1 /* $OpenBSD: t1_lib.c,v 1.88 2016/08/27 15:58:06 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 409 { 410 CBS cbs; 411 const uint16_t *curves; 412 size_t curveslen, i; 413 uint8_t type; 414 uint16_t cid; 415 416 CBS_init(&cbs, p, len); 417 418 /* Only named curves are supported. */ 419 if (CBS_len(&cbs) != 3 || 420 !CBS_get_u8(&cbs, &type) || 421 type != NAMED_CURVE_TYPE || 422 !CBS_get_u16(&cbs, &cid)) 423 return (0); 424 425 tls1_get_curvelist(s, 0, &curves, &curveslen); 426 427 for (i = 0; i < curveslen; i++) { 428 if (curves[i] == cid) 429 return (1); 430 } 431 return (0); 432 } 433 434 int 435 tls1_get_shared_curve(SSL *s) 436 { 437 size_t preflen, supplen, i, j; 438 const uint16_t *pref, *supp; 439 unsigned long server_pref; 440 441 /* Cannot do anything on the client side. */ 442 if (s->server == 0) 443 return (NID_undef); 444 445 /* Return first preference shared curve. */ 446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 449 450 for (i = 0; i < preflen; i++) { 451 for (j = 0; j < supplen; j++) { 452 if (pref[i] == supp[j]) 453 return (tls1_ec_curve_id2nid(pref[i])); 454 } 455 } 456 return (NID_undef); 457 } 458 459 /* For an EC key set TLS ID and required compression based on parameters. */ 460 static int 461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 462 { 463 const EC_GROUP *grp; 464 const EC_METHOD *meth; 465 int is_prime = 0; 466 int nid, id; 467 468 if (ec == NULL) 469 return (0); 470 471 /* Determine if it is a prime field. */ 472 if ((grp = EC_KEY_get0_group(ec)) == NULL) 473 return (0); 474 if ((meth = EC_GROUP_method_of(grp)) == NULL) 475 return (0); 476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 477 is_prime = 1; 478 479 /* Determine curve ID. */ 480 nid = EC_GROUP_get_curve_name(grp); 481 id = tls1_ec_nid2curve_id(nid); 482 483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 484 if (id != 0) 485 *curve_id = id; 486 else 487 *curve_id = is_prime ? 0xff01 : 0xff02; 488 489 /* Specify the compression identifier. */ 490 if (comp_id != NULL) { 491 if (EC_KEY_get0_public_key(ec) == NULL) 492 return (0); 493 494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 495 *comp_id = is_prime ? 496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 498 } else { 499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 500 } 501 } 502 return (1); 503 } 504 505 /* Check that an EC key is compatible with extensions. */ 506 static int 507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 508 { 509 size_t curveslen, formatslen, i; 510 const uint16_t *curves; 511 const uint8_t *formats; 512 513 /* 514 * Check point formats extension if present, otherwise everything 515 * is supported (see RFC4492). 516 */ 517 tls1_get_formatlist(s, 1, &formats, &formatslen); 518 if (comp_id != NULL && formats != NULL) { 519 for (i = 0; i < formatslen; i++) { 520 if (formats[i] == *comp_id) 521 break; 522 } 523 if (i == formatslen) 524 return (0); 525 } 526 527 /* 528 * Check curve list if present, otherwise everything is supported. 529 */ 530 tls1_get_curvelist(s, 1, &curves, &curveslen); 531 if (curve_id != NULL && curves != NULL) { 532 for (i = 0; i < curveslen; i++) { 533 if (curves[i] == *curve_id) 534 break; 535 } 536 if (i == curveslen) 537 return (0); 538 } 539 540 return (1); 541 } 542 543 /* Check EC server key is compatible with client extensions. */ 544 int 545 tls1_check_ec_server_key(SSL *s) 546 { 547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 548 uint16_t curve_id; 549 uint8_t comp_id; 550 EVP_PKEY *pkey; 551 int rv; 552 553 if (cpk->x509 == NULL || cpk->privatekey == NULL) 554 return (0); 555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 556 return (0); 557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 558 EVP_PKEY_free(pkey); 559 if (rv != 1) 560 return (0); 561 562 return tls1_check_ec_key(s, &curve_id, &comp_id); 563 } 564 565 /* Check EC temporary key is compatible with client extensions. */ 566 int 567 tls1_check_ec_tmp_key(SSL *s) 568 { 569 EC_KEY *ec = s->cert->ecdh_tmp; 570 uint16_t curve_id; 571 572 if (s->cert->ecdh_tmp_auto != 0) { 573 /* Need a shared curve. */ 574 if (tls1_get_shared_curve(s) != NID_undef) 575 return (1); 576 return (0); 577 } 578 579 if (ec == NULL) { 580 if (s->cert->ecdh_tmp_cb != NULL) 581 return (1); 582 return (0); 583 } 584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 585 return (0); 586 587 return tls1_check_ec_key(s, &curve_id, NULL); 588 } 589 590 /* 591 * List of supported signature algorithms and hashes. Should make this 592 * customisable at some point, for now include everything we support. 593 */ 594 595 static unsigned char tls12_sigalgs[] = { 596 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 597 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 601 #endif 602 603 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 604 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 606 607 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 608 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 610 611 #ifndef OPENSSL_NO_GOST 612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 614 #endif 615 616 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 617 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 619 620 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 621 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 623 }; 624 625 int 626 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 627 { 628 size_t slen = sizeof(tls12_sigalgs); 629 630 if (p) 631 memcpy(p, tls12_sigalgs, slen); 632 return (int)slen; 633 } 634 635 unsigned char * 636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 637 { 638 int extdatalen = 0; 639 unsigned char *ret = p; 640 int using_ecc = 0; 641 642 /* See if we support any ECC ciphersuites. */ 643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 645 unsigned long alg_k, alg_a; 646 int i; 647 648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 650 651 alg_k = c->algorithm_mkey; 652 alg_a = c->algorithm_auth; 653 654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 655 (alg_a & SSL_aECDSA))) { 656 using_ecc = 1; 657 break; 658 } 659 } 660 } 661 662 ret += 2; 663 664 if (ret >= limit) 665 return NULL; /* this really never occurs, but ... */ 666 667 if (s->tlsext_hostname != NULL) { 668 /* Add TLS extension servername to the Client Hello message */ 669 size_t size_str, lenmax; 670 671 /* check for enough space. 672 4 for the servername type and extension length 673 2 for servernamelist length 674 1 for the hostname type 675 2 for hostname length 676 + hostname length 677 */ 678 679 if ((size_t)(limit - ret) < 9) 680 return NULL; 681 682 lenmax = limit - ret - 9; 683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 684 return NULL; 685 686 /* extension type and length */ 687 s2n(TLSEXT_TYPE_server_name, ret); 688 689 s2n(size_str + 5, ret); 690 691 /* length of servername list */ 692 s2n(size_str + 3, ret); 693 694 /* hostname type, length and hostname */ 695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 696 s2n(size_str, ret); 697 memcpy(ret, s->tlsext_hostname, size_str); 698 ret += size_str; 699 } 700 701 /* Add RI if renegotiating */ 702 if (s->renegotiate) { 703 int el; 704 705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 707 ERR_R_INTERNAL_ERROR); 708 return NULL; 709 } 710 711 if ((size_t)(limit - ret) < 4 + el) 712 return NULL; 713 714 s2n(TLSEXT_TYPE_renegotiate, ret); 715 s2n(el, ret); 716 717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 719 ERR_R_INTERNAL_ERROR); 720 return NULL; 721 } 722 723 ret += el; 724 } 725 726 if (using_ecc) { 727 size_t curveslen, formatslen, lenmax; 728 const uint16_t *curves; 729 const uint8_t *formats; 730 int i; 731 732 /* 733 * Add TLS extension ECPointFormats to the ClientHello message. 734 */ 735 tls1_get_formatlist(s, 0, &formats, &formatslen); 736 737 if ((size_t)(limit - ret) < 5) 738 return NULL; 739 740 lenmax = limit - ret - 5; 741 if (formatslen > lenmax) 742 return NULL; 743 if (formatslen > 255) { 744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 745 ERR_R_INTERNAL_ERROR); 746 return NULL; 747 } 748 749 s2n(TLSEXT_TYPE_ec_point_formats, ret); 750 s2n(formatslen + 1, ret); 751 *(ret++) = (unsigned char)formatslen; 752 memcpy(ret, formats, formatslen); 753 ret += formatslen; 754 755 /* 756 * Add TLS extension EllipticCurves to the ClientHello message. 757 */ 758 tls1_get_curvelist(s, 0, &curves, &curveslen); 759 760 if ((size_t)(limit - ret) < 6) 761 return NULL; 762 763 lenmax = limit - ret - 6; 764 if (curveslen > lenmax) 765 return NULL; 766 if (curveslen > 65532) { 767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 768 ERR_R_INTERNAL_ERROR); 769 return NULL; 770 } 771 772 s2n(TLSEXT_TYPE_elliptic_curves, ret); 773 s2n((curveslen * 2) + 2, ret); 774 775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 776 * elliptic_curve_list, but the examples use two bytes. 777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 778 * resolves this to two bytes. 779 */ 780 s2n(curveslen * 2, ret); 781 for (i = 0; i < curveslen; i++) 782 s2n(curves[i], ret); 783 } 784 785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 786 int ticklen; 787 if (!s->new_session && s->session && s->session->tlsext_tick) 788 ticklen = s->session->tlsext_ticklen; 789 else if (s->session && s->tlsext_session_ticket && 790 s->tlsext_session_ticket->data) { 791 ticklen = s->tlsext_session_ticket->length; 792 s->session->tlsext_tick = malloc(ticklen); 793 if (!s->session->tlsext_tick) 794 return NULL; 795 memcpy(s->session->tlsext_tick, 796 s->tlsext_session_ticket->data, ticklen); 797 s->session->tlsext_ticklen = ticklen; 798 } else 799 ticklen = 0; 800 if (ticklen == 0 && s->tlsext_session_ticket && 801 s->tlsext_session_ticket->data == NULL) 802 goto skip_ext; 803 /* Check for enough room 2 for extension type, 2 for len 804 * rest for ticket 805 */ 806 if ((size_t)(limit - ret) < 4 + ticklen) 807 return NULL; 808 s2n(TLSEXT_TYPE_session_ticket, ret); 809 810 s2n(ticklen, ret); 811 if (ticklen) { 812 memcpy(ret, s->session->tlsext_tick, ticklen); 813 ret += ticklen; 814 } 815 } 816 skip_ext: 817 818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 820 return NULL; 821 822 s2n(TLSEXT_TYPE_signature_algorithms, ret); 823 s2n(sizeof(tls12_sigalgs) + 2, ret); 824 s2n(sizeof(tls12_sigalgs), ret); 825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 826 ret += sizeof(tls12_sigalgs); 827 } 828 829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 830 s->version != DTLS1_VERSION) { 831 int i; 832 long extlen, idlen, itmp; 833 OCSP_RESPID *id; 834 835 idlen = 0; 836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 838 itmp = i2d_OCSP_RESPID(id, NULL); 839 if (itmp <= 0) 840 return NULL; 841 idlen += itmp + 2; 842 } 843 844 if (s->tlsext_ocsp_exts) { 845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 846 if (extlen < 0) 847 return NULL; 848 } else 849 extlen = 0; 850 851 if ((size_t)(limit - ret) < 7 + extlen + idlen) 852 return NULL; 853 s2n(TLSEXT_TYPE_status_request, ret); 854 if (extlen + idlen > 0xFFF0) 855 return NULL; 856 s2n(extlen + idlen + 5, ret); 857 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 858 s2n(idlen, ret); 859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 860 /* save position of id len */ 861 unsigned char *q = ret; 862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 863 /* skip over id len */ 864 ret += 2; 865 itmp = i2d_OCSP_RESPID(id, &ret); 866 /* write id len */ 867 s2n(itmp, q); 868 } 869 s2n(extlen, ret); 870 if (extlen > 0) 871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 872 } 873 874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 875 /* The client advertises an emtpy extension to indicate its 876 * support for Next Protocol Negotiation */ 877 if ((size_t)(limit - ret) < 4) 878 return NULL; 879 s2n(TLSEXT_TYPE_next_proto_neg, ret); 880 s2n(0, ret); 881 } 882 883 if (s->alpn_client_proto_list != NULL && 884 s->s3->tmp.finish_md_len == 0) { 885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 886 return (NULL); 887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 888 s2n(2 + s->alpn_client_proto_list_len, ret); 889 s2n(s->alpn_client_proto_list_len, ret); 890 memcpy(ret, s->alpn_client_proto_list, 891 s->alpn_client_proto_list_len); 892 ret += s->alpn_client_proto_list_len; 893 } 894 895 #ifndef OPENSSL_NO_SRTP 896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 897 int el; 898 899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 900 901 if ((size_t)(limit - ret) < 4 + el) 902 return NULL; 903 904 s2n(TLSEXT_TYPE_use_srtp, ret); 905 s2n(el, ret); 906 907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 909 ERR_R_INTERNAL_ERROR); 910 return NULL; 911 } 912 ret += el; 913 } 914 #endif 915 916 /* 917 * Add padding to workaround bugs in F5 terminators. 918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 919 * 920 * Note that this seems to trigger issues with IronPort SMTP 921 * appliances. 922 * 923 * NB: because this code works out the length of all existing 924 * extensions it MUST always appear last. 925 */ 926 if (s->options & SSL_OP_TLSEXT_PADDING) { 927 int hlen = ret - (unsigned char *)s->init_buf->data; 928 929 /* 930 * The code in s23_clnt.c to build ClientHello messages 931 * includes the 5-byte record header in the buffer, while the 932 * code in s3_clnt.c does not. 933 */ 934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 935 hlen -= 5; 936 if (hlen > 0xff && hlen < 0x200) { 937 hlen = 0x200 - hlen; 938 if (hlen >= 4) 939 hlen -= 4; 940 else 941 hlen = 0; 942 943 s2n(TLSEXT_TYPE_padding, ret); 944 s2n(hlen, ret); 945 memset(ret, 0, hlen); 946 ret += hlen; 947 } 948 } 949 950 if ((extdatalen = ret - p - 2) == 0) 951 return p; 952 953 s2n(extdatalen, p); 954 return ret; 955 } 956 957 unsigned char * 958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 959 { 960 int using_ecc, extdatalen = 0; 961 unsigned long alg_a, alg_k; 962 unsigned char *ret = p; 963 int next_proto_neg_seen; 964 965 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || 968 alg_a & SSL_aECDSA) && 969 s->session->tlsext_ecpointformatlist != NULL; 970 971 ret += 2; 972 if (ret >= limit) 973 return NULL; /* this really never occurs, but ... */ 974 975 if (!s->hit && s->servername_done == 1 && 976 s->session->tlsext_hostname != NULL) { 977 if ((size_t)(limit - ret) < 4) 978 return NULL; 979 980 s2n(TLSEXT_TYPE_server_name, ret); 981 s2n(0, ret); 982 } 983 984 if (s->s3->send_connection_binding) { 985 int el; 986 987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 989 ERR_R_INTERNAL_ERROR); 990 return NULL; 991 } 992 993 if ((size_t)(limit - ret) < 4 + el) 994 return NULL; 995 996 s2n(TLSEXT_TYPE_renegotiate, ret); 997 s2n(el, ret); 998 999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1001 ERR_R_INTERNAL_ERROR); 1002 return NULL; 1003 } 1004 1005 ret += el; 1006 } 1007 1008 if (using_ecc && s->version != DTLS1_VERSION) { 1009 const unsigned char *formats; 1010 size_t formatslen, lenmax; 1011 1012 /* 1013 * Add TLS extension ECPointFormats to the ServerHello message. 1014 */ 1015 tls1_get_formatlist(s, 0, &formats, &formatslen); 1016 1017 if ((size_t)(limit - ret) < 5) 1018 return NULL; 1019 1020 lenmax = limit - ret - 5; 1021 if (formatslen > lenmax) 1022 return NULL; 1023 if (formatslen > 255) { 1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1025 ERR_R_INTERNAL_ERROR); 1026 return NULL; 1027 } 1028 1029 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1030 s2n(formatslen + 1, ret); 1031 *(ret++) = (unsigned char)formatslen; 1032 memcpy(ret, formats, formatslen); 1033 ret += formatslen; 1034 } 1035 1036 /* 1037 * Currently the server should not respond with a SupportedCurves 1038 * extension. 1039 */ 1040 1041 if (s->tlsext_ticket_expected && 1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1043 if ((size_t)(limit - ret) < 4) 1044 return NULL; 1045 1046 s2n(TLSEXT_TYPE_session_ticket, ret); 1047 s2n(0, ret); 1048 } 1049 1050 if (s->tlsext_status_expected) { 1051 if ((size_t)(limit - ret) < 4) 1052 return NULL; 1053 1054 s2n(TLSEXT_TYPE_status_request, ret); 1055 s2n(0, ret); 1056 } 1057 1058 #ifndef OPENSSL_NO_SRTP 1059 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1060 int el; 1061 1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1063 1064 if ((size_t)(limit - ret) < 4 + el) 1065 return NULL; 1066 1067 s2n(TLSEXT_TYPE_use_srtp, ret); 1068 s2n(el, ret); 1069 1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1072 ERR_R_INTERNAL_ERROR); 1073 return NULL; 1074 } 1075 ret += el; 1076 } 1077 #endif 1078 1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1082 static const unsigned char cryptopro_ext[36] = { 1083 0xfd, 0xe8, /*65000*/ 1084 0x00, 0x20, /*32 bytes length*/ 1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1089 }; 1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1091 return NULL; 1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1093 ret += sizeof(cryptopro_ext); 1094 } 1095 1096 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1097 s->s3->next_proto_neg_seen = 0; 1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1099 const unsigned char *npa; 1100 unsigned int npalen; 1101 int r; 1102 1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1104 s->ctx->next_protos_advertised_cb_arg); 1105 if (r == SSL_TLSEXT_ERR_OK) { 1106 if ((size_t)(limit - ret) < 4 + npalen) 1107 return NULL; 1108 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1109 s2n(npalen, ret); 1110 memcpy(ret, npa, npalen); 1111 ret += npalen; 1112 s->s3->next_proto_neg_seen = 1; 1113 } 1114 } 1115 1116 if (s->s3->alpn_selected != NULL) { 1117 const unsigned char *selected = s->s3->alpn_selected; 1118 unsigned int len = s->s3->alpn_selected_len; 1119 1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1121 return (NULL); 1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1123 s2n(3 + len, ret); 1124 s2n(1 + len, ret); 1125 *ret++ = len; 1126 memcpy(ret, selected, len); 1127 ret += len; 1128 } 1129 1130 if ((extdatalen = ret - p - 2) == 0) 1131 return p; 1132 1133 s2n(extdatalen, p); 1134 return ret; 1135 } 1136 1137 /* 1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1139 * ClientHello. 1140 * data: the contents of the extension, not including the type and length. 1141 * data_len: the number of bytes in data. 1142 * al: a pointer to the alert value to send in the event of a non-zero 1143 * return. 1144 * returns: 1 on success. 1145 */ 1146 static int 1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1148 unsigned int data_len, int *al) 1149 { 1150 CBS cbs, proto_name_list, alpn; 1151 const unsigned char *selected; 1152 unsigned char selected_len; 1153 int r; 1154 1155 if (s->ctx->alpn_select_cb == NULL) 1156 return (1); 1157 1158 if (data_len < 2) 1159 goto parse_error; 1160 1161 CBS_init(&cbs, data, data_len); 1162 1163 /* 1164 * data should contain a uint16 length followed by a series of 8-bit, 1165 * length-prefixed strings. 1166 */ 1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1168 CBS_len(&alpn) < 2 || 1169 CBS_len(&cbs) != 0) 1170 goto parse_error; 1171 1172 /* Validate data before sending to callback. */ 1173 CBS_dup(&alpn, &proto_name_list); 1174 while (CBS_len(&proto_name_list) > 0) { 1175 CBS proto_name; 1176 1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1178 CBS_len(&proto_name) == 0) 1179 goto parse_error; 1180 } 1181 1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1184 if (r == SSL_TLSEXT_ERR_OK) { 1185 free(s->s3->alpn_selected); 1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1187 *al = SSL_AD_INTERNAL_ERROR; 1188 return (-1); 1189 } 1190 memcpy(s->s3->alpn_selected, selected, selected_len); 1191 s->s3->alpn_selected_len = selected_len; 1192 } 1193 1194 return (1); 1195 1196 parse_error: 1197 *al = SSL_AD_DECODE_ERROR; 1198 return (0); 1199 } 1200 1201 int 1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1203 int n, int *al) 1204 { 1205 unsigned short type; 1206 unsigned short size; 1207 unsigned short len; 1208 unsigned char *data = *p; 1209 unsigned char *end = d + n; 1210 int renegotiate_seen = 0; 1211 int sigalg_seen = 0; 1212 1213 s->servername_done = 0; 1214 s->tlsext_status_type = -1; 1215 s->s3->next_proto_neg_seen = 0; 1216 free(s->s3->alpn_selected); 1217 s->s3->alpn_selected = NULL; 1218 s->srtp_profile = NULL; 1219 1220 if (data == end) 1221 goto ri_check; 1222 1223 if (end - data < 2) 1224 goto err; 1225 n2s(data, len); 1226 1227 if (end - data != len) 1228 goto err; 1229 1230 while (end - data >= 4) { 1231 n2s(data, type); 1232 n2s(data, size); 1233 1234 if (end - data < size) 1235 goto err; 1236 1237 if (s->tlsext_debug_cb) 1238 s->tlsext_debug_cb(s, 0, type, data, size, 1239 s->tlsext_debug_arg); 1240 /* The servername extension is treated as follows: 1241 1242 - Only the hostname type is supported with a maximum length of 255. 1243 - The servername is rejected if too long or if it contains zeros, 1244 in which case an fatal alert is generated. 1245 - The servername field is maintained together with the session cache. 1246 - When a session is resumed, the servername call back invoked in order 1247 to allow the application to position itself to the right context. 1248 - The servername is acknowledged if it is new for a session or when 1249 it is identical to a previously used for the same session. 1250 Applications can control the behaviour. They can at any time 1251 set a 'desirable' servername for a new SSL object. This can be the 1252 case for example with HTTPS when a Host: header field is received and 1253 a renegotiation is requested. In this case, a possible servername 1254 presented in the new client hello is only acknowledged if it matches 1255 the value of the Host: field. 1256 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1257 if they provide for changing an explicit servername context for the session, 1258 i.e. when the session has been established with a servername extension. 1259 - On session reconnect, the servername extension may be absent. 1260 1261 */ 1262 1263 if (type == TLSEXT_TYPE_server_name) { 1264 unsigned char *sdata; 1265 int servname_type; 1266 int dsize; 1267 1268 if (size < 2) { 1269 *al = SSL_AD_DECODE_ERROR; 1270 return 0; 1271 } 1272 n2s(data, dsize); 1273 1274 size -= 2; 1275 if (dsize > size) { 1276 *al = SSL_AD_DECODE_ERROR; 1277 return 0; 1278 } 1279 1280 sdata = data; 1281 while (dsize > 3) { 1282 servname_type = *(sdata++); 1283 1284 n2s(sdata, len); 1285 dsize -= 3; 1286 1287 if (len > dsize) { 1288 *al = SSL_AD_DECODE_ERROR; 1289 return 0; 1290 } 1291 if (s->servername_done == 0) 1292 switch (servname_type) { 1293 case TLSEXT_NAMETYPE_host_name: 1294 if (!s->hit) { 1295 if (s->session->tlsext_hostname) { 1296 *al = SSL_AD_DECODE_ERROR; 1297 return 0; 1298 } 1299 if (len > TLSEXT_MAXLEN_host_name) { 1300 *al = TLS1_AD_UNRECOGNIZED_NAME; 1301 return 0; 1302 } 1303 if ((s->session->tlsext_hostname = 1304 malloc(len + 1)) == NULL) { 1305 *al = TLS1_AD_INTERNAL_ERROR; 1306 return 0; 1307 } 1308 memcpy(s->session->tlsext_hostname, sdata, len); 1309 s->session->tlsext_hostname[len] = '\0'; 1310 if (strlen(s->session->tlsext_hostname) != len) { 1311 free(s->session->tlsext_hostname); 1312 s->session->tlsext_hostname = NULL; 1313 *al = TLS1_AD_UNRECOGNIZED_NAME; 1314 return 0; 1315 } 1316 s->servername_done = 1; 1317 1318 1319 } else { 1320 s->servername_done = s->session->tlsext_hostname && 1321 strlen(s->session->tlsext_hostname) == len && 1322 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1323 } 1324 break; 1325 1326 default: 1327 break; 1328 } 1329 1330 dsize -= len; 1331 } 1332 if (dsize != 0) { 1333 *al = SSL_AD_DECODE_ERROR; 1334 return 0; 1335 } 1336 1337 } 1338 1339 else if (type == TLSEXT_TYPE_ec_point_formats && 1340 s->version != DTLS1_VERSION) { 1341 unsigned char *sdata = data; 1342 size_t formatslen; 1343 uint8_t *formats; 1344 1345 if (size < 1) { 1346 *al = TLS1_AD_DECODE_ERROR; 1347 return 0; 1348 } 1349 formatslen = *(sdata++); 1350 if (formatslen != size - 1) { 1351 *al = TLS1_AD_DECODE_ERROR; 1352 return 0; 1353 } 1354 1355 if (!s->hit) { 1356 free(s->session->tlsext_ecpointformatlist); 1357 s->session->tlsext_ecpointformatlist = NULL; 1358 s->session->tlsext_ecpointformatlist_length = 0; 1359 1360 if ((formats = reallocarray(NULL, formatslen, 1361 sizeof(uint8_t))) == NULL) { 1362 *al = TLS1_AD_INTERNAL_ERROR; 1363 return 0; 1364 } 1365 memcpy(formats, sdata, formatslen); 1366 s->session->tlsext_ecpointformatlist = formats; 1367 s->session->tlsext_ecpointformatlist_length = 1368 formatslen; 1369 } 1370 } else if (type == TLSEXT_TYPE_elliptic_curves && 1371 s->version != DTLS1_VERSION) { 1372 unsigned char *sdata = data; 1373 size_t curveslen, i; 1374 uint16_t *curves; 1375 1376 if (size < 2) { 1377 *al = TLS1_AD_DECODE_ERROR; 1378 return 0; 1379 } 1380 n2s(sdata, curveslen); 1381 if (curveslen != size - 2 || curveslen % 2 != 0) { 1382 *al = TLS1_AD_DECODE_ERROR; 1383 return 0; 1384 } 1385 curveslen /= 2; 1386 1387 if (!s->hit) { 1388 if (s->session->tlsext_ellipticcurvelist) { 1389 *al = TLS1_AD_DECODE_ERROR; 1390 return 0; 1391 } 1392 s->session->tlsext_ellipticcurvelist_length = 0; 1393 if ((curves = reallocarray(NULL, curveslen, 1394 sizeof(uint16_t))) == NULL) { 1395 *al = TLS1_AD_INTERNAL_ERROR; 1396 return 0; 1397 } 1398 for (i = 0; i < curveslen; i++) 1399 n2s(sdata, curves[i]); 1400 s->session->tlsext_ellipticcurvelist = curves; 1401 s->session->tlsext_ellipticcurvelist_length = curveslen; 1402 } 1403 } 1404 else if (type == TLSEXT_TYPE_session_ticket) { 1405 if (s->tls_session_ticket_ext_cb && 1406 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1407 *al = TLS1_AD_INTERNAL_ERROR; 1408 return 0; 1409 } 1410 } else if (type == TLSEXT_TYPE_renegotiate) { 1411 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1412 return 0; 1413 renegotiate_seen = 1; 1414 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1415 int dsize; 1416 if (sigalg_seen || size < 2) { 1417 *al = SSL_AD_DECODE_ERROR; 1418 return 0; 1419 } 1420 sigalg_seen = 1; 1421 n2s(data, dsize); 1422 size -= 2; 1423 if (dsize != size || dsize & 1) { 1424 *al = SSL_AD_DECODE_ERROR; 1425 return 0; 1426 } 1427 if (!tls1_process_sigalgs(s, data, dsize)) { 1428 *al = SSL_AD_DECODE_ERROR; 1429 return 0; 1430 } 1431 } else if (type == TLSEXT_TYPE_status_request && 1432 s->version != DTLS1_VERSION) { 1433 1434 if (size < 5) { 1435 *al = SSL_AD_DECODE_ERROR; 1436 return 0; 1437 } 1438 1439 s->tlsext_status_type = *data++; 1440 size--; 1441 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1442 const unsigned char *sdata; 1443 int dsize; 1444 /* Read in responder_id_list */ 1445 n2s(data, dsize); 1446 size -= 2; 1447 if (dsize > size ) { 1448 *al = SSL_AD_DECODE_ERROR; 1449 return 0; 1450 } 1451 while (dsize > 0) { 1452 OCSP_RESPID *id; 1453 int idsize; 1454 if (dsize < 4) { 1455 *al = SSL_AD_DECODE_ERROR; 1456 return 0; 1457 } 1458 n2s(data, idsize); 1459 dsize -= 2 + idsize; 1460 size -= 2 + idsize; 1461 if (dsize < 0) { 1462 *al = SSL_AD_DECODE_ERROR; 1463 return 0; 1464 } 1465 sdata = data; 1466 data += idsize; 1467 id = d2i_OCSP_RESPID(NULL, 1468 &sdata, idsize); 1469 if (!id) { 1470 *al = SSL_AD_DECODE_ERROR; 1471 return 0; 1472 } 1473 if (data != sdata) { 1474 OCSP_RESPID_free(id); 1475 *al = SSL_AD_DECODE_ERROR; 1476 return 0; 1477 } 1478 if (!s->tlsext_ocsp_ids && 1479 !(s->tlsext_ocsp_ids = 1480 sk_OCSP_RESPID_new_null())) { 1481 OCSP_RESPID_free(id); 1482 *al = SSL_AD_INTERNAL_ERROR; 1483 return 0; 1484 } 1485 if (!sk_OCSP_RESPID_push( 1486 s->tlsext_ocsp_ids, id)) { 1487 OCSP_RESPID_free(id); 1488 *al = SSL_AD_INTERNAL_ERROR; 1489 return 0; 1490 } 1491 } 1492 1493 /* Read in request_extensions */ 1494 if (size < 2) { 1495 *al = SSL_AD_DECODE_ERROR; 1496 return 0; 1497 } 1498 n2s(data, dsize); 1499 size -= 2; 1500 if (dsize != size) { 1501 *al = SSL_AD_DECODE_ERROR; 1502 return 0; 1503 } 1504 sdata = data; 1505 if (dsize > 0) { 1506 if (s->tlsext_ocsp_exts) { 1507 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1508 X509_EXTENSION_free); 1509 } 1510 1511 s->tlsext_ocsp_exts = 1512 d2i_X509_EXTENSIONS(NULL, 1513 &sdata, dsize); 1514 if (!s->tlsext_ocsp_exts || 1515 (data + dsize != sdata)) { 1516 *al = SSL_AD_DECODE_ERROR; 1517 return 0; 1518 } 1519 } 1520 } else { 1521 /* We don't know what to do with any other type 1522 * so ignore it. 1523 */ 1524 s->tlsext_status_type = -1; 1525 } 1526 } 1527 else if (type == TLSEXT_TYPE_next_proto_neg && 1528 s->s3->tmp.finish_md_len == 0 && 1529 s->s3->alpn_selected == NULL) { 1530 /* We shouldn't accept this extension on a 1531 * renegotiation. 1532 * 1533 * s->new_session will be set on renegotiation, but we 1534 * probably shouldn't rely that it couldn't be set on 1535 * the initial renegotation too in certain cases (when 1536 * there's some other reason to disallow resuming an 1537 * earlier session -- the current code won't be doing 1538 * anything like that, but this might change). 1539 1540 * A valid sign that there's been a previous handshake 1541 * in this connection is if s->s3->tmp.finish_md_len > 1542 * 0. (We are talking about a check that will happen 1543 * in the Hello protocol round, well before a new 1544 * Finished message could have been computed.) */ 1545 s->s3->next_proto_neg_seen = 1; 1546 } 1547 else if (type == 1548 TLSEXT_TYPE_application_layer_protocol_negotiation && 1549 s->ctx->alpn_select_cb != NULL && 1550 s->s3->tmp.finish_md_len == 0) { 1551 if (tls1_alpn_handle_client_hello(s, data, 1552 size, al) != 1) 1553 return (0); 1554 /* ALPN takes precedence over NPN. */ 1555 s->s3->next_proto_neg_seen = 0; 1556 } 1557 1558 /* session ticket processed earlier */ 1559 #ifndef OPENSSL_NO_SRTP 1560 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1561 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1562 return 0; 1563 } 1564 #endif 1565 1566 data += size; 1567 } 1568 1569 /* Spurious data on the end */ 1570 if (data != end) 1571 goto err; 1572 1573 *p = data; 1574 1575 ri_check: 1576 1577 /* Need RI if renegotiating */ 1578 1579 if (!renegotiate_seen && s->renegotiate) { 1580 *al = SSL_AD_HANDSHAKE_FAILURE; 1581 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1582 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1583 return 0; 1584 } 1585 1586 return 1; 1587 1588 err: 1589 *al = SSL_AD_DECODE_ERROR; 1590 return 0; 1591 } 1592 1593 /* 1594 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1595 * elements of zero length are allowed and the set of elements must exactly fill 1596 * the length of the block. 1597 */ 1598 static char 1599 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1600 { 1601 CBS npn, value; 1602 1603 CBS_init(&npn, d, len); 1604 while (CBS_len(&npn) > 0) { 1605 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1606 CBS_len(&value) == 0) 1607 return 0; 1608 } 1609 return 1; 1610 } 1611 1612 int 1613 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1614 int n, int *al) 1615 { 1616 unsigned short type; 1617 unsigned short size; 1618 unsigned short len; 1619 unsigned char *data = *p; 1620 unsigned char *end = d + n; 1621 int tlsext_servername = 0; 1622 int renegotiate_seen = 0; 1623 1624 s->s3->next_proto_neg_seen = 0; 1625 free(s->s3->alpn_selected); 1626 s->s3->alpn_selected = NULL; 1627 1628 if (data == end) 1629 goto ri_check; 1630 1631 if (end - data < 2) 1632 goto err; 1633 n2s(data, len); 1634 1635 if (end - data != len) 1636 goto err; 1637 1638 while (end - data >= 4) { 1639 n2s(data, type); 1640 n2s(data, size); 1641 1642 if (end - data < size) 1643 goto err; 1644 1645 if (s->tlsext_debug_cb) 1646 s->tlsext_debug_cb(s, 1, type, data, size, 1647 s->tlsext_debug_arg); 1648 1649 if (type == TLSEXT_TYPE_server_name) { 1650 if (s->tlsext_hostname == NULL || size > 0) { 1651 *al = TLS1_AD_UNRECOGNIZED_NAME; 1652 return 0; 1653 } 1654 tlsext_servername = 1; 1655 1656 } 1657 else if (type == TLSEXT_TYPE_ec_point_formats && 1658 s->version != DTLS1_VERSION) { 1659 unsigned char *sdata = data; 1660 size_t formatslen; 1661 uint8_t *formats; 1662 1663 if (size < 1) { 1664 *al = TLS1_AD_DECODE_ERROR; 1665 return 0; 1666 } 1667 formatslen = *(sdata++); 1668 if (formatslen != size - 1) { 1669 *al = TLS1_AD_DECODE_ERROR; 1670 return 0; 1671 } 1672 1673 if (!s->hit) { 1674 free(s->session->tlsext_ecpointformatlist); 1675 s->session->tlsext_ecpointformatlist = NULL; 1676 s->session->tlsext_ecpointformatlist_length = 0; 1677 1678 if ((formats = reallocarray(NULL, formatslen, 1679 sizeof(uint8_t))) == NULL) { 1680 *al = TLS1_AD_INTERNAL_ERROR; 1681 return 0; 1682 } 1683 memcpy(formats, sdata, formatslen); 1684 s->session->tlsext_ecpointformatlist = formats; 1685 s->session->tlsext_ecpointformatlist_length = 1686 formatslen; 1687 } 1688 } 1689 else if (type == TLSEXT_TYPE_session_ticket) { 1690 if (s->tls_session_ticket_ext_cb && 1691 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1692 *al = TLS1_AD_INTERNAL_ERROR; 1693 return 0; 1694 } 1695 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1696 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1697 return 0; 1698 } 1699 s->tlsext_ticket_expected = 1; 1700 } 1701 else if (type == TLSEXT_TYPE_status_request && 1702 s->version != DTLS1_VERSION) { 1703 /* MUST be empty and only sent if we've requested 1704 * a status request message. 1705 */ 1706 if ((s->tlsext_status_type == -1) || (size > 0)) { 1707 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1708 return 0; 1709 } 1710 /* Set flag to expect CertificateStatus message */ 1711 s->tlsext_status_expected = 1; 1712 } 1713 else if (type == TLSEXT_TYPE_next_proto_neg && 1714 s->s3->tmp.finish_md_len == 0) { 1715 unsigned char *selected; 1716 unsigned char selected_len; 1717 1718 /* We must have requested it. */ 1719 if (s->ctx->next_proto_select_cb == NULL) { 1720 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1721 return 0; 1722 } 1723 /* The data must be valid */ 1724 if (!ssl_next_proto_validate(data, size)) { 1725 *al = TLS1_AD_DECODE_ERROR; 1726 return 0; 1727 } 1728 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1729 *al = TLS1_AD_INTERNAL_ERROR; 1730 return 0; 1731 } 1732 s->next_proto_negotiated = malloc(selected_len); 1733 if (!s->next_proto_negotiated) { 1734 *al = TLS1_AD_INTERNAL_ERROR; 1735 return 0; 1736 } 1737 memcpy(s->next_proto_negotiated, selected, selected_len); 1738 s->next_proto_negotiated_len = selected_len; 1739 s->s3->next_proto_neg_seen = 1; 1740 } 1741 else if (type == 1742 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1743 unsigned int len; 1744 1745 /* We must have requested it. */ 1746 if (s->alpn_client_proto_list == NULL) { 1747 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1748 return 0; 1749 } 1750 if (size < 4) { 1751 *al = TLS1_AD_DECODE_ERROR; 1752 return (0); 1753 } 1754 1755 /* The extension data consists of: 1756 * uint16 list_length 1757 * uint8 proto_length; 1758 * uint8 proto[proto_length]; */ 1759 len = ((unsigned int)data[0]) << 8 | 1760 ((unsigned int)data[1]); 1761 if (len != (unsigned int)size - 2) { 1762 *al = TLS1_AD_DECODE_ERROR; 1763 return (0); 1764 } 1765 len = data[2]; 1766 if (len != (unsigned int)size - 3) { 1767 *al = TLS1_AD_DECODE_ERROR; 1768 return (0); 1769 } 1770 free(s->s3->alpn_selected); 1771 s->s3->alpn_selected = malloc(len); 1772 if (s->s3->alpn_selected == NULL) { 1773 *al = TLS1_AD_INTERNAL_ERROR; 1774 return (0); 1775 } 1776 memcpy(s->s3->alpn_selected, data + 3, len); 1777 s->s3->alpn_selected_len = len; 1778 1779 } else if (type == TLSEXT_TYPE_renegotiate) { 1780 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1781 return 0; 1782 renegotiate_seen = 1; 1783 } 1784 #ifndef OPENSSL_NO_SRTP 1785 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1786 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1787 size, al)) 1788 return 0; 1789 } 1790 #endif 1791 1792 data += size; 1793 1794 } 1795 1796 if (data != d + n) { 1797 *al = SSL_AD_DECODE_ERROR; 1798 return 0; 1799 } 1800 1801 if (!s->hit && tlsext_servername == 1) { 1802 if (s->tlsext_hostname) { 1803 if (s->session->tlsext_hostname == NULL) { 1804 s->session->tlsext_hostname = 1805 strdup(s->tlsext_hostname); 1806 1807 if (!s->session->tlsext_hostname) { 1808 *al = SSL_AD_UNRECOGNIZED_NAME; 1809 return 0; 1810 } 1811 } else { 1812 *al = SSL_AD_DECODE_ERROR; 1813 return 0; 1814 } 1815 } 1816 } 1817 1818 *p = data; 1819 1820 ri_check: 1821 1822 /* Determine if we need to see RI. Strictly speaking if we want to 1823 * avoid an attack we should *always* see RI even on initial server 1824 * hello because the client doesn't see any renegotiation during an 1825 * attack. However this would mean we could not connect to any server 1826 * which doesn't support RI so for the immediate future tolerate RI 1827 * absence on initial connect only. 1828 */ 1829 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1830 *al = SSL_AD_HANDSHAKE_FAILURE; 1831 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1832 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1833 return 0; 1834 } 1835 1836 return 1; 1837 1838 err: 1839 *al = SSL_AD_DECODE_ERROR; 1840 return 0; 1841 } 1842 1843 int 1844 ssl_check_clienthello_tlsext_early(SSL *s) 1845 { 1846 int ret = SSL_TLSEXT_ERR_NOACK; 1847 int al = SSL_AD_UNRECOGNIZED_NAME; 1848 1849 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1850 * ssl3_choose_cipher in s3_lib.c. 1851 */ 1852 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1853 * ssl3_choose_cipher in s3_lib.c. 1854 */ 1855 1856 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1857 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1858 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1859 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1860 1861 switch (ret) { 1862 case SSL_TLSEXT_ERR_ALERT_FATAL: 1863 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1864 return -1; 1865 case SSL_TLSEXT_ERR_ALERT_WARNING: 1866 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1867 return 1; 1868 case SSL_TLSEXT_ERR_NOACK: 1869 s->servername_done = 0; 1870 default: 1871 return 1; 1872 } 1873 } 1874 1875 int 1876 ssl_check_clienthello_tlsext_late(SSL *s) 1877 { 1878 int ret = SSL_TLSEXT_ERR_OK; 1879 int al = 0; /* XXX gcc3 */ 1880 1881 /* If status request then ask callback what to do. 1882 * Note: this must be called after servername callbacks in case 1883 * the certificate has changed, and must be called after the cipher 1884 * has been chosen because this may influence which certificate is sent 1885 */ 1886 if ((s->tlsext_status_type != -1) && 1887 s->ctx && s->ctx->tlsext_status_cb) { 1888 int r; 1889 CERT_PKEY *certpkey; 1890 certpkey = ssl_get_server_send_pkey(s); 1891 /* If no certificate can't return certificate status */ 1892 if (certpkey == NULL) { 1893 s->tlsext_status_expected = 0; 1894 return 1; 1895 } 1896 /* Set current certificate to one we will use so 1897 * SSL_get_certificate et al can pick it up. 1898 */ 1899 s->cert->key = certpkey; 1900 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1901 switch (r) { 1902 /* We don't want to send a status request response */ 1903 case SSL_TLSEXT_ERR_NOACK: 1904 s->tlsext_status_expected = 0; 1905 break; 1906 /* status request response should be sent */ 1907 case SSL_TLSEXT_ERR_OK: 1908 if (s->tlsext_ocsp_resp) 1909 s->tlsext_status_expected = 1; 1910 else 1911 s->tlsext_status_expected = 0; 1912 break; 1913 /* something bad happened */ 1914 case SSL_TLSEXT_ERR_ALERT_FATAL: 1915 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1916 al = SSL_AD_INTERNAL_ERROR; 1917 goto err; 1918 } 1919 } else 1920 s->tlsext_status_expected = 0; 1921 1922 err: 1923 switch (ret) { 1924 case SSL_TLSEXT_ERR_ALERT_FATAL: 1925 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1926 return -1; 1927 case SSL_TLSEXT_ERR_ALERT_WARNING: 1928 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1929 return 1; 1930 default: 1931 return 1; 1932 } 1933 } 1934 1935 int 1936 ssl_check_serverhello_tlsext(SSL *s) 1937 { 1938 int ret = SSL_TLSEXT_ERR_NOACK; 1939 int al = SSL_AD_UNRECOGNIZED_NAME; 1940 1941 /* If we are client and using an elliptic curve cryptography cipher 1942 * suite, then if server returns an EC point formats lists extension 1943 * it must contain uncompressed. 1944 */ 1945 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1946 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1947 if ((s->tlsext_ecpointformatlist != NULL) && 1948 (s->tlsext_ecpointformatlist_length > 0) && 1949 (s->session->tlsext_ecpointformatlist != NULL) && 1950 (s->session->tlsext_ecpointformatlist_length > 0) && 1951 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1952 /* we are using an ECC cipher */ 1953 size_t i; 1954 unsigned char *list; 1955 int found_uncompressed = 0; 1956 list = s->session->tlsext_ecpointformatlist; 1957 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1958 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1959 found_uncompressed = 1; 1960 break; 1961 } 1962 } 1963 if (!found_uncompressed) { 1964 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1965 return -1; 1966 } 1967 } 1968 ret = SSL_TLSEXT_ERR_OK; 1969 1970 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1971 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1972 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1973 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1974 1975 /* If we've requested certificate status and we wont get one 1976 * tell the callback 1977 */ 1978 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1979 s->ctx && s->ctx->tlsext_status_cb) { 1980 int r; 1981 /* Set resp to NULL, resplen to -1 so callback knows 1982 * there is no response. 1983 */ 1984 free(s->tlsext_ocsp_resp); 1985 s->tlsext_ocsp_resp = NULL; 1986 s->tlsext_ocsp_resplen = -1; 1987 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1988 if (r == 0) { 1989 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1990 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 } 1992 if (r < 0) { 1993 al = SSL_AD_INTERNAL_ERROR; 1994 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1995 } 1996 } 1997 1998 switch (ret) { 1999 case SSL_TLSEXT_ERR_ALERT_FATAL: 2000 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2001 2002 return -1; 2003 case SSL_TLSEXT_ERR_ALERT_WARNING: 2004 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2005 2006 return 1; 2007 case SSL_TLSEXT_ERR_NOACK: 2008 s->servername_done = 0; 2009 default: 2010 return 1; 2011 } 2012 } 2013 2014 /* Since the server cache lookup is done early on in the processing of the 2015 * ClientHello, and other operations depend on the result, we need to handle 2016 * any TLS session ticket extension at the same time. 2017 * 2018 * session_id: points at the session ID in the ClientHello. This code will 2019 * read past the end of this in order to parse out the session ticket 2020 * extension, if any. 2021 * len: the length of the session ID. 2022 * limit: a pointer to the first byte after the ClientHello. 2023 * ret: (output) on return, if a ticket was decrypted, then this is set to 2024 * point to the resulting session. 2025 * 2026 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2027 * ciphersuite, in which case we have no use for session tickets and one will 2028 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2029 * 2030 * Returns: 2031 * -1: fatal error, either from parsing or decrypting the ticket. 2032 * 0: no ticket was found (or was ignored, based on settings). 2033 * 1: a zero length extension was found, indicating that the client supports 2034 * session tickets but doesn't currently have one to offer. 2035 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2036 * couldn't be decrypted because of a non-fatal error. 2037 * 3: a ticket was successfully decrypted and *ret was set. 2038 * 2039 * Side effects: 2040 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2041 * a new session ticket to the client because the client indicated support 2042 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2043 * a session ticket or we couldn't use the one it gave us, or if 2044 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2045 * Otherwise, s->tlsext_ticket_expected is set to 0. 2046 */ 2047 int 2048 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2049 const unsigned char *limit, SSL_SESSION **ret) 2050 { 2051 /* Point after session ID in client hello */ 2052 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2053 2054 *ret = NULL; 2055 s->tlsext_ticket_expected = 0; 2056 2057 /* If tickets disabled behave as if no ticket present 2058 * to permit stateful resumption. 2059 */ 2060 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2061 return 0; 2062 if (!limit) 2063 return 0; 2064 2065 if (limit < session) 2066 return -1; 2067 2068 CBS_init(&session_id, session, limit - session); 2069 2070 /* Skip past the session id */ 2071 if (!CBS_skip(&session_id, session_len)) 2072 return -1; 2073 2074 /* Skip past DTLS cookie */ 2075 if (SSL_IS_DTLS(s)) { 2076 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2077 return -1; 2078 } 2079 2080 /* Skip past cipher list */ 2081 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2082 return -1; 2083 2084 /* Skip past compression algorithm list */ 2085 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2086 return -1; 2087 2088 /* Now at start of extensions */ 2089 if (CBS_len(&session_id) == 0) 2090 return 0; 2091 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2092 return -1; 2093 2094 while (CBS_len(&extensions) > 0) { 2095 CBS ext_data; 2096 uint16_t ext_type; 2097 2098 if (!CBS_get_u16(&extensions, &ext_type) || 2099 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2100 return -1; 2101 2102 if (ext_type == TLSEXT_TYPE_session_ticket) { 2103 int r; 2104 if (CBS_len(&ext_data) == 0) { 2105 /* The client will accept a ticket but doesn't 2106 * currently have one. */ 2107 s->tlsext_ticket_expected = 1; 2108 return 1; 2109 } 2110 if (s->tls_session_secret_cb) { 2111 /* Indicate that the ticket couldn't be 2112 * decrypted rather than generating the session 2113 * from ticket now, trigger abbreviated 2114 * handshake based on external mechanism to 2115 * calculate the master secret later. */ 2116 return 2; 2117 } 2118 2119 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2120 CBS_len(&ext_data), session, session_len, ret); 2121 2122 switch (r) { 2123 case 2: /* ticket couldn't be decrypted */ 2124 s->tlsext_ticket_expected = 1; 2125 return 2; 2126 case 3: /* ticket was decrypted */ 2127 return r; 2128 case 4: /* ticket decrypted but need to renew */ 2129 s->tlsext_ticket_expected = 1; 2130 return 3; 2131 default: /* fatal error */ 2132 return -1; 2133 } 2134 } 2135 } 2136 return 0; 2137 } 2138 2139 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2140 * 2141 * etick: points to the body of the session ticket extension. 2142 * eticklen: the length of the session tickets extenion. 2143 * sess_id: points at the session ID. 2144 * sesslen: the length of the session ID. 2145 * psess: (output) on return, if a ticket was decrypted, then this is set to 2146 * point to the resulting session. 2147 * 2148 * Returns: 2149 * -1: fatal error, either from parsing or decrypting the ticket. 2150 * 2: the ticket couldn't be decrypted. 2151 * 3: a ticket was successfully decrypted and *psess was set. 2152 * 4: same as 3, but the ticket needs to be renewed. 2153 */ 2154 static int 2155 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2156 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2157 { 2158 SSL_SESSION *sess; 2159 unsigned char *sdec; 2160 const unsigned char *p; 2161 int slen, mlen, renew_ticket = 0; 2162 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2163 HMAC_CTX hctx; 2164 EVP_CIPHER_CTX ctx; 2165 SSL_CTX *tctx = s->initial_ctx; 2166 /* Need at least keyname + iv + some encrypted data */ 2167 if (eticklen < 48) 2168 return 2; 2169 /* Initialize session ticket encryption and HMAC contexts */ 2170 HMAC_CTX_init(&hctx); 2171 EVP_CIPHER_CTX_init(&ctx); 2172 if (tctx->tlsext_ticket_key_cb) { 2173 unsigned char *nctick = (unsigned char *)etick; 2174 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2175 &ctx, &hctx, 0); 2176 if (rv < 0) { 2177 EVP_CIPHER_CTX_cleanup(&ctx); 2178 return -1; 2179 } 2180 if (rv == 0) { 2181 EVP_CIPHER_CTX_cleanup(&ctx); 2182 return 2; 2183 } 2184 if (rv == 2) 2185 renew_ticket = 1; 2186 } else { 2187 /* Check key name matches */ 2188 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2189 return 2; 2190 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2191 tlsext_tick_md(), NULL); 2192 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2193 tctx->tlsext_tick_aes_key, etick + 16); 2194 } 2195 /* Attempt to process session ticket, first conduct sanity and 2196 * integrity checks on ticket. 2197 */ 2198 mlen = HMAC_size(&hctx); 2199 if (mlen < 0) { 2200 EVP_CIPHER_CTX_cleanup(&ctx); 2201 return -1; 2202 } 2203 eticklen -= mlen; 2204 /* Check HMAC of encrypted ticket */ 2205 HMAC_Update(&hctx, etick, eticklen); 2206 HMAC_Final(&hctx, tick_hmac, NULL); 2207 HMAC_CTX_cleanup(&hctx); 2208 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2209 EVP_CIPHER_CTX_cleanup(&ctx); 2210 return 2; 2211 } 2212 /* Attempt to decrypt session data */ 2213 /* Move p after IV to start of encrypted ticket, update length */ 2214 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2215 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2216 sdec = malloc(eticklen); 2217 if (!sdec) { 2218 EVP_CIPHER_CTX_cleanup(&ctx); 2219 return -1; 2220 } 2221 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2222 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2223 free(sdec); 2224 EVP_CIPHER_CTX_cleanup(&ctx); 2225 return 2; 2226 } 2227 slen += mlen; 2228 EVP_CIPHER_CTX_cleanup(&ctx); 2229 p = sdec; 2230 2231 sess = d2i_SSL_SESSION(NULL, &p, slen); 2232 free(sdec); 2233 if (sess) { 2234 /* The session ID, if non-empty, is used by some clients to 2235 * detect that the ticket has been accepted. So we copy it to 2236 * the session structure. If it is empty set length to zero 2237 * as required by standard. 2238 */ 2239 if (sesslen) 2240 memcpy(sess->session_id, sess_id, sesslen); 2241 sess->session_id_length = sesslen; 2242 *psess = sess; 2243 if (renew_ticket) 2244 return 4; 2245 else 2246 return 3; 2247 } 2248 ERR_clear_error(); 2249 /* For session parse failure, indicate that we need to send a new 2250 * ticket. */ 2251 return 2; 2252 } 2253 2254 /* Tables to translate from NIDs to TLS v1.2 ids */ 2255 2256 typedef struct { 2257 int nid; 2258 int id; 2259 } tls12_lookup; 2260 2261 static tls12_lookup tls12_md[] = { 2262 {NID_md5, TLSEXT_hash_md5}, 2263 {NID_sha1, TLSEXT_hash_sha1}, 2264 {NID_sha224, TLSEXT_hash_sha224}, 2265 {NID_sha256, TLSEXT_hash_sha256}, 2266 {NID_sha384, TLSEXT_hash_sha384}, 2267 {NID_sha512, TLSEXT_hash_sha512}, 2268 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2269 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2270 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2271 }; 2272 2273 static tls12_lookup tls12_sig[] = { 2274 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2275 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2276 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2277 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2278 }; 2279 2280 static int 2281 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2282 { 2283 size_t i; 2284 for (i = 0; i < tlen; i++) { 2285 if (table[i].nid == nid) 2286 return table[i].id; 2287 } 2288 return -1; 2289 } 2290 2291 int 2292 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2293 { 2294 int sig_id, md_id; 2295 if (!md) 2296 return 0; 2297 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2298 sizeof(tls12_md) / sizeof(tls12_lookup)); 2299 if (md_id == -1) 2300 return 0; 2301 sig_id = tls12_get_sigid(pk); 2302 if (sig_id == -1) 2303 return 0; 2304 p[0] = (unsigned char)md_id; 2305 p[1] = (unsigned char)sig_id; 2306 return 1; 2307 } 2308 2309 int 2310 tls12_get_sigid(const EVP_PKEY *pk) 2311 { 2312 return tls12_find_id(pk->type, tls12_sig, 2313 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2314 } 2315 2316 const EVP_MD * 2317 tls12_get_hash(unsigned char hash_alg) 2318 { 2319 switch (hash_alg) { 2320 case TLSEXT_hash_sha1: 2321 return EVP_sha1(); 2322 case TLSEXT_hash_sha224: 2323 return EVP_sha224(); 2324 case TLSEXT_hash_sha256: 2325 return EVP_sha256(); 2326 case TLSEXT_hash_sha384: 2327 return EVP_sha384(); 2328 case TLSEXT_hash_sha512: 2329 return EVP_sha512(); 2330 #ifndef OPENSSL_NO_GOST 2331 case TLSEXT_hash_gost94: 2332 return EVP_gostr341194(); 2333 case TLSEXT_hash_streebog_256: 2334 return EVP_streebog256(); 2335 case TLSEXT_hash_streebog_512: 2336 return EVP_streebog512(); 2337 #endif 2338 default: 2339 return NULL; 2340 } 2341 } 2342 2343 /* Set preferred digest for each key type */ 2344 2345 int 2346 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2347 { 2348 int idx; 2349 const EVP_MD *md; 2350 CERT *c = s->cert; 2351 CBS cbs; 2352 2353 /* Extension ignored for inappropriate versions */ 2354 if (!SSL_USE_SIGALGS(s)) 2355 return 1; 2356 2357 /* Should never happen */ 2358 if (!c || dsize < 0) 2359 return 0; 2360 2361 CBS_init(&cbs, data, dsize); 2362 2363 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2364 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2365 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2366 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2367 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2368 2369 while (CBS_len(&cbs) > 0) { 2370 uint8_t hash_alg, sig_alg; 2371 2372 if (!CBS_get_u8(&cbs, &hash_alg) || 2373 !CBS_get_u8(&cbs, &sig_alg)) { 2374 /* Should never happen */ 2375 return 0; 2376 } 2377 2378 switch (sig_alg) { 2379 case TLSEXT_signature_rsa: 2380 idx = SSL_PKEY_RSA_SIGN; 2381 break; 2382 case TLSEXT_signature_dsa: 2383 idx = SSL_PKEY_DSA_SIGN; 2384 break; 2385 case TLSEXT_signature_ecdsa: 2386 idx = SSL_PKEY_ECC; 2387 break; 2388 case TLSEXT_signature_gostr01: 2389 case TLSEXT_signature_gostr12_256: 2390 case TLSEXT_signature_gostr12_512: 2391 idx = SSL_PKEY_GOST01; 2392 break; 2393 default: 2394 continue; 2395 } 2396 2397 if (c->pkeys[idx].digest == NULL) { 2398 md = tls12_get_hash(hash_alg); 2399 if (md) { 2400 c->pkeys[idx].digest = md; 2401 if (idx == SSL_PKEY_RSA_SIGN) 2402 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2403 } 2404 } 2405 2406 } 2407 2408 /* Set any remaining keys to default values. NOTE: if alg is not 2409 * supported it stays as NULL. 2410 */ 2411 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2412 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2413 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2414 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2415 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2416 } 2417 if (!c->pkeys[SSL_PKEY_ECC].digest) 2418 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2419 #ifndef OPENSSL_NO_GOST 2420 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2421 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2422 #endif 2423 return 1; 2424 } 2425