1 /* $OpenBSD: t1_lib.c,v 1.94 2016/11/05 08:26:37 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 #include "bytestring.h" 121 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125 126 SSL3_ENC_METHOD TLSv1_enc_data = { 127 .enc = tls1_enc, 128 .mac = tls1_mac, 129 .setup_key_block = tls1_setup_key_block, 130 .generate_master_secret = tls1_generate_master_secret, 131 .change_cipher_state = tls1_change_cipher_state, 132 .final_finish_mac = tls1_final_finish_mac, 133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 134 .cert_verify_mac = tls1_cert_verify_mac, 135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 139 .alert_value = tls1_alert_code, 140 .export_keying_material = tls1_export_keying_material, 141 .enc_flags = 0, 142 }; 143 144 SSL3_ENC_METHOD TLSv1_1_enc_data = { 145 .enc = tls1_enc, 146 .mac = tls1_mac, 147 .setup_key_block = tls1_setup_key_block, 148 .generate_master_secret = tls1_generate_master_secret, 149 .change_cipher_state = tls1_change_cipher_state, 150 .final_finish_mac = tls1_final_finish_mac, 151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 152 .cert_verify_mac = tls1_cert_verify_mac, 153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 157 .alert_value = tls1_alert_code, 158 .export_keying_material = tls1_export_keying_material, 159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 160 }; 161 162 SSL3_ENC_METHOD TLSv1_2_enc_data = { 163 .enc = tls1_enc, 164 .mac = tls1_mac, 165 .setup_key_block = tls1_setup_key_block, 166 .generate_master_secret = tls1_generate_master_secret, 167 .change_cipher_state = tls1_change_cipher_state, 168 .final_finish_mac = tls1_final_finish_mac, 169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH, 170 .cert_verify_mac = tls1_cert_verify_mac, 171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, 172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, 173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST, 174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, 175 .alert_value = tls1_alert_code, 176 .export_keying_material = tls1_export_keying_material, 177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 179 }; 180 181 long 182 tls1_default_timeout(void) 183 { 184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 185 * is way too long for http, the cache would over fill */ 186 return (60 * 60 * 2); 187 } 188 189 int 190 tls1_new(SSL *s) 191 { 192 if (!ssl3_new(s)) 193 return (0); 194 s->method->ssl_clear(s); 195 return (1); 196 } 197 198 void 199 tls1_free(SSL *s) 200 { 201 if (s == NULL) 202 return; 203 204 free(s->tlsext_session_ticket); 205 ssl3_free(s); 206 } 207 208 void 209 tls1_clear(SSL *s) 210 { 211 ssl3_clear(s); 212 s->version = s->method->version; 213 } 214 215 216 static int nid_list[] = { 217 NID_sect163k1, /* sect163k1 (1) */ 218 NID_sect163r1, /* sect163r1 (2) */ 219 NID_sect163r2, /* sect163r2 (3) */ 220 NID_sect193r1, /* sect193r1 (4) */ 221 NID_sect193r2, /* sect193r2 (5) */ 222 NID_sect233k1, /* sect233k1 (6) */ 223 NID_sect233r1, /* sect233r1 (7) */ 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect283k1, /* sect283k1 (9) */ 226 NID_sect283r1, /* sect283r1 (10) */ 227 NID_sect409k1, /* sect409k1 (11) */ 228 NID_sect409r1, /* sect409r1 (12) */ 229 NID_sect571k1, /* sect571k1 (13) */ 230 NID_sect571r1, /* sect571r1 (14) */ 231 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */ 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236 NID_secp224k1, /* secp224k1 (20) */ 237 NID_secp224r1, /* secp224r1 (21) */ 238 NID_secp256k1, /* secp256k1 (22) */ 239 NID_X9_62_prime256v1, /* secp256r1 (23) */ 240 NID_secp384r1, /* secp384r1 (24) */ 241 NID_secp521r1, /* secp521r1 (25) */ 242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ 245 }; 246 247 static const uint8_t ecformats_default[] = { 248 TLSEXT_ECPOINTFORMAT_uncompressed, 249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 251 }; 252 253 static const uint16_t eccurves_default[] = { 254 14, /* sect571r1 (14) */ 255 13, /* sect571k1 (13) */ 256 25, /* secp521r1 (25) */ 257 28, /* brainpool512r1 (28) */ 258 11, /* sect409k1 (11) */ 259 12, /* sect409r1 (12) */ 260 27, /* brainpoolP384r1 (27) */ 261 24, /* secp384r1 (24) */ 262 9, /* sect283k1 (9) */ 263 10, /* sect283r1 (10) */ 264 26, /* brainpoolP256r1 (26) */ 265 22, /* secp256k1 (22) */ 266 23, /* secp256r1 (23) */ 267 8, /* sect239k1 (8) */ 268 6, /* sect233k1 (6) */ 269 7, /* sect233r1 (7) */ 270 20, /* secp224k1 (20) */ 271 21, /* secp224r1 (21) */ 272 4, /* sect193r1 (4) */ 273 5, /* sect193r2 (5) */ 274 18, /* secp192k1 (18) */ 275 19, /* secp192r1 (19) */ 276 1, /* sect163k1 (1) */ 277 2, /* sect163r1 (2) */ 278 3, /* sect163r2 (3) */ 279 15, /* secp160k1 (15) */ 280 16, /* secp160r1 (16) */ 281 17, /* secp160r2 (17) */ 282 }; 283 284 int 285 tls1_ec_curve_id2nid(const uint16_t curve_id) 286 { 287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 288 if ((curve_id < 1) || 289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 290 return 0; 291 return nid_list[curve_id - 1]; 292 } 293 294 uint16_t 295 tls1_ec_nid2curve_id(int nid) 296 { 297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 298 switch (nid) { 299 case NID_sect163k1: /* sect163k1 (1) */ 300 return 1; 301 case NID_sect163r1: /* sect163r1 (2) */ 302 return 2; 303 case NID_sect163r2: /* sect163r2 (3) */ 304 return 3; 305 case NID_sect193r1: /* sect193r1 (4) */ 306 return 4; 307 case NID_sect193r2: /* sect193r2 (5) */ 308 return 5; 309 case NID_sect233k1: /* sect233k1 (6) */ 310 return 6; 311 case NID_sect233r1: /* sect233r1 (7) */ 312 return 7; 313 case NID_sect239k1: /* sect239k1 (8) */ 314 return 8; 315 case NID_sect283k1: /* sect283k1 (9) */ 316 return 9; 317 case NID_sect283r1: /* sect283r1 (10) */ 318 return 10; 319 case NID_sect409k1: /* sect409k1 (11) */ 320 return 11; 321 case NID_sect409r1: /* sect409r1 (12) */ 322 return 12; 323 case NID_sect571k1: /* sect571k1 (13) */ 324 return 13; 325 case NID_sect571r1: /* sect571r1 (14) */ 326 return 14; 327 case NID_secp160k1: /* secp160k1 (15) */ 328 return 15; 329 case NID_secp160r1: /* secp160r1 (16) */ 330 return 16; 331 case NID_secp160r2: /* secp160r2 (17) */ 332 return 17; 333 case NID_secp192k1: /* secp192k1 (18) */ 334 return 18; 335 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 336 return 19; 337 case NID_secp224k1: /* secp224k1 (20) */ 338 return 20; 339 case NID_secp224r1: /* secp224r1 (21) */ 340 return 21; 341 case NID_secp256k1: /* secp256k1 (22) */ 342 return 22; 343 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 344 return 23; 345 case NID_secp384r1: /* secp384r1 (24) */ 346 return 24; 347 case NID_secp521r1: /* secp521r1 (25) */ 348 return 25; 349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 350 return 26; 351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 352 return 27; 353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 354 return 28; 355 default: 356 return 0; 357 } 358 } 359 360 /* 361 * Return the appropriate format list. If client_formats is non-zero, return 362 * the client/session formats. Otherwise return the custom format list if one 363 * exists, or the default formats if a custom list has not been specified. 364 */ 365 static void 366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 367 size_t *pformatslen) 368 { 369 if (client_formats != 0) { 370 *pformats = s->session->tlsext_ecpointformatlist; 371 *pformatslen = s->session->tlsext_ecpointformatlist_length; 372 return; 373 } 374 375 *pformats = s->tlsext_ecpointformatlist; 376 *pformatslen = s->tlsext_ecpointformatlist_length; 377 if (*pformats == NULL) { 378 *pformats = ecformats_default; 379 *pformatslen = sizeof(ecformats_default); 380 } 381 } 382 383 /* 384 * Return the appropriate curve list. If client_curves is non-zero, return 385 * the client/session curves. Otherwise return the custom curve list if one 386 * exists, or the default curves if a custom list has not been specified. 387 */ 388 static void 389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, 390 size_t *pcurveslen) 391 { 392 if (client_curves != 0) { 393 *pcurves = s->session->tlsext_ellipticcurvelist; 394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length; 395 return; 396 } 397 398 *pcurves = s->tlsext_ellipticcurvelist; 399 *pcurveslen = s->tlsext_ellipticcurvelist_length; 400 if (*pcurves == NULL) { 401 *pcurves = eccurves_default; 402 *pcurveslen = sizeof(eccurves_default) / 2; 403 } 404 } 405 406 /* Check that a curve is one of our preferences. */ 407 int 408 tls1_check_curve(SSL *s, const uint16_t curve_id) 409 { 410 const uint16_t *curves; 411 size_t curveslen, i; 412 413 tls1_get_curvelist(s, 0, &curves, &curveslen); 414 415 for (i = 0; i < curveslen; i++) { 416 if (curves[i] == curve_id) 417 return (1); 418 } 419 return (0); 420 } 421 422 int 423 tls1_get_shared_curve(SSL *s) 424 { 425 size_t preflen, supplen, i, j; 426 const uint16_t *pref, *supp; 427 unsigned long server_pref; 428 429 /* Cannot do anything on the client side. */ 430 if (s->server == 0) 431 return (NID_undef); 432 433 /* Return first preference shared curve. */ 434 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 435 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); 436 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); 437 438 for (i = 0; i < preflen; i++) { 439 for (j = 0; j < supplen; j++) { 440 if (pref[i] == supp[j]) 441 return (tls1_ec_curve_id2nid(pref[i])); 442 } 443 } 444 return (NID_undef); 445 } 446 447 /* For an EC key set TLS ID and required compression based on parameters. */ 448 static int 449 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 450 { 451 const EC_GROUP *grp; 452 const EC_METHOD *meth; 453 int is_prime = 0; 454 int nid, id; 455 456 if (ec == NULL) 457 return (0); 458 459 /* Determine if it is a prime field. */ 460 if ((grp = EC_KEY_get0_group(ec)) == NULL) 461 return (0); 462 if ((meth = EC_GROUP_method_of(grp)) == NULL) 463 return (0); 464 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 465 is_prime = 1; 466 467 /* Determine curve ID. */ 468 nid = EC_GROUP_get_curve_name(grp); 469 id = tls1_ec_nid2curve_id(nid); 470 471 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 472 if (id != 0) 473 *curve_id = id; 474 else 475 *curve_id = is_prime ? 0xff01 : 0xff02; 476 477 /* Specify the compression identifier. */ 478 if (comp_id != NULL) { 479 if (EC_KEY_get0_public_key(ec) == NULL) 480 return (0); 481 482 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 483 *comp_id = is_prime ? 484 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 485 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 486 } else { 487 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 488 } 489 } 490 return (1); 491 } 492 493 /* Check that an EC key is compatible with extensions. */ 494 static int 495 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 496 { 497 size_t curveslen, formatslen, i; 498 const uint16_t *curves; 499 const uint8_t *formats; 500 501 /* 502 * Check point formats extension if present, otherwise everything 503 * is supported (see RFC4492). 504 */ 505 tls1_get_formatlist(s, 1, &formats, &formatslen); 506 if (comp_id != NULL && formats != NULL) { 507 for (i = 0; i < formatslen; i++) { 508 if (formats[i] == *comp_id) 509 break; 510 } 511 if (i == formatslen) 512 return (0); 513 } 514 515 /* 516 * Check curve list if present, otherwise everything is supported. 517 */ 518 tls1_get_curvelist(s, 1, &curves, &curveslen); 519 if (curve_id != NULL && curves != NULL) { 520 for (i = 0; i < curveslen; i++) { 521 if (curves[i] == *curve_id) 522 break; 523 } 524 if (i == curveslen) 525 return (0); 526 } 527 528 return (1); 529 } 530 531 /* Check EC server key is compatible with client extensions. */ 532 int 533 tls1_check_ec_server_key(SSL *s) 534 { 535 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 536 uint16_t curve_id; 537 uint8_t comp_id; 538 EVP_PKEY *pkey; 539 int rv; 540 541 if (cpk->x509 == NULL || cpk->privatekey == NULL) 542 return (0); 543 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 544 return (0); 545 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 546 EVP_PKEY_free(pkey); 547 if (rv != 1) 548 return (0); 549 550 return tls1_check_ec_key(s, &curve_id, &comp_id); 551 } 552 553 /* Check EC temporary key is compatible with client extensions. */ 554 int 555 tls1_check_ec_tmp_key(SSL *s) 556 { 557 EC_KEY *ec = s->cert->ecdh_tmp; 558 uint16_t curve_id; 559 560 if (s->cert->ecdh_tmp_auto != 0) { 561 /* Need a shared curve. */ 562 if (tls1_get_shared_curve(s) != NID_undef) 563 return (1); 564 return (0); 565 } 566 567 if (ec == NULL) { 568 if (s->cert->ecdh_tmp_cb != NULL) 569 return (1); 570 return (0); 571 } 572 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) 573 return (0); 574 575 return tls1_check_ec_key(s, &curve_id, NULL); 576 } 577 578 /* 579 * List of supported signature algorithms and hashes. Should make this 580 * customisable at some point, for now include everything we support. 581 */ 582 583 static unsigned char tls12_sigalgs[] = { 584 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 585 TLSEXT_hash_sha512, TLSEXT_signature_dsa, 586 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 587 #ifndef OPENSSL_NO_GOST 588 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 589 #endif 590 591 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 592 TLSEXT_hash_sha384, TLSEXT_signature_dsa, 593 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 594 595 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 596 TLSEXT_hash_sha256, TLSEXT_signature_dsa, 597 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 598 599 #ifndef OPENSSL_NO_GOST 600 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, 601 TLSEXT_hash_gost94, TLSEXT_signature_gostr01, 602 #endif 603 604 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 605 TLSEXT_hash_sha224, TLSEXT_signature_dsa, 606 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 607 608 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 609 TLSEXT_hash_sha1, TLSEXT_signature_dsa, 610 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 611 }; 612 613 int 614 tls12_get_req_sig_algs(SSL *s, unsigned char *p) 615 { 616 size_t slen = sizeof(tls12_sigalgs); 617 618 if (p) 619 memcpy(p, tls12_sigalgs, slen); 620 return (int)slen; 621 } 622 623 unsigned char * 624 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 625 { 626 int extdatalen = 0; 627 unsigned char *ret = p; 628 int using_ecc = 0; 629 630 /* See if we support any ECC ciphersuites. */ 631 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { 632 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 633 unsigned long alg_k, alg_a; 634 int i; 635 636 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 637 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 638 639 alg_k = c->algorithm_mkey; 640 alg_a = c->algorithm_auth; 641 642 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) { 643 using_ecc = 1; 644 break; 645 } 646 } 647 } 648 649 ret += 2; 650 651 if (ret >= limit) 652 return NULL; /* this really never occurs, but ... */ 653 654 if (s->tlsext_hostname != NULL) { 655 /* Add TLS extension servername to the Client Hello message */ 656 size_t size_str, lenmax; 657 658 /* check for enough space. 659 4 for the servername type and extension length 660 2 for servernamelist length 661 1 for the hostname type 662 2 for hostname length 663 + hostname length 664 */ 665 666 if ((size_t)(limit - ret) < 9) 667 return NULL; 668 669 lenmax = limit - ret - 9; 670 if ((size_str = strlen(s->tlsext_hostname)) > lenmax) 671 return NULL; 672 673 /* extension type and length */ 674 s2n(TLSEXT_TYPE_server_name, ret); 675 676 s2n(size_str + 5, ret); 677 678 /* length of servername list */ 679 s2n(size_str + 3, ret); 680 681 /* hostname type, length and hostname */ 682 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 683 s2n(size_str, ret); 684 memcpy(ret, s->tlsext_hostname, size_str); 685 ret += size_str; 686 } 687 688 /* Add RI if renegotiating */ 689 if (s->renegotiate) { 690 int el; 691 692 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 693 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 694 ERR_R_INTERNAL_ERROR); 695 return NULL; 696 } 697 698 if ((size_t)(limit - ret) < 4 + el) 699 return NULL; 700 701 s2n(TLSEXT_TYPE_renegotiate, ret); 702 s2n(el, ret); 703 704 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 705 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 706 ERR_R_INTERNAL_ERROR); 707 return NULL; 708 } 709 710 ret += el; 711 } 712 713 if (using_ecc) { 714 size_t curveslen, formatslen, lenmax; 715 const uint16_t *curves; 716 const uint8_t *formats; 717 int i; 718 719 /* 720 * Add TLS extension ECPointFormats to the ClientHello message. 721 */ 722 tls1_get_formatlist(s, 0, &formats, &formatslen); 723 724 if ((size_t)(limit - ret) < 5) 725 return NULL; 726 727 lenmax = limit - ret - 5; 728 if (formatslen > lenmax) 729 return NULL; 730 if (formatslen > 255) { 731 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 732 ERR_R_INTERNAL_ERROR); 733 return NULL; 734 } 735 736 s2n(TLSEXT_TYPE_ec_point_formats, ret); 737 s2n(formatslen + 1, ret); 738 *(ret++) = (unsigned char)formatslen; 739 memcpy(ret, formats, formatslen); 740 ret += formatslen; 741 742 /* 743 * Add TLS extension EllipticCurves to the ClientHello message. 744 */ 745 tls1_get_curvelist(s, 0, &curves, &curveslen); 746 747 if ((size_t)(limit - ret) < 6) 748 return NULL; 749 750 lenmax = limit - ret - 6; 751 if (curveslen > lenmax) 752 return NULL; 753 if (curveslen > 65532) { 754 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 755 ERR_R_INTERNAL_ERROR); 756 return NULL; 757 } 758 759 s2n(TLSEXT_TYPE_elliptic_curves, ret); 760 s2n((curveslen * 2) + 2, ret); 761 762 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 763 * elliptic_curve_list, but the examples use two bytes. 764 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 765 * resolves this to two bytes. 766 */ 767 s2n(curveslen * 2, ret); 768 for (i = 0; i < curveslen; i++) 769 s2n(curves[i], ret); 770 } 771 772 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 773 int ticklen; 774 if (!s->new_session && s->session && s->session->tlsext_tick) 775 ticklen = s->session->tlsext_ticklen; 776 else if (s->session && s->tlsext_session_ticket && 777 s->tlsext_session_ticket->data) { 778 ticklen = s->tlsext_session_ticket->length; 779 s->session->tlsext_tick = malloc(ticklen); 780 if (!s->session->tlsext_tick) 781 return NULL; 782 memcpy(s->session->tlsext_tick, 783 s->tlsext_session_ticket->data, ticklen); 784 s->session->tlsext_ticklen = ticklen; 785 } else 786 ticklen = 0; 787 if (ticklen == 0 && s->tlsext_session_ticket && 788 s->tlsext_session_ticket->data == NULL) 789 goto skip_ext; 790 /* Check for enough room 2 for extension type, 2 for len 791 * rest for ticket 792 */ 793 if ((size_t)(limit - ret) < 4 + ticklen) 794 return NULL; 795 s2n(TLSEXT_TYPE_session_ticket, ret); 796 797 s2n(ticklen, ret); 798 if (ticklen) { 799 memcpy(ret, s->session->tlsext_tick, ticklen); 800 ret += ticklen; 801 } 802 } 803 skip_ext: 804 805 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 806 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 807 return NULL; 808 809 s2n(TLSEXT_TYPE_signature_algorithms, ret); 810 s2n(sizeof(tls12_sigalgs) + 2, ret); 811 s2n(sizeof(tls12_sigalgs), ret); 812 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 813 ret += sizeof(tls12_sigalgs); 814 } 815 816 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 817 s->version != DTLS1_VERSION) { 818 int i; 819 long extlen, idlen, itmp; 820 OCSP_RESPID *id; 821 822 idlen = 0; 823 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 824 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 825 itmp = i2d_OCSP_RESPID(id, NULL); 826 if (itmp <= 0) 827 return NULL; 828 idlen += itmp + 2; 829 } 830 831 if (s->tlsext_ocsp_exts) { 832 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 833 if (extlen < 0) 834 return NULL; 835 } else 836 extlen = 0; 837 838 if ((size_t)(limit - ret) < 7 + extlen + idlen) 839 return NULL; 840 s2n(TLSEXT_TYPE_status_request, ret); 841 if (extlen + idlen > 0xFFF0) 842 return NULL; 843 s2n(extlen + idlen + 5, ret); 844 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 845 s2n(idlen, ret); 846 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 847 /* save position of id len */ 848 unsigned char *q = ret; 849 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 850 /* skip over id len */ 851 ret += 2; 852 itmp = i2d_OCSP_RESPID(id, &ret); 853 /* write id len */ 854 s2n(itmp, q); 855 } 856 s2n(extlen, ret); 857 if (extlen > 0) 858 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 859 } 860 861 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 862 /* The client advertises an emtpy extension to indicate its 863 * support for Next Protocol Negotiation */ 864 if ((size_t)(limit - ret) < 4) 865 return NULL; 866 s2n(TLSEXT_TYPE_next_proto_neg, ret); 867 s2n(0, ret); 868 } 869 870 if (s->alpn_client_proto_list != NULL && 871 s->s3->tmp.finish_md_len == 0) { 872 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 873 return (NULL); 874 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 875 s2n(2 + s->alpn_client_proto_list_len, ret); 876 s2n(s->alpn_client_proto_list_len, ret); 877 memcpy(ret, s->alpn_client_proto_list, 878 s->alpn_client_proto_list_len); 879 ret += s->alpn_client_proto_list_len; 880 } 881 882 #ifndef OPENSSL_NO_SRTP 883 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 884 int el; 885 886 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 887 888 if ((size_t)(limit - ret) < 4 + el) 889 return NULL; 890 891 s2n(TLSEXT_TYPE_use_srtp, ret); 892 s2n(el, ret); 893 894 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 895 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 896 ERR_R_INTERNAL_ERROR); 897 return NULL; 898 } 899 ret += el; 900 } 901 #endif 902 903 /* 904 * Add padding to workaround bugs in F5 terminators. 905 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 906 * 907 * Note that this seems to trigger issues with IronPort SMTP 908 * appliances. 909 * 910 * NB: because this code works out the length of all existing 911 * extensions it MUST always appear last. 912 */ 913 if (s->options & SSL_OP_TLSEXT_PADDING) { 914 int hlen = ret - (unsigned char *)s->init_buf->data; 915 916 /* 917 * The code in s23_clnt.c to build ClientHello messages 918 * includes the 5-byte record header in the buffer, while the 919 * code in s3_clnt.c does not. 920 */ 921 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 922 hlen -= 5; 923 if (hlen > 0xff && hlen < 0x200) { 924 hlen = 0x200 - hlen; 925 if (hlen >= 4) 926 hlen -= 4; 927 else 928 hlen = 0; 929 930 s2n(TLSEXT_TYPE_padding, ret); 931 s2n(hlen, ret); 932 memset(ret, 0, hlen); 933 ret += hlen; 934 } 935 } 936 937 if ((extdatalen = ret - p - 2) == 0) 938 return p; 939 940 s2n(extdatalen, p); 941 return ret; 942 } 943 944 unsigned char * 945 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 946 { 947 int using_ecc, extdatalen = 0; 948 unsigned long alg_a, alg_k; 949 unsigned char *ret = p; 950 int next_proto_neg_seen; 951 952 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 953 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 954 using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) && 955 s->session->tlsext_ecpointformatlist != NULL; 956 957 ret += 2; 958 if (ret >= limit) 959 return NULL; /* this really never occurs, but ... */ 960 961 if (!s->hit && s->servername_done == 1 && 962 s->session->tlsext_hostname != NULL) { 963 if ((size_t)(limit - ret) < 4) 964 return NULL; 965 966 s2n(TLSEXT_TYPE_server_name, ret); 967 s2n(0, ret); 968 } 969 970 if (s->s3->send_connection_binding) { 971 int el; 972 973 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 974 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 975 ERR_R_INTERNAL_ERROR); 976 return NULL; 977 } 978 979 if ((size_t)(limit - ret) < 4 + el) 980 return NULL; 981 982 s2n(TLSEXT_TYPE_renegotiate, ret); 983 s2n(el, ret); 984 985 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 986 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 987 ERR_R_INTERNAL_ERROR); 988 return NULL; 989 } 990 991 ret += el; 992 } 993 994 if (using_ecc && s->version != DTLS1_VERSION) { 995 const unsigned char *formats; 996 size_t formatslen, lenmax; 997 998 /* 999 * Add TLS extension ECPointFormats to the ServerHello message. 1000 */ 1001 tls1_get_formatlist(s, 0, &formats, &formatslen); 1002 1003 if ((size_t)(limit - ret) < 5) 1004 return NULL; 1005 1006 lenmax = limit - ret - 5; 1007 if (formatslen > lenmax) 1008 return NULL; 1009 if (formatslen > 255) { 1010 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1011 ERR_R_INTERNAL_ERROR); 1012 return NULL; 1013 } 1014 1015 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1016 s2n(formatslen + 1, ret); 1017 *(ret++) = (unsigned char)formatslen; 1018 memcpy(ret, formats, formatslen); 1019 ret += formatslen; 1020 } 1021 1022 /* 1023 * Currently the server should not respond with a SupportedCurves 1024 * extension. 1025 */ 1026 1027 if (s->tlsext_ticket_expected && 1028 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1029 if ((size_t)(limit - ret) < 4) 1030 return NULL; 1031 1032 s2n(TLSEXT_TYPE_session_ticket, ret); 1033 s2n(0, ret); 1034 } 1035 1036 if (s->tlsext_status_expected) { 1037 if ((size_t)(limit - ret) < 4) 1038 return NULL; 1039 1040 s2n(TLSEXT_TYPE_status_request, ret); 1041 s2n(0, ret); 1042 } 1043 1044 #ifndef OPENSSL_NO_SRTP 1045 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1046 int el; 1047 1048 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1049 1050 if ((size_t)(limit - ret) < 4 + el) 1051 return NULL; 1052 1053 s2n(TLSEXT_TYPE_use_srtp, ret); 1054 s2n(el, ret); 1055 1056 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1057 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 1058 ERR_R_INTERNAL_ERROR); 1059 return NULL; 1060 } 1061 ret += el; 1062 } 1063 #endif 1064 1065 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || 1066 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && 1067 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1068 static const unsigned char cryptopro_ext[36] = { 1069 0xfd, 0xe8, /*65000*/ 1070 0x00, 0x20, /*32 bytes length*/ 1071 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1072 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1073 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1074 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1075 }; 1076 if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) 1077 return NULL; 1078 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1079 ret += sizeof(cryptopro_ext); 1080 } 1081 1082 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1083 s->s3->next_proto_neg_seen = 0; 1084 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1085 const unsigned char *npa; 1086 unsigned int npalen; 1087 int r; 1088 1089 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1090 s->ctx->next_protos_advertised_cb_arg); 1091 if (r == SSL_TLSEXT_ERR_OK) { 1092 if ((size_t)(limit - ret) < 4 + npalen) 1093 return NULL; 1094 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1095 s2n(npalen, ret); 1096 memcpy(ret, npa, npalen); 1097 ret += npalen; 1098 s->s3->next_proto_neg_seen = 1; 1099 } 1100 } 1101 1102 if (s->s3->alpn_selected != NULL) { 1103 const unsigned char *selected = s->s3->alpn_selected; 1104 unsigned int len = s->s3->alpn_selected_len; 1105 1106 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 1107 return (NULL); 1108 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1109 s2n(3 + len, ret); 1110 s2n(1 + len, ret); 1111 *ret++ = len; 1112 memcpy(ret, selected, len); 1113 ret += len; 1114 } 1115 1116 if ((extdatalen = ret - p - 2) == 0) 1117 return p; 1118 1119 s2n(extdatalen, p); 1120 return ret; 1121 } 1122 1123 /* 1124 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1125 * ClientHello. 1126 * data: the contents of the extension, not including the type and length. 1127 * data_len: the number of bytes in data. 1128 * al: a pointer to the alert value to send in the event of a non-zero 1129 * return. 1130 * returns: 1 on success. 1131 */ 1132 static int 1133 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 1134 unsigned int data_len, int *al) 1135 { 1136 CBS cbs, proto_name_list, alpn; 1137 const unsigned char *selected; 1138 unsigned char selected_len; 1139 int r; 1140 1141 if (s->ctx->alpn_select_cb == NULL) 1142 return (1); 1143 1144 if (data_len < 2) 1145 goto parse_error; 1146 1147 CBS_init(&cbs, data, data_len); 1148 1149 /* 1150 * data should contain a uint16 length followed by a series of 8-bit, 1151 * length-prefixed strings. 1152 */ 1153 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || 1154 CBS_len(&alpn) < 2 || 1155 CBS_len(&cbs) != 0) 1156 goto parse_error; 1157 1158 /* Validate data before sending to callback. */ 1159 CBS_dup(&alpn, &proto_name_list); 1160 while (CBS_len(&proto_name_list) > 0) { 1161 CBS proto_name; 1162 1163 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || 1164 CBS_len(&proto_name) == 0) 1165 goto parse_error; 1166 } 1167 1168 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 1169 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 1170 if (r == SSL_TLSEXT_ERR_OK) { 1171 free(s->s3->alpn_selected); 1172 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 1173 *al = SSL_AD_INTERNAL_ERROR; 1174 return (-1); 1175 } 1176 memcpy(s->s3->alpn_selected, selected, selected_len); 1177 s->s3->alpn_selected_len = selected_len; 1178 } 1179 1180 return (1); 1181 1182 parse_error: 1183 *al = SSL_AD_DECODE_ERROR; 1184 return (0); 1185 } 1186 1187 int 1188 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1189 int n, int *al) 1190 { 1191 unsigned short type; 1192 unsigned short size; 1193 unsigned short len; 1194 unsigned char *data = *p; 1195 unsigned char *end = d + n; 1196 int renegotiate_seen = 0; 1197 int sigalg_seen = 0; 1198 1199 s->servername_done = 0; 1200 s->tlsext_status_type = -1; 1201 s->s3->next_proto_neg_seen = 0; 1202 free(s->s3->alpn_selected); 1203 s->s3->alpn_selected = NULL; 1204 s->srtp_profile = NULL; 1205 1206 if (data == end) 1207 goto ri_check; 1208 1209 if (end - data < 2) 1210 goto err; 1211 n2s(data, len); 1212 1213 if (end - data != len) 1214 goto err; 1215 1216 while (end - data >= 4) { 1217 n2s(data, type); 1218 n2s(data, size); 1219 1220 if (end - data < size) 1221 goto err; 1222 1223 if (s->tlsext_debug_cb) 1224 s->tlsext_debug_cb(s, 0, type, data, size, 1225 s->tlsext_debug_arg); 1226 /* The servername extension is treated as follows: 1227 1228 - Only the hostname type is supported with a maximum length of 255. 1229 - The servername is rejected if too long or if it contains zeros, 1230 in which case an fatal alert is generated. 1231 - The servername field is maintained together with the session cache. 1232 - When a session is resumed, the servername call back invoked in order 1233 to allow the application to position itself to the right context. 1234 - The servername is acknowledged if it is new for a session or when 1235 it is identical to a previously used for the same session. 1236 Applications can control the behaviour. They can at any time 1237 set a 'desirable' servername for a new SSL object. This can be the 1238 case for example with HTTPS when a Host: header field is received and 1239 a renegotiation is requested. In this case, a possible servername 1240 presented in the new client hello is only acknowledged if it matches 1241 the value of the Host: field. 1242 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1243 if they provide for changing an explicit servername context for the session, 1244 i.e. when the session has been established with a servername extension. 1245 - On session reconnect, the servername extension may be absent. 1246 1247 */ 1248 1249 if (type == TLSEXT_TYPE_server_name) { 1250 unsigned char *sdata; 1251 int servname_type; 1252 int dsize; 1253 1254 if (size < 2) { 1255 *al = SSL_AD_DECODE_ERROR; 1256 return 0; 1257 } 1258 n2s(data, dsize); 1259 1260 size -= 2; 1261 if (dsize > size) { 1262 *al = SSL_AD_DECODE_ERROR; 1263 return 0; 1264 } 1265 1266 sdata = data; 1267 while (dsize > 3) { 1268 servname_type = *(sdata++); 1269 1270 n2s(sdata, len); 1271 dsize -= 3; 1272 1273 if (len > dsize) { 1274 *al = SSL_AD_DECODE_ERROR; 1275 return 0; 1276 } 1277 if (s->servername_done == 0) 1278 switch (servname_type) { 1279 case TLSEXT_NAMETYPE_host_name: 1280 if (!s->hit) { 1281 if (s->session->tlsext_hostname) { 1282 *al = SSL_AD_DECODE_ERROR; 1283 return 0; 1284 } 1285 if (len > TLSEXT_MAXLEN_host_name) { 1286 *al = TLS1_AD_UNRECOGNIZED_NAME; 1287 return 0; 1288 } 1289 if ((s->session->tlsext_hostname = 1290 malloc(len + 1)) == NULL) { 1291 *al = TLS1_AD_INTERNAL_ERROR; 1292 return 0; 1293 } 1294 memcpy(s->session->tlsext_hostname, sdata, len); 1295 s->session->tlsext_hostname[len] = '\0'; 1296 if (strlen(s->session->tlsext_hostname) != len) { 1297 free(s->session->tlsext_hostname); 1298 s->session->tlsext_hostname = NULL; 1299 *al = TLS1_AD_UNRECOGNIZED_NAME; 1300 return 0; 1301 } 1302 s->servername_done = 1; 1303 1304 1305 } else { 1306 s->servername_done = s->session->tlsext_hostname && 1307 strlen(s->session->tlsext_hostname) == len && 1308 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1309 } 1310 break; 1311 1312 default: 1313 break; 1314 } 1315 1316 dsize -= len; 1317 } 1318 if (dsize != 0) { 1319 *al = SSL_AD_DECODE_ERROR; 1320 return 0; 1321 } 1322 1323 } 1324 1325 else if (type == TLSEXT_TYPE_ec_point_formats && 1326 s->version != DTLS1_VERSION) { 1327 unsigned char *sdata = data; 1328 size_t formatslen; 1329 uint8_t *formats; 1330 1331 if (size < 1) { 1332 *al = TLS1_AD_DECODE_ERROR; 1333 return 0; 1334 } 1335 formatslen = *(sdata++); 1336 if (formatslen != size - 1) { 1337 *al = TLS1_AD_DECODE_ERROR; 1338 return 0; 1339 } 1340 1341 if (!s->hit) { 1342 free(s->session->tlsext_ecpointformatlist); 1343 s->session->tlsext_ecpointformatlist = NULL; 1344 s->session->tlsext_ecpointformatlist_length = 0; 1345 1346 if ((formats = reallocarray(NULL, formatslen, 1347 sizeof(uint8_t))) == NULL) { 1348 *al = TLS1_AD_INTERNAL_ERROR; 1349 return 0; 1350 } 1351 memcpy(formats, sdata, formatslen); 1352 s->session->tlsext_ecpointformatlist = formats; 1353 s->session->tlsext_ecpointformatlist_length = 1354 formatslen; 1355 } 1356 } else if (type == TLSEXT_TYPE_elliptic_curves && 1357 s->version != DTLS1_VERSION) { 1358 unsigned char *sdata = data; 1359 size_t curveslen, i; 1360 uint16_t *curves; 1361 1362 if (size < 2) { 1363 *al = TLS1_AD_DECODE_ERROR; 1364 return 0; 1365 } 1366 n2s(sdata, curveslen); 1367 if (curveslen != size - 2 || curveslen % 2 != 0) { 1368 *al = TLS1_AD_DECODE_ERROR; 1369 return 0; 1370 } 1371 curveslen /= 2; 1372 1373 if (!s->hit) { 1374 if (s->session->tlsext_ellipticcurvelist) { 1375 *al = TLS1_AD_DECODE_ERROR; 1376 return 0; 1377 } 1378 s->session->tlsext_ellipticcurvelist_length = 0; 1379 if ((curves = reallocarray(NULL, curveslen, 1380 sizeof(uint16_t))) == NULL) { 1381 *al = TLS1_AD_INTERNAL_ERROR; 1382 return 0; 1383 } 1384 for (i = 0; i < curveslen; i++) 1385 n2s(sdata, curves[i]); 1386 s->session->tlsext_ellipticcurvelist = curves; 1387 s->session->tlsext_ellipticcurvelist_length = curveslen; 1388 } 1389 } 1390 else if (type == TLSEXT_TYPE_session_ticket) { 1391 if (s->tls_session_ticket_ext_cb && 1392 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1393 *al = TLS1_AD_INTERNAL_ERROR; 1394 return 0; 1395 } 1396 } else if (type == TLSEXT_TYPE_renegotiate) { 1397 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1398 return 0; 1399 renegotiate_seen = 1; 1400 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1401 int dsize; 1402 if (sigalg_seen || size < 2) { 1403 *al = SSL_AD_DECODE_ERROR; 1404 return 0; 1405 } 1406 sigalg_seen = 1; 1407 n2s(data, dsize); 1408 size -= 2; 1409 if (dsize != size || dsize & 1) { 1410 *al = SSL_AD_DECODE_ERROR; 1411 return 0; 1412 } 1413 if (!tls1_process_sigalgs(s, data, dsize)) { 1414 *al = SSL_AD_DECODE_ERROR; 1415 return 0; 1416 } 1417 } else if (type == TLSEXT_TYPE_status_request && 1418 s->version != DTLS1_VERSION) { 1419 1420 if (size < 5) { 1421 *al = SSL_AD_DECODE_ERROR; 1422 return 0; 1423 } 1424 1425 s->tlsext_status_type = *data++; 1426 size--; 1427 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1428 const unsigned char *sdata; 1429 int dsize; 1430 /* Read in responder_id_list */ 1431 n2s(data, dsize); 1432 size -= 2; 1433 if (dsize > size) { 1434 *al = SSL_AD_DECODE_ERROR; 1435 return 0; 1436 } 1437 1438 /* 1439 * We remove any OCSP_RESPIDs from a 1440 * previous handshake to prevent 1441 * unbounded memory growth. 1442 */ 1443 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1444 OCSP_RESPID_free); 1445 s->tlsext_ocsp_ids = NULL; 1446 if (dsize > 0) { 1447 s->tlsext_ocsp_ids = 1448 sk_OCSP_RESPID_new_null(); 1449 if (s->tlsext_ocsp_ids == NULL) { 1450 *al = SSL_AD_INTERNAL_ERROR; 1451 return 0; 1452 } 1453 } 1454 1455 while (dsize > 0) { 1456 OCSP_RESPID *id; 1457 int idsize; 1458 if (dsize < 4) { 1459 *al = SSL_AD_DECODE_ERROR; 1460 return 0; 1461 } 1462 n2s(data, idsize); 1463 dsize -= 2 + idsize; 1464 size -= 2 + idsize; 1465 if (dsize < 0) { 1466 *al = SSL_AD_DECODE_ERROR; 1467 return 0; 1468 } 1469 sdata = data; 1470 data += idsize; 1471 id = d2i_OCSP_RESPID(NULL, 1472 &sdata, idsize); 1473 if (!id) { 1474 *al = SSL_AD_DECODE_ERROR; 1475 return 0; 1476 } 1477 if (data != sdata) { 1478 OCSP_RESPID_free(id); 1479 *al = SSL_AD_DECODE_ERROR; 1480 return 0; 1481 } 1482 if (!sk_OCSP_RESPID_push( 1483 s->tlsext_ocsp_ids, id)) { 1484 OCSP_RESPID_free(id); 1485 *al = SSL_AD_INTERNAL_ERROR; 1486 return 0; 1487 } 1488 } 1489 1490 /* Read in request_extensions */ 1491 if (size < 2) { 1492 *al = SSL_AD_DECODE_ERROR; 1493 return 0; 1494 } 1495 n2s(data, dsize); 1496 size -= 2; 1497 if (dsize != size) { 1498 *al = SSL_AD_DECODE_ERROR; 1499 return 0; 1500 } 1501 sdata = data; 1502 if (dsize > 0) { 1503 if (s->tlsext_ocsp_exts) { 1504 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1505 X509_EXTENSION_free); 1506 } 1507 1508 s->tlsext_ocsp_exts = 1509 d2i_X509_EXTENSIONS(NULL, 1510 &sdata, dsize); 1511 if (!s->tlsext_ocsp_exts || 1512 (data + dsize != sdata)) { 1513 *al = SSL_AD_DECODE_ERROR; 1514 return 0; 1515 } 1516 } 1517 } else { 1518 /* We don't know what to do with any other type 1519 * so ignore it. 1520 */ 1521 s->tlsext_status_type = -1; 1522 } 1523 } 1524 else if (type == TLSEXT_TYPE_next_proto_neg && 1525 s->s3->tmp.finish_md_len == 0 && 1526 s->s3->alpn_selected == NULL) { 1527 /* We shouldn't accept this extension on a 1528 * renegotiation. 1529 * 1530 * s->new_session will be set on renegotiation, but we 1531 * probably shouldn't rely that it couldn't be set on 1532 * the initial renegotation too in certain cases (when 1533 * there's some other reason to disallow resuming an 1534 * earlier session -- the current code won't be doing 1535 * anything like that, but this might change). 1536 1537 * A valid sign that there's been a previous handshake 1538 * in this connection is if s->s3->tmp.finish_md_len > 1539 * 0. (We are talking about a check that will happen 1540 * in the Hello protocol round, well before a new 1541 * Finished message could have been computed.) */ 1542 s->s3->next_proto_neg_seen = 1; 1543 } 1544 else if (type == 1545 TLSEXT_TYPE_application_layer_protocol_negotiation && 1546 s->ctx->alpn_select_cb != NULL && 1547 s->s3->tmp.finish_md_len == 0) { 1548 if (tls1_alpn_handle_client_hello(s, data, 1549 size, al) != 1) 1550 return (0); 1551 /* ALPN takes precedence over NPN. */ 1552 s->s3->next_proto_neg_seen = 0; 1553 } 1554 1555 /* session ticket processed earlier */ 1556 #ifndef OPENSSL_NO_SRTP 1557 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1558 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1559 return 0; 1560 } 1561 #endif 1562 1563 data += size; 1564 } 1565 1566 /* Spurious data on the end */ 1567 if (data != end) 1568 goto err; 1569 1570 *p = data; 1571 1572 ri_check: 1573 1574 /* Need RI if renegotiating */ 1575 1576 if (!renegotiate_seen && s->renegotiate) { 1577 *al = SSL_AD_HANDSHAKE_FAILURE; 1578 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1579 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1580 return 0; 1581 } 1582 1583 return 1; 1584 1585 err: 1586 *al = SSL_AD_DECODE_ERROR; 1587 return 0; 1588 } 1589 1590 /* 1591 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1592 * elements of zero length are allowed and the set of elements must exactly fill 1593 * the length of the block. 1594 */ 1595 static char 1596 ssl_next_proto_validate(const unsigned char *d, unsigned int len) 1597 { 1598 CBS npn, value; 1599 1600 CBS_init(&npn, d, len); 1601 while (CBS_len(&npn) > 0) { 1602 if (!CBS_get_u8_length_prefixed(&npn, &value) || 1603 CBS_len(&value) == 0) 1604 return 0; 1605 } 1606 return 1; 1607 } 1608 1609 int 1610 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1611 int n, int *al) 1612 { 1613 unsigned short type; 1614 unsigned short size; 1615 unsigned short len; 1616 unsigned char *data = *p; 1617 unsigned char *end = d + n; 1618 int tlsext_servername = 0; 1619 int renegotiate_seen = 0; 1620 1621 s->s3->next_proto_neg_seen = 0; 1622 free(s->s3->alpn_selected); 1623 s->s3->alpn_selected = NULL; 1624 1625 if (data == end) 1626 goto ri_check; 1627 1628 if (end - data < 2) 1629 goto err; 1630 n2s(data, len); 1631 1632 if (end - data != len) 1633 goto err; 1634 1635 while (end - data >= 4) { 1636 n2s(data, type); 1637 n2s(data, size); 1638 1639 if (end - data < size) 1640 goto err; 1641 1642 if (s->tlsext_debug_cb) 1643 s->tlsext_debug_cb(s, 1, type, data, size, 1644 s->tlsext_debug_arg); 1645 1646 if (type == TLSEXT_TYPE_server_name) { 1647 if (s->tlsext_hostname == NULL || size > 0) { 1648 *al = TLS1_AD_UNRECOGNIZED_NAME; 1649 return 0; 1650 } 1651 tlsext_servername = 1; 1652 1653 } 1654 else if (type == TLSEXT_TYPE_ec_point_formats && 1655 s->version != DTLS1_VERSION) { 1656 unsigned char *sdata = data; 1657 size_t formatslen; 1658 uint8_t *formats; 1659 1660 if (size < 1) { 1661 *al = TLS1_AD_DECODE_ERROR; 1662 return 0; 1663 } 1664 formatslen = *(sdata++); 1665 if (formatslen != size - 1) { 1666 *al = TLS1_AD_DECODE_ERROR; 1667 return 0; 1668 } 1669 1670 if (!s->hit) { 1671 free(s->session->tlsext_ecpointformatlist); 1672 s->session->tlsext_ecpointformatlist = NULL; 1673 s->session->tlsext_ecpointformatlist_length = 0; 1674 1675 if ((formats = reallocarray(NULL, formatslen, 1676 sizeof(uint8_t))) == NULL) { 1677 *al = TLS1_AD_INTERNAL_ERROR; 1678 return 0; 1679 } 1680 memcpy(formats, sdata, formatslen); 1681 s->session->tlsext_ecpointformatlist = formats; 1682 s->session->tlsext_ecpointformatlist_length = 1683 formatslen; 1684 } 1685 } 1686 else if (type == TLSEXT_TYPE_session_ticket) { 1687 if (s->tls_session_ticket_ext_cb && 1688 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1689 *al = TLS1_AD_INTERNAL_ERROR; 1690 return 0; 1691 } 1692 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { 1693 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1694 return 0; 1695 } 1696 s->tlsext_ticket_expected = 1; 1697 } 1698 else if (type == TLSEXT_TYPE_status_request && 1699 s->version != DTLS1_VERSION) { 1700 /* MUST be empty and only sent if we've requested 1701 * a status request message. 1702 */ 1703 if ((s->tlsext_status_type == -1) || (size > 0)) { 1704 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1705 return 0; 1706 } 1707 /* Set flag to expect CertificateStatus message */ 1708 s->tlsext_status_expected = 1; 1709 } 1710 else if (type == TLSEXT_TYPE_next_proto_neg && 1711 s->s3->tmp.finish_md_len == 0) { 1712 unsigned char *selected; 1713 unsigned char selected_len; 1714 1715 /* We must have requested it. */ 1716 if (s->ctx->next_proto_select_cb == NULL) { 1717 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1718 return 0; 1719 } 1720 /* The data must be valid */ 1721 if (!ssl_next_proto_validate(data, size)) { 1722 *al = TLS1_AD_DECODE_ERROR; 1723 return 0; 1724 } 1725 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1726 *al = TLS1_AD_INTERNAL_ERROR; 1727 return 0; 1728 } 1729 s->next_proto_negotiated = malloc(selected_len); 1730 if (!s->next_proto_negotiated) { 1731 *al = TLS1_AD_INTERNAL_ERROR; 1732 return 0; 1733 } 1734 memcpy(s->next_proto_negotiated, selected, selected_len); 1735 s->next_proto_negotiated_len = selected_len; 1736 s->s3->next_proto_neg_seen = 1; 1737 } 1738 else if (type == 1739 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1740 unsigned int len; 1741 1742 /* We must have requested it. */ 1743 if (s->alpn_client_proto_list == NULL) { 1744 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1745 return 0; 1746 } 1747 if (size < 4) { 1748 *al = TLS1_AD_DECODE_ERROR; 1749 return (0); 1750 } 1751 1752 /* The extension data consists of: 1753 * uint16 list_length 1754 * uint8 proto_length; 1755 * uint8 proto[proto_length]; */ 1756 len = ((unsigned int)data[0]) << 8 | 1757 ((unsigned int)data[1]); 1758 if (len != (unsigned int)size - 2) { 1759 *al = TLS1_AD_DECODE_ERROR; 1760 return (0); 1761 } 1762 len = data[2]; 1763 if (len != (unsigned int)size - 3) { 1764 *al = TLS1_AD_DECODE_ERROR; 1765 return (0); 1766 } 1767 free(s->s3->alpn_selected); 1768 s->s3->alpn_selected = malloc(len); 1769 if (s->s3->alpn_selected == NULL) { 1770 *al = TLS1_AD_INTERNAL_ERROR; 1771 return (0); 1772 } 1773 memcpy(s->s3->alpn_selected, data + 3, len); 1774 s->s3->alpn_selected_len = len; 1775 1776 } else if (type == TLSEXT_TYPE_renegotiate) { 1777 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1778 return 0; 1779 renegotiate_seen = 1; 1780 } 1781 #ifndef OPENSSL_NO_SRTP 1782 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1783 if (ssl_parse_serverhello_use_srtp_ext(s, data, 1784 size, al)) 1785 return 0; 1786 } 1787 #endif 1788 1789 data += size; 1790 1791 } 1792 1793 if (data != d + n) { 1794 *al = SSL_AD_DECODE_ERROR; 1795 return 0; 1796 } 1797 1798 if (!s->hit && tlsext_servername == 1) { 1799 if (s->tlsext_hostname) { 1800 if (s->session->tlsext_hostname == NULL) { 1801 s->session->tlsext_hostname = 1802 strdup(s->tlsext_hostname); 1803 1804 if (!s->session->tlsext_hostname) { 1805 *al = SSL_AD_UNRECOGNIZED_NAME; 1806 return 0; 1807 } 1808 } else { 1809 *al = SSL_AD_DECODE_ERROR; 1810 return 0; 1811 } 1812 } 1813 } 1814 1815 *p = data; 1816 1817 ri_check: 1818 1819 /* Determine if we need to see RI. Strictly speaking if we want to 1820 * avoid an attack we should *always* see RI even on initial server 1821 * hello because the client doesn't see any renegotiation during an 1822 * attack. However this would mean we could not connect to any server 1823 * which doesn't support RI so for the immediate future tolerate RI 1824 * absence on initial connect only. 1825 */ 1826 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1827 *al = SSL_AD_HANDSHAKE_FAILURE; 1828 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1829 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1830 return 0; 1831 } 1832 1833 return 1; 1834 1835 err: 1836 *al = SSL_AD_DECODE_ERROR; 1837 return 0; 1838 } 1839 1840 int 1841 ssl_check_clienthello_tlsext_early(SSL *s) 1842 { 1843 int ret = SSL_TLSEXT_ERR_NOACK; 1844 int al = SSL_AD_UNRECOGNIZED_NAME; 1845 1846 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1847 * ssl3_choose_cipher in s3_lib.c. 1848 */ 1849 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1850 * ssl3_choose_cipher in s3_lib.c. 1851 */ 1852 1853 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1854 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1855 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1856 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1857 1858 switch (ret) { 1859 case SSL_TLSEXT_ERR_ALERT_FATAL: 1860 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1861 return -1; 1862 case SSL_TLSEXT_ERR_ALERT_WARNING: 1863 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1864 return 1; 1865 case SSL_TLSEXT_ERR_NOACK: 1866 s->servername_done = 0; 1867 default: 1868 return 1; 1869 } 1870 } 1871 1872 int 1873 ssl_check_clienthello_tlsext_late(SSL *s) 1874 { 1875 int ret = SSL_TLSEXT_ERR_OK; 1876 int al = 0; /* XXX gcc3 */ 1877 1878 /* If status request then ask callback what to do. 1879 * Note: this must be called after servername callbacks in case 1880 * the certificate has changed, and must be called after the cipher 1881 * has been chosen because this may influence which certificate is sent 1882 */ 1883 if ((s->tlsext_status_type != -1) && 1884 s->ctx && s->ctx->tlsext_status_cb) { 1885 int r; 1886 CERT_PKEY *certpkey; 1887 certpkey = ssl_get_server_send_pkey(s); 1888 /* If no certificate can't return certificate status */ 1889 if (certpkey == NULL) { 1890 s->tlsext_status_expected = 0; 1891 return 1; 1892 } 1893 /* Set current certificate to one we will use so 1894 * SSL_get_certificate et al can pick it up. 1895 */ 1896 s->cert->key = certpkey; 1897 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1898 switch (r) { 1899 /* We don't want to send a status request response */ 1900 case SSL_TLSEXT_ERR_NOACK: 1901 s->tlsext_status_expected = 0; 1902 break; 1903 /* status request response should be sent */ 1904 case SSL_TLSEXT_ERR_OK: 1905 if (s->tlsext_ocsp_resp) 1906 s->tlsext_status_expected = 1; 1907 else 1908 s->tlsext_status_expected = 0; 1909 break; 1910 /* something bad happened */ 1911 case SSL_TLSEXT_ERR_ALERT_FATAL: 1912 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1913 al = SSL_AD_INTERNAL_ERROR; 1914 goto err; 1915 } 1916 } else 1917 s->tlsext_status_expected = 0; 1918 1919 err: 1920 switch (ret) { 1921 case SSL_TLSEXT_ERR_ALERT_FATAL: 1922 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1923 return -1; 1924 case SSL_TLSEXT_ERR_ALERT_WARNING: 1925 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1926 return 1; 1927 default: 1928 return 1; 1929 } 1930 } 1931 1932 int 1933 ssl_check_serverhello_tlsext(SSL *s) 1934 { 1935 int ret = SSL_TLSEXT_ERR_NOACK; 1936 int al = SSL_AD_UNRECOGNIZED_NAME; 1937 1938 /* If we are client and using an elliptic curve cryptography cipher 1939 * suite, then if server returns an EC point formats lists extension 1940 * it must contain uncompressed. 1941 */ 1942 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1943 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1944 if ((s->tlsext_ecpointformatlist != NULL) && 1945 (s->tlsext_ecpointformatlist_length > 0) && 1946 (s->session->tlsext_ecpointformatlist != NULL) && 1947 (s->session->tlsext_ecpointformatlist_length > 0) && 1948 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1949 /* we are using an ECC cipher */ 1950 size_t i; 1951 unsigned char *list; 1952 int found_uncompressed = 0; 1953 list = s->session->tlsext_ecpointformatlist; 1954 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 1955 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 1956 found_uncompressed = 1; 1957 break; 1958 } 1959 } 1960 if (!found_uncompressed) { 1961 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1962 return -1; 1963 } 1964 } 1965 ret = SSL_TLSEXT_ERR_OK; 1966 1967 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1968 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1969 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1970 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1971 1972 /* If we've requested certificate status and we wont get one 1973 * tell the callback 1974 */ 1975 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && 1976 s->ctx && s->ctx->tlsext_status_cb) { 1977 int r; 1978 /* Set resp to NULL, resplen to -1 so callback knows 1979 * there is no response. 1980 */ 1981 free(s->tlsext_ocsp_resp); 1982 s->tlsext_ocsp_resp = NULL; 1983 s->tlsext_ocsp_resplen = -1; 1984 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1985 if (r == 0) { 1986 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1987 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1988 } 1989 if (r < 0) { 1990 al = SSL_AD_INTERNAL_ERROR; 1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1992 } 1993 } 1994 1995 switch (ret) { 1996 case SSL_TLSEXT_ERR_ALERT_FATAL: 1997 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1998 1999 return -1; 2000 case SSL_TLSEXT_ERR_ALERT_WARNING: 2001 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2002 2003 return 1; 2004 case SSL_TLSEXT_ERR_NOACK: 2005 s->servername_done = 0; 2006 default: 2007 return 1; 2008 } 2009 } 2010 2011 /* Since the server cache lookup is done early on in the processing of the 2012 * ClientHello, and other operations depend on the result, we need to handle 2013 * any TLS session ticket extension at the same time. 2014 * 2015 * session_id: points at the session ID in the ClientHello. This code will 2016 * read past the end of this in order to parse out the session ticket 2017 * extension, if any. 2018 * len: the length of the session ID. 2019 * limit: a pointer to the first byte after the ClientHello. 2020 * ret: (output) on return, if a ticket was decrypted, then this is set to 2021 * point to the resulting session. 2022 * 2023 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2024 * ciphersuite, in which case we have no use for session tickets and one will 2025 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2026 * 2027 * Returns: 2028 * -1: fatal error, either from parsing or decrypting the ticket. 2029 * 0: no ticket was found (or was ignored, based on settings). 2030 * 1: a zero length extension was found, indicating that the client supports 2031 * session tickets but doesn't currently have one to offer. 2032 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2033 * couldn't be decrypted because of a non-fatal error. 2034 * 3: a ticket was successfully decrypted and *ret was set. 2035 * 2036 * Side effects: 2037 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2038 * a new session ticket to the client because the client indicated support 2039 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2040 * a session ticket or we couldn't use the one it gave us, or if 2041 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2042 * Otherwise, s->tlsext_ticket_expected is set to 0. 2043 */ 2044 int 2045 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, 2046 const unsigned char *limit, SSL_SESSION **ret) 2047 { 2048 /* Point after session ID in client hello */ 2049 CBS session_id, cookie, cipher_list, compress_algo, extensions; 2050 2051 *ret = NULL; 2052 s->tlsext_ticket_expected = 0; 2053 2054 /* If tickets disabled behave as if no ticket present 2055 * to permit stateful resumption. 2056 */ 2057 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2058 return 0; 2059 if (!limit) 2060 return 0; 2061 2062 if (limit < session) 2063 return -1; 2064 2065 CBS_init(&session_id, session, limit - session); 2066 2067 /* Skip past the session id */ 2068 if (!CBS_skip(&session_id, session_len)) 2069 return -1; 2070 2071 /* Skip past DTLS cookie */ 2072 if (SSL_IS_DTLS(s)) { 2073 if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) 2074 return -1; 2075 } 2076 2077 /* Skip past cipher list */ 2078 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) 2079 return -1; 2080 2081 /* Skip past compression algorithm list */ 2082 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) 2083 return -1; 2084 2085 /* Now at start of extensions */ 2086 if (CBS_len(&session_id) == 0) 2087 return 0; 2088 if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) 2089 return -1; 2090 2091 while (CBS_len(&extensions) > 0) { 2092 CBS ext_data; 2093 uint16_t ext_type; 2094 2095 if (!CBS_get_u16(&extensions, &ext_type) || 2096 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 2097 return -1; 2098 2099 if (ext_type == TLSEXT_TYPE_session_ticket) { 2100 int r; 2101 if (CBS_len(&ext_data) == 0) { 2102 /* The client will accept a ticket but doesn't 2103 * currently have one. */ 2104 s->tlsext_ticket_expected = 1; 2105 return 1; 2106 } 2107 if (s->tls_session_secret_cb) { 2108 /* Indicate that the ticket couldn't be 2109 * decrypted rather than generating the session 2110 * from ticket now, trigger abbreviated 2111 * handshake based on external mechanism to 2112 * calculate the master secret later. */ 2113 return 2; 2114 } 2115 2116 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 2117 CBS_len(&ext_data), session, session_len, ret); 2118 2119 switch (r) { 2120 case 2: /* ticket couldn't be decrypted */ 2121 s->tlsext_ticket_expected = 1; 2122 return 2; 2123 case 3: /* ticket was decrypted */ 2124 return r; 2125 case 4: /* ticket decrypted but need to renew */ 2126 s->tlsext_ticket_expected = 1; 2127 return 3; 2128 default: /* fatal error */ 2129 return -1; 2130 } 2131 } 2132 } 2133 return 0; 2134 } 2135 2136 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2137 * 2138 * etick: points to the body of the session ticket extension. 2139 * eticklen: the length of the session tickets extenion. 2140 * sess_id: points at the session ID. 2141 * sesslen: the length of the session ID. 2142 * psess: (output) on return, if a ticket was decrypted, then this is set to 2143 * point to the resulting session. 2144 * 2145 * Returns: 2146 * -1: fatal error, either from parsing or decrypting the ticket. 2147 * 2: the ticket couldn't be decrypted. 2148 * 3: a ticket was successfully decrypted and *psess was set. 2149 * 4: same as 3, but the ticket needs to be renewed. 2150 */ 2151 static int 2152 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2153 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 2154 { 2155 SSL_SESSION *sess; 2156 unsigned char *sdec; 2157 const unsigned char *p; 2158 int slen, mlen, renew_ticket = 0; 2159 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2160 HMAC_CTX hctx; 2161 EVP_CIPHER_CTX ctx; 2162 SSL_CTX *tctx = s->initial_ctx; 2163 2164 /* 2165 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 2166 * the iv to tlsext_ticket_key_cb(). Since the total space 2167 * required for a session cookie is never less than this, 2168 * this check isn't too strict. The exact check comes later. 2169 */ 2170 if (eticklen < 16 + EVP_MAX_IV_LENGTH) 2171 return 2; 2172 2173 /* Initialize session ticket encryption and HMAC contexts */ 2174 HMAC_CTX_init(&hctx); 2175 EVP_CIPHER_CTX_init(&ctx); 2176 if (tctx->tlsext_ticket_key_cb) { 2177 unsigned char *nctick = (unsigned char *)etick; 2178 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2179 &ctx, &hctx, 0); 2180 if (rv < 0) { 2181 HMAC_CTX_cleanup(&hctx); 2182 EVP_CIPHER_CTX_cleanup(&ctx); 2183 return -1; 2184 } 2185 if (rv == 0) { 2186 HMAC_CTX_cleanup(&hctx); 2187 EVP_CIPHER_CTX_cleanup(&ctx); 2188 return 2; 2189 } 2190 if (rv == 2) 2191 renew_ticket = 1; 2192 } else { 2193 /* Check key name matches */ 2194 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2195 return 2; 2196 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2197 tlsext_tick_md(), NULL); 2198 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2199 tctx->tlsext_tick_aes_key, etick + 16); 2200 } 2201 2202 /* 2203 * Attempt to process session ticket, first conduct sanity and 2204 * integrity checks on ticket. 2205 */ 2206 mlen = HMAC_size(&hctx); 2207 if (mlen < 0) { 2208 HMAC_CTX_cleanup(&hctx); 2209 EVP_CIPHER_CTX_cleanup(&ctx); 2210 return -1; 2211 } 2212 2213 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2214 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2215 HMAC_CTX_cleanup(&hctx); 2216 EVP_CIPHER_CTX_cleanup(&ctx); 2217 return 2; 2218 } 2219 eticklen -= mlen; 2220 2221 /* Check HMAC of encrypted ticket */ 2222 if (HMAC_Update(&hctx, etick, eticklen) <= 0 || 2223 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2224 HMAC_CTX_cleanup(&hctx); 2225 EVP_CIPHER_CTX_cleanup(&ctx); 2226 return -1; 2227 } 2228 2229 HMAC_CTX_cleanup(&hctx); 2230 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { 2231 EVP_CIPHER_CTX_cleanup(&ctx); 2232 return 2; 2233 } 2234 2235 /* Attempt to decrypt session data */ 2236 /* Move p after IV to start of encrypted ticket, update length */ 2237 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2238 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2239 sdec = malloc(eticklen); 2240 if (sdec == NULL || 2241 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2242 free(sdec); 2243 EVP_CIPHER_CTX_cleanup(&ctx); 2244 return -1; 2245 } 2246 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2247 free(sdec); 2248 EVP_CIPHER_CTX_cleanup(&ctx); 2249 return 2; 2250 } 2251 slen += mlen; 2252 EVP_CIPHER_CTX_cleanup(&ctx); 2253 p = sdec; 2254 2255 sess = d2i_SSL_SESSION(NULL, &p, slen); 2256 free(sdec); 2257 if (sess) { 2258 /* The session ID, if non-empty, is used by some clients to 2259 * detect that the ticket has been accepted. So we copy it to 2260 * the session structure. If it is empty set length to zero 2261 * as required by standard. 2262 */ 2263 if (sesslen) 2264 memcpy(sess->session_id, sess_id, sesslen); 2265 sess->session_id_length = sesslen; 2266 *psess = sess; 2267 if (renew_ticket) 2268 return 4; 2269 else 2270 return 3; 2271 } 2272 ERR_clear_error(); 2273 /* For session parse failure, indicate that we need to send a new 2274 * ticket. */ 2275 return 2; 2276 } 2277 2278 /* Tables to translate from NIDs to TLS v1.2 ids */ 2279 2280 typedef struct { 2281 int nid; 2282 int id; 2283 } tls12_lookup; 2284 2285 static tls12_lookup tls12_md[] = { 2286 {NID_md5, TLSEXT_hash_md5}, 2287 {NID_sha1, TLSEXT_hash_sha1}, 2288 {NID_sha224, TLSEXT_hash_sha224}, 2289 {NID_sha256, TLSEXT_hash_sha256}, 2290 {NID_sha384, TLSEXT_hash_sha384}, 2291 {NID_sha512, TLSEXT_hash_sha512}, 2292 {NID_id_GostR3411_94, TLSEXT_hash_gost94}, 2293 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, 2294 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} 2295 }; 2296 2297 static tls12_lookup tls12_sig[] = { 2298 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2299 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2300 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 2301 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 2302 }; 2303 2304 static int 2305 tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2306 { 2307 size_t i; 2308 for (i = 0; i < tlen; i++) { 2309 if (table[i].nid == nid) 2310 return table[i].id; 2311 } 2312 return -1; 2313 } 2314 2315 int 2316 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2317 { 2318 int sig_id, md_id; 2319 if (!md) 2320 return 0; 2321 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2322 sizeof(tls12_md) / sizeof(tls12_lookup)); 2323 if (md_id == -1) 2324 return 0; 2325 sig_id = tls12_get_sigid(pk); 2326 if (sig_id == -1) 2327 return 0; 2328 p[0] = (unsigned char)md_id; 2329 p[1] = (unsigned char)sig_id; 2330 return 1; 2331 } 2332 2333 int 2334 tls12_get_sigid(const EVP_PKEY *pk) 2335 { 2336 return tls12_find_id(pk->type, tls12_sig, 2337 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2338 } 2339 2340 const EVP_MD * 2341 tls12_get_hash(unsigned char hash_alg) 2342 { 2343 switch (hash_alg) { 2344 case TLSEXT_hash_sha1: 2345 return EVP_sha1(); 2346 case TLSEXT_hash_sha224: 2347 return EVP_sha224(); 2348 case TLSEXT_hash_sha256: 2349 return EVP_sha256(); 2350 case TLSEXT_hash_sha384: 2351 return EVP_sha384(); 2352 case TLSEXT_hash_sha512: 2353 return EVP_sha512(); 2354 #ifndef OPENSSL_NO_GOST 2355 case TLSEXT_hash_gost94: 2356 return EVP_gostr341194(); 2357 case TLSEXT_hash_streebog_256: 2358 return EVP_streebog256(); 2359 case TLSEXT_hash_streebog_512: 2360 return EVP_streebog512(); 2361 #endif 2362 default: 2363 return NULL; 2364 } 2365 } 2366 2367 /* Set preferred digest for each key type */ 2368 2369 int 2370 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2371 { 2372 int idx; 2373 const EVP_MD *md; 2374 CERT *c = s->cert; 2375 CBS cbs; 2376 2377 /* Extension ignored for inappropriate versions */ 2378 if (!SSL_USE_SIGALGS(s)) 2379 return 1; 2380 2381 /* Should never happen */ 2382 if (!c || dsize < 0) 2383 return 0; 2384 2385 CBS_init(&cbs, data, dsize); 2386 2387 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2388 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2389 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2390 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2391 c->pkeys[SSL_PKEY_GOST01].digest = NULL; 2392 2393 while (CBS_len(&cbs) > 0) { 2394 uint8_t hash_alg, sig_alg; 2395 2396 if (!CBS_get_u8(&cbs, &hash_alg) || 2397 !CBS_get_u8(&cbs, &sig_alg)) { 2398 /* Should never happen */ 2399 return 0; 2400 } 2401 2402 switch (sig_alg) { 2403 case TLSEXT_signature_rsa: 2404 idx = SSL_PKEY_RSA_SIGN; 2405 break; 2406 case TLSEXT_signature_dsa: 2407 idx = SSL_PKEY_DSA_SIGN; 2408 break; 2409 case TLSEXT_signature_ecdsa: 2410 idx = SSL_PKEY_ECC; 2411 break; 2412 case TLSEXT_signature_gostr01: 2413 case TLSEXT_signature_gostr12_256: 2414 case TLSEXT_signature_gostr12_512: 2415 idx = SSL_PKEY_GOST01; 2416 break; 2417 default: 2418 continue; 2419 } 2420 2421 if (c->pkeys[idx].digest == NULL) { 2422 md = tls12_get_hash(hash_alg); 2423 if (md) { 2424 c->pkeys[idx].digest = md; 2425 if (idx == SSL_PKEY_RSA_SIGN) 2426 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2427 } 2428 } 2429 2430 } 2431 2432 /* Set any remaining keys to default values. NOTE: if alg is not 2433 * supported it stays as NULL. 2434 */ 2435 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2436 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2437 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2438 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2439 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2440 } 2441 if (!c->pkeys[SSL_PKEY_ECC].digest) 2442 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2443 #ifndef OPENSSL_NO_GOST 2444 if (!c->pkeys[SSL_PKEY_GOST01].digest) 2445 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); 2446 #endif 2447 return 1; 2448 } 2449