Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 1258b6a756674d63f172602d8041ccc0dffd03d1 / . / ssl / t1_lib.c
blob: ec4137f774d5134105d0fb24011ee6d9392ddd8f [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
110#include <assert.h>
111
112#include <openssl/evp.h>
113#include <openssl/hmac.h>
114#include <openssl/mem.h>
115#include <openssl/obj.h>
116#include <openssl/rand.h>
117
118#include "ssl_locl.h"
119#ifndef OPENSSL_NO_TLSEXT
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
121 const unsigned char *sess_id, int sesslen,
122 SSL_SESSION **psess);
123static int ssl_check_clienthello_tlsext_early(SSL *s);
124int ssl_check_serverhello_tlsext(SSL *s);
125#endif
126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
201#ifndef OPENSSL_NO_TLSEXT
202 if (s->tlsext_session_ticket)
203 {
204 OPENSSL_free(s->tlsext_session_ticket);
205 }
206#endif /* OPENSSL_NO_TLSEXT */
207 ssl3_free(s);
208 }
209
210void tls1_clear(SSL *s)
211 {
212 ssl3_clear(s);
213 s->version = s->method->version;
214 }
215
216#ifndef OPENSSL_NO_EC
217
218static int nid_list[] =
219 {
220 NID_sect163k1, /* sect163k1 (1) */
221 NID_sect163r1, /* sect163r1 (2) */
222 NID_sect163r2, /* sect163r2 (3) */
223 NID_sect193r1, /* sect193r1 (4) */
224 NID_sect193r2, /* sect193r2 (5) */
225 NID_sect233k1, /* sect233k1 (6) */
226 NID_sect233r1, /* sect233r1 (7) */
227 NID_sect239k1, /* sect239k1 (8) */
228 NID_sect283k1, /* sect283k1 (9) */
229 NID_sect283r1, /* sect283r1 (10) */
230 NID_sect409k1, /* sect409k1 (11) */
231 NID_sect409r1, /* sect409r1 (12) */
232 NID_sect571k1, /* sect571k1 (13) */
233 NID_sect571r1, /* sect571r1 (14) */
234 NID_secp160k1, /* secp160k1 (15) */
235 NID_secp160r1, /* secp160r1 (16) */
236 NID_secp160r2, /* secp160r2 (17) */
237 NID_secp192k1, /* secp192k1 (18) */
238 NID_X9_62_prime192v1, /* secp192r1 (19) */
239 NID_secp224k1, /* secp224k1 (20) */
240 NID_secp224r1, /* secp224r1 (21) */
241 NID_secp256k1, /* secp256k1 (22) */
242 NID_X9_62_prime256v1, /* secp256r1 (23) */
243 NID_secp384r1, /* secp384r1 (24) */
244 NID_secp521r1, /* secp521r1 (25) */
245 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
246 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
247 NID_brainpoolP512r1 /* brainpool512r1 (28) */
248 };
249
250
251static const unsigned char ecformats_default[] =
252 {
253 TLSEXT_ECPOINTFORMAT_uncompressed,
254 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
255 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
256 };
257
258static const unsigned char eccurves_default[] =
259 {
260 0,14, /* sect571r1 (14) */
261 0,13, /* sect571k1 (13) */
262 0,25, /* secp521r1 (25) */
263 0,28, /* brainpool512r1 (28) */
264 0,11, /* sect409k1 (11) */
265 0,12, /* sect409r1 (12) */
266 0,27, /* brainpoolP384r1 (27) */
267 0,24, /* secp384r1 (24) */
268 0,9, /* sect283k1 (9) */
269 0,10, /* sect283r1 (10) */
270 0,26, /* brainpoolP256r1 (26) */
271 0,22, /* secp256k1 (22) */
272 0,23, /* secp256r1 (23) */
273 0,8, /* sect239k1 (8) */
274 0,6, /* sect233k1 (6) */
275 0,7, /* sect233r1 (7) */
276 0,20, /* secp224k1 (20) */
277 0,21, /* secp224r1 (21) */
278 0,4, /* sect193r1 (4) */
279 0,5, /* sect193r2 (5) */
280 0,18, /* secp192k1 (18) */
281 0,19, /* secp192r1 (19) */
282 0,1, /* sect163k1 (1) */
283 0,2, /* sect163r1 (2) */
284 0,3, /* sect163r2 (3) */
285 0,15, /* secp160k1 (15) */
286 0,16, /* secp160r1 (16) */
287 0,17, /* secp160r2 (17) */
288 };
289
290static const unsigned char suiteb_curves[] =
291 {
292 0, TLSEXT_curve_P_256,
293 0, TLSEXT_curve_P_384
294 };
295
296int tls1_ec_curve_id2nid(int curve_id)
297 {
298 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
299 if ((curve_id < 1) || ((unsigned int)curve_id >
300 sizeof(nid_list)/sizeof(nid_list[0])))
301 return 0;
302 return nid_list[curve_id-1];
303 }
304
305int tls1_ec_nid2curve_id(int nid)
306 {
307 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
308 switch (nid)
309 {
310 case NID_sect163k1: /* sect163k1 (1) */
311 return 1;
312 case NID_sect163r1: /* sect163r1 (2) */
313 return 2;
314 case NID_sect163r2: /* sect163r2 (3) */
315 return 3;
316 case NID_sect193r1: /* sect193r1 (4) */
317 return 4;
318 case NID_sect193r2: /* sect193r2 (5) */
319 return 5;
320 case NID_sect233k1: /* sect233k1 (6) */
321 return 6;
322 case NID_sect233r1: /* sect233r1 (7) */
323 return 7;
324 case NID_sect239k1: /* sect239k1 (8) */
325 return 8;
326 case NID_sect283k1: /* sect283k1 (9) */
327 return 9;
328 case NID_sect283r1: /* sect283r1 (10) */
329 return 10;
330 case NID_sect409k1: /* sect409k1 (11) */
331 return 11;
332 case NID_sect409r1: /* sect409r1 (12) */
333 return 12;
334 case NID_sect571k1: /* sect571k1 (13) */
335 return 13;
336 case NID_sect571r1: /* sect571r1 (14) */
337 return 14;
338 case NID_secp160k1: /* secp160k1 (15) */
339 return 15;
340 case NID_secp160r1: /* secp160r1 (16) */
341 return 16;
342 case NID_secp160r2: /* secp160r2 (17) */
343 return 17;
344 case NID_secp192k1: /* secp192k1 (18) */
345 return 18;
346 case NID_X9_62_prime192v1: /* secp192r1 (19) */
347 return 19;
348 case NID_secp224k1: /* secp224k1 (20) */
349 return 20;
350 case NID_secp224r1: /* secp224r1 (21) */
351 return 21;
352 case NID_secp256k1: /* secp256k1 (22) */
353 return 22;
354 case NID_X9_62_prime256v1: /* secp256r1 (23) */
355 return 23;
356 case NID_secp384r1: /* secp384r1 (24) */
357 return 24;
358 case NID_secp521r1: /* secp521r1 (25) */
359 return 25;
360 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
361 return 26;
362 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
363 return 27;
364 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
365 return 28;
366 default:
367 return 0;
368 }
369 }
370/* Get curves list, if "sess" is set return client curves otherwise
371 * preferred list
372 */
373static void tls1_get_curvelist(SSL *s, int sess,
374 const unsigned char **pcurves,
375 size_t *pcurveslen)
376 {
377 if (sess)
378 {
379 *pcurves = s->session->tlsext_ellipticcurvelist;
380 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
381 return;
382 }
383 /* For Suite B mode only include P-256, P-384 */
384 switch (tls1_suiteb(s))
385 {
386 case SSL_CERT_FLAG_SUITEB_128_LOS:
387 *pcurves = suiteb_curves;
388 *pcurveslen = sizeof(suiteb_curves);
389 break;
390
391 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
392 *pcurves = suiteb_curves;
393 *pcurveslen = 2;
394 break;
395
396 case SSL_CERT_FLAG_SUITEB_192_LOS:
397 *pcurves = suiteb_curves + 2;
398 *pcurveslen = 2;
399 break;
400 default:
401 *pcurves = s->tlsext_ellipticcurvelist;
402 *pcurveslen = s->tlsext_ellipticcurvelist_length;
403 }
404 if (!*pcurves)
405 {
406 *pcurves = eccurves_default;
407 *pcurveslen = sizeof(eccurves_default);
408 }
409 }
410/* Check a curve is one of our preferences */
411int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
412 {
413 const unsigned char *curves;
414 size_t curveslen, i;
415 unsigned int suiteb_flags = tls1_suiteb(s);
416 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
417 return 0;
418 /* Check curve matches Suite B preferences */
419 if (suiteb_flags)
420 {
421 unsigned long cid = s->s3->tmp.new_cipher->id;
422 if (p[1])
423 return 0;
424 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
425 {
426 if (p[2] != TLSEXT_curve_P_256)
427 return 0;
428 }
429 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
430 {
431 if (p[2] != TLSEXT_curve_P_384)
432 return 0;
433 }
434 else /* Should never happen */
435 return 0;
436 }
437 tls1_get_curvelist(s, 0, &curves, &curveslen);
438 for (i = 0; i < curveslen; i += 2, curves += 2)
439 {
440 if (p[1] == curves[0] && p[2] == curves[1])
441 return 1;
442 }
443 return 0;
444 }
445
446/* Return nth shared curve. If nmatch == -1 return number of
447 * matches. For nmatch == -2 return the NID of the curve to use for
448 * an EC tmp key.
449 */
450
451int tls1_shared_curve(SSL *s, int nmatch)
452 {
453 const unsigned char *pref, *supp;
454 size_t preflen, supplen, i, j;
455 int k;
456 /* Can't do anything on client side */
457 if (s->server == 0)
458 return -1;
459 if (nmatch == -2)
460 {
461 if (tls1_suiteb(s))
462 {
463 /* For Suite B ciphersuite determines curve: we
464 * already know these are acceptable due to previous
465 * checks.
466 */
467 unsigned long cid = s->s3->tmp.new_cipher->id;
468 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
469 return NID_X9_62_prime256v1; /* P-256 */
470 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
471 return NID_secp384r1; /* P-384 */
472 /* Should never happen */
473 return NID_undef;
474 }
475 /* If not Suite B just return first preference shared curve */
476 nmatch = 0;
477 }
478 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
479 &supp, &supplen);
480 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
481 &pref, &preflen);
482 preflen /= 2;
483 supplen /= 2;
484 k = 0;
485 for (i = 0; i < preflen; i++, pref+=2)
486 {
487 const unsigned char *tsupp = supp;
488 for (j = 0; j < supplen; j++, tsupp+=2)
489 {
490 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
491 {
492 if (nmatch == k)
493 {
494 int id = (pref[0] << 8) | pref[1];
495 return tls1_ec_curve_id2nid(id);
496 }
497 k++;
498 }
499 }
500 }
501 if (nmatch == -1)
502 return k;
503 return 0;
504 }
505
506int tls1_set_curves(unsigned char **pext, size_t *pextlen,
507 int *curves, size_t ncurves)
508 {
509 unsigned char *clist, *p;
510 size_t i;
511 /* Bitmap of curves included to detect duplicates: only works
512 * while curve ids < 32
513 */
514 unsigned long dup_list = 0;
515 clist = OPENSSL_malloc(ncurves * 2);
516 if (!clist)
517 return 0;
518 for (i = 0, p = clist; i < ncurves; i++)
519 {
520 unsigned long idmask;
521 int id;
522 id = tls1_ec_nid2curve_id(curves[i]);
523 idmask = 1L << id;
524 if (!id || (dup_list & idmask))
525 {
526 OPENSSL_free(clist);
527 return 0;
528 }
529 dup_list |= idmask;
530 s2n(id, p);
531 }
532 if (*pext)
533 OPENSSL_free(*pext);
534 *pext = clist;
535 *pextlen = ncurves * 2;
536 return 1;
537 }
538
539/* TODO(fork): remove */
540#if 0
541#define MAX_CURVELIST 28
542
543typedef struct
544 {
545 size_t nidcnt;
546 int nid_arr[MAX_CURVELIST];
547 } nid_cb_st;
548
549static int nid_cb(const char *elem, int len, void *arg)
550 {
551 nid_cb_st *narg = arg;
552 size_t i;
553 int nid;
554 char etmp[20];
555 if (narg->nidcnt == MAX_CURVELIST)
556 return 0;
557 if (len > (int)(sizeof(etmp) - 1))
558 return 0;
559 memcpy(etmp, elem, len);
560 etmp[len] = 0;
561 nid = EC_curve_nist2nid(etmp);
562 if (nid == NID_undef)
563 nid = OBJ_sn2nid(etmp);
564 if (nid == NID_undef)
565 nid = OBJ_ln2nid(etmp);
566 if (nid == NID_undef)
567 return 0;
568 for (i = 0; i < narg->nidcnt; i++)
569 if (narg->nid_arr[i] == nid)
570 return 0;
571 narg->nid_arr[narg->nidcnt++] = nid;
572 return 1;
573 }
574/* Set curves based on a colon separate list */
575int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
576 const char *str)
577 {
578 nid_cb_st ncb;
579 ncb.nidcnt = 0;
580 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
581 return 0;
582 if (pext == NULL)
583 return 1;
584 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
585 }
586#endif
587
588/* For an EC key set TLS id and required compression based on parameters */
589static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
590 EC_KEY *ec)
591 {
592 int is_prime = 1, id;
593 const EC_GROUP *grp;
594 if (!ec)
595 return 0;
596
597 /* TODO(fork): remove. All curves are prime now. */
598 grp = EC_KEY_get0_group(ec);
599 if (!grp)
600 return 0;
601#if 0
602 /* Determine if it is a prime field */
603 meth = EC_GROUP_method_of(grp);
604 if (!meth)
605 return 0;
606 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
607 is_prime = 1;
608 else
609 is_prime = 0;
610#endif
611
612 /* Determine curve ID */
613 id = EC_GROUP_get_curve_name(grp);
614 id = tls1_ec_nid2curve_id(id);
615 /* If we have an ID set it, otherwise set arbitrary explicit curve */
616 if (id)
617 {
618 curve_id[0] = 0;
619 curve_id[1] = (unsigned char)id;
620 }
621 else
622 {
623 curve_id[0] = 0xff;
624 if (is_prime)
625 curve_id[1] = 0x01;
626 else
627 curve_id[1] = 0x02;
628 }
629 if (comp_id)
630 {
631 if (EC_KEY_get0_public_key(ec) == NULL)
632 return 0;
633 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
634 {
635 if (is_prime)
636 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
637 else
638 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
639 }
640 else
641 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
642 }
643 return 1;
644 }
645/* Check an EC key is compatible with extensions */
646static int tls1_check_ec_key(SSL *s,
647 unsigned char *curve_id, unsigned char *comp_id)
648 {
649 const unsigned char *p;
650 size_t plen, i;
651 int j;
652 /* If point formats extension present check it, otherwise everything
653 * is supported (see RFC4492).
654 */
655 if (comp_id && s->session->tlsext_ecpointformatlist)
656 {
657 p = s->session->tlsext_ecpointformatlist;
658 plen = s->session->tlsext_ecpointformatlist_length;
659 for (i = 0; i < plen; i++, p++)
660 {
661 if (*comp_id == *p)
662 break;
663 }
664 if (i == plen)
665 return 0;
666 }
667 if (!curve_id)
668 return 1;
669 /* Check curve is consistent with client and server preferences */
670 for (j = 0; j <= 1; j++)
671 {
672 tls1_get_curvelist(s, j, &p, &plen);
673 for (i = 0; i < plen; i+=2, p+=2)
674 {
675 if (p[0] == curve_id[0] && p[1] == curve_id[1])
676 break;
677 }
678 if (i == plen)
679 return 0;
680 /* For clients can only check sent curve list */
681 if (!s->server)
682 return 1;
683 }
684 return 1;
685 }
686
687static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
688 size_t *pformatslen)
689 {
690 /* If we have a custom point format list use it otherwise
691 * use default */
692 if (s->tlsext_ecpointformatlist)
693 {
694 *pformats = s->tlsext_ecpointformatlist;
695 *pformatslen = s->tlsext_ecpointformatlist_length;
696 }
697 else
698 {
699 *pformats = ecformats_default;
700 /* For Suite B we don't support char2 fields */
701 if (tls1_suiteb(s))
702 *pformatslen = sizeof(ecformats_default) - 1;
703 else
704 *pformatslen = sizeof(ecformats_default);
705 }
706 }
707
708/* Check cert parameters compatible with extensions: currently just checks
709 * EC certificates have compatible curves and compression.
710 */
711static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
712 {
713 unsigned char comp_id, curve_id[2];
714 EVP_PKEY *pkey;
715 int rv;
716 pkey = X509_get_pubkey(x);
717 if (!pkey)
718 return 0;
719 /* If not EC nothing to do */
720 if (pkey->type != EVP_PKEY_EC)
721 {
722 EVP_PKEY_free(pkey);
723 return 1;
724 }
725 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
726 EVP_PKEY_free(pkey);
727 if (!rv)
728 return 0;
729 /* Can't check curve_id for client certs as we don't have a
730 * supported curves extension.
731 */
732 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
733 if (!rv)
734 return 0;
735 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
736 * SHA384+P-384, adjust digest if necessary.
737 */
738 if (set_ee_md && tls1_suiteb(s))
739 {
740 int check_md;
741 size_t i;
742 CERT *c = s->cert;
743 if (curve_id[0])
744 return 0;
745 /* Check to see we have necessary signing algorithm */
746 if (curve_id[1] == TLSEXT_curve_P_256)
747 check_md = NID_ecdsa_with_SHA256;
748 else if (curve_id[1] == TLSEXT_curve_P_384)
749 check_md = NID_ecdsa_with_SHA384;
750 else
751 return 0; /* Should never happen */
752 for (i = 0; i < c->shared_sigalgslen; i++)
753 if (check_md == c->shared_sigalgs[i].signandhash_nid)
754 break;
755 if (i == c->shared_sigalgslen)
756 return 0;
757 if (set_ee_md == 2)
758 {
759 if (check_md == NID_ecdsa_with_SHA256)
760 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
761 else
762 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
763 }
764 }
765 return rv;
766 }
767/* Check EC temporary key is compatible with client extensions */
768int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
769 {
770 unsigned char curve_id[2];
771 EC_KEY *ec = s->cert->ecdh_tmp;
772#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
773 /* Allow any curve: not just those peer supports */
774 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
775 return 1;
776#endif
777 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
778 * no other curves permitted.
779 */
780 if (tls1_suiteb(s))
781 {
782 /* Curve to check determined by ciphersuite */
783 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
784 curve_id[1] = TLSEXT_curve_P_256;
785 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
786 curve_id[1] = TLSEXT_curve_P_384;
787 else
788 return 0;
789 curve_id[0] = 0;
790 /* Check this curve is acceptable */
791 if (!tls1_check_ec_key(s, curve_id, NULL))
792 return 0;
793 /* If auto or setting curve from callback assume OK */
794 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
795 return 1;
796 /* Otherwise check curve is acceptable */
797 else
798 {
799 unsigned char curve_tmp[2];
800 if (!ec)
801 return 0;
802 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
803 return 0;
804 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
805 return 1;
806 return 0;
807 }
808
809 }
810 if (s->cert->ecdh_tmp_auto)
811 {
812 /* Need a shared curve */
813 if (tls1_shared_curve(s, 0))
814 return 1;
815 else return 0;
816 }
817 if (!ec)
818 {
819 if (s->cert->ecdh_tmp_cb)
820 return 1;
821 else
822 return 0;
823 }
824 if (!tls1_set_ec_id(curve_id, NULL, ec))
825 return 0;
826/* Set this to allow use of invalid curves for testing */
827#if 0
828 return 1;
829#else
830 return tls1_check_ec_key(s, curve_id, NULL);
831#endif
832 }
833
834#else
835
836static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
837 {
838 return 1;
839 }
840
841#endif /* OPENSSL_NO_EC */
842
843#ifndef OPENSSL_NO_TLSEXT
844
845/* List of supported signature algorithms and hashes. Should make this
846 * customisable at some point, for now include everything we support.
847 */
848
849#ifdef OPENSSL_NO_RSA
850#define tlsext_sigalg_rsa(md) /* */
851#else
852#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
853#endif
854
855#ifdef OPENSSL_NO_DSA
856#define tlsext_sigalg_dsa(md) /* */
857#else
858#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
859#endif
860
861#ifdef OPENSSL_NO_ECDSA
862#define tlsext_sigalg_ecdsa(md) /* */
863#else
864#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
865#endif
866
867#define tlsext_sigalg(md) \
868 tlsext_sigalg_rsa(md) \
869 tlsext_sigalg_dsa(md) \
870 tlsext_sigalg_ecdsa(md)
871
872static unsigned char tls12_sigalgs[] = {
873#ifndef OPENSSL_NO_SHA512
874 tlsext_sigalg(TLSEXT_hash_sha512)
875 tlsext_sigalg(TLSEXT_hash_sha384)
876#endif
877#ifndef OPENSSL_NO_SHA256
878 tlsext_sigalg(TLSEXT_hash_sha256)
879 tlsext_sigalg(TLSEXT_hash_sha224)
880#endif
881#ifndef OPENSSL_NO_SHA
882 tlsext_sigalg(TLSEXT_hash_sha1)
883#endif
884};
885#ifndef OPENSSL_NO_ECDSA
886static unsigned char suiteb_sigalgs[] = {
887 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
888 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
889};
890#endif
891size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
892 {
893 /* If Suite B mode use Suite B sigalgs only, ignore any other
894 * preferences.
895 */
896#ifndef OPENSSL_NO_EC
897 switch (tls1_suiteb(s))
898 {
899 case SSL_CERT_FLAG_SUITEB_128_LOS:
900 *psigs = suiteb_sigalgs;
901 return sizeof(suiteb_sigalgs);
902
903 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
904 *psigs = suiteb_sigalgs;
905 return 2;
906
907 case SSL_CERT_FLAG_SUITEB_192_LOS:
908 *psigs = suiteb_sigalgs + 2;
909 return 2;
910 }
911#endif
912 /* If server use client authentication sigalgs if not NULL */
913 if (s->server && s->cert->client_sigalgs)
914 {
915 *psigs = s->cert->client_sigalgs;
916 return s->cert->client_sigalgslen;
917 }
918 else if (s->cert->conf_sigalgs)
919 {
920 *psigs = s->cert->conf_sigalgs;
921 return s->cert->conf_sigalgslen;
922 }
923 else
924 {
925 *psigs = tls12_sigalgs;
926 return sizeof(tls12_sigalgs);
927 }
928 }
929/* Check signature algorithm is consistent with sent supported signature
930 * algorithms and if so return relevant digest.
931 */
932int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
933 const unsigned char *sig, EVP_PKEY *pkey)
934 {
935 const unsigned char *sent_sigs;
936 size_t sent_sigslen, i;
937 int sigalg = tls12_get_sigid(pkey);
938 /* Should never happen */
939 if (sigalg == -1)
940 return -1;
941 /* Check key type is consistent with signature */
942 if (sigalg != (int)sig[1])
943 {
944 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
945 return 0;
946 }
947#ifndef OPENSSL_NO_EC
948 if (pkey->type == EVP_PKEY_EC)
949 {
950 unsigned char curve_id[2], comp_id;
951 /* Check compression and curve matches extensions */
952 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
953 return 0;
954 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
955 {
956 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
957 return 0;
958 }
959 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
960 if (tls1_suiteb(s))
961 {
962 if (curve_id[0])
963 return 0;
964 if (curve_id[1] == TLSEXT_curve_P_256)
965 {
966 if (sig[0] != TLSEXT_hash_sha256)
967 {
968 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
969 return 0;
970 }
971 }
972 else if (curve_id[1] == TLSEXT_curve_P_384)
973 {
974 if (sig[0] != TLSEXT_hash_sha384)
975 {
976 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
977 return 0;
978 }
979 }
980 else
981 return 0;
982 }
983 }
984 else if (tls1_suiteb(s))
985 return 0;
986#endif
987
988 /* Check signature matches a type we sent */
989 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
990 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
991 {
992 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
993 break;
994 }
995 /* Allow fallback to SHA1 if not strict mode */
996 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
997 {
998 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
999 return 0;
1000 }
1001 *pmd = tls12_get_hash(sig[0]);
1002 if (*pmd == NULL)
1003 {
1004 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1005 return 0;
1006 }
1007 /* Store the digest used so applications can retrieve it if they
1008 * wish.
1009 */
1010 if (s->session && s->session->sess_cert)
1011 s->session->sess_cert->peer_key->digest = *pmd;
1012 return 1;
1013 }
1014/* Get a mask of disabled algorithms: an algorithm is disabled
1015 * if it isn't supported or doesn't appear in supported signature
1016 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1017 * session and not global settings.
1018 *
1019 */
1020void ssl_set_client_disabled(SSL *s)
1021 {
1022 CERT *c = s->cert;
1023 const unsigned char *sigalgs;
1024 size_t i, sigalgslen;
1025 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1026 c->mask_a = 0;
1027 c->mask_k = 0;
1028 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1029 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1030 c->mask_ssl = SSL_TLSV1_2;
1031 else
1032 c->mask_ssl = 0;
1033 /* Now go through all signature algorithms seeing if we support
1034 * any for RSA, DSA, ECDSA. Do this for all versions not just
1035 * TLS 1.2.
1036 */
1037 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1038 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1039 {
1040 switch(sigalgs[1])
1041 {
1042#ifndef OPENSSL_NO_RSA
1043 case TLSEXT_signature_rsa:
1044 have_rsa = 1;
1045 break;
1046#endif
1047#ifndef OPENSSL_NO_DSA
1048 case TLSEXT_signature_dsa:
1049 have_dsa = 1;
1050 break;
1051#endif
1052#ifndef OPENSSL_NO_ECDSA
1053 case TLSEXT_signature_ecdsa:
1054 have_ecdsa = 1;
1055 break;
1056#endif
1057 }
1058 }
1059 /* Disable auth and static DH if we don't include any appropriate
1060 * signature algorithms.
1061 */
1062 if (!have_rsa)
1063 {
1064 c->mask_a |= SSL_aRSA;
1065 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1066 }
1067 if (!have_dsa)
1068 {
1069 c->mask_a |= SSL_aDSS;
1070 c->mask_k |= SSL_kDHd;
1071 }
1072 if (!have_ecdsa)
1073 {
1074 c->mask_a |= SSL_aECDSA;
1075 c->mask_k |= SSL_kECDHe;
1076 }
1077#ifndef OPENSSL_NO_PSK
1078 /* with PSK there must be client callback set */
1079 if (!s->psk_client_callback)
1080 {
1081 c->mask_a |= SSL_aPSK;
1082 c->mask_k |= SSL_kPSK;
1083 }
1084#endif /* OPENSSL_NO_PSK */
1085 c->valid = 1;
1086 }
1087
1088/* byte_compare is a compare function for qsort(3) that compares bytes. */
1089static int byte_compare(const void *in_a, const void *in_b)
1090 {
1091 unsigned char a = *((const unsigned char*) in_a);
1092 unsigned char b = *((const unsigned char*) in_b);
1093
1094 if (a > b)
1095 return 1;
1096 else if (a < b)
1097 return -1;
1098 return 0;
1099}
1100
1101unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1102 {
1103 int extdatalen=0;
1104 unsigned char *ret = p;
1105#ifndef OPENSSL_NO_EC
1106 /* See if we support any ECC ciphersuites */
1107 int using_ecc = 0;
1108 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1109 {
1110 int i;
1111 unsigned long alg_k, alg_a;
1112 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1113
1114 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1115 {
1116 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1117
1118 alg_k = c->algorithm_mkey;
1119 alg_a = c->algorithm_auth;
1120 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1121 || (alg_a & SSL_aECDSA)))
1122 {
1123 using_ecc = 1;
1124 break;
1125 }
1126 }
1127 }
1128#endif
1129
1130 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1131 if (s->client_version == SSL3_VERSION
1132 && !s->s3->send_connection_binding)
1133 return p;
1134
1135 ret+=2;
1136
1137 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1138
1139 if (s->tlsext_hostname != NULL)
1140 {
1141 /* Add TLS extension servername to the Client Hello message */
1142 unsigned long size_str;
1143 long lenmax;
1144
1145 /* check for enough space.
1146 4 for the servername type and entension length
1147 2 for servernamelist length
1148 1 for the hostname type
1149 2 for hostname length
1150 + hostname length
1151 */
1152
1153 if ((lenmax = limit - ret - 9) < 0
1154 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1155 return NULL;
1156
1157 /* extension type and length */
1158 s2n(TLSEXT_TYPE_server_name,ret);
1159 s2n(size_str+5,ret);
1160
1161 /* length of servername list */
1162 s2n(size_str+3,ret);
1163
1164 /* hostname type, length and hostname */
1165 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1166 s2n(size_str,ret);
1167 memcpy(ret, s->tlsext_hostname, size_str);
1168 ret+=size_str;
1169 }
1170
1171 /* Add RI if renegotiating */
1172 if (s->renegotiate)
1173 {
1174 int el;
1175
1176 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1177 {
1178 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1179 return NULL;
1180 }
1181
1182 if((limit - p - 4 - el) < 0) return NULL;
1183
1184 s2n(TLSEXT_TYPE_renegotiate,ret);
1185 s2n(el,ret);
1186
1187 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1188 {
1189 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1190 return NULL;
1191 }
1192
1193 ret += el;
1194 }
1195
1196
1197#ifndef OPENSSL_NO_EC
1198 if (using_ecc)
1199 {
1200 /* Add TLS extension ECPointFormats to the ClientHello message */
1201 long lenmax;
1202 const unsigned char *plist;
1203 size_t plistlen;
1204
1205 tls1_get_formatlist(s, &plist, &plistlen);
1206
1207 if ((lenmax = limit - ret - 5) < 0) return NULL;
1208 if (plistlen > (size_t)lenmax) return NULL;
1209 if (plistlen > 255)
1210 {
1211 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1212 return NULL;
1213 }
1214
1215 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1216 s2n(plistlen + 1,ret);
1217 *(ret++) = (unsigned char)plistlen ;
1218 memcpy(ret, plist, plistlen);
1219 ret+=plistlen;
1220
1221 /* Add TLS extension EllipticCurves to the ClientHello message */
1222 plist = s->tlsext_ellipticcurvelist;
1223 tls1_get_curvelist(s, 0, &plist, &plistlen);
1224
1225 if ((lenmax = limit - ret - 6) < 0) return NULL;
1226 if (plistlen > (size_t)lenmax) return NULL;
1227 if (plistlen > 65532)
1228 {
1229 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1230 return NULL;
1231 }
1232
1233 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1234 s2n(plistlen + 2, ret);
1235
1236 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1237 * elliptic_curve_list, but the examples use two bytes.
1238 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1239 * resolves this to two bytes.
1240 */
1241 s2n(plistlen, ret);
1242 memcpy(ret, plist, plistlen);
1243 ret+=plistlen;
1244 }
1245#endif /* OPENSSL_NO_EC */
1246
1247 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1248 {
1249 int ticklen;
1250 if (!s->new_session && s->session && s->session->tlsext_tick)
1251 ticklen = s->session->tlsext_ticklen;
1252 else if (s->session && s->tlsext_session_ticket &&
1253 s->tlsext_session_ticket->data)
1254 {
1255 ticklen = s->tlsext_session_ticket->length;
1256 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1257 if (!s->session->tlsext_tick)
1258 return NULL;
1259 memcpy(s->session->tlsext_tick,
1260 s->tlsext_session_ticket->data,
1261 ticklen);
1262 s->session->tlsext_ticklen = ticklen;
1263 }
1264 else
1265 ticklen = 0;
1266 if (ticklen == 0 && s->tlsext_session_ticket &&
1267 s->tlsext_session_ticket->data == NULL)
1268 goto skip_ext;
1269 /* Check for enough room 2 for extension type, 2 for len
1270 * rest for ticket
1271 */
1272 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1273 s2n(TLSEXT_TYPE_session_ticket,ret);
1274 s2n(ticklen,ret);
1275 if (ticklen)
1276 {
1277 memcpy(ret, s->session->tlsext_tick, ticklen);
1278 ret += ticklen;
1279 }
1280 }
1281 skip_ext:
1282
1283 if (SSL_USE_SIGALGS(s))
1284 {
1285 size_t salglen;
1286 const unsigned char *salg;
1287 salglen = tls12_get_psigalgs(s, &salg);
1288 if ((size_t)(limit - ret) < salglen + 6)
1289 return NULL;
1290 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1291 s2n(salglen + 2, ret);
1292 s2n(salglen, ret);
1293 memcpy(ret, salg, salglen);
1294 ret += salglen;
1295 }
1296
1297#ifdef TLSEXT_TYPE_opaque_prf_input
1298 if (s->s3->client_opaque_prf_input != NULL)
1299 {
1300 size_t col = s->s3->client_opaque_prf_input_len;
1301
1302 if ((long)(limit - ret - 6 - col < 0))
1303 return NULL;
1304 if (col > 0xFFFD) /* can't happen */
1305 return NULL;
1306
1307 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1308 s2n(col + 2, ret);
1309 s2n(col, ret);
1310 memcpy(ret, s->s3->client_opaque_prf_input, col);
1311 ret += col;
1312 }
1313#endif
1314
1315 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1316#if 0
1317 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1318 {
1319 int i;
1320 long extlen, idlen, itmp;
1321 OCSP_RESPID *id;
1322
1323 idlen = 0;
1324 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1325 {
1326 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1327 itmp = i2d_OCSP_RESPID(id, NULL);
1328 if (itmp <= 0)
1329 return NULL;
1330 idlen += itmp + 2;
1331 }
1332
1333 if (s->tlsext_ocsp_exts)
1334 {
1335 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1336 if (extlen < 0)
1337 return NULL;
1338 }
1339 else
1340 extlen = 0;
1341
1342 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1343 s2n(TLSEXT_TYPE_status_request, ret);
1344 if (extlen + idlen > 0xFFF0)
1345 return NULL;
1346 s2n(extlen + idlen + 5, ret);
1347 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1348 s2n(idlen, ret);
1349 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1350 {
1351 /* save position of id len */
1352 unsigned char *q = ret;
1353 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1354 /* skip over id len */
1355 ret += 2;
1356 itmp = i2d_OCSP_RESPID(id, &ret);
1357 /* write id len */
1358 s2n(itmp, q);
1359 }
1360 s2n(extlen, ret);
1361 if (extlen > 0)
1362 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1363 }
1364#endif
1365
1366#ifndef OPENSSL_NO_HEARTBEATS
1367 /* Add Heartbeat extension */
1368 s2n(TLSEXT_TYPE_heartbeat,ret);
1369 s2n(1,ret);
1370 /* Set mode:
1371 * 1: peer may send requests
1372 * 2: peer not allowed to send requests
1373 */
1374 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1375 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1376 else
1377 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1378#endif
1379
1380#ifndef OPENSSL_NO_NEXTPROTONEG
1381 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1382 {
1383 /* The client advertises an emtpy extension to indicate its
1384 * support for Next Protocol Negotiation */
1385 if (limit - ret - 4 < 0)
1386 return NULL;
1387 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1388 s2n(0,ret);
1389 }
1390#endif
1391
1392 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1393 {
1394 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1395 return NULL;
1396 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1397 s2n(2 + s->alpn_client_proto_list_len,ret);
1398 s2n(s->alpn_client_proto_list_len,ret);
1399 memcpy(ret, s->alpn_client_proto_list,
1400 s->alpn_client_proto_list_len);
1401 ret += s->alpn_client_proto_list_len;
1402 }
1403
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame^]1404 if (s->tlsext_channel_id_enabled)
1405 {
1406 /* The client advertises an emtpy extension to indicate its
1407 * support for Channel ID. */
1408 if (limit - ret - 4 < 0)
1409 return NULL;
1410 if (s->ctx->tlsext_channel_id_enabled_new)
1411 s2n(TLSEXT_TYPE_channel_id_new,ret);
1412 else
1413 s2n(TLSEXT_TYPE_channel_id,ret);
1414 s2n(0,ret);
1415 }
1416
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1417 if(SSL_get_srtp_profiles(s))
1418 {
1419 int el;
1420
1421 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1422
1423 if((limit - p - 4 - el) < 0) return NULL;
1424
1425 s2n(TLSEXT_TYPE_use_srtp,ret);
1426 s2n(el,ret);
1427
1428 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1429 {
1430 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1431 return NULL;
1432 }
1433 ret += el;
1434 }
1435
1436 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1437 /* 2 bytes for extension type */
1438 /* 2 bytes for extension length */
1439 /* 1 byte for the list length */
1440 /* 1 byte for the list (we only support audit proofs) */
1441 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1442 {
1443 const unsigned short ext_len = 2;
1444 const unsigned char list_len = 1;
1445
1446 if (limit < ret + 6)
1447 return NULL;
1448
1449 s2n(TLSEXT_TYPE_server_authz, ret);
1450 /* Extension length: 2 bytes */
1451 s2n(ext_len, ret);
1452 *(ret++) = list_len;
1453 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1454 }
1455
1456 /* Add custom TLS Extensions to ClientHello */
1457 if (s->ctx->custom_cli_ext_records_count)
1458 {
1459 size_t i;
1460 custom_cli_ext_record* record;
1461
1462 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1463 {
1464 const unsigned char* out = NULL;
1465 unsigned short outlen = 0;
1466
1467 record = &s->ctx->custom_cli_ext_records[i];
1468 /* NULL callback sends empty extension */
1469 /* -1 from callback omits extension */
1470 if (record->fn1)
1471 {
1472 int cb_retval = 0;
1473 cb_retval = record->fn1(s, record->ext_type,
1474 &out, &outlen,
1475 record->arg);
1476 if (cb_retval == 0)
1477 return NULL; /* error */
1478 if (cb_retval == -1)
1479 continue; /* skip this extension */
1480 }
1481 if (limit < ret + 4 + outlen)
1482 return NULL;
1483 s2n(record->ext_type, ret);
1484 s2n(outlen, ret);
1485 memcpy(ret, out, outlen);
1486 ret += outlen;
1487 }
1488 }
1489
1490#ifdef TLSEXT_TYPE_padding
1491 /* Add padding to workaround bugs in F5 terminators.
1492 * See https://tools.ietf.org/html/draft-agl-tls-padding-02
1493 *
1494 * NB: because this code works out the length of all existing
1495 * extensions it MUST always appear last.
1496 */
1497 {
1498 int hlen = ret - (unsigned char *)s->init_buf->data;
1499 /* The code in s23_clnt.c to build ClientHello messages includes the
1500 * 5-byte record header in the buffer, while the code in s3_clnt.c does
1501 * not. */
1502 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1503 hlen -= 5;
1504 if (hlen > 0xff && hlen < 0x200)
1505 {
1506 hlen = 0x200 - hlen;
1507 if (hlen >= 4)
1508 hlen -= 4;
1509 else
1510 hlen = 0;
1511
1512 s2n(TLSEXT_TYPE_padding, ret);
1513 s2n(hlen, ret);
1514 memset(ret, 0, hlen);
1515 ret += hlen;
1516 }
1517#endif
1518
1519 if ((extdatalen = ret-p-2) == 0)
1520 return p;
1521
1522 s2n(extdatalen,p);
1523 return ret;
1524 }
1525
1526unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1527 {
1528 int extdatalen=0;
1529 unsigned char *ret = p;
1530#ifndef OPENSSL_NO_NEXTPROTONEG
1531 int next_proto_neg_seen;
1532#endif
1533#ifndef OPENSSL_NO_EC
1534 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1535 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1536 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1537 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1538#endif
1539 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1540 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1541 return p;
1542
1543 ret+=2;
1544 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1545
1546 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1547 {
1548 if ((long)(limit - ret - 4) < 0) return NULL;
1549
1550 s2n(TLSEXT_TYPE_server_name,ret);
1551 s2n(0,ret);
1552 }
1553
1554 if(s->s3->send_connection_binding)
1555 {
1556 int el;
1557
1558 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1559 {
1560 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1561 return NULL;
1562 }
1563
1564 if((limit - p - 4 - el) < 0) return NULL;
1565
1566 s2n(TLSEXT_TYPE_renegotiate,ret);
1567 s2n(el,ret);
1568
1569 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1570 {
1571 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1572 return NULL;
1573 }
1574
1575 ret += el;
1576 }
1577
1578#ifndef OPENSSL_NO_EC
1579 if (using_ecc)
1580 {
1581 const unsigned char *plist;
1582 size_t plistlen;
1583 /* Add TLS extension ECPointFormats to the ServerHello message */
1584 long lenmax;
1585
1586 tls1_get_formatlist(s, &plist, &plistlen);
1587
1588 if ((lenmax = limit - ret - 5) < 0) return NULL;
1589 if (plistlen > (size_t)lenmax) return NULL;
1590 if (plistlen > 255)
1591 {
1592 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1593 return NULL;
1594 }
1595
1596 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1597 s2n(plistlen + 1,ret);
1598 *(ret++) = (unsigned char) plistlen;
1599 memcpy(ret, plist, plistlen);
1600 ret+=plistlen;
1601
1602 }
1603 /* Currently the server should not respond with a SupportedCurves extension */
1604#endif /* OPENSSL_NO_EC */
1605
1606 if (s->tlsext_ticket_expected
1607 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1608 {
1609 if ((long)(limit - ret - 4) < 0) return NULL;
1610 s2n(TLSEXT_TYPE_session_ticket,ret);
1611 s2n(0,ret);
1612 }
1613
1614 if (s->tlsext_status_expected)
1615 {
1616 if ((long)(limit - ret - 4) < 0) return NULL;
1617 s2n(TLSEXT_TYPE_status_request,ret);
1618 s2n(0,ret);
1619 }
1620
1621#ifdef TLSEXT_TYPE_opaque_prf_input
1622 if (s->s3->server_opaque_prf_input != NULL)
1623 {
1624 size_t sol = s->s3->server_opaque_prf_input_len;
1625
1626 if ((long)(limit - ret - 6 - sol) < 0)
1627 return NULL;
1628 if (sol > 0xFFFD) /* can't happen */
1629 return NULL;
1630
1631 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1632 s2n(sol + 2, ret);
1633 s2n(sol, ret);
1634 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1635 ret += sol;
1636 }
1637#endif
1638
1639 if(s->srtp_profile)
1640 {
1641 int el;
1642
1643 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1644
1645 if((limit - p - 4 - el) < 0) return NULL;
1646
1647 s2n(TLSEXT_TYPE_use_srtp,ret);
1648 s2n(el,ret);
1649
1650 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1651 {
1652 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1653 return NULL;
1654 }
1655 ret+=el;
1656 }
1657
1658 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1659 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1660 { const unsigned char cryptopro_ext[36] = {
1661 0xfd, 0xe8, /*65000*/
1662 0x00, 0x20, /*32 bytes length*/
1663 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1664 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1665 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1666 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1667 if (limit-ret<36) return NULL;
1668 memcpy(ret,cryptopro_ext,36);
1669 ret+=36;
1670
1671 }
1672
1673#ifndef OPENSSL_NO_HEARTBEATS
1674 /* Add Heartbeat extension if we've received one */
1675 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1676 {
1677 s2n(TLSEXT_TYPE_heartbeat,ret);
1678 s2n(1,ret);
1679 /* Set mode:
1680 * 1: peer may send requests
1681 * 2: peer not allowed to send requests
1682 */
1683 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1684 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1685 else
1686 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1687
1688 }
1689#endif
1690
1691#ifndef OPENSSL_NO_NEXTPROTONEG
1692 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1693 s->s3->next_proto_neg_seen = 0;
1694 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1695 {
1696 const unsigned char *npa;
1697 unsigned int npalen;
1698 int r;
1699
1700 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1701 if (r == SSL_TLSEXT_ERR_OK)
1702 {
1703 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1704 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1705 s2n(npalen,ret);
1706 memcpy(ret, npa, npalen);
1707 ret += npalen;
1708 s->s3->next_proto_neg_seen = 1;
1709 }
1710 }
1711#endif
1712
1713 /* If the client supports authz then see whether we have any to offer
1714 * to it. */
1715 if (s->s3->tlsext_authz_client_types_len)
1716 {
1717 size_t authz_length;
1718 /* By now we already know the new cipher, so we can look ahead
1719 * to see whether the cert we are going to send
1720 * has any authz data attached to it. */
1721 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1722 const unsigned char* const orig_authz = authz;
1723 size_t i;
1724 unsigned authz_count = 0;
1725
1726 /* The authz data contains a number of the following structures:
1727 * uint8_t authz_type
1728 * uint16_t length
1729 * uint8_t data[length]
1730 *
1731 * First we walk over it to find the number of authz elements. */
1732 for (i = 0; i < authz_length; i++)
1733 {
1734 unsigned short length;
1735 unsigned char type;
1736
1737 type = *(authz++);
1738 if (memchr(s->s3->tlsext_authz_client_types,
1739 type,
1740 s->s3->tlsext_authz_client_types_len) != NULL)
1741 authz_count++;
1742
1743 n2s(authz, length);
1744 /* n2s increments authz by 2 */
1745 i += 2;
1746 authz += length;
1747 i += length;
1748 }
1749
1750 if (authz_count)
1751 {
1752 /* Add TLS extension server_authz to the ServerHello message
1753 * 2 bytes for extension type
1754 * 2 bytes for extension length
1755 * 1 byte for the list length
1756 * n bytes for the list */
1757 const unsigned short ext_len = 1 + authz_count;
1758
1759 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1760 s2n(TLSEXT_TYPE_server_authz, ret);
1761 s2n(ext_len, ret);
1762 *(ret++) = authz_count;
1763 s->s3->tlsext_authz_promised_to_client = 1;
1764 }
1765
1766 authz = orig_authz;
1767 for (i = 0; i < authz_length; i++)
1768 {
1769 unsigned short length;
1770 unsigned char type;
1771
1772 authz_count++;
1773 type = *(authz++);
1774 if (memchr(s->s3->tlsext_authz_client_types,
1775 type,
1776 s->s3->tlsext_authz_client_types_len) != NULL)
1777 *(ret++) = type;
1778 n2s(authz, length);
1779 /* n2s increments authz by 2 */
1780 i += 2;
1781 authz += length;
1782 i += length;
1783 }
1784 }
1785
1786 /* If custom types were sent in ClientHello, add ServerHello responses */
1787 if (s->s3->tlsext_custom_types_count)
1788 {
1789 size_t i;
1790
1791 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1792 {
1793 size_t j;
1794 custom_srv_ext_record *record;
1795
1796 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1797 {
1798 record = &s->ctx->custom_srv_ext_records[j];
1799 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1800 {
1801 const unsigned char *out = NULL;
1802 unsigned short outlen = 0;
1803 int cb_retval = 0;
1804
1805 /* NULL callback or -1 omits extension */
1806 if (!record->fn2)
1807 break;
1808 cb_retval = record->fn2(s, record->ext_type,
1809 &out, &outlen,
1810 record->arg);
1811 if (cb_retval == 0)
1812 return NULL; /* error */
1813 if (cb_retval == -1)
1814 break; /* skip this extension */
1815 if (limit < ret + 4 + outlen)
1816 return NULL;
1817 s2n(record->ext_type, ret);
1818 s2n(outlen, ret);
1819 memcpy(ret, out, outlen);
1820 ret += outlen;
1821 break;
1822 }
1823 }
1824 }
1825 }
1826
1827 if (s->s3->alpn_selected)
1828 {
1829 const unsigned char *selected = s->s3->alpn_selected;
1830 unsigned len = s->s3->alpn_selected_len;
1831
1832 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1833 return NULL;
1834 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1835 s2n(3 + len,ret);
1836 s2n(1 + len,ret);
1837 *ret++ = len;
1838 memcpy(ret, selected, len);
1839 ret += len;
1840 }
1841
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame^]1842 /* If the client advertised support for Channel ID, and we have it
1843 * enabled, then we want to echo it back. */
1844 if (s->s3->tlsext_channel_id_valid)
1845 {
1846 if (limit - ret - 4 < 0)
1847 return NULL;
1848 if (s->s3->tlsext_channel_id_new)
1849 s2n(TLSEXT_TYPE_channel_id_new,ret);
1850 else
1851 s2n(TLSEXT_TYPE_channel_id,ret);
1852 s2n(0,ret);
1853 }
1854
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1855 if ((extdatalen = ret-p-2)== 0)
1856 return p;
1857
1858 s2n(extdatalen,p);
1859 return ret;
1860 }
1861
1862#ifndef OPENSSL_NO_EC
1863/* ssl_check_for_safari attempts to fingerprint Safari using OS X
1864 * SecureTransport using the TLS extension block in |d|, of length |n|.
1865 * Safari, since 10.6, sends exactly these extensions, in this order:
1866 * SNI,
1867 * elliptic_curves
1868 * ec_point_formats
1869 *
1870 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1871 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1872 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1873 * 10.8..10.8.3 (which don't work).
1874 */
1875static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1876 unsigned short type, size;
1877 static const unsigned char kSafariExtensionsBlock[] = {
1878 0x00, 0x0a, /* elliptic_curves extension */
1879 0x00, 0x08, /* 8 bytes */
1880 0x00, 0x06, /* 6 bytes of curve ids */
1881 0x00, 0x17, /* P-256 */
1882 0x00, 0x18, /* P-384 */
1883 0x00, 0x19, /* P-521 */
1884
1885 0x00, 0x0b, /* ec_point_formats */
1886 0x00, 0x02, /* 2 bytes */
1887 0x01, /* 1 point format */
1888 0x00, /* uncompressed */
1889 };
1890
1891 /* The following is only present in TLS 1.2 */
1892 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1893 0x00, 0x0d, /* signature_algorithms */
1894 0x00, 0x0c, /* 12 bytes */
1895 0x00, 0x0a, /* 10 bytes */
1896 0x05, 0x01, /* SHA-384/RSA */
1897 0x04, 0x01, /* SHA-256/RSA */
1898 0x02, 0x01, /* SHA-1/RSA */
1899 0x04, 0x03, /* SHA-256/ECDSA */
1900 0x02, 0x03, /* SHA-1/ECDSA */
1901 };
1902
1903 if (data >= (d+n-2))
1904 return;
1905 data += 2;
1906
1907 if (data > (d+n-4))
1908 return;
1909 n2s(data,type);
1910 n2s(data,size);
1911
1912 if (type != TLSEXT_TYPE_server_name)
1913 return;
1914
1915 if (data+size > d+n)
1916 return;
1917 data += size;
1918
1919 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1920 {
1921 const size_t len1 = sizeof(kSafariExtensionsBlock);
1922 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1923
1924 if (data + len1 + len2 != d+n)
1925 return;
1926 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1927 return;
1928 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1929 return;
1930 }
1931 else
1932 {
1933 const size_t len = sizeof(kSafariExtensionsBlock);
1934
1935 if (data + len != d+n)
1936 return;
1937 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1938 return;
1939 }
1940
1941 s->s3->is_probably_safari = 1;
1942}
1943#endif /* !OPENSSL_NO_EC */
1944
1945/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1946 * ClientHello.
1947 * data: the contents of the extension, not including the type and length.
1948 * data_len: the number of bytes in |data|
1949 * al: a pointer to the alert value to send in the event of a non-zero
1950 * return.
1951 *
1952 * returns: 0 on success. */
1953static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1954 unsigned data_len, int *al)
1955 {
1956 unsigned i;
1957 unsigned proto_len;
1958 const unsigned char *selected;
1959 unsigned char selected_len;
1960 int r;
1961
1962 if (s->ctx->alpn_select_cb == NULL)
1963 return 0;
1964
1965 if (data_len < 2)
1966 goto parse_error;
1967
1968 /* data should contain a uint16 length followed by a series of 8-bit,
1969 * length-prefixed strings. */
1970 i = ((unsigned) data[0]) << 8 |
1971 ((unsigned) data[1]);
1972 data_len -= 2;
1973 data += 2;
1974 if (data_len != i)
1975 goto parse_error;
1976
1977 if (data_len < 2)
1978 goto parse_error;
1979
1980 for (i = 0; i < data_len;)
1981 {
1982 proto_len = data[i];
1983 i++;
1984
1985 if (proto_len == 0)
1986 goto parse_error;
1987
1988 if (i + proto_len < i || i + proto_len > data_len)
1989 goto parse_error;
1990
1991 i += proto_len;
1992 }
1993
1994 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1995 s->ctx->alpn_select_cb_arg);
1996 if (r == SSL_TLSEXT_ERR_OK) {
1997 if (s->s3->alpn_selected)
1998 OPENSSL_free(s->s3->alpn_selected);
1999 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
2000 if (!s->s3->alpn_selected)
2001 {
2002 *al = SSL_AD_INTERNAL_ERROR;
2003 return -1;
2004 }
2005 memcpy(s->s3->alpn_selected, selected, selected_len);
2006 s->s3->alpn_selected_len = selected_len;
2007 }
2008 return 0;
2009
2010parse_error:
2011 *al = SSL_AD_DECODE_ERROR;
2012 return -1;
2013 }
2014
2015static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2016 {
2017 unsigned short type;
2018 unsigned short size;
2019 unsigned short len;
2020 unsigned char *data = *p;
2021 int renegotiate_seen = 0;
2022 size_t i;
2023
2024 s->servername_done = 0;
2025 s->tlsext_status_type = -1;
2026#ifndef OPENSSL_NO_NEXTPROTONEG
2027 s->s3->next_proto_neg_seen = 0;
2028#endif
2029
2030 /* Clear observed custom extensions */
2031 s->s3->tlsext_custom_types_count = 0;
2032 if (s->s3->tlsext_custom_types != NULL)
2033 {
2034 OPENSSL_free(s->s3->tlsext_custom_types);
2035 s->s3->tlsext_custom_types = NULL;
2036 }
2037
2038 if (s->s3->alpn_selected)
2039 {
2040 OPENSSL_free(s->s3->alpn_selected);
2041 s->s3->alpn_selected = NULL;
2042 }
2043
2044#ifndef OPENSSL_NO_HEARTBEATS
2045 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2046 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2047#endif
2048
2049#ifndef OPENSSL_NO_EC
2050 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2051 ssl_check_for_safari(s, data, d, n);
2052#endif /* !OPENSSL_NO_EC */
2053
2054 /* Clear any signature algorithms extension received */
2055 if (s->cert->peer_sigalgs)
2056 {
2057 OPENSSL_free(s->cert->peer_sigalgs);
2058 s->cert->peer_sigalgs = NULL;
2059 }
2060 /* Clear any shared sigtnature algorithms */
2061 if (s->cert->shared_sigalgs)
2062 {
2063 OPENSSL_free(s->cert->shared_sigalgs);
2064 s->cert->shared_sigalgs = NULL;
2065 }
2066 /* Clear certificate digests and validity flags */
2067 for (i = 0; i < SSL_PKEY_NUM; i++)
2068 {
2069 s->cert->pkeys[i].digest = NULL;
2070 s->cert->pkeys[i].valid_flags = 0;
2071 }
2072
2073 if (data >= (d+n-2))
2074 goto ri_check;
2075 n2s(data,len);
2076
2077 if (data > (d+n-len))
2078 goto ri_check;
2079
2080 while (data <= (d+n-4))
2081 {
2082 n2s(data,type);
2083 n2s(data,size);
2084
2085 if (data+size > (d+n))
2086 goto ri_check;
2087#if 0
2088 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2089#endif
2090 if (s->tlsext_debug_cb)
2091 s->tlsext_debug_cb(s, 0, type, data, size,
2092 s->tlsext_debug_arg);
2093/* The servername extension is treated as follows:
2094
2095 - Only the hostname type is supported with a maximum length of 255.
2096 - The servername is rejected if too long or if it contains zeros,
2097 in which case an fatal alert is generated.
2098 - The servername field is maintained together with the session cache.
2099 - When a session is resumed, the servername call back invoked in order
2100 to allow the application to position itself to the right context.
2101 - The servername is acknowledged if it is new for a session or when
2102 it is identical to a previously used for the same session.
2103 Applications can control the behaviour. They can at any time
2104 set a 'desirable' servername for a new SSL object. This can be the
2105 case for example with HTTPS when a Host: header field is received and
2106 a renegotiation is requested. In this case, a possible servername
2107 presented in the new client hello is only acknowledged if it matches
2108 the value of the Host: field.
2109 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2110 if they provide for changing an explicit servername context for the session,
2111 i.e. when the session has been established with a servername extension.
2112 - On session reconnect, the servername extension may be absent.
2113
2114*/
2115
2116 if (type == TLSEXT_TYPE_server_name)
2117 {
2118 unsigned char *sdata;
2119 int servname_type;
2120 int dsize;
2121
2122 if (size < 2)
2123 {
2124 *al = SSL_AD_DECODE_ERROR;
2125 return 0;
2126 }
2127 n2s(data,dsize);
2128 size -= 2;
2129 if (dsize > size )
2130 {
2131 *al = SSL_AD_DECODE_ERROR;
2132 return 0;
2133 }
2134
2135 sdata = data;
2136 while (dsize > 3)
2137 {
2138 servname_type = *(sdata++);
2139 n2s(sdata,len);
2140 dsize -= 3;
2141
2142 if (len > dsize)
2143 {
2144 *al = SSL_AD_DECODE_ERROR;
2145 return 0;
2146 }
2147 if (s->servername_done == 0)
2148 switch (servname_type)
2149 {
2150 case TLSEXT_NAMETYPE_host_name:
2151 if (!s->hit)
2152 {
2153 if(s->session->tlsext_hostname)
2154 {
2155 *al = SSL_AD_DECODE_ERROR;
2156 return 0;
2157 }
2158 if (len > TLSEXT_MAXLEN_host_name)
2159 {
2160 *al = TLS1_AD_UNRECOGNIZED_NAME;
2161 return 0;
2162 }
2163 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2164 {
2165 *al = TLS1_AD_INTERNAL_ERROR;
2166 return 0;
2167 }
2168 memcpy(s->session->tlsext_hostname, sdata, len);
2169 s->session->tlsext_hostname[len]='\0';
2170 if (strlen(s->session->tlsext_hostname) != len) {
2171 OPENSSL_free(s->session->tlsext_hostname);
2172 s->session->tlsext_hostname = NULL;
2173 *al = TLS1_AD_UNRECOGNIZED_NAME;
2174 return 0;
2175 }
2176 s->servername_done = 1;
2177
2178 }
2179 else
2180 s->servername_done = s->session->tlsext_hostname
2181 && strlen(s->session->tlsext_hostname) == len
2182 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2183
2184 break;
2185
2186 default:
2187 break;
2188 }
2189
2190 dsize -= len;
2191 }
2192 if (dsize != 0)
2193 {
2194 *al = SSL_AD_DECODE_ERROR;
2195 return 0;
2196 }
2197
2198 }
2199
2200#ifndef OPENSSL_NO_EC
2201 else if (type == TLSEXT_TYPE_ec_point_formats)
2202 {
2203 unsigned char *sdata = data;
2204 int ecpointformatlist_length = *(sdata++);
2205
2206 if (ecpointformatlist_length != size - 1 ||
2207 ecpointformatlist_length < 1)
2208 {
2209 *al = TLS1_AD_DECODE_ERROR;
2210 return 0;
2211 }
2212 if (!s->hit)
2213 {
2214 if(s->session->tlsext_ecpointformatlist)
2215 {
2216 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2217 s->session->tlsext_ecpointformatlist = NULL;
2218 }
2219 s->session->tlsext_ecpointformatlist_length = 0;
2220 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2221 {
2222 *al = TLS1_AD_INTERNAL_ERROR;
2223 return 0;
2224 }
2225 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2226 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2227 }
2228#if 0
2229 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2230 sdata = s->session->tlsext_ecpointformatlist;
2231 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2232 fprintf(stderr,"%i ",*(sdata++));
2233 fprintf(stderr,"\n");
2234#endif
2235 }
2236 else if (type == TLSEXT_TYPE_elliptic_curves)
2237 {
2238 unsigned char *sdata = data;
2239 int ellipticcurvelist_length = (*(sdata++) << 8);
2240 ellipticcurvelist_length += (*(sdata++));
2241
2242 if (ellipticcurvelist_length != size - 2 ||
2243 ellipticcurvelist_length < 1)
2244 {
2245 *al = TLS1_AD_DECODE_ERROR;
2246 return 0;
2247 }
2248 if (!s->hit)
2249 {
2250 if(s->session->tlsext_ellipticcurvelist)
2251 {
2252 *al = TLS1_AD_DECODE_ERROR;
2253 return 0;
2254 }
2255 s->session->tlsext_ellipticcurvelist_length = 0;
2256 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2257 {
2258 *al = TLS1_AD_INTERNAL_ERROR;
2259 return 0;
2260 }
2261 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2262 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2263 }
2264#if 0
2265 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2266 sdata = s->session->tlsext_ellipticcurvelist;
2267 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2268 fprintf(stderr,"%i ",*(sdata++));
2269 fprintf(stderr,"\n");
2270#endif
2271 }
2272#endif /* OPENSSL_NO_EC */
2273#ifdef TLSEXT_TYPE_opaque_prf_input
2274 else if (type == TLSEXT_TYPE_opaque_prf_input)
2275 {
2276 unsigned char *sdata = data;
2277
2278 if (size < 2)
2279 {
2280 *al = SSL_AD_DECODE_ERROR;
2281 return 0;
2282 }
2283 n2s(sdata, s->s3->client_opaque_prf_input_len);
2284 if (s->s3->client_opaque_prf_input_len != size - 2)
2285 {
2286 *al = SSL_AD_DECODE_ERROR;
2287 return 0;
2288 }
2289
2290 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2291 OPENSSL_free(s->s3->client_opaque_prf_input);
2292 if (s->s3->client_opaque_prf_input_len == 0)
2293 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2294 else
2295 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2296 if (s->s3->client_opaque_prf_input == NULL)
2297 {
2298 *al = TLS1_AD_INTERNAL_ERROR;
2299 return 0;
2300 }
2301 }
2302#endif
2303 else if (type == TLSEXT_TYPE_session_ticket)
2304 {
2305 if (s->tls_session_ticket_ext_cb &&
2306 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2307 {
2308 *al = TLS1_AD_INTERNAL_ERROR;
2309 return 0;
2310 }
2311 }
2312 else if (type == TLSEXT_TYPE_renegotiate)
2313 {
2314 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2315 return 0;
2316 renegotiate_seen = 1;
2317 }
2318 else if (type == TLSEXT_TYPE_signature_algorithms)
2319 {
2320 int dsize;
2321 if (s->cert->peer_sigalgs || size < 2)
2322 {
2323 *al = SSL_AD_DECODE_ERROR;
2324 return 0;
2325 }
2326 n2s(data,dsize);
2327 size -= 2;
2328 if (dsize != size || dsize & 1 || !dsize)
2329 {
2330 *al = SSL_AD_DECODE_ERROR;
2331 return 0;
2332 }
2333 if (!tls1_process_sigalgs(s, data, dsize))
2334 {
2335 *al = SSL_AD_DECODE_ERROR;
2336 return 0;
2337 }
2338 /* If sigalgs received and no shared algorithms fatal
2339 * error.
2340 */
2341 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2342 {
2343 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2344 *al = SSL_AD_ILLEGAL_PARAMETER;
2345 return 0;
2346 }
2347 }
2348
2349 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2350#if 0
2351 else if (type == TLSEXT_TYPE_status_request)
2352 {
2353
2354 if (size < 5)
2355 {
2356 *al = SSL_AD_DECODE_ERROR;
2357 return 0;
2358 }
2359
2360 s->tlsext_status_type = *data++;
2361 size--;
2362 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2363 {
2364 const unsigned char *sdata;
2365 int dsize;
2366 /* Read in responder_id_list */
2367 n2s(data,dsize);
2368 size -= 2;
2369 if (dsize > size )
2370 {
2371 *al = SSL_AD_DECODE_ERROR;
2372 return 0;
2373 }
2374 while (dsize > 0)
2375 {
2376 OCSP_RESPID *id;
2377 int idsize;
2378 if (dsize < 4)
2379 {
2380 *al = SSL_AD_DECODE_ERROR;
2381 return 0;
2382 }
2383 n2s(data, idsize);
2384 dsize -= 2 + idsize;
2385 size -= 2 + idsize;
2386 if (dsize < 0)
2387 {
2388 *al = SSL_AD_DECODE_ERROR;
2389 return 0;
2390 }
2391 sdata = data;
2392 data += idsize;
2393 id = d2i_OCSP_RESPID(NULL,
2394 &sdata, idsize);
2395 if (!id)
2396 {
2397 *al = SSL_AD_DECODE_ERROR;
2398 return 0;
2399 }
2400 if (data != sdata)
2401 {
2402 OCSP_RESPID_free(id);
2403 *al = SSL_AD_DECODE_ERROR;
2404 return 0;
2405 }
2406 if (!s->tlsext_ocsp_ids
2407 && !(s->tlsext_ocsp_ids =
2408 sk_OCSP_RESPID_new_null()))
2409 {
2410 OCSP_RESPID_free(id);
2411 *al = SSL_AD_INTERNAL_ERROR;
2412 return 0;
2413 }
2414 if (!sk_OCSP_RESPID_push(
2415 s->tlsext_ocsp_ids, id))
2416 {
2417 OCSP_RESPID_free(id);
2418 *al = SSL_AD_INTERNAL_ERROR;
2419 return 0;
2420 }
2421 }
2422
2423 /* Read in request_extensions */
2424 if (size < 2)
2425 {
2426 *al = SSL_AD_DECODE_ERROR;
2427 return 0;
2428 }
2429 n2s(data,dsize);
2430 size -= 2;
2431 if (dsize != size)
2432 {
2433 *al = SSL_AD_DECODE_ERROR;
2434 return 0;
2435 }
2436 sdata = data;
2437 if (dsize > 0)
2438 {
2439 if (s->tlsext_ocsp_exts)
2440 {
2441 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2442 X509_EXTENSION_free);
2443 }
2444
2445 s->tlsext_ocsp_exts =
2446 d2i_X509_EXTENSIONS(NULL,
2447 &sdata, dsize);
2448 if (!s->tlsext_ocsp_exts
2449 || (data + dsize != sdata))
2450 {
2451 *al = SSL_AD_DECODE_ERROR;
2452 return 0;
2453 }
2454 }
2455 }
2456 /* We don't know what to do with any other type
2457 * so ignore it.
2458 */
2459 else
2460 s->tlsext_status_type = -1;
2461 }
2462#endif
2463
2464#ifndef OPENSSL_NO_HEARTBEATS
2465 else if (type == TLSEXT_TYPE_heartbeat)
2466 {
2467 switch(data[0])
2468 {
2469 case 0x01: /* Client allows us to send HB requests */
2470 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2471 break;
2472 case 0x02: /* Client doesn't accept HB requests */
2473 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2474 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2475 break;
2476 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2477 return 0;
2478 }
2479 }
2480#endif
2481#ifndef OPENSSL_NO_NEXTPROTONEG
2482 else if (type == TLSEXT_TYPE_next_proto_neg &&
2483 s->s3->tmp.finish_md_len == 0 &&
2484 s->s3->alpn_selected == NULL)
2485 {
2486 /* We shouldn't accept this extension on a
2487 * renegotiation.
2488 *
2489 * s->new_session will be set on renegotiation, but we
2490 * probably shouldn't rely that it couldn't be set on
2491 * the initial renegotation too in certain cases (when
2492 * there's some other reason to disallow resuming an
2493 * earlier session -- the current code won't be doing
2494 * anything like that, but this might change).
2495
2496 * A valid sign that there's been a previous handshake
2497 * in this connection is if s->s3->tmp.finish_md_len >
2498 * 0. (We are talking about a check that will happen
2499 * in the Hello protocol round, well before a new
2500 * Finished message could have been computed.) */
2501 s->s3->next_proto_neg_seen = 1;
2502 }
2503#endif
2504
2505 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2506 s->ctx->alpn_select_cb &&
2507 s->s3->tmp.finish_md_len == 0)
2508 {
2509 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2510 return 0;
2511#ifndef OPENSSL_NO_NEXTPROTONEG
2512 /* ALPN takes precedence over NPN. */
2513 s->s3->next_proto_neg_seen = 0;
2514#endif
2515 }
2516
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame^]2517 else if (type == TLSEXT_TYPE_channel_id &&
2518 s->tlsext_channel_id_enabled)
2519 s->s3->tlsext_channel_id_valid = 1;
2520
2521 else if (type == TLSEXT_TYPE_channel_id_new &&
2522 s->tlsext_channel_id_enabled)
2523 {
2524 s->s3->tlsext_channel_id_valid = 1;
2525 s->s3->tlsext_channel_id_new = 1;
2526 }
2527
2528
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2529 /* session ticket processed earlier */
2530 else if (type == TLSEXT_TYPE_use_srtp)
2531 {
2532 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2533 al))
2534 return 0;
2535 }
2536
2537 else if (type == TLSEXT_TYPE_server_authz)
2538 {
2539 unsigned char *sdata = data;
2540 unsigned char server_authz_dataformatlist_length;
2541
2542 if (size == 0)
2543 {
2544 *al = TLS1_AD_DECODE_ERROR;
2545 return 0;
2546 }
2547
2548 server_authz_dataformatlist_length = *(sdata++);
2549
2550 if (server_authz_dataformatlist_length != size - 1)
2551 {
2552 *al = TLS1_AD_DECODE_ERROR;
2553 return 0;
2554 }
2555
2556 /* Successful session resumption uses the same authz
2557 * information as the original session so we ignore this
2558 * in the case of a session resumption. */
2559 if (!s->hit)
2560 {
2561 if (s->s3->tlsext_authz_client_types != NULL)
2562 OPENSSL_free(s->s3->tlsext_authz_client_types);
2563 s->s3->tlsext_authz_client_types =
2564 OPENSSL_malloc(server_authz_dataformatlist_length);
2565 if (!s->s3->tlsext_authz_client_types)
2566 {
2567 *al = TLS1_AD_INTERNAL_ERROR;
2568 return 0;
2569 }
2570
2571 s->s3->tlsext_authz_client_types_len =
2572 server_authz_dataformatlist_length;
2573 memcpy(s->s3->tlsext_authz_client_types,
2574 sdata,
2575 server_authz_dataformatlist_length);
2576
2577 /* Sort the types in order to check for duplicates. */
2578 qsort(s->s3->tlsext_authz_client_types,
2579 server_authz_dataformatlist_length,
2580 1 /* element size */,
2581 byte_compare);
2582
2583 for (i = 0; i < server_authz_dataformatlist_length; i++)
2584 {
2585 if (i > 0 &&
2586 s->s3->tlsext_authz_client_types[i] ==
2587 s->s3->tlsext_authz_client_types[i-1])
2588 {
2589 *al = TLS1_AD_DECODE_ERROR;
2590 return 0;
2591 }
2592 }
2593 }
2594 }
2595
2596 /* If this ClientHello extension was unhandled and this is
2597 * a nonresumed connection, check whether the extension is a
2598 * custom TLS Extension (has a custom_srv_ext_record), and if
2599 * so call the callback and record the extension number so that
2600 * an appropriate ServerHello may be later returned.
2601 */
2602 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2603 {
2604 custom_srv_ext_record *record;
2605
2606 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2607 {
2608 record = &s->ctx->custom_srv_ext_records[i];
2609 if (type == record->ext_type)
2610 {
2611 size_t j;
2612
2613 /* Error on duplicate TLS Extensions */
2614 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2615 {
2616 if (type == s->s3->tlsext_custom_types[j])
2617 {
2618 *al = TLS1_AD_DECODE_ERROR;
2619 return 0;
2620 }
2621 }
2622
2623 /* NULL callback still notes the extension */
2624 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2625 return 0;
2626
2627 /* Add the (non-duplicated) entry */
2628 s->s3->tlsext_custom_types_count++;
2629 s->s3->tlsext_custom_types = OPENSSL_realloc(
2630 s->s3->tlsext_custom_types,
2631 s->s3->tlsext_custom_types_count * 2);
2632 if (s->s3->tlsext_custom_types == NULL)
2633 {
2634 s->s3->tlsext_custom_types = 0;
2635 *al = TLS1_AD_INTERNAL_ERROR;
2636 return 0;
2637 }
2638 s->s3->tlsext_custom_types[
2639 s->s3->tlsext_custom_types_count - 1] = type;
2640 }
2641 }
2642 }
2643
2644 data+=size;
2645 }
2646
2647 *p = data;
2648
2649 ri_check:
2650
2651 /* Need RI if renegotiating */
2652
2653 if (!renegotiate_seen && s->renegotiate &&
2654 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2655 {
2656 *al = SSL_AD_HANDSHAKE_FAILURE;
2657 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2658 return 0;
2659 }
2660 /* If no signature algorithms extension set default values */
2661 if (!s->cert->peer_sigalgs)
2662 ssl_cert_set_default_md(s->cert);
2663
2664 return 1;
2665 }
2666
2667int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2668 {
2669 int al = -1;
2670 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2671 {
2672 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2673 return 0;
2674 }
2675
2676 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2677 {
2678 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
2679 return 0;
2680 }
2681 return 1;
2682}
2683
2684#ifndef OPENSSL_NO_NEXTPROTONEG
2685/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2686 * elements of zero length are allowed and the set of elements must exactly fill
2687 * the length of the block. */
2688static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2689 {
2690 unsigned int off = 0;
2691
2692 while (off < len)
2693 {
2694 if (d[off] == 0)
2695 return 0;
2696 off += d[off];
2697 off++;
2698 }
2699
2700 return off == len;
2701 }
2702#endif
2703
2704static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2705 {
2706 unsigned short length;
2707 unsigned short type;
2708 unsigned short size;
2709 unsigned char *data = *p;
2710 int tlsext_servername = 0;
2711 int renegotiate_seen = 0;
2712
2713#ifndef OPENSSL_NO_NEXTPROTONEG
2714 s->s3->next_proto_neg_seen = 0;
2715#endif
2716
2717 if (s->s3->alpn_selected)
2718 {
2719 OPENSSL_free(s->s3->alpn_selected);
2720 s->s3->alpn_selected = NULL;
2721 }
2722
2723#ifndef OPENSSL_NO_HEARTBEATS
2724 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2725 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2726#endif
2727
2728 if (data >= (d+n-2))
2729 goto ri_check;
2730
2731 n2s(data,length);
2732 if (data+length != d+n)
2733 {
2734 *al = SSL_AD_DECODE_ERROR;
2735 return 0;
2736 }
2737
2738 while(data <= (d+n-4))
2739 {
2740 n2s(data,type);
2741 n2s(data,size);
2742
2743 if (data+size > (d+n))
2744 goto ri_check;
2745
2746 if (s->tlsext_debug_cb)
2747 s->tlsext_debug_cb(s, 1, type, data, size,
2748 s->tlsext_debug_arg);
2749
2750 if (type == TLSEXT_TYPE_server_name)
2751 {
2752 if (s->tlsext_hostname == NULL || size > 0)
2753 {
2754 *al = TLS1_AD_UNRECOGNIZED_NAME;
2755 return 0;
2756 }
2757 tlsext_servername = 1;
2758 }
2759
2760#ifndef OPENSSL_NO_EC
2761 else if (type == TLSEXT_TYPE_ec_point_formats)
2762 {
2763 unsigned char *sdata = data;
2764 int ecpointformatlist_length = *(sdata++);
2765
2766 if (ecpointformatlist_length != size - 1)
2767 {
2768 *al = TLS1_AD_DECODE_ERROR;
2769 return 0;
2770 }
2771 s->session->tlsext_ecpointformatlist_length = 0;
2772 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2773 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2774 {
2775 *al = TLS1_AD_INTERNAL_ERROR;
2776 return 0;
2777 }
2778 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2779 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2780#if 0
2781 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2782 sdata = s->session->tlsext_ecpointformatlist;
2783 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2784 fprintf(stderr,"%i ",*(sdata++));
2785 fprintf(stderr,"\n");
2786#endif
2787 }
2788#endif /* OPENSSL_NO_EC */
2789
2790 else if (type == TLSEXT_TYPE_session_ticket)
2791 {
2792 if (s->tls_session_ticket_ext_cb &&
2793 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2794 {
2795 *al = TLS1_AD_INTERNAL_ERROR;
2796 return 0;
2797 }
2798 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2799 || (size > 0))
2800 {
2801 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2802 return 0;
2803 }
2804 s->tlsext_ticket_expected = 1;
2805 }
2806#ifdef TLSEXT_TYPE_opaque_prf_input
2807 else if (type == TLSEXT_TYPE_opaque_prf_input)
2808 {
2809 unsigned char *sdata = data;
2810
2811 if (size < 2)
2812 {
2813 *al = SSL_AD_DECODE_ERROR;
2814 return 0;
2815 }
2816 n2s(sdata, s->s3->server_opaque_prf_input_len);
2817 if (s->s3->server_opaque_prf_input_len != size - 2)
2818 {
2819 *al = SSL_AD_DECODE_ERROR;
2820 return 0;
2821 }
2822
2823 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2824 OPENSSL_free(s->s3->server_opaque_prf_input);
2825 if (s->s3->server_opaque_prf_input_len == 0)
2826 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2827 else
2828 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2829
2830 if (s->s3->server_opaque_prf_input == NULL)
2831 {
2832 *al = TLS1_AD_INTERNAL_ERROR;
2833 return 0;
2834 }
2835 }
2836#endif
2837 else if (type == TLSEXT_TYPE_status_request)
2838 {
2839 /* MUST be empty and only sent if we've requested
2840 * a status request message.
2841 */
2842 if ((s->tlsext_status_type == -1) || (size > 0))
2843 {
2844 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2845 return 0;
2846 }
2847 /* Set flag to expect CertificateStatus message */
2848 s->tlsext_status_expected = 1;
2849 }
2850#ifndef OPENSSL_NO_NEXTPROTONEG
2851 else if (type == TLSEXT_TYPE_next_proto_neg &&
2852 s->s3->tmp.finish_md_len == 0)
2853 {
2854 unsigned char *selected;
2855 unsigned char selected_len;
2856
2857 /* We must have requested it. */
2858 if (s->ctx->next_proto_select_cb == NULL)
2859 {
2860 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2861 return 0;
2862 }
2863 /* The data must be valid */
2864 if (!ssl_next_proto_validate(data, size))
2865 {
2866 *al = TLS1_AD_DECODE_ERROR;
2867 return 0;
2868 }
2869 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2870 {
2871 *al = TLS1_AD_INTERNAL_ERROR;
2872 return 0;
2873 }
2874 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2875 if (!s->next_proto_negotiated)
2876 {
2877 *al = TLS1_AD_INTERNAL_ERROR;
2878 return 0;
2879 }
2880 memcpy(s->next_proto_negotiated, selected, selected_len);
2881 s->next_proto_negotiated_len = selected_len;
2882 s->s3->next_proto_neg_seen = 1;
2883 }
2884#endif
2885
2886 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2887 {
2888 unsigned len;
2889
2890 /* We must have requested it. */
2891 if (s->alpn_client_proto_list == NULL)
2892 {
2893 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2894 return 0;
2895 }
2896 if (size < 4)
2897 {
2898 *al = TLS1_AD_DECODE_ERROR;
2899 return 0;
2900 }
2901 /* The extension data consists of:
2902 * uint16 list_length
2903 * uint8 proto_length;
2904 * uint8 proto[proto_length]; */
2905 len = data[0];
2906 len <<= 8;
2907 len |= data[1];
2908 if (len != (unsigned) size - 2)
2909 {
2910 *al = TLS1_AD_DECODE_ERROR;
2911 return 0;
2912 }
2913 len = data[2];
2914 if (len != (unsigned) size - 3)
2915 {
2916 *al = TLS1_AD_DECODE_ERROR;
2917 return 0;
2918 }
2919 if (s->s3->alpn_selected)
2920 OPENSSL_free(s->s3->alpn_selected);
2921 s->s3->alpn_selected = OPENSSL_malloc(len);
2922 if (!s->s3->alpn_selected)
2923 {
2924 *al = TLS1_AD_INTERNAL_ERROR;
2925 return 0;
2926 }
2927 memcpy(s->s3->alpn_selected, data + 3, len);
2928 s->s3->alpn_selected_len = len;
2929 }
2930
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame^]2931 else if (type == TLSEXT_TYPE_channel_id)
2932 s->s3->tlsext_channel_id_valid = 1;
2933
2934 else if (type == TLSEXT_TYPE_channel_id_new)
2935 {
2936 s->s3->tlsext_channel_id_valid = 1;
2937 s->s3->tlsext_channel_id_new = 1;
2938 }
2939
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2940 else if (type == TLSEXT_TYPE_renegotiate)
2941 {
2942 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2943 return 0;
2944 renegotiate_seen = 1;
2945 }
2946#ifndef OPENSSL_NO_HEARTBEATS
2947 else if (type == TLSEXT_TYPE_heartbeat)
2948 {
2949 switch(data[0])
2950 {
2951 case 0x01: /* Server allows us to send HB requests */
2952 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2953 break;
2954 case 0x02: /* Server doesn't accept HB requests */
2955 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2956 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2957 break;
2958 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2959 return 0;
2960 }
2961 }
2962#endif
2963 else if (type == TLSEXT_TYPE_use_srtp)
2964 {
2965 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2966 al))
2967 return 0;
2968 }
2969
2970 else if (type == TLSEXT_TYPE_server_authz)
2971 {
2972 /* We only support audit proofs. It's an error to send
2973 * an authz hello extension if the client
2974 * didn't request a proof. */
2975 unsigned char *sdata = data;
2976 unsigned char server_authz_dataformatlist_length;
2977
2978 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2979 {
2980 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2981 return 0;
2982 }
2983
2984 if (!size)
2985 {
2986 *al = TLS1_AD_DECODE_ERROR;
2987 return 0;
2988 }
2989
2990 server_authz_dataformatlist_length = *(sdata++);
2991 if (server_authz_dataformatlist_length != size - 1)
2992 {
2993 *al = TLS1_AD_DECODE_ERROR;
2994 return 0;
2995 }
2996
2997 /* We only support audit proofs, so a legal ServerHello
2998 * authz list contains exactly one entry. */
2999 if (server_authz_dataformatlist_length != 1 ||
3000 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
3001 {
3002 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3003 return 0;
3004 }
3005
3006 s->s3->tlsext_authz_server_promised = 1;
3007 }
3008
3009 /* If this extension type was not otherwise handled, but
3010 * matches a custom_cli_ext_record, then send it to the c
3011 * callback */
3012 else if (s->ctx->custom_cli_ext_records_count)
3013 {
3014 size_t i;
3015 custom_cli_ext_record* record;
3016
3017 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
3018 {
3019 record = &s->ctx->custom_cli_ext_records[i];
3020 if (record->ext_type == type)
3021 {
3022 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
3023 return 0;
3024 break;
3025 }
3026 }
3027 }
3028
3029 data += size;
3030 }
3031
3032 if (data != d+n)
3033 {
3034 *al = SSL_AD_DECODE_ERROR;
3035 return 0;
3036 }
3037
3038 if (!s->hit && tlsext_servername == 1)
3039 {
3040 if (s->tlsext_hostname)
3041 {
3042 if (s->session->tlsext_hostname == NULL)
3043 {
3044 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
3045 if (!s->session->tlsext_hostname)
3046 {
3047 *al = SSL_AD_UNRECOGNIZED_NAME;
3048 return 0;
3049 }
3050 }
3051 else
3052 {
3053 *al = SSL_AD_DECODE_ERROR;
3054 return 0;
3055 }
3056 }
3057 }
3058
3059 *p = data;
3060
3061 ri_check:
3062
3063 /* Determine if we need to see RI. Strictly speaking if we want to
3064 * avoid an attack we should *always* see RI even on initial server
3065 * hello because the client doesn't see any renegotiation during an
3066 * attack. However this would mean we could not connect to any server
3067 * which doesn't support RI so for the immediate future tolerate RI
3068 * absence on initial connect only.
3069 */
3070 if (!renegotiate_seen
3071 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
3072 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
3073 {
3074 *al = SSL_AD_HANDSHAKE_FAILURE;
3075 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
3076 return 0;
3077 }
3078
3079 return 1;
3080 }
3081
3082
3083int ssl_prepare_clienthello_tlsext(SSL *s)
3084 {
3085
3086#ifdef TLSEXT_TYPE_opaque_prf_input
3087 {
3088 int r = 1;
3089
3090 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3091 {
3092 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3093 if (!r)
3094 return -1;
3095 }
3096
3097 if (s->tlsext_opaque_prf_input != NULL)
3098 {
3099 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
3100 OPENSSL_free(s->s3->client_opaque_prf_input);
3101
3102 if (s->tlsext_opaque_prf_input_len == 0)
3103 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3104 else
3105 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3106 if (s->s3->client_opaque_prf_input == NULL)
3107 {
3108 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_MALLOC_FAILURE);
3109 return -1;
3110 }
3111 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3112 }
3113
3114 if (r == 2)
3115 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
3116 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3117 }
3118#endif
3119
3120 return 1;
3121 }
3122
3123int ssl_prepare_serverhello_tlsext(SSL *s)
3124 {
3125 return 1;
3126 }
3127
3128static int ssl_check_clienthello_tlsext_early(SSL *s)
3129 {
3130 int ret=SSL_TLSEXT_ERR_NOACK;
3131 int al = SSL_AD_UNRECOGNIZED_NAME;
3132
3133#ifndef OPENSSL_NO_EC
3134 /* The handling of the ECPointFormats extension is done elsewhere, namely in
3135 * ssl3_choose_cipher in s3_lib.c.
3136 */
3137 /* The handling of the EllipticCurves extension is done elsewhere, namely in
3138 * ssl3_choose_cipher in s3_lib.c.
3139 */
3140#endif
3141
3142 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3143 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3144 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3145 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3146
3147#ifdef TLSEXT_TYPE_opaque_prf_input
3148 {
3149 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3150 * but we might be sending an alert in response to the client hello,
3151 * so this has to happen here in
3152 * ssl_check_clienthello_tlsext_early(). */
3153
3154 int r = 1;
3155
3156 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3157 {
3158 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3159 if (!r)
3160 {
3161 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3162 al = SSL_AD_INTERNAL_ERROR;
3163 goto err;
3164 }
3165 }
3166
3167 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3168 OPENSSL_free(s->s3->server_opaque_prf_input);
3169 s->s3->server_opaque_prf_input = NULL;
3170
3171 if (s->tlsext_opaque_prf_input != NULL)
3172 {
3173 if (s->s3->client_opaque_prf_input != NULL &&
3174 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3175 {
3176 /* can only use this extension if we have a server opaque PRF input
3177 * of the same length as the client opaque PRF input! */
3178
3179 if (s->tlsext_opaque_prf_input_len == 0)
3180 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3181 else
3182 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3183 if (s->s3->server_opaque_prf_input == NULL)
3184 {
3185 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3186 al = SSL_AD_INTERNAL_ERROR;
3187 goto err;
3188 }
3189 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3190 }
3191 }
3192
3193 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3194 {
3195 /* The callback wants to enforce use of the extension,
3196 * but we can't do that with the client opaque PRF input;
3197 * abort the handshake.
3198 */
3199 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3200 al = SSL_AD_HANDSHAKE_FAILURE;
3201 }
3202 }
3203
3204 err:
3205#endif
3206 switch (ret)
3207 {
3208 case SSL_TLSEXT_ERR_ALERT_FATAL:
3209 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3210 return -1;
3211
3212 case SSL_TLSEXT_ERR_ALERT_WARNING:
3213 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3214 return 1;
3215
3216 case SSL_TLSEXT_ERR_NOACK:
3217 s->servername_done=0;
3218 default:
3219 return 1;
3220 }
3221 }
3222
3223int ssl_check_clienthello_tlsext_late(SSL *s)
3224 {
3225 int ret = SSL_TLSEXT_ERR_OK;
3226 int al;
3227
3228 /* If status request then ask callback what to do.
3229 * Note: this must be called after servername callbacks in case
3230 * the certificate has changed, and must be called after the cipher
3231 * has been chosen because this may influence which certificate is sent
3232 */
3233 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3234 {
3235 int r;
3236 CERT_PKEY *certpkey;
3237 certpkey = ssl_get_server_send_pkey(s);
3238 /* If no certificate can't return certificate status */
3239 if (certpkey == NULL)
3240 {
3241 s->tlsext_status_expected = 0;
3242 return 1;
3243 }
3244 /* Set current certificate to one we will use so
3245 * SSL_get_certificate et al can pick it up.
3246 */
3247 s->cert->key = certpkey;
3248 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3249 switch (r)
3250 {
3251 /* We don't want to send a status request response */
3252 case SSL_TLSEXT_ERR_NOACK:
3253 s->tlsext_status_expected = 0;
3254 break;
3255 /* status request response should be sent */
3256 case SSL_TLSEXT_ERR_OK:
3257 if (s->tlsext_ocsp_resp)
3258 s->tlsext_status_expected = 1;
3259 else
3260 s->tlsext_status_expected = 0;
3261 break;
3262 /* something bad happened */
3263 case SSL_TLSEXT_ERR_ALERT_FATAL:
3264 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3265 al = SSL_AD_INTERNAL_ERROR;
3266 goto err;
3267 }
3268 }
3269 else
3270 s->tlsext_status_expected = 0;
3271
3272 err:
3273 switch (ret)
3274 {
3275 case SSL_TLSEXT_ERR_ALERT_FATAL:
3276 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3277 return -1;
3278
3279 case SSL_TLSEXT_ERR_ALERT_WARNING:
3280 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3281 return 1;
3282
3283 default:
3284 return 1;
3285 }
3286 }
3287
3288int ssl_check_serverhello_tlsext(SSL *s)
3289 {
3290 int ret=SSL_TLSEXT_ERR_NOACK;
3291 int al = SSL_AD_UNRECOGNIZED_NAME;
3292
3293#ifndef OPENSSL_NO_EC
3294 /* If we are client and using an elliptic curve cryptography cipher
3295 * suite, then if server returns an EC point formats lists extension
3296 * it must contain uncompressed.
3297 */
3298 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3299 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3300 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3301 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3302 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3303 {
3304 /* we are using an ECC cipher */
3305 size_t i;
3306 unsigned char *list;
3307 int found_uncompressed = 0;
3308 list = s->session->tlsext_ecpointformatlist;
3309 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3310 {
3311 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3312 {
3313 found_uncompressed = 1;
3314 break;
3315 }
3316 }
3317 if (!found_uncompressed)
3318 {
3319 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3320 return -1;
3321 }
3322 }
3323 ret = SSL_TLSEXT_ERR_OK;
3324#endif /* OPENSSL_NO_EC */
3325
3326 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3327 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3328 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3329 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3330
3331#ifdef TLSEXT_TYPE_opaque_prf_input
3332 if (s->s3->server_opaque_prf_input_len > 0)
3333 {
3334 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3335 * So first verify that we really have a value from the server too. */
3336
3337 if (s->s3->server_opaque_prf_input == NULL)
3338 {
3339 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3340 al = SSL_AD_HANDSHAKE_FAILURE;
3341 }
3342
3343 /* Anytime the server *has* sent an opaque PRF input, we need to check
3344 * that we have a client opaque PRF input of the same size. */
3345 if (s->s3->client_opaque_prf_input == NULL ||
3346 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3347 {
3348 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3349 al = SSL_AD_ILLEGAL_PARAMETER;
3350 }
3351 }
3352#endif
3353
3354 /* If we've requested certificate status and we wont get one
3355 * tell the callback
3356 */
3357 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3358 && s->ctx && s->ctx->tlsext_status_cb)
3359 {
3360 int r;
3361 /* Set resp to NULL, resplen to -1 so callback knows
3362 * there is no response.
3363 */
3364 if (s->tlsext_ocsp_resp)
3365 {
3366 OPENSSL_free(s->tlsext_ocsp_resp);
3367 s->tlsext_ocsp_resp = NULL;
3368 }
3369 s->tlsext_ocsp_resplen = -1;
3370 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3371 if (r == 0)
3372 {
3373 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3374 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3375 }
3376 if (r < 0)
3377 {
3378 al = SSL_AD_INTERNAL_ERROR;
3379 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3380 }
3381 }
3382
3383 switch (ret)
3384 {
3385 case SSL_TLSEXT_ERR_ALERT_FATAL:
3386 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3387 return -1;
3388
3389 case SSL_TLSEXT_ERR_ALERT_WARNING:
3390 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3391 return 1;
3392
3393 case SSL_TLSEXT_ERR_NOACK:
3394 s->servername_done=0;
3395 default:
3396 return 1;
3397 }
3398 }
3399
3400int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3401 {
3402 int al = -1;
3403 if (s->version < SSL3_VERSION)
3404 return 1;
3405 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3406 {
3407 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3408 return 0;
3409 }
3410
3411 if (ssl_check_serverhello_tlsext(s) <= 0)
3412 {
3413 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
3414 return 0;
3415 }
3416 return 1;
3417}
3418
3419/* Since the server cache lookup is done early on in the processing of the
3420 * ClientHello, and other operations depend on the result, we need to handle
3421 * any TLS session ticket extension at the same time.
3422 *
3423 * session_id: points at the session ID in the ClientHello. This code will
3424 * read past the end of this in order to parse out the session ticket
3425 * extension, if any.
3426 * len: the length of the session ID.
3427 * limit: a pointer to the first byte after the ClientHello.
3428 * ret: (output) on return, if a ticket was decrypted, then this is set to
3429 * point to the resulting session.
3430 *
3431 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3432 * ciphersuite, in which case we have no use for session tickets and one will
3433 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3434 *
3435 * Returns:
3436 * -1: fatal error, either from parsing or decrypting the ticket.
3437 * 0: no ticket was found (or was ignored, based on settings).
3438 * 1: a zero length extension was found, indicating that the client supports
3439 * session tickets but doesn't currently have one to offer.
3440 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3441 * couldn't be decrypted because of a non-fatal error.
3442 * 3: a ticket was successfully decrypted and *ret was set.
3443 *
3444 * Side effects:
3445 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3446 * a new session ticket to the client because the client indicated support
3447 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3448 * a session ticket or we couldn't use the one it gave us, or if
3449 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3450 * Otherwise, s->tlsext_ticket_expected is set to 0.
3451 */
3452int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3453 const unsigned char *limit, SSL_SESSION **ret)
3454 {
3455 /* Point after session ID in client hello */
3456 const unsigned char *p = session_id + len;
3457 unsigned short i;
3458
3459 *ret = NULL;
3460 s->tlsext_ticket_expected = 0;
3461
3462 /* If tickets disabled behave as if no ticket present
3463 * to permit stateful resumption.
3464 */
3465 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3466 return 0;
3467 if ((s->version <= SSL3_VERSION) || !limit)
3468 return 0;
3469 if (p >= limit)
3470 return -1;
3471 /* Skip past DTLS cookie */
3472 if (SSL_IS_DTLS(s))
3473 {
3474 i = *(p++);
3475 p+= i;
3476 if (p >= limit)
3477 return -1;
3478 }
3479 /* Skip past cipher list */
3480 n2s(p, i);
3481 p+= i;
3482 if (p >= limit)
3483 return -1;
3484 /* Skip past compression algorithm list */
3485 i = *(p++);
3486 p += i;
3487 if (p > limit)
3488 return -1;
3489 /* Now at start of extensions */
3490 if ((p + 2) >= limit)
3491 return 0;
3492 n2s(p, i);
3493 while ((p + 4) <= limit)
3494 {
3495 unsigned short type, size;
3496 n2s(p, type);
3497 n2s(p, size);
3498 if (p + size > limit)
3499 return 0;
3500 if (type == TLSEXT_TYPE_session_ticket)
3501 {
3502 int r;
3503 if (size == 0)
3504 {
3505 /* The client will accept a ticket but doesn't
3506 * currently have one. */
3507 s->tlsext_ticket_expected = 1;
3508 return 1;
3509 }
3510 if (s->tls_session_secret_cb)
3511 {
3512 /* Indicate that the ticket couldn't be
3513 * decrypted rather than generating the session
3514 * from ticket now, trigger abbreviated
3515 * handshake based on external mechanism to
3516 * calculate the master secret later. */
3517 return 2;
3518 }
3519 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3520 switch (r)
3521 {
3522 case 2: /* ticket couldn't be decrypted */
3523 s->tlsext_ticket_expected = 1;
3524 return 2;
3525 case 3: /* ticket was decrypted */
3526 return r;
3527 case 4: /* ticket decrypted but need to renew */
3528 s->tlsext_ticket_expected = 1;
3529 return 3;
3530 default: /* fatal error */
3531 return -1;
3532 }
3533 }
3534 p += size;
3535 }
3536 return 0;
3537 }
3538
3539/* tls_decrypt_ticket attempts to decrypt a session ticket.
3540 *
3541 * etick: points to the body of the session ticket extension.
3542 * eticklen: the length of the session tickets extenion.
3543 * sess_id: points at the session ID.
3544 * sesslen: the length of the session ID.
3545 * psess: (output) on return, if a ticket was decrypted, then this is set to
3546 * point to the resulting session.
3547 *
3548 * Returns:
3549 * -1: fatal error, either from parsing or decrypting the ticket.
3550 * 2: the ticket couldn't be decrypted.
3551 * 3: a ticket was successfully decrypted and *psess was set.
3552 * 4: same as 3, but the ticket needs to be renewed.
3553 */
3554static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3555 const unsigned char *sess_id, int sesslen,
3556 SSL_SESSION **psess)
3557 {
3558 SSL_SESSION *sess;
3559 unsigned char *sdec;
3560 const unsigned char *p;
3561 int slen, mlen, renew_ticket = 0;
3562 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3563 HMAC_CTX hctx;
3564 EVP_CIPHER_CTX ctx;
3565 SSL_CTX *tctx = s->initial_ctx;
3566 /* Need at least keyname + iv + some encrypted data */
3567 if (eticklen < 48)
3568 return 2;
3569 /* Initialize session ticket encryption and HMAC contexts */
3570 HMAC_CTX_init(&hctx);
3571 EVP_CIPHER_CTX_init(&ctx);
3572 if (tctx->tlsext_ticket_key_cb)
3573 {
3574 unsigned char *nctick = (unsigned char *)etick;
3575 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3576 &ctx, &hctx, 0);
3577 if (rv < 0)
3578 return -1;
3579 if (rv == 0)
3580 return 2;
3581 if (rv == 2)
3582 renew_ticket = 1;
3583 }
3584 else
3585 {
3586 /* Check key name matches */
3587 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3588 return 2;
3589 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3590 tlsext_tick_md(), NULL);
3591 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3592 tctx->tlsext_tick_aes_key, etick + 16);
3593 }
3594 /* Attempt to process session ticket, first conduct sanity and
3595 * integrity checks on ticket.
3596 */
3597 mlen = HMAC_size(&hctx);
3598 if (mlen < 0)
3599 {
3600 EVP_CIPHER_CTX_cleanup(&ctx);
3601 return -1;
3602 }
3603 eticklen -= mlen;
3604 /* Check HMAC of encrypted ticket */
3605 HMAC_Update(&hctx, etick, eticklen);
3606 HMAC_Final(&hctx, tick_hmac, NULL);
3607 HMAC_CTX_cleanup(&hctx);
3608 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3609 return 2;
3610 /* Attempt to decrypt session data */
3611 /* Move p after IV to start of encrypted ticket, update length */
3612 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3613 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3614 sdec = OPENSSL_malloc(eticklen);
3615 if (!sdec)
3616 {
3617 EVP_CIPHER_CTX_cleanup(&ctx);
3618 return -1;
3619 }
3620 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3621 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
3622 return 2;
3623 slen += mlen;
3624 EVP_CIPHER_CTX_cleanup(&ctx);
3625 p = sdec;
3626
3627 sess = d2i_SSL_SESSION(NULL, &p, slen);
3628 OPENSSL_free(sdec);
3629 if (sess)
3630 {
3631 /* The session ID, if non-empty, is used by some clients to
3632 * detect that the ticket has been accepted. So we copy it to
3633 * the session structure. If it is empty set length to zero
3634 * as required by standard.
3635 */
3636 if (sesslen)
3637 memcpy(sess->session_id, sess_id, sesslen);
3638 sess->session_id_length = sesslen;
3639 *psess = sess;
3640 if (renew_ticket)
3641 return 4;
3642 else
3643 return 3;
3644 }
3645 ERR_clear_error();
3646 /* For session parse failure, indicate that we need to send a new
3647 * ticket. */
3648 return 2;
3649 }
3650
3651/* Tables to translate from NIDs to TLS v1.2 ids */
3652
3653typedef struct
3654 {
3655 int nid;
3656 int id;
3657 } tls12_lookup;
3658
3659static tls12_lookup tls12_md[] = {
3660 {NID_md5, TLSEXT_hash_md5},
3661 {NID_sha1, TLSEXT_hash_sha1},
3662 {NID_sha224, TLSEXT_hash_sha224},
3663 {NID_sha256, TLSEXT_hash_sha256},
3664 {NID_sha384, TLSEXT_hash_sha384},
3665 {NID_sha512, TLSEXT_hash_sha512}
3666};
3667
3668static tls12_lookup tls12_sig[] = {
3669 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3670 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3671 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3672};
3673
3674static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3675 {
3676 size_t i;
3677 for (i = 0; i < tlen; i++)
3678 {
3679 if (table[i].nid == nid)
3680 return table[i].id;
3681 }
3682 return -1;
3683 }
3684
3685static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3686 {
3687 size_t i;
3688 for (i = 0; i < tlen; i++)
3689 {
3690 if ((table[i].id) == id)
3691 return table[i].nid;
3692 }
3693 return NID_undef;
3694 }
3695
3696int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3697 {
3698 int sig_id, md_id;
3699 if (!md)
3700 return 0;
3701 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3702 sizeof(tls12_md)/sizeof(tls12_lookup));
3703 if (md_id == -1)
3704 return 0;
3705 sig_id = tls12_get_sigid(pk);
3706 if (sig_id == -1)
3707 return 0;
3708 p[0] = (unsigned char)md_id;
3709 p[1] = (unsigned char)sig_id;
3710 return 1;
3711 }
3712
3713int tls12_get_sigid(const EVP_PKEY *pk)
3714 {
3715 return tls12_find_id(pk->type, tls12_sig,
3716 sizeof(tls12_sig)/sizeof(tls12_lookup));
3717 }
3718
3719const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3720 {
3721 switch(hash_alg)
3722 {
3723#ifndef OPENSSL_NO_MD5
3724 case TLSEXT_hash_md5:
3725#ifdef OPENSSL_FIPS
3726 if (FIPS_mode())
3727 return NULL;
3728#endif
3729 return EVP_md5();
3730#endif
3731#ifndef OPENSSL_NO_SHA
3732 case TLSEXT_hash_sha1:
3733 return EVP_sha1();
3734#endif
3735#ifndef OPENSSL_NO_SHA256
3736 case TLSEXT_hash_sha224:
3737 return EVP_sha224();
3738
3739 case TLSEXT_hash_sha256:
3740 return EVP_sha256();
3741#endif
3742#ifndef OPENSSL_NO_SHA512
3743 case TLSEXT_hash_sha384:
3744 return EVP_sha384();
3745
3746 case TLSEXT_hash_sha512:
3747 return EVP_sha512();
3748#endif
3749 default:
3750 return NULL;
3751
3752 }
3753 }
3754
3755static int tls12_get_pkey_idx(unsigned char sig_alg)
3756 {
3757 switch(sig_alg)
3758 {
3759#ifndef OPENSSL_NO_RSA
3760 case TLSEXT_signature_rsa:
3761 return SSL_PKEY_RSA_SIGN;
3762#endif
3763#ifndef OPENSSL_NO_DSA
3764 case TLSEXT_signature_dsa:
3765 return SSL_PKEY_DSA_SIGN;
3766#endif
3767#ifndef OPENSSL_NO_ECDSA
3768 case TLSEXT_signature_ecdsa:
3769 return SSL_PKEY_ECC;
3770#endif
3771 }
3772 return -1;
3773 }
3774
3775/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3776static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3777 int *psignhash_nid, const unsigned char *data)
3778 {
3779 int sign_nid = 0, hash_nid = 0;
3780 if (!phash_nid && !psign_nid && !psignhash_nid)
3781 return;
3782 if (phash_nid || psignhash_nid)
3783 {
3784 hash_nid = tls12_find_nid(data[0], tls12_md,
3785 sizeof(tls12_md)/sizeof(tls12_lookup));
3786 if (phash_nid)
3787 *phash_nid = hash_nid;
3788 }
3789 if (psign_nid || psignhash_nid)
3790 {
3791 sign_nid = tls12_find_nid(data[1], tls12_sig,
3792 sizeof(tls12_sig)/sizeof(tls12_lookup));
3793 if (psign_nid)
3794 *psign_nid = sign_nid;
3795 }
3796 if (psignhash_nid)
3797 {
3798 if (sign_nid && hash_nid)
3799 OBJ_find_sigid_by_algs(psignhash_nid,
3800 hash_nid, sign_nid);
3801 else
3802 *psignhash_nid = NID_undef;
3803 }
3804 }
3805/* Given preference and allowed sigalgs set shared sigalgs */
3806static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3807 const unsigned char *pref, size_t preflen,
3808 const unsigned char *allow, size_t allowlen)
3809 {
3810 const unsigned char *ptmp, *atmp;
3811 size_t i, j, nmatch = 0;
3812 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3813 {
3814 /* Skip disabled hashes or signature algorithms */
3815 if (tls12_get_hash(ptmp[0]) == NULL)
3816 continue;
3817 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3818 continue;
3819 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3820 {
3821 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3822 {
3823 nmatch++;
3824 if (shsig)
3825 {
3826 shsig->rhash = ptmp[0];
3827 shsig->rsign = ptmp[1];
3828 tls1_lookup_sigalg(&shsig->hash_nid,
3829 &shsig->sign_nid,
3830 &shsig->signandhash_nid,
3831 ptmp);
3832 shsig++;
3833 }
3834 break;
3835 }
3836 }
3837 }
3838 return nmatch;
3839 }
3840
3841/* Set shared signature algorithms for SSL structures */
3842static int tls1_set_shared_sigalgs(SSL *s)
3843 {
3844 const unsigned char *pref, *allow, *conf;
3845 size_t preflen, allowlen, conflen;
3846 size_t nmatch;
3847 TLS_SIGALGS *salgs = NULL;
3848 CERT *c = s->cert;
3849 unsigned int is_suiteb = tls1_suiteb(s);
3850 /* If client use client signature algorithms if not NULL */
3851 if (!s->server && c->client_sigalgs && !is_suiteb)
3852 {
3853 conf = c->client_sigalgs;
3854 conflen = c->client_sigalgslen;
3855 }
3856 else if (c->conf_sigalgs && !is_suiteb)
3857 {
3858 conf = c->conf_sigalgs;
3859 conflen = c->conf_sigalgslen;
3860 }
3861 else
3862 conflen = tls12_get_psigalgs(s, &conf);
3863 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3864 {
3865 pref = conf;
3866 preflen = conflen;
3867 allow = c->peer_sigalgs;
3868 allowlen = c->peer_sigalgslen;
3869 }
3870 else
3871 {
3872 allow = conf;
3873 allowlen = conflen;
3874 pref = c->peer_sigalgs;
3875 preflen = c->peer_sigalgslen;
3876 }
3877 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3878 if (!nmatch)
3879 return 1;
3880 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3881 if (!salgs)
3882 return 0;
3883 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3884 c->shared_sigalgs = salgs;
3885 c->shared_sigalgslen = nmatch;
3886 return 1;
3887 }
3888
3889
3890/* Set preferred digest for each key type */
3891
3892int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3893 {
3894 int idx;
3895 size_t i;
3896 const EVP_MD *md;
3897 CERT *c = s->cert;
3898 TLS_SIGALGS *sigptr;
3899 /* Extension ignored for inappropriate versions */
3900 if (!SSL_USE_SIGALGS(s))
3901 return 1;
3902 /* Should never happen */
3903 if (!c)
3904 return 0;
3905
3906 c->peer_sigalgs = OPENSSL_malloc(dsize);
3907 if (!c->peer_sigalgs)
3908 return 0;
3909 c->peer_sigalgslen = dsize;
3910 memcpy(c->peer_sigalgs, data, dsize);
3911
3912 tls1_set_shared_sigalgs(s);
3913
3914#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3915 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3916 {
3917 /* Use first set signature preference to force message
3918 * digest, ignoring any peer preferences.
3919 */
3920 const unsigned char *sigs = NULL;
3921 if (s->server)
3922 sigs = c->conf_sigalgs;
3923 else
3924 sigs = c->client_sigalgs;
3925 if (sigs)
3926 {
3927 idx = tls12_get_pkey_idx(sigs[1]);
3928 md = tls12_get_hash(sigs[0]);
3929 c->pkeys[idx].digest = md;
3930 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3931 if (idx == SSL_PKEY_RSA_SIGN)
3932 {
3933 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3934 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3935 }
3936 }
3937 }
3938#endif
3939
3940 for (i = 0, sigptr = c->shared_sigalgs;
3941 i < c->shared_sigalgslen; i++, sigptr++)
3942 {
3943 idx = tls12_get_pkey_idx(sigptr->rsign);
3944 if (idx > 0 && c->pkeys[idx].digest == NULL)
3945 {
3946 md = tls12_get_hash(sigptr->rhash);
3947 c->pkeys[idx].digest = md;
3948 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3949 if (idx == SSL_PKEY_RSA_SIGN)
3950 {
3951 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3952 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3953 }
3954 }
3955
3956 }
3957 /* In strict mode leave unset digests as NULL to indicate we can't
3958 * use the certificate for signing.
3959 */
3960 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3961 {
3962 /* Set any remaining keys to default values. NOTE: if alg is
3963 * not supported it stays as NULL.
3964 */
3965#ifndef OPENSSL_NO_DSA
3966 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3967 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3968#endif
3969#ifndef OPENSSL_NO_RSA
3970 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3971 {
3972 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3973 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3974 }
3975#endif
3976#ifndef OPENSSL_NO_ECDSA
3977 if (!c->pkeys[SSL_PKEY_ECC].digest)
3978 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3979#endif
3980 }
3981 return 1;
3982 }
3983
3984
3985int SSL_get_sigalgs(SSL *s, int idx,
3986 int *psign, int *phash, int *psignhash,
3987 unsigned char *rsig, unsigned char *rhash)
3988 {
3989 const unsigned char *psig = s->cert->peer_sigalgs;
3990 if (psig == NULL)
3991 return 0;
3992 if (idx >= 0)
3993 {
3994 idx <<= 1;
3995 if (idx >= (int)s->cert->peer_sigalgslen)
3996 return 0;
3997 psig += idx;
3998 if (rhash)
3999 *rhash = psig[0];
4000 if (rsig)
4001 *rsig = psig[1];
4002 tls1_lookup_sigalg(phash, psign, psignhash, psig);
4003 }
4004 return s->cert->peer_sigalgslen / 2;
4005 }
4006
4007int SSL_get_shared_sigalgs(SSL *s, int idx,
4008 int *psign, int *phash, int *psignhash,
4009 unsigned char *rsig, unsigned char *rhash)
4010 {
4011 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
4012 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
4013 return 0;
4014 shsigalgs += idx;
4015 if (phash)
4016 *phash = shsigalgs->hash_nid;
4017 if (psign)
4018 *psign = shsigalgs->sign_nid;
4019 if (psignhash)
4020 *psignhash = shsigalgs->signandhash_nid;
4021 if (rsig)
4022 *rsig = shsigalgs->rsign;
4023 if (rhash)
4024 *rhash = shsigalgs->rhash;
4025 return s->cert->shared_sigalgslen;
4026 }
4027
4028
4029#ifndef OPENSSL_NO_HEARTBEATS
4030int
4031tls1_process_heartbeat(SSL *s)
4032 {
4033 unsigned char *p = &s->s3->rrec.data[0], *pl;
4034 unsigned short hbtype;
4035 unsigned int payload;
4036 unsigned int padding = 16; /* Use minimum padding */
4037
4038 /* Read type and payload length first */
4039 hbtype = *p++;
4040 n2s(p, payload);
4041 pl = p;
4042
4043 if (s->msg_callback)
4044 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
4045 &s->s3->rrec.data[0], s->s3->rrec.length,
4046 s, s->msg_callback_arg);
4047
4048 if (hbtype == TLS1_HB_REQUEST)
4049 {
4050 unsigned char *buffer, *bp;
4051 int r;
4052
4053 /* Allocate memory for the response, size is 1 bytes
4054 * message type, plus 2 bytes payload length, plus
4055 * payload, plus padding
4056 */
4057 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
4058 bp = buffer;
4059
4060 /* Enter response type, length and copy payload */
4061 *bp++ = TLS1_HB_RESPONSE;
4062 s2n(payload, bp);
4063 memcpy(bp, pl, payload);
4064 bp += payload;
4065 /* Random padding */
4066 RAND_pseudo_bytes(bp, padding);
4067
4068 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
4069
4070 if (r >= 0 && s->msg_callback)
4071 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4072 buffer, 3 + payload + padding,
4073 s, s->msg_callback_arg);
4074
4075 OPENSSL_free(buffer);
4076
4077 if (r < 0)
4078 return r;
4079 }
4080 else if (hbtype == TLS1_HB_RESPONSE)
4081 {
4082 unsigned int seq;
4083
4084 /* We only send sequence numbers (2 bytes unsigned int),
4085 * and 16 random bytes, so we just try to read the
4086 * sequence number */
4087 n2s(pl, seq);
4088
4089 if (payload == 18 && seq == s->tlsext_hb_seq)
4090 {
4091 s->tlsext_hb_seq++;
4092 s->tlsext_hb_pending = 0;
4093 }
4094 }
4095
4096 return 0;
4097 }
4098
4099int
4100tls1_heartbeat(SSL *s)
4101 {
4102 unsigned char *buf, *p;
4103 int ret;
4104 unsigned int payload = 18; /* Sequence number + random bytes */
4105 unsigned int padding = 16; /* Use minimum padding */
4106
4107 /* Only send if peer supports and accepts HB requests... */
4108 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4109 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4110 {
4111 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4112 return -1;
4113 }
4114
4115 /* ...and there is none in flight yet... */
4116 if (s->tlsext_hb_pending)
4117 {
4118 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PENDING);
4119 return -1;
4120 }
4121
4122 /* ...and no handshake in progress. */
4123 if (SSL_in_init(s) || s->in_handshake)
4124 {
4125 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNEXPECTED_MESSAGE);
4126 return -1;
4127 }
4128
4129 /* Check if padding is too long, payload and padding
4130 * must not exceed 2^14 - 3 = 16381 bytes in total.
4131 */
4132 assert(payload + padding <= 16381);
4133
4134 /* Create HeartBeat message, we just use a sequence number
4135 * as payload to distuingish different messages and add
4136 * some random stuff.
4137 * - Message Type, 1 byte
4138 * - Payload Length, 2 bytes (unsigned int)
4139 * - Payload, the sequence number (2 bytes uint)
4140 * - Payload, random bytes (16 bytes uint)
4141 * - Padding
4142 */
4143 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4144 p = buf;
4145 /* Message Type */
4146 *p++ = TLS1_HB_REQUEST;
4147 /* Payload length (18 bytes here) */
4148 s2n(payload, p);
4149 /* Sequence number */
4150 s2n(s->tlsext_hb_seq, p);
4151 /* 16 random bytes */
4152 RAND_pseudo_bytes(p, 16);
4153 p += 16;
4154 /* Random padding */
4155 RAND_pseudo_bytes(p, padding);
4156
4157 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4158 if (ret >= 0)
4159 {
4160 if (s->msg_callback)
4161 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4162 buf, 3 + payload + padding,
4163 s, s->msg_callback_arg);
4164
4165 s->tlsext_hb_pending = 1;
4166 }
4167
4168 OPENSSL_free(buf);
4169
4170 return ret;
4171 }
4172#endif
4173
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame^]4174#if !defined(OPENSSL_NO_TLSEXT)
4175/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
4176 * SSL connection and writes it to |md|. */
4177int
4178tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
4179 {
4180 EVP_MD_CTX ctx;
4181 unsigned char temp_digest[EVP_MAX_MD_SIZE];
4182 unsigned temp_digest_len;
4183 int i;
4184 static const char kClientIDMagic[] = "TLS Channel ID signature";
4185
4186 if (s->s3->handshake_buffer)
4187 if (!ssl3_digest_cached_records(s))
4188 return 0;
4189
4190 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
4191
4192 if (s->hit && s->s3->tlsext_channel_id_new)
4193 {
4194 static const char kResumptionMagic[] = "Resumption";
4195 EVP_DigestUpdate(md, kResumptionMagic,
4196 sizeof(kResumptionMagic));
4197 if (s->session->original_handshake_hash_len == 0)
4198 return 0;
4199 EVP_DigestUpdate(md, s->session->original_handshake_hash,
4200 s->session->original_handshake_hash_len);
4201 }
4202
4203 EVP_MD_CTX_init(&ctx);
4204 for (i = 0; i < SSL_MAX_DIGEST; i++)
4205 {
4206 if (s->s3->handshake_dgst[i] == NULL)
4207 continue;
4208 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
4209 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
4210 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
4211 }
4212 EVP_MD_CTX_cleanup(&ctx);
4213
4214 return 1;
4215 }
4216#endif
4217
4218/* tls1_record_handshake_hashes_for_channel_id records the current handshake
4219 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
4220int tls1_record_handshake_hashes_for_channel_id(SSL *s)
4221 {
4222 int digest_len;
4223 /* This function should never be called for a resumed session because
4224 * the handshake hashes that we wish to record are for the original,
4225 * full handshake. */
4226 if (s->hit)
4227 return -1;
4228 /* It only makes sense to call this function if Channel IDs have been
4229 * negotiated. */
4230 if (!s->s3->tlsext_channel_id_new)
4231 return -1;
4232
4233 digest_len = tls1_handshake_digest(
4234 s, s->session->original_handshake_hash,
4235 sizeof(s->session->original_handshake_hash));
4236 if (digest_len < 0)
4237 return -1;
4238
4239 s->session->original_handshake_hash_len = digest_len;
4240
4241 return 1;
4242 }
4243
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4244/* TODO(fork): remove */
4245#if 0
4246#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4247
4248typedef struct
4249 {
4250 size_t sigalgcnt;
4251 int sigalgs[MAX_SIGALGLEN];
4252 } sig_cb_st;
4253
4254static int sig_cb(const char *elem, int len, void *arg)
4255 {
4256 sig_cb_st *sarg = arg;
4257 size_t i;
4258 char etmp[20], *p;
4259 int sig_alg, hash_alg;
4260 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4261 return 0;
4262 if (len > (int)(sizeof(etmp) - 1))
4263 return 0;
4264 memcpy(etmp, elem, len);
4265 etmp[len] = 0;
4266 p = strchr(etmp, '+');
4267 if (!p)
4268 return 0;
4269 *p = 0;
4270 p++;
4271 if (!*p)
4272 return 0;
4273
4274 if (!strcmp(etmp, "RSA"))
4275 sig_alg = EVP_PKEY_RSA;
4276 else if (!strcmp(etmp, "DSA"))
4277 sig_alg = EVP_PKEY_DSA;
4278 else if (!strcmp(etmp, "ECDSA"))
4279 sig_alg = EVP_PKEY_EC;
4280 else return 0;
4281
4282 hash_alg = OBJ_sn2nid(p);
4283 if (hash_alg == NID_undef)
4284 hash_alg = OBJ_ln2nid(p);
4285 if (hash_alg == NID_undef)
4286 return 0;
4287
4288 for (i = 0; i < sarg->sigalgcnt; i+=2)
4289 {
4290 if (sarg->sigalgs[i] == sig_alg
4291 && sarg->sigalgs[i + 1] == hash_alg)
4292 return 0;
4293 }
4294 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4295 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4296 return 1;
4297 }
4298
4299/* Set suppored signature algorithms based on a colon separated list
4300 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4301int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4302 {
4303 sig_cb_st sig;
4304 sig.sigalgcnt = 0;
4305 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4306 return 0;
4307 if (c == NULL)
4308 return 1;
4309 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4310 }
4311#endif
4312
4313int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4314 {
4315 unsigned char *sigalgs, *sptr;
4316 int rhash, rsign;
4317 size_t i;
4318 if (salglen & 1)
4319 return 0;
4320 sigalgs = OPENSSL_malloc(salglen);
4321 if (sigalgs == NULL)
4322 return 0;
4323 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4324 {
4325 rhash = tls12_find_id(*psig_nids++, tls12_md,
4326 sizeof(tls12_md)/sizeof(tls12_lookup));
4327 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4328 sizeof(tls12_sig)/sizeof(tls12_lookup));
4329
4330 if (rhash == -1 || rsign == -1)
4331 goto err;
4332 *sptr++ = rhash;
4333 *sptr++ = rsign;
4334 }
4335
4336 if (client)
4337 {
4338 if (c->client_sigalgs)
4339 OPENSSL_free(c->client_sigalgs);
4340 c->client_sigalgs = sigalgs;
4341 c->client_sigalgslen = salglen;
4342 }
4343 else
4344 {
4345 if (c->conf_sigalgs)
4346 OPENSSL_free(c->conf_sigalgs);
4347 c->conf_sigalgs = sigalgs;
4348 c->conf_sigalgslen = salglen;
4349 }
4350
4351 return 1;
4352
4353 err:
4354 OPENSSL_free(sigalgs);
4355 return 0;
4356 }
4357
4358static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4359 {
4360 int sig_nid;
4361 size_t i;
4362 if (default_nid == -1)
4363 return 1;
4364 sig_nid = X509_get_signature_nid(x);
4365 if (default_nid)
4366 return sig_nid == default_nid ? 1 : 0;
4367 for (i = 0; i < c->shared_sigalgslen; i++)
4368 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4369 return 1;
4370 return 0;
4371 }
4372/* Check to see if a certificate issuer name matches list of CA names */
4373static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4374 {
4375 X509_NAME *nm;
4376 int i;
4377 nm = X509_get_issuer_name(x);
4378 for (i = 0; i < sk_X509_NAME_num(names); i++)
4379 {
4380 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4381 return 1;
4382 }
4383 return 0;
4384 }
4385
4386/* Check certificate chain is consistent with TLS extensions and is
4387 * usable by server. This servers two purposes: it allows users to
4388 * check chains before passing them to the server and it allows the
4389 * server to check chains before attempting to use them.
4390 */
4391
4392/* Flags which need to be set for a certificate when stict mode not set */
4393
4394#define CERT_PKEY_VALID_FLAGS \
4395 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4396/* Strict mode flags */
4397#define CERT_PKEY_STRICT_FLAGS \
4398 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4399 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4400
4401int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4402 int idx)
4403 {
4404 int i;
4405 int rv = 0;
4406 int check_flags = 0, strict_mode;
4407 CERT_PKEY *cpk = NULL;
4408 CERT *c = s->cert;
4409 unsigned int suiteb_flags = tls1_suiteb(s);
4410 /* idx == -1 means checking server chains */
4411 if (idx != -1)
4412 {
4413 /* idx == -2 means checking client certificate chains */
4414 if (idx == -2)
4415 {
4416 cpk = c->key;
4417 idx = cpk - c->pkeys;
4418 }
4419 else
4420 cpk = c->pkeys + idx;
4421 x = cpk->x509;
4422 pk = cpk->privatekey;
4423 chain = cpk->chain;
4424 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4425 /* If no cert or key, forget it */
4426 if (!x || !pk)
4427 goto end;
4428#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4429 /* Allow any certificate to pass test */
4430 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4431 {
4432 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4433 cpk->valid_flags = rv;
4434 return rv;
4435 }
4436#endif
4437 }
4438 else
4439 {
4440 if (!x || !pk)
4441 goto end;
4442 idx = ssl_cert_type(x, pk);
4443 if (idx == -1)
4444 goto end;
4445 cpk = c->pkeys + idx;
4446 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4447 check_flags = CERT_PKEY_STRICT_FLAGS;
4448 else
4449 check_flags = CERT_PKEY_VALID_FLAGS;
4450 strict_mode = 1;
4451 }
4452
4453 if (suiteb_flags)
4454 {
4455 int ok;
4456 if (check_flags)
4457 check_flags |= CERT_PKEY_SUITEB;
4458 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4459 if (ok != X509_V_OK)
4460 {
4461 if (check_flags)
4462 rv |= CERT_PKEY_SUITEB;
4463 else
4464 goto end;
4465 }
4466 }
4467
4468 /* Check all signature algorithms are consistent with
4469 * signature algorithms extension if TLS 1.2 or later
4470 * and strict mode.
4471 */
4472 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4473 {
4474 int default_nid;
4475 unsigned char rsign = 0;
4476 if (c->peer_sigalgs)
4477 default_nid = 0;
4478 /* If no sigalgs extension use defaults from RFC5246 */
4479 else
4480 {
4481 switch(idx)
4482 {
4483 case SSL_PKEY_RSA_ENC:
4484 case SSL_PKEY_RSA_SIGN:
4485 case SSL_PKEY_DH_RSA:
4486 rsign = TLSEXT_signature_rsa;
4487 default_nid = NID_sha1WithRSAEncryption;
4488 break;
4489
4490 case SSL_PKEY_DSA_SIGN:
4491 case SSL_PKEY_DH_DSA:
4492 rsign = TLSEXT_signature_dsa;
4493 default_nid = NID_dsaWithSHA1;
4494 break;
4495
4496 case SSL_PKEY_ECC:
4497 rsign = TLSEXT_signature_ecdsa;
4498 default_nid = NID_ecdsa_with_SHA1;
4499 break;
4500
4501 default:
4502 default_nid = -1;
4503 break;
4504 }
4505 }
4506 /* If peer sent no signature algorithms extension and we
4507 * have set preferred signature algorithms check we support
4508 * sha1.
4509 */
4510 if (default_nid > 0 && c->conf_sigalgs)
4511 {
4512 size_t j;
4513 const unsigned char *p = c->conf_sigalgs;
4514 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4515 {
4516 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4517 break;
4518 }
4519 if (j == c->conf_sigalgslen)
4520 {
4521 if (check_flags)
4522 goto skip_sigs;
4523 else
4524 goto end;
4525 }
4526 }
4527 /* Check signature algorithm of each cert in chain */
4528 if (!tls1_check_sig_alg(c, x, default_nid))
4529 {
4530 if (!check_flags) goto end;
4531 }
4532 else
4533 rv |= CERT_PKEY_EE_SIGNATURE;
4534 rv |= CERT_PKEY_CA_SIGNATURE;
4535 for (i = 0; i < sk_X509_num(chain); i++)
4536 {
4537 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4538 default_nid))
4539 {
4540 if (check_flags)
4541 {
4542 rv &= ~CERT_PKEY_CA_SIGNATURE;
4543 break;
4544 }
4545 else
4546 goto end;
4547 }
4548 }
4549 }
4550 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4551 else if(check_flags)
4552 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4553 skip_sigs:
4554 /* Check cert parameters are consistent */
4555 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4556 rv |= CERT_PKEY_EE_PARAM;
4557 else if (!check_flags)
4558 goto end;
4559 if (!s->server)
4560 rv |= CERT_PKEY_CA_PARAM;
4561 /* In strict mode check rest of chain too */
4562 else if (strict_mode)
4563 {
4564 rv |= CERT_PKEY_CA_PARAM;
4565 for (i = 0; i < sk_X509_num(chain); i++)
4566 {
4567 X509 *ca = sk_X509_value(chain, i);
4568 if (!tls1_check_cert_param(s, ca, 0))
4569 {
4570 if (check_flags)
4571 {
4572 rv &= ~CERT_PKEY_CA_PARAM;
4573 break;
4574 }
4575 else
4576 goto end;
4577 }
4578 }
4579 }
4580 if (!s->server && strict_mode)
4581 {
4582 STACK_OF(X509_NAME) *ca_dn;
4583 int check_type = 0;
4584 switch (pk->type)
4585 {
4586 case EVP_PKEY_RSA:
4587 check_type = TLS_CT_RSA_SIGN;
4588 break;
4589 case EVP_PKEY_DSA:
4590 check_type = TLS_CT_DSS_SIGN;
4591 break;
4592 case EVP_PKEY_EC:
4593 check_type = TLS_CT_ECDSA_SIGN;
4594 break;
4595 case EVP_PKEY_DH:
4596 case EVP_PKEY_DHX:
4597 {
4598 int cert_type = X509_certificate_type(x, pk);
4599 if (cert_type & EVP_PKS_RSA)
4600 check_type = TLS_CT_RSA_FIXED_DH;
4601 if (cert_type & EVP_PKS_DSA)
4602 check_type = TLS_CT_DSS_FIXED_DH;
4603 }
4604 }
4605 if (check_type)
4606 {
4607 const unsigned char *ctypes;
4608 int ctypelen;
4609 if (c->ctypes)
4610 {
4611 ctypes = c->ctypes;
4612 ctypelen = (int)c->ctype_num;
4613 }
4614 else
4615 {
4616 ctypes = (unsigned char *)s->s3->tmp.ctype;
4617 ctypelen = s->s3->tmp.ctype_num;
4618 }
4619 for (i = 0; i < ctypelen; i++)
4620 {
4621 if (ctypes[i] == check_type)
4622 {
4623 rv |= CERT_PKEY_CERT_TYPE;
4624 break;
4625 }
4626 }
4627 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4628 goto end;
4629 }
4630 else
4631 rv |= CERT_PKEY_CERT_TYPE;
4632
4633
4634 ca_dn = s->s3->tmp.ca_names;
4635
4636 if (!sk_X509_NAME_num(ca_dn))
4637 rv |= CERT_PKEY_ISSUER_NAME;
4638
4639 if (!(rv & CERT_PKEY_ISSUER_NAME))
4640 {
4641 if (ssl_check_ca_name(ca_dn, x))
4642 rv |= CERT_PKEY_ISSUER_NAME;
4643 }
4644 if (!(rv & CERT_PKEY_ISSUER_NAME))
4645 {
4646 for (i = 0; i < sk_X509_num(chain); i++)
4647 {
4648 X509 *xtmp = sk_X509_value(chain, i);
4649 if (ssl_check_ca_name(ca_dn, xtmp))
4650 {
4651 rv |= CERT_PKEY_ISSUER_NAME;
4652 break;
4653 }
4654 }
4655 }
4656 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4657 goto end;
4658 }
4659 else
4660 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4661
4662 if (!check_flags || (rv & check_flags) == check_flags)
4663 rv |= CERT_PKEY_VALID;
4664
4665 end:
4666
4667 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4668 {
4669 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4670 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4671 else if (cpk->digest)
4672 rv |= CERT_PKEY_SIGN;
4673 }
4674 else
4675 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4676
4677 /* When checking a CERT_PKEY structure all flags are irrelevant
4678 * if the chain is invalid.
4679 */
4680 if (!check_flags)
4681 {
4682 if (rv & CERT_PKEY_VALID)
4683 cpk->valid_flags = rv;
4684 else
4685 {
4686 /* Preserve explicit sign flag, clear rest */
4687 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4688 return 0;
4689 }
4690 }
4691 return rv;
4692 }
4693
4694/* Set validity of certificates in an SSL structure */
4695void tls1_set_cert_validity(SSL *s)
4696 {
4697 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4698 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4699 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4700 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4701 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4702 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4703 }
4704/* User level utiity function to check a chain is suitable */
4705int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4706 {
4707 return tls1_check_chain(s, x, pk, chain, -1);
4708 }
4709
4710#endif