1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <openssl/objects.h> 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #ifndef OPENSSL_NO_EC 117 #ifdef OPENSSL_NO_EC2M 118 # include <openssl/ec.h> 119 #endif 120 #endif 121 #include <openssl/ocsp.h> 122 #include <openssl/rand.h> 123 #include "ssl_locl.h" 124 125 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; 126 127 #ifndef OPENSSL_NO_TLSEXT 128 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 129 const unsigned char *sess_id, int sesslen, 130 SSL_SESSION **psess); 131 static int ssl_check_clienthello_tlsext_early(SSL *s); 132 int ssl_check_serverhello_tlsext(SSL *s); 133 #endif 134 135 #define CHECKLEN(curr, val, limit) \ 136 (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val)) 137 138 SSL3_ENC_METHOD TLSv1_enc_data = { 139 tls1_enc, 140 tls1_mac, 141 tls1_setup_key_block, 142 tls1_generate_master_secret, 143 tls1_change_cipher_state, 144 tls1_final_finish_mac, 145 TLS1_FINISH_MAC_LENGTH, 146 tls1_cert_verify_mac, 147 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 148 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 149 tls1_alert_code, 150 tls1_export_keying_material, 151 0, 152 SSL3_HM_HEADER_LENGTH, 153 ssl3_set_handshake_header, 154 ssl3_handshake_write 155 }; 156 157 SSL3_ENC_METHOD TLSv1_1_enc_data = { 158 tls1_enc, 159 tls1_mac, 160 tls1_setup_key_block, 161 tls1_generate_master_secret, 162 tls1_change_cipher_state, 163 tls1_final_finish_mac, 164 TLS1_FINISH_MAC_LENGTH, 165 tls1_cert_verify_mac, 166 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 167 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 168 tls1_alert_code, 169 tls1_export_keying_material, 170 SSL_ENC_FLAG_EXPLICIT_IV, 171 SSL3_HM_HEADER_LENGTH, 172 ssl3_set_handshake_header, 173 ssl3_handshake_write 174 }; 175 176 SSL3_ENC_METHOD TLSv1_2_enc_data = { 177 tls1_enc, 178 tls1_mac, 179 tls1_setup_key_block, 180 tls1_generate_master_secret, 181 tls1_change_cipher_state, 182 tls1_final_finish_mac, 183 TLS1_FINISH_MAC_LENGTH, 184 tls1_cert_verify_mac, 185 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 186 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 187 tls1_alert_code, 188 tls1_export_keying_material, 189 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF 190 | SSL_ENC_FLAG_TLS1_2_CIPHERS, 191 SSL3_HM_HEADER_LENGTH, 192 ssl3_set_handshake_header, 193 ssl3_handshake_write 194 }; 195 196 long tls1_default_timeout(void) 197 { 198 /* 199 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 200 * http, the cache would over fill 201 */ 202 return (60 * 60 * 2); 203 } 204 205 int tls1_new(SSL *s) 206 { 207 if (!ssl3_new(s)) 208 return (0); 209 s->method->ssl_clear(s); 210 return (1); 211 } 212 213 void tls1_free(SSL *s) 214 { 215 #ifndef OPENSSL_NO_TLSEXT 216 if (s->tlsext_session_ticket) { 217 OPENSSL_free(s->tlsext_session_ticket); 218 } 219 #endif /* OPENSSL_NO_TLSEXT */ 220 ssl3_free(s); 221 } 222 223 void tls1_clear(SSL *s) 224 { 225 ssl3_clear(s); 226 s->version = s->method->version; 227 } 228 229 #ifndef OPENSSL_NO_EC 230 231 static int nid_list[] = { 232 NID_sect163k1, /* sect163k1 (1) */ 233 NID_sect163r1, /* sect163r1 (2) */ 234 NID_sect163r2, /* sect163r2 (3) */ 235 NID_sect193r1, /* sect193r1 (4) */ 236 NID_sect193r2, /* sect193r2 (5) */ 237 NID_sect233k1, /* sect233k1 (6) */ 238 NID_sect233r1, /* sect233r1 (7) */ 239 NID_sect239k1, /* sect239k1 (8) */ 240 NID_sect283k1, /* sect283k1 (9) */ 241 NID_sect283r1, /* sect283r1 (10) */ 242 NID_sect409k1, /* sect409k1 (11) */ 243 NID_sect409r1, /* sect409r1 (12) */ 244 NID_sect571k1, /* sect571k1 (13) */ 245 NID_sect571r1, /* sect571r1 (14) */ 246 NID_secp160k1, /* secp160k1 (15) */ 247 NID_secp160r1, /* secp160r1 (16) */ 248 NID_secp160r2, /* secp160r2 (17) */ 249 NID_secp192k1, /* secp192k1 (18) */ 250 NID_X9_62_prime192v1, /* secp192r1 (19) */ 251 NID_secp224k1, /* secp224k1 (20) */ 252 NID_secp224r1, /* secp224r1 (21) */ 253 NID_secp256k1, /* secp256k1 (22) */ 254 NID_X9_62_prime256v1, /* secp256r1 (23) */ 255 NID_secp384r1, /* secp384r1 (24) */ 256 NID_secp521r1, /* secp521r1 (25) */ 257 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 258 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 259 NID_brainpoolP512r1 /* brainpool512r1 (28) */ 260 }; 261 262 static const unsigned char ecformats_default[] = { 263 TLSEXT_ECPOINTFORMAT_uncompressed, 264 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 265 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 266 }; 267 268 /* The client's default curves / the server's 'auto' curves. */ 269 static const unsigned char eccurves_auto[] = { 270 /* Prefer P-256 which has the fastest and most secure implementations. */ 271 0, 23, /* secp256r1 (23) */ 272 /* Other >= 256-bit prime curves. */ 273 0, 25, /* secp521r1 (25) */ 274 0, 28, /* brainpool512r1 (28) */ 275 0, 27, /* brainpoolP384r1 (27) */ 276 0, 24, /* secp384r1 (24) */ 277 0, 26, /* brainpoolP256r1 (26) */ 278 0, 22, /* secp256k1 (22) */ 279 # ifndef OPENSSL_NO_EC2M 280 /* >= 256-bit binary curves. */ 281 0, 14, /* sect571r1 (14) */ 282 0, 13, /* sect571k1 (13) */ 283 0, 11, /* sect409k1 (11) */ 284 0, 12, /* sect409r1 (12) */ 285 0, 9, /* sect283k1 (9) */ 286 0, 10, /* sect283r1 (10) */ 287 # endif 288 }; 289 290 static const unsigned char eccurves_all[] = { 291 /* Prefer P-256 which has the fastest and most secure implementations. */ 292 0, 23, /* secp256r1 (23) */ 293 /* Other >= 256-bit prime curves. */ 294 0, 25, /* secp521r1 (25) */ 295 0, 28, /* brainpool512r1 (28) */ 296 0, 27, /* brainpoolP384r1 (27) */ 297 0, 24, /* secp384r1 (24) */ 298 0, 26, /* brainpoolP256r1 (26) */ 299 0, 22, /* secp256k1 (22) */ 300 # ifndef OPENSSL_NO_EC2M 301 /* >= 256-bit binary curves. */ 302 0, 14, /* sect571r1 (14) */ 303 0, 13, /* sect571k1 (13) */ 304 0, 11, /* sect409k1 (11) */ 305 0, 12, /* sect409r1 (12) */ 306 0, 9, /* sect283k1 (9) */ 307 0, 10, /* sect283r1 (10) */ 308 # endif 309 /* 310 * Remaining curves disabled by default but still permitted if set 311 * via an explicit callback or parameters. 312 */ 313 0, 20, /* secp224k1 (20) */ 314 0, 21, /* secp224r1 (21) */ 315 0, 18, /* secp192k1 (18) */ 316 0, 19, /* secp192r1 (19) */ 317 0, 15, /* secp160k1 (15) */ 318 0, 16, /* secp160r1 (16) */ 319 0, 17, /* secp160r2 (17) */ 320 # ifndef OPENSSL_NO_EC2M 321 0, 8, /* sect239k1 (8) */ 322 0, 6, /* sect233k1 (6) */ 323 0, 7, /* sect233r1 (7) */ 324 0, 4, /* sect193r1 (4) */ 325 0, 5, /* sect193r2 (5) */ 326 0, 1, /* sect163k1 (1) */ 327 0, 2, /* sect163r1 (2) */ 328 0, 3, /* sect163r2 (3) */ 329 # endif 330 }; 331 332 static const unsigned char suiteb_curves[] = { 333 0, TLSEXT_curve_P_256, 334 0, TLSEXT_curve_P_384 335 }; 336 337 # ifdef OPENSSL_FIPS 338 /* Brainpool not allowed in FIPS mode */ 339 static const unsigned char fips_curves_default[] = { 340 # ifndef OPENSSL_NO_EC2M 341 0, 14, /* sect571r1 (14) */ 342 0, 13, /* sect571k1 (13) */ 343 # endif 344 0, 25, /* secp521r1 (25) */ 345 # ifndef OPENSSL_NO_EC2M 346 0, 11, /* sect409k1 (11) */ 347 0, 12, /* sect409r1 (12) */ 348 # endif 349 0, 24, /* secp384r1 (24) */ 350 # ifndef OPENSSL_NO_EC2M 351 0, 9, /* sect283k1 (9) */ 352 0, 10, /* sect283r1 (10) */ 353 # endif 354 0, 22, /* secp256k1 (22) */ 355 0, 23, /* secp256r1 (23) */ 356 # ifndef OPENSSL_NO_EC2M 357 0, 8, /* sect239k1 (8) */ 358 0, 6, /* sect233k1 (6) */ 359 0, 7, /* sect233r1 (7) */ 360 # endif 361 0, 20, /* secp224k1 (20) */ 362 0, 21, /* secp224r1 (21) */ 363 # ifndef OPENSSL_NO_EC2M 364 0, 4, /* sect193r1 (4) */ 365 0, 5, /* sect193r2 (5) */ 366 # endif 367 0, 18, /* secp192k1 (18) */ 368 0, 19, /* secp192r1 (19) */ 369 # ifndef OPENSSL_NO_EC2M 370 0, 1, /* sect163k1 (1) */ 371 0, 2, /* sect163r1 (2) */ 372 0, 3, /* sect163r2 (3) */ 373 # endif 374 0, 15, /* secp160k1 (15) */ 375 0, 16, /* secp160r1 (16) */ 376 0, 17, /* secp160r2 (17) */ 377 }; 378 # endif 379 380 int tls1_ec_curve_id2nid(int curve_id) 381 { 382 /* ECC curves from RFC 4492 and RFC 7027 */ 383 if ((curve_id < 1) || ((unsigned int)curve_id > 384 sizeof(nid_list) / sizeof(nid_list[0]))) 385 return 0; 386 return nid_list[curve_id - 1]; 387 } 388 389 int tls1_ec_nid2curve_id(int nid) 390 { 391 /* ECC curves from RFC 4492 and RFC 7027 */ 392 switch (nid) { 393 case NID_sect163k1: /* sect163k1 (1) */ 394 return 1; 395 case NID_sect163r1: /* sect163r1 (2) */ 396 return 2; 397 case NID_sect163r2: /* sect163r2 (3) */ 398 return 3; 399 case NID_sect193r1: /* sect193r1 (4) */ 400 return 4; 401 case NID_sect193r2: /* sect193r2 (5) */ 402 return 5; 403 case NID_sect233k1: /* sect233k1 (6) */ 404 return 6; 405 case NID_sect233r1: /* sect233r1 (7) */ 406 return 7; 407 case NID_sect239k1: /* sect239k1 (8) */ 408 return 8; 409 case NID_sect283k1: /* sect283k1 (9) */ 410 return 9; 411 case NID_sect283r1: /* sect283r1 (10) */ 412 return 10; 413 case NID_sect409k1: /* sect409k1 (11) */ 414 return 11; 415 case NID_sect409r1: /* sect409r1 (12) */ 416 return 12; 417 case NID_sect571k1: /* sect571k1 (13) */ 418 return 13; 419 case NID_sect571r1: /* sect571r1 (14) */ 420 return 14; 421 case NID_secp160k1: /* secp160k1 (15) */ 422 return 15; 423 case NID_secp160r1: /* secp160r1 (16) */ 424 return 16; 425 case NID_secp160r2: /* secp160r2 (17) */ 426 return 17; 427 case NID_secp192k1: /* secp192k1 (18) */ 428 return 18; 429 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 430 return 19; 431 case NID_secp224k1: /* secp224k1 (20) */ 432 return 20; 433 case NID_secp224r1: /* secp224r1 (21) */ 434 return 21; 435 case NID_secp256k1: /* secp256k1 (22) */ 436 return 22; 437 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 438 return 23; 439 case NID_secp384r1: /* secp384r1 (24) */ 440 return 24; 441 case NID_secp521r1: /* secp521r1 (25) */ 442 return 25; 443 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 444 return 26; 445 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 446 return 27; 447 case NID_brainpoolP512r1: /* brainpool512r1 (28) */ 448 return 28; 449 default: 450 return 0; 451 } 452 } 453 454 /* 455 * Get curves list, if "sess" is set return client curves otherwise 456 * preferred list. 457 * Sets |num_curves| to the number of curves in the list, i.e., 458 * the length of |pcurves| is 2 * num_curves. 459 * Returns 1 on success and 0 if the client curves list has invalid format. 460 * The latter indicates an internal error: we should not be accepting such 461 * lists in the first place. 462 * TODO(emilia): we should really be storing the curves list in explicitly 463 * parsed form instead. (However, this would affect binary compatibility 464 * so cannot happen in the 1.0.x series.) 465 */ 466 static int tls1_get_curvelist(SSL *s, int sess, 467 const unsigned char **pcurves, 468 size_t *num_curves) 469 { 470 size_t pcurveslen = 0; 471 if (sess) { 472 *pcurves = s->session->tlsext_ellipticcurvelist; 473 pcurveslen = s->session->tlsext_ellipticcurvelist_length; 474 } else { 475 /* For Suite B mode only include P-256, P-384 */ 476 switch (tls1_suiteb(s)) { 477 case SSL_CERT_FLAG_SUITEB_128_LOS: 478 *pcurves = suiteb_curves; 479 pcurveslen = sizeof(suiteb_curves); 480 break; 481 482 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 483 *pcurves = suiteb_curves; 484 pcurveslen = 2; 485 break; 486 487 case SSL_CERT_FLAG_SUITEB_192_LOS: 488 *pcurves = suiteb_curves + 2; 489 pcurveslen = 2; 490 break; 491 default: 492 *pcurves = s->tlsext_ellipticcurvelist; 493 pcurveslen = s->tlsext_ellipticcurvelist_length; 494 } 495 if (!*pcurves) { 496 # ifdef OPENSSL_FIPS 497 if (FIPS_mode()) { 498 *pcurves = fips_curves_default; 499 pcurveslen = sizeof(fips_curves_default); 500 } else 501 # endif 502 { 503 if (!s->server || s->cert->ecdh_tmp_auto) { 504 *pcurves = eccurves_auto; 505 pcurveslen = sizeof(eccurves_auto); 506 } else { 507 *pcurves = eccurves_all; 508 pcurveslen = sizeof(eccurves_all); 509 } 510 } 511 } 512 } 513 /* We do not allow odd length arrays to enter the system. */ 514 if (pcurveslen & 1) { 515 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR); 516 *num_curves = 0; 517 return 0; 518 } else { 519 *num_curves = pcurveslen / 2; 520 return 1; 521 } 522 } 523 524 /* Check a curve is one of our preferences */ 525 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) 526 { 527 const unsigned char *curves; 528 size_t num_curves, i; 529 unsigned int suiteb_flags = tls1_suiteb(s); 530 if (len != 3 || p[0] != NAMED_CURVE_TYPE) 531 return 0; 532 /* Check curve matches Suite B preferences */ 533 if (suiteb_flags) { 534 unsigned long cid = s->s3->tmp.new_cipher->id; 535 if (p[1]) 536 return 0; 537 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { 538 if (p[2] != TLSEXT_curve_P_256) 539 return 0; 540 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { 541 if (p[2] != TLSEXT_curve_P_384) 542 return 0; 543 } else /* Should never happen */ 544 return 0; 545 } 546 if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) 547 return 0; 548 for (i = 0; i < num_curves; i++, curves += 2) { 549 if (p[1] == curves[0] && p[2] == curves[1]) 550 return 1; 551 } 552 return 0; 553 } 554 555 /*- 556 * Return |nmatch|th shared curve or NID_undef if there is no match. 557 * For nmatch == -1, return number of matches 558 * For nmatch == -2, return the NID of the curve to use for 559 * an EC tmp key, or NID_undef if there is no match. 560 */ 561 int tls1_shared_curve(SSL *s, int nmatch) 562 { 563 const unsigned char *pref, *supp; 564 size_t num_pref, num_supp, i, j; 565 int k; 566 /* Can't do anything on client side */ 567 if (s->server == 0) 568 return -1; 569 if (nmatch == -2) { 570 if (tls1_suiteb(s)) { 571 /* 572 * For Suite B ciphersuite determines curve: we already know 573 * these are acceptable due to previous checks. 574 */ 575 unsigned long cid = s->s3->tmp.new_cipher->id; 576 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 577 return NID_X9_62_prime256v1; /* P-256 */ 578 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 579 return NID_secp384r1; /* P-384 */ 580 /* Should never happen */ 581 return NID_undef; 582 } 583 /* If not Suite B just return first preference shared curve */ 584 nmatch = 0; 585 } 586 /* 587 * Avoid truncation. tls1_get_curvelist takes an int 588 * but s->options is a long... 589 */ 590 if (!tls1_get_curvelist 591 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp, 592 &num_supp)) 593 /* In practice, NID_undef == 0 but let's be precise. */ 594 return nmatch == -1 ? 0 : NID_undef; 595 if (!tls1_get_curvelist 596 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, 597 &num_pref)) 598 return nmatch == -1 ? 0 : NID_undef; 599 600 /* 601 * If the client didn't send the elliptic_curves extension all of them 602 * are allowed. 603 */ 604 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) { 605 supp = eccurves_all; 606 num_supp = sizeof(eccurves_all) / 2; 607 } else if (num_pref == 0 && 608 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) { 609 pref = eccurves_all; 610 num_pref = sizeof(eccurves_all) / 2; 611 } 612 613 k = 0; 614 for (i = 0; i < num_pref; i++, pref += 2) { 615 const unsigned char *tsupp = supp; 616 for (j = 0; j < num_supp; j++, tsupp += 2) { 617 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { 618 if (nmatch == k) { 619 int id = (pref[0] << 8) | pref[1]; 620 return tls1_ec_curve_id2nid(id); 621 } 622 k++; 623 } 624 } 625 } 626 if (nmatch == -1) 627 return k; 628 /* Out of range (nmatch > k). */ 629 return NID_undef; 630 } 631 632 int tls1_set_curves(unsigned char **pext, size_t *pextlen, 633 int *curves, size_t ncurves) 634 { 635 unsigned char *clist, *p; 636 size_t i; 637 /* 638 * Bitmap of curves included to detect duplicates: only works while curve 639 * ids < 32 640 */ 641 unsigned long dup_list = 0; 642 # ifdef OPENSSL_NO_EC2M 643 EC_GROUP *curve; 644 # endif 645 646 clist = OPENSSL_malloc(ncurves * 2); 647 if (!clist) 648 return 0; 649 for (i = 0, p = clist; i < ncurves; i++) { 650 unsigned long idmask; 651 int id; 652 id = tls1_ec_nid2curve_id(curves[i]); 653 # ifdef OPENSSL_FIPS 654 /* NB: 25 is last curve ID supported by FIPS module */ 655 if (FIPS_mode() && id > 25) { 656 OPENSSL_free(clist); 657 return 0; 658 } 659 # endif 660 # ifdef OPENSSL_NO_EC2M 661 curve = EC_GROUP_new_by_curve_name(curves[i]); 662 if (!curve || EC_METHOD_get_field_type(EC_GROUP_method_of(curve)) 663 == NID_X9_62_characteristic_two_field) { 664 if (curve) 665 EC_GROUP_free(curve); 666 OPENSSL_free(clist); 667 return 0; 668 } else 669 EC_GROUP_free(curve); 670 # endif 671 idmask = 1L << id; 672 if (!id || (dup_list & idmask)) { 673 OPENSSL_free(clist); 674 return 0; 675 } 676 dup_list |= idmask; 677 s2n(id, p); 678 } 679 if (*pext) 680 OPENSSL_free(*pext); 681 *pext = clist; 682 *pextlen = ncurves * 2; 683 return 1; 684 } 685 686 # define MAX_CURVELIST 28 687 688 typedef struct { 689 size_t nidcnt; 690 int nid_arr[MAX_CURVELIST]; 691 } nid_cb_st; 692 693 static int nid_cb(const char *elem, int len, void *arg) 694 { 695 nid_cb_st *narg = arg; 696 size_t i; 697 int nid; 698 char etmp[20]; 699 if (elem == NULL) 700 return 0; 701 if (narg->nidcnt == MAX_CURVELIST) 702 return 0; 703 if (len > (int)(sizeof(etmp) - 1)) 704 return 0; 705 memcpy(etmp, elem, len); 706 etmp[len] = 0; 707 nid = EC_curve_nist2nid(etmp); 708 if (nid == NID_undef) 709 nid = OBJ_sn2nid(etmp); 710 if (nid == NID_undef) 711 nid = OBJ_ln2nid(etmp); 712 if (nid == NID_undef) 713 return 0; 714 for (i = 0; i < narg->nidcnt; i++) 715 if (narg->nid_arr[i] == nid) 716 return 0; 717 narg->nid_arr[narg->nidcnt++] = nid; 718 return 1; 719 } 720 721 /* Set curves based on a colon separate list */ 722 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 723 const char *str) 724 { 725 nid_cb_st ncb; 726 ncb.nidcnt = 0; 727 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb)) 728 return 0; 729 if (pext == NULL) 730 return 1; 731 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt); 732 } 733 734 /* For an EC key set TLS id and required compression based on parameters */ 735 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, 736 EC_KEY *ec) 737 { 738 int is_prime, id; 739 const EC_GROUP *grp; 740 const EC_METHOD *meth; 741 if (!ec) 742 return 0; 743 /* Determine if it is a prime field */ 744 grp = EC_KEY_get0_group(ec); 745 if (!grp) 746 return 0; 747 meth = EC_GROUP_method_of(grp); 748 if (!meth) 749 return 0; 750 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 751 is_prime = 1; 752 else 753 is_prime = 0; 754 /* Determine curve ID */ 755 id = EC_GROUP_get_curve_name(grp); 756 id = tls1_ec_nid2curve_id(id); 757 /* If we have an ID set it, otherwise set arbitrary explicit curve */ 758 if (id) { 759 curve_id[0] = 0; 760 curve_id[1] = (unsigned char)id; 761 } else { 762 curve_id[0] = 0xff; 763 if (is_prime) 764 curve_id[1] = 0x01; 765 else 766 curve_id[1] = 0x02; 767 } 768 if (comp_id) { 769 if (EC_KEY_get0_public_key(ec) == NULL) 770 return 0; 771 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 772 if (is_prime) 773 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 774 else 775 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 776 } else 777 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 778 } 779 return 1; 780 } 781 782 /* Check an EC key is compatible with extensions */ 783 static int tls1_check_ec_key(SSL *s, 784 unsigned char *curve_id, unsigned char *comp_id) 785 { 786 const unsigned char *pformats, *pcurves; 787 size_t num_formats, num_curves, i; 788 int j; 789 /* 790 * If point formats extension present check it, otherwise everything is 791 * supported (see RFC4492). 792 */ 793 if (comp_id && s->session->tlsext_ecpointformatlist) { 794 pformats = s->session->tlsext_ecpointformatlist; 795 num_formats = s->session->tlsext_ecpointformatlist_length; 796 for (i = 0; i < num_formats; i++, pformats++) { 797 if (*comp_id == *pformats) 798 break; 799 } 800 if (i == num_formats) 801 return 0; 802 } 803 if (!curve_id) 804 return 1; 805 /* Check curve is consistent with client and server preferences */ 806 for (j = 0; j <= 1; j++) { 807 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) 808 return 0; 809 if (j == 1 && num_curves == 0) { 810 /* 811 * If we've not received any curves then skip this check. 812 * RFC 4492 does not require the supported elliptic curves extension 813 * so if it is not sent we can just choose any curve. 814 * It is invalid to send an empty list in the elliptic curves 815 * extension, so num_curves == 0 always means no extension. 816 */ 817 break; 818 } 819 for (i = 0; i < num_curves; i++, pcurves += 2) { 820 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1]) 821 break; 822 } 823 if (i == num_curves) 824 return 0; 825 /* For clients can only check sent curve list */ 826 if (!s->server) 827 return 1; 828 } 829 return 1; 830 } 831 832 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, 833 size_t *num_formats) 834 { 835 /* 836 * If we have a custom point format list use it otherwise use default 837 */ 838 if (s->tlsext_ecpointformatlist) { 839 *pformats = s->tlsext_ecpointformatlist; 840 *num_formats = s->tlsext_ecpointformatlist_length; 841 } else { 842 *pformats = ecformats_default; 843 /* For Suite B we don't support char2 fields */ 844 if (tls1_suiteb(s)) 845 *num_formats = sizeof(ecformats_default) - 1; 846 else 847 *num_formats = sizeof(ecformats_default); 848 } 849 } 850 851 /* 852 * Check cert parameters compatible with extensions: currently just checks EC 853 * certificates have compatible curves and compression. 854 */ 855 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) 856 { 857 unsigned char comp_id, curve_id[2]; 858 EVP_PKEY *pkey; 859 int rv; 860 pkey = X509_get_pubkey(x); 861 if (!pkey) 862 return 0; 863 /* If not EC nothing to do */ 864 if (pkey->type != EVP_PKEY_EC) { 865 EVP_PKEY_free(pkey); 866 return 1; 867 } 868 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); 869 EVP_PKEY_free(pkey); 870 if (!rv) 871 return 0; 872 /* 873 * Can't check curve_id for client certs as we don't have a supported 874 * curves extension. 875 */ 876 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); 877 if (!rv) 878 return 0; 879 /* 880 * Special case for suite B. We *MUST* sign using SHA256+P-256 or 881 * SHA384+P-384, adjust digest if necessary. 882 */ 883 if (set_ee_md && tls1_suiteb(s)) { 884 int check_md; 885 size_t i; 886 CERT *c = s->cert; 887 if (curve_id[0]) 888 return 0; 889 /* Check to see we have necessary signing algorithm */ 890 if (curve_id[1] == TLSEXT_curve_P_256) 891 check_md = NID_ecdsa_with_SHA256; 892 else if (curve_id[1] == TLSEXT_curve_P_384) 893 check_md = NID_ecdsa_with_SHA384; 894 else 895 return 0; /* Should never happen */ 896 for (i = 0; i < c->shared_sigalgslen; i++) 897 if (check_md == c->shared_sigalgs[i].signandhash_nid) 898 break; 899 if (i == c->shared_sigalgslen) 900 return 0; 901 if (set_ee_md == 2) { 902 if (check_md == NID_ecdsa_with_SHA256) 903 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256(); 904 else 905 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384(); 906 } 907 } 908 return rv; 909 } 910 911 # ifndef OPENSSL_NO_ECDH 912 /* Check EC temporary key is compatible with client extensions */ 913 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) 914 { 915 unsigned char curve_id[2]; 916 EC_KEY *ec = s->cert->ecdh_tmp; 917 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL 918 /* Allow any curve: not just those peer supports */ 919 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) 920 return 1; 921 # endif 922 /* 923 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other 924 * curves permitted. 925 */ 926 if (tls1_suiteb(s)) { 927 /* Curve to check determined by ciphersuite */ 928 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 929 curve_id[1] = TLSEXT_curve_P_256; 930 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 931 curve_id[1] = TLSEXT_curve_P_384; 932 else 933 return 0; 934 curve_id[0] = 0; 935 /* Check this curve is acceptable */ 936 if (!tls1_check_ec_key(s, curve_id, NULL)) 937 return 0; 938 /* If auto or setting curve from callback assume OK */ 939 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb) 940 return 1; 941 /* Otherwise check curve is acceptable */ 942 else { 943 unsigned char curve_tmp[2]; 944 if (!ec) 945 return 0; 946 if (!tls1_set_ec_id(curve_tmp, NULL, ec)) 947 return 0; 948 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1]) 949 return 1; 950 return 0; 951 } 952 953 } 954 if (s->cert->ecdh_tmp_auto) { 955 /* Need a shared curve */ 956 if (tls1_shared_curve(s, 0)) 957 return 1; 958 else 959 return 0; 960 } 961 if (!ec) { 962 if (s->cert->ecdh_tmp_cb) 963 return 1; 964 else 965 return 0; 966 } 967 if (!tls1_set_ec_id(curve_id, NULL, ec)) 968 return 0; 969 /* Set this to allow use of invalid curves for testing */ 970 # if 0 971 return 1; 972 # else 973 return tls1_check_ec_key(s, curve_id, NULL); 974 # endif 975 } 976 # endif /* OPENSSL_NO_ECDH */ 977 978 #else 979 980 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) 981 { 982 return 1; 983 } 984 985 #endif /* OPENSSL_NO_EC */ 986 987 #ifndef OPENSSL_NO_TLSEXT 988 989 /* 990 * List of supported signature algorithms and hashes. Should make this 991 * customisable at some point, for now include everything we support. 992 */ 993 994 # ifdef OPENSSL_NO_RSA 995 # define tlsext_sigalg_rsa(md) /* */ 996 # else 997 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 998 # endif 999 1000 # ifdef OPENSSL_NO_DSA 1001 # define tlsext_sigalg_dsa(md) /* */ 1002 # else 1003 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 1004 # endif 1005 1006 # ifdef OPENSSL_NO_ECDSA 1007 # define tlsext_sigalg_ecdsa(md) 1008 /* */ 1009 # else 1010 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 1011 # endif 1012 1013 # define tlsext_sigalg(md) \ 1014 tlsext_sigalg_rsa(md) \ 1015 tlsext_sigalg_dsa(md) \ 1016 tlsext_sigalg_ecdsa(md) 1017 1018 static unsigned char tls12_sigalgs[] = { 1019 # ifndef OPENSSL_NO_SHA512 1020 tlsext_sigalg(TLSEXT_hash_sha512) 1021 tlsext_sigalg(TLSEXT_hash_sha384) 1022 # endif 1023 # ifndef OPENSSL_NO_SHA256 1024 tlsext_sigalg(TLSEXT_hash_sha256) 1025 tlsext_sigalg(TLSEXT_hash_sha224) 1026 # endif 1027 # ifndef OPENSSL_NO_SHA 1028 tlsext_sigalg(TLSEXT_hash_sha1) 1029 # endif 1030 }; 1031 1032 # ifndef OPENSSL_NO_ECDSA 1033 static unsigned char suiteb_sigalgs[] = { 1034 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) 1035 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) 1036 }; 1037 # endif 1038 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) 1039 { 1040 /* 1041 * If Suite B mode use Suite B sigalgs only, ignore any other 1042 * preferences. 1043 */ 1044 # ifndef OPENSSL_NO_EC 1045 switch (tls1_suiteb(s)) { 1046 case SSL_CERT_FLAG_SUITEB_128_LOS: 1047 *psigs = suiteb_sigalgs; 1048 return sizeof(suiteb_sigalgs); 1049 1050 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1051 *psigs = suiteb_sigalgs; 1052 return 2; 1053 1054 case SSL_CERT_FLAG_SUITEB_192_LOS: 1055 *psigs = suiteb_sigalgs + 2; 1056 return 2; 1057 } 1058 # endif 1059 /* If server use client authentication sigalgs if not NULL */ 1060 if (s->server && s->cert->client_sigalgs) { 1061 *psigs = s->cert->client_sigalgs; 1062 return s->cert->client_sigalgslen; 1063 } else if (s->cert->conf_sigalgs) { 1064 *psigs = s->cert->conf_sigalgs; 1065 return s->cert->conf_sigalgslen; 1066 } else { 1067 *psigs = tls12_sigalgs; 1068 return sizeof(tls12_sigalgs); 1069 } 1070 } 1071 1072 /* 1073 * Check signature algorithm is consistent with sent supported signature 1074 * algorithms and if so return relevant digest. 1075 */ 1076 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, 1077 const unsigned char *sig, EVP_PKEY *pkey) 1078 { 1079 const unsigned char *sent_sigs; 1080 size_t sent_sigslen, i; 1081 int sigalg = tls12_get_sigid(pkey); 1082 /* Should never happen */ 1083 if (sigalg == -1) 1084 return -1; 1085 /* Check key type is consistent with signature */ 1086 if (sigalg != (int)sig[1]) { 1087 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); 1088 return 0; 1089 } 1090 # ifndef OPENSSL_NO_EC 1091 if (pkey->type == EVP_PKEY_EC) { 1092 unsigned char curve_id[2], comp_id; 1093 /* Check compression and curve matches extensions */ 1094 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec)) 1095 return 0; 1096 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { 1097 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); 1098 return 0; 1099 } 1100 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */ 1101 if (tls1_suiteb(s)) { 1102 if (curve_id[0]) 1103 return 0; 1104 if (curve_id[1] == TLSEXT_curve_P_256) { 1105 if (sig[0] != TLSEXT_hash_sha256) { 1106 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, 1107 SSL_R_ILLEGAL_SUITEB_DIGEST); 1108 return 0; 1109 } 1110 } else if (curve_id[1] == TLSEXT_curve_P_384) { 1111 if (sig[0] != TLSEXT_hash_sha384) { 1112 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, 1113 SSL_R_ILLEGAL_SUITEB_DIGEST); 1114 return 0; 1115 } 1116 } else 1117 return 0; 1118 } 1119 } else if (tls1_suiteb(s)) 1120 return 0; 1121 # endif 1122 1123 /* Check signature matches a type we sent */ 1124 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); 1125 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) { 1126 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1]) 1127 break; 1128 } 1129 /* Allow fallback to SHA1 if not strict mode */ 1130 if (i == sent_sigslen 1131 && (sig[0] != TLSEXT_hash_sha1 1132 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 1133 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); 1134 return 0; 1135 } 1136 *pmd = tls12_get_hash(sig[0]); 1137 if (*pmd == NULL) { 1138 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST); 1139 return 0; 1140 } 1141 /* 1142 * Store the digest used so applications can retrieve it if they wish. 1143 */ 1144 if (s->session && s->session->sess_cert) 1145 s->session->sess_cert->peer_key->digest = *pmd; 1146 return 1; 1147 } 1148 1149 /* 1150 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't 1151 * supported or doesn't appear in supported signature algorithms. Unlike 1152 * ssl_cipher_get_disabled this applies to a specific session and not global 1153 * settings. 1154 */ 1155 void ssl_set_client_disabled(SSL *s) 1156 { 1157 CERT *c = s->cert; 1158 const unsigned char *sigalgs; 1159 size_t i, sigalgslen; 1160 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; 1161 c->mask_a = 0; 1162 c->mask_k = 0; 1163 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ 1164 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) 1165 c->mask_ssl = SSL_TLSV1_2; 1166 else 1167 c->mask_ssl = 0; 1168 /* 1169 * Now go through all signature algorithms seeing if we support any for 1170 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. 1171 */ 1172 sigalgslen = tls12_get_psigalgs(s, &sigalgs); 1173 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { 1174 switch (sigalgs[1]) { 1175 # ifndef OPENSSL_NO_RSA 1176 case TLSEXT_signature_rsa: 1177 have_rsa = 1; 1178 break; 1179 # endif 1180 # ifndef OPENSSL_NO_DSA 1181 case TLSEXT_signature_dsa: 1182 have_dsa = 1; 1183 break; 1184 # endif 1185 # ifndef OPENSSL_NO_ECDSA 1186 case TLSEXT_signature_ecdsa: 1187 have_ecdsa = 1; 1188 break; 1189 # endif 1190 } 1191 } 1192 /* 1193 * Disable auth and static DH if we don't include any appropriate 1194 * signature algorithms. 1195 */ 1196 if (!have_rsa) { 1197 c->mask_a |= SSL_aRSA; 1198 c->mask_k |= SSL_kDHr | SSL_kECDHr; 1199 } 1200 if (!have_dsa) { 1201 c->mask_a |= SSL_aDSS; 1202 c->mask_k |= SSL_kDHd; 1203 } 1204 if (!have_ecdsa) { 1205 c->mask_a |= SSL_aECDSA; 1206 c->mask_k |= SSL_kECDHe; 1207 } 1208 # ifndef OPENSSL_NO_KRB5 1209 if (!kssl_tgt_is_available(s->kssl_ctx)) { 1210 c->mask_a |= SSL_aKRB5; 1211 c->mask_k |= SSL_kKRB5; 1212 } 1213 # endif 1214 # ifndef OPENSSL_NO_PSK 1215 /* with PSK there must be client callback set */ 1216 if (!s->psk_client_callback) { 1217 c->mask_a |= SSL_aPSK; 1218 c->mask_k |= SSL_kPSK; 1219 } 1220 # endif /* OPENSSL_NO_PSK */ 1221 # ifndef OPENSSL_NO_SRP 1222 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { 1223 c->mask_a |= SSL_aSRP; 1224 c->mask_k |= SSL_kSRP; 1225 } 1226 # endif 1227 c->valid = 1; 1228 } 1229 1230 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, 1231 unsigned char *limit, int *al) 1232 { 1233 int extdatalen = 0; 1234 unsigned char *orig = buf; 1235 unsigned char *ret = buf; 1236 # ifndef OPENSSL_NO_EC 1237 /* See if we support any ECC ciphersuites */ 1238 int using_ecc = 0; 1239 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { 1240 int i; 1241 unsigned long alg_k, alg_a; 1242 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1243 1244 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 1245 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1246 1247 alg_k = c->algorithm_mkey; 1248 alg_a = c->algorithm_auth; 1249 if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe) 1250 || (alg_a & SSL_aECDSA))) { 1251 using_ecc = 1; 1252 break; 1253 } 1254 } 1255 } 1256 # endif 1257 1258 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 1259 if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) 1260 return orig; 1261 1262 ret += 2; 1263 1264 if (ret >= limit) 1265 return NULL; /* this really never occurs, but ... */ 1266 1267 if (s->tlsext_hostname != NULL) { 1268 /* Add TLS extension servername to the Client Hello message */ 1269 size_t size_str; 1270 1271 /*- 1272 * check for enough space. 1273 * 4 for the servername type and entension length 1274 * 2 for servernamelist length 1275 * 1 for the hostname type 1276 * 2 for hostname length 1277 * + hostname length 1278 */ 1279 size_str = strlen(s->tlsext_hostname); 1280 if (CHECKLEN(ret, 9 + size_str, limit)) 1281 return NULL; 1282 1283 /* extension type and length */ 1284 s2n(TLSEXT_TYPE_server_name, ret); 1285 s2n(size_str + 5, ret); 1286 1287 /* length of servername list */ 1288 s2n(size_str + 3, ret); 1289 1290 /* hostname type, length and hostname */ 1291 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 1292 s2n(size_str, ret); 1293 memcpy(ret, s->tlsext_hostname, size_str); 1294 ret += size_str; 1295 } 1296 1297 /* Add RI if renegotiating */ 1298 if (s->renegotiate) { 1299 int el; 1300 1301 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 1302 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1303 return NULL; 1304 } 1305 1306 if ((limit - ret - 4 - el) < 0) 1307 return NULL; 1308 1309 s2n(TLSEXT_TYPE_renegotiate, ret); 1310 s2n(el, ret); 1311 1312 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 1313 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1314 return NULL; 1315 } 1316 1317 ret += el; 1318 } 1319 # ifndef OPENSSL_NO_SRP 1320 /* Add SRP username if there is one */ 1321 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the 1322 * Client Hello message */ 1323 1324 size_t login_len = strlen(s->srp_ctx.login); 1325 if (login_len > 255 || login_len == 0) { 1326 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1327 return NULL; 1328 } 1329 1330 /*- 1331 * check for enough space. 1332 * 4 for the srp type type and entension length 1333 * 1 for the srp user identity 1334 * + srp user identity length 1335 */ 1336 if (CHECKLEN(ret, 5 + login_len, limit)) 1337 return NULL; 1338 1339 /* fill in the extension */ 1340 s2n(TLSEXT_TYPE_srp, ret); 1341 s2n(login_len + 1, ret); 1342 (*ret++) = (unsigned char)login_len; 1343 memcpy(ret, s->srp_ctx.login, login_len); 1344 ret += login_len; 1345 } 1346 # endif 1347 1348 # ifndef OPENSSL_NO_EC 1349 if (using_ecc) { 1350 /* 1351 * Add TLS extension ECPointFormats to the ClientHello message 1352 */ 1353 const unsigned char *pcurves, *pformats; 1354 size_t num_curves, num_formats, curves_list_len; 1355 1356 tls1_get_formatlist(s, &pformats, &num_formats); 1357 1358 if (num_formats > 255) { 1359 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1360 return NULL; 1361 } 1362 /*- 1363 * check for enough space. 1364 * 4 bytes for the ec point formats type and extension length 1365 * 1 byte for the length of the formats 1366 * + formats length 1367 */ 1368 if (CHECKLEN(ret, 5 + num_formats, limit)) 1369 return NULL; 1370 1371 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1372 /* The point format list has 1-byte length. */ 1373 s2n(num_formats + 1, ret); 1374 *(ret++) = (unsigned char)num_formats; 1375 memcpy(ret, pformats, num_formats); 1376 ret += num_formats; 1377 1378 /* 1379 * Add TLS extension EllipticCurves to the ClientHello message 1380 */ 1381 pcurves = s->tlsext_ellipticcurvelist; 1382 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) 1383 return NULL; 1384 1385 if (num_curves > 65532 / 2) { 1386 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1387 return NULL; 1388 } 1389 curves_list_len = 2 * num_curves; 1390 /*- 1391 * check for enough space. 1392 * 4 bytes for the ec curves type and extension length 1393 * 2 bytes for the curve list length 1394 * + curve list length 1395 */ 1396 if (CHECKLEN(ret, 6 + curves_list_len, limit)) 1397 return NULL; 1398 1399 s2n(TLSEXT_TYPE_elliptic_curves, ret); 1400 s2n(curves_list_len + 2, ret); 1401 s2n(curves_list_len, ret); 1402 memcpy(ret, pcurves, curves_list_len); 1403 ret += curves_list_len; 1404 } 1405 # endif /* OPENSSL_NO_EC */ 1406 1407 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1408 size_t ticklen; 1409 if (!s->new_session && s->session && s->session->tlsext_tick) 1410 ticklen = s->session->tlsext_ticklen; 1411 else if (s->session && s->tlsext_session_ticket && 1412 s->tlsext_session_ticket->data) { 1413 ticklen = s->tlsext_session_ticket->length; 1414 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1415 if (!s->session->tlsext_tick) 1416 return NULL; 1417 memcpy(s->session->tlsext_tick, 1418 s->tlsext_session_ticket->data, ticklen); 1419 s->session->tlsext_ticklen = ticklen; 1420 } else 1421 ticklen = 0; 1422 if (ticklen == 0 && s->tlsext_session_ticket && 1423 s->tlsext_session_ticket->data == NULL) 1424 goto skip_ext; 1425 /* 1426 * Check for enough room 2 for extension type, 2 for len rest for 1427 * ticket 1428 */ 1429 if (CHECKLEN(ret, 4 + ticklen, limit)) 1430 return NULL; 1431 s2n(TLSEXT_TYPE_session_ticket, ret); 1432 s2n(ticklen, ret); 1433 if (ticklen > 0) { 1434 memcpy(ret, s->session->tlsext_tick, ticklen); 1435 ret += ticklen; 1436 } 1437 } 1438 skip_ext: 1439 1440 if (SSL_CLIENT_USE_SIGALGS(s)) { 1441 size_t salglen; 1442 const unsigned char *salg; 1443 salglen = tls12_get_psigalgs(s, &salg); 1444 1445 /*- 1446 * check for enough space. 1447 * 4 bytes for the sigalgs type and extension length 1448 * 2 bytes for the sigalg list length 1449 * + sigalg list length 1450 */ 1451 if (CHECKLEN(ret, salglen + 6, limit)) 1452 return NULL; 1453 s2n(TLSEXT_TYPE_signature_algorithms, ret); 1454 s2n(salglen + 2, ret); 1455 s2n(salglen, ret); 1456 memcpy(ret, salg, salglen); 1457 ret += salglen; 1458 } 1459 # ifdef TLSEXT_TYPE_opaque_prf_input 1460 if (s->s3->client_opaque_prf_input != NULL) { 1461 size_t col = s->s3->client_opaque_prf_input_len; 1462 1463 if ((long)(limit - ret - 6 - col < 0)) 1464 return NULL; 1465 if (col > 0xFFFD) /* can't happen */ 1466 return NULL; 1467 1468 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 1469 s2n(col + 2, ret); 1470 s2n(col, ret); 1471 memcpy(ret, s->s3->client_opaque_prf_input, col); 1472 ret += col; 1473 } 1474 # endif 1475 1476 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1477 int i; 1478 size_t extlen, idlen; 1479 int lentmp; 1480 OCSP_RESPID *id; 1481 1482 idlen = 0; 1483 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 1484 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 1485 lentmp = i2d_OCSP_RESPID(id, NULL); 1486 if (lentmp <= 0) 1487 return NULL; 1488 idlen += (size_t)lentmp + 2; 1489 } 1490 1491 if (s->tlsext_ocsp_exts) { 1492 lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 1493 if (lentmp < 0) 1494 return NULL; 1495 extlen = (size_t)lentmp; 1496 } else 1497 extlen = 0; 1498 1499 if (extlen + idlen > 0xFFF0) 1500 return NULL; 1501 /* 1502 * 2 bytes for status request type 1503 * 2 bytes for status request len 1504 * 1 byte for OCSP request type 1505 * 2 bytes for length of ids 1506 * 2 bytes for length of extensions 1507 * + length of ids 1508 * + length of extensions 1509 */ 1510 if (CHECKLEN(ret, 9 + idlen + extlen, limit)) 1511 return NULL; 1512 1513 s2n(TLSEXT_TYPE_status_request, ret); 1514 s2n(extlen + idlen + 5, ret); 1515 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 1516 s2n(idlen, ret); 1517 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 1518 /* save position of id len */ 1519 unsigned char *q = ret; 1520 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 1521 /* skip over id len */ 1522 ret += 2; 1523 lentmp = i2d_OCSP_RESPID(id, &ret); 1524 /* write id len */ 1525 s2n(lentmp, q); 1526 } 1527 s2n(extlen, ret); 1528 if (extlen > 0) 1529 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 1530 } 1531 # ifndef OPENSSL_NO_HEARTBEATS 1532 /* Add Heartbeat extension */ 1533 1534 /*- 1535 * check for enough space. 1536 * 4 bytes for the heartbeat ext type and extension length 1537 * 1 byte for the mode 1538 */ 1539 if (CHECKLEN(ret, 5, limit)) 1540 return NULL; 1541 1542 s2n(TLSEXT_TYPE_heartbeat, ret); 1543 s2n(1, ret); 1544 /*- 1545 * Set mode: 1546 * 1: peer may send requests 1547 * 2: peer not allowed to send requests 1548 */ 1549 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 1550 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1551 else 1552 *(ret++) = SSL_TLSEXT_HB_ENABLED; 1553 # endif 1554 1555 # ifndef OPENSSL_NO_NEXTPROTONEG 1556 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 1557 /* 1558 * The client advertises an emtpy extension to indicate its support 1559 * for Next Protocol Negotiation 1560 */ 1561 1562 /*- 1563 * check for enough space. 1564 * 4 bytes for the NPN ext type and extension length 1565 */ 1566 if (CHECKLEN(ret, 4, limit)) 1567 return NULL; 1568 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1569 s2n(0, ret); 1570 } 1571 # endif 1572 1573 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { 1574 /*- 1575 * check for enough space. 1576 * 4 bytes for the ALPN type and extension length 1577 * 2 bytes for the ALPN protocol list length 1578 * + ALPN protocol list length 1579 */ 1580 if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit)) 1581 return NULL; 1582 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1583 s2n(2 + s->alpn_client_proto_list_len, ret); 1584 s2n(s->alpn_client_proto_list_len, ret); 1585 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); 1586 ret += s->alpn_client_proto_list_len; 1587 s->cert->alpn_sent = 1; 1588 } 1589 # ifndef OPENSSL_NO_SRTP 1590 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 1591 int el; 1592 1593 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 1594 1595 /*- 1596 * check for enough space. 1597 * 4 bytes for the SRTP type and extension length 1598 * + SRTP profiles length 1599 */ 1600 if (CHECKLEN(ret, 4 + el, limit)) 1601 return NULL; 1602 1603 s2n(TLSEXT_TYPE_use_srtp, ret); 1604 s2n(el, ret); 1605 1606 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 1607 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1608 return NULL; 1609 } 1610 ret += el; 1611 } 1612 # endif 1613 custom_ext_init(&s->cert->cli_ext); 1614 /* Add custom TLS Extensions to ClientHello */ 1615 if (!custom_ext_add(s, 0, &ret, limit, al)) 1616 return NULL; 1617 1618 /* 1619 * Add padding to workaround bugs in F5 terminators. See 1620 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this 1621 * code works out the length of all existing extensions it MUST always 1622 * appear last. 1623 */ 1624 if (s->options & SSL_OP_TLSEXT_PADDING) { 1625 int hlen = ret - (unsigned char *)s->init_buf->data; 1626 /* 1627 * The code in s23_clnt.c to build ClientHello messages includes the 1628 * 5-byte record header in the buffer, while the code in s3_clnt.c 1629 * does not. 1630 */ 1631 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 1632 hlen -= 5; 1633 if (hlen > 0xff && hlen < 0x200) { 1634 hlen = 0x200 - hlen; 1635 if (hlen >= 4) 1636 hlen -= 4; 1637 else 1638 hlen = 0; 1639 1640 /*- 1641 * check for enough space. Strictly speaking we know we've already 1642 * got enough space because to get here the message size is < 0x200, 1643 * but we know that we've allocated far more than that in the buffer 1644 * - but for consistency and robustness we're going to check anyway. 1645 * 1646 * 4 bytes for the padding type and extension length 1647 * + padding length 1648 */ 1649 if (CHECKLEN(ret, 4 + hlen, limit)) 1650 return NULL; 1651 s2n(TLSEXT_TYPE_padding, ret); 1652 s2n(hlen, ret); 1653 memset(ret, 0, hlen); 1654 ret += hlen; 1655 } 1656 } 1657 1658 if ((extdatalen = ret - orig - 2) == 0) 1659 return orig; 1660 1661 s2n(extdatalen, orig); 1662 return ret; 1663 } 1664 1665 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, 1666 unsigned char *limit, int *al) 1667 { 1668 int extdatalen = 0; 1669 unsigned char *orig = buf; 1670 unsigned char *ret = buf; 1671 # ifndef OPENSSL_NO_NEXTPROTONEG 1672 int next_proto_neg_seen; 1673 # endif 1674 # ifndef OPENSSL_NO_EC 1675 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1676 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1677 int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 1678 || (alg_a & SSL_aECDSA); 1679 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1680 # endif 1681 /* 1682 * don't add extensions for SSLv3, unless doing secure renegotiation 1683 */ 1684 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 1685 return orig; 1686 1687 ret += 2; 1688 if (ret >= limit) 1689 return NULL; /* this really never occurs, but ... */ 1690 1691 if (!s->hit && s->servername_done == 1 1692 && s->session->tlsext_hostname != NULL) { 1693 if ((long)(limit - ret - 4) < 0) 1694 return NULL; 1695 1696 s2n(TLSEXT_TYPE_server_name, ret); 1697 s2n(0, ret); 1698 } 1699 1700 if (s->s3->send_connection_binding) { 1701 int el; 1702 1703 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 1704 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1705 return NULL; 1706 } 1707 1708 /*- 1709 * check for enough space. 1710 * 4 bytes for the reneg type and extension length 1711 * + reneg data length 1712 */ 1713 if (CHECKLEN(ret, 4 + el, limit)) 1714 return NULL; 1715 1716 s2n(TLSEXT_TYPE_renegotiate, ret); 1717 s2n(el, ret); 1718 1719 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1720 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1721 return NULL; 1722 } 1723 1724 ret += el; 1725 } 1726 # ifndef OPENSSL_NO_EC 1727 if (using_ecc) { 1728 const unsigned char *plist; 1729 size_t plistlen; 1730 /* 1731 * Add TLS extension ECPointFormats to the ServerHello message 1732 */ 1733 1734 tls1_get_formatlist(s, &plist, &plistlen); 1735 1736 if (plistlen > 255) { 1737 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1738 return NULL; 1739 } 1740 1741 /*- 1742 * check for enough space. 1743 * 4 bytes for the ec points format type and extension length 1744 * 1 byte for the points format list length 1745 * + length of points format list 1746 */ 1747 if (CHECKLEN(ret, 5 + plistlen, limit)) 1748 return NULL; 1749 1750 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1751 s2n(plistlen + 1, ret); 1752 *(ret++) = (unsigned char)plistlen; 1753 memcpy(ret, plist, plistlen); 1754 ret += plistlen; 1755 1756 } 1757 /* 1758 * Currently the server should not respond with a SupportedCurves 1759 * extension 1760 */ 1761 # endif /* OPENSSL_NO_EC */ 1762 1763 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1764 /*- 1765 * check for enough space. 1766 * 4 bytes for the Ticket type and extension length 1767 */ 1768 if (CHECKLEN(ret, 4, limit)) 1769 return NULL; 1770 s2n(TLSEXT_TYPE_session_ticket, ret); 1771 s2n(0, ret); 1772 } 1773 1774 if (s->tlsext_status_expected) { 1775 /*- 1776 * check for enough space. 1777 * 4 bytes for the Status request type and extension length 1778 */ 1779 if (CHECKLEN(ret, 4, limit)) 1780 return NULL; 1781 s2n(TLSEXT_TYPE_status_request, ret); 1782 s2n(0, ret); 1783 } 1784 # ifdef TLSEXT_TYPE_opaque_prf_input 1785 if (s->s3->server_opaque_prf_input != NULL) { 1786 size_t sol = s->s3->server_opaque_prf_input_len; 1787 1788 if ((long)(limit - ret - 6 - sol) < 0) 1789 return NULL; 1790 if (sol > 0xFFFD) /* can't happen */ 1791 return NULL; 1792 1793 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 1794 s2n(sol + 2, ret); 1795 s2n(sol, ret); 1796 memcpy(ret, s->s3->server_opaque_prf_input, sol); 1797 ret += sol; 1798 } 1799 # endif 1800 1801 # ifndef OPENSSL_NO_SRTP 1802 if (SSL_IS_DTLS(s) && s->srtp_profile) { 1803 int el; 1804 1805 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1806 1807 /*- 1808 * check for enough space. 1809 * 4 bytes for the SRTP profiles type and extension length 1810 * + length of the SRTP profiles list 1811 */ 1812 if (CHECKLEN(ret, 4 + el, limit)) 1813 return NULL; 1814 1815 s2n(TLSEXT_TYPE_use_srtp, ret); 1816 s2n(el, ret); 1817 1818 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1819 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 1820 return NULL; 1821 } 1822 ret += el; 1823 } 1824 # endif 1825 1826 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 1827 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 1828 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 1829 const unsigned char cryptopro_ext[36] = { 1830 0xfd, 0xe8, /* 65000 */ 1831 0x00, 0x20, /* 32 bytes length */ 1832 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1833 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1834 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1835 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1836 }; 1837 1838 /* check for enough space. */ 1839 if (CHECKLEN(ret, sizeof(cryptopro_ext), limit)) 1840 return NULL; 1841 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); 1842 ret += sizeof(cryptopro_ext); 1843 1844 } 1845 # ifndef OPENSSL_NO_HEARTBEATS 1846 /* Add Heartbeat extension if we've received one */ 1847 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { 1848 /*- 1849 * check for enough space. 1850 * 4 bytes for the Heartbeat type and extension length 1851 * 1 byte for the mode 1852 */ 1853 if (CHECKLEN(ret, 5, limit)) 1854 return NULL; 1855 s2n(TLSEXT_TYPE_heartbeat, ret); 1856 s2n(1, ret); 1857 /*- 1858 * Set mode: 1859 * 1: peer may send requests 1860 * 2: peer not allowed to send requests 1861 */ 1862 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 1863 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1864 else 1865 *(ret++) = SSL_TLSEXT_HB_ENABLED; 1866 1867 } 1868 # endif 1869 1870 # ifndef OPENSSL_NO_NEXTPROTONEG 1871 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1872 s->s3->next_proto_neg_seen = 0; 1873 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1874 const unsigned char *npa; 1875 unsigned int npalen; 1876 int r; 1877 1878 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 1879 s-> 1880 ctx->next_protos_advertised_cb_arg); 1881 if (r == SSL_TLSEXT_ERR_OK) { 1882 /*- 1883 * check for enough space. 1884 * 4 bytes for the NPN type and extension length 1885 * + length of protocols list 1886 */ 1887 if (CHECKLEN(ret, 4 + npalen, limit)) 1888 return NULL; 1889 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1890 s2n(npalen, ret); 1891 memcpy(ret, npa, npalen); 1892 ret += npalen; 1893 s->s3->next_proto_neg_seen = 1; 1894 } 1895 } 1896 # endif 1897 if (!custom_ext_add(s, 1, &ret, limit, al)) 1898 return NULL; 1899 1900 if (s->s3->alpn_selected) { 1901 const unsigned char *selected = s->s3->alpn_selected; 1902 size_t len = s->s3->alpn_selected_len; 1903 1904 /*- 1905 * check for enough space. 1906 * 4 bytes for the ALPN type and extension length 1907 * 2 bytes for ALPN data length 1908 * 1 byte for selected protocol length 1909 * + length of the selected protocol 1910 */ 1911 if (CHECKLEN(ret, 7 + len, limit)) 1912 return NULL; 1913 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1914 s2n(3 + len, ret); 1915 s2n(1 + len, ret); 1916 *ret++ = len; 1917 memcpy(ret, selected, len); 1918 ret += len; 1919 } 1920 1921 if ((extdatalen = ret - orig - 2) == 0) 1922 return orig; 1923 1924 s2n(extdatalen, orig); 1925 return ret; 1926 } 1927 1928 # ifndef OPENSSL_NO_EC 1929 /*- 1930 * ssl_check_for_safari attempts to fingerprint Safari using OS X 1931 * SecureTransport using the TLS extension block in |d|, of length |n|. 1932 * Safari, since 10.6, sends exactly these extensions, in this order: 1933 * SNI, 1934 * elliptic_curves 1935 * ec_point_formats 1936 * 1937 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 1938 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 1939 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 1940 * 10.8..10.8.3 (which don't work). 1941 */ 1942 static void ssl_check_for_safari(SSL *s, const unsigned char *data, 1943 const unsigned char *limit) 1944 { 1945 unsigned short type, size; 1946 static const unsigned char kSafariExtensionsBlock[] = { 1947 0x00, 0x0a, /* elliptic_curves extension */ 1948 0x00, 0x08, /* 8 bytes */ 1949 0x00, 0x06, /* 6 bytes of curve ids */ 1950 0x00, 0x17, /* P-256 */ 1951 0x00, 0x18, /* P-384 */ 1952 0x00, 0x19, /* P-521 */ 1953 1954 0x00, 0x0b, /* ec_point_formats */ 1955 0x00, 0x02, /* 2 bytes */ 1956 0x01, /* 1 point format */ 1957 0x00, /* uncompressed */ 1958 }; 1959 1960 /* The following is only present in TLS 1.2 */ 1961 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 1962 0x00, 0x0d, /* signature_algorithms */ 1963 0x00, 0x0c, /* 12 bytes */ 1964 0x00, 0x0a, /* 10 bytes */ 1965 0x05, 0x01, /* SHA-384/RSA */ 1966 0x04, 0x01, /* SHA-256/RSA */ 1967 0x02, 0x01, /* SHA-1/RSA */ 1968 0x04, 0x03, /* SHA-256/ECDSA */ 1969 0x02, 0x03, /* SHA-1/ECDSA */ 1970 }; 1971 1972 if (limit - data <= 2) 1973 return; 1974 data += 2; 1975 1976 if (limit - data < 4) 1977 return; 1978 n2s(data, type); 1979 n2s(data, size); 1980 1981 if (type != TLSEXT_TYPE_server_name) 1982 return; 1983 1984 if (limit - data < size) 1985 return; 1986 data += size; 1987 1988 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 1989 const size_t len1 = sizeof(kSafariExtensionsBlock); 1990 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 1991 1992 if (limit - data != (int)(len1 + len2)) 1993 return; 1994 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 1995 return; 1996 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 1997 return; 1998 } else { 1999 const size_t len = sizeof(kSafariExtensionsBlock); 2000 2001 if (limit - data != (int)(len)) 2002 return; 2003 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 2004 return; 2005 } 2006 2007 s->s3->is_probably_safari = 1; 2008 } 2009 # endif /* !OPENSSL_NO_EC */ 2010 2011 /* 2012 * tls1_alpn_handle_client_hello is called to save the ALPN extension in a 2013 * ClientHello. data: the contents of the extension, not including the type 2014 * and length. data_len: the number of bytes in |data| al: a pointer to the 2015 * alert value to send in the event of a non-zero return. returns: 0 on 2016 * success. 2017 */ 2018 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 2019 unsigned data_len, int *al) 2020 { 2021 unsigned i; 2022 unsigned proto_len; 2023 2024 if (data_len < 2) 2025 goto parse_error; 2026 2027 /* 2028 * data should contain a uint16 length followed by a series of 8-bit, 2029 * length-prefixed strings. 2030 */ 2031 i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]); 2032 data_len -= 2; 2033 data += 2; 2034 if (data_len != i) 2035 goto parse_error; 2036 2037 if (data_len < 2) 2038 goto parse_error; 2039 2040 for (i = 0; i < data_len;) { 2041 proto_len = data[i]; 2042 i++; 2043 2044 if (proto_len == 0) 2045 goto parse_error; 2046 2047 if (i + proto_len < i || i + proto_len > data_len) 2048 goto parse_error; 2049 2050 i += proto_len; 2051 } 2052 2053 if (s->cert->alpn_proposed != NULL) 2054 OPENSSL_free(s->cert->alpn_proposed); 2055 s->cert->alpn_proposed = OPENSSL_malloc(data_len); 2056 if (s->cert->alpn_proposed == NULL) { 2057 *al = SSL_AD_INTERNAL_ERROR; 2058 return -1; 2059 } 2060 memcpy(s->cert->alpn_proposed, data, data_len); 2061 s->cert->alpn_proposed_len = data_len; 2062 return 0; 2063 2064 parse_error: 2065 *al = SSL_AD_DECODE_ERROR; 2066 return -1; 2067 } 2068 2069 /* 2070 * Process the ALPN extension in a ClientHello. 2071 * al: a pointer to the alert value to send in the event of a failure. 2072 * returns 1 on success, 0 on failure: al set only on failure 2073 */ 2074 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al) 2075 { 2076 const unsigned char *selected = NULL; 2077 unsigned char selected_len = 0; 2078 2079 if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) { 2080 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 2081 s->cert->alpn_proposed, 2082 s->cert->alpn_proposed_len, 2083 s->ctx->alpn_select_cb_arg); 2084 2085 if (r == SSL_TLSEXT_ERR_OK) { 2086 OPENSSL_free(s->s3->alpn_selected); 2087 s->s3->alpn_selected = OPENSSL_malloc(selected_len); 2088 if (s->s3->alpn_selected == NULL) { 2089 *al = SSL_AD_INTERNAL_ERROR; 2090 return 0; 2091 } 2092 memcpy(s->s3->alpn_selected, selected, selected_len); 2093 s->s3->alpn_selected_len = selected_len; 2094 # ifndef OPENSSL_NO_NEXTPROTONEG 2095 /* ALPN takes precedence over NPN. */ 2096 s->s3->next_proto_neg_seen = 0; 2097 # endif 2098 } 2099 } 2100 2101 return 1; 2102 } 2103 2104 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, 2105 unsigned char *limit, int *al) 2106 { 2107 unsigned short type; 2108 unsigned short size; 2109 unsigned short len; 2110 unsigned char *data = *p; 2111 int renegotiate_seen = 0; 2112 2113 s->servername_done = 0; 2114 s->tlsext_status_type = -1; 2115 # ifndef OPENSSL_NO_NEXTPROTONEG 2116 s->s3->next_proto_neg_seen = 0; 2117 # endif 2118 2119 if (s->s3->alpn_selected) { 2120 OPENSSL_free(s->s3->alpn_selected); 2121 s->s3->alpn_selected = NULL; 2122 } 2123 s->s3->alpn_selected_len = 0; 2124 if (s->cert->alpn_proposed) { 2125 OPENSSL_free(s->cert->alpn_proposed); 2126 s->cert->alpn_proposed = NULL; 2127 } 2128 s->cert->alpn_proposed_len = 0; 2129 # ifndef OPENSSL_NO_HEARTBEATS 2130 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 2131 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 2132 # endif 2133 2134 # ifndef OPENSSL_NO_EC 2135 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 2136 ssl_check_for_safari(s, data, limit); 2137 # endif /* !OPENSSL_NO_EC */ 2138 2139 /* Clear any signature algorithms extension received */ 2140 if (s->cert->peer_sigalgs) { 2141 OPENSSL_free(s->cert->peer_sigalgs); 2142 s->cert->peer_sigalgs = NULL; 2143 } 2144 # ifndef OPENSSL_NO_SRP 2145 if (s->srp_ctx.login != NULL) { 2146 OPENSSL_free(s->srp_ctx.login); 2147 s->srp_ctx.login = NULL; 2148 } 2149 # endif 2150 2151 s->srtp_profile = NULL; 2152 2153 if (data == limit) 2154 goto ri_check; 2155 2156 if (limit - data < 2) 2157 goto err; 2158 2159 n2s(data, len); 2160 2161 if (limit - data != len) 2162 goto err; 2163 2164 while (limit - data >= 4) { 2165 n2s(data, type); 2166 n2s(data, size); 2167 2168 if (limit - data < size) 2169 goto err; 2170 # if 0 2171 fprintf(stderr, "Received extension type %d size %d\n", type, size); 2172 # endif 2173 if (s->tlsext_debug_cb) 2174 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); 2175 /*- 2176 * The servername extension is treated as follows: 2177 * 2178 * - Only the hostname type is supported with a maximum length of 255. 2179 * - The servername is rejected if too long or if it contains zeros, 2180 * in which case an fatal alert is generated. 2181 * - The servername field is maintained together with the session cache. 2182 * - When a session is resumed, the servername call back invoked in order 2183 * to allow the application to position itself to the right context. 2184 * - The servername is acknowledged if it is new for a session or when 2185 * it is identical to a previously used for the same session. 2186 * Applications can control the behaviour. They can at any time 2187 * set a 'desirable' servername for a new SSL object. This can be the 2188 * case for example with HTTPS when a Host: header field is received and 2189 * a renegotiation is requested. In this case, a possible servername 2190 * presented in the new client hello is only acknowledged if it matches 2191 * the value of the Host: field. 2192 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 2193 * if they provide for changing an explicit servername context for the 2194 * session, i.e. when the session has been established with a servername 2195 * extension. 2196 * - On session reconnect, the servername extension may be absent. 2197 * 2198 */ 2199 2200 if (type == TLSEXT_TYPE_server_name) { 2201 unsigned char *sdata; 2202 int servname_type; 2203 int dsize; 2204 2205 if (size < 2) 2206 goto err; 2207 n2s(data, dsize); 2208 size -= 2; 2209 if (dsize > size) 2210 goto err; 2211 2212 sdata = data; 2213 while (dsize > 3) { 2214 servname_type = *(sdata++); 2215 n2s(sdata, len); 2216 dsize -= 3; 2217 2218 if (len > dsize) 2219 goto err; 2220 2221 if (s->servername_done == 0) 2222 switch (servname_type) { 2223 case TLSEXT_NAMETYPE_host_name: 2224 if (!s->hit) { 2225 if (s->session->tlsext_hostname) 2226 goto err; 2227 2228 if (len > TLSEXT_MAXLEN_host_name) { 2229 *al = TLS1_AD_UNRECOGNIZED_NAME; 2230 return 0; 2231 } 2232 if ((s->session->tlsext_hostname = 2233 OPENSSL_malloc(len + 1)) == NULL) { 2234 *al = TLS1_AD_INTERNAL_ERROR; 2235 return 0; 2236 } 2237 memcpy(s->session->tlsext_hostname, sdata, len); 2238 s->session->tlsext_hostname[len] = '\0'; 2239 if (strlen(s->session->tlsext_hostname) != len) { 2240 OPENSSL_free(s->session->tlsext_hostname); 2241 s->session->tlsext_hostname = NULL; 2242 *al = TLS1_AD_UNRECOGNIZED_NAME; 2243 return 0; 2244 } 2245 s->servername_done = 1; 2246 2247 } else 2248 s->servername_done = s->session->tlsext_hostname 2249 && strlen(s->session->tlsext_hostname) == len 2250 && strncmp(s->session->tlsext_hostname, 2251 (char *)sdata, len) == 0; 2252 2253 break; 2254 2255 default: 2256 break; 2257 } 2258 2259 dsize -= len; 2260 } 2261 if (dsize != 0) 2262 goto err; 2263 2264 } 2265 # ifndef OPENSSL_NO_SRP 2266 else if (type == TLSEXT_TYPE_srp) { 2267 if (size == 0 || ((len = data[0])) != (size - 1)) 2268 goto err; 2269 if (s->srp_ctx.login != NULL) 2270 goto err; 2271 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) 2272 return -1; 2273 memcpy(s->srp_ctx.login, &data[1], len); 2274 s->srp_ctx.login[len] = '\0'; 2275 2276 if (strlen(s->srp_ctx.login) != len) 2277 goto err; 2278 } 2279 # endif 2280 2281 # ifndef OPENSSL_NO_EC 2282 else if (type == TLSEXT_TYPE_ec_point_formats) { 2283 unsigned char *sdata = data; 2284 int ecpointformatlist_length = *(sdata++); 2285 2286 if (ecpointformatlist_length != size - 1 || 2287 ecpointformatlist_length < 1) 2288 goto err; 2289 if (!s->hit) { 2290 if (s->session->tlsext_ecpointformatlist) { 2291 OPENSSL_free(s->session->tlsext_ecpointformatlist); 2292 s->session->tlsext_ecpointformatlist = NULL; 2293 } 2294 s->session->tlsext_ecpointformatlist_length = 0; 2295 if ((s->session->tlsext_ecpointformatlist = 2296 OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 2297 *al = TLS1_AD_INTERNAL_ERROR; 2298 return 0; 2299 } 2300 s->session->tlsext_ecpointformatlist_length = 2301 ecpointformatlist_length; 2302 memcpy(s->session->tlsext_ecpointformatlist, sdata, 2303 ecpointformatlist_length); 2304 } 2305 # if 0 2306 fprintf(stderr, 2307 "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", 2308 s->session->tlsext_ecpointformatlist_length); 2309 sdata = s->session->tlsext_ecpointformatlist; 2310 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 2311 fprintf(stderr, "%i ", *(sdata++)); 2312 fprintf(stderr, "\n"); 2313 # endif 2314 } else if (type == TLSEXT_TYPE_elliptic_curves) { 2315 unsigned char *sdata = data; 2316 int ellipticcurvelist_length = (*(sdata++) << 8); 2317 ellipticcurvelist_length += (*(sdata++)); 2318 2319 if (ellipticcurvelist_length != size - 2 || 2320 ellipticcurvelist_length < 1 || 2321 /* Each NamedCurve is 2 bytes. */ 2322 ellipticcurvelist_length & 1) 2323 goto err; 2324 2325 if (!s->hit) { 2326 if (s->session->tlsext_ellipticcurvelist) 2327 goto err; 2328 2329 s->session->tlsext_ellipticcurvelist_length = 0; 2330 if ((s->session->tlsext_ellipticcurvelist = 2331 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { 2332 *al = TLS1_AD_INTERNAL_ERROR; 2333 return 0; 2334 } 2335 s->session->tlsext_ellipticcurvelist_length = 2336 ellipticcurvelist_length; 2337 memcpy(s->session->tlsext_ellipticcurvelist, sdata, 2338 ellipticcurvelist_length); 2339 } 2340 # if 0 2341 fprintf(stderr, 2342 "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", 2343 s->session->tlsext_ellipticcurvelist_length); 2344 sdata = s->session->tlsext_ellipticcurvelist; 2345 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 2346 fprintf(stderr, "%i ", *(sdata++)); 2347 fprintf(stderr, "\n"); 2348 # endif 2349 } 2350 # endif /* OPENSSL_NO_EC */ 2351 # ifdef TLSEXT_TYPE_opaque_prf_input 2352 else if (type == TLSEXT_TYPE_opaque_prf_input) { 2353 unsigned char *sdata = data; 2354 2355 if (size < 2) { 2356 *al = SSL_AD_DECODE_ERROR; 2357 return 0; 2358 } 2359 n2s(sdata, s->s3->client_opaque_prf_input_len); 2360 if (s->s3->client_opaque_prf_input_len != size - 2) { 2361 *al = SSL_AD_DECODE_ERROR; 2362 return 0; 2363 } 2364 2365 if (s->s3->client_opaque_prf_input != NULL) { 2366 /* shouldn't really happen */ 2367 OPENSSL_free(s->s3->client_opaque_prf_input); 2368 } 2369 2370 /* dummy byte just to get non-NULL */ 2371 if (s->s3->client_opaque_prf_input_len == 0) 2372 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 2373 else 2374 s->s3->client_opaque_prf_input = 2375 BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 2376 if (s->s3->client_opaque_prf_input == NULL) { 2377 *al = TLS1_AD_INTERNAL_ERROR; 2378 return 0; 2379 } 2380 } 2381 # endif 2382 else if (type == TLSEXT_TYPE_session_ticket) { 2383 if (s->tls_session_ticket_ext_cb && 2384 !s->tls_session_ticket_ext_cb(s, data, size, 2385 s->tls_session_ticket_ext_cb_arg)) 2386 { 2387 *al = TLS1_AD_INTERNAL_ERROR; 2388 return 0; 2389 } 2390 } else if (type == TLSEXT_TYPE_renegotiate) { 2391 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 2392 return 0; 2393 renegotiate_seen = 1; 2394 } else if (type == TLSEXT_TYPE_signature_algorithms) { 2395 int dsize; 2396 if (s->cert->peer_sigalgs || size < 2) 2397 goto err; 2398 n2s(data, dsize); 2399 size -= 2; 2400 if (dsize != size || dsize & 1 || !dsize) 2401 goto err; 2402 if (!tls1_save_sigalgs(s, data, dsize)) 2403 goto err; 2404 } else if (type == TLSEXT_TYPE_status_request) { 2405 2406 if (size < 5) 2407 goto err; 2408 2409 s->tlsext_status_type = *data++; 2410 size--; 2411 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 2412 const unsigned char *sdata; 2413 int dsize; 2414 /* Read in responder_id_list */ 2415 n2s(data, dsize); 2416 size -= 2; 2417 if (dsize > size) 2418 goto err; 2419 2420 /* 2421 * We remove any OCSP_RESPIDs from a previous handshake 2422 * to prevent unbounded memory growth - CVE-2016-6304 2423 */ 2424 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 2425 OCSP_RESPID_free); 2426 if (dsize > 0) { 2427 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 2428 if (s->tlsext_ocsp_ids == NULL) { 2429 *al = SSL_AD_INTERNAL_ERROR; 2430 return 0; 2431 } 2432 } else { 2433 s->tlsext_ocsp_ids = NULL; 2434 } 2435 2436 while (dsize > 0) { 2437 OCSP_RESPID *id; 2438 int idsize; 2439 if (dsize < 4) 2440 goto err; 2441 n2s(data, idsize); 2442 dsize -= 2 + idsize; 2443 size -= 2 + idsize; 2444 if (dsize < 0) 2445 goto err; 2446 sdata = data; 2447 data += idsize; 2448 id = d2i_OCSP_RESPID(NULL, &sdata, idsize); 2449 if (!id) 2450 goto err; 2451 if (data != sdata) { 2452 OCSP_RESPID_free(id); 2453 goto err; 2454 } 2455 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 2456 OCSP_RESPID_free(id); 2457 *al = SSL_AD_INTERNAL_ERROR; 2458 return 0; 2459 } 2460 } 2461 2462 /* Read in request_extensions */ 2463 if (size < 2) 2464 goto err; 2465 n2s(data, dsize); 2466 size -= 2; 2467 if (dsize != size) 2468 goto err; 2469 sdata = data; 2470 if (dsize > 0) { 2471 if (s->tlsext_ocsp_exts) { 2472 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 2473 X509_EXTENSION_free); 2474 } 2475 2476 s->tlsext_ocsp_exts = 2477 d2i_X509_EXTENSIONS(NULL, &sdata, dsize); 2478 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) 2479 goto err; 2480 } 2481 } 2482 /* 2483 * We don't know what to do with any other type * so ignore it. 2484 */ 2485 else 2486 s->tlsext_status_type = -1; 2487 } 2488 # ifndef OPENSSL_NO_HEARTBEATS 2489 else if (type == TLSEXT_TYPE_heartbeat) { 2490 switch (data[0]) { 2491 case 0x01: /* Client allows us to send HB requests */ 2492 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 2493 break; 2494 case 0x02: /* Client doesn't accept HB requests */ 2495 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 2496 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 2497 break; 2498 default: 2499 *al = SSL_AD_ILLEGAL_PARAMETER; 2500 return 0; 2501 } 2502 } 2503 # endif 2504 # ifndef OPENSSL_NO_NEXTPROTONEG 2505 else if (type == TLSEXT_TYPE_next_proto_neg && 2506 s->s3->tmp.finish_md_len == 0) { 2507 /*- 2508 * We shouldn't accept this extension on a 2509 * renegotiation. 2510 * 2511 * s->new_session will be set on renegotiation, but we 2512 * probably shouldn't rely that it couldn't be set on 2513 * the initial renegotation too in certain cases (when 2514 * there's some other reason to disallow resuming an 2515 * earlier session -- the current code won't be doing 2516 * anything like that, but this might change). 2517 * 2518 * A valid sign that there's been a previous handshake 2519 * in this connection is if s->s3->tmp.finish_md_len > 2520 * 0. (We are talking about a check that will happen 2521 * in the Hello protocol round, well before a new 2522 * Finished message could have been computed.) 2523 */ 2524 s->s3->next_proto_neg_seen = 1; 2525 } 2526 # endif 2527 2528 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && 2529 s->s3->tmp.finish_md_len == 0) { 2530 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) 2531 return 0; 2532 } 2533 2534 /* session ticket processed earlier */ 2535 # ifndef OPENSSL_NO_SRTP 2536 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 2537 && type == TLSEXT_TYPE_use_srtp) { 2538 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 2539 return 0; 2540 } 2541 # endif 2542 2543 data += size; 2544 } 2545 2546 /* Spurious data on the end */ 2547 if (data != limit) 2548 goto err; 2549 2550 *p = data; 2551 2552 ri_check: 2553 2554 /* Need RI if renegotiating */ 2555 2556 if (!renegotiate_seen && s->renegotiate && 2557 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 2558 *al = SSL_AD_HANDSHAKE_FAILURE; 2559 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 2560 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 2561 return 0; 2562 } 2563 2564 return 1; 2565 err: 2566 *al = SSL_AD_DECODE_ERROR; 2567 return 0; 2568 } 2569 2570 /* 2571 * Parse any custom extensions found. "data" is the start of the extension data 2572 * and "limit" is the end of the record. TODO: add strict syntax checking. 2573 */ 2574 2575 static int ssl_scan_clienthello_custom_tlsext(SSL *s, 2576 const unsigned char *data, 2577 const unsigned char *limit, 2578 int *al) 2579 { 2580 unsigned short type, size, len; 2581 /* If resumed session or no custom extensions nothing to do */ 2582 if (s->hit || s->cert->srv_ext.meths_count == 0) 2583 return 1; 2584 2585 if (limit - data <= 2) 2586 return 1; 2587 n2s(data, len); 2588 2589 if (limit - data < len) 2590 return 1; 2591 2592 while (limit - data >= 4) { 2593 n2s(data, type); 2594 n2s(data, size); 2595 2596 if (limit - data < size) 2597 return 1; 2598 if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) 2599 return 0; 2600 2601 data += size; 2602 } 2603 2604 return 1; 2605 } 2606 2607 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, 2608 unsigned char *limit) 2609 { 2610 int al = -1; 2611 unsigned char *ptmp = *p; 2612 /* 2613 * Internally supported extensions are parsed first so SNI can be handled 2614 * before custom extensions. An application processing SNI will typically 2615 * switch the parent context using SSL_set_SSL_CTX and custom extensions 2616 * need to be handled by the new SSL_CTX structure. 2617 */ 2618 if (ssl_scan_clienthello_tlsext(s, p, limit, &al) <= 0) { 2619 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2620 return 0; 2621 } 2622 2623 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 2624 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT); 2625 return 0; 2626 } 2627 2628 custom_ext_init(&s->cert->srv_ext); 2629 if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) { 2630 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2631 return 0; 2632 } 2633 2634 return 1; 2635 } 2636 2637 # ifndef OPENSSL_NO_NEXTPROTONEG 2638 /* 2639 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 2640 * elements of zero length are allowed and the set of elements must exactly 2641 * fill the length of the block. 2642 */ 2643 static char ssl_next_proto_validate(unsigned char *d, unsigned len) 2644 { 2645 unsigned int off = 0; 2646 2647 while (off < len) { 2648 if (d[off] == 0) 2649 return 0; 2650 off += d[off]; 2651 off++; 2652 } 2653 2654 return off == len; 2655 } 2656 # endif 2657 2658 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, 2659 unsigned char *d, int n, int *al) 2660 { 2661 unsigned short length; 2662 unsigned short type; 2663 unsigned short size; 2664 unsigned char *data = *p; 2665 int tlsext_servername = 0; 2666 int renegotiate_seen = 0; 2667 2668 # ifndef OPENSSL_NO_NEXTPROTONEG 2669 s->s3->next_proto_neg_seen = 0; 2670 # endif 2671 s->tlsext_ticket_expected = 0; 2672 2673 if (s->s3->alpn_selected) { 2674 OPENSSL_free(s->s3->alpn_selected); 2675 s->s3->alpn_selected = NULL; 2676 } 2677 # ifndef OPENSSL_NO_HEARTBEATS 2678 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 2679 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 2680 # endif 2681 2682 if ((d + n) - data <= 2) 2683 goto ri_check; 2684 2685 n2s(data, length); 2686 if ((d + n) - data != length) { 2687 *al = SSL_AD_DECODE_ERROR; 2688 return 0; 2689 } 2690 2691 while ((d + n) - data >= 4) { 2692 n2s(data, type); 2693 n2s(data, size); 2694 2695 if ((d + n) - data < size) 2696 goto ri_check; 2697 2698 if (s->tlsext_debug_cb) 2699 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 2700 2701 if (type == TLSEXT_TYPE_server_name) { 2702 if (s->tlsext_hostname == NULL || size > 0) { 2703 *al = TLS1_AD_UNRECOGNIZED_NAME; 2704 return 0; 2705 } 2706 tlsext_servername = 1; 2707 } 2708 # ifndef OPENSSL_NO_EC 2709 else if (type == TLSEXT_TYPE_ec_point_formats) { 2710 unsigned char *sdata = data; 2711 int ecpointformatlist_length = *(sdata++); 2712 2713 if (ecpointformatlist_length != size - 1) { 2714 *al = TLS1_AD_DECODE_ERROR; 2715 return 0; 2716 } 2717 if (!s->hit) { 2718 s->session->tlsext_ecpointformatlist_length = 0; 2719 if (s->session->tlsext_ecpointformatlist != NULL) 2720 OPENSSL_free(s->session->tlsext_ecpointformatlist); 2721 if ((s->session->tlsext_ecpointformatlist = 2722 OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 2723 *al = TLS1_AD_INTERNAL_ERROR; 2724 return 0; 2725 } 2726 s->session->tlsext_ecpointformatlist_length = 2727 ecpointformatlist_length; 2728 memcpy(s->session->tlsext_ecpointformatlist, sdata, 2729 ecpointformatlist_length); 2730 } 2731 # if 0 2732 fprintf(stderr, 2733 "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 2734 sdata = s->session->tlsext_ecpointformatlist; 2735 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 2736 fprintf(stderr, "%i ", *(sdata++)); 2737 fprintf(stderr, "\n"); 2738 # endif 2739 } 2740 # endif /* OPENSSL_NO_EC */ 2741 2742 else if (type == TLSEXT_TYPE_session_ticket) { 2743 if (s->tls_session_ticket_ext_cb && 2744 !s->tls_session_ticket_ext_cb(s, data, size, 2745 s->tls_session_ticket_ext_cb_arg)) 2746 { 2747 *al = TLS1_AD_INTERNAL_ERROR; 2748 return 0; 2749 } 2750 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 2751 || (size > 0)) { 2752 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2753 return 0; 2754 } 2755 s->tlsext_ticket_expected = 1; 2756 } 2757 # ifdef TLSEXT_TYPE_opaque_prf_input 2758 else if (type == TLSEXT_TYPE_opaque_prf_input) { 2759 unsigned char *sdata = data; 2760 2761 if (size < 2) { 2762 *al = SSL_AD_DECODE_ERROR; 2763 return 0; 2764 } 2765 n2s(sdata, s->s3->server_opaque_prf_input_len); 2766 if (s->s3->server_opaque_prf_input_len != size - 2) { 2767 *al = SSL_AD_DECODE_ERROR; 2768 return 0; 2769 } 2770 2771 if (s->s3->server_opaque_prf_input != NULL) { 2772 /* shouldn't really happen */ 2773 OPENSSL_free(s->s3->server_opaque_prf_input); 2774 } 2775 if (s->s3->server_opaque_prf_input_len == 0) { 2776 /* dummy byte just to get non-NULL */ 2777 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 2778 } else { 2779 s->s3->server_opaque_prf_input = 2780 BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 2781 } 2782 2783 if (s->s3->server_opaque_prf_input == NULL) { 2784 *al = TLS1_AD_INTERNAL_ERROR; 2785 return 0; 2786 } 2787 } 2788 # endif 2789 else if (type == TLSEXT_TYPE_status_request) { 2790 /* 2791 * MUST be empty and only sent if we've requested a status 2792 * request message. 2793 */ 2794 if ((s->tlsext_status_type == -1) || (size > 0)) { 2795 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2796 return 0; 2797 } 2798 /* Set flag to expect CertificateStatus message */ 2799 s->tlsext_status_expected = 1; 2800 } 2801 # ifndef OPENSSL_NO_NEXTPROTONEG 2802 else if (type == TLSEXT_TYPE_next_proto_neg && 2803 s->s3->tmp.finish_md_len == 0) { 2804 unsigned char *selected; 2805 unsigned char selected_len; 2806 2807 /* We must have requested it. */ 2808 if (s->ctx->next_proto_select_cb == NULL) { 2809 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2810 return 0; 2811 } 2812 /* The data must be valid */ 2813 if (!ssl_next_proto_validate(data, size)) { 2814 *al = TLS1_AD_DECODE_ERROR; 2815 return 0; 2816 } 2817 if (s-> 2818 ctx->next_proto_select_cb(s, &selected, &selected_len, data, 2819 size, 2820 s->ctx->next_proto_select_cb_arg) != 2821 SSL_TLSEXT_ERR_OK) { 2822 *al = TLS1_AD_INTERNAL_ERROR; 2823 return 0; 2824 } 2825 /* 2826 * Could be non-NULL if server has sent multiple NPN extensions in 2827 * a single Serverhello 2828 */ 2829 OPENSSL_free(s->next_proto_negotiated); 2830 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 2831 if (!s->next_proto_negotiated) { 2832 *al = TLS1_AD_INTERNAL_ERROR; 2833 return 0; 2834 } 2835 memcpy(s->next_proto_negotiated, selected, selected_len); 2836 s->next_proto_negotiated_len = selected_len; 2837 s->s3->next_proto_neg_seen = 1; 2838 } 2839 # endif 2840 2841 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { 2842 unsigned len; 2843 2844 /* We must have requested it. */ 2845 if (!s->cert->alpn_sent) { 2846 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 2847 return 0; 2848 } 2849 if (size < 4) { 2850 *al = TLS1_AD_DECODE_ERROR; 2851 return 0; 2852 } 2853 /*- 2854 * The extension data consists of: 2855 * uint16 list_length 2856 * uint8 proto_length; 2857 * uint8 proto[proto_length]; 2858 */ 2859 len = data[0]; 2860 len <<= 8; 2861 len |= data[1]; 2862 if (len != (unsigned)size - 2) { 2863 *al = TLS1_AD_DECODE_ERROR; 2864 return 0; 2865 } 2866 len = data[2]; 2867 if (len != (unsigned)size - 3) { 2868 *al = TLS1_AD_DECODE_ERROR; 2869 return 0; 2870 } 2871 if (s->s3->alpn_selected) 2872 OPENSSL_free(s->s3->alpn_selected); 2873 s->s3->alpn_selected = OPENSSL_malloc(len); 2874 if (!s->s3->alpn_selected) { 2875 *al = TLS1_AD_INTERNAL_ERROR; 2876 return 0; 2877 } 2878 memcpy(s->s3->alpn_selected, data + 3, len); 2879 s->s3->alpn_selected_len = len; 2880 } 2881 2882 else if (type == TLSEXT_TYPE_renegotiate) { 2883 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 2884 return 0; 2885 renegotiate_seen = 1; 2886 } 2887 # ifndef OPENSSL_NO_HEARTBEATS 2888 else if (type == TLSEXT_TYPE_heartbeat) { 2889 switch (data[0]) { 2890 case 0x01: /* Server allows us to send HB requests */ 2891 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 2892 break; 2893 case 0x02: /* Server doesn't accept HB requests */ 2894 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 2895 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 2896 break; 2897 default: 2898 *al = SSL_AD_ILLEGAL_PARAMETER; 2899 return 0; 2900 } 2901 } 2902 # endif 2903 # ifndef OPENSSL_NO_SRTP 2904 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 2905 if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) 2906 return 0; 2907 } 2908 # endif 2909 /* 2910 * If this extension type was not otherwise handled, but matches a 2911 * custom_cli_ext_record, then send it to the c callback 2912 */ 2913 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) 2914 return 0; 2915 2916 data += size; 2917 } 2918 2919 if (data != d + n) { 2920 *al = SSL_AD_DECODE_ERROR; 2921 return 0; 2922 } 2923 2924 if (!s->hit && tlsext_servername == 1) { 2925 if (s->tlsext_hostname) { 2926 if (s->session->tlsext_hostname == NULL) { 2927 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 2928 if (!s->session->tlsext_hostname) { 2929 *al = SSL_AD_UNRECOGNIZED_NAME; 2930 return 0; 2931 } 2932 } else { 2933 *al = SSL_AD_DECODE_ERROR; 2934 return 0; 2935 } 2936 } 2937 } 2938 2939 *p = data; 2940 2941 ri_check: 2942 2943 /* 2944 * Determine if we need to see RI. Strictly speaking if we want to avoid 2945 * an attack we should *always* see RI even on initial server hello 2946 * because the client doesn't see any renegotiation during an attack. 2947 * However this would mean we could not connect to any server which 2948 * doesn't support RI so for the immediate future tolerate RI absence on 2949 * initial connect only. 2950 */ 2951 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 2952 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 2953 *al = SSL_AD_HANDSHAKE_FAILURE; 2954 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 2955 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 2956 return 0; 2957 } 2958 2959 return 1; 2960 } 2961 2962 int ssl_prepare_clienthello_tlsext(SSL *s) 2963 { 2964 2965 # ifdef TLSEXT_TYPE_opaque_prf_input 2966 { 2967 int r = 1; 2968 2969 if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 2970 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 2971 s-> 2972 ctx->tlsext_opaque_prf_input_callback_arg); 2973 if (!r) 2974 return -1; 2975 } 2976 2977 if (s->tlsext_opaque_prf_input != NULL) { 2978 if (s->s3->client_opaque_prf_input != NULL) { 2979 /* shouldn't really happen */ 2980 OPENSSL_free(s->s3->client_opaque_prf_input); 2981 } 2982 2983 if (s->tlsext_opaque_prf_input_len == 0) { 2984 /* dummy byte just to get non-NULL */ 2985 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 2986 } else { 2987 s->s3->client_opaque_prf_input = 2988 BUF_memdup(s->tlsext_opaque_prf_input, 2989 s->tlsext_opaque_prf_input_len); 2990 } 2991 if (s->s3->client_opaque_prf_input == NULL) { 2992 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 2993 ERR_R_MALLOC_FAILURE); 2994 return -1; 2995 } 2996 s->s3->client_opaque_prf_input_len = 2997 s->tlsext_opaque_prf_input_len; 2998 } 2999 3000 if (r == 2) 3001 /* 3002 * at callback's request, insist on receiving an appropriate 3003 * server opaque PRF input 3004 */ 3005 s->s3->server_opaque_prf_input_len = 3006 s->tlsext_opaque_prf_input_len; 3007 } 3008 # endif 3009 3010 s->cert->alpn_sent = 0; 3011 return 1; 3012 } 3013 3014 int ssl_prepare_serverhello_tlsext(SSL *s) 3015 { 3016 return 1; 3017 } 3018 3019 static int ssl_check_clienthello_tlsext_early(SSL *s) 3020 { 3021 int ret = SSL_TLSEXT_ERR_NOACK; 3022 int al = SSL_AD_UNRECOGNIZED_NAME; 3023 3024 # ifndef OPENSSL_NO_EC 3025 /* 3026 * The handling of the ECPointFormats extension is done elsewhere, namely 3027 * in ssl3_choose_cipher in s3_lib.c. 3028 */ 3029 /* 3030 * The handling of the EllipticCurves extension is done elsewhere, namely 3031 * in ssl3_choose_cipher in s3_lib.c. 3032 */ 3033 # endif 3034 3035 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 3036 ret = 3037 s->ctx->tlsext_servername_callback(s, &al, 3038 s->ctx->tlsext_servername_arg); 3039 else if (s->initial_ctx != NULL 3040 && s->initial_ctx->tlsext_servername_callback != 0) 3041 ret = 3042 s->initial_ctx->tlsext_servername_callback(s, &al, 3043 s-> 3044 initial_ctx->tlsext_servername_arg); 3045 3046 # ifdef TLSEXT_TYPE_opaque_prf_input 3047 { 3048 /* 3049 * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we 3050 * might be sending an alert in response to the client hello, so this 3051 * has to happen here in ssl_check_clienthello_tlsext_early(). 3052 */ 3053 3054 int r = 1; 3055 3056 if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 3057 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 3058 s-> 3059 ctx->tlsext_opaque_prf_input_callback_arg); 3060 if (!r) { 3061 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3062 al = SSL_AD_INTERNAL_ERROR; 3063 goto err; 3064 } 3065 } 3066 3067 if (s->s3->server_opaque_prf_input != NULL) { 3068 /* shouldn't really happen */ 3069 OPENSSL_free(s->s3->server_opaque_prf_input); 3070 } 3071 s->s3->server_opaque_prf_input = NULL; 3072 3073 if (s->tlsext_opaque_prf_input != NULL) { 3074 if (s->s3->client_opaque_prf_input != NULL && 3075 s->s3->client_opaque_prf_input_len == 3076 s->tlsext_opaque_prf_input_len) { 3077 /* 3078 * can only use this extension if we have a server opaque PRF 3079 * input of the same length as the client opaque PRF input! 3080 */ 3081 3082 if (s->tlsext_opaque_prf_input_len == 0) { 3083 /* dummy byte just to get non-NULL */ 3084 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 3085 } else { 3086 s->s3->server_opaque_prf_input = 3087 BUF_memdup(s->tlsext_opaque_prf_input, 3088 s->tlsext_opaque_prf_input_len); 3089 } 3090 if (s->s3->server_opaque_prf_input == NULL) { 3091 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3092 al = SSL_AD_INTERNAL_ERROR; 3093 goto err; 3094 } 3095 s->s3->server_opaque_prf_input_len = 3096 s->tlsext_opaque_prf_input_len; 3097 } 3098 } 3099 3100 if (r == 2 && s->s3->server_opaque_prf_input == NULL) { 3101 /* 3102 * The callback wants to enforce use of the extension, but we 3103 * can't do that with the client opaque PRF input; abort the 3104 * handshake. 3105 */ 3106 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3107 al = SSL_AD_HANDSHAKE_FAILURE; 3108 } 3109 } 3110 3111 err: 3112 # endif 3113 switch (ret) { 3114 case SSL_TLSEXT_ERR_ALERT_FATAL: 3115 ssl3_send_alert(s, SSL3_AL_FATAL, al); 3116 return -1; 3117 3118 case SSL_TLSEXT_ERR_ALERT_WARNING: 3119 ssl3_send_alert(s, SSL3_AL_WARNING, al); 3120 return 1; 3121 3122 case SSL_TLSEXT_ERR_NOACK: 3123 s->servername_done = 0; 3124 default: 3125 return 1; 3126 } 3127 } 3128 3129 int tls1_set_server_sigalgs(SSL *s) 3130 { 3131 int al; 3132 size_t i; 3133 /* Clear any shared sigtnature algorithms */ 3134 if (s->cert->shared_sigalgs) { 3135 OPENSSL_free(s->cert->shared_sigalgs); 3136 s->cert->shared_sigalgs = NULL; 3137 s->cert->shared_sigalgslen = 0; 3138 } 3139 /* Clear certificate digests and validity flags */ 3140 for (i = 0; i < SSL_PKEY_NUM; i++) { 3141 s->cert->pkeys[i].digest = NULL; 3142 s->cert->pkeys[i].valid_flags = 0; 3143 } 3144 3145 /* If sigalgs received process it. */ 3146 if (s->cert->peer_sigalgs) { 3147 if (!tls1_process_sigalgs(s)) { 3148 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); 3149 al = SSL_AD_INTERNAL_ERROR; 3150 goto err; 3151 } 3152 /* Fatal error is no shared signature algorithms */ 3153 if (!s->cert->shared_sigalgs) { 3154 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, 3155 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); 3156 al = SSL_AD_ILLEGAL_PARAMETER; 3157 goto err; 3158 } 3159 } else 3160 ssl_cert_set_default_md(s->cert); 3161 return 1; 3162 err: 3163 ssl3_send_alert(s, SSL3_AL_FATAL, al); 3164 return 0; 3165 } 3166 3167 /* 3168 * Upon success, returns 1. 3169 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert. 3170 */ 3171 int ssl_check_clienthello_tlsext_late(SSL *s, int *al) 3172 { 3173 3174 /* 3175 * If status request then ask callback what to do. Note: this must be 3176 * called after servername callbacks in case the certificate has changed, 3177 * and must be called after the cipher has been chosen because this may 3178 * influence which certificate is sent 3179 */ 3180 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { 3181 int ret; 3182 CERT_PKEY *certpkey; 3183 certpkey = ssl_get_server_send_pkey(s); 3184 /* If no certificate can't return certificate status */ 3185 if (certpkey != NULL) { 3186 /* 3187 * Set current certificate to one we will use so SSL_get_certificate 3188 * et al can pick it up. 3189 */ 3190 s->cert->key = certpkey; 3191 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 3192 switch (ret) { 3193 /* We don't want to send a status request response */ 3194 case SSL_TLSEXT_ERR_NOACK: 3195 s->tlsext_status_expected = 0; 3196 break; 3197 /* status request response should be sent */ 3198 case SSL_TLSEXT_ERR_OK: 3199 if (s->tlsext_ocsp_resp) 3200 s->tlsext_status_expected = 1; 3201 break; 3202 /* something bad happened */ 3203 case SSL_TLSEXT_ERR_ALERT_FATAL: 3204 default: 3205 *al = SSL_AD_INTERNAL_ERROR; 3206 return 0; 3207 } 3208 } 3209 } 3210 3211 if (!tls1_alpn_handle_client_hello_late(s, al)) { 3212 return 0; 3213 } 3214 3215 return 1; 3216 } 3217 3218 int ssl_check_serverhello_tlsext(SSL *s) 3219 { 3220 int ret = SSL_TLSEXT_ERR_NOACK; 3221 int al = SSL_AD_UNRECOGNIZED_NAME; 3222 3223 # ifndef OPENSSL_NO_EC 3224 /* 3225 * If we are client and using an elliptic curve cryptography cipher 3226 * suite, then if server returns an EC point formats lists extension it 3227 * must contain uncompressed. 3228 */ 3229 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3230 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3231 if ((s->tlsext_ecpointformatlist != NULL) 3232 && (s->tlsext_ecpointformatlist_length > 0) 3233 && (s->session->tlsext_ecpointformatlist != NULL) 3234 && (s->session->tlsext_ecpointformatlist_length > 0) 3235 && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 3236 || (alg_a & SSL_aECDSA))) { 3237 /* we are using an ECC cipher */ 3238 size_t i; 3239 unsigned char *list; 3240 int found_uncompressed = 0; 3241 list = s->session->tlsext_ecpointformatlist; 3242 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 3243 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 3244 found_uncompressed = 1; 3245 break; 3246 } 3247 } 3248 if (!found_uncompressed) { 3249 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, 3250 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 3251 return -1; 3252 } 3253 } 3254 ret = SSL_TLSEXT_ERR_OK; 3255 # endif /* OPENSSL_NO_EC */ 3256 3257 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 3258 ret = 3259 s->ctx->tlsext_servername_callback(s, &al, 3260 s->ctx->tlsext_servername_arg); 3261 else if (s->initial_ctx != NULL 3262 && s->initial_ctx->tlsext_servername_callback != 0) 3263 ret = 3264 s->initial_ctx->tlsext_servername_callback(s, &al, 3265 s-> 3266 initial_ctx->tlsext_servername_arg); 3267 3268 # ifdef TLSEXT_TYPE_opaque_prf_input 3269 if (s->s3->server_opaque_prf_input_len > 0) { 3270 /* 3271 * This case may indicate that we, as a client, want to insist on 3272 * using opaque PRF inputs. So first verify that we really have a 3273 * value from the server too. 3274 */ 3275 3276 if (s->s3->server_opaque_prf_input == NULL) { 3277 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3278 al = SSL_AD_HANDSHAKE_FAILURE; 3279 } 3280 3281 /* 3282 * Anytime the server *has* sent an opaque PRF input, we need to 3283 * check that we have a client opaque PRF input of the same size. 3284 */ 3285 if (s->s3->client_opaque_prf_input == NULL || 3286 s->s3->client_opaque_prf_input_len != 3287 s->s3->server_opaque_prf_input_len) { 3288 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3289 al = SSL_AD_ILLEGAL_PARAMETER; 3290 } 3291 } 3292 # endif 3293 3294 OPENSSL_free(s->tlsext_ocsp_resp); 3295 s->tlsext_ocsp_resp = NULL; 3296 s->tlsext_ocsp_resplen = -1; 3297 /* 3298 * If we've requested certificate status and we wont get one tell the 3299 * callback 3300 */ 3301 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 3302 && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) { 3303 int r; 3304 /* 3305 * Call callback with resp == NULL and resplen == -1 so callback 3306 * knows there is no response 3307 */ 3308 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 3309 if (r == 0) { 3310 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 3311 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3312 } 3313 if (r < 0) { 3314 al = SSL_AD_INTERNAL_ERROR; 3315 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 3316 } 3317 } 3318 3319 switch (ret) { 3320 case SSL_TLSEXT_ERR_ALERT_FATAL: 3321 ssl3_send_alert(s, SSL3_AL_FATAL, al); 3322 return -1; 3323 3324 case SSL_TLSEXT_ERR_ALERT_WARNING: 3325 ssl3_send_alert(s, SSL3_AL_WARNING, al); 3326 return 1; 3327 3328 case SSL_TLSEXT_ERR_NOACK: 3329 s->servername_done = 0; 3330 default: 3331 return 1; 3332 } 3333 } 3334 3335 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 3336 int n) 3337 { 3338 int al = -1; 3339 if (s->version < SSL3_VERSION) 3340 return 1; 3341 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) { 3342 ssl3_send_alert(s, SSL3_AL_FATAL, al); 3343 return 0; 3344 } 3345 3346 if (ssl_check_serverhello_tlsext(s) <= 0) { 3347 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT); 3348 return 0; 3349 } 3350 return 1; 3351 } 3352 3353 /*- 3354 * Since the server cache lookup is done early on in the processing of the 3355 * ClientHello, and other operations depend on the result, we need to handle 3356 * any TLS session ticket extension at the same time. 3357 * 3358 * session_id: points at the session ID in the ClientHello. This code will 3359 * read past the end of this in order to parse out the session ticket 3360 * extension, if any. 3361 * len: the length of the session ID. 3362 * limit: a pointer to the first byte after the ClientHello. 3363 * ret: (output) on return, if a ticket was decrypted, then this is set to 3364 * point to the resulting session. 3365 * 3366 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 3367 * ciphersuite, in which case we have no use for session tickets and one will 3368 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 3369 * 3370 * Returns: 3371 * -1: fatal error, either from parsing or decrypting the ticket. 3372 * 0: no ticket was found (or was ignored, based on settings). 3373 * 1: a zero length extension was found, indicating that the client supports 3374 * session tickets but doesn't currently have one to offer. 3375 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 3376 * couldn't be decrypted because of a non-fatal error. 3377 * 3: a ticket was successfully decrypted and *ret was set. 3378 * 3379 * Side effects: 3380 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 3381 * a new session ticket to the client because the client indicated support 3382 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 3383 * a session ticket or we couldn't use the one it gave us, or if 3384 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 3385 * Otherwise, s->tlsext_ticket_expected is set to 0. 3386 */ 3387 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 3388 const unsigned char *limit, SSL_SESSION **ret) 3389 { 3390 /* Point after session ID in client hello */ 3391 const unsigned char *p = session_id + len; 3392 unsigned short i; 3393 3394 *ret = NULL; 3395 s->tlsext_ticket_expected = 0; 3396 3397 /* 3398 * If tickets disabled behave as if no ticket present to permit stateful 3399 * resumption. 3400 */ 3401 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 3402 return 0; 3403 if ((s->version <= SSL3_VERSION) || !limit) 3404 return 0; 3405 if (p >= limit) 3406 return -1; 3407 /* Skip past DTLS cookie */ 3408 if (SSL_IS_DTLS(s)) { 3409 i = *(p++); 3410 3411 if (limit - p <= i) 3412 return -1; 3413 3414 p += i; 3415 } 3416 /* Skip past cipher list */ 3417 n2s(p, i); 3418 if (limit - p <= i) 3419 return -1; 3420 p += i; 3421 3422 /* Skip past compression algorithm list */ 3423 i = *(p++); 3424 if (limit - p < i) 3425 return -1; 3426 p += i; 3427 3428 /* Now at start of extensions */ 3429 if (limit - p <= 2) 3430 return 0; 3431 n2s(p, i); 3432 while (limit - p >= 4) { 3433 unsigned short type, size; 3434 n2s(p, type); 3435 n2s(p, size); 3436 if (limit - p < size) 3437 return 0; 3438 if (type == TLSEXT_TYPE_session_ticket) { 3439 int r; 3440 if (size == 0) { 3441 /* 3442 * The client will accept a ticket but doesn't currently have 3443 * one. 3444 */ 3445 s->tlsext_ticket_expected = 1; 3446 return 1; 3447 } 3448 if (s->tls_session_secret_cb) { 3449 /* 3450 * Indicate that the ticket couldn't be decrypted rather than 3451 * generating the session from ticket now, trigger 3452 * abbreviated handshake based on external mechanism to 3453 * calculate the master secret later. 3454 */ 3455 return 2; 3456 } 3457 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 3458 switch (r) { 3459 case 2: /* ticket couldn't be decrypted */ 3460 s->tlsext_ticket_expected = 1; 3461 return 2; 3462 case 3: /* ticket was decrypted */ 3463 return r; 3464 case 4: /* ticket decrypted but need to renew */ 3465 s->tlsext_ticket_expected = 1; 3466 return 3; 3467 default: /* fatal error */ 3468 return -1; 3469 } 3470 } 3471 p += size; 3472 } 3473 return 0; 3474 } 3475 3476 /*- 3477 * tls_decrypt_ticket attempts to decrypt a session ticket. 3478 * 3479 * etick: points to the body of the session ticket extension. 3480 * eticklen: the length of the session tickets extenion. 3481 * sess_id: points at the session ID. 3482 * sesslen: the length of the session ID. 3483 * psess: (output) on return, if a ticket was decrypted, then this is set to 3484 * point to the resulting session. 3485 * 3486 * Returns: 3487 * -1: fatal error, either from parsing or decrypting the ticket. 3488 * 2: the ticket couldn't be decrypted. 3489 * 3: a ticket was successfully decrypted and *psess was set. 3490 * 4: same as 3, but the ticket needs to be renewed. 3491 */ 3492 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 3493 int eticklen, const unsigned char *sess_id, 3494 int sesslen, SSL_SESSION **psess) 3495 { 3496 SSL_SESSION *sess; 3497 unsigned char *sdec; 3498 const unsigned char *p; 3499 int slen, mlen, renew_ticket = 0; 3500 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 3501 HMAC_CTX hctx; 3502 EVP_CIPHER_CTX ctx; 3503 SSL_CTX *tctx = s->initial_ctx; 3504 3505 /* Initialize session ticket encryption and HMAC contexts */ 3506 HMAC_CTX_init(&hctx); 3507 EVP_CIPHER_CTX_init(&ctx); 3508 if (tctx->tlsext_ticket_key_cb) { 3509 unsigned char *nctick = (unsigned char *)etick; 3510 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 3511 &ctx, &hctx, 0); 3512 if (rv < 0) 3513 return -1; 3514 if (rv == 0) 3515 return 2; 3516 if (rv == 2) 3517 renew_ticket = 1; 3518 } else { 3519 /* Check key name matches */ 3520 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 3521 return 2; 3522 if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3523 tlsext_tick_md(), NULL) <= 0 3524 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3525 tctx->tlsext_tick_aes_key, 3526 etick + 16) <= 0) { 3527 goto err; 3528 } 3529 } 3530 /* 3531 * Attempt to process session ticket, first conduct sanity and integrity 3532 * checks on ticket. 3533 */ 3534 mlen = HMAC_size(&hctx); 3535 if (mlen < 0) { 3536 goto err; 3537 } 3538 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 3539 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 3540 HMAC_CTX_cleanup(&hctx); 3541 EVP_CIPHER_CTX_cleanup(&ctx); 3542 return 2; 3543 } 3544 3545 eticklen -= mlen; 3546 /* Check HMAC of encrypted ticket */ 3547 if (HMAC_Update(&hctx, etick, eticklen) <= 0 3548 || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 3549 goto err; 3550 } 3551 HMAC_CTX_cleanup(&hctx); 3552 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 3553 EVP_CIPHER_CTX_cleanup(&ctx); 3554 return 2; 3555 } 3556 /* Attempt to decrypt session data */ 3557 /* Move p after IV to start of encrypted ticket, update length */ 3558 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 3559 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 3560 sdec = OPENSSL_malloc(eticklen); 3561 if (sdec == NULL 3562 || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 3563 EVP_CIPHER_CTX_cleanup(&ctx); 3564 OPENSSL_free(sdec); 3565 return -1; 3566 } 3567 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 3568 EVP_CIPHER_CTX_cleanup(&ctx); 3569 OPENSSL_free(sdec); 3570 return 2; 3571 } 3572 slen += mlen; 3573 EVP_CIPHER_CTX_cleanup(&ctx); 3574 p = sdec; 3575 3576 sess = d2i_SSL_SESSION(NULL, &p, slen); 3577 OPENSSL_free(sdec); 3578 if (sess) { 3579 /* 3580 * The session ID, if non-empty, is used by some clients to detect 3581 * that the ticket has been accepted. So we copy it to the session 3582 * structure. If it is empty set length to zero as required by 3583 * standard. 3584 */ 3585 if (sesslen) 3586 memcpy(sess->session_id, sess_id, sesslen); 3587 sess->session_id_length = sesslen; 3588 *psess = sess; 3589 if (renew_ticket) 3590 return 4; 3591 else 3592 return 3; 3593 } 3594 ERR_clear_error(); 3595 /* 3596 * For session parse failure, indicate that we need to send a new ticket. 3597 */ 3598 return 2; 3599 err: 3600 EVP_CIPHER_CTX_cleanup(&ctx); 3601 HMAC_CTX_cleanup(&hctx); 3602 return -1; 3603 } 3604 3605 /* Tables to translate from NIDs to TLS v1.2 ids */ 3606 3607 typedef struct { 3608 int nid; 3609 int id; 3610 } tls12_lookup; 3611 3612 static tls12_lookup tls12_md[] = { 3613 {NID_md5, TLSEXT_hash_md5}, 3614 {NID_sha1, TLSEXT_hash_sha1}, 3615 {NID_sha224, TLSEXT_hash_sha224}, 3616 {NID_sha256, TLSEXT_hash_sha256}, 3617 {NID_sha384, TLSEXT_hash_sha384}, 3618 {NID_sha512, TLSEXT_hash_sha512} 3619 }; 3620 3621 static tls12_lookup tls12_sig[] = { 3622 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 3623 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 3624 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 3625 }; 3626 3627 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 3628 { 3629 size_t i; 3630 for (i = 0; i < tlen; i++) { 3631 if (table[i].nid == nid) 3632 return table[i].id; 3633 } 3634 return -1; 3635 } 3636 3637 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 3638 { 3639 size_t i; 3640 for (i = 0; i < tlen; i++) { 3641 if ((table[i].id) == id) 3642 return table[i].nid; 3643 } 3644 return NID_undef; 3645 } 3646 3647 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, 3648 const EVP_MD *md) 3649 { 3650 int sig_id, md_id; 3651 if (!md) 3652 return 0; 3653 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 3654 sizeof(tls12_md) / sizeof(tls12_lookup)); 3655 if (md_id == -1) 3656 return 0; 3657 sig_id = tls12_get_sigid(pk); 3658 if (sig_id == -1) 3659 return 0; 3660 p[0] = (unsigned char)md_id; 3661 p[1] = (unsigned char)sig_id; 3662 return 1; 3663 } 3664 3665 int tls12_get_sigid(const EVP_PKEY *pk) 3666 { 3667 return tls12_find_id(pk->type, tls12_sig, 3668 sizeof(tls12_sig) / sizeof(tls12_lookup)); 3669 } 3670 3671 const EVP_MD *tls12_get_hash(unsigned char hash_alg) 3672 { 3673 switch (hash_alg) { 3674 # ifndef OPENSSL_NO_MD5 3675 case TLSEXT_hash_md5: 3676 # ifdef OPENSSL_FIPS 3677 if (FIPS_mode()) 3678 return NULL; 3679 # endif 3680 return EVP_md5(); 3681 # endif 3682 # ifndef OPENSSL_NO_SHA 3683 case TLSEXT_hash_sha1: 3684 return EVP_sha1(); 3685 # endif 3686 # ifndef OPENSSL_NO_SHA256 3687 case TLSEXT_hash_sha224: 3688 return EVP_sha224(); 3689 3690 case TLSEXT_hash_sha256: 3691 return EVP_sha256(); 3692 # endif 3693 # ifndef OPENSSL_NO_SHA512 3694 case TLSEXT_hash_sha384: 3695 return EVP_sha384(); 3696 3697 case TLSEXT_hash_sha512: 3698 return EVP_sha512(); 3699 # endif 3700 default: 3701 return NULL; 3702 3703 } 3704 } 3705 3706 static int tls12_get_pkey_idx(unsigned char sig_alg) 3707 { 3708 switch (sig_alg) { 3709 # ifndef OPENSSL_NO_RSA 3710 case TLSEXT_signature_rsa: 3711 return SSL_PKEY_RSA_SIGN; 3712 # endif 3713 # ifndef OPENSSL_NO_DSA 3714 case TLSEXT_signature_dsa: 3715 return SSL_PKEY_DSA_SIGN; 3716 # endif 3717 # ifndef OPENSSL_NO_ECDSA 3718 case TLSEXT_signature_ecdsa: 3719 return SSL_PKEY_ECC; 3720 # endif 3721 } 3722 return -1; 3723 } 3724 3725 /* Convert TLS 1.2 signature algorithm extension values into NIDs */ 3726 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, 3727 int *psignhash_nid, const unsigned char *data) 3728 { 3729 int sign_nid = NID_undef, hash_nid = NID_undef; 3730 if (!phash_nid && !psign_nid && !psignhash_nid) 3731 return; 3732 if (phash_nid || psignhash_nid) { 3733 hash_nid = tls12_find_nid(data[0], tls12_md, 3734 sizeof(tls12_md) / sizeof(tls12_lookup)); 3735 if (phash_nid) 3736 *phash_nid = hash_nid; 3737 } 3738 if (psign_nid || psignhash_nid) { 3739 sign_nid = tls12_find_nid(data[1], tls12_sig, 3740 sizeof(tls12_sig) / sizeof(tls12_lookup)); 3741 if (psign_nid) 3742 *psign_nid = sign_nid; 3743 } 3744 if (psignhash_nid) { 3745 if (sign_nid == NID_undef || hash_nid == NID_undef 3746 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, 3747 sign_nid) <= 0) 3748 *psignhash_nid = NID_undef; 3749 } 3750 } 3751 3752 /* Given preference and allowed sigalgs set shared sigalgs */ 3753 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, 3754 const unsigned char *pref, size_t preflen, 3755 const unsigned char *allow, 3756 size_t allowlen) 3757 { 3758 const unsigned char *ptmp, *atmp; 3759 size_t i, j, nmatch = 0; 3760 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) { 3761 /* Skip disabled hashes or signature algorithms */ 3762 if (tls12_get_hash(ptmp[0]) == NULL) 3763 continue; 3764 if (tls12_get_pkey_idx(ptmp[1]) == -1) 3765 continue; 3766 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) { 3767 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) { 3768 nmatch++; 3769 if (shsig) { 3770 shsig->rhash = ptmp[0]; 3771 shsig->rsign = ptmp[1]; 3772 tls1_lookup_sigalg(&shsig->hash_nid, 3773 &shsig->sign_nid, 3774 &shsig->signandhash_nid, ptmp); 3775 shsig++; 3776 } 3777 break; 3778 } 3779 } 3780 } 3781 return nmatch; 3782 } 3783 3784 /* Set shared signature algorithms for SSL structures */ 3785 static int tls1_set_shared_sigalgs(SSL *s) 3786 { 3787 const unsigned char *pref, *allow, *conf; 3788 size_t preflen, allowlen, conflen; 3789 size_t nmatch; 3790 TLS_SIGALGS *salgs = NULL; 3791 CERT *c = s->cert; 3792 unsigned int is_suiteb = tls1_suiteb(s); 3793 if (c->shared_sigalgs) { 3794 OPENSSL_free(c->shared_sigalgs); 3795 c->shared_sigalgs = NULL; 3796 c->shared_sigalgslen = 0; 3797 } 3798 /* If client use client signature algorithms if not NULL */ 3799 if (!s->server && c->client_sigalgs && !is_suiteb) { 3800 conf = c->client_sigalgs; 3801 conflen = c->client_sigalgslen; 3802 } else if (c->conf_sigalgs && !is_suiteb) { 3803 conf = c->conf_sigalgs; 3804 conflen = c->conf_sigalgslen; 3805 } else 3806 conflen = tls12_get_psigalgs(s, &conf); 3807 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { 3808 pref = conf; 3809 preflen = conflen; 3810 allow = c->peer_sigalgs; 3811 allowlen = c->peer_sigalgslen; 3812 } else { 3813 allow = conf; 3814 allowlen = conflen; 3815 pref = c->peer_sigalgs; 3816 preflen = c->peer_sigalgslen; 3817 } 3818 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); 3819 if (nmatch) { 3820 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); 3821 if (!salgs) 3822 return 0; 3823 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); 3824 } else { 3825 salgs = NULL; 3826 } 3827 c->shared_sigalgs = salgs; 3828 c->shared_sigalgslen = nmatch; 3829 return 1; 3830 } 3831 3832 /* Set preferred digest for each key type */ 3833 3834 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize) 3835 { 3836 CERT *c = s->cert; 3837 /* Extension ignored for inappropriate versions */ 3838 if (!SSL_USE_SIGALGS(s)) 3839 return 1; 3840 /* Should never happen */ 3841 if (!c) 3842 return 0; 3843 3844 if (c->peer_sigalgs) 3845 OPENSSL_free(c->peer_sigalgs); 3846 c->peer_sigalgs = OPENSSL_malloc(dsize); 3847 if (!c->peer_sigalgs) 3848 return 0; 3849 c->peer_sigalgslen = dsize; 3850 memcpy(c->peer_sigalgs, data, dsize); 3851 return 1; 3852 } 3853 3854 int tls1_process_sigalgs(SSL *s) 3855 { 3856 int idx; 3857 size_t i; 3858 const EVP_MD *md; 3859 CERT *c = s->cert; 3860 TLS_SIGALGS *sigptr; 3861 if (!tls1_set_shared_sigalgs(s)) 3862 return 0; 3863 3864 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL 3865 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { 3866 /* 3867 * Use first set signature preference to force message digest, 3868 * ignoring any peer preferences. 3869 */ 3870 const unsigned char *sigs = NULL; 3871 if (s->server) 3872 sigs = c->conf_sigalgs; 3873 else 3874 sigs = c->client_sigalgs; 3875 if (sigs) { 3876 idx = tls12_get_pkey_idx(sigs[1]); 3877 md = tls12_get_hash(sigs[0]); 3878 c->pkeys[idx].digest = md; 3879 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 3880 if (idx == SSL_PKEY_RSA_SIGN) { 3881 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = 3882 CERT_PKEY_EXPLICIT_SIGN; 3883 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 3884 } 3885 } 3886 } 3887 # endif 3888 3889 for (i = 0, sigptr = c->shared_sigalgs; 3890 i < c->shared_sigalgslen; i++, sigptr++) { 3891 idx = tls12_get_pkey_idx(sigptr->rsign); 3892 if (idx > 0 && c->pkeys[idx].digest == NULL) { 3893 md = tls12_get_hash(sigptr->rhash); 3894 c->pkeys[idx].digest = md; 3895 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN; 3896 if (idx == SSL_PKEY_RSA_SIGN) { 3897 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = 3898 CERT_PKEY_EXPLICIT_SIGN; 3899 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 3900 } 3901 } 3902 3903 } 3904 /* 3905 * In strict mode leave unset digests as NULL to indicate we can't use 3906 * the certificate for signing. 3907 */ 3908 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { 3909 /* 3910 * Set any remaining keys to default values. NOTE: if alg is not 3911 * supported it stays as NULL. 3912 */ 3913 # ifndef OPENSSL_NO_DSA 3914 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 3915 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 3916 # endif 3917 # ifndef OPENSSL_NO_RSA 3918 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 3919 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 3920 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 3921 } 3922 # endif 3923 # ifndef OPENSSL_NO_ECDSA 3924 if (!c->pkeys[SSL_PKEY_ECC].digest) 3925 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 3926 # endif 3927 } 3928 return 1; 3929 } 3930 3931 int SSL_get_sigalgs(SSL *s, int idx, 3932 int *psign, int *phash, int *psignhash, 3933 unsigned char *rsig, unsigned char *rhash) 3934 { 3935 const unsigned char *psig = s->cert->peer_sigalgs; 3936 if (psig == NULL) 3937 return 0; 3938 if (idx >= 0) { 3939 idx <<= 1; 3940 if (idx >= (int)s->cert->peer_sigalgslen) 3941 return 0; 3942 psig += idx; 3943 if (rhash) 3944 *rhash = psig[0]; 3945 if (rsig) 3946 *rsig = psig[1]; 3947 tls1_lookup_sigalg(phash, psign, psignhash, psig); 3948 } 3949 return s->cert->peer_sigalgslen / 2; 3950 } 3951 3952 int SSL_get_shared_sigalgs(SSL *s, int idx, 3953 int *psign, int *phash, int *psignhash, 3954 unsigned char *rsig, unsigned char *rhash) 3955 { 3956 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; 3957 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) 3958 return 0; 3959 shsigalgs += idx; 3960 if (phash) 3961 *phash = shsigalgs->hash_nid; 3962 if (psign) 3963 *psign = shsigalgs->sign_nid; 3964 if (psignhash) 3965 *psignhash = shsigalgs->signandhash_nid; 3966 if (rsig) 3967 *rsig = shsigalgs->rsign; 3968 if (rhash) 3969 *rhash = shsigalgs->rhash; 3970 return s->cert->shared_sigalgslen; 3971 } 3972 3973 # ifndef OPENSSL_NO_HEARTBEATS 3974 int tls1_process_heartbeat(SSL *s) 3975 { 3976 unsigned char *p = &s->s3->rrec.data[0], *pl; 3977 unsigned short hbtype; 3978 unsigned int payload; 3979 unsigned int padding = 16; /* Use minimum padding */ 3980 3981 if (s->msg_callback) 3982 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 3983 &s->s3->rrec.data[0], s->s3->rrec.length, 3984 s, s->msg_callback_arg); 3985 3986 /* Read type and payload length first */ 3987 if (1 + 2 + 16 > s->s3->rrec.length) 3988 return 0; /* silently discard */ 3989 hbtype = *p++; 3990 n2s(p, payload); 3991 if (1 + 2 + payload + 16 > s->s3->rrec.length) 3992 return 0; /* silently discard per RFC 6520 sec. 4 */ 3993 pl = p; 3994 3995 if (hbtype == TLS1_HB_REQUEST) { 3996 unsigned char *buffer, *bp; 3997 int r; 3998 3999 /* 4000 * Allocate memory for the response, size is 1 bytes message type, 4001 * plus 2 bytes payload length, plus payload, plus padding 4002 */ 4003 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 4004 if (buffer == NULL) 4005 return -1; 4006 bp = buffer; 4007 4008 /* Enter response type, length and copy payload */ 4009 *bp++ = TLS1_HB_RESPONSE; 4010 s2n(payload, bp); 4011 memcpy(bp, pl, payload); 4012 bp += payload; 4013 /* Random padding */ 4014 if (RAND_bytes(bp, padding) <= 0) { 4015 OPENSSL_free(buffer); 4016 return -1; 4017 } 4018 4019 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 4020 3 + payload + padding); 4021 4022 if (r >= 0 && s->msg_callback) 4023 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 4024 buffer, 3 + payload + padding, 4025 s, s->msg_callback_arg); 4026 4027 OPENSSL_free(buffer); 4028 4029 if (r < 0) 4030 return r; 4031 } else if (hbtype == TLS1_HB_RESPONSE) { 4032 unsigned int seq; 4033 4034 /* 4035 * We only send sequence numbers (2 bytes unsigned int), and 16 4036 * random bytes, so we just try to read the sequence number 4037 */ 4038 n2s(pl, seq); 4039 4040 if (payload == 18 && seq == s->tlsext_hb_seq) { 4041 s->tlsext_hb_seq++; 4042 s->tlsext_hb_pending = 0; 4043 } 4044 } 4045 4046 return 0; 4047 } 4048 4049 int tls1_heartbeat(SSL *s) 4050 { 4051 unsigned char *buf, *p; 4052 int ret = -1; 4053 unsigned int payload = 18; /* Sequence number + random bytes */ 4054 unsigned int padding = 16; /* Use minimum padding */ 4055 4056 /* Only send if peer supports and accepts HB requests... */ 4057 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 4058 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { 4059 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 4060 return -1; 4061 } 4062 4063 /* ...and there is none in flight yet... */ 4064 if (s->tlsext_hb_pending) { 4065 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); 4066 return -1; 4067 } 4068 4069 /* ...and no handshake in progress. */ 4070 if (SSL_in_init(s) || s->in_handshake) { 4071 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); 4072 return -1; 4073 } 4074 4075 /* 4076 * Check if padding is too long, payload and padding must not exceed 2^14 4077 * - 3 = 16381 bytes in total. 4078 */ 4079 OPENSSL_assert(payload + padding <= 16381); 4080 4081 /*- 4082 * Create HeartBeat message, we just use a sequence number 4083 * as payload to distuingish different messages and add 4084 * some random stuff. 4085 * - Message Type, 1 byte 4086 * - Payload Length, 2 bytes (unsigned int) 4087 * - Payload, the sequence number (2 bytes uint) 4088 * - Payload, random bytes (16 bytes uint) 4089 * - Padding 4090 */ 4091 buf = OPENSSL_malloc(1 + 2 + payload + padding); 4092 if (buf == NULL) 4093 return -1; 4094 p = buf; 4095 /* Message Type */ 4096 *p++ = TLS1_HB_REQUEST; 4097 /* Payload length (18 bytes here) */ 4098 s2n(payload, p); 4099 /* Sequence number */ 4100 s2n(s->tlsext_hb_seq, p); 4101 /* 16 random bytes */ 4102 if (RAND_bytes(p, 16) <= 0) { 4103 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 4104 goto err; 4105 } 4106 p += 16; 4107 /* Random padding */ 4108 if (RAND_bytes(p, padding) <= 0) { 4109 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 4110 goto err; 4111 } 4112 4113 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 4114 if (ret >= 0) { 4115 if (s->msg_callback) 4116 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 4117 buf, 3 + payload + padding, 4118 s, s->msg_callback_arg); 4119 4120 s->tlsext_hb_pending = 1; 4121 } 4122 4123 err: 4124 OPENSSL_free(buf); 4125 4126 return ret; 4127 } 4128 # endif 4129 4130 # define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) 4131 4132 typedef struct { 4133 size_t sigalgcnt; 4134 int sigalgs[MAX_SIGALGLEN]; 4135 } sig_cb_st; 4136 4137 static int sig_cb(const char *elem, int len, void *arg) 4138 { 4139 sig_cb_st *sarg = arg; 4140 size_t i; 4141 char etmp[20], *p; 4142 int sig_alg, hash_alg; 4143 if (elem == NULL) 4144 return 0; 4145 if (sarg->sigalgcnt == MAX_SIGALGLEN) 4146 return 0; 4147 if (len > (int)(sizeof(etmp) - 1)) 4148 return 0; 4149 memcpy(etmp, elem, len); 4150 etmp[len] = 0; 4151 p = strchr(etmp, '+'); 4152 if (!p) 4153 return 0; 4154 *p = 0; 4155 p++; 4156 if (!*p) 4157 return 0; 4158 4159 if (!strcmp(etmp, "RSA")) 4160 sig_alg = EVP_PKEY_RSA; 4161 else if (!strcmp(etmp, "DSA")) 4162 sig_alg = EVP_PKEY_DSA; 4163 else if (!strcmp(etmp, "ECDSA")) 4164 sig_alg = EVP_PKEY_EC; 4165 else 4166 return 0; 4167 4168 hash_alg = OBJ_sn2nid(p); 4169 if (hash_alg == NID_undef) 4170 hash_alg = OBJ_ln2nid(p); 4171 if (hash_alg == NID_undef) 4172 return 0; 4173 4174 for (i = 0; i < sarg->sigalgcnt; i += 2) { 4175 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg) 4176 return 0; 4177 } 4178 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg; 4179 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg; 4180 return 1; 4181 } 4182 4183 /* 4184 * Set suppored signature algorithms based on a colon separated list of the 4185 * form sig+hash e.g. RSA+SHA512:DSA+SHA512 4186 */ 4187 int tls1_set_sigalgs_list(CERT *c, const char *str, int client) 4188 { 4189 sig_cb_st sig; 4190 sig.sigalgcnt = 0; 4191 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) 4192 return 0; 4193 if (c == NULL) 4194 return 1; 4195 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); 4196 } 4197 4198 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, 4199 int client) 4200 { 4201 unsigned char *sigalgs, *sptr; 4202 int rhash, rsign; 4203 size_t i; 4204 if (salglen & 1) 4205 return 0; 4206 sigalgs = OPENSSL_malloc(salglen); 4207 if (sigalgs == NULL) 4208 return 0; 4209 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 4210 rhash = tls12_find_id(*psig_nids++, tls12_md, 4211 sizeof(tls12_md) / sizeof(tls12_lookup)); 4212 rsign = tls12_find_id(*psig_nids++, tls12_sig, 4213 sizeof(tls12_sig) / sizeof(tls12_lookup)); 4214 4215 if (rhash == -1 || rsign == -1) 4216 goto err; 4217 *sptr++ = rhash; 4218 *sptr++ = rsign; 4219 } 4220 4221 if (client) { 4222 if (c->client_sigalgs) 4223 OPENSSL_free(c->client_sigalgs); 4224 c->client_sigalgs = sigalgs; 4225 c->client_sigalgslen = salglen; 4226 } else { 4227 if (c->conf_sigalgs) 4228 OPENSSL_free(c->conf_sigalgs); 4229 c->conf_sigalgs = sigalgs; 4230 c->conf_sigalgslen = salglen; 4231 } 4232 4233 return 1; 4234 4235 err: 4236 OPENSSL_free(sigalgs); 4237 return 0; 4238 } 4239 4240 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) 4241 { 4242 int sig_nid; 4243 size_t i; 4244 if (default_nid == -1) 4245 return 1; 4246 sig_nid = X509_get_signature_nid(x); 4247 if (default_nid) 4248 return sig_nid == default_nid ? 1 : 0; 4249 for (i = 0; i < c->shared_sigalgslen; i++) 4250 if (sig_nid == c->shared_sigalgs[i].signandhash_nid) 4251 return 1; 4252 return 0; 4253 } 4254 4255 /* Check to see if a certificate issuer name matches list of CA names */ 4256 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x) 4257 { 4258 X509_NAME *nm; 4259 int i; 4260 nm = X509_get_issuer_name(x); 4261 for (i = 0; i < sk_X509_NAME_num(names); i++) { 4262 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i))) 4263 return 1; 4264 } 4265 return 0; 4266 } 4267 4268 /* 4269 * Check certificate chain is consistent with TLS extensions and is usable by 4270 * server. This servers two purposes: it allows users to check chains before 4271 * passing them to the server and it allows the server to check chains before 4272 * attempting to use them. 4273 */ 4274 4275 /* Flags which need to be set for a certificate when stict mode not set */ 4276 4277 # define CERT_PKEY_VALID_FLAGS \ 4278 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM) 4279 /* Strict mode flags */ 4280 # define CERT_PKEY_STRICT_FLAGS \ 4281 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \ 4282 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE) 4283 4284 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, 4285 int idx) 4286 { 4287 int i; 4288 int rv = 0; 4289 int check_flags = 0, strict_mode; 4290 CERT_PKEY *cpk = NULL; 4291 CERT *c = s->cert; 4292 unsigned int suiteb_flags = tls1_suiteb(s); 4293 /* idx == -1 means checking server chains */ 4294 if (idx != -1) { 4295 /* idx == -2 means checking client certificate chains */ 4296 if (idx == -2) { 4297 cpk = c->key; 4298 idx = cpk - c->pkeys; 4299 } else 4300 cpk = c->pkeys + idx; 4301 x = cpk->x509; 4302 pk = cpk->privatekey; 4303 chain = cpk->chain; 4304 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT; 4305 /* If no cert or key, forget it */ 4306 if (!x || !pk) 4307 goto end; 4308 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL 4309 /* Allow any certificate to pass test */ 4310 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { 4311 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN | 4312 CERT_PKEY_VALID | CERT_PKEY_SIGN; 4313 cpk->valid_flags = rv; 4314 return rv; 4315 } 4316 # endif 4317 } else { 4318 if (!x || !pk) 4319 return 0; 4320 idx = ssl_cert_type(x, pk); 4321 if (idx == -1) 4322 return 0; 4323 cpk = c->pkeys + idx; 4324 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) 4325 check_flags = CERT_PKEY_STRICT_FLAGS; 4326 else 4327 check_flags = CERT_PKEY_VALID_FLAGS; 4328 strict_mode = 1; 4329 } 4330 4331 if (suiteb_flags) { 4332 int ok; 4333 if (check_flags) 4334 check_flags |= CERT_PKEY_SUITEB; 4335 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); 4336 if (ok == X509_V_OK) 4337 rv |= CERT_PKEY_SUITEB; 4338 else if (!check_flags) 4339 goto end; 4340 } 4341 4342 /* 4343 * Check all signature algorithms are consistent with signature 4344 * algorithms extension if TLS 1.2 or later and strict mode. 4345 */ 4346 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { 4347 int default_nid; 4348 unsigned char rsign = 0; 4349 if (c->peer_sigalgs) 4350 default_nid = 0; 4351 /* If no sigalgs extension use defaults from RFC5246 */ 4352 else { 4353 switch (idx) { 4354 case SSL_PKEY_RSA_ENC: 4355 case SSL_PKEY_RSA_SIGN: 4356 case SSL_PKEY_DH_RSA: 4357 rsign = TLSEXT_signature_rsa; 4358 default_nid = NID_sha1WithRSAEncryption; 4359 break; 4360 4361 case SSL_PKEY_DSA_SIGN: 4362 case SSL_PKEY_DH_DSA: 4363 rsign = TLSEXT_signature_dsa; 4364 default_nid = NID_dsaWithSHA1; 4365 break; 4366 4367 case SSL_PKEY_ECC: 4368 rsign = TLSEXT_signature_ecdsa; 4369 default_nid = NID_ecdsa_with_SHA1; 4370 break; 4371 4372 default: 4373 default_nid = -1; 4374 break; 4375 } 4376 } 4377 /* 4378 * If peer sent no signature algorithms extension and we have set 4379 * preferred signature algorithms check we support sha1. 4380 */ 4381 if (default_nid > 0 && c->conf_sigalgs) { 4382 size_t j; 4383 const unsigned char *p = c->conf_sigalgs; 4384 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) { 4385 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) 4386 break; 4387 } 4388 if (j == c->conf_sigalgslen) { 4389 if (check_flags) 4390 goto skip_sigs; 4391 else 4392 goto end; 4393 } 4394 } 4395 /* Check signature algorithm of each cert in chain */ 4396 if (!tls1_check_sig_alg(c, x, default_nid)) { 4397 if (!check_flags) 4398 goto end; 4399 } else 4400 rv |= CERT_PKEY_EE_SIGNATURE; 4401 rv |= CERT_PKEY_CA_SIGNATURE; 4402 for (i = 0; i < sk_X509_num(chain); i++) { 4403 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) { 4404 if (check_flags) { 4405 rv &= ~CERT_PKEY_CA_SIGNATURE; 4406 break; 4407 } else 4408 goto end; 4409 } 4410 } 4411 } 4412 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */ 4413 else if (check_flags) 4414 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; 4415 skip_sigs: 4416 /* Check cert parameters are consistent */ 4417 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) 4418 rv |= CERT_PKEY_EE_PARAM; 4419 else if (!check_flags) 4420 goto end; 4421 if (!s->server) 4422 rv |= CERT_PKEY_CA_PARAM; 4423 /* In strict mode check rest of chain too */ 4424 else if (strict_mode) { 4425 rv |= CERT_PKEY_CA_PARAM; 4426 for (i = 0; i < sk_X509_num(chain); i++) { 4427 X509 *ca = sk_X509_value(chain, i); 4428 if (!tls1_check_cert_param(s, ca, 0)) { 4429 if (check_flags) { 4430 rv &= ~CERT_PKEY_CA_PARAM; 4431 break; 4432 } else 4433 goto end; 4434 } 4435 } 4436 } 4437 if (!s->server && strict_mode) { 4438 STACK_OF(X509_NAME) *ca_dn; 4439 int check_type = 0; 4440 switch (pk->type) { 4441 case EVP_PKEY_RSA: 4442 check_type = TLS_CT_RSA_SIGN; 4443 break; 4444 case EVP_PKEY_DSA: 4445 check_type = TLS_CT_DSS_SIGN; 4446 break; 4447 case EVP_PKEY_EC: 4448 check_type = TLS_CT_ECDSA_SIGN; 4449 break; 4450 case EVP_PKEY_DH: 4451 case EVP_PKEY_DHX: 4452 { 4453 int cert_type = X509_certificate_type(x, pk); 4454 if (cert_type & EVP_PKS_RSA) 4455 check_type = TLS_CT_RSA_FIXED_DH; 4456 if (cert_type & EVP_PKS_DSA) 4457 check_type = TLS_CT_DSS_FIXED_DH; 4458 } 4459 } 4460 if (check_type) { 4461 const unsigned char *ctypes; 4462 int ctypelen; 4463 if (c->ctypes) { 4464 ctypes = c->ctypes; 4465 ctypelen = (int)c->ctype_num; 4466 } else { 4467 ctypes = (unsigned char *)s->s3->tmp.ctype; 4468 ctypelen = s->s3->tmp.ctype_num; 4469 } 4470 for (i = 0; i < ctypelen; i++) { 4471 if (ctypes[i] == check_type) { 4472 rv |= CERT_PKEY_CERT_TYPE; 4473 break; 4474 } 4475 } 4476 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) 4477 goto end; 4478 } else 4479 rv |= CERT_PKEY_CERT_TYPE; 4480 4481 ca_dn = s->s3->tmp.ca_names; 4482 4483 if (!sk_X509_NAME_num(ca_dn)) 4484 rv |= CERT_PKEY_ISSUER_NAME; 4485 4486 if (!(rv & CERT_PKEY_ISSUER_NAME)) { 4487 if (ssl_check_ca_name(ca_dn, x)) 4488 rv |= CERT_PKEY_ISSUER_NAME; 4489 } 4490 if (!(rv & CERT_PKEY_ISSUER_NAME)) { 4491 for (i = 0; i < sk_X509_num(chain); i++) { 4492 X509 *xtmp = sk_X509_value(chain, i); 4493 if (ssl_check_ca_name(ca_dn, xtmp)) { 4494 rv |= CERT_PKEY_ISSUER_NAME; 4495 break; 4496 } 4497 } 4498 } 4499 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) 4500 goto end; 4501 } else 4502 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE; 4503 4504 if (!check_flags || (rv & check_flags) == check_flags) 4505 rv |= CERT_PKEY_VALID; 4506 4507 end: 4508 4509 if (TLS1_get_version(s) >= TLS1_2_VERSION) { 4510 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN) 4511 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; 4512 else if (cpk->digest) 4513 rv |= CERT_PKEY_SIGN; 4514 } else 4515 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; 4516 4517 /* 4518 * When checking a CERT_PKEY structure all flags are irrelevant if the 4519 * chain is invalid. 4520 */ 4521 if (!check_flags) { 4522 if (rv & CERT_PKEY_VALID) 4523 cpk->valid_flags = rv; 4524 else { 4525 /* Preserve explicit sign flag, clear rest */ 4526 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; 4527 return 0; 4528 } 4529 } 4530 return rv; 4531 } 4532 4533 /* Set validity of certificates in an SSL structure */ 4534 void tls1_set_cert_validity(SSL *s) 4535 { 4536 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); 4537 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); 4538 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); 4539 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); 4540 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); 4541 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); 4542 } 4543 4544 /* User level utiity function to check a chain is suitable */ 4545 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) 4546 { 4547 return tls1_check_chain(s, x, pk, chain, -1); 4548 } 4549 4550 #endif 4551