1 /* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 121 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 122 const unsigned char *sess_id, int sesslen, 123 SSL_SESSION **psess); 124 125 SSL3_ENC_METHOD TLSv1_enc_data = { 126 .enc = tls1_enc, 127 .mac = tls1_mac, 128 .setup_key_block = tls1_setup_key_block, 129 .generate_master_secret = tls1_generate_master_secret, 130 .change_cipher_state = tls1_change_cipher_state, 131 .final_finish_mac = tls1_final_finish_mac, 132 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 133 .cert_verify_mac = tls1_cert_verify_mac, 134 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 135 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 136 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 137 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 138 .alert_value = tls1_alert_code, 139 .export_keying_material = tls1_export_keying_material, 140 .enc_flags = 0, 141 }; 142 143 SSL3_ENC_METHOD TLSv1_1_enc_data = { 144 .enc = tls1_enc, 145 .mac = tls1_mac, 146 .setup_key_block = tls1_setup_key_block, 147 .generate_master_secret = tls1_generate_master_secret, 148 .change_cipher_state = tls1_change_cipher_state, 149 .final_finish_mac = tls1_final_finish_mac, 150 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 151 .cert_verify_mac = tls1_cert_verify_mac, 152 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 153 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 154 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 155 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 156 .alert_value = tls1_alert_code, 157 .export_keying_material = tls1_export_keying_material, 158 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 159 }; 160 161 SSL3_ENC_METHOD TLSv1_2_enc_data = { 162 .enc = tls1_enc, 163 .mac = tls1_mac, 164 .setup_key_block = tls1_setup_key_block, 165 .generate_master_secret = tls1_generate_master_secret, 166 .change_cipher_state = tls1_change_cipher_state, 167 .final_finish_mac = tls1_final_finish_mac, 168 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 169 .cert_verify_mac = tls1_cert_verify_mac, 170 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 171 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 172 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 173 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 174 .alert_value = tls1_alert_code, 175 .export_keying_material = tls1_export_keying_material, 176 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 177 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 178 }; 179 180 long 181 tls1_default_timeout(void) 182 { 183 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 184 * is way too long for http, the cache would over fill */ 185 return (60 * 60 * 2); 186 } 187 188 int 189 tls1_new(SSL *s) 190 { 191 if (!ssl3_new(s)) 192 return (0); 193 s->method->ssl_clear(s); 194 return (1); 195 } 196 197 void 198 tls1_free(SSL *s) 199 { 200 free(s->tlsext_session_ticket); 201 ssl3_free(s); 202 } 203 204 void 205 tls1_clear(SSL *s) 206 { 207 ssl3_clear(s); 208 s->version = s->method->version; 209 } 210 211 212 static int nid_list[] = { 213 NID_sect163k1, /* sect163k1 (1) */ 214 NID_sect163r1, /* sect163r1 (2) */ 215 NID_sect163r2, /* sect163r2 (3) */ 216 NID_sect193r1, /* sect193r1 (4) */ 217 NID_sect193r2, /* sect193r2 (5) */ 218 NID_sect233k1, /* sect233k1 (6) */ 219 NID_sect233r1, /* sect233r1 (7) */ 220 NID_sect239k1, /* sect239k1 (8) */ 221 NID_sect283k1, /* sect283k1 (9) */ 222 NID_sect283r1, /* sect283r1 (10) */ 223 NID_sect409k1, /* sect409k1 (11) */ 224 NID_sect409r1, /* sect409r1 (12) */ 225 NID_sect571k1, /* sect571k1 (13) */ 226 NID_sect571r1, /* sect571r1 (14) */ 227 NID_secp160k1, /* secp160k1 (15) */ 228 NID_secp160r1, /* secp160r1 (16) */ 229 NID_secp160r2, /* secp160r2 (17) */ 230 NID_secp192k1, /* secp192k1 (18) */ 231 NID_X9_62_prime192v1, /* secp192r1 (19) */ 232 NID_secp224k1, /* secp224k1 (20) */ 233 NID_secp224r1, /* secp224r1 (21) */ 234 NID_secp256k1, /* secp256k1 (22) */ 235 NID_X9_62_prime256v1, /* secp256r1 (23) */ 236 NID_secp384r1, /* secp384r1 (24) */ 237 NID_secp521r1, /* secp521r1 (25) */ 238 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 239 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 240 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 241 }; 242 243 static const unsigned char ecformats_default[] = { 244 TLSEXT_ECPOINTFORMAT_uncompressed, 245 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 246 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 247 }; 248 249 static const unsigned char eccurves_default[] = { 250 0,14, /* sect571r1 (14) */ 251 0,13, /* sect571k1 (13) */ 252 0,25, /* secp521r1 (25) */ 253 0,28, /* brainpool512r1 (28) */ 254 0,11, /* sect409k1 (11) */ 255 0,12, /* sect409r1 (12) */ 256 0,27, /* brainpoolP384r1 (27) */ 257 0,24, /* secp384r1 (24) */ 258 0,9, /* sect283k1 (9) */ 259 0,10, /* sect283r1 (10) */ 260 0,26, /* brainpoolP256r1 (26) */ 261 0,22, /* secp256k1 (22) */ 262 0,23, /* secp256r1 (23) */ 263 0,8, /* sect239k1 (8) */ 264 0,6, /* sect233k1 (6) */ 265 0,7, /* sect233r1 (7) */ 266 0,20, /* secp224k1 (20) */ 267 0,21, /* secp224r1 (21) */ 268 0,4, /* sect193r1 (4) */ 269 0,5, /* sect193r2 (5) */ 270 0,18, /* secp192k1 (18) */ 271 0,19, /* secp192r1 (19) */ 272 0,1, /* sect163k1 (1) */ 273 0,2, /* sect163r1 (2) */ 274 0,3, /* sect163r2 (3) */ 275 0,15, /* secp160k1 (15) */ 276 0,16, /* secp160r1 (16) */ 277 0,17, /* secp160r2 (17) */ 278 }; 279 280 int 281 tls1_ec_curve_id2nid(int curve_id) 282 { 283 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 284 if ((curve_id < 1) || 285 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 286 return 0; 287 return nid_list[curve_id - 1]; 288 } 289 290 int 291 tls1_ec_nid2curve_id(int nid) 292 { 293 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 294 switch (nid) { 295 case NID_sect163k1: /* sect163k1 (1) */ 296 return 1; 297 case NID_sect163r1: /* sect163r1 (2) */ 298 return 2; 299 case NID_sect163r2: /* sect163r2 (3) */ 300 return 3; 301 case NID_sect193r1: /* sect193r1 (4) */ 302 return 4; 303 case NID_sect193r2: /* sect193r2 (5) */ 304 return 5; 305 case NID_sect233k1: /* sect233k1 (6) */ 306 return 6; 307 case NID_sect233r1: /* sect233r1 (7) */ 308 return 7; 309 case NID_sect239k1: /* sect239k1 (8) */ 310 return 8; 311 case NID_sect283k1: /* sect283k1 (9) */ 312 return 9; 313 case NID_sect283r1: /* sect283r1 (10) */ 314 return 10; 315 case NID_sect409k1: /* sect409k1 (11) */ 316 return 11; 317 case NID_sect409r1: /* sect409r1 (12) */ 318 return 12; 319 case NID_sect571k1: /* sect571k1 (13) */ 320 return 13; 321 case NID_sect571r1: /* sect571r1 (14) */ 322 return 14; 323 case NID_secp160k1: /* secp160k1 (15) */ 324 return 15; 325 case NID_secp160r1: /* secp160r1 (16) */ 326 return 16; 327 case NID_secp160r2: /* secp160r2 (17) */ 328 return 17; 329 case NID_secp192k1: /* secp192k1 (18) */ 330 return 18; 331 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 332 return 19; 333 case NID_secp224k1: /* secp224k1 (20) */ 334 return 20; 335 case NID_secp224r1: /* secp224r1 (21) */ 336 return 21; 337 case NID_secp256k1: /* secp256k1 (22) */ 338 return 22; 339 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 340 return 23; 341 case NID_secp384r1: /* secp384r1 (24) */ 342 return 24; 343 case NID_secp521r1: /* secp521r1 (25) */ 344 return 25; 345 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 346 return 26; 347 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 348 return 27; 349 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 350 return 28; 351 default: 352 return 0; 353 } 354 } 355 356 /* 357 * Return the appropriate format list. If client_formats is non-zero, return 358 * the client/session formats. Otherwise return the custom format list if one 359 * exists, or the default formats if a custom list has not been specified. 360 */ 361 static void 362 tls1_get_formatlist(SSL *s, int client_formats, const unsigned char **pformats, 363 size_t *pformatslen) 364 { 365 if (client_formats != 0) { 366 *pformats = s->session->tlsext_ecpointformatlist; 367 *pformatslen = s->session->tlsext_ecpointformatlist_length; 368 return; 369 } 370 371 *pformats = s->tlsext_ecpointformatlist; 372 *pformatslen = s->tlsext_ecpointformatlist_length; 373 if (*pformats == NULL) { 374 *pformats = ecformats_default; 375 *pformatslen = sizeof(ecformats_default); 376 } 377 } 378 379 /* 380 * Return the appropriate curve list. If client_curves is non-zero, return 381 * the client/session curves. Otherwise return the custom curve list if one 382 * exists, or the default curves if a custom list has not been specified. 383 */ 384 static void 385 tls1_get_curvelist(SSL *s, int client_curves, const unsigned char **pcurves, 386 size_t *pcurveslen) 387 { 388 if (client_curves != 0) { 389 *pcurves = s->session->tlsext_ellipticcurvelist; 390 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 391 return; 392 } 393 394 *pcurves = s->tlsext_ellipticcurvelist; 395 *pcurveslen = s->tlsext_ellipticcurvelist_length; 396 if (*pcurves == NULL) { 397 *pcurves = eccurves_default; 398 *pcurveslen = sizeof(eccurves_default); 399 } 400 } 401 402 /* Check that a curve is one of our preferences. */ 403 int 404 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 405 { 406 const unsigned char *curves; 407 size_t curveslen, i; 408 409 /* Only named curves are supported. */ 410 if (len != 3 || p[0] != NAMED_CURVE_TYPE) 411 return (0); 412 413 tls1_get_curvelist(s, 0, &curves, &curveslen); 414 415 for (i = 0; i < curveslen; i += 2, curves += 2) { 416 if (p[1] == curves[0] && p[2] == curves[1]) 417 return (1); 418 } 419 return (0); 420 } 421 422 int 423 tls1_get_shared_curve(SSL *s) 424 { 425 const unsigned char *pref, *supp, *tsupp; 426 size_t preflen, supplen, i, j; 427 unsigned long server_pref; 428 int id; 429 430 /* Cannot do anything on the client side. */ 431 if (s->server == 0) 432 return (NID_undef); 433 434 /* Return first preference shared curve. */ 435 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 436 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 437 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 438 439 for (i = 0; i < preflen; i += 2, pref += 2) { 440 tsupp = supp; 441 for (j = 0; j < supplen; j += 2, tsupp += 2) { 442 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { 443 id = (pref[0] << 8) | pref[1]; 444 return (tls1_ec_curve_id2nid(id)); 445 } 446 } 447 } 448 return (NID_undef); 449 } 450 451 /* For an EC key set TLS ID and required compression based on parameters. */ 452 static int 453 tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, EC_KEY *ec) 454 { 455 const EC_GROUP *grp; 456 const EC_METHOD *meth; 457 int is_prime = 0; 458 int nid, id; 459 460 if (ec == NULL) 461 return (0); 462 463 /* Determine if it is a prime field. */ 464 if ((grp = EC_KEY_get0_group(ec)) == NULL) 465 return (0); 466 if ((meth = EC_GROUP_method_of(grp)) == NULL) 467 return (0); 468 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 469 is_prime = 1; 470 471 /* Determine curve ID. */ 472 nid = EC_GROUP_get_curve_name(grp); 473 id = tls1_ec_nid2curve_id(nid); 474 475 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 476 if (id != 0) { 477 curve_id[0] = 0; 478 curve_id[1] = (unsigned char)id; 479 } else { 480 curve_id[0] = 0xff; 481 curve_id[1] = is_prime ? 0x01 : 0x02; 482 } 483 484 /* Specify the compression identifier. */ 485 if (comp_id != NULL) { 486 if (EC_KEY_get0_public_key(ec) == NULL) 487 return (0); 488 489 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 490 *comp_id = is_prime ? 491 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 492 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 493 } else { 494 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 495 } 496 } 497 return (1); 498 } 499 500 /* Check that an EC key is compatible with extensions. */ 501 static int 502 tls1_check_ec_key(SSL *s, unsigned char *curve_id, unsigned char *comp_id) 503 { 504 const unsigned char *curves, *formats; 505 size_t curveslen, formatslen, i; 506 507 /* 508 * Check point formats extension if present, otherwise everything 509 * is supported (see RFC4492). 510 */ 511 tls1_get_formatlist(s, 1, &formats, &formatslen); 512 if (comp_id != NULL && formats != NULL) { 513 for (i = 0; i < formatslen; i++, formats++) { 514 if (*comp_id == *formats) 515 break; 516 } 517 if (i == formatslen) 518 return (0); 519 } 520 521 /* 522 * Check curve list if present, otherwise everything is supported. 523 */ 524 tls1_get_curvelist(s, 1, &curves, &curveslen); 525 if (curves != NULL) { 526 for (i = 0; i < curveslen; i += 2, curves += 2) { 527 if (curves[0] == curve_id[0] && 528 curves[1] == curve_id[1]) 529 break; 530 } 531 if (i == curveslen) 532 return (0); 533 } 534 535 return (1); 536 } 537 538 /* Check EC server key is compatible with client extensions. */ 539 int 540 tls1_check_ec_server_key(SSL *s) 541 { 542 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 543 unsigned char comp_id, curve_id[2]; 544 EVP_PKEY *pkey; 545 int rv; 546 547 if (cpk->x509 == NULL || cpk->privatekey == NULL) 548 return (0); 549 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 550 return (0); 551 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); 552 EVP_PKEY_free(pkey); 553 if (rv != 1) 554 return (0); 555 556 return tls1_check_ec_key(s, curve_id, &comp_id); 557 } 558 559 /* Check EC temporary key is compatible with client extensions. */ 560 int 561 tls1_check_ec_tmp_key(SSL *s) 562 { 563 EC_KEY *ec = s->cert->ecdh_tmp; 564 unsigned char curve_id[2]; 565 566 if (s->cert->ecdh_tmp_auto != 0) { 567 /* Need a shared curve. */ 568 if (tls1_get_shared_curve(s) != NID_undef) 569 return (1); 570 return (0); 571 } 572 573 if (ec == NULL) { 574 if (s->cert->ecdh_tmp_cb != NULL) 575 return (1); 576 return (0); 577 } 578 if (tls1_set_ec_id(curve_id, NULL, ec) != 1) 579 return (0); 580 581 return tls1_check_ec_key(s, curve_id, NULL); 582 } 583 584 /* 585 * List of supported signature algorithms and hashes. Should make this 586 * customisable at some point, for now include everything we support. 587 */ 588 589 static unsigned char tls12_sigalgs[] = { 590 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 591 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 592 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 593 #ifndef OPENSSL_NO_GOST 594 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 595 #endif 596 597 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 598 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 599 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 600 601 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 602 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 603 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 604 605 #ifndef OPENSSL_NO_GOST 606 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 607 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 608 #endif 609 610 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 611 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 612 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 613 614 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 615 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 616 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 617 }; 618 619 int 620 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 621 { 622 size_t slen = sizeof(tls12_sigalgs); 623 624 if (p) 625 memcpy(p, tls12_sigalgs, slen); 626 return (int)slen; 627 } 628 629 unsigned char * 630 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 631 { 632 int extdatalen = 0; 633 unsigned char *ret = p; 634 int using_ecc = 0; 635 636 /* See if we support any ECC ciphersuites. */ 637 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 638 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 639 unsigned long alg_k, alg_a; 640 int i; 641 642 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 643 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 644 645 alg_k = c->algorithm_mkey; 646 alg_a = c->algorithm_auth; 647 648 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 649 (alg_a & SSL_aECDSA))) { 650 using_ecc = 1; 651 break; 652 } 653 } 654 } 655 656 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 657 if (s->client_version == SSL3_VERSION && 658 !s->s3->send_connection_binding) 659 return p; 660 661 ret += 2; 662 663 if (ret >= limit) 664 return NULL; /* this really never occurs, but ... */ 665 666 if (s->tlsext_hostname != NULL) { 667 /* Add TLS extension servername to the Client Hello message */ 668 size_t size_str, lenmax; 669 670 /* check for enough space. 671 4 for the servername type and extension length 672 2 for servernamelist length 673 1 for the hostname type 674 2 for hostname length 675 + hostname length 676 */ 677 678 if ((size_t)(limit - ret) < 9) 679 return NULL; 680 681 lenmax = limit - ret - 9; 682 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 683 return NULL; 684 685 /* extension type and length */ 686 s2n(TLSEXT_TYPE_server_name, ret); 687 688 s2n(size_str + 5, ret); 689 690 /* length of servername list */ 691 s2n(size_str + 3, ret); 692 693 /* hostname type, length and hostname */ 694 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 695 s2n(size_str, ret); 696 memcpy(ret, s->tlsext_hostname, size_str); 697 ret += size_str; 698 } 699 700 /* Add RI if renegotiating */ 701 if (s->renegotiate) { 702 int el; 703 704 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 705 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 706 ERR_R_INTERNAL_ERROR); 707 return NULL; 708 } 709 710 if ((size_t)(limit - ret) < 4 + el) 711 return NULL; 712 713 s2n(TLSEXT_TYPE_renegotiate, ret); 714 s2n(el, ret); 715 716 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 717 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 718 ERR_R_INTERNAL_ERROR); 719 return NULL; 720 } 721 722 ret += el; 723 } 724 725 if (using_ecc) { 726 const unsigned char *curves, *formats; 727 size_t curveslen, formatslen, lenmax; 728 729 /* 730 * Add TLS extension ECPointFormats to the ClientHello message. 731 */ 732 tls1_get_formatlist(s, 0, &formats, &formatslen); 733 734 if ((size_t)(limit - ret) < 5) 735 return NULL; 736 737 lenmax = limit - ret - 5; 738 if (formatslen > lenmax) 739 return NULL; 740 if (formatslen > 255) { 741 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 742 ERR_R_INTERNAL_ERROR); 743 return NULL; 744 } 745 746 s2n(TLSEXT_TYPE_ec_point_formats, ret); 747 s2n(formatslen + 1, ret); 748 *(ret++) = (unsigned char)formatslen; 749 memcpy(ret, formats, formatslen); 750 ret += formatslen; 751 752 /* 753 * Add TLS extension EllipticCurves to the ClientHello message. 754 */ 755 tls1_get_curvelist(s, 0, &curves, &curveslen); 756 757 if ((size_t)(limit - ret) < 6) 758 return NULL; 759 760 lenmax = limit - ret - 6; 761 if (curveslen > lenmax) 762 return NULL; 763 if (curveslen > 65532) { 764 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 765 ERR_R_INTERNAL_ERROR); 766 return NULL; 767 } 768 769 s2n(TLSEXT_TYPE_elliptic_curves, ret); 770 s2n(curveslen + 2, ret); 771 772 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 773 * elliptic_curve_list, but the examples use two bytes. 774 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 775 * resolves this to two bytes. 776 */ 777 s2n(curveslen, ret); 778 memcpy(ret, curves, curveslen); 779 ret += curveslen; 780 } 781 782 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 783 int ticklen; 784 if (!s->new_session && s->session && s->session->tlsext_tick) 785 ticklen = s->session->tlsext_ticklen; 786 else if (s->session && s->tlsext_session_ticket && 787 s->tlsext_session_ticket->data) { 788 ticklen = s->tlsext_session_ticket->length; 789 s->session->tlsext_tick = malloc(ticklen); 790 if (!s->session->tlsext_tick) 791 return NULL; 792 memcpy(s->session->tlsext_tick, 793 s->tlsext_session_ticket->data, ticklen); 794 s->session->tlsext_ticklen = ticklen; 795 } else 796 ticklen = 0; 797 if (ticklen == 0 && s->tlsext_session_ticket && 798 s->tlsext_session_ticket->data == NULL) 799 goto skip_ext; 800 /* Check for enough room 2 for extension type, 2 for len 801 * rest for ticket 802 */ 803 if ((size_t)(limit - ret) < 4 + ticklen) 804 return NULL; 805 s2n(TLSEXT_TYPE_session_ticket, ret); 806 807 s2n(ticklen, ret); 808 if (ticklen) { 809 memcpy(ret, s->session->tlsext_tick, ticklen); 810 ret += ticklen; 811 } 812 } 813 skip_ext: 814 815 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 816 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 817 return NULL; 818 819 s2n(TLSEXT_TYPE_signature_algorithms, ret); 820 s2n(sizeof(tls12_sigalgs) + 2, ret); 821 s2n(sizeof(tls12_sigalgs), ret); 822 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 823 ret += sizeof(tls12_sigalgs); 824 } 825 826 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 827 s->version != DTLS1_VERSION) { 828 int i; 829 long extlen, idlen, itmp; 830 OCSP_RESPID *id; 831 832 idlen = 0; 833 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 834 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 835 itmp = i2d_OCSP_RESPID(id, NULL); 836 if (itmp <= 0) 837 return NULL; 838 idlen += itmp + 2; 839 } 840 841 if (s->tlsext_ocsp_exts) { 842 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 843 if (extlen < 0) 844 return NULL; 845 } else 846 extlen = 0; 847 848 if ((size_t)(limit - ret) < 7 + extlen + idlen) 849 return NULL; 850 s2n(TLSEXT_TYPE_status_request, ret); 851 if (extlen + idlen > 0xFFF0) 852 return NULL; 853 s2n(extlen + idlen + 5, ret); 854 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 855 s2n(idlen, ret); 856 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 857 /* save position of id len */ 858 unsigned char *q = ret; 859 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 860 /* skip over id len */ 861 ret += 2; 862 itmp = i2d_OCSP_RESPID(id, &ret); 863 /* write id len */ 864 s2n(itmp, q); 865 } 866 s2n(extlen, ret); 867 if (extlen > 0) 868 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 869 } 870 871 #ifndef OPENSSL_NO_NEXTPROTONEG 872 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 873 /* The client advertises an emtpy extension to indicate its 874 * support for Next Protocol Negotiation */ 875 if ((size_t)(limit - ret) < 4) 876 return NULL; 877 s2n(TLSEXT_TYPE_next_proto_neg, ret); 878 s2n(0, ret); 879 } 880 #endif 881 882 #ifndef OPENSSL_NO_SRTP 883 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 884 int el; 885 886 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 887 888 if ((size_t)(limit - ret) < 4 + el) 889 return NULL; 890 891 s2n(TLSEXT_TYPE_use_srtp, ret); 892 s2n(el, ret); 893 894 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 895 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 896 ERR_R_INTERNAL_ERROR); 897 return NULL; 898 } 899 ret += el; 900 } 901 #endif 902 903 /* 904 * Add padding to workaround bugs in F5 terminators. 905 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 906 * 907 * Note that this seems to trigger issues with IronPort SMTP 908 * appliances. 909 * 910 * NB: because this code works out the length of all existing 911 * extensions it MUST always appear last. 912 */ 913 if (s->options & SSL_OP_TLSEXT_PADDING) { 914 int hlen = ret - (unsigned char *)s->init_buf->data; 915 916 /* 917 * The code in s23_clnt.c to build ClientHello messages 918 * includes the 5-byte record header in the buffer, while the 919 * code in s3_clnt.c does not. 920 */ 921 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 922 hlen -= 5; 923 if (hlen > 0xff && hlen < 0x200) { 924 hlen = 0x200 - hlen; 925 if (hlen >= 4) 926 hlen -= 4; 927 else 928 hlen = 0; 929 930 s2n(TLSEXT_TYPE_padding, ret); 931 s2n(hlen, ret); 932 memset(ret, 0, hlen); 933 ret += hlen; 934 } 935 } 936 937 if ((extdatalen = ret - p - 2) == 0) 938 return p; 939 940 s2n(extdatalen, p); 941 return ret; 942 } 943 944 unsigned char * 945 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 946 { 947 int using_ecc, extdatalen = 0; 948 unsigned long alg_a, alg_k; 949 unsigned char *ret = p; 950 #ifndef OPENSSL_NO_NEXTPROTONEG 951 int next_proto_neg_seen; 952 #endif 953 954 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 955 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 956 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 957 alg_a & SSL_aECDSA) && 958 s->session->tlsext_ecpointformatlist != NULL; 959 960 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 961 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 962 return p; 963 964 ret += 2; 965 if (ret >= limit) 966 return NULL; /* this really never occurs, but ... */ 967 968 if (!s->hit && s->servername_done == 1 && 969 s->session->tlsext_hostname != NULL) { 970 if ((size_t)(limit - ret) < 4) 971 return NULL; 972 973 s2n(TLSEXT_TYPE_server_name, ret); 974 s2n(0, ret); 975 } 976 977 if (s->s3->send_connection_binding) { 978 int el; 979 980 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 981 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 982 ERR_R_INTERNAL_ERROR); 983 return NULL; 984 } 985 986 if ((size_t)(limit - ret) < 4 + el) 987 return NULL; 988 989 s2n(TLSEXT_TYPE_renegotiate, ret); 990 s2n(el, ret); 991 992 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 993 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 994 ERR_R_INTERNAL_ERROR); 995 return NULL; 996 } 997 998 ret += el; 999 } 1000 1001 if (using_ecc && s->version != DTLS1_VERSION) { 1002 const unsigned char *formats; 1003 size_t formatslen, lenmax; 1004 1005 /* 1006 * Add TLS extension ECPointFormats to the ServerHello message. 1007 */ 1008 tls1_get_formatlist(s, 0, &formats, &formatslen); 1009 1010 if ((size_t)(limit - ret) < 5) 1011 return NULL; 1012 1013 lenmax = limit - ret - 5; 1014 if (formatslen > lenmax) 1015 return NULL; 1016 if (formatslen > 255) { 1017 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1018 ERR_R_INTERNAL_ERROR); 1019 return NULL; 1020 } 1021 1022 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1023 s2n(formatslen + 1, ret); 1024 *(ret++) = (unsigned char)formatslen; 1025 memcpy(ret, formats, formatslen); 1026 ret += formatslen; 1027 } 1028 1029 /* 1030 * Currently the server should not respond with a SupportedCurves 1031 * extension. 1032 */ 1033 1034 if (s->tlsext_ticket_expected && 1035 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1036 if ((size_t)(limit - ret) < 4) 1037 return NULL; 1038 1039 s2n(TLSEXT_TYPE_session_ticket, ret); 1040 s2n(0, ret); 1041 } 1042 1043 if (s->tlsext_status_expected) { 1044 if ((size_t)(limit - ret) < 4) 1045 return NULL; 1046 1047 s2n(TLSEXT_TYPE_status_request, ret); 1048 s2n(0, ret); 1049 } 1050 1051 #ifndef OPENSSL_NO_SRTP 1052 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1053 int el; 1054 1055 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1056 1057 if ((size_t)(limit - ret) < 4 + el) 1058 return NULL; 1059 1060 s2n(TLSEXT_TYPE_use_srtp, ret); 1061 s2n(el, ret); 1062 1063 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1064 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1065 ERR_R_INTERNAL_ERROR); 1066 return NULL; 1067 } 1068 ret += el; 1069 } 1070 #endif 1071 1072 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1073 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1074 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1075 static const unsigned char cryptopro_ext[36] = { 1076 0xfd, 0xe8, /*65000*/ 1077 0x00, 0x20, /*32 bytes length*/ 1078 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1079 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1080 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1081 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1082 }; 1083 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1084 return NULL; 1085 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1086 ret += sizeof(cryptopro_ext); 1087 } 1088 1089 #ifndef OPENSSL_NO_NEXTPROTONEG 1090 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1091 s->s3->next_proto_neg_seen = 0; 1092 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1093 const unsigned char *npa; 1094 unsigned int npalen; 1095 int r; 1096 1097 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1098 s->ctx->next_protos_advertised_cb_arg); 1099 if (r == SSL_TLSEXT_ERR_OK) { 1100 if ((size_t)(limit - ret) < 4 + npalen) 1101 return NULL; 1102 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1103 s2n(npalen, ret); 1104 memcpy(ret, npa, npalen); 1105 ret += npalen; 1106 s->s3->next_proto_neg_seen = 1; 1107 } 1108 } 1109 #endif 1110 1111 if ((extdatalen = ret - p - 2) == 0) 1112 return p; 1113 1114 s2n(extdatalen, p); 1115 return ret; 1116 } 1117 1118 /* ssl_check_for_safari attempts to fingerprint Safari using OS X 1119 * SecureTransport using the TLS extension block in |d|, of length |n|. 1120 * Safari, since 10.6, sends exactly these extensions, in this order: 1121 * SNI, 1122 * elliptic_curves 1123 * ec_point_formats 1124 * 1125 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 1126 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 1127 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 1128 * 10.8..10.8.3 (which don't work). 1129 */ 1130 static void 1131 ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, 1132 int n) 1133 { 1134 unsigned short type, size; 1135 static const unsigned char kSafariExtensionsBlock[] = { 1136 0x00, 0x0a, /* elliptic_curves extension */ 1137 0x00, 0x08, /* 8 bytes */ 1138 0x00, 0x06, /* 6 bytes of curve ids */ 1139 0x00, 0x17, /* P-256 */ 1140 0x00, 0x18, /* P-384 */ 1141 0x00, 0x19, /* P-521 */ 1142 1143 0x00, 0x0b, /* ec_point_formats */ 1144 0x00, 0x02, /* 2 bytes */ 1145 0x01, /* 1 point format */ 1146 0x00, /* uncompressed */ 1147 }; 1148 1149 /* The following is only present in TLS 1.2 */ 1150 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 1151 0x00, 0x0d, /* signature_algorithms */ 1152 0x00, 0x0c, /* 12 bytes */ 1153 0x00, 0x0a, /* 10 bytes */ 1154 0x05, 0x01, /* SHA-384/RSA */ 1155 0x04, 0x01, /* SHA-256/RSA */ 1156 0x02, 0x01, /* SHA-1/RSA */ 1157 0x04, 0x03, /* SHA-256/ECDSA */ 1158 0x02, 0x03, /* SHA-1/ECDSA */ 1159 }; 1160 1161 if (data >= (d + n - 2)) 1162 return; 1163 data += 2; 1164 1165 if (data > (d + n - 4)) 1166 return; 1167 n2s(data, type); 1168 n2s(data, size); 1169 1170 if (type != TLSEXT_TYPE_server_name) 1171 return; 1172 1173 if (data + size > d + n) 1174 return; 1175 data += size; 1176 1177 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 1178 const size_t len1 = sizeof(kSafariExtensionsBlock); 1179 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 1180 1181 if (data + len1 + len2 != d + n) 1182 return; 1183 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 1184 return; 1185 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 1186 return; 1187 } else { 1188 const size_t len = sizeof(kSafariExtensionsBlock); 1189 1190 if (data + len != d + n) 1191 return; 1192 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 1193 return; 1194 } 1195 1196 s->s3->is_probably_safari = 1; 1197 } 1198 1199 int 1200 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1201 int n, int *al) 1202 { 1203 unsigned short type; 1204 unsigned short size; 1205 unsigned short len; 1206 unsigned char *data = *p; 1207 int renegotiate_seen = 0; 1208 int sigalg_seen = 0; 1209 1210 s->servername_done = 0; 1211 s->tlsext_status_type = -1; 1212 #ifndef OPENSSL_NO_NEXTPROTONEG 1213 s->s3->next_proto_neg_seen = 0; 1214 #endif 1215 1216 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1217 ssl_check_for_safari(s, data, d, n); 1218 1219 if (data >= (d + n - 2)) 1220 goto ri_check; 1221 n2s(data, len); 1222 1223 if (data > (d + n - len)) 1224 goto ri_check; 1225 1226 while (data <= (d + n - 4)) { 1227 n2s(data, type); 1228 n2s(data, size); 1229 1230 if (data + size > (d + n)) 1231 goto ri_check; 1232 if (s->tlsext_debug_cb) 1233 s->tlsext_debug_cb(s, 0, type, data, size, 1234 s->tlsext_debug_arg); 1235 /* The servername extension is treated as follows: 1236 1237 - Only the hostname type is supported with a maximum length of 255. 1238 - The servername is rejected if too long or if it contains zeros, 1239 in which case an fatal alert is generated. 1240 - The servername field is maintained together with the session cache. 1241 - When a session is resumed, the servername call back invoked in order 1242 to allow the application to position itself to the right context. 1243 - The servername is acknowledged if it is new for a session or when 1244 it is identical to a previously used for the same session. 1245 Applications can control the behaviour. They can at any time 1246 set a 'desirable' servername for a new SSL object. This can be the 1247 case for example with HTTPS when a Host: header field is received and 1248 a renegotiation is requested. In this case, a possible servername 1249 presented in the new client hello is only acknowledged if it matches 1250 the value of the Host: field. 1251 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1252 if they provide for changing an explicit servername context for the session, 1253 i.e. when the session has been established with a servername extension. 1254 - On session reconnect, the servername extension may be absent. 1255 1256 */ 1257 1258 if (type == TLSEXT_TYPE_server_name) { 1259 unsigned char *sdata; 1260 int servname_type; 1261 int dsize; 1262 1263 if (size < 2) { 1264 *al = SSL_AD_DECODE_ERROR; 1265 return 0; 1266 } 1267 n2s(data, dsize); 1268 1269 size -= 2; 1270 if (dsize > size) { 1271 *al = SSL_AD_DECODE_ERROR; 1272 return 0; 1273 } 1274 1275 sdata = data; 1276 while (dsize > 3) { 1277 servname_type = *(sdata++); 1278 1279 n2s(sdata, len); 1280 dsize -= 3; 1281 1282 if (len > dsize) { 1283 *al = SSL_AD_DECODE_ERROR; 1284 return 0; 1285 } 1286 if (s->servername_done == 0) 1287 switch (servname_type) { 1288 case TLSEXT_NAMETYPE_host_name: 1289 if (!s->hit) { 1290 if (s->session->tlsext_hostname) { 1291 *al = SSL_AD_DECODE_ERROR; 1292 return 0; 1293 } 1294 if (len > TLSEXT_MAXLEN_host_name) { 1295 *al = TLS1_AD_UNRECOGNIZED_NAME; 1296 return 0; 1297 } 1298 if ((s->session->tlsext_hostname = 1299 malloc(len + 1)) == NULL) { 1300 *al = TLS1_AD_INTERNAL_ERROR; 1301 return 0; 1302 } 1303 memcpy(s->session->tlsext_hostname, sdata, len); 1304 s->session->tlsext_hostname[len] = '\0'; 1305 if (strlen(s->session->tlsext_hostname) != len) { 1306 free(s->session->tlsext_hostname); 1307 s->session->tlsext_hostname = NULL; 1308 *al = TLS1_AD_UNRECOGNIZED_NAME; 1309 return 0; 1310 } 1311 s->servername_done = 1; 1312 1313 1314 } else { 1315 s->servername_done = s->session->tlsext_hostname && 1316 strlen(s->session->tlsext_hostname) == len && 1317 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1318 } 1319 break; 1320 1321 default: 1322 break; 1323 } 1324 1325 dsize -= len; 1326 } 1327 if (dsize != 0) { 1328 *al = SSL_AD_DECODE_ERROR; 1329 return 0; 1330 } 1331 1332 } 1333 1334 else if (type == TLSEXT_TYPE_ec_point_formats && 1335 s->version != DTLS1_VERSION) { 1336 unsigned char *sdata = data; 1337 int ecpointformatlist_length = *(sdata++); 1338 1339 if (ecpointformatlist_length != size - 1) { 1340 *al = TLS1_AD_DECODE_ERROR; 1341 return 0; 1342 } 1343 if (!s->hit) { 1344 free(s->session->tlsext_ecpointformatlist); 1345 s->session->tlsext_ecpointformatlist_length = 0; 1346 if ((s->session->tlsext_ecpointformatlist = 1347 malloc(ecpointformatlist_length)) == NULL) { 1348 *al = TLS1_AD_INTERNAL_ERROR; 1349 return 0; 1350 } 1351 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1352 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1353 } 1354 } else if (type == TLSEXT_TYPE_elliptic_curves && 1355 s->version != DTLS1_VERSION) { 1356 unsigned char *sdata = data; 1357 int ellipticcurvelist_length = (*(sdata++) << 8); 1358 ellipticcurvelist_length += (*(sdata++)); 1359 1360 if (ellipticcurvelist_length != size - 2 || 1361 ellipticcurvelist_length < 1) { 1362 *al = TLS1_AD_DECODE_ERROR; 1363 return 0; 1364 } 1365 if (!s->hit) { 1366 if (s->session->tlsext_ellipticcurvelist) { 1367 *al = TLS1_AD_DECODE_ERROR; 1368 return 0; 1369 } 1370 s->session->tlsext_ellipticcurvelist_length = 0; 1371 if ((s->session->tlsext_ellipticcurvelist = 1372 malloc(ellipticcurvelist_length)) == NULL) { 1373 *al = TLS1_AD_INTERNAL_ERROR; 1374 return 0; 1375 } 1376 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1377 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1378 } 1379 } 1380 else if (type == TLSEXT_TYPE_session_ticket) { 1381 if (s->tls_session_ticket_ext_cb && 1382 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1383 *al = TLS1_AD_INTERNAL_ERROR; 1384 return 0; 1385 } 1386 } else if (type == TLSEXT_TYPE_renegotiate) { 1387 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1388 return 0; 1389 renegotiate_seen = 1; 1390 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1391 int dsize; 1392 if (sigalg_seen || size < 2) { 1393 *al = SSL_AD_DECODE_ERROR; 1394 return 0; 1395 } 1396 sigalg_seen = 1; 1397 n2s(data, dsize); 1398 size -= 2; 1399 if (dsize != size || dsize & 1) { 1400 *al = SSL_AD_DECODE_ERROR; 1401 return 0; 1402 } 1403 if (!tls1_process_sigalgs(s, data, dsize)) { 1404 *al = SSL_AD_DECODE_ERROR; 1405 return 0; 1406 } 1407 } else if (type == TLSEXT_TYPE_status_request && 1408 s->version != DTLS1_VERSION) { 1409 1410 if (size < 5) { 1411 *al = SSL_AD_DECODE_ERROR; 1412 return 0; 1413 } 1414 1415 s->tlsext_status_type = *data++; 1416 size--; 1417 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1418 const unsigned char *sdata; 1419 int dsize; 1420 /* Read in responder_id_list */ 1421 n2s(data, dsize); 1422 size -= 2; 1423 if (dsize > size ) { 1424 *al = SSL_AD_DECODE_ERROR; 1425 return 0; 1426 } 1427 while (dsize > 0) { 1428 OCSP_RESPID *id; 1429 int idsize; 1430 if (dsize < 4) { 1431 *al = SSL_AD_DECODE_ERROR; 1432 return 0; 1433 } 1434 n2s(data, idsize); 1435 dsize -= 2 + idsize; 1436 size -= 2 + idsize; 1437 if (dsize < 0) { 1438 *al = SSL_AD_DECODE_ERROR; 1439 return 0; 1440 } 1441 sdata = data; 1442 data += idsize; 1443 id = d2i_OCSP_RESPID(NULL, 1444 &sdata, idsize); 1445 if (!id) { 1446 *al = SSL_AD_DECODE_ERROR; 1447 return 0; 1448 } 1449 if (data != sdata) { 1450 OCSP_RESPID_free(id); 1451 *al = SSL_AD_DECODE_ERROR; 1452 return 0; 1453 } 1454 if (!s->tlsext_ocsp_ids && 1455 !(s->tlsext_ocsp_ids = 1456 sk_OCSP_RESPID_new_null())) { 1457 OCSP_RESPID_free(id); 1458 *al = SSL_AD_INTERNAL_ERROR; 1459 return 0; 1460 } 1461 if (!sk_OCSP_RESPID_push( 1462 s->tlsext_ocsp_ids, id)) { 1463 OCSP_RESPID_free(id); 1464 *al = SSL_AD_INTERNAL_ERROR; 1465 return 0; 1466 } 1467 } 1468 1469 /* Read in request_extensions */ 1470 if (size < 2) { 1471 *al = SSL_AD_DECODE_ERROR; 1472 return 0; 1473 } 1474 n2s(data, dsize); 1475 size -= 2; 1476 if (dsize != size) { 1477 *al = SSL_AD_DECODE_ERROR; 1478 return 0; 1479 } 1480 sdata = data; 1481 if (dsize > 0) { 1482 if (s->tlsext_ocsp_exts) { 1483 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1484 X509_EXTENSION_free); 1485 } 1486 1487 s->tlsext_ocsp_exts = 1488 d2i_X509_EXTENSIONS(NULL, 1489 &sdata, dsize); 1490 if (!s->tlsext_ocsp_exts || 1491 (data + dsize != sdata)) { 1492 *al = SSL_AD_DECODE_ERROR; 1493 return 0; 1494 } 1495 } 1496 } else { 1497 /* We don't know what to do with any other type 1498 * so ignore it. 1499 */ 1500 s->tlsext_status_type = -1; 1501 } 1502 } 1503 #ifndef OPENSSL_NO_NEXTPROTONEG 1504 else if (type == TLSEXT_TYPE_next_proto_neg && 1505 s->s3->tmp.finish_md_len == 0) { 1506 /* We shouldn't accept this extension on a 1507 * renegotiation. 1508 * 1509 * s->new_session will be set on renegotiation, but we 1510 * probably shouldn't rely that it couldn't be set on 1511 * the initial renegotation too in certain cases (when 1512 * there's some other reason to disallow resuming an 1513 * earlier session -- the current code won't be doing 1514 * anything like that, but this might change). 1515 1516 * A valid sign that there's been a previous handshake 1517 * in this connection is if s->s3->tmp.finish_md_len > 1518 * 0. (We are talking about a check that will happen 1519 * in the Hello protocol round, well before a new 1520 * Finished message could have been computed.) */ 1521 s->s3->next_proto_neg_seen = 1; 1522 } 1523 #endif 1524 1525 /* session ticket processed earlier */ 1526 #ifndef OPENSSL_NO_SRTP 1527 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1528 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1529 return 0; 1530 } 1531 #endif 1532 1533 data += size; 1534 } 1535 1536 *p = data; 1537 1538 ri_check: 1539 1540 /* Need RI if renegotiating */ 1541 1542 if (!renegotiate_seen && s->renegotiate) { 1543 *al = SSL_AD_HANDSHAKE_FAILURE; 1544 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1545 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1546 return 0; 1547 } 1548 1549 return 1; 1550 } 1551 1552 #ifndef OPENSSL_NO_NEXTPROTONEG 1553 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1554 * elements of zero length are allowed and the set of elements must exactly fill 1555 * the length of the block. */ 1556 static char 1557 ssl_next_proto_validate(unsigned char *d, unsigned len) 1558 { 1559 unsigned int off = 0; 1560 1561 while (off < len) { 1562 if (d[off] == 0) 1563 return 0; 1564 off += d[off]; 1565 off++; 1566 } 1567 1568 return off == len; 1569 } 1570 #endif 1571 1572 int 1573 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1574 int n, int *al) 1575 { 1576 unsigned short length; 1577 unsigned short type; 1578 unsigned short size; 1579 unsigned char *data = *p; 1580 int tlsext_servername = 0; 1581 int renegotiate_seen = 0; 1582 1583 #ifndef OPENSSL_NO_NEXTPROTONEG 1584 s->s3->next_proto_neg_seen = 0; 1585 #endif 1586 1587 if (data >= (d + n - 2)) 1588 goto ri_check; 1589 1590 n2s(data, length); 1591 if (data + length != d + n) { 1592 *al = SSL_AD_DECODE_ERROR; 1593 return 0; 1594 } 1595 1596 while (data <= (d + n - 4)) { 1597 n2s(data, type); 1598 n2s(data, size); 1599 1600 if (data + size > (d + n)) 1601 goto ri_check; 1602 1603 if (s->tlsext_debug_cb) 1604 s->tlsext_debug_cb(s, 1, type, data, size, 1605 s->tlsext_debug_arg); 1606 1607 if (type == TLSEXT_TYPE_server_name) { 1608 if (s->tlsext_hostname == NULL || size > 0) { 1609 *al = TLS1_AD_UNRECOGNIZED_NAME; 1610 return 0; 1611 } 1612 tlsext_servername = 1; 1613 1614 } 1615 else if (type == TLSEXT_TYPE_ec_point_formats && 1616 s->version != DTLS1_VERSION) { 1617 unsigned char *sdata = data; 1618 int ecpointformatlist_length = *(sdata++); 1619 1620 if (ecpointformatlist_length != size - 1 || 1621 ecpointformatlist_length < 1) { 1622 *al = TLS1_AD_DECODE_ERROR; 1623 return 0; 1624 } 1625 if (!s->hit) { 1626 free(s->session->tlsext_ecpointformatlist); 1627 s->session->tlsext_ecpointformatlist_length = 0; 1628 1629 if ((s->session->tlsext_ecpointformatlist = 1630 malloc(ecpointformatlist_length)) == NULL) { 1631 *al = TLS1_AD_INTERNAL_ERROR; 1632 return 0; 1633 } 1634 s->session->tlsext_ecpointformatlist_length = 1635 ecpointformatlist_length; 1636 memcpy(s->session->tlsext_ecpointformatlist, 1637 sdata, ecpointformatlist_length); 1638 } 1639 } 1640 else if (type == TLSEXT_TYPE_session_ticket) { 1641 if (s->tls_session_ticket_ext_cb && 1642 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1643 *al = TLS1_AD_INTERNAL_ERROR; 1644 return 0; 1645 } 1646 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1647 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1648 return 0; 1649 } 1650 s->tlsext_ticket_expected = 1; 1651 } 1652 else if (type == TLSEXT_TYPE_status_request && 1653 s->version != DTLS1_VERSION) { 1654 /* MUST be empty and only sent if we've requested 1655 * a status request message. 1656 */ 1657 if ((s->tlsext_status_type == -1) || (size > 0)) { 1658 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1659 return 0; 1660 } 1661 /* Set flag to expect CertificateStatus message */ 1662 s->tlsext_status_expected = 1; 1663 } 1664 #ifndef OPENSSL_NO_NEXTPROTONEG 1665 else if (type == TLSEXT_TYPE_next_proto_neg && 1666 s->s3->tmp.finish_md_len == 0) { 1667 unsigned char *selected; 1668 unsigned char selected_len; 1669 1670 /* We must have requested it. */ 1671 if (s->ctx->next_proto_select_cb == NULL) { 1672 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1673 return 0; 1674 } 1675 /* The data must be valid */ 1676 if (!ssl_next_proto_validate(data, size)) { 1677 *al = TLS1_AD_DECODE_ERROR; 1678 return 0; 1679 } 1680 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1681 *al = TLS1_AD_INTERNAL_ERROR; 1682 return 0; 1683 } 1684 s->next_proto_negotiated = malloc(selected_len); 1685 if (!s->next_proto_negotiated) { 1686 *al = TLS1_AD_INTERNAL_ERROR; 1687 return 0; 1688 } 1689 memcpy(s->next_proto_negotiated, selected, selected_len); 1690 s->next_proto_negotiated_len = selected_len; 1691 s->s3->next_proto_neg_seen = 1; 1692 } 1693 #endif 1694 else if (type == TLSEXT_TYPE_renegotiate) { 1695 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1696 return 0; 1697 renegotiate_seen = 1; 1698 } 1699 #ifndef OPENSSL_NO_SRTP 1700 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1701 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1702 size, al)) 1703 return 0; 1704 } 1705 #endif 1706 1707 data += size; 1708 1709 } 1710 1711 if (data != d + n) { 1712 *al = SSL_AD_DECODE_ERROR; 1713 return 0; 1714 } 1715 1716 if (!s->hit && tlsext_servername == 1) { 1717 if (s->tlsext_hostname) { 1718 if (s->session->tlsext_hostname == NULL) { 1719 s->session->tlsext_hostname = 1720 strdup(s->tlsext_hostname); 1721 1722 if (!s->session->tlsext_hostname) { 1723 *al = SSL_AD_UNRECOGNIZED_NAME; 1724 return 0; 1725 } 1726 } else { 1727 *al = SSL_AD_DECODE_ERROR; 1728 return 0; 1729 } 1730 } 1731 } 1732 1733 *p = data; 1734 1735 ri_check: 1736 1737 /* Determine if we need to see RI. Strictly speaking if we want to 1738 * avoid an attack we should *always* see RI even on initial server 1739 * hello because the client doesn't see any renegotiation during an 1740 * attack. However this would mean we could not connect to any server 1741 * which doesn't support RI so for the immediate future tolerate RI 1742 * absence on initial connect only. 1743 */ 1744 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1745 *al = SSL_AD_HANDSHAKE_FAILURE; 1746 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1747 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1748 return 0; 1749 } 1750 1751 return 1; 1752 } 1753 1754 int 1755 ssl_prepare_clienthello_tlsext(SSL *s) 1756 { 1757 return 1; 1758 } 1759 1760 int 1761 ssl_prepare_serverhello_tlsext(SSL *s) 1762 { 1763 return 1; 1764 } 1765 1766 int 1767 ssl_check_clienthello_tlsext_early(SSL *s) 1768 { 1769 int ret = SSL_TLSEXT_ERR_NOACK; 1770 int al = SSL_AD_UNRECOGNIZED_NAME; 1771 1772 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1773 * ssl3_choose_cipher in s3_lib.c. 1774 */ 1775 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1776 * ssl3_choose_cipher in s3_lib.c. 1777 */ 1778 1779 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1780 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1781 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1782 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1783 1784 switch (ret) { 1785 case SSL_TLSEXT_ERR_ALERT_FATAL: 1786 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1787 return -1; 1788 case SSL_TLSEXT_ERR_ALERT_WARNING: 1789 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1790 return 1; 1791 case SSL_TLSEXT_ERR_NOACK: 1792 s->servername_done = 0; 1793 default: 1794 return 1; 1795 } 1796 } 1797 1798 int 1799 ssl_check_clienthello_tlsext_late(SSL *s) 1800 { 1801 int ret = SSL_TLSEXT_ERR_OK; 1802 int al = 0; /* XXX gcc3 */ 1803 1804 /* If status request then ask callback what to do. 1805 * Note: this must be called after servername callbacks in case 1806 * the certificate has changed, and must be called after the cipher 1807 * has been chosen because this may influence which certificate is sent 1808 */ 1809 if ((s->tlsext_status_type != -1) && 1810 s->ctx && s->ctx->tlsext_status_cb) { 1811 int r; 1812 CERT_PKEY *certpkey; 1813 certpkey = ssl_get_server_send_pkey(s); 1814 /* If no certificate can't return certificate status */ 1815 if (certpkey == NULL) { 1816 s->tlsext_status_expected = 0; 1817 return 1; 1818 } 1819 /* Set current certificate to one we will use so 1820 * SSL_get_certificate et al can pick it up. 1821 */ 1822 s->cert->key = certpkey; 1823 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1824 switch (r) { 1825 /* We don't want to send a status request response */ 1826 case SSL_TLSEXT_ERR_NOACK: 1827 s->tlsext_status_expected = 0; 1828 break; 1829 /* status request response should be sent */ 1830 case SSL_TLSEXT_ERR_OK: 1831 if (s->tlsext_ocsp_resp) 1832 s->tlsext_status_expected = 1; 1833 else 1834 s->tlsext_status_expected = 0; 1835 break; 1836 /* something bad happened */ 1837 case SSL_TLSEXT_ERR_ALERT_FATAL: 1838 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1839 al = SSL_AD_INTERNAL_ERROR; 1840 goto err; 1841 } 1842 } else 1843 s->tlsext_status_expected = 0; 1844 1845 err: 1846 switch (ret) { 1847 case SSL_TLSEXT_ERR_ALERT_FATAL: 1848 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1849 return -1; 1850 case SSL_TLSEXT_ERR_ALERT_WARNING: 1851 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1852 return 1; 1853 default: 1854 return 1; 1855 } 1856 } 1857 1858 int 1859 ssl_check_serverhello_tlsext(SSL *s) 1860 { 1861 int ret = SSL_TLSEXT_ERR_NOACK; 1862 int al = SSL_AD_UNRECOGNIZED_NAME; 1863 1864 /* If we are client and using an elliptic curve cryptography cipher 1865 * suite, then if server returns an EC point formats lists extension 1866 * it must contain uncompressed. 1867 */ 1868 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1869 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1870 if ((s->tlsext_ecpointformatlist != NULL) && 1871 (s->tlsext_ecpointformatlist_length > 0) && 1872 (s->session->tlsext_ecpointformatlist != NULL) && 1873 (s->session->tlsext_ecpointformatlist_length > 0) && 1874 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1875 /* we are using an ECC cipher */ 1876 size_t i; 1877 unsigned char *list; 1878 int found_uncompressed = 0; 1879 list = s->session->tlsext_ecpointformatlist; 1880 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1881 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1882 found_uncompressed = 1; 1883 break; 1884 } 1885 } 1886 if (!found_uncompressed) { 1887 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1888 return -1; 1889 } 1890 } 1891 ret = SSL_TLSEXT_ERR_OK; 1892 1893 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1894 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1895 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1896 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1897 1898 /* If we've requested certificate status and we wont get one 1899 * tell the callback 1900 */ 1901 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1902 s->ctx && s->ctx->tlsext_status_cb) { 1903 int r; 1904 /* Set resp to NULL, resplen to -1 so callback knows 1905 * there is no response. 1906 */ 1907 free(s->tlsext_ocsp_resp); 1908 s->tlsext_ocsp_resp = NULL; 1909 s->tlsext_ocsp_resplen = -1; 1910 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1911 if (r == 0) { 1912 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1913 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1914 } 1915 if (r < 0) { 1916 al = SSL_AD_INTERNAL_ERROR; 1917 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1918 } 1919 } 1920 1921 switch (ret) { 1922 case SSL_TLSEXT_ERR_ALERT_FATAL: 1923 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1924 1925 return -1; 1926 case SSL_TLSEXT_ERR_ALERT_WARNING: 1927 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1928 1929 return 1; 1930 case SSL_TLSEXT_ERR_NOACK: 1931 s->servername_done = 0; 1932 default: 1933 return 1; 1934 } 1935 } 1936 1937 /* Since the server cache lookup is done early on in the processing of the 1938 * ClientHello, and other operations depend on the result, we need to handle 1939 * any TLS session ticket extension at the same time. 1940 * 1941 * session_id: points at the session ID in the ClientHello. This code will 1942 * read past the end of this in order to parse out the session ticket 1943 * extension, if any. 1944 * len: the length of the session ID. 1945 * limit: a pointer to the first byte after the ClientHello. 1946 * ret: (output) on return, if a ticket was decrypted, then this is set to 1947 * point to the resulting session. 1948 * 1949 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 1950 * ciphersuite, in which case we have no use for session tickets and one will 1951 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 1952 * 1953 * Returns: 1954 * -1: fatal error, either from parsing or decrypting the ticket. 1955 * 0: no ticket was found (or was ignored, based on settings). 1956 * 1: a zero length extension was found, indicating that the client supports 1957 * session tickets but doesn't currently have one to offer. 1958 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 1959 * couldn't be decrypted because of a non-fatal error. 1960 * 3: a ticket was successfully decrypted and *ret was set. 1961 * 1962 * Side effects: 1963 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 1964 * a new session ticket to the client because the client indicated support 1965 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 1966 * a session ticket or we couldn't use the one it gave us, or if 1967 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 1968 * Otherwise, s->tlsext_ticket_expected is set to 0. 1969 */ 1970 int 1971 tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 1972 const unsigned char *limit, SSL_SESSION **ret) 1973 { 1974 /* Point after session ID in client hello */ 1975 const unsigned char *p = session_id + len; 1976 unsigned short i; 1977 1978 *ret = NULL; 1979 s->tlsext_ticket_expected = 0; 1980 1981 /* If tickets disabled behave as if no ticket present 1982 * to permit stateful resumption. 1983 */ 1984 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 1985 return 0; 1986 if ((s->version <= SSL3_VERSION) || !limit) 1987 return 0; 1988 if (p >= limit) 1989 return -1; 1990 /* Skip past DTLS cookie */ 1991 if (SSL_IS_DTLS(s)) { 1992 i = *(p++); 1993 p += i; 1994 if (p >= limit) 1995 return -1; 1996 } 1997 /* Skip past cipher list */ 1998 n2s(p, i); 1999 p += i; 2000 if (p >= limit) 2001 return -1; 2002 /* Skip past compression algorithm list */ 2003 i = *(p++); 2004 p += i; 2005 if (p > limit) 2006 return -1; 2007 /* Now at start of extensions */ 2008 if ((p + 2) >= limit) 2009 return 0; 2010 n2s(p, i); 2011 while ((p + 4) <= limit) { 2012 unsigned short type, size; 2013 n2s(p, type); 2014 n2s(p, size); 2015 if (p + size > limit) 2016 return 0; 2017 if (type == TLSEXT_TYPE_session_ticket) { 2018 int r; 2019 if (size == 0) { 2020 /* The client will accept a ticket but doesn't 2021 * currently have one. */ 2022 s->tlsext_ticket_expected = 1; 2023 return 1; 2024 } 2025 if (s->tls_session_secret_cb) { 2026 /* Indicate that the ticket couldn't be 2027 * decrypted rather than generating the session 2028 * from ticket now, trigger abbreviated 2029 * handshake based on external mechanism to 2030 * calculate the master secret later. */ 2031 return 2; 2032 } 2033 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2034 switch (r) { 2035 case 2: /* ticket couldn't be decrypted */ 2036 s->tlsext_ticket_expected = 1; 2037 return 2; 2038 case 3: /* ticket was decrypted */ 2039 return r; 2040 case 4: /* ticket decrypted but need to renew */ 2041 s->tlsext_ticket_expected = 1; 2042 return 3; 2043 default: /* fatal error */ 2044 return -1; 2045 } 2046 } 2047 p += size; 2048 } 2049 return 0; 2050 } 2051 2052 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2053 * 2054 * etick: points to the body of the session ticket extension. 2055 * eticklen: the length of the session tickets extenion. 2056 * sess_id: points at the session ID. 2057 * sesslen: the length of the session ID. 2058 * psess: (output) on return, if a ticket was decrypted, then this is set to 2059 * point to the resulting session. 2060 * 2061 * Returns: 2062 * -1: fatal error, either from parsing or decrypting the ticket. 2063 * 2: the ticket couldn't be decrypted. 2064 * 3: a ticket was successfully decrypted and *psess was set. 2065 * 4: same as 3, but the ticket needs to be renewed. 2066 */ 2067 static int 2068 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2069 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2070 { 2071 SSL_SESSION *sess; 2072 unsigned char *sdec; 2073 const unsigned char *p; 2074 int slen, mlen, renew_ticket = 0; 2075 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2076 HMAC_CTX hctx; 2077 EVP_CIPHER_CTX ctx; 2078 SSL_CTX *tctx = s->initial_ctx; 2079 /* Need at least keyname + iv + some encrypted data */ 2080 if (eticklen < 48) 2081 return 2; 2082 /* Initialize session ticket encryption and HMAC contexts */ 2083 HMAC_CTX_init(&hctx); 2084 EVP_CIPHER_CTX_init(&ctx); 2085 if (tctx->tlsext_ticket_key_cb) { 2086 unsigned char *nctick = (unsigned char *)etick; 2087 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2088 &ctx, &hctx, 0); 2089 if (rv < 0) { 2090 EVP_CIPHER_CTX_cleanup(&ctx); 2091 return -1; 2092 } 2093 if (rv == 0) { 2094 EVP_CIPHER_CTX_cleanup(&ctx); 2095 return 2; 2096 } 2097 if (rv == 2) 2098 renew_ticket = 1; 2099 } else { 2100 /* Check key name matches */ 2101 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2102 return 2; 2103 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2104 tlsext_tick_md(), NULL); 2105 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2106 tctx->tlsext_tick_aes_key, etick + 16); 2107 } 2108 /* Attempt to process session ticket, first conduct sanity and 2109 * integrity checks on ticket. 2110 */ 2111 mlen = HMAC_size(&hctx); 2112 if (mlen < 0) { 2113 EVP_CIPHER_CTX_cleanup(&ctx); 2114 return -1; 2115 } 2116 eticklen -= mlen; 2117 /* Check HMAC of encrypted ticket */ 2118 HMAC_Update(&hctx, etick, eticklen); 2119 HMAC_Final(&hctx, tick_hmac, NULL); 2120 HMAC_CTX_cleanup(&hctx); 2121 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2122 EVP_CIPHER_CTX_cleanup(&ctx); 2123 return 2; 2124 } 2125 /* Attempt to decrypt session data */ 2126 /* Move p after IV to start of encrypted ticket, update length */ 2127 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2128 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2129 sdec = malloc(eticklen); 2130 if (!sdec) { 2131 EVP_CIPHER_CTX_cleanup(&ctx); 2132 return -1; 2133 } 2134 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2135 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 2136 free(sdec); 2137 EVP_CIPHER_CTX_cleanup(&ctx); 2138 return 2; 2139 } 2140 slen += mlen; 2141 EVP_CIPHER_CTX_cleanup(&ctx); 2142 p = sdec; 2143 2144 sess = d2i_SSL_SESSION(NULL, &p, slen); 2145 free(sdec); 2146 if (sess) { 2147 /* The session ID, if non-empty, is used by some clients to 2148 * detect that the ticket has been accepted. So we copy it to 2149 * the session structure. If it is empty set length to zero 2150 * as required by standard. 2151 */ 2152 if (sesslen) 2153 memcpy(sess->session_id, sess_id, sesslen); 2154 sess->session_id_length = sesslen; 2155 *psess = sess; 2156 if (renew_ticket) 2157 return 4; 2158 else 2159 return 3; 2160 } 2161 ERR_clear_error(); 2162 /* For session parse failure, indicate that we need to send a new 2163 * ticket. */ 2164 return 2; 2165 } 2166 2167 /* Tables to translate from NIDs to TLS v1.2 ids */ 2168 2169 typedef struct { 2170 int nid; 2171 int id; 2172 } tls12_lookup; 2173 2174 static tls12_lookup tls12_md[] = { 2175 {NID_md5, TLSEXT_hash_md5}, 2176 {NID_sha1, TLSEXT_hash_sha1}, 2177 {NID_sha224, TLSEXT_hash_sha224}, 2178 {NID_sha256, TLSEXT_hash_sha256}, 2179 {NID_sha384, TLSEXT_hash_sha384}, 2180 {NID_sha512, TLSEXT_hash_sha512}, 2181 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2182 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2183 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2184 }; 2185 2186 static tls12_lookup tls12_sig[] = { 2187 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2188 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2189 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2190 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2191 }; 2192 2193 static int 2194 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2195 { 2196 size_t i; 2197 for (i = 0; i < tlen; i++) { 2198 if (table[i].nid == nid) 2199 return table[i].id; 2200 } 2201 return -1; 2202 } 2203 2204 int 2205 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2206 { 2207 int sig_id, md_id; 2208 if (!md) 2209 return 0; 2210 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2211 sizeof(tls12_md) / sizeof(tls12_lookup)); 2212 if (md_id == -1) 2213 return 0; 2214 sig_id = tls12_get_sigid(pk); 2215 if (sig_id == -1) 2216 return 0; 2217 p[0] = (unsigned char)md_id; 2218 p[1] = (unsigned char)sig_id; 2219 return 1; 2220 } 2221 2222 int 2223 tls12_get_sigid(const EVP_PKEY *pk) 2224 { 2225 return tls12_find_id(pk->type, tls12_sig, 2226 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2227 } 2228 2229 const EVP_MD * 2230 tls12_get_hash(unsigned char hash_alg) 2231 { 2232 switch (hash_alg) { 2233 case TLSEXT_hash_sha1: 2234 return EVP_sha1(); 2235 case TLSEXT_hash_sha224: 2236 return EVP_sha224(); 2237 case TLSEXT_hash_sha256: 2238 return EVP_sha256(); 2239 case TLSEXT_hash_sha384: 2240 return EVP_sha384(); 2241 case TLSEXT_hash_sha512: 2242 return EVP_sha512(); 2243 #ifndef OPENSSL_NO_GOST 2244 case TLSEXT_hash_gost94: 2245 return EVP_gostr341194(); 2246 case TLSEXT_hash_streebog_256: 2247 return EVP_streebog256(); 2248 case TLSEXT_hash_streebog_512: 2249 return EVP_streebog512(); 2250 #endif 2251 default: 2252 return NULL; 2253 } 2254 } 2255 2256 /* Set preferred digest for each key type */ 2257 2258 int 2259 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2260 { 2261 int i, idx; 2262 const EVP_MD *md; 2263 CERT *c = s->cert; 2264 2265 /* Extension ignored for inappropriate versions */ 2266 if (!SSL_USE_SIGALGS(s)) 2267 return 1; 2268 2269 /* Should never happen */ 2270 if (!c) 2271 return 0; 2272 2273 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2274 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2275 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2276 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2277 c->pkeys[SSL_PKEY_GOST94].digest = NULL; 2278 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2279 2280 for (i = 0; i < dsize; i += 2) { 2281 unsigned char hash_alg = data[i], sig_alg = data[i + 1]; 2282 2283 switch (sig_alg) { 2284 case TLSEXT_signature_rsa: 2285 idx = SSL_PKEY_RSA_SIGN; 2286 break; 2287 case TLSEXT_signature_dsa: 2288 idx = SSL_PKEY_DSA_SIGN; 2289 break; 2290 case TLSEXT_signature_ecdsa: 2291 idx = SSL_PKEY_ECC; 2292 break; 2293 case TLSEXT_signature_gostr01: 2294 case TLSEXT_signature_gostr12_256: 2295 case TLSEXT_signature_gostr12_512: 2296 idx = SSL_PKEY_GOST01; 2297 break; 2298 default: 2299 continue; 2300 } 2301 2302 if (c->pkeys[idx].digest == NULL) { 2303 md = tls12_get_hash(hash_alg); 2304 if (md) { 2305 c->pkeys[idx].digest = md; 2306 if (idx == SSL_PKEY_RSA_SIGN) 2307 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2308 } 2309 } 2310 2311 } 2312 2313 /* Set any remaining keys to default values. NOTE: if alg is not 2314 * supported it stays as NULL. 2315 */ 2316 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2317 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2318 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2319 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2320 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2321 } 2322 if (!c->pkeys[SSL_PKEY_ECC].digest) 2323 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2324 #ifndef OPENSSL_NO_GOST 2325 if (!c->pkeys[SSL_PKEY_GOST94].digest) 2326 c->pkeys[SSL_PKEY_GOST94].digest = EVP_gostr341194(); 2327 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2328 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2329 #endif 2330 return 1; 2331 } 2332