blob: 301d49a1d4d13ed708be1d502f061ececb23b9d3 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
David Benjamin9e4e01e2015-09-15 01:48:04 -0400109#include <openssl/ssl.h>
110
David Benjaminf0ae1702015-04-07 23:05:04 -0400111#include <assert.h>
David Benjamine3aa1d92015-06-16 15:34:50 -0400112#include <limits.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700113#include <stdio.h>
David Benjamin35a7a442014-07-05 00:23:20 -0400114#include <stdlib.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400115#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700116
David Benjamin03973092014-06-24 23:27:17 -0400117#include <openssl/bytestring.h>
David Benjamind6a4ae92015-08-06 11:10:51 -0400118#include <openssl/digest.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400119#include <openssl/err.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700120#include <openssl/evp.h>
121#include <openssl/hmac.h>
122#include <openssl/mem.h>
123#include <openssl/obj.h>
124#include <openssl/rand.h>
Matt Braithwaitee564a5b2015-09-30 15:24:05 -0700125#include <openssl/type_check.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700126
David Benjamin2ee94aa2015-04-07 22:38:30 -0400127#include "internal.h"
Adam Langleyfcf25832014-12-18 17:42:32 -0800128
129
David Benjamin6c7aed02014-08-27 16:42:38 -0400130static int ssl_check_clienthello_tlsext(SSL *s);
131static int ssl_check_serverhello_tlsext(SSL *s);
Adam Langley95c29f32014-06-20 12:00:00 -0700132
David Benjamin338fcaf2014-12-11 01:20:52 -0500133const SSL3_ENC_METHOD TLSv1_enc_data = {
David Benjamin41ac9792014-12-23 10:41:06 -0500134 tls1_prf,
Adam Langleyfcf25832014-12-18 17:42:32 -0800135 tls1_setup_key_block,
136 tls1_generate_master_secret,
137 tls1_change_cipher_state,
138 tls1_final_finish_mac,
Adam Langleyfcf25832014-12-18 17:42:32 -0800139 tls1_cert_verify_mac,
140 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
141 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
142 tls1_alert_code,
143 tls1_export_keying_material,
144 0,
Adam Langleyfcf25832014-12-18 17:42:32 -0800145};
Adam Langley95c29f32014-06-20 12:00:00 -0700146
David Benjamin338fcaf2014-12-11 01:20:52 -0500147const SSL3_ENC_METHOD TLSv1_1_enc_data = {
David Benjamin41ac9792014-12-23 10:41:06 -0500148 tls1_prf,
Adam Langleyfcf25832014-12-18 17:42:32 -0800149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
Adam Langleyfcf25832014-12-18 17:42:32 -0800153 tls1_cert_verify_mac,
154 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
155 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
156 tls1_alert_code,
157 tls1_export_keying_material,
158 SSL_ENC_FLAG_EXPLICIT_IV,
Adam Langleyfcf25832014-12-18 17:42:32 -0800159};
Adam Langley95c29f32014-06-20 12:00:00 -0700160
David Benjamin338fcaf2014-12-11 01:20:52 -0500161const SSL3_ENC_METHOD TLSv1_2_enc_data = {
David Benjamin41ac9792014-12-23 10:41:06 -0500162 tls1_prf,
Adam Langleyfcf25832014-12-18 17:42:32 -0800163 tls1_setup_key_block,
164 tls1_generate_master_secret,
165 tls1_change_cipher_state,
166 tls1_final_finish_mac,
Adam Langleyfcf25832014-12-18 17:42:32 -0800167 tls1_cert_verify_mac,
168 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
169 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
170 tls1_alert_code,
171 tls1_export_keying_material,
David Benjaminc7817d82015-11-05 18:28:33 -0500172 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
Adam Langleyfcf25832014-12-18 17:42:32 -0800173};
Adam Langley95c29f32014-06-20 12:00:00 -0700174
Adam Langleyfcf25832014-12-18 17:42:32 -0800175static int compare_uint16_t(const void *p1, const void *p2) {
176 uint16_t u1 = *((const uint16_t *)p1);
177 uint16_t u2 = *((const uint16_t *)p2);
178 if (u1 < u2) {
179 return -1;
180 } else if (u1 > u2) {
181 return 1;
182 } else {
183 return 0;
184 }
185}
David Benjamin35a7a442014-07-05 00:23:20 -0400186
Adam Langleyfcf25832014-12-18 17:42:32 -0800187/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
188 * more than one extension of the same type in a ClientHello or ServerHello.
189 * This function does an initial scan over the extensions block to filter those
David Benjamin35a7a442014-07-05 00:23:20 -0400190 * out. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800191static int tls1_check_duplicate_extensions(const CBS *cbs) {
192 CBS extensions = *cbs;
193 size_t num_extensions = 0, i = 0;
194 uint16_t *extension_types = NULL;
195 int ret = 0;
David Benjamin35a7a442014-07-05 00:23:20 -0400196
Adam Langleyfcf25832014-12-18 17:42:32 -0800197 /* First pass: count the extensions. */
198 while (CBS_len(&extensions) > 0) {
199 uint16_t type;
200 CBS extension;
David Benjamin35a7a442014-07-05 00:23:20 -0400201
Adam Langleyfcf25832014-12-18 17:42:32 -0800202 if (!CBS_get_u16(&extensions, &type) ||
203 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
204 goto done;
205 }
David Benjamin35a7a442014-07-05 00:23:20 -0400206
Adam Langleyfcf25832014-12-18 17:42:32 -0800207 num_extensions++;
208 }
David Benjamin35a7a442014-07-05 00:23:20 -0400209
Adam Langleyfcf25832014-12-18 17:42:32 -0800210 if (num_extensions == 0) {
211 return 1;
212 }
David Benjamin9a373592014-07-25 04:27:53 -0400213
Adam Langleyfcf25832014-12-18 17:42:32 -0800214 extension_types =
215 (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * num_extensions);
216 if (extension_types == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400217 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800218 goto done;
219 }
David Benjamin35a7a442014-07-05 00:23:20 -0400220
Adam Langleyfcf25832014-12-18 17:42:32 -0800221 /* Second pass: gather the extension types. */
222 extensions = *cbs;
223 for (i = 0; i < num_extensions; i++) {
224 CBS extension;
David Benjamin35a7a442014-07-05 00:23:20 -0400225
Adam Langleyfcf25832014-12-18 17:42:32 -0800226 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
227 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
228 /* This should not happen. */
229 goto done;
230 }
231 }
232 assert(CBS_len(&extensions) == 0);
David Benjamin35a7a442014-07-05 00:23:20 -0400233
Adam Langleyfcf25832014-12-18 17:42:32 -0800234 /* Sort the extensions and make sure there are no duplicates. */
235 qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
236 for (i = 1; i < num_extensions; i++) {
237 if (extension_types[i - 1] == extension_types[i]) {
238 goto done;
239 }
240 }
David Benjamin35a7a442014-07-05 00:23:20 -0400241
Adam Langleyfcf25832014-12-18 17:42:32 -0800242 ret = 1;
243
David Benjamin35a7a442014-07-05 00:23:20 -0400244done:
David Benjamin2755a3e2015-04-22 16:17:58 -0400245 OPENSSL_free(extension_types);
Adam Langleyfcf25832014-12-18 17:42:32 -0800246 return ret;
247}
David Benjamin35a7a442014-07-05 00:23:20 -0400248
Adam Langleyfcf25832014-12-18 17:42:32 -0800249char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx) {
250 CBS client_hello, session_id, cipher_suites, compression_methods, extensions;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400251
Adam Langleyfcf25832014-12-18 17:42:32 -0800252 CBS_init(&client_hello, ctx->client_hello, ctx->client_hello_len);
Adam Langleydc9b1412014-06-20 12:00:00 -0700253
Adam Langleyfcf25832014-12-18 17:42:32 -0800254 if (/* Skip client version. */
255 !CBS_skip(&client_hello, 2) ||
256 /* Skip client nonce. */
257 !CBS_skip(&client_hello, 32) ||
258 /* Extract session_id. */
259 !CBS_get_u8_length_prefixed(&client_hello, &session_id)) {
260 return 0;
261 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700262
Adam Langleyfcf25832014-12-18 17:42:32 -0800263 ctx->session_id = CBS_data(&session_id);
264 ctx->session_id_len = CBS_len(&session_id);
Adam Langleydc9b1412014-06-20 12:00:00 -0700265
Adam Langleyfcf25832014-12-18 17:42:32 -0800266 /* Skip past DTLS cookie */
267 if (SSL_IS_DTLS(ctx->ssl)) {
268 CBS cookie;
Adam Langleydc9b1412014-06-20 12:00:00 -0700269
Adam Langleyfcf25832014-12-18 17:42:32 -0800270 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie)) {
271 return 0;
272 }
273 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700274
Adam Langleyfcf25832014-12-18 17:42:32 -0800275 /* Extract cipher_suites. */
276 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
277 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0) {
278 return 0;
279 }
280 ctx->cipher_suites = CBS_data(&cipher_suites);
281 ctx->cipher_suites_len = CBS_len(&cipher_suites);
Adam Langleydc9b1412014-06-20 12:00:00 -0700282
Adam Langleyfcf25832014-12-18 17:42:32 -0800283 /* Extract compression_methods. */
284 if (!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
285 CBS_len(&compression_methods) < 1) {
286 return 0;
287 }
288 ctx->compression_methods = CBS_data(&compression_methods);
289 ctx->compression_methods_len = CBS_len(&compression_methods);
Adam Langleydc9b1412014-06-20 12:00:00 -0700290
Adam Langleyfcf25832014-12-18 17:42:32 -0800291 /* If the ClientHello ends here then it's valid, but doesn't have any
292 * extensions. (E.g. SSLv3.) */
293 if (CBS_len(&client_hello) == 0) {
294 ctx->extensions = NULL;
295 ctx->extensions_len = 0;
296 return 1;
297 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700298
Adam Langleyfcf25832014-12-18 17:42:32 -0800299 /* Extract extensions and check it is valid. */
300 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
301 !tls1_check_duplicate_extensions(&extensions) ||
302 CBS_len(&client_hello) != 0) {
303 return 0;
304 }
305 ctx->extensions = CBS_data(&extensions);
306 ctx->extensions_len = CBS_len(&extensions);
Adam Langleydc9b1412014-06-20 12:00:00 -0700307
Adam Langleyfcf25832014-12-18 17:42:32 -0800308 return 1;
309}
Adam Langleydc9b1412014-06-20 12:00:00 -0700310
David Benjamind4c2bce2015-10-17 12:28:18 -0400311int SSL_early_callback_ctx_extension_get(
Adam Langleyfcf25832014-12-18 17:42:32 -0800312 const struct ssl_early_callback_ctx *ctx, uint16_t extension_type,
313 const uint8_t **out_data, size_t *out_len) {
314 CBS extensions;
Adam Langleydc9b1412014-06-20 12:00:00 -0700315
Adam Langleyfcf25832014-12-18 17:42:32 -0800316 CBS_init(&extensions, ctx->extensions, ctx->extensions_len);
Adam Langleydc9b1412014-06-20 12:00:00 -0700317
Adam Langleyfcf25832014-12-18 17:42:32 -0800318 while (CBS_len(&extensions) != 0) {
319 uint16_t type;
320 CBS extension;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400321
Adam Langleyfcf25832014-12-18 17:42:32 -0800322 /* Decode the next extension. */
323 if (!CBS_get_u16(&extensions, &type) ||
324 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
325 return 0;
326 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700327
Adam Langleyfcf25832014-12-18 17:42:32 -0800328 if (type == extension_type) {
329 *out_data = CBS_data(&extension);
330 *out_len = CBS_len(&extension);
331 return 1;
332 }
333 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700334
Adam Langleyfcf25832014-12-18 17:42:32 -0800335 return 0;
336}
Adam Langley95c29f32014-06-20 12:00:00 -0700337
David Benjamin52e5bac2014-12-27 02:27:35 -0500338struct tls_curve {
339 uint16_t curve_id;
340 int nid;
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200341 const char curve_name[8];
David Benjamin52e5bac2014-12-27 02:27:35 -0500342};
343
David Benjamin70bd80a2014-12-27 03:06:46 -0500344/* ECC curves from RFC4492. */
David Benjamin52e5bac2014-12-27 02:27:35 -0500345static const struct tls_curve tls_curves[] = {
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200346 {21, NID_secp224r1, "P-224"},
347 {23, NID_X9_62_prime256v1, "P-256"},
348 {24, NID_secp384r1, "P-384"},
349 {25, NID_secp521r1, "P-521"},
Adam Langleyfcf25832014-12-18 17:42:32 -0800350};
Adam Langley95c29f32014-06-20 12:00:00 -0700351
Adam Langleyfcf25832014-12-18 17:42:32 -0800352static const uint16_t eccurves_default[] = {
David Benjamin55a43642015-04-20 14:45:55 -0400353 23, /* X9_62_prime256v1 */
David Benjamin52e5bac2014-12-27 02:27:35 -0500354 24, /* secp384r1 */
Adam Langleyd98dc132015-09-23 16:41:33 -0700355#if defined(BORINGSSL_ANDROID_SYSTEM)
356 25, /* secp521r1 */
357#endif
Adam Langleyfcf25832014-12-18 17:42:32 -0800358};
Adam Langley95c29f32014-06-20 12:00:00 -0700359
Adam Langleyfcf25832014-12-18 17:42:32 -0800360int tls1_ec_curve_id2nid(uint16_t curve_id) {
David Benjamin52e5bac2014-12-27 02:27:35 -0500361 size_t i;
362 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) {
363 if (curve_id == tls_curves[i].curve_id) {
364 return tls_curves[i].nid;
365 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800366 }
David Benjamin52e5bac2014-12-27 02:27:35 -0500367 return NID_undef;
Adam Langleyfcf25832014-12-18 17:42:32 -0800368}
Adam Langley95c29f32014-06-20 12:00:00 -0700369
David Benjamin70bd80a2014-12-27 03:06:46 -0500370int tls1_ec_nid2curve_id(uint16_t *out_curve_id, int nid) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800371 size_t i;
David Benjamin52e5bac2014-12-27 02:27:35 -0500372 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) {
373 if (nid == tls_curves[i].nid) {
David Benjamin70bd80a2014-12-27 03:06:46 -0500374 *out_curve_id = tls_curves[i].curve_id;
375 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800376 }
377 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800378 return 0;
379}
380
Sigbjorn Vik2b23d242015-06-29 15:07:26 +0200381const char* tls1_ec_curve_id2name(uint16_t curve_id) {
382 size_t i;
383 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) {
384 if (curve_id == tls_curves[i].curve_id) {
385 return tls_curves[i].curve_name;
386 }
387 }
388 return NULL;
389}
390
Adam Langleyfcf25832014-12-18 17:42:32 -0800391/* tls1_get_curvelist sets |*out_curve_ids| and |*out_curve_ids_len| to the
392 * list of allowed curve IDs. If |get_peer_curves| is non-zero, return the
393 * peer's curve list. Otherwise, return the preferred list. */
David Benjamin42e9a772014-09-02 23:18:44 -0400394static void tls1_get_curvelist(SSL *s, int get_peer_curves,
Adam Langleyfcf25832014-12-18 17:42:32 -0800395 const uint16_t **out_curve_ids,
396 size_t *out_curve_ids_len) {
397 if (get_peer_curves) {
David Benjamin55a43642015-04-20 14:45:55 -0400398 /* Only clients send a curve list, so this function is only called
399 * on the server. */
400 assert(s->server);
Adam Langleyfcf25832014-12-18 17:42:32 -0800401 *out_curve_ids = s->s3->tmp.peer_ellipticcurvelist;
402 *out_curve_ids_len = s->s3->tmp.peer_ellipticcurvelist_length;
403 return;
404 }
Adam Langley95c29f32014-06-20 12:00:00 -0700405
Adam Langleyfcf25832014-12-18 17:42:32 -0800406 *out_curve_ids = s->tlsext_ellipticcurvelist;
407 *out_curve_ids_len = s->tlsext_ellipticcurvelist_length;
408 if (!*out_curve_ids) {
409 *out_curve_ids = eccurves_default;
410 *out_curve_ids_len = sizeof(eccurves_default) / sizeof(eccurves_default[0]);
411 }
412}
David Benjamined439582014-07-14 19:13:02 -0400413
Adam Langleyfcf25832014-12-18 17:42:32 -0800414int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id) {
415 uint8_t curve_type;
416 uint16_t curve_id;
417 const uint16_t *curves;
418 size_t curves_len, i;
David Benjamined439582014-07-14 19:13:02 -0400419
Adam Langleyfcf25832014-12-18 17:42:32 -0800420 /* Only support named curves. */
421 if (!CBS_get_u8(cbs, &curve_type) ||
422 curve_type != NAMED_CURVE_TYPE ||
423 !CBS_get_u16(cbs, &curve_id)) {
424 return 0;
425 }
David Benjamined439582014-07-14 19:13:02 -0400426
Adam Langleyfcf25832014-12-18 17:42:32 -0800427 tls1_get_curvelist(s, 0, &curves, &curves_len);
428 for (i = 0; i < curves_len; i++) {
429 if (curve_id == curves[i]) {
430 *out_curve_id = curve_id;
431 return 1;
432 }
433 }
Adam Langley95c29f32014-06-20 12:00:00 -0700434
Adam Langleyfcf25832014-12-18 17:42:32 -0800435 return 0;
436}
David Benjamin072334d2014-07-13 16:24:27 -0400437
Adam Langleyfcf25832014-12-18 17:42:32 -0800438int tls1_get_shared_curve(SSL *s) {
David Benjamin55a43642015-04-20 14:45:55 -0400439 const uint16_t *curves, *peer_curves, *pref, *supp;
440 size_t curves_len, peer_curves_len, pref_len, supp_len, i, j;
David Benjamin072334d2014-07-13 16:24:27 -0400441
Adam Langleyfcf25832014-12-18 17:42:32 -0800442 /* Can't do anything on client side */
443 if (s->server == 0) {
444 return NID_undef;
445 }
446
David Benjamin55a43642015-04-20 14:45:55 -0400447 tls1_get_curvelist(s, 0 /* local curves */, &curves, &curves_len);
448 tls1_get_curvelist(s, 1 /* peer curves */, &peer_curves, &peer_curves_len);
Adam Langleyfcf25832014-12-18 17:42:32 -0800449
David Benjamin55a43642015-04-20 14:45:55 -0400450 if (peer_curves_len == 0) {
451 /* Clients are not required to send a supported_curves extension. In this
452 * case, the server is free to pick any curve it likes. See RFC 4492,
453 * section 4, paragraph 3. */
454 return (curves_len == 0) ? NID_undef : tls1_ec_curve_id2nid(curves[0]);
455 }
456
457 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
458 pref = curves;
459 pref_len = curves_len;
460 supp = peer_curves;
461 supp_len = peer_curves_len;
462 } else {
463 pref = peer_curves;
464 pref_len = peer_curves_len;
465 supp = curves;
466 supp_len = curves_len;
467 }
468
469 for (i = 0; i < pref_len; i++) {
470 for (j = 0; j < supp_len; j++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800471 if (pref[i] == supp[j]) {
472 return tls1_ec_curve_id2nid(pref[i]);
473 }
474 }
475 }
476
477 return NID_undef;
478}
Adam Langley95c29f32014-06-20 12:00:00 -0700479
David Benjamin072334d2014-07-13 16:24:27 -0400480int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,
Adam Langleyfcf25832014-12-18 17:42:32 -0800481 const int *curves, size_t ncurves) {
482 uint16_t *curve_ids;
483 size_t i;
484
Adam Langleyfcf25832014-12-18 17:42:32 -0800485 curve_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t));
486 if (curve_ids == NULL) {
487 return 0;
488 }
489
490 for (i = 0; i < ncurves; i++) {
David Benjamin70bd80a2014-12-27 03:06:46 -0500491 if (!tls1_ec_nid2curve_id(&curve_ids[i], curves[i])) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800492 OPENSSL_free(curve_ids);
493 return 0;
494 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800495 }
496
David Benjamin2755a3e2015-04-22 16:17:58 -0400497 OPENSSL_free(*out_curve_ids);
Adam Langleyfcf25832014-12-18 17:42:32 -0800498 *out_curve_ids = curve_ids;
499 *out_curve_ids_len = ncurves;
500
501 return 1;
502}
Adam Langley95c29f32014-06-20 12:00:00 -0700503
David Benjamin072334d2014-07-13 16:24:27 -0400504/* tls1_curve_params_from_ec_key sets |*out_curve_id| and |*out_comp_id| to the
505 * TLS curve ID and point format, respectively, for |ec|. It returns one on
506 * success and zero on failure. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800507static int tls1_curve_params_from_ec_key(uint16_t *out_curve_id,
508 uint8_t *out_comp_id, EC_KEY *ec) {
509 int nid;
510 uint16_t id;
511 const EC_GROUP *grp;
Adam Langley95c29f32014-06-20 12:00:00 -0700512
Adam Langleyfcf25832014-12-18 17:42:32 -0800513 if (ec == NULL) {
514 return 0;
515 }
Adam Langley95c29f32014-06-20 12:00:00 -0700516
Adam Langleyfcf25832014-12-18 17:42:32 -0800517 grp = EC_KEY_get0_group(ec);
518 if (grp == NULL) {
519 return 0;
520 }
David Benjamin072334d2014-07-13 16:24:27 -0400521
Adam Langleyfcf25832014-12-18 17:42:32 -0800522 /* Determine curve ID */
523 nid = EC_GROUP_get_curve_name(grp);
David Benjamin70bd80a2014-12-27 03:06:46 -0500524 if (!tls1_ec_nid2curve_id(&id, nid)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800525 return 0;
526 }
David Benjamin072334d2014-07-13 16:24:27 -0400527
Adam Langleyfcf25832014-12-18 17:42:32 -0800528 /* Set the named curve ID. Arbitrary explicit curves are not supported. */
529 *out_curve_id = id;
530
531 if (out_comp_id) {
532 if (EC_KEY_get0_public_key(ec) == NULL) {
533 return 0;
534 }
535 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
536 *out_comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
537 } else {
538 *out_comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
539 }
540 }
541
542 return 1;
543}
David Benjamin072334d2014-07-13 16:24:27 -0400544
Adam Langleyfcf25832014-12-18 17:42:32 -0800545/* tls1_check_curve_id returns one if |curve_id| is consistent with both our
546 * and the peer's curve preferences. Note: if called as the client, only our
David Benjamin42e9a772014-09-02 23:18:44 -0400547 * preferences are checked; the peer (the server) does not send preferences. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800548static int tls1_check_curve_id(SSL *s, uint16_t curve_id) {
549 const uint16_t *curves;
David Benjamin55a43642015-04-20 14:45:55 -0400550 size_t curves_len, i, get_peer_curves;
David Benjamin42e9a772014-09-02 23:18:44 -0400551
Adam Langleyfcf25832014-12-18 17:42:32 -0800552 /* Check against our list, then the peer's list. */
David Benjamin55a43642015-04-20 14:45:55 -0400553 for (get_peer_curves = 0; get_peer_curves <= 1; get_peer_curves++) {
554 if (get_peer_curves && !s->server) {
555 /* Servers do not present a preference list so, if we are a client, only
556 * check our list. */
557 continue;
558 }
559
560 tls1_get_curvelist(s, get_peer_curves, &curves, &curves_len);
561 if (get_peer_curves && curves_len == 0) {
562 /* Clients are not required to send a supported_curves extension. In this
563 * case, the server is free to pick any curve it likes. See RFC 4492,
564 * section 4, paragraph 3. */
565 continue;
566 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800567 for (i = 0; i < curves_len; i++) {
568 if (curves[i] == curve_id) {
569 break;
570 }
571 }
Adam Langley95c29f32014-06-20 12:00:00 -0700572
Adam Langleyfcf25832014-12-18 17:42:32 -0800573 if (i == curves_len) {
574 return 0;
575 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800576 }
David Benjamin033e5f42014-11-13 18:47:41 -0500577
Adam Langleyfcf25832014-12-18 17:42:32 -0800578 return 1;
579}
David Benjamin033e5f42014-11-13 18:47:41 -0500580
Adam Langleyfcf25832014-12-18 17:42:32 -0800581int tls1_check_ec_cert(SSL *s, X509 *x) {
582 int ret = 0;
583 EVP_PKEY *pkey = X509_get_pubkey(x);
584 uint16_t curve_id;
585 uint8_t comp_id;
586
587 if (!pkey ||
588 pkey->type != EVP_PKEY_EC ||
589 !tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec) ||
590 !tls1_check_curve_id(s, curve_id) ||
David Benjaminfc059942015-07-30 23:01:59 -0400591 comp_id != TLSEXT_ECPOINTFORMAT_uncompressed) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800592 goto done;
593 }
594
595 ret = 1;
David Benjamin033e5f42014-11-13 18:47:41 -0500596
597done:
David Benjamin2755a3e2015-04-22 16:17:58 -0400598 EVP_PKEY_free(pkey);
Adam Langleyfcf25832014-12-18 17:42:32 -0800599 return ret;
600}
David Benjamin42e9a772014-09-02 23:18:44 -0400601
Adam Langleyfcf25832014-12-18 17:42:32 -0800602int tls1_check_ec_tmp_key(SSL *s) {
David Benjaminc0f763b2015-03-27 02:05:39 -0400603 if (s->cert->ecdh_nid != NID_undef) {
David Benjamindd978782015-04-24 15:20:13 -0400604 /* If the curve is preconfigured, ECDH is acceptable iff the peer supports
David Benjaminc0f763b2015-03-27 02:05:39 -0400605 * the curve. */
606 uint16_t curve_id;
607 return tls1_ec_nid2curve_id(&curve_id, s->cert->ecdh_nid) &&
608 tls1_check_curve_id(s, curve_id);
Adam Langleyfcf25832014-12-18 17:42:32 -0800609 }
610
David Benjamindd978782015-04-24 15:20:13 -0400611 if (s->cert->ecdh_tmp_cb != NULL) {
612 /* Assume the callback will provide an acceptable curve. */
613 return 1;
614 }
615
616 /* Otherwise, the curve gets selected automatically. ECDH is acceptable iff
617 * there is a shared curve. */
618 return tls1_get_shared_curve(s) != NID_undef;
Adam Langleyfcf25832014-12-18 17:42:32 -0800619}
Adam Langley95c29f32014-06-20 12:00:00 -0700620
621/* List of supported signature algorithms and hashes. Should make this
Adam Langleyfcf25832014-12-18 17:42:32 -0800622 * customisable at some point, for now include everything we support. */
Adam Langley95c29f32014-06-20 12:00:00 -0700623
Adam Langley95c29f32014-06-20 12:00:00 -0700624#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
Adam Langley95c29f32014-06-20 12:00:00 -0700625
Adam Langley95c29f32014-06-20 12:00:00 -0700626#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
Adam Langley95c29f32014-06-20 12:00:00 -0700627
Adam Langleyfcf25832014-12-18 17:42:32 -0800628#define tlsext_sigalg(md) tlsext_sigalg_rsa(md) tlsext_sigalg_ecdsa(md)
Adam Langley95c29f32014-06-20 12:00:00 -0700629
David Benjamincff64722014-08-19 19:54:46 -0400630static const uint8_t tls12_sigalgs[] = {
Adam Langleyfcf25832014-12-18 17:42:32 -0800631 tlsext_sigalg(TLSEXT_hash_sha512)
632 tlsext_sigalg(TLSEXT_hash_sha384)
633 tlsext_sigalg(TLSEXT_hash_sha256)
634 tlsext_sigalg(TLSEXT_hash_sha224)
635 tlsext_sigalg(TLSEXT_hash_sha1)
Adam Langley95c29f32014-06-20 12:00:00 -0700636};
David Benjamin05da6e12014-07-12 20:42:55 -0400637
Adam Langleyfcf25832014-12-18 17:42:32 -0800638size_t tls12_get_psigalgs(SSL *s, const uint8_t **psigs) {
David Benjamin3dd90162015-08-09 11:26:40 -0400639 *psigs = tls12_sigalgs;
640 return sizeof(tls12_sigalgs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800641}
Adam Langley95c29f32014-06-20 12:00:00 -0700642
Adam Langleyfcf25832014-12-18 17:42:32 -0800643/* tls12_check_peer_sigalg parses a SignatureAndHashAlgorithm out of |cbs|. It
644 * checks it is consistent with |s|'s sent supported signature algorithms and,
645 * if so, writes the relevant digest into |*out_md| and returns 1. Otherwise it
646 * returns 0 and writes an alert into |*out_alert|. */
647int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s,
648 CBS *cbs, EVP_PKEY *pkey) {
649 const uint8_t *sent_sigs;
650 size_t sent_sigslen, i;
David Benjaminb4d65fd2015-05-29 17:11:21 -0400651 int sigalg = tls12_get_sigid(pkey->type);
Adam Langleyfcf25832014-12-18 17:42:32 -0800652 uint8_t hash, signature;
653
654 /* Should never happen */
655 if (sigalg == -1) {
David Benjamin3570d732015-06-29 00:28:17 -0400656 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -0800657 *out_alert = SSL_AD_INTERNAL_ERROR;
658 return 0;
659 }
660
661 if (!CBS_get_u8(cbs, &hash) ||
662 !CBS_get_u8(cbs, &signature)) {
David Benjamin3570d732015-06-29 00:28:17 -0400663 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -0800664 *out_alert = SSL_AD_DECODE_ERROR;
665 return 0;
666 }
667
668 /* Check key type is consistent with signature */
669 if (sigalg != signature) {
David Benjamin3570d732015-06-29 00:28:17 -0400670 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800671 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
672 return 0;
673 }
674
675 if (pkey->type == EVP_PKEY_EC) {
676 uint16_t curve_id;
677 uint8_t comp_id;
678 /* Check compression and curve matches extensions */
679 if (!tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec)) {
680 *out_alert = SSL_AD_INTERNAL_ERROR;
681 return 0;
682 }
683
684 if (s->server && (!tls1_check_curve_id(s, curve_id) ||
David Benjaminfc059942015-07-30 23:01:59 -0400685 comp_id != TLSEXT_ECPOINTFORMAT_uncompressed)) {
David Benjamin3570d732015-06-29 00:28:17 -0400686 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800687 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
688 return 0;
689 }
690 }
691
692 /* Check signature matches a type we sent */
693 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
694 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
695 if (hash == sent_sigs[0] && signature == sent_sigs[1]) {
696 break;
697 }
698 }
699
David Benjamin788be4a2015-10-30 17:50:57 -0400700 if (i == sent_sigslen) {
David Benjamin3570d732015-06-29 00:28:17 -0400701 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800702 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
703 return 0;
704 }
705
706 *out_md = tls12_get_hash(hash);
707 if (*out_md == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400708 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_DIGEST);
Adam Langleyfcf25832014-12-18 17:42:32 -0800709 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
710 return 0;
711 }
712
713 return 1;
714}
715
716/* Get a mask of disabled algorithms: an algorithm is disabled if it isn't
717 * supported or doesn't appear in supported signature algorithms. Unlike
718 * ssl_cipher_get_disabled this applies to a specific session and not global
719 * settings. */
720void ssl_set_client_disabled(SSL *s) {
721 CERT *c = s->cert;
722 const uint8_t *sigalgs;
723 size_t i, sigalgslen;
724 int have_rsa = 0, have_ecdsa = 0;
725 c->mask_a = 0;
726 c->mask_k = 0;
727
Adam Langleyfcf25832014-12-18 17:42:32 -0800728 /* Now go through all signature algorithms seeing if we support any for RSA,
729 * DSA, ECDSA. Do this for all versions not just TLS 1.2. */
730 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
731 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
732 switch (sigalgs[1]) {
733 case TLSEXT_signature_rsa:
734 have_rsa = 1;
735 break;
736
737 case TLSEXT_signature_ecdsa:
738 have_ecdsa = 1;
739 break;
740 }
741 }
742
743 /* Disable auth if we don't include any appropriate signature algorithms. */
744 if (!have_rsa) {
745 c->mask_a |= SSL_aRSA;
746 }
747 if (!have_ecdsa) {
748 c->mask_a |= SSL_aECDSA;
749 }
750
751 /* with PSK there must be client callback set */
752 if (!s->psk_client_callback) {
753 c->mask_a |= SSL_aPSK;
754 c->mask_k |= SSL_kPSK;
755 }
756}
Adam Langley95c29f32014-06-20 12:00:00 -0700757
Adam Langley614c66a2015-06-12 15:26:58 -0700758/* tls_extension represents a TLS extension that is handled internally. The
759 * |init| function is called for each handshake, before any other functions of
760 * the extension. Then the add and parse callbacks are called as needed.
761 *
762 * The parse callbacks receive a |CBS| that contains the contents of the
763 * extension (i.e. not including the type and length bytes). If an extension is
764 * not received then the parse callbacks will be called with a NULL CBS so that
765 * they can do any processing needed to handle the absence of an extension.
766 *
767 * The add callbacks receive a |CBB| to which the extension can be appended but
768 * the function is responsible for appending the type and length bytes too.
769 *
770 * All callbacks return one for success and zero for error. If a parse function
771 * returns zero then a fatal alert with value |*out_alert| will be sent. If
772 * |*out_alert| isn't set, then a |decode_error| alert will be sent. */
773struct tls_extension {
774 uint16_t value;
775 void (*init)(SSL *ssl);
776
777 int (*add_clienthello)(SSL *ssl, CBB *out);
778 int (*parse_serverhello)(SSL *ssl, uint8_t *out_alert, CBS *contents);
779
780 int (*parse_clienthello)(SSL *ssl, uint8_t *out_alert, CBS *contents);
781 int (*add_serverhello)(SSL *ssl, CBB *out);
782};
783
784
785/* Server name indication (SNI).
786 *
787 * https://tools.ietf.org/html/rfc6066#section-3. */
788
789static void ext_sni_init(SSL *ssl) {
790 ssl->s3->tmp.should_ack_sni = 0;
791}
792
793static int ext_sni_add_clienthello(SSL *ssl, CBB *out) {
794 if (ssl->tlsext_hostname == NULL) {
795 return 1;
796 }
797
798 CBB contents, server_name_list, name;
799 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
800 !CBB_add_u16_length_prefixed(out, &contents) ||
801 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
802 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
803 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
804 !CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname,
805 strlen(ssl->tlsext_hostname)) ||
806 !CBB_flush(out)) {
807 return 0;
808 }
809
810 return 1;
811}
812
813static int ext_sni_parse_serverhello(SSL *ssl, uint8_t *out_alert, CBS *contents) {
814 if (contents == NULL) {
815 return 1;
816 }
817
818 if (CBS_len(contents) != 0) {
819 return 0;
820 }
821
822 assert(ssl->tlsext_hostname != NULL);
823
824 if (!ssl->hit) {
825 assert(ssl->session->tlsext_hostname == NULL);
826 ssl->session->tlsext_hostname = BUF_strdup(ssl->tlsext_hostname);
827 if (!ssl->session->tlsext_hostname) {
828 *out_alert = SSL_AD_INTERNAL_ERROR;
829 return 0;
830 }
831 }
832
833 return 1;
834}
835
836static int ext_sni_parse_clienthello(SSL *ssl, uint8_t *out_alert, CBS *contents) {
837 if (contents == NULL) {
838 return 1;
839 }
840
841 /* The servername extension is treated as follows:
842 *
843 * - Only the hostname type is supported with a maximum length of 255.
844 * - The servername is rejected if too long or if it contains zeros, in
845 * which case an fatal alert is generated.
846 * - The servername field is maintained together with the session cache.
847 * - When a session is resumed, the servername callback is invoked in order
848 * to allow the application to position itself to the right context.
849 * - The servername is acknowledged if it is new for a session or when
850 * it is identical to a previously used for the same session.
851 * Applications can control the behaviour. They can at any time
852 * set a 'desirable' servername for a new SSL object. This can be the
853 * case for example with HTTPS when a Host: header field is received and
854 * a renegotiation is requested. In this case, a possible servername
855 * presented in the new client hello is only acknowledged if it matches
856 * the value of the Host: field.
857 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
858 * if they provide for changing an explicit servername context for the
859 * session,
860 * i.e. when the session has been established with a servername extension.
861 */
862
863 CBS server_name_list;
864 char have_seen_host_name = 0;
865
866 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
867 CBS_len(&server_name_list) == 0 ||
868 CBS_len(contents) != 0) {
869 return 0;
870 }
871
872 /* Decode each ServerName in the extension. */
873 while (CBS_len(&server_name_list) > 0) {
874 uint8_t name_type;
875 CBS host_name;
876
877 if (!CBS_get_u8(&server_name_list, &name_type) ||
878 !CBS_get_u16_length_prefixed(&server_name_list, &host_name)) {
879 return 0;
880 }
881
882 /* Only host_name is supported. */
883 if (name_type != TLSEXT_NAMETYPE_host_name) {
884 continue;
885 }
886
887 if (have_seen_host_name) {
888 /* The ServerNameList MUST NOT contain more than one name of the same
889 * name_type. */
890 return 0;
891 }
892
893 have_seen_host_name = 1;
894
895 if (CBS_len(&host_name) == 0 ||
896 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
897 CBS_contains_zero_byte(&host_name)) {
898 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
899 return 0;
900 }
901
902 if (!ssl->hit) {
903 assert(ssl->session->tlsext_hostname == NULL);
904 if (ssl->session->tlsext_hostname) {
905 /* This should be impossible. */
906 return 0;
907 }
908
909 /* Copy the hostname as a string. */
910 if (!CBS_strdup(&host_name, &ssl->session->tlsext_hostname)) {
911 *out_alert = SSL_AD_INTERNAL_ERROR;
912 return 0;
913 }
914
915 ssl->s3->tmp.should_ack_sni = 1;
916 }
917 }
918
919 return 1;
920}
921
922static int ext_sni_add_serverhello(SSL *ssl, CBB *out) {
923 if (ssl->hit ||
924 !ssl->s3->tmp.should_ack_sni ||
925 ssl->session->tlsext_hostname == NULL) {
926 return 1;
927 }
928
929 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
930 !CBB_add_u16(out, 0 /* length */)) {
931 return 0;
932 }
933
934 return 1;
935}
936
937
Adam Langley5021b222015-06-12 18:27:58 -0700938/* Renegotiation indication.
939 *
940 * https://tools.ietf.org/html/rfc5746 */
941
942static int ext_ri_add_clienthello(SSL *ssl, CBB *out) {
943 CBB contents, prev_finished;
944 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
945 !CBB_add_u16_length_prefixed(out, &contents) ||
946 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
947 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
948 ssl->s3->previous_client_finished_len) ||
949 !CBB_flush(out)) {
950 return 0;
951 }
952
953 return 1;
954}
955
956static int ext_ri_parse_serverhello(SSL *ssl, uint8_t *out_alert,
957 CBS *contents) {
958 if (contents == NULL) {
959 /* No renegotiation extension received.
960 *
961 * Strictly speaking if we want to avoid an attack we should *always* see
962 * RI even on initial ServerHello because the client doesn't see any
963 * renegotiation during an attack. However this would mean we could not
964 * connect to any server which doesn't support RI.
965 *
966 * A lack of the extension is allowed if SSL_OP_LEGACY_SERVER_CONNECT is
967 * defined. */
968 if (ssl->options & SSL_OP_LEGACY_SERVER_CONNECT) {
969 return 1;
970 }
971
972 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin3570d732015-06-29 00:28:17 -0400973 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
Adam Langley5021b222015-06-12 18:27:58 -0700974 return 0;
975 }
976
977 const size_t expected_len = ssl->s3->previous_client_finished_len +
978 ssl->s3->previous_server_finished_len;
979
980 /* Check for logic errors */
981 assert(!expected_len || ssl->s3->previous_client_finished_len);
982 assert(!expected_len || ssl->s3->previous_server_finished_len);
983
984 /* Parse out the extension contents. */
985 CBS renegotiated_connection;
986 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
987 CBS_len(contents) != 0) {
David Benjamin3570d732015-06-29 00:28:17 -0400988 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
Adam Langley5021b222015-06-12 18:27:58 -0700989 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
990 return 0;
991 }
992
993 /* Check that the extension matches. */
994 if (CBS_len(&renegotiated_connection) != expected_len) {
David Benjamin3570d732015-06-29 00:28:17 -0400995 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
Adam Langley5021b222015-06-12 18:27:58 -0700996 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
997 return 0;
998 }
999
1000 const uint8_t *d = CBS_data(&renegotiated_connection);
1001 if (CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
1002 ssl->s3->previous_client_finished_len)) {
David Benjamin3570d732015-06-29 00:28:17 -04001003 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
Adam Langley5021b222015-06-12 18:27:58 -07001004 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
1005 return 0;
1006 }
1007 d += ssl->s3->previous_client_finished_len;
1008
1009 if (CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
1010 ssl->s3->previous_server_finished_len)) {
David Benjamin3570d732015-06-29 00:28:17 -04001011 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
Adam Langley5021b222015-06-12 18:27:58 -07001012 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1013 return 0;
1014 }
1015 ssl->s3->send_connection_binding = 1;
1016
1017 return 1;
1018}
1019
1020static int ext_ri_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1021 CBS *contents) {
1022 /* Renegotiation isn't supported as a server so this function should never be
1023 * called after the initial handshake. */
1024 assert(!ssl->s3->initial_handshake_complete);
1025
1026 CBS fake_contents;
1027 static const uint8_t kFakeExtension[] = {0};
1028
1029 if (contents == NULL) {
1030 if (ssl->s3->send_connection_binding) {
1031 /* The renegotiation SCSV was received so pretend that we received a
1032 * renegotiation extension. */
1033 CBS_init(&fake_contents, kFakeExtension, sizeof(kFakeExtension));
1034 contents = &fake_contents;
1035 /* We require that the renegotiation extension is at index zero of
1036 * kExtensions. */
1037 ssl->s3->tmp.extensions.received |= (1u << 0);
1038 } else {
1039 return 1;
1040 }
1041 }
1042
1043 CBS renegotiated_connection;
1044
1045 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
1046 CBS_len(contents) != 0) {
David Benjamin3570d732015-06-29 00:28:17 -04001047 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
Adam Langley5021b222015-06-12 18:27:58 -07001048 return 0;
1049 }
1050
1051 /* Check that the extension matches */
1052 if (!CBS_mem_equal(&renegotiated_connection, ssl->s3->previous_client_finished,
1053 ssl->s3->previous_client_finished_len)) {
David Benjamin3570d732015-06-29 00:28:17 -04001054 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
Adam Langley5021b222015-06-12 18:27:58 -07001055 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
1056 return 0;
1057 }
1058
1059 ssl->s3->send_connection_binding = 1;
1060
1061 return 1;
1062}
1063
1064static int ext_ri_add_serverhello(SSL *ssl, CBB *out) {
1065 CBB contents, prev_finished;
1066 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
1067 !CBB_add_u16_length_prefixed(out, &contents) ||
1068 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
1069 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
1070 ssl->s3->previous_client_finished_len) ||
1071 !CBB_add_bytes(&prev_finished, ssl->s3->previous_server_finished,
1072 ssl->s3->previous_server_finished_len) ||
1073 !CBB_flush(out)) {
1074 return 0;
1075 }
1076
1077 return 1;
1078}
1079
Adam Langley0a056712015-07-01 15:03:33 -07001080
1081/* Extended Master Secret.
1082 *
1083 * https://tools.ietf.org/html/draft-ietf-tls-session-hash-05 */
1084
1085static void ext_ems_init(SSL *ssl) {
1086 ssl->s3->tmp.extended_master_secret = 0;
1087}
1088
1089static int ext_ems_add_clienthello(SSL *ssl, CBB *out) {
1090 if (ssl->version == SSL3_VERSION) {
1091 return 1;
1092 }
1093
1094 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
1095 !CBB_add_u16(out, 0 /* length */)) {
1096 return 0;
1097 }
1098
1099 return 1;
1100}
1101
1102static int ext_ems_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1103 CBS *contents) {
1104 if (contents == NULL) {
1105 return 1;
1106 }
1107
1108 if (ssl->version == SSL3_VERSION || CBS_len(contents) != 0) {
1109 return 0;
1110 }
1111
1112 ssl->s3->tmp.extended_master_secret = 1;
1113 return 1;
1114}
1115
1116static int ext_ems_parse_clienthello(SSL *ssl, uint8_t *out_alert, CBS *contents) {
1117 if (ssl->version == SSL3_VERSION || contents == NULL) {
1118 return 1;
1119 }
1120
1121 if (CBS_len(contents) != 0) {
1122 return 0;
1123 }
1124
1125 ssl->s3->tmp.extended_master_secret = 1;
1126 return 1;
1127}
1128
1129static int ext_ems_add_serverhello(SSL *ssl, CBB *out) {
1130 if (!ssl->s3->tmp.extended_master_secret) {
1131 return 1;
1132 }
1133
1134 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
1135 !CBB_add_u16(out, 0 /* length */)) {
1136 return 0;
1137 }
1138
1139 return 1;
1140}
1141
Adam Langley9b05bc52015-07-01 15:25:33 -07001142
1143/* Session tickets.
1144 *
1145 * https://tools.ietf.org/html/rfc5077 */
1146
1147static int ext_ticket_add_clienthello(SSL *ssl, CBB *out) {
1148 if (SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
1149 return 1;
1150 }
1151
1152 const uint8_t *ticket_data = NULL;
1153 int ticket_len = 0;
1154
1155 /* Renegotiation does not participate in session resumption. However, still
1156 * advertise the extension to avoid potentially breaking servers which carry
1157 * over the state from the previous handshake, such as OpenSSL servers
1158 * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
1159 if (!ssl->s3->initial_handshake_complete &&
1160 ssl->session != NULL &&
1161 ssl->session->tlsext_tick != NULL) {
1162 ticket_data = ssl->session->tlsext_tick;
1163 ticket_len = ssl->session->tlsext_ticklen;
1164 }
1165
1166 CBB ticket;
1167 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
1168 !CBB_add_u16_length_prefixed(out, &ticket) ||
1169 !CBB_add_bytes(&ticket, ticket_data, ticket_len) ||
1170 !CBB_flush(out)) {
1171 return 0;
1172 }
1173
1174 return 1;
1175}
1176
1177static int ext_ticket_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1178 CBS *contents) {
1179 ssl->tlsext_ticket_expected = 0;
1180
1181 if (contents == NULL) {
1182 return 1;
1183 }
1184
1185 /* If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
1186 * this function should never be called, even if the server tries to send the
1187 * extension. */
1188 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
1189
1190 if (CBS_len(contents) != 0) {
1191 return 0;
1192 }
1193
1194 ssl->tlsext_ticket_expected = 1;
1195 return 1;
1196}
1197
1198static int ext_ticket_parse_clienthello(SSL *ssl, uint8_t *out_alert, CBS *contents) {
1199 /* This function isn't used because the ticket extension from the client is
David Benjaminc7ce9772015-10-09 19:32:41 -04001200 * handled in ssl_session.c. */
Adam Langley9b05bc52015-07-01 15:25:33 -07001201 return 1;
1202}
1203
1204static int ext_ticket_add_serverhello(SSL *ssl, CBB *out) {
1205 if (!ssl->tlsext_ticket_expected) {
1206 return 1;
1207 }
1208
1209 /* If |SSL_OP_NO_TICKET| is set, |tlsext_ticket_expected| should never be
1210 * true. */
1211 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
1212
1213 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
1214 !CBB_add_u16(out, 0 /* length */)) {
1215 return 0;
1216 }
1217
1218 return 1;
1219}
1220
1221
Adam Langley2e857bd2015-07-01 16:09:19 -07001222/* Signature Algorithms.
1223 *
1224 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
1225
1226static int ext_sigalgs_add_clienthello(SSL *ssl, CBB *out) {
1227 if (ssl3_version_from_wire(ssl, ssl->client_version) < TLS1_2_VERSION) {
1228 return 1;
1229 }
1230
1231 const uint8_t *sigalgs_data;
1232 const size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs_data);
1233
1234 CBB contents, sigalgs;
1235 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
1236 !CBB_add_u16_length_prefixed(out, &contents) ||
1237 !CBB_add_u16_length_prefixed(&contents, &sigalgs) ||
1238 !CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len) ||
1239 !CBB_flush(out)) {
1240 return 0;
1241 }
1242
1243 return 1;
1244}
1245
1246static int ext_sigalgs_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1247 CBS *contents) {
1248 if (contents != NULL) {
1249 /* Servers MUST NOT send this extension. */
1250 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
David Benjamin3570d732015-06-29 00:28:17 -04001251 OPENSSL_PUT_ERROR(SSL, SSL_R_SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER);
Adam Langley2e857bd2015-07-01 16:09:19 -07001252 return 0;
1253 }
1254
1255 return 1;
1256}
1257
1258static int ext_sigalgs_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1259 CBS *contents) {
1260 OPENSSL_free(ssl->cert->peer_sigalgs);
1261 ssl->cert->peer_sigalgs = NULL;
1262 ssl->cert->peer_sigalgslen = 0;
1263
Adam Langley2e857bd2015-07-01 16:09:19 -07001264 if (contents == NULL) {
1265 return 1;
1266 }
1267
1268 CBS supported_signature_algorithms;
1269 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
Steven Valdez0d62f262015-09-04 12:41:04 -04001270 CBS_len(contents) != 0 ||
1271 CBS_len(&supported_signature_algorithms) == 0 ||
1272 !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
Adam Langley2e857bd2015-07-01 16:09:19 -07001273 return 0;
1274 }
1275
1276 return 1;
1277}
1278
1279static int ext_sigalgs_add_serverhello(SSL *ssl, CBB *out) {
1280 /* Servers MUST NOT send this extension. */
1281 return 1;
1282}
1283
1284
Adam Langleybb0bd042015-07-01 16:21:03 -07001285/* OCSP Stapling.
1286 *
1287 * https://tools.ietf.org/html/rfc6066#section-8 */
1288
1289static void ext_ocsp_init(SSL *ssl) {
1290 ssl->s3->tmp.certificate_status_expected = 0;
1291}
1292
1293static int ext_ocsp_add_clienthello(SSL *ssl, CBB *out) {
1294 if (!ssl->ocsp_stapling_enabled) {
1295 return 1;
1296 }
1297
1298 CBB contents;
1299 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1300 !CBB_add_u16_length_prefixed(out, &contents) ||
1301 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1302 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1303 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1304 !CBB_flush(out)) {
1305 return 0;
1306 }
1307
1308 return 1;
1309}
1310
1311static int ext_ocsp_parse_serverhello(SSL *ssl, uint8_t *out_alert,
Paul Lietaraeeff2c2015-08-12 11:47:11 +01001312 CBS *contents) {
Adam Langleybb0bd042015-07-01 16:21:03 -07001313 if (contents == NULL) {
1314 return 1;
1315 }
1316
1317 if (CBS_len(contents) != 0) {
1318 return 0;
1319 }
1320
1321 ssl->s3->tmp.certificate_status_expected = 1;
1322 return 1;
1323}
1324
1325static int ext_ocsp_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1326 CBS *contents) {
Paul Lietaraeeff2c2015-08-12 11:47:11 +01001327 if (contents == NULL) {
1328 return 1;
1329 }
1330
1331 uint8_t status_type;
1332 if (!CBS_get_u8(contents, &status_type)) {
1333 return 0;
1334 }
1335
1336 /* We cannot decide whether OCSP stapling will occur yet because the correct
1337 * SSL_CTX might not have been selected. */
1338 ssl->s3->tmp.ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1339
Adam Langleybb0bd042015-07-01 16:21:03 -07001340 return 1;
1341}
1342
1343static int ext_ocsp_add_serverhello(SSL *ssl, CBB *out) {
Paul Lietar62be8ac2015-09-16 10:03:30 +01001344 /* The extension shouldn't be sent when resuming sessions. */
1345 if (ssl->hit ||
1346 !ssl->s3->tmp.ocsp_stapling_requested ||
Paul Lietaraeeff2c2015-08-12 11:47:11 +01001347 ssl->ctx->ocsp_response_length == 0) {
1348 return 1;
1349 }
1350
1351 ssl->s3->tmp.certificate_status_expected = 1;
1352
1353 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1354 CBB_add_u16(out, 0 /* length */);
Adam Langleybb0bd042015-07-01 16:21:03 -07001355}
1356
1357
Adam Langley97dfcbf2015-07-01 18:35:20 -07001358/* Next protocol negotiation.
1359 *
1360 * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */
1361
1362static void ext_npn_init(SSL *ssl) {
1363 ssl->s3->next_proto_neg_seen = 0;
1364}
1365
1366static int ext_npn_add_clienthello(SSL *ssl, CBB *out) {
1367 if (ssl->s3->initial_handshake_complete ||
1368 ssl->ctx->next_proto_select_cb == NULL ||
David Benjamin091c4b92015-10-26 13:33:21 -04001369 (ssl->options & SSL_OP_DISABLE_NPN) ||
Adam Langley97dfcbf2015-07-01 18:35:20 -07001370 SSL_IS_DTLS(ssl)) {
1371 return 1;
1372 }
1373
1374 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1375 !CBB_add_u16(out, 0 /* length */)) {
1376 return 0;
1377 }
1378
1379 return 1;
1380}
1381
1382static int ext_npn_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1383 CBS *contents) {
1384 if (contents == NULL) {
1385 return 1;
1386 }
1387
1388 /* If any of these are false then we should never have sent the NPN
1389 * extension in the ClientHello and thus this function should never have been
1390 * called. */
1391 assert(!ssl->s3->initial_handshake_complete);
1392 assert(!SSL_IS_DTLS(ssl));
1393 assert(ssl->ctx->next_proto_select_cb != NULL);
David Benjamin091c4b92015-10-26 13:33:21 -04001394 assert(!(ssl->options & SSL_OP_DISABLE_NPN));
Adam Langley97dfcbf2015-07-01 18:35:20 -07001395
David Benjamin76c2efc2015-08-31 14:24:29 -04001396 if (ssl->s3->alpn_selected != NULL) {
1397 /* NPN and ALPN may not be negotiated in the same connection. */
1398 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1399 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1400 return 0;
1401 }
1402
Adam Langley97dfcbf2015-07-01 18:35:20 -07001403 const uint8_t *const orig_contents = CBS_data(contents);
1404 const size_t orig_len = CBS_len(contents);
1405
1406 while (CBS_len(contents) != 0) {
1407 CBS proto;
1408 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1409 CBS_len(&proto) == 0) {
1410 return 0;
1411 }
1412 }
1413
1414 uint8_t *selected;
1415 uint8_t selected_len;
1416 if (ssl->ctx->next_proto_select_cb(
1417 ssl, &selected, &selected_len, orig_contents, orig_len,
1418 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1419 *out_alert = SSL_AD_INTERNAL_ERROR;
1420 return 0;
1421 }
1422
1423 OPENSSL_free(ssl->next_proto_negotiated);
1424 ssl->next_proto_negotiated = BUF_memdup(selected, selected_len);
1425 if (ssl->next_proto_negotiated == NULL) {
1426 *out_alert = SSL_AD_INTERNAL_ERROR;
1427 return 0;
1428 }
1429
1430 ssl->next_proto_negotiated_len = selected_len;
1431 ssl->s3->next_proto_neg_seen = 1;
1432
1433 return 1;
1434}
1435
1436static int ext_npn_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1437 CBS *contents) {
1438 if (contents != NULL && CBS_len(contents) != 0) {
1439 return 0;
1440 }
1441
1442 if (contents == NULL ||
1443 ssl->s3->initial_handshake_complete ||
1444 /* If the ALPN extension is seen before NPN, ignore it. (If ALPN is seen
1445 * afterwards, parsing the ALPN extension will clear
1446 * |next_proto_neg_seen|. */
1447 ssl->s3->alpn_selected != NULL ||
1448 ssl->ctx->next_protos_advertised_cb == NULL ||
1449 SSL_IS_DTLS(ssl)) {
1450 return 1;
1451 }
1452
1453 ssl->s3->next_proto_neg_seen = 1;
1454 return 1;
1455}
1456
1457static int ext_npn_add_serverhello(SSL *ssl, CBB *out) {
1458 /* |next_proto_neg_seen| might have been cleared when an ALPN extension was
1459 * parsed. */
1460 if (!ssl->s3->next_proto_neg_seen) {
1461 return 1;
1462 }
1463
1464 const uint8_t *npa;
1465 unsigned npa_len;
1466
1467 if (ssl->ctx->next_protos_advertised_cb(
1468 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1469 SSL_TLSEXT_ERR_OK) {
1470 ssl->s3->next_proto_neg_seen = 0;
1471 return 1;
1472 }
1473
1474 CBB contents;
1475 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1476 !CBB_add_u16_length_prefixed(out, &contents) ||
1477 !CBB_add_bytes(&contents, npa, npa_len) ||
1478 !CBB_flush(out)) {
1479 return 0;
1480 }
1481
1482 return 1;
1483}
1484
1485
Adam Langleyab8d87d2015-07-10 12:21:39 -07001486/* Signed certificate timestamps.
1487 *
1488 * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
1489
1490static int ext_sct_add_clienthello(SSL *ssl, CBB *out) {
1491 if (!ssl->signed_cert_timestamps_enabled) {
1492 return 1;
1493 }
1494
1495 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1496 !CBB_add_u16(out, 0 /* length */)) {
1497 return 0;
1498 }
1499
1500 return 1;
1501}
1502
1503static int ext_sct_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1504 CBS *contents) {
1505 if (contents == NULL) {
1506 return 1;
1507 }
1508
1509 /* If this is false then we should never have sent the SCT extension in the
1510 * ClientHello and thus this function should never have been called. */
1511 assert(ssl->signed_cert_timestamps_enabled);
1512
1513 if (CBS_len(contents) == 0) {
1514 *out_alert = SSL_AD_DECODE_ERROR;
1515 return 0;
1516 }
1517
1518 /* Session resumption uses the original session information. */
1519 if (!ssl->hit &&
1520 !CBS_stow(contents, &ssl->session->tlsext_signed_cert_timestamp_list,
1521 &ssl->session->tlsext_signed_cert_timestamp_list_length)) {
1522 *out_alert = SSL_AD_INTERNAL_ERROR;
1523 return 0;
1524 }
1525
1526 return 1;
1527}
1528
1529static int ext_sct_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1530 CBS *contents) {
Paul Lietar4fac72e2015-09-09 13:44:55 +01001531 return contents == NULL || CBS_len(contents) == 0;
Adam Langleyab8d87d2015-07-10 12:21:39 -07001532}
1533
1534static int ext_sct_add_serverhello(SSL *ssl, CBB *out) {
Paul Lietar62be8ac2015-09-16 10:03:30 +01001535 /* The extension shouldn't be sent when resuming sessions. */
1536 if (ssl->hit ||
1537 ssl->ctx->signed_cert_timestamp_list_length == 0) {
Paul Lietar4fac72e2015-09-09 13:44:55 +01001538 return 1;
1539 }
1540
1541 CBB contents;
1542 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1543 CBB_add_u16_length_prefixed(out, &contents) &&
1544 CBB_add_bytes(&contents, ssl->ctx->signed_cert_timestamp_list,
1545 ssl->ctx->signed_cert_timestamp_list_length) &&
1546 CBB_flush(out);
Adam Langleyab8d87d2015-07-10 12:21:39 -07001547}
1548
1549
Adam Langleyf18e4532015-07-10 13:39:53 -07001550/* Application-level Protocol Negotiation.
1551 *
1552 * https://tools.ietf.org/html/rfc7301 */
1553
1554static void ext_alpn_init(SSL *ssl) {
1555 OPENSSL_free(ssl->s3->alpn_selected);
1556 ssl->s3->alpn_selected = NULL;
1557}
1558
1559static int ext_alpn_add_clienthello(SSL *ssl, CBB *out) {
1560 if (ssl->alpn_client_proto_list == NULL ||
1561 ssl->s3->initial_handshake_complete) {
1562 return 1;
1563 }
1564
1565 CBB contents, proto_list;
1566 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1567 !CBB_add_u16_length_prefixed(out, &contents) ||
1568 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1569 !CBB_add_bytes(&proto_list, ssl->alpn_client_proto_list,
1570 ssl->alpn_client_proto_list_len) ||
1571 !CBB_flush(out)) {
1572 return 0;
1573 }
1574
1575 return 1;
1576}
1577
1578static int ext_alpn_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1579 CBS *contents) {
1580 if (contents == NULL) {
1581 return 1;
1582 }
1583
1584 assert(!ssl->s3->initial_handshake_complete);
1585 assert(ssl->alpn_client_proto_list != NULL);
1586
David Benjamin76c2efc2015-08-31 14:24:29 -04001587 if (ssl->s3->next_proto_neg_seen) {
1588 /* NPN and ALPN may not be negotiated in the same connection. */
1589 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1590 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1591 return 0;
1592 }
1593
Adam Langleyf18e4532015-07-10 13:39:53 -07001594 /* The extension data consists of a ProtocolNameList which must have
1595 * exactly one ProtocolName. Each of these is length-prefixed. */
1596 CBS protocol_name_list, protocol_name;
1597 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1598 CBS_len(contents) != 0 ||
1599 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1600 /* Empty protocol names are forbidden. */
1601 CBS_len(&protocol_name) == 0 ||
1602 CBS_len(&protocol_name_list) != 0) {
1603 return 0;
1604 }
1605
1606 if (!CBS_stow(&protocol_name, &ssl->s3->alpn_selected,
1607 &ssl->s3->alpn_selected_len)) {
1608 *out_alert = SSL_AD_INTERNAL_ERROR;
1609 return 0;
1610 }
1611
1612 return 1;
1613}
1614
1615static int ext_alpn_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1616 CBS *contents) {
1617 if (contents == NULL) {
1618 return 1;
1619 }
1620
1621 if (ssl->ctx->alpn_select_cb == NULL ||
1622 ssl->s3->initial_handshake_complete) {
1623 return 1;
1624 }
1625
1626 /* ALPN takes precedence over NPN. */
1627 ssl->s3->next_proto_neg_seen = 0;
1628
1629 CBS protocol_name_list;
1630 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1631 CBS_len(contents) != 0 ||
1632 CBS_len(&protocol_name_list) < 2) {
1633 return 0;
1634 }
1635
1636 /* Validate the protocol list. */
1637 CBS protocol_name_list_copy = protocol_name_list;
1638 while (CBS_len(&protocol_name_list_copy) > 0) {
1639 CBS protocol_name;
1640
1641 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1642 /* Empty protocol names are forbidden. */
1643 CBS_len(&protocol_name) == 0) {
1644 return 0;
1645 }
1646 }
1647
1648 const uint8_t *selected;
1649 uint8_t selected_len;
1650 if (ssl->ctx->alpn_select_cb(
1651 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1652 CBS_len(&protocol_name_list),
1653 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1654 OPENSSL_free(ssl->s3->alpn_selected);
1655 ssl->s3->alpn_selected = BUF_memdup(selected, selected_len);
1656 if (ssl->s3->alpn_selected == NULL) {
1657 *out_alert = SSL_AD_INTERNAL_ERROR;
1658 return 0;
1659 }
1660 ssl->s3->alpn_selected_len = selected_len;
1661 }
1662
1663 return 1;
1664}
1665
1666static int ext_alpn_add_serverhello(SSL *ssl, CBB *out) {
1667 if (ssl->s3->alpn_selected == NULL) {
1668 return 1;
1669 }
1670
1671 CBB contents, proto_list, proto;
1672 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1673 !CBB_add_u16_length_prefixed(out, &contents) ||
1674 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1675 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1676 !CBB_add_bytes(&proto, ssl->s3->alpn_selected, ssl->s3->alpn_selected_len) ||
1677 !CBB_flush(out)) {
1678 return 0;
1679 }
1680
1681 return 1;
1682}
1683
1684
Adam Langley49c7af12015-07-10 14:33:46 -07001685/* Channel ID.
1686 *
1687 * https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */
1688
1689static void ext_channel_id_init(SSL *ssl) {
1690 ssl->s3->tlsext_channel_id_valid = 0;
1691}
1692
1693static int ext_channel_id_add_clienthello(SSL *ssl, CBB *out) {
1694 if (!ssl->tlsext_channel_id_enabled ||
1695 SSL_IS_DTLS(ssl)) {
1696 return 1;
1697 }
1698
1699 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1700 !CBB_add_u16(out, 0 /* length */)) {
1701 return 0;
1702 }
1703
1704 return 1;
1705}
1706
1707static int ext_channel_id_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1708 CBS *contents) {
1709 if (contents == NULL) {
1710 return 1;
1711 }
1712
1713 assert(!SSL_IS_DTLS(ssl));
1714 assert(ssl->tlsext_channel_id_enabled);
1715
1716 if (CBS_len(contents) != 0) {
1717 return 0;
1718 }
1719
1720 ssl->s3->tlsext_channel_id_valid = 1;
1721 return 1;
1722}
1723
1724static int ext_channel_id_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1725 CBS *contents) {
1726 if (contents == NULL ||
1727 !ssl->tlsext_channel_id_enabled ||
1728 SSL_IS_DTLS(ssl)) {
1729 return 1;
1730 }
1731
1732 if (CBS_len(contents) != 0) {
1733 return 0;
1734 }
1735
1736 ssl->s3->tlsext_channel_id_valid = 1;
1737 return 1;
1738}
1739
1740static int ext_channel_id_add_serverhello(SSL *ssl, CBB *out) {
1741 if (!ssl->s3->tlsext_channel_id_valid) {
1742 return 1;
1743 }
1744
1745 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1746 !CBB_add_u16(out, 0 /* length */)) {
1747 return 0;
1748 }
1749
1750 return 1;
1751}
1752
Adam Langley391250d2015-07-15 19:06:07 -07001753
1754/* Secure Real-time Transport Protocol (SRTP) extension.
1755 *
1756 * https://tools.ietf.org/html/rfc5764 */
1757
Adam Langley391250d2015-07-15 19:06:07 -07001758
1759static void ext_srtp_init(SSL *ssl) {
1760 ssl->srtp_profile = NULL;
1761}
1762
1763static int ext_srtp_add_clienthello(SSL *ssl, CBB *out) {
1764 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1765 if (profiles == NULL) {
1766 return 1;
1767 }
1768 const size_t num_profiles = sk_SRTP_PROTECTION_PROFILE_num(profiles);
1769 if (num_profiles == 0) {
1770 return 1;
1771 }
1772
1773 CBB contents, profile_ids;
1774 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1775 !CBB_add_u16_length_prefixed(out, &contents) ||
1776 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1777 return 0;
1778 }
1779
1780 size_t i;
1781 for (i = 0; i < num_profiles; i++) {
1782 if (!CBB_add_u16(&profile_ids,
1783 sk_SRTP_PROTECTION_PROFILE_value(profiles, i)->id)) {
1784 return 0;
1785 }
1786 }
1787
1788 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1789 !CBB_flush(out)) {
1790 return 0;
1791 }
1792
1793 return 1;
1794}
1795
1796static int ext_srtp_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1797 CBS *contents) {
1798 if (contents == NULL) {
1799 return 1;
1800 }
1801
1802 /* The extension consists of a u16-prefixed profile ID list containing a
1803 * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1804 *
1805 * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */
1806 CBS profile_ids, srtp_mki;
1807 uint16_t profile_id;
1808 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1809 !CBS_get_u16(&profile_ids, &profile_id) ||
1810 CBS_len(&profile_ids) != 0 ||
1811 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1812 CBS_len(contents) != 0) {
1813 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1814 return 0;
1815 }
1816
1817 if (CBS_len(&srtp_mki) != 0) {
1818 /* Must be no MKI, since we never offer one. */
1819 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1820 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1821 return 0;
1822 }
1823
1824 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1825
1826 /* Check to see if the server gave us something we support (and presumably
1827 * offered). */
1828 size_t i;
1829 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(profiles); i++) {
1830 const SRTP_PROTECTION_PROFILE *profile =
1831 sk_SRTP_PROTECTION_PROFILE_value(profiles, i);
1832
1833 if (profile->id == profile_id) {
1834 ssl->srtp_profile = profile;
1835 return 1;
1836 }
1837 }
1838
1839 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1840 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1841 return 0;
1842}
1843
1844static int ext_srtp_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1845 CBS *contents) {
1846 if (contents == NULL) {
1847 return 1;
1848 }
1849
1850 CBS profile_ids, srtp_mki;
1851 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1852 CBS_len(&profile_ids) < 2 ||
1853 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1854 CBS_len(contents) != 0) {
1855 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1856 return 0;
1857 }
1858 /* Discard the MKI value for now. */
1859
1860 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1861 SSL_get_srtp_profiles(ssl);
1862
1863 /* Pick the server's most preferred profile. */
1864 size_t i;
1865 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(server_profiles); i++) {
1866 const SRTP_PROTECTION_PROFILE *server_profile =
1867 sk_SRTP_PROTECTION_PROFILE_value(server_profiles, i);
1868
1869 CBS profile_ids_tmp;
1870 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1871
1872 while (CBS_len(&profile_ids_tmp) > 0) {
1873 uint16_t profile_id;
1874 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1875 return 0;
1876 }
1877
1878 if (server_profile->id == profile_id) {
1879 ssl->srtp_profile = server_profile;
1880 return 1;
1881 }
1882 }
1883 }
1884
1885 return 1;
1886}
1887
1888static int ext_srtp_add_serverhello(SSL *ssl, CBB *out) {
1889 if (ssl->srtp_profile == NULL) {
1890 return 1;
1891 }
1892
1893 CBB contents, profile_ids;
1894 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1895 !CBB_add_u16_length_prefixed(out, &contents) ||
1896 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1897 !CBB_add_u16(&profile_ids, ssl->srtp_profile->id) ||
1898 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1899 !CBB_flush(out)) {
1900 return 0;
1901 }
1902
1903 return 1;
1904}
1905
Adam Langleybdd5d662015-07-20 16:19:08 -07001906
1907/* EC point formats.
1908 *
1909 * https://tools.ietf.org/html/rfc4492#section-5.1.2 */
1910
1911static int ssl_any_ec_cipher_suites_enabled(const SSL *ssl) {
1912 if (ssl->version < TLS1_VERSION && !SSL_IS_DTLS(ssl)) {
1913 return 0;
1914 }
1915
1916 const STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(ssl);
1917
1918 size_t i;
1919 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1920 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(cipher_stack, i);
1921
1922 const uint32_t alg_k = cipher->algorithm_mkey;
1923 const uint32_t alg_a = cipher->algorithm_auth;
1924 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
1925 return 1;
1926 }
1927 }
1928
1929 return 0;
1930}
1931
Adam Langleybdd5d662015-07-20 16:19:08 -07001932static int ext_ec_point_add_extension(SSL *ssl, CBB *out) {
David Benjaminfc059942015-07-30 23:01:59 -04001933 CBB contents, formats;
Adam Langleybdd5d662015-07-20 16:19:08 -07001934 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1935 !CBB_add_u16_length_prefixed(out, &contents) ||
David Benjaminfc059942015-07-30 23:01:59 -04001936 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1937 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
Adam Langleybdd5d662015-07-20 16:19:08 -07001938 !CBB_flush(out)) {
1939 return 0;
1940 }
1941
1942 return 1;
1943}
1944
1945static int ext_ec_point_add_clienthello(SSL *ssl, CBB *out) {
1946 if (!ssl_any_ec_cipher_suites_enabled(ssl)) {
1947 return 1;
1948 }
1949
1950 return ext_ec_point_add_extension(ssl, out);
1951}
1952
1953static int ext_ec_point_parse_serverhello(SSL *ssl, uint8_t *out_alert,
1954 CBS *contents) {
1955 if (contents == NULL) {
1956 return 1;
1957 }
1958
1959 CBS ec_point_format_list;
1960 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1961 CBS_len(contents) != 0) {
1962 return 0;
1963 }
1964
David Benjaminfc059942015-07-30 23:01:59 -04001965 /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1966 * point format. */
1967 if (memchr(CBS_data(&ec_point_format_list), TLSEXT_ECPOINTFORMAT_uncompressed,
1968 CBS_len(&ec_point_format_list)) == NULL) {
1969 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
Adam Langleybdd5d662015-07-20 16:19:08 -07001970 return 0;
1971 }
1972
1973 return 1;
1974}
1975
1976static int ext_ec_point_parse_clienthello(SSL *ssl, uint8_t *out_alert,
1977 CBS *contents) {
1978 return ext_ec_point_parse_serverhello(ssl, out_alert, contents);
1979}
1980
1981static int ext_ec_point_add_serverhello(SSL *ssl, CBB *out) {
1982 const uint32_t alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey;
1983 const uint32_t alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
David Benjaminfc059942015-07-30 23:01:59 -04001984 const int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
Adam Langleybdd5d662015-07-20 16:19:08 -07001985
1986 if (!using_ecc) {
1987 return 1;
1988 }
1989
1990 return ext_ec_point_add_extension(ssl, out);
1991}
1992
Adam Langley273d49c2015-07-20 16:38:52 -07001993
1994/* EC supported curves.
1995 *
1996 * https://tools.ietf.org/html/rfc4492#section-5.1.2 */
1997
1998static void ext_ec_curves_init(SSL *ssl) {
1999 OPENSSL_free(ssl->s3->tmp.peer_ellipticcurvelist);
2000 ssl->s3->tmp.peer_ellipticcurvelist = NULL;
2001 ssl->s3->tmp.peer_ellipticcurvelist_length = 0;
2002}
2003
2004static int ext_ec_curves_add_clienthello(SSL *ssl, CBB *out) {
2005 if (!ssl_any_ec_cipher_suites_enabled(ssl)) {
2006 return 1;
2007 }
2008
2009 CBB contents, curves_bytes;
2010 if (!CBB_add_u16(out, TLSEXT_TYPE_elliptic_curves) ||
2011 !CBB_add_u16_length_prefixed(out, &contents) ||
2012 !CBB_add_u16_length_prefixed(&contents, &curves_bytes)) {
2013 return 0;
2014 }
2015
2016 const uint16_t *curves;
2017 size_t curves_len;
2018 tls1_get_curvelist(ssl, 0, &curves, &curves_len);
2019
2020 size_t i;
2021 for (i = 0; i < curves_len; i++) {
2022 if (!CBB_add_u16(&curves_bytes, curves[i])) {
2023 return 0;
2024 }
2025 }
2026
2027 return CBB_flush(out);
2028}
2029
2030static int ext_ec_curves_parse_serverhello(SSL *ssl, uint8_t *out_alert,
2031 CBS *contents) {
2032 /* This extension is not expected to be echoed by servers and is ignored. */
2033 return 1;
2034}
2035
2036static int ext_ec_curves_parse_clienthello(SSL *ssl, uint8_t *out_alert,
2037 CBS *contents) {
2038 if (contents == NULL) {
2039 return 1;
2040 }
2041
2042 CBS elliptic_curve_list;
2043 if (!CBS_get_u16_length_prefixed(contents, &elliptic_curve_list) ||
2044 CBS_len(&elliptic_curve_list) == 0 ||
2045 (CBS_len(&elliptic_curve_list) & 1) != 0 ||
2046 CBS_len(contents) != 0) {
2047 return 0;
2048 }
2049
2050 ssl->s3->tmp.peer_ellipticcurvelist =
2051 (uint16_t *)OPENSSL_malloc(CBS_len(&elliptic_curve_list));
2052
2053 if (ssl->s3->tmp.peer_ellipticcurvelist == NULL) {
2054 *out_alert = SSL_AD_INTERNAL_ERROR;
2055 return 0;
2056 }
2057
2058 const size_t num_curves = CBS_len(&elliptic_curve_list) / 2;
2059 size_t i;
2060 for (i = 0; i < num_curves; i++) {
2061 if (!CBS_get_u16(&elliptic_curve_list,
2062 &ssl->s3->tmp.peer_ellipticcurvelist[i])) {
2063 goto err;
2064 }
2065 }
2066
2067 assert(CBS_len(&elliptic_curve_list) == 0);
2068 ssl->s3->tmp.peer_ellipticcurvelist_length = num_curves;
2069
2070 return 1;
2071
2072err:
2073 OPENSSL_free(ssl->s3->tmp.peer_ellipticcurvelist);
2074 ssl->s3->tmp.peer_ellipticcurvelist = NULL;
2075 *out_alert = SSL_AD_INTERNAL_ERROR;
2076 return 0;
2077}
2078
2079static int ext_ec_curves_add_serverhello(SSL *ssl, CBB *out) {
2080 /* Servers don't echo this extension. */
2081 return 1;
2082}
2083
2084
Adam Langley614c66a2015-06-12 15:26:58 -07002085/* kExtensions contains all the supported extensions. */
2086static const struct tls_extension kExtensions[] = {
2087 {
Adam Langley5021b222015-06-12 18:27:58 -07002088 /* The renegotiation extension must always be at index zero because the
2089 * |received| and |sent| bitsets need to be tweaked when the "extension" is
2090 * sent as an SCSV. */
2091 TLSEXT_TYPE_renegotiate,
2092 NULL,
2093 ext_ri_add_clienthello,
2094 ext_ri_parse_serverhello,
2095 ext_ri_parse_clienthello,
2096 ext_ri_add_serverhello,
2097 },
2098 {
Adam Langley614c66a2015-06-12 15:26:58 -07002099 TLSEXT_TYPE_server_name,
2100 ext_sni_init,
2101 ext_sni_add_clienthello,
2102 ext_sni_parse_serverhello,
2103 ext_sni_parse_clienthello,
2104 ext_sni_add_serverhello,
2105 },
Adam Langley0a056712015-07-01 15:03:33 -07002106 {
2107 TLSEXT_TYPE_extended_master_secret,
2108 ext_ems_init,
2109 ext_ems_add_clienthello,
2110 ext_ems_parse_serverhello,
2111 ext_ems_parse_clienthello,
2112 ext_ems_add_serverhello,
2113 },
Adam Langley9b05bc52015-07-01 15:25:33 -07002114 {
2115 TLSEXT_TYPE_session_ticket,
2116 NULL,
2117 ext_ticket_add_clienthello,
2118 ext_ticket_parse_serverhello,
2119 ext_ticket_parse_clienthello,
2120 ext_ticket_add_serverhello,
2121 },
Adam Langley2e857bd2015-07-01 16:09:19 -07002122 {
2123 TLSEXT_TYPE_signature_algorithms,
2124 NULL,
2125 ext_sigalgs_add_clienthello,
2126 ext_sigalgs_parse_serverhello,
2127 ext_sigalgs_parse_clienthello,
2128 ext_sigalgs_add_serverhello,
2129 },
Adam Langleybb0bd042015-07-01 16:21:03 -07002130 {
2131 TLSEXT_TYPE_status_request,
2132 ext_ocsp_init,
2133 ext_ocsp_add_clienthello,
2134 ext_ocsp_parse_serverhello,
2135 ext_ocsp_parse_clienthello,
2136 ext_ocsp_add_serverhello,
2137 },
Adam Langley97dfcbf2015-07-01 18:35:20 -07002138 {
2139 TLSEXT_TYPE_next_proto_neg,
2140 ext_npn_init,
2141 ext_npn_add_clienthello,
2142 ext_npn_parse_serverhello,
2143 ext_npn_parse_clienthello,
2144 ext_npn_add_serverhello,
2145 },
Adam Langleyab8d87d2015-07-10 12:21:39 -07002146 {
2147 TLSEXT_TYPE_certificate_timestamp,
2148 NULL,
2149 ext_sct_add_clienthello,
2150 ext_sct_parse_serverhello,
2151 ext_sct_parse_clienthello,
2152 ext_sct_add_serverhello,
2153 },
Adam Langleyf18e4532015-07-10 13:39:53 -07002154 {
2155 TLSEXT_TYPE_application_layer_protocol_negotiation,
2156 ext_alpn_init,
2157 ext_alpn_add_clienthello,
2158 ext_alpn_parse_serverhello,
2159 ext_alpn_parse_clienthello,
2160 ext_alpn_add_serverhello,
2161 },
Adam Langley49c7af12015-07-10 14:33:46 -07002162 {
2163 TLSEXT_TYPE_channel_id,
2164 ext_channel_id_init,
2165 ext_channel_id_add_clienthello,
2166 ext_channel_id_parse_serverhello,
2167 ext_channel_id_parse_clienthello,
2168 ext_channel_id_add_serverhello,
2169 },
Adam Langley391250d2015-07-15 19:06:07 -07002170 {
2171 TLSEXT_TYPE_srtp,
2172 ext_srtp_init,
2173 ext_srtp_add_clienthello,
2174 ext_srtp_parse_serverhello,
2175 ext_srtp_parse_clienthello,
2176 ext_srtp_add_serverhello,
2177 },
Adam Langleybdd5d662015-07-20 16:19:08 -07002178 {
2179 TLSEXT_TYPE_ec_point_formats,
David Benjaminfc059942015-07-30 23:01:59 -04002180 NULL,
Adam Langleybdd5d662015-07-20 16:19:08 -07002181 ext_ec_point_add_clienthello,
2182 ext_ec_point_parse_serverhello,
2183 ext_ec_point_parse_clienthello,
2184 ext_ec_point_add_serverhello,
2185 },
Adam Langley273d49c2015-07-20 16:38:52 -07002186 {
2187 TLSEXT_TYPE_elliptic_curves,
2188 ext_ec_curves_init,
2189 ext_ec_curves_add_clienthello,
2190 ext_ec_curves_parse_serverhello,
2191 ext_ec_curves_parse_clienthello,
2192 ext_ec_curves_add_serverhello,
2193 },
Adam Langley614c66a2015-06-12 15:26:58 -07002194};
2195
2196#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
2197
Adam Langley4cfa96b2015-07-01 11:56:55 -07002198OPENSSL_COMPILE_ASSERT(kNumExtensions <=
2199 sizeof(((SSL *)NULL)->s3->tmp.extensions.sent) * 8,
David Benjamin7ca4b422015-07-13 16:43:47 -04002200 too_many_extensions_for_sent_bitset);
Adam Langley4cfa96b2015-07-01 11:56:55 -07002201OPENSSL_COMPILE_ASSERT(kNumExtensions <=
2202 sizeof(((SSL *)NULL)->s3->tmp.extensions.received) *
2203 8,
David Benjamin7ca4b422015-07-13 16:43:47 -04002204 too_many_extensions_for_received_bitset);
Adam Langley4cfa96b2015-07-01 11:56:55 -07002205
Adam Langley614c66a2015-06-12 15:26:58 -07002206static const struct tls_extension *tls_extension_find(uint32_t *out_index,
2207 uint16_t value) {
2208 unsigned i;
2209 for (i = 0; i < kNumExtensions; i++) {
2210 if (kExtensions[i].value == value) {
2211 *out_index = i;
2212 return &kExtensions[i];
2213 }
2214 }
2215
2216 return NULL;
2217}
2218
Adam Langley09505632015-07-30 18:10:13 -07002219int SSL_extension_supported(unsigned extension_value) {
2220 uint32_t index;
2221 return extension_value == TLSEXT_TYPE_padding ||
2222 tls_extension_find(&index, extension_value) != NULL;
2223}
2224
David Benjamine8d53502015-10-10 14:13:23 -04002225int ssl_add_clienthello_tlsext(SSL *ssl, CBB *out, size_t header_len) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002226 /* don't add extensions for SSLv3 unless doing secure renegotiation */
David Benjamine8d53502015-10-10 14:13:23 -04002227 if (ssl->client_version == SSL3_VERSION &&
2228 !ssl->s3->send_connection_binding) {
2229 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08002230 }
Adam Langley95c29f32014-06-20 12:00:00 -07002231
David Benjamine8d53502015-10-10 14:13:23 -04002232 size_t orig_len = CBB_len(out);
2233 CBB extensions;
2234 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002235 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08002236 }
Adam Langley95c29f32014-06-20 12:00:00 -07002237
David Benjamine8d53502015-10-10 14:13:23 -04002238 ssl->s3->tmp.extensions.sent = 0;
2239 ssl->s3->tmp.custom_extensions.sent = 0;
Adam Langley95c29f32014-06-20 12:00:00 -07002240
Adam Langley614c66a2015-06-12 15:26:58 -07002241 size_t i;
2242 for (i = 0; i < kNumExtensions; i++) {
2243 if (kExtensions[i].init != NULL) {
David Benjamine8d53502015-10-10 14:13:23 -04002244 kExtensions[i].init(ssl);
Adam Langley614c66a2015-06-12 15:26:58 -07002245 }
2246 }
Adam Langley95c29f32014-06-20 12:00:00 -07002247
Adam Langley614c66a2015-06-12 15:26:58 -07002248 for (i = 0; i < kNumExtensions; i++) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002249 const size_t len_before = CBB_len(&extensions);
David Benjamine8d53502015-10-10 14:13:23 -04002250 if (!kExtensions[i].add_clienthello(ssl, &extensions)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002251 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2252 ERR_add_error_dataf("extension: %u", (unsigned)kExtensions[i].value);
2253 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08002254 }
Adam Langley95c29f32014-06-20 12:00:00 -07002255
Adam Langley33ad2b52015-07-20 17:43:53 -07002256 if (CBB_len(&extensions) != len_before) {
David Benjamine8d53502015-10-10 14:13:23 -04002257 ssl->s3->tmp.extensions.sent |= (1u << i);
Adam Langley614c66a2015-06-12 15:26:58 -07002258 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002259 }
Adam Langley75712922014-10-10 16:23:43 -07002260
David Benjamine8d53502015-10-10 14:13:23 -04002261 if (!custom_ext_add_clienthello(ssl, &extensions)) {
Adam Langley09505632015-07-30 18:10:13 -07002262 goto err;
2263 }
2264
David Benjamine8d53502015-10-10 14:13:23 -04002265 if (!SSL_IS_DTLS(ssl)) {
2266 header_len += CBB_len(&extensions) - orig_len;
Adam Langleyfcf25832014-12-18 17:42:32 -08002267 if (header_len > 0xff && header_len < 0x200) {
Adam Langley10a1a9d2015-10-21 14:49:23 -07002268 /* Add padding to workaround bugs in F5 terminators. See RFC 7685.
Adam Langleyfcf25832014-12-18 17:42:32 -08002269 *
2270 * NB: because this code works out the length of all existing extensions
2271 * it MUST always appear last. */
David Benjamin0a968592015-07-21 22:06:19 -04002272 size_t padding_len = 0x200 - header_len;
Adam Langleyfcf25832014-12-18 17:42:32 -08002273 /* Extensions take at least four bytes to encode. Always include least
2274 * one byte of data if including the extension. WebSphere Application
2275 * Server 7.0 is intolerant to the last extension being zero-length. */
2276 if (padding_len >= 4 + 1) {
2277 padding_len -= 4;
2278 } else {
2279 padding_len = 1;
2280 }
Adam Langley95c29f32014-06-20 12:00:00 -07002281
Adam Langley33ad2b52015-07-20 17:43:53 -07002282 uint8_t *padding_bytes;
2283 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
2284 !CBB_add_u16(&extensions, padding_len) ||
2285 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
2286 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08002287 }
Adam Langley75712922014-10-10 16:23:43 -07002288
Adam Langley33ad2b52015-07-20 17:43:53 -07002289 memset(padding_bytes, 0, padding_len);
Adam Langleyfcf25832014-12-18 17:42:32 -08002290 }
2291 }
Adam Langley75712922014-10-10 16:23:43 -07002292
Adam Langley33ad2b52015-07-20 17:43:53 -07002293 /* If only two bytes have been written then the extensions are actually empty
2294 * and those two bytes are the zero length. In that case, we don't bother
2295 * sending the extensions length. */
David Benjamine8d53502015-10-10 14:13:23 -04002296 if (CBB_len(&extensions) - orig_len == 2) {
2297 CBB_discard_child(out);
Adam Langley33ad2b52015-07-20 17:43:53 -07002298 }
2299
David Benjamine8d53502015-10-10 14:13:23 -04002300 return CBB_flush(out);
Adam Langley33ad2b52015-07-20 17:43:53 -07002301
2302err:
Adam Langley33ad2b52015-07-20 17:43:53 -07002303 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
David Benjamine8d53502015-10-10 14:13:23 -04002304 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08002305}
Adam Langley95c29f32014-06-20 12:00:00 -07002306
David Benjamin56380462015-10-10 14:59:09 -04002307int ssl_add_serverhello_tlsext(SSL *ssl, CBB *out) {
2308 const size_t orig_len = CBB_len(out);
2309
2310 CBB extensions;
2311 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002312 goto err;
Adam Langley614c66a2015-06-12 15:26:58 -07002313 }
2314
2315 unsigned i;
2316 for (i = 0; i < kNumExtensions; i++) {
David Benjamin56380462015-10-10 14:59:09 -04002317 if (!(ssl->s3->tmp.extensions.received & (1u << i))) {
Adam Langley614c66a2015-06-12 15:26:58 -07002318 /* Don't send extensions that were not received. */
2319 continue;
Adam Langleyfcf25832014-12-18 17:42:32 -08002320 }
Adam Langley95c29f32014-06-20 12:00:00 -07002321
David Benjamin56380462015-10-10 14:59:09 -04002322 if (!kExtensions[i].add_serverhello(ssl, &extensions)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002323 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2324 ERR_add_error_dataf("extension: %u", (unsigned)kExtensions[i].value);
2325 goto err;
Adam Langley614c66a2015-06-12 15:26:58 -07002326 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002327 }
Adam Langley95c29f32014-06-20 12:00:00 -07002328
David Benjamin56380462015-10-10 14:59:09 -04002329 if (!custom_ext_add_serverhello(ssl, &extensions)) {
Adam Langley09505632015-07-30 18:10:13 -07002330 goto err;
2331 }
2332
Adam Langley33ad2b52015-07-20 17:43:53 -07002333 /* If only two bytes have been written then the extensions are actually empty
2334 * and those two bytes are the zero length. In that case, we don't bother
2335 * sending the extensions length. */
David Benjamin56380462015-10-10 14:59:09 -04002336 if (CBB_len(&extensions) - orig_len == 2) {
2337 CBB_discard_child(out);
Adam Langley33ad2b52015-07-20 17:43:53 -07002338 }
2339
David Benjamin56380462015-10-10 14:59:09 -04002340 return CBB_flush(out);
Adam Langley33ad2b52015-07-20 17:43:53 -07002341
2342err:
Adam Langley33ad2b52015-07-20 17:43:53 -07002343 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
David Benjamin56380462015-10-10 14:59:09 -04002344 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08002345}
Adam Langley95c29f32014-06-20 12:00:00 -07002346
Adam Langleyfcf25832014-12-18 17:42:32 -08002347static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
Adam Langley614c66a2015-06-12 15:26:58 -07002348 size_t i;
2349 for (i = 0; i < kNumExtensions; i++) {
2350 if (kExtensions[i].init != NULL) {
2351 kExtensions[i].init(s);
2352 }
2353 }
2354
2355 s->s3->tmp.extensions.received = 0;
Adam Langley09505632015-07-30 18:10:13 -07002356 s->s3->tmp.custom_extensions.received = 0;
Adam Langley5021b222015-06-12 18:27:58 -07002357 /* The renegotiation extension must always be at index zero because the
2358 * |received| and |sent| bitsets need to be tweaked when the "extension" is
2359 * sent as an SCSV. */
2360 assert(kExtensions[0].value == TLSEXT_TYPE_renegotiate);
Adam Langley614c66a2015-06-12 15:26:58 -07002361
Adam Langleyfcf25832014-12-18 17:42:32 -08002362 /* There may be no extensions. */
Adam Langley33ad2b52015-07-20 17:43:53 -07002363 if (CBS_len(cbs) != 0) {
2364 /* Decode the extensions block and check it is valid. */
2365 CBS extensions;
2366 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
2367 !tls1_check_duplicate_extensions(&extensions)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002368 *out_alert = SSL_AD_DECODE_ERROR;
2369 return 0;
2370 }
Adam Langley95c29f32014-06-20 12:00:00 -07002371
Adam Langley33ad2b52015-07-20 17:43:53 -07002372 while (CBS_len(&extensions) != 0) {
2373 uint16_t type;
2374 CBS extension;
Adam Langley95c29f32014-06-20 12:00:00 -07002375
Adam Langley33ad2b52015-07-20 17:43:53 -07002376 /* Decode the next extension. */
2377 if (!CBS_get_u16(&extensions, &type) ||
2378 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
2379 *out_alert = SSL_AD_DECODE_ERROR;
2380 return 0;
2381 }
2382
David Benjaminc7ce9772015-10-09 19:32:41 -04002383 /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat
2384 * ambiguous. Ignore all but the renegotiation_info extension. */
2385 if (s->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
2386 continue;
2387 }
2388
Adam Langley33ad2b52015-07-20 17:43:53 -07002389 unsigned ext_index;
2390 const struct tls_extension *const ext =
2391 tls_extension_find(&ext_index, type);
2392
2393 if (ext == NULL) {
Adam Langley09505632015-07-30 18:10:13 -07002394 if (!custom_ext_parse_clienthello(s, out_alert, type, &extension)) {
2395 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2396 return 0;
2397 }
Adam Langley33ad2b52015-07-20 17:43:53 -07002398 continue;
2399 }
2400
Adam Langley614c66a2015-06-12 15:26:58 -07002401 s->s3->tmp.extensions.received |= (1u << ext_index);
2402 uint8_t alert = SSL_AD_DECODE_ERROR;
2403 if (!ext->parse_clienthello(s, &alert, &extension)) {
2404 *out_alert = alert;
Adam Langley33ad2b52015-07-20 17:43:53 -07002405 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2406 ERR_add_error_dataf("extension: %u", (unsigned)type);
Adam Langleyfcf25832014-12-18 17:42:32 -08002407 return 0;
2408 }
Adam Langley614c66a2015-06-12 15:26:58 -07002409 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002410 }
Adam Langley75712922014-10-10 16:23:43 -07002411
Adam Langley614c66a2015-06-12 15:26:58 -07002412 for (i = 0; i < kNumExtensions; i++) {
2413 if (!(s->s3->tmp.extensions.received & (1u << i))) {
2414 /* Extension wasn't observed so call the callback with a NULL
2415 * parameter. */
2416 uint8_t alert = SSL_AD_DECODE_ERROR;
2417 if (!kExtensions[i].parse_clienthello(s, &alert, NULL)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002418 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
2419 ERR_add_error_dataf("extension: %u", (unsigned)kExtensions[i].value);
Adam Langley614c66a2015-06-12 15:26:58 -07002420 *out_alert = alert;
2421 return 0;
2422 }
2423 }
2424 }
2425
Adam Langleyfcf25832014-12-18 17:42:32 -08002426 return 1;
2427}
Adam Langley95c29f32014-06-20 12:00:00 -07002428
Adam Langleyfcf25832014-12-18 17:42:32 -08002429int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) {
2430 int alert = -1;
2431 if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0) {
2432 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
2433 return 0;
2434 }
Adam Langley95c29f32014-06-20 12:00:00 -07002435
Adam Langleyfcf25832014-12-18 17:42:32 -08002436 if (ssl_check_clienthello_tlsext(s) <= 0) {
David Benjamin3570d732015-06-29 00:28:17 -04002437 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
Adam Langleyfcf25832014-12-18 17:42:32 -08002438 return 0;
2439 }
Adam Langley95c29f32014-06-20 12:00:00 -07002440
Adam Langleyfcf25832014-12-18 17:42:32 -08002441 return 1;
2442}
Adam Langley95c29f32014-06-20 12:00:00 -07002443
Matt Braithwaitee564a5b2015-09-30 15:24:05 -07002444OPENSSL_COMPILE_ASSERT(kNumExtensions <= sizeof(uint32_t) * 8, too_many_bits);
2445
Adam Langleyfcf25832014-12-18 17:42:32 -08002446static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
Adam Langley614c66a2015-06-12 15:26:58 -07002447 uint32_t received = 0;
Adam Langley614c66a2015-06-12 15:26:58 -07002448
Adam Langley33ad2b52015-07-20 17:43:53 -07002449 if (CBS_len(cbs) != 0) {
2450 /* Decode the extensions block and check it is valid. */
2451 CBS extensions;
2452 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
2453 !tls1_check_duplicate_extensions(&extensions)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002454 *out_alert = SSL_AD_DECODE_ERROR;
2455 return 0;
2456 }
Adam Langley95c29f32014-06-20 12:00:00 -07002457
Adam Langley614c66a2015-06-12 15:26:58 -07002458
Adam Langley33ad2b52015-07-20 17:43:53 -07002459 while (CBS_len(&extensions) != 0) {
2460 uint16_t type;
2461 CBS extension;
2462
2463 /* Decode the next extension. */
2464 if (!CBS_get_u16(&extensions, &type) ||
2465 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
2466 *out_alert = SSL_AD_DECODE_ERROR;
2467 return 0;
2468 }
2469
2470 unsigned ext_index;
2471 const struct tls_extension *const ext =
2472 tls_extension_find(&ext_index, type);
2473
Adam Langley09505632015-07-30 18:10:13 -07002474 if (ext == NULL) {
2475 if (!custom_ext_parse_serverhello(s, out_alert, type, &extension)) {
2476 return 0;
2477 }
2478 continue;
2479 }
2480
2481 if (!(s->s3->tmp.extensions.sent & (1u << ext_index))) {
2482 /* If the extension was never sent then it is illegal. */
David Benjamin3570d732015-06-29 00:28:17 -04002483 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
Adam Langley33ad2b52015-07-20 17:43:53 -07002484 ERR_add_error_dataf("extension :%u", (unsigned)type);
Adam Langleyfcf25832014-12-18 17:42:32 -08002485 *out_alert = SSL_AD_DECODE_ERROR;
2486 return 0;
2487 }
David Benjamin03973092014-06-24 23:27:17 -04002488
Adam Langley614c66a2015-06-12 15:26:58 -07002489 received |= (1u << ext_index);
2490
2491 uint8_t alert = SSL_AD_DECODE_ERROR;
2492 if (!ext->parse_serverhello(s, &alert, &extension)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002493 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2494 ERR_add_error_dataf("extension: %u", (unsigned)type);
Adam Langley614c66a2015-06-12 15:26:58 -07002495 *out_alert = alert;
Adam Langleyfcf25832014-12-18 17:42:32 -08002496 return 0;
2497 }
Adam Langley614c66a2015-06-12 15:26:58 -07002498 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002499 }
Adam Langley95c29f32014-06-20 12:00:00 -07002500
Adam Langley33ad2b52015-07-20 17:43:53 -07002501 size_t i;
Adam Langley614c66a2015-06-12 15:26:58 -07002502 for (i = 0; i < kNumExtensions; i++) {
2503 if (!(received & (1u << i))) {
2504 /* Extension wasn't observed so call the callback with a NULL
2505 * parameter. */
2506 uint8_t alert = SSL_AD_DECODE_ERROR;
2507 if (!kExtensions[i].parse_serverhello(s, &alert, NULL)) {
Adam Langley33ad2b52015-07-20 17:43:53 -07002508 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
2509 ERR_add_error_dataf("extension: %u", (unsigned)kExtensions[i].value);
Adam Langley614c66a2015-06-12 15:26:58 -07002510 *out_alert = alert;
Adam Langleyfcf25832014-12-18 17:42:32 -08002511 return 0;
2512 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002513 }
2514 }
Adam Langley95c29f32014-06-20 12:00:00 -07002515
Adam Langleyfcf25832014-12-18 17:42:32 -08002516 return 1;
2517}
Adam Langley95c29f32014-06-20 12:00:00 -07002518
Adam Langleyfcf25832014-12-18 17:42:32 -08002519static int ssl_check_clienthello_tlsext(SSL *s) {
2520 int ret = SSL_TLSEXT_ERR_NOACK;
2521 int al = SSL_AD_UNRECOGNIZED_NAME;
Adam Langleyed8270a2014-09-02 13:52:56 -07002522
Adam Langleyfcf25832014-12-18 17:42:32 -08002523 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2524 * ssl3_choose_cipher in s3_lib.c. */
Adam Langley95c29f32014-06-20 12:00:00 -07002525
Adam Langleyfcf25832014-12-18 17:42:32 -08002526 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) {
2527 ret = s->ctx->tlsext_servername_callback(s, &al,
2528 s->ctx->tlsext_servername_arg);
2529 } else if (s->initial_ctx != NULL &&
2530 s->initial_ctx->tlsext_servername_callback != 0) {
2531 ret = s->initial_ctx->tlsext_servername_callback(
2532 s, &al, s->initial_ctx->tlsext_servername_arg);
2533 }
Adam Langley95c29f32014-06-20 12:00:00 -07002534
Adam Langleyfcf25832014-12-18 17:42:32 -08002535 switch (ret) {
2536 case SSL_TLSEXT_ERR_ALERT_FATAL:
2537 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2538 return -1;
Adam Langley95c29f32014-06-20 12:00:00 -07002539
Adam Langleyfcf25832014-12-18 17:42:32 -08002540 case SSL_TLSEXT_ERR_ALERT_WARNING:
2541 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2542 return 1;
Adam Langley95c29f32014-06-20 12:00:00 -07002543
Adam Langleyfcf25832014-12-18 17:42:32 -08002544 case SSL_TLSEXT_ERR_NOACK:
Adam Langley614c66a2015-06-12 15:26:58 -07002545 s->s3->tmp.should_ack_sni = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08002546 return 1;
Adam Langley95c29f32014-06-20 12:00:00 -07002547
Adam Langleyfcf25832014-12-18 17:42:32 -08002548 default:
2549 return 1;
2550 }
2551}
Adam Langleyed8270a2014-09-02 13:52:56 -07002552
Adam Langleyfcf25832014-12-18 17:42:32 -08002553static int ssl_check_serverhello_tlsext(SSL *s) {
David Benjaminfc059942015-07-30 23:01:59 -04002554 int ret = SSL_TLSEXT_ERR_OK;
Adam Langleyfcf25832014-12-18 17:42:32 -08002555 int al = SSL_AD_UNRECOGNIZED_NAME;
Adam Langley95c29f32014-06-20 12:00:00 -07002556
Adam Langleyfcf25832014-12-18 17:42:32 -08002557 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) {
2558 ret = s->ctx->tlsext_servername_callback(s, &al,
2559 s->ctx->tlsext_servername_arg);
2560 } else if (s->initial_ctx != NULL &&
David Benjaminb18f0242015-03-10 18:30:08 -04002561 s->initial_ctx->tlsext_servername_callback != 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002562 ret = s->initial_ctx->tlsext_servername_callback(
2563 s, &al, s->initial_ctx->tlsext_servername_arg);
2564 }
Adam Langley95c29f32014-06-20 12:00:00 -07002565
Adam Langleyfcf25832014-12-18 17:42:32 -08002566 switch (ret) {
2567 case SSL_TLSEXT_ERR_ALERT_FATAL:
2568 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2569 return -1;
David Benjamin03973092014-06-24 23:27:17 -04002570
Adam Langleyfcf25832014-12-18 17:42:32 -08002571 case SSL_TLSEXT_ERR_ALERT_WARNING:
2572 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2573 return 1;
2574
2575 default:
2576 return 1;
2577 }
2578}
2579
2580int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs) {
2581 int alert = -1;
Adam Langleyfcf25832014-12-18 17:42:32 -08002582 if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0) {
2583 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
2584 return 0;
2585 }
2586
2587 if (ssl_check_serverhello_tlsext(s) <= 0) {
David Benjamin3570d732015-06-29 00:28:17 -04002588 OPENSSL_PUT_ERROR(SSL, SSL_R_SERVERHELLO_TLSEXT);
Adam Langleyfcf25832014-12-18 17:42:32 -08002589 return 0;
2590 }
2591
2592 return 1;
2593}
Adam Langley95c29f32014-06-20 12:00:00 -07002594
David Benjamine3aa1d92015-06-16 15:34:50 -04002595int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
2596 int *out_send_ticket, const uint8_t *ticket,
2597 size_t ticket_len, const uint8_t *session_id,
2598 size_t session_id_len) {
2599 int ret = 1; /* Most errors are non-fatal. */
2600 SSL_CTX *ssl_ctx = ssl->initial_ctx;
2601 uint8_t *plaintext = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -07002602
David Benjamine3aa1d92015-06-16 15:34:50 -04002603 HMAC_CTX hmac_ctx;
2604 HMAC_CTX_init(&hmac_ctx);
2605 EVP_CIPHER_CTX cipher_ctx;
2606 EVP_CIPHER_CTX_init(&cipher_ctx);
2607
2608 *out_send_ticket = 0;
2609 *out_session = NULL;
2610
2611 if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
2612 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002613 }
2614
David Benjamine3aa1d92015-06-16 15:34:50 -04002615 if (ticket_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002616 /* The client will accept a ticket but doesn't currently have one. */
David Benjamine3aa1d92015-06-16 15:34:50 -04002617 *out_send_ticket = 1;
2618 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002619 }
2620
David Benjaminadcc3952015-04-26 13:07:57 -04002621 /* Ensure there is room for the key name and the largest IV
2622 * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
2623 * the maximum IV length should be well under the minimum size for the
2624 * session material and HMAC. */
David Benjamine3aa1d92015-06-16 15:34:50 -04002625 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
2626 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002627 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002628 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
Adam Langleyfcf25832014-12-18 17:42:32 -08002629
David Benjamine3aa1d92015-06-16 15:34:50 -04002630 if (ssl_ctx->tlsext_ticket_key_cb != NULL) {
2631 int cb_ret = ssl_ctx->tlsext_ticket_key_cb(ssl, (uint8_t*)ticket /* name */,
2632 (uint8_t*)iv, &cipher_ctx, &hmac_ctx,
2633 0 /* decrypt */);
2634 if (cb_ret < 0) {
2635 ret = 0;
2636 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002637 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002638 if (cb_ret == 0) {
2639 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002640 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002641 if (cb_ret == 2) {
2642 *out_send_ticket = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08002643 }
2644 } else {
David Benjamine3aa1d92015-06-16 15:34:50 -04002645 /* Check the key name matches. */
2646 if (memcmp(ticket, ssl_ctx->tlsext_tick_key_name,
2647 SSL_TICKET_KEY_NAME_LEN) != 0) {
2648 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002649 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002650 if (!HMAC_Init_ex(&hmac_ctx, ssl_ctx->tlsext_tick_hmac_key,
2651 sizeof(ssl_ctx->tlsext_tick_hmac_key), tlsext_tick_md(),
Adam Langleyfcf25832014-12-18 17:42:32 -08002652 NULL) ||
David Benjamine3aa1d92015-06-16 15:34:50 -04002653 !EVP_DecryptInit_ex(&cipher_ctx, EVP_aes_128_cbc(), NULL,
2654 ssl_ctx->tlsext_tick_aes_key, iv)) {
2655 ret = 0;
2656 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002657 }
2658 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002659 size_t iv_len = EVP_CIPHER_CTX_iv_length(&cipher_ctx);
Adam Langleyfcf25832014-12-18 17:42:32 -08002660
David Benjamine3aa1d92015-06-16 15:34:50 -04002661 /* Check the MAC at the end of the ticket. */
2662 uint8_t mac[EVP_MAX_MD_SIZE];
2663 size_t mac_len = HMAC_size(&hmac_ctx);
2664 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
David Benjaminadcc3952015-04-26 13:07:57 -04002665 /* The ticket must be large enough for key name, IV, data, and MAC. */
David Benjamine3aa1d92015-06-16 15:34:50 -04002666 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002667 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002668 HMAC_Update(&hmac_ctx, ticket, ticket_len - mac_len);
2669 HMAC_Final(&hmac_ctx, mac, NULL);
2670 if (CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) != 0) {
2671 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002672 }
2673
David Benjamine3aa1d92015-06-16 15:34:50 -04002674 /* Decrypt the session data. */
2675 const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
2676 size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
2677 mac_len;
2678 plaintext = OPENSSL_malloc(ciphertext_len);
2679 if (plaintext == NULL) {
2680 ret = 0;
2681 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002682 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002683 if (ciphertext_len >= INT_MAX) {
2684 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002685 }
David Benjamine3aa1d92015-06-16 15:34:50 -04002686 int len1, len2;
2687 if (!EVP_DecryptUpdate(&cipher_ctx, plaintext, &len1, ciphertext,
2688 (int)ciphertext_len) ||
2689 !EVP_DecryptFinal_ex(&cipher_ctx, plaintext + len1, &len2)) {
2690 ERR_clear_error(); /* Don't leave an error on the queue. */
2691 goto done;
Adam Langleyfcf25832014-12-18 17:42:32 -08002692 }
2693
David Benjamine3aa1d92015-06-16 15:34:50 -04002694 /* Decode the session. */
2695 SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, len1 + len2);
2696 if (session == NULL) {
2697 ERR_clear_error(); /* Don't leave an error on the queue. */
2698 goto done;
2699 }
2700
2701 /* Copy the client's session ID into the new session, to denote the ticket has
2702 * been accepted. */
2703 memcpy(session->session_id, session_id, session_id_len);
2704 session->session_id_length = session_id_len;
2705
2706 *out_session = session;
2707
2708done:
2709 OPENSSL_free(plaintext);
2710 HMAC_CTX_cleanup(&hmac_ctx);
2711 EVP_CIPHER_CTX_cleanup(&cipher_ctx);
2712 return ret;
Adam Langleyfcf25832014-12-18 17:42:32 -08002713}
Adam Langley95c29f32014-06-20 12:00:00 -07002714
2715/* Tables to translate from NIDs to TLS v1.2 ids */
Adam Langleyfcf25832014-12-18 17:42:32 -08002716typedef struct {
2717 int nid;
2718 int id;
2719} tls12_lookup;
Adam Langley95c29f32014-06-20 12:00:00 -07002720
Adam Langleyfcf25832014-12-18 17:42:32 -08002721static const tls12_lookup tls12_md[] = {{NID_md5, TLSEXT_hash_md5},
2722 {NID_sha1, TLSEXT_hash_sha1},
2723 {NID_sha224, TLSEXT_hash_sha224},
2724 {NID_sha256, TLSEXT_hash_sha256},
2725 {NID_sha384, TLSEXT_hash_sha384},
2726 {NID_sha512, TLSEXT_hash_sha512}};
Adam Langley95c29f32014-06-20 12:00:00 -07002727
Adam Langleyfcf25832014-12-18 17:42:32 -08002728static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2729 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}};
Adam Langley95c29f32014-06-20 12:00:00 -07002730
Adam Langleyfcf25832014-12-18 17:42:32 -08002731static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) {
2732 size_t i;
2733 for (i = 0; i < tlen; i++) {
2734 if (table[i].nid == nid) {
2735 return table[i].id;
2736 }
2737 }
Adam Langley95c29f32014-06-20 12:00:00 -07002738
Adam Langleyfcf25832014-12-18 17:42:32 -08002739 return -1;
2740}
Adam Langley95c29f32014-06-20 12:00:00 -07002741
David Benjaminb4d65fd2015-05-29 17:11:21 -04002742int tls12_get_sigid(int pkey_type) {
2743 return tls12_find_id(pkey_type, tls12_sig,
2744 sizeof(tls12_sig) / sizeof(tls12_lookup));
2745}
2746
David Benjamind1d80782015-07-05 11:54:09 -04002747int tls12_get_sigandhash(SSL *ssl, uint8_t *p, const EVP_MD *md) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002748 int sig_id, md_id;
Adam Langley95c29f32014-06-20 12:00:00 -07002749
Adam Langleyfcf25832014-12-18 17:42:32 -08002750 if (!md) {
2751 return 0;
2752 }
Adam Langley95c29f32014-06-20 12:00:00 -07002753
Adam Langleyfcf25832014-12-18 17:42:32 -08002754 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2755 sizeof(tls12_md) / sizeof(tls12_lookup));
2756 if (md_id == -1) {
2757 return 0;
2758 }
Adam Langley95c29f32014-06-20 12:00:00 -07002759
David Benjamind1d80782015-07-05 11:54:09 -04002760 sig_id = tls12_get_sigid(ssl_private_key_type(ssl));
Adam Langleyfcf25832014-12-18 17:42:32 -08002761 if (sig_id == -1) {
2762 return 0;
2763 }
Adam Langley95c29f32014-06-20 12:00:00 -07002764
Adam Langleyfcf25832014-12-18 17:42:32 -08002765 p[0] = (uint8_t)md_id;
2766 p[1] = (uint8_t)sig_id;
2767 return 1;
2768}
2769
Adam Langleyfcf25832014-12-18 17:42:32 -08002770const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
2771 switch (hash_alg) {
2772 case TLSEXT_hash_md5:
2773 return EVP_md5();
2774
2775 case TLSEXT_hash_sha1:
2776 return EVP_sha1();
2777
2778 case TLSEXT_hash_sha224:
2779 return EVP_sha224();
2780
2781 case TLSEXT_hash_sha256:
2782 return EVP_sha256();
2783
2784 case TLSEXT_hash_sha384:
2785 return EVP_sha384();
2786
2787 case TLSEXT_hash_sha512:
2788 return EVP_sha512();
2789
2790 default:
2791 return NULL;
2792 }
2793}
Adam Langley95c29f32014-06-20 12:00:00 -07002794
David Benjaminec2f27d2014-11-13 19:17:25 -05002795/* tls12_get_pkey_type returns the EVP_PKEY type corresponding to TLS signature
2796 * algorithm |sig_alg|. It returns -1 if the type is unknown. */
Adam Langleyfcf25832014-12-18 17:42:32 -08002797static int tls12_get_pkey_type(uint8_t sig_alg) {
2798 switch (sig_alg) {
2799 case TLSEXT_signature_rsa:
2800 return EVP_PKEY_RSA;
2801
2802 case TLSEXT_signature_ecdsa:
2803 return EVP_PKEY_EC;
2804
2805 default:
2806 return -1;
2807 }
2808}
Adam Langley95c29f32014-06-20 12:00:00 -07002809
Steven Valdez0d62f262015-09-04 12:41:04 -04002810OPENSSL_COMPILE_ASSERT(sizeof(TLS_SIGALGS) == 2,
2811 sizeof_tls_sigalgs_is_not_two);
Adam Langleyfcf25832014-12-18 17:42:32 -08002812
Steven Valdez0d62f262015-09-04 12:41:04 -04002813int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *in_sigalgs) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002814 /* Extension ignored for inappropriate versions */
Steven Valdez0d62f262015-09-04 12:41:04 -04002815 if (!SSL_USE_SIGALGS(ssl)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002816 return 1;
2817 }
David Benjamincd996942014-07-20 16:23:51 -04002818
Steven Valdez0d62f262015-09-04 12:41:04 -04002819 CERT *const cert = ssl->cert;
2820 OPENSSL_free(cert->peer_sigalgs);
2821 cert->peer_sigalgs = NULL;
2822 cert->peer_sigalgslen = 0;
2823
2824 size_t num_sigalgs = CBS_len(in_sigalgs);
2825
2826 if (num_sigalgs % 2 != 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -08002827 return 0;
2828 }
Steven Valdez0d62f262015-09-04 12:41:04 -04002829 num_sigalgs /= 2;
2830
2831 /* supported_signature_algorithms in the certificate request is
2832 * allowed to be empty. */
2833 if (num_sigalgs == 0) {
2834 return 1;
2835 }
2836
2837 /* This multiplication doesn't overflow because sizeof(TLS_SIGALGS) is two
2838 * (statically asserted above) and we just divided |num_sigalgs| by two. */
2839 cert->peer_sigalgs = OPENSSL_malloc(num_sigalgs * sizeof(TLS_SIGALGS));
2840 if (cert->peer_sigalgs == NULL) {
2841 return 0;
2842 }
2843 cert->peer_sigalgslen = num_sigalgs;
2844
2845 CBS sigalgs;
2846 CBS_init(&sigalgs, CBS_data(in_sigalgs), CBS_len(in_sigalgs));
2847
2848 size_t i;
2849 for (i = 0; i < num_sigalgs; i++) {
2850 TLS_SIGALGS *const sigalg = &cert->peer_sigalgs[i];
2851 if (!CBS_get_u8(&sigalgs, &sigalg->rhash) ||
2852 !CBS_get_u8(&sigalgs, &sigalg->rsign)) {
2853 return 0;
2854 }
2855 }
Adam Langley95c29f32014-06-20 12:00:00 -07002856
Adam Langleyfcf25832014-12-18 17:42:32 -08002857 return 1;
2858}
David Benjaminec2f27d2014-11-13 19:17:25 -05002859
David Benjamind1d80782015-07-05 11:54:09 -04002860const EVP_MD *tls1_choose_signing_digest(SSL *ssl) {
2861 CERT *cert = ssl->cert;
2862 int type = ssl_private_key_type(ssl);
Steven Valdez0d62f262015-09-04 12:41:04 -04002863 size_t i, j;
David Benjaminec2f27d2014-11-13 19:17:25 -05002864
Steven Valdez0d62f262015-09-04 12:41:04 -04002865 static const int kDefaultDigestList[] = {NID_sha256, NID_sha384, NID_sha512,
2866 NID_sha224, NID_sha1};
2867
2868 const int *digest_nids = kDefaultDigestList;
2869 size_t num_digest_nids =
2870 sizeof(kDefaultDigestList) / sizeof(kDefaultDigestList[0]);
2871 if (cert->digest_nids != NULL) {
2872 digest_nids = cert->digest_nids;
2873 num_digest_nids = cert->num_digest_nids;
2874 }
2875
2876 for (i = 0; i < num_digest_nids; i++) {
2877 const int digest_nid = digest_nids[i];
2878 for (j = 0; j < cert->peer_sigalgslen; j++) {
2879 const EVP_MD *md = tls12_get_hash(cert->peer_sigalgs[j].rhash);
2880 if (md == NULL ||
2881 digest_nid != EVP_MD_type(md) ||
2882 tls12_get_pkey_type(cert->peer_sigalgs[j].rsign) != type) {
2883 continue;
2884 }
2885
2886 return md;
Adam Langleyfcf25832014-12-18 17:42:32 -08002887 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002888 }
Adam Langley95c29f32014-06-20 12:00:00 -07002889
Adam Langleyfcf25832014-12-18 17:42:32 -08002890 /* If no suitable digest may be found, default to SHA-1. */
2891 return EVP_sha1();
2892}
Adam Langley95c29f32014-06-20 12:00:00 -07002893
David Benjamind6a4ae92015-08-06 11:10:51 -04002894int tls1_channel_id_hash(SSL *ssl, uint8_t *out, size_t *out_len) {
2895 int ret = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08002896 EVP_MD_CTX ctx;
Adam Langleyfcf25832014-12-18 17:42:32 -08002897
2898 EVP_MD_CTX_init(&ctx);
David Benjamind6a4ae92015-08-06 11:10:51 -04002899 if (!EVP_DigestInit_ex(&ctx, EVP_sha256(), NULL)) {
2900 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08002901 }
Adam Langleyfcf25832014-12-18 17:42:32 -08002902
David Benjamind6a4ae92015-08-06 11:10:51 -04002903 static const char kClientIDMagic[] = "TLS Channel ID signature";
2904 EVP_DigestUpdate(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
2905
2906 if (ssl->hit) {
2907 static const char kResumptionMagic[] = "Resumption";
2908 EVP_DigestUpdate(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
2909 if (ssl->session->original_handshake_hash_len == 0) {
2910 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2911 goto err;
2912 }
2913 EVP_DigestUpdate(&ctx, ssl->session->original_handshake_hash,
2914 ssl->session->original_handshake_hash_len);
2915 }
2916
2917 uint8_t handshake_hash[EVP_MAX_MD_SIZE];
2918 int handshake_hash_len = tls1_handshake_digest(ssl, handshake_hash,
2919 sizeof(handshake_hash));
2920 if (handshake_hash_len < 0) {
2921 goto err;
2922 }
2923 EVP_DigestUpdate(&ctx, handshake_hash, (size_t)handshake_hash_len);
2924 unsigned len_u;
2925 EVP_DigestFinal_ex(&ctx, out, &len_u);
2926 *out_len = len_u;
2927
2928 ret = 1;
2929
2930err:
2931 EVP_MD_CTX_cleanup(&ctx);
2932 return ret;
Adam Langleyfcf25832014-12-18 17:42:32 -08002933}
Adam Langley1258b6a2014-06-20 12:00:00 -07002934
2935/* tls1_record_handshake_hashes_for_channel_id records the current handshake
2936 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
Adam Langleyfcf25832014-12-18 17:42:32 -08002937int tls1_record_handshake_hashes_for_channel_id(SSL *s) {
2938 int digest_len;
2939 /* This function should never be called for a resumed session because the
2940 * handshake hashes that we wish to record are for the original, full
2941 * handshake. */
2942 if (s->hit) {
2943 return -1;
2944 }
Adam Langley1258b6a2014-06-20 12:00:00 -07002945
Adam Langleyfcf25832014-12-18 17:42:32 -08002946 digest_len =
2947 tls1_handshake_digest(s, s->session->original_handshake_hash,
2948 sizeof(s->session->original_handshake_hash));
2949 if (digest_len < 0) {
2950 return -1;
2951 }
Adam Langley1258b6a2014-06-20 12:00:00 -07002952
Adam Langleyfcf25832014-12-18 17:42:32 -08002953 s->session->original_handshake_hash_len = digest_len;
Adam Langley1258b6a2014-06-20 12:00:00 -07002954
Adam Langleyfcf25832014-12-18 17:42:32 -08002955 return 1;
2956}