search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update LibreSSL from version 2.4.2 => 2.4.3
[dragonfly.git] / crypto / libressl / ssl / t1_lib.c
blobc1e5f54aec1dc96794d88c4646362021c89499ff
1 /* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120 #include "bytestring.h"
121
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
125
126 SSL3_ENC_METHOD TLSv1_enc_data = {
127 .enc = tls1_enc,
128 .mac = tls1_mac,
129 .setup_key_block = tls1_setup_key_block,
130 .generate_master_secret = tls1_generate_master_secret,
131 .change_cipher_state = tls1_change_cipher_state,
132 .final_finish_mac = tls1_final_finish_mac,
133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134 .cert_verify_mac = tls1_cert_verify_mac,
135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139 .alert_value = tls1_alert_code,
140 .export_keying_material = tls1_export_keying_material,
141 .enc_flags = 0,
142 };
143
144 SSL3_ENC_METHOD TLSv1_1_enc_data = {
145 .enc = tls1_enc,
146 .mac = tls1_mac,
147 .setup_key_block = tls1_setup_key_block,
148 .generate_master_secret = tls1_generate_master_secret,
149 .change_cipher_state = tls1_change_cipher_state,
150 .final_finish_mac = tls1_final_finish_mac,
151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152 .cert_verify_mac = tls1_cert_verify_mac,
153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157 .alert_value = tls1_alert_code,
158 .export_keying_material = tls1_export_keying_material,
159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
160 };
161
162 SSL3_ENC_METHOD TLSv1_2_enc_data = {
163 .enc = tls1_enc,
164 .mac = tls1_mac,
165 .setup_key_block = tls1_setup_key_block,
166 .generate_master_secret = tls1_generate_master_secret,
167 .change_cipher_state = tls1_change_cipher_state,
168 .final_finish_mac = tls1_final_finish_mac,
169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170 .cert_verify_mac = tls1_cert_verify_mac,
171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175 .alert_value = tls1_alert_code,
176 .export_keying_material = tls1_export_keying_material,
177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 };
180
181 long
182 tls1_default_timeout(void)
183 {
184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185 * is way too long for http, the cache would over fill */
186 return (60 * 60 * 2);
187 }
188
189 int
190 tls1_new(SSL *s)
191 {
192 if (!ssl3_new(s))
193 return (0);
194 s->method->ssl_clear(s);
195 return (1);
196 }
197
198 void
199 tls1_free(SSL *s)
200 {
201 if (s == NULL)
202 return;
203
204 free(s->tlsext_session_ticket);
205 ssl3_free(s);
206 }
207
208 void
209 tls1_clear(SSL *s)
210 {
211 ssl3_clear(s);
212 s->version = s->method->version;
213 }
214
215
216 static int nid_list[] = {
217 NID_sect163k1, /* sect163k1 (1) */
218 NID_sect163r1, /* sect163r1 (2) */
219 NID_sect163r2, /* sect163r2 (3) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_sect233k1, /* sect233k1 (6) */
223 NID_sect233r1, /* sect233r1 (7) */
224 NID_sect239k1, /* sect239k1 (8) */
225 NID_sect283k1, /* sect283k1 (9) */
226 NID_sect283r1, /* sect283r1 (10) */
227 NID_sect409k1, /* sect409k1 (11) */
228 NID_sect409r1, /* sect409r1 (12) */
229 NID_sect571k1, /* sect571k1 (13) */
230 NID_sect571r1, /* sect571r1 (14) */
231 NID_secp160k1, /* secp160k1 (15) */
232 NID_secp160r1, /* secp160r1 (16) */
233 NID_secp160r2, /* secp160r2 (17) */
234 NID_secp192k1, /* secp192k1 (18) */
235 NID_X9_62_prime192v1, /* secp192r1 (19) */
236 NID_secp224k1, /* secp224k1 (20) */
237 NID_secp224r1, /* secp224r1 (21) */
238 NID_secp256k1, /* secp256k1 (22) */
239 NID_X9_62_prime256v1, /* secp256r1 (23) */
240 NID_secp384r1, /* secp384r1 (24) */
241 NID_secp521r1, /* secp521r1 (25) */
242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */
245 };
246
247 static const uint8_t ecformats_default[] = {
248 TLSEXT_ECPOINTFORMAT_uncompressed,
249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
251 };
252
253 static const uint16_t eccurves_default[] = {
254 14, /* sect571r1 (14) */
255 13, /* sect571k1 (13) */
256 25, /* secp521r1 (25) */
257 28, /* brainpool512r1 (28) */
258 11, /* sect409k1 (11) */
259 12, /* sect409r1 (12) */
260 27, /* brainpoolP384r1 (27) */
261 24, /* secp384r1 (24) */
262 9, /* sect283k1 (9) */
263 10, /* sect283r1 (10) */
264 26, /* brainpoolP256r1 (26) */
265 22, /* secp256k1 (22) */
266 23, /* secp256r1 (23) */
267 8, /* sect239k1 (8) */
268 6, /* sect233k1 (6) */
269 7, /* sect233r1 (7) */
270 20, /* secp224k1 (20) */
271 21, /* secp224r1 (21) */
272 4, /* sect193r1 (4) */
273 5, /* sect193r2 (5) */
274 18, /* secp192k1 (18) */
275 19, /* secp192r1 (19) */
276 1, /* sect163k1 (1) */
277 2, /* sect163r1 (2) */
278 3, /* sect163r2 (3) */
279 15, /* secp160k1 (15) */
280 16, /* secp160r1 (16) */
281 17, /* secp160r2 (17) */
282 };
283
284 int
285 tls1_ec_curve_id2nid(uint16_t curve_id)
286 {
287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288 if ((curve_id < 1) ||
289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
290 return 0;
291 return nid_list[curve_id - 1];
292 }
293
294 uint16_t
295 tls1_ec_nid2curve_id(int nid)
296 {
297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
298 switch (nid) {
299 case NID_sect163k1: /* sect163k1 (1) */
300 return 1;
301 case NID_sect163r1: /* sect163r1 (2) */
302 return 2;
303 case NID_sect163r2: /* sect163r2 (3) */
304 return 3;
305 case NID_sect193r1: /* sect193r1 (4) */
306 return 4;
307 case NID_sect193r2: /* sect193r2 (5) */
308 return 5;
309 case NID_sect233k1: /* sect233k1 (6) */
310 return 6;
311 case NID_sect233r1: /* sect233r1 (7) */
312 return 7;
313 case NID_sect239k1: /* sect239k1 (8) */
314 return 8;
315 case NID_sect283k1: /* sect283k1 (9) */
316 return 9;
317 case NID_sect283r1: /* sect283r1 (10) */
318 return 10;
319 case NID_sect409k1: /* sect409k1 (11) */
320 return 11;
321 case NID_sect409r1: /* sect409r1 (12) */
322 return 12;
323 case NID_sect571k1: /* sect571k1 (13) */
324 return 13;
325 case NID_sect571r1: /* sect571r1 (14) */
326 return 14;
327 case NID_secp160k1: /* secp160k1 (15) */
328 return 15;
329 case NID_secp160r1: /* secp160r1 (16) */
330 return 16;
331 case NID_secp160r2: /* secp160r2 (17) */
332 return 17;
333 case NID_secp192k1: /* secp192k1 (18) */
334 return 18;
335 case NID_X9_62_prime192v1: /* secp192r1 (19) */
336 return 19;
337 case NID_secp224k1: /* secp224k1 (20) */
338 return 20;
339 case NID_secp224r1: /* secp224r1 (21) */
340 return 21;
341 case NID_secp256k1: /* secp256k1 (22) */
342 return 22;
343 case NID_X9_62_prime256v1: /* secp256r1 (23) */
344 return 23;
345 case NID_secp384r1: /* secp384r1 (24) */
346 return 24;
347 case NID_secp521r1: /* secp521r1 (25) */
348 return 25;
349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
350 return 26;
351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
352 return 27;
353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
354 return 28;
355 default:
356 return 0;
357 }
358 }
359
360 /*
361 * Return the appropriate format list. If client_formats is non-zero, return
362 * the client/session formats. Otherwise return the custom format list if one
363 * exists, or the default formats if a custom list has not been specified.
364 */
365 static void
366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
367 size_t *pformatslen)
368 {
369 if (client_formats != 0) {
370 *pformats = s->session->tlsext_ecpointformatlist;
371 *pformatslen = s->session->tlsext_ecpointformatlist_length;
372 return;
373 }
374
375 *pformats = s->tlsext_ecpointformatlist;
376 *pformatslen = s->tlsext_ecpointformatlist_length;
377 if (*pformats == NULL) {
378 *pformats = ecformats_default;
379 *pformatslen = sizeof(ecformats_default);
380 }
381 }
382
383 /*
384 * Return the appropriate curve list. If client_curves is non-zero, return
385 * the client/session curves. Otherwise return the custom curve list if one
386 * exists, or the default curves if a custom list has not been specified.
387 */
388 static void
389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
390 size_t *pcurveslen)
391 {
392 if (client_curves != 0) {
393 *pcurves = s->session->tlsext_ellipticcurvelist;
394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
395 return;
396 }
397
398 *pcurves = s->tlsext_ellipticcurvelist;
399 *pcurveslen = s->tlsext_ellipticcurvelist_length;
400 if (*pcurves == NULL) {
401 *pcurves = eccurves_default;
402 *pcurveslen = sizeof(eccurves_default) / 2;
403 }
404 }
405
406 /* Check that a curve is one of our preferences. */
407 int
408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
409 {
410 CBS cbs;
411 const uint16_t *curves;
412 size_t curveslen, i;
413 uint8_t type;
414 uint16_t cid;
415
416 CBS_init(&cbs, p, len);
417
418 /* Only named curves are supported. */
419 if (CBS_len(&cbs) != 3 ||
420 !CBS_get_u8(&cbs, &type) ||
421 type != NAMED_CURVE_TYPE ||
422 !CBS_get_u16(&cbs, &cid))
423 return (0);
424
425 tls1_get_curvelist(s, 0, &curves, &curveslen);
426
427 for (i = 0; i < curveslen; i++) {
428 if (curves[i] == cid)
429 return (1);
430 }
431 return (0);
432 }
433
434 int
435 tls1_get_shared_curve(SSL *s)
436 {
437 size_t preflen, supplen, i, j;
438 const uint16_t *pref, *supp;
439 unsigned long server_pref;
440
441 /* Cannot do anything on the client side. */
442 if (s->server == 0)
443 return (NID_undef);
444
445 /* Return first preference shared curve. */
446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
449
450 for (i = 0; i < preflen; i++) {
451 for (j = 0; j < supplen; j++) {
452 if (pref[i] == supp[j])
453 return (tls1_ec_curve_id2nid(pref[i]));
454 }
455 }
456 return (NID_undef);
457 }
458
459 /* For an EC key set TLS ID and required compression based on parameters. */
460 static int
461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
462 {
463 const EC_GROUP *grp;
464 const EC_METHOD *meth;
465 int is_prime = 0;
466 int nid, id;
467
468 if (ec == NULL)
469 return (0);
470
471 /* Determine if it is a prime field. */
472 if ((grp = EC_KEY_get0_group(ec)) == NULL)
473 return (0);
474 if ((meth = EC_GROUP_method_of(grp)) == NULL)
475 return (0);
476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
477 is_prime = 1;
478
479 /* Determine curve ID. */
480 nid = EC_GROUP_get_curve_name(grp);
481 id = tls1_ec_nid2curve_id(nid);
482
483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
484 if (id != 0)
485 *curve_id = id;
486 else
487 *curve_id = is_prime ? 0xff01 : 0xff02;
488
489 /* Specify the compression identifier. */
490 if (comp_id != NULL) {
491 if (EC_KEY_get0_public_key(ec) == NULL)
492 return (0);
493
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495 *comp_id = is_prime ?
496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
498 } else {
499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
500 }
501 }
502 return (1);
503 }
504
505 /* Check that an EC key is compatible with extensions. */
506 static int
507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
508 {
509 size_t curveslen, formatslen, i;
510 const uint16_t *curves;
511 const uint8_t *formats;
512
513 /*
514 * Check point formats extension if present, otherwise everything
515 * is supported (see RFC4492).
516 */
517 tls1_get_formatlist(s, 1, &formats, &formatslen);
518 if (comp_id != NULL && formats != NULL) {
519 for (i = 0; i < formatslen; i++) {
520 if (formats[i] == *comp_id)
521 break;
522 }
523 if (i == formatslen)
524 return (0);
525 }
526
527 /*
528 * Check curve list if present, otherwise everything is supported.
529 */
530 tls1_get_curvelist(s, 1, &curves, &curveslen);
531 if (curve_id != NULL && curves != NULL) {
532 for (i = 0; i < curveslen; i++) {
533 if (curves[i] == *curve_id)
534 break;
535 }
536 if (i == curveslen)
537 return (0);
538 }
539
540 return (1);
541 }
542
543 /* Check EC server key is compatible with client extensions. */
544 int
545 tls1_check_ec_server_key(SSL *s)
546 {
547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
548 uint16_t curve_id;
549 uint8_t comp_id;
550 EVP_PKEY *pkey;
551 int rv;
552
553 if (cpk->x509 == NULL || cpk->privatekey == NULL)
554 return (0);
555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
556 return (0);
557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
558 EVP_PKEY_free(pkey);
559 if (rv != 1)
560 return (0);
561
562 return tls1_check_ec_key(s, &curve_id, &comp_id);
563 }
564
565 /* Check EC temporary key is compatible with client extensions. */
566 int
567 tls1_check_ec_tmp_key(SSL *s)
568 {
569 EC_KEY *ec = s->cert->ecdh_tmp;
570 uint16_t curve_id;
571
572 if (s->cert->ecdh_tmp_auto != 0) {
573 /* Need a shared curve. */
574 if (tls1_get_shared_curve(s) != NID_undef)
575 return (1);
576 return (0);
577 }
578
579 if (ec == NULL) {
580 if (s->cert->ecdh_tmp_cb != NULL)
581 return (1);
582 return (0);
583 }
584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
585 return (0);
586
587 return tls1_check_ec_key(s, &curve_id, NULL);
588 }
589
590 /*
591 * List of supported signature algorithms and hashes. Should make this
592 * customisable at some point, for now include everything we support.
593 */
594
595 static unsigned char tls12_sigalgs[] = {
596 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597 TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599 #ifndef OPENSSL_NO_GOST
600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
601 #endif
602
603 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604 TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
606
607 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608 TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
610
611 #ifndef OPENSSL_NO_GOST
612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
614 #endif
615
616 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617 TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
619
620 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621 TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
623 };
624
625 int
626 tls12_get_req_sig_algs(SSL *s, unsigned char *p)
627 {
628 size_t slen = sizeof(tls12_sigalgs);
629
630 if (p)
631 memcpy(p, tls12_sigalgs, slen);
632 return (int)slen;
633 }
634
635 unsigned char *
636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
637 {
638 int extdatalen = 0;
639 unsigned char *ret = p;
640 int using_ecc = 0;
641
642 /* See if we support any ECC ciphersuites. */
643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645 unsigned long alg_k, alg_a;
646 int i;
647
648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
650
651 alg_k = c->algorithm_mkey;
652 alg_a = c->algorithm_auth;
653
654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655 (alg_a & SSL_aECDSA))) {
656 using_ecc = 1;
657 break;
658 }
659 }
660 }
661
662 ret += 2;
663
664 if (ret >= limit)
665 return NULL; /* this really never occurs, but ... */
666
667 if (s->tlsext_hostname != NULL) {
668 /* Add TLS extension servername to the Client Hello message */
669 size_t size_str, lenmax;
670
671 /* check for enough space.
672 4 for the servername type and extension length
673 2 for servernamelist length
674 1 for the hostname type
675 2 for hostname length
676 + hostname length
677 */
678
679 if ((size_t)(limit - ret) < 9)
680 return NULL;
681
682 lenmax = limit - ret - 9;
683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
684 return NULL;
685
686 /* extension type and length */
687 s2n(TLSEXT_TYPE_server_name, ret);
688
689 s2n(size_str + 5, ret);
690
691 /* length of servername list */
692 s2n(size_str + 3, ret);
693
694 /* hostname type, length and hostname */
695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
696 s2n(size_str, ret);
697 memcpy(ret, s->tlsext_hostname, size_str);
698 ret += size_str;
699 }
700
701 /* Add RI if renegotiating */
702 if (s->renegotiate) {
703 int el;
704
705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
707 ERR_R_INTERNAL_ERROR);
708 return NULL;
709 }
710
711 if ((size_t)(limit - ret) < 4 + el)
712 return NULL;
713
714 s2n(TLSEXT_TYPE_renegotiate, ret);
715 s2n(el, ret);
716
717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
719 ERR_R_INTERNAL_ERROR);
720 return NULL;
721 }
722
723 ret += el;
724 }
725
726 if (using_ecc) {
727 size_t curveslen, formatslen, lenmax;
728 const uint16_t *curves;
729 const uint8_t *formats;
730 int i;
731
732 /*
733 * Add TLS extension ECPointFormats to the ClientHello message.
734 */
735 tls1_get_formatlist(s, 0, &formats, &formatslen);
736
737 if ((size_t)(limit - ret) < 5)
738 return NULL;
739
740 lenmax = limit - ret - 5;
741 if (formatslen > lenmax)
742 return NULL;
743 if (formatslen > 255) {
744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
745 ERR_R_INTERNAL_ERROR);
746 return NULL;
747 }
748
749 s2n(TLSEXT_TYPE_ec_point_formats, ret);
750 s2n(formatslen + 1, ret);
751 *(ret++) = (unsigned char)formatslen;
752 memcpy(ret, formats, formatslen);
753 ret += formatslen;
754
755 /*
756 * Add TLS extension EllipticCurves to the ClientHello message.
757 */
758 tls1_get_curvelist(s, 0, &curves, &curveslen);
759
760 if ((size_t)(limit - ret) < 6)
761 return NULL;
762
763 lenmax = limit - ret - 6;
764 if (curveslen > lenmax)
765 return NULL;
766 if (curveslen > 65532) {
767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
768 ERR_R_INTERNAL_ERROR);
769 return NULL;
770 }
771
772 s2n(TLSEXT_TYPE_elliptic_curves, ret);
773 s2n((curveslen * 2) + 2, ret);
774
775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776 * elliptic_curve_list, but the examples use two bytes.
777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778 * resolves this to two bytes.
779 */
780 s2n(curveslen * 2, ret);
781 for (i = 0; i < curveslen; i++)
782 s2n(curves[i], ret);
783 }
784
785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
786 int ticklen;
787 if (!s->new_session && s->session && s->session->tlsext_tick)
788 ticklen = s->session->tlsext_ticklen;
789 else if (s->session && s->tlsext_session_ticket &&
790 s->tlsext_session_ticket->data) {
791 ticklen = s->tlsext_session_ticket->length;
792 s->session->tlsext_tick = malloc(ticklen);
793 if (!s->session->tlsext_tick)
794 return NULL;
795 memcpy(s->session->tlsext_tick,
796 s->tlsext_session_ticket->data, ticklen);
797 s->session->tlsext_ticklen = ticklen;
798 } else
799 ticklen = 0;
800 if (ticklen == 0 && s->tlsext_session_ticket &&
801 s->tlsext_session_ticket->data == NULL)
802 goto skip_ext;
803 /* Check for enough room 2 for extension type, 2 for len
804 * rest for ticket
805 */
806 if ((size_t)(limit - ret) < 4 + ticklen)
807 return NULL;
808 s2n(TLSEXT_TYPE_session_ticket, ret);
809
810 s2n(ticklen, ret);
811 if (ticklen) {
812 memcpy(ret, s->session->tlsext_tick, ticklen);
813 ret += ticklen;
814 }
815 }
816 skip_ext:
817
818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
820 return NULL;
821
822 s2n(TLSEXT_TYPE_signature_algorithms, ret);
823 s2n(sizeof(tls12_sigalgs) + 2, ret);
824 s2n(sizeof(tls12_sigalgs), ret);
825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
826 ret += sizeof(tls12_sigalgs);
827 }
828
829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
830 s->version != DTLS1_VERSION) {
831 int i;
832 long extlen, idlen, itmp;
833 OCSP_RESPID *id;
834
835 idlen = 0;
836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
838 itmp = i2d_OCSP_RESPID(id, NULL);
839 if (itmp <= 0)
840 return NULL;
841 idlen += itmp + 2;
842 }
843
844 if (s->tlsext_ocsp_exts) {
845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
846 if (extlen < 0)
847 return NULL;
848 } else
849 extlen = 0;
850
851 if ((size_t)(limit - ret) < 7 + extlen + idlen)
852 return NULL;
853 s2n(TLSEXT_TYPE_status_request, ret);
854 if (extlen + idlen > 0xFFF0)
855 return NULL;
856 s2n(extlen + idlen + 5, ret);
857 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
858 s2n(idlen, ret);
859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
860 /* save position of id len */
861 unsigned char *q = ret;
862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
863 /* skip over id len */
864 ret += 2;
865 itmp = i2d_OCSP_RESPID(id, &ret);
866 /* write id len */
867 s2n(itmp, q);
868 }
869 s2n(extlen, ret);
870 if (extlen > 0)
871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
872 }
873
874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
875 /* The client advertises an emtpy extension to indicate its
876 * support for Next Protocol Negotiation */
877 if ((size_t)(limit - ret) < 4)
878 return NULL;
879 s2n(TLSEXT_TYPE_next_proto_neg, ret);
880 s2n(0, ret);
881 }
882
883 if (s->alpn_client_proto_list != NULL &&
884 s->s3->tmp.finish_md_len == 0) {
885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
886 return (NULL);
887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
888 s2n(2 + s->alpn_client_proto_list_len, ret);
889 s2n(s->alpn_client_proto_list_len, ret);
890 memcpy(ret, s->alpn_client_proto_list,
891 s->alpn_client_proto_list_len);
892 ret += s->alpn_client_proto_list_len;
893 }
894
895 #ifndef OPENSSL_NO_SRTP
896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
897 int el;
898
899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
900
901 if ((size_t)(limit - ret) < 4 + el)
902 return NULL;
903
904 s2n(TLSEXT_TYPE_use_srtp, ret);
905 s2n(el, ret);
906
907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
909 ERR_R_INTERNAL_ERROR);
910 return NULL;
911 }
912 ret += el;
913 }
914 #endif
915
916 /*
917 * Add padding to workaround bugs in F5 terminators.
918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
919 *
920 * Note that this seems to trigger issues with IronPort SMTP
921 * appliances.
922 *
923 * NB: because this code works out the length of all existing
924 * extensions it MUST always appear last.
925 */
926 if (s->options & SSL_OP_TLSEXT_PADDING) {
927 int hlen = ret - (unsigned char *)s->init_buf->data;
928
929 /*
930 * The code in s23_clnt.c to build ClientHello messages
931 * includes the 5-byte record header in the buffer, while the
932 * code in s3_clnt.c does not.
933 */
934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
935 hlen -= 5;
936 if (hlen > 0xff && hlen < 0x200) {
937 hlen = 0x200 - hlen;
938 if (hlen >= 4)
939 hlen -= 4;
940 else
941 hlen = 0;
942
943 s2n(TLSEXT_TYPE_padding, ret);
944 s2n(hlen, ret);
945 memset(ret, 0, hlen);
946 ret += hlen;
947 }
948 }
949
950 if ((extdatalen = ret - p - 2) == 0)
951 return p;
952
953 s2n(extdatalen, p);
954 return ret;
955 }
956
957 unsigned char *
958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
959 {
960 int using_ecc, extdatalen = 0;
961 unsigned long alg_a, alg_k;
962 unsigned char *ret = p;
963 int next_proto_neg_seen;
964
965 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
968 alg_a & SSL_aECDSA) &&
969 s->session->tlsext_ecpointformatlist != NULL;
970
971 ret += 2;
972 if (ret >= limit)
973 return NULL; /* this really never occurs, but ... */
974
975 if (!s->hit && s->servername_done == 1 &&
976 s->session->tlsext_hostname != NULL) {
977 if ((size_t)(limit - ret) < 4)
978 return NULL;
979
980 s2n(TLSEXT_TYPE_server_name, ret);
981 s2n(0, ret);
982 }
983
984 if (s->s3->send_connection_binding) {
985 int el;
986
987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
989 ERR_R_INTERNAL_ERROR);
990 return NULL;
991 }
992
993 if ((size_t)(limit - ret) < 4 + el)
994 return NULL;
995
996 s2n(TLSEXT_TYPE_renegotiate, ret);
997 s2n(el, ret);
998
999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1001 ERR_R_INTERNAL_ERROR);
1002 return NULL;
1003 }
1004
1005 ret += el;
1006 }
1007
1008 if (using_ecc && s->version != DTLS1_VERSION) {
1009 const unsigned char *formats;
1010 size_t formatslen, lenmax;
1011
1012 /*
1013 * Add TLS extension ECPointFormats to the ServerHello message.
1014 */
1015 tls1_get_formatlist(s, 0, &formats, &formatslen);
1016
1017 if ((size_t)(limit - ret) < 5)
1018 return NULL;
1019
1020 lenmax = limit - ret - 5;
1021 if (formatslen > lenmax)
1022 return NULL;
1023 if (formatslen > 255) {
1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1025 ERR_R_INTERNAL_ERROR);
1026 return NULL;
1027 }
1028
1029 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1030 s2n(formatslen + 1, ret);
1031 *(ret++) = (unsigned char)formatslen;
1032 memcpy(ret, formats, formatslen);
1033 ret += formatslen;
1034 }
1035
1036 /*
1037 * Currently the server should not respond with a SupportedCurves
1038 * extension.
1039 */
1040
1041 if (s->tlsext_ticket_expected &&
1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1043 if ((size_t)(limit - ret) < 4)
1044 return NULL;
1045
1046 s2n(TLSEXT_TYPE_session_ticket, ret);
1047 s2n(0, ret);
1048 }
1049
1050 if (s->tlsext_status_expected) {
1051 if ((size_t)(limit - ret) < 4)
1052 return NULL;
1053
1054 s2n(TLSEXT_TYPE_status_request, ret);
1055 s2n(0, ret);
1056 }
1057
1058 #ifndef OPENSSL_NO_SRTP
1059 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1060 int el;
1061
1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1063
1064 if ((size_t)(limit - ret) < 4 + el)
1065 return NULL;
1066
1067 s2n(TLSEXT_TYPE_use_srtp, ret);
1068 s2n(el, ret);
1069
1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1072 ERR_R_INTERNAL_ERROR);
1073 return NULL;
1074 }
1075 ret += el;
1076 }
1077 #endif
1078
1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1082 static const unsigned char cryptopro_ext[36] = {
1083 0xfd, 0xe8, /*65000*/
1084 0x00, 0x20, /*32 bytes length*/
1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1089 };
1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1091 return NULL;
1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1093 ret += sizeof(cryptopro_ext);
1094 }
1095
1096 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1097 s->s3->next_proto_neg_seen = 0;
1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1099 const unsigned char *npa;
1100 unsigned int npalen;
1101 int r;
1102
1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1104 s->ctx->next_protos_advertised_cb_arg);
1105 if (r == SSL_TLSEXT_ERR_OK) {
1106 if ((size_t)(limit - ret) < 4 + npalen)
1107 return NULL;
1108 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1109 s2n(npalen, ret);
1110 memcpy(ret, npa, npalen);
1111 ret += npalen;
1112 s->s3->next_proto_neg_seen = 1;
1113 }
1114 }
1115
1116 if (s->s3->alpn_selected != NULL) {
1117 const unsigned char *selected = s->s3->alpn_selected;
1118 unsigned int len = s->s3->alpn_selected_len;
1119
1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1121 return (NULL);
1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1123 s2n(3 + len, ret);
1124 s2n(1 + len, ret);
1125 *ret++ = len;
1126 memcpy(ret, selected, len);
1127 ret += len;
1128 }
1129
1130 if ((extdatalen = ret - p - 2) == 0)
1131 return p;
1132
1133 s2n(extdatalen, p);
1134 return ret;
1135 }
1136
1137 /*
1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1139 * ClientHello.
1140 * data: the contents of the extension, not including the type and length.
1141 * data_len: the number of bytes in data.
1142 * al: a pointer to the alert value to send in the event of a non-zero
1143 * return.
1144 * returns: 1 on success.
1145 */
1146 static int
1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1148 unsigned int data_len, int *al)
1149 {
1150 CBS cbs, proto_name_list, alpn;
1151 const unsigned char *selected;
1152 unsigned char selected_len;
1153 int r;
1154
1155 if (s->ctx->alpn_select_cb == NULL)
1156 return (1);
1157
1158 if (data_len < 2)
1159 goto parse_error;
1160
1161 CBS_init(&cbs, data, data_len);
1162
1163 /*
1164 * data should contain a uint16 length followed by a series of 8-bit,
1165 * length-prefixed strings.
1166 */
1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1168 CBS_len(&alpn) < 2 ||
1169 CBS_len(&cbs) != 0)
1170 goto parse_error;
1171
1172 /* Validate data before sending to callback. */
1173 CBS_dup(&alpn, &proto_name_list);
1174 while (CBS_len(&proto_name_list) > 0) {
1175 CBS proto_name;
1176
1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1178 CBS_len(&proto_name) == 0)
1179 goto parse_error;
1180 }
1181
1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1184 if (r == SSL_TLSEXT_ERR_OK) {
1185 free(s->s3->alpn_selected);
1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1187 *al = SSL_AD_INTERNAL_ERROR;
1188 return (-1);
1189 }
1190 memcpy(s->s3->alpn_selected, selected, selected_len);
1191 s->s3->alpn_selected_len = selected_len;
1192 }
1193
1194 return (1);
1195
1196 parse_error:
1197 *al = SSL_AD_DECODE_ERROR;
1198 return (0);
1199 }
1200
1201 int
1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1203 int n, int *al)
1204 {
1205 unsigned short type;
1206 unsigned short size;
1207 unsigned short len;
1208 unsigned char *data = *p;
1209 int renegotiate_seen = 0;
1210 int sigalg_seen = 0;
1211
1212 s->servername_done = 0;
1213 s->tlsext_status_type = -1;
1214 s->s3->next_proto_neg_seen = 0;
1215 free(s->s3->alpn_selected);
1216 s->s3->alpn_selected = NULL;
1217
1218 if (data >= (d + n - 2))
1219 goto ri_check;
1220 n2s(data, len);
1221
1222 if (data > (d + n - len))
1223 goto ri_check;
1224
1225 while (data <= (d + n - 4)) {
1226 n2s(data, type);
1227 n2s(data, size);
1228
1229 if (data + size > (d + n))
1230 goto ri_check;
1231 if (s->tlsext_debug_cb)
1232 s->tlsext_debug_cb(s, 0, type, data, size,
1233 s->tlsext_debug_arg);
1234 /* The servername extension is treated as follows:
1235
1236 - Only the hostname type is supported with a maximum length of 255.
1237 - The servername is rejected if too long or if it contains zeros,
1238 in which case an fatal alert is generated.
1239 - The servername field is maintained together with the session cache.
1240 - When a session is resumed, the servername call back invoked in order
1241 to allow the application to position itself to the right context.
1242 - The servername is acknowledged if it is new for a session or when
1243 it is identical to a previously used for the same session.
1244 Applications can control the behaviour. They can at any time
1245 set a 'desirable' servername for a new SSL object. This can be the
1246 case for example with HTTPS when a Host: header field is received and
1247 a renegotiation is requested. In this case, a possible servername
1248 presented in the new client hello is only acknowledged if it matches
1249 the value of the Host: field.
1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251 if they provide for changing an explicit servername context for the session,
1252 i.e. when the session has been established with a servername extension.
1253 - On session reconnect, the servername extension may be absent.
1254
1255 */
1256
1257 if (type == TLSEXT_TYPE_server_name) {
1258 unsigned char *sdata;
1259 int servname_type;
1260 int dsize;
1261
1262 if (size < 2) {
1263 *al = SSL_AD_DECODE_ERROR;
1264 return 0;
1265 }
1266 n2s(data, dsize);
1267
1268 size -= 2;
1269 if (dsize > size) {
1270 *al = SSL_AD_DECODE_ERROR;
1271 return 0;
1272 }
1273
1274 sdata = data;
1275 while (dsize > 3) {
1276 servname_type = *(sdata++);
1277
1278 n2s(sdata, len);
1279 dsize -= 3;
1280
1281 if (len > dsize) {
1282 *al = SSL_AD_DECODE_ERROR;
1283 return 0;
1284 }
1285 if (s->servername_done == 0)
1286 switch (servname_type) {
1287 case TLSEXT_NAMETYPE_host_name:
1288 if (!s->hit) {
1289 if (s->session->tlsext_hostname) {
1290 *al = SSL_AD_DECODE_ERROR;
1291 return 0;
1292 }
1293 if (len > TLSEXT_MAXLEN_host_name) {
1294 *al = TLS1_AD_UNRECOGNIZED_NAME;
1295 return 0;
1296 }
1297 if ((s->session->tlsext_hostname =
1298 malloc(len + 1)) == NULL) {
1299 *al = TLS1_AD_INTERNAL_ERROR;
1300 return 0;
1301 }
1302 memcpy(s->session->tlsext_hostname, sdata, len);
1303 s->session->tlsext_hostname[len] = '\0';
1304 if (strlen(s->session->tlsext_hostname) != len) {
1305 free(s->session->tlsext_hostname);
1306 s->session->tlsext_hostname = NULL;
1307 *al = TLS1_AD_UNRECOGNIZED_NAME;
1308 return 0;
1309 }
1310 s->servername_done = 1;
1311
1312
1313 } else {
1314 s->servername_done = s->session->tlsext_hostname &&
1315 strlen(s->session->tlsext_hostname) == len &&
1316 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1317 }
1318 break;
1319
1320 default:
1321 break;
1322 }
1323
1324 dsize -= len;
1325 }
1326 if (dsize != 0) {
1327 *al = SSL_AD_DECODE_ERROR;
1328 return 0;
1329 }
1330
1331 }
1332
1333 else if (type == TLSEXT_TYPE_ec_point_formats &&
1334 s->version != DTLS1_VERSION) {
1335 unsigned char *sdata = data;
1336 size_t formatslen;
1337 uint8_t *formats;
1338
1339 if (size < 1) {
1340 *al = TLS1_AD_DECODE_ERROR;
1341 return 0;
1342 }
1343 formatslen = *(sdata++);
1344 if (formatslen != size - 1) {
1345 *al = TLS1_AD_DECODE_ERROR;
1346 return 0;
1347 }
1348
1349 if (!s->hit) {
1350 free(s->session->tlsext_ecpointformatlist);
1351 s->session->tlsext_ecpointformatlist = NULL;
1352 s->session->tlsext_ecpointformatlist_length = 0;
1353
1354 if ((formats = reallocarray(NULL, formatslen,
1355 sizeof(uint8_t))) == NULL) {
1356 *al = TLS1_AD_INTERNAL_ERROR;
1357 return 0;
1358 }
1359 memcpy(formats, sdata, formatslen);
1360 s->session->tlsext_ecpointformatlist = formats;
1361 s->session->tlsext_ecpointformatlist_length =
1362 formatslen;
1363 }
1364 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1365 s->version != DTLS1_VERSION) {
1366 unsigned char *sdata = data;
1367 size_t curveslen, i;
1368 uint16_t *curves;
1369
1370 if (size < 2) {
1371 *al = TLS1_AD_DECODE_ERROR;
1372 return 0;
1373 }
1374 n2s(sdata, curveslen);
1375 if (curveslen != size - 2 || curveslen % 2 != 0) {
1376 *al = TLS1_AD_DECODE_ERROR;
1377 return 0;
1378 }
1379 curveslen /= 2;
1380
1381 if (!s->hit) {
1382 if (s->session->tlsext_ellipticcurvelist) {
1383 *al = TLS1_AD_DECODE_ERROR;
1384 return 0;
1385 }
1386 s->session->tlsext_ellipticcurvelist_length = 0;
1387 if ((curves = reallocarray(NULL, curveslen,
1388 sizeof(uint16_t))) == NULL) {
1389 *al = TLS1_AD_INTERNAL_ERROR;
1390 return 0;
1391 }
1392 for (i = 0; i < curveslen; i++)
1393 n2s(sdata, curves[i]);
1394 s->session->tlsext_ellipticcurvelist = curves;
1395 s->session->tlsext_ellipticcurvelist_length = curveslen;
1396 }
1397 }
1398 else if (type == TLSEXT_TYPE_session_ticket) {
1399 if (s->tls_session_ticket_ext_cb &&
1400 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1401 *al = TLS1_AD_INTERNAL_ERROR;
1402 return 0;
1403 }
1404 } else if (type == TLSEXT_TYPE_renegotiate) {
1405 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1406 return 0;
1407 renegotiate_seen = 1;
1408 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1409 int dsize;
1410 if (sigalg_seen || size < 2) {
1411 *al = SSL_AD_DECODE_ERROR;
1412 return 0;
1413 }
1414 sigalg_seen = 1;
1415 n2s(data, dsize);
1416 size -= 2;
1417 if (dsize != size || dsize & 1) {
1418 *al = SSL_AD_DECODE_ERROR;
1419 return 0;
1420 }
1421 if (!tls1_process_sigalgs(s, data, dsize)) {
1422 *al = SSL_AD_DECODE_ERROR;
1423 return 0;
1424 }
1425 } else if (type == TLSEXT_TYPE_status_request &&
1426 s->version != DTLS1_VERSION) {
1427
1428 if (size < 5) {
1429 *al = SSL_AD_DECODE_ERROR;
1430 return 0;
1431 }
1432
1433 s->tlsext_status_type = *data++;
1434 size--;
1435 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1436 const unsigned char *sdata;
1437 int dsize;
1438 /* Read in responder_id_list */
1439 n2s(data, dsize);
1440 size -= 2;
1441 if (dsize > size) {
1442 *al = SSL_AD_DECODE_ERROR;
1443 return 0;
1444 }
1445
1446 /*
1447 * We remove any OCSP_RESPIDs from a
1448 * previous handshake to prevent
1449 * unbounded memory growth.
1450 */
1451 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
1452 OCSP_RESPID_free);
1453 s->tlsext_ocsp_ids = NULL;
1454 if (dsize > 0) {
1455 s->tlsext_ocsp_ids =
1456 sk_OCSP_RESPID_new_null();
1457 if (s->tlsext_ocsp_ids == NULL) {
1458 *al = SSL_AD_INTERNAL_ERROR;
1459 return 0;
1460 }
1461 }
1462
1463 while (dsize > 0) {
1464 OCSP_RESPID *id;
1465 int idsize;
1466 if (dsize < 4) {
1467 *al = SSL_AD_DECODE_ERROR;
1468 return 0;
1469 }
1470 n2s(data, idsize);
1471 dsize -= 2 + idsize;
1472 size -= 2 + idsize;
1473 if (dsize < 0) {
1474 *al = SSL_AD_DECODE_ERROR;
1475 return 0;
1476 }
1477 sdata = data;
1478 data += idsize;
1479 id = d2i_OCSP_RESPID(NULL,
1480 &sdata, idsize);
1481 if (!id) {
1482 *al = SSL_AD_DECODE_ERROR;
1483 return 0;
1484 }
1485 if (data != sdata) {
1486 OCSP_RESPID_free(id);
1487 *al = SSL_AD_DECODE_ERROR;
1488 return 0;
1489 }
1490 if (!sk_OCSP_RESPID_push(
1491 s->tlsext_ocsp_ids, id)) {
1492 OCSP_RESPID_free(id);
1493 *al = SSL_AD_INTERNAL_ERROR;
1494 return 0;
1495 }
1496 }
1497
1498 /* Read in request_extensions */
1499 if (size < 2) {
1500 *al = SSL_AD_DECODE_ERROR;
1501 return 0;
1502 }
1503 n2s(data, dsize);
1504 size -= 2;
1505 if (dsize != size) {
1506 *al = SSL_AD_DECODE_ERROR;
1507 return 0;
1508 }
1509 sdata = data;
1510 if (dsize > 0) {
1511 if (s->tlsext_ocsp_exts) {
1512 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1513 X509_EXTENSION_free);
1514 }
1515
1516 s->tlsext_ocsp_exts =
1517 d2i_X509_EXTENSIONS(NULL,
1518 &sdata, dsize);
1519 if (!s->tlsext_ocsp_exts ||
1520 (data + dsize != sdata)) {
1521 *al = SSL_AD_DECODE_ERROR;
1522 return 0;
1523 }
1524 }
1525 } else {
1526 /* We don't know what to do with any other type
1527 * so ignore it.
1528 */
1529 s->tlsext_status_type = -1;
1530 }
1531 }
1532 else if (type == TLSEXT_TYPE_next_proto_neg &&
1533 s->s3->tmp.finish_md_len == 0 &&
1534 s->s3->alpn_selected == NULL) {
1535 /* We shouldn't accept this extension on a
1536 * renegotiation.
1537 *
1538 * s->new_session will be set on renegotiation, but we
1539 * probably shouldn't rely that it couldn't be set on
1540 * the initial renegotation too in certain cases (when
1541 * there's some other reason to disallow resuming an
1542 * earlier session -- the current code won't be doing
1543 * anything like that, but this might change).
1544
1545 * A valid sign that there's been a previous handshake
1546 * in this connection is if s->s3->tmp.finish_md_len >
1547 * 0. (We are talking about a check that will happen
1548 * in the Hello protocol round, well before a new
1549 * Finished message could have been computed.) */
1550 s->s3->next_proto_neg_seen = 1;
1551 }
1552 else if (type ==
1553 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1554 s->ctx->alpn_select_cb != NULL &&
1555 s->s3->tmp.finish_md_len == 0) {
1556 if (tls1_alpn_handle_client_hello(s, data,
1557 size, al) != 1)
1558 return (0);
1559 /* ALPN takes precedence over NPN. */
1560 s->s3->next_proto_neg_seen = 0;
1561 }
1562
1563 /* session ticket processed earlier */
1564 #ifndef OPENSSL_NO_SRTP
1565 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1566 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1567 return 0;
1568 }
1569 #endif
1570
1571 data += size;
1572 }
1573
1574 *p = data;
1575
1576 ri_check:
1577
1578 /* Need RI if renegotiating */
1579
1580 if (!renegotiate_seen && s->renegotiate) {
1581 *al = SSL_AD_HANDSHAKE_FAILURE;
1582 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1583 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1584 return 0;
1585 }
1586
1587 return 1;
1588 }
1589
1590 /*
1591 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1592 * elements of zero length are allowed and the set of elements must exactly fill
1593 * the length of the block.
1594 */
1595 static char
1596 ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1597 {
1598 CBS npn, value;
1599
1600 CBS_init(&npn, d, len);
1601 while (CBS_len(&npn) > 0) {
1602 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1603 CBS_len(&value) == 0)
1604 return 0;
1605 }
1606 return 1;
1607 }
1608
1609 int
1610 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1611 int n, int *al)
1612 {
1613 unsigned short length;
1614 unsigned short type;
1615 unsigned short size;
1616 unsigned char *data = *p;
1617 int tlsext_servername = 0;
1618 int renegotiate_seen = 0;
1619
1620 s->s3->next_proto_neg_seen = 0;
1621 free(s->s3->alpn_selected);
1622 s->s3->alpn_selected = NULL;
1623
1624 if (data >= (d + n - 2))
1625 goto ri_check;
1626
1627 n2s(data, length);
1628 if (data + length != d + n) {
1629 *al = SSL_AD_DECODE_ERROR;
1630 return 0;
1631 }
1632
1633 while (data <= (d + n - 4)) {
1634 n2s(data, type);
1635 n2s(data, size);
1636
1637 if (data + size > (d + n))
1638 goto ri_check;
1639
1640 if (s->tlsext_debug_cb)
1641 s->tlsext_debug_cb(s, 1, type, data, size,
1642 s->tlsext_debug_arg);
1643
1644 if (type == TLSEXT_TYPE_server_name) {
1645 if (s->tlsext_hostname == NULL || size > 0) {
1646 *al = TLS1_AD_UNRECOGNIZED_NAME;
1647 return 0;
1648 }
1649 tlsext_servername = 1;
1650
1651 }
1652 else if (type == TLSEXT_TYPE_ec_point_formats &&
1653 s->version != DTLS1_VERSION) {
1654 unsigned char *sdata = data;
1655 size_t formatslen;
1656 uint8_t *formats;
1657
1658 if (size < 1) {
1659 *al = TLS1_AD_DECODE_ERROR;
1660 return 0;
1661 }
1662 formatslen = *(sdata++);
1663 if (formatslen != size - 1) {
1664 *al = TLS1_AD_DECODE_ERROR;
1665 return 0;
1666 }
1667
1668 if (!s->hit) {
1669 free(s->session->tlsext_ecpointformatlist);
1670 s->session->tlsext_ecpointformatlist = NULL;
1671 s->session->tlsext_ecpointformatlist_length = 0;
1672
1673 if ((formats = reallocarray(NULL, formatslen,
1674 sizeof(uint8_t))) == NULL) {
1675 *al = TLS1_AD_INTERNAL_ERROR;
1676 return 0;
1677 }
1678 memcpy(formats, sdata, formatslen);
1679 s->session->tlsext_ecpointformatlist = formats;
1680 s->session->tlsext_ecpointformatlist_length =
1681 formatslen;
1682 }
1683 }
1684 else if (type == TLSEXT_TYPE_session_ticket) {
1685 if (s->tls_session_ticket_ext_cb &&
1686 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1687 *al = TLS1_AD_INTERNAL_ERROR;
1688 return 0;
1689 }
1690 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1691 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1692 return 0;
1693 }
1694 s->tlsext_ticket_expected = 1;
1695 }
1696 else if (type == TLSEXT_TYPE_status_request &&
1697 s->version != DTLS1_VERSION) {
1698 /* MUST be empty and only sent if we've requested
1699 * a status request message.
1700 */
1701 if ((s->tlsext_status_type == -1) || (size > 0)) {
1702 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1703 return 0;
1704 }
1705 /* Set flag to expect CertificateStatus message */
1706 s->tlsext_status_expected = 1;
1707 }
1708 else if (type == TLSEXT_TYPE_next_proto_neg &&
1709 s->s3->tmp.finish_md_len == 0) {
1710 unsigned char *selected;
1711 unsigned char selected_len;
1712
1713 /* We must have requested it. */
1714 if (s->ctx->next_proto_select_cb == NULL) {
1715 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1716 return 0;
1717 }
1718 /* The data must be valid */
1719 if (!ssl_next_proto_validate(data, size)) {
1720 *al = TLS1_AD_DECODE_ERROR;
1721 return 0;
1722 }
1723 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1724 *al = TLS1_AD_INTERNAL_ERROR;
1725 return 0;
1726 }
1727 s->next_proto_negotiated = malloc(selected_len);
1728 if (!s->next_proto_negotiated) {
1729 *al = TLS1_AD_INTERNAL_ERROR;
1730 return 0;
1731 }
1732 memcpy(s->next_proto_negotiated, selected, selected_len);
1733 s->next_proto_negotiated_len = selected_len;
1734 s->s3->next_proto_neg_seen = 1;
1735 }
1736 else if (type ==
1737 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1738 unsigned int len;
1739
1740 /* We must have requested it. */
1741 if (s->alpn_client_proto_list == NULL) {
1742 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1743 return 0;
1744 }
1745 if (size < 4) {
1746 *al = TLS1_AD_DECODE_ERROR;
1747 return (0);
1748 }
1749
1750 /* The extension data consists of:
1751 * uint16 list_length
1752 * uint8 proto_length;
1753 * uint8 proto[proto_length]; */
1754 len = ((unsigned int)data[0]) << 8 |
1755 ((unsigned int)data[1]);
1756 if (len != (unsigned int)size - 2) {
1757 *al = TLS1_AD_DECODE_ERROR;
1758 return (0);
1759 }
1760 len = data[2];
1761 if (len != (unsigned int)size - 3) {
1762 *al = TLS1_AD_DECODE_ERROR;
1763 return (0);
1764 }
1765 free(s->s3->alpn_selected);
1766 s->s3->alpn_selected = malloc(len);
1767 if (s->s3->alpn_selected == NULL) {
1768 *al = TLS1_AD_INTERNAL_ERROR;
1769 return (0);
1770 }
1771 memcpy(s->s3->alpn_selected, data + 3, len);
1772 s->s3->alpn_selected_len = len;
1773
1774 } else if (type == TLSEXT_TYPE_renegotiate) {
1775 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1776 return 0;
1777 renegotiate_seen = 1;
1778 }
1779 #ifndef OPENSSL_NO_SRTP
1780 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1781 if (ssl_parse_serverhello_use_srtp_ext(s, data,
1782 size, al))
1783 return 0;
1784 }
1785 #endif
1786
1787 data += size;
1788
1789 }
1790
1791 if (data != d + n) {
1792 *al = SSL_AD_DECODE_ERROR;
1793 return 0;
1794 }
1795
1796 if (!s->hit && tlsext_servername == 1) {
1797 if (s->tlsext_hostname) {
1798 if (s->session->tlsext_hostname == NULL) {
1799 s->session->tlsext_hostname =
1800 strdup(s->tlsext_hostname);
1801
1802 if (!s->session->tlsext_hostname) {
1803 *al = SSL_AD_UNRECOGNIZED_NAME;
1804 return 0;
1805 }
1806 } else {
1807 *al = SSL_AD_DECODE_ERROR;
1808 return 0;
1809 }
1810 }
1811 }
1812
1813 *p = data;
1814
1815 ri_check:
1816
1817 /* Determine if we need to see RI. Strictly speaking if we want to
1818 * avoid an attack we should *always* see RI even on initial server
1819 * hello because the client doesn't see any renegotiation during an
1820 * attack. However this would mean we could not connect to any server
1821 * which doesn't support RI so for the immediate future tolerate RI
1822 * absence on initial connect only.
1823 */
1824 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1825 *al = SSL_AD_HANDSHAKE_FAILURE;
1826 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1827 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1828 return 0;
1829 }
1830
1831 return 1;
1832 }
1833
1834 int
1835 ssl_check_clienthello_tlsext_early(SSL *s)
1836 {
1837 int ret = SSL_TLSEXT_ERR_NOACK;
1838 int al = SSL_AD_UNRECOGNIZED_NAME;
1839
1840 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1841 * ssl3_choose_cipher in s3_lib.c.
1842 */
1843 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1844 * ssl3_choose_cipher in s3_lib.c.
1845 */
1846
1847 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1848 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1849 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1850 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1851
1852 switch (ret) {
1853 case SSL_TLSEXT_ERR_ALERT_FATAL:
1854 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1855 return -1;
1856 case SSL_TLSEXT_ERR_ALERT_WARNING:
1857 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1858 return 1;
1859 case SSL_TLSEXT_ERR_NOACK:
1860 s->servername_done = 0;
1861 default:
1862 return 1;
1863 }
1864 }
1865
1866 int
1867 ssl_check_clienthello_tlsext_late(SSL *s)
1868 {
1869 int ret = SSL_TLSEXT_ERR_OK;
1870 int al = 0; /* XXX gcc3 */
1871
1872 /* If status request then ask callback what to do.
1873 * Note: this must be called after servername callbacks in case
1874 * the certificate has changed, and must be called after the cipher
1875 * has been chosen because this may influence which certificate is sent
1876 */
1877 if ((s->tlsext_status_type != -1) &&
1878 s->ctx && s->ctx->tlsext_status_cb) {
1879 int r;
1880 CERT_PKEY *certpkey;
1881 certpkey = ssl_get_server_send_pkey(s);
1882 /* If no certificate can't return certificate status */
1883 if (certpkey == NULL) {
1884 s->tlsext_status_expected = 0;
1885 return 1;
1886 }
1887 /* Set current certificate to one we will use so
1888 * SSL_get_certificate et al can pick it up.
1889 */
1890 s->cert->key = certpkey;
1891 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1892 switch (r) {
1893 /* We don't want to send a status request response */
1894 case SSL_TLSEXT_ERR_NOACK:
1895 s->tlsext_status_expected = 0;
1896 break;
1897 /* status request response should be sent */
1898 case SSL_TLSEXT_ERR_OK:
1899 if (s->tlsext_ocsp_resp)
1900 s->tlsext_status_expected = 1;
1901 else
1902 s->tlsext_status_expected = 0;
1903 break;
1904 /* something bad happened */
1905 case SSL_TLSEXT_ERR_ALERT_FATAL:
1906 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1907 al = SSL_AD_INTERNAL_ERROR;
1908 goto err;
1909 }
1910 } else
1911 s->tlsext_status_expected = 0;
1912
1913 err:
1914 switch (ret) {
1915 case SSL_TLSEXT_ERR_ALERT_FATAL:
1916 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1917 return -1;
1918 case SSL_TLSEXT_ERR_ALERT_WARNING:
1919 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1920 return 1;
1921 default:
1922 return 1;
1923 }
1924 }
1925
1926 int
1927 ssl_check_serverhello_tlsext(SSL *s)
1928 {
1929 int ret = SSL_TLSEXT_ERR_NOACK;
1930 int al = SSL_AD_UNRECOGNIZED_NAME;
1931
1932 /* If we are client and using an elliptic curve cryptography cipher
1933 * suite, then if server returns an EC point formats lists extension
1934 * it must contain uncompressed.
1935 */
1936 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1937 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1938 if ((s->tlsext_ecpointformatlist != NULL) &&
1939 (s->tlsext_ecpointformatlist_length > 0) &&
1940 (s->session->tlsext_ecpointformatlist != NULL) &&
1941 (s->session->tlsext_ecpointformatlist_length > 0) &&
1942 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1943 /* we are using an ECC cipher */
1944 size_t i;
1945 unsigned char *list;
1946 int found_uncompressed = 0;
1947 list = s->session->tlsext_ecpointformatlist;
1948 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1949 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1950 found_uncompressed = 1;
1951 break;
1952 }
1953 }
1954 if (!found_uncompressed) {
1955 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1956 return -1;
1957 }
1958 }
1959 ret = SSL_TLSEXT_ERR_OK;
1960
1961 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1962 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1963 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1964 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1965
1966 /* If we've requested certificate status and we wont get one
1967 * tell the callback
1968 */
1969 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1970 s->ctx && s->ctx->tlsext_status_cb) {
1971 int r;
1972 /* Set resp to NULL, resplen to -1 so callback knows
1973 * there is no response.
1974 */
1975 free(s->tlsext_ocsp_resp);
1976 s->tlsext_ocsp_resp = NULL;
1977 s->tlsext_ocsp_resplen = -1;
1978 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1979 if (r == 0) {
1980 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1981 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1982 }
1983 if (r < 0) {
1984 al = SSL_AD_INTERNAL_ERROR;
1985 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1986 }
1987 }
1988
1989 switch (ret) {
1990 case SSL_TLSEXT_ERR_ALERT_FATAL:
1991 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1992
1993 return -1;
1994 case SSL_TLSEXT_ERR_ALERT_WARNING:
1995 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1996
1997 return 1;
1998 case SSL_TLSEXT_ERR_NOACK:
1999 s->servername_done = 0;
2000 default:
2001 return 1;
2002 }
2003 }
2004
2005 /* Since the server cache lookup is done early on in the processing of the
2006 * ClientHello, and other operations depend on the result, we need to handle
2007 * any TLS session ticket extension at the same time.
2008 *
2009 * session_id: points at the session ID in the ClientHello. This code will
2010 * read past the end of this in order to parse out the session ticket
2011 * extension, if any.
2012 * len: the length of the session ID.
2013 * limit: a pointer to the first byte after the ClientHello.
2014 * ret: (output) on return, if a ticket was decrypted, then this is set to
2015 * point to the resulting session.
2016 *
2017 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2018 * ciphersuite, in which case we have no use for session tickets and one will
2019 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2020 *
2021 * Returns:
2022 * -1: fatal error, either from parsing or decrypting the ticket.
2023 * 0: no ticket was found (or was ignored, based on settings).
2024 * 1: a zero length extension was found, indicating that the client supports
2025 * session tickets but doesn't currently have one to offer.
2026 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2027 * couldn't be decrypted because of a non-fatal error.
2028 * 3: a ticket was successfully decrypted and *ret was set.
2029 *
2030 * Side effects:
2031 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2032 * a new session ticket to the client because the client indicated support
2033 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2034 * a session ticket or we couldn't use the one it gave us, or if
2035 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2036 * Otherwise, s->tlsext_ticket_expected is set to 0.
2037 */
2038 int
2039 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2040 const unsigned char *limit, SSL_SESSION **ret)
2041 {
2042 /* Point after session ID in client hello */
2043 CBS session_id, cookie, cipher_list, compress_algo, extensions;
2044
2045 *ret = NULL;
2046 s->tlsext_ticket_expected = 0;
2047
2048 /* If tickets disabled behave as if no ticket present
2049 * to permit stateful resumption.
2050 */
2051 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2052 return 0;
2053 if (!limit)
2054 return 0;
2055
2056 if (limit < session)
2057 return -1;
2058
2059 CBS_init(&session_id, session, limit - session);
2060
2061 /* Skip past the session id */
2062 if (!CBS_skip(&session_id, session_len))
2063 return -1;
2064
2065 /* Skip past DTLS cookie */
2066 if (SSL_IS_DTLS(s)) {
2067 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2068 return -1;
2069 }
2070
2071 /* Skip past cipher list */
2072 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2073 return -1;
2074
2075 /* Skip past compression algorithm list */
2076 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2077 return -1;
2078
2079 /* Now at start of extensions */
2080 if (CBS_len(&session_id) == 0)
2081 return 0;
2082 if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2083 return -1;
2084
2085 while (CBS_len(&extensions) > 0) {
2086 CBS ext_data;
2087 uint16_t ext_type;
2088
2089 if (!CBS_get_u16(&extensions, &ext_type) ||
2090 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2091 return -1;
2092
2093 if (ext_type == TLSEXT_TYPE_session_ticket) {
2094 int r;
2095 if (CBS_len(&ext_data) == 0) {
2096 /* The client will accept a ticket but doesn't
2097 * currently have one. */
2098 s->tlsext_ticket_expected = 1;
2099 return 1;
2100 }
2101 if (s->tls_session_secret_cb) {
2102 /* Indicate that the ticket couldn't be
2103 * decrypted rather than generating the session
2104 * from ticket now, trigger abbreviated
2105 * handshake based on external mechanism to
2106 * calculate the master secret later. */
2107 return 2;
2108 }
2109
2110 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2111 CBS_len(&ext_data), session, session_len, ret);
2112
2113 switch (r) {
2114 case 2: /* ticket couldn't be decrypted */
2115 s->tlsext_ticket_expected = 1;
2116 return 2;
2117 case 3: /* ticket was decrypted */
2118 return r;
2119 case 4: /* ticket decrypted but need to renew */
2120 s->tlsext_ticket_expected = 1;
2121 return 3;
2122 default: /* fatal error */
2123 return -1;
2124 }
2125 }
2126 }
2127 return 0;
2128 }
2129
2130 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2131 *
2132 * etick: points to the body of the session ticket extension.
2133 * eticklen: the length of the session tickets extenion.
2134 * sess_id: points at the session ID.
2135 * sesslen: the length of the session ID.
2136 * psess: (output) on return, if a ticket was decrypted, then this is set to
2137 * point to the resulting session.
2138 *
2139 * Returns:
2140 * -1: fatal error, either from parsing or decrypting the ticket.
2141 * 2: the ticket couldn't be decrypted.
2142 * 3: a ticket was successfully decrypted and *psess was set.
2143 * 4: same as 3, but the ticket needs to be renewed.
2144 */
2145 static int
2146 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2147 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2148 {
2149 SSL_SESSION *sess;
2150 unsigned char *sdec;
2151 const unsigned char *p;
2152 int slen, mlen, renew_ticket = 0;
2153 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2154 HMAC_CTX hctx;
2155 EVP_CIPHER_CTX ctx;
2156 SSL_CTX *tctx = s->initial_ctx;
2157 /* Need at least keyname + iv + some encrypted data */
2158 if (eticklen < 48)
2159 return 2;
2160 /* Initialize session ticket encryption and HMAC contexts */
2161 HMAC_CTX_init(&hctx);
2162 EVP_CIPHER_CTX_init(&ctx);
2163 if (tctx->tlsext_ticket_key_cb) {
2164 unsigned char *nctick = (unsigned char *)etick;
2165 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2166 &ctx, &hctx, 0);
2167 if (rv < 0) {
2168 EVP_CIPHER_CTX_cleanup(&ctx);
2169 return -1;
2170 }
2171 if (rv == 0) {
2172 EVP_CIPHER_CTX_cleanup(&ctx);
2173 return 2;
2174 }
2175 if (rv == 2)
2176 renew_ticket = 1;
2177 } else {
2178 /* Check key name matches */
2179 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2180 return 2;
2181 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2182 tlsext_tick_md(), NULL);
2183 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2184 tctx->tlsext_tick_aes_key, etick + 16);
2185 }
2186 /* Attempt to process session ticket, first conduct sanity and
2187 * integrity checks on ticket.
2188 */
2189 mlen = HMAC_size(&hctx);
2190 if (mlen < 0) {
2191 EVP_CIPHER_CTX_cleanup(&ctx);
2192 return -1;
2193 }
2194 eticklen -= mlen;
2195 /* Check HMAC of encrypted ticket */
2196 HMAC_Update(&hctx, etick, eticklen);
2197 HMAC_Final(&hctx, tick_hmac, NULL);
2198 HMAC_CTX_cleanup(&hctx);
2199 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2200 EVP_CIPHER_CTX_cleanup(&ctx);
2201 return 2;
2202 }
2203 /* Attempt to decrypt session data */
2204 /* Move p after IV to start of encrypted ticket, update length */
2205 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2206 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2207 sdec = malloc(eticklen);
2208 if (!sdec) {
2209 EVP_CIPHER_CTX_cleanup(&ctx);
2210 return -1;
2211 }
2212 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2213 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2214 free(sdec);
2215 EVP_CIPHER_CTX_cleanup(&ctx);
2216 return 2;
2217 }
2218 slen += mlen;
2219 EVP_CIPHER_CTX_cleanup(&ctx);
2220 p = sdec;
2221
2222 sess = d2i_SSL_SESSION(NULL, &p, slen);
2223 free(sdec);
2224 if (sess) {
2225 /* The session ID, if non-empty, is used by some clients to
2226 * detect that the ticket has been accepted. So we copy it to
2227 * the session structure. If it is empty set length to zero
2228 * as required by standard.
2229 */
2230 if (sesslen)
2231 memcpy(sess->session_id, sess_id, sesslen);
2232 sess->session_id_length = sesslen;
2233 *psess = sess;
2234 if (renew_ticket)
2235 return 4;
2236 else
2237 return 3;
2238 }
2239 ERR_clear_error();
2240 /* For session parse failure, indicate that we need to send a new
2241 * ticket. */
2242 return 2;
2243 }
2244
2245 /* Tables to translate from NIDs to TLS v1.2 ids */
2246
2247 typedef struct {
2248 int nid;
2249 int id;
2250 } tls12_lookup;
2251
2252 static tls12_lookup tls12_md[] = {
2253 {NID_md5, TLSEXT_hash_md5},
2254 {NID_sha1, TLSEXT_hash_sha1},
2255 {NID_sha224, TLSEXT_hash_sha224},
2256 {NID_sha256, TLSEXT_hash_sha256},
2257 {NID_sha384, TLSEXT_hash_sha384},
2258 {NID_sha512, TLSEXT_hash_sha512},
2259 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2260 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2261 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2262 };
2263
2264 static tls12_lookup tls12_sig[] = {
2265 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2266 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2267 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2268 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2269 };
2270
2271 static int
2272 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 {
2274 size_t i;
2275 for (i = 0; i < tlen; i++) {
2276 if (table[i].nid == nid)
2277 return table[i].id;
2278 }
2279 return -1;
2280 }
2281
2282 int
2283 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2284 {
2285 int sig_id, md_id;
2286 if (!md)
2287 return 0;
2288 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2289 sizeof(tls12_md) / sizeof(tls12_lookup));
2290 if (md_id == -1)
2291 return 0;
2292 sig_id = tls12_get_sigid(pk);
2293 if (sig_id == -1)
2294 return 0;
2295 p[0] = (unsigned char)md_id;
2296 p[1] = (unsigned char)sig_id;
2297 return 1;
2298 }
2299
2300 int
2301 tls12_get_sigid(const EVP_PKEY *pk)
2302 {
2303 return tls12_find_id(pk->type, tls12_sig,
2304 sizeof(tls12_sig) / sizeof(tls12_lookup));
2305 }
2306
2307 const EVP_MD *
2308 tls12_get_hash(unsigned char hash_alg)
2309 {
2310 switch (hash_alg) {
2311 case TLSEXT_hash_sha1:
2312 return EVP_sha1();
2313 case TLSEXT_hash_sha224:
2314 return EVP_sha224();
2315 case TLSEXT_hash_sha256:
2316 return EVP_sha256();
2317 case TLSEXT_hash_sha384:
2318 return EVP_sha384();
2319 case TLSEXT_hash_sha512:
2320 return EVP_sha512();
2321 #ifndef OPENSSL_NO_GOST
2322 case TLSEXT_hash_gost94:
2323 return EVP_gostr341194();
2324 case TLSEXT_hash_streebog_256:
2325 return EVP_streebog256();
2326 case TLSEXT_hash_streebog_512:
2327 return EVP_streebog512();
2328 #endif
2329 default:
2330 return NULL;
2331 }
2332 }
2333
2334 /* Set preferred digest for each key type */
2335
2336 int
2337 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2338 {
2339 int idx;
2340 const EVP_MD *md;
2341 CERT *c = s->cert;
2342 CBS cbs;
2343
2344 /* Extension ignored for inappropriate versions */
2345 if (!SSL_USE_SIGALGS(s))
2346 return 1;
2347
2348 /* Should never happen */
2349 if (!c || dsize < 0)
2350 return 0;
2351
2352 CBS_init(&cbs, data, dsize);
2353
2354 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2355 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2356 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2357 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2358 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2359
2360 while (CBS_len(&cbs) > 0) {
2361 uint8_t hash_alg, sig_alg;
2362
2363 if (!CBS_get_u8(&cbs, &hash_alg) ||
2364 !CBS_get_u8(&cbs, &sig_alg)) {
2365 /* Should never happen */
2366 return 0;
2367 }
2368
2369 switch (sig_alg) {
2370 case TLSEXT_signature_rsa:
2371 idx = SSL_PKEY_RSA_SIGN;
2372 break;
2373 case TLSEXT_signature_dsa:
2374 idx = SSL_PKEY_DSA_SIGN;
2375 break;
2376 case TLSEXT_signature_ecdsa:
2377 idx = SSL_PKEY_ECC;
2378 break;
2379 case TLSEXT_signature_gostr01:
2380 case TLSEXT_signature_gostr12_256:
2381 case TLSEXT_signature_gostr12_512:
2382 idx = SSL_PKEY_GOST01;
2383 break;
2384 default:
2385 continue;
2386 }
2387
2388 if (c->pkeys[idx].digest == NULL) {
2389 md = tls12_get_hash(hash_alg);
2390 if (md) {
2391 c->pkeys[idx].digest = md;
2392 if (idx == SSL_PKEY_RSA_SIGN)
2393 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2394 }
2395 }
2396
2397 }
2398
2399 /* Set any remaining keys to default values. NOTE: if alg is not
2400 * supported it stays as NULL.
2401 */
2402 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2403 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2404 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2405 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2406 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2407 }
2408 if (!c->pkeys[SSL_PKEY_ECC].digest)
2409 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2410 #ifndef OPENSSL_NO_GOST
2411 if (!c->pkeys[SSL_PKEY_GOST01].digest)
2412 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
2413 #endif
2414 return 1;
2415 }
DragonFly BSD