; 1224 } 1225 1226 return (1); 1227 1228 parse_error: 1229 *al = SSL_AD_DECODE_ERROR; 1230 return (0); 1231 } 1232 1233 int 1234 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1235 int n, int *al) 1236 { 1237 unsigned short type; 1238 unsigned short size; 1239 unsigned short len; 1240 unsigned char *data = *p; 1241 unsigned char *end = d + n; 1242 int renegotiate_seen = 0; 1243 int sigalg_seen = 0; 1244 1245 s->internal->servername_done = 0; 1246 s->tlsext_status_type = -1; 1247 S3I(s)->next_proto_neg_seen = 0; 1248 free(S3I(s)->alpn_selected); 1249 S3I(s)->alpn_selected = NULL; 1250 s->internal->srtp_profile = NULL; 1251 1252 if (data == end) 1253 goto ri_check; 1254 1255 if (end - data < 2) 1256 goto err; 1257 n2s(data, len); 1258 1259 if (end - data != len) 1260 goto err; 1261 1262 while (end - data >= 4) { 1263 n2s(data, type); 1264 n2s(data, size); 1265 1266 if (end - data < size) 1267 goto err; 1268 1269 if (s->internal->tlsext_debug_cb) 1270 s->internal->tlsext_debug_cb(s, 0, type, data, size, 1271 s->internal->tlsext_debug_arg); 1272 /* The servername extension is treated as follows: 1273 1274 - Only the hostname type is supported with a maximum length of 255. 1275 - The servername is rejected if too long or if it contains zeros, 1276 in which case an fatal alert is generated. 1277 - The servername field is maintained together with the session cache. 1278 - When a session is resumed, the servername call back invoked in order 1279 to allow the application to position itself to the right context. 1280 - The servername is acknowledged if it is new for a session or when 1281 it is identical to a previously used for the same session. 1282 Applications can control the behaviour. They can at any time 1283 set a 'desirable' servername for a new SSL object. This can be the 1284 case for example with HTTPS when a Host: header field is received and 1285 a renegotiation is requested. In this case, a possible servername 1286 presented in the new client hello is only acknowledged if it matches 1287 the value of the Host: field. 1288 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1289 if they provide for changing an explicit servername context for the session, 1290 i.e. when the session has been established with a servername extension. 1291 - On session reconnect, the servername extension may be absent. 1292 1293 */ 1294 1295 if (type == TLSEXT_TYPE_server_name) { 1296 unsigned char *sdata; 1297 int servname_type; 1298 int dsize; 1299 1300 if (size < 2) { 1301 *al = SSL_AD_DECODE_ERROR; 1302 return 0; 1303 } 1304 n2s(data, dsize); 1305 1306 size -= 2; 1307 if (dsize > size) { 1308 *al = SSL_AD_DECODE_ERROR; 1309 return 0; 1310 } 1311 1312 sdata = data; 1313 while (dsize > 3) { 1314 servname_type = *(sdata++); 1315 1316 n2s(sdata, len); 1317 dsize -= 3; 1318 1319 if (len > dsize) { 1320 *al = SSL_AD_DECODE_ERROR; 1321 return 0; 1322 } 1323 if (s->internal->servername_done == 0) 1324 switch (servname_type) { 1325 case TLSEXT_NAMETYPE_host_name: 1326 if (!s->internal->hit) { 1327 if (s->session->tlsext_hostname) { 1328 *al = SSL_AD_DECODE_ERROR; 1329 return 0; 1330 } 1331 if (len > TLSEXT_MAXLEN_host_name) { 1332 *al = TLS1_AD_UNRECOGNIZED_NAME; 1333 return 0; 1334 } 1335 if ((s->session->tlsext_hostname = 1336 malloc(len + 1)) == NULL) { 1337 *al = TLS1_AD_INTERNAL_ERROR; 1338 return 0; 1339 } 1340 memcpy(s->session->tlsext_hostname, sdata, len); 1341 s->session->tlsext_hostname[len] = '\0'; 1342 if (strlen(s->session->tlsext_hostname) != len) { 1343 free(s->session->tlsext_hostname); 1344 s->session->tlsext_hostname = NULL; 1345 *al = TLS1_AD_UNRECOGNIZED_NAME; 1346 return 0; 1347 } 1348 s->internal->servername_done = 1; 1349 1350 1351 } else { 1352 s->internal->servername_done = s->session->tlsext_hostname && 1353 strlen(s->session->tlsext_hostname) == len && 1354 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1355 } 1356 break; 1357 1358 default: 1359 break; 1360 } 1361 1362 dsize -= len; 1363 } 1364 if (dsize != 0) { 1365 *al = SSL_AD_DECODE_ERROR; 1366 return 0; 1367 } 1368 1369 } 1370 1371 else if (type == TLSEXT_TYPE_ec_point_formats && 1372 s->version != DTLS1_VERSION) { 1373 unsigned char *sdata = data; 1374 size_t formatslen; 1375 uint8_t *formats; 1376 1377 if (size < 1) { 1378 *al = TLS1_AD_DECODE_ERROR; 1379 return 0; 1380 } 1381 formatslen = *(sdata++); 1382 if (formatslen != size - 1) { 1383 *al = TLS1_AD_DECODE_ERROR; 1384 return 0; 1385 } 1386 1387 if (!s->internal->hit) { 1388 free(SSI(s)->tlsext_ecpointformatlist); 1389 SSI(s)->tlsext_ecpointformatlist = NULL; 1390 SSI(s)->tlsext_ecpointformatlist_length = 0; 1391 1392 if ((formats = reallocarray(NULL, formatslen, 1393 sizeof(uint8_t))) == NULL) { 1394 *al = TLS1_AD_INTERNAL_ERROR; 1395 return 0; 1396 } 1397 memcpy(formats, sdata, formatslen); 1398 SSI(s)->tlsext_ecpointformatlist = formats; 1399 SSI(s)->tlsext_ecpointformatlist_length = 1400 formatslen; 1401 } 1402 } else if (type == TLSEXT_TYPE_elliptic_curves && 1403 s->version != DTLS1_VERSION) { 1404 unsigned char *sdata = data; 1405 size_t curveslen, i; 1406 uint16_t *curves; 1407 1408 if (size < 2) { 1409 *al = TLS1_AD_DECODE_ERROR; 1410 return 0; 1411 } 1412 n2s(sdata, curveslen); 1413 if (curveslen != size - 2 || curveslen % 2 != 0) { 1414 *al = TLS1_AD_DECODE_ERROR; 1415 return 0; 1416 } 1417 curveslen /= 2; 1418 1419 if (!s->internal->hit) { 1420 if (SSI(s)->tlsext_supportedgroups) { 1421 *al = TLS1_AD_DECODE_ERROR; 1422 return 0; 1423 } 1424 SSI(s)->tlsext_supportedgroups_length = 0; 1425 if ((curves = reallocarray(NULL, curveslen, 1426 sizeof(uint16_t))) == NULL) { 1427 *al = TLS1_AD_INTERNAL_ERROR; 1428 return 0; 1429 } 1430 for (i = 0; i < curveslen; i++) 1431 n2s(sdata, curves[i]); 1432 SSI(s)->tlsext_supportedgroups = curves; 1433 SSI(s)->tlsext_supportedgroups_length = curveslen; 1434 } 1435 } else if (type == TLSEXT_TYPE_session_ticket) { 1436 if (s->internal->tls_session_ticket_ext_cb && 1437 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { 1438 *al = TLS1_AD_INTERNAL_ERROR; 1439 return 0; 1440 } 1441 } else if (type == TLSEXT_TYPE_renegotiate) { 1442 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1443 return 0; 1444 renegotiate_seen = 1; 1445 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1446 int dsize; 1447 if (sigalg_seen || size < 2) { 1448 *al = SSL_AD_DECODE_ERROR; 1449 return 0; 1450 } 1451 sigalg_seen = 1; 1452 n2s(data, dsize); 1453 size -= 2; 1454 if (dsize != size || dsize & 1) { 1455 *al = SSL_AD_DECODE_ERROR; 1456 return 0; 1457 } 1458 if (!tls1_process_sigalgs(s, data, dsize)) { 1459 *al = SSL_AD_DECODE_ERROR; 1460 return 0; 1461 } 1462 } else if (type == TLSEXT_TYPE_status_request && 1463 s->version != DTLS1_VERSION) { 1464 1465 if (size < 5) { 1466 *al = SSL_AD_DECODE_ERROR; 1467 return 0; 1468 } 1469 1470 s->tlsext_status_type = *data++; 1471 size--; 1472 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1473 const unsigned char *sdata; 1474 int dsize; 1475 /* Read in responder_id_list */ 1476 n2s(data, dsize); 1477 size -= 2; 1478 if (dsize > size) { 1479 *al = SSL_AD_DECODE_ERROR; 1480 return 0; 1481 } 1482 1483 /* 1484 * We remove any OCSP_RESPIDs from a 1485 * previous handshake to prevent 1486 * unbounded memory growth. 1487 */ 1488 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, 1489 OCSP_RESPID_free); 1490 s->internal->tlsext_ocsp_ids = NULL; 1491 if (dsize > 0) { 1492 s->internal->tlsext_ocsp_ids = 1493 sk_OCSP_RESPID_new_null(); 1494 if (s->internal->tlsext_ocsp_ids == NULL) { 1495 *al = SSL_AD_INTERNAL_ERROR; 1496 return 0; 1497 } 1498 } 1499 1500 while (dsize > 0) { 1501 OCSP_RESPID *id; 1502 int idsize; 1503 if (dsize < 4) { 1504 *al = SSL_AD_DECODE_ERROR; 1505 return 0; 1506 } 1507 n2s(data, idsize); 1508 dsize -= 2 + idsize; 1509 size -= 2 + idsize; 1510 if (dsize < 0) { 1511 *al = SSL_AD_DECODE_ERROR; 1512 return 0; 1513 } 1514 sdata = data; 1515 data += idsize; 1516 id = d2i_OCSP_RESPID(NULL, 1517 &sdata, idsize); 1518 if (!id) { 1519 *al = SSL_AD_DECODE_ERROR; 1520 return 0; 1521 } 1522 if (data != sdata) { 1523 OCSP_RESPID_free(id); 1524 *al = SSL_AD_DECODE_ERROR; 1525 return 0; 1526 } 1527 if (!sk_OCSP_RESPID_push( 1528 s->internal->tlsext_ocsp_ids, id)) { 1529 OCSP_RESPID_free(id); 1530 *al = SSL_AD_INTERNAL_ERROR; 1531 return 0; 1532 } 1533 } 1534 1535 /* Read in request_extensions */ 1536 if (size < 2) { 1537 *al = SSL_AD_DECODE_ERROR; 1538 return 0; 1539 } 1540 n2s(data, dsize); 1541 size -= 2; 1542 if (dsize != size) { 1543 *al = SSL_AD_DECODE_ERROR; 1544 return 0; 1545 } 1546 sdata = data; 1547 if (dsize > 0) { 1548 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1549 X509_EXTENSION_free); 1550 1551 s->internal->tlsext_ocsp_exts = 1552 d2i_X509_EXTENSIONS(NULL, 1553 &sdata, dsize); 1554 if (!s->internal->tlsext_ocsp_exts || 1555 (data + dsize != sdata)) { 1556 *al = SSL_AD_DECODE_ERROR; 1557 return 0; 1558 } 1559 } 1560 } else { 1561 /* We don't know what to do with any other type 1562 * so ignore it. 1563 */ 1564 s->tlsext_status_type = -1; 1565 } 1566 } 1567 else if (type == TLSEXT_TYPE_next_proto_neg && 1568 S3I(s)->tmp.finish_md_len == 0 && 1569 S3I(s)->alpn_selected == NULL) { 1570 /* We shouldn't accept this extension on a 1571 * renegotiation. 1572 * 1573 * s->internal->new_session will be set on renegotiation, but we 1574 * probably shouldn't rely that it couldn't be set on 1575 * the initial renegotation too in certain cases (when 1576 * there's some other reason to disallow resuming an 1577 * earlier session -- the current code won't be doing 1578 * anything like that, but this might change). 1579 1580 * A valid sign that there's been a previous handshake 1581 * in this connection is if S3I(s)->tmp.finish_md_len > 1582 * 0. (We are talking about a check that will happen 1583 * in the Hello protocol round, well before a new 1584 * Finished message could have been computed.) */ 1585 S3I(s)->next_proto_neg_seen = 1; 1586 } 1587 else if (type == 1588 TLSEXT_TYPE_application_layer_protocol_negotiation && 1589 s->ctx->internal->alpn_select_cb != NULL && 1590 S3I(s)->tmp.finish_md_len == 0) { 1591 if (tls1_alpn_handle_client_hello(s, data, 1592 size, al) != 1) 1593 return (0); 1594 /* ALPN takes precedence over NPN. */ 1595 S3I(s)->next_proto_neg_seen = 0; 1596 } 1597 1598 /* session ticket processed earlier */ 1599 #ifndef OPENSSL_NO_SRTP 1600 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1601 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1602 return 0; 1603 } 1604 #endif 1605 1606 data += size; 1607 } 1608 1609 /* Spurious data on the end */ 1610 if (data != end) 1611 goto err; 1612 1613 *p = data; 1614 1615 ri_check: 1616 1617 /* Need RI if renegotiating */ 1618 1619 if (!renegotiate_seen && s->internal->renegotiate) { 1620 *al = SSL_AD_HANDSHAKE_FAILURE; 1621 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1622 return 0; 1623 } 1624 1625 return 1; 1626 1627 err: 1628 *al = SSL_AD_DECODE_ERROR; 1629 return 0; 1630 } 1631 1632 /* 1633 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1634 * elements of zero length are allowed and the set of elements must exactly fill 1635 * the length of the block. 1636 */ 1637 static char 1638 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1639 { 1640 CBS npn, value; 1641 1642 CBS_init(&npn, d, len); 1643 while (CBS_len(&npn) > 0) { 1644 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1645 CBS_len(&value) == 0) 1646 return 0; 1647 } 1648 return 1; 1649 } 1650 1651 int 1652 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) 1653 { 1654 unsigned short type; 1655 unsigned short size; 1656 unsigned short len; 1657 unsigned char *data = *p; 1658 unsigned char *end = *p + n; 1659 int tlsext_servername = 0; 1660 int renegotiate_seen = 0; 1661 1662 S3I(s)->next_proto_neg_seen = 0; 1663 free(S3I(s)->alpn_selected); 1664 S3I(s)->alpn_selected = NULL; 1665 1666 if (data == end) 1667 goto ri_check; 1668 1669 if (end - data < 2) 1670 goto err; 1671 n2s(data, len); 1672 1673 if (end - data != len) 1674 goto err; 1675 1676 while (end - data >= 4) { 1677 n2s(data, type); 1678 n2s(data, size); 1679 1680 if (end - data < size) 1681 goto err; 1682 1683 if (s->internal->tlsext_debug_cb) 1684 s->internal->tlsext_debug_cb(s, 1, type, data, size, 1685 s->internal->tlsext_debug_arg); 1686 1687 if (type == TLSEXT_TYPE_server_name) { 1688 if (s->tlsext_hostname == NULL || size > 0) { 1689 *al = TLS1_AD_UNRECOGNIZED_NAME; 1690 return 0; 1691 } 1692 tlsext_servername = 1; 1693 1694 } 1695 else if (type == TLSEXT_TYPE_ec_point_formats && 1696 s->version != DTLS1_VERSION) { 1697 unsigned char *sdata = data; 1698 size_t formatslen; 1699 uint8_t *formats; 1700 1701 if (size < 1) { 1702 *al = TLS1_AD_DECODE_ERROR; 1703 return 0; 1704 } 1705 formatslen = *(sdata++); 1706 if (formatslen != size - 1) { 1707 *al = TLS1_AD_DECODE_ERROR; 1708 return 0; 1709 } 1710 1711 if (!s->internal->hit) { 1712 free(SSI(s)->tlsext_ecpointformatlist); 1713 SSI(s)->tlsext_ecpointformatlist = NULL; 1714 SSI(s)->tlsext_ecpointformatlist_length = 0; 1715 1716 if ((formats = reallocarray(NULL, formatslen, 1717 sizeof(uint8_t))) == NULL) { 1718 *al = TLS1_AD_INTERNAL_ERROR; 1719 return 0; 1720 } 1721 memcpy(formats, sdata, formatslen); 1722 SSI(s)->tlsext_ecpointformatlist = formats; 1723 SSI(s)->tlsext_ecpointformatlist_length = 1724 formatslen; 1725 } 1726 } 1727 else if (type == TLSEXT_TYPE_session_ticket) { 1728 if (s->internal->tls_session_ticket_ext_cb && 1729 !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { 1730 *al = TLS1_AD_INTERNAL_ERROR; 1731 return 0; 1732 } 1733 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1734 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1735 return 0; 1736 } 1737 s->internal->tlsext_ticket_expected = 1; 1738 } 1739 else if (type == TLSEXT_TYPE_status_request && 1740 s->version != DTLS1_VERSION) { 1741 /* MUST be empty and only sent if we've requested 1742 * a status request message. 1743 */ 1744 if ((s->tlsext_status_type == -1) || (size > 0)) { 1745 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1746 return 0; 1747 } 1748 /* Set flag to expect CertificateStatus message */ 1749 s->internal->tlsext_status_expected = 1; 1750 } 1751 else if (type == TLSEXT_TYPE_next_proto_neg && 1752 S3I(s)->tmp.finish_md_len == 0) { 1753 unsigned char *selected; 1754 unsigned char selected_len; 1755 1756 /* We must have requested it. */ 1757 if (s->ctx->internal->next_proto_select_cb == NULL) { 1758 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1759 return 0; 1760 } 1761 /* The data must be valid */ 1762 if (!ssl_next_proto_validate(data, size)) { 1763 *al = TLS1_AD_DECODE_ERROR; 1764 return 0; 1765 } 1766 if (s->ctx->internal->next_proto_select_cb(s, &selected, 1767 &selected_len, data, size, 1768 s->ctx->internal->next_proto_select_cb_arg) != 1769 SSL_TLSEXT_ERR_OK) { 1770 *al = TLS1_AD_INTERNAL_ERROR; 1771 return 0; 1772 } 1773 s->internal->next_proto_negotiated = malloc(selected_len); 1774 if (!s->internal->next_proto_negotiated) { 1775 *al = TLS1_AD_INTERNAL_ERROR; 1776 return 0; 1777 } 1778 memcpy(s->internal->next_proto_negotiated, selected, selected_len); 1779 s->internal->next_proto_negotiated_len = selected_len; 1780 S3I(s)->next_proto_neg_seen = 1; 1781 } 1782 else if (type == 1783 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1784 unsigned int len; 1785 1786 /* We must have requested it. */ 1787 if (s->internal->alpn_client_proto_list == NULL) { 1788 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1789 return 0; 1790 } 1791 if (size < 4) { 1792 *al = TLS1_AD_DECODE_ERROR; 1793 return (0); 1794 } 1795 1796 /* The extension data consists of: 1797 * uint16 list_length 1798 * uint8 proto_length; 1799 * uint8 proto[proto_length]; */ 1800 len = ((unsigned int)data[0]) << 8 | 1801 ((unsigned int)data[1]); 1802 if (len != (unsigned int)size - 2) { 1803 *al = TLS1_AD_DECODE_ERROR; 1804 return (0); 1805 } 1806 len = data[2]; 1807 if (len != (unsigned int)size - 3) { 1808 *al = TLS1_AD_DECODE_ERROR; 1809 return (0); 1810 } 1811 free(S3I(s)->alpn_selected); 1812 S3I(s)->alpn_selected = malloc(len); 1813 if (S3I(s)->alpn_selected == NULL) { 1814 *al = TLS1_AD_INTERNAL_ERROR; 1815 return (0); 1816 } 1817 memcpy(S3I(s)->alpn_selected, data + 3, len); 1818 S3I(s)->alpn_selected_len = len; 1819 1820 } else if (type == TLSEXT_TYPE_renegotiate) { 1821 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1822 return 0; 1823 renegotiate_seen = 1; 1824 } 1825 #ifndef OPENSSL_NO_SRTP 1826 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1827 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1828 size, al)) 1829 return 0; 1830 } 1831 #endif 1832 1833 data += size; 1834 1835 } 1836 1837 if (data != end) { 1838 *al = SSL_AD_DECODE_ERROR; 1839 return 0; 1840 } 1841 1842 if (!s->internal->hit && tlsext_servername == 1) { 1843 if (s->tlsext_hostname) { 1844 if (s->session->tlsext_hostname == NULL) { 1845 s->session->tlsext_hostname = 1846 strdup(s->tlsext_hostname); 1847 1848 if (!s->session->tlsext_hostname) { 1849 *al = SSL_AD_UNRECOGNIZED_NAME; 1850 return 0; 1851 } 1852 } else { 1853 *al = SSL_AD_DECODE_ERROR; 1854 return 0; 1855 } 1856 } 1857 } 1858 1859 *p = data; 1860 1861 ri_check: 1862 1863 /* Determine if we need to see RI. Strictly speaking if we want to 1864 * avoid an attack we should *always* see RI even on initial server 1865 * hello because the client doesn't see any renegotiation during an 1866 * attack. However this would mean we could not connect to any server 1867 * which doesn't support RI so for the immediate future tolerate RI 1868 * absence on initial connect only. 1869 */ 1870 if (!renegotiate_seen && 1871 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1872 *al = SSL_AD_HANDSHAKE_FAILURE; 1873 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1874 return 0; 1875 } 1876 1877 return 1; 1878 1879 err: 1880 *al = SSL_AD_DECODE_ERROR; 1881 return 0; 1882 } 1883 1884 int 1885 ssl_check_clienthello_tlsext_early(SSL *s) 1886 { 1887 int ret = SSL_TLSEXT_ERR_NOACK; 1888 int al = SSL_AD_UNRECOGNIZED_NAME; 1889 1890 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1891 * ssl3_choose_cipher in s3_lib.c. 1892 */ 1893 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1894 * ssl3_choose_cipher in s3_lib.c. 1895 */ 1896 1897 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 1898 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 1899 s->ctx->internal->tlsext_servername_arg); 1900 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 1901 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 1902 s->initial_ctx->internal->tlsext_servername_arg); 1903 1904 switch (ret) { 1905 case SSL_TLSEXT_ERR_ALERT_FATAL: 1906 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1907 return -1; 1908 case SSL_TLSEXT_ERR_ALERT_WARNING: 1909 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1910 return 1; 1911 case SSL_TLSEXT_ERR_NOACK: 1912 s->internal->servername_done = 0; 1913 default: 1914 return 1; 1915 } 1916 } 1917 1918 int 1919 ssl_check_clienthello_tlsext_late(SSL *s) 1920 { 1921 int ret = SSL_TLSEXT_ERR_OK; 1922 int al = 0; /* XXX gcc3 */ 1923 1924 /* If status request then ask callback what to do. 1925 * Note: this must be called after servername callbacks in case 1926 * the certificate has changed, and must be called after the cipher 1927 * has been chosen because this may influence which certificate is sent 1928 */ 1929 if ((s->tlsext_status_type != -1) && 1930 s->ctx && s->ctx->internal->tlsext_status_cb) { 1931 int r; 1932 CERT_PKEY *certpkey; 1933 certpkey = ssl_get_server_send_pkey(s); 1934 /* If no certificate can't return certificate status */ 1935 if (certpkey == NULL) { 1936 s->internal->tlsext_status_expected = 0; 1937 return 1; 1938 } 1939 /* Set current certificate to one we will use so 1940 * SSL_get_certificate et al can pick it up. 1941 */ 1942 s->cert->key = certpkey; 1943 r = s->ctx->internal->tlsext_status_cb(s, 1944 s->ctx->internal->tlsext_status_arg); 1945 switch (r) { 1946 /* We don't want to send a status request response */ 1947 case SSL_TLSEXT_ERR_NOACK: 1948 s->internal->tlsext_status_expected = 0; 1949 break; 1950 /* status request response should be sent */ 1951 case SSL_TLSEXT_ERR_OK: 1952 if (s->internal->tlsext_ocsp_resp) 1953 s->internal->tlsext_status_expected = 1; 1954 else 1955 s->internal->tlsext_status_expected = 0; 1956 break; 1957 /* something bad happened */ 1958 case SSL_TLSEXT_ERR_ALERT_FATAL: 1959 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1960 al = SSL_AD_INTERNAL_ERROR; 1961 goto err; 1962 } 1963 } else 1964 s->internal->tlsext_status_expected = 0; 1965 1966 err: 1967 switch (ret) { 1968 case SSL_TLSEXT_ERR_ALERT_FATAL: 1969 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1970 return -1; 1971 case SSL_TLSEXT_ERR_ALERT_WARNING: 1972 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1973 return 1; 1974 default: 1975 return 1; 1976 } 1977 } 1978 1979 int 1980 ssl_check_serverhello_tlsext(SSL *s) 1981 { 1982 int ret = SSL_TLSEXT_ERR_NOACK; 1983 int al = SSL_AD_UNRECOGNIZED_NAME; 1984 1985 /* If we are client and using an elliptic curve cryptography cipher 1986 * suite, then if server returns an EC point formats lists extension 1987 * it must contain uncompressed. 1988 */ 1989 unsigned long alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; 1990 unsigned long alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; 1991 if ((s->internal->tlsext_ecpointformatlist != NULL) && 1992 (s->internal->tlsext_ecpointformatlist_length > 0) && 1993 (SSI(s)->tlsext_ecpointformatlist != NULL) && 1994 (SSI(s)->tlsext_ecpointformatlist_length > 0) && 1995 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1996 /* we are using an ECC cipher */ 1997 size_t i; 1998 unsigned char *list; 1999 int found_uncompressed = 0; 2000 list = SSI(s)->tlsext_ecpointformatlist; 2001 for (i = 0; i < SSI(s)->tlsext_ecpointformatlist_length; i++) { 2002 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 2003 found_uncompressed = 1; 2004 break; 2005 } 2006 } 2007 if (!found_uncompressed) { 2008 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2009 return -1; 2010 } 2011 } 2012 ret = SSL_TLSEXT_ERR_OK; 2013 2014 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 2015 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 2016 s->ctx->internal->tlsext_servername_arg); 2017 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 2018 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 2019 s->initial_ctx->internal->tlsext_servername_arg); 2020 2021 /* If we've requested certificate status and we wont get one 2022 * tell the callback 2023 */ 2024 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && 2025 s->ctx && s->ctx->internal->tlsext_status_cb) { 2026 int r; 2027 /* Set resp to NULL, resplen to -1 so callback knows 2028 * there is no response. 2029 */ 2030 free(s->internal->tlsext_ocsp_resp); 2031 s->internal->tlsext_ocsp_resp = NULL; 2032 s->internal->tlsext_ocsp_resplen = -1; 2033 r = s->ctx->internal->tlsext_status_cb(s, 2034 s->ctx->internal->tlsext_status_arg); 2035 if (r == 0) { 2036 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2037 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2038 } 2039 if (r < 0) { 2040 al = SSL_AD_INTERNAL_ERROR; 2041 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2042 } 2043 } 2044 2045 switch (ret) { 2046 case SSL_TLSEXT_ERR_ALERT_FATAL: 2047 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2048 2049 return -1; 2050 case SSL_TLSEXT_ERR_ALERT_WARNING: 2051 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2052 2053 return 1; 2054 case SSL_TLSEXT_ERR_NOACK: 2055 s->internal->servername_done = 0; 2056 default: 2057 return 1; 2058 } 2059 } 2060 2061 /* Since the server cache lookup is done early on in the processing of the 2062 * ClientHello, and other operations depend on the result, we need to handle 2063 * any TLS session ticket extension at the same time. 2064 * 2065 * session_id: points at the session ID in the ClientHello. This code will 2066 * read past the end of this in order to parse out the session ticket 2067 * extension, if any. 2068 * len: the length of the session ID. 2069 * limit: a pointer to the first byte after the ClientHello. 2070 * ret: (output) on return, if a ticket was decrypted, then this is set to 2071 * point to the resulting session. 2072 * 2073 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key 2074 * ciphersuite, in which case we have no use for session tickets and one will 2075 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. 2076 * 2077 * Returns: 2078 * -1: fatal error, either from parsing or decrypting the ticket. 2079 * 0: no ticket was found (or was ignored, based on settings). 2080 * 1: a zero length extension was found, indicating that the client supports 2081 * session tickets but doesn't currently have one to offer. 2082 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but 2083 * couldn't be decrypted because of a non-fatal error. 2084 * 3: a ticket was successfully decrypted and *ret was set. 2085 * 2086 * Side effects: 2087 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue 2088 * a new session ticket to the client because the client indicated support 2089 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have 2090 * a session ticket or we couldn't use the one it gave us, or if 2091 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2092 * Otherwise, s->internal->tlsext_ticket_expected is set to 0. 2093 */ 2094 int 2095 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2096 const unsigned char *limit, SSL_SESSION **ret) 2097 { 2098 /* Point after session ID in client hello */ 2099 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2100 2101 *ret = NULL; 2102 s->internal->tlsext_ticket_expected = 0; 2103 2104 /* If tickets disabled behave as if no ticket present 2105 * to permit stateful resumption. 2106 */ 2107 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2108 return 0; 2109 if (!limit) 2110 return 0; 2111 2112 if (limit < session) 2113 return -1; 2114 2115 CBS_init(&session_id, session, limit - session); 2116 2117 /* Skip past the session id */ 2118 if (!CBS_skip(&session_id, session_len)) 2119 return -1; 2120 2121 /* Skip past DTLS cookie */ 2122 if (SSL_IS_DTLS(s)) { 2123 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2124 return -1; 2125 } 2126 2127 /* Skip past cipher list */ 2128 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2129 return -1; 2130 2131 /* Skip past compression algorithm list */ 2132 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2133 return -1; 2134 2135 /* Now at start of extensions */ 2136 if (CBS_len(&session_id) == 0) 2137 return 0; 2138 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2139 return -1; 2140 2141 while (CBS_len(&extensions) > 0) { 2142 CBS ext_data; 2143 uint16_t ext_type; 2144 2145 if (!CBS_get_u16(&extensions, &ext_type) || 2146 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2147 return -1; 2148 2149 if (ext_type == TLSEXT_TYPE_session_ticket) { 2150 int r; 2151 if (CBS_len(&ext_data) == 0) { 2152 /* The client will accept a ticket but doesn't 2153 * currently have one. */ 2154 s->internal->tlsext_ticket_expected = 1; 2155 return 1; 2156 } 2157 if (s->internal->tls_session_secret_cb) { 2158 /* Indicate that the ticket couldn't be 2159 * decrypted rather than generating the session 2160 * from ticket now, trigger abbreviated 2161 * handshake based on external mechanism to 2162 * calculate the master secret later. */ 2163 return 2; 2164 } 2165 2166 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2167 CBS_len(&ext_data), session, session_len, ret); 2168 2169 switch (r) { 2170 case 2: /* ticket couldn't be decrypted */ 2171 s->internal->tlsext_ticket_expected = 1; 2172 return 2; 2173 case 3: /* ticket was decrypted */ 2174 return r; 2175 case 4: /* ticket decrypted but need to renew */ 2176 s->internal->tlsext_ticket_expected = 1; 2177 return 3; 2178 default: /* fatal error */ 2179 return -1; 2180 } 2181 } 2182 } 2183 return 0; 2184 } 2185 2186 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2187 * 2188 * etick: points to the body of the session ticket extension. 2189 * eticklen: the length of the session tickets extenion. 2190 * sess_id: points at the session ID. 2191 * sesslen: the length of the session ID. 2192 * psess: (output) on return, if a ticket was decrypted, then this is set to 2193 * point to the resulting session. 2194 * 2195 * Returns: 2196 * -1: fatal error, either from parsing or decrypting the ticket. 2197 * 2: the ticket couldn't be decrypted. 2198 * 3: a ticket was successfully decrypted and *psess was set. 2199 * 4: same as 3, but the ticket needs to be renewed. 2200 */ 2201 static int 2202 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2203 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2204 { 2205 SSL_SESSION *sess; 2206 unsigned char *sdec; 2207 const unsigned char *p; 2208 int slen, mlen, renew_ticket = 0; 2209 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2210 HMAC_CTX hctx; 2211 EVP_CIPHER_CTX ctx; 2212 SSL_CTX *tctx = s->initial_ctx; 2213 2214 /* 2215 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 2216 * the iv to tlsext_ticket_key_cb(). Since the total space 2217 * required for a session cookie is never less than this, 2218 * this check isn't too strict. The exact check comes later. 2219 */ 2220 if (eticklen < 16 + EVP_MAX_IV_LENGTH) 2221 return 2; 2222 2223 /* Initialize session ticket encryption and HMAC contexts */ 2224 HMAC_CTX_init(&hctx); 2225 EVP_CIPHER_CTX_init(&ctx); 2226 if (tctx->internal->tlsext_ticket_key_cb) { 2227 unsigned char *nctick = (unsigned char *)etick; 2228 int rv = tctx->internal->tlsext_ticket_key_cb(s, 2229 nctick, nctick + 16, &ctx, &hctx, 0); 2230 if (rv < 0) { 2231 HMAC_CTX_cleanup(&hctx); 2232 EVP_CIPHER_CTX_cleanup(&ctx); 2233 return -1; 2234 } 2235 if (rv == 0) { 2236 HMAC_CTX_cleanup(&hctx); 2237 EVP_CIPHER_CTX_cleanup(&ctx); 2238 return 2; 2239 } 2240 if (rv == 2) 2241 renew_ticket = 1; 2242 } else { 2243 /* Check key name matches */ 2244 if (timingsafe_memcmp(etick, 2245 tctx->internal->tlsext_tick_key_name, 16)) 2246 return 2; 2247 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, 2248 16, tlsext_tick_md(), NULL); 2249 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2250 tctx->internal->tlsext_tick_aes_key, etick + 16); 2251 } 2252 2253 /* 2254 * Attempt to process session ticket, first conduct sanity and 2255 * integrity checks on ticket. 2256 */ 2257 mlen = HMAC_size(&hctx); 2258 if (mlen < 0) { 2259 HMAC_CTX_cleanup(&hctx); 2260 EVP_CIPHER_CTX_cleanup(&ctx); 2261 return -1; 2262 } 2263 2264 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2265 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2266 HMAC_CTX_cleanup(&hctx); 2267 EVP_CIPHER_CTX_cleanup(&ctx); 2268 return 2; 2269 } 2270 eticklen -= mlen; 2271 2272 /* Check HMAC of encrypted ticket */ 2273 if (HMAC_Update(&hctx, etick, eticklen) <= 0 || 2274 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2275 HMAC_CTX_cleanup(&hctx); 2276 EVP_CIPHER_CTX_cleanup(&ctx); 2277 return -1; 2278 } 2279 2280 HMAC_CTX_cleanup(&hctx); 2281 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2282 EVP_CIPHER_CTX_cleanup(&ctx); 2283 return 2; 2284 } 2285 2286 /* Attempt to decrypt session data */ 2287 /* Move p after IV to start of encrypted ticket, update length */ 2288 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2289 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2290 sdec = malloc(eticklen); 2291 if (sdec == NULL || 2292 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2293 free(sdec); 2294 EVP_CIPHER_CTX_cleanup(&ctx); 2295 return -1; 2296 } 2297 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2298 free(sdec); 2299 EVP_CIPHER_CTX_cleanup(&ctx); 2300 return 2; 2301 } 2302 slen += mlen; 2303 EVP_CIPHER_CTX_cleanup(&ctx); 2304 p = sdec; 2305 2306 sess = d2i_SSL_SESSION(NULL, &p, slen); 2307 free(sdec); 2308 if (sess) { 2309 /* The session ID, if non-empty, is used by some clients to 2310 * detect that the ticket has been accepted. So we copy it to 2311 * the session structure. If it is empty set length to zero 2312 * as required by standard. 2313 */ 2314 if (sesslen) 2315 memcpy(sess->session_id, sess_id, sesslen); 2316 sess->session_id_length = sesslen; 2317 *psess = sess; 2318 if (renew_ticket) 2319 return 4; 2320 else 2321 return 3; 2322 } 2323 ERR_clear_error(); 2324 /* For session parse failure, indicate that we need to send a new 2325 * ticket. */ 2326 return 2; 2327 } 2328 2329 /* Tables to translate from NIDs to TLS v1.2 ids */ 2330 2331 typedef struct { 2332 int nid; 2333 int id; 2334 } tls12_lookup; 2335 2336 static tls12_lookup tls12_md[] = { 2337 {NID_md5, TLSEXT_hash_md5}, 2338 {NID_sha1, TLSEXT_hash_sha1}, 2339 {NID_sha224, TLSEXT_hash_sha224}, 2340 {NID_sha256, TLSEXT_hash_sha256}, 2341 {NID_sha384, TLSEXT_hash_sha384}, 2342 {NID_sha512, TLSEXT_hash_sha512}, 2343 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2344 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2345 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2346 }; 2347 2348 static tls12_lookup tls12_sig[] = { 2349 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2350 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2351 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2352 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2353 }; 2354 2355 static int 2356 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2357 { 2358 size_t i; 2359 for (i = 0; i < tlen; i++) { 2360 if (table[i].nid == nid) 2361 return table[i].id; 2362 } 2363 return -1; 2364 } 2365 2366 int 2367 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2368 { 2369 int sig_id, md_id; 2370 if (!md) 2371 return 0; 2372 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2373 sizeof(tls12_md) / sizeof(tls12_lookup)); 2374 if (md_id == -1) 2375 return 0; 2376 sig_id = tls12_get_sigid(pk); 2377 if (sig_id == -1) 2378 return 0; 2379 p[0] = (unsigned char)md_id; 2380 p[1] = (unsigned char)sig_id; 2381 return 1; 2382 } 2383 2384 int 2385 tls12_get_sigid(const EVP_PKEY *pk) 2386 { 2387 return tls12_find_id(pk->type, tls12_sig, 2388 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2389 } 2390 2391 const EVP_MD * 2392 tls12_get_hash(unsigned char hash_alg) 2393 { 2394 switch (hash_alg) { 2395 case TLSEXT_hash_sha1: 2396 return EVP_sha1(); 2397 case TLSEXT_hash_sha224: 2398 return EVP_sha224(); 2399 case TLSEXT_hash_sha256: 2400 return EVP_sha256(); 2401 case TLSEXT_hash_sha384: 2402 return EVP_sha384(); 2403 case TLSEXT_hash_sha512: 2404 return EVP_sha512(); 2405 #ifndef OPENSSL_NO_GOST 2406 case TLSEXT_hash_gost94: 2407 return EVP_gostr341194(); 2408 case TLSEXT_hash_streebog_256: 2409 return EVP_streebog256(); 2410 case TLSEXT_hash_streebog_512: 2411 return EVP_streebog512(); 2412 #endif 2413 default: 2414 return NULL; 2415 } 2416 } 2417 2418 /* Set preferred digest for each key type */ 2419 2420 int 2421 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2422 { 2423 int idx; 2424 const EVP_MD *md; 2425 CERT *c = s->cert; 2426 CBS cbs; 2427 2428 /* Extension ignored for inappropriate versions */ 2429 if (!SSL_USE_SIGALGS(s)) 2430 return 1; 2431 2432 /* Should never happen */ 2433 if (!c || dsize < 0) 2434 return 0; 2435 2436 CBS_init(&cbs, data, dsize); 2437 2438 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2439 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2440 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2441 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2442 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2443 2444 while (CBS_len(&cbs) > 0) { 2445 uint8_t hash_alg, sig_alg; 2446 2447 if (!CBS_get_u8(&cbs, &hash_alg) || 2448 !CBS_get_u8(&cbs, &sig_alg)) { 2449 /* Should never happen */ 2450 return 0; 2451 } 2452 2453 switch (sig_alg) { 2454 case TLSEXT_signature_rsa: 2455 idx = SSL_PKEY_RSA_SIGN; 2456 break; 2457 case TLSEXT_signature_dsa: 2458 idx = SSL_PKEY_DSA_SIGN; 2459 break; 2460 case TLSEXT_signature_ecdsa: 2461 idx = SSL_PKEY_ECC; 2462 break; 2463 case TLSEXT_signature_gostr01: 2464 case TLSEXT_signature_gostr12_256: 2465 case TLSEXT_signature_gostr12_512: 2466 idx = SSL_PKEY_GOST01; 2467 break; 2468 default: 2469 continue; 2470 } 2471 2472 if (c->pkeys[idx].digest == NULL) { 2473 md = tls12_get_hash(hash_alg); 2474 if (md) { 2475 c->pkeys[idx].digest = md; 2476 if (idx == SSL_PKEY_RSA_SIGN) 2477 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2478 } 2479 } 2480 2481 } 2482 2483 /* Set any remaining keys to default values. NOTE: if alg is not 2484 * supported it stays as NULL. 2485 */ 2486 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2487 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2488 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2489 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2490 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2491 } 2492 if (!c->pkeys[SSL_PKEY_ECC].digest) 2493 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2494 #ifndef OPENSSL_NO_GOST 2495 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2496 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2497 #endif 2498 return 1; 2499 } 2500