1 /* $OpenBSD: t1_lib.c,v 1.91 2016/10/02 21:05:44 guenther Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409 { 410 CBS cbs; 411 const uint16_t *curves; 412 size_t curveslen, i; 413 uint8_t type; 414 uint16_t cid; 415 416 CBS_init(&cbs, p, len); 417 418 /* Only named curves are supported. */ 419 if (CBS_len(&cbs) != 3 || 420 !CBS_get_u8(&cbs, &type) || 421 type != NAMED_CURVE_TYPE || 422 !CBS_get_u16(&cbs, &cid)) 423 return (0); 424 425 tls1_get_curvelist(s, 0, &curves, &curveslen); 426 427 for (i = 0; i < curveslen; i++) { 428 if (curves[i] == cid) 429 return (1); 430 } 431 return (0); 432 } 433 434 int 435 tls1_get_shared_curve(SSL *s) 436 { 437 size_t preflen, supplen, i, j; 438 const uint16_t *pref, *supp; 439 unsigned long server_pref; 440 441 /* Cannot do anything on the client side. */ 442 if (s->server == 0) 443 return (NID_undef); 444 445 /* Return first preference shared curve. */ 446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449 450 for (i = 0; i < preflen; i++) { 451 for (j = 0; j < supplen; j++) { 452 if (pref[i] == supp[j]) 453 return (tls1_ec_curve_id2nid(pref[i])); 454 } 455 } 456 return (NID_undef); 457 } 458 459 /* For an EC key set TLS ID and required compression based on parameters. */ 460 static int 461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462 { 463 const EC_GROUP *grp; 464 const EC_METHOD *meth; 465 int is_prime = 0; 466 int nid, id; 467 468 if (ec == NULL) 469 return (0); 470 471 /* Determine if it is a prime field. */ 472 if ((grp = EC_KEY_get0_group(ec)) == NULL) 473 return (0); 474 if ((meth = EC_GROUP_method_of(grp)) == NULL) 475 return (0); 476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477 is_prime = 1; 478 479 /* Determine curve ID. */ 480 nid = EC_GROUP_get_curve_name(grp); 481 id = tls1_ec_nid2curve_id(nid); 482 483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484 if (id != 0) 485 *curve_id = id; 486 else 487 *curve_id = is_prime ? 0xff01 : 0xff02; 488 489 /* Specify the compression identifier. */ 490 if (comp_id != NULL) { 491 if (EC_KEY_get0_public_key(ec) == NULL) 492 return (0); 493 494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495 *comp_id = is_prime ? 496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498 } else { 499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500 } 501 } 502 return (1); 503 } 504 505 /* Check that an EC key is compatible with extensions. */ 506 static int 507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508 { 509 size_t curveslen, formatslen, i; 510 const uint16_t *curves; 511 const uint8_t *formats; 512 513 /* 514 * Check point formats extension if present, otherwise everything 515 * is supported (see RFC4492). 516 */ 517 tls1_get_formatlist(s, 1, &formats, &formatslen); 518 if (comp_id != NULL && formats != NULL) { 519 for (i = 0; i < formatslen; i++) { 520 if (formats[i] == *comp_id) 521 break; 522 } 523 if (i == formatslen) 524 return (0); 525 } 526 527 /* 528 * Check curve list if present, otherwise everything is supported. 529 */ 530 tls1_get_curvelist(s, 1, &curves, &curveslen); 531 if (curve_id != NULL && curves != NULL) { 532 for (i = 0; i < curveslen; i++) { 533 if (curves[i] == *curve_id) 534 break; 535 } 536 if (i == curveslen) 537 return (0); 538 } 539 540 return (1); 541 } 542 543 /* Check EC server key is compatible with client extensions. */ 544 int 545 tls1_check_ec_server_key(SSL *s) 546 { 547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548 uint16_t curve_id; 549 uint8_t comp_id; 550 EVP_PKEY *pkey; 551 int rv; 552 553 if (cpk->x509 == NULL || cpk->privatekey == NULL) 554 return (0); 555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556 return (0); 557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558 EVP_PKEY_free(pkey); 559 if (rv != 1) 560 return (0); 561 562 return tls1_check_ec_key(s, &curve_id, &comp_id); 563 } 564 565 /* Check EC temporary key is compatible with client extensions. */ 566 int 567 tls1_check_ec_tmp_key(SSL *s) 568 { 569 EC_KEY *ec = s->cert->ecdh_tmp; 570 uint16_t curve_id; 571 572 if (s->cert->ecdh_tmp_auto != 0) { 573 /* Need a shared curve. */ 574 if (tls1_get_shared_curve(s) != NID_undef) 575 return (1); 576 return (0); 577 } 578 579 if (ec == NULL) { 580 if (s->cert->ecdh_tmp_cb != NULL) 581 return (1); 582 return (0); 583 } 584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585 return (0); 586 587 return tls1_check_ec_key(s, &curve_id, NULL); 588 } 589 590 /* 591 * List of supported signature algorithms and hashes. Should make this 592 * customisable at some point, for now include everything we support. 593 */ 594 595 static unsigned char tls12_sigalgs[] = { 596 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601 #endif 602 603 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606 607 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610 611 #ifndef OPENSSL_NO_GOST 612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614 #endif 615 616 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619 620 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623 }; 624 625 int 626 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627 { 628 size_t slen = sizeof(tls12_sigalgs); 629 630 if (p) 631 memcpy(p, tls12_sigalgs, slen); 632 return (int)slen; 633 } 634 635 unsigned char * 636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637 { 638 int extdatalen = 0; 639 unsigned char *ret = p; 640 int using_ecc = 0; 641 642 /* See if we support any ECC ciphersuites. */ 643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645 unsigned long alg_k, alg_a; 646 int i; 647 648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650 651 alg_k = c->algorithm_mkey; 652 alg_a = c->algorithm_auth; 653 654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655 (alg_a & SSL_aECDSA))) { 656 using_ecc = 1; 657 break; 658 } 659 } 660 } 661 662 ret += 2; 663 664 if (ret >= limit) 665 return NULL; /* this really never occurs, but ... */ 666 667 if (s->tlsext_hostname != NULL) { 668 /* Add TLS extension servername to the Client Hello message */ 669 size_t size_str, lenmax; 670 671 /* check for enough space. 672 4 for the servername type and extension length 673 2 for servernamelist length 674 1 for the hostname type 675 2 for hostname length 676 + hostname length 677 */ 678 679 if ((size_t)(limit - ret) < 9) 680 return NULL; 681 682 lenmax = limit - ret - 9; 683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 684 return NULL; 685 686 /* extension type and length */ 687 s2n(TLSEXT_TYPE_server_name, ret); 688 689 s2n(size_str + 5, ret); 690 691 /* length of servername list */ 692 s2n(size_str + 3, ret); 693 694 /* hostname type, length and hostname */ 695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 696 s2n(size_str, ret); 697 memcpy(ret, s->tlsext_hostname, size_str); 698 ret += size_str; 699 } 700 701 /* Add RI if renegotiating */ 702 if (s->renegotiate) { 703 int el; 704 705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 707 ERR_R_INTERNAL_ERROR); 708 return NULL; 709 } 710 711 if ((size_t)(limit - ret) < 4 + el) 712 return NULL; 713 714 s2n(TLSEXT_TYPE_renegotiate, ret); 715 s2n(el, ret); 716 717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 719 ERR_R_INTERNAL_ERROR); 720 return NULL; 721 } 722 723 ret += el; 724 } 725 726 if (using_ecc) { 727 size_t curveslen, formatslen, lenmax; 728 const uint16_t *curves; 729 const uint8_t *formats; 730 int i; 731 732 /* 733 * Add TLS extension ECPointFormats to the ClientHello message. 734 */ 735 tls1_get_formatlist(s, 0, &formats, &formatslen); 736 737 if ((size_t)(limit - ret) < 5) 738 return NULL; 739 740 lenmax = limit - ret - 5; 741 if (formatslen > lenmax) 742 return NULL; 743 if (formatslen > 255) { 744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 745 ERR_R_INTERNAL_ERROR); 746 return NULL; 747 } 748 749 s2n(TLSEXT_TYPE_ec_point_formats, ret); 750 s2n(formatslen + 1, ret); 751 *(ret++) = (unsigned char)formatslen; 752 memcpy(ret, formats, formatslen); 753 ret += formatslen; 754 755 /* 756 * Add TLS extension EllipticCurves to the ClientHello message. 757 */ 758 tls1_get_curvelist(s, 0, &curves, &curveslen); 759 760 if ((size_t)(limit - ret) < 6) 761 return NULL; 762 763 lenmax = limit - ret - 6; 764 if (curveslen > lenmax) 765 return NULL; 766 if (curveslen > 65532) { 767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 768 ERR_R_INTERNAL_ERROR); 769 return NULL; 770 } 771 772 s2n(TLSEXT_TYPE_elliptic_curves, ret); 773 s2n((curveslen * 2) + 2, ret); 774 775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 776 * elliptic_curve_list, but the examples use two bytes. 777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 778 * resolves this to two bytes. 779 */ 780 s2n(curveslen * 2, ret); 781 for (i = 0; i < curveslen; i++) 782 s2n(curves[i], ret); 783 } 784 785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 786 int ticklen; 787 if (!s->new_session && s->session && s->session->tlsext_tick) 788 ticklen = s->session->tlsext_ticklen; 789 else if (s->session && s->tlsext_session_ticket && 790 s->tlsext_session_ticket->data) { 791 ticklen = s->tlsext_session_ticket->length; 792 s->session->tlsext_tick = malloc(ticklen); 793 if (!s->session->tlsext_tick) 794 return NULL; 795 memcpy(s->session->tlsext_tick, 796 s->tlsext_session_ticket->data, ticklen); 797 s->session->tlsext_ticklen = ticklen; 798 } else 799 ticklen = 0; 800 if (ticklen == 0 && s->tlsext_session_ticket && 801 s->tlsext_session_ticket->data == NULL) 802 goto skip_ext; 803 /* Check for enough room 2 for extension type, 2 for len 804 * rest for ticket 805 */ 806 if ((size_t)(limit - ret) < 4 + ticklen) 807 return NULL; 808 s2n(TLSEXT_TYPE_session_ticket, ret); 809 810 s2n(ticklen, ret); 811 if (ticklen) { 812 memcpy(ret, s->session->tlsext_tick, ticklen); 813 ret += ticklen; 814 } 815 } 816 skip_ext: 817 818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 820 return NULL; 821 822 s2n(TLSEXT_TYPE_signature_algorithms, ret); 823 s2n(sizeof(tls12_sigalgs) + 2, ret); 824 s2n(sizeof(tls12_sigalgs), ret); 825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 826 ret += sizeof(tls12_sigalgs); 827 } 828 829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 830 s->version != DTLS1_VERSION) { 831 int i; 832 long extlen, idlen, itmp; 833 OCSP_RESPID *id; 834 835 idlen = 0; 836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 838 itmp = i2d_OCSP_RESPID(id, NULL); 839 if (itmp <= 0) 840 return NULL; 841 idlen += itmp + 2; 842 } 843 844 if (s->tlsext_ocsp_exts) { 845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 846 if (extlen < 0) 847 return NULL; 848 } else 849 extlen = 0; 850 851 if ((size_t)(limit - ret) < 7 + extlen + idlen) 852 return NULL; 853 s2n(TLSEXT_TYPE_status_request, ret); 854 if (extlen + idlen > 0xFFF0) 855 return NULL; 856 s2n(extlen + idlen + 5, ret); 857 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 858 s2n(idlen, ret); 859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 860 /* save position of id len */ 861 unsigned char *q = ret; 862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 863 /* skip over id len */ 864 ret += 2; 865 itmp = i2d_OCSP_RESPID(id, &ret); 866 /* write id len */ 867 s2n(itmp, q); 868 } 869 s2n(extlen, ret); 870 if (extlen > 0) 871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 872 } 873 874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 875 /* The client advertises an emtpy extension to indicate its 876 * support for Next Protocol Negotiation */ 877 if ((size_t)(limit - ret) < 4) 878 return NULL; 879 s2n(TLSEXT_TYPE_next_proto_neg, ret); 880 s2n(0, ret); 881 } 882 883 if (s->alpn_client_proto_list != NULL && 884 s->s3->tmp.finish_md_len == 0) { 885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 886 return (NULL); 887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 888 s2n(2 + s->alpn_client_proto_list_len, ret); 889 s2n(s->alpn_client_proto_list_len, ret); 890 memcpy(ret, s->alpn_client_proto_list, 891 s->alpn_client_proto_list_len); 892 ret += s->alpn_client_proto_list_len; 893 } 894 895 #ifndef OPENSSL_NO_SRTP 896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 897 int el; 898 899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 900 901 if ((size_t)(limit - ret) < 4 + el) 902 return NULL; 903 904 s2n(TLSEXT_TYPE_use_srtp, ret); 905 s2n(el, ret); 906 907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 909 ERR_R_INTERNAL_ERROR); 910 return NULL; 911 } 912 ret += el; 913 } 914 #endif 915 916 /* 917 * Add padding to workaround bugs in F5 terminators. 918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 919 * 920 * Note that this seems to trigger issues with IronPort SMTP 921 * appliances. 922 * 923 * NB: because this code works out the length of all existing 924 * extensions it MUST always appear last. 925 */ 926 if (s->options & SSL_OP_TLSEXT_PADDING) { 927 int hlen = ret - (unsigned char *)s->init_buf->data; 928 929 /* 930 * The code in s23_clnt.c to build ClientHello messages 931 * includes the 5-byte record header in the buffer, while the 932 * code in s3_clnt.c does not. 933 */ 934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 935 hlen -= 5; 936 if (hlen > 0xff && hlen < 0x200) { 937 hlen = 0x200 - hlen; 938 if (hlen >= 4) 939 hlen -= 4; 940 else 941 hlen = 0; 942 943 s2n(TLSEXT_TYPE_padding, ret); 944 s2n(hlen, ret); 945 memset(ret, 0, hlen); 946 ret += hlen; 947 } 948 } 949 950 if ((extdatalen = ret - p - 2) == 0) 951 return p; 952 953 s2n(extdatalen, p); 954 return ret; 955 } 956 957 unsigned char * 958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 959 { 960 int using_ecc, extdatalen = 0; 961 unsigned long alg_a, alg_k; 962 unsigned char *ret = p; 963 int next_proto_neg_seen; 964 965 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 968 alg_a & SSL_aECDSA) && 969 s->session->tlsext_ecpointformatlist != NULL; 970 971 ret += 2; 972 if (ret >= limit) 973 return NULL; /* this really never occurs, but ... */ 974 975 if (!s->hit && s->servername_done == 1 && 976 s->session->tlsext_hostname != NULL) { 977 if ((size_t)(limit - ret) < 4) 978 return NULL; 979 980 s2n(TLSEXT_TYPE_server_name, ret); 981 s2n(0, ret); 982 } 983 984 if (s->s3->send_connection_binding) { 985 int el; 986 987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 989 ERR_R_INTERNAL_ERROR); 990 return NULL; 991 } 992 993 if ((size_t)(limit - ret) < 4 + el) 994 return NULL; 995 996 s2n(TLSEXT_TYPE_renegotiate, ret); 997 s2n(el, ret); 998 999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1001 ERR_R_INTERNAL_ERROR); 1002 return NULL; 1003 } 1004 1005 ret += el; 1006 } 1007 1008 if (using_ecc && s->version != DTLS1_VERSION) { 1009 const unsigned char *formats; 1010 size_t formatslen, lenmax; 1011 1012 /* 1013 * Add TLS extension ECPointFormats to the ServerHello message. 1014 */ 1015 tls1_get_formatlist(s, 0, &formats, &formatslen); 1016 1017 if ((size_t)(limit - ret) < 5) 1018 return NULL; 1019 1020 lenmax = limit - ret - 5; 1021 if (formatslen > lenmax) 1022 return NULL; 1023 if (formatslen > 255) { 1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1025 ERR_R_INTERNAL_ERROR); 1026 return NULL; 1027 } 1028 1029 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1030 s2n(formatslen + 1, ret); 1031 *(ret++) = (unsigned char)formatslen; 1032 memcpy(ret, formats, formatslen); 1033 ret += formatslen; 1034 } 1035 1036 /* 1037 * Currently the server should not respond with a SupportedCurves 1038 * extension. 1039 */ 1040 1041 if (s->tlsext_ticket_expected && 1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1043 if ((size_t)(limit - ret) < 4) 1044 return NULL; 1045 1046 s2n(TLSEXT_TYPE_session_ticket, ret); 1047 s2n(0, ret); 1048 } 1049 1050 if (s->tlsext_status_expected) { 1051 if ((size_t)(limit - ret) < 4) 1052 return NULL; 1053 1054 s2n(TLSEXT_TYPE_status_request, ret); 1055 s2n(0, ret); 1056 } 1057 1058 #ifndef OPENSSL_NO_SRTP 1059 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1060 int el; 1061 1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1063 1064 if ((size_t)(limit - ret) < 4 + el) 1065 return NULL; 1066 1067 s2n(TLSEXT_TYPE_use_srtp, ret); 1068 s2n(el, ret); 1069 1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1072 ERR_R_INTERNAL_ERROR); 1073 return NULL; 1074 } 1075 ret += el; 1076 } 1077 #endif 1078 1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1082 static const unsigned char cryptopro_ext[36] = { 1083 0xfd, 0xe8, /*65000*/ 1084 0x00, 0x20, /*32 bytes length*/ 1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1089 }; 1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1091 return NULL; 1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1093 ret += sizeof(cryptopro_ext); 1094 } 1095 1096 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1097 s->s3->next_proto_neg_seen = 0; 1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1099 const unsigned char *npa; 1100 unsigned int npalen; 1101 int r; 1102 1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1104 s->ctx->next_protos_advertised_cb_arg); 1105 if (r == SSL_TLSEXT_ERR_OK) { 1106 if ((size_t)(limit - ret) < 4 + npalen) 1107 return NULL; 1108 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1109 s2n(npalen, ret); 1110 memcpy(ret, npa, npalen); 1111 ret += npalen; 1112 s->s3->next_proto_neg_seen = 1; 1113 } 1114 } 1115 1116 if (s->s3->alpn_selected != NULL) { 1117 const unsigned char *selected = s->s3->alpn_selected; 1118 unsigned int len = s->s3->alpn_selected_len; 1119 1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1121 return (NULL); 1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1123 s2n(3 + len, ret); 1124 s2n(1 + len, ret); 1125 *ret++ = len; 1126 memcpy(ret, selected, len); 1127 ret += len; 1128 } 1129 1130 if ((extdatalen = ret - p - 2) == 0) 1131 return p; 1132 1133 s2n(extdatalen, p); 1134 return ret; 1135 } 1136 1137 /* 1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1139 * ClientHello. 1140 * data: the contents of the extension, not including the type and length. 1141 * data_len: the number of bytes in data. 1142 * al: a pointer to the alert value to send in the event of a non-zero 1143 * return. 1144 * returns: 1 on success. 1145 */ 1146 static int 1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1148 unsigned int data_len, int *al) 1149 { 1150 CBS cbs, proto_name_list, alpn; 1151 const unsigned char *selected; 1152 unsigned char selected_len; 1153 int r; 1154 1155 if (s->ctx->alpn_select_cb == NULL) 1156 return (1); 1157 1158 if (data_len < 2) 1159 goto parse_error; 1160 1161 CBS_init(&cbs, data, data_len); 1162 1163 /* 1164 * data should contain a uint16 length followed by a series of 8-bit, 1165 * length-prefixed strings. 1166 */ 1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1168 CBS_len(&alpn) < 2 || 1169 CBS_len(&cbs) != 0) 1170 goto parse_error; 1171 1172 /* Validate data before sending to callback. */ 1173 CBS_dup(&alpn, &proto_name_list); 1174 while (CBS_len(&proto_name_list) > 0) { 1175 CBS proto_name; 1176 1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1178 CBS_len(&proto_name) == 0) 1179 goto parse_error; 1180 } 1181 1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1184 if (r == SSL_TLSEXT_ERR_OK) { 1185 free(s->s3->alpn_selected); 1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1187 *al = SSL_AD_INTERNAL_ERROR; 1188 return (-1); 1189 } 1190 memcpy(s->s3->alpn_selected, selected, selected_len); 1191 s->s3->alpn_selected_len = selected_len; 1192 } 1193 1194 return (1); 1195 1196 parse_error: 1197 *al = SSL_AD_DECODE_ERROR; 1198 return (0); 1199 } 1200 1201 int 1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1203 int n, int *al) 1204 { 1205 unsigned short type; 1206 unsigned short size; 1207 unsigned short len; 1208 unsigned char *data = *p; 1209 int renegotiate_seen = 0; 1210 int sigalg_seen = 0; 1211 1212 s->servername_done = 0; 1213 s->tlsext_status_type = -1; 1214 s->s3->next_proto_neg_seen = 0; 1215 free(s->s3->alpn_selected); 1216 s->s3->alpn_selected = NULL; 1217 1218 if (data >= (d + n - 2)) 1219 goto ri_check; 1220 n2s(data, len); 1221 1222 if (data > (d + n - len)) 1223 goto ri_check; 1224 1225 while (data <= (d + n - 4)) { 1226 n2s(data, type); 1227 n2s(data, size); 1228 1229 if (data + size > (d + n)) 1230 goto ri_check; 1231 if (s->tlsext_debug_cb) 1232 s->tlsext_debug_cb(s, 0, type, data, size, 1233 s->tlsext_debug_arg); 1234 /* The servername extension is treated as follows: 1235 1236 - Only the hostname type is supported with a maximum length of 255. 1237 - The servername is rejected if too long or if it contains zeros, 1238 in which case an fatal alert is generated. 1239 - The servername field is maintained together with the session cache. 1240 - When a session is resumed, the servername call back invoked in order 1241 to allow the application to position itself to the right context. 1242 - The servername is acknowledged if it is new for a session or when 1243 it is identical to a previously used for the same session. 1244 Applications can control the behaviour. They can at any time 1245 set a 'desirable' servername for a new SSL object. This can be the 1246 case for example with HTTPS when a Host: header field is received and 1247 a renegotiation is requested. In this case, a possible servername 1248 presented in the new client hello is only acknowledged if it matches 1249 the value of the Host: field. 1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1251 if they provide for changing an explicit servername context for the session, 1252 i.e. when the session has been established with a servername extension. 1253 - On session reconnect, the servername extension may be absent. 1254 1255 */ 1256 1257 if (type == TLSEXT_TYPE_server_name) { 1258 unsigned char *sdata; 1259 int servname_type; 1260 int dsize; 1261 1262 if (size < 2) { 1263 *al = SSL_AD_DECODE_ERROR; 1264 return 0; 1265 } 1266 n2s(data, dsize); 1267 1268 size -= 2; 1269 if (dsize > size) { 1270 *al = SSL_AD_DECODE_ERROR; 1271 return 0; 1272 } 1273 1274 sdata = data; 1275 while (dsize > 3) { 1276 servname_type = *(sdata++); 1277 1278 n2s(sdata, len); 1279 dsize -= 3; 1280 1281 if (len > dsize) { 1282 *al = SSL_AD_DECODE_ERROR; 1283 return 0; 1284 } 1285 if (s->servername_done == 0) 1286 switch (servname_type) { 1287 case TLSEXT_NAMETYPE_host_name: 1288 if (!s->hit) { 1289 if (s->session->tlsext_hostname) { 1290 *al = SSL_AD_DECODE_ERROR; 1291 return 0; 1292 } 1293 if (len > TLSEXT_MAXLEN_host_name) { 1294 *al = TLS1_AD_UNRECOGNIZED_NAME; 1295 return 0; 1296 } 1297 if ((s->session->tlsext_hostname = 1298 malloc(len + 1)) == NULL) { 1299 *al = TLS1_AD_INTERNAL_ERROR; 1300 return 0; 1301 } 1302 memcpy(s->session->tlsext_hostname, sdata, len); 1303 s->session->tlsext_hostname[len] = '\0'; 1304 if (strlen(s->session->tlsext_hostname) != len) { 1305 free(s->session->tlsext_hostname); 1306 s->session->tlsext_hostname = NULL; 1307 *al = TLS1_AD_UNRECOGNIZED_NAME; 1308 return 0; 1309 } 1310 s->servername_done = 1; 1311 1312 1313 } else { 1314 s->servername_done = s->session->tlsext_hostname && 1315 strlen(s->session->tlsext_hostname) == len && 1316 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1317 } 1318 break; 1319 1320 default: 1321 break; 1322 } 1323 1324 dsize -= len; 1325 } 1326 if (dsize != 0) { 1327 *al = SSL_AD_DECODE_ERROR; 1328 return 0; 1329 } 1330 1331 } 1332 1333 else if (type == TLSEXT_TYPE_ec_point_formats && 1334 s->version != DTLS1_VERSION) { 1335 unsigned char *sdata = data; 1336 size_t formatslen; 1337 uint8_t *formats; 1338 1339 if (size < 1) { 1340 *al = TLS1_AD_DECODE_ERROR; 1341 return 0; 1342 } 1343 formatslen = *(sdata++); 1344 if (formatslen != size - 1) { 1345 *al = TLS1_AD_DECODE_ERROR; 1346 return 0; 1347 } 1348 1349 if (!s->hit) { 1350 free(s->session->tlsext_ecpointformatlist); 1351 s->session->tlsext_ecpointformatlist = NULL; 1352 s->session->tlsext_ecpointformatlist_length = 0; 1353 1354 if ((formats = reallocarray(NULL, formatslen, 1355 sizeof(uint8_t))) == NULL) { 1356 *al = TLS1_AD_INTERNAL_ERROR; 1357 return 0; 1358 } 1359 memcpy(formats, sdata, formatslen); 1360 s->session->tlsext_ecpointformatlist = formats; 1361 s->session->tlsext_ecpointformatlist_length = 1362 formatslen; 1363 } 1364 } else if (type == TLSEXT_TYPE_elliptic_curves && 1365 s->version != DTLS1_VERSION) { 1366 unsigned char *sdata = data; 1367 size_t curveslen, i; 1368 uint16_t *curves; 1369 1370 if (size < 2) { 1371 *al = TLS1_AD_DECODE_ERROR; 1372 return 0; 1373 } 1374 n2s(sdata, curveslen); 1375 if (curveslen != size - 2 || curveslen % 2 != 0) { 1376 *al = TLS1_AD_DECODE_ERROR; 1377 return 0; 1378 } 1379 curveslen /= 2; 1380 1381 if (!s->hit) { 1382 if (s->session->tlsext_ellipticcurvelist) { 1383 *al = TLS1_AD_DECODE_ERROR; 1384 return 0; 1385 } 1386 s->session->tlsext_ellipticcurvelist_length = 0; 1387 if ((curves = reallocarray(NULL, curveslen, 1388 sizeof(uint16_t))) == NULL) { 1389 *al = TLS1_AD_INTERNAL_ERROR; 1390 return 0; 1391 } 1392 for (i = 0; i < curveslen; i++) 1393 n2s(sdata, curves[i]); 1394 s->session->tlsext_ellipticcurvelist = curves; 1395 s->session->tlsext_ellipticcurvelist_length = curveslen; 1396 } 1397 } 1398 else if (type == TLSEXT_TYPE_session_ticket) { 1399 if (s->tls_session_ticket_ext_cb && 1400 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1401 *al = TLS1_AD_INTERNAL_ERROR; 1402 return 0; 1403 } 1404 } else if (type == TLSEXT_TYPE_renegotiate) { 1405 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1406 return 0; 1407 renegotiate_seen = 1; 1408 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1409 int dsize; 1410 if (sigalg_seen || size < 2) { 1411 *al = SSL_AD_DECODE_ERROR; 1412 return 0; 1413 } 1414 sigalg_seen = 1; 1415 n2s(data, dsize); 1416 size -= 2; 1417 if (dsize != size || dsize & 1) { 1418 *al = SSL_AD_DECODE_ERROR; 1419 return 0; 1420 } 1421 if (!tls1_process_sigalgs(s, data, dsize)) { 1422 *al = SSL_AD_DECODE_ERROR; 1423 return 0; 1424 } 1425 } else if (type == TLSEXT_TYPE_status_request && 1426 s->version != DTLS1_VERSION) { 1427 1428 if (size < 5) { 1429 *al = SSL_AD_DECODE_ERROR; 1430 return 0; 1431 } 1432 1433 s->tlsext_status_type = *data++; 1434 size--; 1435 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1436 const unsigned char *sdata; 1437 int dsize; 1438 /* Read in responder_id_list */ 1439 n2s(data, dsize); 1440 size -= 2; 1441 if (dsize > size) { 1442 *al = SSL_AD_DECODE_ERROR; 1443 return 0; 1444 } 1445 1446 /* 1447 * We remove any OCSP_RESPIDs from a 1448 * previous handshake to prevent 1449 * unbounded memory growth. 1450 */ 1451 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1452 OCSP_RESPID_free); 1453 s->tlsext_ocsp_ids = NULL; 1454 if (dsize > 0) { 1455 s->tlsext_ocsp_ids = 1456 sk_OCSP_RESPID_new_null(); 1457 if (s->tlsext_ocsp_ids == NULL) { 1458 *al = SSL_AD_INTERNAL_ERROR; 1459 return 0; 1460 } 1461 } 1462 1463 while (dsize > 0) { 1464 OCSP_RESPID *id; 1465 int idsize; 1466 if (dsize < 4) { 1467 *al = SSL_AD_DECODE_ERROR; 1468 return 0; 1469 } 1470 n2s(data, idsize); 1471 dsize -= 2 + idsize; 1472 size -= 2 + idsize; 1473 if (dsize < 0) { 1474 *al = SSL_AD_DECODE_ERROR; 1475 return 0; 1476 } 1477 sdata = data; 1478 data += idsize; 1479 id = d2i_OCSP_RESPID(NULL, 1480 &sdata, idsize); 1481 if (!id) { 1482 *al = SSL_AD_DECODE_ERROR; 1483 return 0; 1484 } 1485 if (data != sdata) { 1486 OCSP_RESPID_free(id); 1487 *al = SSL_AD_DECODE_ERROR; 1488 return 0; 1489 } 1490 if (!sk_OCSP_RESPID_push( 1491 s->tlsext_ocsp_ids, id)) { 1492 OCSP_RESPID_free(id); 1493 *al = SSL_AD_INTERNAL_ERROR; 1494 return 0; 1495 } 1496 } 1497 1498 /* Read in request_extensions */ 1499 if (size < 2) { 1500 *al = SSL_AD_DECODE_ERROR; 1501 return 0; 1502 } 1503 n2s(data, dsize); 1504 size -= 2; 1505 if (dsize != size) { 1506 *al = SSL_AD_DECODE_ERROR; 1507 return 0; 1508 } 1509 sdata = data; 1510 if (dsize > 0) { 1511 if (s->tlsext_ocsp_exts) { 1512 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1513 X509_EXTENSION_free); 1514 } 1515 1516 s->tlsext_ocsp_exts = 1517 d2i_X509_EXTENSIONS(NULL, 1518 &sdata, dsize); 1519 if (!s->tlsext_ocsp_exts || 1520 (data + dsize != sdata)) { 1521 *al = SSL_AD_DECODE_ERROR; 1522 return 0; 1523 } 1524 } 1525 } else { 1526 /* We don't know what to do with any other type 1527 * so ignore it. 1528 */ 1529 s->tlsext_status_type = -1; 1530 } 1531 } 1532 else if (type == TLSEXT_TYPE_next_proto_neg && 1533 s->s3->tmp.finish_md_len == 0 && 1534 s->s3->alpn_selected == NULL) { 1535 /* We shouldn't accept this extension on a 1536 * renegotiation. 1537 * 1538 * s->new_session will be set on renegotiation, but we 1539 * probably shouldn't rely that it couldn't be set on 1540 * the initial renegotation too in certain cases (when 1541 * there's some other reason to disallow resuming an 1542 * earlier session -- the current code won't be doing 1543 * anything like that, but this might change). 1544 1545 * A valid sign that there's been a previous handshake 1546 * in this connection is if s->s3->tmp.finish_md_len > 1547 * 0. (We are talking about a check that will happen 1548 * in the Hello protocol round, well before a new 1549 * Finished message could have been computed.) */ 1550 s->s3->next_proto_neg_seen = 1; 1551 } 1552 else if (type == 1553 TLSEXT_TYPE_application_layer_protocol_negotiation && 1554 s->ctx->alpn_select_cb != NULL && 1555 s->s3->tmp.finish_md_len == 0) { 1556 if (tls1_alpn_handle_client_hello(s, data, 1557 size, al) != 1) 1558 return (0); 1559 /* ALPN takes precedence over NPN. */ 1560 s->s3->next_proto_neg_seen = 0; 1561 } 1562 1563 /* session ticket processed earlier */ 1564 #ifndef OPENSSL_NO_SRTP 1565 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1566 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1567 return 0; 1568 } 1569 #endif 1570 1571 data += size; 1572 } 1573 1574 *p = data; 1575 1576 ri_check: 1577 1578 /* Need RI if renegotiating */ 1579 1580 if (!renegotiate_seen && s->renegotiate) { 1581 *al = SSL_AD_HANDSHAKE_FAILURE; 1582 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1583 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1584 return 0; 1585 } 1586 1587 return 1; 1588 } 1589 1590 /* 1591 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1592 * elements of zero length are allowed and the set of elements must exactly fill 1593 * the length of the block. 1594 */ 1595 static char 1596 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1597 { 1598 CBS npn, value; 1599 1600 CBS_init(&npn, d, len); 1601 while (CBS_len(&npn) > 0) { 1602 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1603 CBS_len(&value) == 0) 1604 return 0; 1605 } 1606 return 1; 1607 } 1608 1609 int 1610 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1611 int n, int *al) 1612 { 1613 unsigned short length; 1614 unsigned short type; 1615 unsigned short size; 1616 unsigned char *data = *p; 1617 int tlsext_servername = 0; 1618 int renegotiate_seen = 0; 1619 1620 s->s3->next_proto_neg_seen = 0; 1621 free(s->s3->alpn_selected); 1622 s->s3->alpn_selected = NULL; 1623 1624 if (data >= (d + n - 2)) 1625 goto ri_check; 1626 1627 n2s(data, length); 1628 if (data + length != d + n) { 1629 *al = SSL_AD_DECODE_ERROR; 1630 return 0; 1631 } 1632 1633 while (data <= (d + n - 4)) { 1634 n2s(data, type); 1635 n2s(data, size); 1636 1637 if (data + size > (d + n)) 1638 goto ri_check; 1639 1640 if (s->tlsext_debug_cb) 1641 s->tlsext_debug_cb(s, 1, type, data, size, 1642 s->tlsext_debug_arg); 1643 1644 if (type == TLSEXT_TYPE_server_name) { 1645 if (s->tlsext_hostname == NULL || size > 0) { 1646 *al = TLS1_AD_UNRECOGNIZED_NAME; 1647 return 0; 1648 } 1649 tlsext_servername = 1; 1650 1651 } 1652 else if (type == TLSEXT_TYPE_ec_point_formats && 1653 s->version != DTLS1_VERSION) { 1654 unsigned char *sdata = data; 1655 size_t formatslen; 1656 uint8_t *formats; 1657 1658 if (size < 1) { 1659 *al = TLS1_AD_DECODE_ERROR; 1660 return 0; 1661 } 1662 formatslen = *(sdata++); 1663 if (formatslen != size - 1) { 1664 *al = TLS1_AD_DECODE_ERROR; 1665 return 0; 1666 } 1667 1668 if (!s->hit) { 1669 free(s->session->tlsext_ecpointformatlist); 1670 s->session->tlsext_ecpointformatlist = NULL; 1671 s->session->tlsext_ecpointformatlist_length = 0; 1672 1673 if ((formats = reallocarray(NULL, formatslen, 1674 sizeof(uint8_t))) == NULL) { 1675 *al = TLS1_AD_INTERNAL_ERROR; 1676 return 0; 1677 } 1678 memcpy(formats, sdata, formatslen); 1679 s->session->tlsext_ecpointformatlist = formats; 1680 s->session->tlsext_ecpointformatlist_length = 1681 formatslen; 1682 } 1683 } 1684 else if (type == TLSEXT_TYPE_session_ticket) { 1685 if (s->tls_session_ticket_ext_cb && 1686 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1687 *al = TLS1_AD_INTERNAL_ERROR; 1688 return 0; 1689 } 1690 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1691 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1692 return 0; 1693 } 1694 s->tlsext_ticket_expected = 1; 1695 } 1696 else if (type == TLSEXT_TYPE_status_request && 1697 s->version != DTLS1_VERSION) { 1698 /* MUST be empty and only sent if we've requested 1699 * a status request message. 1700 */ 1701 if ((s->tlsext_status_type == -1) || (size > 0)) { 1702 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1703 return 0; 1704 } 1705 /* Set flag to expect CertificateStatus message */ 1706 s->tlsext_status_expected = 1; 1707 } 1708 else if (type == TLSEXT_TYPE_next_proto_neg && 1709 s->s3->tmp.finish_md_len == 0) { 1710 unsigned char *selected; 1711 unsigned char selected_len; 1712 1713 /* We must have requested it. */ 1714 if (s->ctx->next_proto_select_cb == NULL) { 1715 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1716 return 0; 1717 } 1718 /* The data must be valid */ 1719 if (!ssl_next_proto_validate(data, size)) { 1720 *al = TLS1_AD_DECODE_ERROR; 1721 return 0; 1722 } 1723 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1724 *al = TLS1_AD_INTERNAL_ERROR; 1725 return 0; 1726 } 1727 s->next_proto_negotiated = malloc(selected_len); 1728 if (!s->next_proto_negotiated) { 1729 *al = TLS1_AD_INTERNAL_ERROR; 1730 return 0; 1731 } 1732 memcpy(s->next_proto_negotiated, selected, selected_len); 1733 s->next_proto_negotiated_len = selected_len; 1734 s->s3->next_proto_neg_seen = 1; 1735 } 1736 else if (type == 1737 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1738 unsigned int len; 1739 1740 /* We must have requested it. */ 1741 if (s->alpn_client_proto_list == NULL) { 1742 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1743 return 0; 1744 } 1745 if (size < 4) { 1746 *al = TLS1_AD_DECODE_ERROR; 1747 return (0); 1748 } 1749 1750 /* The extension data consists of: 1751 * uint16 list_length 1752 * uint8 proto_length; 1753 * uint8 proto[proto_length]; */ 1754 len = ((unsigned int)data[0]) << 8 | 1755 ((unsigned int)data[1]); 1756 if (len != (unsigned int)size - 2) { 1757 *al = TLS1_AD_DECODE_ERROR; 1758 return (0); 1759 } 1760 len = data[2]; 1761 if (len != (unsigned int)size - 3) { 1762 *al = TLS1_AD_DECODE_ERROR; 1763 return (0); 1764 } 1765 free(s->s3->alpn_selected); 1766 s->s3->alpn_selected = malloc(len); 1767 if (s->s3->alpn_selected == NULL) { 1768 *al = TLS1_AD_INTERNAL_ERROR; 1769 return (0); 1770 } 1771 memcpy(s->s3->alpn_selected, data + 3, len); 1772 s->s3->alpn_selected_len = len; 1773 1774 } else if (type == TLSEXT_TYPE_renegotiate) { 1775 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1776 return 0; 1777 renegotiate_seen = 1; 1778 } 1779 #ifndef OPENSSL_NO_SRTP 1780 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1781 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1782 size, al)) 1783 return 0; 1784 } 1785 #endif 1786 1787 data += size; 1788 1789 } 1790 1791 if (data != d + n) { 1792 *al = SSL_AD_DECODE_ERROR; 1793 return 0; 1794 } 1795 1796 if (!s->hit && tlsext_servername == 1) { 1797 if (s->tlsext_hostname) { 1798 if (s->session->tlsext_hostname == NULL) { 1799 s->session->tlsext_hostname = 1800 strdup(s->tlsext_hostname); 1801 1802 if (!s->session->tlsext_hostname) { 1803 *al = SSL_AD_UNRECOGNIZED_NAME; 1804 return 0; 1805 } 1806 } else { 1807 *al = SSL_AD_DECODE_ERROR; 1808 return 0; 1809 } 1810 } 1811 } 1812 1813 *p = data; 1814 1815 ri_check: 1816 1817 /* Determine if we need to see RI. Strictly speaking if we want to 1818 * avoid an attack we should *always* see RI even on initial server 1819 * hello because the client doesn't see any renegotiation during an 1820 * attack. However this would mean we could not connect to any server 1821 * which doesn't support RI so for the immediate future tolerate RI 1822 * absence on initial connect only. 1823 */ 1824 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1825 *al = SSL_AD_HANDSHAKE_FAILURE; 1826 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1827 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1828 return 0; 1829 } 1830 1831 return 1; 1832 } 1833 1834 int 1835 ssl_check_clienthello_tlsext_early(SSL *s) 1836 { 1837 int ret = SSL_TLSEXT_ERR_NOACK; 1838 int al = SSL_AD_UNRECOGNIZED_NAME; 1839 1840 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1841 * ssl3_choose_cipher in s3_lib.c. 1842 */ 1843 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1844 * ssl3_choose_cipher in s3_lib.c. 1845 */ 1846 1847 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1848 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1849 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1850 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1851 1852 switch (ret) { 1853 case SSL_TLSEXT_ERR_ALERT_FATAL: 1854 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1855 return -1; 1856 case SSL_TLSEXT_ERR_ALERT_WARNING: 1857 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1858 return 1; 1859 case SSL_TLSEXT_ERR_NOACK: 1860 s->servername_done = 0; 1861 default: 1862 return 1; 1863 } 1864 } 1865 1866 int 1867 ssl_check_clienthello_tlsext_late(SSL *s) 1868 { 1869 int ret = SSL_TLSEXT_ERR_OK; 1870 int al = 0; /* XXX gcc3 */ 1871 1872 /* If status request then ask callback what to do. 1873 * Note: this must be called after servername callbacks in case 1874 * the certificate has changed, and must be called after the cipher 1875 * has been chosen because this may influence which certificate is sent 1876 */ 1877 if ((s->tlsext_status_type != -1) && 1878 s->ctx && s->ctx->tlsext_status_cb) { 1879 int r; 1880 CERT_PKEY *certpkey; 1881 certpkey = ssl_get_server_send_pkey(s); 1882 /* If no certificate can't return certificate status */ 1883 if (certpkey == NULL) { 1884 s->tlsext_status_expected = 0; 1885 return 1; 1886 } 1887 /* Set current certificate to one we will use so 1888 * SSL_get_certificate et al can pick it up. 1889 */ 1890 s->cert->key = certpkey; 1891 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1892 switch (r) { 1893 /* We don't want to send a status request response */ 1894 case SSL_TLSEXT_ERR_NOACK: 1895 s->tlsext_status_expected = 0; 1896 break; 1897 /* status request response should be sent */ 1898 case SSL_TLSEXT_ERR_OK: 1899 if (s->tlsext_ocsp_resp) 1900 s->tlsext_status_expected = 1; 1901 else 1902 s->tlsext_status_expected = 0; 1903 break; 1904 /* something bad happened */ 1905 case SSL_TLSEXT_ERR_ALERT_FATAL: 1906 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1907 al = SSL_AD_INTERNAL_ERROR; 1908 goto err; 1909 } 1910 } else 1911 s->tlsext_status_expected = 0; 1912 1913 err: 1914 switch (ret) { 1915 case SSL_TLSEXT_ERR_ALERT_FATAL: 1916 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1917 return -1; 1918 case SSL_TLSEXT_ERR_ALERT_WARNING: 1919 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1920 return 1; 1921 default: 1922 return 1; 1923 } 1924 } 1925 1926 int 1927 ssl_check_serverhello_tlsext(SSL *s) 1928 { 1929 int ret = SSL_TLSEXT_ERR_NOACK; 1930 int al = SSL_AD_UNRECOGNIZED_NAME; 1931 1932 /* If we are client and using an elliptic curve cryptography cipher 1933 * suite, then if server returns an EC point formats lists extension 1934 * it must contain uncompressed. 1935 */ 1936 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1937 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1938 if ((s->tlsext_ecpointformatlist != NULL) && 1939 (s->tlsext_ecpointformatlist_length > 0) && 1940 (s->session->tlsext_ecpointformatlist != NULL) && 1941 (s->session->tlsext_ecpointformatlist_length > 0) && 1942 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1943 /* we are using an ECC cipher */ 1944 size_t i; 1945 unsigned char *list; 1946 int found_uncompressed = 0; 1947 list = s->session->tlsext_ecpointformatlist; 1948 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1949 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1950 found_uncompressed = 1; 1951 break; 1952 } 1953 } 1954 if (!found_uncompressed) { 1955 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1956 return -1; 1957 } 1958 } 1959 ret = SSL_TLSEXT_ERR_OK; 1960 1961 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1962 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1963 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1964 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1965 1966 /* If we've requested certificate status and we wont get one 1967 * tell the callback 1968 */ 1969 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1970 s->ctx && s->ctx->tlsext_status_cb) { 1971 int r; 1972 /* Set resp to NULL, resplen to -1 so callback knows 1973 * there is no response. 1974 */ 1975 free(s->tlsext_ocsp_resp); 1976 s->tlsext_ocsp_resp = NULL; 1977 s->tlsext_ocsp_resplen = -1; 1978 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1979 if (r == 0) { 1980 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1981 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1982 } 1983 if (r < 0) { 1984 al = SSL_AD_INTERNAL_ERROR; 1985 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1986 } 1987 } 1988 1989 switch (ret) { 1990 case SSL_TLSEXT_ERR_ALERT_FATAL: 1991 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1992 1993 return -1; 1994 case SSL_TLSEXT_ERR_ALERT_WARNING: 1995 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1996 1997 return 1; 1998 case SSL_TLSEXT_ERR_NOACK: 1999 s->servername_done = 0; 2000 default: 2001 return 1; 2002 } 2003 } 2004 2005 /* Since the server cache lookup is done early on in the processing of the 2006 * ClientHello, and other operations depend on the result, we need to handle 2007 * any TLS session ticket extension at the same time. 2008 * 2009 * session_id: points at the session ID in the ClientHello. This code will 2010 * read past the end of this in order to parse out the session ticket 2011 * extension, if any. 2012 * len: the length of the session ID. 2013 * limit: a pointer to the first byte after the ClientHello. 2014 * ret: (output) on return, if a ticket was decrypted, then this is set to 2015 * point to the resulting session. 2016 * 2017 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2018 * ciphersuite, in which case we have no use for session tickets and one will 2019 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2020 * 2021 * Returns: 2022 * -1: fatal error, either from parsing or decrypting the ticket. 2023 * 0: no ticket was found (or was ignored, based on settings). 2024 * 1: a zero length extension was found, indicating that the client supports 2025 * session tickets but doesn't currently have one to offer. 2026 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2027 * couldn't be decrypted because of a non-fatal error. 2028 * 3: a ticket was successfully decrypted and *ret was set. 2029 * 2030 * Side effects: 2031 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2032 * a new session ticket to the client because the client indicated support 2033 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2034 * a session ticket or we couldn't use the one it gave us, or if 2035 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2036 * Otherwise, s->tlsext_ticket_expected is set to 0. 2037 */ 2038 int 2039 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2040 const unsigned char *limit, SSL_SESSION **ret) 2041 { 2042 /* Point after session ID in client hello */ 2043 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2044 2045 *ret = NULL; 2046 s->tlsext_ticket_expected = 0; 2047 2048 /* If tickets disabled behave as if no ticket present 2049 * to permit stateful resumption. 2050 */ 2051 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2052 return 0; 2053 if (!limit) 2054 return 0; 2055 2056 if (limit < session) 2057 return -1; 2058 2059 CBS_init(&session_id, session, limit - session); 2060 2061 /* Skip past the session id */ 2062 if (!CBS_skip(&session_id, session_len)) 2063 return -1; 2064 2065 /* Skip past DTLS cookie */ 2066 if (SSL_IS_DTLS(s)) { 2067 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2068 return -1; 2069 } 2070 2071 /* Skip past cipher list */ 2072 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2073 return -1; 2074 2075 /* Skip past compression algorithm list */ 2076 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2077 return -1; 2078 2079 /* Now at start of extensions */ 2080 if (CBS_len(&session_id) == 0) 2081 return 0; 2082 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2083 return -1; 2084 2085 while (CBS_len(&extensions) > 0) { 2086 CBS ext_data; 2087 uint16_t ext_type; 2088 2089 if (!CBS_get_u16(&extensions, &ext_type) || 2090 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2091 return -1; 2092 2093 if (ext_type == TLSEXT_TYPE_session_ticket) { 2094 int r; 2095 if (CBS_len(&ext_data) == 0) { 2096 /* The client will accept a ticket but doesn't 2097 * currently have one. */ 2098 s->tlsext_ticket_expected = 1; 2099 return 1; 2100 } 2101 if (s->tls_session_secret_cb) { 2102 /* Indicate that the ticket couldn't be 2103 * decrypted rather than generating the session 2104 * from ticket now, trigger abbreviated 2105 * handshake based on external mechanism to 2106 * calculate the master secret later. */ 2107 return 2; 2108 } 2109 2110 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2111 CBS_len(&ext_data), session, session_len, ret); 2112 2113 switch (r) { 2114 case 2: /* ticket couldn't be decrypted */ 2115 s->tlsext_ticket_expected = 1; 2116 return 2; 2117 case 3: /* ticket was decrypted */ 2118 return r; 2119 case 4: /* ticket decrypted but need to renew */ 2120 s->tlsext_ticket_expected = 1; 2121 return 3; 2122 default: /* fatal error */ 2123 return -1; 2124 } 2125 } 2126 } 2127 return 0; 2128 } 2129 2130 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2131 * 2132 * etick: points to the body of the session ticket extension. 2133 * eticklen: the length of the session tickets extenion. 2134 * sess_id: points at the session ID. 2135 * sesslen: the length of the session ID. 2136 * psess: (output) on return, if a ticket was decrypted, then this is set to 2137 * point to the resulting session. 2138 * 2139 * Returns: 2140 * -1: fatal error, either from parsing or decrypting the ticket. 2141 * 2: the ticket couldn't be decrypted. 2142 * 3: a ticket was successfully decrypted and *psess was set. 2143 * 4: same as 3, but the ticket needs to be renewed. 2144 */ 2145 static int 2146 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2147 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2148 { 2149 SSL_SESSION *sess; 2150 unsigned char *sdec; 2151 const unsigned char *p; 2152 int slen, mlen, renew_ticket = 0; 2153 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2154 HMAC_CTX hctx; 2155 EVP_CIPHER_CTX ctx; 2156 SSL_CTX *tctx = s->initial_ctx; 2157 2158 /* 2159 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 2160 * the iv to tlsext_ticket_key_cb(). Since the total space 2161 * required for a session cookie is never less than this, 2162 * this check isn't too strict. The exact check comes later. 2163 */ 2164 if (eticklen < 16 + EVP_MAX_IV_LENGTH) 2165 return 2; 2166 2167 /* Initialize session ticket encryption and HMAC contexts */ 2168 HMAC_CTX_init(&hctx); 2169 EVP_CIPHER_CTX_init(&ctx); 2170 if (tctx->tlsext_ticket_key_cb) { 2171 unsigned char *nctick = (unsigned char *)etick; 2172 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2173 &ctx, &hctx, 0); 2174 if (rv < 0) { 2175 HMAC_CTX_cleanup(&hctx); 2176 EVP_CIPHER_CTX_cleanup(&ctx); 2177 return -1; 2178 } 2179 if (rv == 0) { 2180 HMAC_CTX_cleanup(&hctx); 2181 EVP_CIPHER_CTX_cleanup(&ctx); 2182 return 2; 2183 } 2184 if (rv == 2) 2185 renew_ticket = 1; 2186 } else { 2187 /* Check key name matches */ 2188 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2189 return 2; 2190 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2191 tlsext_tick_md(), NULL); 2192 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2193 tctx->tlsext_tick_aes_key, etick + 16); 2194 } 2195 2196 /* 2197 * Attempt to process session ticket, first conduct sanity and 2198 * integrity checks on ticket. 2199 */ 2200 mlen = HMAC_size(&hctx); 2201 if (mlen < 0) { 2202 HMAC_CTX_cleanup(&hctx); 2203 EVP_CIPHER_CTX_cleanup(&ctx); 2204 return -1; 2205 } 2206 2207 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2208 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2209 HMAC_CTX_cleanup(&hctx); 2210 EVP_CIPHER_CTX_cleanup(&ctx); 2211 return 2; 2212 } 2213 eticklen -= mlen; 2214 2215 /* Check HMAC of encrypted ticket */ 2216 if (HMAC_Update(&hctx, etick, eticklen) <= 0 || 2217 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2218 HMAC_CTX_cleanup(&hctx); 2219 EVP_CIPHER_CTX_cleanup(&ctx); 2220 return -1; 2221 } 2222 2223 HMAC_CTX_cleanup(&hctx); 2224 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2225 EVP_CIPHER_CTX_cleanup(&ctx); 2226 return 2; 2227 } 2228 2229 /* Attempt to decrypt session data */ 2230 /* Move p after IV to start of encrypted ticket, update length */ 2231 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2232 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2233 sdec = malloc(eticklen); 2234 if (sdec == NULL || 2235 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2236 free(sdec); 2237 EVP_CIPHER_CTX_cleanup(&ctx); 2238 return -1; 2239 } 2240 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2241 free(sdec); 2242 EVP_CIPHER_CTX_cleanup(&ctx); 2243 return 2; 2244 } 2245 slen += mlen; 2246 EVP_CIPHER_CTX_cleanup(&ctx); 2247 p = sdec; 2248 2249 sess = d2i_SSL_SESSION(NULL, &p, slen); 2250 free(sdec); 2251 if (sess) { 2252 /* The session ID, if non-empty, is used by some clients to 2253 * detect that the ticket has been accepted. So we copy it to 2254 * the session structure. If it is empty set length to zero 2255 * as required by standard. 2256 */ 2257 if (sesslen) 2258 memcpy(sess->session_id, sess_id, sesslen); 2259 sess->session_id_length = sesslen; 2260 *psess = sess; 2261 if (renew_ticket) 2262 return 4; 2263 else 2264 return 3; 2265 } 2266 ERR_clear_error(); 2267 /* For session parse failure, indicate that we need to send a new 2268 * ticket. */ 2269 return 2; 2270 } 2271 2272 /* Tables to translate from NIDs to TLS v1.2 ids */ 2273 2274 typedef struct { 2275 int nid; 2276 int id; 2277 } tls12_lookup; 2278 2279 static tls12_lookup tls12_md[] = { 2280 {NID_md5, TLSEXT_hash_md5}, 2281 {NID_sha1, TLSEXT_hash_sha1}, 2282 {NID_sha224, TLSEXT_hash_sha224}, 2283 {NID_sha256, TLSEXT_hash_sha256}, 2284 {NID_sha384, TLSEXT_hash_sha384}, 2285 {NID_sha512, TLSEXT_hash_sha512}, 2286 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2287 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2288 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2289 }; 2290 2291 static tls12_lookup tls12_sig[] = { 2292 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2293 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2294 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2295 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2296 }; 2297 2298 static int 2299 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2300 { 2301 size_t i; 2302 for (i = 0; i < tlen; i++) { 2303 if (table[i].nid == nid) 2304 return table[i].id; 2305 } 2306 return -1; 2307 } 2308 2309 int 2310 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2311 { 2312 int sig_id, md_id; 2313 if (!md) 2314 return 0; 2315 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2316 sizeof(tls12_md) / sizeof(tls12_lookup)); 2317 if (md_id == -1) 2318 return 0; 2319 sig_id = tls12_get_sigid(pk); 2320 if (sig_id == -1) 2321 return 0; 2322 p[0] = (unsigned char)md_id; 2323 p[1] = (unsigned char)sig_id; 2324 return 1; 2325 } 2326 2327 int 2328 tls12_get_sigid(const EVP_PKEY *pk) 2329 { 2330 return tls12_find_id(pk->type, tls12_sig, 2331 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2332 } 2333 2334 const EVP_MD * 2335 tls12_get_hash(unsigned char hash_alg) 2336 { 2337 switch (hash_alg) { 2338 case TLSEXT_hash_sha1: 2339 return EVP_sha1(); 2340 case TLSEXT_hash_sha224: 2341 return EVP_sha224(); 2342 case TLSEXT_hash_sha256: 2343 return EVP_sha256(); 2344 case TLSEXT_hash_sha384: 2345 return EVP_sha384(); 2346 case TLSEXT_hash_sha512: 2347 return EVP_sha512(); 2348 #ifndef OPENSSL_NO_GOST 2349 case TLSEXT_hash_gost94: 2350 return EVP_gostr341194(); 2351 case TLSEXT_hash_streebog_256: 2352 return EVP_streebog256(); 2353 case TLSEXT_hash_streebog_512: 2354 return EVP_streebog512(); 2355 #endif 2356 default: 2357 return NULL; 2358 } 2359 } 2360 2361 /* Set preferred digest for each key type */ 2362 2363 int 2364 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2365 { 2366 int idx; 2367 const EVP_MD *md; 2368 CERT *c = s->cert; 2369 CBS cbs; 2370 2371 /* Extension ignored for inappropriate versions */ 2372 if (!SSL_USE_SIGALGS(s)) 2373 return 1; 2374 2375 /* Should never happen */ 2376 if (!c || dsize < 0) 2377 return 0; 2378 2379 CBS_init(&cbs, data, dsize); 2380 2381 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2382 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2383 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2384 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2385 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2386 2387 while (CBS_len(&cbs) > 0) { 2388 uint8_t hash_alg, sig_alg; 2389 2390 if (!CBS_get_u8(&cbs, &hash_alg) || 2391 !CBS_get_u8(&cbs, &sig_alg)) { 2392 /* Should never happen */ 2393 return 0; 2394 } 2395 2396 switch (sig_alg) { 2397 case TLSEXT_signature_rsa: 2398 idx = SSL_PKEY_RSA_SIGN; 2399 break; 2400 case TLSEXT_signature_dsa: 2401 idx = SSL_PKEY_DSA_SIGN; 2402 break; 2403 case TLSEXT_signature_ecdsa: 2404 idx = SSL_PKEY_ECC; 2405 break; 2406 case TLSEXT_signature_gostr01: 2407 case TLSEXT_signature_gostr12_256: 2408 case TLSEXT_signature_gostr12_512: 2409 idx = SSL_PKEY_GOST01; 2410 break; 2411 default: 2412 continue; 2413 } 2414 2415 if (c->pkeys[idx].digest == NULL) { 2416 md = tls12_get_hash(hash_alg); 2417 if (md) { 2418 c->pkeys[idx].digest = md; 2419 if (idx == SSL_PKEY_RSA_SIGN) 2420 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2421 } 2422 } 2423 2424 } 2425 2426 /* Set any remaining keys to default values. NOTE: if alg is not 2427 * supported it stays as NULL. 2428 */ 2429 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2430 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2431 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2432 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2433 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2434 } 2435 if (!c->pkeys[SSL_PKEY_ECC].digest) 2436 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2437 #ifndef OPENSSL_NO_GOST 2438 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2439 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2440 #endif 2441 return 1; 2442 } 2443