search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import LibreSSL v2.4.2 to vendor branch
[dragonfly.git] / crypto / libressl / ssl / t1_lib.c
blobb225bb3c8761a75da035ba398b9d739105c5483a
1 /* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120 #include "bytestring.h"
121
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
125
126 SSL3_ENC_METHOD TLSv1_enc_data = {
127 .enc = tls1_enc,
128 .mac = tls1_mac,
129 .setup_key_block = tls1_setup_key_block,
130 .generate_master_secret = tls1_generate_master_secret,
131 .change_cipher_state = tls1_change_cipher_state,
132 .final_finish_mac = tls1_final_finish_mac,
133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134 .cert_verify_mac = tls1_cert_verify_mac,
135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139 .alert_value = tls1_alert_code,
140 .export_keying_material = tls1_export_keying_material,
141 .enc_flags = 0,
142 };
143
144 SSL3_ENC_METHOD TLSv1_1_enc_data = {
145 .enc = tls1_enc,
146 .mac = tls1_mac,
147 .setup_key_block = tls1_setup_key_block,
148 .generate_master_secret = tls1_generate_master_secret,
149 .change_cipher_state = tls1_change_cipher_state,
150 .final_finish_mac = tls1_final_finish_mac,
151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152 .cert_verify_mac = tls1_cert_verify_mac,
153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157 .alert_value = tls1_alert_code,
158 .export_keying_material = tls1_export_keying_material,
159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
160 };
161
162 SSL3_ENC_METHOD TLSv1_2_enc_data = {
163 .enc = tls1_enc,
164 .mac = tls1_mac,
165 .setup_key_block = tls1_setup_key_block,
166 .generate_master_secret = tls1_generate_master_secret,
167 .change_cipher_state = tls1_change_cipher_state,
168 .final_finish_mac = tls1_final_finish_mac,
169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170 .cert_verify_mac = tls1_cert_verify_mac,
171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175 .alert_value = tls1_alert_code,
176 .export_keying_material = tls1_export_keying_material,
177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 };
180
181 long
182 tls1_default_timeout(void)
183 {
184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185 * is way too long for http, the cache would over fill */
186 return (60 * 60 * 2);
187 }
188
189 int
190 tls1_new(SSL *s)
191 {
192 if (!ssl3_new(s))
193 return (0);
194 s->method->ssl_clear(s);
195 return (1);
196 }
197
198 void
199 tls1_free(SSL *s)
200 {
201 if (s == NULL)
202 return;
203
204 free(s->tlsext_session_ticket);
205 ssl3_free(s);
206 }
207
208 void
209 tls1_clear(SSL *s)
210 {
211 ssl3_clear(s);
212 s->version = s->method->version;
213 }
214
215
216 static int nid_list[] = {
217 NID_sect163k1, /* sect163k1 (1) */
218 NID_sect163r1, /* sect163r1 (2) */
219 NID_sect163r2, /* sect163r2 (3) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_sect233k1, /* sect233k1 (6) */
223 NID_sect233r1, /* sect233r1 (7) */
224 NID_sect239k1, /* sect239k1 (8) */
225 NID_sect283k1, /* sect283k1 (9) */
226 NID_sect283r1, /* sect283r1 (10) */
227 NID_sect409k1, /* sect409k1 (11) */
228 NID_sect409r1, /* sect409r1 (12) */
229 NID_sect571k1, /* sect571k1 (13) */
230 NID_sect571r1, /* sect571r1 (14) */
231 NID_secp160k1, /* secp160k1 (15) */
232 NID_secp160r1, /* secp160r1 (16) */
233 NID_secp160r2, /* secp160r2 (17) */
234 NID_secp192k1, /* secp192k1 (18) */
235 NID_X9_62_prime192v1, /* secp192r1 (19) */
236 NID_secp224k1, /* secp224k1 (20) */
237 NID_secp224r1, /* secp224r1 (21) */
238 NID_secp256k1, /* secp256k1 (22) */
239 NID_X9_62_prime256v1, /* secp256r1 (23) */
240 NID_secp384r1, /* secp384r1 (24) */
241 NID_secp521r1, /* secp521r1 (25) */
242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */
245 };
246
247 static const uint8_t ecformats_default[] = {
248 TLSEXT_ECPOINTFORMAT_uncompressed,
249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
251 };
252
253 static const uint16_t eccurves_default[] = {
254 14, /* sect571r1 (14) */
255 13, /* sect571k1 (13) */
256 25, /* secp521r1 (25) */
257 28, /* brainpool512r1 (28) */
258 11, /* sect409k1 (11) */
259 12, /* sect409r1 (12) */
260 27, /* brainpoolP384r1 (27) */
261 24, /* secp384r1 (24) */
262 9, /* sect283k1 (9) */
263 10, /* sect283r1 (10) */
264 26, /* brainpoolP256r1 (26) */
265 22, /* secp256k1 (22) */
266 23, /* secp256r1 (23) */
267 8, /* sect239k1 (8) */
268 6, /* sect233k1 (6) */
269 7, /* sect233r1 (7) */
270 20, /* secp224k1 (20) */
271 21, /* secp224r1 (21) */
272 4, /* sect193r1 (4) */
273 5, /* sect193r2 (5) */
274 18, /* secp192k1 (18) */
275 19, /* secp192r1 (19) */
276 1, /* sect163k1 (1) */
277 2, /* sect163r1 (2) */
278 3, /* sect163r2 (3) */
279 15, /* secp160k1 (15) */
280 16, /* secp160r1 (16) */
281 17, /* secp160r2 (17) */
282 };
283
284 int
285 tls1_ec_curve_id2nid(uint16_t curve_id)
286 {
287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288 if ((curve_id < 1) ||
289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
290 return 0;
291 return nid_list[curve_id - 1];
292 }
293
294 uint16_t
295 tls1_ec_nid2curve_id(int nid)
296 {
297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
298 switch (nid) {
299 case NID_sect163k1: /* sect163k1 (1) */
300 return 1;
301 case NID_sect163r1: /* sect163r1 (2) */
302 return 2;
303 case NID_sect163r2: /* sect163r2 (3) */
304 return 3;
305 case NID_sect193r1: /* sect193r1 (4) */
306 return 4;
307 case NID_sect193r2: /* sect193r2 (5) */
308 return 5;
309 case NID_sect233k1: /* sect233k1 (6) */
310 return 6;
311 case NID_sect233r1: /* sect233r1 (7) */
312 return 7;
313 case NID_sect239k1: /* sect239k1 (8) */
314 return 8;
315 case NID_sect283k1: /* sect283k1 (9) */
316 return 9;
317 case NID_sect283r1: /* sect283r1 (10) */
318 return 10;
319 case NID_sect409k1: /* sect409k1 (11) */
320 return 11;
321 case NID_sect409r1: /* sect409r1 (12) */
322 return 12;
323 case NID_sect571k1: /* sect571k1 (13) */
324 return 13;
325 case NID_sect571r1: /* sect571r1 (14) */
326 return 14;
327 case NID_secp160k1: /* secp160k1 (15) */
328 return 15;
329 case NID_secp160r1: /* secp160r1 (16) */
330 return 16;
331 case NID_secp160r2: /* secp160r2 (17) */
332 return 17;
333 case NID_secp192k1: /* secp192k1 (18) */
334 return 18;
335 case NID_X9_62_prime192v1: /* secp192r1 (19) */
336 return 19;
337 case NID_secp224k1: /* secp224k1 (20) */
338 return 20;
339 case NID_secp224r1: /* secp224r1 (21) */
340 return 21;
341 case NID_secp256k1: /* secp256k1 (22) */
342 return 22;
343 case NID_X9_62_prime256v1: /* secp256r1 (23) */
344 return 23;
345 case NID_secp384r1: /* secp384r1 (24) */
346 return 24;
347 case NID_secp521r1: /* secp521r1 (25) */
348 return 25;
349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
350 return 26;
351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
352 return 27;
353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
354 return 28;
355 default:
356 return 0;
357 }
358 }
359
360 /*
361 * Return the appropriate format list. If client_formats is non-zero, return
362 * the client/session formats. Otherwise return the custom format list if one
363 * exists, or the default formats if a custom list has not been specified.
364 */
365 static void
366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
367 size_t *pformatslen)
368 {
369 if (client_formats != 0) {
370 *pformats = s->session->tlsext_ecpointformatlist;
371 *pformatslen = s->session->tlsext_ecpointformatlist_length;
372 return;
373 }
374
375 *pformats = s->tlsext_ecpointformatlist;
376 *pformatslen = s->tlsext_ecpointformatlist_length;
377 if (*pformats == NULL) {
378 *pformats = ecformats_default;
379 *pformatslen = sizeof(ecformats_default);
380 }
381 }
382
383 /*
384 * Return the appropriate curve list. If client_curves is non-zero, return
385 * the client/session curves. Otherwise return the custom curve list if one
386 * exists, or the default curves if a custom list has not been specified.
387 */
388 static void
389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
390 size_t *pcurveslen)
391 {
392 if (client_curves != 0) {
393 *pcurves = s->session->tlsext_ellipticcurvelist;
394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
395 return;
396 }
397
398 *pcurves = s->tlsext_ellipticcurvelist;
399 *pcurveslen = s->tlsext_ellipticcurvelist_length;
400 if (*pcurves == NULL) {
401 *pcurves = eccurves_default;
402 *pcurveslen = sizeof(eccurves_default) / 2;
403 }
404 }
405
406 /* Check that a curve is one of our preferences. */
407 int
408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
409 {
410 CBS cbs;
411 const uint16_t *curves;
412 size_t curveslen, i;
413 uint8_t type;
414 uint16_t cid;
415
416 CBS_init(&cbs, p, len);
417
418 /* Only named curves are supported. */
419 if (CBS_len(&cbs) != 3 ||
420 !CBS_get_u8(&cbs, &type) ||
421 type != NAMED_CURVE_TYPE ||
422 !CBS_get_u16(&cbs, &cid))
423 return (0);
424
425 tls1_get_curvelist(s, 0, &curves, &curveslen);
426
427 for (i = 0; i < curveslen; i++) {
428 if (curves[i] == cid)
429 return (1);
430 }
431 return (0);
432 }
433
434 int
435 tls1_get_shared_curve(SSL *s)
436 {
437 size_t preflen, supplen, i, j;
438 const uint16_t *pref, *supp;
439 unsigned long server_pref;
440
441 /* Cannot do anything on the client side. */
442 if (s->server == 0)
443 return (NID_undef);
444
445 /* Return first preference shared curve. */
446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
449
450 for (i = 0; i < preflen; i++) {
451 for (j = 0; j < supplen; j++) {
452 if (pref[i] == supp[j])
453 return (tls1_ec_curve_id2nid(pref[i]));
454 }
455 }
456 return (NID_undef);
457 }
458
459 /* For an EC key set TLS ID and required compression based on parameters. */
460 static int
461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
462 {
463 const EC_GROUP *grp;
464 const EC_METHOD *meth;
465 int is_prime = 0;
466 int nid, id;
467
468 if (ec == NULL)
469 return (0);
470
471 /* Determine if it is a prime field. */
472 if ((grp = EC_KEY_get0_group(ec)) == NULL)
473 return (0);
474 if ((meth = EC_GROUP_method_of(grp)) == NULL)
475 return (0);
476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
477 is_prime = 1;
478
479 /* Determine curve ID. */
480 nid = EC_GROUP_get_curve_name(grp);
481 id = tls1_ec_nid2curve_id(nid);
482
483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
484 if (id != 0)
485 *curve_id = id;
486 else
487 *curve_id = is_prime ? 0xff01 : 0xff02;
488
489 /* Specify the compression identifier. */
490 if (comp_id != NULL) {
491 if (EC_KEY_get0_public_key(ec) == NULL)
492 return (0);
493
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495 *comp_id = is_prime ?
496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
498 } else {
499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
500 }
501 }
502 return (1);
503 }
504
505 /* Check that an EC key is compatible with extensions. */
506 static int
507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
508 {
509 size_t curveslen, formatslen, i;
510 const uint16_t *curves;
511 const uint8_t *formats;
512
513 /*
514 * Check point formats extension if present, otherwise everything
515 * is supported (see RFC4492).
516 */
517 tls1_get_formatlist(s, 1, &formats, &formatslen);
518 if (comp_id != NULL && formats != NULL) {
519 for (i = 0; i < formatslen; i++) {
520 if (formats[i] == *comp_id)
521 break;
522 }
523 if (i == formatslen)
524 return (0);
525 }
526
527 /*
528 * Check curve list if present, otherwise everything is supported.
529 */
530 tls1_get_curvelist(s, 1, &curves, &curveslen);
531 if (curve_id != NULL && curves != NULL) {
532 for (i = 0; i < curveslen; i++) {
533 if (curves[i] == *curve_id)
534 break;
535 }
536 if (i == curveslen)
537 return (0);
538 }
539
540 return (1);
541 }
542
543 /* Check EC server key is compatible with client extensions. */
544 int
545 tls1_check_ec_server_key(SSL *s)
546 {
547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
548 uint16_t curve_id;
549 uint8_t comp_id;
550 EVP_PKEY *pkey;
551 int rv;
552
553 if (cpk->x509 == NULL || cpk->privatekey == NULL)
554 return (0);
555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
556 return (0);
557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
558 EVP_PKEY_free(pkey);
559 if (rv != 1)
560 return (0);
561
562 return tls1_check_ec_key(s, &curve_id, &comp_id);
563 }
564
565 /* Check EC temporary key is compatible with client extensions. */
566 int
567 tls1_check_ec_tmp_key(SSL *s)
568 {
569 EC_KEY *ec = s->cert->ecdh_tmp;
570 uint16_t curve_id;
571
572 if (s->cert->ecdh_tmp_auto != 0) {
573 /* Need a shared curve. */
574 if (tls1_get_shared_curve(s) != NID_undef)
575 return (1);
576 return (0);
577 }
578
579 if (ec == NULL) {
580 if (s->cert->ecdh_tmp_cb != NULL)
581 return (1);
582 return (0);
583 }
584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
585 return (0);
586
587 return tls1_check_ec_key(s, &curve_id, NULL);
588 }
589
590 /*
591 * List of supported signature algorithms and hashes. Should make this
592 * customisable at some point, for now include everything we support.
593 */
594
595 static unsigned char tls12_sigalgs[] = {
596 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597 TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599 #ifndef OPENSSL_NO_GOST
600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
601 #endif
602
603 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604 TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
606
607 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608 TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
610
611 #ifndef OPENSSL_NO_GOST
612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
614 #endif
615
616 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617 TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
619
620 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621 TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
623 };
624
625 int
626 tls12_get_req_sig_algs(SSL *s, unsigned char *p)
627 {
628 size_t slen = sizeof(tls12_sigalgs);
629
630 if (p)
631 memcpy(p, tls12_sigalgs, slen);
632 return (int)slen;
633 }
634
635 unsigned char *
636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
637 {
638 int extdatalen = 0;
639 unsigned char *ret = p;
640 int using_ecc = 0;
641
642 /* See if we support any ECC ciphersuites. */
643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645 unsigned long alg_k, alg_a;
646 int i;
647
648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
650
651 alg_k = c->algorithm_mkey;
652 alg_a = c->algorithm_auth;
653
654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655 (alg_a & SSL_aECDSA))) {
656 using_ecc = 1;
657 break;
658 }
659 }
660 }
661
662 ret += 2;
663
664 if (ret >= limit)
665 return NULL; /* this really never occurs, but ... */
666
667 if (s->tlsext_hostname != NULL) {
668 /* Add TLS extension servername to the Client Hello message */
669 size_t size_str, lenmax;
670
671 /* check for enough space.
672 4 for the servername type and extension length
673 2 for servernamelist length
674 1 for the hostname type
675 2 for hostname length
676 + hostname length
677 */
678
679 if ((size_t)(limit - ret) < 9)
680 return NULL;
681
682 lenmax = limit - ret - 9;
683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
684 return NULL;
685
686 /* extension type and length */
687 s2n(TLSEXT_TYPE_server_name, ret);
688
689 s2n(size_str + 5, ret);
690
691 /* length of servername list */
692 s2n(size_str + 3, ret);
693
694 /* hostname type, length and hostname */
695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
696 s2n(size_str, ret);
697 memcpy(ret, s->tlsext_hostname, size_str);
698 ret += size_str;
699 }
700
701 /* Add RI if renegotiating */
702 if (s->renegotiate) {
703 int el;
704
705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
707 ERR_R_INTERNAL_ERROR);
708 return NULL;
709 }
710
711 if ((size_t)(limit - ret) < 4 + el)
712 return NULL;
713
714 s2n(TLSEXT_TYPE_renegotiate, ret);
715 s2n(el, ret);
716
717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
719 ERR_R_INTERNAL_ERROR);
720 return NULL;
721 }
722
723 ret += el;
724 }
725
726 if (using_ecc) {
727 size_t curveslen, formatslen, lenmax;
728 const uint16_t *curves;
729 const uint8_t *formats;
730 int i;
731
732 /*
733 * Add TLS extension ECPointFormats to the ClientHello message.
734 */
735 tls1_get_formatlist(s, 0, &formats, &formatslen);
736
737 if ((size_t)(limit - ret) < 5)
738 return NULL;
739
740 lenmax = limit - ret - 5;
741 if (formatslen > lenmax)
742 return NULL;
743 if (formatslen > 255) {
744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
745 ERR_R_INTERNAL_ERROR);
746 return NULL;
747 }
748
749 s2n(TLSEXT_TYPE_ec_point_formats, ret);
750 s2n(formatslen + 1, ret);
751 *(ret++) = (unsigned char)formatslen;
752 memcpy(ret, formats, formatslen);
753 ret += formatslen;
754
755 /*
756 * Add TLS extension EllipticCurves to the ClientHello message.
757 */
758 tls1_get_curvelist(s, 0, &curves, &curveslen);
759
760 if ((size_t)(limit - ret) < 6)
761 return NULL;
762
763 lenmax = limit - ret - 6;
764 if (curveslen > lenmax)
765 return NULL;
766 if (curveslen > 65532) {
767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
768 ERR_R_INTERNAL_ERROR);
769 return NULL;
770 }
771
772 s2n(TLSEXT_TYPE_elliptic_curves, ret);
773 s2n((curveslen * 2) + 2, ret);
774
775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776 * elliptic_curve_list, but the examples use two bytes.
777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778 * resolves this to two bytes.
779 */
780 s2n(curveslen * 2, ret);
781 for (i = 0; i < curveslen; i++)
782 s2n(curves[i], ret);
783 }
784
785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
786 int ticklen;
787 if (!s->new_session && s->session && s->session->tlsext_tick)
788 ticklen = s->session->tlsext_ticklen;
789 else if (s->session && s->tlsext_session_ticket &&
790 s->tlsext_session_ticket->data) {
791 ticklen = s->tlsext_session_ticket->length;
792 s->session->tlsext_tick = malloc(ticklen);
793 if (!s->session->tlsext_tick)
794 return NULL;
795 memcpy(s->session->tlsext_tick,
796 s->tlsext_session_ticket->data, ticklen);
797 s->session->tlsext_ticklen = ticklen;
798 } else
799 ticklen = 0;
800 if (ticklen == 0 && s->tlsext_session_ticket &&
801 s->tlsext_session_ticket->data == NULL)
802 goto skip_ext;
803 /* Check for enough room 2 for extension type, 2 for len
804 * rest for ticket
805 */
806 if ((size_t)(limit - ret) < 4 + ticklen)
807 return NULL;
808 s2n(TLSEXT_TYPE_session_ticket, ret);
809
810 s2n(ticklen, ret);
811 if (ticklen) {
812 memcpy(ret, s->session->tlsext_tick, ticklen);
813 ret += ticklen;
814 }
815 }
816 skip_ext:
817
818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
820 return NULL;
821
822 s2n(TLSEXT_TYPE_signature_algorithms, ret);
823 s2n(sizeof(tls12_sigalgs) + 2, ret);
824 s2n(sizeof(tls12_sigalgs), ret);
825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
826 ret += sizeof(tls12_sigalgs);
827 }
828
829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
830 s->version != DTLS1_VERSION) {
831 int i;
832 long extlen, idlen, itmp;
833 OCSP_RESPID *id;
834
835 idlen = 0;
836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
838 itmp = i2d_OCSP_RESPID(id, NULL);
839 if (itmp <= 0)
840 return NULL;
841 idlen += itmp + 2;
842 }
843
844 if (s->tlsext_ocsp_exts) {
845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
846 if (extlen < 0)
847 return NULL;
848 } else
849 extlen = 0;
850
851 if ((size_t)(limit - ret) < 7 + extlen + idlen)
852 return NULL;
853 s2n(TLSEXT_TYPE_status_request, ret);
854 if (extlen + idlen > 0xFFF0)
855 return NULL;
856 s2n(extlen + idlen + 5, ret);
857 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
858 s2n(idlen, ret);
859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
860 /* save position of id len */
861 unsigned char *q = ret;
862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
863 /* skip over id len */
864 ret += 2;
865 itmp = i2d_OCSP_RESPID(id, &ret);
866 /* write id len */
867 s2n(itmp, q);
868 }
869 s2n(extlen, ret);
870 if (extlen > 0)
871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
872 }
873
874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
875 /* The client advertises an emtpy extension to indicate its
876 * support for Next Protocol Negotiation */
877 if ((size_t)(limit - ret) < 4)
878 return NULL;
879 s2n(TLSEXT_TYPE_next_proto_neg, ret);
880 s2n(0, ret);
881 }
882
883 if (s->alpn_client_proto_list != NULL &&
884 s->s3->tmp.finish_md_len == 0) {
885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
886 return (NULL);
887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
888 s2n(2 + s->alpn_client_proto_list_len, ret);
889 s2n(s->alpn_client_proto_list_len, ret);
890 memcpy(ret, s->alpn_client_proto_list,
891 s->alpn_client_proto_list_len);
892 ret += s->alpn_client_proto_list_len;
893 }
894
895 #ifndef OPENSSL_NO_SRTP
896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
897 int el;
898
899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
900
901 if ((size_t)(limit - ret) < 4 + el)
902 return NULL;
903
904 s2n(TLSEXT_TYPE_use_srtp, ret);
905 s2n(el, ret);
906
907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
909 ERR_R_INTERNAL_ERROR);
910 return NULL;
911 }
912 ret += el;
913 }
914 #endif
915
916 /*
917 * Add padding to workaround bugs in F5 terminators.
918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
919 *
920 * Note that this seems to trigger issues with IronPort SMTP
921 * appliances.
922 *
923 * NB: because this code works out the length of all existing
924 * extensions it MUST always appear last.
925 */
926 if (s->options & SSL_OP_TLSEXT_PADDING) {
927 int hlen = ret - (unsigned char *)s->init_buf->data;
928
929 /*
930 * The code in s23_clnt.c to build ClientHello messages
931 * includes the 5-byte record header in the buffer, while the
932 * code in s3_clnt.c does not.
933 */
934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
935 hlen -= 5;
936 if (hlen > 0xff && hlen < 0x200) {
937 hlen = 0x200 - hlen;
938 if (hlen >= 4)
939 hlen -= 4;
940 else
941 hlen = 0;
942
943 s2n(TLSEXT_TYPE_padding, ret);
944 s2n(hlen, ret);
945 memset(ret, 0, hlen);
946 ret += hlen;
947 }
948 }
949
950 if ((extdatalen = ret - p - 2) == 0)
951 return p;
952
953 s2n(extdatalen, p);
954 return ret;
955 }
956
957 unsigned char *
958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
959 {
960 int using_ecc, extdatalen = 0;
961 unsigned long alg_a, alg_k;
962 unsigned char *ret = p;
963 int next_proto_neg_seen;
964
965 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
968 alg_a & SSL_aECDSA) &&
969 s->session->tlsext_ecpointformatlist != NULL;
970
971 ret += 2;
972 if (ret >= limit)
973 return NULL; /* this really never occurs, but ... */
974
975 if (!s->hit && s->servername_done == 1 &&
976 s->session->tlsext_hostname != NULL) {
977 if ((size_t)(limit - ret) < 4)
978 return NULL;
979
980 s2n(TLSEXT_TYPE_server_name, ret);
981 s2n(0, ret);
982 }
983
984 if (s->s3->send_connection_binding) {
985 int el;
986
987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
989 ERR_R_INTERNAL_ERROR);
990 return NULL;
991 }
992
993 if ((size_t)(limit - ret) < 4 + el)
994 return NULL;
995
996 s2n(TLSEXT_TYPE_renegotiate, ret);
997 s2n(el, ret);
998
999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1001 ERR_R_INTERNAL_ERROR);
1002 return NULL;
1003 }
1004
1005 ret += el;
1006 }
1007
1008 if (using_ecc && s->version != DTLS1_VERSION) {
1009 const unsigned char *formats;
1010 size_t formatslen, lenmax;
1011
1012 /*
1013 * Add TLS extension ECPointFormats to the ServerHello message.
1014 */
1015 tls1_get_formatlist(s, 0, &formats, &formatslen);
1016
1017 if ((size_t)(limit - ret) < 5)
1018 return NULL;
1019
1020 lenmax = limit - ret - 5;
1021 if (formatslen > lenmax)
1022 return NULL;
1023 if (formatslen > 255) {
1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1025 ERR_R_INTERNAL_ERROR);
1026 return NULL;
1027 }
1028
1029 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1030 s2n(formatslen + 1, ret);
1031 *(ret++) = (unsigned char)formatslen;
1032 memcpy(ret, formats, formatslen);
1033 ret += formatslen;
1034 }
1035
1036 /*
1037 * Currently the server should not respond with a SupportedCurves
1038 * extension.
1039 */
1040
1041 if (s->tlsext_ticket_expected &&
1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1043 if ((size_t)(limit - ret) < 4)
1044 return NULL;
1045
1046 s2n(TLSEXT_TYPE_session_ticket, ret);
1047 s2n(0, ret);
1048 }
1049
1050 if (s->tlsext_status_expected) {
1051 if ((size_t)(limit - ret) < 4)
1052 return NULL;
1053
1054 s2n(TLSEXT_TYPE_status_request, ret);
1055 s2n(0, ret);
1056 }
1057
1058 #ifndef OPENSSL_NO_SRTP
1059 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1060 int el;
1061
1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1063
1064 if ((size_t)(limit - ret) < 4 + el)
1065 return NULL;
1066
1067 s2n(TLSEXT_TYPE_use_srtp, ret);
1068 s2n(el, ret);
1069
1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1072 ERR_R_INTERNAL_ERROR);
1073 return NULL;
1074 }
1075 ret += el;
1076 }
1077 #endif
1078
1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1082 static const unsigned char cryptopro_ext[36] = {
1083 0xfd, 0xe8, /*65000*/
1084 0x00, 0x20, /*32 bytes length*/
1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1089 };
1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1091 return NULL;
1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1093 ret += sizeof(cryptopro_ext);
1094 }
1095
1096 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1097 s->s3->next_proto_neg_seen = 0;
1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1099 const unsigned char *npa;
1100 unsigned int npalen;
1101 int r;
1102
1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1104 s->ctx->next_protos_advertised_cb_arg);
1105 if (r == SSL_TLSEXT_ERR_OK) {
1106 if ((size_t)(limit - ret) < 4 + npalen)
1107 return NULL;
1108 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1109 s2n(npalen, ret);
1110 memcpy(ret, npa, npalen);
1111 ret += npalen;
1112 s->s3->next_proto_neg_seen = 1;
1113 }
1114 }
1115
1116 if (s->s3->alpn_selected != NULL) {
1117 const unsigned char *selected = s->s3->alpn_selected;
1118 unsigned int len = s->s3->alpn_selected_len;
1119
1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1121 return (NULL);
1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1123 s2n(3 + len, ret);
1124 s2n(1 + len, ret);
1125 *ret++ = len;
1126 memcpy(ret, selected, len);
1127 ret += len;
1128 }
1129
1130 if ((extdatalen = ret - p - 2) == 0)
1131 return p;
1132
1133 s2n(extdatalen, p);
1134 return ret;
1135 }
1136
1137 /*
1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1139 * ClientHello.
1140 * data: the contents of the extension, not including the type and length.
1141 * data_len: the number of bytes in data.
1142 * al: a pointer to the alert value to send in the event of a non-zero
1143 * return.
1144 * returns: 1 on success.
1145 */
1146 static int
1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1148 unsigned int data_len, int *al)
1149 {
1150 CBS cbs, proto_name_list, alpn;
1151 const unsigned char *selected;
1152 unsigned char selected_len;
1153 int r;
1154
1155 if (s->ctx->alpn_select_cb == NULL)
1156 return (1);
1157
1158 if (data_len < 2)
1159 goto parse_error;
1160
1161 CBS_init(&cbs, data, data_len);
1162
1163 /*
1164 * data should contain a uint16 length followed by a series of 8-bit,
1165 * length-prefixed strings.
1166 */
1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1168 CBS_len(&alpn) < 2 ||
1169 CBS_len(&cbs) != 0)
1170 goto parse_error;
1171
1172 /* Validate data before sending to callback. */
1173 CBS_dup(&alpn, &proto_name_list);
1174 while (CBS_len(&proto_name_list) > 0) {
1175 CBS proto_name;
1176
1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1178 CBS_len(&proto_name) == 0)
1179 goto parse_error;
1180 }
1181
1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1184 if (r == SSL_TLSEXT_ERR_OK) {
1185 free(s->s3->alpn_selected);
1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1187 *al = SSL_AD_INTERNAL_ERROR;
1188 return (-1);
1189 }
1190 memcpy(s->s3->alpn_selected, selected, selected_len);
1191 s->s3->alpn_selected_len = selected_len;
1192 }
1193
1194 return (1);
1195
1196 parse_error:
1197 *al = SSL_AD_DECODE_ERROR;
1198 return (0);
1199 }
1200
1201 int
1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1203 int n, int *al)
1204 {
1205 unsigned short type;
1206 unsigned short size;
1207 unsigned short len;
1208 unsigned char *data = *p;
1209 int renegotiate_seen = 0;
1210 int sigalg_seen = 0;
1211
1212 s->servername_done = 0;
1213 s->tlsext_status_type = -1;
1214 s->s3->next_proto_neg_seen = 0;
1215 free(s->s3->alpn_selected);
1216 s->s3->alpn_selected = NULL;
1217
1218 if (data >= (d + n - 2))
1219 goto ri_check;
1220 n2s(data, len);
1221
1222 if (data > (d + n - len))
1223 goto ri_check;
1224
1225 while (data <= (d + n - 4)) {
1226 n2s(data, type);
1227 n2s(data, size);
1228
1229 if (data + size > (d + n))
1230 goto ri_check;
1231 if (s->tlsext_debug_cb)
1232 s->tlsext_debug_cb(s, 0, type, data, size,
1233 s->tlsext_debug_arg);
1234 /* The servername extension is treated as follows:
1235
1236 - Only the hostname type is supported with a maximum length of 255.
1237 - The servername is rejected if too long or if it contains zeros,
1238 in which case an fatal alert is generated.
1239 - The servername field is maintained together with the session cache.
1240 - When a session is resumed, the servername call back invoked in order
1241 to allow the application to position itself to the right context.
1242 - The servername is acknowledged if it is new for a session or when
1243 it is identical to a previously used for the same session.
1244 Applications can control the behaviour. They can at any time
1245 set a 'desirable' servername for a new SSL object. This can be the
1246 case for example with HTTPS when a Host: header field is received and
1247 a renegotiation is requested. In this case, a possible servername
1248 presented in the new client hello is only acknowledged if it matches
1249 the value of the Host: field.
1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251 if they provide for changing an explicit servername context for the session,
1252 i.e. when the session has been established with a servername extension.
1253 - On session reconnect, the servername extension may be absent.
1254
1255 */
1256
1257 if (type == TLSEXT_TYPE_server_name) {
1258 unsigned char *sdata;
1259 int servname_type;
1260 int dsize;
1261
1262 if (size < 2) {
1263 *al = SSL_AD_DECODE_ERROR;
1264 return 0;
1265 }
1266 n2s(data, dsize);
1267
1268 size -= 2;
1269 if (dsize > size) {
1270 *al = SSL_AD_DECODE_ERROR;
1271 return 0;
1272 }
1273
1274 sdata = data;
1275 while (dsize > 3) {
1276 servname_type = *(sdata++);
1277
1278 n2s(sdata, len);
1279 dsize -= 3;
1280
1281 if (len > dsize) {
1282 *al = SSL_AD_DECODE_ERROR;
1283 return 0;
1284 }
1285 if (s->servername_done == 0)
1286 switch (servname_type) {
1287 case TLSEXT_NAMETYPE_host_name:
1288 if (!s->hit) {
1289 if (s->session->tlsext_hostname) {
1290 *al = SSL_AD_DECODE_ERROR;
1291 return 0;
1292 }
1293 if (len > TLSEXT_MAXLEN_host_name) {
1294 *al = TLS1_AD_UNRECOGNIZED_NAME;
1295 return 0;
1296 }
1297 if ((s->session->tlsext_hostname =
1298 malloc(len + 1)) == NULL) {
1299 *al = TLS1_AD_INTERNAL_ERROR;
1300 return 0;
1301 }
1302 memcpy(s->session->tlsext_hostname, sdata, len);
1303 s->session->tlsext_hostname[len] = '\0';
1304 if (strlen(s->session->tlsext_hostname) != len) {
1305 free(s->session->tlsext_hostname);
1306 s->session->tlsext_hostname = NULL;
1307 *al = TLS1_AD_UNRECOGNIZED_NAME;
1308 return 0;
1309 }
1310 s->servername_done = 1;
1311
1312
1313 } else {
1314 s->servername_done = s->session->tlsext_hostname &&
1315 strlen(s->session->tlsext_hostname) == len &&
1316 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1317 }
1318 break;
1319
1320 default:
1321 break;
1322 }
1323
1324 dsize -= len;
1325 }
1326 if (dsize != 0) {
1327 *al = SSL_AD_DECODE_ERROR;
1328 return 0;
1329 }
1330
1331 }
1332
1333 else if (type == TLSEXT_TYPE_ec_point_formats &&
1334 s->version != DTLS1_VERSION) {
1335 unsigned char *sdata = data;
1336 size_t formatslen;
1337 uint8_t *formats;
1338
1339 if (size < 1) {
1340 *al = TLS1_AD_DECODE_ERROR;
1341 return 0;
1342 }
1343 formatslen = *(sdata++);
1344 if (formatslen != size - 1) {
1345 *al = TLS1_AD_DECODE_ERROR;
1346 return 0;
1347 }
1348
1349 if (!s->hit) {
1350 free(s->session->tlsext_ecpointformatlist);
1351 s->session->tlsext_ecpointformatlist = NULL;
1352 s->session->tlsext_ecpointformatlist_length = 0;
1353
1354 if ((formats = reallocarray(NULL, formatslen,
1355 sizeof(uint8_t))) == NULL) {
1356 *al = TLS1_AD_INTERNAL_ERROR;
1357 return 0;
1358 }
1359 memcpy(formats, sdata, formatslen);
1360 s->session->tlsext_ecpointformatlist = formats;
1361 s->session->tlsext_ecpointformatlist_length =
1362 formatslen;
1363 }
1364 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1365 s->version != DTLS1_VERSION) {
1366 unsigned char *sdata = data;
1367 size_t curveslen, i;
1368 uint16_t *curves;
1369
1370 if (size < 2) {
1371 *al = TLS1_AD_DECODE_ERROR;
1372 return 0;
1373 }
1374 n2s(sdata, curveslen);
1375 if (curveslen != size - 2 || curveslen % 2 != 0) {
1376 *al = TLS1_AD_DECODE_ERROR;
1377 return 0;
1378 }
1379 curveslen /= 2;
1380
1381 if (!s->hit) {
1382 if (s->session->tlsext_ellipticcurvelist) {
1383 *al = TLS1_AD_DECODE_ERROR;
1384 return 0;
1385 }
1386 s->session->tlsext_ellipticcurvelist_length = 0;
1387 if ((curves = reallocarray(NULL, curveslen,
1388 sizeof(uint16_t))) == NULL) {
1389 *al = TLS1_AD_INTERNAL_ERROR;
1390 return 0;
1391 }
1392 for (i = 0; i < curveslen; i++)
1393 n2s(sdata, curves[i]);
1394 s->session->tlsext_ellipticcurvelist = curves;
1395 s->session->tlsext_ellipticcurvelist_length = curveslen;
1396 }
1397 }
1398 else if (type == TLSEXT_TYPE_session_ticket) {
1399 if (s->tls_session_ticket_ext_cb &&
1400 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1401 *al = TLS1_AD_INTERNAL_ERROR;
1402 return 0;
1403 }
1404 } else if (type == TLSEXT_TYPE_renegotiate) {
1405 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1406 return 0;
1407 renegotiate_seen = 1;
1408 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1409 int dsize;
1410 if (sigalg_seen || size < 2) {
1411 *al = SSL_AD_DECODE_ERROR;
1412 return 0;
1413 }
1414 sigalg_seen = 1;
1415 n2s(data, dsize);
1416 size -= 2;
1417 if (dsize != size || dsize & 1) {
1418 *al = SSL_AD_DECODE_ERROR;
1419 return 0;
1420 }
1421 if (!tls1_process_sigalgs(s, data, dsize)) {
1422 *al = SSL_AD_DECODE_ERROR;
1423 return 0;
1424 }
1425 } else if (type == TLSEXT_TYPE_status_request &&
1426 s->version != DTLS1_VERSION) {
1427
1428 if (size < 5) {
1429 *al = SSL_AD_DECODE_ERROR;
1430 return 0;
1431 }
1432
1433 s->tlsext_status_type = *data++;
1434 size--;
1435 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1436 const unsigned char *sdata;
1437 int dsize;
1438 /* Read in responder_id_list */
1439 n2s(data, dsize);
1440 size -= 2;
1441 if (dsize > size ) {
1442 *al = SSL_AD_DECODE_ERROR;
1443 return 0;
1444 }
1445 while (dsize > 0) {
1446 OCSP_RESPID *id;
1447 int idsize;
1448 if (dsize < 4) {
1449 *al = SSL_AD_DECODE_ERROR;
1450 return 0;
1451 }
1452 n2s(data, idsize);
1453 dsize -= 2 + idsize;
1454 size -= 2 + idsize;
1455 if (dsize < 0) {
1456 *al = SSL_AD_DECODE_ERROR;
1457 return 0;
1458 }
1459 sdata = data;
1460 data += idsize;
1461 id = d2i_OCSP_RESPID(NULL,
1462 &sdata, idsize);
1463 if (!id) {
1464 *al = SSL_AD_DECODE_ERROR;
1465 return 0;
1466 }
1467 if (data != sdata) {
1468 OCSP_RESPID_free(id);
1469 *al = SSL_AD_DECODE_ERROR;
1470 return 0;
1471 }
1472 if (!s->tlsext_ocsp_ids &&
1473 !(s->tlsext_ocsp_ids =
1474 sk_OCSP_RESPID_new_null())) {
1475 OCSP_RESPID_free(id);
1476 *al = SSL_AD_INTERNAL_ERROR;
1477 return 0;
1478 }
1479 if (!sk_OCSP_RESPID_push(
1480 s->tlsext_ocsp_ids, id)) {
1481 OCSP_RESPID_free(id);
1482 *al = SSL_AD_INTERNAL_ERROR;
1483 return 0;
1484 }
1485 }
1486
1487 /* Read in request_extensions */
1488 if (size < 2) {
1489 *al = SSL_AD_DECODE_ERROR;
1490 return 0;
1491 }
1492 n2s(data, dsize);
1493 size -= 2;
1494 if (dsize != size) {
1495 *al = SSL_AD_DECODE_ERROR;
1496 return 0;
1497 }
1498 sdata = data;
1499 if (dsize > 0) {
1500 if (s->tlsext_ocsp_exts) {
1501 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1502 X509_EXTENSION_free);
1503 }
1504
1505 s->tlsext_ocsp_exts =
1506 d2i_X509_EXTENSIONS(NULL,
1507 &sdata, dsize);
1508 if (!s->tlsext_ocsp_exts ||
1509 (data + dsize != sdata)) {
1510 *al = SSL_AD_DECODE_ERROR;
1511 return 0;
1512 }
1513 }
1514 } else {
1515 /* We don't know what to do with any other type
1516 * so ignore it.
1517 */
1518 s->tlsext_status_type = -1;
1519 }
1520 }
1521 else if (type == TLSEXT_TYPE_next_proto_neg &&
1522 s->s3->tmp.finish_md_len == 0 &&
1523 s->s3->alpn_selected == NULL) {
1524 /* We shouldn't accept this extension on a
1525 * renegotiation.
1526 *
1527 * s->new_session will be set on renegotiation, but we
1528 * probably shouldn't rely that it couldn't be set on
1529 * the initial renegotation too in certain cases (when
1530 * there's some other reason to disallow resuming an
1531 * earlier session -- the current code won't be doing
1532 * anything like that, but this might change).
1533
1534 * A valid sign that there's been a previous handshake
1535 * in this connection is if s->s3->tmp.finish_md_len >
1536 * 0. (We are talking about a check that will happen
1537 * in the Hello protocol round, well before a new
1538 * Finished message could have been computed.) */
1539 s->s3->next_proto_neg_seen = 1;
1540 }
1541 else if (type ==
1542 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1543 s->ctx->alpn_select_cb != NULL &&
1544 s->s3->tmp.finish_md_len == 0) {
1545 if (tls1_alpn_handle_client_hello(s, data,
1546 size, al) != 1)
1547 return (0);
1548 /* ALPN takes precedence over NPN. */
1549 s->s3->next_proto_neg_seen = 0;
1550 }
1551
1552 /* session ticket processed earlier */
1553 #ifndef OPENSSL_NO_SRTP
1554 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1555 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1556 return 0;
1557 }
1558 #endif
1559
1560 data += size;
1561 }
1562
1563 *p = data;
1564
1565 ri_check:
1566
1567 /* Need RI if renegotiating */
1568
1569 if (!renegotiate_seen && s->renegotiate) {
1570 *al = SSL_AD_HANDSHAKE_FAILURE;
1571 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1572 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1573 return 0;
1574 }
1575
1576 return 1;
1577 }
1578
1579 /*
1580 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1581 * elements of zero length are allowed and the set of elements must exactly fill
1582 * the length of the block.
1583 */
1584 static char
1585 ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1586 {
1587 CBS npn, value;
1588
1589 CBS_init(&npn, d, len);
1590 while (CBS_len(&npn) > 0) {
1591 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1592 CBS_len(&value) == 0)
1593 return 0;
1594 }
1595 return 1;
1596 }
1597
1598 int
1599 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1600 int n, int *al)
1601 {
1602 unsigned short length;
1603 unsigned short type;
1604 unsigned short size;
1605 unsigned char *data = *p;
1606 int tlsext_servername = 0;
1607 int renegotiate_seen = 0;
1608
1609 s->s3->next_proto_neg_seen = 0;
1610 free(s->s3->alpn_selected);
1611 s->s3->alpn_selected = NULL;
1612
1613 if (data >= (d + n - 2))
1614 goto ri_check;
1615
1616 n2s(data, length);
1617 if (data + length != d + n) {
1618 *al = SSL_AD_DECODE_ERROR;
1619 return 0;
1620 }
1621
1622 while (data <= (d + n - 4)) {
1623 n2s(data, type);
1624 n2s(data, size);
1625
1626 if (data + size > (d + n))
1627 goto ri_check;
1628
1629 if (s->tlsext_debug_cb)
1630 s->tlsext_debug_cb(s, 1, type, data, size,
1631 s->tlsext_debug_arg);
1632
1633 if (type == TLSEXT_TYPE_server_name) {
1634 if (s->tlsext_hostname == NULL || size > 0) {
1635 *al = TLS1_AD_UNRECOGNIZED_NAME;
1636 return 0;
1637 }
1638 tlsext_servername = 1;
1639
1640 }
1641 else if (type == TLSEXT_TYPE_ec_point_formats &&
1642 s->version != DTLS1_VERSION) {
1643 unsigned char *sdata = data;
1644 size_t formatslen;
1645 uint8_t *formats;
1646
1647 if (size < 1) {
1648 *al = TLS1_AD_DECODE_ERROR;
1649 return 0;
1650 }
1651 formatslen = *(sdata++);
1652 if (formatslen != size - 1) {
1653 *al = TLS1_AD_DECODE_ERROR;
1654 return 0;
1655 }
1656
1657 if (!s->hit) {
1658 free(s->session->tlsext_ecpointformatlist);
1659 s->session->tlsext_ecpointformatlist = NULL;
1660 s->session->tlsext_ecpointformatlist_length = 0;
1661
1662 if ((formats = reallocarray(NULL, formatslen,
1663 sizeof(uint8_t))) == NULL) {
1664 *al = TLS1_AD_INTERNAL_ERROR;
1665 return 0;
1666 }
1667 memcpy(formats, sdata, formatslen);
1668 s->session->tlsext_ecpointformatlist = formats;
1669 s->session->tlsext_ecpointformatlist_length =
1670 formatslen;
1671 }
1672 }
1673 else if (type == TLSEXT_TYPE_session_ticket) {
1674 if (s->tls_session_ticket_ext_cb &&
1675 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1676 *al = TLS1_AD_INTERNAL_ERROR;
1677 return 0;
1678 }
1679 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1680 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1681 return 0;
1682 }
1683 s->tlsext_ticket_expected = 1;
1684 }
1685 else if (type == TLSEXT_TYPE_status_request &&
1686 s->version != DTLS1_VERSION) {
1687 /* MUST be empty and only sent if we've requested
1688 * a status request message.
1689 */
1690 if ((s->tlsext_status_type == -1) || (size > 0)) {
1691 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1692 return 0;
1693 }
1694 /* Set flag to expect CertificateStatus message */
1695 s->tlsext_status_expected = 1;
1696 }
1697 else if (type == TLSEXT_TYPE_next_proto_neg &&
1698 s->s3->tmp.finish_md_len == 0) {
1699 unsigned char *selected;
1700 unsigned char selected_len;
1701
1702 /* We must have requested it. */
1703 if (s->ctx->next_proto_select_cb == NULL) {
1704 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1705 return 0;
1706 }
1707 /* The data must be valid */
1708 if (!ssl_next_proto_validate(data, size)) {
1709 *al = TLS1_AD_DECODE_ERROR;
1710 return 0;
1711 }
1712 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1713 *al = TLS1_AD_INTERNAL_ERROR;
1714 return 0;
1715 }
1716 s->next_proto_negotiated = malloc(selected_len);
1717 if (!s->next_proto_negotiated) {
1718 *al = TLS1_AD_INTERNAL_ERROR;
1719 return 0;
1720 }
1721 memcpy(s->next_proto_negotiated, selected, selected_len);
1722 s->next_proto_negotiated_len = selected_len;
1723 s->s3->next_proto_neg_seen = 1;
1724 }
1725 else if (type ==
1726 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1727 unsigned int len;
1728
1729 /* We must have requested it. */
1730 if (s->alpn_client_proto_list == NULL) {
1731 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1732 return 0;
1733 }
1734 if (size < 4) {
1735 *al = TLS1_AD_DECODE_ERROR;
1736 return (0);
1737 }
1738
1739 /* The extension data consists of:
1740 * uint16 list_length
1741 * uint8 proto_length;
1742 * uint8 proto[proto_length]; */
1743 len = ((unsigned int)data[0]) << 8 |
1744 ((unsigned int)data[1]);
1745 if (len != (unsigned int)size - 2) {
1746 *al = TLS1_AD_DECODE_ERROR;
1747 return (0);
1748 }
1749 len = data[2];
1750 if (len != (unsigned int)size - 3) {
1751 *al = TLS1_AD_DECODE_ERROR;
1752 return (0);
1753 }
1754 free(s->s3->alpn_selected);
1755 s->s3->alpn_selected = malloc(len);
1756 if (s->s3->alpn_selected == NULL) {
1757 *al = TLS1_AD_INTERNAL_ERROR;
1758 return (0);
1759 }
1760 memcpy(s->s3->alpn_selected, data + 3, len);
1761 s->s3->alpn_selected_len = len;
1762
1763 } else if (type == TLSEXT_TYPE_renegotiate) {
1764 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1765 return 0;
1766 renegotiate_seen = 1;
1767 }
1768 #ifndef OPENSSL_NO_SRTP
1769 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1770 if (ssl_parse_serverhello_use_srtp_ext(s, data,
1771 size, al))
1772 return 0;
1773 }
1774 #endif
1775
1776 data += size;
1777
1778 }
1779
1780 if (data != d + n) {
1781 *al = SSL_AD_DECODE_ERROR;
1782 return 0;
1783 }
1784
1785 if (!s->hit && tlsext_servername == 1) {
1786 if (s->tlsext_hostname) {
1787 if (s->session->tlsext_hostname == NULL) {
1788 s->session->tlsext_hostname =
1789 strdup(s->tlsext_hostname);
1790
1791 if (!s->session->tlsext_hostname) {
1792 *al = SSL_AD_UNRECOGNIZED_NAME;
1793 return 0;
1794 }
1795 } else {
1796 *al = SSL_AD_DECODE_ERROR;
1797 return 0;
1798 }
1799 }
1800 }
1801
1802 *p = data;
1803
1804 ri_check:
1805
1806 /* Determine if we need to see RI. Strictly speaking if we want to
1807 * avoid an attack we should *always* see RI even on initial server
1808 * hello because the client doesn't see any renegotiation during an
1809 * attack. However this would mean we could not connect to any server
1810 * which doesn't support RI so for the immediate future tolerate RI
1811 * absence on initial connect only.
1812 */
1813 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1814 *al = SSL_AD_HANDSHAKE_FAILURE;
1815 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1816 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1817 return 0;
1818 }
1819
1820 return 1;
1821 }
1822
1823 int
1824 ssl_check_clienthello_tlsext_early(SSL *s)
1825 {
1826 int ret = SSL_TLSEXT_ERR_NOACK;
1827 int al = SSL_AD_UNRECOGNIZED_NAME;
1828
1829 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1830 * ssl3_choose_cipher in s3_lib.c.
1831 */
1832 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1833 * ssl3_choose_cipher in s3_lib.c.
1834 */
1835
1836 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1837 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1838 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1839 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1840
1841 switch (ret) {
1842 case SSL_TLSEXT_ERR_ALERT_FATAL:
1843 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1844 return -1;
1845 case SSL_TLSEXT_ERR_ALERT_WARNING:
1846 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1847 return 1;
1848 case SSL_TLSEXT_ERR_NOACK:
1849 s->servername_done = 0;
1850 default:
1851 return 1;
1852 }
1853 }
1854
1855 int
1856 ssl_check_clienthello_tlsext_late(SSL *s)
1857 {
1858 int ret = SSL_TLSEXT_ERR_OK;
1859 int al = 0; /* XXX gcc3 */
1860
1861 /* If status request then ask callback what to do.
1862 * Note: this must be called after servername callbacks in case
1863 * the certificate has changed, and must be called after the cipher
1864 * has been chosen because this may influence which certificate is sent
1865 */
1866 if ((s->tlsext_status_type != -1) &&
1867 s->ctx && s->ctx->tlsext_status_cb) {
1868 int r;
1869 CERT_PKEY *certpkey;
1870 certpkey = ssl_get_server_send_pkey(s);
1871 /* If no certificate can't return certificate status */
1872 if (certpkey == NULL) {
1873 s->tlsext_status_expected = 0;
1874 return 1;
1875 }
1876 /* Set current certificate to one we will use so
1877 * SSL_get_certificate et al can pick it up.
1878 */
1879 s->cert->key = certpkey;
1880 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1881 switch (r) {
1882 /* We don't want to send a status request response */
1883 case SSL_TLSEXT_ERR_NOACK:
1884 s->tlsext_status_expected = 0;
1885 break;
1886 /* status request response should be sent */
1887 case SSL_TLSEXT_ERR_OK:
1888 if (s->tlsext_ocsp_resp)
1889 s->tlsext_status_expected = 1;
1890 else
1891 s->tlsext_status_expected = 0;
1892 break;
1893 /* something bad happened */
1894 case SSL_TLSEXT_ERR_ALERT_FATAL:
1895 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1896 al = SSL_AD_INTERNAL_ERROR;
1897 goto err;
1898 }
1899 } else
1900 s->tlsext_status_expected = 0;
1901
1902 err:
1903 switch (ret) {
1904 case SSL_TLSEXT_ERR_ALERT_FATAL:
1905 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1906 return -1;
1907 case SSL_TLSEXT_ERR_ALERT_WARNING:
1908 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1909 return 1;
1910 default:
1911 return 1;
1912 }
1913 }
1914
1915 int
1916 ssl_check_serverhello_tlsext(SSL *s)
1917 {
1918 int ret = SSL_TLSEXT_ERR_NOACK;
1919 int al = SSL_AD_UNRECOGNIZED_NAME;
1920
1921 /* If we are client and using an elliptic curve cryptography cipher
1922 * suite, then if server returns an EC point formats lists extension
1923 * it must contain uncompressed.
1924 */
1925 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1926 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1927 if ((s->tlsext_ecpointformatlist != NULL) &&
1928 (s->tlsext_ecpointformatlist_length > 0) &&
1929 (s->session->tlsext_ecpointformatlist != NULL) &&
1930 (s->session->tlsext_ecpointformatlist_length > 0) &&
1931 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1932 /* we are using an ECC cipher */
1933 size_t i;
1934 unsigned char *list;
1935 int found_uncompressed = 0;
1936 list = s->session->tlsext_ecpointformatlist;
1937 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1938 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1939 found_uncompressed = 1;
1940 break;
1941 }
1942 }
1943 if (!found_uncompressed) {
1944 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1945 return -1;
1946 }
1947 }
1948 ret = SSL_TLSEXT_ERR_OK;
1949
1950 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1951 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1952 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1953 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1954
1955 /* If we've requested certificate status and we wont get one
1956 * tell the callback
1957 */
1958 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1959 s->ctx && s->ctx->tlsext_status_cb) {
1960 int r;
1961 /* Set resp to NULL, resplen to -1 so callback knows
1962 * there is no response.
1963 */
1964 free(s->tlsext_ocsp_resp);
1965 s->tlsext_ocsp_resp = NULL;
1966 s->tlsext_ocsp_resplen = -1;
1967 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1968 if (r == 0) {
1969 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1970 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1971 }
1972 if (r < 0) {
1973 al = SSL_AD_INTERNAL_ERROR;
1974 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1975 }
1976 }
1977
1978 switch (ret) {
1979 case SSL_TLSEXT_ERR_ALERT_FATAL:
1980 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1981
1982 return -1;
1983 case SSL_TLSEXT_ERR_ALERT_WARNING:
1984 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1985
1986 return 1;
1987 case SSL_TLSEXT_ERR_NOACK:
1988 s->servername_done = 0;
1989 default:
1990 return 1;
1991 }
1992 }
1993
1994 /* Since the server cache lookup is done early on in the processing of the
1995 * ClientHello, and other operations depend on the result, we need to handle
1996 * any TLS session ticket extension at the same time.
1997 *
1998 * session_id: points at the session ID in the ClientHello. This code will
1999 * read past the end of this in order to parse out the session ticket
2000 * extension, if any.
2001 * len: the length of the session ID.
2002 * limit: a pointer to the first byte after the ClientHello.
2003 * ret: (output) on return, if a ticket was decrypted, then this is set to
2004 * point to the resulting session.
2005 *
2006 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2007 * ciphersuite, in which case we have no use for session tickets and one will
2008 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2009 *
2010 * Returns:
2011 * -1: fatal error, either from parsing or decrypting the ticket.
2012 * 0: no ticket was found (or was ignored, based on settings).
2013 * 1: a zero length extension was found, indicating that the client supports
2014 * session tickets but doesn't currently have one to offer.
2015 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2016 * couldn't be decrypted because of a non-fatal error.
2017 * 3: a ticket was successfully decrypted and *ret was set.
2018 *
2019 * Side effects:
2020 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2021 * a new session ticket to the client because the client indicated support
2022 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2023 * a session ticket or we couldn't use the one it gave us, or if
2024 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2025 * Otherwise, s->tlsext_ticket_expected is set to 0.
2026 */
2027 int
2028 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2029 const unsigned char *limit, SSL_SESSION **ret)
2030 {
2031 /* Point after session ID in client hello */
2032 CBS session_id, cookie, cipher_list, compress_algo, extensions;
2033
2034 *ret = NULL;
2035 s->tlsext_ticket_expected = 0;
2036
2037 /* If tickets disabled behave as if no ticket present
2038 * to permit stateful resumption.
2039 */
2040 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2041 return 0;
2042 if (!limit)
2043 return 0;
2044
2045 if (limit < session)
2046 return -1;
2047
2048 CBS_init(&session_id, session, limit - session);
2049
2050 /* Skip past the session id */
2051 if (!CBS_skip(&session_id, session_len))
2052 return -1;
2053
2054 /* Skip past DTLS cookie */
2055 if (SSL_IS_DTLS(s)) {
2056 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2057 return -1;
2058 }
2059
2060 /* Skip past cipher list */
2061 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2062 return -1;
2063
2064 /* Skip past compression algorithm list */
2065 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2066 return -1;
2067
2068 /* Now at start of extensions */
2069 if (CBS_len(&session_id) == 0)
2070 return 0;
2071 if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2072 return -1;
2073
2074 while (CBS_len(&extensions) > 0) {
2075 CBS ext_data;
2076 uint16_t ext_type;
2077
2078 if (!CBS_get_u16(&extensions, &ext_type) ||
2079 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2080 return -1;
2081
2082 if (ext_type == TLSEXT_TYPE_session_ticket) {
2083 int r;
2084 if (CBS_len(&ext_data) == 0) {
2085 /* The client will accept a ticket but doesn't
2086 * currently have one. */
2087 s->tlsext_ticket_expected = 1;
2088 return 1;
2089 }
2090 if (s->tls_session_secret_cb) {
2091 /* Indicate that the ticket couldn't be
2092 * decrypted rather than generating the session
2093 * from ticket now, trigger abbreviated
2094 * handshake based on external mechanism to
2095 * calculate the master secret later. */
2096 return 2;
2097 }
2098
2099 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2100 CBS_len(&ext_data), session, session_len, ret);
2101
2102 switch (r) {
2103 case 2: /* ticket couldn't be decrypted */
2104 s->tlsext_ticket_expected = 1;
2105 return 2;
2106 case 3: /* ticket was decrypted */
2107 return r;
2108 case 4: /* ticket decrypted but need to renew */
2109 s->tlsext_ticket_expected = 1;
2110 return 3;
2111 default: /* fatal error */
2112 return -1;
2113 }
2114 }
2115 }
2116 return 0;
2117 }
2118
2119 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2120 *
2121 * etick: points to the body of the session ticket extension.
2122 * eticklen: the length of the session tickets extenion.
2123 * sess_id: points at the session ID.
2124 * sesslen: the length of the session ID.
2125 * psess: (output) on return, if a ticket was decrypted, then this is set to
2126 * point to the resulting session.
2127 *
2128 * Returns:
2129 * -1: fatal error, either from parsing or decrypting the ticket.
2130 * 2: the ticket couldn't be decrypted.
2131 * 3: a ticket was successfully decrypted and *psess was set.
2132 * 4: same as 3, but the ticket needs to be renewed.
2133 */
2134 static int
2135 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2136 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2137 {
2138 SSL_SESSION *sess;
2139 unsigned char *sdec;
2140 const unsigned char *p;
2141 int slen, mlen, renew_ticket = 0;
2142 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2143 HMAC_CTX hctx;
2144 EVP_CIPHER_CTX ctx;
2145 SSL_CTX *tctx = s->initial_ctx;
2146 /* Need at least keyname + iv + some encrypted data */
2147 if (eticklen < 48)
2148 return 2;
2149 /* Initialize session ticket encryption and HMAC contexts */
2150 HMAC_CTX_init(&hctx);
2151 EVP_CIPHER_CTX_init(&ctx);
2152 if (tctx->tlsext_ticket_key_cb) {
2153 unsigned char *nctick = (unsigned char *)etick;
2154 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2155 &ctx, &hctx, 0);
2156 if (rv < 0) {
2157 EVP_CIPHER_CTX_cleanup(&ctx);
2158 return -1;
2159 }
2160 if (rv == 0) {
2161 EVP_CIPHER_CTX_cleanup(&ctx);
2162 return 2;
2163 }
2164 if (rv == 2)
2165 renew_ticket = 1;
2166 } else {
2167 /* Check key name matches */
2168 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2169 return 2;
2170 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2171 tlsext_tick_md(), NULL);
2172 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2173 tctx->tlsext_tick_aes_key, etick + 16);
2174 }
2175 /* Attempt to process session ticket, first conduct sanity and
2176 * integrity checks on ticket.
2177 */
2178 mlen = HMAC_size(&hctx);
2179 if (mlen < 0) {
2180 EVP_CIPHER_CTX_cleanup(&ctx);
2181 return -1;
2182 }
2183 eticklen -= mlen;
2184 /* Check HMAC of encrypted ticket */
2185 HMAC_Update(&hctx, etick, eticklen);
2186 HMAC_Final(&hctx, tick_hmac, NULL);
2187 HMAC_CTX_cleanup(&hctx);
2188 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2189 EVP_CIPHER_CTX_cleanup(&ctx);
2190 return 2;
2191 }
2192 /* Attempt to decrypt session data */
2193 /* Move p after IV to start of encrypted ticket, update length */
2194 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2195 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2196 sdec = malloc(eticklen);
2197 if (!sdec) {
2198 EVP_CIPHER_CTX_cleanup(&ctx);
2199 return -1;
2200 }
2201 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2202 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2203 free(sdec);
2204 EVP_CIPHER_CTX_cleanup(&ctx);
2205 return 2;
2206 }
2207 slen += mlen;
2208 EVP_CIPHER_CTX_cleanup(&ctx);
2209 p = sdec;
2210
2211 sess = d2i_SSL_SESSION(NULL, &p, slen);
2212 free(sdec);
2213 if (sess) {
2214 /* The session ID, if non-empty, is used by some clients to
2215 * detect that the ticket has been accepted. So we copy it to
2216 * the session structure. If it is empty set length to zero
2217 * as required by standard.
2218 */
2219 if (sesslen)
2220 memcpy(sess->session_id, sess_id, sesslen);
2221 sess->session_id_length = sesslen;
2222 *psess = sess;
2223 if (renew_ticket)
2224 return 4;
2225 else
2226 return 3;
2227 }
2228 ERR_clear_error();
2229 /* For session parse failure, indicate that we need to send a new
2230 * ticket. */
2231 return 2;
2232 }
2233
2234 /* Tables to translate from NIDs to TLS v1.2 ids */
2235
2236 typedef struct {
2237 int nid;
2238 int id;
2239 } tls12_lookup;
2240
2241 static tls12_lookup tls12_md[] = {
2242 {NID_md5, TLSEXT_hash_md5},
2243 {NID_sha1, TLSEXT_hash_sha1},
2244 {NID_sha224, TLSEXT_hash_sha224},
2245 {NID_sha256, TLSEXT_hash_sha256},
2246 {NID_sha384, TLSEXT_hash_sha384},
2247 {NID_sha512, TLSEXT_hash_sha512},
2248 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2249 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2250 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2251 };
2252
2253 static tls12_lookup tls12_sig[] = {
2254 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2255 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2256 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2257 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2258 };
2259
2260 static int
2261 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2262 {
2263 size_t i;
2264 for (i = 0; i < tlen; i++) {
2265 if (table[i].nid == nid)
2266 return table[i].id;
2267 }
2268 return -1;
2269 }
2270
2271 int
2272 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2273 {
2274 int sig_id, md_id;
2275 if (!md)
2276 return 0;
2277 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2278 sizeof(tls12_md) / sizeof(tls12_lookup));
2279 if (md_id == -1)
2280 return 0;
2281 sig_id = tls12_get_sigid(pk);
2282 if (sig_id == -1)
2283 return 0;
2284 p[0] = (unsigned char)md_id;
2285 p[1] = (unsigned char)sig_id;
2286 return 1;
2287 }
2288
2289 int
2290 tls12_get_sigid(const EVP_PKEY *pk)
2291 {
2292 return tls12_find_id(pk->type, tls12_sig,
2293 sizeof(tls12_sig) / sizeof(tls12_lookup));
2294 }
2295
2296 const EVP_MD *
2297 tls12_get_hash(unsigned char hash_alg)
2298 {
2299 switch (hash_alg) {
2300 case TLSEXT_hash_sha1:
2301 return EVP_sha1();
2302 case TLSEXT_hash_sha224:
2303 return EVP_sha224();
2304 case TLSEXT_hash_sha256:
2305 return EVP_sha256();
2306 case TLSEXT_hash_sha384:
2307 return EVP_sha384();
2308 case TLSEXT_hash_sha512:
2309 return EVP_sha512();
2310 #ifndef OPENSSL_NO_GOST
2311 case TLSEXT_hash_gost94:
2312 return EVP_gostr341194();
2313 case TLSEXT_hash_streebog_256:
2314 return EVP_streebog256();
2315 case TLSEXT_hash_streebog_512:
2316 return EVP_streebog512();
2317 #endif
2318 default:
2319 return NULL;
2320 }
2321 }
2322
2323 /* Set preferred digest for each key type */
2324
2325 int
2326 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2327 {
2328 int idx;
2329 const EVP_MD *md;
2330 CERT *c = s->cert;
2331 CBS cbs;
2332
2333 /* Extension ignored for inappropriate versions */
2334 if (!SSL_USE_SIGALGS(s))
2335 return 1;
2336
2337 /* Should never happen */
2338 if (!c || dsize < 0)
2339 return 0;
2340
2341 CBS_init(&cbs, data, dsize);
2342
2343 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2344 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2345 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2346 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2347 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2348
2349 while (CBS_len(&cbs) > 0) {
2350 uint8_t hash_alg, sig_alg;
2351
2352 if (!CBS_get_u8(&cbs, &hash_alg) ||
2353 !CBS_get_u8(&cbs, &sig_alg)) {
2354 /* Should never happen */
2355 return 0;
2356 }
2357
2358 switch (sig_alg) {
2359 case TLSEXT_signature_rsa:
2360 idx = SSL_PKEY_RSA_SIGN;
2361 break;
2362 case TLSEXT_signature_dsa:
2363 idx = SSL_PKEY_DSA_SIGN;
2364 break;
2365 case TLSEXT_signature_ecdsa:
2366 idx = SSL_PKEY_ECC;
2367 break;
2368 case TLSEXT_signature_gostr01:
2369 case TLSEXT_signature_gostr12_256:
2370 case TLSEXT_signature_gostr12_512:
2371 idx = SSL_PKEY_GOST01;
2372 break;
2373 default:
2374 continue;
2375 }
2376
2377 if (c->pkeys[idx].digest == NULL) {
2378 md = tls12_get_hash(hash_alg);
2379 if (md) {
2380 c->pkeys[idx].digest = md;
2381 if (idx == SSL_PKEY_RSA_SIGN)
2382 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2383 }
2384 }
2385
2386 }
2387
2388 /* Set any remaining keys to default values. NOTE: if alg is not
2389 * supported it stays as NULL.
2390 */
2391 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2392 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2393 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2394 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2395 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2396 }
2397 if (!c->pkeys[SSL_PKEY_ECC].digest)
2398 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2399 #ifndef OPENSSL_NO_GOST
2400 if (!c->pkeys[SSL_PKEY_GOST01].digest)
2401 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
2402 #endif
2403 return 1;
2404 }
DragonFly BSD